Enhance passphrase handling (Fixes #8496) #8605
Codecov Report
Attention: Patch coverage is
Additional details and impacted files
@@            Coverage Diff             @@
##           master    #8605      +/-   ##
==========================================
- Coverage   81.83%   81.79%   -0.05%
==========================================
  Files          74       74
  Lines       13319    13333      +14
  Branches     1963     1966       +3
==========================================
+ Hits        10900    10906       +6
- Misses       1755     1761       +6
- Partials      664      666       +2
Thanks for the PR! Some feedback.
0a5c57d to a5a900e
Thank you so much for the feedback! Will try to fix all this by tomorrow!
some feedback.
Besides addressing the feedback and writing a unit test, I also recommend that you practically try this code for some scenarios.
E.g.:
- Use `borg repo-create -e repokey ...` - this will ask you to define a passphrase. Answer y or answer n when it asks to display the passphrase.
- Use `borg repo-list ...` to access the repo. It will ask for a passphrase and under normal circumstances, it MUST NOT display what you entered. But there should be a way for optional "passphrase debugging" and it displaying the passphrase and its hex encoding.
- Do the same, but use an env var with a correct and with an incorrect passphrase.
This is exactly how I've been testing. I was just uncertain whether the requirement was to always show debug information when a wrong passphrase is entered, or if it should be shown "optionally" based on the user's input. I chose to conditionally display it based on the new environment variable Now, debugging information (including passphrase and environment variable details) is only shown when the I hope this matches the intended behavior. Looking forward to your thoughts!
good to require that env var, so the stuff isn't printed by default.
consistency / simplification suggestions.
The docs CI failure seems unrelated to your PR changes. Maybe some stuff in Sphinx changed, so it is triggering new warnings. Guess I need to change so that code unit tests do not depend on docs test.
@ThomasWaldmann if this is ready to close, do you have any suggestions for another issue I could work on next?
I've fixed the docs issue in master. Please update your local master branch, then rebase the PR branch onto master, then force push to GitHub. In the issue tracker, some stuff is labelled as easy, good first issue or help wanted - choose from these if you feel it is a good fit for you.
- Ensure hex bytes for passphrases are displayed in all cases, covering both ASCII and non-ASCII characters.
- Introduce an option to show the hex bytes when an incorrect password is detected.
- Indicate which environment variables were utilized during passphrase operations.
- Direct sensitive passphrase information to sys.stderr to prevent unintended logging.

Added tests to verify:
- Handling of incorrect passphrases.
- Passphrase verification logic.
- Debug information display for passphrases.

- Ensured the passphrase argument is correctly passed to the PassphraseWrong exception.

- Displaying passphrase debugging information only when the `BORG_DEBUG_PASSPHRASE` environment variable is set to "YES".
- If the env var is not set or set to a value other than "YES", debugging info will not be displayed.
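
The opt-in gating these commit messages describe, sketched as an added example that is not borg's code from this PR: secrets are shown only when `BORG_DEBUG_PASSPHRASE` is exactly "YES", the hex form exposes differences a terminal hides, and output goes to stderr. Function names and message wording are hypothetical; `BORG_PASSPHRASE` and `BORG_PASSCOMMAND` are borg's existing passphrase variables, and which ones the PR reports is an assumption.

```python
import os
import sys
import unicodedata

DEBUG_ENV = "BORG_DEBUG_PASSPHRASE"  # name taken from the PR discussion
# borg's existing passphrase variables; which ones the PR reports is an assumption
PASSPHRASE_ENVS = ("BORG_PASSPHRASE", "BORG_PASSCOMMAND")


def passphrase_debug_lines(passphrase, environ):
    """Debug lines for a rejected passphrase; empty unless explicitly enabled."""
    if environ.get(DEBUG_ENV) != "YES":  # unset, "yes", "1", ... all keep secrets hidden
        return []
    raw = passphrase.encode("utf-8")
    lines = [
        "Incorrect passphrase!",
        f'Passphrase used (between double-quotes): "{passphrase}"',
        f"Same, UTF-8 encoded, in hex: {raw.hex(' ')}",
    ]
    for name in PASSPHRASE_ENVS:
        if name in environ:
            lines.append(f"{name} is set")
    return lines


def report_wrong_passphrase(passphrase, environ=None, stream=None):
    """Write the debug lines to stderr, not stdout or the logger; return the line count."""
    environ = os.environ if environ is None else environ
    stream = sys.stderr if stream is None else stream
    lines = passphrase_debug_lines(passphrase, environ)
    for line in lines:
        print(line, file=stream)
    return len(lines)


if __name__ == "__main__":
    # Constructed inputs: the same visible text in two Unicode normalization forms.
    env = {DEBUG_ENV: "YES", "BORG_PASSPHRASE": "unused-here"}
    for form in ("NFC", "NFD"):
        report_wrong_passphrase(unicodedata.normalize(form, "caf\u00e9"), env)
    # Without the opt-in nothing is printed.
    assert report_wrong_passphrase("caf\u00e9", {}) == 0
```

The two runs print identical-looking passphrases whose hex differs (`c3 a9` versus `65 cc 81`), which is the kind of mismatch the hex display is there to reveal.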
bbdb424 to 6463ad6
found quite some more todo in the tests.
I realized I completely forgot to update the tests after changing my implementation—apologies for that oversight! I've reviewed and adjusted everything now, so the tests should align correctly with the updated implementation. Let me know if there's anything else you'd like me to refine.
d09d2d8 to b907173
LGTM!
Description
This pull request improves the handling of passphrases and adds comprehensive debug information. The main changes include: