From 4d39a13500f7b5a039790c0a826fa602927a9498 Mon Sep 17 00:00:00 2001 From: Kunal Mehta Date: Thu, 19 Sep 2024 16:52:50 -0400 Subject: [PATCH 1/3] Split generate and sign steps One of the biggest frustrations I have with this process is that the generation and signing steps are combined. I really want to generate everything, review it, and then move ahead with signing. This splits the two steps and inlines them into the Makefile as separate `make generate` and `make sign`. Also change the default goal to `help`, which is what all of our other Makefiles do. This necessitates checking in the default.rulesets file that's used as the input for signing. --- .gitignore | 1 - Makefile | 18 ++++++++++++++---- rulesets/default.rulesets | 1 + scripts/generate-and-sign | 24 ------------------------ 4 files changed, 15 insertions(+), 29 deletions(-) create mode 100644 rulesets/default.rulesets delete mode 100755 scripts/generate-and-sign diff --git a/.gitignore b/.gitignore index 9e83c7e..5f192d0 100644 --- a/.gitignore +++ b/.gitignore @@ -7,7 +7,6 @@ test-key.jwk public.pem # Generated files -rulesets/default.rulesets rulesets/default.rulesets.json # Byte-compiled / optimized / DLL files diff --git a/Makefile b/Makefile index 6716753..f27228c 100644 --- a/Makefile +++ b/Makefile @@ -1,6 +1,6 @@ image := fpf.local/securedrop-https-everywhere-ruleset:$(shell cat latest-rulesets-timestamp) -DEFAULT_GOAL: rules +DEFAULT_GOAL: help .PHONY: check-black check-black: ## Check Python source code formatting with black @@ -16,9 +16,19 @@ test-key: ## Generates a test key for development/testing purposes locally. openssl rsa -in key.pem -outform PEM -pubout -out public.pem poetry run python jwk.py > test-key.jwk -.PHONY: rules -rules: ## Regenerates rulesets in preparation for signing ceremony - poetry run ./scripts/generate-and-sign +.PHONY: generate +generate: ## Regenerates rulesets in preparation for signing ceremony + echo "Generating SecureDrop Onion Name rulesets..." + poetry run python3 sddir.py + poetry run python3 upstream/merge-rulesets.py --source_dir rulesets + +.PHONY: sign +sign: ## Signs the latest ruleset + echo "Preparing rulesets for airgapped signature request..." + ./upstream/async-request.sh public_release.pem . + echo "Updating index for SecureDrop rules..." + ./update_index.sh + echo "Finished. Please review local changes, and commit as appropriate." .PHONY: serve serve: ## Builds Nginx container to serve generated files diff --git a/rulesets/default.rulesets b/rulesets/default.rulesets new file mode 100644 index 0000000..beb051d --- /dev/null +++ b/rulesets/default.rulesets @@ -0,0 +1 @@ +[{"name":"2600: The Hacker Quarterly","target":["2600.securedrop.tor.onion"],"rule":[{"from":"^http[s]?://2600.securedrop.tor.onion","to":"http://cy6wj77vryhcyh6go576hxycjz4wxlo4s5vevdinkw3armwzty5jozyd.onion"}]},{"name":"ABC","target":["abc.au.securedrop.tor.onion"],"rule":[{"from":"^http[s]?://abc.au.securedrop.tor.onion","to":"http://dqa4zahticcobfq5rmmmbewbdtyiznbl75hu23k4i37y7yfoosrh7mqd.onion"}]},{"name":"Aftenposten AS","target":["aftenposten.securedrop.tor.onion"],"rule":[{"from":"^http[s]?://aftenposten.securedrop.tor.onion","to":"http://tiykfvhb562gheutfnedysnhrxpxoztyszkqyroloyepwzxmxien77id.onion"}]},{"name":"Aftonbladet","target":["aftonbladet.securedrop.tor.onion"],"rule":[{"from":"^http[s]?://aftonbladet.securedrop.tor.onion","to":"http://xm33ge4kupk5o66eqxcd2r4fqcplpqb2sbdduf5z2nw4g2jrxe57luid.onion"}]},{"name":"Al Jazeera Media Network","target":["ajiunit.securedrop.tor.onion"],"rule":[{"from":"^http[s]?://ajiunit.securedrop.tor.onion","to":"http://jkta32w5gvk6pmqdfwj67psojot3l2iwoqbdvrvywi5bkudfeandq7id.onion"}]},{"name":"Apache","target":["apache.securedrop.tor.onion"],"rule":[{"from":"^http[s]?://apache.securedrop.tor.onion","to":"http://okd7utbak43lm7qaixr6yv7s62e32mhngjsfpjn26eklokqofg6776yd.onion"}]},{"name":"Barton Gellman","target":["bartongellman.securedrop.tor.onion"],"rule":[{"from":"^http[s]?://bartongellman.securedrop.tor.onion","to":"http://hxywmnvdz5f2l5gqwjfcejdpla7nhj35dn5cf5l6qevjb77wasnna3qd.onion"}]},{"name":"Bloomberg Industry Group","target":["bloombergindustrygroup.securedrop.tor.onion"],"rule":[{"from":"^http[s]?://bloombergindustrygroup.securedrop.tor.onion","to":"http://33buewrpzrfpttl7kerqvtvzyo3ivumilwwmeqjryzajusltibaqc6ad.onion"}]},{"name":"Bloomberg Law","target":["bloomberglaw.securedrop.tor.onion"],"rule":[{"from":"^http[s]?://bloomberglaw.securedrop.tor.onion","to":"http://33buewrpzrfpttl7kerqvtvzyo3ivumilwwmeqjryzajusltibaqc6ad.onion"}]},{"name":"Bloomberg News","target":["bloomberg.securedrop.tor.onion"],"rule":[{"from":"^http[s]?://bloomberg.securedrop.tor.onion","to":"http://ogdwaroarq4p6rnfn2hl4crvldyruyc2g24435qtxmd3twhevg7dsqid.onion"}]},{"name":"CBC","target":["cbcrc.securedrop.tor.onion"],"rule":[{"from":"^http[s]?://cbcrc.securedrop.tor.onion","to":"http://gppg43zz5d2yfuom3yfmxnnokn3zj4mekt55onlng3zs653ty4fio6qd.onion"}]},{"name":"The Center for Public Integrity","target":["publicintegrity.securedrop.tor.onion"],"rule":[{"from":"^http[s]?://publicintegrity.securedrop.tor.onion","to":"http://ahgpmkiaqfde4innkotgz5q6bgt4gbxmelqod3tjtmpdt3zvxaxareyd.onion"}]},{"name":"Claudio Guarnieri","target":["nex.securedrop.tor.onion"],"rule":[{"from":"^http[s]?://nex.securedrop.tor.onion","to":"http://7dw7foypguycptlodmkscnziw5a65ilivzz6ajiei3yhe3gsfojlqwad.onion"}]},{"name":"CNN","target":["cnn.securedrop.tor.onion"],"rule":[{"from":"^http[s]?://cnn.securedrop.tor.onion","to":"http://qmifwf762qftydprw2adbg7hs2mkunac5xrz3cb5busaflji3rja5lid.onion"}]},{"name":"Dagbladet","target":["dagbladet.securedrop.tor.onion"],"rule":[{"from":"^http[s]?://dagbladet.securedrop.tor.onion","to":"http://ydbpz5knb6ji3bdtahhm3wo7sed6lsy5vqnwfpnhpez4bquvoexbz7qd.onion"}]},{"name":"Der Spiegel","target":["spiegel.securedrop.tor.onion"],"rule":[{"from":"^http[s]?://spiegel.securedrop.tor.onion","to":"http://q6vdlj2ukulrqk37piqgxucpcwtxzdjhvjzqrfbevuhrzimsgjltmpqd.onion"}]},{"name":"Disclose","target":["disclose.securedrop.tor.onion"],"rule":[{"from":"^http[s]?://disclose.securedrop.tor.onion","to":"http://3tcbrdg2ejwu5nzbjg7xqixkis6mdbgkkthcyxmzv2q3oi6v7th5ahqd.onion"}]},{"name":"DR - Danish Broadcasting Corporation","target":["dr.securedrop.tor.onion"],"rule":[{"from":"^http[s]?://dr.securedrop.tor.onion","to":"http://hpaauqmv2wegiu4cz6st6hty4s7gwqol272xhcu3xmh6azw2f2zffgid.onion"}]},{"name":"Espen Andersen","target":["espena.securedrop.tor.onion"],"rule":[{"from":"^http[s]?://espena.securedrop.tor.onion","to":"http://tsovw443sbbaizc3mxwuqrnbc4uiml3x3uuinmplthsmpiqdphl7v5yd.onion"}]},{"name":"Financial Times","target":["ft.securedrop.tor.onion"],"rule":[{"from":"^http[s]?://ft.securedrop.tor.onion","to":"http://nqu6crmtnzs2hs5abo2uqni53yqsnnwqnerdxuzyz5yxairxlzjzt6yd.onion"}]},{"name":"Forbes","target":["forbes.securedrop.tor.onion"],"rule":[{"from":"^http[s]?://forbes.securedrop.tor.onion","to":"http://6zonlfhh7aqtfwoyvdlad3nxn6ljecx2k6tyyy3spt43nn54q6lvncid.onion"}]},{"name":"Forbidden Stories","target":["forbiddenstories.securedrop.tor.onion"],"rule":[{"from":"^http[s]?://forbiddenstories.securedrop.tor.onion","to":"http://fg25fqpu2dnxp24xs3jlcley4hp2inshpzek44q3czkhq3zffoqk26id.onion"}]},{"name":"The Globe and Mail","target":["theglobeandmail.securedrop.tor.onion"],"rule":[{"from":"^http[s]?://theglobeandmail.securedrop.tor.onion","to":"http://a4zum5ydurvljrohxqp2rjjal5kro4ge2q2qizuonf2jubkhcr627gad.onion"}]},{"name":"Greekleaks","target":["greekleaks.securedrop.tor.onion"],"rule":[{"from":"^http[s]?://greekleaks.securedrop.tor.onion","to":"http://jatasaqcoe7lqdpcyxo7vl3e5tdvl5jgmtadfat77i25qdj6z6a4ulad.onion"}]},{"name":"The Guardian","target":["theguardian.securedrop.tor.onion"],"rule":[{"from":"^http[s]?://theguardian.securedrop.tor.onion","to":"http://xp44cagis447k3lpb4wwhcqukix6cgqokbuys24vmxmbzmaq2gjvc2yd.onion"}]},{"name":"HuffPost","target":["huffpost.securedrop.tor.onion"],"rule":[{"from":"^http[s]?://huffpost.securedrop.tor.onion","to":"http://ppw2pmtagxykinex6uubypsommtrcg6ytdh6bcr6agq2wxnrweao4cad.onion"}]},{"name":"Institute for Quantitative Social Science at Harvard University","target":["iqss.harvard.securedrop.tor.onion"],"rule":[{"from":"^http[s]?://iqss.harvard.securedrop.tor.onion","to":"http://5kcyaqagvnrvyan7y5ntzreqsn2msowqlmtoo46qju2pctlbkzzztxqd.onion"}]},{"name":"The Intercept","target":["theintercept.securedrop.tor.onion"],"rule":[{"from":"^http[s]?://theintercept.securedrop.tor.onion","to":"http://lhollo6vzrft3w77mgm67fhfv3fjadmf7oinmafa7tbmupc273oi7kid.onion"}]},{"name":"Investigace.cz","target":["investigace.securedrop.tor.onion"],"rule":[{"from":"^http[s]?://investigace.securedrop.tor.onion","to":"http://e2kkexl7exz6rg7fhl4oftkaeojm7wlbw567hqu2tbrjlixsjjoynzad.onion"}]},{"name":"K-Tipp","target":["ktipp.securedrop.tor.onion"],"rule":[{"from":"^http[s]?://ktipp.securedrop.tor.onion","to":"http://tukldpfzdizsrfyvdljnipmvix2dcb5hmfoemcidkw7bq56wxblk6did.onion"}]},{"name":"Kenneth R. Rosen","target":["kennethrrosen.securedrop.tor.onion"],"rule":[{"from":"^http[s]?://kennethrrosen.securedrop.tor.onion","to":"http://dpsw5tvlh2pccviydqw2cz5tjszd34zcdj322oikydqvgsqwitxup7yd.onion"}]},{"name":"Lessig.law LLC","target":["lessig.securedrop.tor.onion"],"rule":[{"from":"^http[s]?://lessig.securedrop.tor.onion","to":"http://o4nhtigrvss5wktskr5ph5m22ewmhk7nr5at2tac2wdsworcqz62vsqd.onion"}]},{"name":"New York Times","target":["nytimes.securedrop.tor.onion"],"rule":[{"from":"^http[s]?://nytimes.securedrop.tor.onion","to":"https://ej3kv4ebuugcmuwxctx5ic7zxh73rnxt42soi3tdneu2c2em55thufqd.onion"}]},{"name":"News24","target":["news24.securedrop.tor.onion"],"rule":[{"from":"^http[s]?://news24.securedrop.tor.onion","to":"http://uhmj4j5pnwbpmkebfze3qgjmkum465fvok376nxtpku5yvyv5takz6qd.onion"}]},{"name":"NOYB","target":["noyb.securedrop.tor.onion"],"rule":[{"from":"^http[s]?://noyb.securedrop.tor.onion","to":"http://xjc4s5z26i2z5tzjzj3w6jwzuomedzsahq4tccktwdcs6fldt4ojznqd.onion"}]},{"name":"NRK","target":["nrk.securedrop.tor.onion"],"rule":[{"from":"^http[s]?://nrk.securedrop.tor.onion","to":"http://537ztcntpbmspja4mkpxldpsoc46mqlssnsaklqnfw3gnlpj5glcjgid.onion"}]},{"name":"POLITICO","target":["politico.securedrop.tor.onion"],"rule":[{"from":"^http[s]?://politico.securedrop.tor.onion","to":"http://mzi5yynpd6qqq3lnh7vnaojy36v3hcorytsut47zwkguhnorduyxwead.onion"}]},{"name":"ProPublica","target":["propublica.securedrop.tor.onion"],"rule":[{"from":"^http[s]?://propublica.securedrop.tor.onion","to":"http://lvtu6mh6dd6ynqcxtd2mseqfkm7g2iuxvjobbyzpgx2jt427zvd7n3ad.onion"}]},{"name":"San Francisco Chronicle","target":["sfchronicle.securedrop.tor.onion"],"rule":[{"from":"^http[s]?://sfchronicle.securedrop.tor.onion","to":"http://b52gknakgsyqqeq476oi5nymw6yapysfig4owqgwppi5qpuk4az6bxad.onion"}]},{"name":"Stavanger Aftenblad","target":["aftenbladet.securedrop.tor.onion"],"rule":[{"from":"^http[s]?://aftenbladet.securedrop.tor.onion","to":"http://4beybcv5e7xya4xu2nzdqkohawm32imugjtatkvmp2xwgfhcoj64slid.onion"}]},{"name":"Stefania Maurizi","target":["maurizi.securedrop.tor.onion"],"rule":[{"from":"^http[s]?://maurizi.securedrop.tor.onion","to":"http://jxsb4ovmavjy3r64bak4ha63xwggf3nzf3vikvs23r2avm5rhzmaqtqd.onion"}]},{"name":"Suddeutsche Zeitung","target":["sueddeutsche.securedrop.tor.onion"],"rule":[{"from":"^http[s]?://sueddeutsche.securedrop.tor.onion","to":"http://udhauo3m3fh7v6yfiuornjzxn3fh6vlp4ooo3wogvghcnv5xik6mnayd.onion"}]},{"name":"Taz","target":["taz.securedrop.tor.onion"],"rule":[{"from":"^http[s]?://taz.securedrop.tor.onion","to":"http://tazleakssvtc2lqrhkpvbzo6qwolcldzkzoexo7wombufd6a573bhlid.onion"}]},{"name":"TechCrunch","target":["techcrunch.securedrop.tor.onion"],"rule":[{"from":"^http[s]?://techcrunch.securedrop.tor.onion","to":"http://vplxle7awnyvvvduv6exnwrxbf4gzsh7lv7fxosnfl2ecidkttcbfcqd.onion"}]},{"name":"The Economist","target":["theeconomist.securedrop.tor.onion"],"rule":[{"from":"^http[s]?://theeconomist.securedrop.tor.onion","to":"http://mxmddqsh4jnr4gjan37ayin3fu5ecnejxge4wjhj4i45qq5djbxdjtad.onion"}]},{"name":"Thomson Reuters","target":["reuters.securedrop.tor.onion"],"rule":[{"from":"^http[s]?://reuters.securedrop.tor.onion","to":"http://dvvbik7vtmvwwgj2cziqa36noa26l2pweghd26e5l5qwdnqtwmfhz5id.onion"}]},{"name":"Toronto Star","target":["torontostar.securedrop.tor.onion"],"rule":[{"from":"^http[s]?://torontostar.securedrop.tor.onion","to":"http://yj3b7rgmglcocbbvzrwfbo4d6j2aa7thwupra4yqutbd27v3vxcpvgid.onion"}]},{"name":"TV2 Denmark","target":["tv2.dk.securedrop.tor.onion"],"rule":[{"from":"^http[s]?://tv2.dk.securedrop.tor.onion","to":"http://srumyob2jq5nvppzt66aaab333n2wmq6xgkg4khfe24ixdb7umf7mtyd.onion"}]},{"name":"The Washington Post","target":["washingtonpost.securedrop.tor.onion"],"rule":[{"from":"^http[s]?://washingtonpost.securedrop.tor.onion","to":"https://vfnmxpa6fo4jdpyq3yneqhglluweax2uclvxkytfpmpkp5rsl75ir5qd.onion"}]},{"name":"Whistleblower Aid","target":["whistlebloweraid.securedrop.tor.onion"],"rule":[{"from":"^http[s]?://whistlebloweraid.securedrop.tor.onion","to":"http://kogbxf4ysay2qzozmg7ar45ijqmj2vxrwqa4upzqq2i7sqj7wv7wcdqd.onion"}]}] \ No newline at end of file diff --git a/scripts/generate-and-sign b/scripts/generate-and-sign deleted file mode 100755 index 2839232..0000000 --- a/scripts/generate-and-sign +++ /dev/null @@ -1,24 +0,0 @@ -#!/bin/bash -# Utility script to generate the SecureDrop HTTPS Everywhere rulesets, -# used for managing Onion Names for SecureDrop instances. -# -# Much of the business logic is taken verbatim from the EFF HTTPSE repo: -# -# https://github.com/EFForg/https-everywhere/blob/master/docs/en_US/ruleset-update-channels.md#signing -# -set -euo pipefail - -# Generate the SD rulesets -echo "Generating SecureDrop Onion Name rulesets..." -python3 sddir.py - -python3 upstream/merge-rulesets.py --source_dir rulesets -echo "Preparing rulesets for airgapped signature request..." -./upstream/async-request.sh public_release.pem . - -echo "Updating index for SecureDrop rules..." -./update_index.sh - -echo "Finished. Please review local changes, and commit as appropriate." -# TODO: Not automatically running 'git add *' due to -# https://github.com/freedomofpress/securedrop-https-everywhere-ruleset/issues/20 From 56bbd817a468631a3688fd87c34db68bd2862768 Mon Sep 17 00:00:00 2001 From: Kunal Mehta Date: Thu, 19 Sep 2024 17:02:57 -0400 Subject: [PATCH 2/3] Add more CI checks As requested in #21, this verifies: * generated rulesets files match the XML files. (In some sense it's just a reimplementation of the `upstream/merge-rulesets.py` script, but would stop a zero-length ruleset from being deployed) * there are no extra nor missing signatures Fixes #21. --- .github/workflows/ci.yml | 3 ++- Makefile | 1 + poetry.lock | 50 +++++++++++++++++++++++++++++++++-- pyproject.toml | 1 + test_rulesets.py | 57 ++++++++++++++++++++++++++++++++++++++++ 5 files changed, 109 insertions(+), 3 deletions(-) create mode 100644 test_rulesets.py diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 953650e..256c763 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -11,7 +11,8 @@ jobs: - uses: actions/checkout@v4 - name: Install dependencies run: | - apt-get update && apt-get install --yes --no-install-recommends make openssl + apt-get update && apt-get install --yes --no-install-recommends make openssl python3 python3-poetry + poetry install --no-ansi - name: Verify ruleset signature run: | make verify diff --git a/Makefile b/Makefile index f27228c..4f19d91 100644 --- a/Makefile +++ b/Makefile @@ -42,6 +42,7 @@ serve: ## Builds Nginx container to serve generated files verify: ## Verifies the signature of the latest ruleset. Requires openssl to be installed. @echo "Attempting to verify ruleset signature using openssl." @./scripts/verify + @poetry run pytest -v .PHONY: help help: diff --git a/poetry.lock b/poetry.lock index a0f0573..7f7185b 100644 --- a/poetry.lock +++ b/poetry.lock @@ -1,4 +1,4 @@ -# This file is automatically @generated by Poetry 1.8.3 and should not be changed by hand. +# This file is automatically @generated by Poetry 1.8.2 and should not be changed by hand. [[package]] name = "authlib" @@ -335,6 +335,17 @@ files = [ [package.extras] all = ["flake8 (>=7.1.1)", "mypy (>=1.11.2)", "pytest (>=8.3.2)", "ruff (>=0.6.2)"] +[[package]] +name = "iniconfig" +version = "2.0.0" +description = "brain-dead simple config-ini parsing" +optional = false +python-versions = ">=3.7" +files = [ + {file = "iniconfig-2.0.0-py3-none-any.whl", hash = "sha256:b6a85871a79d2e3b22d2d1b94ac2824226a63c6b741c88f7ae975f18b6778374"}, + {file = "iniconfig-2.0.0.tar.gz", hash = "sha256:2d91e135bf72d31a410b17c16da610a82cb55f6b0477d1a902134b24a455b8b3"}, +] + [[package]] name = "mypy-extensions" version = "1.0.0" @@ -398,6 +409,21 @@ docs = ["furo (>=2024.8.6)", "proselint (>=0.14)", "sphinx (>=8.0.2)", "sphinx-a test = ["appdirs (==1.4.4)", "covdefaults (>=2.3)", "pytest (>=8.3.2)", "pytest-cov (>=5)", "pytest-mock (>=3.14)"] type = ["mypy (>=1.11.2)"] +[[package]] +name = "pluggy" +version = "1.5.0" +description = "plugin and hook calling mechanisms for python" +optional = false +python-versions = ">=3.8" +files = [ + {file = "pluggy-1.5.0-py3-none-any.whl", hash = "sha256:44e1ad92c8ca002de6377e165f3e0f1be63266ab4d554740532335b9d75ea669"}, + {file = "pluggy-1.5.0.tar.gz", hash = "sha256:2cffa88e94fdc978c4c574f15f9e59b7f4201d439195c3715ca9e2486f1d0cf1"}, +] + +[package.extras] +dev = ["pre-commit", "tox"] +testing = ["pytest", "pytest-benchmark"] + [[package]] name = "pyasn1" version = "0.6.1" @@ -420,6 +446,26 @@ files = [ {file = "pycparser-2.22.tar.gz", hash = "sha256:491c8be9c040f5390f5bf44a5b07752bd07f56edf992381b05c701439eec10f6"}, ] +[[package]] +name = "pytest" +version = "8.3.3" +description = "pytest: simple powerful testing with Python" +optional = false +python-versions = ">=3.8" +files = [ + {file = "pytest-8.3.3-py3-none-any.whl", hash = "sha256:a6853c7375b2663155079443d2e45de913a911a11d669df02a50814944db57b2"}, + {file = "pytest-8.3.3.tar.gz", hash = "sha256:70b98107bd648308a7952b06e6ca9a50bc660be218d53c257cc1fc94fda10181"}, +] + +[package.dependencies] +colorama = {version = "*", markers = "sys_platform == \"win32\""} +iniconfig = "*" +packaging = "*" +pluggy = ">=1.5,<2" + +[package.extras] +dev = ["argcomplete", "attrs (>=19.2)", "hypothesis (>=3.56)", "mock", "pygments (>=2.7.2)", "requests", "setuptools", "xmlschema"] + [[package]] name = "requests" version = "2.32.3" @@ -461,4 +507,4 @@ zstd = ["zstandard (>=0.18.0)"] [metadata] lock-version = "2.0" python-versions = ">= 3.11" -content-hash = "eef11cd99663782e8179aeb17de6daa2b78aa75fb905a645260e88721b80f8b8" +content-hash = "9383819fb8219250f39c527368ee1c0a2a5d1cc61ef60f234740029a73928341" diff --git a/pyproject.toml b/pyproject.toml index 7d1755c..420c9fc 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -14,6 +14,7 @@ pgpy = ">=0.6.0" [tool.poetry.group.dev.dependencies] black = "*" +pytest = "^8.3.3" [tool.black] line-length = 100 diff --git a/test_rulesets.py b/test_rulesets.py new file mode 100644 index 0000000..e11a9c0 --- /dev/null +++ b/test_rulesets.py @@ -0,0 +1,57 @@ +import gzip +import json +import xml.etree.ElementTree +from pathlib import Path + +LATEST_TIMESTAMP = Path("latest-rulesets-timestamp").read_text().strip() + + +def load_xml_files(): + xml_files = [] + for ruleset in sorted(Path("rulesets").glob("*.xml")): + tree = xml.etree.ElementTree.parse(ruleset) + root = tree.getroot() + # Rebuild the JSON + expected = { + "name": root.attrib["name"], + "target": [root[0].attrib["host"]], + "rule": [{"from": root[1].attrib["from"], "to": root[1].attrib["to"]}], + } + xml_files.append(expected) + return xml_files + + +def test_compressed_matches_xml(): + # Read the contents of the gzipped file + with gzip.open(f"default.rulesets.{LATEST_TIMESTAMP}.gz", "rb") as f: + rulesets = json.load(f) + xml_files = load_xml_files() + + assert rulesets["rulesets"] == xml_files + + +def test_generated_matches_xml(): + # Read the contents of the default file + rulesets = json.loads(Path("rulesets/default.rulesets").read_text()) + xml_files = load_xml_files() + + assert rulesets == xml_files + + +def test_unique_signature(): + """ + For every default.rulesets.*.gz file, there should be a corresponding + rulesets-signature.*.sha256 file with no extras. + """ + rulesets = [] + for path in sorted(Path(".").glob("default.rulesets.*.gz")): + rulesets.append(path.name.split(".")[2]) + + signatures = [] + for path in sorted(Path(".").glob("rulesets-signature.*.sha256")): + signatures.append(path.name.split(".")[1]) + + # Just verify it found *something* + assert LATEST_TIMESTAMP in rulesets + # Now check they're equal + assert rulesets == signatures From c94b549cb78d43561eb55489eb966186c230fa4d Mon Sep 17 00:00:00 2001 From: Kunal Mehta Date: Mon, 30 Sep 2024 18:37:09 -0400 Subject: [PATCH 3/3] Update README for split of generate and signing steps And update the reference that Tor Browser now correctly checks the -2021 variant. --- README.md | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/README.md b/README.md index ff63527..76074a3 100644 --- a/README.md +++ b/README.md @@ -2,7 +2,7 @@ # HTTPS-Everywhere Rulesets for SecureDrop -`securedrop-https-everywhere-ruleset` is used to create a signed HTTPS Everywhere ruleset that maps full-length .onion addresses to user-friendly [onion names](https://securedrop.org/faq/getting-onion-name-your-securedrop/) for some news organizations listed in the [SecureDrop directory](https://securedrop.org/directory/). Any time a new onion name is approved, we add its mapping to our HTTPS Everywhere ruleset and deploy it to https://securedrop.org/https-everywhere/ . Tor Browser automatically includes our ruleset in the default HTTPS Everywhere extension and checks for updates on startup. (Tor Browser will soon switch to checking https://securedrop.org/https-everywhere-2021/ which uses our new release signing key). +`securedrop-https-everywhere-ruleset` is used to create a signed HTTPS Everywhere ruleset that maps full-length .onion addresses to user-friendly [onion names](https://securedrop.org/faq/getting-onion-name-your-securedrop/) for some news organizations listed in the [SecureDrop directory](https://securedrop.org/directory/). Any time a new onion name is approved, we add its mapping to our HTTPS Everywhere ruleset and deploy it to https://securedrop.org/https-everywhere-2021/ . Tor Browser automatically includes our ruleset in the default HTTPS Everywhere extension and checks for updates on startup. ## Development @@ -24,13 +24,11 @@ which will create `test-key.jwk` in your current working directory. 2. Add their domain name and the requested URL to the `onboarded.txt` via PR into this repository. We match the domain based on the landing page of the organization, comparing the `netloc` in a URL with structure `scheme://netloc/path;parameters?query#fragment`. -3. Next, generate and sign the update ruleset using the following command (requires signing key, please ping a key holder for assistance): +3. Next, generate the updated ruleset with `make generate` and review the output. -``` -make rules -``` +4. Once satisfied, you can sign it with `make sign` (requires signing key, please ping a key holder for assistance). -4. Commit all files generated by the script above and open a Pull Request to this repository. Once the PR is merged, the rulesets will automatically be deployed to production. +5. Commit all files generated by the script above and open a Pull Request to this repository. Once the PR is merged, the rulesets will automatically be deployed to production. ## Verifying changes