keepasshttp 0.1.1 → 0.2.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 8babaeef8f439832b4219ddf366386242ede64d42fd74b204e658dcd7c61d983
-  data.tar.gz: 4e9f8f1badad0824bb1ed6c67be75b03b31f0b3524be2287d89f7c794e572e93
+  metadata.gz: 2f07357cd21290bc9cdc42bbf6b12060a890d499e33a27dbf7e9278391862c6d
+  data.tar.gz: 3f4659d7322951be51501b5c95880a734b75152f4a9780847572e707d3d69609
 SHA512:
-  metadata.gz: 339f9ac3d4e43896db11340e56aa021d4ce47044abcb8f573bb7028dfab6801a6f78a4c39ad4daed26c2c0863e6db394bed1f6471494371babfed9c7b1eca82a
-  data.tar.gz: cc40c75b8f751b11026cd1420c4486e5b56c8e294dbb41971cf18e470f3eea9022e0899f15e452b1606f84405eafab6ddad5613e815e48f8d7cc2d229342c0d2
+  metadata.gz: c96c8c638dcab3ba57830b466f3c3dbab439100f4d54399f3497fe98538def7e35e5ecca2d8c44b8da7f3e6020f59ee565be482ce1968102b3f89039fe8df410
+  data.tar.gz: bcc493cf7281c03d75cf168466b009edb07338d63186ca4f3a6c467ca33f76f96930e08411176cd11b4f992ee1a810556a910f90015a6a977602d2cb89eedf50

data/.rubocop.yml

@@ -2,4 +2,10 @@ AllCops:
   TargetRubyVersion: 2.5
 
 Naming/UncommunicativeMethodParamName:
-  AllowedNames: [ iv ]
+  AllowedNames:
+    - iv
+    - id
+
+Metrics/BlockLength:
+  Exclude:
+    - spec/*_spec.rb

data/Gemfile

@@ -4,5 +4,8 @@ source 'https://rubygems.org'
 
 git_source(:github) { |repo_name| "https://github.com/#{repo_name}" }
 
+# Optional depdendency
+gem 'net-ssh'
+
 # Specify your gem's dependencies in keepasshttp.gemspec
 gemspec

data/Gemfile.lock

@@ -1,12 +1,13 @@
 PATH
   remote: .
   specs:
-    keepasshttp (0.1.1)
+    keepasshttp (0.2.0)
 
 GEM
   remote: https://rubygems.org/
   specs:
     diff-lcs (1.3)
+    net-ssh (5.0.2)
     rake (10.5.0)
     rspec (3.8.0)
       rspec-core (~> 3.8.0)
@@ -28,6 +29,7 @@ PLATFORMS
 DEPENDENCIES
   bundler (~> 1.16)
   keepasshttp!
+  net-ssh
   rake (~> 10.0)
   rspec (~> 3.0)
 

data/README.md

@@ -20,14 +20,32 @@ Or install it yourself as:
 
 ## Usage
 
-```
-require 'keepass'
+```ruby
+require 'keepasshttp'
 
-keep = Keepass.connect
+keep = Keepasshttp.connect
 
-keep.password_for('http://example.com')
+keep.credentials_for('http://example.com')
 ```
 
+### KeyStores
+
+With the above code you'll be prompted by your Keepass to enter a label for the new key (because the tool generates a new key every time)
+which is shorter that typing your password but still annoying. So I added a (session) key_store. At the moment you can choose between:
+
+  * :Plain - save your key in plaintext - maximum convienience, minimal security
+    ```ruby
+      Keepasshttp.connect(key_store: :Plain)
+    ```
+  * :SshAgent - (re)use your running ssh-agent session to encrypt your session key (and then save it to a file)
+    ```ruby
+      Keepasshttp.connect(key_store: :SshAgent)
+    ```
+  * { key:, id: } - Do the keymanagement yourself and just input the necessary keys as Hash.
+    ```ruby
+      Keepasshttp.connect(key_store: { key: 'SECRET', id: 'Foo' })
+    ```
+
 ## Development
 
 After checking out the repo, run `bin/setup` to install dependencies. Then, run `rake spec` to run the tests. You can also run `bin/console` for an interactive prompt that will allow you to experiment.
@@ -37,7 +55,7 @@ To install this gem onto your local machine, run `bundle exec rake install`.
 To see if it works run
 
 ```bash
-$ keepasshttp URL_THAT_IS_IN_YOUR_KEEPASSDB
+$ keepasshttp URL_THAT_IS_IN_YOUR_KEEPASSDB [OPTS]
 ```
 
 If it works Keypass will prompt you for a label (which name you pick is irrelevant) and it should print you an json to the shell containing your data.

data/exe/keepasshttp

@@ -4,5 +4,34 @@
 require 'bundler/setup'
 require 'keepasshttp'
 require 'json'
+require 'optparse'
 
-puts Keepasshttp.connect.password_for(ARGV[0]).to_json
+params = {}
+
+ARGV.options do |opts|
+  opts.on('-p INTEGER', '--port', 'Use Keystore::Plain') do |val|
+    params[:port] = val.to_i
+  end
+
+  opts.on('--plain', 'Use Keystore::Plain') do
+    params[:key_store] = :Plain
+  end
+
+  opts.on('--ssh-agent', 'Use Keystore::SshAgent') do
+    params[:key_store] = :SshAgent
+  end
+
+  opts.on('--key STRING', 'Input your key directly') do |val|
+    params[:key_store] ||= {}
+    params[:key_store][:key] = val
+  end
+
+  opts.on('--id STRING', 'Input your id directly') do |val|
+    params[:key_store] ||= {}
+    params[:key_store][:id] = val
+  end
+
+  opts.parse!
+end
+
+puts Keepasshttp.connect(params).credentials_for(ARGV[0]).to_json

data/lib/keepasshttp.rb

@@ -17,23 +17,34 @@ class Keepasshttp
   end
   using Base64Helper
 
-  VERSION = '0.1.1'
+  VERSION = '0.2.0'
 
-  def self.connect(port: 19_455)
-    kee = new(port: port)
+  def self.connect(**params)
+    kee = new(**params)
     kee.login
     kee
   end
 
   attr_accessor :port
   attr_reader :session
+  attr_reader :id
+  autoload :KeyStore, 'keepasshttp/key_store'
 
-  def initialize(port: 19_455)
+  def initialize(port: 19_455, key_store: false)
     @port = port
     @session = false
+    init_keystore(key_store) if key_store
   end
 
-  def password_for(url)
+  def init_keystore(key_store)
+    @key_store = if key_store.is_a?(Hash)
+                   KeyStore::External.new(key_store)
+                 else
+                   KeyStore.const_get(key_store)
+                 end
+  end
+
+  def credentials_for(url)
     ping
 
     enc_url = encrypt(url, iv: new_iv)
@@ -51,6 +62,9 @@ class Keepasshttp
 
     @session = OpenSSL::Cipher.new('AES-256-CBC')
     session.encrypt
+
+    return cached_login if @key_store&.available?
+
     @key = session.random_key
     new_iv
 
@@ -58,6 +72,16 @@ class Keepasshttp
     return false unless json
 
     @id = json['Id']
+
+    @key_store&.save(id: @id, key: @key)
+  end
+
+  def cached_login
+    cache = @key_store.load
+    @key = cache[:key]
+    @id = cache[:id]
+    new_iv
+    ping
   end
 
   def ping

data/lib/keepasshttp/key_store.rb

@@ -0,0 +1,107 @@
+# frozen_string_literal: true
+
+require 'yaml'
+
+class Keepasshttp
+  module KeyStore
+    # Input the key and the id directly into the client so you can take care
+    # of the storage yourself.
+    class External
+      def initialize(key:, id:)
+        @params = { key: key, id: id }
+      end
+
+      def save(*_args)
+        false
+      end
+
+      def load
+        @params
+      end
+
+      def available?
+        true
+      end
+    end
+
+    # The most simple but unsecure way wo store your session key (so you don't
+    # have to reenter the label over and over again). Use this only for testing!
+    class Plain
+      # TODO, make the PATH adjustable
+      PATH = File.join(Dir.home, '.keepasshttp-ruby')
+      def self.save(params = {})
+        File.write(PATH, params.to_yaml)
+      end
+
+      def self.load
+        YAML.load_file(PATH)
+      end
+
+      def self.available?
+        File.exist?(PATH) && File.size(PATH).positive?
+      end
+    end
+
+    # Use your running ssh-agent session to encrypt your session key
+    class SshAgent < Plain
+      class << self
+        def available?
+          require 'net/ssh'
+
+          super
+        rescue LoadError
+          raise LoadError, 'To use key_store: :SshAgent you have to install ' \
+                           "the 'net-ssh' gem"
+        end
+
+        def save(params = {})
+          enc, iv = encrypt(params.delete(:key))
+          params[:key] = enc
+          params[:iv] = iv
+          super(params)
+        end
+
+        def load
+          params = super
+          params[:key] = decrypt(params[:key], iv: params.delete(:iv))
+          params
+        end
+
+        private
+
+        def encrypt(string)
+          agent = Net::SSH::Authentication::Agent.connect
+
+          cip = OpenSSL::Cipher.new('AES-256-CBC')
+          cip.encrypt
+          iv = cip.random_iv
+
+          cip.key = agent.sign(identity(agent), iv)[-32..-1]
+
+          [cip.update(string) + cip.final, iv]
+        end
+
+        def decrypt(string, iv:)
+          agent = Net::SSH::Authentication::Agent.connect
+
+          cip = OpenSSL::Cipher.new('AES-256-CBC')
+          cip.decrypt
+          cip.iv = iv
+
+          cip.key = agent.sign(identity(agent), iv)[-32..-1]
+
+          cip.update(string) + cip.final
+        end
+
+        # TODO, make the key selectable
+        def identity(agent)
+          if agent.identities.empty?
+            raise 'No identity available. Run `ssh-add` and try again'
+          end
+
+          agent.identities.first
+        end
+      end
+    end
+  end
+end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: keepasshttp
 version: !ruby/object:Gem::Version
-  version: 0.1.1
+  version: 0.2.0
 platform: ruby
 authors:
 - Holger Arndt
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2018-09-25 00:00:00.000000000 Z
+date: 2018-10-01 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -74,6 +74,7 @@ files:
 - exe/keepasshttp
 - keepasshttp.gemspec
 - lib/keepasshttp.rb
+- lib/keepasshttp/key_store.rb
 homepage: https://github.com/Kjarrigan/keepasshttp-ruby
 licenses:
 - MIT