revault-cli 1.0.0__py3-none-any.whl

cli.py

@@ -0,0 +1,172 @@
+# cli.py
+import typer
+from getpass import getpass
+import json
+import base64
+import sys
+import time
+import threading
+from vault import init_vault, add_entry, get_entry, remove_entry, list_entries, get_salt
+from crypto import derive_key, encrypt_data, decrypt_data
+
+app = typer.Typer()
+
+@app.command()
+def add(identifier: str):
+    """Add username + password for a service."""
+    vault = init_vault()
+    master_password = getpass("Master password: ")
+    key = derive_key(master_password, get_salt(vault))
+
+    username = input("Username: ")
+    password = getpass("Password: ")
+
+    # Prepare entry JSON
+    entry_json = json.dumps({"username": username, "password": password}).encode()
+    encrypted_blob = encrypt_data(key, entry_json)
+    encrypted_b64 = base64.b64encode(encrypted_blob).decode()
+
+    add_entry(vault, identifier, encrypted_b64)
+    typer.echo(f"Entry '{identifier}' added successfully!")
+
+@app.command()
+def show(identifier: str):
+    """Show username + password for a service."""
+    vault = init_vault()
+    encrypted_b64 = get_entry(vault, identifier)
+    if not encrypted_b64:
+        typer.echo(f"No entry found for '{identifier}'")
+        raise typer.Exit()
+
+    master_password = getpass("Master password: ")
+    key = derive_key(master_password, get_salt(vault))
+
+    encrypted_blob = base64.b64decode(encrypted_b64)
+    try:
+        decrypted_bytes = decrypt_data(key, encrypted_blob)
+        entry = json.loads(decrypted_bytes.decode())
+        typer.echo(f"Username: {entry['username']}")
+        typer.echo(f"Password: {entry['password']}")
+    except Exception:
+        typer.echo("Incorrect master password or corrupted entry!")
+
+
+def _connect_pexpect(ssh_target: str, password: str):
+    import pexpect
+    child = pexpect.spawn(f"ssh {ssh_target}")
+    child.expect("password:")
+    child.sendline(password)
+    child.interact()
+
+
+def _connect_paramiko(ssh_target: str, password: str):
+    import paramiko
+
+    if "@" not in ssh_target:
+        typer.echo("Error: SSH target must be in 'user@host' format.")
+        return
+
+    user, host = ssh_target.split("@", 1)
+    client = paramiko.SSHClient()
+    client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
+
+    try:
+        client.connect(host, username=user, password=password)
+    except paramiko.AuthenticationException:
+        typer.echo("Authentication failed: wrong password.")
+        return
+    except Exception as e:
+        typer.echo(f"Connection failed: {e}")
+        return
+
+    channel = client.invoke_shell()
+    stop = threading.Event()
+
+    def _read_output():
+        while not stop.is_set():
+            try:
+                data = channel.recv(4096)
+                if not data:
+                    stop.set()
+                    break
+                sys.stdout.buffer.write(data)
+                sys.stdout.buffer.flush()
+            except Exception:
+                stop.set()
+                break
+
+    reader = threading.Thread(target=_read_output, daemon=True)
+    reader.start()
+
+    try:
+        import msvcrt
+        while not stop.is_set():
+            if msvcrt.kbhit():
+                ch = msvcrt.getch()
+                if not channel.send(ch):
+                    break
+            else:
+                time.sleep(0.05)
+    except KeyboardInterrupt:
+        pass
+    finally:
+        stop.set()
+        channel.close()
+        client.close()
+
+
+@app.command()
+def connect(identifier: str):
+    """SSH into a host using stored credentials."""
+    vault = init_vault()
+    encrypted_b64 = get_entry(vault, identifier)
+    if not encrypted_b64:
+        typer.echo(f"No entry found for '{identifier}'")
+        return
+
+    master_password = getpass("Master password: ")
+    key = derive_key(master_password, get_salt(vault))
+    encrypted_blob = base64.b64decode(encrypted_b64)
+
+    try:
+        decrypted_bytes = decrypt_data(key, encrypted_blob)
+        entry = json.loads(decrypted_bytes.decode())
+    except Exception:
+        typer.echo("Incorrect master password or corrupted entry!")
+        return
+
+    ssh_target = entry["username"]
+    password = entry["password"]
+
+    typer.echo(f"Connecting to {ssh_target}...")
+
+    if sys.platform == "win32":
+        _connect_paramiko(ssh_target, password)
+    else:
+        _connect_pexpect(ssh_target, password)
+
+
+@app.command()
+def remove(identifier: str):
+    """Remove a stored entry."""
+    vault = init_vault()
+    if not remove_entry(vault, identifier):
+        typer.echo(f"No entry found for '{identifier}'")
+        raise typer.Exit(1)
+    typer.echo(f"Entry '{identifier}' removed.")
+
+
+@app.command()
+def list():
+    """List all stored identifiers."""
+    vault = init_vault()
+    entries = list_entries(vault)
+    if entries:
+        typer.echo("Stored entries:")
+        for e in entries:
+            typer.echo(f"- {e}")
+    else:
+        typer.echo("No entries stored yet.")
+
+if __name__ == "__main__":
+    app()

crypto.py

@@ -0,0 +1,26 @@
+# crypto.py
+import base64
+from cryptography.hazmat.primitives.kdf.scrypt import Scrypt
+from cryptography.fernet import Fernet
+
+def derive_key(master_password: str, salt: bytes) -> bytes:
+    """
+    Derive a symmetric key from master password and salt
+    """
+    kdf = Scrypt(
+        salt=salt,
+        length=32,
+        n=2**14,
+        r=8,
+        p=1,
+    )
+    key = kdf.derive(master_password.encode())
+    return base64.urlsafe_b64encode(key)  # Fernet requires base64 key
+
+def encrypt_data(key: bytes, data: bytes) -> bytes:
+    f = Fernet(key)
+    return f.encrypt(data)
+
+def decrypt_data(key: bytes, token: bytes) -> bytes:
+    f = Fernet(key)
+    return f.decrypt(token)

revault_cli-1.0.0.dist-info/METADATA

@@ -0,0 +1,111 @@
+Metadata-Version: 2.4
+Name: revault-cli
+Version: 1.0.0
+Summary: CLI password manager for server credentials with SSH connector
+License: MIT
+Project-URL: Homepage, https://github.com/sufi-an/re-vault
+Requires-Python: >=3.9
+Description-Content-Type: text/markdown
+Requires-Dist: typer>=0.9.0
+Requires-Dist: cryptography>=41.0.3
+Requires-Dist: pexpect>=4.8.0; sys_platform != "win32"
+Requires-Dist: paramiko>=3.4.0
+
+Author was lost in a sea of server credentials, brain.exe could not handle so much info
+Wrote a password manager to store server credentails(Yes, ENCRYPTED)
+then thought why should I connect.
+so 
+re-valut connect myserver :)
+
+## Install
+
+### macOS (Homebrew)
+```bash
+brew tap sufi-an/re-vault
+brew install re-vault
+```
+
+### Linux / macOS (pip / pipx)
+```bash
+# pipx keeps it isolated (recommended)
+pipx install revault-cli
+
+# or plain pip
+pip install revault-cli
+```
+
+Then use `re-vault` instead of `python cli.py`:
+```bash
+re-vault add myserver
+re-vault connect myserver
+```
+
+> **apt install:** Not yet in official Debian/Ubuntu repos (that process takes months).
+> Use `pip`/`pipx` on Linux for now.
+
+---
+
+## Windows .exe
+
+**Quick test (run on your Windows machine):**
+```bat
+build.bat
+dist\passkeeper.exe add myserver
+```
+
+**Automated releases:** push a version tag and GitHub Actions builds + attaches the exe to the release automatically.
+```bash
+git tag v1.0.0 && git push origin v1.0.0
+```
+
+---
+
+## How to use
+
+### Install
+
+```bash
+pip install -r requirements.txt
+```
+
+### Commands
+
+Each command prompts for your **master password** (it is never stored). The vault
+lives at `~/.passkeeper/vault.json` and is locked to your user account on both
+Unix (`chmod 0o600`) and Windows (`icacls`).
+
+| Command | What it does |
+| --- | --- |
+| `python cli.py add <identifier>`     | Prompt for username + password and store them encrypted under `<identifier>`. |
+| `python cli.py show <identifier>`    | Decrypt and print the username + password. |
+| `python cli.py list`                 | List all stored identifiers. |
+| `python cli.py connect <identifier>` | Decrypt the entry and SSH in, auto-sending the password (works on Unix **and** Windows). |
+| `python cli.py remove <identifier>`  | Delete a stored entry permanently. |
+
+### Example
+
+```bash
+# Store credentials for a server (username should be the full SSH target, e.g. user@host)
+$ python cli.py add myserver
+Master password:
+Username: deploy@198.51.100.10
+Password:
+Entry 'myserver' added successfully!
+
+# Look them up later
+$ python cli.py show myserver
+Master password:
+Username: deploy@198.51.100.10
+Password: ...
+
+# List everything you've stored
+$ python cli.py list
+Stored entries:
+- myserver
+
+# Connect over SSH without typing the password (Unix/macOS/Windows)
+$ python cli.py connect myserver
+```
+
+> **Note:** On Unix/macOS `connect` uses `pexpect` to drive the system `ssh` binary.
+> On Windows it uses `paramiko` to connect directly — no external `ssh` binary needed.

revault_cli-1.0.0.dist-info/RECORD

@@ -0,0 +1,8 @@
+cli.py,sha256=gEqqsI8abZRD5sbyln4uciHwrZul4e92plzDkZqXw2I,4909
+crypto.py,sha256=myB4KnjmL7bVVY61vgLp6XK0RunzjYEBjpDQ_1uwINg,685
+vault.py,sha256=xfaJmqDIQjE1a9MLiKZOgGA0mJQ8QOXQYpZWYsUWAfY,2460
+revault_cli-1.0.0.dist-info/METADATA,sha256=0JxsiWHyH3jejee4_ZCr8VulaXCtjENe2QBM5YzAaQI,2952
+revault_cli-1.0.0.dist-info/WHEEL,sha256=aeYiig01lYGDzBgS8HxWXOg3uV61G9ijOsup-k9o1sk,91
+revault_cli-1.0.0.dist-info/entry_points.txt,sha256=gKXIZ3Xz9c_j-M0FyS-7M3Qf_gstYYkYGOtPdHE_XLE,37
+revault_cli-1.0.0.dist-info/top_level.txt,sha256=dnoB5T5DWeC8LBVMIpHUIkoukpLrodsa7oTw5soLUIc,17
+revault_cli-1.0.0.dist-info/RECORD,,

revault_cli-1.0.0.dist-info/WHEEL

@@ -0,0 +1,5 @@
+Wheel-Version: 1.0
+Generator: setuptools (82.0.1)
+Root-Is-Purelib: true
+Tag: py3-none-any
+

revault_cli-1.0.0.dist-info/entry_points.txt

@@ -0,0 +1,2 @@
+[console_scripts]
+re-vault = cli:app

revault_cli-1.0.0.dist-info/top_level.txt

@@ -0,0 +1,3 @@
+cli
+crypto
+vault

vault.py

@@ -0,0 +1,77 @@
+# vault.py
+import json
+from pathlib import Path
+import os
+import base64
+import getpass
+import subprocess
+
+VAULT_DIR = Path.home() / ".passkeeper"
+VAULT_FILE = VAULT_DIR / "vault.json"
+
+def _restrict_to_current_user(path: Path):
+    """Restrict a path so only the current user can read/write it.
+
+    On POSIX this is a simple chmod 0o600/0o700. On Windows os.chmod can only
+    toggle the read-only bit and cannot express per-user access, so the secrets
+    would stay readable by every account on the machine. We use icacls instead
+    to drop inherited permissions and grant access to the current user only.
+    """
+    if os.name == "nt":
+        user = os.environ.get("USERNAME") or getpass.getuser()
+        try:
+            subprocess.run(
+                ["icacls", str(path), "/inheritance:r", "/grant:r", f"{user}:(F)"],
+                check=True,
+                capture_output=True,
+            )
+        except (subprocess.CalledProcessError, FileNotFoundError):
+            # icacls unavailable (e.g. some minimal environments) — fall back to
+            # the read-only bit so we at least do something.
+            os.chmod(path, 0o600)
+    else:
+        mode = 0o700 if path.is_dir() else 0o600
+        os.chmod(path, mode)
+
+def init_vault():
+    VAULT_DIR.mkdir(exist_ok=True)
+    _restrict_to_current_user(VAULT_DIR)
+    if not VAULT_FILE.exists():
+        # Generate random salt
+        salt = os.urandom(16)
+        vault = {
+            "version": 1,
+            "salt": base64.b64encode(salt).decode(),
+            "entries": {}
+        }
+        save_vault(vault)
+        _restrict_to_current_user(VAULT_FILE)
+    return load_vault()
+
+def load_vault():
+    with VAULT_FILE.open("r", encoding="utf-8") as f:
+        return json.load(f)
+
+def save_vault(vault: dict):
+    with VAULT_FILE.open("w", encoding="utf-8") as f:
+        json.dump(vault, f, indent=4)
+
+def get_salt(vault: dict) -> bytes:
+    return base64.b64decode(vault["salt"])
+
+def add_entry(vault: dict, identifier: str, encrypted_blob: str):
+    vault["entries"][identifier] = encrypted_blob
+    save_vault(vault)
+
+def get_entry(vault: dict, identifier: str):
+    return vault["entries"].get(identifier)
+
+def remove_entry(vault: dict, identifier: str) -> bool:
+    if identifier not in vault["entries"]:
+        return False
+    del vault["entries"][identifier]
+    save_vault(vault)
+    return True
+
+def list_entries(vault: dict):
+    return list(vault["entries"].keys())