load_key: no key is same as empty key, fixes #6441

when migrating from repokey to keyfile, we just store an empty key into the repo config,
because we do not have a "delete key" RPC api. thus, empty key means "there is no key".

here we fix load_key, so that it does not behave differently for no key and empty key:
in both cases, it just returns an empty value.

additionally, we strip the value we get from the config, so whitespace does not matter.

All callers now check for the repokey not being empty, otherwise RepoKeyNotFoundError
is raised.

src/borg/crypto/key.py

@@ -617,11 +617,11 @@ class FlexiKey:
             raise KeyfileNotFoundError(self.repository._location.canonical_path(), get_keys_dir())
         elif self.STORAGE == KeyBlobStorage.REPO:
             loc = self.repository._location.canonical_path()
-            try:
-                self.repository.load_key()
-                return loc
-            except configparser.NoOptionError:
+            key = self.repository.load_key()
+            if not key:
+                # if we got an empty key, it means there is no key.
                 raise RepoKeyNotFoundError(loc) from None
+            return loc
         else:
             raise TypeError('Unsupported borg key storage type')
 
@@ -681,6 +681,10 @@ class FlexiKey:
             # what we get in target is just a repo location, but we already have the repo obj:
             target = self.repository
             key_data = target.load_key()
+            if not key_data:
+                # if we got an empty key, it means there is no key.
+                loc = target._location.canonical_path()
+                raise RepoKeyNotFoundError(loc) from None
             key_data = key_data.decode('utf-8')  # remote repo: msgpack issue #99, getting bytes
         else:
             raise TypeError('Unsupported borg key storage type')

src/borg/crypto/keymanager.py

@@ -7,7 +7,7 @@ from hashlib import sha256
 from ..helpers import Manifest, NoManifestError, Error, yes, bin_to_hex, dash_open
 from ..repository import Repository
 
-from .key import KeyfileKey, KeyfileNotFoundError, KeyBlobStorage, identify_key
+from .key import KeyfileKey, KeyfileNotFoundError, RepoKeyNotFoundError, KeyBlobStorage, identify_key
 
 
 class UnencryptedRepo(Error):
@@ -56,7 +56,12 @@ class KeyManager:
                 self.keyblob = ''.join(fd.readlines()[1:])
 
         elif self.keyblob_storage == KeyBlobStorage.REPO:
-            self.keyblob = self.repository.load_key().decode()
+            key_data = self.repository.load_key().decode()
+            if not key_data:
+                # if we got an empty key, it means there is no key.
+                loc = self.repository._location.canonical_path()
+                raise RepoKeyNotFoundError(loc) from None
+            self.keyblob = key_data
 
     def store_keyblob(self, args):
         if self.keyblob_storage == KeyBlobStorage.KEYFILE:

src/borg/repository.py

@@ -343,7 +343,7 @@ class Repository:
         self.save_config(self.path, self.config)
 
     def load_key(self):
-        keydata = self.config.get('repository', 'key')
+        keydata = self.config.get('repository', 'key', fallback='').strip()
         # note: if we return an empty string, it means there is no repo key
         return keydata.encode('utf-8')  # remote repo: msgpack issue #99, returning bytes