From: Dave Page
Date: Sat, 15 Oct 2016 03:32:22 +0100
Subject: Re: RM1849: Auto-generating security keys
To: Ashesh Vashi
Cc: pgadmin-hackers, Josh Berkus, Devrim GÜNDÜZ, Magnus Hagander

Hi

On Friday, October 14, 2016, Dave Page wrote:

> Hi
>
> On Thursday, October 13, 2016, Ashesh Vashi wrote:
>
>> Hi Dave,
>>
>> On Tue, Oct 11, 2016 at 9:10 PM, Dave Page wrote:
>>
>>> Hi Ashesh,
>>>
>>> Can you please review the attached patch, and apply if you're happy with
>>> it?
>>>
>> Overall the patch looked good to me.
>> But - I encounter an issue in 'web' mode, which won't happen with
>> 'runtime'.
>>
>> Steps for reproduction on existing pgAdmin 4 environment with 'web' mode.
>> - Apply the patch
>> - Start the pgAdmin4 application (stand alone application).
>> - Open pgAdmin home page.
>> - Log out (if already logged in).
>>
>> And, you will see an exception.
>>
>> I have figured out the issue with the patch.
>> We were setting the SECURITY_PASSWORD_SALT, after initializing the
>> Security object.
>> Hence - it could not set the SECURITY_KEY, and SECURITY_PASSWORD_SALT
>> properly.
>>
>
> Hmm.
>
>>
>> I had moved the Security object initialization after fetching these
>> configurations from the database.
>> I have attached an addon patch for the same.
>>
>
> OK, thanks.
>
>>
>> Now - I run into another issue.
>> Because - the existing password was hashed using the old
>> SECURITY_PASSWORD_SALT, I am no longer able to log in to pgAdmin 4.
>>
>> I think - we need to think about a different strategy for upgrading the
>> configuration file in the 'web' mode.
>> I was thinking - we can store the existing security configurations in the
>> database during the upgrade process in 'web' mode.
>>
>
> My concern with that is that we'll likely be storing the default config
> values in many cases, thus for those users, perpetuating the problem.
>
> I guess what we need to do is re-encrypt the password during the upgrade -
> however, that makes me think; we then have both the key and the encrypted
> passwords in the same database which is clearly not a good idea. Sigh...
> Needs more thought.
>

OK, so I've been thinking about this and experimenting for a couple of hours, as well as annoying the crap out of Magnus by thinking out loud in his general direction, and it looks like this isn't a major problem as from what I can see, SECURITY_PASSWORD_SALT is (aside from really being a key not a salt) not the only salting that's done.

It looks like it's used system-wide as the key to generate an HMAC of the user's password, which is then passed to passlib which salts and hashes it. I did some testing, and found that two users with the same password end up with different hashes in the database, so clearly there is also per-user salting happening. I also created two users, then dropped the database and created the same user accounts with the same passwords again, and found that the resulting hashes were different in both databases - thus there is something else ensuring the hashes are unique across different installations/databases.

So, I believe we can do as you suggest and migrate existing values for SECURITY_PASSWORD_SALT, given that there's clearly some other per user and per installation/database salting going on anyway. New installations can have the random value for SECURITY_PASSWORD_SALT.

I don't believe SECURITY_KEY and CSRF_SESSION_KEY are issues either, as they're used for purposes that are essentially ephemeral, and thus can be changed during an upgrade.

Adding Magnus as I'd appreciate any thoughts he may have.

Patch attached - please review (Ashesh, but others too would be appreciated)!

Thanks.

--
Dave Page
Blog: http://pgsnake.blogspot.com
Twitter: @pgsnake

EnterpriseDB UK: http://www.enterprisedb.com
The Enterprise PostgreSQL Company

Attachment: auto_generate_security_keys_v2.patch (text/x-diff)
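The two-stage scheme the message describes (an installation-wide key used to HMAC the password, whose output is then salted and hashed), modelled as an added example that is not part of the original e-mail or of pgAdmin's code. Assumptions: HMAC-SHA512 with base64 output for the first stage, the standard library's PBKDF2 standing in for passlib, and a constructed storage format, key and password.

```python
import base64
import hashlib
import hmac
import os
import secrets

ROUNDS = 25_000  # constructed work factor, kept low so the demo runs quickly


def keyed_digest(password: str, site_key: bytes) -> bytes:
    """Stage 1: HMAC the password with the installation-wide key.

    This is the role the message assigns to SECURITY_PASSWORD_SALT: a key,
    identical for every user, not a salt. SHA-512 and base64 are assumptions.
    """
    mac = hmac.new(site_key, password.encode("utf-8"), hashlib.sha512)
    return base64.b64encode(mac.digest())


def hash_password(password: str, site_key: bytes) -> str:
    """Stage 2: salted, iterated hash with a fresh random salt per call."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha512", keyed_digest(password, site_key), salt, ROUNDS)
    return f"pbkdf2-sha512${ROUNDS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str, site_key: bytes) -> bool:
    """Recompute both stages using the salt and rounds kept in the stored string."""
    try:
        scheme, rounds, salt_hex, dk_hex = stored.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(dk_hex)
        rounds_n = int(rounds)
    except ValueError:
        return False  # malformed record: reject rather than raise
    if scheme != "pbkdf2-sha512" or rounds_n < 1:
        return False
    dk = hashlib.pbkdf2_hmac("sha512", keyed_digest(password, site_key), salt, rounds_n)
    return hmac.compare_digest(dk, expected)


def new_site_key() -> bytes:
    """Random key for a new installation (32 bytes of CSPRNG output)."""
    return secrets.token_urlsafe(32).encode("ascii")


def upgrade_outcomes() -> dict:
    """Replay the experiments from the thread against this model."""
    old_key = b"constructed-pre-upgrade-key"  # constructed sample value
    password = "constructed-password"         # constructed sample value

    alice = hash_password(password, old_key)
    bob = hash_password(password, old_key)        # same password, second user
    recreated = hash_password(password, old_key)  # same account after a DB rebuild

    return {
        "same_password_same_hash": alice == bob,
        "rebuild_same_hash": alice == recreated,
        "login_with_migrated_key": verify_password(password, alice, old_key),
        "login_with_regenerated_key": verify_password(password, alice, new_site_key()),
        "wrong_password": verify_password("not-the-password", alice, old_key),
    }


if __name__ == "__main__":
    for name, value in upgrade_outcomes().items():
        print(f"{name}: {value}")
```

In this model the random per-hash salt alone makes the stored values differ between users and between database rebuilds, while the stage-1 key is an input to every stored hash: carrying it across the upgrade keeps existing logins working, and regenerating it invalidates them.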