keeper_secrets_manager 17.0.3

data/lib/keeper_secrets_manager/notation.rb

@@ -0,0 +1,354 @@
+require 'base64'
+
+module KeeperSecretsManager
+  module Notation
+    # Parse and resolve keeper:// notation URIs
+    class Parser
+      ESCAPE_CHAR = '\\'.freeze
+      ESCAPE_CHARS = '/[]\\'.freeze # Characters that can be escaped
+
+      def initialize(secrets_manager)
+        @secrets_manager = secrets_manager
+      end
+
+      # Parse notation and return value
+      def parse(notation)
+        return nil if notation.nil? || notation.empty?
+        
+        # Parse notation URI
+        parsed = parse_notation(notation)
+        
+        # Validate we have minimum required sections
+        raise NotationError, "Invalid notation: #{notation}" if parsed.length < 3
+        
+        # Extract components
+        record_token = parsed[1].text&.first
+        selector = parsed[2].text&.first
+        
+        raise NotationError, "Invalid notation: missing record" unless record_token
+        raise NotationError, "Invalid notation: missing selector" unless selector
+        
+        # Get record
+        records = @secrets_manager.get_secrets([record_token])
+        
+        # If not found by UID, try by title
+        if records.empty?
+          all_records = @secrets_manager.get_secrets
+          records = all_records.select { |r| r.title == record_token }
+        end
+        
+        raise NotationError, "Multiple records match '#{record_token}'" if records.size > 1
+        raise NotationError, "No records match '#{record_token}'" if records.empty?
+        
+        record = records.first
+        
+        # Extract parameters
+        parameter = parsed[2].parameter&.first
+        index1 = parsed[2].index1&.first
+        index2 = parsed[2].index2&.first
+        
+        # Process selector
+        case selector.downcase
+        when 'type'
+          record.type
+        when 'title'
+          record.title
+        when 'notes'
+          record.notes
+        when 'file'
+          handle_file_selector(record, parameter, record_token)
+        when 'field', 'custom_field'
+          handle_field_selector(record, selector, parameter, index1, index2, parsed[2])
+        else
+          raise NotationError, "Invalid selector: #{selector}"
+        end
+      end
+
+      private
+
+      # Handle file selector
+      def handle_file_selector(record, parameter, record_token)
+        raise NotationError, "Missing required parameter: filename or file UID" unless parameter
+        raise NotationError, "Record #{record_token} has no file attachments" if record.files.nil? || record.files.empty?
+        
+        # Find matching file
+        files = record.files.select do |f|
+          parameter == f.name || parameter == f.title || parameter == f.uid
+        end
+        
+        raise NotationError, "No files match '#{parameter}'" if files.empty?
+        raise NotationError, "Multiple files match '#{parameter}'" if files.size > 1
+        
+        # Return file object (downloading would be handled by the caller)
+        files.first
+      end
+
+      # Handle field selector
+      def handle_field_selector(record, selector, parameter, index1, index2, parsed_section)
+        raise NotationError, "Missing required parameter for field" unless parameter
+        
+        # Get field array
+        custom_field = selector.downcase == 'custom_field'
+        field = record.get_field(parameter, custom_field)
+        
+        raise NotationError, "Field '#{parameter}' not found" unless field
+        
+        # Get field values
+        values = field['value'] || []
+        
+        # Handle index1
+        idx = parse_index(index1)
+        
+        # Validate index1 - only raise error if we have a non-empty, non-bracket value
+        if idx == -1 && parsed_section.index1 && 
+           parsed_section.index1[1] != '' && parsed_section.index1[1] != '[]' &&
+           parsed_section.index1[0] != ''  # Empty string parses to -1 which is valid
+          raise NotationError, "Invalid field index: #{parsed_section.index1[0]}"
+        end
+        
+        if idx >= values.size
+          raise NotationError, "Field index out of bounds: #{idx} >= #{values.size}"
+        end
+        
+        # Apply index1
+        values = [values[idx]] if idx >= 0
+        
+        # Handle legacy compatibility
+        if parsed_section.index1.nil? && parsed_section.index2.nil?
+          return values.first
+        end
+        
+        if parsed_section.index1 && parsed_section.index1[1] == '[]' && 
+           (index2.nil? || index2.empty?)
+          return values
+        end
+        
+        if index1.to_s.empty? && !index2.to_s.empty?
+          return values.first[index2] if values.first.is_a?(Hash)
+        end
+        
+        # Handle index2 (property access)
+        full_obj_value = parsed_section.index2.nil? || 
+                        parsed_section.index2[1] == '' || 
+                        parsed_section.index2[1] == '[]'
+        
+        if full_obj_value
+          idx >= 0 ? values.first : values
+        elsif values.first.is_a?(Hash)
+          obj_property = index2
+          if values.first.key?(obj_property)
+            values.first[obj_property]
+          else
+            raise NotationError, "Property '#{obj_property}' not found"
+          end
+        else
+          raise NotationError, "Cannot extract property from non-object value"
+        end
+      end
+
+      # Parse index value
+      def parse_index(index_str)
+        return -1 if index_str.nil? || index_str.empty?
+        
+        begin
+          Integer(index_str)
+        rescue ArgumentError
+          -1
+        end
+      end
+
+      # Parse notation URI into sections
+      def parse_notation(notation)
+        # Handle base64 encoded notation
+        unless notation.include?('/')
+          begin
+            decoded = Base64.urlsafe_decode64(notation)
+            notation = decoded.force_encoding('UTF-8')
+          rescue
+            raise NotationError, "Invalid notation format"
+          end
+        end
+        
+        # Parse sections
+        prefix = parse_section(notation, 'prefix', 0)
+        pos = prefix.present? ? prefix.end_pos + 1 : 0
+        
+        record = parse_section(notation, 'record', pos)
+        pos = record.present? ? record.end_pos + 1 : notation.length
+        
+        selector = parse_section(notation, 'selector', pos)
+        pos = selector.present? ? selector.end_pos + 1 : notation.length
+        
+        footer = parse_section(notation, 'footer', pos)
+        
+        [prefix, record, selector, footer]
+      end
+
+      # Parse a section of the notation
+      def parse_section(notation, section_name, pos)
+        result = NotationSection.new(section_name)
+        result.start_pos = pos
+        
+        case section_name.downcase
+        when 'prefix'
+          # Check for keeper:// prefix
+          prefix = "#{Core::SecretsManager::NOTATION_PREFIX}://"
+          if notation.downcase.start_with?(prefix.downcase)
+            result.present = true
+            result.start_pos = 0
+            result.end_pos = prefix.length - 1
+            result.text = [notation[0...prefix.length], notation[0...prefix.length]]
+          end
+          
+        when 'footer'
+          # Footer is anything after the last section
+          if pos < notation.length
+            result.present = true
+            result.start_pos = pos
+            result.end_pos = notation.length - 1
+            result.text = [notation[pos..], notation[pos..]]
+          end
+          
+        when 'record'
+          # Record is required - parse until '/' with escaping
+          if pos < notation.length
+            parsed = parse_subsection(notation, pos, '/', true)
+            if parsed
+              result.present = true
+              result.start_pos = pos
+              result.end_pos = pos + parsed[1].length - 1
+              result.text = parsed
+            end
+          end
+          
+        when 'selector'
+          # Selector is required
+          if pos < notation.length
+            parsed = parse_subsection(notation, pos, '/', false)
+            if parsed
+              result.present = true
+              result.start_pos = pos
+              result.end_pos = pos + parsed[1].length - 1
+              result.text = parsed
+              
+              # Check for long selectors that have parameters
+              if %w[field custom_field file].include?(parsed[0].downcase)
+                # Parse parameter (field type/label or filename)
+                param_parsed = parse_subsection(notation, result.end_pos + 1, '[', true)
+                if param_parsed
+                  result.parameter = param_parsed
+                  plen = param_parsed[1].length
+                  plen -= 1 if param_parsed[1].end_with?('[') && !param_parsed[1].end_with?('\\[')
+                  result.end_pos += plen
+                  
+                  # Parse index1 [N] or []
+                  index1_parsed = parse_subsection(notation, result.end_pos + 1, '[]', true)
+                  if index1_parsed
+                    result.index1 = index1_parsed
+                    result.end_pos += index1_parsed[1].length
+                    
+                    # Parse index2 [property]
+                    index2_parsed = parse_subsection(notation, result.end_pos + 1, '[]', true)
+                    if index2_parsed
+                      result.index2 = index2_parsed
+                      result.end_pos += index2_parsed[1].length
+                    end
+                  end
+                end
+              end
+            end
+          end
+          
+        else
+          raise NotationError, "Unknown section: #{section_name}"
+        end
+        
+        result
+      end
+
+      # Parse subsection with delimiters and escaping
+      def parse_subsection(text, pos, delimiters, escaped = false)
+        return nil if text.nil? || text.empty? || pos < 0 || pos >= text.length
+        
+        if delimiters.nil? || delimiters.length > 2
+          raise NotationError, "Internal error: incorrect delimiters"
+        end
+        
+        token = ''
+        raw = ''
+        
+        while pos < text.length
+          if escaped && text[pos] == ESCAPE_CHAR
+            # Handle escape sequence
+            if pos + 1 >= text.length || !ESCAPE_CHARS.include?(text[pos + 1])
+              raise NotationError, "Incorrect escape sequence at position #{pos}"
+            end
+            
+            token += text[pos + 1]
+            raw += text[pos, 2]
+            pos += 2
+          else
+            raw += text[pos]
+            
+            if delimiters.length == 1
+              # Single delimiter
+              break if text[pos] == delimiters[0]
+              token += text[pos]
+            else
+              # Two delimiters (for brackets)
+              if raw[0] != delimiters[0]
+                raise NotationError, "Index sections must start with '['"
+              end
+              
+              if raw.length > 1 && text[pos] == delimiters[0]
+                raise NotationError, "Index sections do not allow extra '[' inside"
+              end
+              
+              if !delimiters.include?(text[pos])
+                token += text[pos]
+              elsif text[pos] == delimiters[1]
+                break
+              end
+            end
+            
+            pos += 1
+          end
+        end
+        
+        # Validate brackets are properly closed
+        if delimiters.length == 2
+          if raw.length < 2 || raw[0] != delimiters[0] || raw[-1] != delimiters[1]
+            raise NotationError, "Index sections must be enclosed in '[' and ']'"
+          end
+          
+          if escaped && raw[-2] == ESCAPE_CHAR
+            raise NotationError, "Index sections must be enclosed in '[' and ']'"
+          end
+        end
+        
+        [token, raw]
+      end
+
+      # Notation section data class
+      class NotationSection
+        attr_accessor :section, :present, :start_pos, :end_pos, 
+                      :text, :parameter, :index1, :index2
+
+        def initialize(section_name)
+          @section = section_name
+          @present = false
+          @start_pos = -1
+          @end_pos = -1
+          @text = nil
+          @parameter = nil
+          @index1 = nil
+          @index2 = nil
+        end
+
+        def present?
+          @present
+        end
+      end
+    end
+  end
+end

data/lib/keeper_secrets_manager/notation_enhancements.rb

@@ -0,0 +1,67 @@
+# Enhanced notation functionality for files and TOTP
+
+module KeeperSecretsManager
+  module Notation
+    class Parser
+      # Get value with enhanced functionality
+      # This method extends the basic parse method to handle special cases
+      def get_value(notation, options = {})
+        value = parse(notation)
+        
+        # Check if we should process special types
+        return value unless options[:auto_process]
+        
+        # Parse the notation to understand what we're dealing with
+        parsed = parse_notation(notation)
+        return value if parsed.length < 3
+        
+        selector = parsed[2].text&.first
+        return value unless selector
+        
+        case selector.downcase
+        when 'file'
+          # If it's a file and auto_download is enabled, download it
+          if options[:auto_download] && value.is_a?(Hash) && value['fileUid']
+            begin
+              file_data = @secrets_manager.download_file(value['fileUid'])
+              return file_data['data']  # Return file content
+            rescue => e
+              raise NotationError, "Failed to download file: #{e.message}"
+            end
+          end
+          
+        when 'field'
+          # Check if it's a TOTP field
+          parameter = parsed[2].parameter&.first
+          if parameter && parameter.downcase == 'onetimecode' && value.is_a?(String) && value.start_with?('otpauth://')
+            if options[:generate_totp_code]
+              begin
+                totp_params = TOTP.parse_url(value)
+                return TOTP.generate_code(
+                  totp_params['secret'],
+                  algorithm: totp_params['algorithm'],
+                  digits: totp_params['digits'],
+                  period: totp_params['period']
+                )
+              rescue => e
+                raise NotationError, "Failed to generate TOTP code: #{e.message}"
+              end
+            end
+          end
+        end
+        
+        value
+      end
+      
+      # Convenience method to get TOTP code directly
+      def get_totp_code(notation)
+        get_value(notation, auto_process: true, generate_totp_code: true)
+      end
+      
+      # Convenience method to download file content directly
+      def download_file(notation)
+        get_value(notation, auto_process: true, auto_download: true)
+      end
+    end
+  end
+end

data/lib/keeper_secrets_manager/storage.rb

@@ -0,0 +1,254 @@
+require 'json'
+require 'base64'
+require 'fileutils'
+
+module KeeperSecretsManager
+  module Storage
+    # Base storage interface
+    module KeyValueStorage
+      def get_string(key)
+        raise NotImplementedError, "Subclass must implement get_string"
+      end
+
+      def save_string(key, value)
+        raise NotImplementedError, "Subclass must implement save_string"
+      end
+
+      def get_bytes(key)
+        data = get_string(key)
+        return nil unless data
+        
+        # Handle both standard and URL-safe base64
+        begin
+          # First try standard base64
+          Base64.strict_decode64(data)
+        rescue ArgumentError
+          begin
+            # Try URL-safe base64 with padding
+            padding = 4 - (data.length % 4)
+            padding = 0 if padding == 4
+            Base64.urlsafe_decode64(data + '=' * padding)
+          rescue => e
+            # Last resort - try with decode64 which is more lenient
+            Base64.decode64(data)
+          end
+        end
+      end
+
+      def save_bytes(key, value)
+        save_string(key, Base64.strict_encode64(value))
+      end
+
+      def delete(key)
+        raise NotImplementedError, "Subclass must implement delete"
+      end
+
+      def contains?(key)
+        !get_string(key).nil?
+      end
+    end
+
+    # In-memory storage implementation
+    class InMemoryStorage
+      include KeyValueStorage
+
+      def initialize(config_data = nil)
+        @data = {}
+        
+        # Initialize from JSON string, base64 string, or hash
+        if config_data
+          parsed = case config_data
+                   when String
+                     # Check if it's base64 encoded
+                     if is_base64?(config_data)
+                       JSON.parse(Base64.decode64(config_data))
+                     else
+                       JSON.parse(config_data)
+                     end
+                   when Hash
+                     config_data
+                   else
+                     {}
+                   end
+          
+          parsed.each { |k, v| @data[k.to_s] = v.to_s }
+        end
+      end
+
+      def get_string(key)
+        @data[key.to_s]
+      end
+
+      def save_string(key, value)
+        @data[key.to_s] = value.to_s
+      end
+
+      def delete(key)
+        @data.delete(key.to_s)
+      end
+
+      def to_h
+        @data.dup
+      end
+
+      def to_json(*args)
+        @data.to_json(*args)
+      end
+      
+      private
+      
+      def is_base64?(str)
+        # Check if string is valid base64
+        return false if str.nil? || str.empty?
+        
+        # Remove whitespace
+        str = str.strip
+        
+        # Check if length is multiple of 4 (with padding) or can be padded to multiple of 4
+        # Also check if it only contains base64 characters
+        base64_regex = /\A[A-Za-z0-9+\/]*={0,2}\z/
+        
+        str.match?(base64_regex) && (str.length % 4 == 0 || str.length % 4 == 2 || str.length % 4 == 3)
+      end
+    end
+
+    # File-based storage implementation
+    class FileStorage
+      include KeyValueStorage
+
+      def initialize(filename = 'keeper_config.json')
+        @filename = File.expand_path(filename)
+        @data = {}
+        load_data
+      end
+
+      def get_string(key)
+        @data[key.to_s]
+      end
+
+      def save_string(key, value)
+        @data[key.to_s] = value.to_s
+        save_data
+      end
+
+      def delete(key)
+        @data.delete(key.to_s)
+        save_data
+      end
+
+      private
+
+      def load_data
+        if File.exist?(@filename)
+          begin
+            content = File.read(@filename)
+            # Handle empty files
+            if content.strip.empty?
+              @data = {}
+            else
+              @data = JSON.parse(content)
+            end
+          rescue JSON::ParserError => e
+            raise Error, "Failed to parse config file: #{e.message}"
+          end
+        end
+      end
+
+      def save_data
+        # Ensure directory exists
+        FileUtils.mkdir_p(File.dirname(@filename))
+        
+        # Write atomically to avoid corruption
+        temp_file = "#{@filename}.tmp"
+        File.open(temp_file, 'w') do |f|
+          f.write(JSON.pretty_generate(@data))
+        end
+        
+        # Move atomically
+        File.rename(temp_file, @filename)
+        
+        # Set restrictive permissions (owner read/write only)
+        File.chmod(0600, @filename)
+      rescue => e
+        raise Error, "Failed to save config file: #{e.message}"
+      end
+    end
+
+    # Environment-based storage (read-only)
+    class EnvironmentStorage
+      include KeyValueStorage
+
+      def initialize(prefix = 'KSM_')
+        @prefix = prefix
+      end
+
+      def get_string(key)
+        ENV["#{@prefix}#{key.to_s.upcase}"]
+      end
+
+      def save_string(key, value)
+        raise Error, "Environment storage is read-only"
+      end
+
+      def delete(key)
+        raise Error, "Environment storage is read-only"
+      end
+    end
+
+    # Cacheable storage wrapper
+    class CachingStorage
+      include KeyValueStorage
+
+      def initialize(base_storage, ttl_seconds = 600)
+        @base_storage = base_storage
+        @ttl_seconds = ttl_seconds
+        @cache = {}
+        @timestamps = {}
+      end
+
+      def get_string(key)
+        key_str = key.to_s
+        
+        # Check cache validity
+        if @cache.key?(key_str) && !expired?(key_str)
+          return @cache[key_str]
+        end
+
+        # Fetch from base storage
+        value = @base_storage.get_string(key)
+        if value
+          @cache[key_str] = value
+          @timestamps[key_str] = Time.now
+        end
+        
+        value
+      end
+
+      def save_string(key, value)
+        key_str = key.to_s
+        @base_storage.save_string(key, value)
+        @cache[key_str] = value.to_s
+        @timestamps[key_str] = Time.now
+      end
+
+      def delete(key)
+        key_str = key.to_s
+        @base_storage.delete(key)
+        @cache.delete(key_str)
+        @timestamps.delete(key_str)
+      end
+
+      def clear_cache
+        @cache.clear
+        @timestamps.clear
+      end
+
+      private
+
+      def expired?(key)
+        return true unless @timestamps[key]
+        Time.now - @timestamps[key] > @ttl_seconds
+      end
+    end
+  end
+end