Merge pull request #1098 from freedomofpress/1097-sd-viewer-internal

Make sd-viewer and sd-app internal (again)
freedomofpress · Jun 26, 2024 · c3f4dce · c3f4dce
2 parents 617d88c + 012b7ed
commit c3f4dce
Show file tree

Hide file tree

Showing 3 changed files with 19 additions and 8 deletions.
diff --git a/securedrop_salt/sd-app.sls b/securedrop_salt/sd-app.sls
@@ -30,15 +30,14 @@ sd-app:
         - sd-client
         - sd-workstation
     - features:
-    {% if d.environment == "prod" %}
       - set:
+        - vm-config.SD_MIME_HANDLING: sd-app
+{% if d.environment == "prod" %}
         - internal: 1
-    {% endif %}
+{% endif %}
       - enable:
         - service.paxctld
         - service.securedrop-mime-handling
-      - set:
-        - vm-config.SD_MIME_HANDLING: sd-app
     - require:
       - qvm: sd-small-{{ sdvars.distribution }}-template
 

diff --git a/securedrop_salt/sd-viewer.sls b/securedrop_salt/sd-viewer.sls
@@ -38,15 +38,14 @@ sd-viewer:
         - sd-viewer-vm
         - sd-{{ sdvars.distribution }}
     - features:
-    {% if d.environment == "prod" %}
       - set:
+        - vm-config.SD_MIME_HANDLING: sd-viewer
+{% if d.environment == "prod" %}
         - internal: 1
-    {% endif %}
+{% endif %}
       - enable:
         - service.paxctld
         - service.securedrop-mime-handling
-      - set:
-        - vm-config.SD_MIME_HANDLING: sd-viewer
     - require:
       - qvm: sd-large-{{ sdvars.distribution }}-template
 

diff --git a/tests/test_vms_exist.py b/tests/test_vms_exist.py
@@ -12,6 +12,9 @@
 )
 from qubesadmin import Qubes
 
+with open("config.json") as f:
+    CONFIG = json.load(f)
+
 
 class SD_VM_Tests(unittest.TestCase):
     def setUp(self):
@@ -29,6 +32,16 @@ def test_expected(self):
         expected_vms = set(SD_VMS + SD_DVM_TEMPLATES + SD_TEMPLATES)
         self.assertEqual(set(sdw_tagged_vm_names), set(expected_vms))
 
+    @unittest.skipIf(CONFIG["environment"] != "prod", "Skipping on non-prod system")
+    def test_internal(self):
+        not_internal = ["sd-proxy", "sd-whonix", "sd-devices"]
+
+        for vm_name in SD_VMS:
+            if vm_name in not_internal:
+                continue
+            vm = self.app.domains[vm_name]
+            self.assertEqual(vm.features.get("internal"), "1")
+
     def test_grsec_kernel(self):
         """
         Confirms expected grsecurity-patched kernel is running.