author: intrigeri <intrigeri@boum.org> 2016-06-10 19:29:16 +0000
committer: intrigeri <intrigeri@boum.org> 2016-06-10 19:29:16 +0000
commit: f60879e27a1525af2479c59fccea9eb448af58b6
tree: 8812f0fb29b052a93b449a36eea691ae978bcc4c /features
parent: 5b7351dffb749544715c9e455dda13281cb4e755
parent: dadd01c05f91b6109eb083a4b72bef890901a9eb
Merge remote-tracking branch 'origin/stable' into test/9707-power-off-after-memory-erasure
Diffstat (limited to 'features')
-rw-r--r-- features/apt.feature 5
-rw-r--r-- features/build.feature 220
-rw-r--r-- features/checks.feature 7
-rw-r--r-- features/chutney/test-network 56
-rw-r--r-- features/dhcp.feature 2
-rw-r--r-- features/electrum.feature 8
-rw-r--r-- features/encryption.feature 3
-rw-r--r-- features/evince.feature 2
-rw-r--r-- features/i2p.feature 10
-rw-r--r-- features/icedove.feature 10
-rw-r--r-- features/images/CupsTestPage.png bin 14411 -> 2859 bytes
-rw-r--r-- features/images/GnomeApplicationsAccessories.png bin 1025 -> 0 bytes
-rw-r--r-- features/images/GnomeApplicationsAdministration.png bin 2667 -> 0 bytes
-rw-r--r-- features/images/GnomeApplicationsConfigurePersistentVolume.png bin 3214 -> 0 bytes
-rw-r--r-- features/images/GnomeApplicationsDeletePersistentVolume.png bin 2803 -> 0 bytes
-rw-r--r-- features/images/GnomeApplicationsElectrum.png bin 2927 -> 0 bytes
-rw-r--r-- features/images/GnomeApplicationsFiles.png bin 1849 -> 0 bytes
-rw-r--r-- features/images/GnomeApplicationsGedit.png bin 2201 -> 0 bytes
-rw-r--r-- features/images/GnomeApplicationsGobby.png bin 2304 -> 0 bytes
-rw-r--r-- features/images/GnomeApplicationsI2PBrowser.png bin 3606 -> 0 bytes
-rw-r--r-- features/images/GnomeApplicationsIcedove.png bin 2991 -> 0 bytes
-rw-r--r-- features/images/GnomeApplicationsInternet.png bin 603 -> 0 bytes
-rw-r--r-- features/images/GnomeApplicationsPidgin.png bin 3208 -> 0 bytes
-rw-r--r-- features/images/GnomeApplicationsPreferences.png bin 1705 -> 0 bytes
-rw-r--r-- features/images/GnomeApplicationsSeahorse.png bin 3422 -> 0 bytes
-rw-r--r-- features/images/GnomeApplicationsSoundVideo.png bin 1431 -> 0 bytes
-rw-r--r-- features/images/GnomeApplicationsSynaptic.png bin 4219 -> 0 bytes
-rw-r--r-- features/images/GnomeApplicationsSystem.png bin 1313 -> 0 bytes
-rw-r--r-- features/images/GnomeApplicationsTails.png bin 498 -> 0 bytes
-rw-r--r-- features/images/GnomeApplicationsTailsInstaller.png bin 2127 -> 0 bytes
-rw-r--r-- features/images/GnomeApplicationsTerminal.png bin 2220 -> 0 bytes
-rw-r--r-- features/images/GnomeApplicationsTorBrowser.png bin 3750 -> 0 bytes
-rw-r--r-- features/images/GnomeApplicationsTotem.png bin 2583 -> 0 bytes
-rw-r--r-- features/images/GnomeApplicationsUnsafeBrowser.png bin 2245 -> 0 bytes
-rw-r--r-- features/images/GnomeApplicationsUtilities.png bin 669 -> 0 bytes
-rw-r--r-- features/images/IcedoveEnigmailKeyserver.png bin 1945 -> 2002 bytes
-rw-r--r-- features/images/IcedoveEnigmailProxy.png bin 2925 -> 2267 bytes
-rw-r--r-- features/images/IcedoveTorbirdyCongratulationsTab.png bin 2668 -> 0 bytes
-rw-r--r-- features/images/IcedoveTorbirdyPreferencesWindow.png bin 2471 -> 0 bytes
-rw-r--r-- features/images/IcedoveTorbirdyTestProxySettingsButton.png bin 2164 -> 0 bytes
-rw-r--r-- features/images/PidginTailsChannelEntry.png bin 1510 -> 0 bytes
-rw-r--r-- features/images/PidginTailsChannelWelcome.png bin 1355 -> 2567 bytes
-rw-r--r-- features/images/PidginTailsConversationTab.png bin 926 -> 674 bytes
-rw-r--r-- features/images/TailsHomepage.png bin 0 -> 4743 bytes
-rw-r--r-- features/images/TorBrowserStartupPage.png bin 12537 -> 0 bytes
-rw-r--r-- features/images/TorBrowserTailsRoadmap.png bin 1078 -> 0 bytes
-rw-r--r-- features/images/TorBrowserTorCheck.png bin 5226 -> 0 bytes
-rw-r--r-- features/images/TorBrowserUnableToConnect.png bin 3855 -> 0 bytes
-rw-r--r-- features/images/UnsafeBrowserNoAddons.png bin 1974 -> 2483 bytes
-rw-r--r-- features/images/UnsafeBrowserRedTheme.png bin 1499 -> 243 bytes
-rw-r--r-- features/images/UnsafeBrowserTorCheckFail.png bin 6913 -> 0 bytes
-rw-r--r-- features/localization.feature 3
-rw-r--r-- features/mac_spoofing.feature 7
-rw-r--r-- features/persistence.feature 10
-rw-r--r-- features/pidgin.feature 49
-rw-r--r-- features/root_access_control.feature 3
-rw-r--r-- features/ssh.feature 1
-rw-r--r-- features/step_definitions/apt.rb 2
-rw-r--r-- features/step_definitions/browser.rb 39
-rw-r--r-- features/step_definitions/build.rb 46
-rw-r--r-- features/step_definitions/chutney.rb 128
-rw-r--r-- features/step_definitions/common_steps.rb 129
-rw-r--r-- features/step_definitions/electrum.rb 4
-rw-r--r-- features/step_definitions/encryption.rb 8
-rw-r--r-- features/step_definitions/firewall_leaks.rb 29
-rw-r--r-- features/step_definitions/icedove.rb 10
-rw-r--r-- features/step_definitions/mac_spoofing.rb 16
-rw-r--r-- features/step_definitions/pidgin.rb 52
-rw-r--r-- features/step_definitions/snapshots.rb 9
-rw-r--r-- features/step_definitions/ssh.rb 1
-rw-r--r-- features/step_definitions/tor.rb 68
-rw-r--r-- features/step_definitions/torified_browsing.rb 8
-rw-r--r-- features/step_definitions/torified_gnupg.rb 2
-rw-r--r-- features/step_definitions/totem.rb 2
-rw-r--r-- features/step_definitions/unsafe_browser.rb 15
-rw-r--r-- features/step_definitions/usb.rb 29
-rw-r--r-- features/support/env.rb 36
-rw-r--r-- features/support/helpers/dogtail.rb 218
-rw-r--r-- features/support/helpers/exec_helper.rb 2
-rw-r--r-- features/support/helpers/firewall_helper.rb 177
-rw-r--r-- features/support/helpers/misc_helpers.rb 32
-rw-r--r-- features/support/helpers/sniffing_helper.rb 14
-rw-r--r-- features/support/helpers/vm_helper.rb 18
-rw-r--r-- features/support/hooks.rb 28
-rw-r--r-- features/time_syncing.feature 92
-rw-r--r-- features/tor_bridges.feature 16
-rw-r--r-- features/tor_enforcement.feature 23
-rw-r--r-- features/tor_stream_isolation.feature 3
-rw-r--r-- features/torified_browsing.feature 34
-rw-r--r-- features/torified_git.feature 2
-rw-r--r-- features/torified_gnupg.feature 2
-rw-r--r-- features/torified_misc.feature 2
-rw-r--r-- features/totem.feature 1
-rw-r--r-- features/unsafe_browser.feature 14
-rw-r--r-- features/untrusted_partitions.feature 1
-rw-r--r-- features/usb_install.feature 4
-rw-r--r-- features/usb_upgrade.feature 2
97 files changed, 1138 insertions, 576 deletions
diff --git a/features/apt.feature b/features/apt.feature
index 01371c1..b0ece1f 100644
--- a/features/apt.feature
+++ b/features/apt.feature
@@ -1,5 +1,4 @@
-#10497: wait_until_tor_is_working
-@product @fragile
+@product
Feature: Installing packages through APT
As a Tails user
when I set an administration password in Tails Greeter
@@ -10,7 +9,7 @@ Feature: Installing packages through APT
Given I have started Tails from DVD and logged in with an administration password and the network is connected
Scenario: APT sources are configured correctly
- Then the only hosts in APT sources are "ftp.us.debian.org,security.debian.org,backports.debian.org,deb.tails.boum.org,deb.torproject.org,mozilla.debian.net"
+ Then the only hosts in APT sources are "ftp.us.debian.org,security.debian.org,deb.tails.boum.org,deb.torproject.org"
#10496: apt-get scenarios are fragile
@check_tor_leaks @fragile
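Review bot: the changed `Then the only hosts in APT sources are ...` line drops backports.debian.org and mozilla.debian.net from the expected host list with no comment or ticket reference, unlike the `#10496` note kept just below it. This step is the allow-list of hosts packages may come from, so a one-line comment naming the change that removed those two sources from the image would let a later failure here be told apart from a source being added or dropped by accident.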
diff --git a/features/build.feature b/features/build.feature
index 583a214..4241197 100644
--- a/features/build.feature
+++ b/features/build.feature
@@ -24,10 +24,39 @@ Feature: custom APT sources to build branches
And I should see the 'bugfix-bar' suite
But I should not see the '1.0' suite
+ Scenario: build from an untagged stable branch with no encoded time-based snapshot
+ Given I am working on the stable base branch
+ And Tails 0.10 has been released
+ And the last versions mentioned in debian/changelog are 0.10 and 1.0
+ And Tails 1.0 has not been released yet
+ And no frozen APT snapshot is encoded in config/APT_snapshots.d
+ When I successfully run "apt-snapshots-serials prepare-build"
+ And I successfully run "apt-mirror debian"
+ Then I should see the 0.10 tagged snapshot
+ When I successfully run "apt-mirror torproject"
+ Then I should see the 0.10 tagged snapshot
+ When I successfully run "apt-mirror debian-security"
+ Then I should see a time-based snapshot
+
+ Scenario: build from an untagged stable branch with encoded time-based snapshots
+ Given I am working on the stable base branch
+ And Tails 0.10 has been released
+ And the last versions mentioned in debian/changelog are 0.10 and 1.0
+ And Tails 1.0 has not been released yet
+ And frozen APT snapshots are encoded in config/APT_snapshots.d
+ When I successfully run "apt-snapshots-serials prepare-build"
+ And I successfully run "apt-mirror debian"
+ Then I should see a time-based snapshot
+ When I successfully run "apt-mirror torproject"
+ Then I should see a time-based snapshot
+ When I successfully run "apt-mirror debian-security"
+ Then I should see a time-based snapshot
+
Scenario: build from a tagged stable branch where the config/APT_overlays.d directory is empty
Given Tails 0.10 has been released
And the last version mentioned in debian/changelog is 0.10
And I am working on the stable base branch
+ And I checkout the 0.10 tag
And the config/APT_overlays.d directory is empty
When I successfully run tails-custom-apt-sources
Then I should see only the '0.10' suite
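Review bot: in the added scenario "build from an untagged stable branch with no encoded time-based snapshot", `apt-mirror debian` and `apt-mirror torproject` are expected to give the 0.10 tagged snapshot while `apt-mirror debian-security` is expected to give a time-based one, and nothing in the scenario says why the security archive is treated differently. A short comment above the scenario stating the intended rule would let a reader check the expectation rather than take it from the test.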
@@ -36,10 +65,39 @@ Feature: custom APT sources to build branches
Given Tails 0.10 has been released
And the last version mentioned in debian/changelog is 0.10
And I am working on the stable base branch
+ And I checkout the 0.10 tag
And config/APT_overlays.d contains 'feature-foo'
When I run tails-custom-apt-sources
Then it should fail
+ Scenario: build from a tagged stable branch with no encoded time-based snapshot
+ Given I am working on the stable base branch
+ And Tails 0.10 has been released
+ And the last version mentioned in debian/changelog is 0.10
+ And no frozen APT snapshot is encoded in config/APT_snapshots.d
+ And I checkout the 0.10 tag
+ When I successfully run "apt-snapshots-serials prepare-build"
+ And I successfully run "apt-mirror debian"
+ Then I should see the 0.10 tagged snapshot
+ When I successfully run "apt-mirror torproject"
+ Then I should see the 0.10 tagged snapshot
+ When I successfully run "apt-mirror debian-security"
+ Then I should see the 0.10 tagged snapshot
+
+ Scenario: build from a tagged stable branch with encoded time-based snapshots
+ Given I am working on the stable base branch
+ And Tails 0.10 has been released
+ And the last version mentioned in debian/changelog is 0.10
+ And frozen APT snapshots are encoded in config/APT_snapshots.d
+ And I checkout the 0.10 tag
+ When I successfully run "apt-snapshots-serials prepare-build"
+ And I successfully run "apt-mirror debian"
+ Then I should see the 0.10 tagged snapshot
+ When I successfully run "apt-mirror torproject"
+ Then I should see the 0.10 tagged snapshot
+ When I successfully run "apt-mirror debian-security"
+ Then I should see the 0.10 tagged snapshot
+
Scenario: build from a bugfix branch without overlays for a stable release
Given Tails 0.10 has been released
And the last version mentioned in debian/changelog is 0.10.1
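Review bot: the two added scenarios put `And I checkout the 0.10 tag` after the step that sets up config/APT_snapshots.d, while the overlay scenario at the top of this hunk puts the checkout directly after the branch step and before the config step. If the checkout step replaces the working tree, what the snapshot step wrote may not be what `apt-snapshots-serials prepare-build` later reads; the step definitions are not visible in this hunk, so please confirm the order is intended and use one order throughout the file.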
@@ -62,6 +120,34 @@ Feature: custom APT sources to build branches
And I should see the 'bugfix-bar' suite
But I should not see the '0.10' suite
+ Scenario: build from a bugfix branch with no encoded time-based snapshot for a stable release
+ Given Tails 0.10 has been released
+ And the last version mentioned in debian/changelog is 0.10.1
+ And Tails 0.10.1 has not been released yet
+ And I am working on the bugfix/disable_gdomap branch based on stable
+ And no frozen APT snapshot is encoded in config/APT_snapshots.d
+ When I successfully run "apt-snapshots-serials prepare-build"
+ And I successfully run "apt-mirror debian"
+ Then I should see the 0.10 tagged snapshot
+ When I successfully run "apt-mirror torproject"
+ Then I should see the 0.10 tagged snapshot
+ When I successfully run "apt-mirror debian-security"
+ Then I should see a time-based snapshot
+
+ Scenario: build from a bugfix branch with encoded time-based snapshots for a stable release
+ Given Tails 0.10 has been released
+ And the last version mentioned in debian/changelog is 0.10.1
+ And Tails 0.10.1 has not been released yet
+ And I am working on the bugfix/disable_gdomap branch based on stable
+ And frozen APT snapshots are encoded in config/APT_snapshots.d
+ When I successfully run "apt-snapshots-serials prepare-build"
+ And I successfully run "apt-mirror debian"
+ Then I should see a time-based snapshot
+ When I successfully run "apt-mirror torproject"
+ Then I should see a time-based snapshot
+ When I successfully run "apt-mirror debian-security"
+ Then I should see a time-based snapshot
+
Scenario: build from an untagged testing branch where the config/APT_overlays.d directory is empty
Given I am working on the testing base branch
And the last version mentioned in debian/changelog is 0.11
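Review bot: the two added bugfix-branch scenarios differ only in the config/APT_snapshots.d `And` line and in the expected result for debian and torproject, and the same three `apt-mirror` When/Then pairs are repeated in every scenario this patch adds to the file. A `Scenario Outline` with an `Examples` table listing origin and expected snapshot kind would show the expectation matrix in one place and make a copy-and-paste slip in one of the repeated blocks easier to spot.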
@@ -85,11 +171,40 @@ Feature: custom APT sources to build branches
And I should see the 'bugfix-bar' suite
But I should not see the '0.11' suite
+ Scenario: build from an untagged testing branch with no encoded time-based snapshot
+ Given I am working on the testing base branch
+ And Tails 0.10 has been released
+ And the last versions mentioned in debian/changelog are 0.10 and 1.0
+ And Tails 1.0 has not been released yet
+ And no frozen APT snapshot is encoded in config/APT_snapshots.d
+ When I successfully run "apt-snapshots-serials prepare-build"
+ And I successfully run "apt-mirror debian"
+ Then I should see a time-based snapshot
+ When I successfully run "apt-mirror torproject"
+ Then I should see a time-based snapshot
+ When I successfully run "apt-mirror debian-security"
+ Then I should see a time-based snapshot
+
+ Scenario: build from an untagged testing branch with encoded time-based snapshots
+ Given I am working on the testing base branch
+ And Tails 0.10 has been released
+ And the last versions mentioned in debian/changelog are 0.10 and 1.0
+ And Tails 1.0 has not been released yet
+ And frozen APT snapshots are encoded in config/APT_snapshots.d
+ When I successfully run "apt-snapshots-serials prepare-build"
+ And I successfully run "apt-mirror debian"
+ Then I should see a time-based snapshot
+ When I successfully run "apt-mirror torproject"
+ Then I should see a time-based snapshot
+ When I successfully run "apt-mirror debian-security"
+ Then I should see a time-based snapshot
+
Scenario: build from a tagged testing branch where the config/APT_overlays.d directory is empty
Given I am working on the testing base branch
And the last version mentioned in debian/changelog is 0.11
And Tails 0.11 has been released
And the config/APT_overlays.d directory is empty
+ And I checkout the 0.11 tag
When I successfully run tails-custom-apt-sources
Then I should see only the '0.11' suite
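Review bot: the added untagged testing scenarios with and without encoded snapshots assert the same thing for all three origins, `Then I should see a time-based snapshot`, so the pair passes whether or not the serials encoded in config/APT_snapshots.d are actually used. In the "with encoded time-based snapshots" scenario, assert that the snapshot seen is the encoded one, for example by comparing against the serial the `Given` step wrote.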
@@ -98,15 +213,45 @@ Feature: custom APT sources to build branches
And the last version mentioned in debian/changelog is 0.11
And Tails 0.11 has been released
And config/APT_overlays.d contains 'feature-foo'
+ And I checkout the 0.11 tag
When I run tails-custom-apt-sources
Then it should fail
+ Scenario: build from a tagged testing branch with no encoded time-based snapshot
+ Given I am working on the testing base branch
+ And the last version mentioned in debian/changelog is 0.11
+ And Tails 0.11 has been released
+ And no frozen APT snapshot is encoded in config/APT_snapshots.d
+ And I checkout the 0.11 tag
+ When I successfully run "apt-snapshots-serials prepare-build"
+ And I run "apt-mirror debian"
+ Then it should fail
+ When I run "apt-mirror torproject"
+ Then it should fail
+ When I successfully run "apt-mirror debian-security"
+ Then I should see the 0.11 tagged snapshot
+
+ Scenario: build from a tagged testing branch with encoded time-based snapshots
+ Given I am working on the testing base branch
+ And the last version mentioned in debian/changelog is 0.11
+ And Tails 0.11 has been released
+ And frozen APT snapshots are encoded in config/APT_snapshots.d
+ And I checkout the 0.11 tag
+ When I successfully run "apt-snapshots-serials prepare-build"
+ And I successfully run "apt-mirror debian"
+ Then I should see the 0.11 tagged snapshot
+ When I successfully run "apt-mirror torproject"
+ Then I should see the 0.11 tagged snapshot
+ When I successfully run "apt-mirror debian-security"
+ Then I should see the 0.11 tagged snapshot
+
Scenario: build a release candidate from a tagged testing branch
Given I am working on the testing base branch
And Tails 0.11 has been released
And the last version mentioned in debian/changelog is 0.12~rc1
And Tails 0.12-rc1 has been tagged
And the config/APT_overlays.d directory is empty
+ And I checkout the 0.12-rc1 tag
When I successfully run tails-custom-apt-sources
Then I should see only the '0.12-rc1' suite
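Review bot: in the added "tagged testing branch with no encoded time-based snapshot" scenario, `And I run "apt-mirror debian"` followed by `Then it should fail` is satisfied by any non-zero exit, including a missing script or a broken fixture. Since the failure is the behaviour under test, add a step that checks the error output for the reason, and note in a comment why debian and torproject must fail here while debian-security is expected to resolve to the 0.11 tagged snapshot.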
@@ -116,9 +261,40 @@ Feature: custom APT sources to build branches
And the last version mentioned in debian/changelog is 0.12~rc1
And Tails 0.12-rc1 has been tagged
And config/APT_overlays.d contains 'bugfix-bar'
+ And I checkout the 0.12-rc1 tag
When I run tails-custom-apt-sources
Then it should fail
+ Scenario: build from a bugfix branch with no encoded time-based snapshot for a major release
+ Given I am working on the testing base branch
+ And Tails 0.10~rc1 has been released
+ And the last versions mentioned in debian/changelog are 0.10~rc1 and 0.10
+ And Tails 0.10 has not been released yet
+ And I am working on the bugfix/disable_gdomap branch based on testing
+ And no frozen APT snapshot is encoded in config/APT_snapshots.d
+ When I successfully run "apt-snapshots-serials prepare-build"
+ And I successfully run "apt-mirror debian"
+ Then I should see a time-based snapshot
+ When I successfully run "apt-mirror torproject"
+ Then I should see a time-based snapshot
+ When I successfully run "apt-mirror debian-security"
+ Then I should see a time-based snapshot
+
+ Scenario: build from a bugfix branch with encoded time-based snapshots for a major release
+ Given I am working on the testing base branch
+ And Tails 0.10~rc1 has been released
+ And the last versions mentioned in debian/changelog are 0.10~rc1 and 0.10
+ And Tails 0.10 has not been released yet
+ And I am working on the bugfix/disable_gdomap branch based on testing
+ And frozen APT snapshots are encoded in config/APT_snapshots.d
+ When I successfully run "apt-snapshots-serials prepare-build"
+ And I successfully run "apt-mirror debian"
+ Then I should see a time-based snapshot
+ When I successfully run "apt-mirror torproject"
+ Then I should see a time-based snapshot
+ When I successfully run "apt-mirror debian-security"
+ Then I should see a time-based snapshot
+
Scenario: build from the devel branch without overlays
Given I am working on the devel base branch
And the config/APT_overlays.d directory is empty
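Review bot: both added "major release" scenarios open with `Given I am working on the testing base branch` and then also state `And I am working on the bugfix/disable_gdomap branch based on testing`, whereas the stable-release bugfix scenarios added earlier in this file use only the second form. If the first step creates or switches branches, running both changes the fixture state in a way the stable variant does not; drop the first step or explain in a comment why the testing case needs it.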
@@ -134,6 +310,28 @@ Feature: custom APT sources to build branches
And I should see the 'feature-foo' suite
And I should see the 'bugfix-bar' suite
+ Scenario: build from the devel branch with no encoded time-based snapshot
+ Given I am working on the devel base branch
+ And no frozen APT snapshot is encoded in config/APT_snapshots.d
+ When I successfully run "apt-snapshots-serials prepare-build"
+ And I successfully run "apt-mirror debian"
+ Then I should see a time-based snapshot
+ When I successfully run "apt-mirror torproject"
+ Then I should see a time-based snapshot
+ When I successfully run "apt-mirror debian-security"
+ Then I should see a time-based snapshot
+
+ Scenario: build from the devel branch with encoded time-based snapshots
+ Given I am working on the devel base branch
+ And frozen APT snapshots are encoded in config/APT_snapshots.d
+ When I successfully run "apt-snapshots-serials prepare-build"
+ And I run "apt-mirror debian"
+ Then it should fail
+ When I run "apt-mirror torproject"
+ Then it should fail
+ When I successfully run "apt-mirror debian-security"
+ Then I should see a time-based snapshot
+
Scenario: build from the feature/jessie branch without overlays
Given I am working on the feature/jessie base branch
And the config/APT_overlays.d directory is empty
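Review bot: the added scenario titled "build from the devel branch with encoded time-based snapshots" reads like a success case, but its body expects `apt-mirror debian` and `apt-mirror torproject` to fail. Put the expected rejection in the title so the test report states the rule being enforced, and say in a comment why debian-security is still expected to succeed with a time-based snapshot.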
@@ -162,6 +360,28 @@ Feature: custom APT sources to build branches
When I successfully run tails-custom-apt-sources
Then I should see only the 'devel' suite
+ Scenario: build from a feature branch based on devel with no encoded time-based snapshot
+ Given I am working on the feature/icedove branch based on devel
+ And no frozen APT snapshot is encoded in config/APT_snapshots.d
+ When I successfully run "apt-snapshots-serials prepare-build"
+ And I successfully run "apt-mirror debian"
+ Then I should see a time-based snapshot
+ When I successfully run "apt-mirror torproject"
+ Then I should see a time-based snapshot
+ When I successfully run "apt-mirror debian-security"
+ Then I should see a time-based snapshot
+
+ Scenario: build from a feature branch based on devel with encoded time-based snapshots
+ Given I am working on the feature/icedove branch based on devel
+ And frozen APT snapshots are encoded in config/APT_snapshots.d
+ When I successfully run "apt-snapshots-serials prepare-build"
+ And I run "apt-mirror debian"
+ Then it should fail
+ When I run "apt-mirror torproject"
+ Then it should fail
+ When I successfully run "apt-mirror debian-security"
+ Then I should see a time-based snapshot
+
Scenario: build from a feature branch with overlays based on feature/jessie
Given I am working on the feature/7756-reintroduce-whisperback branch based on feature/jessie
And config/APT_overlays.d contains 'feature-7756-reintroduce-whisperback'
diff --git a/features/checks.feature b/features/checks.feature
index 24d3594..bbda069 100644
--- a/features/checks.feature
+++ b/features/checks.feature
@@ -25,7 +25,7 @@ Feature: Various checks
Given I have started Tails from DVD without network and logged in
Then the shipped Debian repository key will be valid for the next 3 months
- @doc @fragile
+ @doc
Scenario: The "Report an Error" launcher will open the support documentation
Given I have started Tails from DVD without network and logged in
And the network is plugged
@@ -40,7 +40,6 @@ Feature: Various checks
And the live user is a member of only its own group and "audio cdrom dialout floppy video plugdev netdev scanner lp lpadmin vboxsf"
And the live user owns its home dir and it has normal permissions
- @fragile
Scenario: No initial network
Given I have started Tails from DVD without network and logged in
And I wait between 30 and 60 seconds
@@ -51,6 +50,7 @@ Feature: Various checks
And all notifications have disappeared
And the time has synced
+ #11463
@fragile
Scenario: The 'Tor is ready' notification is shown when Tor has bootstrapped
Given I have started Tails from DVD without network and logged in
@@ -58,14 +58,12 @@ Feature: Various checks
When I see the 'Tor is ready' notification
Then Tor is ready
- @fragile
Scenario: The tor process should be confined with Seccomp
Given I have started Tails from DVD without network and logged in
And the network is plugged
And Tor is ready
Then the running process "tor" is confined with Seccomp in filter mode
- @fragile
Scenario: No unexpected network services
Given I have started Tails from DVD without network and logged in
When the network is plugged
@@ -103,5 +101,4 @@ Feature: Various checks
And I enable more Tails Greeter options
And I disable all networking in the Tails Greeter
And I log in to a new session
- And the Tails desktop is ready
Then no network interfaces are enabled
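Review bot: removing `And the Tails desktop is ready` leaves `Then no network interfaces are enabled` running directly after `And I log in to a new session`. A negative check like this can pass simply because it runs before anything has had the chance to bring an interface up, so unless the login step now waits for the desktop itself, keep an explicit wait before the assertion or say in a comment where that wait moved to.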
diff --git a/features/chutney/test-network b/features/chutney/test-network
new file mode 100644
index 0000000..adb8ee5
--- /dev/null
+++ b/features/chutney/test-network
@@ -0,0 +1,56 @@
+Authority = Node(
+ tag="auth",
+ authority=1,
+ relay=1,
+ torrc="authority.tmpl"
+)
+
+BridgeAuthority = Node(
+ tag="brauth",
+ authority=1,
+ bridgeauthority=1,
+ relay=1,
+ torrc="bridgeauthority.tmpl"
+)
+
+NonExitRelay = Node(
+ tag="relay",
+ relay=1,
+ torrc="relay-non-exit.tmpl"
+)
+
+ExitRelay = Node(
+ tag="exit",
+ relay=1,
+ exit=1,
+ torrc="relay.tmpl"
+)
+
+Client = Node(
+ tag="client",
+ torrc="client.tmpl"
+)
+
+Bridge = Node(
+ tag="bridge",
+ bridge=1,
+ relay=1,
+ torrc="bridge.tmpl"
+)
+
+BridgeObfs4 = Node(
+ tag="obfs4",
+ bridge=1,
+ relay=1,
+ torrc="bridge-obfs4.tmpl"
+)
+
+NODES = Authority.getN(4) + \
+ BridgeAuthority.getN(1) + \
+ NonExitRelay.getN(20) + \
+ ExitRelay.getN(10) + \
+ Bridge.getN(3) + \
+ BridgeObfs4.getN(3) + \
+ Client.getN(1)
+
+ConfigureNodes(NODES)
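Review bot: the `NODES` expression at the end of this new file hard-codes 4 authorities, 1 bridge authority, 20 non-exit relays, 10 exits, 3 bridges, 3 obfs4 bridges and 1 client with no comment on how those numbers were chosen. A short header comment giving the reasoning (for example what the test suite needs from the simulated network, and what the counts cost on the test host) would tell whoever next tunes them which ones are safe to lower.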
diff --git a/features/dhcp.feature b/features/dhcp.feature
index 18874db..0e17fce 100644
--- a/features/dhcp.feature
+++ b/features/dhcp.feature
@@ -1,4 +1,4 @@
-@product @fragile
+@product
Feature: Getting a DHCP lease without leaking too much information
As a Tails user
when I connect to a network with a DHCP server
diff --git a/features/electrum.feature b/features/electrum.feature
index e4e8d74..9807fec 100644
--- a/features/electrum.feature
+++ b/features/electrum.feature
@@ -1,17 +1,17 @@
-#10497: wait_until_tor_is_working
-#10720: Tails Installer freezes on Jenkins
-@product @check_tor_leaks @fragile
+@product @check_tor_leaks
Feature: Electrum Bitcoin client
As a Tails user
I might want to use a Bitcoin client
And all Internet traffic should flow only through Tor
Scenario: A warning will be displayed if Electrum is not persistent
- Given I have started Tails from DVD and logged in and the network is connected
+ Given I have started Tails from DVD without network and logged in
When I start Electrum through the GNOME menu
But persistence for "electrum" is not enabled
Then I see a warning that Electrum is not persistent
+ #10720: Tails Installer freezes on Jenkins
+ @fragile
Scenario: Using a persistent Electrum configuration
Given I have started Tails without network from a USB drive with a persistent partition enabled and logged in
And the network is plugged
diff --git a/features/encryption.feature b/features/encryption.feature
index 608af8f..d4426f7 100644
--- a/features/encryption.feature
+++ b/features/encryption.feature
@@ -29,8 +29,7 @@ Feature: Encryption and verification using GnuPG
And I both encrypt and sign the message using my OpenPGP key
Then I can decrypt and verify the encrypted message
- #11394
- #11398
+ # 11394
@fragile
Scenario: Symmetric encryption and decryption using OpenPGP Applet
When I type a message into gedit
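Review bot: the replacement comment is written `# 11394` with a space, while the lines it replaces and the ticket comments added elsewhere in this patch (`#11463`, `#10474`, `#11452`) use `#NNNNN` with no space. Anything that searches the feature files for ticket references by that pattern will miss this one; write it as `#11394`.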
diff --git a/features/evince.feature b/features/evince.feature
index b413add..6fd27ec 100644
--- a/features/evince.feature
+++ b/features/evince.feature
@@ -21,8 +21,6 @@ Feature: Using Evince
Then I see "CupsTestPage.png" after at most 20 seconds
And I can print the current document to "/home/amnesia/output.pdf"
- #11398
- @fragile
Scenario: I cannot view a PDF file stored in non-persistent /home/amnesia/.gnupg
Given I have started Tails from DVD without network and logged in
And I copy "/usr/share/cups/data/default-testpage.pdf" to "/home/amnesia/.gnupg" as user "amnesia"
diff --git a/features/i2p.feature b/features/i2p.feature
index c899d7c..616c5ff 100644
--- a/features/i2p.feature
+++ b/features/i2p.feature
@@ -15,13 +15,11 @@ Feature: I2P
And the I2P Browser sudo rules are present
And the I2P firewall rules are enabled
- @fragile
Scenario: I2P's AppArmor profile is in enforce mode
Given I have started Tails from DVD with I2P enabled and logged in and the network is connected
When I2P is running
Then the running process "i2p" is confined with AppArmor in enforce mode
- @fragile
Scenario: The I2P Browser works as it should
Given I have started Tails from DVD with I2P enabled and logged in and the network is connected
And the I2P router console is ready
@@ -29,6 +27,7 @@ Feature: I2P
Then the I2P router console is displayed in I2P Browser
And the I2P Browser uses all expected TBB shared libraries
+ #11457, #11458
@fragile
Scenario: Closing the I2P Browser shows a stop notification and properly tears down the chroot.
Given I have started Tails from DVD with I2P enabled and logged in and the network is connected
@@ -38,6 +37,7 @@ Feature: I2P
Then I see the I2P Browser stop notification
And the I2P Browser chroot is torn down
+ #11114, #11465
@fragile
Scenario: The I2P internal websites can be viewed in I2P Browser
Given I have started Tails from DVD with I2P enabled and logged in and the network is connected
@@ -48,7 +48,6 @@ Feature: I2P
When I open the address "http://i2p-projekt.i2p" in the I2P Browser
Then the I2P homepage loads in I2P Browser
- @fragile
Scenario: I2P is configured to run in Hidden mode
Given I have started Tails from DVD with I2P enabled and logged in and the network is connected
And the I2P router console is ready
@@ -56,6 +55,7 @@ Feature: I2P
Then the I2P router console is displayed in I2P Browser
And I2P is running in hidden mode
+ #10474
@fragile
Scenario: Connecting to the #i2p IRC channel with the pre-configured account
Given I have started Tails from DVD with I2P enabled and logged in and the network is connected
@@ -68,8 +68,9 @@ Feature: I2P
When I activate the "I2P" Pidgin account
And I close Pidgin's account manager window
Then Pidgin successfully connects to the "I2P" account
- And I can join the "#i2p" channel on "I2P"
+ And I can join the pre-configured "#i2p" channel on "I2P"
+ #11452
@fragile
Scenario: I2P displays a notice when bootstrapping fails
Given I have started Tails from DVD with I2P enabled and logged in
@@ -85,6 +86,7 @@ Feature: I2P
When I start the I2P Browser through the GNOME menu
Then the I2P router console is displayed in I2P Browser
+ #11462
@fragile
Scenario: I2P displays a notice when it fails to start
Given I have started Tails from DVD with I2P enabled and logged in
diff --git a/features/icedove.feature b/features/icedove.feature
index e05f024..8693a44 100644
--- a/features/icedove.feature
+++ b/features/icedove.feature
@@ -1,3 +1,4 @@
+#11465
@product @check_tor_leaks @fragile
Feature: Icedove email client
As a Tails user
@@ -10,9 +11,6 @@ Feature: Icedove email client
And I have not configured an email account
Then I am prompted to setup an email account
- Scenario: Icedove defaults to using IMAP
- Then IMAP is the default protocol
-
Scenario: Adblock is not enabled within Icedove
Given I cancel setting up an email account
When I open Icedove's Add-ons Manager
@@ -31,9 +29,3 @@ Feature: Icedove email client
Given I cancel setting up an email account
And I open Torbirdy's preferences
Then I see that Torbirdy is configured to use Tor
-
- Scenario: Icedove will work over Tor
- Given I cancel setting up an email account
- And I open Torbirdy's preferences
- When I test Torbirdy's proxy settings
- Then Torbirdy's proxy test is successful
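Review bot: the removed "Icedove will work over Tor" scenario was the only one in the visible part of this feature that sent anything through the proxy (`When I test Torbirdy's proxy settings`), and the feature keeps its `@check_tor_leaks` tag. What remains only inspects configuration, so the leak check has little or no Icedove traffic to look at; either note in the feature which ticket tracks a replacement connectivity scenario, or explain why the tag is still meaningful without one.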
diff --git a/features/images/CupsTestPage.png b/features/images/CupsTestPage.png
index 294374b..65b3cac 100644
--- a/features/images/CupsTestPage.png
+++ b/features/images/CupsTestPage.png
Binary files differ
diff --git a/features/images/GnomeApplicationsAccessories.png b/features/images/GnomeApplicationsAccessories.png
deleted file mode 100644
index 9c39fbe..0000000
--- a/features/images/GnomeApplicationsAccessories.png
+++ /dev/null
Binary files differ
diff --git a/features/images/GnomeApplicationsAdministration.png b/features/images/GnomeApplicationsAdministration.png
deleted file mode 100644
index 0c7ee53..0000000
--- a/features/images/GnomeApplicationsAdministration.png
+++ /dev/null
Binary files differ
diff --git a/features/images/GnomeApplicationsConfigurePersistentVolume.png b/features/images/GnomeApplicationsConfigurePersistentVolume.png
deleted file mode 100644
index 2fc9a5c..0000000
--- a/features/images/GnomeApplicationsConfigurePersistentVolume.png
+++ /dev/null
Binary files differ
diff --git a/features/images/GnomeApplicationsDeletePersistentVolume.png b/features/images/GnomeApplicationsDeletePersistentVolume.png
deleted file mode 100644
index b65d8df..0000000
--- a/features/images/GnomeApplicationsDeletePersistentVolume.png
+++ /dev/null
Binary files differ
diff --git a/features/images/GnomeApplicationsElectrum.png b/features/images/GnomeApplicationsElectrum.png
deleted file mode 100644
index be497c4..0000000
--- a/features/images/GnomeApplicationsElectrum.png
+++ /dev/null
Binary files differ
diff --git a/features/images/GnomeApplicationsFiles.png b/features/images/GnomeApplicationsFiles.png
deleted file mode 100644
index 2a2fee6..0000000
--- a/features/images/GnomeApplicationsFiles.png
+++ /dev/null
Binary files differ
diff --git a/features/images/GnomeApplicationsGedit.png b/features/images/GnomeApplicationsGedit.png
deleted file mode 100644
index f96b6d7..0000000
--- a/features/images/GnomeApplicationsGedit.png
+++ /dev/null
Binary files differ
diff --git a/features/images/GnomeApplicationsGobby.png b/features/images/GnomeApplicationsGobby.png
deleted file mode 100644
index b9d29f0..0000000
--- a/features/images/GnomeApplicationsGobby.png
+++ /dev/null
Binary files differ
diff --git a/features/images/GnomeApplicationsI2PBrowser.png b/features/images/GnomeApplicationsI2PBrowser.png
deleted file mode 100644
index b23b4c3..0000000
--- a/features/images/GnomeApplicationsI2PBrowser.png
+++ /dev/null
Binary files differ
diff --git a/features/images/GnomeApplicationsIcedove.png b/features/images/GnomeApplicationsIcedove.png
deleted file mode 100644
index c0e461d..0000000
--- a/features/images/GnomeApplicationsIcedove.png
+++ /dev/null
Binary files differ
diff --git a/features/images/GnomeApplicationsInternet.png b/features/images/GnomeApplicationsInternet.png
deleted file mode 100644
index f9eefed..0000000
--- a/features/images/GnomeApplicationsInternet.png
+++ /dev/null
Binary files differ
diff --git a/features/images/GnomeApplicationsPidgin.png b/features/images/GnomeApplicationsPidgin.png
deleted file mode 100644
index 6dcb215..0000000
--- a/features/images/GnomeApplicationsPidgin.png
+++ /dev/null
Binary files differ
diff --git a/features/images/GnomeApplicationsPreferences.png b/features/images/GnomeApplicationsPreferences.png
deleted file mode 100644
index 9209ad4..0000000
--- a/features/images/GnomeApplicationsPreferences.png
+++ /dev/null
Binary files differ
diff --git a/features/images/GnomeApplicationsSeahorse.png b/features/images/GnomeApplicationsSeahorse.png
deleted file mode 100644
index d740fe6..0000000
--- a/features/images/GnomeApplicationsSeahorse.png
+++ /dev/null
Binary files differ
diff --git a/features/images/GnomeApplicationsSoundVideo.png b/features/images/GnomeApplicationsSoundVideo.png
deleted file mode 100644
index 1ddad6c..0000000
--- a/features/images/GnomeApplicationsSoundVideo.png
+++ /dev/null
Binary files differ
diff --git a/features/images/GnomeApplicationsSynaptic.png b/features/images/GnomeApplicationsSynaptic.png
deleted file mode 100644
index 7f46105..0000000
--- a/features/images/GnomeApplicationsSynaptic.png
+++ /dev/null
Binary files differ
diff --git a/features/images/GnomeApplicationsSystem.png b/features/images/GnomeApplicationsSystem.png
deleted file mode 100644
index 5037d5e..0000000
--- a/features/images/GnomeApplicationsSystem.png
+++ /dev/null
Binary files differ
diff --git a/features/images/GnomeApplicationsTails.png b/features/images/GnomeApplicationsTails.png
deleted file mode 100644
index 10c3101..0000000
--- a/features/images/GnomeApplicationsTails.png
+++ /dev/null
Binary files differ
diff --git a/features/images/GnomeApplicationsTailsInstaller.png b/features/images/GnomeApplicationsTailsInstaller.png
deleted file mode 100644
index e41e070..0000000
--- a/features/images/GnomeApplicationsTailsInstaller.png
+++ /dev/null
Binary files differ
diff --git a/features/images/GnomeApplicationsTerminal.png b/features/images/GnomeApplicationsTerminal.png
deleted file mode 100644
index 62dd716..0000000
--- a/features/images/GnomeApplicationsTerminal.png
+++ /dev/null
Binary files differ
diff --git a/features/images/GnomeApplicationsTorBrowser.png b/features/images/GnomeApplicationsTorBrowser.png
deleted file mode 100644
index 5fd4617..0000000
--- a/features/images/GnomeApplicationsTorBrowser.png
+++ /dev/null
Binary files differ
diff --git a/features/images/GnomeApplicationsTotem.png b/features/images/GnomeApplicationsTotem.png
deleted file mode 100644
index ce5e750..0000000
--- a/features/images/GnomeApplicationsTotem.png
+++ /dev/null
Binary files differ
diff --git a/features/images/GnomeApplicationsUnsafeBrowser.png b/features/images/GnomeApplicationsUnsafeBrowser.png
deleted file mode 100644
index e9c7f82..0000000
--- a/features/images/GnomeApplicationsUnsafeBrowser.png
+++ /dev/null
Binary files differ
diff --git a/features/images/GnomeApplicationsUtilities.png b/features/images/GnomeApplicationsUtilities.png
deleted file mode 100644
index 2fa5e0f..0000000
--- a/features/images/GnomeApplicationsUtilities.png
+++ /dev/null
Binary files differ
diff --git a/features/images/IcedoveEnigmailKeyserver.png b/features/images/IcedoveEnigmailKeyserver.png
index 8595eba..afe56ad 100644
--- a/features/images/IcedoveEnigmailKeyserver.png
+++ b/features/images/IcedoveEnigmailKeyserver.png
Binary files differ
diff --git a/features/images/IcedoveEnigmailProxy.png b/features/images/IcedoveEnigmailProxy.png
index e0c5153..10c034f 100644
--- a/features/images/IcedoveEnigmailProxy.png
+++ b/features/images/IcedoveEnigmailProxy.png
Binary files differ
diff --git a/features/images/IcedoveTorbirdyCongratulationsTab.png b/features/images/IcedoveTorbirdyCongratulationsTab.png
deleted file mode 100644
index 464db25..0000000
--- a/features/images/IcedoveTorbirdyCongratulationsTab.png
+++ /dev/null
Binary files differ
diff --git a/features/images/IcedoveTorbirdyPreferencesWindow.png b/features/images/IcedoveTorbirdyPreferencesWindow.png
deleted file mode 100644
index 288b21e..0000000
--- a/features/images/IcedoveTorbirdyPreferencesWindow.png
+++ /dev/null
Binary files differ
diff --git a/features/images/IcedoveTorbirdyTestProxySettingsButton.png b/features/images/IcedoveTorbirdyTestProxySettingsButton.png
deleted file mode 100644
index 2e2e127..0000000
--- a/features/images/IcedoveTorbirdyTestProxySettingsButton.png
+++ /dev/null
Binary files differ
diff --git a/features/images/PidginTailsChannelEntry.png b/features/images/PidginTailsChannelEntry.png
deleted file mode 100644
index c055061..0000000
--- a/features/images/PidginTailsChannelEntry.png
+++ /dev/null
Binary files differ
diff --git a/features/images/PidginTailsChannelWelcome.png b/features/images/PidginTailsChannelWelcome.png
index 5673d0d..39d18ed 100644
--- a/features/images/PidginTailsChannelWelcome.png
+++ b/features/images/PidginTailsChannelWelcome.png
Binary files differ
diff --git a/features/images/PidginTailsConversationTab.png b/features/images/PidginTailsConversationTab.png
index 947144a..f641112 100644
--- a/features/images/PidginTailsConversationTab.png
+++ b/features/images/PidginTailsConversationTab.png
Binary files differ
diff --git a/features/images/TailsHomepage.png b/features/images/TailsHomepage.png
new file mode 100644
index 0000000..e21c0f7
--- /dev/null
+++ b/features/images/TailsHomepage.png
Binary files differ
diff --git a/features/images/TorBrowserStartupPage.png b/features/images/TorBrowserStartupPage.png
deleted file mode 100644
index bd9b948..0000000
--- a/features/images/TorBrowserStartupPage.png
+++ /dev/null
Binary files differ
diff --git a/features/images/TorBrowserTailsRoadmap.png b/features/images/TorBrowserTailsRoadmap.png
deleted file mode 100644
index d6c9321..0000000
--- a/features/images/TorBrowserTailsRoadmap.png
+++ /dev/null
Binary files differ
diff --git a/features/images/TorBrowserTorCheck.png b/features/images/TorBrowserTorCheck.png
deleted file mode 100644
index 0ed51a8..0000000
--- a/features/images/TorBrowserTorCheck.png
+++ /dev/null
Binary files differ
diff --git a/features/images/TorBrowserUnableToConnect.png b/features/images/TorBrowserUnableToConnect.png
deleted file mode 100644
index bd6d251..0000000
--- a/features/images/TorBrowserUnableToConnect.png
+++ /dev/null
Binary files differ
diff --git a/features/images/UnsafeBrowserNoAddons.png b/features/images/UnsafeBrowserNoAddons.png
index 75c426d..54cf7bd 100644
--- a/features/images/UnsafeBrowserNoAddons.png
+++ b/features/images/UnsafeBrowserNoAddons.png
Binary files differ
diff --git a/features/images/UnsafeBrowserRedTheme.png b/features/images/UnsafeBrowserRedTheme.png
index d48e43b..7c26b58 100644
--- a/features/images/UnsafeBrowserRedTheme.png
+++ b/features/images/UnsafeBrowserRedTheme.png
Binary files differ
diff --git a/features/images/UnsafeBrowserTorCheckFail.png b/features/images/UnsafeBrowserTorCheckFail.png
deleted file mode 100644
index 635c2e3..0000000
--- a/features/images/UnsafeBrowserTorCheckFail.png
+++ /dev/null
Binary files differ
diff --git a/features/localization.feature b/features/localization.feature
index f533add..4ec4a05 100644
--- a/features/localization.feature
+++ b/features/localization.feature
@@ -1,4 +1,4 @@
-@product @fragile
+@product
Feature: Localization
As a Tails user
I want Tails to be localized in my native language
@@ -9,7 +9,6 @@ Feature: Localization
Given I have started Tails from DVD without network and stopped at Tails Greeter's login screen
And the network is plugged
And I log in to a new session in German
- And Tails seems to have booted normally
And Tor is ready
When I double-click the Report an Error launcher on the desktop
Then the support documentation page opens in Tor Browser
diff --git a/features/mac_spoofing.feature b/features/mac_spoofing.feature
index 5777372..c775841 100644
--- a/features/mac_spoofing.feature
+++ b/features/mac_spoofing.feature
@@ -10,21 +10,17 @@ Feature: Spoofing MAC addresses
And I capture all network traffic
And the network is plugged
- @fragile
Scenario: MAC address spoofing is disabled
When I enable more Tails Greeter options
And I disable MAC spoofing in Tails Greeter
And I log in to a new session
- And the Tails desktop is ready
And Tor is ready
Then 1 network interface is enabled
And the network device has its default MAC address configured
And the real MAC address was leaked
- @fragile
Scenario: MAC address spoofing is successful
When I log in to a new session
- And the Tails desktop is ready
And Tor is ready
Then 1 network interface is enabled
And the network device has a spoofed MAC address configured
@@ -36,7 +32,6 @@ Feature: Spoofing MAC addresses
Given macchanger will fail by not spoofing and always returns false
When I log in to a new session
And see the "Network card disabled" notification
- And the Tails desktop is ready
Then no network interfaces are enabled
And the real MAC address was not leaked
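Review bot: The notification check in this scenario now runs after the desktop-ready wait, because "the Tails desktop is ready" is dropped here and is instead called from inside "I log in to a new session" (see the common_steps.rb change). Before this patch, see the "Network card disabled" notification ran first. Please confirm the notification can still be found once the login step has returned; the same reordering applies to the next two hunks.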
@@ -46,7 +41,6 @@ Feature: Spoofing MAC addresses
Given macchanger will fail by not spoofing and always returns true
When I log in to a new session
And see the "Network card disabled" notification
- And the Tails desktop is ready
Then no network interfaces are enabled
And the real MAC address was not leaked
@@ -57,7 +51,6 @@ Feature: Spoofing MAC addresses
And no network interface modules can be unloaded
When I log in to a new session
And see the "All networking disabled" notification
- And the Tails desktop is ready
Then 1 network interface is enabled
But the MAC spoofing panic mode disabled networking
And the real MAC address was not leaked
diff --git a/features/persistence.feature b/features/persistence.feature
index 13f0af7..42f91de 100644
--- a/features/persistence.feature
+++ b/features/persistence.feature
@@ -7,18 +7,20 @@ Feature: Tails persistence
Scenario: Booting Tails from a USB drive with a disabled persistent partition
Given I have started Tails without network from a USB drive with a persistent partition and stopped at Tails Greeter's login screen
When I log in to a new session
- Then Tails seems to have booted normally
- And Tails is running from USB drive "__internal"
+ Then Tails is running from USB drive "__internal"
And persistence is disabled
But a Tails persistence partition exists on USB drive "__internal"
- Scenario: Booting Tails from a USB drive with an enabled persistent partition
+ Scenario: Booting Tails from a USB drive with an enabled persistent partition and reconfiguring it
Given I have started Tails without network from a USB drive with a persistent partition enabled and logged in
Then Tails is running from USB drive "__internal"
And all persistence presets are enabled
And all persistent directories have safe access rights
+ When I disable the first persistence preset
+ And I shutdown Tails and wait for the computer to power off
+ And I start Tails from USB drive "__internal" with network unplugged and I login with read-only persistence enabled
+ Then all persistence presets but the first one are enabled
- @fragile
Scenario: Writing files first to a read/write-enabled persistent partition, and then to a read-only-enabled persistent partition
Given I have started Tails without network from a USB drive with a persistent partition enabled and logged in
And the network is plugged
diff --git a/features/pidgin.feature b/features/pidgin.feature
index cbfddbe..aabe9b7 100644
--- a/features/pidgin.feature
+++ b/features/pidgin.feature
@@ -1,5 +1,4 @@
-#10497: wait_until_tor_is_working
-@product @fragile
+@product
Feature: Chatting anonymously using Pidgin
As a Tails user
when I chat using Pidgin
@@ -8,7 +7,8 @@ Feature: Chatting anonymously using Pidgin
And AppArmor should prevent Pidgin from doing dangerous things
And all Internet traffic should flow only through Tor
- @check_tor_leaks
+ #11453
+ @check_tor_leaks @fragile
Scenario: Chatting with some friend over XMPP
Given I have started Tails from DVD and logged in and the network is connected
When I start Pidgin through the GNOME menu
@@ -21,7 +21,8 @@ Feature: Chatting anonymously using Pidgin
And I say something to my friend
Then I receive a response from my friend
- @check_tor_leaks
+ #11414
+ @check_tor_leaks @fragile
Scenario: Chatting with some friend over XMPP in a multi-user chat
Given I have started Tails from DVD and logged in and the network is connected
When I start Pidgin through the GNOME menu
@@ -35,8 +36,14 @@ Feature: Chatting anonymously using Pidgin
Then I can see that my friend joined the multi-user chat
And I say something to my friend in the multi-user chat
Then I receive a response from my friend in the multi-user chat
+ When I say https://labs.riseup.net/code/projects/tails/roadmap to my friend in the multi-user chat
+ Then I see the Tails roadmap URL
+ When I wait 10 seconds
+ And I click on the Tails roadmap URL
+ Then the Tor Browser has started and loaded the Tails roadmap
- @check_tor_leaks
+ #11453
+ @check_tor_leaks @fragile
Scenario: Chatting with some friend over XMPP and with OTR
Given I have started Tails from DVD and logged in and the network is connected
When I start Pidgin through the GNOME menu
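Review bot: The roadmap steps appended to the multi-user chat scenario carry over the fixed "I wait 10 seconds" from the IRC scenario that is removed further down, together with the click-and-load step that the removed comment for 10376 described as fragile. Waiting on an observable condition would be more robust than a fixed sleep, and the ticket reference should follow these steps to their new scenario instead of being deleted.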
@@ -52,25 +59,17 @@ Feature: Chatting anonymously using Pidgin
When I say something to my friend
Then I receive a response from my friend
- # 10376 - "the Tor Browser loads the (startup page|Tails roadmap)" step is fragile
- # 10443 - OFTC tests are fragile
+ #11414
@check_tor_leaks @fragile
- Scenario: Connecting to the #tails IRC channel with the pre-configured account
+ Scenario: Connecting to the tails multi-user chat with my XMPP account
Given I have started Tails from DVD and logged in and the network is connected
And Pidgin has the expected accounts configured with random nicknames
When I start Pidgin through the GNOME menu
Then I see Pidgin's account manager window
- When I activate the "irc.oftc.net" Pidgin account
+ And I create my XMPP account
And I close Pidgin's account manager window
- Then Pidgin successfully connects to the "irc.oftc.net" account
- And I can join the "#tails" channel on "irc.oftc.net"
- When I type "/topic"
- And I press the "ENTER" key
- Then I see the Tails roadmap URL
- When I wait 10 seconds
- And I click on the Tails roadmap URL
- Then the Tor Browser has started and loaded the Tails roadmap
- And the "irc.oftc.net" account only responds to PING and VERSION CTCP requests
+ Then Pidgin automatically enables my XMPP account
+ And I can join the "tails" channel on "conference.riseup.net"
Scenario: Adding a certificate to Pidgin
Given I have started Tails from DVD and logged in and the network is connected
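Review bot: Dropping the IRC scenario also drops the step "the "irc.oftc.net" account only responds to PING and VERSION CTCP requests", the only step in this hunk that asserted what the client reveals to the network. The XMPP replacement checks only that the account is enabled and that the room can be joined. If the CTCP check is still wanted it needs a new home; if it is not, the commit message should say why.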
@@ -92,7 +91,6 @@ Feature: Chatting anonymously using Pidgin
And I close Pidgin's certificate manager
Then I cannot add a certificate from the "/live/overlay/home/amnesia/.gnupg" directory to Pidgin
- #10443 - OFTC tests are fragile
#10720: Tails Installer freezes on Jenkins
@check_tor_leaks @fragile
Scenario: Using a persistent Pidgin configuration
@@ -104,20 +102,21 @@ Feature: Chatting anonymously using Pidgin
And all notifications have disappeared
When I start Pidgin through the GNOME menu
Then I see Pidgin's account manager window
+ When I create my XMPP account
+ And I close Pidgin's account manager window
+ Then Pidgin automatically enables my XMPP account
+ When I close Pidgin
# And I generate an OTR key for the default Pidgin account
And I take note of the configured Pidgin accounts
- # And I take note of the OTR key for Pidgin's "irc.oftc.net" account
+ # And I take note of the OTR key for Pidgin's "conference.riseup.net" account
And I shutdown Tails and wait for the computer to power off
Given a computer
And I start Tails from USB drive "__internal" and I login with persistence enabled
And Pidgin has the expected persistent accounts configured
# And Pidgin has the expected persistent OTR keys
When I start Pidgin through the GNOME menu
- Then I see Pidgin's account manager window
- When I activate the "irc.oftc.net" Pidgin account
- And I close Pidgin's account manager window
- Then Pidgin successfully connects to the "irc.oftc.net" account
- And I can join the "#tails" channel on "irc.oftc.net"
+ Then Pidgin automatically enables my XMPP account
+ And I join some empty multi-user chat
# Exercise Pidgin AppArmor profile with persistence enabled.
# This should really be in dedicated scenarios, but it would be
# too costly to set up the virtual USB drive with persistence more
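Review bot: The commented-out OTR step now names Pidgin's "conference.riseup.net" account, but elsewhere in this patch conference.riseup.net is the host of the multi-user chat (I can join the "tails" channel on "conference.riseup.net"), not an account. Since the line is a placeholder for a step to be re-enabled later, it should name the XMPP account the scenario creates, otherwise it will mislead whoever revives it.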
diff --git a/features/root_access_control.feature b/features/root_access_control.feature
index 8ceb816..fea20ff 100644
--- a/features/root_access_control.feature
+++ b/features/root_access_control.feature
@@ -12,7 +12,6 @@ Feature: Root access control enforcement
Scenario: If no administrative password is set in Tails Greeter the live user should not be able to run arbitrary commands administrative privileges.
Given I have started Tails from DVD without network and logged in
- And Tails Greeter has dealt with the sudo password
Then I should not be able to run administration commands as the live user with the "" password
And I should not be able to run administration commands as the live user with the "amnesia" password
And I should not be able to run administration commands as the live user with the "live" password
@@ -22,8 +21,6 @@ Feature: Root access control enforcement
And running a command as root with pkexec requires PolicyKit administrator privileges
Then I should be able to run a command as root with pkexec
- #11398
- @fragile
Scenario: If no administrative password is set in Tails Greeter the live user should not be able to get administrative privileges through PolicyKit with the standard passwords.
Given I have started Tails from DVD without network and logged in
And running a command as root with pkexec requires PolicyKit administrator privileges
diff --git a/features/ssh.feature b/features/ssh.feature
index 8528999..0e64e86 100644
--- a/features/ssh.feature
+++ b/features/ssh.feature
@@ -1,4 +1,3 @@
-#10497: wait_until_tor_is_working
#10498: SSH tests are fragile
@product @fragile
Feature: Logging in via SSH
diff --git a/features/step_definitions/apt.rb b/features/step_definitions/apt.rb
index c69d259..8756803 100644
--- a/features/step_definitions/apt.rb
+++ b/features/step_definitions/apt.rb
@@ -50,7 +50,7 @@ Then /^I should be able to install a package using Synaptic$/ do
end
When /^I start Synaptic$/ do
- step 'I start "Synaptic" via the GNOME "System" applications menu'
+ step 'I start "Synaptic Package Manager" via the GNOME "System Tools" applications menu'
deal_with_polkit_prompt('PolicyKitAuthPrompt.png', @sudo_password)
@screen.wait('SynapticReloadButton.png', 30)
end
diff --git a/features/step_definitions/browser.rb b/features/step_definitions/browser.rb
index 84ef1d3..896906b 100644
--- a/features/step_definitions/browser.rb
+++ b/features/step_definitions/browser.rb
@@ -12,7 +12,7 @@ Then /^the (Unsafe|I2P) Browser has started$/ do |browser_type|
end
When /^I start the (Unsafe|I2P) Browser(?: through the GNOME menu)?$/ do |browser_type|
- step "I start \"#{browser_type}Browser\" via the GNOME \"Internet\" applications menu"
+ step "I start \"#{browser_type} Browser\" via the GNOME \"Internet\" applications menu"
end
When /^I successfully start the (Unsafe|I2P) Browser$/ do |browser_type|
@@ -113,6 +113,19 @@ When /^I open the address "([^"]*)" in the (.*)$/ do |address, browser|
end
end
+# This step is limited to the Tor Browser due to #7502 since dogtail
+# uses the same interface.
+Then /^"([^"]+)" has loaded in the Tor Browser$/ do |title|
+ expected_title = "#{title} - Tor Browser"
+ app = Dogtail::Application.new('Firefox')
+ app.child(expected_title, roleName: 'frame').wait(60)
+ # The 'Reload current page' button (graphically shown as a looping
+ # arrow) is only shown when a page has loaded, so once we see the
+ # expected title *and* this button has appeared, then we can be sure
+ # that the page has fully loaded.
+ app.child('Reload current page', roleName: 'push button').wait(60)
+end
+
Then /^the (.*) has no plugins installed$/ do |browser|
step "I open the address \"about:plugins\" in the #{browser}"
step "I see \"TorBrowserNoPlugins.png\" after at most 30 seconds"
@@ -193,3 +206,27 @@ Then /^the file is saved to the default Tor Browser download directory$/ do
expected_path = "/home/#{LIVE_USER}/Tor Browser/#{@some_file}"
try_for(10) { $vm.file_exist?(expected_path) }
end
+
+When /^I open Tails homepage in the (.+)$/ do |browser|
+ step "I open the address \"https://tails.boum.org\" in the #{browser}"
+end
+
+Then /^Tails homepage loads in the Tor Browser$/ do
+ title = 'Tails - Privacy for anyone anywhere'
+ step "\"#{title}\" has loaded in the Tor Browser"
+end
+
+Then /^Tails homepage loads in the Unsafe Browser$/ do
+ @screen.wait('TailsHomepage.png', 60)
+end
+
+Then /^the Tor Browser shows the "([^"]+)" error$/ do |error|
+ firefox = Dogtail::Application.new('Firefox')
+ page = firefox.child("Problem loading page", roleName: "document frame")
+ # Important to wait here since children() won't retry but return the
+ # immediate results
+ page.wait
+ headers = page.children(roleName: "heading")
+ found = headers.any? { |heading| heading.text == error }
+ raise "Could not find the '#{error}' error in the Tor Browser" unless found
+end
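Review bot: In the "shows the ... error" step, page.wait is called without a timeout while the other Dogtail waits added in this file pass 60, and the headings are then read once with children(), which according to the comment does not retry. If a heading is rendered after the frame appears, the step fails spuriously; wrapping the lookup in try_for, as the download check just above does, would close that gap. The page title in "Tails homepage loads in the Tor Browser" is also hard-coded in the step body and will need updating whenever the site title changes.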
diff --git a/features/step_definitions/build.rb b/features/step_definitions/build.rb
index fd001ff..e02edc6 100644
--- a/features/step_definitions/build.rb
+++ b/features/step_definitions/build.rb
@@ -1,4 +1,4 @@
-Given /^Tails ([[:alnum:].]+) has been released$/ do |version|
+Given /^Tails ([[:alnum:]~.]+) has been released$/ do |version|
create_git unless git_exists?
old_branch = current_branch
@@ -17,7 +17,7 @@ tails (#{version}) stable; urgency=low
END_OF_CHANGELOG
end
fatal_system "git commit --quiet debian/changelog -m 'Release #{version}'"
- fatal_system "git tag '#{version}'"
+ fatal_system "git tag '#{version.gsub('~', '-')}'"
if old_branch != 'stable'
fatal_system "git checkout --quiet '#{old_branch}'"
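Review bot: The version-to-tag mapping in git tag '#{version.gsub('~', '-')}' is undocumented. A one-line comment saying that "~" is not allowed in a Git ref name, so versions containing it are tagged with "-" instead, would explain why the step regexp now accepts "~" while the resulting tag never contains it.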
@@ -42,6 +42,31 @@ Given /^the last version mentioned in debian\/changelog is ([[:alnum:]~.]+)$/ do
end
end
+Given /^the last versions mentioned in debian\/changelog are ([[:alnum:]~.]+) and ([[:alnum:]~.]+)$/ do |version_a, version_b|
+ step "the last version mentioned in debian/changelog is #{version_a}"
+ step "the last version mentioned in debian/changelog is #{version_b}"
+end
+
+Given(/^no frozen APT snapshot is encoded in config\/APT_snapshots\.d$/) do
+ ['debian', 'debian-security', 'torproject'].map do |origin|
+ File.open("config/APT_snapshots.d/#{origin}/serial", 'w+') do |serial|
+ serial.write("latest\n")
+ end
+ end
+end
+
+Given(/^frozen APT snapshots are encoded in config\/APT_snapshots\.d$/) do
+ ['debian', 'torproject'].map do |origin|
+ File.open("config/APT_snapshots.d/#{origin}/serial", 'w+') do |serial|
+ serial.write("2016060602\n")
+ end
+ end
+ # We never freeze debian-security
+ File.open("config/APT_snapshots.d/debian-security/serial", 'w+') do |serial|
+ serial.write("latest\n")
+ end
+end
+
Given %r{I am working on the ([[:alnum:]./_-]+) base branch$} do |branch|
create_git unless git_exists?
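Review bot: Both APT snapshot steps iterate with map purely for its side effects and discard the result; each would state the intent. The frozen serial 2016060602 is also a bare literal, so a named constant or a step parameter would make it clear whether the value is arbitrary test data or something the scenarios depend on.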
@@ -54,6 +79,11 @@ Given %r{I am working on the ([[:alnum:]./_-]+) base branch$} do |branch|
end
end
+Given %r{^I checkout the ([[:alnum:]~.-]+) tag$} do |tag|
+ create_git unless git_exists?
+ fatal_system "git checkout --quiet #{tag}"
+end
+
Given %r{I am working on the ([[:alnum:]./_-]+) branch based on ([[:alnum:]./_-]+)$} do |branch, base|
create_git unless git_exists?
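Review bot: The tag is interpolated unquoted in git checkout --quiet #{tag}, while the neighbouring calls quote their argument ('#{old_branch}'), and the character class permits a leading "-", which git would parse as an option. Quote the argument and require the first character to be alphanumeric. The class also accepts "~", which the release step replaces with "-" before tagging, so a tag containing "~" can never match an existing ref.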
@@ -66,12 +96,12 @@ Given %r{I am working on the ([[:alnum:]./_-]+) branch based on ([[:alnum:]./_-]
end
end
-When /^I successfully run ([[:alnum:]-]+)$/ do |command|
+When /^I successfully run "?([[:alnum:] -]+)"?$/ do |command|
@output = `#{File.expand_path("../../../auto/scripts/#{command}", __FILE__)}`
raise StandardError.new("#{command} failed. Exit code: #{$?}") if $? != 0
end
-When /^I run ([[:alnum:]-]+)$/ do |command|
+When /^I run "?([[:alnum:] -]+)"?$/ do |command|
@output = `#{File.expand_path("../../../auto/scripts/#{command}", __FILE__)}`
@exit_code = $?.exitstatus
end
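Review bot: With a space now allowed in the capture, #{command} is no longer a single script name: the whole string goes through File.expand_path and then a backtick shell, which splits it into script and arguments. That only works while the checkout path itself contains no spaces, and the optional "? on each side does not require the quotes to balance. Capturing the script name and its arguments separately would make both steps say what they accept.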
@@ -113,3 +143,11 @@ end
Given(/^the config\/base_branch file is empty$/) do
File.truncate('config/base_branch', 0)
end
+
+Then(/^I should see the ([[:alnum:].-]+) tagged snapshot$/) do |tag|
+ @output.should have_tagged_snapshot(tag)
+end
+
+Then(/^I should see a time\-based snapshot$/) do
+ @output.should have_time_based_snapshot()
+end
diff --git a/features/step_definitions/chutney.rb b/features/step_definitions/chutney.rb
new file mode 100644
index 0000000..0b24b31
--- /dev/null
+++ b/features/step_definitions/chutney.rb
@@ -0,0 +1,128 @@
+def ensure_chutney_is_running
+ # Ensure that a fresh chutney instance is running, and that it will
+ # be cleaned upon exit. We only do it once, though, since the same
+ # setup can be used throughout the same test suite run.
+ if not($chutney_initialized)
+ chutney_src_dir = "#{GIT_DIR}/submodules/chutney"
+ chutney_listen_address = $vmnet.bridge_ip_addr
+ chutney_script = "#{chutney_src_dir}/chutney"
+ assert(
+ File.executable?(chutney_script),
+ "It does not look like '#{chutney_src_dir}' is the Chutney source tree"
+ )
+ network_definition = "#{GIT_DIR}/features/chutney/test-network"
+ env = {
+ 'CHUTNEY_LISTEN_ADDRESS' => chutney_listen_address,
+ 'CHUTNEY_DATA_DIR' => "#{$config['TMPDIR']}/chutney-data/"
+ }
+
+ chutney_data_dir_cleanup = Proc.new do
+ if File.directory?(env['CHUTNEY_DATA_DIR'])
+ FileUtils.rm_r(env['CHUTNEY_DATA_DIR'])
+ end
+ end
+
+ chutney_cmd = Proc.new do |cmd|
+ Dir.chdir(chutney_src_dir) do
+ cmd_helper([chutney_script, cmd, network_definition], env)
+ end
+ end
+
+ if KEEP_SNAPSHOTS
+ begin
+ chutney_cmd.call('start')
+ rescue Test::Unit::AssertionFailedError
+ if File.directory?(env['CHUTNEY_DATA_DIR'])
+ raise "You are running with --keep-snapshots but Chutney failed " +
+ "to start with its current data directory. To recover you " +
+ "likely want to delete '#{env['CHUTNEY_DATA_DIR']}' and " +
+ "all test suite snapshots and then start over."
+ else
+ chutney_cmd.call('configure')
+ chutney_cmd.call('start')
+ end
+ end
+ else
+ chutney_cmd.call('stop')
+ chutney_data_dir_cleanup.call
+ chutney_cmd.call('configure')
+ chutney_cmd.call('start')
+ end
+
+ at_exit do
+ chutney_cmd.call('stop')
+ chutney_data_dir_cleanup.call unless KEEP_SNAPSHOTS
+ end
+
+ $chutney_initialized = true
+ end
+end
+
+When /^I configure Tails to use a simulated Tor network$/ do
+ # At the moment this step essentially assumes that we boot with 'the
+ # network is unplugged', run this step, and then 'the network is
+ # plugged'. I believe we can make this pretty transparent without
+ # the need of a dedicated step by using tags (e.g. @fake_tor or
+ # whatever -- possibly we want the opposite, @real_tor,
+ # instead).
+ #
+ # There are two time points where we for a scenario must ensure that
+ # the client configuration below is enabled if and only if the
+ # scenario is tagged, and that is:
+ #
+ # 1. During a proper boot, as soon as the remote shell is up in the
+ # 'the computer boots Tails' step.
+ #
+ # 2. When restoring a snapshot, in restore_background().
+ #
+ # If we do this, it doesn't even matter if a snapshot is made of an
+ # untagged scenario (without the conf), and we later restore it with
+ # a tagged scenario.
+ #
+ # Note: We probably have to clear the /var/lib/tor data dir when we
+ # switch mode. Possibly there are other such problems that make this
+ # abstraction impractical and it's better that we avoid it an go
+ # with the more explicit, step-based approach.
+
+ assert(not($vm.execute('service tor status').success?),
+ "Running this step when Tor is running is probably not intentional")
+ ensure_chutney_is_running
+ # Most of these lines are taken from chutney's client template.
+ client_torrc_lines = [
+ 'TestingTorNetwork 1',
+ 'AssumeReachable 1',
+ 'PathsNeededToBuildCircuits 0.25',
+ 'TestingBridgeDownloadSchedule 0, 5',
+ 'TestingClientConsensusDownloadSchedule 0, 5',
+ 'TestingClientDownloadSchedule 0, 5',
+ 'TestingDirAuthVoteExit *',
+ 'TestingDirAuthVoteGuard *',
+ 'TestingDirAuthVoteHSDir *',
+ 'TestingMinExitFlagThreshold 0',
+ 'V3AuthNIntervalsValid 2',
+ # Enabling TestingTorNetwork disables ClientRejectInternalAddresses
+ # so the Tor client will happily try LAN connections. Coupled with
+ # that TestingTorNetwork is enabled on all exits, and their
+ # ExitPolicyRejectPrivate is disabled, we will allow exiting to
+ # LAN hosts. We have at least one test that tries to make sure
+ # that is *not* possible (Scenario: The Tor Browser cannot access
+ # the LAN) so we cannot allow it. We'll have to rethink all this
+ # if we ever want to run all services locally as well (#9520).
+ 'ClientRejectInternalAddresses 1',
+ ]
+ # We run one client in chutney so we easily can grep the generated
+ # DirAuthority lines and use them.
+ chutney_src_dir = "#{GIT_DIR}/submodules/chutney"
+ client_torrcs = Dir.glob(
+ "#{$config['TMPDIR']}/chutney-data/nodes/*client/torrc"
+ )
+ dir_auth_lines = open(client_torrcs.first) do |f|
+ f.grep(/^(Alternate)?(Dir|Bridge)Authority\s/)
+ end
+ client_torrc_lines.concat(dir_auth_lines)
+ $vm.file_append('/etc/tor/torrc', client_torrc_lines)
+end
+
+When /^Tails is using the real Tor network$/ do
+ assert($vm.execute('grep "TestingTorNetwork 1" /etc/torrc').failure?)
+end
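Review bot: The final step greps /etc/torrc, but the simulated-network configuration is appended to /etc/tor/torrc a few lines earlier. If /etc/torrc does not exist, grep exits non-zero and the .failure? assertion passes whether or not TestingTorNetwork is set, so the step cannot detect the condition it is named for; it should read /etc/tor/torrc. A smaller point in the same hunk: chutney_src_dir is assigned again inside the "I configure Tails to use a simulated Tor network" step and is never used there.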
diff --git a/features/step_definitions/common_steps.rb b/features/step_definitions/common_steps.rb
index b17ff5b..250700f 100644
--- a/features/step_definitions/common_steps.rb
+++ b/features/step_definitions/common_steps.rb
@@ -84,10 +84,8 @@ def robust_notification_wait(notification_image, time_to_wait)
found
end
- # Click anywhere to close the notification applet
- @screen.hide_cursor
- @screen.click("GnomeApplicationsMenu.png")
- @screen.hide_cursor
+ # Close the notification applet
+ @screen.type(Sikuli::Key.ESC)
end
def post_snapshot_restore_hook
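Review bot: Sending ESC with @screen.type reaches whichever window has keyboard focus, not specifically the notification applet. If a dialog of the application under test is focused when robust_notification_wait finishes, this keypress could dismiss it instead. A comment stating what is expected to hold focus at this point, or a check that the applet is open before typing, would make the assumption explicit.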
@@ -201,7 +199,6 @@ Given /^I start Tails( from DVD)?( with network unplugged)?( and I login)?$/ do
step "the computer boots Tails"
if do_login
step "I log in to a new session"
- step "Tails seems to have booted normally"
if network_unplugged.nil?
step "Tor is ready"
step "all notifications have disappeared"
@@ -230,7 +227,6 @@ Given /^I start Tails from (.+?) drive "(.+?)"(| with network unplugged)( and I
end
end
step "I log in to a new session"
- step "Tails seems to have booted normally"
if network_unplugged.empty?
step "Tor is ready"
step "all notifications have disappeared"
@@ -290,6 +286,7 @@ Given /^the computer (re)?boots Tails$/ do |reboot|
@screen.wait('TailsGreeter.png', 30*60)
$vm.wait_until_remote_shell_is_up
activate_filesystem_shares
+ step 'I configure Tails to use a simulated Tor network'
end
Given /^I log in to a new session(?: in )?(|German)$/ do |lang|
@@ -304,6 +301,8 @@ Given /^I log in to a new session(?: in )?(|German)$/ do |lang|
else
raise "Unsupported language: #{lang}"
end
+ step 'Tails Greeter has dealt with the sudo password'
+ step 'the Tails desktop is ready'
end
Given /^I enable more Tails Greeter options$/ do
@@ -327,11 +326,18 @@ end
Given /^Tails Greeter has dealt with the sudo password$/ do
f1 = "/etc/sudoers.d/tails-greeter"
f2 = "#{f1}-no-password-lecture"
- try_for(20) {
+ try_for(30) {
$vm.execute("test -e '#{f1}' -o -e '#{f2}'").success?
}
end
+def florence_keyboard_is_visible
+ $vm.execute(
+ "xdotool search --all --onlyvisible --maxdepth 1 --classname 'Florence'",
+ :user => LIVE_USER,
+ ).success?
+end
+
Given /^the Tails desktop is ready$/ do
desktop_started_picture = "GnomeApplicationsMenu#{@language}.png"
# We wait for the Florence icon to be displayed to ensure reliable systray icon clicking.
@@ -344,10 +350,20 @@ Given /^the Tails desktop is ready$/ do
'gsettings set org.gnome.desktop.session idle-delay 0',
:user => LIVE_USER
)
-end
-
-Then /^Tails seems to have booted normally$/ do
- step "the Tails desktop is ready"
+ # We need to enable the accessibility toolkit for dogtail.
+ $vm.execute_successfully(
+ 'gsettings set org.gnome.desktop.interface toolkit-accessibility true',
+ :user => LIVE_USER,
+ )
+ # Sometimes the Florence window is not hidden on startup (#11398).
+ # Whenever that's the case, hide it ourselves and verify that it vanishes.
+ # I could not find that window using Accerciser, so I'm not using dogtail;
+ # and it doesn't feel worth it to add an image and use Sikuli, since we can
+ # instead do this programmatically with xdotool.
+ if florence_keyboard_is_visible
+ @screen.click("GnomeSystrayFlorence.png")
+ try_for(5, delay: 0.1) { ! florence_keyboard_is_visible }
+ end
end
When /^I see the 'Tor is ready' notification$/ do
@@ -387,14 +403,14 @@ end
Given /^the Tor Browser (?:has started and )?load(?:ed|s) the (startup page|Tails roadmap)$/ do |page|
case page
when "startup page"
- picture = "TorBrowserStartupPage.png"
+ title = 'Tails - News'
when "Tails roadmap"
- picture = "TorBrowserTailsRoadmap.png"
+ title = 'Roadmap - Tails - RiseupLabs Code Repository'
else
raise "Unsupported page: #{page}"
end
step "the Tor Browser has started"
- @screen.wait(picture, 120)
+ step "\"#{title}\" has loaded in the Tor Browser"
end
Given /^the Tor Browser has started in offline mode$/ do
@@ -416,8 +432,12 @@ Given /^the Tor Browser has a bookmark to eff.org$/ do
end
Given /^all notifications have disappeared$/ do
- next if not(@screen.exists("GnomeNotificationApplet.png"))
- @screen.click("GnomeNotificationApplet.png")
+ begin
+ @screen.click("GnomeNotificationApplet.png")
+ rescue FindFailed
+ # No notifications, so we're done here.
+ next
+ end
@screen.wait("GnomeNotificationAppletOpened.png", 10)
begin
entries = @screen.findAll("GnomeNotificationEntry.png")
@@ -446,9 +466,10 @@ Then /^I (do not )?see "([^"]*)" after at most (\d+) seconds$/ do |negation, ima
end
Then /^all Internet traffic has only flowed through Tor$/ do
- leaks = FirewallLeakCheck.new(@sniffer.pcap_file,
- :accepted_hosts => get_all_tor_nodes)
- leaks.assert_no_leaks
+ allowed_hosts = allowed_hosts_under_tor_enforcement
+ assert_all_connections(@sniffer.pcap_file) do |c|
+ allowed_hosts.include?({ address: c.daddr, port: c.dport })
+ end
end
Given /^I enter the sudo password in the pkexec prompt$/ do
@@ -535,7 +556,7 @@ Given /^package "([^"]+)" is installed$/ do |package|
end
When /^I start the Tor Browser$/ do
- step 'I start "TorBrowser" via the GNOME "Internet" applications menu'
+ step 'I start "Tor Browser" via the GNOME "Internet" applications menu'
end
When /^I request a new identity using Torbutton$/ do
@@ -647,56 +668,10 @@ Then /^persistence for "([^"]+)" is (|not )enabled$/ do |app, enabled|
end
end
-def gnome_app_menu_click_helper(click_me, verify_me = nil)
- try_for(30) do
- @screen.hide_cursor
- # The sensitivity for submenus to open by just hovering past them
- # is extremely high, and may result in the wrong one
- # opening. Hence we better avoid hovering over undesired submenus
- # entirely by "approaching" the menu strictly horizontally.
- r = @screen.wait(click_me, 10)
- @screen.hover_point(@screen.w, r.getY)
- @screen.click(r)
- @screen.wait(verify_me, 10) if verify_me
- return
- end
-end
-
-Given /^I start "([^"]+)" via the GNOME "([^"]+)" applications menu$/ do |app, submenu|
- menu_button = "GnomeApplicationsMenu.png"
- sub_menu_entry = "GnomeApplications" + submenu + ".png"
- application_entry = "GnomeApplications" + app + ".png"
- try_for(120) do
- begin
- gnome_app_menu_click_helper(menu_button, sub_menu_entry)
- gnome_app_menu_click_helper(sub_menu_entry, application_entry)
- gnome_app_menu_click_helper(application_entry)
- rescue Exception => e
- # Close menu, if still open
- @screen.type(Sikuli::Key.ESC)
- raise e
- end
- true
- end
-end
-
-Given /^I start "([^"]+)" via the GNOME "([^"]+)"\/"([^"]+)" applications menu$/ do |app, submenu, subsubmenu|
- menu_button = "GnomeApplicationsMenu.png"
- sub_menu_entry = "GnomeApplications" + submenu + ".png"
- sub_sub_menu_entry = "GnomeApplications" + subsubmenu + ".png"
- application_entry = "GnomeApplications" + app + ".png"
- try_for(120) do
- begin
- gnome_app_menu_click_helper(menu_button, sub_menu_entry)
- gnome_app_menu_click_helper(sub_menu_entry, sub_sub_menu_entry)
- gnome_app_menu_click_helper(sub_sub_menu_entry, application_entry)
- gnome_app_menu_click_helper(application_entry)
- rescue Exception => e
- # Close menu, if still open
- @screen.type(Sikuli::Key.ESC)
- raise e
- end
- true
+Given /^I start "([^"]+)" via the GNOME "([^"]+)" applications menu$/ do |app_name, submenu|
+ app = Dogtail::Application.new('gnome-shell')
+ for element in ['Applications', submenu, app_name] do
+ app.child(element, roleName: 'label').click
end
end
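Review bot: the new Dogtail loop in the applications-menu step has neither the retry nor the cleanup that the removed code had. The old step ran inside `try_for(120)` and sent ESC to close a half-open menu on failure. The new one clicks 'Applications', the submenu and the application once each, so a failure on the second or third lookup leaves the menu open for whatever runs next. Consider a rescue that closes the menu before re-raising. The `"submenu"/"subsubmenu"` variant of the step is also removed here without a replacement, so any feature still using the nested form will hit an undefined step.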
@@ -821,9 +796,9 @@ When /^I can print the current page as "([^"]+[.]pdf)" to the (default downloads
end
Given /^a web server is running on the LAN$/ do
- web_server_ip_addr = $vmnet.bridge_ip_addr
- web_server_port = 8000
- @web_server_url = "http://#{web_server_ip_addr}:#{web_server_port}"
+ @web_server_ip_addr = $vmnet.bridge_ip_addr
+ @web_server_port = 8000
+ @web_server_url = "http://#{@web_server_ip_addr}:#{@web_server_port}"
web_server_hello_msg = "Welcome to the LAN web server!"
# I've tested ruby Thread:s, fork(), etc. but nothing works due to
@@ -838,14 +813,15 @@ Given /^a web server is running on the LAN$/ do
require "webrick"
STDOUT.reopen("/dev/null", "w")
STDERR.reopen("/dev/null", "w")
- server = WEBrick::HTTPServer.new(:BindAddress => "#{web_server_ip_addr}",
- :Port => #{web_server_port},
+ server = WEBrick::HTTPServer.new(:BindAddress => "#{@web_server_ip_addr}",
+ :Port => #{@web_server_port},
:DocumentRoot => "/dev/null")
server.mount_proc("/") do |req, res|
res.body = "#{web_server_hello_msg}"
end
server.start
EOF
+ add_lan_host(@web_server_ip_addr, @web_server_port)
proc = IO.popen(['ruby', '-e', code])
try_for(10, :msg => "It seems the LAN web server failed to start") do
Process.kill(0, proc.pid) == 1
@@ -921,8 +897,7 @@ When /^AppArmor has (not )?denied "([^"]+)" from opening "([^"]+)"(?: after at m
end
Then /^I force Tor to use a new circuit$/ do
- debug_log("Forcing new Tor circuit...")
- $vm.execute_successfully('tor_control_send "signal NEWNYM"', :libs => 'tor')
+ force_new_tor_circuit
end
When /^I eject the boot medium$/ do
diff --git a/features/step_definitions/electrum.rb b/features/step_definitions/electrum.rb
index f18e838..85bcf0f 100644
--- a/features/step_definitions/electrum.rb
+++ b/features/step_definitions/electrum.rb
@@ -1,5 +1,5 @@
Then /^I start Electrum through the GNOME menu$/ do
- step "I start \"Electrum\" via the GNOME \"Internet\" applications menu"
+ step "I start \"Electrum Bitcoin Wallet\" via the GNOME \"Internet\" applications menu"
end
When /^a bitcoin wallet is (|not )present$/ do |existing|
@@ -24,7 +24,7 @@ When /^I create a new bitcoin wallet$/ do
seed = $vm.get_clipboard
@screen.wait_and_click("ElectrumNextButton.png", 15)
@screen.wait("ElectrumSeedVerificationPrompt.png", 15)
- @screen.click("ElectrumWalletSeedTextbox.png", 15)
+ @screen.wait_and_click("ElectrumWalletSeedTextbox.png", 15)
@screen.type(seed) # Confirm seed
@screen.wait_and_click("ElectrumNextButton.png", 10)
@screen.wait_and_click("ElectrumEncryptWallet.png", 10)
diff --git a/features/step_definitions/encryption.rb b/features/step_definitions/encryption.rb
index 9f7f1b9..68f620e 100644
--- a/features/step_definitions/encryption.rb
+++ b/features/step_definitions/encryption.rb
@@ -32,7 +32,7 @@ EOF
end
When /^I type a message into gedit$/ do
- step 'I start "Gedit" via the GNOME "Accessories" applications menu'
+ step 'I start "gedit" via the GNOME "Accessories" applications menu'
@screen.wait_and_click("GeditWindow.png", 20)
# We don't have a good visual indicator for when we can continue. Without the
# sleep we may start typing in the gedit window far too soon, causing
@@ -60,7 +60,7 @@ def gedit_copy_all_text
context_menu_helper('GeditWindow.png', 'GeditStatusBar.png', 'GeditCopy.png')
end
-def paste_into_a_new_tab
+def gedit_paste_into_a_new_tab
@screen.wait_and_click("GeditNewTab.png", 20)
context_menu_helper('GeditWindow.png', 'GeditStatusBar.png', 'GeditPaste.png')
end
@@ -74,7 +74,7 @@ def encrypt_sign_helper
sleep 5
yield
maybe_deal_with_pinentry
- paste_into_a_new_tab
+ gedit_paste_into_a_new_tab
end
def decrypt_verify_helper(icon)
@@ -129,5 +129,5 @@ When /^I symmetrically encrypt the message with password "([^"]+)"$/ do |pwd|
seahorse_menu_click_helper('GpgAppletIconNormal.png', 'GpgAppletEncryptPassphrase.png')
maybe_deal_with_pinentry # enter password
maybe_deal_with_pinentry # confirm password
- paste_into_a_new_tab
+ gedit_paste_into_a_new_tab
end
diff --git a/features/step_definitions/firewall_leaks.rb b/features/step_definitions/firewall_leaks.rb
index 942d00b..5d07a6e 100644
--- a/features/step_definitions/firewall_leaks.rb
+++ b/features/step_definitions/firewall_leaks.rb
@@ -1,29 +1,6 @@
-Then(/^the firewall leak detector has detected (.*?) leaks$/) do |type|
- leaks = FirewallLeakCheck.new(@sniffer.pcap_file,
- :accepted_hosts => get_all_tor_nodes)
- case type.downcase
- when 'ipv4 tcp'
- if leaks.ipv4_tcp_leaks.empty?
- leaks.save_pcap_file
- raise "Couldn't detect any IPv4 TCP leaks"
- end
- when 'ipv4 non-tcp'
- if leaks.ipv4_nontcp_leaks.empty?
- leaks.save_pcap_file
- raise "Couldn't detect any IPv4 non-TCP leaks"
- end
- when 'ipv6'
- if leaks.ipv6_leaks.empty?
- leaks.save_pcap_file
- raise "Couldn't detect any IPv6 leaks"
- end
- when 'non-ip'
- if leaks.nonip_leaks.empty?
- leaks.save_pcap_file
- raise "Couldn't detect any non-IP leaks"
- end
- else
- raise "Incorrect packet type '#{type}'"
+Then(/^the firewall leak detector has detected leaks$/) do
+ assert_raise(Test::Unit::AssertionFailedError) do
+ step 'all Internet traffic has only flowed through Tor'
end
end
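Review bot: the rewritten "has detected leaks" step no longer says which kind of leak was caught. The removed version checked IPv4 TCP, IPv4 non-TCP, IPv6 and non-IP separately, so a scenario could prove the detector sees each class. Now any `Test::Unit::AssertionFailedError` raised from 'all Internet traffic has only flowed through Tor' satisfies it, including one raised for a different packet type than the scenario generated, or from an unrelated assertion inside that step. If the per-type scenarios still exist, the detector can lose coverage for one class without a test failing. Either keep a type argument and assert on the offending connection's protocol, or document that the per-type guarantee is intentionally dropped.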
diff --git a/features/step_definitions/icedove.rb b/features/step_definitions/icedove.rb
index d367289..dd3a0a0 100644
--- a/features/step_definitions/icedove.rb
+++ b/features/step_definitions/icedove.rb
@@ -82,13 +82,3 @@ When /^I open Torbirdy's preferences$/ do
@screen.wait('GnomeQuestionDialogIcon.png', 10)
@screen.type(Sikuli::Key.ENTER)
end
-
-When /^I test Torbirdy's proxy settings$/ do
- @screen.wait('IcedoveTorbirdyPreferencesWindow.png', 10)
- @screen.click('IcedoveTorbirdyTestProxySettingsButton.png')
- @screen.wait('IcedoveTorbirdyCongratulationsTab.png', 180)
-end
-
-Then /^Torbirdy's proxy test is successful$/ do
- @screen.wait('IcedoveTorbirdyCongratulationsTab.png', 180)
-end
diff --git a/features/step_definitions/mac_spoofing.rb b/features/step_definitions/mac_spoofing.rb
index a4aa871..0c10fb0 100644
--- a/features/step_definitions/mac_spoofing.rb
+++ b/features/step_definitions/mac_spoofing.rb
@@ -33,20 +33,8 @@ end
Then /^the real MAC address was (not )?leaked$/ do |mode|
is_leaking = mode.nil?
- leaks = FirewallLeakCheck.new(@sniffer.pcap_file)
- mac_leaks = leaks.mac_leaks
- if is_leaking
- if !mac_leaks.include?($vm.real_mac)
- save_pcap_file
- raise "The real MAC address was expected to leak but didn't. We " +
- "observed the following MAC addresses: #{mac_leaks}"
- end
- else
- if mac_leaks.include?($vm.real_mac)
- save_pcap_file
- raise "The real MAC address was leaked but was expected not to. We " +
- "observed the following MAC addresses: #{mac_leaks}"
- end
+ assert_all_connections(@sniffer.pcap_file) do |c|
+ [c.mac_saddr, c.mac_daddr].include?($vm.real_mac) == is_leaking
end
end
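Review bot: in the "was leaked" case this looks like a semantic change from "any" to "all". The removed code passed when the real MAC appeared at least once among the observed addresses. The new block has to hold for every connection passed to `assert_all_connections`, so when `is_leaking` is true a single captured frame that does not involve `$vm.real_mac` fails the step. If that is not intended, the positive case needs an "at least one connection" check. The failure message listing the observed MAC addresses is also lost, which made these failures much easier to diagnose.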
diff --git a/features/step_definitions/pidgin.rb b/features/step_definitions/pidgin.rb
index 3f5ed93..74fe151 100644
--- a/features/step_definitions/pidgin.rb
+++ b/features/step_definitions/pidgin.rb
@@ -109,8 +109,9 @@ When /^I start a conversation with my friend$/ do
@screen.wait("PidginConversationWindowMenuBar.png", 10)
end
-And /^I say something to my friend( in the multi-user chat)?$/ do |multi_chat|
- msg = "ping" + Sikuli::Key.ENTER
+And /^I say (.*) to my friend( in the multi-user chat)?$/ do |msg, multi_chat|
+ msg = "ping" if msg == "something"
+ msg = msg + Sikuli::Key.ENTER
if multi_chat
$vm.focus_window(@chat_room_jid.split("@").first)
msg = @friend_name + ": " + msg
@@ -210,8 +211,18 @@ def configured_pidgin_accounts
account_name, network = account.split("@")
protocol = e.elements["protocol"].text
port = e.elements["settings/setting[@name='port']"].text
- nickname = e.elements["settings/setting[@name='username']"].text
- real_name = e.elements["settings/setting[@name='realname']"].text
+ username_element = e.elements["settings/setting[@name='username']"]
+ realname_elemenet = e.elements["settings/setting[@name='realname']"]
+ if username_element
+ nickname = username_element.text
+ else
+ nickname = nil
+ end
+ if realname_elemenet
+ real_name = realname_elemenet.text
+ else
+ real_name = nil
+ end
accounts[network] = {
'name' => account_name,
'network' => network,
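Review bot: `realname_elemenet` is misspelled (it is used consistently, so it works, but it should be `realname_element`). The two if/else blocks can also be collapsed, e.g. `nickname = username_element ? username_element.text : nil`, and likewise for `real_name`, which keeps the nil handling while making the intent obvious.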
@@ -227,9 +238,8 @@ end
def chan_image (account, channel, image)
images = {
- 'irc.oftc.net' => {
- '#tails' => {
- 'roster' => 'PidginTailsChannelEntry',
+ 'conference.riseup.net' => {
+ 'tails' => {
'conversation_tab' => 'PidginTailsConversationTab',
'welcome' => 'PidginTailsChannelWelcome',
}
@@ -247,7 +257,7 @@ end
def default_chan (account)
chans = {
- 'irc.oftc.net' => '#tails',
+ 'conference.riseup.net' => 'tails',
'I2P' => '#i2p',
}
return chans[account]
@@ -279,7 +289,7 @@ Given /^Pidgin has the expected accounts configured with random nicknames$/ do
end
When /^I start Pidgin through the GNOME menu$/ do
- step 'I start "Pidgin" via the GNOME "Internet" applications menu'
+ step 'I start "Pidgin Internet Messenger" via the GNOME "Internet" applications menu'
end
When /^I open Pidgin's account manager window$/ do
@@ -296,6 +306,12 @@ When /^I close Pidgin's account manager window$/ do
@screen.wait_and_click("PidginAccountManagerCloseButton.png", 10)
end
+When /^I close Pidgin$/ do
+ $vm.focus_window('Buddy List')
+ @screen.type("q", Sikuli::KeyModifier.CTRL)
+ @screen.waitVanish('PidginAvailableStatus.png', 10)
+end
+
When /^I (de)?activate the "([^"]+)" Pidgin account$/ do |deactivate, account|
@screen.click("PidginAccount_#{account}.png")
@screen.type(Sikuli::Key.LEFT + Sikuli::Key.SPACE)
@@ -363,10 +379,22 @@ Then /^the "([^"]*)" account only responds to PING and VERSION CTCP requests$/ d
ctcp_check.verify_ctcp_responses
end
-Then /^I can join the "([^"]+)" channel on "([^"]+)"$/ do |channel, account|
- @screen.doubleClick( chan_image(account, channel, 'roster'))
+Then /^I can join the( pre-configured)? "([^"]+)" channel on "([^"]+)"$/ do |preconfigured, channel, account|
+ if preconfigured
+ @screen.doubleClick(chan_image(account, channel, 'roster'))
+ focus_pidgin_irc_conversation_window(account)
+ else
+ $vm.focus_window('Buddy List')
+ @screen.wait_and_click("PidginBuddiesMenu.png", 20)
+ @screen.wait_and_click("PidginBuddiesMenuJoinChat.png", 10)
+ @screen.wait_and_click("PidginJoinChatWindow.png", 10)
+ @screen.click_mid_right_edge("PidginJoinChatRoomLabel.png")
+ @screen.type(channel)
+ @screen.click("PidginJoinChatButton.png")
+ @chat_room_jid = channel + "@" + account
+ $vm.focus_window(@chat_room_jid)
+ end
@screen.hide_cursor
- focus_pidgin_irc_conversation_window(account)
try_for(60) do
begin
@screen.wait_and_click(chan_image(account, channel, 'conversation_tab'), 5)
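Review bot: the pre-configured branch still calls `chan_image(account, channel, 'roster')`, but this same patch removes the 'roster' key from the only entry shown in the `images` table of `chan_image` ('conference.riseup.net' / 'tails'). Please confirm that every account still used with "pre-configured" keeps a 'roster' image, or make `chan_image` fail with a clear message when the key is missing. In the other branch, `$vm.focus_window(@chat_room_jid)` runs immediately after clicking the Join button with no wait, which may race with the conversation window appearing.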
diff --git a/features/step_definitions/snapshots.rb b/features/step_definitions/snapshots.rb
index 0e9ae3b..8675915 100644
--- a/features/step_definitions/snapshots.rb
+++ b/features/step_definitions/snapshots.rb
@@ -15,8 +15,6 @@ def checkpoints
:parent_checkpoint => "tails-greeter",
:steps => [
'I log in to a new session',
- 'Tails Greeter has dealt with the sudo password',
- 'the Tails desktop is ready',
],
},
@@ -29,7 +27,6 @@ def checkpoints
'I start the computer',
'the computer boots Tails',
'I log in to a new session',
- 'the Tails desktop is ready',
],
},
@@ -66,8 +63,6 @@ def checkpoints
'I enable more Tails Greeter options',
'I enable the specific Tor configuration option',
'I log in to a new session',
- 'Tails Greeter has dealt with the sudo password',
- 'the Tails desktop is ready',
'all notifications have disappeared',
],
},
@@ -80,8 +75,6 @@ def checkpoints
'I enable more Tails Greeter options',
'I set an administration password',
'I log in to a new session',
- 'Tails Greeter has dealt with the sudo password',
- 'the Tails desktop is ready',
],
},
@@ -121,7 +114,6 @@ def checkpoints
:parent_checkpoint => 'usb-install-tails-greeter',
:steps => [
'I log in to a new session',
- 'the Tails desktop is ready',
],
},
@@ -146,7 +138,6 @@ def checkpoints
:steps => [
'I enable persistence',
'I log in to a new session',
- 'the Tails desktop is ready',
'all persistence presets are enabled',
'all persistent filesystems have safe access rights',
'all persistence configuration files have safe access rights',
diff --git a/features/step_definitions/ssh.rb b/features/step_definitions/ssh.rb
index 038b297..64c6841 100644
--- a/features/step_definitions/ssh.rb
+++ b/features/step_definitions/ssh.rb
@@ -75,6 +75,7 @@ Given /^an SSH server is running on the LAN$/ do
@sshd_server_host = $vmnet.bridge_ip_addr
sshd = SSHServer.new(@sshd_server_host, @sshd_server_port)
sshd.start
+ add_lan_host(@sshd_server_host, @sshd_server_port)
add_after_scenario_hook { sshd.stop }
end
diff --git a/features/step_definitions/tor.rb b/features/step_definitions/tor.rb
index ac12fd4..babde27 100644
--- a/features/step_definitions/tor.rb
+++ b/features/step_definitions/tor.rb
@@ -90,7 +90,7 @@ Then /^the firewall is configured to only allow the (.+) users? to connect direc
"The following rule has an unexpected destination:\n" +
rule.to_s)
state_cond = try_xml_element_text(rule, "conditions/state/state")
- next if state_cond == "RELATED,ESTABLISHED"
+ next if state_cond == "ESTABLISHED"
assert_not_nil(rule.elements['conditions/owner/uid-owner'])
rule.elements.each('conditions/owner/uid-owner') do |owner|
uid = owner.text.to_i
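Review bot: the `next if state_cond == "ESTABLISHED"` change has no comment explaining why RELATED is no longer accepted. With the condition narrowed, a rule that still carries "RELATED,ESTABLISHED" falls through to `assert_not_nil(rule.elements['conditions/owner/uid-owner'])` and fails with a message about the owner match rather than about the conntrack state. If the point is that the firewall must not accept RELATED traffic, an explicit assertion on `state_cond` with its own message would make that requirement visible in the test.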
@@ -337,35 +337,47 @@ When /^the Tor Launcher autostarts$/ do
end
When /^I configure some (\w+) pluggable transports in Tor Launcher$/ do |bridge_type|
- bridge_type.downcase!
- bridge_type.capitalize!
- begin
- @bridges = $config["Tor"]["Transports"][bridge_type]
- assert_not_nil(@bridges)
- assert(!@bridges.empty?)
- rescue NoMethodError, Test::Unit::AssertionFailedError
- raise(
-<<EOF
-It seems no '#{bridge_type}' pluggable transports are defined in your local configuration file (#{LOCAL_CONFIG_FILE}). See wiki/src/contribute/release_process/test/usage.mdwn for the format.
-EOF
-)
- end
- @bridge_hosts = []
- for bridge in @bridges do
- @bridge_hosts << bridge["ipv4_address"]
- end
-
@screen.wait_and_click('TorLauncherConfigureButton.png', 10)
@screen.wait('TorLauncherBridgePrompt.png', 10)
@screen.wait_and_click('TorLauncherYesRadioOption.png', 10)
@screen.wait_and_click('TorLauncherNextButton.png', 10)
@screen.wait_and_click('TorLauncherBridgeList.png', 10)
- for bridge in @bridges do
- bridge_line = bridge_type.downcase + " " +
- bridge["ipv4_address"] + ":" +
- bridge["ipv4_port"].to_s
- bridge_line += " " + bridge["fingerprint"].to_s if bridge["fingerprint"]
- bridge_line += " " + bridge["extra"].to_s if bridge["extra"]
+ @bridge_hosts = []
+ chutney_src_dir = "#{GIT_DIR}/submodules/chutney"
+ bridge_dirs = Dir.glob(
+ "#{$config['TMPDIR']}/chutney-data/nodes/*#{bridge_type}/"
+ )
+ bridge_dirs.each do |bridge_dir|
+ address = $vmnet.bridge_ip_addr
+ port = nil
+ fingerprint = nil
+ extra = nil
+ if bridge_type == 'bridge'
+ open(bridge_dir + "/torrc") do |f|
+ port = f.grep(/^OrPort\b/).first.split.last
+ end
+ else
+ # This is the pluggable transport case. While we could set a
+ # static port via ServerTransportListenAddr we instead let it be
+ # picked randomly so an already used port is not picked --
+ # Chutney already has issues with that for OrPort selection.
+ pt_re = /Registered server transport '#{bridge_type}' at '[^']*:(\d+)'/
+ open(bridge_dir + "/notice.log") do |f|
+ pt_lines = f.grep(pt_re)
+ port = pt_lines.last.match(pt_re)[1]
+ end
+ if bridge_type == 'obfs4'
+ open(bridge_dir + "/pt_state/obfs4_bridgeline.txt") do |f|
+ extra = f.readlines.last.chomp.sub(/^.* cert=/, 'cert=')
+ end
+ end
+ end
+ open(bridge_dir + "/fingerprint") do |f|
+ fingerprint = f.read.chomp.split.last
+ end
+ @bridge_hosts << { address: address, port: port.to_i }
+ bridge_line = bridge_type + " " + address + ":" + port
+ [fingerprint, extra].each { |e| bridge_line += " " + e.to_s if e }
@screen.type(bridge_line + Sikuli::Key.ENTER)
end
@screen.wait_and_click('TorLauncherNextButton.png', 10)
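Review bot: the bridge discovery loop has no guard for missing data. If the glob over `chutney-data/nodes/*#{bridge_type}/` matches nothing, `bridge_dirs.each` is a no-op, no bridge line is typed and `@bridge_hosts` stays empty, where the removed code raised a descriptive error. An `assert(!bridge_dirs.empty?, ...)` would restore that. Likewise `f.grep(/^OrPort\b/).first.split.last` and `pt_lines.last.match(pt_re)[1]` raise NoMethodError on nil when the torrc or notice.log lacks the expected line. The `downcase!` on `bridge_type` is gone, so the comparisons with 'bridge' and 'obfs4' and the glob are now case-sensitive with respect to the step text. `chutney_src_dir` is unused in the visible lines.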
@@ -378,9 +390,9 @@ end
When /^all Internet traffic has only flowed through the configured pluggable transports$/ do
assert_not_nil(@bridge_hosts, "No bridges has been configured via the " +
"'I configure some ... bridges in Tor Launcher' step")
- leaks = FirewallLeakCheck.new(@sniffer.pcap_file,
- :accepted_hosts => @bridge_hosts)
- leaks.assert_no_leaks
+ assert_all_connections(@sniffer.pcap_file) do |c|
+ @bridge_hosts.include?({ address: c.daddr, port: c.dport })
+ end
end
Then /^the Tor binary is configured to use the expected Tor authorities$/ do
diff --git a/features/step_definitions/torified_browsing.rb b/features/step_definitions/torified_browsing.rb
index c8f3ff1..7676078 100644
--- a/features/step_definitions/torified_browsing.rb
+++ b/features/step_definitions/torified_browsing.rb
@@ -1,5 +1,5 @@
-When /^no traffic has flowed to the LAN$/ do
- leaks = FirewallLeakCheck.new(@sniffer.pcap_file, :ignore_lan => false)
- assert(not(leaks.ipv4_tcp_leaks.include?(@lan_host)),
- "Traffic was sent to LAN host #{@lan_host}")
+Then /^no traffic was sent to the web server on the LAN$/ do
+ assert_no_connections(@sniffer.pcap_file) do |c|
+ c.daddr == @web_server_ip_addr and c.dport == @web_server_port
+ end
end
diff --git a/features/step_definitions/torified_gnupg.rb b/features/step_definitions/torified_gnupg.rb
index d4982f2..282db48 100644
--- a/features/step_definitions/torified_gnupg.rb
+++ b/features/step_definitions/torified_gnupg.rb
@@ -20,7 +20,7 @@ def start_or_restart_seahorse
if @withgpgapplet
seahorse_menu_click_helper('GpgAppletIconNormal.png', 'GpgAppletManageKeys.png')
else
- step 'I start "Seahorse" via the GNOME "Utilities" applications menu'
+ step 'I start "Passwords and Keys" via the GNOME "Utilities" applications menu'
end
step 'Seahorse has opened'
end
diff --git a/features/step_definitions/totem.rb b/features/step_definitions/totem.rb
index 72698dd..7b45b2e 100644
--- a/features/step_definitions/totem.rb
+++ b/features/step_definitions/totem.rb
@@ -32,7 +32,7 @@ When /^I close Totem$/ do
end
Then /^I can watch a WebM video over HTTPs$/ do
- test_url = 'https://webm.html5.org/test.webm'
+ test_url = 'https://tails.boum.org/lib/test_suite/test.webm'
recovery_on_failure = Proc.new do
step 'I close Totem'
end
diff --git a/features/step_definitions/unsafe_browser.rb b/features/step_definitions/unsafe_browser.rb
index b8c0498..f168e83 100644
--- a/features/step_definitions/unsafe_browser.rb
+++ b/features/step_definitions/unsafe_browser.rb
@@ -1,6 +1,11 @@
-When /^I see and accept the Unsafe Browser start verification$/ do
+When /^I see and accept the Unsafe Browser start verification(?:| in the "([^"]+)" locale)$/ do |locale|
@screen.wait('GnomeQuestionDialogIcon.png', 30)
- @screen.type(Sikuli::Key.ESC)
+ if ['ar_EG.utf8', 'fa_IR'].include?(locale)
+ # Take into account button ordering in RTL languages
+ @screen.type(Sikuli::Key.LEFT + Sikuli::Key.ENTER)
+ else
+ @screen.type(Sikuli::Key.RIGHT + Sikuli::Key.ENTER)
+ end
end
def supported_torbrowser_languages
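Review bot: the RTL check compares the locale against the exact strings 'ar_EG.utf8' and 'fa_IR', one with an encoding suffix and one without. Any other spelling of the same languages (or another RTL locale added to the supported list later) silently gets the LTR key sequence and presses the wrong button in the confirmation dialog. Matching on the language prefix would be more robust. The choice between LEFT and RIGHT also deserves a comment saying which button each one is expected to land on.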
@@ -19,7 +24,7 @@ end
Then /^I start the Unsafe Browser in the "([^"]+)" locale$/ do |loc|
step "I run \"LANG=#{loc} LC_ALL=#{loc} sudo unsafe-browser\" in GNOME Terminal"
- step "I see and accept the Unsafe Browser start verification"
+ step "I see and accept the Unsafe Browser start verification in the \"#{loc}\" locale"
end
Then /^the Unsafe Browser works in all supported languages$/ do
@@ -140,9 +145,9 @@ Then /^I cannot configure the Unsafe Browser to use any local proxies$/ do
@screen.waitVanish('UnsafeBrowserProxySettingsWindow.png', 10)
# Test that the proxy settings work as they should
- step "I open the address \"https://check.torproject.org\" in the Unsafe Browser"
+ step 'I open Tails homepage in the Unsafe Browser'
if proxy_type == no_proxy
- @screen.wait('UnsafeBrowserTorCheckFail.png', 60)
+ step 'Tails homepage loads in the Unsafe Browser'
else
@screen.wait('UnsafeBrowserProxyRefused.png', 60)
end
diff --git a/features/step_definitions/usb.rb b/features/step_definitions/usb.rb
index 76f94d2..a1d333a 100644
--- a/features/step_definitions/usb.rb
+++ b/features/step_definitions/usb.rb
@@ -80,7 +80,7 @@ def usb_install_helper(name)
end
When /^I start Tails Installer$/ do
- step 'I start "TailsInstaller" via the GNOME "Tails" applications menu'
+ step 'I start "Tails Installer" via the GNOME "Tails" applications menu'
@screen.wait('USBCloneAndInstall.png', 30)
end
@@ -178,8 +178,17 @@ Given /^I enable all persistence presets$/ do
@screen.type(Sikuli::Key.F4, Sikuli::KeyModifier.ALT)
end
+When /^I disable the first persistence preset$/ do
+ step 'I start "Configure persistent volume" via the GNOME "Tails" applications menu'
+ @screen.wait('PersistenceWizardPresets.png', 300)
+ @screen.type(Sikuli::Key.SPACE)
+ @screen.wait_and_click('PersistenceWizardSave.png', 10)
+ @screen.wait('PersistenceWizardDone.png', 30)
+ @screen.type(Sikuli::Key.F4, Sikuli::KeyModifier.ALT)
+end
+
Given /^I create a persistent partition$/ do
- step 'I start "ConfigurePersistentVolume" via the GNOME "Tails" applications menu'
+ step 'I start "Configure persistent volume" via the GNOME "Tails" applications menu'
@screen.wait('PersistenceWizardStart.png', 20)
@screen.type(@persistence_password + "\t" + @persistence_password + Sikuli::Key.ENTER)
@screen.wait('PersistenceWizardPresets.png', 300)
@@ -325,13 +334,21 @@ def tails_persistence_enabled?
'test "$TAILS_PERSISTENCE_ENABLED" = true').success?
end
-Given /^all persistence presets(| from the old Tails version) are enabled$/ do |old_tails|
+Given /^all persistence presets(| from the old Tails version)(| but the first one) are enabled$/ do |old_tails, except_first|
+ assert(old_tails.empty? || except_first.empty?, "Unsupported case.")
try_for(120, :msg => "Persistence is disabled") do
tails_persistence_enabled?
end
+ unexpected_mounts = Array.new
# Check that all persistent directories are mounted
if old_tails.empty?
expected_mounts = persistent_mounts
+ if ! except_first.empty?
+ first_expected_mount_source = expected_mounts.keys[0]
+ first_expected_mount_destination = expected_mounts[first_expected_mount_source]
+ expected_mounts.delete(first_expected_mount_source)
+ unexpected_mounts = [first_expected_mount_destination]
+ end
else
assert_not_nil($remembered_persistence_mounts)
expected_mounts = $remembered_persistence_mounts
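Review bot: the "but the first one" branch takes `expected_mounts.keys[0]` as the preset that the wizard step disabled, and nothing in the visible lines ties the hash order of `persistent_mounts` to the on-screen preset order. `expected_mounts.delete(...)` also mutates whatever object `persistent_mounts` returned. If that helper ever returns a shared or memoized hash, later steps will see it with the first entry missing, so work on a `dup`. The assertion message "Unsupported case." could name the two options that cannot be combined.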
@@ -341,6 +358,10 @@ Given /^all persistence presets(| from the old Tails version) are enabled$/ do |
assert(mount.include?("on #{dir} "),
"Persistent directory '#{dir}' is not mounted")
end
+ for dir in unexpected_mounts do
+ assert(! mount.include?("on #{dir} "),
+ "Persistent directory '#{dir}' is mounted")
+ end
end
Given /^persistence is disabled$/ do
@@ -568,7 +589,7 @@ Then /^only the expected files are present on the persistence partition on USB d
end
When /^I delete the persistent partition$/ do
- step 'I start "DeletePersistentVolume" via the GNOME "Tails" applications menu'
+ step 'I start "Delete persistent volume" via the GNOME "Tails" applications menu'
@screen.wait("PersistenceWizardDeletionStart.png", 20)
@screen.type(" ")
@screen.wait("PersistenceWizardDone.png", 120)
diff --git a/features/support/env.rb b/features/support/env.rb
index f70f6b4..e3f039b 100644
--- a/features/support/env.rb
+++ b/features/support/env.rb
@@ -23,6 +23,10 @@ def create_git
Dir.mkdir 'config'
FileUtils.touch('config/base_branch')
Dir.mkdir('config/APT_overlays.d')
+ Dir.mkdir('config/APT_snapshots.d')
+ ['debian', 'debian-security', 'torproject'].map do |origin|
+ Dir.mkdir("config/APT_snapshots.d/#{origin}")
+ end
Dir.mkdir 'debian'
File.open('debian/changelog', 'w') do |changelog|
changelog.write(<<END_OF_CHANGELOG)
@@ -88,3 +92,35 @@ RSpec::Matchers.define :have_suite do |suite|
"expected an output with #{suite}"
end
end
+
+RSpec::Matchers.define :have_tagged_snapshot do |tag|
+ match do |string|
+ # e.g.: `http://tagged.snapshots.deb.tails.boum.org/0.10`
+ %r{^http://tagged\.snapshots\.deb\.tails\.boum\.org/#{Regexp.escape(tag)}/[a-z-]+$}.match(string)
+ end
+ failure_message_for_should do |string|
+ "expected the mirror to be #{tag}\nCurrent mirror: #{string}"
+ end
+ failure_message_for_should_not do |string|
+ "expected the mirror not to be #{tag}\nCurrent mirror: #{string}"
+ end
+ description do
+ "expected an output with #{tag}"
+ end
+end
+
+RSpec::Matchers.define :have_time_based_snapshot do |tag|
+ match do |string|
+ # e.g.: `http://time-based.snapshots.deb.tails.boum.org/debian/2016060602`
+ %r{^http://time\-based\.snapshots\.deb\.tails\.boum\.org/[^/]+/\d+}.match(string)
+ end
+ failure_message_for_should do |string|
+ "expected the mirror to be a time-based snapshot\nCurrent mirror: #{string}"
+ end
+ failure_message_for_should_not do |string|
+ "expected the mirror not to be a time-based snapshot\nCurrent mirror: #{string}"
+ end
+ description do
+ "expected a time-based snapshot"
+ end
+end
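Review bot: `have_time_based_snapshot` declares a `|tag|` block parameter that is never used in the match or the messages, so callers must pass a dummy argument. Its regex also has no end anchor after `\d+`, unlike `have_tagged_snapshot`, which ends in `$`, so a URL with arbitrary trailing text after the serial still matches. Both matchers use `^`/`$`, which in Ruby anchor at line boundaries. `\A` and `\z` would ensure the whole string is the mirror URL.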
diff --git a/features/support/helpers/dogtail.rb b/features/support/helpers/dogtail.rb
new file mode 100644
index 0000000..c9cf79d
--- /dev/null
+++ b/features/support/helpers/dogtail.rb
@@ -0,0 +1,218 @@
+module Dogtail
+ module Mouse
+ LEFT_CLICK = 1
+ MIDDLE_CLICK = 2
+ RIGHT_CLICK = 3
+ end
+
+ TREE_API_NODE_SEARCHES = [
+ :button,
+ :child,
+ :childLabelled,
+ :childNamed,
+ :menu,
+ :menuItem,
+ :tab,
+ :textentry,
+ ]
+
+ TREE_API_NODE_ACTIONS = [
+ :click,
+ :doubleClick,
+ :grabFocus,
+ :keyCombo,
+ :point,
+ :typeText,
+ ]
+
+ TREE_API_APP_SEARCHES = TREE_API_NODE_SEARCHES + [
+ :dialog,
+ :window,
+ ]
+
+ # We want to keep this class immutable so that handles always are
+ # left intact when doing new (proxied) method calls. This way we
+ # can support stuff like:
+ #
+ # app = Dogtail::Application.new('gedit')
+ # menu = app.menu('Menu')
+ # menu.click()
+ # menu.something_else()
+ # menu.click()
+ #
+ # i.e. the object referenced by `menu` is never modified by method
+ # calls and can be used as expected. This explains why
+ # `proxy_call()` below returns a new instance instead of adding
+ # appending the new component the proxied method call would result
+ # in.
+
+ class Application
+
+ def initialize(app_name, opts = {})
+ @app_name = app_name
+ @opts = opts
+ @init_lines = @opts[:init_lines] || [
+ "from dogtail import tree",
+ "from dogtail.config import config",
+ "config.searchShowingOnly = True",
+ "application = tree.root.application('#{@app_name}')",
+ ]
+ @components = @opts[:components] || ['application']
+ end
+
+ def build_script(lines)
+ (
+ ["#!/usr/bin/python"] +
+ @init_lines +
+ lines
+ ).join("\n")
+ end
+
+ def build_line
+ @components.join('.')
+ end
+
+ def run(lines = nil)
+ @opts[:user] ||= LIVE_USER
+ lines ||= [build_line]
+ lines = [lines] if lines.class != Array
+ script = build_script(lines)
+ script_path = $vm.execute_successfully('mktemp', @opts).stdout.chomp
+ $vm.file_overwrite(script_path, script, @opts[:user])
+ args = ["/usr/bin/python '#{script_path}'", @opts]
+ if @opts[:allow_failure]
+ $vm.execute(*args)
+ else
+ $vm.execute_successfully(*args)
+ end
+ ensure
+ $vm.execute("rm -f '#{script_path}'")
+ end
+
+ def self.value_to_s(v)
+ if v == true
+ 'True'
+ elsif v == false
+ 'False'
+ elsif v.class == String
+ "'#{v}'"
+ elsif [Fixnum, Float].include?(v.class)
+ v.to_s
+ else
+ raise "#{self.class.name} does not know how to handle argument type '#{v.class}'"
+ end
+ end
+
+ # Generates a Python-style parameter list from `args`. If the last
+ # element of `args` is a Hash, it's used as Python's kwargs dict.
+ # In the end, the resulting string should be possible to copy-paste
+ # into the parentheses of a Python function call.
+ # Example: [42, {:foo => 'bar'}] => "42, foo = 'bar'"
+ def self.args_to_s(args)
+ args_list = args
+ args_hash = nil
+ if args_list.class == Array && args_list.last.class == Hash
+ *args_list, args_hash = args_list
+ end
+ (
+ (args_list.nil? ? [] : args_list.map { |e| self.value_to_s(e) }) +
+ (args_hash.nil? ? [] : args_hash.map { |k, v| "#{k}=#{self.value_to_s(v)}" })
+ ).join(', ')
+ end
+
+ def wait(timeout = nil)
+ if timeout
+ try_for(timeout) { run }
+ else
+ run
+ end
+ end
+
+ # Equivalent to the Tree API's Node.findChildren(), with the
+ # arguments constructing a GenericPredicate to use as parameter.
+ def children(*args)
+ # A fundamental assumption of ScriptProxy is that we will only
+ # act on *one* object at a time. If we were to allow more, we'd
+ # have to port looping, conditionals and much more into our
+ # script generation, which is insane.
+ # However, since references are lost between script runs (=
+ # Application.run()) we need to be a bit tricky here. We use the
+ # internal a11y AT-SPI "path" to uniquely identify a Dogtail
+ # node, so we can give handles to each of them that can be used
+ # later to re-find them.
+ find_paths_script_lines = [
+ "from dogtail import predicate",
+ "for n in #{build_line}.findChildren(predicate.GenericPredicate(#{self.class.args_to_s(args)})):",
+ " print(n.path)",
+ ]
+ a11y_at_spi_paths = run(find_paths_script_lines).stdout.chomp.split("\n")
+ .grep(Regexp.new('^/org/a11y/atspi/accessible/'))
+ .map { |path| path.chomp }
+ a11y_at_spi_paths.map do |path|
+ more_init_lines = [
+ "from dogtail import predicate",
+ "node = None",
+ "for n in #{build_line}.findChildren(predicate.GenericPredicate()):",
+ " if str(n.path) == '#{path}':",
+ " node = n",
+ " break",
+ "assert(node)",
+ ]
+ Node.new(
+ @app_name,
+ @opts.merge(
+ init_lines: @init_lines + more_init_lines,
+ components: ['node']
+ )
+ )
+ end
+ end
+
+ def get_field(key)
+ run("print(#{build_line}.#{key})").stdout.chomp
+ end
+
+ def set_field(key, value)
+ run("#{build_line}.#{key} = #{self.class.value_to_s(value)}")
+ end
+
+ def text
+ get_field('text')
+ end
+
+ def proxy_call(method, args)
+ args_str = self.class.args_to_s(args)
+ method_call = "#{method.to_s}(#{args_str})"
+ Node.new(
+ @app_name,
+ @opts.merge(
+ init_lines: @init_lines,
+ components: @components + [method_call]
+ )
+ )
+ end
+
+ TREE_API_APP_SEARCHES.each do |method|
+ define_method(method) do |*args|
+ proxy_call(method, args)
+ end
+ end
+
+ end
+
+ class Node < Application
+
+ TREE_API_NODE_SEARCHES.each do |method|
+ define_method(method) do |*args|
+ proxy_call(method, args)
+ end
+ end
+
+ TREE_API_NODE_ACTIONS.each do |method|
+ define_method(method) do |*args|
+ proxy_call(method, args).run
+ end
+ end
+
+ end
+end
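Review bot: `value_to_s` emits strings as `"'#{v}'"` with no escaping, so an argument containing a single quote or a backslash yields a broken or different Python expression in the generated script. The same applies to `'#{path}'` in `children` and `'#{@app_name}'` in the default init lines. Suggest one helper that escapes `\` and `'` and using it in all three places. In `run`, the `ensure` clause interpolates `script_path` even when `mktemp` failed and the variable is still nil, which executes `rm -f ''`; guard it with `if script_path`. The raise in `value_to_s` uses `self.class.name` inside a class method, so the message reads `Class` rather than the Dogtail class name.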
diff --git a/features/support/helpers/exec_helper.rb b/features/support/helpers/exec_helper.rb
index 42f6532..98fba8c 100644
--- a/features/support/helpers/exec_helper.rb
+++ b/features/support/helpers/exec_helper.rb
@@ -18,8 +18,6 @@ class VMCommand
end
end
- # The parameter `cmd` cannot contain newlines. Separate multiple
- # commands using ";" instead.
# If `:spawn` is false the server will block until it has finished
# executing `cmd`. If it's true the server won't block, and the
# response will always be [0, "", ""] (only used as an
diff --git a/features/support/helpers/firewall_helper.rb b/features/support/helpers/firewall_helper.rb
index fce363c..ed2a09b 100644
--- a/features/support/helpers/firewall_helper.rb
+++ b/features/support/helpers/firewall_helper.rb
@@ -1,121 +1,74 @@
require 'packetfu'
-require 'ipaddr'
-# Extent IPAddr with a private/public address space checks
-class IPAddr
- PrivateIPv4Ranges = [
- IPAddr.new("10.0.0.0/8"),
- IPAddr.new("172.16.0.0/12"),
- IPAddr.new("192.168.0.0/16"),
- IPAddr.new("255.255.255.255/32")
- ]
-
- PrivateIPv6Ranges = [
- IPAddr.new("fc00::/7")
- ]
-
- def private?
- private_ranges = self.ipv4? ? PrivateIPv4Ranges : PrivateIPv6Ranges
- private_ranges.any? { |range| range.include?(self) }
- end
-
- def public?
- !private?
- end
-end
-
-class FirewallLeakCheck
- attr_reader :ipv4_tcp_leaks, :ipv4_nontcp_leaks, :ipv6_leaks, :nonip_leaks, :mac_leaks
-
- def initialize(pcap_file, options = {})
- options[:accepted_hosts] ||= []
- options[:ignore_lan] ||= true
- @pcap_file = pcap_file
- packets = PacketFu::PcapFile.new.file_to_array(:filename => @pcap_file)
- mac_leaks = Set.new
- ipv4_tcp_packets = []
- ipv4_nontcp_packets = []
- ipv6_packets = []
- nonip_packets = []
- packets.each do |p|
- if PacketFu::EthPacket.can_parse?(p)
- packet = PacketFu::EthPacket.parse(p)
- mac_leaks << packet.eth_saddr
- mac_leaks << packet.eth_daddr
- end
-
- if PacketFu::TCPPacket.can_parse?(p)
- ipv4_tcp_packets << PacketFu::TCPPacket.parse(p)
- elsif PacketFu::IPPacket.can_parse?(p)
- ipv4_nontcp_packets << PacketFu::IPPacket.parse(p)
- elsif PacketFu::IPv6Packet.can_parse?(p)
- ipv6_packets << PacketFu::IPv6Packet.parse(p)
- elsif PacketFu::Packet.can_parse?(p)
- nonip_packets << PacketFu::Packet.parse(p)
- else
- save_pcap_file
- raise "Found something in the pcap file that cannot be parsed"
- end
+# Returns the unique edges (based on protocol, source/destination
+# address/port) in the graph of all network flows.
+def pcap_connections_helper(pcap_file, opts = {})
+ opts[:ignore_dhcp] ||= true
+ connections = Array.new
+ packets = PacketFu::PcapFile.new.file_to_array(:filename => pcap_file)
+ packets.each do |p|
+ if PacketFu::EthPacket.can_parse?(p)
+ eth_packet = PacketFu::EthPacket.parse(p)
+ else
+ raise 'Found something that is not an ethernet packet'
end
- ipv4_tcp_hosts = filter_hosts_from_ippackets(ipv4_tcp_packets,
- options[:ignore_lan])
- accepted = Set.new(options[:accepted_hosts])
- @mac_leaks = mac_leaks
- @ipv4_tcp_leaks = ipv4_tcp_hosts.select { |host| !accepted.member?(host) }
- @ipv4_nontcp_leaks = filter_hosts_from_ippackets(ipv4_nontcp_packets,
- options[:ignore_lan])
- @ipv6_leaks = filter_hosts_from_ippackets(ipv6_packets,
- options[:ignore_lan])
- @nonip_leaks = nonip_packets
- end
-
- def save_pcap_file
- save_failure_artifact("Network capture", @pcap_file)
- end
-
- # Returns a list of all unique destination IP addresses found in
- # `packets`. Exclude LAN hosts if ignore_lan is set.
- def filter_hosts_from_ippackets(packets, ignore_lan)
- hosts = []
- packets.each do |p|
- candidate = nil
- if p.kind_of?(PacketFu::IPPacket)
- candidate = p.ip_daddr
- elsif p.kind_of?(PacketFu::IPv6Packet)
- candidate = p.ipv6_header.ipv6_daddr
- else
- save_pcap_file
- raise "Expected an IP{v4,v6} packet, but got something else:\n" +
- p.peek_format
- end
- if candidate != nil and (not(ignore_lan) or IPAddr.new(candidate).public?)
- hosts << candidate
- end
+ sport = nil
+ dport = nil
+ if PacketFu::TCPPacket.can_parse?(p)
+ ip_packet = PacketFu::TCPPacket.parse(p)
+ protocol = 'tcp'
+ sport = ip_packet.tcp_sport
+ dport = ip_packet.tcp_dport
+ elsif PacketFu::UDPPacket.can_parse?(p)
+ ip_packet = PacketFu::UDPPacket.parse(p)
+ protocol = 'udp'
+ sport = ip_packet.udp_sport
+ dport = ip_packet.udp_dport
+ elsif PacketFu::ICMPPacket.can_parse?(p)
+ ip_packet = PacketFu::ICMPPacket.parse(p)
+ protocol = 'icmp'
+ elsif PacketFu::IPPacket.can_parse?(p)
+ ip_packet = PacketFu::IPPacket.parse(p)
+ protocol = 'ip'
+ elsif PacketFu::IPv6Packet.can_parse?(p)
+ ip_packet = PacketFu::IPv6Packet.parse(p)
+ protocol = 'ipv6'
+ else
+ raise "Found something that cannot be parsed"
end
- hosts.uniq
- end
- def assert_no_leaks
- err = ""
- if !@ipv4_tcp_leaks.empty?
- err += "The following IPv4 TCP non-Tor Internet hosts were " +
- "contacted:\n" + ipv4_tcp_leaks.join("\n")
- end
- if !@ipv4_nontcp_leaks.empty?
- err += "The following IPv4 non-TCP Internet hosts were contacted:\n" +
- ipv4_nontcp_leaks.join("\n")
- end
- if !@ipv6_leaks.empty?
- err += "The following IPv6 Internet hosts were contacted:\n" +
- ipv6_leaks.join("\n")
- end
- if !@nonip_leaks.empty?
- err += "Some non-IP packets were sent\n"
- end
- if !err.empty?
- save_pcap_file
- raise err
+ if protocol == "udp" and
+ sport == 68 and
+ dport == 67 and
+ ip_packet.ip_saddr == '0.0.0.0' and
+ ip_packet.ip_daddr == "255.255.255.255"
+ next if opts[:ignore_dhcp]
end
+
+ connections << {
+ mac_saddr: eth_packet.eth_saddr,
+ mac_daddr: eth_packet.eth_daddr,
+ protocol: protocol,
+ saddr: ip_packet.ip_saddr,
+ daddr: ip_packet.ip_daddr,
+ sport: sport,
+ dport: dport,
+ }
end
+ connections.uniq.map { |p| OpenStruct.new(p) }
+end
+
+# These assertions are made from the perspective of the system under
+# testing when it comes to the concepts of "source" and "destination".
+def assert_all_connections(pcap_file, opts = {}, &block)
+ all = pcap_connections_helper(pcap_file, opts)
+ good = all.find_all(&block)
+ bad = all - good
+ save_failure_artifact("Network capture", pcap_file) unless bad.empty?
+ assert(bad.empty?, "Unexpected connections were made:\n" +
+ bad.map { |e| " #{e}" } .join("\n"))
+end
+def assert_no_connections(pcap_file, opts = {}, &block)
+ assert_all_connections(pcap_file, opts) { |*args| not(block.call(*args)) }
end
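Review bot: `opts[:ignore_dhcp] ||= true` in `pcap_connections_helper` cannot be turned off, because an explicit `false` from the caller is replaced by `true`; use `opts[:ignore_dhcp] = true unless opts.key?(:ignore_dhcp)`. The connection hash reads `ip_packet.ip_saddr` and `ip_packet.ip_daddr` in every branch, including the `IPv6Packet` one, whereas the removed code read `p.ipv6_header.ipv6_daddr` for IPv6 packets; please confirm the IPv6 branch returns addresses here instead of raising. `OpenStruct` is used while the only require visible in this file is `packetfu`, so add `require 'ostruct'` unless it is loaded elsewhere.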
diff --git a/features/support/helpers/misc_helpers.rb b/features/support/helpers/misc_helpers.rb
index 7e09411..8f4bcd8 100644
--- a/features/support/helpers/misc_helpers.rb
+++ b/features/support/helpers/misc_helpers.rb
@@ -89,6 +89,11 @@ end
class MaxRetriesFailure < StandardError
end
+def force_new_tor_circuit()
+ debug_log("Forcing new Tor circuit...")
+ $vm.execute_successfully('tor_control_send "signal NEWNYM"', :libs => 'tor')
+end
+
# This will retry the block up to MAX_NEW_TOR_CIRCUIT_RETRIES
# times. The block must raise an exception for a run to be considered
# as a failure. After a failure recovery_proc will be called (if
@@ -177,13 +182,14 @@ def convert_from_bytes(size, unit)
return size.to_f/convert_bytes_mod(unit).to_f
end
-def cmd_helper(cmd)
+def cmd_helper(cmd, env = {})
if cmd.instance_of?(Array)
cmd << {:err => [:child, :out]}
elsif cmd.instance_of?(String)
cmd += " 2>&1"
end
- IO.popen(cmd) do |p|
+ env = ENV.to_h.merge(env)
+ IO.popen(env, cmd) do |p|
out = p.readlines.join("\n")
p.close
ret = $?
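Review bot: in `cmd_helper`, `ENV.to_h.merge(env)` is redundant, since `IO.popen(env, cmd)` already applies `env` on top of the inherited environment; passing `env` straight through is enough. The context line `cmd << {:err => [:child, :out]}` also modifies the caller's array, so reusing the same array for a second call appends the options hash again; `cmd = cmd + [{...}]` avoids that. A short comment that `env` keys and values must be strings would document the new parameter.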
@@ -192,11 +198,23 @@ def cmd_helper(cmd)
end
end
-# This command will grab all router IP addresses from the Tor
-# consensus in the VM + the hardcoded TOR_AUTHORITIES.
-def get_all_tor_nodes
- cmd = 'awk "/^r/ { print \$6 }" /var/lib/tor/cached-microdesc-consensus'
- $vm.execute(cmd).stdout.chomp.split("\n") + TOR_AUTHORITIES
+def all_tor_hosts
+ nodes = Array.new
+ chutney_torrcs = Dir.glob(
+ "#{$config['TMPDIR']}/chutney-data/nodes/*/torrc"
+ )
+ chutney_torrcs.each do |torrc|
+ open(torrc) do |f|
+ nodes += f.grep(/^(Or|Dir)Port\b/).map do |line|
+ { address: $vmnet.bridge_ip_addr, port: line.split.last.to_i }
+ end
+ end
+ end
+ return nodes
+end
+
+def allowed_hosts_under_tor_enforcement
+ all_tor_hosts + @lan_hosts
end
def get_free_space(machine, path)
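Review bot: `line.split.last.to_i` in `all_tor_hosts` assumes the port is the last whitespace-separated token of the `OrPort`/`DirPort` line; a line with a trailing flag or an `address:port` value gives 0 or an unrelated number, and nothing reports it. Suggest taking the token right after the option name and raising when it is not a plain port number. The pattern `/^(Or|Dir)Port\b/` is case-sensitive, so a torrc that spells the option `ORPort` is skipped. `allowed_hosts_under_tor_enforcement` evaluates `all_tor_hosts + @lan_hosts`, which raises a TypeError if it is called where `@lan_hosts` was never initialized; `+ (@lan_hosts || [])` is safer.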
diff --git a/features/support/helpers/sniffing_helper.rb b/features/support/helpers/sniffing_helper.rb
index 213411e..38b1382 100644
--- a/features/support/helpers/sniffing_helper.rb
+++ b/features/support/helpers/sniffing_helper.rb
@@ -22,8 +22,18 @@ class Sniffer
end
def capture(filter="not ether src host #{@vmnet.bridge_mac} and not ether proto \\arp and not ether proto \\rarp")
- job = IO.popen(["/usr/sbin/tcpdump", "-n", "-i", @vmnet.bridge_name, "-w",
- @pcap_file, "-U", filter, :err => ["/dev/null", "w"]])
+ job = IO.popen(
+ [
+ "/usr/sbin/tcpdump",
+ "-n",
+ "-U",
+ "--immediate-mode",
+ "-i", @vmnet.bridge_name,
+ "-w", @pcap_file,
+ filter,
+ :err => ["/dev/null", "w"]
+ ]
+ )
@pid = job.pid
end
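Review bot: `capture` still sends tcpdump's stderr to `/dev/null`, so if the installed tcpdump does not accept the newly added `--immediate-mode` flag the process exits at once and nothing explains why the capture is empty. Suggest routing stderr to the debug log, or checking that the job is still alive shortly after `IO.popen`. A one-line comment on why `--immediate-mode` is needed in addition to `-U` would also help the next reader.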
diff --git a/features/support/helpers/vm_helper.rb b/features/support/helpers/vm_helper.rb
index 6d7204d..72448f3 100644
--- a/features/support/helpers/vm_helper.rb
+++ b/features/support/helpers/vm_helper.rb
@@ -1,3 +1,4 @@
+require 'ipaddr'
require 'libvirt'
require 'rexml/document'
@@ -517,12 +518,17 @@ EOF
end
def file_append(file, lines, user = 'root')
- lines = lines.split("\n") if lines.class == String
- lines.each do |line|
- cmd = execute("echo '#{line}' >> '#{file}'", :user => user)
- assert(cmd.success?,
- "Could not append to '#{file}':\n#{cmd.stdout}\n#{cmd.stderr}")
- end
+ lines = lines.join("\n") if lines.class == Array
+ # Use some tricky quoting to allow any character to be appended
+ lines.gsub!("'", "'\"'\"'")
+ cmd = execute("echo '#{lines}' >> '#{file}'", :user => user)
+ assert(cmd.success?,
+ "Could not append to '#{file}':\n#{cmd.stdout}\n#{cmd.stderr}")
+ end
+
+ def file_overwrite(*args)
+ execute_successfully("rm -f '#{args.first}'")
+ file_append(*args)
end
def set_clipboard(text)
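Review bot: `lines.gsub!("'", ...)` in `file_append` modifies the caller's string in place when `lines` is a String, and raises on a frozen one; use `lines = lines.gsub(...)`. The comment promises that any character can be appended, but `file` is still interpolated into `'#{file}'` without the same quote escaping, and whether `echo` interprets backslash sequences depends on the shell in the guest; `printf '%s\n'` is predictable. In `file_overwrite`, `rm -f` runs without the `user` argument while the append runs as `user`, and the name `*args` hides the signature; spelling out `(file, lines, user = 'root')` would make both calls consistent.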
diff --git a/features/support/hooks.rb b/features/support/hooks.rb
index be8a023..6589d9b 100644
--- a/features/support/hooks.rb
+++ b/features/support/hooks.rb
@@ -127,6 +127,21 @@ def save_failure_artifact(type, path)
$failure_artifacts << [type, path]
end
+# Due to Tails' Tor enforcement, we only allow contacting hosts that
+# are Tor (or I2P) nodes or located on the LAN. However, when we try
+# to verify that only such hosts are contacted we have a problem --
+# we run all Tor nodes (via Chutney) *and* LAN hosts (used on some
+# tests) on the same host, the one running the test suite. Hence we
+# need to always explicitly track which nodes are LAN or not.
+#
+# Warning: when a host is added via this function, it is only added
+# for the current scenario. As such, if this is done before saving a
+# snapshot, it will not remain after the snapshot is loaded.
+def add_lan_host(ipaddr, port)
+ @lan_hosts ||= []
+ @lan_hosts << { address: ipaddr, port: port }
+end
+
BeforeFeature('@product') do |feature|
if TAILS_ISO.nil?
raise "No Tails ISO image specified, and none could be found in the " +
@@ -159,6 +174,7 @@ BeforeFeature('@product') do |feature|
$vmstorage = VMStorage.new($virt, VM_XML_PATH)
$started_first_product_feature = true
end
+ ensure_chutney_is_running
end
AfterFeature('@product') do
@@ -198,6 +214,8 @@ Before('@product') do |scenario|
@os_loader = "MBR"
@sudo_password = "asdf"
@persistence_password = "asdf"
+ # See comment for add_lan_host() above.
+ @lan_hosts ||= []
end
# Cucumber After hooks are executed in the *reverse* order they are
@@ -252,14 +270,10 @@ end
After('@product', '@check_tor_leaks') do |scenario|
@tor_leaks_sniffer.stop
if scenario.passed?
- if @bridge_hosts.nil?
- expected_tor_nodes = get_all_tor_nodes
- else
- expected_tor_nodes = @bridge_hosts
+ allowed_nodes = @bridge_hosts ? @bridge_hosts : allowed_hosts_under_tor_enforcement
+ assert_all_connections(@tor_leaks_sniffer.pcap_file) do |c|
+ allowed_nodes.include?({ address: c.daddr, port: c.dport })
end
- leaks = FirewallLeakCheck.new(@tor_leaks_sniffer.pcap_file,
- :accepted_hosts => expected_tor_nodes)
- leaks.assert_no_leaks
end
end
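Review bot: when `@bridge_hosts` is set, `allowed_nodes` is the bridge list alone, so hosts registered through `add_lan_host` are not allowed in bridge-mode scenarios. If that is intended, say so in a comment next to the assignment; otherwise combine the two lists. The block compares `{ address: c.daddr, port: c.dport }` with `include?`, so every entry in `@bridge_hosts` has to be a hash of exactly that shape with an Integer port, as `all_tor_hosts` builds them; a mismatch in shape fails every connection without an obvious reason. `@bridge_hosts || allowed_hosts_under_tor_enforcement` reads more simply than the ternary.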
diff --git a/features/time_syncing.feature b/features/time_syncing.feature
index 69a0c9e..cda75f6 100644
--- a/features/time_syncing.feature
+++ b/features/time_syncing.feature
@@ -4,109 +4,21 @@ Feature: Time syncing
I want Tor to work properly
And for that I need a reasonably accurate system clock
- #10497: wait_until_tor_is_working
- @fragile
Scenario: Clock with host's time
Given I have started Tails from DVD without network and logged in
When the network is plugged
And Tor is ready
Then Tails clock is less than 5 minutes incorrect
- #10497: wait_until_tor_is_working
- @fragile
Scenario: Clock with host's time in bridge mode
Given I have started Tails from DVD without network and logged in with bridge mode enabled
When the network is plugged
And the Tor Launcher autostarts
- And I configure some Bridge pluggable transports in Tor Launcher
+ And I configure some bridge pluggable transports in Tor Launcher
And Tor is ready
Then Tails clock is less than 5 minutes incorrect
- #10497: wait_until_tor_is_working
- @fragile
- Scenario: Clock is one day in the past
- Given I have started Tails from DVD without network and logged in
- When I bump the system time with "-1 day"
- And the network is plugged
- And Tor is ready
- Then Tails clock is less than 5 minutes incorrect
-
- #10497: wait_until_tor_is_working
- @fragile
- Scenario: Clock is one day in the past in bridge mode
- Given I have started Tails from DVD without network and logged in with bridge mode enabled
- When I bump the system time with "-1 day"
- And the network is plugged
- And the Tor Launcher autostarts
- And I configure some Bridge pluggable transports in Tor Launcher
- And Tor is ready
- Then Tails clock is less than 5 minutes incorrect
-
- #10497: wait_until_tor_is_working
- @fragile
- Scenario: Clock is way in the past
- Given I have started Tails from DVD without network and logged in
- # 13 weeks will span over two Tails release cycles.
- When I bump the system time with "-13 weeks"
- And the network is plugged
- And Tor is ready
- Then Tails clock is less than 5 minutes incorrect
-
- #10497: wait_until_tor_is_working
- @fragile
- Scenario: Clock way in the past in bridge mode
- Given I have started Tails from DVD without network and logged in with bridge mode enabled
- When I bump the system time with "-6 weeks"
- And the network is plugged
- And the Tor Launcher autostarts
- And I configure some Bridge pluggable transports in Tor Launcher
- And Tor is ready
- Then Tails clock is less than 5 minutes incorrect
-
- #10497: wait_until_tor_is_working
- #10440: Time syncing tests are fragile
- @fragile
- Scenario: Clock is one day in the future
- Given I have started Tails from DVD without network and logged in
- When I bump the system time with "+1 day"
- And the network is plugged
- And Tor is ready
- Then Tails clock is less than 5 minutes incorrect
-
- #10497: wait_until_tor_is_working
- @fragile
- Scenario: Clock is one day in the future in bridge mode
- Given I have started Tails from DVD without network and logged in with bridge mode enabled
- When I bump the system time with "+1 day"
- And the network is plugged
- And the Tor Launcher autostarts
- And I configure some Bridge pluggable transports in Tor Launcher
- And Tor is ready
- Then Tails clock is less than 5 minutes incorrect
-
- #10497: wait_until_tor_is_working
- #10440: Time syncing tests are fragile
- @fragile
- Scenario: Clock way in the future
- Given I have started Tails from DVD without network and logged in
- When I set the system time to "01 Jan 2020 12:34:56"
- And the network is plugged
- And Tor is ready
- Then Tails clock is less than 5 minutes incorrect
-
- #10497: wait_until_tor_is_working
- #10440: Time syncing tests are fragile
- @fragile
- Scenario: Clock way in the future in bridge mode
- Given I have started Tails from DVD without network and logged in with bridge mode enabled
- When I set the system time to "01 Jan 2020 12:34:56"
- And the network is plugged
- And the Tor Launcher autostarts
- And I configure some Bridge pluggable transports in Tor Launcher
- And Tor is ready
- Then Tails clock is less than 5 minutes incorrect
-
-Scenario: The system time is not synced to the hardware clock
+ Scenario: The system time is not synced to the hardware clock
Given I have started Tails from DVD without network and logged in
When I bump the system time with "-15 days"
And I warm reboot the computer
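Review bot: the eight scenarios that skew the clock before the network is plugged (one day and several weeks in the past, one day ahead, and the fixed 2020 date, each with and without bridge mode) are deleted with no replacement, leaving only the two host-time cases and the hardware-clock case. The Feature text still says Tor needs a reasonably accurate system clock, so please record in the commit message or in a comment in this file why skewed clocks are no longer tested here and where that coverage is expected to live.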
diff --git a/features/tor_bridges.feature b/features/tor_bridges.feature
index b5277ca..bda0304 100644
--- a/features/tor_bridges.feature
+++ b/features/tor_bridges.feature
@@ -1,4 +1,4 @@
-@product @fragile
+@product
Feature: Using Tails with Tor pluggable transports
As a Tails user
I want to circumvent censorship of Tor by using Tor pluggable transports
@@ -12,19 +12,7 @@ Feature: Using Tails with Tor pluggable transports
And the Tor Launcher uses all expected TBB shared libraries
Scenario: Using bridges
- When I configure some Bridge pluggable transports in Tor Launcher
- Then Tor is ready
- And available upgrades have been checked
- And all Internet traffic has only flowed through the configured pluggable transports
-
- Scenario: Using obfs2 pluggable transports
- When I configure some obfs2 pluggable transports in Tor Launcher
- Then Tor is ready
- And available upgrades have been checked
- And all Internet traffic has only flowed through the configured pluggable transports
-
- Scenario: Using obfs3 pluggable transports
- When I configure some obfs3 pluggable transports in Tor Launcher
+ When I configure some bridge pluggable transports in Tor Launcher
Then Tor is ready
And available upgrades have been checked
And all Internet traffic has only flowed through the configured pluggable transports
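Review bot: the obfs2 and obfs3 scenarios are removed and the one that remains configures unspecified "bridge pluggable transports", so the feature file no longer shows which transport types are exercised. Suggest naming the transports the step sets up, either in the step text or in a comment above the scenario.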
diff --git a/features/tor_enforcement.feature b/features/tor_enforcement.feature
index 164220a..a958b14 100644
--- a/features/tor_enforcement.feature
+++ b/features/tor_enforcement.feature
@@ -1,5 +1,4 @@
-#10497: wait_until_tor_is_working
-@product @fragile
+@product
Feature: The Tor enforcement is effective
As a Tails user
I want all direct Internet connections I do by mistake or applications do by misconfiguration or buggy leaks to be blocked
@@ -18,34 +17,34 @@ Feature: The Tor enforcement is effective
And the firewall is configured to block all external IPv6 traffic
@fragile
- Scenario: Anti test: Detecting IPv4 TCP leaks from the Unsafe Browser with the firewall leak detector
+ Scenario: Anti test: Detecting TCP leaks from the Unsafe Browser with the firewall leak detector
Given I have started Tails from DVD and logged in and the network is connected
And I capture all network traffic
When I successfully start the Unsafe Browser
- And I open the address "https://check.torproject.org" in the Unsafe Browser
- And I see "UnsafeBrowserTorCheckFail.png" after at most 60 seconds
- Then the firewall leak detector has detected IPv4 TCP leaks
+ And I open Tails homepage in the Unsafe Browser
+ And Tails homepage loads in the Unsafe Browser
+ Then the firewall leak detector has detected leaks
- Scenario: Anti test: Detecting IPv4 TCP leaks of TCP DNS lookups with the firewall leak detector
+ Scenario: Anti test: Detecting TCP leaks of DNS lookups with the firewall leak detector
Given I have started Tails from DVD and logged in and the network is connected
And I capture all network traffic
And I disable Tails' firewall
When I do a TCP DNS lookup of "torproject.org"
- Then the firewall leak detector has detected IPv4 TCP leaks
+ Then the firewall leak detector has detected leaks
- Scenario: Anti test: Detecting IPv4 non-TCP leaks (UDP) of UDP DNS lookups with the firewall leak detector
+ Scenario: Anti test: Detecting UDP leaks of DNS lookups with the firewall leak detector
Given I have started Tails from DVD and logged in and the network is connected
And I capture all network traffic
And I disable Tails' firewall
When I do a UDP DNS lookup of "torproject.org"
- Then the firewall leak detector has detected IPv4 non-TCP leaks
+ Then the firewall leak detector has detected leaks
- Scenario: Anti test: Detecting IPv4 non-TCP (ICMP) leaks of ping with the firewall leak detector
+ Scenario: Anti test: Detecting ICMP leaks of ping with the firewall leak detector
Given I have started Tails from DVD and logged in and the network is connected
And I capture all network traffic
And I disable Tails' firewall
When I send some ICMP pings
- Then the firewall leak detector has detected IPv4 non-TCP leaks
+ Then the firewall leak detector has detected leaks
@check_tor_leaks
Scenario: The Tor enforcement is effective at blocking untorified TCP connection attempts
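Review bot: all four anti-tests now end with the same step, `the firewall leak detector has detected leaks`, so the UDP and ICMP scenarios no longer check that the leak found is of the protocol the scenario provokes; any stray packet in the capture satisfies them. Since `pcap_connections_helper` records a `protocol` for each connection, the step could take the expected protocol as an argument, for example `has detected UDP leaks`, and assert on it.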
diff --git a/features/tor_stream_isolation.feature b/features/tor_stream_isolation.feature
index c51c641..59aa34d 100644
--- a/features/tor_stream_isolation.feature
+++ b/features/tor_stream_isolation.feature
@@ -1,5 +1,4 @@
-#10497: wait_until_tor_is_working
-@product @check_tor_leaks @fragile
+@product @check_tor_leaks
Feature: Tor stream isolation is effective
As a Tails user
I want my Torified sessions to be sensibly isolated from each other to prevent identity correlation
diff --git a/features/torified_browsing.feature b/features/torified_browsing.feature
index 78a4013..52fda62 100644
--- a/features/torified_browsing.feature
+++ b/features/torified_browsing.feature
@@ -1,6 +1,4 @@
-#10376: The "the Tor Browser loads the (startup page|Tails roadmap)" step is fragile
-#10497: wait_until_tor_is_working
-@product @fragile
+@product
Feature: Browsing the web using the Tor Browser
As a Tails user
when I browse the web using the Tor Browser
@@ -13,8 +11,8 @@ Feature: Browsing the web using the Tor Browser
When I start the Tor Browser
And the Tor Browser has started and loaded the startup page
And I open a page on the LAN web server in the Tor Browser
- Then I see "TorBrowserUnableToConnect.png" after at most 20 seconds
- And no traffic has flowed to the LAN
+ Then the Tor Browser shows the "Unable to connect" error
+ And no traffic was sent to the web server on the LAN
@check_tor_leaks
Scenario: The Tor Browser directory is usable
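Review bot: the final step changes from `no traffic has flowed to the LAN` to `no traffic was sent to the web server on the LAN`, which narrows the assertion from the whole LAN to one host. If the narrowing is needed because other services now share the LAN address space with the test host, a comment above the scenario should say so; otherwise the broader check is the stronger one for this scenario.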
@@ -47,17 +45,6 @@ Feature: Browsing the web using the Tor Browser
And I click the HTML5 play button
And 1 application is playing audio after 10 seconds
- @check_tor_leaks @fragile
- Scenario: Watching a WebM video
- Given I have started Tails from DVD and logged in and the network is connected
- When I start the Tor Browser
- And the Tor Browser has started and loaded the startup page
- And I open the address "https://webm.html5.org/test.webm" in the Tor Browser
- And I click the blocked video icon
- And I see "TorBrowserNoScriptTemporarilyAllowDialog.png" after at most 30 seconds
- And I accept to temporarily allow playing this video
- Then I see "TorBrowserSampleRemoteWebMVideoFrame.png" after at most 180 seconds
-
Scenario: I can view a file stored in "~/Tor Browser" but not in ~/.gnupg
Given I have started Tails from DVD and logged in and the network is connected
And I copy "/usr/share/synaptic/html/index.html" to "/home/amnesia/Tor Browser/synaptic.html" as user "amnesia"
@@ -110,20 +97,12 @@ Feature: Browsing the web using the Tor Browser
Then the Tor Browser uses all expected TBB shared libraries
@check_tor_leaks @fragile
- Scenario: Opening check.torproject.org in the Tor Browser shows the green onion and the congratulations message
- Given I have started Tails from DVD and logged in and the network is connected
- When I start the Tor Browser
- And the Tor Browser has started and loaded the startup page
- And I open the address "https://check.torproject.org" in the Tor Browser
- Then I see "TorBrowserTorCheck.png" after at most 180 seconds
-
- @check_tor_leaks @fragile
Scenario: The Tor Browser's "New identity" feature works as expected
Given I have started Tails from DVD and logged in and the network is connected
When I start the Tor Browser
And the Tor Browser has started and loaded the startup page
- And I open the address "https://check.torproject.org" in the Tor Browser
- Then I see "TorBrowserTorCheck.png" after at most 180 seconds
+ And I open Tails homepage in the Tor Browser
+ Then Tails homepage loads in the Tor Browser
When I request a new identity using Torbutton
And I acknowledge Torbutton's New Identity confirmation prompt
Then the Tor Browser loads the startup page
@@ -134,7 +113,7 @@ Feature: Browsing the web using the Tor Browser
And the Tor Browser has started and loaded the startup page
Then the Tor Browser has no plugins installed
- #10497, #10720
+ #10720
@fragile
Scenario: The persistent Tor Browser directory is usable
Given I have started Tails without network from a USB drive with a persistent partition enabled and logged in
@@ -166,7 +145,6 @@ Feature: Browsing the web using the Tor Browser
And the computer reboots Tails
And I enable read-only persistence
And I log in to a new session
- And the Tails desktop is ready
And I start the Tor Browser in offline mode
And the Tor Browser has started in offline mode
Then the Tor Browser has a bookmark to eff.org
diff --git a/features/torified_git.feature b/features/torified_git.feature
index 04e19a5..64f93a6 100644
--- a/features/torified_git.feature
+++ b/features/torified_git.feature
@@ -1,5 +1,3 @@
-#10497: wait_until_tor_is_working
-#10444: Git tests are fragile
@product @check_tor_leaks @fragile
Feature: Cloning a Git repository
As a Tails user
diff --git a/features/torified_gnupg.feature b/features/torified_gnupg.feature
index cbdab7f..bba2744 100644
--- a/features/torified_gnupg.feature
+++ b/features/torified_gnupg.feature
@@ -1,4 +1,4 @@
-@product @check_tor_leaks @fragile
+@product @check_tor_leaks
Feature: Keyserver interaction with GnuPG
As a Tails user
when I interact with keyservers using various GnuPG tools
diff --git a/features/torified_misc.feature b/features/torified_misc.feature
index 75f3fd0..5bb83c8 100644
--- a/features/torified_misc.feature
+++ b/features/torified_misc.feature
@@ -1,4 +1,4 @@
-@product @check_tor_leaks @fragile
+@product @check_tor_leaks
Feature: Various checks for torified software
Background:
diff --git a/features/totem.feature b/features/totem.feature
index 0e6fa05..c5fb37a 100644
--- a/features/totem.feature
+++ b/features/totem.feature
@@ -40,7 +40,6 @@ Feature: Using Totem
# as /lib/live/mount/overlay.
And AppArmor has denied "/usr/bin/totem" from opening "/lib/live/mount/overlay/home/amnesia/.gnupg/video.mp4"
- #10497: wait_until_tor_is_working
@check_tor_leaks @fragile
Scenario: Watching a WebM video over HTTPS
Given I have started Tails from DVD and logged in and the network is connected
diff --git a/features/unsafe_browser.feature b/features/unsafe_browser.feature
index d47f770..a0a26fa 100644
--- a/features/unsafe_browser.feature
+++ b/features/unsafe_browser.feature
@@ -4,6 +4,7 @@ Feature: Browsing the web using the Unsafe Browser
when I browse the web using the Unsafe Browser
I should have direct access to the web
+ #11458
@fragile
Scenario: The Unsafe Browser can access the LAN
Given I have started Tails from DVD and logged in and the network is connected
@@ -12,6 +13,7 @@ Feature: Browsing the web using the Unsafe Browser
And I open a page on the LAN web server in the Unsafe Browser
Then I see "UnsafeBrowserHelloLANWebServer.png" after at most 20 seconds
+ #11458
@fragile
Scenario: Starting the Unsafe Browser works as it should.
Given I have started Tails from DVD and logged in and the network is connected
@@ -25,6 +27,7 @@ Feature: Browsing the web using the Unsafe Browser
And the Unsafe Browser has no proxy configured
And the Unsafe Browser uses all expected TBB shared libraries
+ #11457, #11458
@fragile
Scenario: Closing the Unsafe Browser shows a stop notification and properly tears down the chroot.
Given I have started Tails from DVD and logged in and the network is connected
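Review bot: The added '#11457, #11458' lists two tickets for the chroot teardown scenario without saying which failure each one covers. When one of them is closed, it will not be clear from the file whether @fragile can be dropped. Consider one comment line per ticket, each with its symptom.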
@@ -33,6 +36,7 @@ Feature: Browsing the web using the Unsafe Browser
Then I see the Unsafe Browser stop notification
And the Unsafe Browser chroot is torn down
+ #11458
@fragile
Scenario: Starting a second instance of the Unsafe Browser results in an error message being shown.
Given I have started Tails from DVD and logged in and the network is connected
@@ -40,20 +44,14 @@ Feature: Browsing the web using the Unsafe Browser
And I start the Unsafe Browser
Then I see a warning about another instance already running
- @fragile
- Scenario: Opening check.torproject.org in the Unsafe Browser shows the red onion and a warning message.
- Given I have started Tails from DVD and logged in and the network is connected
- When I successfully start the Unsafe Browser
- And I open the address "https://check.torproject.org" in the Unsafe Browser
- Then I see "UnsafeBrowserTorCheckFail.png" after at most 60 seconds
- And the clearnet user has sent packets out to the Internet
-
+ #11458
@fragile
Scenario: The Unsafe Browser cannot be configured to use Tor and other local proxies.
Given I have started Tails from DVD and logged in and the network is connected
When I successfully start the Unsafe Browser
Then I cannot configure the Unsafe Browser to use any local proxies
+ #11458
@fragile
Scenario: The Unsafe Browser will not make any connections to the Internet which are not user initiated
Given I have started Tails from DVD and logged in and the network is connected
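Review bot: The deleted scenario 'Opening check.torproject.org in the Unsafe Browser shows the red onion and a warning message' carried the step 'the clearnet user has sent packets out to the Internet', which is the only assertion in this hunk that Unsafe Browser traffic actually leaves directly rather than through Tor. The scenarios that remain here check proxy configuration and the absence of connections that are not user initiated, which is a different property from the feature's stated 'I should have direct access to the web'. Please state in the commit message where direct clearnet egress is still asserted, or keep that packet check in a scenario that does not depend on an external site's rendering.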
diff --git a/features/untrusted_partitions.feature b/features/untrusted_partitions.feature
index 5549013..b1045c4 100644
--- a/features/untrusted_partitions.feature
+++ b/features/untrusted_partitions.feature
@@ -50,7 +50,6 @@ Feature: Untrusted partitions
And I set Tails to boot with options "live-media="
When I start Tails with network unplugged and I login
Then Tails is running from ide drive "live_hd"
- And Tails seems to have booted normally
Scenario: Tails booting from a DVD does not use live systems stored on hard drives
Given a computer
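Review bot: Removing 'And Tails seems to have booted normally' leaves 'Then Tails is running from ide drive "live_hd"' as the scenario's only assertion after booting with 'live-media='. If the boot sanity check has been folded into the 'I start Tails with network unplugged and I login' step, say so in the commit message. Otherwise a boot that reaches the expected drive but comes up in a degraded state would still pass.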
diff --git a/features/usb_install.feature b/features/usb_install.feature
index 750df7a..e8ce2fe 100644
--- a/features/usb_install.feature
+++ b/features/usb_install.feature
@@ -42,7 +42,6 @@ Feature: Installing Tails to a USB drive
Scenario: Booting Tails from a USB drive without a persistent partition and creating one
Given I have started Tails without network from a USB drive without a persistent partition and stopped at Tails Greeter's login screen
And I log in to a new session
- Then Tails seems to have booted normally
When I create a persistent partition
Then a Tails persistence partition exists on USB drive "__internal"
@@ -51,8 +50,7 @@ Feature: Installing Tails to a USB drive
Scenario: Booting Tails from a USB drive without a persistent partition
Given I have started Tails without network from a USB drive without a persistent partition and stopped at Tails Greeter's login screen
When I log in to a new session
- Then Tails seems to have booted normally
- And Tails is running from USB drive "__internal"
+ Then Tails is running from USB drive "__internal"
And the persistent Tor Browser directory does not exist
And there is no persistence partition on USB drive "__internal"
diff --git a/features/usb_upgrade.feature b/features/usb_upgrade.feature
index 7462489..fc61308 100644
--- a/features/usb_upgrade.feature
+++ b/features/usb_upgrade.feature
@@ -56,7 +56,6 @@ Feature: Upgrading an old Tails USB installation
And I start the computer
When the computer boots Tails
And I log in to a new session
- And the Tails desktop is ready
And all notifications have disappeared
And I create a 4 GiB disk named "old"
And I plug USB drive "old"
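Review bot: With 'And the Tails desktop is ready' removed, 'And all notifications have disappeared' now follows 'And I log in to a new session' directly. Unless the login step itself waits for the desktop, the notification check can succeed before any notification has been displayed, and later steps then race against them. Confirm that the login step now includes the desktop-ready wait, and note that in the commit message since the step definition is not part of this hunk.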
@@ -113,7 +112,6 @@ Feature: Upgrading an old Tails USB installation
Scenario: Upgrading an old Tails USB installation from another Tails USB drive
Given I have started Tails without network from a USB drive without a persistent partition and stopped at Tails Greeter's login screen
And I log in to a new session
- And Tails seems to have booted normally
And I clone USB drive "old" to a new USB drive "to_upgrade"
And I plug USB drive "to_upgrade"
When I "Clone & Upgrade" Tails to USB drive "to_upgrade"