Added alert to admin interface of instances still on Trusty after Mar 4

install_files/ansible-base/roles/build-securedrop-app-code-deb-pkg/files/usr.sbin.apache2

@@ -63,6 +63,7 @@
   /etc/apache2/sites-enabled/ r,
   /etc/ld.so.cache r,
   /etc/localtime r,
+  /etc/lsb-release r,
   /etc/magic r,
   /etc/mime.types r,
   /etc/services r,
@@ -259,6 +260,7 @@
   /var/www/securedrop/static/i/font-awesome/lock-black.png r,
   /var/www/securedrop/static/i/font-awesome/refresh-blue.png r,
   /var/www/securedrop/static/i/font-awesome/refresh-white.png r,
+  /var/www/securedrop/static/i/font-awesome/skull-crossbones-white.png r,
   /var/www/securedrop/static/i/font-awesome/times-white.png r,
   /var/www/securedrop/static/i/font-awesome/trash-black.png r,
   /var/www/securedrop/static/i/toronion.png r,

securedrop/journalist_app/__init__.py

@@ -12,6 +12,7 @@
 import i18n
 import template_filters
 import version
+import platform
 
 from crypto_util import CryptoUtil
 from db import db
@@ -61,6 +62,12 @@ def create_app(config):
     app.config['SQLALCHEMY_DATABASE_URI'] = db_uri
     db.init_app(app)
 
+    # Magic values for Xenial upgrade message
+    app.config.update(
+        XENIAL_WARNING_DATE=datetime.strptime('Mar 4 2019', '%b %d %Y'),
+        XENIAL_VER='16.04'
+    )
+
     app.storage = Storage(config.STORE_DIR,
                           config.TEMP_DIR,
                           config.JOURNALIST_KEY)
@@ -135,6 +142,10 @@ def setup_g():
         g.html_lang = i18n.locale_to_rfc_5646(g.locale)
         g.locales = i18n.get_locale2name()
 
+        if (platform.linux_distribution()[1] != app.config['XENIAL_VER'] and
+                datetime.now() >= app.config['XENIAL_WARNING_DATE']):
+            g.show_xenial_warning = True
+
         if request.path.split('/')[1] == 'api':
             pass  # We use the @token_required decorator for the API endpoints
         else:  # We are not using the API

securedrop/journalist_templates/base.html

@@ -20,6 +20,15 @@
   <body>
 
     {% if g.user %}
+
+        {% if g.show_xenial_warning %}
+    <div class="xenial-upgrade critical">
+        <img class="critical-skull" src="{{ url_for('static', filename='i/font-awesome/skull-crossbones-white.png') }}" 
+             width="14px" height="16px">
+        {{ gettext ('<strong>Critical Security:</strong> The operating system used by your SecureDrop servers has reached its end-of-life. A manual update is urgently required to remain safe - <a href="//securedrop.org/xenial-upgrade" rel="noreferrer">Learn More</a>') }}
+    </div>
+        {% endif %}
+
     <div id="logout">
       {{ gettext('Logged on as') }} <a href="{{ url_for('account.edit') }}" id="link-edit-account">{{ g.user.username }}</a> |
       {% if g.user and g.user.is_admin %}

securedrop/sass/_base.sass

@@ -39,6 +39,8 @@
 @import modules/panel
 // Warning - Messages to user e.g. about protecting your security by turning Tor settings to high
 @import modules/warning
+// Critical - Messages to admin about issues that compromise security of instance
+@import modules/critical
 // Confirm prompt - When deleting something this prompt is shown
 @import modules/confirm-prompt
 // 'Serious' text - Seems to be unused. Delete?
@@ -121,6 +123,7 @@
   +cols
   +panel
   +warning
+  +critical
   +confirm-prompt
   +serious-text
   +code

securedrop/sass/modules/_critical.sass

@@ -0,0 +1,20 @@
+=critical
+  .critical
+    display: block
+    background-color: $color_warning_red
+    color: white
+    padding: 10px 0
+    width: 100%
+    text-align: center
+    font-size: small
+    box-sizing: border-box
+    -moz-box-sizing: border-box
+
+    a
+      color: white
+
+  #critical-close
+    cursor: pointer
+
+  img.critical-skull
+    vertical-align: sub

securedrop/tests/test_journalist.py

@@ -5,6 +5,7 @@
 import random
 import zipfile
 import base64
+import datetime
 
 from base64 import b64decode
 from cStringIO import StringIO
@@ -1585,6 +1586,55 @@ def test_render_locales(config, journalist_app, test_journo, test_source):
     assert url_end + '?l=en_US' in text, text
 
 
+def test_render_xenial_positive(config, journalist_app, test_journo):
+    yesterday = datetime.datetime.now() - datetime.timedelta(days=1)
+    journalist_app.config.update(
+        XENIAL_WARNING_DATE=yesterday,
+        XENIAL_VER='16.04'
+    )
+
+    with journalist_app.test_client() as app:
+        _login_user(app, test_journo['username'], test_journo['password'],
+                    test_journo['otp_secret'])
+
+        resp = app.get(url_for('main.index'))
+
+    text = resp.data.decode('utf-8')
+    assert "critical-skull" in text, text
+
+
+def test_render_xenial_negative_version(config, journalist_app, test_journo):
+    yesterday = datetime.datetime.now() - datetime.timedelta(days=1)
+    journalist_app.config.update(
+        XENIAL_WARNING_DATE=yesterday,
+        XENIAL_VER='14.04'
+    )
+
+    with journalist_app.test_client() as app:
+        _login_user(app, test_journo['username'], test_journo['password'],
+                    test_journo['otp_secret'])
+        resp = app.get('/')
+
+    text = resp.data.decode('utf-8')
+    assert "critical-skull" not in text, text
+
+
+def test_render_xenial_negative_date(config, journalist_app, test_journo):
+    tomorrow = datetime.datetime.now() + datetime.timedelta(days=1)
+    journalist_app.config.update(
+        XENIAL_WARNING_DATE=tomorrow,
+        XENIAL_VER='16.04'
+    )
+
+    with journalist_app.test_client() as app:
+        _login_user(app, test_journo['username'], test_journo['password'],
+                    test_journo['otp_secret'])
+        resp = app.get('/')
+
+    text = resp.data.decode('utf-8')
+    assert "critical-skull" not in text, text
+
+
 def test_download_selected_submissions_from_source(journalist_app,
                                                    test_journo,
                                                    test_source):