org.freedesktop.secrets DBus API initial support

Slava Aseev requested to merge ptrnine/kwallet:fork into master

This MR introduces the org.freedesktop.secrets DBus API.

In its current state, it allows kwalletd to be used as a backend for seahorse and the Python "SecretStorage" library.

The main implementation details:

  • It is built on top of KWalletD. KWalletD holds a pointer to the KWalletFreedesktopService, which holds sessions, prompts, collections and items. All of these objects inherit QDBusContext, have access to the parent KWalletD and can call its functions.
  • Wallet names map to fdo collection labels and entry names map to fdo item labels, with some extras:
    • Wallet names must be unique, but collection labels need not be (the same holds for entries/items). Thus a numeric suffix is added for each non-unique label. For the fdo API the non-unique labels stay non-unique, while the wallet names are unique (e.g. fdo [label, label, label] becomes [label, label__0_, label__1_] in kwallet).
    • KWallet entries are stored in folders, so every fdo item is stored in the "Secret Service" folder. A folder can also be specified through the fdo secrets API: for this the item's label must contain a folder prefix (e.g. secrets with labels [item, Passwords/item] are stored as [Secret Service/item, Passwords/item] in kwallet).
  • All entries created through the fdo secrets API have a specific structure, and Wallet Manager shows them as binary data. This is because fdo items can store an arbitrary number of attributes and must store creation/modification timestamps. However, every "native" kwalletd entry can be read through the fdo secrets API (with some restrictions; in that case there are no creation/modification timestamps).
  • Renaming of wallets was introduced because the fdo secrets API supports collection renaming.
  • Collection aliases (and the default collection) are stored in the kwalletrc config.
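As an added illustration (not kwallet's code), the following C++ sketch models the two mappings described above: repeated collection labels get a numeric suffix to form unique wallet names, and an item label's folder prefix selects the kwallet folder (default "Secret Service"). Function and struct names are assumptions; it also goes beyond the MR text by skipping a suffix that collides with an existing wallet name and by assuming the first '/' separates the folder prefix.

```cpp
// Added example, not kwallet's code: models the fdo label -> kwallet
// name mapping described in the MR. Function names are assumptions.
#include <map>
#include <set>
#include <string>
#include <vector>

// Map fdo collection labels (possibly repeated) to unique wallet names.
// The first occurrence keeps its label; later ones get __0_, __1_, ...
// Extension beyond the MR text: a suffixed name that is already taken
// (e.g. a wallet really named "label__0_") is skipped.
std::vector<std::string> uniqueWalletNames(const std::vector<std::string>& labels) {
    std::set<std::string> used;             // wallet names already taken
    std::map<std::string, int> nextSuffix;  // next numeric suffix per label
    std::vector<std::string> names;
    for (const auto& label : labels) {
        std::string name = label;
        while (used.count(name)) {
            name = label + "__" + std::to_string(nextSuffix[label]++) + "_";
        }
        used.insert(name);
        names.push_back(name);
    }
    return names;
}

struct EntryLocation {
    std::string folder;  // kwallet folder
    std::string key;     // kwallet entry name
};

// Split an fdo item label into a kwallet folder and entry name:
// "Passwords/item" -> {"Passwords", "item"}, "item" -> {"Secret Service", "item"}.
// Assumption: the first '/' separates the folder prefix; an empty prefix
// ("/item") falls back to the default folder.
EntryLocation entryLocation(const std::string& label) {
    const std::string defaultFolder = "Secret Service";
    const auto slash = label.find('/');
    if (slash == std::string::npos) {
        return {defaultFolder, label};
    }
    if (slash == 0) {
        return {defaultFolder, label.substr(1)};
    }
    return {label.substr(0, slash), label.substr(slash + 1)};
}
```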

There are also some flaws:

  • DBus item objects are created only after the collection is unlocked. I don't know why this is, but gnome-keyring creates item objects before collection unlocking. In this case, all you can do is unlock the item / collection.
  • This MR introduces a session with encryption, but it does not make sense when "Prompt when an application accesses a wallet" is off. This is because KWallet asks for a password for the first app but gives everyone access. Also (as I understand it) KWallet identifies apps by their "appid", which is accepted over DBus. It is not difficult to replace it, so using the unique DBus connection name may be a better solution.
