mirrors/github.com_openSUSE_osc
1
0
Fork 0
mirror of https://github.com/openSUSE/osc.git synced 2024-11-14 16:26:13 +01:00
Code
4d1651d038
github.com_openSUSE_osc/osc/credentials.py

338 lines
11 KiB
Python
Raw Normal View History

Introduction of new credential management * new module credentials.py which contains classes and methods to set and get passwords for different backends: - python-keyring - gnomekeyring - ConfigFile based storage The new code should be backward compatible except a minor change in add_section (pass and passx are not removed from the config parser). This affects only callers that do not pass a creds_mgr_descriptor. On initial osc call or initial osc call on new API Url the user now can decide where to store the password (based on the backends available on his system)
2019-08-27 15:08:38 +02:00
import base64
Clean imports up, drop python 2 fallbacks
2022-07-28 12:28:33 +02:00
import bz2
New credentials backend (Transient store) New backend to not store the password and ask for it every time.
2019-08-27 16:26:20 +02:00
import getpass
Clean imports up, drop python 2 fallbacks
2022-07-28 12:28:33 +02:00
import importlib
osc can crash due to various exceptions when loading key management. Not sure if this is the best way, but make osc usable at all again...
2020-02-24 11:26:49 +01:00
import sys
Clean imports up, drop python 2 fallbacks
2022-07-28 12:28:33 +02:00
from urllib.parse import urlsplit
osc can crash due to various exceptions when loading key management. Not sure if this is the best way, but make osc usable at all again...
2020-02-24 11:26:49 +01:00
Introduction of new credential management * new module credentials.py which contains classes and methods to set and get passwords for different backends: - python-keyring - gnomekeyring - ConfigFile based storage The new code should be backward compatible except a minor change in add_section (pass and passx are not removed from the config parser). This affects only callers that do not pass a creds_mgr_descriptor. On initial osc call or initial osc call on new API Url the user now can decide where to store the password (based on the backends available on his system)
2019-08-27 15:08:38 +02:00
try:
import keyring
except ImportError:
keyring = None
osc can crash due to various exceptions when loading key management. Not sure if this is the best way, but make osc usable at all again...
2020-02-24 11:26:49 +01:00
except BaseException as e:
# catch and report any exceptions raised in the 'keyring' module
msg = "Warning: Unable to load the 'keyring' module due to an internal error:"
print(msg, e, file=sys.stderr)
keyring = None
Report a config error when trying to load credentials_mgr_class that does't exist
2022-03-24 14:35:43 +01:00
from . import conf
from . import oscerr
Introduction of new credential management * new module credentials.py which contains classes and methods to set and get passwords for different backends: - python-keyring - gnomekeyring - ConfigFile based storage The new code should be backward compatible except a minor change in add_section (pass and passx are not removed from the config parser). This affects only callers that do not pass a creds_mgr_descriptor. On initial osc call or initial osc call on new API Url the user now can decide where to store the password (based on the backends available on his system)
2019-08-27 15:08:38 +02:00
Modernize code with pyupgrade pyupgrade --keep-percent-format --py36-plus `find -name '*.py'`
2022-07-28 19:11:29 +02:00
class AbstractCredentialsManagerDescriptor:
Introduction of new credential management * new module credentials.py which contains classes and methods to set and get passwords for different backends: - python-keyring - gnomekeyring - ConfigFile based storage The new code should be backward compatible except a minor change in add_section (pass and passx are not removed from the config parser). This affects only callers that do not pass a creds_mgr_descriptor. On initial osc call or initial osc call on new API Url the user now can decide where to store the password (based on the backends available on his system)
2019-08-27 15:08:38 +02:00
def name(self):
raise NotImplementedError()
def description(self):
raise NotImplementedError()
Order credentials managers by priority
2022-03-24 11:31:01 +01:00
def priority(self):
# priority determines order in the credentials managers list
# higher number means higher priority
raise NotImplementedError()
Introduction of new credential management * new module credentials.py which contains classes and methods to set and get passwords for different backends: - python-keyring - gnomekeyring - ConfigFile based storage The new code should be backward compatible except a minor change in add_section (pass and passx are not removed from the config parser). This affects only callers that do not pass a creds_mgr_descriptor. On initial osc call or initial osc call on new API Url the user now can decide where to store the password (based on the backends available on his system)
2019-08-27 15:08:38 +02:00
def create(self, cp):
raise NotImplementedError()
def __lt__(self, other):
Order credentials managers by priority
2022-03-24 11:31:01 +01:00
return (-self.priority(), self.name()) < (-other.priority(), other.name())
Introduction of new credential management * new module credentials.py which contains classes and methods to set and get passwords for different backends: - python-keyring - gnomekeyring - ConfigFile based storage The new code should be backward compatible except a minor change in add_section (pass and passx are not removed from the config parser). This affects only callers that do not pass a creds_mgr_descriptor. On initial osc call or initial osc call on new API Url the user now can decide where to store the password (based on the backends available on his system)
2019-08-27 15:08:38 +02:00
Modernize code with pyupgrade pyupgrade --keep-percent-format --py36-plus `find -name '*.py'`
2022-07-28 19:11:29 +02:00
class AbstractCredentialsManager:
Introduction of new credential management * new module credentials.py which contains classes and methods to set and get passwords for different backends: - python-keyring - gnomekeyring - ConfigFile based storage The new code should be backward compatible except a minor change in add_section (pass and passx are not removed from the config parser). This affects only callers that do not pass a creds_mgr_descriptor. On initial osc call or initial osc call on new API Url the user now can decide where to store the password (based on the backends available on his system)
2019-08-27 15:08:38 +02:00
config_entry = 'credentials_mgr_class'
def __init__(self, cp, options):
Modernize code with pyupgrade pyupgrade --keep-percent-format --py36-plus `find -name '*.py'`
2022-07-28 19:11:29 +02:00
super().__init__()
Introduction of new credential management * new module credentials.py which contains classes and methods to set and get passwords for different backends: - python-keyring - gnomekeyring - ConfigFile based storage The new code should be backward compatible except a minor change in add_section (pass and passx are not removed from the config parser). This affects only callers that do not pass a creds_mgr_descriptor. On initial osc call or initial osc call on new API Url the user now can decide where to store the password (based on the backends available on his system)
2019-08-27 15:08:38 +02:00
self._cp = cp
self._process_options(options)
catch configured keyring without module installed If a python-keyring based backend is configured, but python-keyring is not installed osc fails without giving the user the opportunity to continue. This introduces a new class method `create` for the AbstractCredentialsManager. The CredentialsManagers for the backends that use a 3rd party software can now check if the software is present in its own create method.
2019-10-16 10:41:06 +02:00
@classmethod
def create(cls, cp, options):
return cls(cp, options)
Print user and apiurl when prompting for a password It's not a good idea to send a password to a different server than it belongs. Now the server identity is obvious.
2022-09-07 16:10:55 +02:00
def _get_password(self, url, user, apiurl=None):
Introduction of new credential management * new module credentials.py which contains classes and methods to set and get passwords for different backends: - python-keyring - gnomekeyring - ConfigFile based storage The new code should be backward compatible except a minor change in add_section (pass and passx are not removed from the config parser). This affects only callers that do not pass a creds_mgr_descriptor. On initial osc call or initial osc call on new API Url the user now can decide where to store the password (based on the backends available on his system)
2019-08-27 15:08:38 +02:00
raise NotImplementedError()
Print user and apiurl when prompting for a password It's not a good idea to send a password to a different server than it belongs. Now the server identity is obvious.
2022-09-07 16:10:55 +02:00
def get_password(self, url, user, defer=True, apiurl=None):
Only prompt for a password if the server asks for it In many cases the session cookie is already available, so there is no need to ask for a password. To make this work with the python authentication implementation, we add a small proxy object for the password and only ask the credential manager if the stringify method is called. This approach also makes it possible to offer a non-password based authorization type if the server allows multiple authentication methods.
2022-04-04 10:15:35 +02:00
if defer:
Switch 'osc.conf.config' from dict to Options class with type checking
2023-08-22 15:34:45 +02:00
return conf.Password(lambda: self._get_password(url, user, apiurl=apiurl))
Only prompt for a password if the server asks for it In many cases the session cookie is already available, so there is no need to ask for a password. To make this work with the python authentication implementation, we add a small proxy object for the password and only ask the credential manager if the stringify method is called. This approach also makes it possible to offer a non-password based authorization type if the server allows multiple authentication methods.
2022-04-04 10:15:35 +02:00
else:
Switch 'osc.conf.config' from dict to Options class with type checking
2023-08-22 15:34:45 +02:00
return conf.Password(self._get_password(url, user, apiurl=apiurl))
Only prompt for a password if the server asks for it In many cases the session cookie is already available, so there is no need to ask for a password. To make this work with the python authentication implementation, we add a small proxy object for the password and only ask the credential manager if the stringify method is called. This approach also makes it possible to offer a non-password based authorization type if the server allows multiple authentication methods.
2022-04-04 10:15:35 +02:00
Introduction of new credential management * new module credentials.py which contains classes and methods to set and get passwords for different backends: - python-keyring - gnomekeyring - ConfigFile based storage The new code should be backward compatible except a minor change in add_section (pass and passx are not removed from the config parser). This affects only callers that do not pass a creds_mgr_descriptor. On initial osc call or initial osc call on new API Url the user now can decide where to store the password (based on the backends available on his system)
2019-08-27 15:08:38 +02:00
def set_password(self, url, user, password):
raise NotImplementedError()
def delete_password(self, url, user):
raise NotImplementedError()
def _qualified_name(self):
return qualified_name(self)
def _process_options(self, options):
pass
class PlaintextConfigFileCredentialsManager(AbstractCredentialsManager):
Print user and apiurl when prompting for a password It's not a good idea to send a password to a different server than it belongs. Now the server identity is obvious.
2022-09-07 16:10:55 +02:00
def get_password(self, url, user, defer=True, apiurl=None):
Fix credentials managers to consistently return Password
2024-01-04 16:39:27 +01:00
password = self._cp.get(url, "pass", fallback=None, raw=True)
if password is None:
return None
return conf.Password(password)
Introduction of new credential management * new module credentials.py which contains classes and methods to set and get passwords for different backends: - python-keyring - gnomekeyring - ConfigFile based storage The new code should be backward compatible except a minor change in add_section (pass and passx are not removed from the config parser). This affects only callers that do not pass a creds_mgr_descriptor. On initial osc call or initial osc call on new API Url the user now can decide where to store the password (based on the backends available on his system)
2019-08-27 15:08:38 +02:00
def set_password(self, url, user, password):
self._cp.set(url, 'pass', password)
self._cp.set(url, self.config_entry, self._qualified_name())
def delete_password(self, url, user):
self._cp.remove_option(url, 'pass')
def _process_options(self, options):
if options is not None:
raise RuntimeError('options must be None')
class PlaintextConfigFileDescriptor(AbstractCredentialsManagerDescriptor):
def name(self):
Reword names and decriptions of credentials managers
2022-03-24 11:22:21 +01:00
return 'Config'
Introduction of new credential management * new module credentials.py which contains classes and methods to set and get passwords for different backends: - python-keyring - gnomekeyring - ConfigFile based storage The new code should be backward compatible except a minor change in add_section (pass and passx are not removed from the config parser). This affects only callers that do not pass a creds_mgr_descriptor. On initial osc call or initial osc call on new API Url the user now can decide where to store the password (based on the backends available on his system)
2019-08-27 15:08:38 +02:00
def description(self):
Reword names and decriptions of credentials managers
2022-03-24 11:22:21 +01:00
return 'Store the password in plain text in the osc config file [insecure, persistent]'
Introduction of new credential management * new module credentials.py which contains classes and methods to set and get passwords for different backends: - python-keyring - gnomekeyring - ConfigFile based storage The new code should be backward compatible except a minor change in add_section (pass and passx are not removed from the config parser). This affects only callers that do not pass a creds_mgr_descriptor. On initial osc call or initial osc call on new API Url the user now can decide where to store the password (based on the backends available on his system)
2019-08-27 15:08:38 +02:00
Order credentials managers by priority
2022-03-24 11:31:01 +01:00
def priority(self):
return 1
Introduction of new credential management * new module credentials.py which contains classes and methods to set and get passwords for different backends: - python-keyring - gnomekeyring - ConfigFile based storage The new code should be backward compatible except a minor change in add_section (pass and passx are not removed from the config parser). This affects only callers that do not pass a creds_mgr_descriptor. On initial osc call or initial osc call on new API Url the user now can decide where to store the password (based on the backends available on his system)
2019-08-27 15:08:38 +02:00
def create(self, cp):
return PlaintextConfigFileCredentialsManager(cp, None)
Print user and apiurl when prompting for a password It's not a good idea to send a password to a different server than it belongs. Now the server identity is obvious.
2022-09-07 16:10:55 +02:00
class ObfuscatedConfigFileCredentialsManager(PlaintextConfigFileCredentialsManager):
def get_password(self, url, user, defer=True, apiurl=None):
Move passx handling into ObfuscatedConfigFileCredentialsManager Minor cleanup for commit c5231d61dd52df24f1c810964021bc100a4a6ce9 ("fix credentials with passx entries").
2019-11-04 14:25:48 +01:00
if self._cp.has_option(url, 'passx', proper=True):
passwd = self._cp.get(url, 'passx', raw=True)
else:
Fix usage of super()
2022-08-29 09:19:07 +02:00
passwd = super().get_password(url, user, apiurl=apiurl)
Fix credentials managers to consistently return Password
2024-01-04 16:39:27 +01:00
password = self.decode_password(passwd)
return conf.Password(password)
Introduction of new credential management * new module credentials.py which contains classes and methods to set and get passwords for different backends: - python-keyring - gnomekeyring - ConfigFile based storage The new code should be backward compatible except a minor change in add_section (pass and passx are not removed from the config parser). This affects only callers that do not pass a creds_mgr_descriptor. On initial osc call or initial osc call on new API Url the user now can decide where to store the password (based on the backends available on his system)
2019-08-27 15:08:38 +02:00
def set_password(self, url, user, password):
compressed_pw = bz2.compress(password.encode('ascii'))
password = base64.b64encode(compressed_pw).decode("ascii")
Fix usage of super()
2022-08-29 09:19:07 +02:00
super().set_password(url, user, password)
Introduction of new credential management * new module credentials.py which contains classes and methods to set and get passwords for different backends: - python-keyring - gnomekeyring - ConfigFile based storage The new code should be backward compatible except a minor change in add_section (pass and passx are not removed from the config parser). This affects only callers that do not pass a creds_mgr_descriptor. On initial osc call or initial osc call on new API Url the user now can decide where to store the password (based on the backends available on his system)
2019-08-27 15:08:38 +02:00
fix credentials with passx entries Existing passx enries resulted in a stacktrace because the cp.get() call for the passx entries was missing. Also added a delete_password function for ObfuscatedPasswordManager to delete passx entries
2019-10-29 11:04:22 +01:00
def delete_password(self, url, user):
self._cp.remove_option(url, 'passx')
Fix usage of super()
2022-08-29 09:19:07 +02:00
super().delete_password(url, user)
fix credentials with passx entries Existing passx enries resulted in a stacktrace because the cp.get() call for the passx entries was missing. Also added a delete_password function for ObfuscatedPasswordManager to delete passx entries
2019-10-29 11:04:22 +01:00
Introduction of new credential management * new module credentials.py which contains classes and methods to set and get passwords for different backends: - python-keyring - gnomekeyring - ConfigFile based storage The new code should be backward compatible except a minor change in add_section (pass and passx are not removed from the config parser). This affects only callers that do not pass a creds_mgr_descriptor. On initial osc call or initial osc call on new API Url the user now can decide where to store the password (based on the backends available on his system)
2019-08-27 15:08:38 +02:00
@classmethod
def decode_password(cls, password):
Fix crash when 'pass' is not set in the config file
2022-07-26 15:07:40 +02:00
if password is None:
# avoid crash on encoding None when 'pass' is not specified in the config
return None
Introduction of new credential management * new module credentials.py which contains classes and methods to set and get passwords for different backends: - python-keyring - gnomekeyring - ConfigFile based storage The new code should be backward compatible except a minor change in add_section (pass and passx are not removed from the config parser). This affects only callers that do not pass a creds_mgr_descriptor. On initial osc call or initial osc call on new API Url the user now can decide where to store the password (based on the backends available on his system)
2019-08-27 15:08:38 +02:00
compressed_pw = base64.b64decode(password.encode("ascii"))
return bz2.decompress(compressed_pw).decode("ascii")
class ObfuscatedConfigFileDescriptor(AbstractCredentialsManagerDescriptor):
def name(self):
Reword names and decriptions of credentials managers
2022-03-24 11:22:21 +01:00
return 'Obfuscated config'
Introduction of new credential management * new module credentials.py which contains classes and methods to set and get passwords for different backends: - python-keyring - gnomekeyring - ConfigFile based storage The new code should be backward compatible except a minor change in add_section (pass and passx are not removed from the config parser). This affects only callers that do not pass a creds_mgr_descriptor. On initial osc call or initial osc call on new API Url the user now can decide where to store the password (based on the backends available on his system)
2019-08-27 15:08:38 +02:00
def description(self):
Reword names and decriptions of credentials managers
2022-03-24 11:22:21 +01:00
return 'Store the password in obfuscated form in the osc config file [insecure, persistent]'
Introduction of new credential management * new module credentials.py which contains classes and methods to set and get passwords for different backends: - python-keyring - gnomekeyring - ConfigFile based storage The new code should be backward compatible except a minor change in add_section (pass and passx are not removed from the config parser). This affects only callers that do not pass a creds_mgr_descriptor. On initial osc call or initial osc call on new API Url the user now can decide where to store the password (based on the backends available on his system)
2019-08-27 15:08:38 +02:00
Order credentials managers by priority
2022-03-24 11:31:01 +01:00
def priority(self):
return 2
Introduction of new credential management * new module credentials.py which contains classes and methods to set and get passwords for different backends: - python-keyring - gnomekeyring - ConfigFile based storage The new code should be backward compatible except a minor change in add_section (pass and passx are not removed from the config parser). This affects only callers that do not pass a creds_mgr_descriptor. On initial osc call or initial osc call on new API Url the user now can decide where to store the password (based on the backends available on his system)
2019-08-27 15:08:38 +02:00
def create(self, cp):
return ObfuscatedConfigFileCredentialsManager(cp, None)
New credentials backend (Transient store) New backend to not store the password and ask for it every time.
2019-08-27 16:26:20 +02:00
class TransientCredentialsManager(AbstractCredentialsManager):
def __init__(self, *args, **kwargs):
Fix usage of super()
2022-08-29 09:19:07 +02:00
super().__init__(*args, **kwargs)
New credentials backend (Transient store) New backend to not store the password and ask for it every time.
2019-08-27 16:26:20 +02:00
self._password = None
def _process_options(self, options):
if options is not None:
raise RuntimeError('options must be None')
Print user and apiurl when prompting for a password It's not a good idea to send a password to a different server than it belongs. Now the server identity is obvious.
2022-09-07 16:10:55 +02:00
def _get_password(self, url, user, apiurl=None):
Only prompt for a password if the server asks for it In many cases the session cookie is already available, so there is no need to ask for a password. To make this work with the python authentication implementation, we add a small proxy object for the password and only ask the credential manager if the stringify method is called. This approach also makes it possible to offer a non-password based authorization type if the server allows multiple authentication methods.
2022-04-04 10:15:35 +02:00
if self._password is None:
Print user and apiurl when prompting for a password It's not a good idea to send a password to a different server than it belongs. Now the server identity is obvious.
2022-09-07 16:10:55 +02:00
if apiurl:
# strip scheme from apiurl because we don't want to display it to the user
apiurl_no_scheme = urlsplit(apiurl)[1]
msg = f'Password [{user}@{apiurl_no_scheme}]: '
else:
msg = 'Password: '
self._password = getpass.getpass(msg)
Only prompt for a password if the server asks for it In many cases the session cookie is already available, so there is no need to ask for a password. To make this work with the python authentication implementation, we add a small proxy object for the password and only ask the credential manager if the stringify method is called. This approach also makes it possible to offer a non-password based authorization type if the server allows multiple authentication methods.
2022-04-04 10:15:35 +02:00
return self._password
New credentials backend (Transient store) New backend to not store the password and ask for it every time.
2019-08-27 16:26:20 +02:00
def set_password(self, url, user, password):
self._password = password
self._cp.set(url, self.config_entry, self._qualified_name())
def delete_password(self, url, user):
self._password = None
class TransientDescriptor(AbstractCredentialsManagerDescriptor):
def name(self):
Reword names and decriptions of credentials managers
2022-03-24 11:22:21 +01:00
return 'Transient'
New credentials backend (Transient store) New backend to not store the password and ask for it every time.
2019-08-27 16:26:20 +02:00
def description(self):
Reword names and decriptions of credentials managers
2022-03-24 11:22:21 +01:00
return 'Do not store the password and always ask for it [secure, in-memory]'
New credentials backend (Transient store) New backend to not store the password and ask for it every time.
2019-08-27 16:26:20 +02:00
Order credentials managers by priority
2022-03-24 11:31:01 +01:00
def priority(self):
return 3
New credentials backend (Transient store) New backend to not store the password and ask for it every time.
2019-08-27 16:26:20 +02:00
def create(self, cp):
return TransientCredentialsManager(cp, None)
Introduction of new credential management * new module credentials.py which contains classes and methods to set and get passwords for different backends: - python-keyring - gnomekeyring - ConfigFile based storage The new code should be backward compatible except a minor change in add_section (pass and passx are not removed from the config parser). This affects only callers that do not pass a creds_mgr_descriptor. On initial osc call or initial osc call on new API Url the user now can decide where to store the password (based on the backends available on his system)
2019-08-27 15:08:38 +02:00
class KeyringCredentialsManager(AbstractCredentialsManager):
Cache password from SecretService to avoid spamming user with an accept dialog
2024-04-08 09:21:15 +02:00
def __init__(self, *args, **kwargs):
super().__init__(*args, **kwargs)
self._password = None
Introduction of new credential management * new module credentials.py which contains classes and methods to set and get passwords for different backends: - python-keyring - gnomekeyring - ConfigFile based storage The new code should be backward compatible except a minor change in add_section (pass and passx are not removed from the config parser). This affects only callers that do not pass a creds_mgr_descriptor. On initial osc call or initial osc call on new API Url the user now can decide where to store the password (based on the backends available on his system)
2019-08-27 15:08:38 +02:00
def _process_options(self, options):
if options is None:
raise RuntimeError('options may not be None')
self._backend_cls_name = options
def _load_backend(self):
Report a config error when trying to load credentials_mgr_class that does't exist
2022-03-24 14:35:43 +01:00
try:
keyring_backend = keyring.core.load_keyring(self._backend_cls_name)
except ModuleNotFoundError:
Modernize code with pyupgrade pyupgrade --keep-percent-format --py36-plus `find -name '*.py'`
2022-07-28 19:11:29 +02:00
msg = f"Invalid credentials_mgr_class: {self._backend_cls_name}"
Report a config error when trying to load credentials_mgr_class that does't exist
2022-03-24 14:35:43 +01:00
raise oscerr.ConfigError(msg, conf.config['conffile'])
Introduction of new credential management * new module credentials.py which contains classes and methods to set and get passwords for different backends: - python-keyring - gnomekeyring - ConfigFile based storage The new code should be backward compatible except a minor change in add_section (pass and passx are not removed from the config parser). This affects only callers that do not pass a creds_mgr_descriptor. On initial osc call or initial osc call on new API Url the user now can decide where to store the password (based on the backends available on his system)
2019-08-27 15:08:38 +02:00
keyring.set_keyring(keyring_backend)
catch configured keyring without module installed If a python-keyring based backend is configured, but python-keyring is not installed osc fails without giving the user the opportunity to continue. This introduces a new class method `create` for the AbstractCredentialsManager. The CredentialsManagers for the backends that use a 3rd party software can now check if the software is present in its own create method.
2019-10-16 10:41:06 +02:00
@classmethod
def create(cls, cp, options):
if not has_keyring_support():
return None
Fix usage of super()
2022-08-29 09:19:07 +02:00
return super().create(cp, options)
catch configured keyring without module installed If a python-keyring based backend is configured, but python-keyring is not installed osc fails without giving the user the opportunity to continue. This introduces a new class method `create` for the AbstractCredentialsManager. The CredentialsManagers for the backends that use a 3rd party software can now check if the software is present in its own create method.
2019-10-16 10:41:06 +02:00
Print user and apiurl when prompting for a password It's not a good idea to send a password to a different server than it belongs. Now the server identity is obvious.
2022-09-07 16:10:55 +02:00
def _get_password(self, url, user, apiurl=None):
Cache password from SecretService to avoid spamming user with an accept dialog
2024-04-08 09:21:15 +02:00
if self._password is None:
self._load_backend()
self._password = keyring.get_password(urlsplit(url)[1], user)
# TODO: this works fine on the command-line but a long-running process using osc library would start failing after changing the password in the keyring
# TODO: implement retrieving the password again after basic auth fails; sufficiently inform user about what's being done
return self._password
Introduction of new credential management * new module credentials.py which contains classes and methods to set and get passwords for different backends: - python-keyring - gnomekeyring - ConfigFile based storage The new code should be backward compatible except a minor change in add_section (pass and passx are not removed from the config parser). This affects only callers that do not pass a creds_mgr_descriptor. On initial osc call or initial osc call on new API Url the user now can decide where to store the password (based on the backends available on his system)
2019-08-27 15:08:38 +02:00
def set_password(self, url, user, password):
self._load_backend()
Don't enforce password reuse
2019-11-03 12:33:17 +01:00
keyring.set_password(urlsplit(url)[1], user, password)
Convert to using f-strings
2024-01-06 09:54:57 +01:00
config_value = f"{self._qualified_name()}:{self._backend_cls_name}"
Introduction of new credential management * new module credentials.py which contains classes and methods to set and get passwords for different backends: - python-keyring - gnomekeyring - ConfigFile based storage The new code should be backward compatible except a minor change in add_section (pass and passx are not removed from the config parser). This affects only callers that do not pass a creds_mgr_descriptor. On initial osc call or initial osc call on new API Url the user now can decide where to store the password (based on the backends available on his system)
2019-08-27 15:08:38 +02:00
self._cp.set(url, self.config_entry, config_value)
Cache password from SecretService to avoid spamming user with an accept dialog
2024-04-08 09:21:15 +02:00
self._password = password
Introduction of new credential management * new module credentials.py which contains classes and methods to set and get passwords for different backends: - python-keyring - gnomekeyring - ConfigFile based storage The new code should be backward compatible except a minor change in add_section (pass and passx are not removed from the config parser). This affects only callers that do not pass a creds_mgr_descriptor. On initial osc call or initial osc call on new API Url the user now can decide where to store the password (based on the backends available on his system)
2019-08-27 15:08:38 +02:00
def delete_password(self, url, user):
self._load_backend()
Avoid crash when deleting a password When using keyring, osc would crash when called as `osc config ENDPOINT --change-password` and when the password didn't exist in the backend. This prevents it by first checking if a password exists.
2022-11-01 19:40:39 +01:00
service = urlsplit(url)[1]
data = keyring.get_password(service, user)
if data is None:
return
keyring.delete_password(service, user)
Introduction of new credential management * new module credentials.py which contains classes and methods to set and get passwords for different backends: - python-keyring - gnomekeyring - ConfigFile based storage The new code should be backward compatible except a minor change in add_section (pass and passx are not removed from the config parser). This affects only callers that do not pass a creds_mgr_descriptor. On initial osc call or initial osc call on new API Url the user now can decide where to store the password (based on the backends available on his system)
2019-08-27 15:08:38 +02:00
class KeyringCredentialsDescriptor(AbstractCredentialsManagerDescriptor):
Order credentials managers by priority
2022-03-24 11:31:01 +01:00
def __init__(self, keyring_backend, name=None, description=None, priority=None):
Introduction of new credential management * new module credentials.py which contains classes and methods to set and get passwords for different backends: - python-keyring - gnomekeyring - ConfigFile based storage The new code should be backward compatible except a minor change in add_section (pass and passx are not removed from the config parser). This affects only callers that do not pass a creds_mgr_descriptor. On initial osc call or initial osc call on new API Url the user now can decide where to store the password (based on the backends available on his system)
2019-08-27 15:08:38 +02:00
self._keyring_backend = keyring_backend
Cherry-pick supported python-keyring backends Also provide pretty names and descriptions.
2022-03-24 11:11:36 +01:00
self._name = name
self._description = description
Order credentials managers by priority
2022-03-24 11:31:01 +01:00
self._priority = priority
Introduction of new credential management * new module credentials.py which contains classes and methods to set and get passwords for different backends: - python-keyring - gnomekeyring - ConfigFile based storage The new code should be backward compatible except a minor change in add_section (pass and passx are not removed from the config parser). This affects only callers that do not pass a creds_mgr_descriptor. On initial osc call or initial osc call on new API Url the user now can decide where to store the password (based on the backends available on his system)
2019-08-27 15:08:38 +02:00
def name(self):
Cherry-pick supported python-keyring backends Also provide pretty names and descriptions.
2022-03-24 11:11:36 +01:00
if self._name:
return self._name
fix list of backends for old python-keyring old python-keyring classes have no name method. This is used instead: return self._keyring_backend.__class__.__name__
2020-02-14 09:35:07 +01:00
if hasattr(self._keyring_backend, 'name'):
return self._keyring_backend.name
Cherry-pick supported python-keyring backends Also provide pretty names and descriptions.
2022-03-24 11:11:36 +01:00
return self._keyring_backend.__class__.__name__
Introduction of new credential management * new module credentials.py which contains classes and methods to set and get passwords for different backends: - python-keyring - gnomekeyring - ConfigFile based storage The new code should be backward compatible except a minor change in add_section (pass and passx are not removed from the config parser). This affects only callers that do not pass a creds_mgr_descriptor. On initial osc call or initial osc call on new API Url the user now can decide where to store the password (based on the backends available on his system)
2019-08-27 15:08:38 +02:00
def description(self):
Cherry-pick supported python-keyring backends Also provide pretty names and descriptions.
2022-03-24 11:11:36 +01:00
if self._description:
return self._description
Introduction of new credential management * new module credentials.py which contains classes and methods to set and get passwords for different backends: - python-keyring - gnomekeyring - ConfigFile based storage The new code should be backward compatible except a minor change in add_section (pass and passx are not removed from the config parser). This affects only callers that do not pass a creds_mgr_descriptor. On initial osc call or initial osc call on new API Url the user now can decide where to store the password (based on the backends available on his system)
2019-08-27 15:08:38 +02:00
return 'Backend provided by python-keyring'
Order credentials managers by priority
2022-03-24 11:31:01 +01:00
def priority(self):
if self._priority is not None:
return self._priority
return 0
Introduction of new credential management * new module credentials.py which contains classes and methods to set and get passwords for different backends: - python-keyring - gnomekeyring - ConfigFile based storage The new code should be backward compatible except a minor change in add_section (pass and passx are not removed from the config parser). This affects only callers that do not pass a creds_mgr_descriptor. On initial osc call or initial osc call on new API Url the user now can decide where to store the password (based on the backends available on his system)
2019-08-27 15:08:38 +02:00
def create(self, cp):
qualified_backend_name = qualified_name(self._keyring_backend)
return KeyringCredentialsManager(cp, qualified_backend_name)
Cherry-pick supported python-keyring backends Also provide pretty names and descriptions.
2022-03-24 11:11:36 +01:00
# we're supporting only selected python-keyring backends in osc
SUPPORTED_KEYRING_BACKENDS = {
"keyutils.osc.OscKernelKeyringBackend": {
"name": "Kernel keyring",
"description": "Store password in user session keyring in kernel keyring [secure, in-memory, per-session]",
Order credentials managers by priority
2022-03-24 11:31:01 +01:00
"priority": 10,
Cherry-pick supported python-keyring backends Also provide pretty names and descriptions.
2022-03-24 11:11:36 +01:00
},
"keyring.backends.SecretService.Keyring": {
"name": "Secret Service",
"description": "Store password in Secret Service (GNOME Keyring backend) [secure, persistent]",
Order credentials managers by priority
2022-03-24 11:31:01 +01:00
"priority": 9,
Cherry-pick supported python-keyring backends Also provide pretty names and descriptions.
2022-03-24 11:11:36 +01:00
},
"keyring.backends.kwallet.DBusKeyring": {
"name": "KWallet",
"description": "Store password in KWallet [secure, persistent]",
Order credentials managers by priority
2022-03-24 11:31:01 +01:00
"priority": 8,
Cherry-pick supported python-keyring backends Also provide pretty names and descriptions.
2022-03-24 11:11:36 +01:00
},
}
Introduction of new credential management * new module credentials.py which contains classes and methods to set and get passwords for different backends: - python-keyring - gnomekeyring - ConfigFile based storage The new code should be backward compatible except a minor change in add_section (pass and passx are not removed from the config parser). This affects only callers that do not pass a creds_mgr_descriptor. On initial osc call or initial osc call on new API Url the user now can decide where to store the password (based on the backends available on his system)
2019-08-27 15:08:38 +02:00
def get_credentials_manager_descriptors():
descriptors = []
Cherry-pick supported python-keyring backends Also provide pretty names and descriptions.
2022-03-24 11:11:36 +01:00
if has_keyring_support():
for backend in keyring.backend.get_all_keyring():
qualified_backend_name = qualified_name(backend)
data = SUPPORTED_KEYRING_BACKENDS.get(qualified_backend_name, None)
if not data:
continue
Order credentials managers by priority
2022-03-24 11:31:01 +01:00
descriptor = KeyringCredentialsDescriptor(
backend,
data["name"],
data["description"],
data["priority"]
)
Cherry-pick supported python-keyring backends Also provide pretty names and descriptions.
2022-03-24 11:11:36 +01:00
descriptors.append(descriptor)
Introduction of new credential management * new module credentials.py which contains classes and methods to set and get passwords for different backends: - python-keyring - gnomekeyring - ConfigFile based storage The new code should be backward compatible except a minor change in add_section (pass and passx are not removed from the config parser). This affects only callers that do not pass a creds_mgr_descriptor. On initial osc call or initial osc call on new API Url the user now can decide where to store the password (based on the backends available on his system)
2019-08-27 15:08:38 +02:00
descriptors.append(PlaintextConfigFileDescriptor())
descriptors.append(ObfuscatedConfigFileDescriptor())
New credentials backend (Transient store) New backend to not store the password and ask for it every time.
2019-08-27 16:26:20 +02:00
descriptors.append(TransientDescriptor())
Order credentials managers by priority
2022-03-24 11:31:01 +01:00
descriptors.sort()
Introduction of new credential management * new module credentials.py which contains classes and methods to set and get passwords for different backends: - python-keyring - gnomekeyring - ConfigFile based storage The new code should be backward compatible except a minor change in add_section (pass and passx are not removed from the config parser). This affects only callers that do not pass a creds_mgr_descriptor. On initial osc call or initial osc call on new API Url the user now can decide where to store the password (based on the backends available on his system)
2019-08-27 15:08:38 +02:00
return descriptors
def get_keyring_credentials_manager(cp):
keyring_backend = keyring.get_keyring()
return KeyringCredentialsManager(cp, qualified_name(keyring_backend))
def create_credentials_manager(url, cp):
config_entry = cp.get(url, AbstractCredentialsManager.config_entry)
if ':' in config_entry:
creds_mgr_cls, options = config_entry.split(':', 1)
else:
creds_mgr_cls = config_entry
options = None
mod, cls = creds_mgr_cls.rsplit('.', 1)
Don't traceback on invalid credentials manager
2022-06-21 08:33:38 +02:00
try:
creds_mgr = getattr(importlib.import_module(mod), cls).create(cp, options)
except ModuleNotFoundError:
Modernize code with pyupgrade pyupgrade --keep-percent-format --py36-plus `find -name '*.py'`
2022-07-28 19:11:29 +02:00
msg = f"Invalid credentials_mgr_class: {creds_mgr_cls}"
Don't traceback on invalid credentials manager
2022-06-21 08:33:38 +02:00
raise oscerr.ConfigError(msg, conf.config['conffile'])
return creds_mgr
Introduction of new credential management * new module credentials.py which contains classes and methods to set and get passwords for different backends: - python-keyring - gnomekeyring - ConfigFile based storage The new code should be backward compatible except a minor change in add_section (pass and passx are not removed from the config parser). This affects only callers that do not pass a creds_mgr_descriptor. On initial osc call or initial osc call on new API Url the user now can decide where to store the password (based on the backends available on his system)
2019-08-27 15:08:38 +02:00
def qualified_name(obj):
Convert to using f-strings
2024-01-06 09:54:57 +01:00
return f"{obj.__module__}.{obj.__class__.__name__}"
Introduction of new credential management * new module credentials.py which contains classes and methods to set and get passwords for different backends: - python-keyring - gnomekeyring - ConfigFile based storage The new code should be backward compatible except a minor change in add_section (pass and passx are not removed from the config parser). This affects only callers that do not pass a creds_mgr_descriptor. On initial osc call or initial osc call on new API Url the user now can decide where to store the password (based on the backends available on his system)
2019-08-27 15:08:38 +02:00
def has_keyring_support():
return keyring is not None
Copy Permalink