-
Notifications
You must be signed in to change notification settings - Fork 685
1.4.0 Test Plan
There is no kernel update in this release, so we’ll be testing on fewer hardware platforms. However, given the importance of the iptables check, we’ll test the officially supported hardware:
- NUC7
- 1U test server
For both upgrades and fresh installs, here is a list of functionality that requires testing. You can use this for copy/pasting into your QA report. Feel free to edit this message to update the plan as appropriate.
If you have submitted a QA report already for a 1.4.0 release candidate with successful Basic Server Testing and Application Acceptance Testing, then you can skip these sections in subsequent reports, unless otherwise indicated by the Release Manager. This is to ensure that you focus your QA effort on the 1.4.0-specific changes as well as changes since the previous release candidate.
- Install target:
- Tails version:
- Test Scenario:
- SSH over Tor:
- Onion service version:
- Release candidate:
- General notes:
- I can access both the source and journalist interfaces
- I can SSH into both machines over Tor
- AppArmor is loaded on app
- 0 processes are running unconfined
- AppArmor is loaded on mon
- 0 processes are running unconfined
- Both servers are running grsec kernels
- iptables rules loaded
- OSSEC emails begin to flow after install
- OSSEC emails are decrypted to correct key and I am able to decrypt them
- QA Matrix checks pass
- Can successfully add admin user and login
- I have backed up and successfully restored the app server following the backup documentation
- If doing upgrade testing, make a backup on 1.3.0 and restore this backup on 1.4.0
- "Send Test OSSEC Alert" button in the journalist triggers an OSSEC alert and an email is sent
- Can successfully add journalist account with HOTP authentication
- JS warning bar does not appear when using Security Slider high
- JS warning bar does appear when using Security Slider Low
- On generate page, refreshing codename produces a new 7-word codename
- On submit page, empty submissions produce flashed message
- On submit page, short message submitted successfully
- On submit page, file greater than 500 MB produces "The connection was reset" in Tor Browser quickly before the entire file is uploaded
- On submit page, file less than 500 MB submitted successfully
- Nonexistent codename cannot log in
- Empty codename cannot log in
- Legitimate codename can log in
- Returning user can view journalist replies - need to log into journalist interface to test
- Can log in with 2FA tokens
- incorrect password cannot log in
- invalid 2fa token cannot log in
- 2fa immediate reuse cannot log in
- Journalist account with HOTP can log in
- Filter by codename works
- Starring and unstarring works
- Click select all selects all submissions
- Selecting all and clicking "Download" works
- You can submit a reply and a flashed message and new row appears
- You cannot submit an empty reply
- Clicking "Delete Source And Submissions" and the source and docs are deleted
- You can click on a document and successfully decrypt using application private key
After updating to this release candidate and running securedrop-admin tailsconfig
- The Updater GUI appears on boot
- Updating occurs without issue
- Verify that Tor 0.4.3.5 is running by running
sudo apt-cache policy tor
- Verify that the new
securedrop-keyring
package has an updated expiration date of 2021-06-30 by runningsudo apt-key finger
- Verify that the 1.4.0
securedrop-ossec-agent
andsecuredrop-ossec-server
packages are being used runningsudo apt-cache policy securedrop-ossec-agent
andsudo apt-cache policy securedrop-ossec-server
.
- Verify the
source_deleter
service is running on the app server- Use
qa_loader.py
orcreate-dev-data.py
to populate the staging database with a large number of sources (100 should be sufficient to have triggered the timeout before this change, but 500 or 1000 would be better). - While the database is being populated, run
systemctl status securedrop_source_deleter
- Use
- Verify that the JI delete action responds quickly (no longer times out) and sources are no longer available.
- Once the database is populated, visit the journalist interface and select all but a few of the sources for deletion.
- Verify that
source_deleter
deletes all sources (Deleting 1000 sources took around a half an hour during PR testing)- Monitor the
source_deleter
logs on the app server withjournalctl -fu securedrop_source_deleter
- Monitor the
- Verify that sources not deleted are still present once deletion is complete
- Verify that you receive an OSSEC alert level 12 email that says “The iptables default drop rules are incorrect.” when iptables is broken.
- [Upgrade scenario] Run
sdconfig
on 1.3.0 with a broken config and runmake install
(to repro known-bad state), then upgrade viaapt-test
. - Break the
/etc/networking/iptables/rules_ipv4
file on the servers after installation (by substituting invalid values into fields, for example), then reboot the servers.
- [Upgrade scenario] Run
- Verify that there are no errors in the sdconfig logic when multiple nameservers are provided during
sdconfig
- On an admin workstation, run
securedrop-admin sdconfig
. Try giving a single nameserver, then a list separated by commas, then by spaces. Enter invalid IP addresses. Try to enter more than three nameservers.
- On an admin workstation, run
- Verify that the
dns_server
value ininstall_files/ansible-base/group_vars/all/site-specific
is a list, not a string after specifying multiple nameservers. - Verify that
securedrop-admin install
completes successfully and that each server's/etc/resolvconf/resolv.conf.d/base
contains the correct nameservers. - Verify that the dns rules contain the nameservers you provided by running Run
sudo iptables -S | grep
- Verify that the value is correctly transformed to a list and that the server's
/etc/resolvconf/resolv.conf.d/base
and iptables rules are correct- Edit
install_files/ansible-base/group_vars/all/site-specific
to makedns_server
a string, covering at least some of the variations you tested above: single, comma-separated, space-separated. Upon each change, runsecuredrop-admin install
.
- Edit
-
Since we can't rely on the updater to get the new key until the release object is published (see https://github.com/freedomofpress/securedrop/blob/ee9b16e39908b1bac9d9aba202eb9a50193a0923/admin/securedrop_admin/__init__.py#L665-L667), we will need to create temporary keyrings for each check.
-
Verify the SecureDrop Release signing key is present with the new expiration date of 2021-06-30 on the keyserver
mkdir -m 700 /tmp/qa-new-key-on-keyserver
gpg --homedir /tmp/qa-new-key-on-keyserver --keyserver hkps://keys.openpgp.org --recv-keys 22245C81E3BAEB4138B36061310F561200F4AD77
gpg --homedir /tmp/qa-new-key-on-keyserver -k
-
Verify the SecureDrop Release signing key is present with the new expiration date of 2021-06-30 on securedrop.org
mkdir -m 700 /tmp/qa-new-key-on-website
curl -LO https://securedrop.org/securedrop-release-key.asc
gpg --homedir /tmp/qa-new-key-on-website --import securedrop-release-key.asc
gpg --homedir /tmp/qa-new-key-on-website -k
-
- Ensure the builder image is up-to-date on release day
These tests should be performed the day of release prior to live debian packages on apt.freedom.press
.
- Install or upgrade occurs without error
- Source interface is available and version string indicates it is 1.4.0
- A message can be successfully submitted
- The updater GUI appears on boot
- The update successfully occurs to 1.4.0
- After reboot, updater GUI no longer appears