SecureDrop Workstation 0.2.4-rpm/0.2.{7,8}-deb QA

[eloquence]

This issue tracks QA reports for

• 0.2.7 release of Debian packages or 0.2.8 release of Debian packages
• 0.2.4 release of RPM package

Following this test plan:
https://github.com/freedomofpress/securedrop-workstation/wiki/Workstation-Beta-Acceptance-Tests

Reports for the previous releases can be found here:
#484, #494, #499

[eloquence]

I'll start with Scenario: Client and Journalist Interface both in use.

[rocodes]

I'm starting with Scenario: Online mode, however I don't have an appropriate printer, so I will not be able to test the print portion.

[eloquence]

Scenario: Client and Journalist Interface both in use

Note: this scenario requires access to the Journalist Interface (JI) via
Tor Browser. If the scenario is being tested on Qubes, the JI address can be found
in sd-whonix in /usr/local/etc/torrc.d/50_user.conf. The sd-proxy VM includes
Tor Browser, and can be used to access the JI without config changes.

Prerequisites:

• server is available and contains source test data
• client data directory is empty

Login

• when SecureDrop desktop icon is double-clicked, preflight updater is displayed (did not run into [0.2.3-rpm] libxenlight failed to create new domain sd-log  #498 this time, dom0 was already patched)
• After preflight updater runs, when user clicks Continue, login dialog is displayed
• after valid login to client:
  • the login dialog closes
  • source data is downloaded and source list is populated
  • user is prompted for GPG key access
  • submissions and replies are decrypted
  • the source list is displayed but no sources are selected by default
  • the conversation view is not populated
• when the JI address is visited in Tor Browser:
  • JI login page is displayed
• after valid login to JI using same account as for client:
  • sources page is displayed, containing the same sources as the client (order may differ)

Sources, replies, submissions

• when a source is starred in the client:
  • the source is also starred in the JI after a page reload
• when a starred source is unstarred in the JI:
  • the source is also unstarred in the client after next sync.
• when a reply is sent to a source via the client:
• the reply is visible in the JI and can be viewed by the source in the Source Interface
• when a reply is sent to a source via the JI:
  • the reply is visible in the source conversation view after next sync
• when an individual file submission is deleted in the JI:
  • the submission is no longer listed in the conversation view
  • the submission files are deleted from the client data directory
• when an individual message is deleted in the JI:
  • the message is no longer listed in the conversation view
  • the messages are deleted from the client database
• when a source is deleted in the JI:
  • the source is no longer listed in the client after next sync (it took two syncs, one to remove the files/messages, another to remove the source)
  • files associated with the source are no longer present in the client data directory
• when a source is deleted in the client:
  • the source is no longer listed in the JI after a page reload

[rocodes]

Scenario: Online mode

Prerequisites:

• server is available and contains source test data
• access to sd-gpg keyring has not been previously granted (not this session)
• client data directory is empty
• the sd-devices VM is not running (shut down manually if necessary)
  [:heavy_multiplication_x:] a supported printer is available, but not attached. (no printer)
• all VMs are up-to-date
• test instance contains several sources, including some with files & some with HTML characters in messages

Login

• when SecureDrop desktop icon is double-clicked, preflight updater is displayed
• After preflight updater runs, when user clicks Continue, login dialog is displayed
• In login dialog:
  • show/hide password functionality works
  • incorrect password cannot log in
  • 2FA token reuse cannot log in after password failure
  • invalid 2FA token cannot log in
  • valid credentials and 2FA can log in

Sources

• after valid login:
  • the login dialog closes
  • source data is downloaded and source list is populated
  • user is prompted for GPG key access
  • submissions and replies are decrypted
  • the source list is displayed but no sources are selected by default
  • the conversation view is not populated
• when a source is selected in source list:
  • conversation view is populated with source conversation
  • a source message containing HTML is displayed as unformatted text
  • source submissions have an active Download button
  • source submission compressed file size is displayed accurately
• when the upper right 3-dot button is clicked:
  • a menu is displayed with a delete source account option
  • when delete source account is selected:
    • the source is deleted from the source list and the conversation view is blanked
    • the source is deleted from the server and not restored on next sync
    • source submissions and messages are removed from the client's data directory (source was not in data directory, no submissions downloaded)
• when a source is starred in source list, and the client is closed and reopened in Online mode:
  • the source is still starred in the source list

Replies

• when a source is selected in the source list:
  • the reply panel is available for use and there is no message asking the user to sign in
  • a reply can be added to the conversations
  • a reply containing HTML is displayed as unformatted text
  • [:heavy_multiplication_x:] a reply with a single string of characters longer than 100 chars is displayed correctly: Not always; see Messages/replies cut off when sent together with files securedrop-client#998 or Tracking upstream issue QTBUG-85498 securedrop-client#815
  • [:heavy_multiplication_x:] a reply with a line longer than 100 chars is displayed correctly: Not always; it depends if an attachment was submitted by source, see Messages/replies cut off when sent together with files securedrop-client#998
  • two replies added immediately after each other are ordered correctly

Submissions

Preview

• when Download is clicked on a submission:
  • the submission is downloaded and decrypted
  • the Download button is replaced with Print and Export options
  • the submission filename is displayed.
• For a DOC submission:
  • when the submission filename is clicked, a disposable VM (dispVM) is started.
  • after the dispVM starts, the submission is displayed in LibreOffice
  • when LibreOffice is closed, the dispVM shuts down
• For a PDF submission:
  • when the submission filename is clicked, a dispVM is started.
  • after the dispVM starts, the submission is displayed in evince (Document Viewer)
  • when evince is closed, the dispVM shuts down
• For a JPEG submission:
  • when the submission filename is clicked, a dispVM is started.
  • after the dispVM starts, the submission is displayed in Image Viewer
  • when evince is closed, the dispVM shuts down (Image Viewer)

Export

• When Export is first clicked on a submission:
  • the "Preparing to export..." message is displayed
  • the sd-devices VM is started
  • the user is prompted to insert an Export USB
  • On clicking Cancel, the prompt closes and the file is not exported
• When Export is clicked on the submission again:
  • the "Preparing to export..." message is displayed
  • the user is prompted to insert an Export USB
  • When the user inserts an invalid Export USB, attaches it to the sd-devices VM and clicks OK:
    • a message is displayed indicating that the Export USB is invalid and
      the user is prompted to insert a valid device
• When Export is clicked on the submission again:
  • the "Preparing to export..." message is displayed
  • the user is prompted to insert an Export USB
  • When the user inserts a valid Export USB, attaches it to the sd-devices VM, and clicks OK:
    • the user is prompted for the Export USB's password
  • When the user enters an invalid Export USB password and clicks Submit:
    • a failure message is displayed and the user is prompted to enter the password again
  • When the user enters an valid Export USB password and clicks Submit:
    • the file is saved to the Export USB (a message says "remember to be careful with files...")
• When the user detaches the Export USB and mounts it on another VM or computer:
  • the decrypted submission is available in on the Export USB, in a directory sd-export-<timestamp>/export_data

Print (did not complete)

• When the user clicks Print on a downloaded submission:
  • a "Preparing to print..." message is displayed
  • the sd-devicesVM is started
  • the user is prompted to connect a supported printer
• When the user connects a printer, attaches it to the sd-devices VM, and clicks Continue:
  • a "Printing..." message is displayed
  • the X Printer Panel dialog is displayed with the printer selected
• When the user clicks Print in the X Printer Panel:
  • the submission is printed successfully.

Closing the client

• When the user clicks the main window close button:
  • the client exits.

[conorsch]

Scenario: Online mode

Prerequisites:

• server is available and contains source test data
• access to sd-gpg keyring has not been previously granted
• ❌ ~/.securedrop_client/data in sd-app is empty, and ~/.securedrop_client/svs.sqlite does not exist (do not delete the entire ~/.securedrop_client directory)
• i did not perform this step, used pre-existing client data in sd-app
• the sd-devices VM is not running (shut down manually if necessary)
• ❌ a supported printer is available, but not attached.
  • no hardware printer available, did not validate printer steps
• all VMs are up-to-date
• test instance contains several sources, including some with files & some with HTML characters in messages

Login

• when SecureDrop desktop icon is double-clicked, preflight updater is displayed
• After preflight updater runs, when user clicks Continue, login dialog is displayed
• In login dialog:
  • show/hide password functionality works
  • incorrect password cannot log in
  • 2FA token reuse cannot log in after password failure
  • invalid 2FA token cannot log in
  • valid credentials and 2FA can log in

Sources

• after valid login:
  • the login dialog closes
  • source data is downloaded and source list is populated
  • user is prompted for GPG key access
  • submissions and replies are decrypted
  • the source list is displayed but no sources are selected by default
  • the conversation view is not populated
• when a source is selected in source list:
  • conversation view is populated with source conversation
  • a source message containing HTML is displayed as unformatted text
  • source submissions have an active Download button
  • source submission compressed file size is displayed accurately
• when the upper right 3-dot button is clicked:
  • a menu is displayed with a delete source account option
  • when delete source account is selected:
    • the source is deleted from the source list and the conversation view is blanked
    • 🔶 the source is deleted from the server and not restored on next sync
      • confirmed not restored, but could not verify state on server due to lack of ssh access
    • source submissions and messages are removed from the client's data directory
• when a source is starred in source list, and the client is closed and reopened in Online mode:
  • the source is still starred in the source list
    • first appeared as unstarred, then after ~2s it was starred

Replies

• when a source is selected in the source list:
  • the reply panel is available for use and there is no message asking the user to sign in
  • a reply can be added to the conversations
  • a reply containing HTML is displayed as unformatted text
  • ❌ a reply with a single string of characters longer than 100 chars is displayed correctly
    • fail, message is not wrapped, truncated after ~72 characters
    • behavior consistent with report in Messages/replies cut off when sent together with files securedrop-client#998 (comment)
  • ❌ a reply with a line longer than 100 chars is displayed correctly
    • used zombieipsum.com, in two-paragraph mode, both rendered well
    • after following STR, was able to get messages to truncate Messages/replies cut off when sent together with files securedrop-client#998 (comment)
  • two replies added immediately after each other are ordered correctly

Submissions

Preview

• when Download is clicked on a submission:
  • the submission is downloaded and decrypted
  • the Download button is replaced with Print and Export options
  • the submission filename is displayed.
• For a DOC submission:
  • when the submission filename is clicked, a disposable VM (dispVM) is started.
  • after the dispVM starts, the submission is displayed in LibreOffice
  • when LibreOffice is closed, the dispVM shuts down
• For a PDF submission:
  • when the submission filename is clicked, a dispVM is started.
  • after the dispVM starts, the submission is displayed in evince
  • when evince is closed, the dispVM shuts down
• For a JPEG submission:
  • when the submission filename is clicked, a dispVM is started.
  • after the dispVM starts, the submission is displayed in Image Viewer
  • when evince is closed, the dispVM shuts down

Export

• When Export is first clicked on a submission:
  • the "Preparing to export..." message is displayed
  • the sd-devices VM is started
  • 🔶 the user is prompted to insert an Export USB
    • no prompt appeared, but that's because i clicked cancel, so correct behavior
  • On clicking Cancel, the prompt closes and the file is not exported
• When Export is clicked on the submission again:
  • the "Preparing to export..." message is displayed
  • the user is prompted to insert an Export USB
  • When the user inserts an invalid Export USB, attaches it to the sd-devices VM and clicks OK:
    • a message is displayed indicating that the Export USB is invalid and
      the user is prompted to insert a valid device
• When Export is clicked on the submission again:
  • the "Preparing to export..." message is displayed
  • the user is prompted to insert an Export USB
  • When the user inserts a valid Export USB, attaches it to the sd-devices VM, and clicks OK:
    • the user is prompted for the Export USB's password
  • When the user enters an invalid Export USB password and clicks Submit:
    • a failure message is displayed and the user is prompted to enter the password again
  • When the user enters an valid Export USB password and clicks Submit:
    • the file is saved to the Export USB
• When the user detaches the Export USB and mounts it on another VM or computer:
  • the decrypted submission is available in on the Export USB, in a directory sd-export-<timestamp>/export_data

Print (skipped, did not perform)

• When the user clicks Print on a downloaded submission:
  • a "Preparing to print..." message is displayed
  • the sd-devicesVM is started
  • the user is prompted to connect a supported printer
• When the user connects a printer, attaches it to the sd-devices VM, and clicks Continue:
  • a "Printing..." message is displayed
  • the X Printer Panel dialog is displayed with the printer selected
• When the user clicks Print in the X Printer Panel:
  • the submission is printed successflly.

Closing the client

• When the user clicks the main window close button:
  • the client exits.

[zenmonkeykstop]

Print testing (Brother HL-L2390DW)

File type	Result
avi	blank pages
csv	✔️
djvu	blank pages
doc	✔️
docx	✔️
gif	sent to printer, job queued but nothing happens
jpg	sent to printer, job queued but nothing happens
mov	blank pages
mp3	blank pages
mp4	blank pages
odp	✔️
ods	✔️
odt	✔️
ogg	blank pages
ogv	blank pages
pdf	✔️
ppt	✔️
pptx	✔️
rar	blank pages
svg	client-error-document-format-not-supported error
tiff	sent to printer, job queued but nothing happens
7z	blank pages
wav	blank pages
wmv	blank pages
xls	✔️
xlsx	✔️
zip	blank pages

[eloquence]

Tested with a server patched to include changes in freedomofpress/securedrop#5178:

• when the journalist account used to reply is deleted by an admin in the JI:
  • the next sync is successful
  • the reply is visible in the conversation view
  • the journalist's details are deleted from the client database

Also tested that on a subsequent sync of a client with empty DB and empty data dir, everything was synchronized successfully. The user was inserted with name and UUID deleted as expected.

[eloquence]

(Old tracking issue, closing)