Merge branch 'stable' into devel

features/step_definitions/browser.rb

@@ -243,7 +243,7 @@ Then /^I can listen to an Ogg audio track in Tor Browser$/ do
 end
 
 Then /^I can watch a WebM video in Tor Browser$/ do
-  test_url = 'https://tails.boum.org/lib/test_suite/test.webm'
+  test_url = WEBM_VIDEO_URL
   info = xul_application_info('Tor Browser')
   open_test_url = Proc.new do
     step "I open the address \"#{test_url}\" in the Tor Browser"

features/step_definitions/common_steps.rb

@@ -826,7 +826,7 @@ Given /^a web server is running on the LAN$/ do
   end
   server.start
 EOF
-  add_lan_host(@web_server_ip_addr, @web_server_port)
+  add_extra_allowed_host(@web_server_ip_addr, @web_server_port)
   proc = IO.popen(['ruby', '-e', code])
   try_for(10, :msg => "It seems the LAN web server failed to start") do
     Process.kill(0, proc.pid) == 1

features/step_definitions/ssh.rb

@@ -76,7 +76,7 @@ Given /^an SSH server is running on the LAN$/ do
   @sshd_server_host = $vmnet.bridge_ip_addr
   sshd = SSHServer.new(@sshd_server_host, @sshd_server_port)
   sshd.start
-  add_lan_host(@sshd_server_host, @sshd_server_port)
+  add_extra_allowed_host(@sshd_server_host, @sshd_server_port)
   add_after_scenario_hook { sshd.stop }
 end
 

features/step_definitions/totem.rb

+require 'resolv'
+require 'uri'
+
 Given /^I create sample videos$/ do
   @video_dir_on_host = "#{$config["TMPDIR"]}/video_dir"
   FileUtils.mkdir_p(@video_dir_on_host)
@@ -32,8 +35,39 @@ When /^I close Totem$/ do
   step 'I kill the process "totem"'
 end
 
+def disable_tor_reject_internal_addresses
+  client_torrc_lines = [
+    'ClientDNSRejectInternalAddresses 0',
+    'ClientRejectInternalAddresses 0',
+  ]
+  $vm.file_append('/etc/tor/torrc', client_torrc_lines)
+  $vm.execute("systemctl stop tor@default.service")
+  $vm.execute("systemctl --no-block restart tails-tor-has-bootstrapped.target")
+  $vm.execute("systemctl start tor@default.service")
+  wait_until_tor_is_working
+end
+
 Then /^I can watch a WebM video over HTTPs$/ do
-  test_url = 'https://tails.boum.org/lib/test_suite/test.webm'
+  test_url = WEBM_VIDEO_URL
+  host = URI(test_url).host
+
+  # These tricks are needed because on Jenkins, tails.boum.org
+  # resolves to a RFC 1918 address (#10442), which tor would not allow
+  # connecting to, and the firewall leak checker would make a fuss
+  # out of it.
+  resolver = Resolv::DNS.new
+  rfc1918_ips = resolver.getaddresses(host).select do |addr|
+    # This crude "is it a RFC 1918 IP address?" check is just accurate enough
+    # for our current needs. We'll improve it if/as needed.
+    addr.class == Resolv::IPv4 && addr.to_s.start_with?('192.168.')
+  end
+  if rfc1918_ips.count > 0
+    disable_tor_reject_internal_addresses
+  end
+  rfc1918_ips.each do |ip|
+    add_extra_allowed_host(ip.to_s, 443)
+  end
+
   recovery_on_failure = Proc.new do
     step 'I close Totem'
   end

features/support/config.rb

@@ -82,3 +82,4 @@ VM_XML_PATH = "#{Dir.pwd}/features/domains"
 
 TAILS_SIGNING_KEY = cmd_helper(". #{Dir.pwd}/config/amnesia; echo ${AMNESIA_DEV_KEYID}").tr(' ', '').chomp
 TAILS_DEBIAN_REPO_KEY = "221F9A3C6FA3E09E182E060BC7988EA7A358D82E"
+WEBM_VIDEO_URL = 'https://tails.boum.org/lib/test_suite/test.webm'

features/support/helpers/misc_helpers.rb

@@ -232,7 +232,7 @@ def all_tor_hosts
 end
 
 def allowed_hosts_under_tor_enforcement
-  all_tor_hosts + @lan_hosts
+  all_tor_hosts + @extra_allowed_hosts
 end
 
 def get_free_space(machine, path)

features/support/hooks.rb

@@ -146,18 +146,18 @@ rescue Exception => e
 end
 
 # Due to Tails' Tor enforcement, we only allow contacting hosts that
-# are Tor nodes or located on the LAN. However, when we try
-# to verify that only such hosts are contacted we have a problem --
-# we run all Tor nodes (via Chutney) *and* LAN hosts (used on some
-# tests) on the same host, the one running the test suite. Hence we
-# need to always explicitly track which nodes are LAN or not.
+# are Tor nodes, located on the LAN, or allowed for some operational reason.
+# However, when we try to verify that only such hosts are contacted we have
+# a problem -- we run all Tor nodes (via Chutney) *and* LAN hosts (used on
+# some tests) on the same host, the one running the test suite. Hence we
+# need to always explicitly track which nodes are allowed or not.
 #
 # Warning: when a host is added via this function, it is only added
 # for the current scenario. As such, if this is done before saving a
 # snapshot, it will not remain after the snapshot is loaded.
-def add_lan_host(ipaddr, port)
-  @lan_hosts ||= []
-  @lan_hosts << { address: ipaddr, port: port }
+def add_extra_allowed_host(ipaddr, port)
+  @extra_allowed_hosts ||= []
+  @extra_allowed_hosts << { address: ipaddr, port: port }
 end
 
 BeforeFeature('@product') do |feature|
@@ -242,8 +242,8 @@ Before('@product') do |scenario|
   @os_loader = "MBR"
   @sudo_password = "asdf"
   @persistence_password = "asdf"
-  # See comment for add_lan_host() above.
-  @lan_hosts ||= []
+  # See comment for add_extra_allowed_host() above.
+  @extra_allowed_hosts ||= []
 end
 
 # Cucumber After hooks are executed in the *reverse* order they are

features/totem.feature

@@ -45,8 +45,7 @@ Feature: Using Totem
     Then I see "TotemUnableToOpen.png" after at most 10 seconds
     And AppArmor has denied "/usr/bin/totem" from opening "/home/amnesia/.purple/otr.private_key"
 
-  #10442
-  @check_tor_leaks @fragile
+  @check_tor_leaks
   Scenario: Watching a WebM video over HTTPS
     Given I have started Tails from DVD and logged in and the network is connected
     Then I can watch a WebM video over HTTPs