Merge pull request #212 from brotskydotcom/attributes

Add support for credential-store attributes.  Fixes #208.

Author: brotskydotcom

CHANGELOG.md

@@ -1,3 +1,25 @@
+## Version 3.3.0
+- Add support for credential-store attributes other than those used by this crate.  This allows the creation of credentials that are more compatible with 3rd-party clients, such as the OS-provided GUIs over credentials.
+- Make the textual descriptions of entries consistently follow the form `user@service` (or  `user@service:target` if a target was specified).
+
+## Version 3.2.1
+- Re-enable access to v1 credentials. The fixes of version 3.2 meant that legacy credentials with no target attribute couldn't be accessed.
+
+## Version 3.2.0
+- Improve secret-service handling of targets, so that searches on locked items distinguish items with different targets properly.
+
+## Version 3.1.0
+- enhance the CLI to allow empty user names and better info about `Ambiguous` credentials.
+
+## Version 3.0.5
+- updated docs and clean up dead code. No code changes.
+
+## Version 3.0.4
+- expose a cross-platform module alias via the `default` module.
+
+## Version 3.0.3
+- fix feature `linux-native`, which was causing compile errors.
+
 ## Version 3.0.2
 - add missing implementations for iOS `set_secret` and `get_secret`
 

Cargo.toml

@@ -6,7 +6,7 @@ keywords = ["password", "credential", "keychain", "keyring", "cross-platform"]
 license = "MIT OR Apache-2.0"
 name = "keyring"
 repository = "https://github.com/hwchen/keyring-rs.git"
-version = "3.2.1"
+version = "3.3.0"
 rust-version = "1.75"
 edition = "2021"
 exclude = [".github/"]
@@ -64,6 +64,7 @@ path = "examples/cli.rs"
 base64 = "0.22"
 clap = { version = "4", features = ["derive", "wrap_help"] }
 rpassword = "7"
+rprompt = "2"
 rand = "0.8"
 doc-comment = "0.3"
 whoami = "1"

README.md

@@ -135,6 +135,7 @@ Thanks to the following for helping make this library better, whether through co
 - @russellbanks
 - @ryanavella
 - @samuela
+- @ShaunSHamilton
 - @stankec
 - @steveatinfincia
 - @Sytten

build-xplat-docs.sh

@@ -1,5 +1,5 @@
 #!/bin/bash
-cargo doc --no-deps --target aarch64-unknown-linux-musl $OPEN_DOCS
-cargo doc --no-deps --target aarch64-pc-windows-msvc $OPEN_DOCS
-cargo doc --no-deps --target aarch64-apple-darwin $OPEN_DOCS
-cargo doc --no-deps --target aarch64-apple-ios $OPEN_DOCS
+cargo doc --no-deps --features=linux-native --target aarch64-unknown-linux-musl $OPEN_DOCS
+cargo doc --no-deps --features=windows-native --target aarch64-pc-windows-msvc $OPEN_DOCS
+cargo doc --no-deps --features=apple-native --target aarch64-apple-darwin $OPEN_DOCS
+cargo doc --no-deps --features=apple-native --target aarch64-apple-ios $OPEN_DOCS

examples/cli.rs

@@ -1,6 +1,7 @@
 extern crate keyring;
 
-use clap::Parser;
+use clap::{Args, Parser};
+use std::collections::HashMap;
 
 use keyring::{Entry, Error, Result};
 
@@ -21,40 +22,52 @@ fn main() {
     };
     match &args.command {
         Command::Set { .. } => {
-            let (secret, password) = args.get_password();
-            if let Some(secret) = secret {
-                match entry.set_secret(&secret) {
-                    Ok(()) => args.success_message_for(Some(&secret), None),
+            let value = args.get_password_and_attributes();
+            match &value {
+                Value::Secret(secret) => match entry.set_secret(secret) {
+                    Ok(()) => args.success_message_for(&value),
                     Err(err) => args.error_message_for(err),
-                }
-            } else if let Some(password) = password {
-                match entry.set_password(&password) {
-                    Ok(()) => args.success_message_for(None, Some(&password)),
+                },
+                Value::Password(password) => match entry.set_password(password) {
+                    Ok(()) => args.success_message_for(&value),
                     Err(err) => args.error_message_for(err),
+                },
+                Value::Attributes(attributes) => {
+                    let attrs: HashMap<&str, &str> = attributes
+                        .iter()
+                        .map(|(k, v)| (k.as_str(), v.as_str()))
+                        .collect();
+                    match entry.update_attributes(&attrs) {
+                        Ok(()) => args.success_message_for(&value),
+                        Err(err) => args.error_message_for(err),
+                    }
                 }
-            } else {
-                if args.verbose {
-                    eprintln!("You must provide a password to the set command");
-                }
-                std::process::exit(1)
+                _ => panic!("Can't set without a value"),
             }
         }
         Command::Password => match entry.get_password() {
             Ok(password) => {
                 println!("{password}");
-                args.success_message_for(None, Some(&password));
+                args.success_message_for(&Value::Password(password));
             }
             Err(err) => args.error_message_for(err),
         },
         Command::Secret => match entry.get_secret() {
             Ok(secret) => {
                 println!("{}", secret_string(&secret));
-                args.success_message_for(Some(&secret), None);
+                args.success_message_for(&Value::Secret(secret));
+            }
+            Err(err) => args.error_message_for(err),
+        },
+        Command::Attributes => match entry.get_attributes() {
+            Ok(attributes) => {
+                println!("{}", attributes_string(&attributes));
+                args.success_message_for(&Value::Attributes(attributes));
             }
             Err(err) => args.error_message_for(err),
         },
         Command::Delete => match entry.delete_credential() {
-            Ok(()) => args.success_message_for(None, None),
+            Ok(()) => args.success_message_for(&Value::None),
             Err(err) => args.error_message_for(err),
         },
     }
@@ -87,32 +100,58 @@ pub struct Cli {
 
 #[derive(Debug, Parser)]
 pub enum Command {
-    /// Set the password in the secure store
+    /// Set the password or update the attributes in the secure store
     Set {
+        #[command(flatten)]
+        what: What,
+
         #[clap(value_parser)]
-        /// The password to set into the secure store.
-        /// If it's a valid base64 encoding (with padding),
-        /// it will be decoded and used to set the binary secret.
-        /// Otherwise, it will be interpreted as a string password.
-        /// If no password is specified, it will be
-        /// collected interactively (without echo)
-        /// from the terminal.
-        password: Option<String>,
+        /// The input to parse. If not specified, it will be
+        /// read interactively from the terminal. Password/secret
+        /// input will not be echoed.
+        input: Option<String>,
     },
     /// Retrieve the (string) password from the secure store
     /// and write it to the standard output.
     Password,
     /// Retrieve the (binary) secret from the secure store
     /// and write it in base64 encoding to the standard output.
     Secret,
-    /// Delete the underlying credential from the secure store.
+    /// Retrieve attributes available in the secure store.
+    Attributes,
+    /// Delete the credential from the secure store.
     Delete,
 }
 
+#[derive(Debug, Args)]
+#[group(multiple = false, required = true)]
+pub struct What {
+    #[clap(short, long, action, help = "The input is a password")]
+    password: bool,
+
+    #[clap(short, long, action, help = "The input is a base64-encoded secret")]
+    secret: bool,
+
+    #[clap(
+        short,
+        long,
+        action,
+        help = "The input is comma-separated, key=val attribute pairs"
+    )]
+    attributes: bool,
+}
+
+enum Value {
+    Secret(Vec<u8>),
+    Password(String),
+    Attributes(HashMap<String, String>),
+    None,
+}
+
 impl Cli {
     fn description(&self) -> String {
         if let Some(target) = &self.target {
-            format!("[{target}]{}@{}", &self.user, &self.service)
+            format!("{}@{}:{target}", &self.user, &self.service)
         } else {
             format!("{}@{}", &self.user, &self.service)
         }
@@ -146,6 +185,9 @@ impl Cli {
                     Command::Secret => {
                         eprintln!("Couldn't get secret for '{description}': {err}");
                     }
+                    Command::Attributes => {
+                        eprintln!("Couldn't get attributes for '{description}': {err}");
+                    }
                     Command::Delete => {
                         eprintln!("Couldn't delete credential for '{description}': {err}");
                     }
@@ -155,46 +197,69 @@ impl Cli {
         std::process::exit(1)
     }
 
-    fn success_message_for(&self, secret: Option<&[u8]>, password: Option<&str>) {
+    fn success_message_for(&self, value: &Value) {
         if !self.verbose {
             return;
         }
         let description = self.description();
         match self.command {
-            Command::Set { .. } => {
-                if let Some(pw) = password {
-                    eprintln!("Set password for '{description}' to '{pw}'");
-                }
-                if let Some(secret) = secret {
+            Command::Set { .. } => match value {
+                Value::Secret(secret) => {
                     let secret = secret_string(secret);
                     eprintln!("Set secret for '{description}' to decode of '{secret}'");
                 }
-            }
+                Value::Password(password) => {
+                    eprintln!("Set password for '{description}' to '{password}'");
+                }
+                Value::Attributes(attributes) => {
+                    eprintln!("The following attributes for '{description}' were sent for update:");
+                    eprint_attributes(attributes);
+                }
+                _ => panic!("Can't set without a value"),
+            },
             Command::Password => {
-                let pw = password.unwrap();
-                eprintln!("Password for '{description}' is '{pw}'");
-            }
-            Command::Secret => {
-                let secret = secret_string(secret.unwrap());
-                eprintln!("Secret for '{description}' encodes as {secret}");
+                match value {
+                    Value::Password(password) => {
+                        eprintln!("Password for '{description}' is '{password}'");
+                    }
+                    _ => panic!("Wrong value type for command"),
+                };
             }
+            Command::Secret => match value {
+                Value::Secret(secret) => {
+                    let encoded = secret_string(secret);
+                    eprintln!("Secret for '{description}' encodes as {encoded}");
+                }
+                _ => panic!("Wrong value type for command"),
+            },
+            Command::Attributes => match value {
+                Value::Attributes(attributes) => {
+                    if attributes.is_empty() {
+                        eprintln!("No attributes found for '{description}'");
+                    } else {
+                        eprintln!("Attributes for '{description}' are:");
+                        eprint_attributes(attributes);
+                    }
+                }
+                _ => panic!("Wrong value type for command"),
+            },
             Command::Delete => {
                 eprintln!("Successfully deleted credential for '{description}'");
             }
         }
     }
 
-    fn get_password(&self) -> (Option<Vec<u8>>, Option<String>) {
-        match &self.command {
-            Command::Set { password: Some(pw) } => password_or_secret(pw),
-            Command::Set { password: None } => {
-                if let Ok(password) = rpassword::prompt_password("Password: ") {
-                    password_or_secret(&password)
-                } else {
-                    (None, None)
-                }
+    fn get_password_and_attributes(&self) -> Value {
+        if let Command::Set { what, input } = &self.command {
+            if what.password {
+                Value::Password(read_password(input))
+            } else if what.secret {
+                Value::Secret(decode_secret(input))
+            } else {
+                Value::Attributes(parse_attributes(input))
             }
-            _ => (None, None),
+        } else {
+            panic!("Can't happen: asking for password and attributes on non-set command")
         }
     }
 }
@@ -205,11 +270,66 @@ fn secret_string(secret: &[u8]) -> String {
     BASE64_STANDARD.encode(secret)
 }
 
-fn password_or_secret(input: &str) -> (Option<Vec<u8>>, Option<String>) {
+fn eprint_attributes(attributes: &HashMap<String, String>) {
+    for (key, value) in attributes {
+        println!("    {key}: {value}");
+    }
+}
+
+fn decode_secret(input: &Option<String>) -> Vec<u8> {
     use base64::prelude::*;
 
-    match BASE64_STANDARD.decode(input) {
-        Ok(secret) => (Some(secret), None),
-        Err(_) => (None, Some(input.to_string())),
+    let encoded = if let Some(input) = input {
+        input.clone()
+    } else {
+        rpassword::prompt_password("Base64 encoding: ").unwrap_or_else(|_| String::new())
+    };
+    if encoded.is_empty() {
+        return Vec::new();
+    }
+    match BASE64_STANDARD.decode(encoded) {
+        Ok(secret) => secret,
+        Err(err) => {
+            eprintln!("Sorry, the provided secret data is not base64-encoded: {err}");
+            std::process::exit(1);
+        }
+    }
+}
+
+fn read_password(input: &Option<String>) -> String {
+    if let Some(input) = input {
+        input.clone()
+    } else {
+        rpassword::prompt_password("Password: ").unwrap_or_else(|_| String::new())
+    }
+}
+
+fn attributes_string(attributes: &HashMap<String, String>) -> String {
+    let strings = attributes
+        .iter()
+        .map(|(k, v)| format!("{}={}", k, v))
+        .collect::<Vec<_>>();
+    strings.join(",")
+}
+
+fn parse_attributes(input: &Option<String>) -> HashMap<String, String> {
+    let input = if let Some(input) = input {
+        input.clone()
+    } else {
+        rprompt::prompt_reply("Attributes: ").unwrap_or_else(|_| String::new())
+    };
+    if input.is_empty() {
+        eprintln!("You must specify at least one key=value attribute pair to set")
+    }
+    let mut attributes = HashMap::new();
+    let parts = input.split(',');
+    for s in parts.into_iter() {
+        let parts: Vec<&str> = s.split("=").collect();
+        if parts.len() != 2 || parts[0].is_empty() {
+            eprintln!("Sorry, this part of the attributes string is not a key=val pair: {s}");
+            std::process::exit(1);
+        }
+        attributes.insert(parts[0].to_string(), parts[1].to_string());
     }
+    attributes
 }