[frameworks-kwallet] [Bug 459287] New: KWallet/Secret Service: inconsistent locked/unlocked state of wallets.

Sat, 17 Sep 2022 08:36:40 -0700 

https://bugs.kde.org/show_bug.cgi?id=459287

            Bug ID: 459287
           Summary: KWallet/Secret Service: inconsistent locked/unlocked
                    state of wallets.
    Classification: Unclassified
           Product: frameworks-kwallet
           Version: 5.98.0
          Platform: Neon
                OS: Linux
            Status: REPORTED
          Severity: normal
          Priority: NOR
         Component: general
          Assignee: va...@kde.org
          Reporter: mk.mat...@gmail.com
                CC: kdelibs-b...@kde.org
  Target Milestone: ---

SUMMARY
Locking/unlocking a wallet in KWalletManager (presumably via the old
`org.kde.kwalletd5` API), in Seahorse (via Secret Service API), and via
`secret-tool` (`libsecret`, Secret Service API) do not agree on what is locked
or unlocked.

To summarize the steps to reproduce, just try locking/unlocking from
KWalletManager, Seahorse, and secret-tool/libsecret/DBus, and observe the
result in those three places. All the clients should always agree on the
locked/unlocked state, but they do not. Detailed steps follow:

STEPS TO REPRODUCE

(preparation)
1. Set up KWallet with Secret Service integration, install Seahorse and
secret-tool.
2. Create a wallet in KWalletManager (I used a blowfish wallet), add some
passwords, and save changes.
3. Lock the wallet in KWalletManager, and restart `kwalletd5`.

(tests)
4. Run `qdbus org.freedesktop.secrets` in a terminal, inspect the wallet in
KWalletManager and in Seahorse.
5. Unlock the wallet in KWalletManager (do NOT resteart `kwalletd5`).
6. Repeat step 4.
7. Unlock the wallet in Seahorse.
8. Repeat step 4.
9. Lock the wallet again in KWalletManager (do NOT resteart `kwalletd5`).
10. Repeat step 4.
11. Unlock the wallet in Seahorse.
12. Repeat step 4.
13. Lock the wallet in Seahorse.
14. Repeat step 4.
15. Restart `kwalletd5`.
16. Repeat step 4.
17. Run `echo -n 'mypass' | secret-tool store --label=testfdo attr1 val1` in a
terminal (this will ask to unlock).
18. Repeat step 4.
19. Run `dbus-send --session --type=method_call --dest=org.freedesktop.secrets
/org/freedesktop/secrets org.freedesktop.Secret.Service.Lock
array:objpath:/org/freedesktop/secrets/aliases/default` in a terminal.
20. Repeat step 4.

OBSERVED RESULT

4. `qdbus org.freedesktop.secrets` doesn't list items (no entries of the form
`/org/freedesktop/secrets/collection/<wallet>/<item-index>`), KWalletManager
and Seahorse show the wallet as locked (correct behavior, since we restarted
`kwalletd5` in step 3).
6. KWalletManager shows unlocked, Seahorse shows locked, `qdbus
org.freedesktop.secrets` doesn't list any items.
7. Seahorse doesn't ask for a password, since the wallet is actually already
unlocked.
8. KWalletManager and Seahorse both show unlocked, `qdbus
org.freedesktop.secrets` lists the item paths (correct).
10. KWalletManager and Seahorse both show locked without restarting either
(correct), `qdbus org.freedesktop.secrets` still lists the items (not correct).
12. Now Seahorse shows unlocked, but KWalletManager shows locked. `qdbus
org.freedesktop.secrets` lists the item paths. After KWalletManager is
restarted, it shows unlocked as well.
14. KWalletManager and Seahorse both show locked without restarting either
(correct), `qdbus org.freedesktop.secrets` still lists the items (not correct).
16. KWalletManager and Seahorse both show locked, `qdbus
org.freedesktop.secrets` doesn't list any items (correct).
18. `qdbus org.freedesktop.secrets` lists the item paths, including the new one
(correct), Seahorse shows unlocked and lists all items without restarting
(correct), KWalletManager still shows locked (not correct). After
KWalletManager is restarted, it shows unlocked as well (and lists the new
item).
20. KWalletManager and Seahorse both show locked without restarting either
(correct), `qdbus org.freedesktop.secrets` still lists the items (not correct).
Correct behavior is restored after restarting `kwalletd5`.

EXPECTED RESULT

4. (as observed)
6. KWalletManager and Seahorse should both show UNlocked, `qdbus
org.freedesktop.secrets` should list the item paths.
7. (should not be necessary)
8. (as observed)
10. KWalletManager and Seahorse should both show locked, `qdbus
org.freedesktop.secrets` should NOT list the item paths.
12. KWalletManager and Seahorse should both show unlocked without restarting,
`qdbus org.freedesktop.secrets` should list the item paths.
14. KWalletManager and Seahorse should both show locked, `qdbus
org.freedesktop.secrets` should NOT list the item paths.
16. (as observed)
18. KWalletManager and Seahorse should both show unlocked without restarting,
`qdbus org.freedesktop.secrets` should list the item paths. All should show the
new item.
20. KWalletManager and Seahorse should both show locked, `qdbus
org.freedesktop.secrets` should NOT list the item paths. Restarting `kwalletd5`
should not be necessary.

SOFTWARE/OS VERSIONS

Linux/KDE Plasma: KDE Neon User 20220825-0951 live DVD
(after updating Qt libraries and KWallet)
KDE Frameworks Version: 5.98.0
KWalletManager: 22.08.1
Seahorse: 3.36-1
libsecret: 0.20.4
libsecret-tools: 0.20.4
KDE Plasma Version: 5.25.4
Qt Version: 5.15.5

ADDITIONAL INFORMATION

- `dbus-monitor "destination=org.freedesktop.secrets"
"sender=org.freedesktop.secrets"` suggests that KWalletManager lock/unlock
function does not make the corresponding calls to Secret Service API. There's
too much other noise in the output, so I'm not attaching it here.
- Steps 7 and 11 unlock specifically the selected collection (object path
`/org/freedesktop/secrets/collection/<wallet>`). No Dbus calls to the old
KWallet API.
- Step 13 locks specifically the selected collection (object path
`/org/freedesktop/secrets/collection/<wallet>`). Some signals raised to
`/modules/kwalletd5` such as `member=walletClosed`.
- Step 17 unlocks the "default" alias (object path
`/org/freedesktop/secrets/aliases/default`).

The weirdest result is in steps 10, 14, and 20, where Seahorse and DBus
disagree through the same API. The rest is disagreements between the Secret
Service and `org.kde.kwalletd5` APIs, since they're not synced correctly by
`kwalletd5`.

`dbus-monitor` output for main command of...

Steps 7 and 11 (unlock in Seahorse):
> method call time=1663418218.492113 sender=:1.234 -> destination=:1.225 
> serial=36 path=/org/freedesktop/secrets; 
> interface=org.freedesktop.Secret.Service; member=Unlock
>    array [
>       object path "/org/freedesktop/secrets/collection/test_2dblowfish"
>    ]

Step 13 (lock in Seahorse):
> method call time=1663419939.833426 sender=:1.243 -> destination=:1.225 
> serial=58 path=/org/freedesktop/secrets; 
> interface=org.freedesktop.Secret.Service; member=Lock
>    array [
>       object path "/org/freedesktop/secrets/collection/test_2dblowfish"
>    ]

Step 17 (unlock via `secret-tool store`):
> method call time=1663423628.991238 sender=:1.279 -> destination=:1.271 
> serial=10 path=/org/freedesktop/secrets; 
> interface=org.freedesktop.Secret.Service; member=Unlock
>    array [
>       object path "/org/freedesktop/secrets/aliases/default"
>    ]

-- 
You are receiving this mail because:
You are watching all bug changes.

Reply via email to