FIPS enabled pgAdmin4 does not start #1452

Open
albundy83 opened this issue Jun 8, 2022 · 2 comments

Describe the bug
When FIPS is enabled, pgAdmin4 fails to create /var/lib/pgadminpgadmin4.db correctly.

To Reproduce
Steps to reproduce the behavior:
Be sure that FIPS is enabled:
cat /proc/sys/crypto/fips_enabled must return 1

Start PGAdmin4 using Crunchy Data Operator (5.1.0) or using common Deployment

Expected behavior
Make it work :-)

  • Operating System: ubi8
  • Container Image Tag: registry.developers.crunchydata.com/crunchydata/crunchy-pgadmin4:ubi8-4.30-1
  • PostgreSQL Version: 14
  • Platform (Docker, Kubernetes, OpenShift): OpenShift with SCC as restricted
  • Platform Version: OpenShift 4.10

Here is the full log:

sh-4.4$ /opt/crunchy/bin/start-pgadmin4.sh
Wed Jun  8 16:34:52 UTC 2022 INFO: TLS disabled. Applying http configuration..
Wed Jun  8 16:34:52 UTC 2022 INFO: Setting up pgAdmin4 database..
Wed Jun  8 16:34:53 UTC 2022 ERROR: pgAdmin4 Database Setup: Could not create pgAdmin4 database: 
Traceback (most recent call last):
  File "setup.py", line 449, in <module>
    setup_db()
  File "setup.py", line 372, in setup_db
    app = create_app()
  File "/usr/lib/python3.6/site-packages/pgadmin4-web/pgadmin/__init__.py", line 351, in create_app
    db_upgrade(app)
  File "/usr/lib/python3.6/site-packages/pgadmin4-web/pgadmin/setup/db_upgrade.py", line 25, in db_upgrade
    flask_migrate.upgrade(migration_folder)
  File "/usr/lib/python3.6/site-packages/pgadmin4-web/flask_migrate/__init__.py", line 95, in wrapped
    f(*args, **kwargs)
  File "/usr/lib/python3.6/site-packages/pgadmin4-web/flask_migrate/__init__.py", line 280, in upgrade
    command.upgrade(config, revision, sql=sql, tag=tag)
  File "/usr/lib/python3.6/site-packages/pgadmin4-web/alembic/command.py", line 254, in upgrade
    script.run_env()
  File "/usr/lib/python3.6/site-packages/pgadmin4-web/alembic/script/base.py", line 425, in run_env
    util.load_python_file(self.dir, 'env.py')
  File "/usr/lib/python3.6/site-packages/pgadmin4-web/alembic/util/pyfiles.py", line 81, in load_python_file
    module = load_module_py(module_id, path)
  File "/usr/lib/python3.6/site-packages/pgadmin4-web/alembic/util/compat.py", line 83, in load_module_py
    spec.loader.exec_module(module)
  File "<frozen importlib._bootstrap_external>", line 678, in exec_module
  File "<frozen importlib._bootstrap>", line 219, in _call_with_frames_removed
  File "/usr/lib/python3.6/site-packages/pgadmin4-web/pgadmin/setup/../../migrations/env.py", line 93, in <module>
    run_migrations_online()
  File "/usr/lib/python3.6/site-packages/pgadmin4-web/pgadmin/setup/../../migrations/env.py", line 86, in run_migrations_online
    context.run_migrations()
  File "<string>", line 8, in run_migrations
  File "/usr/lib/python3.6/site-packages/pgadmin4-web/alembic/runtime/environment.py", line 836, in run_migrations
    self.get_context().run_migrations(**kw)
  File "/usr/lib/python3.6/site-packages/pgadmin4-web/alembic/runtime/migration.py", line 330, in run_migrations
    step.migration_fn(**kw)
  File "/usr/lib/python3.6/site-packages/pgadmin4-web/migrations/versions/fdc58d9bd449_.py", line 122, in upgrade
    Security(current_app, user_datastore, register_blueprint=False)
  File "/usr/lib/python3.6/site-packages/pgadmin4-web/flask_security/core.py", line 821, in __init__
    app, datastore, register_blueprint=register_blueprint, **kwargs
  File "/usr/lib/python3.6/site-packages/pgadmin4-web/flask_security/core.py", line 858, in init_app
    self._state = state = _get_state(app, datastore, **kwargs)
  File "/usr/lib/python3.6/site-packages/pgadmin4-web/flask_security/core.py", line 496, in _get_state
    hashing_context=_get_hashing_context(app),
  File "/usr/lib/python3.6/site-packages/pgadmin4-web/flask_security/core.py", line 477, in _get_hashing_context
    return CryptContext(schemes=schemes, deprecated=deprecated)
  File "/usr/lib/python3.6/site-packages/pgadmin4-web/passlib/context.py", line 1401, in __init__
    self.load(kwds)
  File "/usr/lib/python3.6/site-packages/pgadmin4-web/passlib/context.py", line 1592, in load
    config = _CryptConfig(source)
  File "/usr/lib/python3.6/site-packages/pgadmin4-web/passlib/context.py", line 634, in __init__
    self._init_scheme_list(source.get((None,None,"schemes")))
  File "/usr/lib/python3.6/site-packages/pgadmin4-web/passlib/context.py", line 652, in _init_scheme_list
    handler = get_crypt_handler(elem)
  File "/usr/lib/python3.6/site-packages/pgadmin4-web/passlib/registry.py", line 350, in get_crypt_handler
    mod = __import__(modname, fromlist=[modattr], level=0)
  File "/usr/lib/python3.6/site-packages/pgadmin4-web/passlib/handlers/digests.py", line 72, in <module>
    hex_md5     = create_hex_hash("md5")
  File "/usr/lib/python3.6/site-packages/pgadmin4-web/passlib/handlers/digests.py", line 55, in create_hex_hash
    info = lookup_hash(digest)
  File "/usr/lib/python3.6/site-packages/pgadmin4-web/passlib/crypto/digest.py", line 298, in lookup_hash
    info = HashInfo(const, name_list)
  File "/usr/lib/python3.6/site-packages/pgadmin4-web/passlib/crypto/digest.py", line 403, in __init__
    hash = const()
ValueError: [digital envelope routines: EVP_DigestInit_ex] disabled for FIPS

We can also see that the pgadmin4.db file has been created, but not correctly:

sh-4.4$ ls -al
total 104
drwxrwsrwx. 5 root    pgadmin  4096 Jun  8 16:34 .
drwxr-xr-x. 1 root    root      174 May 26 15:01 ..
-rw-r--r--. 1 pgadmin pgadmin     0 Jun  8 13:40 access_log
-rw-r--r--. 1 pgadmin pgadmin   853 Jun  8 16:34 config_local.py
-rw-r--r--. 1 pgadmin pgadmin   927 Jun  8 13:40 error_log
drwxrws---. 2 root    pgadmin 16384 Jun  8 13:39 lost+found
-rw-r--r--. 1 pgadmin pgadmin 61440 Jun  8 16:34 pgadmin4.db
-rw-r--r--. 1 pgadmin pgadmin   620 Jun  8 16:34 pgadmin.conf
drwx------. 2 pgadmin pgadmin  4096 Jun  8 13:40 sessions
drwxr-sr-x. 2 pgadmin pgadmin  4096 Jun  8 13:40 storage
sh-4.4$ sqlite3 pgadmin4.db 
SQLite version 3.26.0 2018-12-01 12:34:55
Enter ".help" for usage hints.
sqlite> select * from user ;
sqlite> 

albundy83 commented Jun 28, 2022

Hello,

Here is the explanation of the problem:
https://stackoverflow.com/questions/67559170/paramiko-ssh-command-execution-failing-with-valueerror-digital-envelope-routi

Using md5 hash is not allowed with FIPS enabled.

Here is the original issue on passlib (the problem was reported from pgAdmin4):
https://foss.heptapod.net/python-libs/passlib/-/issues/116

It seems you are still using an unpatched version of passlib (passlib-1.7.2).

As a workaround, changing the line should do the trick:

grep -n 'return hashlib.md5' /usr/lib/python3.6/site-packages/pgadmin4-web/passlib/handlers/digests.py
104:        return hashlib.md5(data).hexdigest()

to

grep -n 'return hashlib.md5' /usr/lib/python3.6/site-packages/pgadmin4-web/passlib/handlers/digests.py
104:        return hashlib.md5(data, usedforsecurity=False).hexdigest()

But it's a bit ugly...
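
Added example (not part of the original comment, and not passlib or pgAdmin4 code): a pre-flight check that classifies each digest before it is put into a hashing scheme list, so a FIPS-restricted MD5 is filtered out instead of raising at import time as in the traceback above. The function names and the candidate list are assumptions made for illustration; `usedforsecurity` is the same keyword the workaround above relies on.

```python
import hashlib

FIPS_FLAG = "/proc/sys/crypto/fips_enabled"  # the file checked in the report


def kernel_fips_enabled(path=FIPS_FLAG):
    """True when the kernel flag reads 1; False if it reads 0 or is absent."""
    try:
        with open(path) as fh:
            return fh.read().strip() == "1"
    except OSError:
        return False


def probe_digest(name):
    """Classify a digest as 'ok', 'nonsecurity-only' or 'blocked'."""
    try:
        hashlib.new(name)  # same kind of call that failed in the traceback
        return "ok"
    except ValueError:
        pass  # unknown digest name, or disabled by the crypto policy
    try:
        # Keyword available in Python 3.9+ (assumption: older builds
        # either ignore it or reject it, both handled here).
        hashlib.new(name, usedforsecurity=False)
        return "nonsecurity-only"
    except (ValueError, TypeError):
        return "blocked"


def usable_schemes(candidates):
    """Keep only digests that may be used for security purposes on this host."""
    return [name for name in candidates if probe_digest(name) == "ok"]


if __name__ == "__main__":
    # Constructed candidate list, for illustration only.
    candidates = ["md5", "sha1", "sha256", "sha512"]
    print("kernel FIPS flag:", kernel_fips_enabled())
    for name in candidates:
        print(f"{name:8s} {probe_digest(name)}")
    print("schemes safe to configure:", usable_schemes(candidates))
```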

@albundy83

Hello, any update on this issue?
