Bug 459287 - KWallet/Secret Service: inconsistent locked/unlocked state of wallets.
Summary: KWallet/Secret Service: inconsistent locked/unlocked state of wallets.
Status: REPORTED
Alias: None
Product: frameworks-kwallet
Classification: Frameworks and Libraries
Component: general (show other bugs)
Version: 5.98.0
Platform: Neon Linux
: NOR normal
Target Milestone: ---
Assignee: Valentin Rusu
URL:
Keywords:
: 462244 (view as bug list)
Depends on:
Blocks:
 
Reported: 2022-09-17 15:36 UTC by michaelk83
Modified: 2022-11-28 19:29 UTC (History)
2 users (show)

See Also:
Latest Commit:
Version Fixed In:

Attachments
Add an attachment

Note You need to log in before you can comment on or make changes to this bug.
Description michaelk83 2022-09-17 15:36:26 UTC 
SUMMARY
Locking/unlocking a wallet in KWalletManager (presumably via the old `org.kde.kwalletd5` API), in Seahorse (via Secret Service API), and via `secret-tool` (`libsecret`, Secret Service API) do not agree on what is locked or unlocked.

To summarize the steps to reproduce, just try locking/unlocking from KWalletManager, Seahorse, and secret-tool/libsecret/DBus, and observe the result in those three places. All the clients should always agree on the locked/unlocked state, but they do not. Detailed steps follow:

STEPS TO REPRODUCE

(preparation)
1. Set up KWallet with Secret Service integration, install Seahorse and secret-tool.
2. Create a wallet in KWalletManager (I used a blowfish wallet), add some passwords, and save changes.
3. Lock the wallet in KWalletManager, and restart `kwalletd5`.

(tests)
4. Run `qdbus org.freedesktop.secrets` in a terminal, inspect the wallet in KWalletManager and in Seahorse.
5. Unlock the wallet in KWalletManager (do NOT resteart `kwalletd5`).
6. Repeat step 4.
7. Unlock the wallet in Seahorse.
8. Repeat step 4.
9. Lock the wallet again in KWalletManager (do NOT resteart `kwalletd5`).
10. Repeat step 4.
11. Unlock the wallet in Seahorse.
12. Repeat step 4.
13. Lock the wallet in Seahorse.
14. Repeat step 4.
15. Restart `kwalletd5`.
16. Repeat step 4.
17. Run `echo -n 'mypass' | secret-tool store --label=testfdo attr1 val1` in a terminal (this will ask to unlock).
18. Repeat step 4.
19. Run `dbus-send --session --type=method_call --dest=org.freedesktop.secrets /org/freedesktop/secrets org.freedesktop.Secret.Service.Lock array:objpath:/org/freedesktop/secrets/aliases/default` in a terminal.
20. Repeat step 4.

OBSERVED RESULT

4. `qdbus org.freedesktop.secrets` doesn't list items (no entries of the form `/org/freedesktop/secrets/collection/<wallet>/<item-index>`), KWalletManager and Seahorse show the wallet as locked (correct behavior, since we restarted `kwalletd5` in step 3).
6. KWalletManager shows unlocked, Seahorse shows locked, `qdbus org.freedesktop.secrets` doesn't list any items.
7. Seahorse doesn't ask for a password, since the wallet is actually already unlocked.
8. KWalletManager and Seahorse both show unlocked, `qdbus org.freedesktop.secrets` lists the item paths (correct).
10. KWalletManager and Seahorse both show locked without restarting either (correct), `qdbus org.freedesktop.secrets` still lists the items (not correct).
12. Now Seahorse shows unlocked, but KWalletManager shows locked. `qdbus org.freedesktop.secrets` lists the item paths. After KWalletManager is restarted, it shows unlocked as well.
14. KWalletManager and Seahorse both show locked without restarting either (correct), `qdbus org.freedesktop.secrets` still lists the items (not correct).
16. KWalletManager and Seahorse both show locked, `qdbus org.freedesktop.secrets` doesn't list any items (correct).
18. `qdbus org.freedesktop.secrets` lists the item paths, including the new one (correct), Seahorse shows unlocked and lists all items without restarting (correct), KWalletManager still shows locked (not correct). After KWalletManager is restarted, it shows unlocked as well (and lists the new item).
20. KWalletManager and Seahorse both show locked without restarting either (correct), `qdbus org.freedesktop.secrets` still lists the items (not correct). Correct behavior is restored after restarting `kwalletd5`.

EXPECTED RESULT

4. (as observed)
6. KWalletManager and Seahorse should both show UNlocked, `qdbus org.freedesktop.secrets` should list the item paths.
7. (should not be necessary)
8. (as observed)
10. KWalletManager and Seahorse should both show locked, `qdbus org.freedesktop.secrets` should NOT list the item paths.
12. KWalletManager and Seahorse should both show unlocked without restarting, `qdbus org.freedesktop.secrets` should list the item paths.
14. KWalletManager and Seahorse should both show locked, `qdbus org.freedesktop.secrets` should NOT list the item paths.
16. (as observed)
18. KWalletManager and Seahorse should both show unlocked without restarting, `qdbus org.freedesktop.secrets` should list the item paths. All should show the new item.
20. KWalletManager and Seahorse should both show locked, `qdbus org.freedesktop.secrets` should NOT list the item paths. Restarting `kwalletd5` should not be necessary.

SOFTWARE/OS VERSIONS

Linux/KDE Plasma: KDE Neon User 20220825-0951 live DVD
(after updating Qt libraries and KWallet)
KDE Frameworks Version: 5.98.0
KWalletManager: 22.08.1
Seahorse: 3.36-1
libsecret: 0.20.4
libsecret-tools: 0.20.4
KDE Plasma Version: 5.25.4
Qt Version: 5.15.5

ADDITIONAL INFORMATION

- `dbus-monitor "destination=org.freedesktop.secrets" "sender=org.freedesktop.secrets"` suggests that KWalletManager lock/unlock function does not make the corresponding calls to Secret Service API. There's too much other noise in the output, so I'm not attaching it here.
- Steps 7 and 11 unlock specifically the selected collection (object path `/org/freedesktop/secrets/collection/<wallet>`). No Dbus calls to the old KWallet API.
- Step 13 locks specifically the selected collection (object path `/org/freedesktop/secrets/collection/<wallet>`). Some signals raised to `/modules/kwalletd5` such as `member=walletClosed`.
- Step 17 unlocks the "default" alias (object path `/org/freedesktop/secrets/aliases/default`).

The weirdest result is in steps 10, 14, and 20, where Seahorse and DBus disagree through the same API. The rest is disagreements between the Secret Service and `org.kde.kwalletd5` APIs, since they're not synced correctly by `kwalletd5`.

`dbus-monitor` output for main command of...

Steps 7 and 11 (unlock in Seahorse):
> method call time=1663418218.492113 sender=:1.234 -> destination=:1.225 serial=36 path=/org/freedesktop/secrets; interface=org.freedesktop.Secret.Service; member=Unlock
>    array [
>       object path "/org/freedesktop/secrets/collection/test_2dblowfish"
>    ]

Step 13 (lock in Seahorse):
> method call time=1663419939.833426 sender=:1.243 -> destination=:1.225 serial=58 path=/org/freedesktop/secrets; interface=org.freedesktop.Secret.Service; member=Lock
>    array [
>       object path "/org/freedesktop/secrets/collection/test_2dblowfish"
>    ]

Step 17 (unlock via `secret-tool store`):
> method call time=1663423628.991238 sender=:1.279 -> destination=:1.271 serial=10 path=/org/freedesktop/secrets; interface=org.freedesktop.Secret.Service; member=Unlock
>    array [
>       object path "/org/freedesktop/secrets/aliases/default"
>    ]
Comment 1 michaelk83 2022-11-28 19:29:21 UTC 
*** Bug 462244 has been marked as a duplicate of this bug. ***