Enforce NPF-SEC-00009

SECURITY.md

@@ -47,7 +47,7 @@ Using `--show-config` should hide sensible data, and manager password.
 # NPF-SEC-00009: Option to show sensible data
 
 When using `--show-config` or right click `show unecrypted`, we should only show unencrypted config if password is set.  
-Envivironmnt variable `NPBACKUP_MANAGER_PASSWORD` will be read to verify access.
+Environment variable `NPBACKUP_MANAGER_PASSWORD` will be read to verify access, or GUI may ask for password.
 Also, when wrong password is entered, we should wait in order to reduce brute force attacks.
 
 # NPF-SEC-00010: Date attacks

npbackup/configuration.py

@@ -119,8 +119,8 @@ ENCRYPTED_OPTIONS = [
     "repo_uri",
     "repo_opts.repo_password",
     "repo_opts.repo_password_command",
-    "prometheus.http_username",
+    "global_prometheus.http_username",
-    "prometheus.http_password",
+    "global_prometheus.http_password",
     "env.encrypted_env_variables",
     "global_options.auto_upgrade_server_username",
     "global_options.auto_upgrade_server_password",

npbackup/gui/config.py

@@ -212,15 +212,6 @@ def config_gui(full_config: dict, config_file: str):
         nonlocal env_variables_tree
         nonlocal encrypted_env_variables_tree
 
-        if key in ("repo_uri", "repo_group"):
-            if object_type == "group":
-                window[key].Disabled = True
-            else:
-                window[key].Disabled = False
-                # Update the combo group selector
-                window[key].Update(value=value)
-            return
-
         try:
             # Don't bother to update repo name
             # Also permissions / manager_password are in a separate gui
@@ -239,6 +230,8 @@ def config_gui(full_config: dict, config_file: str):
                 "prometheus.http_password",
             ) or key.startswith("prometheus.additional_labels"):
                 return
+            
+            # NPF-SEC-00009
             # Don't show sensible info unless unencrypted requested
             if not unencrypted:
                 # Use last part of key only
@@ -254,6 +247,15 @@ def config_gui(full_config: dict, config_file: str):
                     except (KeyError, TypeError):
                         pass
 
+            if key in ("repo_uri", "repo_group"):
+                if object_type == "group":
+                    window[key].Disabled = True
+                else:
+                    window[key].Disabled = False
+                    # Update the combo group selector
+                    window[key].Update(value=value)
+                return
+
             # Update tree objects
             if key == "backup_opts.paths":
                 if value:
@@ -1174,7 +1176,7 @@ def config_gui(full_config: dict, config_file: str):
                 sg.Input(key="repo_opts.repo_password", size=(95, 1)),
             ],
             [
-                sg.Text(_t("config_gui.backup_repo_password_command"), size=(40, 1)),
+                sg.Text(_t("config_gui.backup_repo_password_command"), size=(95, 1)),
             ],
             [
                 sg.Image(
@@ -1846,7 +1848,7 @@ def config_gui(full_config: dict, config_file: str):
             manager_password = configuration.get_manager_password(
                 full_config, object_name
             )
-            if ask_manager_password(manager_password):
+            if not manager_password or ask_manager_password(manager_password):
                 full_config = set_permissions(full_config, values["-OBJECT-SELECT-"])
             continue
         if event in (
@@ -1986,6 +1988,9 @@ def config_gui(full_config: dict, config_file: str):
             )
             # NPF-SEC-00009
             env_manager_password = os.environ.get("NPBACKUP_MANAGER_PASSWORD", None)
+            if not manager_password:
+                sg.PopupError(_t("config_gui.no_manager_password_defined"))
+                continue
             if (
                 env_manager_password and env_manager_password == manager_password
             ) or ask_manager_password(manager_password):

npbackup/translations/config_gui.en.yml

@@ -89,7 +89,7 @@ en:
   machine_group: Machine group
 
   show_decrypted: Show decrypted
-  no_manager_password_set: No managert password set, cannot show unencrypted
+  no_manager_password_defined: No manager password defined, cannot show unencrypted
 
   # compression
   auto: Automatic

npbackup/translations/config_gui.fr.yml

@@ -34,7 +34,7 @@ fr:
   minimum_backup_age: Délai minimal entre deux sauvegardes
   backup_repo_uri: URI / chemin local dépot de sauvegarde
   backup_repo_password: Mot de passe (chiffrement) dépot de sauvegarde
-  backup_repo_password_command: Commande qui retourne le mot de passe chiffrement dépot
+  backup_repo_password_command: Commande qui retourne le mot de passe de chiffrement dépot
   upload_speed: Vitesse limite de téléversement (KB/s)
   download_speed: Vitesse limite de téléchargement (KB/s)
   backend_connections: Connexions simultanées au dépot
@@ -90,7 +90,7 @@ fr:
   machine_group: Groupe machine
 
   show_decrypted: Voir déchiffré
-  no_manager_password_set: Mot de passe gestionnaire non initialisé, ne peut montrer la version déchiffrée
+  no_manager_password_defined: Mot de passe gestionnaire non initialisé, ne peut montrer la version déchiffrée
 
   # compression
   auto: Automatique