VPN-6422: Migrate to XDG Secrets Portal #9922
Conversation
It turns out that the CryptoSettings class really does need to be a singleton, and we run into some gnarly memory corrpution bugs if there is more than one implementation kicking around. So, lets make LinuxCryptoSettings inherit XdgCryptoSettings instead.
For host applications (eg: not in a Flatpak/Snap sandbox), there is some guesswork applied in the XDG Portals to figure out the application ID. If that guess is wrong, then the secrets API will give us a different key because it thinks we are a different application. Unfortunately, this guess goes very wrong when launched via the old /etc/xdg/autostart handlers, which results in the keys getting wiped upon boot. Luckily for us, just switching to the XDG Background portal fixes it for us.
oskirby
requested review from
ahal and
mcleinman
and removed request for
a team
|
r+ for the taskcluster changes, though removing myself so this gets a proper review. |
There was a problem hiding this comment.
A bunch of questions, mostly to make sure I understand this area of the code and the tradeoffs made here.
I'd like this to be a +2 (2 VPN engineers sign off), given the security implications and my limited prior work in this area of the codebase. I'd be comfortable being one of the signoffs after I make sure I'm understanding this - happy to setup time to talk live about my questions, or you're welcome to answer them here - whatever is easier.
| @@ -55,24 +55,24 @@ linux/noble: | |||
| name: linux-noble | |||
| type: build | |||
|
|
|||
| linux/fedora-fc37: | |||
| description: "Linux Build (Fedora/37)" | |||
| linux/fedora-fc39: | |||
There was a problem hiding this comment.
Are we updating versions here?
There was a problem hiding this comment.
This PR enables the XdgPortal class for all Linux builds (no longer just the Flatpaks), which has a dependency on Qt6::GuiPrivate in order to resolve the window handle. It turned out that this dependency doesn't build cleanly on Fedora 37/38.
These versions of Fedora have also been EOL for a couple of months now, so I figured the cleanest solution was just to do an upgrade... but I could be convinced to ignore the problem and do that upgrade in another PR.
There was a problem hiding this comment.
Thanks. That makes sense. Do we need to ensure any help docs or download pages are updated w/ this info?
| @@ -6,20 +6,22 @@ | |||
| #define LINUXCRYPTOSETTINGS_H | |||
|
|
|||
| #include "cryptosettings.h" | |||
There was a problem hiding this comment.
Can this line be removed now?
| auto schema = cryptosettings_get_schema(); | ||
| gchar* password = secret_password_lookup_sync(schema, nullptr, &err, nullptr); | ||
| if (err != nullptr) { | ||
| g_error_free(err); |
There was a problem hiding this comment.
Do we want to log the error in this block, as we do currently?
There was a problem hiding this comment.
Sure, I can put the error message back.
There was a problem hiding this comment.
I've added @lesleyjanenorton to this review - Like I said earlier, given that this is security-related and something I'm not that familiar with, I'd love a second r+ on this one.
r+ from me, thanks for answering a bunch of questions as I get more familiar with this part of the code. I'm not marking "approve" yet so we can't merge it until we get a second reviewer who looks at it.
|
After a bit of research, I think we could workaround the startup quirk by creating a Systemd scope on startup if we find that the application is launched outside of one. Basically we would need to invoke the startTransientUnit() method over D-Bus and request a scope name which matches the XDG desktop portal parser implementation |
Description
We have a steady stream of users reporting that their Linux clients are frequently loosing their settings across reboot. This looks and smells like a failure in the
LinuxCryptoSettingsclass to retrieve the settings encryption keys from thelibsecretAPI. We have seen this before, and it typically results from the user's keyring being locked at the time that they launch the VPN client.Fortunately, there is a better way to generate an application encryption key using the XDG Secrets Portal, and we already have it implemented for Flatpaks. This PR attempts to provide a migration strategy for users who have settings encrypted with
libsecretto switch over to the XDG secrets instead.We accomplish this by doing the following:
CryptoSettings::getKey()method to pass in the encrypted settings file version. This lets us distinguish if a file was encrypted withlibsecretor the XDG portal.LinuxCryptoSettingswith a wrapper that checks for a key inlibsecretto use as a fallback if a V1 file is found, otherwise it just wrapsXdgCryptoSettingsinstead.libsecretonce the user attempts to write a file with an XDG secret.Along the way, we found a bug (or quirk?). When the application is launched via the old
/etc/xdg/autostarthandlers, this results in the application being unassociated with a systemd scope. This means that any attempt to use an XDG portal results in the portals being unable to figure out the application ID. This can result in the application getting a different set of keys than when launched via the.desktopfile. Different keys results in a failure to read the settings files, which results in an apparent loss of settings. Luckily for us, this can be addressed by using the XDG Background Portal for launching at boot... which we also have implemented as a part of the Flatpak work.There is a potential bug in here though, or maybe a just a developer annoyance. Because the XDG secrets portal is sensitive to the application ID (which in turn is derived from the systemd scopes it is launched in). We wind up with different encryption keys if we launch it via the application menu (which winds up with the proper scopes and app IDs) vs. when we start it manually on the command line (which gets no scope).
And there seems to be something odd in the RPM build world that breaks when trying to include the Qt6 private GUI libraries (for the XDG Portal helpers). This doesn't seem to cause problems on Fedora 39 or later, so we have also included an update to the Fedora build images here as well (they were long overdue for an update anyways as the old versions have been EOL for a number of months).
Reference
JIRA Issue: VPN-6422
User bug reports:
Checklist