Fix issue found while testing keyring related changes. pgadmin-org#7076

akshay-joshi · Aug 28, 2024 · c4dc839 · c4dc839
1 parent f5c1cd9
commit c4dc839
Show file tree

Hide file tree

Showing 6 changed files with 20 additions and 13 deletions.
diff --git a/web/pgadmin/authenticate/kerberos.py b/web/pgadmin/authenticate/kerberos.py
@@ -30,7 +30,6 @@
 from pgadmin.authenticate.internal import BaseAuthentication
 from pgadmin.authenticate import get_auth_sources
 from pgadmin.utils.csrf import pgCSRFProtect
-from pgadmin.utils.master_password import set_crypt_key
 
 try:
     import gssapi
@@ -193,8 +192,7 @@ def authenticate(self, frm):
                     if status:
                         # Saving the first 15 characters of the kerberos key
                         # to encrypt/decrypt database password
-                        pass_enc_key = auth_header[1][0:15]
-                        set_crypt_key(pass_enc_key)
+                        session['pass_enc_key'] = auth_header[1][0:15]
                         # Create user
                         retval = self.__auto_create_user(
                             str(negotiate.initiator_name))

diff --git a/web/pgadmin/authenticate/oauth2.py b/web/pgadmin/authenticate/oauth2.py
@@ -26,7 +26,6 @@
     get_safe_post_logout_redirect
 from pgadmin.utils.csrf import pgCSRFProtect
 from pgadmin.model import db
-from pgadmin.utils.master_password import set_crypt_key
 
 OAUTH2_LOGOUT = 'oauth2.logout'
 OAUTH2_AUTHORIZE = 'oauth2.authorize'
@@ -211,8 +210,7 @@ def get_user_profile(self):
         session['oauth2_token'] = self.oauth2_clients[
             self.oauth2_current_client].authorize_access_token()
 
-        pass_enc_key = session['oauth2_token']['access_token']
-        set_crypt_key(pass_enc_key)
+        session['pass_enc_key'] = session['oauth2_token']['access_token']
 
         if 'OAUTH2_LOGOUT_URL' in self.oauth2_config[
                 self.oauth2_current_client]:

diff --git a/web/pgadmin/authenticate/webserver.py b/web/pgadmin/authenticate/webserver.py
@@ -12,7 +12,7 @@
 import secrets
 import string
 import config
-from flask import request, current_app, Response, render_template, \
+from flask import request, current_app, session, Response, render_template, \
     url_for
 from flask_babel import gettext
 from flask_security import login_user
@@ -90,9 +90,9 @@ def authenticate(self, form):
             return False, gettext(
                 "Webserver authenticate failed.")
 
-        pass_enc_key = ''.join(
+        session['pass_enc_key'] = ''.join(
             (secrets.choice(string.ascii_lowercase) for _ in range(10)))
-        set_crypt_key(pass_enc_key)
+
         useremail = request.environ.get('mail')
         if not useremail:
             useremail = ''

diff --git a/web/pgadmin/browser/__init__.py b/web/pgadmin/browser/__init__.py
@@ -735,6 +735,10 @@ def set_master_password():
                             keyring_name=keyring_name)
                     else:
                         if not error:
+                            # Update keyring
+                            keyring.set_password(KEY_RING_SERVICE_NAME,
+                                                 KEY_RING_USER_NAME,
+                                                 master_key)
                             set_crypt_key(master_key)
                             return form_master_password_response(
                                 present=True)

diff --git a/web/pgadmin/browser/server_groups/servers/utils.py b/web/pgadmin/browser/server_groups/servers/utils.py
@@ -267,9 +267,8 @@ def migrate_passwords_from_os_secret_storage(servers, enc_key):
                 tunnel_password = keyring.get_password(
                     KEY_RING_SERVICE_NAME, tunnel_name)
                 if tunnel_password:
+                    tunnel_password = encrypt(tunnel_password, enc_key)
                     setattr(server, 'tunnel_password', tunnel_password)
-                    keyring.delete_password(
-                        KEY_RING_SERVICE_NAME, tunnel_name)
                 else:
                     setattr(server, 'tunnel_password', None)
             passwords_migrated = True
@@ -355,6 +354,11 @@ def migrate_saved_passwords(master_key, master_password):
                 return passwords_migrated, error
             elif master_password:
                 old_key = master_password
+            else:
+                current_app.logger.warning(
+                    'Saved password were already migrated once. '
+                    'Hence not migrating again. '
+                    'May be the old master key was deleted.')
         else:
             old_key = current_user.password
 

diff --git a/web/pgadmin/utils/master_password.py b/web/pgadmin/utils/master_password.py
@@ -1,10 +1,10 @@
 import secrets
 
 import keyring
-from keyring.errors import KeyringError, KeyringLocked, NoKeyringError
+from keyring.errors import KeyringLocked, NoKeyringError
 
 import config
-from flask import current_app
+from flask import current_app, session
 from flask_login import current_user
 from pgadmin.model import db, User, Server
 from pgadmin.utils.constants import KEY_RING_SERVICE_NAME, KEY_RING_USER_NAME
@@ -36,6 +36,9 @@ def get_crypt_key():
     elif config.MASTER_PASSWORD_REQUIRED and \
             enc_key is None:
         return False, None
+    elif not config.MASTER_PASSWORD_REQUIRED and config.SERVER_MODE and \
+            'pass_enc_key' in session:
+        return True, session['pass_enc_key']
     else:
         return True, enc_key