From 5dc5dc816f2ba50920dd3a5908824c244c8d9390 Mon Sep 17 00:00:00 2001 From: Kali Kaneko Date: Sat, 11 Jan 2014 23:10:53 -0400 Subject: workaround for using keyring inside a virtualenv (securestorage backend) This is related to research #4190 and #4083. I didn't resolve them, but I ended understanding a bit more what kind of issues can we be having with those. This workaround is more than anything a cleanup on that for future work, and is making me able to test the client much more nicely inside a virtualenv (where the default keyring selecting was the plaintext one). For this to work inside a virtualenv, one have to install SecureStorage, which in turns depends on python-dbus, which is basically uninstallable using pip inside a venv. So, symlinking to the rescue! it needs gi/repository and pyobject to be symlinked too. but at least you don't have to type the pass every time. I don't know what should be do in the long term with this issue. Some of us were not too fond on using the keyrings at all. We don't have many options among all the keyring backends, and sadly many of them depend on PyCrypto. So probably roll our own backend. Yay. --- src/leap/bitmask/util/keyring_helpers.py | 43 ++++++++++++++++++++++++++------ 1 file changed, 35 insertions(+), 8 deletions(-) (limited to 'src/leap/bitmask/util/keyring_helpers.py') diff --git a/src/leap/bitmask/util/keyring_helpers.py b/src/leap/bitmask/util/keyring_helpers.py index 4b3eb57f..b202d47e 100644 --- a/src/leap/bitmask/util/keyring_helpers.py +++ b/src/leap/bitmask/util/keyring_helpers.py @@ -31,18 +31,45 @@ OBSOLETE_KEYRINGS = [ PlaintextKeyring ] +canuse = lambda kr: kr is not None and kr.__class__ not in OBSOLETE_KEYRINGS + + +def _get_keyring_with_fallback(): + """ + Get the default keyring, and if obsolete try to pick SecretService keyring + if available. + + This is a workaround for the cases in which the keyring module chooses + an insecure keyring by default (ie, inside a virtualenv). + """ + kr = keyring.get_keyring() + if not canuse(kr): + try: + kr_klass = keyring.backends.SecretService + kr = kr_klass.Keyring() + except AttributeError: + logger.warning("Keyring cannot find SecretService Backend") + logger.debug("Selected keyring: %s" % (kr.__class__,)) + if not canuse(kr): + logger.debug("Not using default keyring since it is obsolete") + return kr + def has_keyring(): """ - Returns whether we have an useful keyring to use. + Return whether we have an useful keyring to use. :rtype: bool """ - kr = keyring.get_keyring() - klass = kr.__class__ - logger.debug("Selected keyring: %s" % (klass,)) + kr = _get_keyring_with_fallback() + return canuse(kr) + - canuse = kr is not None and klass not in OBSOLETE_KEYRINGS - if not canuse: - logger.debug("Not using this keyring since it is obsolete") - return canuse +def get_keyring(): + """ + Return an usable keyring. + + :rtype: keyringBackend or None + """ + kr = _get_keyring_with_fallback() + return kr if canuse(kr) else None -- cgit v1.2.3 From 9dbbfeebbb4bb7c445e01f94533e88e514fd6821 Mon Sep 17 00:00:00 2001 From: Kali Kaneko Date: Fri, 17 Jan 2014 11:22:35 -0400 Subject: defend against keyring errors on certain settings, like a virtualenv with symlinks, I'm getting errors after a suspend, related to a error to connect to the dbus socket. wrapping all of it in a conditional we avoid that kind of error. --- src/leap/bitmask/util/keyring_helpers.py | 30 ++++++++++++++++++++---------- 1 file changed, 20 insertions(+), 10 deletions(-) (limited to 'src/leap/bitmask/util/keyring_helpers.py') diff --git a/src/leap/bitmask/util/keyring_helpers.py b/src/leap/bitmask/util/keyring_helpers.py index b202d47e..ee2d7a1c 100644 --- a/src/leap/bitmask/util/keyring_helpers.py +++ b/src/leap/bitmask/util/keyring_helpers.py @@ -19,19 +19,23 @@ Keyring helpers. """ import logging -import keyring +try: + import keyring + from keyring.backends.file import EncryptedKeyring, PlaintextKeyring + OBSOLETE_KEYRINGS = [ + EncryptedKeyring, + PlaintextKeyring + ] + canuse = lambda kr: (kr is not None + and kr.__class__ not in OBSOLETE_KEYRINGS) -from keyring.backends.file import EncryptedKeyring, PlaintextKeyring - -logger = logging.getLogger(__name__) +except Exception: + # Problems when importing keyring! It might be a problem binding to the + # dbus socket, or stuff like that. + keyring = None -OBSOLETE_KEYRINGS = [ - EncryptedKeyring, - PlaintextKeyring -] - -canuse = lambda kr: kr is not None and kr.__class__ not in OBSOLETE_KEYRINGS +logger = logging.getLogger(__name__) def _get_keyring_with_fallback(): @@ -42,6 +46,8 @@ def _get_keyring_with_fallback(): This is a workaround for the cases in which the keyring module chooses an insecure keyring by default (ie, inside a virtualenv). """ + if not keyring: + return None kr = keyring.get_keyring() if not canuse(kr): try: @@ -61,6 +67,8 @@ def has_keyring(): :rtype: bool """ + if not keyring: + return False kr = _get_keyring_with_fallback() return canuse(kr) @@ -71,5 +79,7 @@ def get_keyring(): :rtype: keyringBackend or None """ + if not keyring: + return False kr = _get_keyring_with_fallback() return kr if canuse(kr) else None -- cgit v1.2.3