Merge pull request #7606 from freedomofpress/admin-deb

Refactor `securedrop-admin` to be a Debian package

Author: legoktm

.github/workflows/build.yml

@@ -34,12 +34,15 @@ jobs:
       - uses: actions/setup-python@v6
         with:
           python-version: ${{ matrix.versions.python }}
-      - name: Build packages
+      - name: Build SecureDrop packages
         run: |
-          UBUNTU_VERSION=${{ matrix.versions.ubuntu }} ./builder/build-debs.sh
+          OS_VERSION=${{ matrix.versions.ubuntu }} ./builder/build-debs.sh
       - name: Build OSSEC packages
         run: |
-          UBUNTU_VERSION=${{ matrix.versions.ubuntu }} WHAT=ossec ./builder/build-debs.sh
+          OS_VERSION=${{ matrix.versions.ubuntu }} WHAT=ossec ./builder/build-debs.sh
+      - name: Build admin packages
+        run: |
+          OS_VERSION=${{ matrix.versions.ubuntu }} WHAT=admin ./builder/build-debs.sh
       - uses: actions/upload-artifact@v5
         id: upload
         with:
@@ -67,7 +70,7 @@ jobs:
         run: |
           find . -name '*.deb' -exec sha256sum {} \;
           # FIXME: securedrop-app-code isn't reproducible
-          for pkg in ossec-agent ossec-server securedrop-config securedrop-keyring securedrop-ossec-agent securedrop-ossec-server
+          for pkg in ossec-agent ossec-server securedrop-config securedrop-keyring securedrop-ossec-agent securedrop-ossec-server securedrop-admin
           do
               echo "Checking ${pkg}..."
               diffoscope ${{ matrix.ubuntu_version }}-one/${pkg}_*.deb ${{ matrix.ubuntu_version }}-two/${pkg}_*.deb

.github/workflows/ci.yml

@@ -121,27 +121,6 @@ jobs:
           make rust-lint
           make rust-test
 
-  updater-gui-tests:
-    runs-on: ubuntu-latest
-    container: debian:bookworm
-    steps:
-      - name: Install dependencies
-        run: |
-          apt-get update && apt-get install --yes git libqt5designer5 python3-venv
-      - uses: actions/checkout@v5
-        with:
-          persist-credentials: false
-      - name: Install Python dependencies
-        run: |
-          cd journalist_gui
-          python3 -m venv .venv/ && source .venv/bin/activate
-          pip install --require-hashes -r dev-requirements.txt
-      - name: Run tests
-        run: |
-          cd journalist_gui
-          source .venv/bin/activate
-          QT_QPA_PLATFORM=offscreen python3 test_gui.py -v
-
   admin-tests:
     runs-on: ubuntu-latest
     steps:

.gitignore

@@ -181,4 +181,7 @@ securedrop/geckodriver.log
 
 # Rust build artifacts
 target/
-redwood/build/
+redwood/build/
+
+# Admin build artifacts
+admin/build/

Makefile

@@ -34,7 +34,7 @@ update-admin-pip-requirements:  ## Update admin requirements.
 .PHONY: update-python3-requirements
 update-python3-requirements:  ## Update Python 3 requirements with pip-compile.
 	@echo "███ Updating Python 3 requirements files..."
-	@SLIM_BUILD=1 UBUNTU_VERSION=noble $(DEVSHELL) $(SDBIN)/update-requirements
+	@SLIM_BUILD=1 OS_VERSION=noble $(DEVSHELL) $(SDBIN)/update-requirements
 
 .PHONY: update-pip-requirements
 update-pip-requirements: update-admin-pip-requirements update-python3-requirements ## Update all requirements with pip-compile.
@@ -499,6 +499,29 @@ build-debs-ossec-notest: ## Build OSSEC Debian packages without running tests
 	@echo "$(SCRIPT_MESSAGE)"
 	@echo "$(OUT)"
 
+.PHONY: build-debs-admin
+build-debs-admin: OUT:=$(SCRIPT_OUTPUT_PREFIX)-securedrop-admin.$(SCRIPT_OUTPUT_EXT)
+build-debs-admin: ## Build admin Debian packages
+	@echo "Building admin Debian packages"
+	@export TERM=dumb
+	@WHAT=admin script \
+		--command $(SDROOT)/builder/build-debs.sh --return \
+		$(OUT)
+	@echo
+	@echo "$(SCRIPT_MESSAGE)"
+	@echo "$(OUT)"
+
+.PHONY: build-debs-admin-notest
+build-debs-admin-notest: OUT:=$(SCRIPT_OUTPUT_PREFIX)-securedrop-admin.$(SCRIPT_OUTPUT_EXT)
+build-debs-admin-notest: ## Build admin Debian packages without running tests
+	@echo "Building admin Debian packages, skipping tests..."
+	@export TERM=dumb
+	@NOTEST=1 WHAT=admin script \
+	       --command $(SDROOT)/builder/build-debs.sh --return \
+	       $(OUT)
+	@echo
+	@echo "$(SCRIPT_MESSAGE)"
+	@echo "$(OUT)"
 
 ########################
 #

admin/Dockerfile

@@ -1,23 +1,55 @@
 # debian:trixie 2025-08-25
 FROM debian@sha256:6d87375016340817ac2391e670971725a9981cfc24e221c47734681ed0f6c0f5
 ARG USER_NAME
-ENV USER_NAME ${USER_NAME:-root}
+ENV USER_NAME=${USER_NAME:-root}
 ARG USER_ID
-ENV USER_ID ${USER_ID:-0}
+ENV USER_ID=${USER_ID:-0}
 
-ENV LC_ALL C.UTF-8
-ENV LANG C.UTF-8
+ENV LC_ALL=C.UTF-8
+ENV LANG=C.UTF-8
 
-RUN apt-get update && \
-    apt-get install -y python3 sudo gnupg2 git sq
-RUN if test $USER_NAME != root ; then useradd --no-create-home --home-dir /tmp --uid $USER_ID $USER_NAME && echo "$USER_NAME ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers ; fi
+# Install deps for building securedrop-admin package
+ARG DEBIAN_FRONTEND=noninteractive
+RUN apt-get -y update && \
+    apt-get -y upgrade && \
+    apt-get -y install \
+    coreutils \
+    debhelper \
+    devscripts \
+    dh-python \
+    make \
+    pkg-config \
+    python3-all \
+    python3-pip \
+    python3-setuptools \
+    python3-venv \
+    rsync \
+    sudo \
+    tzdata \
+    unzip \
+    virtualenv \
+    gnupg2 \
+    git
 
-WORKDIR /opt/admin
-COPY . /opt
-RUN rm -rf /opt/admin/.venv3
-RUN cd /opt/admin && python3 bootstrap.py -v
-ENV VIRTUAL_ENV /opt/admin/.venv3
-ENV PATH="$VIRTUAL_ENV/bin:$PATH"
-RUN pip3 install --no-deps --require-hashes -r /opt/admin/requirements-dev.txt
+# Add user if necessary
+RUN if test $USER_NAME != root ; then \
+        useradd --no-create-home --home-dir /tmp --uid $USER_ID $USER_NAME && \
+        echo "$USER_NAME ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers ; \
+    fi
 
-RUN chown -R $USER_NAME /opt
+WORKDIR /src
+COPY . /src
+
+# Build and install the securedrop-admin package
+ENV PATH="/usr/share/securedrop-admin/venv/bin:$PATH"
+RUN ln -s /src/builder/fixup-changelog.sh /fixup-changelog
+RUN /src/builder/build-debs-admin.sh
+RUN apt-get install -y /src/build/trixie/securedrop-admin_*+trixie_amd64.deb
+
+# Install dev dependencies in a separate venv
+RUN /usr/bin/python3 -m venv /opt/admin-dev/venv
+RUN /opt/admin-dev/venv/bin/pip install --no-deps --require-hashes -r /src/admin/requirements-dev.txt
+
+WORKDIR /src/admin
+
+RUN chown -R $USER_NAME /src

admin/Makefile

@@ -3,14 +3,14 @@ DEFAULT_GOAL: help
 .PHONY: test
 test:  ## Run tox
 	@echo "NB.  This can be VERY slow.  If you find yourself running this test suite multiple times, you may prefer to \"docker run -it securedrop-admin bash\", install the editor of your choice into the container and edit there, and run \"tox\" directly as you work."
-	bin/dev-shell tox
+	bin/dev-shell /opt/admin-dev/venv/bin/tox
 
 .PHONY: update-pip-requirements
 update-pip-requirements: ## Updates all Python requirements files via pip-compile.
 	@echo "███ Updating admin pip requirements..."
-	@bin/dev-shell pip-compile --allow-unsafe --generate-hashes --output-file requirements.txt requirements.in requirements-ansible.in
-	@bin/dev-shell pip-compile --allow-unsafe --generate-hashes --output-file requirements-testinfra.txt requirements.in requirements-ansible.in requirements-testinfra.in
-	@bin/dev-shell pip-compile --allow-unsafe --generate-hashes --output-file requirements-dev.txt requirements-dev.in
+	@bin/dev-shell /opt/admin-dev/venv/bin/pip-compile --allow-unsafe --generate-hashes --output-file requirements.txt requirements.in requirements-ansible.in
+	@bin/dev-shell /opt/admin-dev/venv/bin/pip-compile --allow-unsafe --generate-hashes --output-file requirements-testinfra.txt requirements.in requirements-ansible.in requirements-testinfra.in
+	@bin/dev-shell /opt/admin-dev/venv/bin/pip-compile --allow-unsafe --generate-hashes --output-file requirements-dev.txt requirements-dev.in
 
 # Explanation of the below shell command should it ever break.
 # 1. Set the field separator to ": ##" and any make targets that might appear between : and ##

admin/bin/dev-shell

@@ -17,14 +17,11 @@ if test -t 0; then
 fi
 
 function docker_image() {
-    local out
-    out="$(mktemp)"
     cd "${TOPLEVEL}"
     if ! docker build \
            --build-arg=USER_ID="$(id -u)" \
            --build-arg=USER_NAME="${USER:-root}" \
-           ${DOCKER_BUILD_ARGUMENTS:-} -t securedrop-admin -f admin/Dockerfile . >& "$out" ; then
-        cat "$out"
+           ${DOCKER_BUILD_ARGUMENTS:-} -t securedrop-admin -f admin/Dockerfile . ; then
         status=1
     else
         status=0

admin/bin/securedrop-admin-packaged

@@ -0,0 +1,6 @@
+#!/usr/share/securedrop-admin/venv/bin/python3
+import sys
+
+from securedrop_admin import main
+
+main(sys.argv[1:])

admin/bootstrap-tails-wrapper.sh

@@ -0,0 +1,73 @@
+#!/bin/bash
+# Bootstrap script for fresh Tails installations
+# This script sets up SecureDrop admin tools on Tails via APT
+set -e
+set -o pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+
+# Check if running on Tails
+if ! grep -q 'NAME="Tails"' /etc/os-release; then
+    zenity --error \
+        --title="Unsupported Platform" \
+        --width=500 \
+        --text="This command only works on Tails.\n\nCurrent platform is not supported."
+    exit 1
+fi
+
+echo "========================================"
+echo "SecureDrop Admin Tools Bootstrap"
+echo "========================================"
+echo ""
+echo "This will install the SecureDrop admin tools on Tails..."
+echo ""
+
+# Run the root script
+ROOT_SCRIPT="$SCRIPT_DIR/configure-tails-persistence.sh"
+echo "Configuring Tails persistence (requires password)..."
+if ! pkexec bash "$ROOT_SCRIPT"; then
+    echo ""
+    echo "========================================"
+    echo "ERROR: Bootstrap failed!"
+    echo "========================================"
+    echo ""
+    zenity --error \
+        --title="Bootstrap Failed" \
+        --width=500 \
+        --text="Failed to configure Tails persistence.\n\nPlease see the terminal output for details."
+    exit 1
+fi
+
+# Verify installation
+if ! command -v /usr/bin/securedrop-admin >/dev/null 2>&1; then
+    echo ""
+    echo "========================================"
+    echo "ERROR: Installation failed!"
+    echo "========================================"
+    echo ""
+    zenity --error \
+        --title="Bootstrap Failed" \
+        --width=500 \
+        --text="Package installed but securedrop-admin command not found.\n\nInstallation may have failed."
+    exit 1
+fi
+
+echo ""
+echo "========================================"
+echo "Bootstrap completed successfully!"
+echo "========================================"
+echo ""
+
+# Inform user to click Install Every Time
+zenity --info \
+    --title="Click Install Every Time" \
+    --width=500 \
+    --text="In the Additional Software notification above, click \"Install Every Time\"."
+
+# Show final instructions
+zenity --info \
+    --title="Reboot Tails" \
+    --width=500 \
+    --text="Please REBOOT Tails to complete bootstrapping SecureDrop Admin Tools."
+
+exit 0