sym 2.3.0 → 2.4.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: ba48a5359afbfb7ab1dd26e998a8534d6b5a1cd1
-  data.tar.gz: 4441338abdc75c4cc94ce8bf62e0cfa124c22290
+  metadata.gz: 2c1acdb6cfcceef2df7e797519901ebec2105abf
+  data.tar.gz: 207fef73284f1ed1cad87b2112dbd3bba6615ee1
 SHA512:
-  metadata.gz: a58d04eee85fe8f9d888c432bd1a076437073448420d1ab83d2439a96f54665f33538cb7212ea9f287af646e369e767c89192af5c46140ce45e85bf9c455784a
-  data.tar.gz: 1796761a05b5c3eaa614999bca47bde80ba0967a2c6471d38b349171c49ed601888fcafc028aeedd46df90252063587ef1ab385b026cd4dcbdbedb553a50b5f5
+  metadata.gz: 2064567295f89592911ce4f3cc105a11ed679286bc3345a5743700d60ec5facd8895ab97f35eb5fb9eb1f5c5a640ec2e5973fcdefd2c8b419698bd117e8e3984
+  data.tar.gz: 8a55697cf80cfdde490558404ca3c52533798e1446b40226e40e66511b81e6f8c49e270309104302712bf7751ec5dccf77af84943681a868ecd3d0facaec9880

data/CHANGELOG.md

@@ -2,8 +2,61 @@
 
 ## [HEAD](https://github.com/kigster/sym/tree/HEAD)
 
-[Changes since the last tag](https://github.com/kigster/sym/compare/v2.2.1...HEAD)
-
+[Changes since the last tag](https://github.com/kigster/sym/compare/v2.3.0...HEAD)
+
+## [v2.4.2](https://github.com/kigster/sym/tree/v2.4.2) (2017-02-28)
+[Full Changelog](https://github.com/kigster/sym/compare/v2.4.1...v2.4.2)
+
+ * Fixing BASH completion for sym to look for files after `--negate` and
+   to auto-complete long options as well.
+
+## [v2.4.1](https://github.com/kigster/sym/tree/v2.4.1) (2017-02-28)
+[Full Changelog](https://github.com/kigster/sym/compare/v2.4.0...v2.4.1)
+
+ * Added new feature:   `-n/--negate` to quickly encrypt/decrypt a file to/from *.enc extension; extension is configurable.
+ * Refactored `application.opts` to be a hash.
+ * Refactored and consolidate key sources via the `Detector` class.
+ * Split off `KeySourceCheck` into a separate entity
+ * Simplified `Sym::Application`
+ * Removed `OrderedHash`
+ * Added `key_source` to logging with `-D`
+ * New tests.
+ * Fixed command ordering bug.
+ * Better "default" file handing, only when no options are supplied.
+
+## [v2.4.0](https://github.com/kigster/sym/tree/v2.4.0) (2017-02-27)
+[Full Changelog](https://github.com/kigster/sym/compare/v2.3.0...v2.4.0)
+
+ * CLI API changes:
+   * Version 2.4.0
+   * New behavior: `-k <value>` now attempts to read a file, environment, keychain or a string.
+   * Removed `--keyfile / -K` (-k now accepts file)
+   * Removed all `require_relative` occurances, replaced with `require`
+   * Adding support for the default key file, stored in `~/.sym.key` by default.
+   * Moved all constants to `Sym::Constants`
+   * Added ability to map legacy (deprecated) flags
+   * Auto-disabling color when STDOUT is not a tty
+   * Changed Password Cache flags:
+     * Replaced `-C` with `-c` (to enable cache)
+     * Replaced `-T` with `-u` for timeout
+     * Replaced `-P` with `-r` for provider
+   * Changed `-A` (trace) to `-T`
+   * Now adding password to the cache upon generation
+   * Adding `KeyChain.get` method
+   * Replacing private key `Detector` with `Reader`
+   * Adding logger
+   * Fixing handling of STDIN and STDOUT with pipes
+   * Deleting unused files
+
+## [v2.3.0](https://github.com/kigster/sym/tree/v2.3.0) (2017-02-23)
+[Full Changelog](https://github.com/kigster/sym/compare/v2.2.1...v2.3.0)
+ 
+ * Improving output, especially as it pertains to error reporting
+ * Split encrypt_decrypt command into encrypt and decrypt
+ * Fix permissions before `rake build`
+ * Improve Yard Doc by moving `Kernel` and `Object` monkey-patching
+   into `lib/sym/extensions/stdlib.rb`
+ 
 ## [v2.2.1](https://github.com/kigster/sym/tree/v2.2.1) (2017-02-15)
 [Full Changelog](https://github.com/kigster/sym/compare/v2.2.0...v2.2.1)
 

data/README.md

@@ -33,24 +33,40 @@ __Sym__ is a layer built on top of the [`OpenSSL`](https://www.openssl.org/) lib
 
 This gem includes two primary components:
 
- * [Ruby API](#ruby-api) for enabling encryption/decryption of any data within any Ruby class, with extremely easy-to-use methods
- * [Rich command line interface CLI](#cli) with many additional features to streamline handling of encrypted data.
+ * [Ruby API](#rubyapi) for enabling encryption/decryption of any data within any Ruby class, with extremely easy-to-use methods
+ * [Rich command line interface CLI](#cli) with many additional features to streamline handling of encrypted data.
 
 _Symmetric Encryption_ simply means that we are using the same private key to encrypt and decrypt. In addition to the private key, the encryption uses an IV vector. The library completely hides `iv` generation from the user, and automatically generates a random `iv` per encryption.
 
+
+### Massive Time Savers
+
+So how does `sym` substantiate its claim that it *streamlines* the encryption process? I thought about it, and turns out there are quite a few reasons:
+ 
+  * By using Mac OS-X Keychain, `sym` offers a simple yet secure way of storing the key on a local machine, much more secure then storing it on a file system.
+  * By using a password cache (`-c`) via an in-memory provider such as `memcached` or `drb`, `sym` invocations take advantage of password cache, and only ask for a password once per a configurable time period.
+  * By using `SYM_ARGS` environment variable, where common flags can be saved.
+  * By reading a key from the default key source file `~/.sym.key` which requires no flags at all.
+  * By utilizing the `--negate` option to quickly encrypt a regular file, or decrypt an encrypted file with extension `.enc`.
+  * By using the `-t` (edit) mode, that opens an encrypted file in your `$EDITOR`, and replaces the encrypted version upon save & exit.
+
+As you can see, we really tried to build a tool that provides good security for application secrets, including password-based encryption, but does not annoyingly ask for password every time. With `--edit` option, and `--negate` options you can treat encrypted files like regular files. 
+
+> Encrypting application secrets had never been easier! –– Socrates. 
+
 ### How It Works
 
-  1. You start with a piece of sensitive __data__ you want to protect. This can be a file or a string.
-  2. You generate a new encryption key, that will be used to both encrypt and decrypt the data. The key is 256 bits, or 32 bytes, or 45 bytes when base64-encoded, and can be generated with `sym -g`.
+  1. You generate a new encryption key, that will be used to both encrypt and decrypt the data. The key is 256 bits, or 32 bytes, or 45 bytes when base64-encoded, and can be generated with `sym -g`.
      * You can optionally password protect the key with `sym -gp`
-     * You can save the key into a file `sym -gp -o key-file` 
-     * Or you can save it into the OS-X Keychain, with `sym -gp -x keychain-name`
+     * You can save the key into a file `sym -gpo key-file` 
+     * Or you can save it into the OS-X Keychain, with `sym -gpcx keychain-name`, while caching its password for a period of time.
      * or you can print it to STDOUT, which is the default.
-  3. You can then use the key to encrypt sensitive __data__, with `sym -e [key-option] [data-option]`, passing it the key in several accepted ways:
-     * You can pass the key as a string (not recommended) via `-k key`
-     * Or read the key from a file `-K key-file`
-     * Or read the key from the OS-X Keychain with `-x keychain-name`
-     * Or you can paste the key interactively with `-i` 
+  2. You then take a piece of sensitive __data__ that you want to encrypt. This can be a file or a string.
+  3. You can then use the key to encrypt sensitive __data__, with `sym -e [key-option] [data-option]`, passing it the key in several accepted ways. Smart flag `-k` automatically interpretes the source of the key, by trying:
+     * a file with a pathname.
+     * or environment variable
+     * or OS-X Keychain password entry
+     * or you can paste the key interactively with `-i` 
   4. Input data can be read from a file with `-f file`, or read from STDIN, or a passed on the command line with `-s string`    
   4. Output is the encrypted data, which is printed to STDOUT by the default, or it can be saved to a file with `-o <file>`
   5. Encrypted file can be later decrypted with `sym -d [key-option] [data-option]`
@@ -58,28 +74,35 @@ _Symmetric Encryption_ simply means that we are using the same private key to en
 Sample session that uses Mac OS-X Keychain to store the password-protected key.
 
 ```bash
-❯ sym -gpx my-new-key
+# Gen a new key, password-encrypt it, cache the password, save
+# result in the key chain entry 'my-new-key' (but don't print it '-q')
+❯ sym -gpqcx my-new-key
 New Password     :  •••••••••
 Confirm Password :  •••••••••
-BAhTOh1TeW06OkRhdGE6OldyYXBwZXJTdH.....
 
-❯ sym -ex my-new-key -s 'My secret data' -o secret.enc -C
+❯ sym -eck my-new-key -s 'My secret data' -o secret.enc
 Coin::Vault listening at: druby://127.0.0.1:24924
 Password: •••••••••
 
 ❯ cat secret.enc
 BAhTOh1TeW06OkRhdGE6OldyYXBFefDFFD.....
 
-❯ sym -dx my-new-key -f secret.enc -C
+❯ sym -dck my-new-key -f secret.enc
 My secret data
 
+# Now, let's save our keychain key in the default key file:
+❯ sym -ck my-new-key -o ~/.sym.key
+# Now we can decrypt/encrypt with this key at will
+❯ sym -n secret.enc
+# created a decrypted file `secret` 
+
 # Lets now save common flags in the SYM_ARGS bash variable:
-❯ export SYM_ARGS="-x my-new-key -C"
-❯ sym -d -f secret.enc 
+❯ export SYM_ARGS="-ck my-new-key"
+❯ sym -df secret.enc 
 My secret data
 ```
 
-The line that says `Coin::Vault listening at: druby://127.0.0.1:24924` is the indication that the local dRB server used for caching passwords has been started. Password caching is off by default, but is enabled with `-C` flag. In the example above, the decryption step fetched the password from the cache, and so the user was not required to re-enter the password.
+The line that says `Coin::Vault listening at: druby://127.0.0.1:24924` is the indication that the local dRB server used for caching passwords has been started. Password caching is off by default, but is enabled with `-c` flag. In the example above, the decryption step fetched the password from the cache, and so the user was not required to re-enter the password.
 
 __Direct Editing Encrypted Files__
 
@@ -87,7 +110,7 @@ Instead of decrypting data anytime you need to change it, you can use the shortc
 
 Example:
 
-    sym -t -f config/application/secrets.yml.enc -K ~/.key
+    sym -t -f config/application/secrets.yml.enc -k ~/.key
     
 > This is one of those time-saving features that can make a difference in making encryption feel easy and transparent.
 
@@ -115,7 +138,7 @@ Optionally, after gem installation, you can also install bash-completion of gem'
 
 Should you choose to install it (this part is optional), you will be able to use "tab-tab" after typing `sym`, and you'll be able to choose from all of the supported flags.
 
-<a name="#cli"></a>
+<a name="cli"></a>
 
 ## Using `sym` with the Command Line
 
@@ -126,7 +149,7 @@ The private key is the cornerstone of the symmetric encryption. Using `sym`, the
  * generated and printed to STDOUT, or saved to Mac OS-X KeyChain or a file
  * fetched from the Keychain in subsequent operations
  * password-protected during generation (or import) with the `-p` flag.
- * password can be cached using either `memcached` or `dRB` server, if the `-C` flag is provided.
+ * password can be cached using either `memcached` or `dRB` server, if the `-c` flag is provided.
  * must be kept very well protected and secure from attackers.
 
 The __unencrypted private__ key will be in the form of a base64-encoded string, 45 characters long.
@@ -145,21 +168,25 @@ Or save a new key into a bash variable
 
 Or save it to a file:
 
-    sym -g -o ~/.key
     sym -go ~/.key
 
-Or create a password-protected key (`-p`), and save it to a file (`-o`), and skip printing the new key to STDOUT (`-q` for quiet):
+Or create a password-protected key (`-p`), and save it to a file (`-o`), cache the password (`-c`), and don't print the new key to STDOUT (`-q` for quiet):
 
-    sym -gpqo ~/.secret
+    sym -gpcqo ~/.secret
     New Password:     ••••••••••
     Confirm Password: ••••••••••
-
+    
+##### Key Sources
+    
 You can subsequently use the private key by passing either:
 
- 1. the `-k key-string` flag
- 2. the `-K key-file` flag
- 3. the `-x key-keychain-name` flag to read the key from Mac OS-X KeyChain
- 4. pasting or typing the key with the `-i` (interactive) flag
+ 1. the `-k key` flag, where key is either:
+    * a file
+    * an environment variable name 
+    * an actual base64-encoded key
+    * a keychain name
+ 2. pasting or typing the key with the `-i` (interactive) flag
+ 3. a default key file, in your home folder, `~/.sym.key`, used only when no other flags passed in.
 
 #### Using KeyChain Access on Mac OS-X
 
@@ -170,11 +197,11 @@ Apple had released a `security` command line tool, which this library uses to se
  * The private key won't be lying around your file system unencrypted, so if your Mac is ever stolen, you don't need to worry about the keys running wild.
  * If you sync your keychain with the iCloud you will have access to it on other machines
 
-To activate the KeyChain mode on the Mac, use `-x <key-name>` field instead of `-k` or `-K`, and add it to `-g` when generating a key. The `key name` is what you call this particular key, based on how you plan to use it. For example, you may call it `staging`, etc.
+To activate the KeyChain mode on the Mac, use `-x <key-name>` flag with `-g` flag when generating a key. The `key name` is what you call this particular key, based on how you plan to use it. For example, you may call it `staging`, etc.
 
 The following command generates the private key and immediately stores it in the KeyChain access under the name provided:
 
-    sym -g -x staging
+    sym -gx staging
 
 Now, whenever you need to encrypt something you can specify the key with `-x staging`. 
 
@@ -194,15 +221,15 @@ It's help message is self-explanatory:
 
 #### Moving a Key to the Keychain
 
-You can easily move an existing key from a file or a string to a keychain by combining -k or -K to read the key, with -x to write it.
+You can easily move an existing key from a file or a string to a keychain by combining -k or -k to read the key, with -x to write it.
 
-    sym -k $mykey -x mykey
+    sym -k $keysource -x mykey
 
 #### Adding Password to Existing Key
 
-You can add a password to a key by combining one of the key description flags (-k, -K, -i) and then also -p. 
+You can add a password to a key by combining one of the key description flags (-k, -i) and then also -p.  Use `-q` to hide new key from the STDOUT, and `c` to cache the password.
 
-    sym -k $mykey -p -x moo
+    sym -k $mykey -pqcx moo
     
 The above example will take an unencrypted key passed in `$mykey`, ask for a password and save password protected key into the keychain with name "moo."
 
@@ -214,22 +241,22 @@ Specifics of configuring both Cache Providers is left to the `Configuration` cla
 
 In order to control password caching, the following flags are available:
 
- * `-C` turns on caching
- * `-T seconds` sets the expiration for cached passwords
- * `-P memcached | drb` controls which of the providers is used. Without this flag, *sym* auto-detects caching provider by first checking for `memcached`, and then starting the `dRB` server.
+ * `-c` turns on caching
+ * `-u seconds` sets the expiration for cached passwords
+ * `-r memcached | drb` controls which of the providers is used. Without this flag, *sym* auto-detects caching provider by first checking for `memcached`, and then starting the `dRB` server.
 
 #### Saving Common Flags in an Environment Variable
 
 You can optionally store frequently used flags for `sym` in the `SYM_ARGS` environment variable. For example, to always cache passwords, and to always use the same encryption key from the keychain named "production", set the following in your `~/.bashrc`:
 
 ```
-export SYM_ARGS="-x production -C"
+export SYM_ARGS="-cx production"
 ```
 
 This will always be appended to the command line, and so to encrypt/decrypt anything with password caching enabled and using that particular key, you would simply type:
 
 ```bash
-# -x production -C are added from SYM_ARGS
+# -cx production are added from SYM_ARGS
 sym -ef file -o file.enc
 
 # And to decrypt:
@@ -244,27 +271,27 @@ sym -tf file.enc
 This may be a good time to take a look at the full help message for the `sym` tool, shown naturally with a `-h` or `--help` option.
 
 ```
-Sym (2.2.1) – encrypt/decrypt data with a private key
+Sym (2.4.1) – encrypt/decrypt data with a private key
 
 Usage:
-   # Generate a new key...
-   sym -g [ -p ] [ -x keychain | -o keyfile | -q | ]  
+   # Generate a new key, optionally password protected, and save it
+   # in one of: keychain, file, or STDOUT (-q turns off STDOUT) 
+   sym -g [ -p/--password ] [ -x keychain | -o file | ] [ -q ]  
 
-   # To specify a key for an operation use one of...
-   <key-spec> = -k key | -K file | -x keychain | -i 
 
-   # Encrypt/Decrypt to STDOUT or an output file 
-   sym -e <key-spec> [-f <file> | -s <string>] [-o <file>] 
-   sym -d <key-spec> [-f <file> | -s <string>] [-o <file>] 
+   # Encrypt/Decrypt from STDIN/file/args, to STDOUT/file:
+   sym -e/--encrypt <key-spec> [-f [file | - ] | -s string ] [-o file] 
+   sym -d/--decrypt <key-spec> [-f [file | - ] | -s string ] [-o file] 
  
    # Edit an encrypted file in $EDITOR 
-   sym -t <key-spec>  -f <file> [ -b ]
+   sym -t/--edit    <key-spec> -f file [ -b/--backup ]
  
-   # Specify any common flags in the BASH variable:
-   export SYM_ARGS="-x staging -C"
+   # Specify any  common flags in the BASH variable. Here we
+   # specify KeyChain name "staging" and turn on password caching
+   export SYM_ARGS="-ck staging"
  
-   # And now encrypt without having to specify key location:
-   sym -e -f <file>
+   # And now encrypt using default key location /Users/kig/.sym.key
+   sym -e -f file
    # May need to disable SYM_ARGS with -M, eg for help:
    sym -h -M 
  
@@ -276,29 +303,30 @@ Modes:
 Create a new private key:
   -g, --generate                    generate a new private key
   -p, --password                    encrypt the key with a password
+  -x, --keychain         [key-name] write the key to OS-X Keychain
  
 Read existing private key from:
-  -k, --private-key      [key]      private key (or key file)
-  -K, --keyfile          [key-file] private key from a file
-  -x, --keychain         [key-name] add to (or read from) the OS-X Keychain
+  -k, --key              [key-spec] private key, key file, or keychain
   -i, --interactive                 Paste or type the key interactively
  
 Password Cache:
-  -C, --cache-password              enable the cache (off by default)
-  -T, --cache-for        [seconds]  to cache the password for
-  -P, --cache-provider   [provider] type of cache, one of memcached, drb
+  -c, --cache-passwords             enable password cache
+  -u, --cache-timeout    [seconds]  expire passwords after
+  -r, --cache-provider   [provider] cache provider, one of memcached, drb
  
 Data to Encrypt/Decrypt:
   -s, --string           [string]   specify a string to encrypt/decrypt
   -f, --file             [file]     filename to read from
   -o, --output           [file]     filename to write to
+  -n, --negate           [file]     encrypts any regular file into file.enc
+                                    conversely decrypts file.enc into file.
  
 Flags:
   -b, --backup                      create a backup file in the edit mode
   -v, --verbose                     show additional information
-  -A, --trace                       print a backtrace of any errors
-  -D, --debug                       print debugging information
   -q, --quiet                       do not print to STDOUT
+  -T, --trace                       print a backtrace of any errors
+  -D, --debug                       print debugging information
   -V, --version                     print library version
   -N, --no-color                    disable color output
   -M, --no-environment              disable reading flags from SYM_ARGS
@@ -309,6 +337,7 @@ Utility:
 Help & Examples:
   -E, --examples                    show several examples
   -h, --help                        show help
+
 ```
 
 ### CLI Usage Examples
@@ -360,7 +389,7 @@ In this mode several flags are of importance:
     -b (--backup)   – will create a backup of the original file
     -v (--verbose) - will show additional info about file sizes
 
-Here is a full command that opens a file specified by `-f | --file`, using the key specified in `-K | --keyfile`, in the editor defined by the `$EDITOR` environment variable (or if not set – defaults to `/bin/vi`)".
+Here is a full command that opens a file specified by `-f | --file`, using the key specified in `-k | --keyfile`, in the editor defined by the `$EDITOR` environment variable (or if not set – defaults to `/bin/vi`)".
 
 To edit an encrypted file in `$EDITOR`, while asking to paste the key (`-i | --interactive`), while creating a backup file (`-b | --backup`):
 
@@ -373,7 +402,7 @@ To edit an encrypted file in `$EDITOR`, while asking to paste the key (`-i | --i
     # ---
     # # (c) 2016 Konstantin Gredeskoul.  All rights reserved.
 
-<a name="#ruby-api"></a>
+<a name="rubyapi"></a>
 
 ## Ruby API
 
@@ -449,12 +478,18 @@ The library offers a typical `Sym::Configuration` class which can be used to twe
 require 'zlib'
 require 'sym'
 Sym::Configuration.configure do |config|
-  config.password_cipher     = 'AES-128-CBC'
-  config.private_key_cipher  = config.data_cipher
-  config.compression_enabled = true
-  config.compression_level   = Zlib::BEST_COMPRESSION
-
-  config.password_cache_timeout = 300
+  config.password_cipher          = 'AES-128-CBC'
+  config.data_cipher              = 'AES-256-CBC'
+  config.private_key_cipher       = config.data_cipher
+  config.compression_enabled      = true
+  config.compression_level        = Zlib::BEST_COMPRESSION
+  config.encrypted_file_extension = 'enc'
+  config.default_key_file         = "#{ENV['HOME']}/.sym.key"
+
+  config.password_cache_timeout          = 300
+
+  # When nil is selected, providers are auto-detected.
+  config.password_cache_default_provider = nil
   config.password_cache_arguments        = {
     drb:       {
       opts: {
@@ -471,6 +506,7 @@ Sym::Configuration.configure do |config|
     }
   }
 end
+
 ```
 
 As you can see, it's possible to change the default cipher type, although not all ciphers will be code-compatible with the current algorithm, and may require additional code changes.
@@ -480,7 +516,7 @@ As you can see, it's possible to change the default cipher type, although not al
 The `sym` executable as well as the Ruby API provide:
 
  * Symmetric data encryption with:
-   * the Cipher `AES-256-CBC` used by the US Government
+   * the Cipher `AES-256-cBC` used by the US Government
    * 256-bit private key, that
      *  can be generated and is a *base64-encoded* string about 45 characters long. The *decoded* key is always 32 characters (or 256 bytes) long.
      * can be optionally password-encrypted using the 128-bit key, and then be automatically detected (and password requested) when the key is used

data/Rakefile

@@ -8,8 +8,9 @@ def shell(*args)
 end
 
 task :permissions do 
-  shell("find . -type f -exec chmod o+r,g+r {} \\;")
-  shell("find . -type d -exec chmod o+rx,g+rx {} \\;")
+  shell('rm -rf pkg/')
+  shell("chmod -v o+r,g+r * */* */*/* */*/*/* */*/*/*/* */*/*/*/*/*")
+  shell("find . -type d -exec chmod o+x,g+x {} \\;")
 end
 
 task :build => :permissions

data/bin/sym.completion

@@ -46,17 +46,21 @@ _sym()
     _expand || return 0
 
     case "$prev" in
-    --@(key-file|file|output|))
+    --@(key|file|output|negate))
         _filedir
         return 0
         ;;
-    -@(f|K|o))
+    -@(f|k|o|n))
         _filedir
         return 0
         ;;
     esac
 
     case "$cur" in
+    --*)
+        export DICT_SYM_COMP_LONG_OPTIONS=${DICT_SYM_COMP_LONG_OPTIONS:-$(sym -hM | grep -- '--' | egrep '^  -' | awk '{print $2}')}
+        COMPREPLY=( $( compgen -W "$DICT_SYM_COMP_LONG_OPTIONS" -- "$cur" ))
+        ;;
     -*)
         export DICT_SYM_COMP_OPTIONS=${DICT_SYM_COMP_OPTIONS:-$(sym --dictionary | sed -E 's/ /\n/g')}
         COMPREPLY=( $( compgen -W "$DICT_SYM_COMP_OPTIONS" -- "$cur" ))