Merge pull request #7692 from freedomofpress/stg-7670-ossec-fail

legoktm · web-flow · commit 20234825dd90 · 2025-10-30T18:59:21.000Z
ossec: ignore 'failed to find node for hop #1' error from tor
diff --git a/molecule/testinfra/app/test_smoke.py b/molecule/testinfra/app/test_smoke.py
@@ -12,13 +12,26 @@
 sdvars = testutils.securedrop_test_vars
 testinfra_hosts = [sdvars.app_hostname]
 
+_TIMEOUT = 30.0
+_POLL_FREQUENCY = 5.0
 
 JOURNALIST_PUB = "/var/lib/securedrop/journalist.pub"
 WEAK_KEY_CONTENTS = (
     Path(__file__).parent.parent.parent.parent / "redwood/res/weak_sample_key.asc"
 ).read_text()
 
 
+def wait_for(necessary_condition, timeout=_TIMEOUT):
+    """Polling wait for an arbitrary true/false condition"""
+    start_time = time.time()
+    while time.time() - start_time < timeout:
+        if necessary_condition():
+            return True
+        time.sleep(_POLL_FREQUENCY)
+    # one last chance!
+    return necessary_condition()
+
+
 @pytest.mark.parametrize(
     ("name", "url", "curl_flags", "expected"),
     [
@@ -34,13 +47,13 @@ def test_interface_up(host, name, url, curl_flags, expected):
     best to grab the error log and print it via an intentionally failed
     assertion.
     """
-    response = host.run(f"curl -{curl_flags}i {url}").stdout
-    if "200 OK" not in response:
+    if not wait_for(lambda: "200 OK" in host.run(f"curl -{curl_flags}i {url}").stdout):
         # Try to grab the log and print it via a failed assertion
         with host.sudo():
             f = host.file(f"/var/log/apache2/{name}-error.log")
             if f.exists:
                 assert "nopenopenope" in f.content_string
+    response = host.run(f"curl -{curl_flags}i {url}").stdout
     assert "200 OK" in response
     assert expected in response
 
@@ -76,12 +89,19 @@ def test_weak_submission_key(host):
             # give the interfaces a chance to come up - a TODO could be polling here
             time.sleep(10)
             # Now try to hit the JI
-            response = host.run("curl -Li http://localhost:8080/").stdout
-            assert "HTTP/1.1 500 Internal Server Error" in response
+            assert wait_for(
+                lambda: "HTTP/1.1 500 Internal Server Error"
+                in host.run("curl -Li http://localhost:8080/").stdout
+            )
             # Now hit the SI
-            response = host.run("curl -i http://localhost:80/").stdout
-            assert "HTTP/1.1 503 SERVICE UNAVAILABLE" in response  # Flask shouts
-            assert "We're sorry, our SecureDrop is currently offline." in response
+            assert wait_for(
+                lambda: "HTTP/1.1 503 SERVICE UNAVAILABLE"
+                in host.run("curl -i http://localhost:80/").stdout
+            )
+            assert wait_for(
+                lambda: "We're sorry, our SecureDrop is currently offline"
+                in host.run("curl -i http://localhost:80/").stdout
+            )
 
         finally:
             set_public_key(host, old_public_key)
diff --git a/molecule/testinfra/vars/staging.yml b/molecule/testinfra/vars/staging.yml
@@ -126,26 +126,33 @@ log_events_without_ossec_alerts:
     rule_id: "100114"
 
   # #6866
-  - name: NameError_hasattr_does_not_produce_alert
+  - name: test_NameError_hasattr_does_not_produce_alert
     alert: >
       NameError: name 'hasattr' is not defined
     level: "0"
     rule_id: "199996"
 
   # #7491
-  - name: Update_notifier_download_failed_text_no_alert
+  - name: test_Update_notifier_download_failed_text_no_alert
     alert: >
         Download data for packages that failed at package install time
     level: "0"
     rule_id: "199994"
 
   # #7491
-  - name: apt_news_warning_text_no_alert
+  - name: test_apt_news_warning_text_no_alert
     alert: >
         Warning: W:Download is performed unsandboxed as root as file
     level: "0"
     rule_id: "199995"
 
+  # #7670
+  - name: test_tor_hop_failure_no_alert
+    alert: >
+       Failed to find node for hop #1 of our path. Discarding this circuit.
+    level: "0"
+    rule_id: "199997"
+
   # OSSEC should not alert when "manage.py check-disconnected-{db,fs}-
   # submissions" has logged that there are no disconnected submissions.
   - name: test_no_disconnected_db_submissions_produces_alert
diff --git a/securedrop/debian/ossec-server/var/ossec/rules/local_rules.xml b/securedrop/debian/ossec-server/var/ossec/rules/local_rules.xml
@@ -118,6 +118,12 @@
 </group>
 
 <group name="do not alert">
+  <rule id="199993" level="0">
+    <match>Failed to find node for hop</match>
+    <description>ignore non-fatal error generated by Tor</description>
+    <options>no_email_alert</options>
+   </rule>
+
   <rule id="199994" level="0">
     <match>Download data for packages that failed at package install time</match>
     <description>ignore update_notifier_download.service text with "failed" string (https://github.com/freedomofpress/securedrop/issues/7491)</description>
