New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[PM-7486] Detect Libsecret Service #8776
base: main
Are you sure you want to change the base?
Conversation
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #8776 +/- ##
==========================================
- Coverage 27.65% 27.65% -0.01%
==========================================
Files 2376 2376
Lines 69193 69196 +3
Branches 12950 12950
==========================================
Hits 19133 19133
- Misses 48624 48627 +3
Partials 1436 1436 ☔ View full report in Codecov by Sentry. |
No New Or Fixed Issues Found |
138ae7f
to
d3345c6
Compare
Looking in to linker issue with desktop native module build |
@MGibson1 the commits in this PR are not signed. |
@bwdil thanks for the heads up! That's a catch-22 of sorts. It's because to replicate the issue I was forced to work on a system that didn't have my typical secret service set up. |
ef0686d
to
01a73bd
Compare
signed commits |
ba68a4f
to
0571887
Compare
fn list_names(&self) -> Result<Vec<String>>; | ||
} | ||
|
||
// Query dbus names looking for the org.freedesktop.secrets service, which indicates an active libsecret provider |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I do not see any risk by simply querying dbus names and searching for org.freedesktop.secrets which is similar to performing the following:
dbus-send --session --dest=org.freedesktop.DBus --type=method_call --print-reply /org/freedesktop/DBus org.freedesktop.DBus.ListNames | grep 'org.freedesktop.secrets'
Result
string "org.freedesktop.secrets"
However, what we do after the query matters, so I reviewed the zbus
project and tested the logic in your code, which produces the expected results (you know what you're doing and the approach is good).
I would note that the zbus
project doesn't have any information regarding the handling of security vulnerabilities in SECURITY.md
at https://github.com/dbus2/zbus/security
And since we're using zbus
API to essentially broker the validation of libsecret provider on a host where we need to securely store secrets, we want to make sure that the maintainer is security conscious.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'd note too that zbus
api does not provide any assurances on what comes back from the message bus, so I think we are just trusting that org.freedesktop.secrets
belongs to org.freedesktop.DBus
if this is the only gate before we hand deliver secrets, then I would be concerned that using a string value from the message bus could be spoofed.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I agree with what you're saying except for
trusting that org.freedesktop.secrets belongs to org.freedesktop.DBus
We actually have no expectation that the DBus service has anything to do with what is providing the secrets service. What we're trusting is that the machine we're running on does not have a bad actor running a service as a libsecret provider.
At that point, though, we're just taking issue with the way an OS's secure storage works -- which is fine and we've done before -- but the alternative in this case is to store the access tokens and refresh tokens in plaintext to a well-known location on disk. Without handling some form of PAM listening service ourselves I don't currently know a better way to do it. Even then, validating the receiving end of IPC is roughly impossible without a trusted intermediary hosting/validating both services.
407d298
to
987f8da
Compare
This method allows us to not require an unlocked keyring to store data. However, the keyring will need to be unlocked prior to storage. This is typically done on login to the user's account.
987f8da
to
ff3e839
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM, not sure if we need to be so verbose about the naming, and the rust module doesn't currently convery a secure storage concept. Imho from the module scope perspective it would be better to convey that the passwords module is supported or not.
@@ -12,6 +12,7 @@ export namespace passwords { | |||
export function setPassword(service: string, account: string, password: string): Promise<void> | |||
/** Delete the stored password from the keychain. */ | |||
export function deletePassword(service: string, account: string): Promise<void> | |||
export function osSupportsSecuredStorage(): boolean |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We could probably shorten this and just call it osSupport
or enabled
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
went with osSupport
. Everything is namespaced to passwords
, so I quite liked that readability
Type of change
Objective
We currently rely on a libsecret provider to store user-account secrets on linux. Auth tokens were moved to Secure storage if available with #7975, but this expands our dependencies to include something that provides libsecret without explicitly listing it.
This PR gracefully degrade request token storage to disk when OS-sponsored storage is unavailable.
Draft reason
Still vetting dbus and likely need build environment updates to ensure dbus headers are available to them.
Code changes
osSupportsSecuredStorage
that syncronously indicates whether or not the host operating system supports encrypted disk storage.Err
response and indicates that the OS is not set up for user account encrypted storage.TokenService
Before you submit