aspera-cli 4.9.0 → 4.10.0

data/lib/aspera/keychain/macos_security.rb

@@ -1,91 +1,161 @@
 # frozen_string_literal: true
 
-require 'security'
+# https://github.com/fastlane-community/security
+require 'aspera/cli/info'
 
 # enhance the gem to support other keychains
-module Security
-  class Keychain
-    class << self
-      def by_name(name)
-        keychains_from_output('security list-keychains').find{|kc|kc.filename.end_with?("/#{name}.keychain-db")}
-      end
-    end
-  end
+module Aspera
+  module Keychain
+    module MacosSecurity
+      # keychain based on macOS keychain, using `security` cmmand line
+      class Keychain
+        DOMAINS = %i[user system common dynamic].freeze
+        LIST_OPTIONS={
+          domain: :c
+        }
+        ADD_PASS_OPTIONS={
+          account:  :a,
+          creator:  :c,
+          type:     :C,
+          domain:   :d,
+          kind:     :D,
+          value:    :G,
+          comment:  :j,
+          label:    :l,
+          path:     :p,
+          port:     :P,
+          protocol: :r,
+          server:   :s,
+          service:  :s,
+          auth:     :t,
+          password: :w,
+          getpass:  :g
+        }.freeze
+        class << self
+          def execute(command,options=nil,supported=nil,lastopt=nil)
+            url = options&.delete(:url)
+            if !url.nil?
+              uri = URI.parse(url)
+              raise 'only https' unless uri.scheme.eql?('https')
+              options[:protocol] = 'htps'
+              raise 'host required in URL' if uri.host.nil?
+              options[:server] = uri.host
+              options[:path] = uri.path unless ['','/'].include?(uri.path)
+              options[:port] = uri.port unless uri.port.eql?(443) && !url.include?(':443/')
+            end
+            cmd=['security',command]
+            options&.each do |k,v|
+              raise "unknown option: #{k}" unless supported.has_key?(k)
+              next if v.nil?
+              cmd.push("-#{supported[k]}")
+              cmd.push(v.shellescape) unless v.empty?
+            end
+            cmd.push(lastopt) unless lastopt.nil?
+            Log.log.debug("executing>>#{cmd.join(' ')}")
+            result=%x(#{cmd.join(' ')} 2>&1)
+            Log.log.debug("result>>[#{result}]")
+            return result
+          end
 
-  class Password
-    class << self
-      # add some login to original method
-      alias_method :orig_flags_for_options, :flags_for_options
-      def flags_for_options(options = {})
-        keychain = options.delete(:keychain)
-        url = options.delete(:url)
-        if !url.nil?
-          uri = URI.parse(url)
-          raise 'only https' unless uri.scheme.eql?('https')
-          options[:r] = 'htps'
-          raise 'host required in URL' if uri.host.nil?
-          options[:s] = uri.host
-          options[:p] = uri.path unless ['','/'].include?(uri.path)
-          options[:P] = uri.port unless uri.port.eql?(443) && !url.include?(':443/')
+          def keychains(output)
+            output.split("\n").collect { |line| new(line.strip.gsub(/^"|"$/, '')) }
+          end
+
+          def default
+            keychains(execute('default-keychain')).first
+          end
+
+          def login
+            keychains(execute('login-keychain')).first
+          end
+
+          def list(options={})
+            raise ArgumentError,"Invalid domain #{options[:domain]}, expected one of: #{DOMAINS}" unless options[:domain].nil? || DOMAINS.include?(options[:domain])
+            keychains(execute('list-keychains',options,LIST_OPTIONS))
+          end
+
+          def by_name(name)
+            list.find{|kc|kc.path.end_with?("/#{name}.keychain-db")}
+          end
+        end
+        attr_reader :path
+
+        def initialize(path)
+          @path = path
+        end
+
+        def decode_hex_blob(string)
+          [string].pack('H*').force_encoding('UTF-8')
+        end
+
+        def password(operation,passtype,options)
+          raise "wrong operation: #{operation}" unless %i[add find delete].include?(operation)
+          raise "wrong passtype: #{passtype}" unless %i[generic internet].include?(passtype)
+          raise 'options shall be Hash' unless options.is_a?(Hash)
+          missing=(operation.eql?(:add) ? %i[account service password] : %i[label])-options.keys
+          raise "missing options: #{missing}" unless missing.empty?
+          options[:getpass]='' if operation.eql?(:find)
+          output=self.class.execute("#{operation}-#{passtype}-password",options,ADD_PASS_OPTIONS,@path)
+          raise output.gsub(/^.*: /,'') if output.start_with?('security: ')
+          return nil unless operation.eql?(:find)
+          attributes = {}
+          output.split("\n").each do |line|
+            case line
+            when /^keychain: "(.+)"/
+              # ignore
+            when /0x00000007 .+="(.+)"/
+              attributes['label'] = Regexp.last_match(1)
+            when /"(\w{4})".+="(.+)"/
+              attributes[Regexp.last_match(1)] = Regexp.last_match(2)
+            when /"(\w{4})"<blob>=0x([[:xdigit:]]+)/
+              attributes[Regexp.last_match(1)] = decode_hex_blob(Regexp.last_match(2))
+            when /^password: "(.+)"/
+              attributes['password'] = Regexp.last_match(1)
+            when /^password: 0x([[:xdigit:]]+)/
+              attributes['password'] = decode_hex_blob(Regexp.last_match(1))
+            end
+          end
+          return attributes
         end
-        flags = [orig_flags_for_options(options)]
-        flags.push(keychain.filename) unless keychain.nil?
-        flags.join(' ')
       end
     end
-  end
-end
 
-module Aspera
-  module Keychain
-    # keychain based on macOS keychain, using `security` cmmand line
-    class MacosSecurity
-      def initialize(name=nil)
-        @keychain = name.nil? ? Security::Keychain.default_keychain : Security::Keychain.by_name(name)
+    class MacosSystem
+      def initialize(name=nil,password=nil)
+        @keychain = name.nil? ? MacosSecurity::Keychain.default_keychain : MacosSecurity::Keychain.by_name(name)
         raise "no such keychain #{name}" if @keychain.nil?
       end
 
       def set(options)
         raise 'options shall be Hash' unless options.is_a?(Hash)
-        unsupported = options.keys - %i[username url secret description]
+        unsupported = options.keys - %i[label username password url description]
         raise "unsupported options: #{unsupported}" unless unsupported.empty?
-        username = options[:username]
-        raise 'options shall have username' if username.nil?
-        url = options[:url]
-        raise 'options shall have url' if url.nil?
-        secret = options[:secret]
-        raise 'options shall have secret' if secret.nil?
-        raise 'set not implemented'
+        @keychain.password(:add,:generic, service: options[:label],
+          account: options[:username] || 'none', password: options[:password], comment: options[:description])
       end
 
       def get(options)
         raise 'options shall be Hash' unless options.is_a?(Hash)
-        unsupported = options.keys - %i[username url]
+        unsupported = options.keys - %i[label]
         raise "unsupported options: #{unsupported}" unless unsupported.empty?
-        username = options[:username]
-        raise 'options shall have username' if username.nil?
-        url = options[:url]
-        raise 'options shall have url' if url.nil?
-        info = Security::InternetPassword.find(keychain: @keychain, url: url, account: username)
+        info = @keychain.password(:find,:generic,label: options[:label])
         raise 'not found' if info.nil?
         result = options.clone
-        result[:secret] = info.password
-        result[:description] = info.attributes['icmt']
+        result[:secret] = info['password']
+        result[:description] = info['icmt']
         return result
       end
 
       def list
-        raise 'list not implemented'
+        # the only way to list is `dump-keychain` which triggers security alert
+        raise 'list not implemented, use macos keychain app'
       end
 
       def delete(options)
         raise 'options shall be Hash' unless options.is_a?(Hash)
-        unsupported = options.keys - %i[username url]
+        unsupported = options.keys - %i[label]
         raise "unsupported options: #{unsupported}" unless unsupported.empty?
-        username = options[:username]
-        raise 'options shall have username' if username.nil?
-        url = options[:url]
-        raise "delete not implemented #{url}"
+        raise 'delete not implemented, use macos keychain app'
       end
     end
   end

data/lib/aspera/persistency_folder.rb

@@ -2,6 +2,7 @@
 
 require 'fileutils'
 require 'aspera/log'
+require 'aspera/environment'
 
 # search: persistency_folder PersistencyFolder
 
@@ -38,7 +39,7 @@ module Aspera
       Log.log.debug("persistency saving: #{persist_filepath}")
       File.delete(persist_filepath) if File.exist?(persist_filepath)
       File.write(persist_filepath,value)
-      File.chmod(0400,persist_filepath)
+      Environment.restrict_file_access(persist_filepath)
       @cache[object_id] = value
     end
 
@@ -68,7 +69,7 @@ module Aspera
     def id_to_filepath(object_id)
       raise 'object_id: only String supported' unless object_id.is_a?(String)
       FileUtils.mkdir_p(@folder)
-      File.chmod(0700,@folder)
+      Environment.restrict_file_access(@folder)
       return File.join(@folder,"#{object_id}#{FILE_SUFFIX}")
       #.gsub(/[^a-z]+/,FILE_FIELD_SEPARATOR)
     end

data/lib/aspera/proxy_auto_config.rb

@@ -52,13 +52,15 @@ END_OF_JAVASCRIPT
 
     public
 
+    attr_writer :proxy_user,:proxy_pass
+
     # @param proxy_auto_config the proxy auto config script to be evaluated
     def initialize(proxy_auto_config)
       # user provided javascript with FindProxyForURL function
       @proxy_auto_config = proxy_auto_config
       # avoid multiple execution, this does not support load balancing
       @cache = {}
-      @pac_functions = nil
+      @proxy_user=@proxy_pass=@pac_functions = nil
     end
 
     def register_uri_generic
@@ -106,23 +108,28 @@ END_OF_JAVASCRIPT
         case parts.shift
         when 'DIRECT'
           raise 'DIRECT has no param' unless parts.empty?
+          Log.log.debug('ignoring proxy DIRECT')
         when 'PROXY'
           addr_port = parts.shift
           raise 'PROXY shall have one param' unless addr_port.is_a?(String) && parts.empty?
           begin
             # PAC proxy addresses are <host>:<port>
             if /:[0-9]+$/.match?(addr_port)
-              # we want to return URIs, so add dummy scheme
-              uri_list.push(URI.parse("proxy://#{addr_port}"))
+              uri=URI.parse("proxy://#{addr_port}")
+              # ruby v>2.6 allows
+              uri.user=@proxy_user
+              uri.password=@proxy_pass
+              uri_list.push(uri)
             else
               Log.log.warn("PAC: PROXY must be <address>:<port>, ignoring #{addr_port}")
             end
-          rescue StandardError
-            Log.log.warn("PAC: cannot parse #{addr_port}")
+          rescue StandardError => e
+            Log.log.warn("PAC: cannot parse #{addr_port} #{e}")
           end
         else Log.log.warn("PAC: ignoring proxy type #{parts.first}: not supported")
         end
       end
+      Log.log.debug("Proxies: #{uri_list}")
       return uri_list
     end
   end

data/lib/aspera/rest.rb

@@ -37,7 +37,9 @@ module Aspera
       user_agent:              'Ruby',
       download_partial_suffix: '.http_partial',
       # a lambda which takes the Net::HTTP as arg, use this to change parameters
-      session_cb:              nil
+      session_cb:              nil,
+      proxy_user:              nil,
+      proxy_pass:              nil
     }
 
     class << self
@@ -75,6 +77,21 @@ module Aspera
         end
         return uri
       end
+
+      def start_http_session(base_url)
+        uri = build_uri(base_url)
+        # this honors http_proxy env var
+        http_session = Net::HTTP.new(uri.host, uri.port)
+        http_session.proxy_user=proxy_user
+        http_session.proxy_pass=proxy_pass
+        http_session.use_ssl = uri.scheme.eql?('https')
+        http_session.set_debug_output($stdout) if debug
+        # set http options in callback, such as timeout and cert. verification
+        session_cb&.call(http_session)
+        # manually start session for keep alive (if supported by server, else, session is closed every time)
+        http_session.start
+        return http_session
+      end
     end
 
     private
@@ -82,15 +99,7 @@ module Aspera
     # create and start keep alive connection on demand
     def http_session
       if @http_session.nil?
-        uri = self.class.build_uri(@params[:base_url])
-        # this honors http_proxy env var
-        @http_session = Net::HTTP.new(uri.host, uri.port)
-        @http_session.use_ssl = uri.scheme.eql?('https')
-        @http_session.set_debug_output($stdout) if self.class.debug
-        # set http options in callback, such as timeout and cert. verification
-        self.class.session_cb&.call(@http_session)
-        # manually start session for keep alive (if supported by server, else, session is closed every time)
-        @http_session.start
+        @http_session=self.class.start_http_session(@params[:base_url])
       end
       return @http_session
     end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: aspera-cli
 version: !ruby/object:Gem::Version
-  version: 4.9.0
+  version: 4.10.0
 platform: ruby
 authors:
 - Laurent Martin
@@ -35,7 +35,7 @@ cert_chain:
   ZjkOWbUc1aLIsfaQFHWyNfisY9X2RgkFHjX0p5493wnoA7aWh52MUhc145npFh8z
   v4P9xwkT02Shkert4B4iwNvVjoAUGk+J4090svZCroAyXBjon5LV7MJ4fyw=
   -----END CERTIFICATE-----
-date: 2022-09-14 00:00:00.000000000 Z
+date: 2022-12-01 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: execjs
@@ -128,19 +128,19 @@ dependencies:
       - !ruby/object:Gem::Version
         version: '2.0'
 - !ruby/object:Gem::Dependency
-  name: security
+  name: symmetric-encryption
   requirement: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0.0'
+        version: '4.6'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: '0.0'
+        version: '4.6'
 - !ruby/object:Gem::Dependency
   name: terminal-table
   requirement: !ruby/object:Gem::Requirement
@@ -197,20 +197,6 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '1.2'
-- !ruby/object:Gem::Dependency
-  name: websocket-client-simple
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '0.3'
-  type: :runtime
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '0.3'
 - !ruby/object:Gem::Dependency
   name: xml-simple
   requirement: !ruby/object:Gem::Requirement
@@ -225,20 +211,6 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '1.0'
-- !ruby/object:Gem::Dependency
-  name: grpc
-  requirement: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '1.0'
-  type: :development
-  prerelease: false
-  version_requirements: !ruby/object:Gem::Requirement
-    requirements:
-    - - "~>"
-      - !ruby/object:Gem::Version
-        version: '1.0'
 - !ruby/object:Gem::Dependency
   name: mimemagic
   requirement: !ruby/object:Gem::Requirement