From: Khushboo Vashi <[email protected]>
To: pgadmin-hackers <[email protected]>
Subject: [pgAdmin4][Patch]- Feature #7012 - disable master password requirement when using alternative auth source
Date: Mon, 11 Apr 2022 11:59:54 +0530
Message-ID: <CAFOhELcrv+Rm0bBmXt1-c8NOpsaxinKi=QQTn491dbcUo2xjZA@mail.gmail.com>

Hi,

Please find the attached patch to implement the feature #7012 - Disable
master password requirement when using alternative auth source

When pgAdmin stores a connection password, it encrypts it using a key that
is formed either from the master password, or from the pgAdmin login
password for the user. In the case of auth methods such as OAuth, Kerberos
or Webserver, pgAdmin doesn't have access to anything long-lived to form
the encryption key from, hence it uses the master password. And if the
master is disabled, there is no way to store the connection password.

To resolve this, we have added an option to config.py (which defaults to
None) for an alternate encryption key. pgAdmin would use this if a) the
master password is disabled AND b) there is no suitable key/password
available from the auth module for the user. If the option is set to None,
pgAdmin works as it does now.

Thanks,
Khushboo

Attachments:
[application/octet-stream] RM_7012.patch (7.2K, 3-RM_7012.patch)
diff --git a/docs/en_US/alternate_encryption_key.rst b/docs/en_US/alternate_encryption_key.rst
new file mode 100644
index 000000000..4bc470a34
--- /dev/null
+++ b/docs/en_US/alternate_encryption_key.rst
@@ -0,0 +1,33 @@
+.. _alternate_encryption_key:
+
+**********************************
+`Alternate Encryption Key`:index:
+**********************************
+
+pgAdmin would use the alternate encryption key to secure and later unlock the saved server
+passwords if the master password is disabled AND there is NO suitable key/password available
+from the authentication module for the user in server mode.
+
+When pgAdmin stores a connection password,
+it encrypts it using a key that is formed either from the master password, or
+from the pgAdmin login password for the user. In the case of authentication methods
+such as OAuth, Kerberos or Webserver, pgAdmin doesn't have access to anything long-lived to
+form the encryption key from, hence it uses the master password and if master password
+is disabled pgAdmin would use the alternate encryption key, if it is set.
+
+
+.. note:: You can set the alternate encryption key by setting the configuration
+ parameter *ALTERNATE_ENCRYPTION_KEY=<Key>*.
+ See :ref:`config_py` for more information on configuration parameters and how
+ they can be changed or enforced across an organisation.
+
+.. note:: If the master password and the alternate encryption key is disabled,
+ then all the saved passwords will be removed.
+
+
+.. warning:: By setting this option, you should be fully aware of the potential security
+ risk of using the same encryption key for multiple users, that may be accessible to
+ sysadmins who would not normally be able to use pgAdmin.
+
+ It is **not recommended** that you use the alternate encryption key instead of master password
+ if you use the *Save Password* option.
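Review bot: The two notes and the warning on this new page never say what form the key value should take, or what happens to passwords that are already saved when ALTERNATE_ENCRYPTION_KEY is later changed or unset. Please add a sentence on choosing the value and on the effect of changing it. In the second note, "the master password and the alternate encryption key is disabled" should read "are disabled", and since the option defaults to None, "not set" describes the key better than "disabled".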
diff --git a/docs/en_US/connecting.rst b/docs/en_US/connecting.rst
index 8d1a3e4cf..df1874c37 100644
--- a/docs/en_US/connecting.rst
+++ b/docs/en_US/connecting.rst
@@ -38,6 +38,13 @@ It is set by the user and can be disabled using config.
master_password
+The Alternate Encryption Key is used to secure and later unlock saved server passwords.
+It is **not recommended** to use the alternate encryption key.
+
+.. toctree::
+
+ alternate_encryption_key
+
After defining a server connection, right-click on the server name, and select
*Connect to server* to authenticate with the server, and start using pgAdmin to
manage objects that reside on the server.
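Review bot: The added sentence in connecting.rst says the Alternate Encryption Key "is used to secure and later unlock saved server passwords" with no condition attached, which reads as if it always applies. State that it is used only in server mode when the master password is disabled and no key is available from the authentication module, and give the reason behind "not recommended" in a few words (one key shared by all users) or point to the warning on the new page. If the master_password line above is itself a toctree entry, the new page could be listed there instead of opening a second toctree.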
diff --git a/docs/en_US/master_password.rst b/docs/en_US/master_password.rst
index ced1c7eb5..48edfdf49 100644
--- a/docs/en_US/master_password.rst
+++ b/docs/en_US/master_password.rst
@@ -5,7 +5,9 @@
************************
A master password is required to secure and later unlock the saved server
-passwords. This is applicable only for desktop mode users.
+passwords. This is applicable for desktop mode users and for the auth methods
+such as OAuth, Kerberos or Webserver where pgAdmin doesn't have access to anything
+long-lived to form the encryption key.
* You are prompted to enter the master password when you open the window for
the first time after starting the application.
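Review bot: The replacement sentence lists "the auth methods such as OAuth, Kerberos or Webserver" without saying these are server mode cases, so the scope is harder to read than the "only for desktop mode users" wording it replaces. Suggest "desktop mode users, and server mode users authenticated through OAuth, Kerberos or Webserver, where pgAdmin doesn't have access to ...". The new alternate_encryption_key page spells out "authentication methods"; use the same wording here.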
@@ -23,15 +25,15 @@ passwords. This is applicable only for desktop mode users.
See :ref:`config_py` for more information on configuration parameters and how
they can be changed or enforced across an organisation.
-.. note:: If the master password is disabled, then all the saved passwords will
- be removed.
+.. note:: If the master password and :ref:`alternate_encryption_key` is disabled,
+ then all the saved passwords will be removed.
.. warning:: If the master password is disabled, then the saved passwords will
- be encrypted using a key which is derived from information within the
- configuration database. Use of a master password ensures that the encryption
- key does not need to be stored anywhere, and thus prevents possible access
- to server credentials if the configuration database becomes available to an
- attacker.
+ be encrypted using the :ref:`alternate_encryption_key` or a key which is derived
+ from information within the configuration database. Use of a master password
+ ensures that the encryption key does not need to be stored anywhere, and thus
+ prevents possible access to server credentials if the configuration database
+ becomes available to an attacker.
It is **strongly** recommended that you use the master password if you use
the *Save Password* option.
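Review bot: The rewritten warning still describes the exposure only as the configuration database becoming available to an attacker, but the alternate key is a value set in config.py, not something held in that database. After "Use of a master password ensures that the encryption key does not need to be stored anywhere", add that the alternate key is stored in the configuration file and is shared by all users. In the note above it, "and :ref:`alternate_encryption_key` is disabled" should be "are disabled", and the note and the warning should be reconciled, since one says saved passwords are removed and the other says they are encrypted with a derived key.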
diff --git a/web/config.py b/web/config.py
index f8733fe0a..14e3b3ec0 100644
--- a/web/config.py
+++ b/web/config.py
@@ -553,6 +553,27 @@ ALLOW_SAVE_TUNNEL_PASSWORD = False
##########################################################################
MASTER_PASSWORD_REQUIRED = True
+##########################################################################
+# When pgAdmin stores a connection password,
+# it encrypts it using a key that is formed either from the master password, or
+# from the pgAdmin login password for the user.
+#
+# In the case of auth methods such as OAuth or Kerberos, pgAdmin
+# doesn't have access to anything long-lived to form the encryption key from,
+# hence it uses the master password.
+
+# So, pgAdmin would use this alternate encryption key if
+# a) the master password is disabled
+# AND
+# b) there is NO suitable key/pass available from the auth module for the user.
+
+# By setting this option, you should fully aware of the potential security
+# risk of using the same encryption key for multiple users,
+# that may be accessible to sysadmins who would not normally
+# be able to use pgAdmin.
+##########################################################################
+ALTERNATE_ENCRYPTION_KEY = None
+
##########################################################################
# Allows pgAdmin4 to create session cookies based on IP address, so even
# if a cookie is stolen, the attacker will not be able to connect to the
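Review bot: The comment block above ALTERNATE_ENCRYPTION_KEY does not say what type or form of value is expected, and both code hunks in this patch test the setting by truthiness, so an empty string behaves the same as None; say so in the comment. "you should fully aware" is missing "be", and the list "OAuth or Kerberos" omits Webserver, which the documentation in this patch includes. The two blank lines inside the block should carry a "#" like the one after the first paragraph, so the comment stays one unit.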
diff --git a/web/pgadmin/browser/__init__.py b/web/pgadmin/browser/__init__.py
index 4a7e18eb0..4525206ee 100644
--- a/web/pgadmin/browser/__init__.py
+++ b/web/pgadmin/browser/__init__.py
@@ -750,7 +750,8 @@ def index():
auth_source = session['auth_source_manager'][
'source_friendly_name']
- if not config.MASTER_PASSWORD_REQUIRED and 'pass_enc_key' in session:
+ if not config.MASTER_PASSWORD_REQUIRED and 'pass_enc_key' in session\
+ and not config.ALTERNATE_ENCRYPTION_KEY:
session['allow_save_password'] = False
response = Response(render_template(
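Review bot: The condition still requires 'pass_enc_key' in session before setting allow_save_password to False, which reads as the opposite of case (b) in the description, where the alternate key is meant for users with no key available from the auth module. Please confirm whether the intended test is 'pass_enc_key' not in session, and add a comment stating exactly when saving is disabled. The backslash continuation would also read better as a parenthesised condition.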
diff --git a/web/pgadmin/utils/master_password.py b/web/pgadmin/utils/master_password.py
index 27db924cf..ba00963a7 100644
--- a/web/pgadmin/utils/master_password.py
+++ b/web/pgadmin/utils/master_password.py
@@ -33,6 +33,9 @@ def get_crypt_key():
elif config.MASTER_PASSWORD_REQUIRED \
and enc_key is None:
return False, None
+ elif not config.MASTER_PASSWORD_REQUIRED and config.SERVER_MODE and \
+ config.ALTERNATE_ENCRYPTION_KEY:
+ return True, config.ALTERNATE_ENCRYPTION_KEY
elif not config.MASTER_PASSWORD_REQUIRED and config.SERVER_MODE and \
'pass_enc_key' in session:
return True, session['pass_enc_key']
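Review bot: The new elif sits before the 'pass_enc_key' in session branch, so whenever ALTERNATE_ENCRYPTION_KEY is set it is returned even for users who do have a session key. That contradicts condition (b) in the description and in config.py ("there is NO suitable key/pass available from the auth module"). Move it after the session-key branch so the shared key is only a fallback; as written, every server mode user's saved passwords fall under the one shared key once the option is set, which widens the risk the warning describes.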