107 lines
3.9 KiB
Python
107 lines
3.9 KiB
Python
# This module can load passwords from external sources, such as files or
|
|
# environment variables or KWallet (and no, *not* libsecret -- as much as I
|
|
# want to use the nifty gi-based libsecret API...).
|
|
#
|
|
# It deals with strings (the lowest common denominator), but it's really meant
|
|
# to be used for storing Base64-encoded keys and not raw passwords.
|
|
|
|
import dbus
|
|
import os
|
|
import re
|
|
import subprocess
|
|
|
|
class KWalletClient():
|
|
app_id = "org.eu.nullroute.Secretsd"
|
|
folder = "Passwords"
|
|
|
|
def __init__(self):
|
|
self.bus = dbus.SessionBus()
|
|
self.mgr = self.bus.get_object("org.kde.kwalletd5", "/modules/kwalletd5")
|
|
self.mgr = dbus.Interface(self.mgr, "org.kde.KWallet")
|
|
|
|
def __enter__(self):
|
|
self.wallet = self.mgr.localWallet()
|
|
self.handle = self.mgr.open(self.wallet, 0, self.app_id)
|
|
return self
|
|
|
|
def __exit__(self, *argv):
|
|
self.mgr.disconnectApplication(self.wallet, self.app_id)
|
|
|
|
def get_password(self, name):
|
|
if self.mgr.hasEntry(self.handle, self.folder, name, self.app_id):
|
|
return str(self.mgr.readPassword(self.handle, self.folder, name, self.app_id))
|
|
else:
|
|
raise KeyError(name)
|
|
|
|
def set_password(self, name, value):
|
|
self.mgr.writePassword(self.handle, self.folder, name, value, self.app_id)
|
|
|
|
def _parse_specifier(source):
|
|
m = re.match(r"^(\w+):(.*)", source)
|
|
if m:
|
|
return m.groups()
|
|
else:
|
|
# Too easy to end up saving keys in a file named 'kwallet'...
|
|
#return "file", source
|
|
raise ValueError("key location must be specified as 'type:rest'")
|
|
|
|
def load_ext_key(source):
|
|
kind, rest = _parse_specifier(source)
|
|
if kind == "env":
|
|
return os.environ[rest]
|
|
elif kind == "exec":
|
|
res = subprocess.run(rest, shell=True,
|
|
stdin=subprocess.DEVNULL,
|
|
stdout=subprocess.PIPE,
|
|
check=True)
|
|
return res.stdout.decode().strip()
|
|
elif kind == "file":
|
|
with open(rest, "r") as fh:
|
|
return fh.read().strip()
|
|
elif kind == "kwallet":
|
|
with KWalletClient() as kw:
|
|
return kw.get_password(rest or "secretsd master key")
|
|
elif kind == "libsecret":
|
|
raise ValueError("cannot load external key from myself")
|
|
else:
|
|
raise ValueError("unknown external key source %r" % kind)
|
|
|
|
def store_ext_key(source, key):
|
|
kind, rest = _parse_specifier(source)
|
|
if kind == "env":
|
|
raise ValueError("environment is volatile storage, cannot store keys there")
|
|
elif kind == "exec":
|
|
# XXX: Should there be a way to distinguish whether the command is
|
|
# invoked for load vs store, or should I just remove storing to exec:
|
|
# because this is an advanced operation and the user can just emulate
|
|
# it with a temporary file?
|
|
res = subprocess.run(rest, shell=True,
|
|
input=key.encode(),
|
|
check=True)
|
|
elif kind == "file":
|
|
with open(rest, "w", opener=lambda p, f: os.open(p, f, 0o400)) as fh:
|
|
fh.write(key)
|
|
elif kind == "kwallet":
|
|
with KWalletClient() as kw:
|
|
kw.set_password(rest or "secretsd master key", key)
|
|
elif kind == "libsecret":
|
|
raise ValueError("cannot store external key in myself")
|
|
else:
|
|
raise ValueError("unknown external key source %r" % kind)
|
|
|
|
if __name__ == "__main__":
|
|
import argparse
|
|
|
|
parser = argparse.ArgumentParser()
|
|
parser.add_argument("specifier")
|
|
parser.add_argument("--store-key", metavar="KEY", help="store the specified key (as text)")
|
|
args = parser.parse_args()
|
|
|
|
arg = args.specifier
|
|
if key := args.store_key:
|
|
print(f"Storing key {key!r} to {arg!r}")
|
|
store_ext_key(arg, key)
|
|
print(f"Retrieving key from {arg!r}")
|
|
key = load_ext_key(arg)
|
|
print(f"The key is {key!r}")
|