Improve debugging output for passphrase validation failures
alighazi288 committed Dec 29, 2024
1 parent a5a900e commit 44466e1
Showing 3 changed files with 25 additions and 12 deletions.
2 changes: 2 additions & 0 deletions src/borg/crypto/key.py
Expand Up @@ -371,6 +371,8 @@ def detect(cls, repository, manifest_data):
passphrase = Passphrase.getpass(prompt)
if key.load(target, passphrase):
break
else:
Passphrase.display_debug_info(passphrase)

Check warning on line 375 in src/borg/crypto/key.py


Codecov / codecov/patch

src/borg/crypto/key.py#L375

Added line #L375 was not covered by tests
else:
raise PasswordRetriesExceeded
else:
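Review bot: The added `else:` branch calls `Passphrase.display_debug_info(passphrase)` after every failed interactive attempt, so text that `Passphrase.getpass` presumably read without echo is written back to stderr on each retry. A rejected passphrase is most often a near-miss of the real one, and stderr commonly ends up in terminal scrollback or in captured job logs. The call should be gated on an explicit opt-in and stay silent otherwise, e.g. `if <debug opt-in is set>: Passphrase.display_debug_info(passphrase)`. The enclosing `detect` method and its retry loop start and end outside this hunk, so the loop structure is inferred from the visible lines.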
17 changes: 13 additions & 4 deletions src/borg/helpers/passphrase.py
Expand Up @@ -118,6 +118,11 @@ def verification(cls, passphrase):
print(
"Your passphrase (UTF-8 encoding in hex): %s" % bin_to_hex(passphrase.encode("utf-8")), file=sys.stderr
)
print(
"It is recommended to keep the UTF-8 encoding in hex together with the passphrase at a safe place. "
"In case you should ever run into passphrase issues, it could sometimes help debugging them.\n",
file=sys.stderr,
)
try:
passphrase.encode("ascii")
except UnicodeEncodeError:
Expand All @@ -129,12 +134,16 @@ def verification(cls, passphrase):

@staticmethod
def display_debug_info(passphrase):
print(
"Incorrect passphrase (UTF-8 encoding in hex): %s" % bin_to_hex(passphrase.encode("utf-8")), file=sys.stderr
)
print("Incorrect passphrase!", file=sys.stderr)
print(f'Passphrase used (between double-quotes): "{passphrase}"', file=sys.stderr)

Check failure

Code scanning / CodeQL

Clear-text logging of sensitive information High

This expression logs sensitive data (password) as clear text.
This expression logs sensitive data (password) as clear text.
This expression logs sensitive data (password) as clear text.
This expression logs sensitive data (password) as clear text.
This expression logs sensitive data (password) as clear text.
This expression logs sensitive data (password) as clear text.
This expression logs sensitive data (password) as clear text.
This expression logs sensitive data (password) as clear text.
print(f'Same, UTF-8 encoded, in hex: {bin_to_hex(passphrase.encode("utf-8"))}', file=sys.stderr)
print("Relevant Environment Variables:", file=sys.stderr)
for env_var in ["BORG_PASSPHRASE", "BORG_PASSCOMMAND", "BORG_PASSPHRASE_FD"]:
env_var_value = os.environ.get(env_var)
print(f"{env_var} = {env_var_value}", file=sys.stderr)
if env_var_value is not None:
print(f'{env_var} = "{env_var_value}"', file=sys.stderr)
else:
print(f"# {env_var} is not set", file=sys.stderr)

Check warning on line 146 in src/borg/helpers/passphrase.py


Codecov / codecov/patch

src/borg/helpers/passphrase.py#L146

Added line #L146 was not covered by tests

@classmethod
def new(cls, allow_empty=False):
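Review bot: The hint added in `verification` tells the user to keep the UTF-8 hex encoding "together with the passphrase at a safe place" without saying that the hex string is the passphrase itself in a trivially reversible form. A user who reads it as harmless debug data may paste it into a bug report or a notes file. The message should state the sensitivity directly, e.g. `"The hex encoding is as secret as the passphrase itself: store it only where you would store the passphrase. "`. The body of `verification` continues outside the hunk.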
18 changes: 10 additions & 8 deletions src/borg/testsuite/helpers_test.py
Expand Up @@ -1417,11 +1417,12 @@ def test_passphrase_wrong(self, capsys, monkeypatch):
raise PassphraseWrong("wrong_passphrase")

out, err = capsys.readouterr()
assert "Incorrect passphrase (UTF-8 encoding in hex)" in err
assert "Incorrect passphrase!" in err
assert 'Passphrase used (between double-quotes): "wrong_passphrase"' in err
assert "77726f6e675f70617373706872617365" in err
assert "BORG_PASSPHRASE = wrong_passphrase" in err
assert "BORG_PASSCOMMAND = echo wrong_passphrase" in err
assert "BORG_PASSPHRASE_FD = 123" in err
assert "BORG_PASSPHRASE" in err
assert "BORG_PASSCOMMAND" in err
assert "BORG_PASSPHRASE_FD" in err

assert str(exc_info.value) == (
"passphrase supplied in BORG_PASSPHRASE, by BORG_PASSCOMMAND or via BORG_PASSPHRASE_FD is incorrect."
Expand Down Expand Up @@ -1457,11 +1458,12 @@ def test_display_debug_info(self, capsys, monkeypatch):
Passphrase.display_debug_info(passphrase)

out, err = capsys.readouterr()
assert "Incorrect passphrase (UTF-8 encoding in hex)" in err
assert "Incorrect passphrase!" in err
assert 'Passphrase used (between double-quotes): "debug_test"' in err
assert "64656275675f74657374" in err # UTF-8 hex encoding of 'debug_test'
assert "BORG_PASSPHRASE = debug_env_passphrase" in err
assert "BORG_PASSCOMMAND = command" in err
assert "BORG_PASSPHRASE_FD = fd_value" in err
assert "BORG_PASSPHRASE" in err
assert "BORG_PASSCOMMAND" in err
assert "BORG_PASSPHRASE_FD" in err


@pytest.mark.parametrize(
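Review bot: The replacement assertions only check that the variable names occur in stderr (`assert "BORG_PASSPHRASE" in err`), so they no longer pin the new quoted output format, and the first one is already satisfied by the `BORG_PASSPHRASE_FD` line because of the shared prefix. This applies to both `test_passphrase_wrong` and `test_display_debug_info`. Assert the full line instead, e.g. `assert 'BORG_PASSPHRASE = "debug_env_passphrase"' in err` in `test_display_debug_info`, taking the values from the removed assertions. The monkeypatch setup is outside the hunk, so confirm the values there.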
