aspera-cli 4.9.0 → 4.11.0

data/lib/aspera/fasp/resume_policy.rb

@@ -20,13 +20,13 @@ module Aspera
         @parameters = DEFAULTS.dup
         if !params.nil?
           raise "expecting Hash (or nil), but have #{params.class}" unless params.is_a?(Hash)
-          params.each do |k,v|
-            raise "unknown resume parameter: #{k}, expect one of #{DEFAULTS.keys.map(&:to_s).join(',')}" unless DEFAULTS.has_key?(k)
+          params.each do |k, v|
+            raise "unknown resume parameter: #{k}, expect one of #{DEFAULTS.keys.map(&:to_s).join(',')}" unless DEFAULTS.key?(k)
             raise "#{k} must be Integer" unless v.is_a?(Integer)
             @parameters[k] = v
           end
         end
-        Log.log.debug("resume params=#{@parameters}")
+        Log.log.debug{"resume params=#{@parameters}"}
       end
 
       # calls block a number of times (resumes) until success or limit reached
@@ -36,20 +36,20 @@ module Aspera
         # maximum of retry
         remaining_resumes = @parameters[:iter_max]
         sleep_seconds = @parameters[:sleep_initial]
-        Log.log.debug("retries=#{remaining_resumes}")
+        Log.log.debug{"retries=#{remaining_resumes}"}
         # try to send the file until ascp is succesful
         loop do
-          Log.log.debug('transfer starting');
+          Log.log.debug('transfer starting')
           begin
             # call provided block
             yield
             break
           rescue Fasp::Error => e
-            Log.log.warn("An error occured: #{e.message}");
+            Log.log.warn{"An error occurred: #{e.message}"}
             # failure in ascp
             if e.retryable?
               # exit if we exceed the max number of retry
-              raise Fasp::Error,'Maximum number of retry reached' if remaining_resumes <= 0
+              raise Fasp::Error, 'Maximum number of retry reached' if remaining_resumes <= 0
             else
               # give one chance only to non retryable errors
               unless remaining_resumes.eql?(@parameters[:iter_max])
@@ -61,7 +61,7 @@ module Aspera
 
           # take this retry in account
           remaining_resumes -= 1
-          Log.log.warn("resuming in  #{sleep_seconds} seconds (retry left:#{remaining_resumes})");
+          Log.log.warn{"resuming in  #{sleep_seconds} seconds (retry left:#{remaining_resumes})"}
 
           # wait a bit before retrying, maybe network condition will be better
           sleep(sleep_seconds)

data/lib/aspera/fasp/transfer_spec.rb

@@ -16,10 +16,43 @@ module Aspera
         'fasp_port'   => UDP_PORT
       }.freeze
       # define constants for enums of parameters: <paramater>_<enum>, e.g. CIPHER_AES_128
-      Aspera::Fasp::Parameters.description.each do |k,v|
+      Aspera::Fasp::Parameters.description.each do |k, v|
         next unless v[:enum].is_a?(Array)
         v[:enum].each do |enum|
-          TransferSpec.const_set("#{k.to_s.upcase}_#{enum.upcase.gsub(/[^A-Z0-9]/,'_')}", enum.freeze)
+          TransferSpec.const_set("#{k.to_s.upcase}_#{enum.upcase.gsub(/[^A-Z0-9]/, '_')}", enum.freeze)
+        end
+      end
+      class << self
+        def ascp_opts_to_ts(tspec, opts)
+          return if opts.nil?
+          raise 'ascp options must be an Array' unless opts.is_a?(Array)
+          raise 'transfer spec must be a Hash' unless tspec.is_a?(Hash)
+          raise 'ascp options must be an Array or Strings' if opts.any?{|o|!o.is_a?(String)}
+          tspec['EX_ascp_args'] ||= []
+          raise 'EX_ascp_args must be an Array' unless tspec['EX_ascp_args'].is_a?(Array)
+          # TODO: translate command line args into transfer spec
+          # non translatable args are left in special ts parameter
+          tspec['EX_ascp_args'] = tspec['EX_ascp_args'].concat(opts)
+          return tspec
+        end
+
+        def action_to_direction(tspec, command)
+          raise 'transfer spec must be a Hash' unless tspec.is_a?(Hash)
+          tspec['direction'] = case command.to_sym
+          when :upload then DIRECTION_SEND
+          when :download then DIRECTION_RECEIVE
+          else raise 'Error: upload or download only'
+          end
+          return tspec
+        end
+
+        def action(tspec)
+          raise 'transfer spec must be a Hash' unless tspec.is_a?(Hash)
+          return case tspec['direction']
+                 when DIRECTION_SEND then :upload
+                 when DIRECTION_RECEIVE then :download
+                 else raise 'Error: upload or download only'
+                 end
         end
       end
     end

data/lib/aspera/fasp/uri.rb

@@ -5,10 +5,10 @@ require 'aspera/command_line_builder'
 
 module Aspera
   module Fasp
-    # translates a "faspe:" URI (used in Faspex) into transfer spec hash
+    # translates a "faspe:" URI (used in Faspex 4) into transfer spec hash
     class Uri
       def initialize(fasplink)
-        @fasp_uri = URI.parse(fasplink.gsub(' ','%20'))
+        @fasp_uri = URI.parse(fasplink.gsub(' ', '%20'))
         # TODO: check scheme is faspe
       end
 
@@ -34,16 +34,16 @@ module Aspera
           when 'minrate' then result_ts['min_rate_kbps'] = value.to_i
           when 'port' then result_ts['fasp_port'] = value.to_i
           when 'bwcap' then result_ts['target_rate_cap_kbps'] = value.to_i
-          when 'enc' then result_ts['cipher'] = value.gsub(/^aes/,'aes-').gsub(/cfb$/,'-cfb').gsub(/gcm$/,'-gcm').gsub(/--/,'-')
+          when 'enc' then result_ts['cipher'] = value.gsub(/^aes/, 'aes-').gsub(/cfb$/, '-cfb').gsub(/gcm$/, '-gcm').gsub(/--/, '-')
           when 'tags64' then result_ts['tags'] = JSON.parse(Base64.strict_decode64(value))
           when 'createpath' then result_ts['create_dir'] = CommandLineBuilder.yes_to_true(value)
           when 'fallback' then result_ts['http_fallback'] = CommandLineBuilder.yes_to_true(value)
           when 'lockpolicy' then result_ts['lock_rate_policy'] = CommandLineBuilder.yes_to_true(value)
           when 'lockminrate' then result_ts['lock_min_rate'] = CommandLineBuilder.yes_to_true(value)
-          when 'auth' then Log.log.debug("ignoring auth #{name}=#{value}") # TODO: translate into transfer spec ? yes/no
-          when 'v' then Log.log.debug("ignoring v #{name}=#{value}") # TODO: translate into transfer spec ? 2
-          when 'protect' then Log.log.debug("ignoring protect #{name}=#{value}") # TODO: translate into transfer spec ?
-          else Log.log.warn("URI parameter ignored: #{name} = #{value}")
+          when 'auth' then Log.log.debug{"ignoring auth #{name}=#{value}"} # TODO: translate into transfer spec ? yes/no
+          when 'v' then Log.log.debug{"ignoring v #{name}=#{value}"} # TODO: translate into transfer spec ? 2
+          when 'protect' then Log.log.debug{"ignoring protect #{name}=#{value}"} # TODO: translate into transfer spec ?
+          else Log.log.warn{"URI parameter ignored: #{name} = #{value}"}
           end
         end
         return result_ts

data/lib/aspera/faspex_gw.rb

@@ -37,12 +37,13 @@ module Aspera
 
         faspex_pkg_parameters = JSON.parse(request.body)
         faspex_pkg_delivery = faspex_pkg_parameters['delivery']
-        Log.log.debug("faspex pkg create parameters=#{faspex_pkg_parameters}")
+        Log.log.debug{"faspex pkg create parameters=#{faspex_pkg_parameters}"}
 
         # get recipient ids
         files_pkg_recipients = []
         faspex_pkg_delivery['recipients'].each do |recipient_email|
-          user_lookup = @aoc_api_user.read('contacts',
+          user_lookup = @aoc_api_user.read(
+            'contacts',
             { 'current_workspace_id' => @aoc_workspace_id, 'q' => recipient_email })[:data]
           raise StandardError,
             "no such unique user: #{recipient_email} / #{user_lookup}" unless !user_lookup.nil? && user_lookup.length.eql?(1)
@@ -67,7 +68,8 @@ module Aspera
         node_info = @aoc_api_user.read("nodes/#{the_package['node_id']}")[:data]
 
         #  get transfer token (for node)
-        node_auth_bearer_token = @aoc_api_user.oauth_token(scope: AoC.node_scope(node_info['access_key'],
+        node_auth_bearer_token = @aoc_api_user.oauth_token(scope: AoC.node_scope(
+          node_info['access_key'],
           AoC::SCOPE_NODE_USER))
 
         # tell Files what to expect in package: 1 transfer (can also be done after transfer)
@@ -123,7 +125,7 @@ module Aspera
           'links'         => { 'status' => 'unused' },
           'xfer_sessions' => [faspex_transfer_spec]
         }
-        Log.log.info("faspex_package_create_result=#{faspex_package_create_result}")
+        Log.log.info{"faspex_package_create_result=#{faspex_package_create_result}"}
         response.status = 200
         response.content_type = 'application/json'
         response.body = JSON.generate(faspex_package_create_result)
@@ -160,7 +162,7 @@ module Aspera
         SSLEnable:   true,
         SSLCertName: [['CN', WEBrick::Utils.getservername]]
       }
-      Log.log.info("Server started on port #{webrick_options[:Port]}")
+      Log.log.info{"Server started on port #{webrick_options[:Port]}"}
       @server = WEBrick::HTTPServer.new(webrick_options)
       @server.mount('/aspera/faspex', FxGwServlet, a_aoc_api_user, a_workspace_id)
       @server.mount('/newuser', NewUserServlet)

data/lib/aspera/hash_ext.rb

@@ -2,11 +2,11 @@
 
 class ::Hash
   def deep_merge(second)
-    merge(second){|_key,v1,v2|Hash === v1 && Hash === v2 ? v1.deep_merge(v2) : v2}
+    merge(second){|_key, v1, v2|Hash === v1 && Hash === v2 ? v1.deep_merge(v2) : v2}
   end
 
   def deep_merge!(second)
-    merge!(second){|_key,v1,v2|Hash === v1 && Hash === v2 ? v1.deep_merge!(v2) : v2}
+    merge!(second){|_key, v1, v2|Hash === v1 && Hash === v2 ? v1.deep_merge!(v2) : v2}
   end
 end
 
@@ -14,7 +14,7 @@ end
 unless Hash.method_defined?(:transform_keys)
   class Hash
     def transform_keys
-      return each_with_object({}){|(k,v),memo|memo[yield(k)]=v} if block_given?
+      return each_with_object({}){|(k, v), memo|memo[yield(k)] = v} if block_given?
       raise 'missing block'
     end
   end

data/lib/aspera/id_generator.rb

@@ -7,7 +7,7 @@ module Aspera
     ID_SEPARATOR = '_'
     WINDOWS_PROTECTED_CHAR = %r{[/:"<>\\*?]}.freeze
     PROTECTED_CHAR_REPLACE = '_'
-    private_constant :ID_SEPARATOR,:PROTECTED_CHAR_REPLACE,:WINDOWS_PROTECTED_CHAR
+    private_constant :ID_SEPARATOR, :PROTECTED_CHAR_REPLACE, :WINDOWS_PROTECTED_CHAR
     class << self
       def from_list(object_id)
         if object_id.is_a?(Array)
@@ -16,10 +16,10 @@ module Aspera
           end.join(ID_SEPARATOR)
         end
         raise 'id must be a String' unless object_id.is_a?(String)
-        return object_id.
-            gsub(WINDOWS_PROTECTED_CHAR,PROTECTED_CHAR_REPLACE). # remove windows forbidden chars
-            gsub('.',PROTECTED_CHAR_REPLACE).  # keep dot for extension only (nicer)
-            downcase
+        return object_id
+            .gsub(WINDOWS_PROTECTED_CHAR, PROTECTED_CHAR_REPLACE) # remove windows forbidden chars
+            .gsub('.', PROTECTED_CHAR_REPLACE)  # keep dot for extension only (nicer)
+            .downcase
       end
     end
   end

data/lib/aspera/keychain/encrypted_hash.rb

@@ -1,134 +1,67 @@
 # frozen_string_literal: true
 
 require 'aspera/hash_ext'
-require 'openssl'
+require 'aspera/environment'
+require 'symmetric_encryption/core'
+require 'yaml'
 
 module Aspera
   module Keychain
-    class SimpleCipher
-      def initialize(key)
-        @key = Digest::SHA1.hexdigest(key+('*'*23))[0..23]
-        @cipher = OpenSSL::Cipher.new('DES-EDE3-CBC')
-      end
-
-      def encrypt(value)
-        @cipher.encrypt
-        @cipher.key = @key
-        s = @cipher.update(value) + @cipher.final
-        s.unpack1('H*')
-      end
-
-      def decrypt(value)
-        @cipher.decrypt
-        @cipher.key = @key
-        s = [value].pack('H*').unpack('C*').pack('c*')
-        @cipher.update(s) + @cipher.final
-      end
-    end
-
     # Manage secrets in a simple Hash
     class EncryptedHash
-      SEPARATOR = '%'
-      ACCEPTED_KEYS = %i[username url secret description].freeze
-      private_constant :SEPARATOR
-      attr_reader :legacy_detected
-      def initialize(values)
-        raise 'values shall be Hash' unless values.is_a?(Hash)
-        @all_secrets = values
+      CIPHER_NAME = 'aes-256-cbc'
+      CONTENT_KEYS = %i[label username password url description].freeze
+      def initialize(path, current_password)
+        @path = path
+        self.password = current_password
+        raise 'path to vault file shall be String' unless @path.is_a?(String)
+        @all_secrets = File.exist?(@path) ? YAML.load_stream(@cipher.decrypt(File.read(@path))).first : {}
+      end
+
+      def password=(new_password)
+        # number of bits in second position
+        key_bytes = CIPHER_NAME.split('-')[1].to_i / Environment::BITS_PER_BYTE
+        # derive key from passphrase, add trailing zeros
+        key = "#{new_password}#{"\x0" * key_bytes}"[0..(key_bytes - 1)]
+        Log.log.debug{"key=[#{key}],#{key.length}"}
+        SymmetricEncryption.cipher = @cipher = SymmetricEncryption::Cipher.new(cipher_name: CIPHER_NAME, key: key, encoding: :none)
       end
 
-      def identifier(options)
-        return options[:username] if options[:url].to_s.empty?
-        %i[url username].map{|s|options[s]}.join(SEPARATOR)
+      def save
+        File.write(@path, @cipher.encrypt(YAML.dump(@all_secrets)), encoding: 'BINARY')
       end
 
       def set(options)
         raise 'options shall be Hash' unless options.is_a?(Hash)
-        unsupported = options.keys - ACCEPTED_KEYS
+        unsupported = options.keys - CONTENT_KEYS
+        options.each_value {|v| raise 'value must be String' unless v.is_a?(String)}
         raise "unsupported options: #{unsupported}" unless unsupported.empty?
-        username = options[:username]
-        raise 'options shall have username' if username.nil?
-        url = options[:url]
-        raise 'options shall have username' if url.nil?
-        secret = options[:secret]
-        raise 'options shall have secret' if secret.nil?
-        key = identifier(options)
-        raise "secret #{key} already exist, delete first" if @all_secrets.has_key?(key)
-        obj = {username: username, url: url, secret: SimpleCipher.new(key).encrypt(secret)}
-        obj[:description] = options[:description] if options.has_key?(:description)
-        @all_secrets[key] = obj.stringify_keys
-        nil
+        label = options.delete(:label)
+        raise "secret #{label} already exist, delete first" if @all_secrets.key?(label)
+        @all_secrets[label] = options.symbolize_keys
+        save
       end
 
       def list
         result = []
-        legacy_detected=false
-        @all_secrets.each do |name,value|
-          normal = # normalized version
-            case value
-            when String
-              legacy_detected=true
-              {username: name, url: '', secret: value}
-            when Hash then value.symbolize_keys
-            else raise 'error secret must be String (legacy) or Hash (new)'
-            end
-          normal[:description] = '' unless normal.has_key?(:description)
-          extraneous_keys=normal.keys - ACCEPTED_KEYS
-          Log.log.error("wrongs keys in secret hash: #{extraneous_keys.map(&:to_s).join(',')}") unless extraneous_keys.empty?
+        @all_secrets.each do |label, values|
+          normal = values.symbolize_keys
+          normal[:label] = label
+          CONTENT_KEYS.each{|k|normal[k] = '' unless normal.key?(k)}
           result.push(normal)
         end
-        Log.log.warn('Legacy vault format detected in config file, please refer to documentation to convert to new format.') if legacy_detected
         return result
       end
 
-      def delete(options)
-        raise 'options shall be Hash' unless options.is_a?(Hash)
-        unsupported = options.keys - %i[username url]
-        raise "unsupported options: #{unsupported}" unless unsupported.empty?
-        username = options[:username]
-        raise 'options shall have username' if username.nil?
-        url = options[:url]
-        key = nil
-        if !url.nil?
-          extk = identifier(options)
-          key = extk if @all_secrets.has_key?(extk)
-        end
-        # backward compatibility: TODO: remove in future ? (make url mandatory ?)
-        key = username if key.nil? && @all_secrets.has_key?(username)
-        raise 'no such secret' if key.nil?
-        @all_secrets.delete(key)
+      def delete(label:)
+        @all_secrets.delete(label)
+        save
       end
 
-      def get(options)
-        raise 'options shall be Hash' unless options.is_a?(Hash)
-        unsupported = options.keys - %i[username url]
-        raise "unsupported options: #{unsupported}" unless unsupported.empty?
-        username = options[:username]
-        raise 'options shall have username' if username.nil?
-        url = options[:url]
-        info = nil
-        if !url.nil?
-          info = @all_secrets[identifier(options)]
-        end
-        # backward compatibility: TODO: remove in future ? (make url mandatory ?)
-        if info.nil?
-          info = @all_secrets[username]
-        end
-        result = options.clone
-        case info
-        when NilClass
-          raise "no such secret: [#{url}|#{username}] in #{@all_secrets.keys.join(',')}"
-        when String
-          result[:secret] = info
-          result[:description] = ''
-        when Hash
-          info=info.symbolize_keys
-          key = identifier(options)
-          plain = SimpleCipher.new(key).decrypt(info[:secret]) rescue info[:secret]
-          result[:secret] = plain
-          result[:description] = info[:description]
-        else raise "#{info.class} is not an expected type"
-        end
+      def get(label:, exception: true)
+        raise "Label not found: #{label}" unless @all_secrets.key?(label) || !exception
+        result = @all_secrets[label].clone
+        result[:label] = label if result.is_a?(Hash)
         return result
       end
     end

data/lib/aspera/keychain/macos_security.rb

@@ -1,91 +1,162 @@
 # frozen_string_literal: true
 
-require 'security'
+# https://github.com/fastlane-community/security
+require 'aspera/cli/info'
 
 # enhance the gem to support other keychains
-module Security
-  class Keychain
-    class << self
-      def by_name(name)
-        keychains_from_output('security list-keychains').find{|kc|kc.filename.end_with?("/#{name}.keychain-db")}
-      end
-    end
-  end
+module Aspera
+  module Keychain
+    module MacosSecurity
+      # keychain based on macOS keychain, using `security` cmmand line
+      class Keychain
+        DOMAINS = %i[user system common dynamic].freeze
+        LIST_OPTIONS = {
+          domain: :c
+        }
+        ADD_PASS_OPTIONS = {
+          account:  :a,
+          creator:  :c,
+          type:     :C,
+          domain:   :d,
+          kind:     :D,
+          value:    :G,
+          comment:  :j,
+          label:    :l,
+          path:     :p,
+          port:     :P,
+          protocol: :r,
+          server:   :s,
+          service:  :s,
+          auth:     :t,
+          password: :w,
+          getpass:  :g
+        }.freeze
+        class << self
+          def execute(command, options=nil, supported=nil, lastopt=nil)
+            url = options&.delete(:url)
+            if !url.nil?
+              uri = URI.parse(url)
+              raise 'only https' unless uri.scheme.eql?('https')
+              options[:protocol] = 'htps'
+              raise 'host required in URL' if uri.host.nil?
+              options[:server] = uri.host
+              options[:path] = uri.path unless ['', '/'].include?(uri.path)
+              options[:port] = uri.port unless uri.port.eql?(443) && !url.include?(':443/')
+            end
+            cmd = ['security', command]
+            options&.each do |k, v|
+              raise "unknown option: #{k}" unless supported.key?(k)
+              next if v.nil?
+              cmd.push("-#{supported[k]}")
+              cmd.push(v.shellescape) unless v.empty?
+            end
+            cmd.push(lastopt) unless lastopt.nil?
+            Log.log.debug{"executing>>#{cmd.join(' ')}"}
+            result = %x(#{cmd.join(' ')} 2>&1)
+            Log.log.debug{"result>>[#{result}]"}
+            return result
+          end
 
-  class Password
-    class << self
-      # add some login to original method
-      alias_method :orig_flags_for_options, :flags_for_options
-      def flags_for_options(options = {})
-        keychain = options.delete(:keychain)
-        url = options.delete(:url)
-        if !url.nil?
-          uri = URI.parse(url)
-          raise 'only https' unless uri.scheme.eql?('https')
-          options[:r] = 'htps'
-          raise 'host required in URL' if uri.host.nil?
-          options[:s] = uri.host
-          options[:p] = uri.path unless ['','/'].include?(uri.path)
-          options[:P] = uri.port unless uri.port.eql?(443) && !url.include?(':443/')
+          def keychains(output)
+            output.split("\n").collect { |line| new(line.strip.gsub(/^"|"$/, '')) }
+          end
+
+          def default
+            keychains(execute('default-keychain')).first
+          end
+
+          def login
+            keychains(execute('login-keychain')).first
+          end
+
+          def list(options={})
+            raise ArgumentError, "Invalid domain #{options[:domain]}, expected one of: #{DOMAINS}" unless options[:domain].nil? || DOMAINS.include?(options[:domain])
+            keychains(execute('list-keychains', options, LIST_OPTIONS))
+          end
+
+          def by_name(name)
+            list.find{|kc|kc.path.end_with?("/#{name}.keychain-db")}
+          end
+        end
+        attr_reader :path
+
+        def initialize(path)
+          @path = path
+        end
+
+        def decode_hex_blob(string)
+          [string].pack('H*').force_encoding('UTF-8')
+        end
+
+        def password(operation, passtype, options)
+          raise "wrong operation: #{operation}" unless %i[add find delete].include?(operation)
+          raise "wrong passtype: #{passtype}" unless %i[generic internet].include?(passtype)
+          raise 'options shall be Hash' unless options.is_a?(Hash)
+          missing = (operation.eql?(:add) ? %i[account service password] : %i[label]) - options.keys
+          raise "missing options: #{missing}" unless missing.empty?
+          options[:getpass] = '' if operation.eql?(:find)
+          output = self.class.execute("#{operation}-#{passtype}-password", options, ADD_PASS_OPTIONS, @path)
+          raise output.gsub(/^.*: /, '') if output.start_with?('security: ')
+          return nil unless operation.eql?(:find)
+          attributes = {}
+          output.split("\n").each do |line|
+            case line
+            when /^keychain: "(.+)"/
+              # ignore
+            when /0x00000007 .+="(.+)"/
+              attributes['label'] = Regexp.last_match(1)
+            when /"(\w{4})".+="(.+)"/
+              attributes[Regexp.last_match(1)] = Regexp.last_match(2)
+            when /"(\w{4})"<blob>=0x([[:xdigit:]]+)/
+              attributes[Regexp.last_match(1)] = decode_hex_blob(Regexp.last_match(2))
+            when /^password: "(.+)"/
+              attributes['password'] = Regexp.last_match(1)
+            when /^password: 0x([[:xdigit:]]+)/
+              attributes['password'] = decode_hex_blob(Regexp.last_match(1))
+            end
+          end
+          return attributes
         end
-        flags = [orig_flags_for_options(options)]
-        flags.push(keychain.filename) unless keychain.nil?
-        flags.join(' ')
       end
     end
-  end
-end
 
-module Aspera
-  module Keychain
-    # keychain based on macOS keychain, using `security` cmmand line
-    class MacosSecurity
-      def initialize(name=nil)
-        @keychain = name.nil? ? Security::Keychain.default_keychain : Security::Keychain.by_name(name)
+    class MacosSystem
+      def initialize(name=nil, _password=nil)
+        @keychain = name.nil? ? MacosSecurity::Keychain.default_keychain : MacosSecurity::Keychain.by_name(name)
         raise "no such keychain #{name}" if @keychain.nil?
       end
 
       def set(options)
         raise 'options shall be Hash' unless options.is_a?(Hash)
-        unsupported = options.keys - %i[username url secret description]
+        unsupported = options.keys - %i[label username password url description]
         raise "unsupported options: #{unsupported}" unless unsupported.empty?
-        username = options[:username]
-        raise 'options shall have username' if username.nil?
-        url = options[:url]
-        raise 'options shall have url' if url.nil?
-        secret = options[:secret]
-        raise 'options shall have secret' if secret.nil?
-        raise 'set not implemented'
+        @keychain.password(
+          :add, :generic, service: options[:label],
+          account: options[:username] || 'none', password: options[:password], comment: options[:description])
       end
 
       def get(options)
         raise 'options shall be Hash' unless options.is_a?(Hash)
-        unsupported = options.keys - %i[username url]
+        unsupported = options.keys - %i[label]
         raise "unsupported options: #{unsupported}" unless unsupported.empty?
-        username = options[:username]
-        raise 'options shall have username' if username.nil?
-        url = options[:url]
-        raise 'options shall have url' if url.nil?
-        info = Security::InternetPassword.find(keychain: @keychain, url: url, account: username)
+        info = @keychain.password(:find, :generic, label: options[:label])
         raise 'not found' if info.nil?
         result = options.clone
-        result[:secret] = info.password
-        result[:description] = info.attributes['icmt']
+        result[:secret] = info['password']
+        result[:description] = info['icmt']
         return result
       end
 
       def list
-        raise 'list not implemented'
+        # the only way to list is `dump-keychain` which triggers security alert
+        raise 'list not implemented, use macos keychain app'
       end
 
       def delete(options)
         raise 'options shall be Hash' unless options.is_a?(Hash)
-        unsupported = options.keys - %i[username url]
+        unsupported = options.keys - %i[label]
         raise "unsupported options: #{unsupported}" unless unsupported.empty?
-        username = options[:username]
-        raise 'options shall have username' if username.nil?
-        url = options[:url]
-        raise "delete not implemented #{url}"
+        raise 'delete not implemented, use macos keychain app'
       end
     end
   end

data/lib/aspera/log.rb

@@ -14,25 +14,25 @@ module Aspera
     # class methods
     class << self
       # levels are :debug,:info,:warn,:error,fatal,:unknown
-      def levels; Logger::Severity.constants.sort{|a,b|Logger::Severity.const_get(a) <=> Logger::Severity.const_get(b)}.map{|c|c.downcase.to_sym};end
+      def levels; Logger::Severity.constants.sort{|a, b|Logger::Severity.const_get(a) <=> Logger::Severity.const_get(b)}.map{|c|c.downcase.to_sym}; end
 
       # where logs are sent to
-      def logtypes; %i[stderr stdout syslog];end
+      def logtypes; %i[stderr stdout syslog]; end
 
       # get the logger object of singleton
-      def log; instance.logger;end
+      def log; instance.logger; end
 
       # dump object in debug mode
       # @param name string or symbol
       # @param format either pp or json format
-      def dump(name,object,format=:json)
+      def dump(name, object, format=:json)
         log.debug do
           result =
             case format
             when :json
-              JSON.pretty_generate(object) rescue PP.pp(object,+'')
+              JSON.pretty_generate(object) rescue PP.pp(object, +'')
             when :ruby
-              PP.pp(object,+'')
+              PP.pp(object, +'')
             else
               raise 'wrong parameter, expect pp or json'
             end
@@ -70,7 +70,7 @@ module Aspera
     # change underlying logger, but keep log level
     def logger_type=(new_logtype)
       current_severity_integer = @logger.level unless @logger.nil?
-      current_severity_integer = ENV['AS_LOG_LEVEL'] if current_severity_integer.nil? && ENV.has_key?('AS_LOG_LEVEL')
+      current_severity_integer = ENV['AS_LOG_LEVEL'] if current_severity_integer.nil? && ENV.key?('AS_LOG_LEVEL')
       current_severity_integer = Logger::Severity::WARN if current_severity_integer.nil?
       case new_logtype
       when :stderr