From f9097a0215166ea9336d234c11ef732a7d8fceea Mon Sep 17 00:00:00 2001 From: Ross Patterson Date: Mon, 27 Dec 2021 22:45:22 -0800 Subject: [PATCH] fix(auth): Fix broken PAS plugin config at root Outside of the context of a Plone site, there usually isn't a `plone.keyring.interfaces.IKeyManager` but the GenericSetup "various" import step that adds the JWT token plugin to the Zope root `/acl_users` leaves the default keyring plugin setting which results in the following when authenticating to the Zope root: 2021-12-27 11:25:39,451 ERROR [Zope.SiteErrorLog:22][waitress-3] ComponentLookupError: http://localhost:49080/api/acl_users/credentials_cookie_auth/login Traceback (innermost last): Module ZPublisher.WSGIPublisher, line 162, in transaction_pubevents Module ZPublisher.WSGIPublisher, line 372, in publish_module Module ZPublisher.WSGIPublisher, line 266, in publish Module ZPublisher.mapply, line 85, in mapply Module ZPublisher.WSGIPublisher, line 63, in call_object Module Products.PluggableAuthService.plugins.CookieAuthHelper, line 279, in login Module Products.PluggableAuthService.PluggableAuthService, line 1153, in updateCredentials Module plone.restapi.pas.plugin, line 165, in updateCredentials Module plone.restapi.pas.plugin, line 260, in create_payload_token Module plone.restapi.pas.plugin, line 230, in _signing_secret Module zope.component._api, line 165, in getUtility zope.interface.interfaces.ComponentLookupError: (, '') Fix this by doing an interface for the Plone portal and changing that configuration setting if not being installed into a Plone portal. --- src/plone/restapi/setuphandlers.py | 2 ++ src/plone/restapi/upgrades/to0007.py | 6 ++++++ 2 files changed, 8 insertions(+)
diff --git a/src/plone/restapi/setuphandlers.py b/src/plone/restapi/setuphandlers.py
index a1a3948172..7b01de357f 100644
--- a/src/plone/restapi/setuphandlers.py
+++ b/src/plone/restapi/setuphandlers.py
@@ -46,6 +46,8 @@ def install_pas_plugin(context):
 "ICredentialsResetPlugin",
 ],
 )
+ if not is_plone_site:
+ plugin.use_keyring = False
 def post_install_default(context):
diff --git a/src/plone/restapi/upgrades/to0007.py b/src/plone/restapi/upgrades/to0007.py
index c315766a5f..0c3af18424 100644
--- a/src/plone/restapi/upgrades/to0007.py
+++ b/src/plone/restapi/upgrades/to0007.py
@@ -22,6 +22,12 @@ def enable_new_pas_plugin_interfaces(context):
 portal = getToolByName(context, "portal_url").getPortalObject()
 for uf, is_plone_site in pas.iter_ancestor_pas(portal):
 for jwt_plugin in uf.objectValues(plugin.JWTAuthenticationPlugin.meta_type):
+ if not is_plone_site and jwt_plugin.use_keyring:
+ logger.info(
+ "Disabling keyring for plugin outside of Plone: %s",
+ "/".join(jwt_plugin.getPhysicalPath()),
+ )
+ jwt_plugin.use_keyring = False
 for new_iface in (
 plugins_ifaces.ICredentialsUpdatePlugin,
 plugins_ifaces.ICredentialsResetPlugin,
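Review bot: The new `if not is_plone_site:` branch at the end of `install_pas_plugin` switches the token signing source silently and with no explanation in the code; a comment such as `# No IKeyManager utility is registered outside a Plone site, so the plugin must not look its signing secret up in the keyring` would tell the next reader why the flag is cleared. The upgrade step in `to0007.py` logs the physical path of every plugin it reconfigures, and the install step could log the same so operators can see which `/acl_users` was affected. With `use_keyring` off the plugin presumably falls back to a secret of its own (`_signing_secret` is not part of this patch), which would not follow keyring rotation, so that deserves a line in the documentation. The body of `install_pas_plugin` starts outside the hunk, so whether `plugin` can be a pre-existing, already configured plugin at this point cannot be checked from these lines.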
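Review bot: `logger` is called in the added `logger.info(...)` but nothing in this patch defines it: the diffstat gives 6 insertions for `to0007.py` and all six are inside this hunk, so the module must already have a module-level logger, otherwise the upgrade step raises `NameError` on the first non-Plone `acl_users` it meets. Please confirm that something like `logger = logging.getLogger(__name__)` exists near the imports. Separately, clearing `use_keyring` on an existing plugin changes the secret its tokens are verified against, so a token issued while a keyring was reachable would likely stop validating after the upgrade; if that is intended, say so in the log message or the upgrade notes. The enclosing function starts outside the hunk and the `for new_iface in (` loop continues past its end.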