lockr 0.2.0

data/bin/lockr

@@ -0,0 +1,5 @@
+#!/usr/bin/env ruby
+
+require 'lockr'
+lockr = Lockr.new()
+lockr.run()

data/lib/lockr.rb

@@ -0,0 +1,139 @@
+require 'rubygems'
+require 'bundler/setup'
+
+require 'optparse'
+require 'highline/import'
+
+require 'lockr/action/add'
+require 'lockr/action/list'
+require 'lockr/action/remove'
+require 'lockr/action/show'
+require 'lockr/pwdgen'
+  
+class Lockr
+  def run()
+    options = parse_options()
+    validate_options( options)
+    acquire_additional_input( options)
+    process_actions( options)
+  end
+  
+  def parse_options()
+    options = {}
+    
+    optparse = OptionParser.new do|opts|
+    # Set a banner, displayed at the top
+    # of the help screen.
+      opts.banner = "Usage: lockr.rb [options]"
+    
+      # Define the options, and what they do
+      options[:action] = nil
+      opts.on( '-a', '--action ACTION', 'Execute the requested ACTION (add, remove, list, show)' ) do |id|
+        options[:action] = id
+      end
+    
+      options[:id] = nil
+      opts.on( '-i', '--id ID', 'the ID of the password set' ) do |id|
+        options[:id] = id
+      end
+      
+      options[:keyfile] = nil
+      opts.on( '-k', '--keyfile FILE', 'the FILE to use as key for the password encryption') do |file|
+        options[:keyfile] = file
+      end
+      
+      options[:vault] = 'vault.yaml'
+      opts.on( '-v', '--vault FILE', 'FILE is the name of the vault to store the password sets') do |file|
+        options[:vault] = file
+      end
+      
+      options[:generatepwd] = nil
+      opts.on( '-g', '--genpwd PARAMS', 'generate a random password (based on the optional PARAMS)') do |params|
+        options[:generatepwd] = params
+      end
+    
+      # This displays the help screen, all programs are
+      # assumed to have this option.
+      opts.on( '-h', '--help', 'Display this screen' ) do
+        puts opts
+        exit
+      end
+    end
+    
+    # Parse the command-line. Remember there are two forms
+    # of the parse method. The 'parse' method simply parses
+    # ARGV, while the 'parse!' method parses ARGV and removes
+    # any options found there, as well as any parameters for
+    # the options. What's left is the list of files to resize.
+    optparse.parse!
+  
+    options
+  end
+  
+  def validate_options( options)
+    if options[:action].nil?
+      puts 'Please provide an action (--action)'
+      exit 1
+    end
+    
+    allowed_actions = %w{ a add r remove s show l list}
+    if allowed_actions.index( options[:action]).nil? 
+      puts "Allowed actions are add, remove, list and show"
+      exit 2
+    end
+    
+    # keyfile is required for all actions other than list
+    if options[:keyfile].nil? and %w{ l list}.index( options[:action]).nil?
+      puts 'Please provide an encryption key file (--keyfile)'
+      exit 3
+    end
+  end
+  
+  def acquire_additional_input( options)
+    # id is required for all actions except list
+    while options[:id].nil? and %w{ l list}.index( options[:action]).nil?
+      options[:id] = ask("Id?  ") { |q| }
+      options[:id] = nil if options[:id].strip() == '' 
+    end
+    
+    # username is required for actions add, remove
+    actions_requiring_username = %w{ a add r remove}
+    while options[:username].nil? and not actions_requiring_username.index( options[:action]).nil?
+      options[:username] = ask("Username?  ") { |q| }
+      options[:username] = nil if options[:username].strip == ''
+    end
+    
+    # url is optional for add
+    actions_requiring_url = %w{ a add}
+    if options[:url].nil? and not actions_requiring_url.index( options[:action]).nil?
+      options[:url] = ask("Url?  ") { |q| }
+      options[:url] = nil if options[:url].strip() == ''
+    end
+  end
+  
+  def process_actions( options)
+    begin
+      case options[:action]
+      when 'a', 'add'
+        if options[:generatepwd].nil?
+          password = ask("Password?  ") { |q| q.echo = "x" }
+        else 
+          password = PasswordGenerator.new.generate( options[:generatepwd])
+        end 
+        
+        action = AddAction.new( options[:id], options[:url], options[:username], password, options[:keyfile], options[:vault])
+      when 'r', 'remove'
+        action = RemoveAction.new( options[:id], options[:username], options[:keyfile], options[:vault])
+      when 's', 'show'
+        action = ShowAction.new( options[:id], options[:username], options[:keyfile], options[:vault])
+      when 'l', 'list'
+        action = ListAction.new( options[:keyfile], options[:vault])
+      else
+        puts "Unknown action #{options[:action]}"
+      end
+    rescue OpenSSL::Cipher::CipherError
+      say( "<%= color('Invalid keyfile', :red) %>")
+      exit 42
+    end
+  end
+end

data/lib/lockr/action/add.rb

@@ -0,0 +1,34 @@
+require 'lockr/action/aes'
+require 'lockr/pwdstore'
+
+class AddAction < AesAction
+  
+  def initialize(id,url,username,pwd,keyfile,vault)
+    keyfilehash = calculate_hash( keyfile)
+    
+    pwd_directory = load_from_vault( vault)
+    
+    if pwd_directory.has_key?( id)
+      pwd_directory_id = YAML::load(decrypt( pwd_directory[id][:enc], keyfilehash, pwd_directory[id][:salt]))
+    else
+      pwd_directory_id = {}
+    end
+    
+    if ( pwd_directory_id.has_key?( username))
+      overwrite = ask( "Password already exists. Update? (y/n)  ") { |q| }
+      unless overwrite.downcase == 'y'
+        exit 14
+      end
+    end
+    
+    new_store = PasswordStore.new( id, url, username, pwd)
+    pwd_directory_id[username] = new_store
+    
+    pwd_directory[id] = {}
+    pwd_directory[id][:enc], pwd_directory[id][:salt] = encrypt( pwd_directory_id.to_yaml, keyfilehash)
+    
+    save_to_vault( pwd_directory, vault)
+    say("Password saved for ID '<%= color('#{id}', :blue) %>' and user '<%= color('#{username}', :green) %>'")
+  end
+  
+end

data/lib/lockr/action/aes.rb

@@ -0,0 +1,5 @@
+require 'lockr/action/base'
+
+class AesAction < BaseAction
+  include Aes
+end

data/lib/lockr/action/base.rb

@@ -0,0 +1,71 @@
+require 'openssl'
+require 'lockr/encryption/aes'
+
+class BaseAction
+  def calculate_hash( filename)
+    sha1 = OpenSSL::Digest::SHA512.new
+
+    File.open( filename) do |file|
+      buffer = ''
+
+      # Read the file 512 bytes at a time
+      while not file.eof
+        file.read(512, buffer)
+        sha1.update(buffer)
+      end
+    end
+    
+    sha1.to_s
+  end
+  
+  def save_to_vault( storelist, vault)
+    rotate_vault( vault)
+    
+    File.open( vault, 'w') do |f|
+      f.write( storelist.to_yaml)
+    end
+  end
+  
+  def rotate_vault( vault)
+    return unless File.exists?(vault)
+    
+    # move old files first
+    max_files = 2 # = 3 - 1
+    max_files.downto( 0) { |i|
+      
+      if i == 0
+        File.rename( vault, "#{vault}_#{i}")
+      else
+        j = i - 1
+        if File.exists?("#{vault}_#{j}")
+          File.rename( "#{vault}_#{j}", "#{vault}_#{i}")  
+        end
+      end
+    }
+  end
+  
+  # loads the datastructure for the password sets from the file
+  # it looks like this:
+  #
+  # pwd_directory = { 
+  #   :id => { 
+  #     :enc  => 'encrypted password store list', 
+  #     :salt => 'salt for decryption' 
+  #   } 
+  # }
+  #
+  # decrypted_store_list = {
+  #   :username => PasswordStore
+  # }
+  def load_from_vault( vault)
+    storelist = {} 
+    
+    if File.exist?( vault)
+      File.open( vault, 'r') do |f|
+        storelist = YAML::load(f)
+      end
+    end
+    
+    storelist
+  end
+end

data/lib/lockr/action/list.rb

@@ -0,0 +1,28 @@
+require 'lockr/action/aes'
+require 'lockr/pwdstore'
+
+class ListAction < AesAction
+  
+  def initialize( keyfile, vault)
+    pwd_directory = load_from_vault( vault)
+    out = []
+    
+    if keyfile.nil?
+      pwd_directory.each { |id,value|
+        out << "Id: #{id}"
+      }
+    else
+      keyfilehash = calculate_hash( keyfile)
+      pwd_directory.each { |oid,value|
+        pwd_directory_id = YAML::load(decrypt( value[:enc], keyfilehash, value[:salt]))
+        pwd_directory_id.each { |username, pwdstore|
+          out << "Id: #{pwdstore.id} / Username: #{pwdstore.username}"
+        }
+      }
+    end
+    
+    out.sort!
+    out.each{ |e| puts e }
+  end
+  
+end 

data/lib/lockr/action/remove.rb

@@ -0,0 +1,40 @@
+require 'lockr/action/aes'
+require 'lockr/pwdstore'
+
+class RemoveAction < AesAction
+  
+  def initialize(id,username,keyfile,vault)
+    keyfilehash = calculate_hash( keyfile)
+    pwd_directory = load_from_vault( vault)
+    
+    unless pwd_directory.has_key?( id)
+      puts "Id '#{id}' not found"
+      exit 20
+    end
+    
+    pwd_directory_id = YAML::load(decrypt( pwd_directory[id][:enc], keyfilehash, pwd_directory[id][:salt]))
+    
+    unless pwd_directory_id.has_key?(username)
+      puts "Username '#{username}' not found for id '#{id}'"
+      exit 21
+    end
+    
+    confirm = ask( "Are you sure you want to delete the entry with id '#{id}' and username '#{username}'? (y/n)  ") { |q| }
+    unless confirm.downcase == 'y'
+      exit 22
+    end
+    
+    pwd_directory_id.delete( username)
+    
+    if ( pwd_directory_id.size == 0 )
+      pwd_directory.delete( id)
+    else
+      pwd_directory[id] = {}
+      pwd_directory[id][:enc], pwd_directory[id][:salt] = encrypt( pwd_directory_id.to_yaml, keyfilehash)
+    end
+    
+    save_to_vault( pwd_directory, vault)
+    puts "Entry removed"
+  end
+  
+end

data/lib/lockr/action/show.rb

@@ -0,0 +1,40 @@
+require 'lockr/action/aes'
+
+class ShowAction < AesAction
+  
+  def initialize(id,username,keyfile, vault)
+    keyfilehash = calculate_hash( keyfile)
+    
+    pwd_directory = load_from_vault( vault)
+    
+    unless pwd_directory.has_key?( id)
+      puts "Id '#{id}' not found"
+      exit 10
+    end
+    
+    pwd_directory_id = YAML::load(decrypt( pwd_directory[id][:enc], keyfilehash, pwd_directory[id][:salt]))
+    
+    if username.nil? 
+      unless pwd_directory_id.length == 1
+        puts "More than one username for id '#{id}'. Please provide a username!"
+        exit 13
+      end
+       
+      key = pwd_directory_id.keys[0]
+      store = pwd_directory_id[key]
+    else  
+      unless pwd_directory_id.has_key?(username)
+        puts "Username '#{username}' not found for id '#{id}'"
+        exit 11
+      end
+      
+      store = pwd_directory_id[username]
+    end
+    
+    say("Password found")
+    say("ID '<%= color('#{store.id}', :blue) %>', URL '<%= color('#{store.url}', :blue) %>'")
+    say("User '<%= color('#{store.username}', :blue) %>'")
+    say("Password:  <%= color('#{store.password}', :green) %>")
+  end
+  
+end

data/lib/lockr/encryption/aes.rb

@@ -0,0 +1,43 @@
+require 'openssl'
+require 'securerandom'
+
+module Aes
+  # encrypt the string with AES 256-bit CBC encryption. 
+  # the key and iv are calculated by the derive_key_iv 
+  # method using the provided password. 
+  #
+  # returns encrypted_string, salt
+  def encrypt( string, pass)
+    salt = SecureRandom.random_bytes(16)
+    key, iv = derive_key_iv( pass, salt)
+    
+    cipher = OpenSSL::Cipher::AES.new(256, :CBC)
+    cipher.encrypt
+    cipher.key = key
+    cipher.iv = iv
+    [cipher.update(string) + cipher.final, salt]
+  end
+  
+  # decrypt the string with AES 256-bit CBC encryption. 
+  # the key and iv are calculated by the derive_key_iv 
+  # method using the provided password. 
+  def decrypt( string, pass, salt)
+    key, iv = derive_key_iv( pass, salt)
+    
+    decipher = OpenSSL::Cipher::AES.new(256, :CBC)
+    decipher.decrypt
+    decipher.key = key
+    decipher.iv = iv
+
+    decipher.update( string) + decipher.final
+  end
+  
+  # derive a key and initial vector from the password thru
+  # the use of PKCS5 pbkdf2 key derivation function. 
+  def derive_key_iv( pass, salt)
+    key = OpenSSL::PKCS5::pbkdf2_hmac_sha1( pass, salt, 4096, 32)
+    iv = OpenSSL::PKCS5::pbkdf2_hmac_sha1( pass, salt, 4096, 16)
+    
+    [key, iv]
+  end
+end

data/lib/lockr/pwdgen.rb

@@ -0,0 +1,25 @@
+require 'securerandom'
+
+class PasswordGenerator
+  
+  def generate( params)
+    pwd = []
+    
+    # create x random characters
+    params.to_i.times do
+      l = SecureRandom.random_number(26)
+      pwd << l
+    end
+    
+    # up/downcase with 50% chance
+    pwd.collect!{ |i| (i + 65).chr }.collect!{ |c| 
+      if ( SecureRandom.random_number(0) > 0.5)
+        c.downcase 
+      else
+        c
+      end 
+    }
+    
+    pwd.join
+  end
+end

data/lib/lockr/pwdstore.rb

@@ -0,0 +1,13 @@
+# A password store contains an id of the site the password belongs to, 
+# the username to login and the password. 
+    
+class PasswordStore
+    attr_accessor :id,:url,:username,:password
+    
+    def initialize(id,url,username,pwd)
+      @id = id
+      @url = url
+      @username = username
+      @password = pwd
+    end
+end

metadata

@@ -0,0 +1,79 @@
+--- !ruby/object:Gem::Specification
+name: lockr
+version: !ruby/object:Gem::Version
+  version: 0.2.0
+  prerelease: 
+platform: ruby
+authors:
+- Marc Doerflinger
+autorequire: 
+bindir: bin
+cert_chain: []
+date: 2012-08-06 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: highline
+  requirement: &70213081483480 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: *70213081483480
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: &70213081482560 !ruby/object:Gem::Requirement
+    none: false
+    requirements:
+    - - ! '>='
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: *70213081482560
+description: Store your passwords AES encrypted in a simple yaml file
+email: info@byteblues.com
+executables:
+- lockr
+extensions: []
+extra_rdoc_files: []
+files:
+- lib/lockr.rb
+- lib/lockr/action/add.rb
+- lib/lockr/action/aes.rb
+- lib/lockr/action/base.rb
+- lib/lockr/action/list.rb
+- lib/lockr/action/remove.rb
+- lib/lockr/action/show.rb
+- lib/lockr/encryption/aes.rb
+- lib/lockr/pwdgen.rb
+- lib/lockr/pwdstore.rb
+- !binary |-
+  YmluL2xvY2ty
+homepage: http://lockr.byteblues.com/
+licenses: []
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  none: false
+  requirements:
+  - - ! '>='
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 1.8.10
+signing_key: 
+specification_version: 3
+summary: Safe password storage
+test_files: []