# HG changeset patch
# User Thomas Junk
# Date 1559116602 -7200
# Node ID c64c47ff2ab10546b50fa8cc6046302089575e9c
# Parent 4d7b481e1d392cd68c48a4ad19fc2865110e724e
import: fix for passwordleakage. No passwords are received/sent if configuration is edited.
diff -r 4d7b481e1d39 -r c64c47ff2ab1 client/src/components/importconfiguration/ScheduledImports.vue
--- a/client/src/components/importconfiguration/ScheduledImports.vue Tue May 28 17:12:02 2019 +0200
+++ b/client/src/components/importconfiguration/ScheduledImports.vue Wed May 29 09:56:42 2019 +0200
@@ -393,6 +393,7 @@
-
+
Please enter a Password */ + +import { mapState } from "vuex"; export default { name: "distancemarksvirtual", props: ["url", "username", "password"],
@@ -94,6 +99,10 @@
 };
 },
 computed: {
+ ...mapState("importschedule", [
+ "importScheduleDetailVisible",
+ "currentSchedule"
+ ]),
 showPassword() {
 if (this.passwordVisible) return "text";
 return "password";
diff -r 4d7b481e1d39 -r c64c47ff2ab1 client/src/components/importconfiguration/types/Waterwaygauges.vue
--- a/client/src/components/importconfiguration/types/Waterwaygauges.vue Tue May 28 17:12:02 2019 +0200
+++ b/client/src/components/importconfiguration/types/Waterwaygauges.vue Wed May 29 09:56:42 2019 +0200
@@ -59,7 +59,10 @@
-
+
Please enter a Password */ + +import { mapState } from "vuex"; + export default { name: "waterwaygauges", props: ["username", "password", "url"],
@@ -94,6 +100,10 @@
 };
 },
 computed: {
+ ...mapState("importschedule", [
+ "importScheduleDetailVisible",
+ "currentSchedule"
+ ]),
 showPassword() {
 if (this.passwordVisible) return "text";
 return "password";
diff -r 4d7b481e1d39 -r c64c47ff2ab1 pkg/controllers/importconfig.go
--- a/pkg/controllers/importconfig.go Tue May 28 17:12:02 2019 +0200
+++ b/pkg/controllers/importconfig.go Wed May 29 09:56:42 2019 +0200
@@ -177,9 +177,19 @@
 return
 }
- what := ctor()
+ // Remove `password` from the attributes to be delivered to the client.
+ // Even a priviledged user shall not be able to see the password.
+ // (See config.ListAllPersistentConfigurationsContext() for the other
+ // place where this is done.)
+ filteredAttributes := make(common.Attributes)
+ for key, value := range cfg.Attributes {
+ if key != "password" {
+ filteredAttributes[key] = value
+ }
+ }
- if err = cfg.Attributes.Unmarshal(what); err != nil {
+ what := ctor()
+ if err = filteredAttributes.Unmarshal(what); err != nil {
 return
 }
diff -r 4d7b481e1d39 -r c64c47ff2ab1 pkg/imports/config.go
--- a/pkg/imports/config.go Tue May 28 17:12:02 2019 +0200
+++ b/pkg/imports/config.go Wed May 29 09:56:42 2019 +0200
@@ -269,7 +269,12 @@
 if pc.Attributes == nil {
 pc.Attributes = common.Attributes{}
 }
- pc.Attributes.Set(k.String, v.String)
+ // Prevent sending the `password` back to the client.
+ // (See importconfig.infoImportConfig() for the other place
+ // where this is done.)
+ if k.String != "password" {
+ pc.Attributes.Set(k.String, v.String)
+ }
 }
 }
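Review bot: The secret attribute is identified by the bare literal `"password"` in the filter loop here and again in the pkg/imports/config.go hunk, so the two sites can drift apart, and any other credential-like attribute a later import type stores would still be unmarshalled into `what` and delivered to the client. Consider one shared helper next to `common.Attributes` that both places call, driven by a single list of secret keys, so that covering a new secret field is a one-line change. The commit message also says passwords are no longer received on edit; the handler that stores an edited configuration is outside this hunk, so please confirm it keeps the stored password when the client omits the field rather than replacing it with an empty value. Minor: the comment should read `// Even a privileged user shall not be able to see the password.` The enclosing function starts and ends outside the hunk.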
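Review bot: Skipping `password` inside the row loop strips it for every caller of this listing function, not only for the HTTP response that the comment is concerned with. If any server-side code builds a runnable import job from this function's result, that job would now be created without its credentials; the callers are not visible in this hunk, so this needs checking. If such a caller exists, redact at the response boundary and keep the loader complete; if none does, excluding the key in the query itself would avoid reading the secret into memory on this path at all. The enclosing function starts and ends outside the hunk.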