netinvent/npbackup
1
1
Fork 0
mirror of https://github.com/netinvent/npbackup.git synced 2025-10-08 20:47:50 +08:00
Code Issues Projects Releases Packages Wiki Activity

Add manager password env variable support

Browse source
This commit is contained in:
deajan 2024-04-23 10:08:31 +02:00
parent 50e6969e57
commit a012d3fd0f
3 changed files with 8 additions and 11 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
SECURITY.md
View file

@ -47,5 +47,6 @@ to show actual secrets.
# NPF-SEC-00009: Manager password in CLI mode # NPF-SEC-00009: Manager password in CLI mode
When using `--show-config --manager-password password`, we should only show unencrypted config if password is set. When using `--show-config` or right click `show unecrypted`, we should only show unencrypted config if password is set.
Envivironmnt variable `NPBACKUP_MANAGER_PASSWORD` will be read to verify access.
Also, when wrong password is entered, we should wait in order to reduce brute force attacks. Also, when wrong password is entered, we should wait in order to reduce brute force attacks.

12
npbackup/__main__.py
View file

@ -238,13 +238,6 @@ This is free software, and you are welcome to redistribute it under certain cond
required=False, required=False,
help="Show full inherited configuration for current repo", help="Show full inherited configuration for current repo",
) )
parser.add_argument(
"--manager-password",
type=str,
default=None,
required=False,
help="Optional manager password when showing config",
)
parser.add_argument( parser.add_argument(
"--external-backend-binary", "--external-backend-binary",
type=str, type=str,
@ -341,10 +334,11 @@ This is free software, and you are welcome to redistribute it under certain cond
# NPF-SEC-00009 # NPF-SEC-00009
# Load an anonymous version of the repo config # Load an anonymous version of the repo config
show_encrypted = False show_encrypted = False
if args.manager_password: manager_password = os.environ.get("NPBACKUP_MANAGER_PASSWORD", None)
if manager_password:
__current_manager_password = repo_config.g("__current_manager_password") __current_manager_password = repo_config.g("__current_manager_password")
if __current_manager_password: if __current_manager_password:
if __current_manager_password == args.manager_password: if __current_manager_password == manager_password:
show_encrypted = True show_encrypted = True
else: else:
# NPF-SEC # NPF-SEC

4
npbackup/gui/config.py
View file

@ -1834,7 +1834,9 @@ def config_gui(full_config: dict, config_file: str):
manager_password = configuration.get_manager_password( manager_password = configuration.get_manager_password(
full_config, object_name full_config, object_name
) )
if ask_manager_password(manager_password): # NPF-SEC-00009
env_manager_password = os.environ.get("NPBACKUP_MANAGER_PASSWORD", None)
if (env_manager_password and env_manager_password == manager_password) or ask_manager_password(manager_password):
update_object_gui(values["-OBJECT-SELECT-"], unencrypted=True) update_object_gui(values["-OBJECT-SELECT-"], unencrypted=True)
update_global_gui(full_config, unencrypted=True) update_global_gui(full_config, unencrypted=True)
continue continue