Fix issue found while testing keyring related changes. #7076

2024-11-21 16:27:39 -06:00 · 2024-08-28 11:46:04 +05:30 · 2024-08-28 11:46:04 +05:30 · c4dc839d7c
commit c4dc839d7c
parent f5c1cd9df8
6 changed files with 20 additions and 13 deletions
--- a/web/pgadmin/authenticate/kerberos.py
+++ b/web/pgadmin/authenticate/kerberos.py
@ -30,7 +30,6 @@ from pgadmin.utils.ajax import make_json_response, internal_server_error
 from pgadmin.authenticate.internal import BaseAuthentication
 from pgadmin.authenticate import get_auth_sources
 from pgadmin.utils.csrf import pgCSRFProtect
-from pgadmin.utils.master_password import set_crypt_key

 try:
    import gssapi
@ -193,8 +192,7 @@ class KerberosAuthentication(BaseAuthentication):
                    if status:
                        # Saving the first 15 characters of the kerberos key
                        # to encrypt/decrypt database password
-                        pass_enc_key = auth_header[1][0:15]
-                        set_crypt_key(pass_enc_key)
+                        session['pass_enc_key'] = auth_header[1][0:15]
                        # Create user
                        retval = self.__auto_create_user(
                            str(negotiate.initiator_name))
--- a/web/pgadmin/authenticate/oauth2.py
+++ b/web/pgadmin/authenticate/oauth2.py
@ -26,7 +26,6 @@ from pgadmin.utils import PgAdminModule, get_safe_post_login_redirect, \
    get_safe_post_logout_redirect
 from pgadmin.utils.csrf import pgCSRFProtect
 from pgadmin.model import db
-from pgadmin.utils.master_password import set_crypt_key

 OAUTH2_LOGOUT = 'oauth2.logout'
 OAUTH2_AUTHORIZE = 'oauth2.authorize'
@ -211,8 +210,7 @@ class OAuth2Authentication(BaseAuthentication):
        session['oauth2_token'] = self.oauth2_clients[
            self.oauth2_current_client].authorize_access_token()

-        pass_enc_key = session['oauth2_token']['access_token']
-        set_crypt_key(pass_enc_key)
+        session['pass_enc_key'] = session['oauth2_token']['access_token']

        if 'OAUTH2_LOGOUT_URL' in self.oauth2_config[
                self.oauth2_current_client]:
--- a/web/pgadmin/authenticate/webserver.py
+++ b/web/pgadmin/authenticate/webserver.py
@ -12,7 +12,7 @@
 import secrets
 import string
 import config
-from flask import request, current_app, Response, render_template, \
+from flask import request, current_app, session, Response, render_template, \
    url_for
 from flask_babel import gettext
 from flask_security import login_user
@ -90,9 +90,9 @@ class WebserverAuthentication(BaseAuthentication):
            return False, gettext(
                "Webserver authenticate failed.")

-        pass_enc_key = ''.join(
+        session['pass_enc_key'] = ''.join(
            (secrets.choice(string.ascii_lowercase) for _ in range(10)))
-        set_crypt_key(pass_enc_key)
+
        useremail = request.environ.get('mail')
        if not useremail:
            useremail = ''
--- a/web/pgadmin/browser/init.py
+++ b/web/pgadmin/browser/init.py
@ -735,6 +735,10 @@ def set_master_password():
                            keyring_name=keyring_name)
                    else:
                        if not error:
+                            # Update keyring
+                            keyring.set_password(KEY_RING_SERVICE_NAME,
+                                                 KEY_RING_USER_NAME,
+                                                 master_key)
                            set_crypt_key(master_key)
                            return form_master_password_response(
                                present=True)
--- a/web/pgadmin/browser/server_groups/servers/utils.py
+++ b/web/pgadmin/browser/server_groups/servers/utils.py
@ -267,9 +267,8 @@ def migrate_passwords_from_os_secret_storage(servers, enc_key):
                tunnel_password = keyring.get_password(
                    KEY_RING_SERVICE_NAME, tunnel_name)
                if tunnel_password:
+                    tunnel_password = encrypt(tunnel_password, enc_key)
                    setattr(server, 'tunnel_password', tunnel_password)
-                    keyring.delete_password(
-                        KEY_RING_SERVICE_NAME, tunnel_name)
                else:
                    setattr(server, 'tunnel_password', None)
            passwords_migrated = True
@ -355,6 +354,11 @@ def migrate_saved_passwords(master_key, master_password):
                return passwords_migrated, error
            elif master_password:
                old_key = master_password
+            else:
+                current_app.logger.warning(
+                    'Saved password were already migrated once. '
+                    'Hence not migrating again. '
+                    'May be the old master key was deleted.')
        else:
            old_key = current_user.password

--- a/web/pgadmin/utils/master_password.py
+++ b/web/pgadmin/utils/master_password.py
@ -1,10 +1,10 @@
 import secrets

 import keyring
-from keyring.errors import KeyringError, KeyringLocked, NoKeyringError
+from keyring.errors import KeyringLocked, NoKeyringError

 import config
-from flask import current_app
+from flask import current_app, session
 from flask_login import current_user
 from pgadmin.model import db, User, Server
 from pgadmin.utils.constants import KEY_RING_SERVICE_NAME, KEY_RING_USER_NAME
@ -36,6 +36,9 @@ def get_crypt_key():
    elif config.MASTER_PASSWORD_REQUIRED and \
            enc_key is None:
        return False, None
+    elif not config.MASTER_PASSWORD_REQUIRED and config.SERVER_MODE and \
+            'pass_enc_key' in session:
+        return True, session['pass_enc_key']
    else:
        return True, enc_key