2019-08-27 15:08:38 +02:00
|
|
|
import importlib
|
|
|
|
import bz2
|
|
|
|
import base64
|
2019-08-27 16:26:20 +02:00
|
|
|
import getpass
|
2020-02-24 11:26:49 +01:00
|
|
|
import sys
|
|
|
|
|
2019-08-27 15:08:38 +02:00
|
|
|
try:
|
|
|
|
from urllib.parse import urlsplit
|
|
|
|
except ImportError:
|
|
|
|
from urlparse import urlsplit
|
2020-02-24 11:26:49 +01:00
|
|
|
|
2019-08-27 15:08:38 +02:00
|
|
|
try:
|
|
|
|
import keyring
|
|
|
|
except ImportError:
|
|
|
|
keyring = None
|
2020-02-24 11:26:49 +01:00
|
|
|
except BaseException as e:
|
|
|
|
# catch and report any exceptions raised in the 'keyring' module
|
|
|
|
msg = "Warning: Unable to load the 'keyring' module due to an internal error:"
|
|
|
|
print(msg, e, file=sys.stderr)
|
|
|
|
keyring = None
|
|
|
|
|
2019-08-27 15:08:38 +02:00
|
|
|
try:
|
|
|
|
import gnomekeyring
|
|
|
|
except ImportError:
|
|
|
|
gnomekeyring = None
|
2020-02-24 11:26:49 +01:00
|
|
|
except BaseException as e:
|
|
|
|
# catch and report any exceptions raised in the 'gnomekeyring' module
|
|
|
|
msg = "Warning: Unable to load the 'gnomekeyring' module due to an internal error:"
|
|
|
|
print(msg, e, file=sys.stderr)
|
|
|
|
gnomekeyring = None
|
2019-08-27 15:08:38 +02:00
|
|
|
|
2022-03-24 14:35:43 +01:00
|
|
|
from . import conf
|
|
|
|
from . import oscerr
|
|
|
|
|
2019-08-27 15:08:38 +02:00
|
|
|
|
|
|
|
class AbstractCredentialsManagerDescriptor(object):
|
|
|
|
def name(self):
|
|
|
|
raise NotImplementedError()
|
|
|
|
|
|
|
|
def description(self):
|
|
|
|
raise NotImplementedError()
|
|
|
|
|
2022-03-24 11:31:01 +01:00
|
|
|
def priority(self):
|
|
|
|
# priority determines order in the credentials managers list
|
|
|
|
# higher number means higher priority
|
|
|
|
raise NotImplementedError()
|
|
|
|
|
2019-08-27 15:08:38 +02:00
|
|
|
def create(self, cp):
|
|
|
|
raise NotImplementedError()
|
|
|
|
|
|
|
|
def __lt__(self, other):
|
2022-03-24 11:31:01 +01:00
|
|
|
return (-self.priority(), self.name()) < (-other.priority(), other.name())
|
2019-08-27 15:08:38 +02:00
|
|
|
|
|
|
|
|
|
|
|
class AbstractCredentialsManager(object):
|
|
|
|
config_entry = 'credentials_mgr_class'
|
|
|
|
|
|
|
|
def __init__(self, cp, options):
|
|
|
|
super(AbstractCredentialsManager, self).__init__()
|
|
|
|
self._cp = cp
|
|
|
|
self._process_options(options)
|
|
|
|
|
2019-10-16 10:41:06 +02:00
|
|
|
@classmethod
|
|
|
|
def create(cls, cp, options):
|
|
|
|
return cls(cp, options)
|
|
|
|
|
2019-08-27 15:08:38 +02:00
|
|
|
def get_password(self, url, user, defer=True):
|
|
|
|
# If defer is True a callable can be returned
|
|
|
|
# and the password is retrieved if the callable
|
|
|
|
# is called. Implementations are free to ignore
|
|
|
|
# defer parameter and can directly return the password.
|
|
|
|
# If defer is False the password is directly returned.
|
|
|
|
raise NotImplementedError()
|
|
|
|
|
|
|
|
def set_password(self, url, user, password):
|
|
|
|
raise NotImplementedError()
|
|
|
|
|
|
|
|
def delete_password(self, url, user):
|
|
|
|
raise NotImplementedError()
|
|
|
|
|
|
|
|
def _qualified_name(self):
|
|
|
|
return qualified_name(self)
|
|
|
|
|
|
|
|
def _process_options(self, options):
|
|
|
|
pass
|
|
|
|
|
|
|
|
|
|
|
|
class PlaintextConfigFileCredentialsManager(AbstractCredentialsManager):
|
|
|
|
def get_password(self, url, user, defer=True):
|
|
|
|
return self._cp.get(url, 'pass', raw=True)
|
|
|
|
|
|
|
|
def set_password(self, url, user, password):
|
|
|
|
self._cp.set(url, 'pass', password)
|
|
|
|
self._cp.set(url, self.config_entry, self._qualified_name())
|
|
|
|
|
|
|
|
def delete_password(self, url, user):
|
|
|
|
self._cp.remove_option(url, 'pass')
|
|
|
|
|
|
|
|
def _process_options(self, options):
|
|
|
|
if options is not None:
|
|
|
|
raise RuntimeError('options must be None')
|
|
|
|
|
|
|
|
|
|
|
|
class PlaintextConfigFileDescriptor(AbstractCredentialsManagerDescriptor):
|
|
|
|
def name(self):
|
2022-03-24 11:22:21 +01:00
|
|
|
return 'Config'
|
2019-08-27 15:08:38 +02:00
|
|
|
|
|
|
|
def description(self):
|
2022-03-24 11:22:21 +01:00
|
|
|
return 'Store the password in plain text in the osc config file [insecure, persistent]'
|
2019-08-27 15:08:38 +02:00
|
|
|
|
2022-03-24 11:31:01 +01:00
|
|
|
def priority(self):
|
|
|
|
return 1
|
|
|
|
|
2019-08-27 15:08:38 +02:00
|
|
|
def create(self, cp):
|
|
|
|
return PlaintextConfigFileCredentialsManager(cp, None)
|
|
|
|
|
|
|
|
|
|
|
|
class ObfuscatedConfigFileCredentialsManager(
|
|
|
|
PlaintextConfigFileCredentialsManager):
|
|
|
|
def get_password(self, url, user, defer=True):
|
2019-11-04 14:25:48 +01:00
|
|
|
if self._cp.has_option(url, 'passx', proper=True):
|
|
|
|
passwd = self._cp.get(url, 'passx', raw=True)
|
|
|
|
else:
|
|
|
|
passwd = super(self.__class__, self).get_password(url, user)
|
2019-08-27 15:08:38 +02:00
|
|
|
return self.decode_password(passwd)
|
|
|
|
|
|
|
|
def set_password(self, url, user, password):
|
|
|
|
compressed_pw = bz2.compress(password.encode('ascii'))
|
|
|
|
password = base64.b64encode(compressed_pw).decode("ascii")
|
|
|
|
super(self.__class__, self).set_password(url, user, password)
|
|
|
|
|
2019-10-29 11:04:22 +01:00
|
|
|
def delete_password(self, url, user):
|
|
|
|
self._cp.remove_option(url, 'passx')
|
|
|
|
super(self.__class__, self).delete_password(url, user)
|
|
|
|
|
2019-08-27 15:08:38 +02:00
|
|
|
@classmethod
|
|
|
|
def decode_password(cls, password):
|
|
|
|
compressed_pw = base64.b64decode(password.encode("ascii"))
|
|
|
|
return bz2.decompress(compressed_pw).decode("ascii")
|
|
|
|
|
|
|
|
|
|
|
|
class ObfuscatedConfigFileDescriptor(AbstractCredentialsManagerDescriptor):
|
|
|
|
def name(self):
|
2022-03-24 11:22:21 +01:00
|
|
|
return 'Obfuscated config'
|
2019-08-27 15:08:38 +02:00
|
|
|
|
|
|
|
def description(self):
|
2022-03-24 11:22:21 +01:00
|
|
|
return 'Store the password in obfuscated form in the osc config file [insecure, persistent]'
|
2019-08-27 15:08:38 +02:00
|
|
|
|
2022-03-24 11:31:01 +01:00
|
|
|
def priority(self):
|
|
|
|
return 2
|
|
|
|
|
2019-08-27 15:08:38 +02:00
|
|
|
def create(self, cp):
|
|
|
|
return ObfuscatedConfigFileCredentialsManager(cp, None)
|
|
|
|
|
|
|
|
|
2019-08-27 16:26:20 +02:00
|
|
|
class TransientCredentialsManager(AbstractCredentialsManager):
|
|
|
|
def __init__(self, *args, **kwargs):
|
|
|
|
super(self.__class__, self).__init__(*args, **kwargs)
|
|
|
|
self._password = None
|
|
|
|
|
|
|
|
def _process_options(self, options):
|
|
|
|
if options is not None:
|
|
|
|
raise RuntimeError('options must be None')
|
|
|
|
|
|
|
|
def get_password(self, url, user, defer=True):
|
|
|
|
if defer:
|
|
|
|
return self
|
|
|
|
return self()
|
|
|
|
|
|
|
|
def set_password(self, url, user, password):
|
|
|
|
self._password = password
|
|
|
|
self._cp.set(url, self.config_entry, self._qualified_name())
|
|
|
|
|
|
|
|
def delete_password(self, url, user):
|
|
|
|
self._password = None
|
|
|
|
|
|
|
|
def __call__(self):
|
|
|
|
if self._password is None:
|
|
|
|
self._password = getpass.getpass('Password: ')
|
|
|
|
return self._password
|
|
|
|
|
|
|
|
|
|
|
|
class TransientDescriptor(AbstractCredentialsManagerDescriptor):
|
|
|
|
def name(self):
|
2022-03-24 11:22:21 +01:00
|
|
|
return 'Transient'
|
2019-08-27 16:26:20 +02:00
|
|
|
|
|
|
|
def description(self):
|
2022-03-24 11:22:21 +01:00
|
|
|
return 'Do not store the password and always ask for it [secure, in-memory]'
|
2019-08-27 16:26:20 +02:00
|
|
|
|
2022-03-24 11:31:01 +01:00
|
|
|
def priority(self):
|
|
|
|
return 3
|
|
|
|
|
2019-08-27 16:26:20 +02:00
|
|
|
def create(self, cp):
|
|
|
|
return TransientCredentialsManager(cp, None)
|
|
|
|
|
|
|
|
|
2019-08-27 15:08:38 +02:00
|
|
|
class KeyringCredentialsManager(AbstractCredentialsManager):
|
|
|
|
def _process_options(self, options):
|
|
|
|
if options is None:
|
|
|
|
raise RuntimeError('options may not be None')
|
|
|
|
self._backend_cls_name = options
|
|
|
|
|
|
|
|
def _load_backend(self):
|
2022-03-24 14:35:43 +01:00
|
|
|
try:
|
|
|
|
keyring_backend = keyring.core.load_keyring(self._backend_cls_name)
|
|
|
|
except ModuleNotFoundError:
|
|
|
|
msg = "Invalid credentials_mgr_class: {}".format(self._backend_cls_name)
|
|
|
|
raise oscerr.ConfigError(msg, conf.config['conffile'])
|
2019-08-27 15:08:38 +02:00
|
|
|
keyring.set_keyring(keyring_backend)
|
|
|
|
|
2019-10-16 10:41:06 +02:00
|
|
|
@classmethod
|
|
|
|
def create(cls, cp, options):
|
|
|
|
if not has_keyring_support():
|
|
|
|
return None
|
|
|
|
return super(cls, cls).create(cp, options)
|
|
|
|
|
2019-08-27 15:08:38 +02:00
|
|
|
def get_password(self, url, user, defer=True):
|
|
|
|
self._load_backend()
|
2019-11-03 12:33:17 +01:00
|
|
|
return keyring.get_password(urlsplit(url)[1], user)
|
2019-08-27 15:08:38 +02:00
|
|
|
|
|
|
|
def set_password(self, url, user, password):
|
|
|
|
self._load_backend()
|
2019-11-03 12:33:17 +01:00
|
|
|
keyring.set_password(urlsplit(url)[1], user, password)
|
2019-08-27 15:08:38 +02:00
|
|
|
config_value = self._qualified_name() + ':' + self._backend_cls_name
|
|
|
|
self._cp.set(url, self.config_entry, config_value)
|
|
|
|
|
|
|
|
def delete_password(self, url, user):
|
|
|
|
self._load_backend()
|
2019-11-03 12:33:17 +01:00
|
|
|
keyring.delete_password(urlsplit(url)[1], user)
|
2019-08-27 15:08:38 +02:00
|
|
|
|
|
|
|
|
|
|
|
class KeyringCredentialsDescriptor(AbstractCredentialsManagerDescriptor):
|
2022-03-24 11:31:01 +01:00
|
|
|
def __init__(self, keyring_backend, name=None, description=None, priority=None):
|
2019-08-27 15:08:38 +02:00
|
|
|
self._keyring_backend = keyring_backend
|
2022-03-24 11:11:36 +01:00
|
|
|
self._name = name
|
|
|
|
self._description = description
|
2022-03-24 11:31:01 +01:00
|
|
|
self._priority = priority
|
2019-08-27 15:08:38 +02:00
|
|
|
|
|
|
|
def name(self):
|
2022-03-24 11:11:36 +01:00
|
|
|
if self._name:
|
|
|
|
return self._name
|
2020-02-14 09:35:07 +01:00
|
|
|
if hasattr(self._keyring_backend, 'name'):
|
|
|
|
return self._keyring_backend.name
|
2022-03-24 11:11:36 +01:00
|
|
|
return self._keyring_backend.__class__.__name__
|
2019-08-27 15:08:38 +02:00
|
|
|
|
|
|
|
def description(self):
|
2022-03-24 11:11:36 +01:00
|
|
|
if self._description:
|
|
|
|
return self._description
|
2019-08-27 15:08:38 +02:00
|
|
|
return 'Backend provided by python-keyring'
|
|
|
|
|
2022-03-24 11:31:01 +01:00
|
|
|
def priority(self):
|
|
|
|
if self._priority is not None:
|
|
|
|
return self._priority
|
|
|
|
return 0
|
|
|
|
|
2019-08-27 15:08:38 +02:00
|
|
|
def create(self, cp):
|
|
|
|
qualified_backend_name = qualified_name(self._keyring_backend)
|
|
|
|
return KeyringCredentialsManager(cp, qualified_backend_name)
|
|
|
|
|
|
|
|
|
|
|
|
class GnomeKeyringCredentialsManager(AbstractCredentialsManager):
|
2019-10-16 10:41:06 +02:00
|
|
|
@classmethod
|
|
|
|
def create(cls, cp, options):
|
|
|
|
if gnomekeyring is None:
|
|
|
|
return None
|
|
|
|
return super(cls, cls).create(cp, options)
|
|
|
|
|
2019-08-27 15:08:38 +02:00
|
|
|
def get_password(self, url, user, defer=True):
|
|
|
|
gk_data = self._keyring_data(url, user)
|
|
|
|
if gk_data is None:
|
|
|
|
return None
|
|
|
|
return gk_data['password']
|
|
|
|
|
|
|
|
def set_password(self, url, user, password):
|
|
|
|
scheme, host, path = self._urlsplit(url)
|
|
|
|
gnomekeyring.set_network_password_sync(
|
|
|
|
user=user,
|
|
|
|
password=password,
|
|
|
|
protocol=scheme,
|
|
|
|
server=host,
|
|
|
|
object=path)
|
|
|
|
self._cp.set(url, self.config_entry, self._qualified_name())
|
|
|
|
|
|
|
|
def delete_password(self, url, user):
|
|
|
|
gk_data = self._keyring_data(url, user)
|
|
|
|
if gk_data is None:
|
|
|
|
return
|
|
|
|
gnomekeyring.item_delete_sync(gk_data['keyring'], gk_data['item_id'])
|
|
|
|
|
|
|
|
def get_user(self, url):
|
|
|
|
gk_data = self._keyring_data(url, None)
|
|
|
|
if gk_data is None:
|
|
|
|
return None
|
|
|
|
return gk_data['user']
|
|
|
|
|
|
|
|
def _keyring_data(self, url, user):
|
|
|
|
scheme, host, path = self._urlsplit(url)
|
|
|
|
try:
|
|
|
|
entries = gnomekeyring.find_network_password_sync(protocol=scheme,
|
|
|
|
server=host,
|
|
|
|
object=path)
|
|
|
|
except gnomekeyring.NoMatchError:
|
|
|
|
return None
|
|
|
|
|
|
|
|
for entry in entries:
|
|
|
|
if 'user' not in entry or 'password' not in entry:
|
|
|
|
continue
|
|
|
|
if user is None or entry['user'] == user:
|
|
|
|
return entry
|
|
|
|
return None
|
|
|
|
|
|
|
|
def _urlsplit(self, url):
|
|
|
|
splitted_url = urlsplit(url)
|
|
|
|
return splitted_url.scheme, splitted_url.netloc, splitted_url.path
|
|
|
|
|
|
|
|
|
|
|
|
class GnomeKeyringCredentialsDescriptor(AbstractCredentialsManagerDescriptor):
|
|
|
|
def name(self):
|
|
|
|
return 'GNOME Keyring Manager (deprecated)'
|
|
|
|
|
|
|
|
def description(self):
|
|
|
|
return 'Deprecated GNOME Keyring Manager. If you use \
|
|
|
|
this we will send you a Dial-In modem'
|
|
|
|
|
2022-03-24 11:31:01 +01:00
|
|
|
def priority(self):
|
|
|
|
return 0
|
|
|
|
|
2019-08-27 15:08:38 +02:00
|
|
|
def create(self, cp):
|
|
|
|
return GnomeKeyringCredentialsManager(cp, None)
|
|
|
|
|
|
|
|
|
2022-03-24 11:11:36 +01:00
|
|
|
# we're supporting only selected python-keyring backends in osc
|
|
|
|
SUPPORTED_KEYRING_BACKENDS = {
|
|
|
|
"keyutils.osc.OscKernelKeyringBackend": {
|
|
|
|
"name": "Kernel keyring",
|
|
|
|
"description": "Store password in user session keyring in kernel keyring [secure, in-memory, per-session]",
|
2022-03-24 11:31:01 +01:00
|
|
|
"priority": 10,
|
2022-03-24 11:11:36 +01:00
|
|
|
},
|
|
|
|
"keyring.backends.SecretService.Keyring": {
|
|
|
|
"name": "Secret Service",
|
|
|
|
"description": "Store password in Secret Service (GNOME Keyring backend) [secure, persistent]",
|
2022-03-24 11:31:01 +01:00
|
|
|
"priority": 9,
|
2022-03-24 11:11:36 +01:00
|
|
|
},
|
|
|
|
"keyring.backends.kwallet.DBusKeyring": {
|
|
|
|
"name": "KWallet",
|
|
|
|
"description": "Store password in KWallet [secure, persistent]",
|
2022-03-24 11:31:01 +01:00
|
|
|
"priority": 8,
|
2022-03-24 11:11:36 +01:00
|
|
|
},
|
|
|
|
}
|
|
|
|
|
|
|
|
|
2019-08-27 15:08:38 +02:00
|
|
|
def get_credentials_manager_descriptors():
|
|
|
|
descriptors = []
|
2022-03-24 11:11:36 +01:00
|
|
|
|
|
|
|
if has_keyring_support():
|
|
|
|
for backend in keyring.backend.get_all_keyring():
|
|
|
|
qualified_backend_name = qualified_name(backend)
|
|
|
|
data = SUPPORTED_KEYRING_BACKENDS.get(qualified_backend_name, None)
|
|
|
|
if not data:
|
|
|
|
continue
|
2022-03-24 11:31:01 +01:00
|
|
|
descriptor = KeyringCredentialsDescriptor(
|
|
|
|
backend,
|
|
|
|
data["name"],
|
|
|
|
data["description"],
|
|
|
|
data["priority"]
|
|
|
|
)
|
2022-03-24 11:11:36 +01:00
|
|
|
descriptors.append(descriptor)
|
2019-08-27 15:08:38 +02:00
|
|
|
if gnomekeyring:
|
|
|
|
descriptors.append(GnomeKeyringCredentialsDescriptor())
|
|
|
|
descriptors.append(PlaintextConfigFileDescriptor())
|
|
|
|
descriptors.append(ObfuscatedConfigFileDescriptor())
|
2019-08-27 16:26:20 +02:00
|
|
|
descriptors.append(TransientDescriptor())
|
2022-03-24 11:31:01 +01:00
|
|
|
descriptors.sort()
|
2019-08-27 15:08:38 +02:00
|
|
|
return descriptors
|
|
|
|
|
|
|
|
|
|
|
|
def get_keyring_credentials_manager(cp):
|
|
|
|
keyring_backend = keyring.get_keyring()
|
|
|
|
return KeyringCredentialsManager(cp, qualified_name(keyring_backend))
|
|
|
|
|
|
|
|
|
|
|
|
def create_credentials_manager(url, cp):
|
|
|
|
config_entry = cp.get(url, AbstractCredentialsManager.config_entry)
|
|
|
|
if ':' in config_entry:
|
|
|
|
creds_mgr_cls, options = config_entry.split(':', 1)
|
|
|
|
else:
|
|
|
|
creds_mgr_cls = config_entry
|
|
|
|
options = None
|
|
|
|
mod, cls = creds_mgr_cls.rsplit('.', 1)
|
2019-10-16 10:41:06 +02:00
|
|
|
return getattr(importlib.import_module(mod), cls).create(cp, options)
|
2019-08-27 15:08:38 +02:00
|
|
|
|
|
|
|
|
|
|
|
def qualified_name(obj):
|
|
|
|
return obj.__module__ + '.' + obj.__class__.__name__
|
|
|
|
|
|
|
|
|
|
|
|
def has_keyring_support():
|
|
|
|
return keyring is not None
|