From 39424d3d64d5bd04cc6c5c4b0011d831c07fd3c6 Mon Sep 17 00:00:00 2001
From: Kunal Mehta
Date: Tue, 27 Jun 2023 17:34:45 -0400
Subject: [PATCH] Build Rust redwood wheel during packaging process
Use maturin to build the redwood wheel and then install it into the virtualenv shipped in the Debian package. A testinfra check is added that verifies the redwood wheel is importable and is able to generate a key pair. Fixes #6817.
---
 builder/build-debs-securedrop.sh | 3 +++
 builder/tests/test_securedrop_deb_package.py | 2 ++
 molecule/testinfra/app/test_smoke.py | 18 ++++++++++++++++++
 securedrop/debian/rules | 4 ++++
 securedrop/debian/translations.sh | 2 --
 5 files changed, 27 insertions(+), 2 deletions(-)
diff --git a/builder/build-debs-securedrop.sh b/builder/build-debs-securedrop.sh
index 11a36145889..4e449696d73 100755
--- a/builder/build-debs-securedrop.sh
+++ b/builder/build-debs-securedrop.sh
@@ -4,11 +4,14 @@
 export PIP_DISABLE_PIP_VERSION_CHECK=1
 export PIP_PROGRESS_BAR=off
+export CARGO_TERM_COLOR=never
+export CARGO_TERM_PROGRESS_WHEN=never
 set -euxo pipefail
 # Make a copy of the source tree since we do destructive operations on it
 cp -R /src/securedrop /srv/securedrop
+cp -R /src/redwood /srv/redwood
 cd /srv/securedrop/
 # Control the version of setuptools used in the default construction of virtual environments
diff --git a/builder/tests/test_securedrop_deb_package.py b/builder/tests/test_securedrop_deb_package.py
index 667245daac6..8f8761373ae 100644
--- a/builder/tests/test_securedrop_deb_package.py
+++ b/builder/tests/test_securedrop_deb_package.py
@@ -9,6 +9,7 @@
 subprocess.check_output(["git", "rev-parse", "--show-toplevel"]).decode().strip()
 )
 DEB_PATHS = list((SECUREDROP_ROOT / "build/focal").glob("*.deb"))
+SITE_PACKAGES = "/opt/venvs/securedrop-app-code/lib/python3.8/site-packages"
 @pytest.fixture(scope="module")
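Review bot: `cp -R /src/redwood /srv/redwood` in builder/build-debs-securedrop.sh copies the whole tree, so any `target/` directory or previously built `redwood-*.whl` already sitting under /src/redwood is carried into the build area. The second securedrop/debian/rules hunk then installs `/srv/redwood/redwood-*.whl` by glob, so a stale wheel from the checkout could match alongside, or instead of, the one built in this run. Clearing old artifacts right after the copy, e.g. `rm -rf /srv/redwood/target /srv/redwood/redwood-*.whl`, would ensure only the freshly built wheel can end up in the package. Where build-wheel.py writes its output is not visible in this patch, so the wheel location is inferred from that glob.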
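Review bot: `SITE_PACKAGES` hard-codes `python3.8`, and the path added to the `test_app_code_paths` parametrization in the next hunk separately hard-codes `cpython-38-x86_64-linux-gnu`, so the interpreter version is now spelled out in two places on top of the existing `build/focal` path. A comment above the constant, such as `# Python 3.8 is the focal interpreter; keep in sync with DEB_PATHS and the redwood .so name below`, would make that coupling explicit for whoever adds the next release target.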
@@ -69,6 +70,7 @@ def test_deb_package_contains_expected_conffiles(deb: Path):
 "/var/www/securedrop/.well-known/pki-validation/",
 "/var/www/securedrop/translations/messages.pot",
 "/var/www/securedrop/translations/de_DE/LC_MESSAGES/messages.mo",
+ f"{SITE_PACKAGES}/redwood/redwood.cpython-38-x86_64-linux-gnu.so",
 ),
 )
 def test_app_code_paths(securedrop_app_code_contents: str, path: str):
diff --git a/molecule/testinfra/app/test_smoke.py b/molecule/testinfra/app/test_smoke.py
index 6145745c1e3..8cf031dc799 100644
--- a/molecule/testinfra/app/test_smoke.py
+++ b/molecule/testinfra/app/test_smoke.py
@@ -1,6 +1,8 @@
 """
 Basic smoke tests that verify the apps are functioning as expected
 """
+import json
+
 import pytest
 import testutils
@@ -31,3 +33,19 @@ def test_interface_up(host, name, url, curl_flags):
 assert "nopenopenope" in f.content_string
 assert "200 OK" in response
 assert "Powered by" in response
+
+
+def test_redwood(host):
+ """
+ Verify the redwood wheel was built and installed properly and basic
+ functionality works
+ """
+ response = host.run(
+ "/opt/venvs/securedrop-app-code/bin/python3 -c "
+ "'import redwood; import json; print("
+ 'json.dumps(redwood.generate_source_key_pair("abcde", "test@invalid")))\''
+ )
+ parsed = json.loads(response.stdout)
+ assert "-----BEGIN PGP PUBLIC KEY BLOCK-----" in parsed[0]
+ assert "-----BEGIN PGP PRIVATE KEY BLOCK-----" in parsed[1]
+ assert len(parsed[2]) == 40
diff --git a/securedrop/debian/rules b/securedrop/debian/rules
index 1c21ac92a3a..b8a8d1e3f8f 100755
--- a/securedrop/debian/rules
+++ b/securedrop/debian/rules
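Review bot: `test_redwood` passes `response.stdout` straight to `json.loads` without first checking that the command succeeded, so a failed import or a crash in the extension surfaces as a `JSONDecodeError` while the real error in stderr is dropped. Adding `assert response.rc == 0, response.stderr` before the `json.loads` call would make such a failure readable. The third element is only checked for length 40; if it is meant to be the hex key fingerprint, asserting that it is hexadecimal would also catch a wrong field being returned.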
@@ -21,6 +21,8 @@ override_dh_installdeb:
 echo "" > ${CURDIR}/debian/securedrop-keyring/DEBIAN/conffiles
 override_dh_auto_install:
+ # Build redwood wheel
+ python3 /srv/redwood/build-wheel.py --release --redwood /srv/redwood --target /srv/redwood/target
 # Set up virtualenv and install dependencies
 /usr/bin/python3 -m venv ./debian/securedrop-app-code/opt/venvs/securedrop-app-code
 ./debian/securedrop-app-code/opt/venvs/securedrop-app-code/bin/pip install $(PIP_ARGS) \
@@ -29,6 +31,8 @@ override_dh_auto_install:
 pip==21.3
 ./debian/securedrop-app-code/opt/venvs/securedrop-app-code/bin/pip install $(PIP_ARGS) \
 -r requirements/python3/requirements.txt
+ ./debian/securedrop-app-code/opt/venvs/securedrop-app-code/bin/pip install $(PIP_ARGS) \
+ /srv/redwood/redwood-*.whl
 # Update paths to point to install destination
 find ./debian/securedrop-app-code/ -type f -exec sed -i "s#$(shell pwd)/debian/securedrop-app-code##" {} \;
 dh_auto_install $@
diff --git a/securedrop/debian/translations.sh b/securedrop/debian/translations.sh
index 53538864c1a..9f164c0566b 100644
--- a/securedrop/debian/translations.sh
+++ b/securedrop/debian/translations.sh
@@ -1,8 +1,6 @@
 #!/bin/bash
 set -ex
-export PATH="${PATH}:/root/.cargo/bin"
-
 # We create the virtualenv separately from the "pip install" commands below,
 # to make error-reporting a bit more obvious. We also update beforehand,
 # beyond what the system version provides, see #6317.
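Review bot: The new build step in the first securedrop/debian/rules hunk runs `/srv/redwood/build-wheel.py`, which is not part of this patch, so it is not visible here whether the cargo/maturin build it wraps is pinned to `Cargo.lock` (for example by passing `--locked`). The resulting binary ships inside securedrop-app-code, so this is worth confirming. Once confirmed, the comment could record it, e.g. `# Build redwood wheel from the copied tree with locked Rust dependencies`. The enclosing `override_dh_auto_install` target continues past this hunk.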