aspera-cli 4.4.0 → 4.7.0

data/lib/aspera/fasp/resume_policy.rb

@@ -1,3 +1,4 @@
+# frozen_string_literal: true
 require 'singleton'
 require 'aspera/log'
 
@@ -5,13 +6,12 @@ module Aspera
   module Fasp
     # implements a simple resume policy
     class ResumePolicy
-
       # list of supported parameters and default values
       DEFAULTS={
-        :iter_max      => 7,
-        :sleep_initial => 2,
-        :sleep_factor  => 2,
-        :sleep_max     => 60
+        iter_max:       7,
+        sleep_initial:  2,
+        sleep_factor:   2,
+        sleep_max:      60
       }
 
       # @param params see DEFAULTS
@@ -20,12 +20,9 @@ module Aspera
         if !params.nil?
           raise "expecting Hash (or nil), but have #{params.class}" unless params.is_a?(Hash)
           params.each do |k,v|
-            if DEFAULTS.has_key?(k)
-              raise "#{k} must be Integer" unless v.is_a?(Integer)
-              @parameters[k]=v
-            else
-              raise "unknown resume parameter: #{k}, expect one of #{DEFAULTS.keys.map{|i|i.to_s}.join(",")}"
-            end
+            raise "unknown resume parameter: #{k}, expect one of #{DEFAULTS.keys.map(&:to_s).join(',')}" unless DEFAULTS.has_key?(k)
+            raise "#{k} must be Integer" unless v.is_a?(Integer)
+            @parameters[k]=v
           end
         end
         Log.log.debug("resume params=#{@parameters}")
@@ -45,9 +42,9 @@ module Aspera
             block.call
             break
           rescue Fasp::Error => e
-            Log.log.warn("An error occured: #{e.message}" );
+            Log.log.warn("An error occured: #{e.message}");
             # failure in ascp
-            if e.retryable? then
+            if e.retryable?
               # exit if we exceed the max number of retry
               raise Fasp::Error,'Maximum number of retry reached' if remaining_resumes <= 0
             else
@@ -61,7 +58,7 @@ module Aspera
 
           # take this retry in account
           remaining_resumes-=1
-          Log.log.warn( "resuming in  #{sleep_seconds} seconds (retry left:#{remaining_resumes})" );
+          Log.log.warn("resuming in  #{sleep_seconds} seconds (retry left:#{remaining_resumes})");
 
           # wait a bit before retrying, maybe network condition will be better
           sleep(sleep_seconds)

data/lib/aspera/fasp/transfer_spec.rb

@@ -0,0 +1,26 @@
+# frozen_string_literal: true
+require 'aspera/fasp/parameters'
+
+module Aspera
+  module Fasp
+    # parameters for Transfer Spec
+    class TransferSpec
+      # default transfer username for access key based transfers
+      ACCESS_KEY_TRANSFER_USER='xfer'
+      SSH_PORT=33_001
+      UDP_PORT=33_001
+      AK_TSPEC_BASE={
+        'remote_user' => ACCESS_KEY_TRANSFER_USER,
+        'ssh_port'    => SSH_PORT,
+        'fasp_port'   => UDP_PORT
+      }
+      # define constants for enums of parameters: <paramater>_<enum>, e.g. CIPHER_AES_128
+      Aspera::Fasp::Parameters.description.each do |k,v|
+        next unless v[:enum].is_a?(Array)
+        v[:enum].each do |enum|
+          TransferSpec.const_set("#{k.to_s.upcase}_#{enum.upcase.gsub(/[^A-Z0-9]/,'_')}", enum.freeze)
+        end
+      end
+    end
+  end
+end

data/lib/aspera/fasp/uri.rb

@@ -1,3 +1,4 @@
+# frozen_string_literal: true
 require 'aspera/log'
 require 'aspera/command_line_builder'
 
@@ -15,33 +16,33 @@ module Aspera
         result_ts['remote_host']=@fasp_uri.host
         result_ts['remote_user']=@fasp_uri.user
         result_ts['ssh_port']=@fasp_uri.port
-        result_ts['paths']=[{"source"=>URI.decode_www_form_component(@fasp_uri.path)}]
+        result_ts['paths']=[{'source'=>URI.decode_www_form_component(@fasp_uri.path)}]
         # faspex does not encode trailing base64 encoded tags, fix that
         fixed_query = @fasp_uri.query.gsub(/(=+)$/){|x|'%3D'*x.length}
 
-        URI::decode_www_form(fixed_query).each do |i|
+        URI.decode_www_form(fixed_query).each do |i|
           name=i[0]
           value=i[1]
           case name
-          when 'cookie'; result_ts['cookie']=value
-          when 'token'; result_ts['token']=value
-          when 'policy'; result_ts['rate_policy']=value
-          when 'httpport'; result_ts['http_fallback_port']=value.to_i
-          when 'targetrate'; result_ts['target_rate_kbps']=value.to_i
-          when 'minrate'; result_ts['min_rate_kbps']=value.to_i
-          when 'port'; result_ts['fasp_port']=value.to_i
-          when 'enc'; result_ts['cipher']=value.gsub('-','') # aes-128 -> aes128
-          when 'tags64'; result_ts['tags']=JSON.parse(Base64.strict_decode64(value))
-          when 'bwcap'; result_ts['target_rate_cap_kbps']=value.to_i
-          when 'createpath'; result_ts['create_dir']=CommandLineBuilder.yes_to_true(value)
-          when 'fallback'; result_ts['http_fallback']=CommandLineBuilder.yes_to_true(value)
-          when 'lockpolicy'; result_ts['lock_rate_policy']=CommandLineBuilder.yes_to_true(value)
-          when 'lockminrate'; result_ts['lock_min_rate']=CommandLineBuilder.yes_to_true(value)
-          when 'sshfp'; result_ts['sshfp']=value
-          when 'auth'; Log.log.debug("ignoring #{name}=#{value}") # TODO: translate into transfer spec ? yes/no
-          when 'v'; Log.log.debug("ignoring #{name}=#{value}") # TODO: translate into transfer spec ? 2
-          when 'protect'; Log.log.debug("ignoring #{name}=#{value}") # TODO: translate into transfer spec ?
-          else Log.log.error("non managed URI value: #{name} = #{value}")
+          when 'cookie' then result_ts['cookie']=value
+          when 'token' then result_ts['token']=value
+          when 'sshfp' then result_ts['sshfp']=value
+          when 'policy' then result_ts['rate_policy']=value
+          when 'httpport' then result_ts['http_fallback_port']=value.to_i
+          when 'targetrate' then result_ts['target_rate_kbps']=value.to_i
+          when 'minrate' then result_ts['min_rate_kbps']=value.to_i
+          when 'port' then result_ts['fasp_port']=value.to_i
+          when 'bwcap' then result_ts['target_rate_cap_kbps']=value.to_i
+          when 'enc' then result_ts['cipher']=value.gsub(/^aes/,'aes-').gsub(/cfb$/,'-cfb').gsub(/gcm$/,'-gcm').gsub(/--/,'-')
+          when 'tags64' then result_ts['tags']=JSON.parse(Base64.strict_decode64(value))
+          when 'createpath' then result_ts['create_dir']=CommandLineBuilder.yes_to_true(value)
+          when 'fallback' then result_ts['http_fallback']=CommandLineBuilder.yes_to_true(value)
+          when 'lockpolicy' then result_ts['lock_rate_policy']=CommandLineBuilder.yes_to_true(value)
+          when 'lockminrate' then result_ts['lock_min_rate']=CommandLineBuilder.yes_to_true(value)
+          when 'auth' then Log.log.debug("ignoring auth #{name}=#{value}") # TODO: translate into transfer spec ? yes/no
+          when 'v' then Log.log.debug("ignoring v #{name}=#{value}") # TODO: translate into transfer spec ? 2
+          when 'protect' then Log.log.debug("ignoring protect #{name}=#{value}") # TODO: translate into transfer spec ?
+          else Log.log.warn("URI parameter ignored: #{name} = #{value}")
           end
         end
         return result_ts

data/lib/aspera/faspex_gw.rb

@@ -1,6 +1,7 @@
+# frozen_string_literal: true
 require 'aspera/log'
 require 'aspera/aoc'
-require 'aspera/node'
+require 'aspera/fasp/transfer_spec'
 require 'aspera/cli/main'
 require 'webrick'
 require 'webrick/https'
@@ -12,7 +13,8 @@ module Aspera
   # this class answers the Faspex /send API and creates a package on Aspera on Cloud
   class FaspexGW
     class FxGwServlet < WEBrick::HTTPServlet::AbstractServlet
-      def initialize(server,a_aoc_api_user,a_workspace_id)
+      def initialize(_server,a_aoc_api_user,a_workspace_id)
+        super
         @aoc_api_user=a_aoc_api_user
         @aoc_workspace_id=a_workspace_id
       end
@@ -30,27 +32,27 @@ module Aspera
       #      }
       #    }
       def process_faspex_send(request, response)
-        raise "no payload" if request.body.nil?
+        raise 'no payload' if request.body.nil?
         faspex_pkg_parameters=JSON.parse(request.body)
         faspex_pkg_delivery=faspex_pkg_parameters['delivery']
-        Log.log.debug "faspex pkg create parameters=#{faspex_pkg_parameters}"
+        Log.log.debug("faspex pkg create parameters=#{faspex_pkg_parameters}")
 
         # get recipient ids
         files_pkg_recipients=[]
         faspex_pkg_delivery['recipients'].each do |recipient_email|
-          user_lookup=@aoc_api_user.read("contacts",{'current_workspace_id'=>@aoc_workspace_id,'q'=>recipient_email})[:data]
-          raise StandardError,"no such unique user: #{recipient_email} / #{user_lookup}" unless !user_lookup.nil? and user_lookup.length == 1
+          user_lookup=@aoc_api_user.read('contacts',{'current_workspace_id'=>@aoc_workspace_id,'q'=>recipient_email})[:data]
+          raise StandardError,"no such unique user: #{recipient_email} / #{user_lookup}" unless !user_lookup.nil? && user_lookup.length.eql?(1)
           recipient_user_info=user_lookup.first
-          files_pkg_recipients.push({"id"=>recipient_user_info['source_id'],"type"=>recipient_user_info['source_type']})
+          files_pkg_recipients.push({'id'=>recipient_user_info['source_id'],'type'=>recipient_user_info['source_type']})
         end
 
         #  create a new package with one file
-        the_package=@aoc_api_user.create("packages",{
-          "file_names"=>faspex_pkg_delivery['sources'][0]['paths'],
-          "name"=>faspex_pkg_delivery['title'],
-          "note"=>faspex_pkg_delivery['note'],
-          "recipients"=>files_pkg_recipients,
-          "workspace_id"=>@aoc_workspace_id})[:data]
+        the_package=@aoc_api_user.create('packages',{
+          'file_names'  =>faspex_pkg_delivery['sources'][0]['paths'],
+          'name'        =>faspex_pkg_delivery['title'],
+          'note'        =>faspex_pkg_delivery['note'],
+          'recipients'  =>files_pkg_recipients,
+          'workspace_id'=>@aoc_workspace_id})[:data]
 
         #  get node information for the node on which package must be created
         node_info=@aoc_api_user.read("nodes/#{the_package['node_id']}")[:data]
@@ -59,50 +61,50 @@ module Aspera
         node_auth_bearer_token=@aoc_api_user.oauth_token(scope: AoC.node_scope(node_info['access_key'],AoC::SCOPE_NODE_USER))
 
         # tell Files what to expect in package: 1 transfer (can also be done after transfer)
-        @aoc_api_user.update("packages/#{the_package['id']}",{"sent"=>true,"transfers_expected"=>1})
+        @aoc_api_user.update("packages/#{the_package['id']}",{'sent'=>true,'transfers_expected'=>1})
+
+        # to return an error:
+        # response.status=400
+        # return 'ERROR HERE'
 
-        if false
-          response.status=400
-          return "ERROR HERE"
-        end
         # TODO: check about xfer_*
         ts_tags={
-          "aspera" => {
-          "files"      => { "package_id" => the_package['id'], "package_operation" => "upload" },
-          "node"       => { "access_key" => node_info['access_key'], "file_id" => the_package['contents_file_id'] },
-          "xfer_id"    => SecureRandom.uuid,
-          "xfer_retry" => 3600 } }
+          'aspera' => {
+          'files'      => { 'package_id' => the_package['id'], 'package_operation' => 'upload' },
+          'node'       => { 'access_key' => node_info['access_key'], 'file_id' => the_package['contents_file_id'] },
+          'xfer_id'    => SecureRandom.uuid,
+          'xfer_retry' => 3600 } }
         # this transfer spec is for transfer to AoC
         faspex_transfer_spec={
           'direction'   => 'send',
           'remote_host' => node_info['host'],
-          'remote_user' => Node::ACCESS_KEY_TRANSFER_USER,
-          'ssh_port'    => Node::SSH_PORT_DEFAULT,
-          'fasp_port'   => Node::UDP_PORT_DEFAULT
+          'remote_user' => Fasp::TransferSpec::ACCESS_KEY_TRANSFER_USER,
+          'ssh_port'    => Fasp::TransferSpec::SSH_PORT,
+          'fasp_port'   => Fasp::TransferSpec::UDP_PORT,
           'tags'        => ts_tags,
           'token'       => node_auth_bearer_token,
           'paths'       => [{'destination' => '/'}],
           'cookie'      => 'unused',
           'create_dir'  => true,
           'rate_policy' => 'fair',
-          'rate_policy_allowed' => 'fixed',
-          'min_rate_cap_kbps' => nil,
-          'min_rate_kbps' => 0,
+          'rate_policy_allowed'  => 'fixed',
+          'min_rate_cap_kbps'    => nil,
+          'min_rate_kbps'        => 0,
           'target_rate_percentage' => nil,
-          'lock_target_rate' => nil,
-          'fasp_url' => 'unused',
-          'lock_min_rate' => true,
-          'lock_rate_policy' => true,
-          'source_root' => '',
-          'content_protection' => nil,
-          'target_rate_cap_kbps' => 20000, # TODO
-          'target_rate_kbps' => 10000, # TODO
-          'cipher' => 'aes-128',
-          'cipher_allowed' => nil,
-          'http_fallback' => false,
-          'http_fallback_port' => nil,
-          'https_fallback_port' => nil,
-          'destination_root' => '/'
+          'lock_target_rate'     => nil,
+          'fasp_url'             => 'unused',
+          'lock_min_rate'        => true,
+          'lock_rate_policy'     => true,
+          'source_root'          => '',
+          'content_protection'   => nil,
+          'target_rate_cap_kbps' => 20_000, # TODO: is this value useful ?
+          'target_rate_kbps'     => 10_000, # TODO: get from where?
+          'cipher'               => 'aes-128',
+          'cipher_allowed'       => nil,
+          'http_fallback'        => false,
+          'http_fallback_port'   => nil,
+          'https_fallback_port'  => nil,
+          'destination_root'     => '/'
         }
         # but we place it in a Faspex package creation response
         faspex_package_create_result={
@@ -111,28 +113,27 @@ module Aspera
         }
         Log.log.info("faspex_package_create_result=#{faspex_package_create_result}")
         response.status=200
-        response.content_type = "application/json"
+        response.content_type = 'application/json'
         response.body=JSON.generate(faspex_package_create_result)
       end
 
-      def do_GET (request, response)
+      def do_GET(request, response) # rubocop:disable Naming/MethodName
         case request.path
         when '/aspera/faspex/send'
           process_faspex_send(request, response)
         else
           response.status=400
-          return "ERROR HERE"
-          raise "unsupported path: #{request.path}"
+          return 'ERROR HERE'
         end
       end
     end # FxGwServlet
 
     class NewUserServlet < WEBrick::HTTPServlet::AbstractServlet
-      def do_GET (request, response)
+      def do_GET(request, response) # rubocop:disable Naming/MethodName
         case request.path
         when '/newuser'
           response.status=200
-          response.content_type = "text/html"
+          response.content_type = 'text/html'
           response.body='<html><body>hello world</body></html>'
         else
           raise "unsupported path: [#{request.path}]"
@@ -140,49 +141,14 @@ module Aspera
       end
     end
 
-    def fill_self_signed_cert(options)
-      key = OpenSSL::PKey::RSA.new(4096)
-      cert = OpenSSL::X509::Certificate.new
-      cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/C=FR/O=Test/OU=Test/CN=Test")
-      cert.not_before = Time.now
-      cert.not_after = Time.now + 365 * 24 * 60 * 60
-      cert.public_key = key.public_key
-      cert.serial = 0x0
-      cert.version = 2
-      ef = OpenSSL::X509::ExtensionFactory.new
-      ef.issuer_certificate = cert
-      ef.subject_certificate = cert
-      cert.extensions = [
-        ef.create_extension("basicConstraints","CA:TRUE", true),
-        ef.create_extension("subjectKeyIdentifier", "hash"),
-        # ef.create_extension("keyUsage", "cRLSign,keyCertSign", true),
-      ]
-      cert.add_extension(ef.create_extension("authorityKeyIdentifier","keyid:always,issuer:always"))
-      cert.sign(key, OpenSSL::Digest::SHA256.new)
-      options[:SSLPrivateKey]  = key
-      options[:SSLCertificate] = cert
-    end
-
     def initialize(a_aoc_api_user,a_workspace_id)
       webrick_options = {
-        :app                => FaspexGW,
-        :Port               => 9443,
-        :Logger             => Log.log,
-        #:DocumentRoot       => Cli::Main.gem_root,
-        :SSLEnable          => true,
-        :SSLVerifyClient    => OpenSSL::SSL::VERIFY_NONE,
+        Port:                9443,
+        Logger:              Log.log,
+        SSLEnable:           true,
+        SSLVerifyClient:     OpenSSL::SSL::VERIFY_NONE,
+        SSLCertName:         [['CN',WEBrick::Utils.getservername]]
       }
-      case 2
-      when 0
-        # generate self signed cert
-        webrick_options[:SSLCertName]    = [ [ 'CN',WEBrick::Utils::getservername ] ]
-        Log.log.error(">>>#{webrick_options[:SSLCertName]}")
-      when 1
-        fill_self_signed_cert(webrick_options)
-      when 2
-        webrick_options[:SSLPrivateKey] =OpenSSL::PKey::RSA.new(File.read('/Users/laurent/workspace/Tools/certificate/myserver.key'))
-        webrick_options[:SSLCertificate] = OpenSSL::X509::Certificate.new(File.read('/Users/laurent/workspace/Tools/certificate/myserver.crt'))
-      end
       Log.log.info("Server started on port #{webrick_options[:Port]}")
       @server = WEBrick::HTTPServer.new(webrick_options)
       @server.mount('/aspera/faspex', FxGwServlet,a_aoc_api_user,a_workspace_id)

data/lib/aspera/hash_ext.rb

@@ -1,3 +1,4 @@
+# frozen_string_literal: true
 # for older rubies
 unless Hash.method_defined?(:dig)
   class Hash
@@ -11,18 +12,18 @@ end
 
 class ::Hash
   def deep_merge(second)
-    self.merge(second){|key,v1,v2|Hash===v1&&Hash===v2 ? v1.deep_merge(v2) : v2}
+    merge(second){|_key,v1,v2|Hash===v1&&Hash===v2 ? v1.deep_merge(v2) : v2}
   end
 
   def deep_merge!(second)
-    self.merge!(second){|key,v1,v2|Hash===v1&&Hash===v2 ? v1.deep_merge!(v2) : v2}
+    merge!(second){|_key,v1,v2|Hash===v1&&Hash===v2 ? v1.deep_merge!(v2) : v2}
   end
 end
 
 unless Hash.method_defined?(:symbolize_keys)
   class Hash
     def symbolize_keys
-      return self.inject({}){|memo,(k,v)| memo[k.to_sym] = v; memo}
+      return each_with_object({}){|(k,v),memo| memo[k.to_sym] = v; }
     end
   end
 end

data/lib/aspera/id_generator.rb

@@ -1,22 +1,23 @@
+# frozen_string_literal: true
 require 'uri'
 
 module Aspera
   class IdGenerator
     ID_SEPARATOR='_'
-    WINDOWS_PROTECTED_CHAR=%r{[/:"<>\\\*\?]}
+    WINDOWS_PROTECTED_CHAR=%r{[/:"<>\\*?]}
     PROTECTED_CHAR_REPLACE='_'
     private_constant :ID_SEPARATOR,:PROTECTED_CHAR_REPLACE,:WINDOWS_PROTECTED_CHAR
     def self.from_list(object_id)
       if object_id.is_a?(Array)
-        object_id=object_id.select{|i|!i.nil?}.map do |i|
-          (i.is_a?(String) and i.start_with?('https://')) ? URI.parse(i).host : i.to_s
+        object_id=object_id.reject(&:nil?).map do |i|
+          i.is_a?(String) && i.start_with?('https://') ? URI.parse(i).host : i.to_s
         end.join(ID_SEPARATOR)
       end
-      raise "id must be a String" unless object_id.is_a?(String)
+      raise 'id must be a String' unless object_id.is_a?(String)
       return object_id.
-      gsub(WINDOWS_PROTECTED_CHAR,PROTECTED_CHAR_REPLACE). # remove windows forbidden chars
-      gsub('.',PROTECTED_CHAR_REPLACE).  # keep dot for extension only (nicer)
-      downcase
+        gsub(WINDOWS_PROTECTED_CHAR,PROTECTED_CHAR_REPLACE). # remove windows forbidden chars
+        gsub('.',PROTECTED_CHAR_REPLACE).  # keep dot for extension only (nicer)
+        downcase
     end
   end
 end

data/lib/aspera/keychain/encrypted_hash.rb

@@ -0,0 +1,121 @@
+# frozen_string_literal: true
+require 'openssl'
+
+module Aspera
+  module Keychain
+    class SimpleCipher
+      def initialize(key)
+        @key=Digest::SHA1.hexdigest(key)[0..23]
+        @cipher = OpenSSL::Cipher.new('DES-EDE3-CBC')
+      end
+
+      def encrypt(value)
+        @cipher.encrypt
+        @cipher.key = @key
+        s = @cipher.update(value) + @cipher.final
+        s.unpack1('H*')
+      end
+
+      def decrypt(value)
+        @cipher.decrypt
+        @cipher.key = @key
+        s = [value].pack('H*').unpack('C*').pack('c*')
+        @cipher.update(s) + @cipher.final
+      end
+    end
+
+    # Manage secrets in a simple Hash
+    class EncryptedHash
+      SEPARATOR='%'
+      private_constant :SEPARATOR
+      def initialize(values)
+        raise 'values shall be Hash' unless values.is_a?(Hash)
+        @all_secrets=values
+      end
+
+      def set(options)
+        raise 'options shall be Hash' unless options.is_a?(Hash)
+        unsupported=options.keys-[:username,:url,:secret,:description]
+        raise "unsupported options: #{unsupported}" unless unsupported.empty?
+        username=options[:username]
+        raise 'options shall have username' if username.nil?
+        url=options[:url]
+        raise 'options shall have username' if url.nil?
+        secret=options[:secret]
+        raise 'options shall have secret' if secret.nil?
+        key=[url,username].join(SEPARATOR)
+        raise "secret #{key} already exist, delete first" if @all_secrets.has_key?(key)
+        obj={username: username, url: url, secret: SimpleCipher.new(key).encrypt(secret)}
+        obj[:description]=options[:description] if options.has_key?(:description)
+        @all_secrets[key]=obj
+        nil
+      end
+
+      def list
+        result=[]
+        @all_secrets.each do |k,v|
+          case v
+          when String
+            o={username: k, url: '', description: ''}
+          when Hash
+            o=v.clone
+            o.delete(:secret)
+            o[:description]||=''
+          else raise 'error'
+          end
+          o[:description]=v[:description] if v.is_a?(Hash) && v[:description].is_a?(String)
+          result.push(o)
+        end
+        return result
+      end
+
+      def delete(options)
+        raise 'options shall be Hash' unless options.is_a?(Hash)
+        unsupported=options.keys-[:username,:url]
+        raise "unsupported options: #{unsupported}" unless unsupported.empty?
+        username=options[:username]
+        raise 'options shall have username' if username.nil?
+        url=options[:url]
+        key=nil
+        if !url.nil?
+          extk=[url,username].join(SEPARATOR)
+          key=extk if @all_secrets.has_key?(extk)
+        end
+        # backward compatibility: TODO: remove in future ? (make url mandatory ?)
+        key=username if key.nil? && @all_secrets.has_key?(username)
+        raise 'no such secret' if key.nil?
+        @all_secrets.delete(key)
+      end
+
+      def get(options)
+        raise 'options shall be Hash' unless options.is_a?(Hash)
+        unsupported=options.keys-[:username,:url]
+        raise "unsupported options: #{unsupported}" unless unsupported.empty?
+        username=options[:username]
+        raise 'options shall have username' if username.nil?
+        url=options[:url]
+        val=nil
+        if !url.nil?
+          val=@all_secrets[[url,username].join(SEPARATOR)]
+        end
+        # backward compatibility: TODO: remove in future ? (make url mandatory ?)
+        if val.nil?
+          val=@all_secrets[username]
+        end
+        result=options.clone
+        case val
+        when NilClass
+          raise 'no such secret'
+        when String
+          result.merge!({secret: val, description: ''})
+        when Hash
+          key=[url,username].join(SEPARATOR)
+          plain=SimpleCipher.new(key).decrypt(val[:secret])
+          result.merge!({secret: plain, description: val[:description]})
+        else raise 'error'
+        end
+        return result
+      end
+    end
+  end
+end

data/lib/aspera/keychain/macos_security.rb

@@ -0,0 +1,90 @@
+# frozen_string_literal: true
+require 'security'
+
+# enhance the gem to support other keychains
+module Security
+  class Keychain
+    class << self
+      def by_name(name)
+        keychains_from_output('security list-keychains').select{|kc|kc.filename.end_with?("/#{name}.keychain-db")}.first
+      end
+    end
+  end
+
+  class Password
+    class << self
+      # add some login to original method
+      alias orig_flags_for_options flags_for_options
+      def flags_for_options(options = {})
+        keychain=options.delete(:keychain)
+        url=options.delete(:url)
+        if !url.nil?
+          uri=URI.parse(url)
+          raise 'only https' unless uri.scheme.eql?('https')
+          options[:r]='htps'
+          raise 'host required in URL' if uri.host.nil?
+          options[:s]=uri.host
+          options[:p]=uri.path unless ['','/'].include?(uri.path)
+          options[:P]=uri.port unless uri.port.eql?(443) && !url.include?(':443/')
+        end
+        flags=[orig_flags_for_options(options)]
+        flags.push(keychain.filename) unless keychain.nil?
+        flags.join(' ')
+      end
+    end
+  end
+end
+
+module Aspera
+  module Keychain
+    # keychain based on macOS keychain, using `security` cmmand line
+    class MacosSecurity
+      def initialize(name=nil)
+        @keychain=name.nil? ? Security::Keychain.default_keychain : Security::Keychain.by_name(name)
+        raise "no such keychain #{name}" if @keychain.nil?
+      end
+
+      def set(options)
+        raise 'options shall be Hash' unless options.is_a?(Hash)
+        unsupported=options.keys-[:username,:url,:secret,:description]
+        raise "unsupported options: #{unsupported}" unless unsupported.empty?
+        username=options[:username]
+        raise 'options shall have username' if username.nil?
+        url=options[:url]
+        raise 'options shall have url' if url.nil?
+        secret=options[:secret]
+        raise 'options shall have secret' if secret.nil?
+        raise 'set not implemented'
+      end
+
+      def get(options)
+        raise 'options shall be Hash' unless options.is_a?(Hash)
+        unsupported=options.keys-[:username,:url]
+        raise "unsupported options: #{unsupported}" unless unsupported.empty?
+        username=options[:username]
+        raise 'options shall have username' if username.nil?
+        url=options[:url]
+        raise 'options shall have url' if url.nil?
+        info=Security::InternetPassword.find(keychain: @keychain, url: url, account: username)
+        raise 'not found' if info.nil?
+        result=options.clone
+        result.merge!({secret: info.password, description: info.attributes['icmt']})
+        return result
+      end
+
+      def list
+        raise 'list not implemented'
+      end
+
+      def delete(options)
+        raise 'options shall be Hash' unless options.is_a?(Hash)
+        unsupported=options.keys-[:username,:url]
+        raise "unsupported options: #{unsupported}" unless unsupported.empty?
+        username=options[:username]
+        raise 'options shall have username' if username.nil?
+        url=options[:url]
+        raise "delete not implemented #{url}"
+      end
+    end
+  end
+end