keepassxreboot / keepassxc

KeePassXC is a cross-platform community-driven port of the Windows application “Keepass Password Safe”.
https://keepassxc.org/

KeepassXC 2.7.0 not remembering Access Request selection with secret service request, prompts every time before supplying secret #7623

Closed ioogithub closed 2 years ago

ioogithub commented 2 years ago

Overview

I am using Keepassxc to pass secrets to gpg agent via the secret service function. In previous versions this worked as expected. In 2.7 I am prompted with an Access Request every time a secret is requested.

Three buttons are presented in this Access request dialogue:

I select "Allow All & Future" and Keepass provided the secret.

The next time the same secret is requested, Keepass presents this dialog again and does not remember the Allow All & Future selection.

Note: This existing entry was already working with the previous version of Keepass, so this bug was introduced in version 2.7.0.

Steps to Reproduce

  1. Clear gpg agent to ensure a request is made to keepass: echo RELOADAGENT | gpg-connect-agent
  2. Make a request for a secret from an app.
  3. The keepass dialogue box "KeepassXC - Access Request" will open.
  4. Select "Allow All & Future".
  5. Observe that Keepass successfully supplies the secret to the app.
  6. Repeat steps 1-3.
  7. Observe that Keepass did not remember the Allow All & Future setting and prompts every time for the request.

Expected Behavior

I expect Keepass will remember the request as it did in previous versions.

Actual Behavior

Keepass prompts for action every time a secret is requested.

Context

Bug only appears in the latest version of keepass.

KeePassXC - 2.7.0 Revision: --

Operating System: Linux
Desktop Env: KDE Neon
Windowing System: X11

droidmonkey commented 2 years ago

Duplicate

ioogithub commented 2 years ago

I can't find the issue report that is a duplicate of this one, can you link it?

Has a fix been issued, or should I revert to the previous version?

droidmonkey commented 2 years ago

It is on the first page of issues, reported within the past two days:

https://github.com/keepassxreboot/keepassxc/issues?q=is%3Aissue+is%3Aopen+sort%3Aupdated-desc+label%3A%22feature%3A+Secret+Service%22

ioogithub commented 2 years ago

I looked at each result from that search and I am still not sure which issue it is. Is it this one: https://github.com/keepassxreboot/keepassxc/issues/7571

This issue is tagged as a "new feature", but my submission is definitely a bug. This feature worked perfectly in several previous versions and is broken now. I can't have keepass prompting me hundreds of times a day every time I need to use it.

I forgot to mention in my original report that the dialogue box that appears every time now has a "remember" checkbox; it is checked, however the remember checkbox is not remembered. This is the issue. This worked before and is broken now.

I build much of my system around keepassxc, using all of the features. I use it heavily and I need it to work reliably. I got this 2.7.0 update unexpectedly when I did a dist-upgrade. Is it possible to downgrade to the previous version? I am on KDE Neon, which is based on Ubuntu.

droidmonkey commented 2 years ago

That's the one, you will have to disable authorization requests to prevent this problem for now.

ioogithub commented 2 years ago

That's the one, you will have to disable authorization requests to prevent this problem for now.

How can I do this? Is it one of the settings under Settings->Secret Service->General?

Which setting is it?

I still need the application (Kmail) to be able to get the secrets from Keepass. Will disabling these requests disable the functionality?

droidmonkey commented 2 years ago

The one that disables asking for confirmation. Just try them; you won't break anything. You can always put it back.

ioogithub commented 2 years ago

Okay, I think it appears to be "Confirm when passwords are retrieved by clients"? Can you confirm?

Other than that feature request issue I linked to above, is there more information or discussion on these changes to the secret service function of keepass?

droidmonkey commented 2 years ago

Yes, that's the one. We don't have formal documentation of secret service yet.

tazer4 commented 1 year ago

I've had this issue since even before 2.7.0 whatever that was. I also have "confirm when passwords are retrieved by clients" unchecked completely and it still asks for confirmation every time despite checking "remember and allow all and in the future", for example when opening my chromium browser. Is this a new bug or the same?

This guy seems to have the same problem: Originally posted by @gnrlus in https://github.com/keepassxreboot/keepassxc/issues/7681#issuecomment-1079950237

mormegil-cz commented 1 year ago

I believe the problem is in UnlockPrompt::unlockItems where the code tests whether client->itemKnown(uuid) and then if !client->itemAuthorized(uuid). However: while DBusClient::itemAuthorized takes into account the FdoSecrets::settings()->confirmAccessItem() setting, DBusClient::itemKnown does not.

Which means the code in unlockItems ignores the setting and always needs to ask for the confirmation.

I am not sure which of the two places is the correct one to add the check: either DBusClient::itemKnown should always return true when FdoSecrets::settings()->confirmAccessItem() is unset, or UnlockPrompt::unlockItems should check for the setting as well. I tested the latter variant and this seems to work:

diff --git a/src/fdosecrets/objects/Prompt.cpp b/src/fdosecrets/objects/Prompt.cpp
index bd01de89..e89cd499 100644
--- a/src/fdosecrets/objects/Prompt.cpp
+++ b/src/fdosecrets/objects/Prompt.cpp
@@ -23,6 +23,7 @@
 #include "fdosecrets/objects/Session.h"
 #include "fdosecrets/widgets/AccessControlDialog.h"

+#include "FdoSecretsSettings.h"
 #include "core/Entry.h"
 #include "gui/MessageBox.h"

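Review bot: The new include "FdoSecretsSettings.h" is written without the "fdosecrets/" directory prefix that the neighbouring includes in this hunk use ("fdosecrets/objects/Session.h", "fdosecrets/widgets/AccessControlDialog.h"), and it is dropped into the "core/" and "gui/" group rather than next to the other fdosecrets headers. Please confirm the path resolves as written for every build configuration and, if the header lives under fdosecrets/, spell it as `#include "fdosecrets/FdoSecretsSettings.h"` and move it up into the fdosecrets group so the include ordering stays consistent.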
@@ -298,7 +299,7 @@ namespace FdoSecrets
                 }
                 auto entry = item->backend();
                 auto uuid = entry->uuid();
-                if (client->itemKnown(uuid)) {
+                if (client->itemKnown(uuid) || !FdoSecrets::settings()->confirmAccessItem()) {
                     if (!client->itemAuthorized(uuid)) {
                         m_numRejected += 1;
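Review bot: The widened condition `if (client->itemKnown(uuid) || !FdoSecrets::settings()->confirmAccessItem())` is only correct because, as the comment above states, DBusClient::itemAuthorized already returns true when confirmAccessItem() is unset; if that ever changes, every unknown item would fall straight into the `m_numRejected += 1` branch and be silently rejected instead of prompted for while confirmation is disabled. Either document that coupling with a comment on this line, or take the alternative the author mentions and put the setting check inside DBusClient::itemKnown so both predicates honour the setting in one place. The setting is also evaluated once per item inside the loop; reading it into a local before the loop would make the per-item decision easier to follow.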