From: Ashesh Vashi
Date: Wed, 19 Oct 2016 11:16:26 +0530
Subject: Re: RM1849: Auto-generating security keys
To: Dave Page
Cc: pgadmin-hackers, Josh Berkus, Devrim GÜNDÜZ, Magnus Hagander

Hi Dave,

On Sat, Oct 15, 2016 at 8:02 AM, Dave Page wrote:

> Hi
>
>
> On Friday, October 14, 2016, Dave Page wrote:
>
>> Hi
>>
>> On Thursday, October 13, 2016, Ashesh Vashi <
>> ashesh.vashi@enterprisedb.com> wrote:
>>
>>> Hi Dave,
>>>
>>> On Tue, Oct 11, 2016 at 9:10 PM, Dave Page wrote:
>>>
>>>> Hi Ashesh,
>>>>
>>>> Can you please review the attached patch, and apply if you're happy
>>>> with it?
>>>>
>>> Overall the patch looked good to me.
>>> But - I encounter an issue in 'web' mode, which won't happen with
>>> 'runtime'.
>>>
>>> Steps for reproduction on existing pgAdmin 4 environment with 'web' mode.
>>> - Apply the patch
>>> - Start the pgAdmin4 application (stand alone application).
>>> - Open pgAdmin home page.
>>> - Log out (if already logged in).
>>>
>>> And, you will see an exception.
>>>
>>> I have figured out the issue with the patch.
>>> We were setting the SECURITY_PASSWORD_SALT, after initializing the
>>> Security object.
>>> Hence - it could not set the SECURITY_KEY, and SECURITY_PASSWORD_SALT
>>> properly.
>>>
>>
>> Hmm.
>>
>>
>>>
>>> I had moved the Security object initialization after fetching these
>>> configurations from the database.
>>> I have attached an addon patch for the same.
>>>
>>
>> OK, thanks.
>>
>>
>>>
>>> Now - I run into another issue.
>>> Because - the existing password was hashed using the old
>>> SECURITY_PASSWORD_SALT, I am no longer able to log in to pgAdmin 4.
>>>
>>> I think - we need to think about a different strategy for upgrading the
>>> configuration file in the 'web' mode.
>>> I was thinking - we can store the existing security configurations in
>>> the database during the upgrade process in 'web' mode.
>>>
>>
>> My concern with that is that we'll likely be storing the default config
>> values in many cases, thus for those users, perpetuating the problem.
>>
>> I guess what we need to do is re-encrypt the password during the upgrade
>> - however, that makes me think; we then have both the key and the encrypted
>> passwords in the same database which is clearly not a good idea. Sigh...
>> Needs more thought.
>>
>
> OK, so I've been thinking about this and experimenting for a couple of
> hours, as well as annoying the crap out of Magnus by thinking out loud in
> his general direction, and it looks like this isn't a major problem as from
> what I can see, SECURITY_PASSWORD_SALT is (aside from really being a key
> not a salt) not the only salting that's done.
>
> It looks like it's used system-wide as the key to generate an HMAC of the
> user's password, which is then passed to passlib which salts and hashes it.
> I did some testing, and found that two users with the same password end up
> with different hashes in the database, so clearly there is also per-user
> salting happening. I also created two users, then dropped the database and
> created the same user accounts with the same passwords again, and found
> that the resulting hashes were different in both databases - thus there is
> something else ensuring the hashes are unique across different
> installations/databases.
>
> So, I believe we can do as you suggest and migrate existing values for
> SECURITY_PASSWORD_SALT, given that there's clearly some other per user and
> per installation/database salting going on anyway. New installations can
> have the random value for SECURITY_PASSWORD_SALT.
>

We do not need to generate the random SECURITY_PASSWORD_SALT during upgrade
mode, which was wrongly added in my addon patch.

Please find the updated patch.

Otherwise - looks good to me.
Please commit the new patch (if you're ok with the change).

--

Thanks & Regards,

Ashesh Vashi
EnterpriseDB INDIA: Enterprise PostgreSQL Company

http://www.linkedin.com/in/asheshvashi

>
> I don't believe SECURITY_KEY and CSRF_SESSION_KEY are issues either, as
> they're used for purposes that are essentially ephemeral, and thus can be
> changed during an upgrade.
>
> Adding Magnus as I'd appreciate any thoughts he may have.
>
> Patch attached - please review (Ashesh, but others too would be
> appreciated)!
>
> Thanks.
>
>
> --
> Dave Page
> Blog: http://pgsnake.blogspot.com
> Twitter: @pgsnake
>
> EnterpriseDB UK: http://www.enterprisedb.com
> The Enterprise PostgreSQL Company
>

Attachment: auto_generate_security_keys_v3.patch
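
The scheme described in the quoted text above (a system-wide key used to HMAC the password, followed by a per-user salted hash) and the login failure that follows when that key changes, as an added example that is not part of the original message or of pgAdmin's code. hashlib's PBKDF2-HMAC-SHA512 stands in for passlib here; the function names, iteration count, storage format and key values are assumptions constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import os

ROUNDS = 25_000  # constructed iteration count for the demo, not pgAdmin's setting


def peppered(password, site_key):
    """HMAC the password under the installation-wide key.

    site_key plays the role the thread assigns to SECURITY_PASSWORD_SALT:
    a key shared by every account, not a per-user salt.
    """
    mac = hmac.new(site_key.encode(), password.encode(), hashlib.sha512)
    return base64.b64encode(mac.digest())


def hash_password(password, site_key, salt=None):
    """Second stage: a fresh random salt per stored hash, then a slow KDF."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha512", peppered(password, site_key), salt, ROUNDS)
    return "$".join([str(ROUNDS),
                     base64.b64encode(salt).decode(),
                     base64.b64encode(dk).decode()])


def verify_password(password, site_key, stored):
    """Recompute with the stored salt; succeeds only if site_key is unchanged."""
    rounds, salt_b64, dk_b64 = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha512", peppered(password, site_key),
                             base64.b64decode(salt_b64), int(rounds))
    return hmac.compare_digest(dk, base64.b64decode(dk_b64))


def new_site_key():
    """Random key for a fresh installation (hypothetical helper)."""
    return base64.urlsafe_b64encode(os.urandom(32)).decode()


def upgrade_site_key(existing_key):
    """Rule the thread settles on: keep the existing value when upgrading,
    generate a random one only when there is nothing to migrate."""
    return existing_key if existing_key is not None else new_site_key()


def demo():
    old_key = "constructed-old-site-key"  # constructed pre-upgrade value
    alice = hash_password("correct horse", old_key)
    bob = hash_password("correct horse", old_key)
    return {
        # Per-hash random salt: same password, same key, different rows.
        "same_password_distinct_hashes": alice != bob,
        # Migrating the old key keeps existing accounts usable.
        "login_with_migrated_key": verify_password(
            "correct horse", upgrade_site_key(old_key), alice),
        # Replacing the key during upgrade locks out every existing account.
        "login_after_key_replaced": verify_password(
            "correct horse", new_site_key(), alice),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```
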