r-lib / keyring

:closed_lock_with_key: Access the system credential store from R
https://keyring.r-lib.org/

R can't see user/password pairs added by a different method. #89

Closed berlogb closed 3 years ago

berlogb commented 3 years ago

Python and secret-tool can see all the users set from R, but R can see only users set from R itself.

Setting 3 different users via 3 different methods:

secret-tool

secret-tool store --label=fromST username userST service serviceST

Python

import keyring
keyring.set_password(service_name='servicePY', username='userPY', password='p1')

R

library(keyring)
key_set(service='serviceR', username='userR')

Now trying to read it back:

Python

>>> import keyring
>>> keyring.get_password(service_name='serviceST', username='userST')
'p1'
>>> keyring.get_password(service_name='serviceR', username='userR')
'p1'
>>> keyring.get_password(service_name='servicePY', username='userPY')
'p1'
>>>

R

> key_get(service='serviceR', username='userR')
[1] "p1"
> key_get(service='serviceST', username='userST')
Error in b_ss_get(self, private, service, username, keyring) :
  keyring item not found
> key_get(service='servicePY', username='userPY')
Error in b_ss_get(self, private, service, username, keyring) :
  keyring item not found
> key_list()
   service username
1 serviceR    userR

So, Python can see and properly read all the users, no matter where they are set from, while R can see only users set from R.

secret-tool also sees all of them:

>> secret-tool search username userR
[/org/freedesktop/secrets/collection/login/10]
label = serviceR
secret = p1
created = 2021-02-03 17:28:35
modified = 2021-02-03 17:28:35
schema = com.rstudio.keyring.password
attribute.username = userR
attribute.service = serviceR
>> secret-tool search username userPY
[/org/freedesktop/secrets/collection/login/9]
label = Password for 'userPY' on 'servicePY'
secret = p1
created = 2021-02-03 17:27:30
modified = 2021-02-03 17:27:30
schema = org.freedesktop.Secret.Generic
attribute.username = userPY
attribute.application = Python keyring library
attribute.service = servicePY
>> secret-tool search username userST
[/org/freedesktop/secrets/collection/login/8]
label = fromST
secret = p1
created = 2021-02-03 17:26:12
modified = 2021-02-03 17:26:12
schema = org.freedesktop.Secret.Generic
attribute.username = userST
attribute.service = serviceST

Possible fix

The issue seems to be in the exact schema used during the search, in particular here:

  secretlist = secret_collection_search_sync(
    /* self = */ collection,
    /* schema = */ keyring_secret_service_schema(),
    /* attributes = */ attributes,
    /* flags = */ SECRET_SEARCH_ALL | SECRET_SEARCH_UNLOCK |
                  SECRET_SEARCH_LOAD_SECRETS,
    /* cancellable = */ NULL,
    &err);

Wouldn't it be better not to limit the search to a specific schema? The current use case includes a situation where code is deployed by sysadmins on their system, and they would prefer to use available tools like secret-tool, and not R, to configure all the necessary keys.

Environment

R version 3.6.3 (2020-02-29) -- "Holding the Windsock"
Platform: x86_64-pc-linux-gnu (64-bit)

> default_backend()
<keyring backend: ‘secret service’>
Store secrets using the Secret Service library and daemon.

Thank you

gaborcsardi commented 3 years ago

You can probably use the oskeyring package which gives you access to more low level parameters.

berlogb commented 3 years ago

Thanks, I think it doesn't have an implementation for Linux. In the end I've just edited

    /* schema = */ keyring_secret_service_schema(),

into

NULL

Of course, if the input schema differs, there will be issues with parsing output, but that's ok.

Thank you.
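
An added illustration, not part of the thread or of keyring's own code: a small Python model of the lookup discussed above, run over a constructed listing shaped like the `secret-tool search` output in the issue. The helpers `parse_items`, `search` and `visibility` are hypothetical, and the schema check is an assumption that models a schema-filtered search as an exact match on the schema name.

```python
# Constructed sample shaped like the issue's `secret-tool search` listings (secret and timestamp lines left out).
SAMPLE = """\
[/org/freedesktop/secrets/collection/login/10]
label = serviceR
schema = com.rstudio.keyring.password
attribute.username = userR
attribute.service = serviceR
[/org/freedesktop/secrets/collection/login/9]
label = Password for 'userPY' on 'servicePY'
schema = org.freedesktop.Secret.Generic
attribute.username = userPY
attribute.application = Python keyring library
attribute.service = servicePY
[/org/freedesktop/secrets/collection/login/8]
label = fromST
schema = org.freedesktop.Secret.Generic
attribute.username = userST
attribute.service = serviceST
"""
R_SCHEMA = "com.rstudio.keyring.password"  # schema of the item written from R

def parse_items(text):
    """Parse the listing into dicts with path, schema and attributes."""
    items = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            items.append({"path": line[1:-1], "schema": None, "attributes": {}})
        elif " = " in line and items:
            key, value = line.split(" = ", 1)
            if key == "schema":
                items[-1]["schema"] = value
            elif key.startswith("attribute."):
                items[-1]["attributes"][key[len("attribute."):]] = value
    return items

def search(items, attributes, schema=None):
    """Paths of items holding every requested attribute; schema=None skips the schema check."""
    return [i["path"] for i in items
            if (schema is None or i["schema"] == schema)
            and all(i["attributes"].get(k) == v for k, v in attributes.items())]

def visibility(items, schema=R_SCHEMA):
    """Map service -> (found with the schema filter, found without it)."""
    out = {}
    for it in items:
        q = {k: it["attributes"][k] for k in ("service", "username")}
        out[q["service"]] = (bool(search(items, q, schema)), bool(search(items, q)))
    return out
```

Without the schema filter, every item carrying the same service and username attributes matches, whichever program stored it. A caller that drops the filter should therefore check how many items came back and which schema each one has before using the secret.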