
FIPS enabled pgAdmin4 does not start

Open albundy83 opened this issue 2 years ago • 2 comments

Describe the bug

When FIPS is enabled, pgAdmin4 does not manage to create /var/lib/pgadmin/pgadmin4.db correctly.

To Reproduce

Steps to reproduce the behavior: make sure that FIPS is enabled: cat /proc/sys/crypto/fips_enabled must return 1.

Start PGAdmin4 using Crunchy Data Operator (5.1.0) or using common Deployment

Expected behavior

Make it work :-)

  • Operating System: ubi8
  • Container Image Tag: registry.developers.crunchydata.com/crunchydata/crunchy-pgadmin4:ubi8-4.30-1
  • PostgreSQL Version: 14
  • Platform (Docker, Kubernetes, OpenShift): OpenShift with SCC as restricted
  • Platform Version: OpenShift 4.10

Here is the full log:

sh-4.4$ /opt/crunchy/bin/start-pgadmin4.sh
Wed Jun  8 16:34:52 UTC 2022 INFO: TLS disabled. Applying http configuration..
Wed Jun  8 16:34:52 UTC 2022 INFO: Setting up pgAdmin4 database..
Wed Jun  8 16:34:53 UTC 2022 ERROR: pgAdmin4 Database Setup: Could not create pgAdmin4 database: 
Traceback (most recent call last):
  File "setup.py", line 449, in <module>
    setup_db()
  File "setup.py", line 372, in setup_db
    app = create_app()
  File "/usr/lib/python3.6/site-packages/pgadmin4-web/pgadmin/__init__.py", line 351, in create_app
    db_upgrade(app)
  File "/usr/lib/python3.6/site-packages/pgadmin4-web/pgadmin/setup/db_upgrade.py", line 25, in db_upgrade
    flask_migrate.upgrade(migration_folder)
  File "/usr/lib/python3.6/site-packages/pgadmin4-web/flask_migrate/__init__.py", line 95, in wrapped
    f(*args, **kwargs)
  File "/usr/lib/python3.6/site-packages/pgadmin4-web/flask_migrate/__init__.py", line 280, in upgrade
    command.upgrade(config, revision, sql=sql, tag=tag)
  File "/usr/lib/python3.6/site-packages/pgadmin4-web/alembic/command.py", line 254, in upgrade
    script.run_env()
  File "/usr/lib/python3.6/site-packages/pgadmin4-web/alembic/script/base.py", line 425, in run_env
    util.load_python_file(self.dir, 'env.py')
  File "/usr/lib/python3.6/site-packages/pgadmin4-web/alembic/util/pyfiles.py", line 81, in load_python_file
    module = load_module_py(module_id, path)
  File "/usr/lib/python3.6/site-packages/pgadmin4-web/alembic/util/compat.py", line 83, in load_module_py
    spec.loader.exec_module(module)
  File "<frozen importlib._bootstrap_external>", line 678, in exec_module
  File "<frozen importlib._bootstrap>", line 219, in _call_with_frames_removed
  File "/usr/lib/python3.6/site-packages/pgadmin4-web/pgadmin/setup/../../migrations/env.py", line 93, in <module>
    run_migrations_online()
  File "/usr/lib/python3.6/site-packages/pgadmin4-web/pgadmin/setup/../../migrations/env.py", line 86, in run_migrations_online
    context.run_migrations()
  File "<string>", line 8, in run_migrations
  File "/usr/lib/python3.6/site-packages/pgadmin4-web/alembic/runtime/environment.py", line 836, in run_migrations
    self.get_context().run_migrations(**kw)
  File "/usr/lib/python3.6/site-packages/pgadmin4-web/alembic/runtime/migration.py", line 330, in run_migrations
    step.migration_fn(**kw)
  File "/usr/lib/python3.6/site-packages/pgadmin4-web/migrations/versions/fdc58d9bd449_.py", line 122, in upgrade
    Security(current_app, user_datastore, register_blueprint=False)
  File "/usr/lib/python3.6/site-packages/pgadmin4-web/flask_security/core.py", line 821, in __init__
    app, datastore, register_blueprint=register_blueprint, **kwargs
  File "/usr/lib/python3.6/site-packages/pgadmin4-web/flask_security/core.py", line 858, in init_app
    self._state = state = _get_state(app, datastore, **kwargs)
  File "/usr/lib/python3.6/site-packages/pgadmin4-web/flask_security/core.py", line 496, in _get_state
    hashing_context=_get_hashing_context(app),
  File "/usr/lib/python3.6/site-packages/pgadmin4-web/flask_security/core.py", line 477, in _get_hashing_context
    return CryptContext(schemes=schemes, deprecated=deprecated)
  File "/usr/lib/python3.6/site-packages/pgadmin4-web/passlib/context.py", line 1401, in __init__
    self.load(kwds)
  File "/usr/lib/python3.6/site-packages/pgadmin4-web/passlib/context.py", line 1592, in load
    config = _CryptConfig(source)
  File "/usr/lib/python3.6/site-packages/pgadmin4-web/passlib/context.py", line 634, in __init__
    self._init_scheme_list(source.get((None,None,"schemes")))
  File "/usr/lib/python3.6/site-packages/pgadmin4-web/passlib/context.py", line 652, in _init_scheme_list
    handler = get_crypt_handler(elem)
  File "/usr/lib/python3.6/site-packages/pgadmin4-web/passlib/registry.py", line 350, in get_crypt_handler
    mod = __import__(modname, fromlist=[modattr], level=0)
  File "/usr/lib/python3.6/site-packages/pgadmin4-web/passlib/handlers/digests.py", line 72, in <module>
    hex_md5     = create_hex_hash("md5")
  File "/usr/lib/python3.6/site-packages/pgadmin4-web/passlib/handlers/digests.py", line 55, in create_hex_hash
    info = lookup_hash(digest)
  File "/usr/lib/python3.6/site-packages/pgadmin4-web/passlib/crypto/digest.py", line 298, in lookup_hash
    info = HashInfo(const, name_list)
  File "/usr/lib/python3.6/site-packages/pgadmin4-web/passlib/crypto/digest.py", line 403, in __init__
    hash = const()
ValueError: [digital envelope routines: EVP_DigestInit_ex] disabled for FIPS

We can also see that the pgadmin4.db file has been created, but not correctly:

sh-4.4$ ls -al
total 104
drwxrwsrwx. 5 root    pgadmin  4096 Jun  8 16:34 .
drwxr-xr-x. 1 root    root      174 May 26 15:01 ..
-rw-r--r--. 1 pgadmin pgadmin     0 Jun  8 13:40 access_log
-rw-r--r--. 1 pgadmin pgadmin   853 Jun  8 16:34 config_local.py
-rw-r--r--. 1 pgadmin pgadmin   927 Jun  8 13:40 error_log
drwxrws---. 2 root    pgadmin 16384 Jun  8 13:39 lost+found
-rw-r--r--. 1 pgadmin pgadmin 61440 Jun  8 16:34 pgadmin4.db
-rw-r--r--. 1 pgadmin pgadmin   620 Jun  8 16:34 pgadmin.conf
drwx------. 2 pgadmin pgadmin  4096 Jun  8 13:40 sessions
drwxr-sr-x. 2 pgadmin pgadmin  4096 Jun  8 13:40 storage
sh-4.4$ sqlite3 pgadmin4.db 
SQLite version 3.26.0 2018-12-01 12:34:55
Enter ".help" for usage hints.
sqlite> select * from user ;
sqlite> 

albundy83 avatar Jun 08 '22 16:06 albundy83

Hello,

Here is the explanation of the problem: https://stackoverflow.com/questions/67559170/paramiko-ssh-command-execution-failing-with-valueerror-digital-envelope-routi

Using md5 hash is not allowed with FIPS enabled.

Here is the original issue on passlib (the problem was reported from pgAdmin4): https://foss.heptapod.net/python-libs/passlib/-/issues/116

It seems you are still using an unpatched version of passlib (passlib-1.7.2).

As a workaround, changing the line

grep -n 'return hashlib.md5' /usr/lib/python3.6/site-packages/pgadmin4-web/passlib/handlers/digests.py
104:        return hashlib.md5(data).hexdigest()

to

grep -n 'return hashlib.md5' /usr/lib/python3.6/site-packages/pgadmin4-web/passlib/handlers/digests.py
104:        return hashlib.md5(data, usedforsecurity=False).hexdigest()

But it's a bit ugly...

albundy83 avatar Jun 28 '22 06:06 albundy83
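The comment above pins the failure on passlib constructing an MD5 digest at import time, which OpenSSL refuses in FIPS mode unless the caller marks the digest as not security-relevant. The following Python block is an added example, not code from this issue, from pgAdmin4, passlib or the crunchy-pgadmin4 image: it reads the same kernel flag the reporter checks, probes which digests the default (security) constructor still allows on the current host, and shows the usedforsecurity=False call that the one-line workaround adds. The helper names (parse_fips_flag, fips_enabled, probe_digests, md5_hexdigest) are this example's own.

```python
"""Added example: check FIPS mode and demonstrate why hashlib.md5(data) fails there.

Helper names are this example's own, not APIs of pgAdmin4, passlib or the
crunchy-pgadmin4 image.
"""
import hashlib

# Kernel flag the issue checks with `cat /proc/sys/crypto/fips_enabled`.
FIPS_FLAG = "/proc/sys/crypto/fips_enabled"


def parse_fips_flag(text: str) -> bool:
    """'1' means the kernel enforces FIPS; anything else means it does not."""
    return text.strip() == "1"


def fips_enabled(path: str = FIPS_FLAG) -> bool:
    """True when the kernel reports FIPS mode; False when the flag is absent or 0."""
    try:
        with open(path, encoding="ascii") as fh:
            return parse_fips_flag(fh.read())
    except OSError:
        return False


def probe_digests(names) -> dict:
    """Map each digest name to whether the default (security-use) constructor works.

    On a FIPS host hashlib.new('md5') raises ValueError with the
    'EVP_DigestInit_ex ... disabled for FIPS' text seen in the issue's traceback;
    sha256 keeps working. Run this inside the container to see what is blocked.
    """
    result = {}
    for name in names:
        try:
            hashlib.new(name)
            result[name] = True
        except ValueError:
            result[name] = False
    return result


def md5_hexdigest(data: bytes) -> str:
    """MD5 for a non-security use (checksum, cache key) that also runs on FIPS hosts.

    usedforsecurity=False is what the workaround in the issue adds to passlib's
    hashlib.md5 call. Upstream CPython accepts the keyword from 3.9; the python3.6
    build shipped in RHEL/ubi8 accepts it through a vendor patch, which is why the
    one-line edit works in that image.
    """
    try:
        h = hashlib.new("md5", usedforsecurity=False)
    except TypeError:
        # Interpreter without the keyword: plain constructor, which raises
        # ValueError on a FIPS host instead of returning a digest.
        h = hashlib.md5()
    h.update(data)
    return h.hexdigest()


if __name__ == "__main__":
    print("FIPS mode:", fips_enabled())
    print("default-mode digests:", probe_digests(["md5", "sha1", "sha256"]))
    print("md5 (usedforsecurity=False):", md5_hexdigest(b"abc"))
```

The flag is a statement of intent to OpenSSL, not a bypass of policy: it is appropriate for the checksum-style uses that happen to be MD5, which is why the poster calls patching it into a password-hash handler "a bit ugly". The cleaner fix is the one the linked passlib issue tracks, a passlib release that does not construct every legacy digest handler at import, combined with keeping MD5-based schemes out of the CryptContext scheme list.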

Hello, any update on this issue?

albundy83 avatar Feb 02 '23 07:02 albundy83