Cannot login with any user after update to 3.9.11

Hi,
after upgrading from 3.9.11 to 3.9.12 no user can log in anymore (admin or other).
The error in the log file is “Login: Invalid credentials”.
I have tried to use the gl-admin resetpass command, which executes successfully (the db file is updated as well), but the error with the new password is still the same.

After upgrading to 3.9.12 the problem remains.

It’s still possible to “Blow the Whistle” and the form settings look ok.

Thanks to anyone who could help :slight_smile:

Thank you for reporting this @gneotel

We will check on the issue and try to emit a patch in the day.

Would you please clarify which version you had before the issue started?
From your message it is in fact not clear whether you started having the issue on 3.9.12 or before.

Thank you!

Giovanni Pellerano

You are right, I did put the wrong versions on my post.
With 3.9.7 everything was working fine;
after upgrading from 3.9.7 to 3.9.11 the error showed up, and
upgrading from 3.9.11 to 3.9.12 did not solve the issue.

Thanks

Thank you @gneotel

Actually the bug seems to be in this line, and I think it should apply only to setups based on Ubuntu Xenial: https://github.com/globaleaks/GlobaLeaks/commit/1ff0b2ac922027506cdfc46d60d554042b312f19#diff-2854d9b86f1a3b299137b299e13d4de7R79

Do you confirm that you are still running on Ubuntu Xenial?

If you feel comfortable, would you please remove that line, restart GlobaLeaks and see if the issue is solved?

I will also proceed with emitting a patch.

Thank you!

Giovanni

@gneotel: actually we are still retesting, as we are not convinced your issue is caused by this.

Let me know anyhow if you gave it a try and it worked.

Thanks,

Giovanni

@gneotel actually after a set of retests I cannot reproduce your issue.

The only issue I’ve found is in the implementation of the gl-admin utility, which is currently not configuring the reset password correctly.

For this the fix is https://github.com/globaleaks/GlobaLeaks/commit/f7fafd89d905dbac92567140e98f62f29d6f7608
It will be shipped in the next upcoming release (3.9.13), but if you want you can already apply it manually to fix your inconvenience.

Best,

Giovanni Pellerano

I tried the second solution first and it actually worked. Thanks!

Still, it’s odd that three different users with different roles stopped logging in at the same time.
Could it be related to the hash algorithm?
I noticed in the user table that all the users have the SCRYPT algorithm but one, which has ARGON2 (unfortunately I don’t have the password for that user, I don’t know if it can log in, and I cannot reach the owner until Monday or Tuesday).

I did not try the first solution and my instance is running on Ubuntu 18.04.2 LTS bionic.

Thanks again.
Adriano

@gneotel: actually if your old users have scrypt as hash algorithm I think almost for sure the solution to your bug is removing the line that I’ve indicated to you.

Feel free to proceed removing it manually, and at the same time I will now issue a patch that will be included in release 3.9.13.

I’ve located the file fixes.py but it looks different from the one in the link you gave me:

import base64
import os

from sqlalchemy.sql.expression import func

from globaleaks.models import Config, InternalTipData, SubmissionStatus, User


def db_fix_tip_data(session):
    # Fix for issue: https://github.com/globaleaks/GlobaLeaks/issues/2612
    # The bug is due to the fact that the data was initially saved as an array of one entry
    for data in session.query(InternalTipData).filter(InternalTipData.key == 'whistleblower_identity',
                                                      InternalTipData.encrypted == False):
        if isinstance(data.value, list):
            data.value = data.value[0]


def db_fix_statuses(session):
    # Rename the legacy 'open' system status to 'opened'
    items = session.query(SubmissionStatus).filter(SubmissionStatus.system_usage == u'open')
    for item in items:
        item.system_usage = u'opened'
        item.label = {'en': u'Opened'}


def db_fix_users(session):
    # Repair password hashes that were stored as the Python 3 repr of a bytes
    # object ("b'...'", 47 characters in total) instead of the bare text;
    # such a value never matches at login.
    items = session.query(User).filter(func.length(User.password) == 47)
    for item in items:
        if item.password.startswith("b'") and item.password.endswith("'"):
            item.password = item.password[2:-1]


def db_fix(session):
    db_fix_statuses(session)
    db_fix_users(session)
    db_fix_tip_data(session)

Adriano
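The `db_fix_users` function above repairs rows whose password column holds the Python 3 repr of a bytes object (`b'...'`) rather than the hash text itself; that is the kind of defect that makes every stored hash fail to verify at once. The following is an added example, not code from this thread or from the GlobaLeaks project: it reproduces the defect (`str()` on a bytes value), shows why strict verification then fails, and repairs the value by its shape rather than by the fixed length of 47 that the migration on the page relies on, so hashes of any length affected by the same bug are caught. The scrypt parameters, the base64 text encoding of the hash and the salt are assumptions for the example; the page does not state what GlobaLeaks uses.

```python
import base64
import hashlib
import hmac
import re

# A stored hash that is really the Python 3 repr of a bytes object:
# "b'" + base64 text + "'". Matching on shape, not length, generalizes the
# 47-character check used by the migration in the thread.
_BYTES_REPR = re.compile(r"^b'([A-Za-z0-9+/=]+)'$")


def derive(password, salt):
    """Derive the password hash as base64 bytes.

    scrypt parameters and the base64 encoding are assumptions for this
    example, not GlobaLeaks' own choices.
    """
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=2 ** 14, r=8, p=1, dklen=32)
    return base64.b64encode(digest)


def store_correct(password, salt):
    """Decode the bytes to text before storing: this is the right shape."""
    return derive(password, salt).decode("ascii")


def store_buggy(password, salt):
    """Reproduce the defect: str() on bytes yields its repr, "b'...'"."""
    return str(derive(password, salt))


def needs_repair(stored):
    """True if the stored value carries the stray b'...' wrapper."""
    return _BYTES_REPR.match(stored) is not None


def repair_stored_hash(stored):
    """Strip the wrapper if present; values already in the right shape are untouched."""
    m = _BYTES_REPR.match(stored)
    return m.group(1) if m else stored


def verify_password(password, salt, stored):
    """Strict, constant-time comparison against the stored text, as a login check would do."""
    return hmac.compare_digest(store_correct(password, salt), stored)


if __name__ == "__main__":
    salt = b"0123456789abcdef"          # constructed sample salt
    bad = store_buggy("correct horse", salt)
    print(len(bad), needs_repair(bad), verify_password("correct horse", salt, bad))
    fixed = repair_stored_hash(bad)
    print(verify_password("correct horse", salt, fixed))
```

With a 32-byte digest the buggy value is exactly 47 characters long (two for `b'`, 44 of base64, one closing quote), which is where the migration's `func.length(User.password) == 47` filter comes from; the regular expression above does not depend on that.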

@gneotel: release 3.6.13 is now out, try just to update to it.

Best,

Giovanni Pellerano