
Unlocking Secrets before retrieving them #45

Open
SvenMarquardt5772 opened this issue Oct 27, 2023 · 6 comments · May be fixed by #46

Comments

@SvenMarquardt5772

If I understand the spec correctly here

The client application should act as if it must unlock each item individually
https://specifications.freedesktop.org/secret-service/latest/ch08.html

The client must ask the application to unlock the specific item before using get to retrieve the secret. For example, KeePassXC has a configuration that asks with a prompt whether I want to provide access to a secret to the specified application. Because of this, I cannot retrieve secrets. There should be a check whether the secret is locked before trying to get it.

@purejava
Contributor

purejava commented Oct 27, 2023

See:

* Once the default collection is unlocked the user will not be prompted again
* as long as the default collection stays unlocked.

You can use the high level API / SimpleCollection, that handles the unlocking for you.

KeePassXC's own secret service interfaces differ massively from the ones gnome-keyring provides. You can't compare these two in this context, from my point of view.

There should be a check whether the secret is locked before trying to get it.

On the low level API, you can check for yourself:

public boolean isLocked() {
    // Read the "Locked" property of this collection/item over D-Bus
    Variant response = getProperty("Locked");
    // A failed property read is treated as locked, the safe default
    if (response == null) return true;
    return (boolean) response.getValue();
}

@SvenMarquardt5772
Author

SvenMarquardt5772 commented Oct 27, 2023

But the problem is that it is not possible to unlock the secrets from the SimpleCollection interface. I prepared a patch that I think would not harm if you only use gnome-keyring.

KeePassXC follows the spec here; gnome-keyring is just missing a feature for prompting whether I want to use a secret.

@SvenMarquardt5772 SvenMarquardt5772 linked a pull request Oct 27, 2023 that will close this issue
@purejava
Contributor

But the problem is that it is not possible to unlock the secrets from the SimpleCollection interface.

Why not? What is your code?
Did you set up your keyring correctly and have a default keyring?

KeePassXC follows the spec here; gnome-keyring is just missing a feature for prompting whether I want to use a secret.

SimpleCollection calls the following unlock() method on all operations:

private void unlock() {
    // Only the collection's Locked property is consulted here
    if (collection != null && collection.isLocked()) {
        if (withoutPrompt != null && encrypted != null) {
            // Non-interactive path: unlock with the stored (encrypted) master password
            withoutPrompt.unlockWithMasterPassword(collection.getPath(), encrypted);
            log.debug("Unlocked collection: " + collection.getLabel() + " (" + collection.getObjectPath() + ")");
        } else {
            // Interactive path: Service.Unlock returns the prompt object the user must answer
            Pair<List<ObjectPath>, ObjectPath> response = service.unlock(lockable());
            performPrompt(response.b);
            if (!collection.isLocked()) {
                isUnlockedOnceWithUserPermission = true;
                log.info("Unlocked collection: " + collection.getLabel() + " (" + collection.getObjectPath() + ")");
            }
        }
    }
}

That prompts you when the keyring is locked.
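As an added illustration of the flow this thread is discussing (a constructed model, not the secret-service library's code, and it does not touch D-Bus): one fake daemon locks only whole collections, as gnome-keyring does, and the other also keeps individual items locked, as KeePassXC does. The interface semantics follow the spec (Locked property, Service.Unlock returning a prompt path, "/" meaning no prompt, the Prompt's Completed(dismissed, result) answer); the class and helper names, paths and secret value are assumptions.

```python
# Constructed model of the Secret Service unlock flow; not the library's own code.
NO_PROMPT = "/"  # Service.Unlock returns this prompt path when no prompt is needed


class FakeSecretService:
    """item_level_locking=True also locks single items (KeePassXC); False locks collections only (gnome-keyring)."""

    def __init__(self, item_level_locking, user_approves=True):
        self.user_approves = user_approves
        self.collection = "/org/freedesktop/secrets/collection/login"
        self.items = {self.collection + "/4": b"s3cr3t"}  # constructed sample item
        self.locked = {self.collection: True}
        self.locked.update({p: item_level_locking for p in self.items})
        self.pending = []  # objects waiting for the user's answer to a prompt

    def get_locked(self, path):  # the Locked property of a Collection or Item
        return self.locked[path]

    def unlock(self, objects):  # Service.Unlock -> (already unlocked paths, prompt path)
        unlocked = [p for p in objects if not self.locked[p]]
        self.pending = [p for p in objects if self.locked[p]]
        return unlocked, NO_PROMPT if not self.pending else "/org/freedesktop/secrets/prompt/p1"

    def prompt(self, prompt_path):  # Prompt.Prompt -> Completed(dismissed, result)
        if not self.user_approves:
            return True, []  # dismissed: nothing gets unlocked
        for p in self.pending:
            self.locked[p] = False
        return False, list(self.pending)

    def get_secret(self, item_path):  # Item.GetSecret; the daemon refuses a locked item
        if self.locked[item_path]:
            raise PermissionError("org.freedesktop.Secret.Error.IsLocked")
        return self.items[item_path]


def ensure_unlocked(service, paths):
    """Unlock every still-locked path, driving a prompt when the daemon asks for one."""
    to_unlock = [p for p in paths if service.get_locked(p)]
    if not to_unlock:
        return True
    _, prompt = service.unlock(to_unlock)
    if prompt != NO_PROMPT and service.prompt(prompt)[0]:
        return False  # user dismissed the prompt
    return not any(service.get_locked(p) for p in to_unlock)


def read_secret(service, item_path, check_item=True):  # check_item=False mirrors the collection-only check
    collection = item_path.rsplit("/", 1)[0]
    paths = [collection, item_path] if check_item else [collection]
    if not ensure_unlocked(service, paths):
        return None  # prompt dismissed
    return service.get_secret(item_path)
```

With the collection-only check the KeePassXC-style daemon still refuses GetSecret for the locked item, while checking the item as well costs the gnome-keyring-style daemon nothing because its items are never locked on their own.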

@purejava
Contributor

Try this:

SimpleCollection sc = new SimpleCollection();  // opens the default collection
var x = sc.getSecret("/org/freedesktop/secrets/collection/login/4");  // runs unlock() first, prompting if needed

You need the right object path for the secret you want to retrieve, of course. This reads the secret right away when the keyring is unlocked, and prompts to unlock it otherwise.

@swiesend
Owner

I see. KeepassXC is probably doing better in following the spec here.

Until now this issue did not come up, as gnome-keyring usually does not lock individual secret items. I never tried whether that is even possible.

I hope you can help yourself right now by building it on your own. In general I am trying to support KeepassXC with the 2.x.x branch. Will adapt and merge this to the branch.

@SvenMarquardt5772 have you tested if there is a regression to the behaviour regarding gnome-keyring, apart from slowing down the retrieval through yet another remote call? Please ping me again if nothing happens within a week.

@purejava thank you for looking into the issue swiftly.

@SvenMarquardt5772
Author

@swiesend it's not possible in gnome-keyring to do that. I tested this with my local gnome-keyring version 3.36.0-1ubuntu1, and I saw no regression.

[WARNING] Tests run: 84, Failures: 0, Errors: 0, Skipped: 17
