From c4dc839d7c48d57ee69ffffbc76a0988a4de7cb2 Mon Sep 17 00:00:00 2001
From: Yogesh Mahajan
Date: Wed, 28 Aug 2024 11:46:04 +0530
Subject: [PATCH] Fix issue found while testing keyring related changes. #7076
---
 web/pgadmin/authenticate/kerberos.py | 4 +---
 web/pgadmin/authenticate/oauth2.py | 4 +---
 web/pgadmin/authenticate/webserver.py | 6 +++---
 web/pgadmin/browser/__init__.py | 4 ++++
 web/pgadmin/browser/server_groups/servers/utils.py | 8 ++++++--
 web/pgadmin/utils/master_password.py | 7 +++++--
 6 files changed, 20 insertions(+), 13 deletions(-)
diff --git a/web/pgadmin/authenticate/kerberos.py b/web/pgadmin/authenticate/kerberos.py
index 3f8db6e67..f0e8d916b 100644
--- a/web/pgadmin/authenticate/kerberos.py
+++ b/web/pgadmin/authenticate/kerberos.py
@@ -30,7 +30,6 @@ from pgadmin.utils.ajax import make_json_response, internal_server_error
 from pgadmin.authenticate.internal import BaseAuthentication
 from pgadmin.authenticate import get_auth_sources
 from pgadmin.utils.csrf import pgCSRFProtect
-from pgadmin.utils.master_password import set_crypt_key
 try:
 import gssapi
@@ -193,8 +192,7 @@ class KerberosAuthentication(BaseAuthentication):
 if status:
 # Saving the first 15 characters of the kerberos key
 # to encrypt/decrypt database password
- pass_enc_key = auth_header[1][0:15]
- set_crypt_key(pass_enc_key)
+ session['pass_enc_key'] = auth_header[1][0:15]
 # Create user
 retval = self.__auto_create_user(
 str(negotiate.initiator_name))
diff --git a/web/pgadmin/authenticate/oauth2.py b/web/pgadmin/authenticate/oauth2.py
index d1ce51a0b..b7642bb40 100644
--- a/web/pgadmin/authenticate/oauth2.py
+++ b/web/pgadmin/authenticate/oauth2.py
@@ -26,7 +26,6 @@ from pgadmin.utils import PgAdminModule, get_safe_post_login_redirect, \
 get_safe_post_logout_redirect
 from pgadmin.utils.csrf import pgCSRFProtect
 from pgadmin.model import db
-from pgadmin.utils.master_password import set_crypt_key
 OAUTH2_LOGOUT = 'oauth2.logout'
 OAUTH2_AUTHORIZE = 'oauth2.authorize'
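Review bot: Storing the password-encryption key as `session['pass_enc_key']` in the second kerberos.py hunk (and likewise in the oauth2.py and webserver.py hunks of this patch) makes its confidentiality depend on the session backend, which the diff does not show. With a cookie-based Flask session the value would be signed but readable by the client, and with a server-side store it is persisted alongside the data it protects. I would document the assumption above the assignment, e.g. `# pass_enc_key must stay in the server-side session store and be removed on logout`, and confirm that the logout path actually clears it. Separately, `auth_header[1][0:15]` keeps only the leading characters of the Negotiate token, which are likely to be mostly fixed protocol framing rather than secret bytes; that choice predates this patch but is worth a follow-up so the key is derived from material that is actually secret. The enclosing method starts and ends outside the hunk.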
@@ -211,8 +210,7 @@ class OAuth2Authentication(BaseAuthentication):
 session['oauth2_token'] = self.oauth2_clients[
 self.oauth2_current_client].authorize_access_token()
- pass_enc_key = session['oauth2_token']['access_token']
- set_crypt_key(pass_enc_key)
+ session['pass_enc_key'] = session['oauth2_token']['access_token']
 if 'OAUTH2_LOGOUT_URL' in self.oauth2_config[
 self.oauth2_current_client]:
diff --git a/web/pgadmin/authenticate/webserver.py b/web/pgadmin/authenticate/webserver.py
index 2c9f47e8d..ca66f4ce1 100644
--- a/web/pgadmin/authenticate/webserver.py
+++ b/web/pgadmin/authenticate/webserver.py
@@ -12,7 +12,7 @@ import secrets
 import string
 import config
-from flask import request, current_app, Response, render_template, \
+from flask import request, current_app, session, Response, render_template, \
 url_for
 from flask_babel import gettext
 from flask_security import login_user
@@ -90,9 +90,9 @@ class WebserverAuthentication(BaseAuthentication):
 return False, gettext(
 "Webserver authenticate failed.")
- pass_enc_key = ''.join(
+ session['pass_enc_key'] = ''.join(
 (secrets.choice(string.ascii_lowercase) for _ in range(10)))
- set_crypt_key(pass_enc_key)
+
 useremail = request.environ.get('mail')
 if not useremail:
 useremail = ''
diff --git a/web/pgadmin/browser/__init__.py b/web/pgadmin/browser/__init__.py
index 1e4200177..4cd8d1271 100644
--- a/web/pgadmin/browser/__init__.py
+++ b/web/pgadmin/browser/__init__.py
@@ -735,6 +735,10 @@ def set_master_password():
 keyring_name=keyring_name)
 else:
 if not error:
+ # Update keyring
+ keyring.set_password(KEY_RING_SERVICE_NAME,
+ KEY_RING_USER_NAME,
+ master_key)
 set_crypt_key(master_key)
 return form_master_password_response(
 present=True)
diff --git a/web/pgadmin/browser/server_groups/servers/utils.py b/web/pgadmin/browser/server_groups/servers/utils.py
index e34bfa2db..6511ea286 100644
--- a/web/pgadmin/browser/server_groups/servers/utils.py
+++ b/web/pgadmin/browser/server_groups/servers/utils.py
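Review bot: The key assigned to `session['pass_enc_key']` in the second webserver.py hunk is ten characters drawn from `string.ascii_lowercase`, about 47 bits, which is thin for a value that encrypts saved database passwords. Since the line is being rewritten anyway, consider `session['pass_enc_key'] = secrets.token_urlsafe(32)`, provided the cipher code (not shown here) accepts a key string of that length. The `set_crypt_key(...)` call is dropped but no hunk in this file removes an import for it, so check whether the file is left with an unused import. The method continues outside the hunk.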
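Review bot: The added `keyring.set_password(...)` call in set_master_password() has no visible error handling, so a locked or unavailable keyring backend would raise out of the view before `set_crypt_key(master_key)` runs, unless a `try` outside this hunk already covers it. I would catch the `keyring.errors` exceptions that master_password.py imports (`KeyringLocked`, `NoKeyringError`) around this call and log the failure without including `master_key` in the message. The comment `# Update keyring` would be more useful if it said why the stored value has to be refreshed at this point. The function starts and ends outside the hunk.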
@@ -267,9 +267,8 @@ def migrate_passwords_from_os_secret_storage(servers, enc_key):
 tunnel_password = keyring.get_password(
 KEY_RING_SERVICE_NAME, tunnel_name)
 if tunnel_password:
+ tunnel_password = encrypt(tunnel_password, enc_key)
 setattr(server, 'tunnel_password', tunnel_password)
- keyring.delete_password(
- KEY_RING_SERVICE_NAME, tunnel_name)
 else:
 setattr(server, 'tunnel_password', None)
 passwords_migrated = True
@@ -355,6 +354,11 @@ def migrate_saved_passwords(master_key, master_password):
 return passwords_migrated, error
 elif master_password:
 old_key = master_password
+ else:
+ current_app.logger.warning(
+ 'Saved password were already migrated once. '
+ 'Hence not migrating again. '
+ 'May be the old master key was deleted.')
 else:
 old_key = current_user.password
diff --git a/web/pgadmin/utils/master_password.py b/web/pgadmin/utils/master_password.py
index 3ebc5ea28..74685d0d3 100644
--- a/web/pgadmin/utils/master_password.py
+++ b/web/pgadmin/utils/master_password.py
@@ -1,10 +1,10 @@
 import secrets
 import keyring
-from keyring.errors import KeyringError, KeyringLocked, NoKeyringError
+from keyring.errors import KeyringLocked, NoKeyringError
 import config
-from flask import current_app
+from flask import current_app, session
 from flask_login import current_user
 from pgadmin.model import db, User, Server
 from pgadmin.utils.constants import KEY_RING_SERVICE_NAME, KEY_RING_USER_NAME
@@ -36,6 +36,9 @@ def get_crypt_key():
 elif config.MASTER_PASSWORD_REQUIRED and \
 enc_key is None:
 return False, None
+ elif not config.MASTER_PASSWORD_REQUIRED and config.SERVER_MODE and \
+ 'pass_enc_key' in session:
+ return True, session['pass_enc_key']
 else:
 return True, enc_key
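Review bot: With `keyring.delete_password(KEY_RING_SERVICE_NAME, tunnel_name)` removed in the first utils.py hunk, the cleartext tunnel password stays in the OS secret store after it has been encrypted into the server row, and nothing visible here cleans it up later. If the deletion was dropped so that a failed commit cannot lose the secret, I would say so in a comment and delete the keyring entries once the migration has been committed; otherwise keep the delete after the `setattr`. It is also worth confirming that `encrypt()` returns the same type the `tunnel_password` attribute holds for servers that were never migrated. The function body before and after this hunk is not shown.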
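Review bot: The new inner `else:` in migrate_saved_passwords() only logs, so `old_key` is not assigned on that path; if the code after this hunk goes on to use `old_key`, it would raise UnboundLocalError or work with a stale value. I would end the branch explicitly, for example with `return passwords_migrated, error` as the branch above does, if those names are bound on this path. The message would also read better as `'Saved passwords were already migrated once. '` and `'The old master key may have been deleted.'`. The rest of the function lies outside the hunk.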
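Review bot: The new `elif` in get_crypt_key() reads `session` whenever `MASTER_PASSWORD_REQUIRED` is off in server mode, and Flask's `session` proxy raises RuntimeError outside a request context. If get_crypt_key() is ever called from a background thread or a command-line path (its callers are not shown), this branch would break them. Guarding the test as `has_request_context() and 'pass_enc_key' in session`, with `has_request_context` added to the flask import, avoids that. A short comment saying that the branch serves the external authentication sources that set `pass_enc_key` at login would help, since the key's origin is not visible from this file. The conditions that precede this branch are above the hunk, so its precedence over an already-set `enc_key` cannot be checked from here.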