keepass_kpscript 1.0.1 → 1.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: f97c25985d64806567559377354f7bba9114e450253653fe8afcd73a6519b1c9
-  data.tar.gz: '0778819142fef3931cf994bea3aa9c2ae7bf9d3320aee2935dfc9e6736476908'
+  metadata.gz: b43e6819b71dddbef09dc6dec7c7c95e20e53445e089d65e4eed898caba86a1d
+  data.tar.gz: 5b4d42dfe11bc27592e7414818e00826f1f44b52a64d53fe0538a5aadb335764
 SHA512:
-  metadata.gz: 07a5a1e79788ce88eb33375b789d4689c72a74882806d4400f57e22033bf2951334c60df205e3baa9163eec9d5e82e1069889f29b27c250c44fc21c0ef406f82
-  data.tar.gz: c1eb2a87fbecf106d88e9155333d04d516ff3a27aac3f3a6b848b4863034c593244c811b4bf207ee2634a1358a350a82ba736da1218d644de60051ed118fcead
+  metadata.gz: 54aea07a8a029f137bb9af378d79b11f09728cd9c14c7ce94fee5568d7c6429678259d6d23480a3d81226ad06fadc6b84778c413929d1c2b1d3b44c4593b0c28
+  data.tar.gz: 88fdcd0538b7627e1cb86b3c975ec5bd89581a16be1ce9211b51d5b061253426f18b07cc08dbc4a558eba18b2f17f0fdff75fd3ec105d3d89a181a61a3df6acd

data/CHANGELOG.md

@@ -1,3 +1,9 @@
+# [v1.1.0](https://github.com/Muriel-Salvan/keepass_kpscript/compare/v1.0.1...v1.1.0) (2021-07-09 16:10:11)
+
+### Features
+
+* [[Feature] [#1] Support secret strings as input for any possible secret to protect them from logs and exceptions output](https://github.com/Muriel-Salvan/keepass_kpscript/commit/1de9d2e3d5e3445f8a5cfe987428f74145a7e4ba)
+
 # [v1.0.1](https://github.com/Muriel-Salvan/keepass_kpscript/compare/v1.0.0...v1.0.1) (2021-06-30 15:29:15)
 
 ### Patches

data/lib/keepass_kpscript/database.rb

@@ -15,9 +15,9 @@ module KeepassKpscript
     # Parameters::
     # * *kpscript* (Kpscript): The KPScript instance handling this database
     # * *database_file* (String): Database file path
-    # * *password* (String or nil): Password opening the database, or nil if none [default: nil].
-    # * *password_enc* (String or nil): Encrypted password opening the database, or nil if none [default: nil].
-    # * *key_file* (String or nil): Key file path opening the database, or nil if none [default: nil].
+    # * *password* (String, SecretString or nil): Password opening the database, or nil if none [default: nil].
+    # * *password_enc* (String, SecretString or nil): Encrypted password opening the database, or nil if none [default: nil].
+    # * *key_file* (String, SecretString or nil): Key file path opening the database, or nil if none [default: nil].
     def initialize(kpscript, database_file, password: nil, password_enc: nil, key_file: nil)
       @kpscript = kpscript
       @database_file = database_file
@@ -78,7 +78,7 @@ module KeepassKpscript
     #
     # Parameters::
     # * *select* (Select): The entries selector
-    # * *fields* (Hash<String or Symbol, String>): Set of { field name => field value } to be set [default: {}]
+    # * *fields* (Hash<String or Symbol, String or SecretString>): Set of { field name => field value } to be set [default: {}]
     # * *icon_idx* (Integer or nil): Set the icon index, or nil if none [default: nil]
     # * *custom_icon_idx* (Integer or nil): Set the custom icon index, or nil if none [default: nil]
     # * *expires* (Boolean or nil): Edit the expires flag, or nil to leave it untouched [default: nil]
@@ -96,7 +96,9 @@ module KeepassKpscript
       args = [
         '-c:EditEntry',
         select.to_s
-      ] + fields.map { |field_name, field_value| "-set-#{field_name}:\"#{field_value}\"" }
+      ] + fields.map do |field_name, field_value|
+        SecretString.new("-set-#{field_name}:\"#{field_value.to_unprotected}\"", silenced_str: "-set-#{field_name}:\"#{field_value}\"")
+      end
       args << "-setx-Icon:#{icon_idx}" if icon_idx
       args << "-setx-CustomIcon:#{custom_icon_idx}" if custom_icon_idx
       args << "-setx-Expires:#{expires ? 'true' : 'false'}" unless expires.nil?
@@ -172,9 +174,13 @@ module KeepassKpscript
       resulting_stdout = nil
       begin
         kdbx_args = ["\"#{@database_file}\""]
-        kdbx_args << SecretString.new("-pw:\"#{@password}\"", silenced_str: '-pw:"XXXXX"') if @password
-        kdbx_args << SecretString.new("-pw-enc:\"#{@password_enc}\"", silenced_str: '-pw-env:"XXXXX"') if @password_enc
-        kdbx_args << SecretString.new("-keyfile:\"#{@key_file}\"", silenced_str: '-keyfile:"XXXXX"') if @key_file
+        {
+          'pw' => @password,
+          'pw-enc' => @password_enc,
+          'keyfile' => @key_file
+        }.each do |arg, var|
+          kdbx_args << SecretString.new("-#{arg}:\"#{var.to_unprotected}\"", silenced_str: "-#{arg}:\"#{var.is_a?(SecretString) ? var.to_s : 'XXXXX'}\"") if var
+        end
         resulting_stdout = @kpscript.run(kdbx_args + args.flatten)
       ensure
         # Make sure we erase secrets

data/lib/keepass_kpscript/kpscript.rb

@@ -24,9 +24,9 @@ module KeepassKpscript
     #
     # Parameters::
     # * *database_file* (String): Path to the database file
-    # * *password* (String or nil): Password opening the database, or nil if none [default: nil].
-    # * *password_enc* (String or nil): Encrypted password opening the database, or nil if none [default: nil].
-    # * *key_file* (String or nil): Key file path opening the database, or nil if none [default: nil].
+    # * *password* (String, SecretString or nil): Password opening the database, or nil if none [default: nil].
+    # * *password_enc* (String, SecretString or nil): Encrypted password opening the database, or nil if none [default: nil].
+    # * *key_file* (String, SecretString or nil): Key file path opening the database, or nil if none [default: nil].
     # Result::
     # * Database: The database
     def open(database_file, password: nil, password_enc: nil, key_file: nil)
@@ -55,7 +55,7 @@ module KeepassKpscript
       begin
         tmp_database = self.open(tmp_database_file, password: 'pass_encryptor')
         selector = select.fields(Title: 'pass_encryptor')
-        tmp_database.edit_entries(selector, fields: { Password: password.to_unprotected })
+        tmp_database.edit_entries(selector, fields: { Password: password })
         password_enc = tmp_database.entries_string(selector, 'URL', spr: true).first
       ensure
         File.unlink tmp_database_file

data/lib/keepass_kpscript/version.rb

@@ -1,5 +1,5 @@
 module KeepassKpscript
 
-  VERSION = '1.0.1'
+  VERSION = '1.1.0'
 
 end

data/spec/keepass_kpscript_test/tests/keepass_kpscript/database_spec.rb

@@ -136,6 +136,7 @@ describe KeepassKpscript::Database do
     # All edit entries test cases
     {
       { fields: { Field: 'Value' } } => '-set-Field:"Value"',
+      { fields: { Field: SecretString.new('Value') } } => '-set-Field:"Value"',
       { fields: { Field1: 'Value1', Field2: 'Value2' } } => '-set-Field1:"Value1" -set-Field2:"Value2"',
       { icon_idx: 7 } => '-setx-Icon:7',
       { custom_icon_idx: 11 } => '-setx-CustomIcon:11',

data/spec/keepass_kpscript_test/tests/keepass_kpscript/kpscript_spec.rb

@@ -26,6 +26,23 @@ describe KeepassKpscript::Kpscript do
       expect(kpscript.encrypt_password('MyPassword')).to eq 'ENCRYPTED_PASSWORD'
     end
 
+    it 'encrypts passwords using SecretString' do
+      expect_calls_to_kpscript [
+        [
+          '/path/to/KPScript.exe "/tmp/keepass_kpscript.tmp.kdbx" -pw:"pass_encryptor" -c:EditEntry -ref-Title:"pass_encryptor" -set-Password:"MyPassword"',
+          'OK: Operation completed successfully.'
+        ],
+        [
+          '/path/to/KPScript.exe "/tmp/keepass_kpscript.tmp.kdbx" -pw:"pass_encryptor" -c:GetEntryString -ref-Title:"pass_encryptor" -Field:"URL" -Spr',
+          <<~EO_STDOUT
+            ENCRYPTED_PASSWORD
+            OK: Operation completed successfully.
+          EO_STDOUT
+        ]
+      ]
+      expect(kpscript.encrypt_password(SecretString.new('MyPassword'))).to eq 'ENCRYPTED_PASSWORD'
+    end
+
     it 'opens a database with a password' do
       expect_calls_to_kpscript [
         [
@@ -39,6 +56,19 @@ describe KeepassKpscript::Kpscript do
       expect(kpscript.open('/path/to/my_db.kdbx', password: 'MyPassword').password_for('MyEntryTitle')).to eq 'MyEntryPassword'
     end
 
+    it 'opens a database with a password using SecretString' do
+      expect_calls_to_kpscript [
+        [
+          '/path/to/KPScript.exe "/path/to/my_db.kdbx" -pw:"MyPassword" -c:GetEntryString -ref-Title:"MyEntryTitle" -Field:"Password"',
+          <<~EO_STDOUT
+            MyEntryPassword
+            OK: Operation completed successfully.
+          EO_STDOUT
+        ]
+      ]
+      expect(kpscript.open('/path/to/my_db.kdbx', password: SecretString.new('MyPassword')).password_for('MyEntryTitle')).to eq 'MyEntryPassword'
+    end
+
     it 'opens a database with an encrypted password' do
       expect_calls_to_kpscript [
         [
@@ -91,6 +121,19 @@ describe KeepassKpscript::Kpscript do
       expect(kpscript.open('/path/to/my_db.kdbx', password_enc: 'MyEncryptedPassword', key_file: '/path/to/key_file').password_for('MyEntryTitle')).to eq 'MyEntryPassword'
     end
 
+    it 'opens a database with a key file and encrypted password using SecretStrings' do
+      expect_calls_to_kpscript [
+        [
+          '/path/to/KPScript.exe "/path/to/my_db.kdbx" -pw-enc:"MyEncryptedPassword" -keyfile:"/path/to/key_file" -c:GetEntryString -ref-Title:"MyEntryTitle" -Field:"Password"',
+          <<~EO_STDOUT
+            MyEntryPassword
+            OK: Operation completed successfully.
+          EO_STDOUT
+        ]
+      ]
+      expect(kpscript.open('/path/to/my_db.kdbx', password_enc: SecretString.new('MyEncryptedPassword'), key_file: SecretString.new('/path/to/key_file')).password_for('MyEntryTitle')).to eq 'MyEntryPassword'
+    end
+
     it 'gives a selector' do
       expect_calls_to_kpscript []
       expect(kpscript.select.fields(Title: 'MyEntryTitle').to_s).to eq '-ref-Title:"MyEntryTitle"'

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: keepass_kpscript
 version: !ruby/object:Gem::Version
-  version: 1.0.1
+  version: 1.1.0
 platform: ruby
 authors:
 - Muriel Salvan
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2021-06-30 00:00:00.000000000 Z
+date: 2021-07-09 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: secret_string