Hi Dave,

On Tue, Oct 11, 2016 at 9:10 PM, Dave Page <dp...@pgadmin.org> wrote:

> Hi Ashesh,
>
> Can you please review the attached patch, and apply if you're happy with
> it?
>
Overall the patch looked good to me.
But - I encounter an issue in 'web' mode, which won't happen with 'runtime'.

Steps for reproduction on existing pgAdmin 4 environment with 'web' mode.
- Apply the patch
- Start the pgAdmin4 application (stand-alone application).
- Open pgAdmin home page.
- Log out (if already logged in).

And, you will see an exception.

I have figured out the issue with the patch.
We were setting the SECURITY_PASSWORD_SALT, after initializing the Security
object.
Hence - it could not set the SECURITY_KEY, and SECURITY_PASSWORD_SALT
properly.

I had moved the Security object initialization after fetching these
configurations from the database.
I have attached an add-on patch for the same.

Now - I run into another issue.
Because - the existing password was hashed using the old
SECURITY_PASSWORD_SALT, I am no longer able to log in to pgAdmin 4.

I think - we need to think about a different strategy for upgrading the
configuration file in the 'web' mode.
I was thinking - we can store the existing security configurations in the
database during upgrade process in 'web' mode.

I was not able to spend much time on it due to some other priorities.

--
Thanks & Regards,
Ashesh Vashi
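As an added illustration (not code from the patch or from pgAdmin itself), the following self-contained Python sketch reproduces the two problems described above: the security extension reading SECURITY_PASSWORD_SALT before it has been loaded from the database, and pre-upgrade password hashes failing to verify once the salt is regenerated instead of carried over. It assumes a dict-backed stand-in for the SQLite keys table and for config_local.py, and PBKDF2 stands in for Flask-Security's real hashing scheme.

```python
import hashlib
import hmac
import os


def bootstrap_security_config(db, existing_config):
    """Decide SECRET_KEY and SECURITY_PASSWORD_SALT at startup.

    db stands in for the SQLite keys table, existing_config for values an
    admin set in config_local.py before the upgrade (both constructed dicts).
    Stored values win; otherwise an existing configured value is carried over
    so old password hashes still verify; only a fresh install gets os.urandom."""
    for key in ("SECRET_KEY", "SECURITY_PASSWORD_SALT"):
        if key not in db:
            db[key] = existing_config.get(key) or os.urandom(32).hex()
    return db["SECRET_KEY"], db["SECURITY_PASSWORD_SALT"]


class SecurityLike:
    """Stand-in for an extension that reads the salt once, when created."""

    def __init__(self, config):
        self.salt = config.get("SECURITY_PASSWORD_SALT")


def hash_password(password, salt):
    # Assumption: PBKDF2-HMAC-SHA256 stands in for Flask-Security's scheme.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 50_000).hex()


def verify_password(password, salt, stored_hash):
    return hmac.compare_digest(hash_password(password, salt), stored_hash)


def simulate(order, preserve_existing):
    """order='security_first' reproduces the ordering bug, 'config_first' the
    fix; preserve_existing says whether the upgrade keeps the old salt."""
    old_config = {"SECRET_KEY": "old-key", "SECURITY_PASSWORD_SALT": "old-salt"}
    stored_hash = hash_password("pgadmin", old_config["SECURITY_PASSWORD_SALT"])
    db, config = {}, {}  # empty keys table: first start after the upgrade
    carried = old_config if preserve_existing else {}
    if order == "security_first":
        security = SecurityLike(config)  # salt not loaded yet -> None
        config["SECRET_KEY"], config["SECURITY_PASSWORD_SALT"] = bootstrap_security_config(db, carried)
    else:
        config["SECRET_KEY"], config["SECURITY_PASSWORD_SALT"] = bootstrap_security_config(db, carried)
        security = SecurityLike(config)
    if security.salt is None:
        return "no_salt"  # extension never saw the salt: the 'web' mode failure
    if verify_password("pgadmin", security.salt, stored_hash):
        return "login_ok"
    return "login_fails"  # hash made with the old salt no longer matches
```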


> The purpose is to auto-generate the various security keys that are
> currently in the configuration file, and store them in the SQLite database.
> This allows us to remove the checks for config_local.py and the hard-coded
> default keys which are causing some problems with packaging:
>
> - Hard coded defaults are fine for Desktop mode, and packages generally
> aim to make that work primarily.
> - Hard coded defaults are a security risk for Server mode, hence we
> currently require the user to manually set up keys, which is currently being
> overridden by packagers for Desktop mode.
>
> This change ensures that we have unique security keys for every
> installation, whether running in desktop or server mode (generated from
> os.urandom).
>
> Thanks!
>
>
> --
> Dave Page
> Blog: http://pgsnake.blogspot.com
> Twitter: @pgsnake
>
> EnterpriseDB UK: http://www.enterprisedb.com
> The Enterprise PostgreSQL Company
>
>

Attachment: add_auto_generate_security_keys.patch

-- 
Sent via pgadmin-hackers mailing list (pgadmin-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgadmin-hackers
