PageRenderTime 136ms CodeModel.GetById 27ms RepoModel.GetById 21ms app.codeStats 1ms

/lib/Passwd/Keyring/PWSafe3.pm

https://bitbucket.org/Mekk/perl-keyring-pwsafe3
Perl | 368 lines | 255 code | 106 blank | 7 comment | 48 complexity | 9d9de4fe45724f6cc29c0e4cc26438fd MD5 | raw file
    

  1. package Passwd::Keyring::PWSafe3;
    2. 

  2. 

  3. use warnings;
    4. 

  4. use strict;
    5. 

  5. #use parent 'Keyring';
    6. 

  6. use Crypt::PWSafe3;
    7. 

  7. use File::Spec;
    8. 

  8. use File::Basename;
    9. 

  9. use Term::ReadKey;              # For secure password prompt
    10. 

  10. use Carp;
    11. 

  11. 

  12. =head1 NAME
    13. 

  13. 

  14. Passwd::Keyring::PWSafe3 - Password storage based on Password Safe encrypted files
    15. 

  15. 

  16. =head1 VERSION
    17. 

  17. 

  18. Version 0.61
    19. 

  19. 

  20. =cut
    21. 

  21. 

  22. our $VERSION = '0.61';
    23. 

  23. 

  24. our $APP_NAME = "Passwd::Keyring";
    25. 

  25. our $FOLDER_NAME = "Perl-Passwd-Keyring";
    26. 

  26. 

  27. =head1 SYNOPSIS
    28. 

  28. 

  29. Password Safe implementation of L<Passwd::Keyring>. Passwords are
    30. 

  30. stored in the L<Password Safe|http://passwordsafe.sourceforge.net>
    31. 

  31. encrypted file.
    32. 

  32. 

  33.     use Passwd::Keyring::PWSafe3;
    34. 

  34. 

  35.     my $keyring = Passwd::Keyring::PWSafe3->new(
    36. 

  36.          app=>"blahblah scraper",
    37. 

  37.          group=>"Johnny web scrapers",
    38. 

  38.          file=>"/home/joe/secrets.pwsafe3",        # ~/passwd-keyring.pwsafe3 by default
    39. 

  39.          master_password=>"very secret password",  # Or callback. See below
    40. 

  40.     );
    41. 

  41. 

  42.     my $username = "John";  # or get from .ini, or from .argv...
    43. 

  43. 

  44.     my $password = $keyring->get_password($username, "blahblah.com");
    45. 

  45.     unless( $password ) {
    46. 

  46.         $password = <somehow interactively prompt for password>;
    47. 

  47. 

  48.         # securely save password for future use
    49. 

  49.         $keyring->set_password($username, $password, "blahblah.com");
    50. 

  50.     }
    51. 

  51. 

  52.     login_somewhere_using($username, $password);
    53. 

  53.     if( password_was_wrong ) {
    54. 

  54.         $keyring->clear_password($username, "blahblah.com");
    55. 

  55.     }
    56. 

  56. 

  57. =head1 DESCRIPTION
    58. 

  58. 

  59. This module does not require Password Safe to be installed, and can be
    60. 

  60. used as generic "store many passwords in file encrypted with single
    61. 

  61. master password" storage. Password Safe GUI, if installed, may help
    62. 

  62. the user to review, modify, or delete saved passwords.
    63. 

  63. 

  64. =over 4
    65. 

  65. 

  66. Official GUIs can be freely downloaded from L<the official
    67. 

  67. site|http://passwordsafe.sourceforge.net> - both Windows and (beta)
    68. 

  68. Linux versions are available. Apart from them there exist
    69. 

  69. various L<compatible tools|http://passwordsafe.sourceforge.net/relatedprojects.shtml>,
    70. 

  70. for example <Pasaffe for Gnome|https://launchpad.net/pasaffe>  or
    71. 

  71. <PwSafe for Mac|http://passwordsafe.sourceforge.net/relatedprojects.shtml>.
    72. 

  72. 

  73. =back
    74. 

  74. 

  75. Actual handling of Password Safe format is based on L<Crypt::PWSafe3>
    76. 

  76. module. Passwd::Keyring::PWSafe3 just wraps it into the interface
    77. 

  77. compatible with other Passwd::Keyring backends.
    78. 

  78. 

  79. See L<Passwd::Keyring::Auto::KeyringAPI> for detailed comments
    80. 

  80. on keyring methods (this document is installed with
    81. 

  81. C<Passwd::Keyring::Auto> package).
    82. 

  82. 

  83. =head1 CAVEATS
    84. 

  84. 

  85. Underlying module (L<Crypt::PWSafe3>) in fact rewrites the whole file
    86. 

  86. on every save and keeps all passwords cached in memory while active.
    87. 

  87. This means, that any attempts to use the file paralelly from a few
    88. 

  88. programs, or from a few objects within one program, are doomed to
    89. 

  89. cause lost updates. Also, all passwords from the file are kept in
    90. 

  90. (unprotected) memory while keyring object is active. Therefore, it is
    91. 

  91. recommended to use separate .psafe3 file for Passwd::Keyring::PWSafe3,
    92. 

  92. not mixing it with normal Password Safe database, and to keep keyring
    93. 

  93. object for a short time only, especially if modifications happen.
    94. 

  94. 

  95. There are some limitations in L<Crypt::PWSafe3> handling of Password
    96. 

  96. Safe format. Passwords are read and saved properly and it is possible
    97. 

  97. to alternate using them from perl, and via Password Safe GUI, but some
    98. 

  98. less important aspects of the format, like password expiraton policy,
    99. 

  99. may be ignored. Refer to L<Crypt::PWSafe3> docs for more details.
    100. 

  100. 

  101. =head1 DATA MAPPING
    102. 

  102. 

  103. Group name is mapped to Password Safe folder.
    104. 

  104. 

  105. Realm is mapped as password title.
    106. 

  106. 

  107. Username and password are ... well, used as username and password.
    108. 

  108. 

  109. =head1 SUBROUTINES/METHODS
    110. 

  110. 

  111. =head2 new(app=>'app name', group=>'passwords folder', file=>'pwsafe3 file', master_password=>'secret or callback', lazy_save=>1)
    112. 

  112. 

  113. Initializes the processing. Croaks if Crypt::PWSafe3 is not installed or
    114. 

  114. master password is invalid. May create password file if it is missing.
    115. 

  115. 

  116. Handled parameters:
    117. 

  117. 

  118. =over 4
    119. 

  119. 

  120. =item app
    121. 

  121. 

  122. Symbolic application name (used in password notes)
    123. 

  123. 

  124. =item group
    125. 

  125. 

  126. Name for the password group (used as folder name)
    127. 

  127. 

  128. =item file
    129. 

  129. 

  130. Location of .pwsafe3 file. If not given, C<passwd-keyring.pwsafe3> in
    131. 

  131. user home directory is used. Will be created if does not exist. Note:
    132. 

  132. absolute path is required, relative paths are very error prone.
    133. 

  133. 

  134. =item master_password 
    135. 

  135. 

  136. Password required to unlock the file. Can be given as string, or
    137. 

  137. as callback returning a string (usually some way of interactively
    138. 

  138. asking user for the password).  The callback gets two parameters: app
    139. 

  139. and file.
    140. 

  140. 

  141. If this param is missing, module will prompt interactively for this
    142. 

  142. password using console prompt.
    143. 

  143. 

  144. =item lazy_save
    145. 

  145. 

  146. if given, asks not to save the file after every change (saving is
    147. 

  147. fairly time consuming), but only when $keyring->save is called or when
    148. 

  148. keyring is destroyed.
    149. 

  149. 

  150. =back
    151. 

  151. 

  152. Note: it of course does not make much sense to keep app passwords in
    153. 

  153. encrypted storage if master password is saved in plain text. The
    154. 

  154. module most natural usage is to interactively ask for master password
    155. 

  155. (and use it to protect noticeable number of application-specific
    156. 

  156. passwords).
    157. 

  157. 

  158. Ideas of how to workaround this obstacle are welcome. I loosely
    159. 

  159. consider either caching master password per desktop session
    160. 

  160. (implementing sht. similar to ssh-agent/gpg-agent or using one of
    161. 

  161. those somehow), or integrating the tool with PAM to use actual system
    162. 

  162. password, or both - but while it seems doable on Linux, cross platform
    163. 

  163. solution is not so easy.
    164. 

  164. 

  165. =cut
    166. 

  166. 

  167. sub new {
    168. 

  168.     my ($cls, %args) = @_;
    169. 

  169. 

  170.     my $self = {};
    171. 

  171.     $self->{app} = $args{app} || 'Passwd::Keyring::PWSafe3';
    172. 

  172.     $self->{group} = $args{group} || 'Passwd::Keyring';
    173. 

  173.     $self->{lazy_save} = $args{lazy_save};
    174. 

  174.     my $file = $args{file} || File::Spec->catfile(File::HomeDir->users_data, "passwd-keyring.pwsafe3");
    175. 

  175. 

  176.     unless(File::Spec->file_name_is_absolute($file)) {
    177. 

  177.         croak("Absolute path to .pwsafe3 file is required, but relative path '$file' given");
    178. 

  178.     }
    179. 

  179.     my $parent_dir = dirname($file);
    180. 

  180.     unless(-d $parent_dir) {
    181. 

  181.         croak("Directory $parent_dir (parent directory of file $file) does not exist");
    182. 

  182.     }
    183. 

  183. 

  184.     # TODO: escape group (note that . are used for hierarchy!)
    185. 

  185.     # TODO: some locking or maybe detect gui
    186. 

  186. 

  187.     bless $self;
    188. 

  188. 

  189.     my $master = $args{master_password} || \&_prompt_for_password;
    190. 

  190.     if(ref($master) eq 'CODE') {
    191. 

  191.         $master = $master->($self->{app}, $file);
    192. 

  192.     }
    193. 

  193. 

  194.     $self->{vault} = Crypt::PWSafe3->new(file=>$file, password=>$master);
    195. 

  195. 

  196.     return $self;
    197. 

  197. }
    198. 

  198. 

  199. sub DESTROY {
    200. 

  200.     my $self = shift;
    201. 

  201.     $self->save();
    202. 

  202. }
    203. 

  203. 

  204. sub _prompt_for_password {
    205. 

  205.     my ($app, $file) = @_;
    206. 

  206.     print "* The applicaton $app is requesting to access\n";
    207. 

  207.     print "* the Password Safe file $file\n";
    208. 

  208.     if (-f $file) {
    209. 

  209.         print "* Enter master password necessary to unlock this file.\n";
    210. 

  210.     } else {
    211. 

  211.         print "* (the file does not exist and will be created on first password save)\n";
    212. 

  212.         print "* Enter master password which will protect this file.\n";
    213. 

  213.     }
    214. 

  214.     while(1) {
    215. 

  215.         print "  Master password: ";
    216. 

  216.         ReadMode 'noecho';
    217. 

  217.         my $password = ReadLine 0; chomp($password);
    218. 

  218.         ReadMode 'normal';
    219. 

  219.         print "\n";
    220. 

  220.         return $password if $password;
    221. 

  221.     }
    222. 

  222. }
    223. 

  223. 

  224. # Find data record for given params, or undef if not found
    225. 

  225. sub _find_record {
    226. 

  226.     my ($self, $username, $realm) = @_;
    227. 

  227.     my $group = $self->{group};
    228. 

  228.     foreach my $record($self->{vault}->getrecords()) {
    229. 

  229.         if( ($record->group || '') eq $group
    230. 

  230.             && ($record->user || '') eq $username
    231. 

  231.             && ($record->title || '')  eq $realm) {
    232. 

  232.             return $record;
    233. 

  233.         }
    234. 

  234.     }
    235. 

  235.     return undef;
    236. 

  236. }
    237. 

  237. 

  238. =head2 set_password(username, password, realm)
    239. 

  239. 

  240. Sets (stores) password identified by given realm for given user 
    241. 

  241. 

  242. =cut
    243. 

  243. 

  244. sub set_password {
    245. 

  245.     my ($self, $user_name, $user_password, $realm) = @_;
    246. 

  246. 

  247.     my $rec = $self->_find_record($user_name, $realm);
    248. 

  248.     if($rec) {
    249. 

  249.         $self->{vault}->modifyrecord(
    250. 

  250.             $rec->uuid,
    251. 

  251.             passwd => $user_password,
    252. 

  252.             notes => "Saved by $self->{app}",
    253. 

  253.            );
    254. 

  254.     } else {
    255. 

  255.         $self->{vault}->newrecord(
    256. 

  256.             group => $self->{group},
    257. 

  257.             title => $realm,
    258. 

  258.             user => $user_name,
    259. 

  259.             passwd => $user_password,
    260. 

  260.             notes => "Saved by $self->{app}",
    261. 

  261.             );
    262. 

  262.     }
    263. 

  263.     $self->save() unless $self->{lazy_save};
    264. 

  264. }
    265. 

  265. 

  266. =head2 get_password($user_name, $realm)
    267. 

  267. 

  268. Reads previously stored password for given user in given app.
    269. 

  269. If such password can not be found, returns undef.
    270. 

  270. 

  271. =cut
    272. 

  272. 

  273. sub get_password {
    274. 

  274.     my ($self, $user_name, $realm) = @_;
    275. 

  275. 

  276.     my $rec = $self->_find_record($user_name, $realm);
    277. 

  277.     if($rec) {
    278. 

  278.         return $rec->passwd;
    279. 

  279.     }
    280. 

  280.     return undef;
    281. 

  281. }
    282. 

  282. 

  283. =head2 clear_password($user_name, $realm)
    284. 

  284. 

  285. Removes given password (if present)
    286. 

  286. 

  287. =cut
    288. 

  288. 

  289. sub clear_password {
    290. 

  290.     my ($self, $user_name, $realm) = @_;
    291. 

  291. 

  292.     my $rec = $self->_find_record($user_name, $realm);
    293. 

  293.     if($rec) {
    294. 

  294.         $self->{vault}->deleterecord($rec->uuid);
    295. 

  295.         $self->save() unless $self->{lazy_save};
    296. 

  296.         return 1;
    297. 

  297.     } else {
    298. 

  298.         return 0;
    299. 

  299.     }
    300. 

  300. }
    301. 

  301. 

  302. =head2 save
    303. 

  303. 

  304. Saves unsaved changes, if any are present.
    305. 

  305. 

  306. Important only when lazy_save was given in constructor.
    307. 

  307. 

  308. =cut
    309. 

  309. 

  310. sub save {
    311. 

  311.     my ($self) = @_;
    312. 

  312.     # Crypt::PWSafe3 internally keeps track of changes presence,
    313. 

  313.     # and makes this noop if there are no changes. So just call it.
    314. 

  314.     $self->{vault}->save();
    315. 

  315. }
    316. 

  316. 

  317. =head2 is_persistent
    318. 

  318. 

  319. Returns info, whether this keyring actually saves passwords persistently.
    320. 

  320. 

  321. (true in this case)
    322. 

  322. 

  323. =cut
    324. 

  324. 

  325. sub is_persistent {
    326. 

  326.     my ($self) = @_;
    327. 

  327.     return 1;
    328. 

  328. }
    329. 

  329. 

  330. =head1 AUTHOR
    331. 

  331. 

  332. Marcin Kasperski
    333. 

  333. 

  334. =head1 BUGS
    335. 

  335. 

  336. Please report any bugs or feature requests to 
    337. 

  337. issue tracker at L<https://bitbucket.org/Mekk/perl-keyring-pwsafe3>.
    338. 

  338. 

  339. =head1 SUPPORT
    340. 

  340. 

  341. You can find documentation for this module with the perldoc command.
    342. 

  342. 

  343.     perldoc Passwd::Keyring::PWSafe3
    344. 

  344. 

  345. You can also look for information at:
    346. 

  346. 

  347. L<http://search.cpan.org/~mekk/Passwd-Keyring-PWSafe3/>
    348. 

  348. 

  349. Source code is tracked at:
    350. 

  350. 

  351. L<https://bitbucket.org/Mekk/perl-keyring-pwsafe3>
    352. 

  352. 

  353. =head1 LICENSE AND COPYRIGHT
    354. 

  354. 

  355. Copyright 2012 Marcin Kasperski.
    356. 

  356. 

  357. This program is free software; you can redistribute it and/or modify it
    358. 

  358. under the terms of either: the GNU General Public License as published
    359. 

  359. by the Free Software Foundation; or the Artistic License.
    360. 

  360. 

  361. See http://dev.perl.org/licenses/ for more information.
    362. 

  362. 

  363. =cut
    364. 

  364. 

  365. 

  366. 1; # End of Passwd::Keyring::PWSafe3
    367. 

  367. 

  368. 

  369.