-
Notifications
You must be signed in to change notification settings - Fork 40
Configuration
Cory Francis Myers edited this page Jun 5, 2024
·
4 revisions
SecureDrop Workstation applications are configured in production via QubesDB's /vm-config hierarchy. For convenience in development, the QubesDB value at /vm-config/FOO can also be provided as the environment variable FOO.
Currently:
- Rust programs (e.g.,
securedrop-proxy) built with thequbesdbfeature MUST read from QubesDB. Without this feature, they MUST fall back to environment variables. - Python programs (e.g.,
securedrop-client) MUST try to loadqubesdbat runtime (from thepython3-qubesdbDebian package from the Qubes repository; unavailable from PyPI). If it's not available, they MUST fall back to environment variables. -
template-from-qubesdbalways reads from QubesDB and never falls back to environment variables.
Therefore, in Python other than template-from-qubesdb, for some dataclass.field k:
flowchart TD
subgraph read
os.environ.get
QubesDB.read
end
subgraph normalize
ifEmpty
isNone
end
subgraph enforce
ifNone
getDefault
checkDefault
cast
end
import_qubesdb[import QubesDB] --ImportError --> os.environ.get["v = os.environ.get(k)"] --> ifEmpty
import_qubesdb --> QubesDB.read["v = QubesDB.read(k)"] --> ifEmpty
ifEmpty{"if not v or len(v) == 0"} --True--> isNone["v = None"] --> ifNone
ifEmpty --False--> ifNone
ifNone{"if v is None"} --True--> getDefault["v = field.default"] --> checkDefault
ifNone --False--> cast
checkDefault{"if v is MISSING"} --True--> KeyError["raise KeyError"]
checkDefault --False--> return
cast["x = field.type(v)"] --> return["return v"]
cast --ValueError--> TypeError["raise TypeError"]