tome 1.0.1 → 1.0.3

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 6043d9572fcacc2fc1ce08e196b43741cb7d7e8f
+  data.tar.gz: 18d884c8f681e3410d08c1dedda61a807a71e00f
+SHA512:
+  metadata.gz: ba3dfb8372777f1663d9e774fdd619f227b3dec1145c055b2e6199a38803a7f7dcb7ad73f163f72b0677ec1b9f314e869015f8f777a49c22b6baa985dc95d43a
+  data.tar.gz: 140a796fd311a64abe09896b509d761371d9e93d20d9263bec5415ef2e8b81973422fa2fc480fc70f5b4a0c82c49279e0a444e62766bb2b23b9a4579fb3dcaf2

data/README.md

@@ -1,121 +1,128 @@
-## Tome
-
-Tome is a lightweight password manager with a humane command-line interface.
-
-Tome stores your passwords in an encrypted file which you manage with a single master password.
-You can keep track of multiple complex passwords without having to remember any of them.
-
-*Disclaimer* I am not a security expert. I've only had limited formal training in security and cryptography.
-Now that I've scared off all but the bravest, feel free to look [under the hood](#under-the-hood) or
-at the security bits in [crypt.rb](https://github.com/schmich/tome/blob/master/lib/tome/crypt.rb).
-
-[![Build Status](https://secure.travis-ci.org/schmich/tome.png)](http://travis-ci.org/schmich/tome)
-[![Dependency Status](https://gemnasium.com/schmich/tome.png)](http://gemnasium.com/schmich/tome)
-[![Code Quality](https://codeclimate.com/badge.png)](https://codeclimate.com/github/schmich/tome)
-
-## Installation
-
-* Install [Ruby 1.9.3](http://www.ruby-lang.org/en/downloads/) or newer.
-* `gem install tome`
-* `tome` should now be available on the command-line. Run `tome help` to get started.
-
-## Usage
-
-The first time you run `tome`, you'll be asked to create a master password for your encrypted password database.
-Any operations involving your password database will require this master password.
-
-Creating a new password is simple:
-
-    > tome set linkedin.com
-    Creating tome database.
-    Master password:
-    Master password (verify):
-    Password:
-    Password (verify):
-    Created password for linkedin.com.
-
-Recalling a password is just as easy:
-
-    > tome get linkedin.com
-    Master password:
-    Password for linkedin.com:
-    p4ssw0rd
-    
-In fact, it's even simpler than that. `tome get` does substring pattern matching to recall a password,
-so this works, too:
-
-    > tome get linked
-    Master password:
-    Password for linkedin.com:
-    p4ssw0rd
-
-You can also generate and copy complex passwords without having to remember anything:
-
-    > tome generate last.fm
-    Master password:
-    Generated password for last.fm.
-
-    > tome get last
-    Master password:
-    Password for last.fm:
-    kizWy76F2@G(21c11(9Tf?f@43B!kq
-
-    > tome copy last
-    Master password:
-    Password for last.fm copied to clipboard.
-    
-If you want, you can specify a username with your domain:
-
-    > tome set foo@bar.com baz
-    Master password:
-    Created password for foo@bar.com.
-    
-    > tome get bar
-    Master password:
-    Password for foo@bar.com:
-    baz
-    
-See `tome help` for advanced commands and usage.
-
-## Philosophy
-
-Tome is meant to be simple and secure. Instead of having blind trust in the secure coding practices
-of every website you sign up with, you can use tome to help mitigate your risk and exposure.
-
-**Benefits**
-* Easily maintain unique per-site passwords.
-* Have complex passwords without having to remember them (see `tome generate`).
-* If a website leaks your password or its hash, you can quickly generate another unique complex password.
-* You can keep track of all of the various websites you have accounts with.
-
-**Drawbacks**
-* Single point of failure: if your `.tome` file is compromised, all of your passwords are potentially at risk.
-  The encryption on the `.tome` file is meant to mitigate this danger. Brute-force decryption should take significant
-  computing power and time. To further reduce risk, don't store usernames (e.g. do `tome set gmail.com` instead of `tome set foo@gmail.com`).
-* Dependence on the `.tome` file: if your `.tome` file is lost or corrupt and you forget your passwords, you'll have to reset them.
-* If you want access to your passwords on multiple machines, you'll have to sync the `.tome` file between machines.
-* Trust in *my* secure coding practices. I encourage you to look at the source yourself.
-
-## Under the hood
-
-All account and password information is stored in a single `.tome` file in the user's home directory. This file is
-YAML-formatted and stores the encrypted account and password information as well as the encryption parameters.
-These encryption parameters, along with the master password, are used to decrypt the password information.
-
-A randomly-generated 1K-4K block of data is appended to the actual password data to obfuscate the number of passwords
-stored in the database. This is not a security mechanism, but rather a hindrance to attempts to infer
-anything from the encrypted data.
-
-Each time the `.tome` file is modified, new encryption parameters (i.e. the salt and IV) are randomly generated
-and used for encryption.
-
-**Password database encryption**
-* Encryption algorithm: symmetric [AES-256](http://en.wikipedia.org/wiki/Advanced_Encryption_Standard)
-  [CBC](http://en.wikipedia.org/wiki/Block_cipher_modes_of_operation#Cipher-block_chaining_.28CBC.29)
-  using the [Ruby OpenSSL library](http://www.ruby-doc.org/stdlib-1.9.3/libdoc/openssl/rdoc/index.html).
-* Key derivation:
- * [PBKDF2](http://en.wikipedia.org/wiki/PBKDF2)/[HMAC-SHA-512](http://en.wikipedia.org/wiki/SHA-2) with a master password.
- * [UUID](http://en.wikipedia.org/wiki/UUID)-based random, probabilistically unique [salt](http://en.wikipedia.org/wiki/Salt_%28cryptography%29)
-   from [SecureRandom#uuid](http://www.ruby-doc.org/stdlib-1.9.3/libdoc/securerandom/rdoc/SecureRandom.html#method-c-uuid).
- * Randomly-generated [IV](http://en.wikipedia.org/wiki/Initialization_vector) from [OpenSSL::Cipher#random_iv](http://www.ruby-doc.org/stdlib-1.9.3/libdoc/openssl/rdoc/OpenSSL/Cipher.html#method-i-random_iv).
- * 100,000 [key stretch](http://en.wikipedia.org/wiki/Key_stretching) iterations.
+## Tome
+
+Tome is a lightweight password manager with a humane command-line interface.
+
+Tome stores your passwords in an encrypted file which you manage with a single master password.
+You can keep track of multiple complex passwords without having to remember any of them.
+
+*Disclaimer* I am not a security expert. I've only had limited formal training in security and cryptography.
+Now that I've scared off all but the bravest, feel free to look [under the hood](#under-the-hood) or
+at the security bits in [crypt.rb](https://github.com/schmich/tome/blob/master/lib/tome/crypt.rb).
+
+[![Gem Version](https://badge.fury.io/rb/tome.svg)](http://rubygems.org/gems/tome)
+[![Build Status](https://secure.travis-ci.org/schmich/tome.svg)](http://travis-ci.org/schmich/tome)
+[![Dependency Status](https://gemnasium.com/schmich/tome.svg)](http://gemnasium.com/schmich/tome)
+[![Code Quality](http://img.shields.io/codeclimate/github/schmich/tome.svg)](https://codeclimate.com/github/schmich/tome)
+
+## Installation
+
+* Install [Ruby 1.9.3](http://www.ruby-lang.org/en/downloads/) or newer.
+* `gem install tome`
+* `tome` should now be available on the command-line. Run `tome help` to get started.
+
+## Usage
+
+The first time you run `tome`, you'll be asked to create a master password for your encrypted password database.
+Any operations involving your password database will require this master password.
+
+Creating a new password is simple:
+
+    > tome set linkedin.com
+    Creating tome database.
+    Master password:
+    Master password (verify):
+    Password:
+    Password (verify):
+    Created password for linkedin.com.
+
+Recalling a password is just as easy:
+
+    > tome get linkedin.com
+    Master password:
+    Password for linkedin.com:
+    p4ssw0rd
+    
+In fact, it's even simpler than that. `tome get` does substring pattern matching to recall a password,
+so this works, too:
+
+    > tome get linked
+    Master password:
+    Password for linkedin.com:
+    p4ssw0rd
+
+You can also generate and copy complex passwords without having to remember anything:
+
+    > tome generate last.fm
+    Master password:
+    Generated and copied password for last.fm.
+
+    > tome get last
+    Master password:
+    Password for last.fm:
+    kizWy76F2@G(21c11(9Tf?f@43B!kq
+
+    > tome copy last
+    Master password:
+    Password for last.fm copied to clipboard.
+    
+If you want, you can specify a username with your domain:
+
+    > tome set foo@bar.com baz
+    Master password:
+    Created password for foo@bar.com.
+    
+    > tome get bar
+    Master password:
+    Password for foo@bar.com:
+    baz
+    
+See `tome help` for advanced commands and usage.
+
+## Philosophy
+
+Tome is meant to be simple and secure. Instead of having blind trust in the secure coding practices
+of every website you sign up with, you can use tome to help mitigate your risk and exposure.
+
+**Benefits**
+* Easily maintain unique per-site passwords.
+* Have complex passwords without having to remember them (see `tome generate`).
+* If a website leaks your password or its hash, you can quickly generate another unique complex password.
+* You can keep track of all of the various websites you have accounts with.
+
+**Drawbacks**
+* Single point of failure: if your `.tome` file is compromised, all of your passwords are potentially at risk.
+  The encryption on the `.tome` file is meant to mitigate this danger. Brute-force decryption should take significant
+  computing power and time. To further reduce risk, don't store usernames (e.g. do `tome set gmail.com` instead of `tome set foo@gmail.com`).
+* Dependence on the `.tome` file: if your `.tome` file is lost or corrupt and you forget your passwords, you'll have to reset them.
+* If you want access to your passwords on multiple machines, you'll have to sync the `.tome` file between machines.
+* Trust in *my* secure coding practices. I encourage you to look at the source yourself.
+
+## Under the hood
+
+All account and password information is stored in a single `.tome` file in the user's home directory. This file is
+YAML-formatted and stores the encrypted account and password information as well as the encryption parameters.
+These encryption parameters, along with the master password, are used to decrypt the password information.
+
+A randomly-generated 1K-4K block of data is appended to the actual password data to obfuscate the number of passwords
+stored in the database. This is not a security mechanism, but rather a hindrance to attempts to infer
+anything from the encrypted data.
+
+Each time the `.tome` file is modified, new encryption parameters (i.e. the salt and IV) are randomly generated
+and used for encryption.
+
+**Password database encryption**
+* Encryption algorithm: symmetric [AES-256](http://en.wikipedia.org/wiki/Advanced_Encryption_Standard)
+  [CBC](http://en.wikipedia.org/wiki/Block_cipher_modes_of_operation#Cipher-block_chaining_.28CBC.29)
+  using the [Ruby OpenSSL library](http://www.ruby-doc.org/stdlib-1.9.3/libdoc/openssl/rdoc/index.html).
+* Key derivation:
+ * [PBKDF2](http://en.wikipedia.org/wiki/PBKDF2)/[HMAC-SHA-512](http://en.wikipedia.org/wiki/SHA-2) with a master password.
+ * [UUID](http://en.wikipedia.org/wiki/UUID)-based random, probabilistically unique [salt](http://en.wikipedia.org/wiki/Salt_%28cryptography%29)
+   from [SecureRandom#uuid](http://www.ruby-doc.org/stdlib-1.9.3/libdoc/securerandom/rdoc/SecureRandom.html#method-c-uuid).
+ * Randomly-generated [IV](http://en.wikipedia.org/wiki/Initialization_vector) from [OpenSSL::Cipher#random_iv](http://www.ruby-doc.org/stdlib-1.9.3/libdoc/openssl/rdoc/OpenSSL/Cipher.html#method-i-random_iv).
+ * 100,000 [key stretch](http://en.wikipedia.org/wiki/Key_stretching) iterations.
+
+## License
+
+Copyright © 2013-2014 Chris Schmich
+<br />
+MIT License, see LICENSE for details.

data/bin/tome

@@ -1,5 +1,5 @@
-#!/usr/bin/env ruby
-
-require 'tome'
-tome_filename = File.join(Dir.home, '.tome')
-exit(Tome::Command.run(tome_filename, ARGV))
+#!/usr/bin/env ruby
+
+require 'tome'
+tome_filename = File.join(Dir.home, '.tome')
+exit(Tome::Command.run(tome_filename, ARGV))

data/lib/tome.rb

@@ -1,6 +1,6 @@
-require 'tome/tome'
-require 'tome/command'
-require 'tome/crypt'
-require 'tome/padding'
-require 'tome/usage'
-require 'tome/version'
+require 'tome/tome'
+require 'tome/command'
+require 'tome/crypt'
+require 'tome/padding'
+require 'tome/usage'
+require 'tome/version'

data/lib/tome/command.rb

@@ -1,440 +1,460 @@
-require 'io/console'
-require 'passgen'
-require 'clipboard'
-
-module Tome
-  class CommandError < RuntimeError
-  end
-
-  class Command
-    private_class_method :new 
-
-    def self.run(tome_filename, args, stdout = $stdout, stderr = $stderr, stdin = $stdin)
-      command = new()
-      return command.send(:run, tome_filename, args, stdout, stderr, stdin)
-    end
-
-  private
-    def run(tome_filename, args, stdout, stderr, stdin)
-      @out = stdout
-      @err = stderr
-      @in = stdin
-      @tome_filename = tome_filename
-      
-      if args.length < 1
-        usage()
-        return 1
-      end
-
-      begin
-        handle_command(args)
-      rescue CommandError => error
-        @err.puts "Error: #{error.message}"
-        return 1
-      rescue FileFormatError => error
-        # Fix file separators for Windows.
-        filename = @tome_filename.gsub(File::SEPARATOR, File::ALT_SEPARATOR || File::SEPARATOR)
-        @err.puts "Error: Cannot read #{filename}: #{error.message}"
-        return 1
-      end
-
-      return 0
-    end
-
-    def handle_command(args)
-      # TODO: Handle 'command --help', e.g. 'tome set --help'.
-
-      command = command_from_arg(args[0])
-
-      if command.nil?
-        raise CommandError, "Unrecognized command: #{args[0]}.\n\n#{$usage}"
-      end
-
-      args.shift
-      send(command, args) 
-    end
-
-    def command_from_arg(arg)
-      commands = {
-        /\A(help|-h|--help)\z/i => :help,
-        /\A(version|ver|-v|--version)\z/i => :version,
-        /\A(set|s|add)\z/i => :set,
-        /\A(get|g|show)\z/i => :get,
-        /\A(delete|del|rm|remove)\z/i => :delete,
-        /\A(generate|gen)\z/i => :generate,
-        /\A(copy|cp)\z/i => :copy,
-        /\A(rename|ren|rn)\z/i => :rename,
-        /\A(master)\z/i => :master,
-        /\A(list|ls)\z/i => :list
-      }
-
-      commands.each { |pattern, command|
-        return command if arg =~ pattern
-      }
-
-      return nil
-    end
-
-    def help(args)
-      if args.length > 1
-        raise CommandError, "Invalid arguments.\n\n#{$usage}"
-      end
-
-      if args.empty?
-        usage()
-        return
-      end
-
-      command = command_from_arg(args[0])
-
-      if command.nil?
-        raise CommandError, "No help for unrecognized command: #{args[0]}.\n\n#{$usage}"
-      end
-
-      help = {
-        :help => $help_usage,
-        :set => $set_usage,
-        :get => $get_usage,
-        :delete => $delete_usage,
-        :generate => $generate_usage,
-        :copy => $copy_usage,
-        :rename => $rename_usage,
-        :master => $master_usage,
-        :list => $list_usage
-      }
-
-      usage = help[command]
-      if usage.nil?
-        raise CommandError, "No help available for command: #{args[0]}."
-      end
-
-      @out.puts usage
-    end
-
-    def version(args)
-      @out.puts "tome version #{$version}"
-    end
-
-    def set(args)
-      if args.length < 1 || args.length > 2
-        raise CommandError, "Invalid arguments.\n\n#{$set_usage}"
-      end
-      
-      created, tome = tome_create_connect()
-
-      case args.length
-        # TODO: Validate that first argument is in [username@]domain form.
-
-        # tome set bar.com
-        # tome set foo@bar.com
-        when 1
-          id = args[0]
-          password = prompt_password()
-
-        # tome set bar.com p4ssw0rd
-        # tome set foo@bar.com p4ssw0rd
-        when 2
-          id = args[0]
-          password = args[1]
-      end
-
-      exists = !tome.get(id).nil?
-      if exists
-        confirm = prompt_confirm("A password already exists for #{id}. Overwrite (y/n)? ")
-        if !confirm
-          raise CommandError, 'Aborted.'
-        end
-      end
-
-      created = tome.set(id, password)
-      if created
-        @out.print 'Created '
-      else
-        @out.print 'Updated '
-      end
-
-      @out.puts "password for #{id}."
-    end
-
-    def get(args)
-      if args.length != 1
-        raise CommandError, "Invalid arguments.\n\n#{$get_usage}"
-      end
-      
-      # tome get bar.com
-      # tome get foo@bar.com
-      pattern = args[0]
-
-      tome = tome_connect()
-      matches = tome.find(pattern)
-
-      if matches.empty?
-        raise CommandError, "No password found for #{pattern}."
-      elsif matches.count == 1
-        match = matches.first
-        @out.puts "Password for #{match.first}:"
-        @out.puts match.last
-      else
-        @out.puts "Multiple matches for #{pattern}:"
-        matches.each { |key, password|
-          @out.puts "#{key}: #{password}"
-        }
-      end
-    end
-
-    def delete(args)
-      if args.length != 1
-        raise CommandError, "Invalid arguments.\n\n#{$delete_usage}"
-      end
-
-      tome = tome_connect()
-
-      # tome del bar.com
-      # tome del foo@bar.com
-      id = args[0]
-
-      exists = !tome.get(id).nil?
-      if exists
-        confirmed = prompt_confirm("Are you sure you want to delete the password for #{id} (y/n)? ")
-        if !confirmed
-          raise CommandError, 'Aborted.'
-        end
-      end
-
-      deleted = tome.delete(id)
-
-      if deleted
-        @out.puts "Deleted password for #{id}."
-      else
-        @out.puts "No password found for #{id}."
-      end
-    end
-
-    def generate(args)
-      if args.length != 1
-        raise CommandError, "Invalid arguments.\n\n#{$generate_usage}"
-      end
-      
-      created, tome = tome_create_connect()
-
-      # tome gen bar.com
-      # tome gen foo@bar.com
-      id = args[0]
-      password = generate_password()
-
-      exists = !tome.get(id).nil?
-      if exists
-        confirm = prompt_confirm("A password already exists for #{id}. Overwrite (y/n)? ")
-        if !confirm
-          raise CommandError, 'Aborted.'
-        end
-      end
-
-      created = tome.set(id, password)
-      Clipboard.copy(password)
-
-      if created
-        @out.puts "Generated and copied password for #{id}."
-      else
-        @out.puts "Updated and copied password for #{id}."
-      end
-    end
-
-    def copy(args)
-      if args.length != 1
-        raise CommandError, "Invalid arguments.\n\n#{$copy_usage}"
-      end
-
-      # tome cp bar.com
-      # tome cp foo@bar.com
-      pattern = args[0]
-
-      tome = tome_connect()
-      matches = tome.find(pattern)
-
-      if matches.empty?
-        raise CommandError, "No password found for #{pattern}."
-      elsif matches.count > 1
-        message = "Found multiple matches for #{pattern}. Did you mean one of the following?\n\n"
-        error.matches.each { |match|
-          message += "\t#{match}\n"
-        }
-
-        raise CommandError, message
-      else
-        match = matches.first
-        password = match.last
-
-        Clipboard.copy(password)
-        if Clipboard.paste == password
-          @out.puts "Password for #{match.first} copied to clipboard."
-        else
-          @err.puts "Failed to copy password for #{match.first} to clipboard."
-        end
-      end
-    end
-
-    def list(args)
-      if !args.empty?
-        raise CommandError, "Invalid arguments.\n\n#{$list_usage}"
-      end
-
-      tome = tome_connect()
-
-      count = 0
-      tome.each_password { |id, password|
-        @out.puts "#{id}: #{password}"
-        count += 1
-      }
-
-      if count == 0
-        @out.puts 'No passwords stored.'
-      end
-    end
-
-    def rename(args)
-      if args.count != 2
-        raise CommandError, "Invalid arguments.\n\n#{$rename_usage}"
-      end
-
-      tome = tome_connect()
-
-      old_id = args[0]
-      new_id = args[1]
-
-      overwriting = !tome.get(new_id).nil?
-      if overwriting
-        confirm = prompt_confirm("A password already exists for #{new_id}. Overwrite (y/n)? ")
-        if !confirm
-          raise CommandError, 'Aborted.'
-        end
-      end
-
-      renamed = tome.rename(old_id, new_id)
-      
-      if !renamed
-        raise CommandError, "#{old_id} does not exist."
-      else
-        @out.puts "#{old_id} renamed to #{new_id}."
-      end
-    end
-
-    def master(args)
-      if args.count > 0
-        raise CommandError, "Invalid arguments.\n\n#{$master_usage}"
-      end
-
-      created, tome = tome_create_connect()
-
-      if !created
-        master_password = prompt_password('New master password')
-        tome.master_password = master_password
-        @out.puts 'Master password updated.'
-      end
-    end
-
-    def generate_password
-      Passgen.generate(:length => 30, :symbols => true)
-    end
-
-    def prompt_password(prompt = 'Password')
-      begin
-        @err.print "#{prompt}: "
-        password = input_password()
-
-        if password.empty?
-          @err.puts 'Password cannot be blank.'
-          raise
-        end
-
-        @err.print "#{prompt} (verify): "
-        verify = input_password()
-
-        if verify != password
-          @err.puts 'Passwords do not match.'
-          raise
-        end
-      rescue
-        retry
-      end
-
-      return password
-    end
-
-    def input_password
-      input = proc { |stdin|
-        raw = stdin.gets
-        return nil if raw.nil?
-
-        password = raw.strip
-        @out.puts
-
-        return password
-      }
-
-      begin
-        @in.noecho { |stdin|
-          input.call stdin
-        }
-      rescue Errno::EBADF
-        # This can happen when stdin refers to a file or pipe.
-        # In this case, we ignore 'no echo' and do normal input.
-        input.call @in
-      end
-    end
-
-    def prompt_confirm(prompt)
-      begin
-        @out.print prompt
-
-        confirm = @in.gets.strip
-
-        if confirm =~ /\Ay/i
-          return true
-        elsif confirm =~ /\An/i
-          return false
-        end
-      rescue
-        retry
-      end
-    end
-
-    def usage
-      @err.puts "tome version #{$version}"
-      @err.puts
-      @err.puts $usage
-    end
-
-    def tome_connect
-      if !Tome.exists?(@tome_filename)
-        raise CommandError, "Tome database does not exist. Use 'tome set' or 'tome generate' to create a password first."
-      end
-
-      begin
-        @err.print 'Master password: '
-        master_password = input_password()
-        tome = Tome.new(@tome_filename, master_password)
-      rescue MasterPasswordError
-        @err.puts 'Incorrect master password.'
-
-        if master_password.nil?
-          raise CommandError, 'Authentication failed.'
-        else
-          retry
-        end
-      end
-
-      return tome
-    end
-
-    def tome_create_connect
-      if !Tome.exists?(@tome_filename)
-        @out.puts 'Creating tome database.'
-        master_password = prompt_password('Master password')
-        return true, Tome.create!(@tome_filename, master_password)
-      else
-        return false, tome_connect()
-      end
-    end
-  end
-end
+require 'io/console'
+require 'passgen'
+require 'clipboard'
+
+module Tome
+  class CommandError < RuntimeError
+  end
+
+  class Command
+    private_class_method :new 
+
+    def self.run(tome_filename, args, stdout = $stdout, stderr = $stderr, stdin = $stdin)
+      command = new()
+      return command.send(:run, tome_filename, args, stdout, stderr, stdin)
+    end
+
+  private
+    def run(tome_filename, args, stdout, stderr, stdin)
+      @out = stdout
+      @err = stderr
+      @in = stdin
+      @tome_filename = tome_filename
+      
+      if args.length < 1
+        usage()
+        return 1
+      end
+
+      begin
+        handle_command(args)
+      rescue CommandError => error
+        @err.puts "Error: #{error.message}"
+        return 1
+      rescue FileFormatError => error
+        # Fix file separators for Windows.
+        filename = @tome_filename.gsub(File::SEPARATOR, File::ALT_SEPARATOR || File::SEPARATOR)
+        @err.puts "Error: Cannot read #{filename}: #{error.message}"
+        return 1
+      end
+
+      return 0
+    end
+
+    def handle_command(args)
+      # TODO: Handle 'command --help', e.g. 'tome set --help'.
+
+      command = command_from_arg(args[0])
+
+      if command.nil?
+        raise CommandError, "Unrecognized command: #{args[0]}.\n\n#{$usage}"
+      end
+
+      args.shift
+      send(command, args) 
+    end
+
+    def command_from_arg(arg)
+      commands = {
+        /\A(help|-h|--help)\z/i => :help,
+        /\A(version|ver|-v|--version)\z/i => :version,
+        /\A(set|s|add)\z/i => :set,
+        /\A(get|g|show)\z/i => :get,
+        /\A(delete|del|rm|remove)\z/i => :delete,
+        /\A(generate|gen)\z/i => :generate,
+        /\A(copy|cp)\z/i => :copy,
+        /\A(rename|ren|rn)\z/i => :rename,
+        /\A(master)\z/i => :master,
+        /\A(list|ls)\z/i => :list
+      }
+
+      commands.each { |pattern, command|
+        return command if arg =~ pattern
+      }
+
+      return nil
+    end
+
+    def help(args)
+      if args.length > 1
+        raise CommandError, "Invalid arguments.\n\n#{$usage}"
+      end
+
+      if args.empty?
+        usage()
+        return
+      end
+
+      command = command_from_arg(args[0])
+
+      if command.nil?
+        raise CommandError, "No help for unrecognized command: #{args[0]}.\n\n#{$usage}"
+      end
+
+      help = {
+        :help => $help_usage,
+        :set => $set_usage,
+        :get => $get_usage,
+        :delete => $delete_usage,
+        :generate => $generate_usage,
+        :copy => $copy_usage,
+        :rename => $rename_usage,
+        :master => $master_usage,
+        :list => $list_usage
+      }
+
+      usage = help[command]
+      if usage.nil?
+        raise CommandError, "No help available for command: #{args[0]}."
+      end
+
+      @out.puts usage
+    end
+
+    def version(args)
+      @out.puts "tome version #{VERSION}"
+    end
+
+    def set(args)
+      if args.length < 1 || args.length > 2
+        raise CommandError, "Invalid arguments.\n\n#{$set_usage}"
+      end
+      
+      created, tome = tome_create_connect()
+
+      case args.length
+        # TODO: Validate that first argument is in [username@]domain form.
+
+        # tome set bar.com
+        # tome set foo@bar.com
+        when 1
+          id = args[0]
+          password = prompt_password()
+
+        # tome set bar.com p4ssw0rd
+        # tome set foo@bar.com p4ssw0rd
+        when 2
+          id = args[0]
+          password = args[1]
+      end
+
+      exists = !tome.get(id).nil?
+      if exists
+        confirm = prompt_confirm("A password already exists for #{id}. Overwrite (y/n)? ")
+        if !confirm
+          raise CommandError, 'Aborted.'
+        end
+      end
+
+      created = tome.set(id, password)
+      if created
+        @out.print 'Created '
+      else
+        @out.print 'Updated '
+      end
+
+      @out.puts "password for #{id}."
+    end
+
+    def get(args)
+      if args.length != 1
+        raise CommandError, "Invalid arguments.\n\n#{$get_usage}"
+      end
+      
+      # tome get bar.com
+      # tome get foo@bar.com
+      pattern = args[0]
+
+      tome = tome_connect()
+      matches = tome.find(pattern)
+
+      if matches.empty?
+        raise CommandError, "No password found for #{pattern}."
+      elsif matches.count == 1
+        match = matches.first
+        @out.puts "Password for #{match.first}:"
+        @out.puts match.last
+      else
+        @out.puts "Multiple matches for #{pattern}:"
+        matches.each { |key, password|
+          @out.puts "#{key}: #{password}"
+        }
+      end
+    end
+
+    def delete(args)
+      if args.length != 1
+        raise CommandError, "Invalid arguments.\n\n#{$delete_usage}"
+      end
+
+      tome = tome_connect()
+
+      # tome del bar.com
+      # tome del foo@bar.com
+      id = args[0]
+
+      exists = !tome.get(id).nil?
+      if exists
+        confirmed = prompt_confirm("Are you sure you want to delete the password for #{id} (y/n)? ")
+        if !confirmed
+          raise CommandError, 'Aborted.'
+        end
+      end
+
+      deleted = tome.delete(id)
+
+      if deleted
+        @out.puts "Deleted password for #{id}."
+      else
+        @out.puts "No password found for #{id}."
+      end
+    end
+
+    def generate(args)
+      if args.length != 1
+        raise CommandError, "Invalid arguments.\n\n#{$generate_usage}"
+      end
+      
+      created, tome = tome_create_connect()
+
+      # tome gen bar.com
+      # tome gen foo@bar.com
+      id = args[0]
+      password = generate_password()
+
+      exists = !tome.get(id).nil?
+      if exists
+        confirm = prompt_confirm("A password already exists for #{id}. Overwrite (y/n)? ")
+        if !confirm
+          raise CommandError, 'Aborted.'
+        end
+      end
+
+      created = tome.set(id, password)
+      Clipboard.copy(password)
+
+      if created
+        @out.puts "Generated and copied password for #{id}."
+      else
+        @out.puts "Updated and copied password for #{id}."
+      end
+    end
+
+    def copy(args)
+      if args.length != 1
+        raise CommandError, "Invalid arguments.\n\n#{$copy_usage}"
+      end
+
+      # tome cp bar.com
+      # tome cp foo@bar.com
+      pattern = args[0]
+
+      tome = tome_connect()
+      matches = tome.find(pattern)
+
+      if matches.empty?
+        raise CommandError, "No password found for #{pattern}."
+      elsif matches.count > 1
+        match = pick_match(pattern, matches)
+      else
+        match = matches.first
+      end
+
+      name = match.first
+      password = match.last
+
+      Clipboard.copy(password)
+      if Clipboard.paste == password
+        @out.puts "Password for #{name} copied to clipboard."
+      else
+        @err.puts "Failed to copy password for #{name} to clipboard."
+      end
+    end
+
+    def pick_match(pattern, matches)
+      matches = matches.to_a
+
+      @out.puts "Found multiple matches for \"#{pattern}\":\n\n"
+      matches.each_with_index { |match, i|
+        @out.puts "\t#{i + 1}: #{match[0]}"
+      }
+
+      begin
+        @out.print "\n> "
+
+        index = @in.gets.to_i
+        if index <= 0 || index > matches.length
+          @out.puts 'Invalid option.'
+          raise
+        end
+
+        return matches[index - 1]
+      rescue
+        retry
+      end
+    end
+
+    def list(args)
+      if !args.empty?
+        raise CommandError, "Invalid arguments.\n\n#{$list_usage}"
+      end
+
+      tome = tome_connect()
+
+      count = 0
+      tome.each_password { |id, password|
+        @out.puts "#{id}: #{password}"
+        count += 1
+      }
+
+      if count == 0
+        @out.puts 'No passwords stored.'
+      end
+    end
+
+    def rename(args)
+      if args.count != 2
+        raise CommandError, "Invalid arguments.\n\n#{$rename_usage}"
+      end
+
+      tome = tome_connect()
+
+      old_id = args[0]
+      new_id = args[1]
+
+      overwriting = !tome.get(new_id).nil?
+      if overwriting
+        confirm = prompt_confirm("A password already exists for #{new_id}. Overwrite (y/n)? ")
+        if !confirm
+          raise CommandError, 'Aborted.'
+        end
+      end
+
+      renamed = tome.rename(old_id, new_id)
+      
+      if !renamed
+        raise CommandError, "#{old_id} does not exist."
+      else
+        @out.puts "#{old_id} renamed to #{new_id}."
+      end
+    end
+
+    def master(args)
+      if args.count > 0
+        raise CommandError, "Invalid arguments.\n\n#{$master_usage}"
+      end
+
+      created, tome = tome_create_connect()
+
+      if !created
+        master_password = prompt_password('New master password')
+        tome.master_password = master_password
+        @out.puts 'Master password updated.'
+      end
+    end
+
+    def generate_password
+      Passgen.generate(:length => 30, :symbols => true)
+    end
+
+    def prompt_password(prompt = 'Password')
+      begin
+        @err.print "#{prompt}: "
+        password = input_password()
+
+        if password.empty?
+          @err.puts 'Password cannot be blank.'
+          raise
+        end
+
+        @err.print "#{prompt} (verify): "
+        verify = input_password()
+
+        if verify != password
+          @err.puts 'Passwords do not match.'
+          raise
+        end
+      rescue
+        retry
+      end
+
+      return password
+    end
+
+    def input_password
+      input = proc { |stdin|
+        raw = stdin.gets
+        return nil if raw.nil?
+
+        password = raw.strip
+        @out.puts
+
+        return password
+      }
+
+      begin
+        @in.noecho { |stdin|
+          input.call stdin
+        }
+      rescue Errno::EBADF
+        # This can happen when stdin refers to a file or pipe.
+        # In this case, we ignore 'no echo' and do normal input.
+        input.call @in
+      end
+    end
+
+    def prompt_confirm(prompt)
+      begin
+        @out.print prompt
+
+        confirm = @in.gets.strip
+
+        if confirm =~ /\Ay/i
+          return true
+        elsif confirm =~ /\An/i
+          return false
+        end
+      rescue
+        retry
+      end
+    end
+
+    def usage
+      @err.puts "tome version #{VERSION}"
+      @err.puts
+      @err.puts $usage
+    end
+
+    def tome_connect
+      if !Tome.exists?(@tome_filename)
+        raise CommandError, "Tome database does not exist. Use 'tome set' or 'tome generate' to create a password first."
+      end
+
+      begin
+        @err.print 'Master password: '
+        master_password = input_password()
+        tome = Tome.new(@tome_filename, master_password)
+      rescue MasterPasswordError
+        @err.puts 'Incorrect master password.'
+
+        if master_password.nil?
+          raise CommandError, 'Authentication failed.'
+        else
+          retry
+        end
+      end
+
+      return tome
+    end
+
+    def tome_create_connect
+      if !Tome.exists?(@tome_filename)
+        @out.puts 'Creating tome database.'
+        master_password = prompt_password('Master password')
+        return true, Tome.create!(@tome_filename, master_password)
+      else
+        return false, tome_connect()
+      end
+    end
+  end
+end