Bug 458644

Summary: Make legacy KWallet entries searchable via Secret Service API
Product: [Frameworks and Libraries] frameworks-kwallet
Reporter: michaelk83 <mk.mateng>
Component: general
Assignee: Valentin Rusu <valir>
Status: REPORTED ---
Severity: wishlist
CC: dashonwwIII, kdelibs-bugs, nate, uwu
Priority: NOR
Version: 5.97.0
Target Milestone: ---
Platform: unspecified
OS: Linux
Latest Commit:
Version Fixed In:
Sentry Crash Report:
Bug Depends on:
Bug Blocks: 458318

Description michaelk83 2022-09-02 17:42:33 UTC
SUMMARY
Secret Service API (`org.freedesktop.secrets`) support was added to KWallet Framework in 5.97.0. Legacy entries that were created with the old `org.kde.kwalletd5` lack any attributes, so they're not searchable with the new API. Furthermore, they cannot be easily accessed directly, since their item indices are not trivial to determine. This presents a potential migration issue should the legacy `org.kde.kwalletd5` API be discontinued (Bug 458318).

STEPS TO REPRODUCE
1. Install KWallet 5.97.0 and enable Secret Service integration.
2. Create some entries via the old `org.kde.kwalletd5` API (or via KWalletManager).
3. Inspect the wallet contents via the DBus Secret Service API and/or via a Secret Service client such as Seahorse. For example, run the following commands:

> qdbus org.freedesktop.secrets
> qdbus --literal org.freedesktop.secrets /org/freedesktop/secrets/collection/<name-of-wallet>/<legacy-item-index> org.freedesktop.Secret.Item.Label
> qdbus --literal org.freedesktop.secrets /org/freedesktop/secrets/collection/<name-of-wallet>/<legacy-item-index> org.freedesktop.Secret.Item.Attributes

OBSERVED RESULT
- Legacy items have no attributes, so are not searchable.
- Items are listed by index only; indices of specific items are not trivial to determine.
- Items cannot be accessed by legacy path or label.

EXPECTED RESULT
- Legacy items should be searchable at least by their legacy path and label.

SOFTWARE/OS VERSIONS
KDE Frameworks Version: 5.97.0

PROPOSAL:
Expose a read-only virtual attribute `org.kde.kwalletd5:label` for all legacy items. The value of this attribute should be the same as the `Label` property of the item, which includes its legacy path. For example, an item created as "mypassword" under folder "MyFolder", would have `org.kde.kwalletd5:label` equal to "MyFolder/mypassword". Items should be searchable by this attribute using the `org.freedesktop.Secret.Service.SearchItems()` and `org.freedesktop.Secret.Collection.SearchItems()` methods.

ADDITIONAL INFORMATION
Legacy entries that were created with the old `org.kde.kwalletd5` are enumerated via the `org.freedesktop.Secret.Service.Collections` and `org.freedesktop.Secret.Collection.Items` properties:
https://specifications.freedesktop.org/secret-service/latest/re01.html
https://specifications.freedesktop.org/secret-service/latest/re02.html

However, they are not listed by label or path, and their DBus paths are based on their index within the collection, not the legacy path. For example, a password created as "Foo/test" may show up only as `/org/freedesktop/secrets/collection/<name-of-wallet>/0`. The item index is not trivial to determine. Furthermore, they lack any attributes, so are not searchable with the `SearchItems()` methods (which can only search by attributes).

This is correct behavior per the Secret Service API specification, as the intention of the API was to search items by their attributes. But the legacy `org.kde.kwalletd5` API does not support specifying attributes.

Exposing a searchable virtual attribute `org.kde.kwalletd5:label` for all legacy items would allow the legacy items to be easily accessed via the Secret Service API. Each client app or library (including but not limited to QtKeyChain) can then migrate legacy items to their new Secret Service location as needed. Client apps would not need QtKeyChain or some other tool to migrate for them (though it's still possible). This approach also guarantees that the source and target locations are in the same backend, so items won't be unintentionally migrated from one secrets store to some other (such as from old KWallet to Gnome keyring).
Comment 1 michaelk83 2022-09-02 18:55:36 UTC
(In reply to michaelk83 from comment #0)
> Expose a read-only virtual attribute `org.kde.kwalletd5:label` for all legacy items.
Maybe make it non-virtual, so that it's discoverable through the `org.freedesktop.Secret.Item.Attributes` property. But this would expose the labels of all legacy items, since attributes are not encrypted per the Secret Service specification - https://specifications.freedesktop.org/secret-service/latest/ch05.html .

This attribute should *not* be added to (non-legacy) items created via the Secret Service API, since clients can't expect the same from other Secret Service API providers.
Comment 2 michaelk83 2022-09-08 20:11:50 UTC
Better/additional STEPS TO REPRODUCE, assuming the proposed `org.kde.kwalletd5:label` behavior:
1. Install KWallet 5.97.0 and enable Secret Service integration.
2. Create some entries via the old `org.kde.kwalletd5` API (or via KWalletManager). For example, entry "mypass" in folder "test-legacy".
3. Run the following command (adjust the last parameter as needed):
> secret-tool lookup 'org.kde.kwalletd5:label' 'test-legacy/mypass'
(See https://manpages.ubuntu.com/manpages/trusty/man1/secret-tool.1.html )

OBSERVED RESULT
Not found

EXPECTED RESULT
Found
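
The following Python is an added illustration of the behaviour described in the report and of the proposed `org.kde.kwalletd5:label` attribute; it is not code from KWallet, QtKeyChain or the reporter. It implements the SearchItems() matching rule from the Secret Service specification (every queried attribute must be present with exactly that value) over a constructed sample wallet named `kdewallet` with two attribute-less legacy entries at index paths `0` and `1` and one item created through the new API, and shows that the legacy entries become findable only once the proposed attribute is populated from the label. The `audit_live_bus()` function walks a real session bus to list items that no attribute query can reach (the legacy entries); it assumes the python-secretstorage library is installed and a Secret Service provider is running, everything else runs offline.

```python
"""Model the Secret Service SearchItems() rule over a constructed wallet and,
optionally, audit a live session bus for items that carry no attributes.

Added example for bug 458644; not KWallet, QtKeyChain or reporter code.
Assumptions: python-secretstorage for the live audit, and a wallet named
"kdewallet" with constructed sample entries for the offline part.
"""
from typing import Iterable, List, Mapping, Tuple

# Attribute name proposed in the report for legacy kwalletd5 entries.
LEGACY_LABEL_ATTR = "org.kde.kwalletd5:label"


def legacy_label(folder: str, key: str) -> str:
    """Label kwalletd5 gives a legacy entry: "<folder>/<key>" (per the report)."""
    return f"{folder}/{key}"


def search_items(items: Iterable[Mapping], attributes: Mapping[str, str]) -> List[str]:
    """SearchItems() semantics from the spec: an item matches only if every
    queried attribute is present with exactly that value. Items are dicts with
    'path', 'label' and 'attributes'. Returns the matching D-Bus paths."""
    return [
        it["path"]
        for it in items
        if all(it["attributes"].get(k) == v for k, v in attributes.items())
    ]


def with_proposed_attribute(items: Iterable[Mapping]) -> List[dict]:
    """Copies of the items where attribute-less (legacy) entries gain the
    proposed read-only attribute, filled from the label. Items that already
    carry attributes are left untouched, as Comment 1 asks."""
    out = []
    for it in items:
        attrs = dict(it["attributes"])
        if not attrs:
            attrs[LEGACY_LABEL_ATTR] = it["label"]
        out.append({**it, "attributes": attrs})
    return out


def unsearchable(items: Iterable[Mapping]) -> List[Tuple[str, str]]:
    """(path, label) of every item that no attribute query can ever reach."""
    return [(it["path"], it["label"]) for it in items if not it["attributes"]]


# Constructed sample mirroring the report: legacy entries sit at index paths
# and have no attributes; the new-API item has the attributes its client set.
SAMPLE_ITEMS = [
    {"path": "/org/freedesktop/secrets/collection/kdewallet/0",
     "label": legacy_label("test-legacy", "mypass"), "attributes": {}},
    {"path": "/org/freedesktop/secrets/collection/kdewallet/1",
     "label": legacy_label("Foo", "test"), "attributes": {}},
    {"path": "/org/freedesktop/secrets/collection/kdewallet/2",
     "label": "example.org login",
     "attributes": {"service": "example.org", "user": "alice"}},
]


def audit_live_bus() -> List[Tuple[str, str]]:
    """Walk every collection on the session bus and return (path, label) of
    items with no attributes. Requires python-secretstorage (assumed)."""
    import secretstorage  # assumed dependency, imported lazily

    conn = secretstorage.dbus_init()
    found = []
    for coll in secretstorage.get_all_collections(conn):
        for item in coll.get_all_items():
            if not item.get_attributes():
                found.append((item.item_path, item.get_label()))
    return found


if __name__ == "__main__":
    try:
        rows = audit_live_bus()
    except Exception:  # no secretstorage, or no Secret Service on the bus
        print("no live Secret Service available; using the constructed sample")
        rows = unsearchable(SAMPLE_ITEMS)
    for path, label in rows:
        print(f"{path}  {label}")
```

Running `audit_live_bus()` against a real kwalletd reproduces the observed result: each legacy entry is reported by index path with its "folder/key" label, so this is the step that recovers the otherwise non-trivial item index. The offline functions show the expected result: `search_items(SAMPLE_ITEMS, {LEGACY_LABEL_ATTR: "test-legacy/mypass"})` finds nothing today, while the same query over `with_proposed_attribute(SAMPLE_ITEMS)` returns item `0`, and the new-API item never acquires the attribute.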