Update for proxy v2

Now that proxy v2 has landed (see <freedomofpress/securedrop-client#1718>), we can remove the qubes.Filecopy RPC rule from sd-proxy to sd-client (it now goes over the securedrop.Proxy RPC) and the sd-proxy.yaml configuration (now read from QubesDB). Fixes #1026.
freedomofpress · May 17, 2024 · 2eacc8f · 2eacc8f
1 parent 3386a04
commit 2eacc8f
Show file tree

Hide file tree

Showing 6 changed files with 0 additions and 57 deletions.
diff --git a/dom0/sd-proxy-files.sls b/dom0/sd-proxy-files.sls
diff --git a/dom0/sd-proxy.sls b/dom0/sd-proxy.sls
@@ -36,5 +36,4 @@ sd-proxy-config:
   qvm.features:
     - name: sd-proxy
     - set:
-        # TODO: sd-proxy: /home/user/.securedrop_proxy/sd-proxy.yaml
         - vm-config.SD_PROXY_ORIGIN: http://{{ d.hidserv.hostname }}
diff --git a/dom0/sd-workstation.top b/dom0/sd-workstation.top
@@ -50,7 +50,6 @@ base:
   sd-devices-dvm:
     - sd-mime-handling
   sd-proxy:
-    - sd-proxy-files
     - sd-mime-handling
 
   # "Placeholder" config to trigger TemplateVM boots,

diff --git a/files/31-securedrop-workstation.policy b/files/31-securedrop-workstation.policy
@@ -39,7 +39,6 @@ qubes.ClipboardPaste    *           sd-app @tag:sd-receive-app-clipboard ask
 
 qubes.Filecopy          *           sd-log @default ask
 qubes.Filecopy          *           sd-log @tag:sd-receive-logs ask
-qubes.Filecopy          *           sd-proxy @tag:sd-client allow
 
 qubes.OpenInVM          *           @tag:sd-client @dispvm:sd-viewer allow
 qubes.OpenInVM          *           @tag:sd-client sd-devices allow

diff --git a/sd-proxy/sd-proxy.yaml b/sd-proxy/sd-proxy.yaml
diff --git a/tests/test_proxy_vm.py b/tests/test_proxy_vm.py
@@ -21,46 +21,12 @@ def test_do_not_open_here(self):
     def test_sd_proxy_package_installed(self):
         self.assertTrue(self._package_is_installed("securedrop-proxy"))
 
-    def test_sd_proxy_yaml_config(self):
-        with open("config.json") as c:
-            config = json.load(c)
-            hostname = config["hidserv"]["hostname"]
-
-        # Config file moved to private volume during template consolidation
-        assert not self._fileExists("/etc/sd-proxy.yaml")
-
-        wanted_lines = [
-            "host: {}".format(hostname),
-            "scheme: http",
-            "port: 80",
-            "target_vm: sd-app",
-            "dev: False",
-        ]
-        for line in wanted_lines:
-            self.assertFileHasLine("/home/user/.securedrop_proxy/sd-proxy.yaml", line)
-
     def test_sd_proxy_config(self):
         self.assertEqual(
             f"http://{self.dom0_config['hidserv']['hostname']}",
             self._vm_config_read("SD_PROXY_ORIGIN"),
         )
 
-    def test_sd_proxy_writable_config_dir(self):
-        # Directory must be writable by normal user. If owned by root,
-        # sd-proxy can't write logs, and will fail, blocking client logins.
-        result = False
-        try:
-            self._run("test -w /home/user/.securedrop_proxy")
-            result = True
-        except subprocess.CalledProcessError:
-            pass
-        self.assertTrue(result)
-
-    def test_sd_proxy_rpc_spec(self):
-        wanted_lines = ["/usr/bin/sd-proxy /home/user/.securedrop_proxy/sd-proxy.yaml"]
-        for line in wanted_lines:
-            self.assertFileHasLine("/etc/qubes-rpc/securedrop.Proxy", line)
-
     def test_whonix_ws_repo_absent(self):
         """
         The sd-proxy VM was previously based on Whonix Workstation,