-
Notifications
You must be signed in to change notification settings - Fork 183
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Improve credentials manager selection #983
Conversation
On 2021-12-09 07:31:10 -0800, Daniel Mach wrote:
This PR is still incomplete.
Goals:
- [x] Implement kernel keyring password backend
Nice!:) But see below.
- [ ] Set as default for new installations
Hmm there is no default anymore. The user has to choose a
credentials manager during the setup of an apiurl.
- [ ] Warn user if insecure backend is used
Hmm that's not possible/trivial because, for instance, a user
can configure _any_ python-keyring backend (in theory, we
do not have a "fixed" number of potential credential managers).
Unresolved issues:
- [ ] py2 support (Popen doesn't support `encoding`)
- [ ] when removing password from the keyring (`keyctl purge user osc_https://api.opensuse.org`), osc asks for username again
What about using the python-keyring-keyutils module [1]?
It also ships a "special" osc keyring backend [2] (so that osc
does not always ask for a password). Its usage wrt. to osc is
described here [3].
The corresponding pythonXY-keyring-keyutils package is already
available in tumbleweed.
[1] https://github.com/marcus-h/python-keyring-keyutils
[2] https://github.com/marcus-h/python-keyring-keyutils/blob/master/keyutils/osc.py
[3] https://github.com/marcus-h/python-keyring-keyutils/blob/master/README_osc.md
|
@marcus-h I'll definitely take a look. BTW, haven't you considered splitting your lib in the following way?
Is python2 supported in your library? |
On 2021-12-10 01:13:49 -0800, Daniel Mach wrote:
@marcus-h I'll definitely take a look.
Cool! I'm always interested in feedback, objections, bug reports,
PRs etc.:)
BTW, haven't you considered splitting your lib in the following way?
- Submit the generic code to python-keyring.
- Move the osc specific code to osc.
I haven't thought about this yet but if there's interested in it, I can
certainly move the code.
Is python2 supported in your library?
Plain `super()` indicates that it may not be supported.
No. Also, the C extension is written with python3 in mind (it won't
compile on python2).
I was told that py2 support in osc is probably not going away for a while.
My personal take on this is the following:
- let's not actively break python2 support in osc (unless there is a really
good reason)
- it is perfectly fine if a new feature relies on python3
|
0311743
to
f6c3ed2
Compare
a66826d
to
70ce279
Compare
70ce279
to
6f05ee6
Compare
Force-pushed brand new code based on python-keyring-keyutils. The credentials manager selection looks like this now:
|
I just had a very very quick glance at it: I really like it:)
On 2022-03-24 13:43:00 +0000, Daniel Mach wrote:
diff --git a/osc/credentials.py b/osc/credentials.py
index d2ce493b..a0f789df 100644
--- a/osc/credentials.py
+++ b/osc/credentials.py
@@ -195,16 +195,21 @@ def delete_password(self, url, user):
<SNIP>
def get_credentials_manager_descriptors():
- if has_keyring_support():
- backend_list = keyring.backend.get_all_keyring()
- else:
- backend_list = []
descriptors = []
- for backend in backend_list:
- descriptors.append(KeyringCredentialsDescriptor(backend))
+
+ if has_keyring_support():
+ for backend in keyring.backend.get_all_keyring():
+ qualified_backend_name = qualified_name(backend)
+ data = SUPPORTED_KEYRING_BACKENDS.get(qualified_backend_name, None)
+ if not data:
+ continue
Hmm IMHO we should also offer the other backends (except "useless" ones
like fail, null etc.). We could give them a lower priority, though.
What do you think?
… + descriptor = KeyringCredentialsDescriptor(backend, data["name"], data["description"])
+ descriptors.append(descriptor)
|
Could you be more specific about which backends do you want enabled? I've reviewed classes python-keyring provides and added These are skipped on my system and I believe they should remain that way:
Do we really want to support Did I miss anything? |
Also provide pretty names and descriptions.
6f05ee6
to
90a1cb8
Compare
Hmm github ignored my mail again... here's the forwarded message:
|
Ok.. This works and is already discussed.. I will merge this now.. |
On 2022-03-30 01:21:38 -0700, Marco Strigl wrote:
Ok.. This works and is already discussed.. I will merge this now..
Hmm I really fail to see why we limit ourselves to SUPPORTED_KEYRING_BACKENDS
instead of offering all available backends (except the nonsense ones...) :/
Strictly speaking, this is again a (small) regression.
|
Implemented new keyctl credentials manager.
Order credential managers by priority and name.
Credential manager with the highest prio is a default now.
Remove unwanted python-keyrings backends.
Made clear which credentials managers are (in)secure.
Briefly tested the code on python2.