freedomofpress
Move reply key generation to /submit endpoint
Status
Ready for review, but flagged as draft to block merge until release/2.5.0 branch is created
Description of Changes
Fixes #6489
Reply key generation is moved in the SI from /lookup to /submit. If a key is not already present for the given source it will be created during the first submisstion.
Testing
-
Check out this branch and run
make dev -
[ ] in another terminal, connect to the dev container with
docker exec -it securedrop-dev-0 bashand verify that only the default dev source reply keys exist withgpg --homedir /var/lib/securedrop/keys -k -
Create a new source via the SI, but do not submit anything
-
[ ] verify that no new key was created, with
gpg --homedir /var/lib/securedrop/keys -k -
[ ] submit a message as the source and verify that a reply key was created
-
[ ] log in to the JI and verify that the source is listed and a reply can be sent
-
[ ] on the SI, verify that the reply is displayed correctly
-
[ ] submit another message and verify that a new reply key was not created
-
[ ] on the JI, verify that another reply can be submitted.
-
[ ] log out of the SI, log back in as the same source, and verify that both replies can be read.
-
[ ] For extra points, try to break reply key generation by doing multiple simultaneous file submissions.
Deployment
n/a
Checklist
If you made changes to the server application code:
- [x] Linting (
make lint) and tests (make test) pass in the development container
If you made non-trivial code changes:
- [x] I have written a test plan and validated it for this PR
Choose one of the following:
- [ ] I have opened a PR in the docs repo for these changes, or will do so later
- [ ] I would appreciate help with the documentation
- [x] These changes do not require documentation
@cfm that's valid, it is a bit :thinking: that we can make a change like this with no test suite impact. Will add later.
In lieu of adding tests, updated existing ones that check the relevant behavior - feel free to take a look @cfm
TBH I might not aim to have this in scope for 2.5.0. I think we need to do a bit more around key/account cleanup (especially for unused pending accounts) before a potential move to Sequoia, so maybe a 2.6.0? and then Sequoia in 2.7.0? Either way, no rush.
The offer of extra points inspired me to draft a minimal stress test for the /{,generate,create,lookup,submit,logout} happy path. I was indeed able to induce some stress, but I need to test further to determine:
- whether this possibility precedes or is introduced by these changes; and
- how much it matters.
Initial traceback pending further investigation
10.0.2.100 - - [27/Sep/2022 00:55:34] "POST /submit HTTP/1.1" 302 -
Exception in thread Thread-1567:
Traceback (most recent call last):
File "/usr/lib/python3.8/threading.py", line 932, in _bootstrap_inner
self.run()
File "/usr/lib/python3.8/threading.py", line 870, in run
self._target(*self._args, **self._kwargs)
File "/opt/venvs/securedrop-app-code/lib/python3.8/site-packages/pretty_bad_protocol/_meta.py", line 670, in _read_response
result._handle_status(keyword, value)
File "/opt/venvs/securedrop-app-code/lib/python3.8/site-packages/pretty_bad_protocol/_parsers.py", line 995, in _handle_status
raise ValueError("Unknown status message: %r" % key)
ValueError: Unknown status message: 'ERROR'
Marking ready for review now that we have release/2.5.0. @zenmonkeykstop, at your convenience, could you rebase this from develop, and then I'll re-approve and merge?
@zenmonkeykstop, would you have time to rebase and conflict-resolve this branch this week, for me to take another (probably final!) look?