Securedrop: Release SecureDrop 0.9.0

Created on 22 Aug 2018  Â·  14Comments  Â·  Source: freedomofpress/securedrop

This is a tracking issue for the upcoming release of SecureDrop 0.9.0 - tasks may get added or modified.

Feature freeze: August 22, 2018
String freeze: August 29, 2018
Pre-release announcement: August 29, 2018
Release date: September 5, 2018

_SecureDrop maintainers and testers:_ As you QA 0.9.0, please report back your testing results as comments on this ticket. File GitHub issues for any problems found, tag them "QA: Release", and associate them with the 0.9 milestone for tracking.

Test debian packages will be posted on https://apt-test.freedom.press signed with the test key. An Ansible playbook testing the upgrade path is here.

Prepare release candidate (0.9.0~rc2)

  • [x] Update securedrop-keyring package (#3723)
  • [x] Prepare 0.9.0-rc2 release changelog - @emkll
  • [x] Prepare test plan for 0.9.0~rc2 - @emkll and @redshiftzero
  • [x] Create pull request for 0.9.0~rc2 into release/0.9 - @emkll
  • [x] Build debs (including linux-{image,firmware}) and put up 0.9.0~rc2 on test apt server - @emkll

Prepare release candidate (0.9.0~rc1)

  • [x] Prepare 0.9.0 release changelog - @emkll
  • [x] Write and send pre-release announcement (#3725 ) - @eloquence
  • [x] Check for Tor stable release (0.3.3.9 is currently on apt-test)
  • [x] Prepare test plan for 0.9.0~rc1 - @emkll and @redshiftzero
  • [x] Branch release/0.9 off develop
  • [x] Build debs (including linux-{image,firmware}) and put up 0.9.0~rc1 on test apt server - @emkll

QA Matrix for SecureDrop 0.9.0

After each test, please update the QA matrix and post details for Basic Server Testing, Application Acceptance Testing and 0.9.0-specific testing below.

Final release

  • [x] Merge final translations
  • [x] Push updated signing key to keyservers
  • [x] Push signed tag
  • [x] Update tor-apt repo with latest tor
  • [x] Build final Debian packages for 0.9.0
  • [x] Upload Debian packages (including new securedrop-keyring, linux-image, linux-firmware, and tor packages)
  • [x] Pre-Flight: Test install (not upgrade) of 0.9.0 works w/ prod repo debs
  • [x] Write and send release announcement (#3726 ) - @eloquence
  • [x] Publish blog post about 0.9.0 Debian package release and instructions for admins

Post release

  • [x] Merge changelog (i.e. rc commits) back to develop
  • [x] Bump version on develop in prep for 0.10.0 release

Most helpful comment

SecureDrop 0.9.0 pre-release QA Checklist

For both upgrades and fresh installs, here is a list of functionality that requires testing. You can use this for copy/pasting into your QA report. Feel free to edit this message to update the plan as appropriate.

Basic Server Testing

  • [ ] I can access both the source and journalist interfaces
  • [ ] I can SSH into both machines over Tor
  • [ ] AppArmor is loaded on app
  • [ ] AppArmor is loaded on mon
  • [ ] Both servers are running grsec kernels
  • [ ] iptables rules loaded
  • [ ] OSSEC emails begin to flow after install
  • [ ] OSSEC emails are decrypted to correct key and I am able to decrypt them

Command Line User Generation

  • [ ] Can successfully add admin user and login

Administration

  • [ ] I have backed up and successfully restored the app server following the documentation here: https://docs.securedrop.org/en/latest/backup_and_restore.html
  • [ ] If doing upgrade testing, make a backup on 0.8.0 and restore this backup on 0.9.0. Confirm that no further action is necessary and that (#3737) worked correctly.

Application Acceptance Testing

Source Interface

Landing page base cases
  • [ ] JS warning bar does not appear when using Security Slider high
  • [ ] JS warning bar does appear when using Security Slider Low
First submission base cases
  • [ ] On generate page, refreshing codename produces a new 7-word codename
  • [ ] On submit page, empty submissions produce flashed message
  • [ ] On submit page, short message submitted successfully
  • [ ] On submit page, file greater than 500 MB produces "The connection was reset" in Tor Browser _quickly_ before the entire file is uploaded
  • [ ] On submit page, file less than 500 MB submitted successfully
Returning source base cases
  • [ ] Nonexistent codename cannot log in
  • [ ] Empty codename cannot log in
  • [ ] Legitimate codename can log in
  • [ ] Returning user can view journalist replies - need to log into journalist interface to test

Journalist Interface

Login base cases
  • [ ] Can log in with 2FA tokens
  • [ ] incorrect password cannot log in
  • [ ] invalid 2fa token cannot log in
  • [ ] 2fa immediate reuse cannot log in
Index base cases
  • [ ] Filter by codename works
  • [ ] Starring and unstarring works
  • [ ] Click select all selects all submissions
  • [ ] Selecting all and clicking "Download all" works
Individual source page
  • [ ] You can submit a reply and a flashed message and new row appears
  • [ ] You cannot submit an empty reply
  • [ ] Clicking "Delete collection" and the source and docs are deleted
  • [ ] You can click on a document and successfully decrypt using application private key

0.9.0-specific testing

Tails 3.9~rc1 specific testing

Upgrade path
  • [ ] I have upgraded a Tails stick to 3.9~rc1
  • [ ] ./securedrop-admin setup successful
  • [ ] ./securedrop-admin sdconfig successful
  • [ ] ./securedrop-admin install successful
  • [ ] ./securedrop-admin tailsconfig successful

Journalist API:

Database Migrations (upgrade testing from 0.8.0)

Install on 0.8.0.

  • [ ] Add a test user and ensure you can login.
  • [ ] Submit a document as a source and save the codename.
    SSH into the application, and run ./qa-loader.py -m 25 in /var/www/securedrop (this is a script that loads a large quantity of random, fake data):
sudo su
cd /var/www/securedrop
./qa_loader.py

This might take some time. Note that it is the first time we are using this script in QA, so get loud if you notice any errors or anything confusing.

  • [ ] Upgrade to 0.9.0. The database migration occurs smoothly.
  • [ ] You can log in as your test user, the data should still be present in the journalist interface.
  • [ ] You can submit a new document as a new source.
  • [ ] You can log back into your existing source account.
  • [ ] From a source's perspective, the messaging flow in the same as in 0.8.0

Now, you should verify that the UUID columns added in the 0.9.0 release are present in each table, and that the new password hash columns exist:

Open db.sqlite with sqlite3 and validate:

sqlite3 /var/lib/securedrop/db.sqlite
select * from <table>
  • [ ] Journalist table contains argon2 passwords (user password is re-hashed with argon2 after a login with 0.9.0)
  • [ ] Replies table has a column called UUID and it is populated
  • [ ] Submissions table has a column called UUID and it is populated
  • [ ] Sources table has a column called UUID and it is populated

Linux kernel 4.4.144

  • [ ] Uname -r returns 4.4.144-grsec
  • [ ] sudo apt list --installed | grep linux-image does not include linux-image-4.4.115-grsec (3.14.79, 4.4.135 and 4.4.144)
  • [ ] Update the kernel testing matrix if you are using dedicated hardware

Tor 0.3.3.9

  • [ ] tor bootstaps successfully and source/journalist interfaces are reachable
  • [ ] tor --version returns 0.3.3.9

Journalist Reply refactor

  • [ ] Reply to a source, and the reply is visible in the journalist interface
  • [ ] The reply can be downloaded and successfully decrypted
  • [ ] Login as a source and delete a reply that you received. The reply is no longer visible in the source interface. It is still visible in the journalist interface, where a check mark icon (2nd table column) indicates receipt by the source.

Tails 3.9~rc1 testing

  • [ ] ./securedrop-admin setup works without error
  • [ ] ./securedrop-admin config works without error
  • [ ] ./securedrop-admin install works without error
  • [ ] ./securedrop-admin tailsconfig works without error
  • [ ] I can access the source interface through the desktop shortcut
  • [ ] I can access the journalist interface by clicking on the desktop shortcut
  • [ ] ./securedrop-admin backup works without error
  • [ ] checkout 0.7.0, reboot, and ensure the SecureDrop updater gui appears (and updates to 0.8.0)

0.9.0-rc2 specific testing

  • [ ] apt-key list on app and mon server return an expiry date of 2019-10-03 for the SecureDrop release Key (00FAD77) (#3723)
  • [ ] On the journalist interface, the reply icon for a read message now has a tooltip that says 'Read' (#3734)
  • [ ] /var/securedrop/wheelhouse contains Flask 1.0.2 and werkzeug 0.14.1 (#3740)
  • [ ] create a local tag for 0.10.0 and ensure that ./securedrop-admin update correctly switches to that branch when invoked (#3579)

0.9.0-rc4 specific testing

0.9.0-rc5 specific testing

  • [ ] The banner does not ask you to use Tor Browser when using Tor Browser 8.0 series.

All 14 comments

SecureDrop 0.9.0 pre-release QA Checklist

For both upgrades and fresh installs, here is a list of functionality that requires testing. You can use this for copy/pasting into your QA report. Feel free to edit this message to update the plan as appropriate.

Basic Server Testing

  • [ ] I can access both the source and journalist interfaces
  • [ ] I can SSH into both machines over Tor
  • [ ] AppArmor is loaded on app
  • [ ] AppArmor is loaded on mon
  • [ ] Both servers are running grsec kernels
  • [ ] iptables rules loaded
  • [ ] OSSEC emails begin to flow after install
  • [ ] OSSEC emails are decrypted to correct key and I am able to decrypt them

Command Line User Generation

  • [ ] Can successfully add admin user and login

Administration

  • [ ] I have backed up and successfully restored the app server following the documentation here: https://docs.securedrop.org/en/latest/backup_and_restore.html
  • [ ] If doing upgrade testing, make a backup on 0.8.0 and restore this backup on 0.9.0. Confirm that no further action is necessary and that (#3737) worked correctly.

Application Acceptance Testing

Source Interface

Landing page base cases
  • [ ] JS warning bar does not appear when using Security Slider high
  • [ ] JS warning bar does appear when using Security Slider Low
First submission base cases
  • [ ] On generate page, refreshing codename produces a new 7-word codename
  • [ ] On submit page, empty submissions produce flashed message
  • [ ] On submit page, short message submitted successfully
  • [ ] On submit page, file greater than 500 MB produces "The connection was reset" in Tor Browser _quickly_ before the entire file is uploaded
  • [ ] On submit page, file less than 500 MB submitted successfully
Returning source base cases
  • [ ] Nonexistent codename cannot log in
  • [ ] Empty codename cannot log in
  • [ ] Legitimate codename can log in
  • [ ] Returning user can view journalist replies - need to log into journalist interface to test

Journalist Interface

Login base cases
  • [ ] Can log in with 2FA tokens
  • [ ] incorrect password cannot log in
  • [ ] invalid 2fa token cannot log in
  • [ ] 2fa immediate reuse cannot log in
Index base cases
  • [ ] Filter by codename works
  • [ ] Starring and unstarring works
  • [ ] Click select all selects all submissions
  • [ ] Selecting all and clicking "Download all" works
Individual source page
  • [ ] You can submit a reply and a flashed message and new row appears
  • [ ] You cannot submit an empty reply
  • [ ] Clicking "Delete collection" and the source and docs are deleted
  • [ ] You can click on a document and successfully decrypt using application private key

0.9.0-specific testing

Tails 3.9~rc1 specific testing

Upgrade path
  • [ ] I have upgraded a Tails stick to 3.9~rc1
  • [ ] ./securedrop-admin setup successful
  • [ ] ./securedrop-admin sdconfig successful
  • [ ] ./securedrop-admin install successful
  • [ ] ./securedrop-admin tailsconfig successful

Journalist API:

Database Migrations (upgrade testing from 0.8.0)

Install on 0.8.0.

  • [ ] Add a test user and ensure you can login.
  • [ ] Submit a document as a source and save the codename.
    SSH into the application, and run ./qa-loader.py -m 25 in /var/www/securedrop (this is a script that loads a large quantity of random, fake data):
sudo su
cd /var/www/securedrop
./qa_loader.py

This might take some time. Note that it is the first time we are using this script in QA, so get loud if you notice any errors or anything confusing.

  • [ ] Upgrade to 0.9.0. The database migration occurs smoothly.
  • [ ] You can log in as your test user, the data should still be present in the journalist interface.
  • [ ] You can submit a new document as a new source.
  • [ ] You can log back into your existing source account.
  • [ ] From a source's perspective, the messaging flow in the same as in 0.8.0

Now, you should verify that the UUID columns added in the 0.9.0 release are present in each table, and that the new password hash columns exist:

Open db.sqlite with sqlite3 and validate:

sqlite3 /var/lib/securedrop/db.sqlite
select * from <table>
  • [ ] Journalist table contains argon2 passwords (user password is re-hashed with argon2 after a login with 0.9.0)
  • [ ] Replies table has a column called UUID and it is populated
  • [ ] Submissions table has a column called UUID and it is populated
  • [ ] Sources table has a column called UUID and it is populated

Linux kernel 4.4.144

  • [ ] Uname -r returns 4.4.144-grsec
  • [ ] sudo apt list --installed | grep linux-image does not include linux-image-4.4.115-grsec (3.14.79, 4.4.135 and 4.4.144)
  • [ ] Update the kernel testing matrix if you are using dedicated hardware

Tor 0.3.3.9

  • [ ] tor bootstaps successfully and source/journalist interfaces are reachable
  • [ ] tor --version returns 0.3.3.9

Journalist Reply refactor

  • [ ] Reply to a source, and the reply is visible in the journalist interface
  • [ ] The reply can be downloaded and successfully decrypted
  • [ ] Login as a source and delete a reply that you received. The reply is no longer visible in the source interface. It is still visible in the journalist interface, where a check mark icon (2nd table column) indicates receipt by the source.

Tails 3.9~rc1 testing

  • [ ] ./securedrop-admin setup works without error
  • [ ] ./securedrop-admin config works without error
  • [ ] ./securedrop-admin install works without error
  • [ ] ./securedrop-admin tailsconfig works without error
  • [ ] I can access the source interface through the desktop shortcut
  • [ ] I can access the journalist interface by clicking on the desktop shortcut
  • [ ] ./securedrop-admin backup works without error
  • [ ] checkout 0.7.0, reboot, and ensure the SecureDrop updater gui appears (and updates to 0.8.0)

0.9.0-rc2 specific testing

  • [ ] apt-key list on app and mon server return an expiry date of 2019-10-03 for the SecureDrop release Key (00FAD77) (#3723)
  • [ ] On the journalist interface, the reply icon for a read message now has a tooltip that says 'Read' (#3734)
  • [ ] /var/securedrop/wheelhouse contains Flask 1.0.2 and werkzeug 0.14.1 (#3740)
  • [ ] create a local tag for 0.10.0 and ensure that ./securedrop-admin update correctly switches to that branch when invoked (#3579)

0.9.0-rc4 specific testing

0.9.0-rc5 specific testing

  • [ ] The banner does not ask you to use Tor Browser when using Tor Browser 8.0 series.

Clean install of 0.9rc1 (Rackmounted servers)

NOTE: I did not test the journalist API nor did I test the database migrations. I only installed cleanly, details are below.

Basic Server Testing

  • [x] I can access both the source and journalist interfaces
  • [x] I can SSH into both machines over Tor
  • [x] AppArmor is loaded on app
  • [x] AppArmor is loaded on mon
  • [x] Both servers are running grsec kernels
  • [x] iptables rules loaded
  • [x] OSSEC emails begin to flow after install
  • [x] OSSEC emails are decrypted to correct key and I am able to decrypt them

Command Line User Generation

  • [x] Can successfully add admin user and login

Administration

Application Acceptance Testing

Source Interface

Landing page base cases

  • [x] JS warning bar does not appear when using Security Slider high
  • [x] JS warning bar does appear when using Security Slider Low

First submission base cases

  • [x] On generate page, refreshing codename produces a new 7-word codename
  • [x] On submit page, empty submissions produce flashed message
  • [x] On submit page, short message submitted successfully
  • [x] On submit page, file greater than 500 MB produces "The connection was reset" in Tor Browser quickly before the entire file is uploaded
  • [x] On submit page, file less than 500 MB submitted successfully

    Returning source base cases

  • [x] Nonexistent codename cannot log in

  • [x] Empty codename cannot log in
  • [x] Legitimate codename can log in
  • [x] Returning user can view journalist replies - need to log into journalist interface to test

    Journalist Interface

Login base cases

  • [x] Can log in with 2FA tokens
  • [x] incorrect password cannot log in
  • [x] invalid 2fa token cannot log in
  • [x] 2fa immediate reuse cannot log in

    Index base cases

  • [x] Filter by codename works

  • [x] Starring and unstarring works
  • [x] Click select all selects all submissions
  • [] Selecting all and clicking "Download all" works

    Individual source page

  • [x] You can submit a reply and a flashed message and new row appears

  • [x] You cannot submit an empty reply
  • [x] Clicking "Delete collection" and the source and docs are deleted
  • [x] You can click on a document and successfully decrypt using application private key

0.9.0-specific testing

Linux kernel 4.4.144

  • [x] Uname -r returns 4.4.144-grsec
  • [x] sudo apt list --installed | grep linux-image does not include linux-image-4.4.115-grsec (3.14.79, 4.4.135 and 4.4.144)
  • [x] Update the kernel testing matrix if you are using dedicated hardware

    Tor 0.3.3.9

  • [x] tor bootstaps successfully and source/journalist interfaces are reachable

  • [x] tor --version returns 0.3.3.9

    Journalist Reply refactor

  • [x] Reply to a source, and the reply is visible in the journalist interface

  • [x] The reply can be downloaded and successfully decrypted

Upgrade test: 0.8.0 to 0.9.0~rc1 - 2014 Mac Minis

_Note: API db migration tests TK_

Basic Server Testing

  • [x] I can access both the source and journalist interfaces
  • [x] I can SSH into both machines over Tor
  • [x] AppArmor is loaded on app - confirmed with ‘sudo aa-status’
  • [x] AppArmor is loaded on mon - confirmed with ‘sudo aa-status’
  • [x] Both servers are running grsec kernels - _App:4.4.135-grsec; mon:4.4.135-grsec initially - rebooted manually, now 4.4.144-grsec_
  • [x] iptables rules loaded - _Confirmed on both with ‘sudo iptables -L -n’_
  • [x] OSSEC emails begin to flow after install
  • [x] OSSEC emails are decrypted to correct key and I am able to decrypt them

Command Line User Generation

  • [x] Can successfully add admin user and login.

Administration

Application Acceptance Testing

Source Interface

Landing page base cases

  • [x] JS warning bar does not appear when using Security Slider high
  • [x] JS warning bar does appear when using Security Slider Low

First submission base cases

  • [x] On generate page, refreshing codename produces a new 7-word codename
  • [x] On submit page, empty submissions produce flashed message
  • [x] On submit page, short message submitted successfully
  • [x] On submit page, file greater than 500 MB produces "The connection was reset" in Tor Browser quickly before the entire file is uploaded
  • [x] On submit page, file less than 500 MB submitted successfully

Returning source base cases

  • [x] Nonexistent codename cannot log in
  • [x] Empty codename cannot log in
  • [x] Legitimate codename can log in
  • [x] Returning user can view journalist replies - need to log into journalist interface to test

Journalist Interface

Login base cases

  • [x] Can log in with 2FA tokens
  • [x] incorrect password cannot log in
  • [x] invalid 2fa token cannot log in
  • [x] 2fa immediate reuse cannot log in

Index base cases

  • [x] Filter by codename works
  • [x] Starring and unstarring works
  • [x] Click select all selects all submissions
  • [x] Selecting all and clicking "Download all" works - _Confirmed - except there is no “Download all,” just “Download”_

Individual source page

  • [x] You can submit a reply and a flashed message and new row appears
  • [x] You cannot submit an empty reply
  • [x] Clicking "Delete collection" and the source and docs are deleted - _Confirmed - except it’s “Delete Source And Submissions”_
  • [x] You can click on a document and successfully decrypt using application private key

0.9.0-specific testing

Journalist API:

Database Migrations (upgrade testing from 0.8.0)

Install on 0.8.0.

  • [x] Add a test user and ensure you can login.
  • [x] Submit a document as a source and save the codename.
  • [x] SSH into the application, and run the qa-loader.py (this is a script that loads a large quantity of random, fake data):
  • [x] Upgrade to 0.9.0. The database migration occurs smoothly.
    :exclamation: #3733 was opened to track this - db migration v.v.slow

  • [x] You can log in as your test user, the data should still be present in the journalist interface.

  • [x] You can submit a new document as a new source.
  • [x] You can log back into your existing source account.
  • [ ] From a source's perspective, the messaging flow in the same as in 0.8.0
    :exclamation: qa_loader.py adds extraneous replies, cluttering up the source view. #3739 added to track this.

Now, you should verify that the UUID columns added in the 0.9.0 release are present in each table, and that the new password hash columns exist:

Open db.sqlite with sqlite3 and validate:

sqlite3 /var/lib/securedrop/db.sqlite
select * from <table>
  • [x] Journalist table contains argon2 passwords (user password is re-hashed with argon2 after a login with 0.9.0)
  • [x] Replies table has a column called UUID and it is populated
  • [x] Submissions table has a column called UUID and it is populated
  • [x] Sources table has a column called UUID and it is populated

Linux kernel 4.4.144

  • [x] Uname -r returns 4.4.144-grsec - _Confirmed - after manual reboot_
  • [x] sudo apt list --installed | grep linux-image does not include linux-image-4.4.115-grsec (3.14.79, 4.4.135 and 4.4.144)
  • [x] Update the kernel testing matrix if you are using dedicated hardware -

Tor 0.3.3.9

  • [x] tor bootstraps successfully and source/journalist interfaces are reachable
  • [x] tor --version returns 0.3.3.9

Journalist Reply refactor

  • [x] Reply to a source, and the reply is visible in the journalist interface
  • [x] The reply can be downloaded and successfully decrypted
  • [x] Login as a source and delete a reply that you received. The reply is no longer visible in the source interface. It is still visible in the journalist interface, where a check mark icon (2nd table column) indicates receipt by the source. - _Confirmed, but tooltip missing from checkmark icon_

To use the tbb-0.9.0 branch against an external rc server, one has to fill up an instance_information.json file inside of the tests/functinoal directory as given in https://github.com/freedomofpress/securedrop/tree/tbb-0.9.0/securedrop/tests/functional#to-test-in-prod-vms , make sure to have a "sleep_time": 30 or more.

Next, you can run all the functional tests by

cd securedrop
./bin/dev-shell ./bin/run-test --capture=no -v tests/functional/

It is better to run each of the test files inside of the functional tests directory one by one. Remember to reset the terminal if you get a lot of debugging error log. The errors (Python tracebacks) will be mentioned in the top section of the output.

What should the expected behaviour be when restoring a backup from a 0.8.0 instance onto a 0.9.0 one? Is that simply unsupported? If not, is it expected to work? If so, it might be good to have a test case like

  • [ ] Install on 0.8.0
  • [ ] Add test journalist user and source users, submit document and message as source, reply as journalist
  • [ ] take backup of system from admin workstation using securedrop-admin backup
  • [ ] Upgrade to 0.9.0
  • [ ] restore from backup without errors and with db migration
  • [ ] confirm that test users and documents still present
  • [ ] confirm that UUID fields added as per API tests

NUC 5PYH upgrade testing (with https on source interface)

Basic Server Testing

  • [x] I can access both the source and journalist interfaces
  • [x] I can SSH into both machines over Tor
  • [x] AppArmor is loaded on app
  • [x] AppArmor is loaded on mon
  • [x] Both servers are running grsec kernels
  • [x] iptables rules loaded
  • [x] OSSEC emails begin to flow after install
  • [x] OSSEC emails are decrypted to correct key and I am able to decrypt them

Command Line User Generation

  • [x] Can successfully add admin user and login

Administration

:exclamation: https://github.com/freedomofpress/securedrop/issues/3732 was opened to track the previous version backup applying database migrations.

  • [x] If doing upgrade testing, make a backup on 0.8.0 and restore this backup on 0.9.0. Confirm that sudo dpkg-reconfigure securedrop-app-code on the app server fixes the install.

Application Acceptance Testing

Source Interface

Landing page base cases
  • [x] JS warning bar does not appear when using Security Slider high
  • [x] JS warning bar does appear when using Security Slider Low
First submission base cases
  • [x] On generate page, refreshing codename produces a new 7-word codename
  • [ ] On submit page, empty submissions produce flashed message
  • [x] On submit page, short message submitted successfully
  • [x] On submit page, file greater than 500 MB produces "The connection was reset" in Tor Browser _quickly_ before the entire file is uploaded
  • [x] On submit page, file less than 500 MB submitted successfully
Returning source base cases
  • [x] Nonexistent codename cannot log in
  • [x] Empty codename cannot log in
  • [x] Legitimate codename can log in
  • [x] Returning user can view journalist replies - need to log into journalist interface to test

Journalist Interface

Login base cases
  • [x] Can log in with 2FA tokens
  • [x] incorrect password cannot log in
  • [x] invalid 2fa token cannot log in
  • [x] 2fa immediate reuse cannot log in
Index base cases
  • [x] Filter by codename works
  • [x] Starring and unstarring works
  • [x] Click select all selects all submissions
  • [x] Selecting all and clicking "Download all" works
Individual source page
  • [x] You can submit a reply and a flashed message and new row appears
  • [x] You cannot submit an empty reply
  • [x] Clicking "Delete collection" and the source and docs are deleted
  • [x] You can click on a document and successfully decrypt using application private key

0.9.0-specific testing

Journalist API:

Database Migrations (upgrade testing from 0.8.0)

Install on 0.8.0.

  • [x] Add a test user and ensure you can login.
  • [ ] Submit a document as a source and save the codename.
    SSH into the application, and run the qa-loader.py (this is a script that loads a large quantity of random, fake data):
sudo su
cd /var/www/securedrop
./qa_loader.py

This might take some time. Note that it is the first time we are using this script in QA, so get loud if you notice any errors or anything confusing.

  • [x] Upgrade to 0.9.0. The database migration occurs smoothly.
  • [x] You can log in as your test user, the data should still be present in the journalist interface.
  • [x] You can submit a new document as a new source.
  • [x] You can log back into your existing source account.
  • [x] From a source's perspective, the messaging flow in the same as in 0.8.0

Now, you should verify that the UUID columns added in the 0.9.0 release are present in each table, and that the new password hash columns exist:

Open db.sqlite with sqlite3 and validate:

sqlite3 /var/lib/securedrop/db.sqlite
select * from <table>
  • [x] Journalist table contains argon2 passwords (user password is re-hashed with argon2 after a login with 0.9.0)
  • [x] Replies table has a column called UUID and it is populated
  • [x] Submissions table has a column called UUID and it is populated
  • [x] Sources table has a column called UUID and it is populated

Linux kernel 4.4.144

  • [x] Uname -r returns 4.4.144-grsec
  • [x] sudo apt list --installed | grep linux-image does not include linux-image-4.4.115-grsec (3.14.79, 4.4.135 and 4.4.144)
  • [x] Update the kernel testing matrix if you are using dedicated hardware

Tor 0.3.3.9

  • [x] tor bootstaps successfully and source/journalist interfaces are reachable
  • [x] tor --version returns 0.3.3.9

Journalist Reply refactor

  • [x] Reply to a source, and the reply is visible in the journalist interface
  • [x] The reply can be downloaded and successfully decrypted
  • [x] Login as a source and delete a reply that you received. The reply is no longer visible in the source interface. It is still visible in the journalist interface, where a check mark icon (2nd table column) indicates receipt by the source.

Tails 3.9~rc1 testing

  • [x] ./securedrop-admin setup works without error
  • [x] ./securedrop-admin config works without error
  • [x] ./securedrop-admin install works without error
  • [x] ./securedrop-admin tailsconfig works without error
  • [x] I can access the source interface through the desktop shortcut
  • [x] I can access the journalist interface by clicking on the desktop shortcut
  • [x] ./securedrop-admin backup works without error
  • [ ] checkout 0.7.0, reboot, and ensure the SecureDrop updater gui appears (and updates to 0.8.0)
    :exclamation: The SecureDrop updater does not appear on reboot when 0.7.0 is checked out.

That's a great point @zenmonkeykstop, thanks! Based on my testing for 0.8.0 and 0.9.0, the application will break, I have opened a ticket to track this https://github.com/freedomofpress/securedrop/issues/3732 and updated the administration section of the test plan. Feel free to edit the test plan further, as you see fit.

SecureDrop 0.9.0 rc upgrade 0.8.0

Basic Server Testing

  • [x] I can access both the source and journalist interfaces
  • [x] I can SSH into both machines over Tor
  • [x] AppArmor is loaded on app
  • [x] AppArmor is loaded on mon
  • [x] Both servers are running grsec kernels
  • [x] iptables rules loaded
  • [x] OSSEC emails begin to flow after install
  • [x] OSSEC emails are decrypted to correct key and I am able to decrypt them

Command Line User Generation

  • [x] Can successfully add admin user and login

Administration

  • [x] I have backed up and successfully restored the app server following the documentation here: https://docs.securedrop.org/en/latest/backup_and_restore.html
  • [ ] If doing upgrade testing, make a backup on 0.8.0 and restore this backup on 0.9.0. Confirm that sudo dpkg-reconfigure securedrop-app-code on the app server fixes the install. (did not test).

Application Acceptance Testing

Source Interface

Landing page base cases
  • [x] JS warning bar does not appear when using Security Slider high
  • [x] JS warning bar does appear when using Security Slider Low
First submission base cases
  • [x] On generate page, refreshing codename produces a new 7-word codename
  • [x] On submit page, empty submissions produce flashed message
  • [x] On submit page, short message submitted successfully
  • [x] On submit page, file greater than 500 MB produces "The connection was reset" in Tor Browser _quickly_ before the entire file is uploaded
  • [x] On submit page, file less than 500 MB submitted successfully
Returning source base cases
  • [ ] Nonexistent codename cannot log in
  • [x] Empty codename cannot log in
  • [x] Legitimate codename can log in
  • [x] Returning user can view journalist replies - need to log into journalist interface to test

Journalist Interface

Login base cases
  • [x] Can log in with 2FA tokens
  • [x] incorrect password cannot log in
  • [x] invalid 2fa token cannot log in
  • [x] 2fa immediate reuse cannot log in
Index base cases
  • [x] Filter by codename works
  • [x] Starring and unstarring works
  • [x] Click select all selects all submissions
  • [x] Selecting all and clicking "Download all" works
Individual source page
  • [x] You can submit a reply and a flashed message and new row appears
  • [x] You cannot submit an empty reply
  • [x] Clicking "Delete collection" and the source and docs are deleted
  • [x] You can click on a document and successfully decrypt using application private key

0.9.0-specific testing

Tails 3.9~rc1 specific testing

Upgrade path
  • [x] I have upgraded a Tails stick to 3.9~rc1
  • [x] ./securedrop-admin setup successful
  • [x] ./securedrop-admin sdconfig successful
  • [x] ./securedrop-admin install successful
  • [x] ./securedrop-admin tailsconfig successful

Journalist API:

Database Migrations (upgrade testing from 0.8.0)

Install on 0.8.0.

  • [x] Add a test user and ensure you can login.
  • [x] Submit a document as a source and save the codename.

SSH into the application, and run the qa-loader.py (this is a script that loads a large quantity of random, fake data):

sudo su

cd /var/www/securedrop

./qa_loader.py

This might take some time. Note that it is the first time we are using this script in QA, so get loud if you notice any errors or anything confusing.

  • [x] Upgrade to 0.9.0. The database migration occurs smoothly.
  • [x] You can log in as your test user, the data should still be present in the journalist interface.
  • [x] You can submit a new document as a new source.
  • [x] You can log back into your existing source account.
  • [x] From a source's perspective, the messaging flow in the same as in 0.8.0

Now, you should verify that the UUID columns added in the 0.9.0 release are present in each table, and that the new password hash columns exist:

Open db.sqlite with sqlite3 and validate:

sqlite3 /var/lib/securedrop/db.sqlite
select * from <table>

  • [x] Journalist table contains argon2 passwords (user password is re-hashed with argon2 after a login with 0.9.0)
  • [x] Replies table has a column called UUID and it is populated
  • [x] Submissions table has a column called UUID and it is populated
  • [x] Sources table has a column called UUID and it is populated

Linux kernel 4.4.144

  • [x] Uname -r returns 4.4.144-grsec
  • [x] sudo apt list --installed | grep linux-image does not include linux-image-4.4.115-grsec (3.14.79, 4.4.135 and 4.4.144)
  • [x] Update the kernel testing matrix if you are using dedicated hardware

Tor 0.3.3.9

  • [x] tor bootstaps successfully and source/journalist interfaces are reachable
  • [x] tor --version returns 0.3.3.9

Journalist Reply refactor

  • [x] Reply to a source, and the reply is visible in the journalist interface
  • [x] The reply can be downloaded and successfully decrypted
  • [x] Login as a source and delete a reply that you received. The reply is no longer visible in the source interface. It is still visible in the journalist interface, where a check mark icon (2nd table column) indicates receipt by the source.

Edit: opened as #3758

I believe I found a bug in upgrading from 0.8 to 0.9rc2 in that sources can only submit documents or documents and messages. If I try to send _only_ messages or a blank form field I get a "Bad Request, the browser or proxy sent a request that this server could not understand" error.

First I installed 0.8.0 on hardware and create a journalist. I then ran ./qa-loader.py -m 25. I logged in and and see submissions. I then added the apt-test key and updated sources.list to apt.freedom.press to apt-test.freedom.press. Finally I ran sudo cron-apt -i -s to update to 0.9rc2

I also enabled apache debug logging and attempted to patch the source_app/ code to log anything related to CSRF violations and I was was not able to trigger a debug log.

Upgrade install of 0.9rc3 (Rackmounted servers)

Notes: I know we are cutting rc4 debs soon, this list is for posterity.

Basic Server Testing

  • [x] I can access both the source and journalist interfaces
  • [x] I can SSH into both machines over Tor
  • [x] AppArmor is loaded on app
  • [x] AppArmor is loaded on mon
  • [x] Both servers are running grsec kernels
  • [x] iptables rules loaded
  • [ ] OSSEC emails begin to flow after install (Did not test)
  • [ ] OSSEC emails are decrypted to correct key and I am able to decrypt them (Did not test)

Command Line User Generation

  • [x] Can successfully add admin user and login

Administration

Application Acceptance Testing

Source Interface

Landing page base cases

  • [x] JS warning bar does not appear when using Security Slider high
  • [x] JS warning bar does appear when using Security Slider Low

First submission base cases

  • [x] On generate page, refreshing codename produces a new 7-word codename
  • [x] On submit page, empty submissions produce flashed message (BAD REQUEST / the browser or proxy sent a request that this server could not understand)
  • [x] On submit page, short message submitted successfully
  • [x] On submit page, file greater than 500 MB produces "The connection was reset" in Tor Browser quickly before the entire file is uploaded
  • [x] On submit page, file less than 500 MB submitted successfully

Returning source base cases

  • [x] Nonexistent codename cannot log in
  • [x] Empty codename cannot log in
  • [x] Legitimate codename can log in
  • [x] Returning user can view journalist replies - need to log into journalist interface to test

Journalist Interface

Login base cases

  • [x] Can log in with 2FA tokens
  • [x] incorrect password cannot log in
  • [x] invalid 2fa token cannot log in
  • [x] 2fa immediate reuse cannot log in

Index base cases

  • [x] Filter by codename works
  • [x] Starring and unstarring works
  • [x] Click select all selects all submissions
  • [x] Selecting all and clicking "Download all" works

Individual source page

  • [x] You can submit a reply and a flashed message and new row appears
  • [x] You cannot submit an empty reply
  • [x] Clicking "Delete collection" and the source and docs are deleted
  • [ ] You can click on a document and successfully decrypt using application private key (Did not test)

0.9.0-specific testing

  • [x] Add a test user and ensure you can login.
  • [x] Submit a document as a source and save the codename.
  • [x] SSH into the application, and run ./qa-loader.py -m 25 in /var/www/securedrop (this is a script that loads a large quantity of random, fake data):
  • [x] Journalist table contains argon2 passwords (user password is re-hashed with argon2 after a login with 0.9.0)
  • [x] Replies table has a column called UUID and it is populated
  • [x] Submissions table has a column called UUID and it is populated
  • [x] Sources table has a column called UUID and it is populated

Linux kernel 4.4.144

  • [x] Uname -r returns 4.4.144-grsec
  • [x] sudo apt list --installed | grep linux-image does not include linux-image-4.4.115-grsec (3.14.79, 4.4.135 and 4.4.144)
  • [] Update the kernel testing matrix if you are using dedicated hardware

Tor 0.3.3.9

  • [x] tor bootstaps successfully and source/journalist interfaces are reachable
  • [x] tor --version returns 0.3.3.9

0.9.0-rc3 specific testing

  • [x] allow text only submissions #3758
  • [x] apt-key list on app and mon server return an expiry date of 2018-10-03 for the SecureDrop release Key (00FAD77) (#3723)
  • [x] /var/securedrop/wheelhouse contains Flask 1.0.2 and werkzeug 0.14.1 (#3740)

Upgrade test: 0.8.0 to 0.9.0~rc4 - 2014 Mac Minis

Basic Server Testing

  • [x] I can access both the source and journalist interfaces
  • [x] I can SSH into both machines over Tor
  • [x] AppArmor is loaded on app - confirmed with ‘sudo aa-status’
  • [x] AppArmor is loaded on mon - confirmed with ‘sudo aa-status’
  • [x] Both servers are running grsec kernels - _App:4.4.135-grsec; mon:4.4.135-grsec initially - rebooted manually, now 4.4.144-grsec_
  • [x] iptables rules loaded - _Confirmed on both with ‘sudo iptables -L -n’_
  • [x] OSSEC emails begin to flow after install
  • [x] OSSEC emails are decrypted to correct key and I am able to decrypt them

Command Line User Generation

  • [x] Can successfully add admin user and login.

Administration

Application Acceptance Testing

Source Interface

Landing page base cases

  • [x] JS warning bar does not appear when using Security Slider high
  • [ ] JS warning bar does appear when using Security Slider Low - gets the "it is recommended to use the Tor Browser..." bar instead on Tails 3.9~rc1
    :exclamation: #3788 was opened to track this

First submission base cases

  • [x] On generate page, refreshing codename produces a new 7-word codename
  • [x] On submit page, empty submissions produce flashed message
  • [x] On submit page, short message submitted successfully
  • [x] On submit page, file greater than 500 MB produces "The connection was reset" in Tor Browser quickly before the entire file is uploaded
  • [x] On submit page, file less than 500 MB submitted successfully

Returning source base cases

  • [x] Nonexistent codename cannot log in
  • [x] Empty codename cannot log in
  • [x] Legitimate codename can log in
  • [x] Returning user can view journalist replies - need to log into journalist interface to test

Journalist Interface

Login base cases

  • [x] Can log in with 2FA tokens
  • [x] incorrect password cannot log in
  • [x] invalid 2fa token cannot log in
  • [x] 2fa immediate reuse cannot log in

Index base cases

  • [x] Filter by codename works
  • [x] Starring and unstarring works
  • [x] Click select all selects all submissions
  • [x] Selecting all and clicking "Download all" works - works fine with manually-generated submissions. - fails with 500 error for large number of qa_loader.py-generated submissions

Individual source page

  • [x] You can submit a reply and a flashed message and new row appears
  • [x] You cannot submit an empty reply
  • [x] Clicking "Delete collection" and the source and docs are deleted - _Confirmed - except it’s “Delete Source And Submissions”_
  • [x] You can click on a document and successfully decrypt using application private key

0.9.0-specific testing

Journalist API:

Authorization:

  • [x] WSGIPassAuthorization directive set to On in /etc/apache2/sites-available/journalist.conf

Database Migrations (upgrade testing from 0.8.0)

Install on 0.8.0.

  • [x] Add a test user and ensure you can login.
  • [x] Submit a document as a source and save the codename.
  • [x] SSH into the application, and run the qa-loader.py (this is a script that loads a large quantity of random, fake data):
  • [x] Upgrade to 0.9.0. The database migration occurs smoothly.

  • [x] You can log in as your test user, the data should still be present in the journalist interface.

  • [x] You can submit a new document as a new source.
  • [x] You can log back into your existing source account.
  • [X] From a source's perspective, the messaging flow in the same as in 0.8.0

Now, you should verify that the UUID columns added in the 0.9.0 release are present in each table, and that the new password hash columns exist:

Open db.sqlite with sqlite3 and validate:

sqlite3 /var/lib/securedrop/db.sqlite
select * from <table>
  • [x] Journalist table contains argon2 passwords (user password is re-hashed with argon2 after a login with 0.9.0)
  • [x] Replies table has a column called UUID and it is populated
  • [x] Submissions table has a column called UUID and it is populated
  • [x] Sources table has a column called UUID and it is populated

Linux kernel 4.4.144

  • [x] Uname -r returns 4.4.144-grsec - _Confirmed - after manual reboot_
  • [x] sudo apt list --installed | grep linux-image does not include linux-image-4.4.115-grsec (3.14.79, 4.4.135 and 4.4.144)
  • [x] Update the kernel testing matrix if you are using dedicated hardware -

Tor 0.3.3.9

  • [x] tor bootstraps successfully and source/journalist interfaces are reachable
  • [x] tor --version returns 0.3.3.9

Journalist Reply refactor

  • [x] Reply to a source, and the reply is visible in the journalist interface
  • [x] The reply can be downloaded and successfully decrypted
  • [x] Login as a source and delete a reply that you received. The reply is no longer visible in the source interface. It is still visible in the journalist interface, where a check mark icon (2nd table column) indicates receipt by the source.

SecureDrop 0.9.0 Upgrade from 0.8.0 - Intel NUC (IN PROGRESS)

Basic Server Testing

  • [x] I can access both the source and journalist interfaces
  • [x] I can SSH into both machines over Tor
  • [x] AppArmor is loaded on app
  • [x] AppArmor is loaded on mon
  • [x] Both servers are running grsec kernels
  • [x] iptables rules loaded
  • [x] OSSEC emails begin to flow after install
  • [x] OSSEC emails are decrypted to correct key and I am able to decrypt them

Command Line User Generation

  • [x] Can successfully add admin user and login

Administration

  • [x] I have backed up and successfully restored the app server following the documentation here: https://docs.securedrop.org/en/latest/backup_and_restore.html
  • [x] If doing upgrade testing, make a backup on 0.8.0 and restore this backup on 0.9.0. Confirm that no further action is necessary and that (#3737) worked correctly.

Application Acceptance Testing

Source Interface

Landing page base cases
  • [x] JS warning bar does not appear when using Security Slider high
  • x] JS warning bar does appear when using Security Slider Low
First submission base cases
  • [x] On generate page, refreshing codename produces a new 7-word codename
  • [x] On submit page, empty submissions produce flashed message
  • [x] On submit page, short message submitted successfully
  • [x] On submit page, file greater than 500 MB produces "The connection was reset" in Tor Browser _quickly_ before the entire file is uploaded
  • [x] On submit page, file less than 500 MB submitted successfully
Returning source base cases
  • [ ] Nonexistent codename cannot log in
  • [ ] Empty codename cannot log in
  • [ ] Legitimate codename can log in
  • [ ] Returning user can view journalist replies - need to log into journalist interface to test

Journalist Interface

Login base cases
  • [ ] Can log in with 2FA tokens
  • [ ] incorrect password cannot log in
  • [ ] invalid 2fa token cannot log in
  • [ ] 2fa immediate reuse cannot log in
Index base cases
  • [ ] Filter by codename works
  • [ ] Starring and unstarring works
  • [ ] Click select all selects all submissions
  • [ ] Selecting all and clicking "Download all" works
Individual source page
  • [ ] You can submit a reply and a flashed message and new row appears
  • [ ] You cannot submit an empty reply
  • [ ] Clicking "Delete collection" and the source and docs are deleted
  • [ ] You can click on a document and successfully decrypt using application private key

0.9.0-specific testing

Tails 3.9~rc1 specific testing

Upgrade path
  • [ ] I have upgraded a Tails stick to 3.9~rc1
  • [ ] ./securedrop-admin setup successful
  • [ ] ./securedrop-admin sdconfig successful
  • [ ] ./securedrop-admin install successful
  • [ ] ./securedrop-admin tailsconfig successful

Journalist API:

Database Migrations (upgrade testing from 0.8.0)

Install on 0.8.0.

  • [ ] Add a test user and ensure you can login.
  • [ ] Submit a document as a source and save the codename.
    SSH into the application, and run ./qa-loader.py -m 25 in /var/www/securedrop (this is a script that loads a large quantity of random, fake data):
sudo su
cd /var/www/securedrop
./qa_loader.py

This might take some time. Note that it is the first time we are using this script in QA, so get loud if you notice any errors or anything confusing.

  • [ ] Upgrade to 0.9.0. The database migration occurs smoothly.
  • [ ] You can log in as your test user, the data should still be present in the journalist interface.
  • [ ] You can submit a new document as a new source.
  • [ ] You can log back into your existing source account.
  • [ ] From a source's perspective, the messaging flow in the same as in 0.8.0

Now, you should verify that the UUID columns added in the 0.9.0 release are present in each table, and that the new password hash columns exist:

Open db.sqlite with sqlite3 and validate:

sqlite3 /var/lib/securedrop/db.sqlite
select * from <table>
  • [ ] Journalist table contains argon2 passwords (user password is re-hashed with argon2 after a login with 0.9.0)
  • [ ] Replies table has a column called UUID and it is populated
  • [ ] Submissions table has a column called UUID and it is populated
  • [ ] Sources table has a column called UUID and it is populated

Linux kernel 4.4.144

  • [ ] Uname -r returns 4.4.144-grsec
  • [ ] sudo apt list --installed | grep linux-image does not include linux-image-4.4.115-grsec (3.14.79, 4.4.135 and 4.4.144)
  • [ ] Update the kernel testing matrix if you are using dedicated hardware

Tor 0.3.3.9

  • [ ] tor bootstaps successfully and source/journalist interfaces are reachable
  • [ ] tor --version returns 0.3.3.9

Journalist Reply refactor

  • [ ] Reply to a source, and the reply is visible in the journalist interface
  • [ ] The reply can be downloaded and successfully decrypted
  • [ ] Login as a source and delete a reply that you received. The reply is no longer visible in the source interface. It is still visible in the journalist interface, where a check mark icon (2nd table column) indicates receipt by the source.

Tails 3.9~rc1 testing

  • [ ] ./securedrop-admin setup works without error
  • [ ] ./securedrop-admin config works without error
  • [ ] ./securedrop-admin install works without error
  • [ ] ./securedrop-admin tailsconfig works without error
  • [ ] I can access the source interface through the desktop shortcut
  • [ ] I can access the journalist interface by clicking on the desktop shortcut
  • [ ] ./securedrop-admin backup works without error
  • [ ] checkout 0.7.0, reboot, and ensure the SecureDrop updater gui appears (and updates to 0.8.0)

0.9.0-rc2 specific testing

  • [ ] apt-key list on app and mon server return an expiry date of 2018-10-03 for the SecureDrop release Key (00FAD77) (#3723)
  • [ ] On the journalist interface, the reply icon for a read message now has a tooltip that says 'Read' (#3734)
  • [ ] /var/securedrop/wheelhouse contains Flask 1.0.2 and werkzeug 0.14.1 (#3740)
  • [ ] create a local tag for 0.10.0 and ensure that ./securedrop-admin update correctly switches to that branch when invoked (#3579)

0.9.0-rc4 specific testing

Upgrade install of 0.9rc5 (Rackmounted servers)

NOTE: Tested on both rolled back 3.14 kernels and on the new kernels. After upgrading to 0.9rc5, the server worked as expected. Ran through all tests and then rolled the server forward to the new kernel and it works as intended.

Basic Server Testing

  • [x] I can access both the source and journalist interfaces
  • [x] I can SSH into both machines over Tor
  • [x] AppArmor is loaded on app
  • [x] AppArmor is loaded on mon
  • [x] Both servers are running grsec kernels
  • [x] iptables rules loaded

Command Line User Generation

  • [x] Can successfully add admin user and login

Administration

!! Did not test #3732

Application Acceptance Testing

Source Interface

Landing page base cases

  • [x] JS warning bar does not appear when using Security Slider high
  • [x] JS warning bar does appear when using Security Slider Low

First submission base cases

  • [x] On generate page, refreshing codename produces a new 7-word codename
  • [x] On submit page, empty submissions produce flashed message
  • [x] On submit page, short message submitted successfully
  • [x] On submit page, file greater than 500 MB produces "The connection was reset" in Tor Browser quickly before the entire file is uploaded
  • [x] On submit page, file less than 500 MB submitted successfully

Returning source base cases

  • [x] Nonexistent codename cannot log in
  • [x] Empty codename cannot log in
  • [x] Legitimate codename can log in
  • [x] Returning user can view journalist replies - need to log into journalist interface to test

Journalist Interface

Login base cases

  • [x] Can log in with 2FA tokens
  • [x] incorrect password cannot log in
  • [x] invalid 2fa token cannot log in
  • [x] 2fa immediate reuse cannot log in

Index base cases

  • [x] Filter by codename works
  • [x] Starring and unstarring works
  • [x] Click select all selects all submissions
  • [x] Selecting all and clicking "Download all" works (500 because of huge download)

Individual source page

  • [x] You can submit a reply and a flashed message and new row appears
  • [x] You cannot submit an empty reply
  • [x] Clicking "Delete collection" and the source and docs are deleted
  • [x] You can click on a document and successfully decrypt using application private key

0.9.0-specific testing

  • [x] Add a test user and ensure you can login.
  • [x] Submit a document as a source and save the codename.
  • [x] SSH into the application, and run ./qa-loader.py -m 25 in /var/www/securedrop (this is a script that loads a large quantity of random, fake data):
  • [x] Journalist table contains argon2 passwords (user password is re-hashed with argon2 after a login with 0.9.0)
  • [x] Replies table has a column called UUID and it is populated
  • [x] Submissions table has a column called UUID and it is populated
  • [x] Sources table has a column called UUID and it is populated

Linux kernel 4.4.144

  • [x] Uname -r returns 4.4.144-grsec !! Testing on rolled back kernels
  • [x] sudo apt list --installed | grep linux-image does not include linux-image-4.4.115-grsec (3.14.79, 4.4.135 and 4.4.144)
  • [x] Update the kernel testing matrix if you are using dedicated hardware

Tor 0.3.3.9

  • [x] tor bootstaps successfully and source/journalist interfaces are reachable
  • [x] tor --version returns 0.3.3.9

Journalist Reply refactor

  • [x] Reply to a source, and the reply is visible in the journalist interface
  • [x] The reply can be downloaded and successfully decrypted
  • [x] Login as a source and delete a reply that you received. The reply is no longer visible in the source interface. It is still visible in the journalist interface, where a check mark icon (2nd table column) indicates receipt by the source.

Tails 3.9 testing

  • [x] ./securedrop-admin setup works without error
  • [x] ./securedrop-admin config works without error
  • [x] ./securedrop-admin install works without error
  • [x] ./securedrop-admin tailsconfig works without error
  • [x] I can access the source interface through the desktop shortcut
  • [x] I can access the journalist interface by clicking on the desktop shortcut
  • [x] ./securedrop-admin backup works without error
  • [x] checkout 0.7.0, reboot, and ensure the SecureDrop updater gui appears (and updates to 0.8.0)

0.9.0-rc specific testing

  • [x] apt-key list on app and mon server return an expiry date of 2018-10-03 for the SecureDrop release Key (00FAD77) (#3723)
  • [x] On the journalist interface, the reply icon for a read message now has a tooltip that says 'Read' (#3734)
  • [x] /var/securedrop/wheelhouse contains Flask 1.0.2 and werkzeug 0.14.1 (#3740)
  • [ ] create a local tag for 0.10.0 and ensure that ./securedrop-admin update correctly switches to that branch when invoked (#3579)
  • [x] I can submit only a message
  • [x] Submitting a blank message shows a relevant error message
  • [x] Script in test plan of #3774 completes without error
  • [x] apt-key list on app and mon server return an expiry date of 2018-10-03 for the SecureDrop release Key (00FAD77) (#3723)
  • [x] On the journalist interface, the reply icon for a read message now has a tooltip that says 'Read' (#3734)

SecureDrop 0.9.0 pre-release QA Checklist

0.9.0-rc5 Fresh Install - 2014 Mac Minis (in progress)

Basic Server Testing

  • [x] I can access both the source and journalist interfaces
  • [x] I can SSH into both machines over Tor
  • [x] AppArmor is loaded on app
  • [x] AppArmor is loaded on mon
  • [x] Both servers are running grsec kernels
  • [x] iptables rules loaded
  • [ ] OSSEC emails begin to flow after install
  • [ ] OSSEC emails are decrypted to correct key and I am able to decrypt them

Command Line User Generation

  • [x] Can successfully add admin user and login

Administration

  • [x] I have backed up and successfully restored the app server following the documentation here: https://docs.securedrop.org/en/latest/backup_and_restore.html
  • [ ] If doing upgrade testing, make a backup on 0.8.0 and restore this backup on 0.9.0. Confirm that no further action is necessary and that (#3737) worked correctly.

Application Acceptance Testing

Source Interface

Landing page base cases
  • [x] JS warning bar does not appear when using Security Slider high
  • [x] JS warning bar does appear when using Security Slider Low
First submission base cases
  • [x] On generate page, refreshing codename produces a new 7-word codename
  • [x] On submit page, empty submissions produce flashed message
  • [x] On submit page, short message submitted successfully
  • [x] On submit page, file greater than 500 MB produces "The connection was reset" in Tor Browser _quickly_ before the entire file is uploaded
  • [x] On submit page, file less than 500 MB submitted successfully
Returning source base cases
  • [x] Nonexistent codename cannot log in
  • [x] Empty codename cannot log in
  • [x] Legitimate codename can log in
  • [x] Returning user can view journalist replies - need to log into journalist interface to test

Journalist Interface

Login base cases
  • [x] Can log in with 2FA tokens
  • [x] incorrect password cannot log in
  • [x] invalid 2fa token cannot log in
  • [x] 2fa immediate reuse cannot log in
Index base cases
  • [x] Filter by codename works
  • [x] Starring and unstarring works
  • [x] Click select all selects all submissions
  • [x] Selecting all and clicking "Download all" works
Individual source page
  • [x] You can submit a reply and a flashed message and new row appears
  • [x] You cannot submit an empty reply
  • [x] Clicking "Delete collection" and the source and docs are deleted
  • [x] You can click on a document and successfully decrypt using application private key

0.9.0-specific testing

Tails 3.9~rc1 specific testing

Upgrade path
  • [x] I have upgraded a Tails stick to 3.9~rc1
  • [x] ./securedrop-admin setup successful
  • [x] ./securedrop-admin sdconfig successful
  • [x] ./securedrop-admin install successful
  • [x] ./securedrop-admin tailsconfig successful

Journalist API:

Database Migrations (upgrade testing from 0.8.0)

Install on 0.8.0.

  • [ ] Add a test user and ensure you can login.
  • [ ] Submit a document as a source and save the codename.
    SSH into the application, and run ./qa-loader.py -m 25 in /var/www/securedrop (this is a script that loads a large quantity of random, fake data):
sudo su
cd /var/www/securedrop
./qa_loader.py

This might take some time. Note that it is the first time we are using this script in QA, so get loud if you notice any errors or anything confusing.

  • [ ] Upgrade to 0.9.0. The database migration occurs smoothly.
  • [ ] You can log in as your test user, the data should still be present in the journalist interface.
  • [ ] You can submit a new document as a new source.
  • [ ] You can log back into your existing source account.
  • [ ] From a source's perspective, the messaging flow in the same as in 0.8.0

Now, you should verify that the UUID columns added in the 0.9.0 release are present in each table, and that the new password hash columns exist:

Open db.sqlite with sqlite3 and validate:

sqlite3 /var/lib/securedrop/db.sqlite
select * from <table>
  • [ ] Journalist table contains argon2 passwords (user password is re-hashed with argon2 after a login with 0.9.0)
  • [ ] Replies table has a column called UUID and it is populated
  • [ ] Submissions table has a column called UUID and it is populated
  • [ ] Sources table has a column called UUID and it is populated

Linux kernel 4.4.144

  • [x] Uname -r returns 4.4.144-grsec
  • [x] sudo apt list --installed | grep linux-image does not include linux-image-4.4.115-grsec (3.14.79, 4.4.135 and 4.4.144)
  • [x] Update the kernel testing matrix if you are using dedicated hardware

Tor 0.3.3.9

  • [x] tor bootstaps successfully and source/journalist interfaces are reachable
  • [x] tor --version returns 0.3.3.9

Journalist Reply refactor

  • [x] Reply to a source, and the reply is visible in the journalist interface
  • [x] The reply can be downloaded and successfully decrypted
  • [x] Login as a source and delete a reply that you received. The reply is no longer visible in the source interface. It is still visible in the journalist interface, where a check mark icon (2nd table column) indicates receipt by the source.

Tails 3.9~rc1 testing

  • [x] ./securedrop-admin setup works without error
  • [x] ./securedrop-admin config works without error
  • [x] ./securedrop-admin install works without error
  • [x] ./securedrop-admin tailsconfig works without error
  • [x] I can access the source interface through the desktop shortcut
  • [x] I can access the journalist interface by clicking on the desktop shortcut
  • [x] ./securedrop-admin backup works without error
  • [ ] checkout 0.7.0, reboot, and ensure the SecureDrop updater gui appears (and updates to 0.8.0)

0.9.0-rc2 specific testing

  • [x] apt-key list on app and mon server return an expiry date of 2018-10-03 for the SecureDrop release Key (00FAD77) (#3723) (is 2019-10-03)
  • [x] On the journalist interface, the reply icon for a read message now has a tooltip that says 'Read' (#3734)
  • [x] /var/securedrop/wheelhouse contains Flask 1.0.2 and werkzeug 0.14.1 (#3740)
  • [ ] create a local tag for 0.10.0 and ensure that ./securedrop-admin update correctly switches to that branch when invoked (#3579)

0.9.0-rc4 specific testing

Was this page helpful?
0 / 5 - 0 ratings