-
-
Notifications
You must be signed in to change notification settings - Fork 1.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[RFC] Implement Freedesktop.org Secret Storage spec server side API #2726
Conversation
ce0bf35
to
9418f61
Compare
Rebased on the latest develop branch and fixed EntrySearcher unit test. |
Can you please squash a majority of your interstitial commits? It is hard to see the forest from the trees at the current state. |
Sure, will do once I get to my computer. |
68657de
to
eb75045
Compare
Re-ordered and squashed commits. Changes to other parts of KeepassXC are isolated into individual commits before the one last big commit adding the plugin. It should be a lot easier to read now. |
Oh very nice, thank you. I will review after 2.4.1 is settled. |
eb75045
to
1f56739
Compare
Force-pushed to fix some bugs when the database was reloaded due to external file changes. A new signal |
1f56739
to
665f8db
Compare
Rebased on develop |
You have an issue in our CI, are we missing a dependency?
|
Ah, I see. |
665f8db
to
b14d37b
Compare
Remove any usages of APIs later than Qt 5.3. (I used the docker image at |
Just figured out that I can view the build log by logging in as a guest on TeamCity... I'll fix other CI test failures in a few days. |
b14d37b
to
425ab6a
Compare
@Aetf I haven't forgot about this. I will review this week and merge if acceptable. I'll also approve your bounty win. |
No problem 😄 |
* DatabaseTabWidget::newDatabase returns the created DatabaseWidget * Emit DatabaseTabWidget::databaseOpened signal before a new tab is added * EntrySearcher can now search attribute values including custom ones * Add Group::applyGroupIconTo to set the group icon on the supplied entry * Implement desktop notifications through the system tray icon * Add DatabaseWidget::deleteEntries to delete a list of entries * Add Aes128 in SymmetricCipher::algorithmIvSize * Add DatabaseWidget::databaseReplaced signal * Add a helper class to override the message box's parent (prevent bugs)
…reboot#1403) This plugin implements the Secret Storage specification version 0.2. While running KeePassXC, it acts as a Secret Service server, registered on DBus, so clients like seahorse, python-secretstorage, or other implementations can connect and access the exposed database in KeePassXC. Squashed commits: - Initial code - Add SessionAdaptor and fix build - The skeletons for all dbus objects are in place - Implement collection creation and deletion - Emit collectionChanged signal - Implement app-wise settings page - Implement error message on GUI - Implement settings - Fix uuid to dbus path - Implement app level settings - Add freedesktop logo - Implement database settings page - Change database settings to a treeview - Move all settings read/write to one place - Rename SecretServiceOptionsPage to SettingsWidgetFdoSecrets - Fix selected group can not be saved if the user hasn't click on the item - Show selected group per database in app settings - Disable editing of various readonly widgets - Remove unused warning about non exposed database - Fix method signature on dbus adaptors - Fix type derived from DBusObject not recognized as QDBusContext - Resolve a few TODOs around error handling - Remove const when passing DBus exposed objects - Move dismiss to PromptBase - Implement per collection locking/unlocking - Fix const correctness on Item::setSecret - Implement SecretService::getSecrets - Rework the signal connections around collections. - Remove generateId from DBusObject - Per spec, use encoded label as DBus object path for collections - Fix some corner cases around collection name changes - Implement alias - Fix wrong alias dbus path - Implement encryption per spec - Cleanup SessionCipher - Implement searchItems for SecretService - Use Tools::uuidToHex - Implement Item attributes and delete - Implement createItem - Always check if the database is unlocked before perform any operation - Add missing ReadAlias/SetAlias on service - Reorganize and fix OpenSession always returning empty output - Overhaul error handling - Make sure default alias is always present - Remove collection aliases early in doDelete - Handles all content types, fix setProperties not working - Fix sometimes there is an extraneous leading zero when converting from MPI - Fix session encryption negotiation - Do not expose recycle bin - Protect against the methods not called from DBus - Also emit collectionChanged signal when lock state changes - Show notification when entry secret is requested - Add a README file - Actually close session when client disconnects - Gracefully return alternative label when collection is locked - Reorganize, rename secretservice to fdosecrets - Fix issues reported by clazy - Unify UI strings and fix icon - Implement a setting to skip confirmation when deleting entries from DBus - Remove some unused debugging log - Simply ignore errors when DBus context is not available. QtDBus won't set QDBusContext when deliver property get/set, and there is no way to get a QDBusMessage in property getter/setter. - Simplify GcryptMPI using std::unique_ptr and add unit test - Format code in fdosecrets - Move DBusReturnImpl to details namespace - Fix crash when locking a database: don't modify exposedGroup setting in customData when database is deleted - Make sure Collection::searchItems works, whether it's locked or not - Fix FdoSecrets::Collection becomes empty after a database reload - Fix crash when looping while modifying the list
425ab6a
to
f25f2e0
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Honestly this is the most beautiful code I have reviewed. I squashed all the small commits on existing code, will merge once the CI finishes.
@hifi We can use the desktop notification that was added here to notify when SSH credentials are being accessed (as an option). This notification path would also be nice for KeeShare. |
For reference, this is the perfect place to post issues which may be documentation or training related regarding new features. Creating new issues for recently merged, but not deployed, features spreads the conversation out. With this conversation I can write documentation that meets niche cases not tested by the author. Now if this blows up into something that needs fixing, then we can create an issue to track it. |
@phddoom, unfortunately that behavior is intended.
However, in KeepassXC, when a database is locked, it's "gone" and there is no information left for the program to be able to search inside it. So the list of locked items is empty. So nothing will happen and the database remains locked. @elvirolo The "exposed database groups" list enumerates exposed database groups for currently opened databases (either locked or not). You can then go from there to the per-database setting page to configure the exposed group. See my previous comment. If you have databases open but that list is empty, it's a bug and please create a new issue for that. @droidmonkey What is the canonical place for this kind of plugin manual or "get started" like documentation? There are indeed some cases that are not so intuitive and I'd like to help document them. Thanks |
Thank you for your reply. My database is indeed open and unlocked, but the list is empty. |
@elvirolo Okay. So there's indeed something went wrong. A few things to try:
|
@Aetf I am going to flesh out our documentation section of the website once I get the final products from our tech writer. The best place for documentation will be (in the future) https://github.com/keepassxreboot/keepassxreboot.github.io As for the locked database issue, you could issue a call to bring the KeePassXC window to the front (mainWindow()->raiseWindow()) when you receive an unlock request. |
@droidmonkey Cool! Let me know if anything is needed from my part documenting this plugin. |
@Aetf Thank you for your help. Exposing a group from the database settings page did make it work for the Nextcloud client (which uses qtkeychain). However, NetworkManager doesn't seem to be able to store Wifi secret in Keepassxc. Here are the errors which are displayed in the journal when I try to configure a connection for a specific user (which is supposed to store the secret in the user's keyring):
|
@elvirolo Could you please post a record of dbus messages while reproducing the error using the following command?
Please run the command right after starting KeepassXC, and make sure it's running when you use NetworkManager. Then, stop monitoring by hit Note that the recording contains secret values passing through the interface, so be sure to NOT use your actual database file. |
@Aetf Thank you for your reply. Here is the content of the logfile:
|
@elvirolo Sorry for the late reply, I was busy last week... It that all the content of the log file? It means no one ever contacted KeepassXC through the API. Could you double check if the dbus service is running when KeepassXC is open and while using NetworkManager? The command is
If it prints nothing, then the service is not running. If the dbus service is running, then the issue is with NetworkManager, which doesn't correct use the API. |
It is indeed running (the command outputs "string "org.freedesktop.secrets""). I'll contact the NetworkManager team to try and find out what's wrong. Thanks for your help. |
Added - Add 'Paper Backup' aka 'Export to HTML file' to the 'Database' menu [[#3277](#3277)] - Add statistics panel with information about the database (number of entries, number of unique passwords, etc.) to the Database Settings dialog [[#2034](#2034)] - Add offline user manual accessible via the 'Help' menu [[#3274](#3274)] - Add support for importing 1Password OpVault files [[#2292](#2292)] - Implement Freedesktop.org secret storage DBus protocol so that KeePassXC can be used as a vault service by libsecret [[#2726](#2726)] - Add support for OnlyKey as an alternative to YubiKeys (requires yubikey-personalization >= 1.20.0) [[#3352](#3352)] - Add group sorting feature [[#3282](#3282)] - Add feature to download favicons for all entries at once [[#3169](#3169)] - Add word case option to passphrase generator [[#3172](#3172)] - Add support for RFC6238-compliant TOTP hashes [[#2972](#2972)] - Add UNIX man page for main program [[#3665](#3665)] - Add 'Monospaced font' option to the notes field [[#3321](#3321)] - Add support for key files in auto open [[#3504](#3504)] - Add search field for filtering entries in Auto-Type dialog [[#2955](#2955)] - Complete usernames based on known usernames from other entries [[#3300](#3300)] - Parse hyperlinks in the notes field of the entry preview pane [[#3596](#3596)] - Allow abbreviation of field names in entry search [[#3440](#3440)] - Allow setting group icons recursively [[#3273](#3273)] - Add copy context menu for username and password in Auto-Type dialog [[#3038](#3038)] - Drop to background after copying a password to the clipboard [[#3253](#3253)] - Add 'Lock databases' entry to tray icon menu [[#2896](#2896)] - Add option to minimize window after unlocking [[#3439](#3439)] - Add option to minimize window after opening a URL [[#3302](#3302)] - Request accessibility permissions for Auto-Type on macOS [[#3624](#3624)] - Browser: Add initial support for multiple URLs [[#3558](#3558)] - Browser: Add entry-specific browser integration settings [[#3444](#3444)] - CLI: Add offline HIBP checker (requires a downloaded HIBP dump) [[#2707](#2707)] - CLI: Add 'flatten' option to the 'ls' command [[#3276](#3276)] - CLI: Add password generation options to `Add` and `Edit` commands [[#3275](#3275)] - CLI: Add XML import [[#3572](#3572)] - CLI: Add CSV export to the 'export' command [[#3278](#3278)] - CLI: Add `-y --yubikey` option for YubiKey [[#3416](#3416)] - CLI: Add `--dry-run` option for merging databases [[#3254](#3254)] - CLI: Add group commands (mv, mkdir and rmdir) [[#3313](#3313)]. - CLI: Add interactive shell mode command `open` [[#3224](#3224)] Changed - Redesign database unlock dialog [ [#3287](#3287)] - Rework the entry preview panel [ [#3306](#3306)] - Move notes to General tab on Group Preview Panel [[#3336](#3336)] - Enable entry actions when editing an entry and cleanup entry context menu [[#3641](#3641)] - Improve detection of external database changes [[#2389](#2389)] - Warn if user is trying to use a KDBX file as a key file [[#3625](#3625)] - Add option to disable KeePassHTTP settings migrations prompt [[#3349](#3349), [#3344](#3344)] - Re-enabled Wayland support (no Auto-Type yet) [[#3520](#3520), [#3341](#3341)] - Add icon to 'Toggle Window' action in tray icon menu [[3244](#3244)] - Merge custom data between databases only when necessary [[#3475](#3475)] - Improve various file-handling related issues when picking files using the system's file dialog [[#3473](#3473)] - Add 'New Entry' context menu when no entries are selected [[#3671](#3671)] - Reduce default Argon2 settings from 128 MiB and one thread per CPU core to 64 MiB and two threads to account for lower-spec mobile hardware [ [#3672](#3672)] - Browser: Remove unused 'Remember' checkbox for HTTP Basic Auth [[#3371](#3371)] - Browser: Show database name when pairing with a new browser [[#3638](#3638)] - Browser: Show URL in allow access dialog [[#3639](#3639)] - CLI: The password length option `-l` for the CLI commands `Add` and `Edit` is now `-L` [[#3275](#3275)] - CLI: The `-u` shorthand for the `--upper` password generation option has been renamed to `-U` [[#3275](#3275)] - CLI: Rename command `extract` to `export`. [[#3277](#3277)] Fixed - Improve accessibility for assistive technologies [[#3409](#3409)] - Correctly unlock all databases if `--pw-stdin` is provided [[#2916](#2916)] - Fix password generator issues with special characters [[#3303](#3303)] - Fix KeePassXC interrupting shutdown procedure [[#3666](#3666)] - Fix password visibility toggle button state on unlock dialog [[#3312](#3312)] - Fix potential data loss if database is reloaded while user is editing an entry [[#3656](#3656)] - Fix hard-coded background color in search help popup [[#3001](#3001)] - Fix font choice for password preview [[#3425](#3425)] - Fix handling of read-only files when autosave is enabled [[#3408](#3408)] - Handle symlinks correctly when atomic saves are disabled [[#3463](#3463)] - Enable HighDPI icon scaling on Linux [[#3332](#3332)] - Make Auto-Type on macOS more robust and remove old Carbon API calls [[#3634](#3634), [[#3347](#3347))] - Hide Share tab if KeePassXC is compiled without KeeShare support and other minor KeeShare improvements [[#3654](#3654), [[#3291](#3291), [#3029](#3029), [#3031](#3031), [#3236](#3236)] - Correctly bring window to the front when clicking tray icon on macOS [[#3576](#3576)] - Correct application shortcut created by MSI Installer on Windows [[#3296](#3296)] - Fix crash when removing custom data [[#3508](#3508)] - Fix placeholder resolution in URLs [[#3281](#3281)] - Fix various inconsistencies and platform-dependent compilation bugs [[#3664](#3664), [#3662](#3662), [#3660](#3660), [#3655](#3655), [#3649](#3649), [#3417](#3417), [#3357](#3357), [#3319](#3319), [#3318](#3318), [#3304](#3304)] - Browser: Fix potential leaking of entries through the browser integration API if multiple databases are opened [[#3480](#3480)] - Browser: Fix password entropy calculation [[#3107](#3107)] - Browser: Fix Windows registry settings for portable installation [[#3603](#3603)]
What is the right way to disable gnome-keyring-daemon? |
If this is still the current behavior, isn't that a security issue? A malicious script could launch This comment by @ntninja seems relevant (last two paragraphs):
If this needs changes to This |
This feature has come quite a long way since this PR. Dbus traffic is encrypted using asymmetric cryptography and we have implemented a prompt window when credentials are requested. |
@droidmonkey , while we're at it, what's the situation on client isolation (point 4 of @ntninja 's plan)? One of the things that was bugging me with KWallet was the lack of such isolation: any app could get the password of any other app. I understand this is a general problem with such password stores, and is difficult to solve. But anything we can do to start moving the needle towards a solution, would be welcome IMO. It may be worthwhile to involve Stef Walter on that, at least. |
There is nothing stopping an app from requesting arbitrary data from the collection. This is part of the spec, and without strict AAA guarantees at the process level I'm not sure you'll ever get there. (e.g. Process A can cryptographically prove they are really Process A and has access to this specific credential set) We did implement the prompt to allow access which tells you which process is requesting which entry. We also create a new encryption pipe for each client. |
That's already a start, which is good. But how is the process identity determined here? If it's just a string passed from the client, it's very easy to impersonate. Or more commonly, a client may neglect setting a sensible string - a known issue with KWallet. If we can determine the process ID as has been suggested, that can be converted to the binary path. Maybe that could be tapmered-with too, if there's no tamper-proof system call for that, but that would already be more reliable than a client-specified string. Once we have the app identity, KPXC can create a separate collection for each app, and let the user control which apps can access which collections (by default, only the one created for that app). Maybe that's already done? Using collections for this lets binaries store more than secret. That's especially useful for interpreted scripts. This way, each script can save its own secrets in the interpreter's collection. The scripts for a particular interpreter still won't be isolated from each other, but at least they'll be isolated from other interpreters and binaries. For further security, KPXC could fingerprint the binary on first access, and use that to control subsequent access. At its simplest, that could just be a SHA hash of the binary. That would mean that new binary versions will need to re-authenticate, but as far as I'm concerned, that's a feature. As long as the user has access control, he could tell KPXC to "let this newer version use that older version's collection". And the whole fingerprinting feature can be optional. (In the future, there might be an online database of trusted binary fingerprints for each package, maintained by the package publishers. But that's a long way off.) This isn't a perfect solution, but I think it's better than no isolation at all, a la KWallet. |
You should read up on all the subsequent FDO Secrets PRs from this one first. A lot of work has been done and almost everything you mention above is done already. Exception being the hashing of the binary. |
Awesome, thanks! I have a bunch of PRs on my reading list already. Going over them. |
This PR adds the feature requested in #1403, adding a new plugin implementing the Freedesktop.org Secret Storage spec version 0.2. Basically this exposes a new DBus service that is described in the spec which can be used by libsecret-based applications.
Type of change
Description and Context
For motivation, please see #1403 for discussion.
For a description of the plugin, please see the README file.
There are also some modifications to existing code:
EntrySearcher
can now search attribute values including custom onesapplyGroupIconTo
to be a member function ofGroup
DatabaseTabWidget::newDatabase
returns the createdDatabaseWidget
DatabaseTabWidget
emitsdatabaseOpened
signal when a new tab is addedDatabaseWidget
can delete a list of entries nowDatabaseWidget
emitsdatabaseReplaced
signal when replacing the databaseAes128
inSymmetricCipher::algorithmIvSize
MainWindow
to show desktop notificationsScreenshots
Testing strategy
Checklist:
-DWITH_ASAN=ON
. [REQUIRED]