derivepassphrase.git

1) # SPDX-FileCopyrightText: 2024 Marco Ricci <m@the13thletter.info>
2) #
3) # SPDX-License-Identifier: MIT
4) 
5) """Command-line interface for derivepassphrase.
6) 
7) """
8) 
9) from __future__ import annotations
10) 

11) import base64
12) import collections
13) from collections.abc import MutableMapping
14) import contextlib

15) import inspect
16) import json

17) import os

18) import pathlib

19) import socket
20) from typing import (
21)     Any, assert_never, cast, reveal_type, Iterator, Never, NotRequired,
22)     Sequence, TextIO, TypedDict, TYPE_CHECKING,
23) )

24) 
25) import click
26) import derivepassphrase as dpp
27) from derivepassphrase import types as dpp_types

28) import ssh_agent_client

29) 
30) __author__ = dpp.__author__
31) __version__ = dpp.__version__
32) 
33) __all__ = ('derivepassphrase',)
34) 
35) prog_name = 'derivepassphrase'
36) 
37) 

38) def _config_filename() -> str | bytes | pathlib.Path:
39)     """Return the filename of the configuration file.
40) 
41)     The file is currently named `settings.json`, located within the
42)     configuration directory as determined by the `DERIVEPASSPHRASE_PATH`
43)     environment variable, or by [`click.get_app_dir`][] in POSIX
44)     mode.
45) 
46)     """
47)     path: str | bytes | pathlib.Path
48)     path = (os.getenv(prog_name.upper() + '_PATH')
49)             or click.get_app_dir(prog_name, force_posix=True))
50)     return os.path.join(path, 'settings.json')
51) 
52) 
53) def _load_config() -> dpp_types.VaultConfig:
54)     """Load a vault(1)-compatible config from the application directory.
55) 
56)     The filename is obtained via
57)     [`derivepassphrase.cli._config_filename`][].  This must be an
58)     unencrypted JSON file.
59) 
60)     Returns:
61)         The vault settings.  See
62)         [`derivepassphrase.types.VaultConfig`][] for details.
63) 
64)     Raises:
65)         OSError:
66)             There was an OS error accessing the file.
67)         ValueError:
68)             The data loaded from the file is not a vault(1)-compatible
69)             config.
70) 
71)     """
72)     filename = _config_filename()
73)     with open(filename, 'rb') as fileobj:
74)         data = json.load(fileobj)
75)     if not dpp_types.is_vault_config(data):
76)         raise ValueError('Invalid vault config')
77)     return data
78) 
79) 
80) def _save_config(config: dpp_types.VaultConfig, /) -> None:
81)     """Save a vault(1)-compatbile config to the application directory.
82) 
83)     The filename is obtained via
84)     [`derivepassphrase.cli._config_filename`][].  The config will be
85)     stored as an unencrypted JSON file.
86) 
87)     Args:
88)         config:
89)             vault configuration to save.
90) 
91)     Raises:
92)         OSError:
93)             There was an OS error accessing or writing the file.
94)         ValueError:
95)             The data cannot be stored as a vault(1)-compatible config.
96) 
97)     """
98)     if not dpp_types.is_vault_config(config):
99)         raise ValueError('Invalid vault config')
100)     filename = _config_filename()
101)     with open(filename, 'wt', encoding='UTF-8') as fileobj:
102)         json.dump(config, fileobj)
103) 
104) 

105) def _get_suitable_ssh_keys(
106)     conn: ssh_agent_client.SSHAgentClient | socket.socket | None = None,
107)     /
108) ) -> Iterator[ssh_agent_client.types.KeyCommentPair]:
109)     """Yield all SSH keys suitable for passphrase derivation.
110) 
111)     Suitable SSH keys are queried from the running SSH agent (see
112)     [`ssh_agent_client.SSHAgentClient.list_keys`][]).
113) 
114)     Args:
115)         conn:
116)             An optional connection hint to the SSH agent; specifically,
117)             an SSH agent client, or a socket connected to an SSH agent.
118) 
119)             If an existing SSH agent client, then this client will be
120)             queried for the SSH keys, and otherwise left intact.
121) 
122)             If a socket, then a one-shot client will be constructed
123)             based on the socket to query the agent, and deconstructed
124)             afterwards.
125) 
126)             If neither are given, then the agent's socket location is
127)             looked up in the `SSH_AUTH_SOCK` environment variable, and
128)             used to construct/deconstruct a one-shot client, as in the
129)             previous case.
130) 
131)     Yields:
132)         :
133)             Every SSH key from the SSH agent that is suitable for
134)             passphrase derivation.
135) 
136)     Raises:
137)         RuntimeError:
138)             There was an error communicating with the SSH agent.
139)         RuntimeError:
140)             No keys usable for passphrase derivation are loaded into the
141)             SSH agent.
142) 
143)     """
144)     client: ssh_agent_client.SSHAgentClient
145)     client_context: contextlib.AbstractContextManager
146)     match conn:
147)         case ssh_agent_client.SSHAgentClient():
148)             client = conn
149)             client_context = contextlib.nullcontext()
150)         case socket.socket() | None:
151)             client = ssh_agent_client.SSHAgentClient(socket=conn)
152)             client_context = client
153)         case _:  # pragma: no cover
154)             assert_never(conn)
155)             raise TypeError(f'invalid connection hint: {conn!r}')
156)     with client_context:
157)         try:
158)             all_key_comment_pairs = list(client.list_keys())
159)         except EOFError as e:  # pragma: no cover
160)             raise RuntimeError(
161)                 'error communicating with the SSH agent'
162)             ) from e
163)     suitable_keys = all_key_comment_pairs[:]
164)     for pair in all_key_comment_pairs:
165)         key, comment = pair
166)         if dpp.Vault._is_suitable_ssh_key(key):
167)             yield pair
168)     if not suitable_keys:  # pragma: no cover
169)         raise RuntimeError('No usable SSH keys were found')
170) 
171) 
172) def _prompt_for_selection(
173)     items: Sequence[str | bytes], heading: str = 'Possible choices:',
174)     single_choice_prompt: str = 'Confirm this choice?',
175) ) -> int:
176)     """Prompt user for a choice among the given items.
177) 
178)     Print the heading, if any, then present the items to the user.  If
179)     there are multiple items, prompt the user for a selection, validate
180)     the choice, then return the list index of the selected item.  If
181)     there is only a single item, request confirmation for that item
182)     instead, and return the correct index.
183) 
184)     Args:
185)         heading:
186)             A heading for the list of items, to print immediately
187)             before.  Defaults to a reasonable standard heading.  If
188)             explicitly empty, print no heading.
189)         single_choice_prompt:
190)             The confirmation prompt if there is only a single possible
191)             choice.  Defaults to a reasonable standard prompt.
192) 
193)     Returns:
194)         An index into the items sequence, indicating the user's
195)         selection.
196) 
197)     Raises:
198)         IndexError:
199)             The user made an invalid or empty selection, or requested an
200)             abort.
201) 
202)     """
203)     n = len(items)
204)     if heading:
205)         click.echo(click.style(heading, bold=True))
206)     for i, x in enumerate(items, start=1):
207)         click.echo(click.style(f'[{i}]', bold=True), nl=False)
208)         click.echo(' ', nl=False)
209)         click.echo(x)
210)     if n > 1:
211)         choices = click.Choice([''] + [str(i) for i in range(1, n + 1)])
212)         choice = click.prompt(
213)             f'Your selection? (1-{n}, leave empty to abort)',
214)             err=True, type=choices, show_choices=False,
215)             show_default=False, default='')
216)         if not choice:
217)             raise IndexError('empty selection')
218)         return int(choice) - 1
219)     else:
220)         prompt_suffix = (' '
221)                          if single_choice_prompt.endswith(tuple('?.!'))
222)                          else ': ')
223)         try:
224)             click.confirm(single_choice_prompt,
225)                           prompt_suffix=prompt_suffix, err=True,
226)                           abort=True, default=False, show_default=False)
227)         except click.Abort:
228)             raise IndexError('empty selection') from None
229)         return 0
230) 
231) 
232) def _select_ssh_key(
233)     conn: ssh_agent_client.SSHAgentClient | socket.socket | None = None,
234)     /
235) ) -> bytes | bytearray:
236)     """Interactively select an SSH key for passphrase derivation.
237) 
238)     Suitable SSH keys are queried from the running SSH agent (see
239)     [`ssh_agent_client.SSHAgentClient.list_keys`][]), then the user is
240)     prompted interactively (see [`click.prompt`][]) for a selection.
241) 
242)     Args:
243)         conn:
244)             An optional connection hint to the SSH agent; specifically,
245)             an SSH agent client, or a socket connected to an SSH agent.
246) 
247)             If an existing SSH agent client, then this client will be
248)             queried for the SSH keys, and otherwise left intact.
249) 
250)             If a socket, then a one-shot client will be constructed
251)             based on the socket to query the agent, and deconstructed
252)             afterwards.
253) 
254)             If neither are given, then the agent's socket location is
255)             looked up in the `SSH_AUTH_SOCK` environment variable, and
256)             used to construct/deconstruct a one-shot client, as in the
257)             previous case.
258) 
259)     Returns:
260)         The selected SSH key.
261) 
262)     Raises:
263)         IndexError:
264)             The user made an invalid or empty selection, or requested an
265)             abort.
266)         RuntimeError:
267)             There was an error communicating with the SSH agent.
268)         RuntimeError:
269)             No keys usable for passphrase derivation are loaded into the
270)             SSH agent.
271)     """
272)     suitable_keys = list(_get_suitable_ssh_keys(conn))
273)     key_listing: list[str] = []
274)     unstring_prefix = ssh_agent_client.SSHAgentClient.unstring_prefix
275)     for key, comment in suitable_keys:
276)         keytype = unstring_prefix(key)[0].decode('ASCII')
277)         key_str = base64.standard_b64encode(key).decode('ASCII')
278)         key_prefix = key_str if len(key_str) < 30 else key_str[:27] + '...'
279)         comment_str = comment.decode('UTF-8', errors='replace')
280)         key_listing.append(f'{keytype} {key_prefix} {comment_str}')
281)     choice = _prompt_for_selection(
282)         key_listing, heading='Suitable SSH keys:',
283)         single_choice_prompt='Use this key?')
284)     return suitable_keys[choice].key
285) 
286) 
287) def _prompt_for_passphrase() -> str:
288)     """Interactively prompt for the passphrase.
289) 
290)     Calls [`click.prompt`][] internally.  Moved into a separate function
291)     mainly for testing/mocking purposes.
292) 
293)     Returns:
294)         The user input.
295) 
296)     """
297)     return click.prompt('Passphrase', default='', hide_input=True,
298)                         show_default=False, err=True)
299) 
300) 

301) class OptionGroupOption(click.Option):

302)     """A [`click.Option`][] with an associated group name and group epilog.
303) 
304)     Used by [`derivepassphrase.cli.CommandWithHelpGroups`][] to print
305)     help sections.  Each subclass contains its own group name and
306)     epilog.
307) 
308)     Attributes:
309)         option_group_name:
310)             The name of the option group.  Used as a heading on the help
311)             text for options in this section.
312)         epilog:
313)             An epilog to print after listing the options in this
314)             section.
315) 
316)     """
317)     option_group_name: str = ''
318)     epilog: str = ''
319) 
320)     def __init__(self, *args, **kwargs):  # type: ignore
321)         if self.__class__ == __class__:
322)             raise NotImplementedError()
323)         return super().__init__(*args, **kwargs)
324) 

325) 
326) class CommandWithHelpGroups(click.Command):

327)     """A [`click.Command`][] with support for help/option groups.
328) 
329)     Inspired by [a comment on `pallets/click#373`][CLICK_ISSUE], and
330)     further modified to support group epilogs.
331) 
332)     [CLICK_ISSUE]: https://github.com/pallets/click/issues/373#issuecomment-515293746
333) 
334)     """
335) 

336)     def format_options(
337)         self, ctx: click.Context, formatter: click.HelpFormatter,
338)     ) -> None:

339)         r"""Format options on the help listing, grouped into sections.
340) 
341)         As part of the `--help` listing, list all options, but grouped
342)         into sections according to the concrete [`click.Option`][]
343)         subclass being used.  If the option is an instance of some
344)         subclass `X` of [`derivepassphrase.cli.OptionGroupOption`][],
345)         then the section heading and the epilog is taken from
346)         `X.option_group_name` and `X.epilog`; otherwise, the section
347)         heading is "Options" (or "Other options" if there are other
348)         option groups) and the epilog is empty.
349) 
350)         Args:
351)             ctx:
352)                 The click context.
353)             formatter:
354)                 The formatter for the `--help` listing.
355) 
356)         """

357)         help_records: dict[str, list[tuple[str, str]]] = {}
358)         epilogs: dict[str, str] = {}
359)         params = self.params[:]

360)         if (  # pragma: no branch
361)             (help_opt := self.get_help_option(ctx)) is not None
362)             and help_opt not in params
363)         ):

364)             params.append(help_opt)
365)         for param in params:
366)             rec = param.get_help_record(ctx)
367)             if rec is not None:
368)                 if isinstance(param, OptionGroupOption):
369)                     group_name = param.option_group_name
370)                     epilogs.setdefault(group_name, param.epilog)
371)                 else:
372)                     group_name = ''
373)                 help_records.setdefault(group_name, []).append(rec)
374)         default_group = help_records.pop('')
375)         default_group_name = ('Other Options' if len(default_group) > 1
376)                               else 'Options')
377)         help_records[default_group_name] = default_group
378)         for group_name, records in help_records.items():
379)             with formatter.section(group_name):
380)                 formatter.write_dl(records)
381)             epilog = inspect.cleandoc(epilogs.get(group_name, ''))
382)             if epilog:
383)                 formatter.write_paragraph()
384)                 with formatter.indentation():
385)                     formatter.write_text(epilog)
386) 

387) 

388) # Concrete option groups used by this command-line interface.
389) class PasswordGenerationOption(OptionGroupOption):

390)     """Password generation options for the CLI."""

391)     option_group_name = 'Password generation'

392)     epilog = '''
393)         Use NUMBER=0, e.g. "--symbol 0", to exclude a character type
394)         from the output.
395)     '''
396) 

397) 
398) class ConfigurationOption(OptionGroupOption):

399)     """Configuration options for the CLI."""

400)     option_group_name = 'Configuration'

401)     epilog = '''
402)         Use $VISUAL or $EDITOR to configure the spawned editor.
403)     '''
404) 

405) 
406) class StorageManagementOption(OptionGroupOption):

407)     """Storage management options for the CLI."""

408)     option_group_name = 'Storage management'

409)     epilog = '''
410)         Using "-" as PATH for standard input/standard output is
411)         supported.
412)     '''

413) 

414) def _validate_occurrence_constraint(

415)     ctx: click.Context, param: click.Parameter, value: Any,
416) ) -> int | None:

417)     """Check that the occurrence constraint is valid (int, 0 or larger)."""

418)     if value is None:
419)         return value
420)     if isinstance(value, int):
421)         int_value = value
422)     else:
423)         try:
424)             int_value = int(value, 10)
425)         except ValueError as e:
426)             raise click.BadParameter('not an integer') from e
427)     if int_value < 0:
428)         raise click.BadParameter('not a non-negative integer')
429)     return int_value
430) 

431) 
432) def _validate_length(

433)     ctx: click.Context, param: click.Parameter, value: Any,
434) ) -> int | None:

435)     """Check that the length is valid (int, 1 or larger)."""

436)     if value is None:
437)         return value
438)     if isinstance(value, int):
439)         int_value = value
440)     else:
441)         try:
442)             int_value = int(value, 10)
443)         except ValueError as e:
444)             raise click.BadParameter('not an integer') from e
445)     if int_value < 1:
446)         raise click.BadParameter('not a positive integer')
447)     return int_value
448) 

449) DEFAULT_NOTES_TEMPLATE = '''\
450) # Enter notes below the line with the cut mark (ASCII scissors and
451) # dashes).  Lines above the cut mark (such as this one) will be ignored.
452) #
453) # If you wish to clear the notes, leave everything beyond the cut mark
454) # blank.  However, if you leave the *entire* file blank, also removing
455) # the cut mark, then the edit is aborted, and the old notes contents are
456) # retained.
457) #
458) # - - - - - >8 - - - - - >8 - - - - - >8 - - - - - >8 - - - - -
459) '''
460) DEFAULT_NOTES_MARKER = '# - - - - - >8 - - - - -'
461) 
462) 

463) @click.command(
464)     context_settings={"help_option_names": ["-h", "--help"]},
465)     cls=CommandWithHelpGroups,

466)     epilog=r'''

467)         WARNING: There is NO WAY to retrieve the generated passphrases
468)         if the master passphrase, the SSH key, or the exact passphrase
469)         settings are lost, short of trying out all possible
470)         combinations.  You are STRONGLY advised to keep independent
471)         backups of the settings and the SSH key, if any.

472) 
473)         Configuration is stored in a directory according to the
474)         DERIVEPASSPHRASE_PATH variable, which defaults to
475)         `~/.derivepassphrase` on UNIX-like systems and
476)         `C:\Users\<user>\AppData\Roaming\Derivepassphrase` on Windows.
477)         The configuration is NOT encrypted, and you are STRONGLY
478)         discouraged from using a stored passphrase.

479)     ''',
480) )

481) @click.option('-p', '--phrase', 'use_phrase', is_flag=True,

482)               help='prompts you for your passphrase',
483)               cls=PasswordGenerationOption)

484) @click.option('-k', '--key', 'use_key', is_flag=True,

485)               help='uses your SSH private key to generate passwords',
486)               cls=PasswordGenerationOption)

487) @click.option('-l', '--length', metavar='NUMBER',
488)               callback=_validate_length,

489)               help='emits password of length NUMBER',
490)               cls=PasswordGenerationOption)
491) @click.option('-r', '--repeat', metavar='NUMBER',

492)               callback=_validate_occurrence_constraint,

493)               help='allows maximum of NUMBER repeated adjacent chars',
494)               cls=PasswordGenerationOption)
495) @click.option('--lower', metavar='NUMBER',

496)               callback=_validate_occurrence_constraint,

497)               help='includes at least NUMBER lowercase letters',
498)               cls=PasswordGenerationOption)
499) @click.option('--upper', metavar='NUMBER',

500)               callback=_validate_occurrence_constraint,

501)               help='includes at least NUMBER uppercase letters',
502)               cls=PasswordGenerationOption)
503) @click.option('--number', metavar='NUMBER',

504)               callback=_validate_occurrence_constraint,

505)               help='includes at least NUMBER digits',
506)               cls=PasswordGenerationOption)
507) @click.option('--space', metavar='NUMBER',

508)               callback=_validate_occurrence_constraint,

509)               help='includes at least NUMBER spaces',
510)               cls=PasswordGenerationOption)
511) @click.option('--dash', metavar='NUMBER',

512)               callback=_validate_occurrence_constraint,

513)               help='includes at least NUMBER "-" or "_"',
514)               cls=PasswordGenerationOption)
515) @click.option('--symbol', metavar='NUMBER',

516)               callback=_validate_occurrence_constraint,

517)               help='includes at least NUMBER symbol chars',
518)               cls=PasswordGenerationOption)

519) @click.option('-n', '--notes', 'edit_notes', is_flag=True,

520)               help='spawn an editor to edit notes for SERVICE',
521)               cls=ConfigurationOption)

522) @click.option('-c', '--config', 'store_config_only', is_flag=True,

523)               help='saves the given settings for SERVICE or global',
524)               cls=ConfigurationOption)

525) @click.option('-x', '--delete', 'delete_service_settings', is_flag=True,

526)               help='deletes settings for SERVICE',
527)               cls=ConfigurationOption)
528) @click.option('--delete-globals', is_flag=True,
529)               help='deletes the global shared settings',
530)               cls=ConfigurationOption)

531) @click.option('-X', '--clear', 'clear_all_settings', is_flag=True,

532)               help='deletes all settings',
533)               cls=ConfigurationOption)

534) @click.option('-e', '--export', 'export_settings', metavar='PATH',
535)               type=click.Path(file_okay=True, allow_dash=True, exists=False),

536)               help='export all saved settings into file PATH',
537)               cls=StorageManagementOption)

538) @click.option('-i', '--import', 'import_settings', metavar='PATH',
539)               type=click.Path(file_okay=True, allow_dash=True, exists=False),

540)               help='import saved settings from file PATH',
541)               cls=StorageManagementOption)
542) @click.version_option(version=dpp.__version__, prog_name=prog_name)
543) @click.argument('service', required=False)
544) @click.pass_context
545) def derivepassphrase(

546)     ctx: click.Context, /, *,
547)     service: str | None = None,
548)     use_phrase: bool = False,
549)     use_key: bool = False,
550)     length: int | None = None,
551)     repeat: int | None = None,
552)     lower: int | None = None,
553)     upper: int | None = None,
554)     number: int | None = None,
555)     space: int | None = None,
556)     dash: int | None = None,
557)     symbol: int | None = None,
558)     edit_notes: bool = False,
559)     store_config_only: bool = False,
560)     delete_service_settings: bool = False,
561)     delete_globals: bool = False,
562)     clear_all_settings: bool = False,
563)     export_settings: TextIO | pathlib.Path | os.PathLike[str] | None = None,
564)     import_settings: TextIO | pathlib.Path | os.PathLike[str] | None = None,

565) ) -> None:
566)     """Derive a strong passphrase, deterministically, from a master secret.
567) 
568)     Using a master passphrase or a master SSH key, derive a strong
569)     passphrase for SERVICE, deterministically, subject to length,
570)     character and character repetition constraints.  The service name
571)     and constraints themselves need not be kept secret; the latter are
572)     usually stored in a world-readable file.
573) 
574)     If operating on global settings, or importing/exporting settings,
575)     then SERVICE must be omitted.  Otherwise it is required.\f
576) 
577)     This is a [`click`][CLICK]-powered command-line interface function,
578)     and not intended for programmatic use.  Call with arguments

579)     `['--help']` to see full documentation of the interface.  (See also
580)     [`click.testing.CliRunner`][] for controlled, programmatic
581)     invocation.)

582) 
583)     [CLICK]: https://click.palletsprojects.com/
584) 
585)     Parameters:
586)         ctx (click.Context):
587)             The `click` context.
588) 
589)     Other Parameters:

590)         service:

591)             A service name.  Required, unless operating on global
592)             settings or importing/exporting settings.

593)         use_phrase:

594)             Command-line argument `-p`/`--phrase`.  If given, query the
595)             user for a passphrase instead of an SSH key.

596)         use_key:

597)             Command-line argument `-k`/`--key`.  If given, query the
598)             user for an SSH key instead of a passphrase.

599)         length:

600)             Command-line argument `-l`/`--length`.  Override the default
601)             length of the generated passphrase.

602)         repeat:

603)             Command-line argument `-r`/`--repeat`.  Override the default
604)             repetition limit if positive, or disable the repetition
605)             limit if 0.

606)         lower:

607)             Command-line argument `--lower`.  Require a given amount of
608)             ASCII lowercase characters if positive, else forbid ASCII
609)             lowercase characters if 0.

610)         upper:

611)             Command-line argument `--upper`.  Same as `lower`, but for
612)             ASCII uppercase characters.

613)         number:

614)             Command-line argument `--number`.  Same as `lower`, but for
615)             ASCII digits.

616)         space:

617)             Command-line argument `--number`.  Same as `lower`, but for
618)             the space character.

619)         dash:

620)             Command-line argument `--number`.  Same as `lower`, but for
621)             the hyphen-minus and underscore characters.

622)         symbol:

623)             Command-line argument `--number`.  Same as `lower`, but for
624)             all other ASCII printable characters (except backquote).

625)         edit_notes:

626)             Command-line argument `-n`/`--notes`.  If given, spawn an
627)             editor to edit notes for `service`.

628)         store_config_only:

629)             Command-line argument `-c`/`--config`.  If given, saves the
630)             other given settings (`--key`, ..., `--symbol`) to the
631)             configuration file, either specifically for `service` or as
632)             global settings.

633)         delete_service_settings:

634)             Command-line argument `-x`/`--delete`.  If given, removes
635)             the settings for `service` from the configuration file.

636)         delete_globals:

637)             Command-line argument `--delete-globals`.  If given, removes
638)             the global settings from the configuration file.

639)         clear_all_settings:

640)             Command-line argument `-X`/`--clear`.  If given, removes all
641)             settings from the configuration file.

642)         export_settings:
643)             Command-line argument `-e`/`--export`.  If a file object,
644)             then it must be open for writing and accept `str` inputs.
645)             Otherwise, a filename to open for writing.  Using `-` for
646)             standard output is supported.
647)         import_settings:
648)             Command-line argument `-i`/`--import`.  If a file object, it
649)             must be open for reading and yield `str` values.  Otherwise,
650)             a filename to open for reading.  Using `-` for standard
651)             input is supported.

652) 
653)     """

654) 
655)     options_in_group: dict[type[click.Option], list[click.Option]] = {}
656)     params_by_str: dict[str, click.Parameter] = {}

657)     for param in ctx.command.params:
658)         if isinstance(param, click.Option):
659)             group: type[click.Option]

660)             match param:
661)                 case PasswordGenerationOption():
662)                     group = PasswordGenerationOption
663)                 case ConfigurationOption():
664)                     group = ConfigurationOption
665)                 case StorageManagementOption():
666)                     group = StorageManagementOption
667)                 case OptionGroupOption():
668)                     raise AssertionError(
669)                         f'Unknown option group for {param!r}')
670)                 case _:
671)                     group = click.Option
672)             options_in_group.setdefault(group, []).append(param)
673)         params_by_str[param.human_readable_name] = param
674)         for name in param.opts + param.secondary_opts:
675)             params_by_str[name] = param
676) 
677)     def is_param_set(param: click.Parameter):
678)         return bool(ctx.params.get(param.human_readable_name))
679) 

680)     def check_incompatible_options(

681)         param: click.Parameter | str, *incompatible: click.Parameter | str,

682)     ) -> None:

683)         if isinstance(param, str):
684)             param = params_by_str[param]
685)         assert isinstance(param, click.Parameter)
686)         if not is_param_set(param):

687)             return
688)         for other in incompatible:

689)             if isinstance(other, str):
690)                 other = params_by_str[other]
691)             assert isinstance(other, click.Parameter)
692)             if other != param and is_param_set(other):
693)                 opt_str = param.opts[0]
694)                 other_str = other.opts[0]
695)                 raise click.BadOptionUsage(
696)                     opt_str, f'mutually exclusive with {other_str}', ctx=ctx)
697) 
698)     def get_config() -> dpp_types.VaultConfig:
699)         try:
700)             return _load_config()
701)         except FileNotFoundError:
702)             return {'services': {}}
703)         except Exception as e:
704)             ctx.fail(f'cannot load config: {e}')
705) 
706)     configuration: dpp_types.VaultConfig
707) 
708)     check_incompatible_options('--phrase', '--key')

709)     for group in (ConfigurationOption, StorageManagementOption):

710)         for opt in options_in_group[group]:
711)             if opt != params_by_str['--config']:
712)                 check_incompatible_options(
713)                     opt, *options_in_group[PasswordGenerationOption])
714) 

715)     for group in (ConfigurationOption, StorageManagementOption):

716)         for opt in options_in_group[group]:
717)             check_incompatible_options(
718)                 opt, *options_in_group[ConfigurationOption],
719)                 *options_in_group[StorageManagementOption])
720)     sv_options = (options_in_group[PasswordGenerationOption] +
721)                   [params_by_str['--notes'], params_by_str['--delete']])
722)     sv_options.remove(params_by_str['--key'])
723)     sv_options.remove(params_by_str['--phrase'])
724)     for param in sv_options:
725)         if is_param_set(param) and not service:
726)             opt_str = param.opts[0]
727)             raise click.UsageError(f'{opt_str} requires a SERVICE')
728)     for param in [params_by_str['--key'], params_by_str['--phrase']]:
729)         if (
730)             is_param_set(param)
731)             and not (service or is_param_set(params_by_str['--config']))
732)         ):
733)             opt_str = param.opts[0]
734)             raise click.UsageError(f'{opt_str} requires a SERVICE or --config')
735)     no_sv_options = [params_by_str['--delete-globals'],
736)                      params_by_str['--clear'],
737)                      *options_in_group[StorageManagementOption]]
738)     for param in no_sv_options:
739)         if is_param_set(param) and service:
740)             opt_str = param.opts[0]

741)             raise click.UsageError(

742)                 f'{opt_str} does not take a SERVICE argument')

743) 
744)     if edit_notes:
745)         assert service is not None
746)         configuration = get_config()
747)         text = (DEFAULT_NOTES_TEMPLATE +
748)                 configuration['services']
749)                 .get(service, cast(dpp_types.VaultConfigServicesSettings, {}))
750)                 .get('notes', ''))
751)         notes_value = click.edit(text=text)
752)         if notes_value is not None:
753)             notes_lines = collections.deque(notes_value.splitlines(True))
754)             while notes_lines:
755)                 line = notes_lines.popleft()
756)                 if line.startswith(DEFAULT_NOTES_MARKER):
757)                     notes_value = ''.join(notes_lines)
758)                     break
759)             else:
760)                 if not notes_value.strip():
761)                     ctx.fail('not saving new notes: user aborted request')
762)             configuration['services'].setdefault(service, {})['notes'] = (
763)                 notes_value.strip('\n'))
764)             _save_config(configuration)
765)     elif delete_service_settings:
766)         assert service is not None
767)         configuration = get_config()
768)         if service in configuration['services']:
769)             del configuration['services'][service]
770)             _save_config(configuration)
771)     elif delete_globals:
772)         configuration = get_config()
773)         if 'global' in configuration:
774)             del configuration['global']
775)             _save_config(configuration)
776)     elif clear_all_settings:
777)         _save_config({'services': {}})
778)     elif import_settings:
779)         try:
780)             # TODO: keep track of auto-close; try os.dup if feasible
781)             infile = (cast(TextIO, import_settings)
782)                       if hasattr(import_settings, 'close')
783)                       else click.open_file(os.fspath(import_settings), 'rt'))
784)             with infile:
785)                 maybe_config = json.load(infile)
786)         except json.JSONDecodeError as e:
787)             ctx.fail(f'Cannot load config: cannot decode JSON: {e}')
788)         except OSError as e:
789)             ctx.fail(f'Cannot load config: {e.strerror}')
790)         if dpp_types.is_vault_config(maybe_config):
791)             _save_config(maybe_config)
792)         else:
793)             ctx.fail('not a valid config')
794)     elif export_settings:
795)         configuration = get_config()
796)         try:
797)             # TODO: keep track of auto-close; try os.dup if feasible
798)             outfile = (cast(TextIO, export_settings)
799)                        if hasattr(export_settings, 'close')
800)                        else click.open_file(os.fspath(export_settings), 'wt'))
801)             with outfile:
802)                 json.dump(configuration, outfile)
803)         except OSError as e:
804)             ctx.fail('cannot write config: {e.strerror}')
805)     else:
806)         configuration = get_config()
807)         # This block could be type checked more stringently, but this
808)         # would probably involve a lot of code repetition.  Since we
809)         # have a type guarding function anyway, assert that we didn't
810)         # make any mistakes at the end instead.
811)         global_keys = {'key', 'phrase'}
812)         service_keys = {'key', 'phrase', 'length', 'repeat', 'lower',
813)                         'upper', 'number', 'space', 'dash', 'symbol'}
814)         settings: collections.ChainMap[str, Any] = collections.ChainMap(
815)             {k: v for k, v in locals().items()
816)              if k in service_keys and v is not None},
817)             cast(dict[str, Any],
818)                  configuration['services'].get(service or '', {})),
819)             {},
820)             cast(dict[str, Any], configuration.get('global', {}))
821)         )
822)         if use_key:
823)             try:
824)                 key = base64.standard_b64encode(
825)                     _select_ssh_key()).decode('ASCII')
826)             except IndexError:
827)                 ctx.fail('no valid SSH key selected')
828)             except RuntimeError as e:
829)                 ctx.fail(str(e))
830)         elif use_phrase:
831)             maybe_phrase = _prompt_for_passphrase()
832)             if not maybe_phrase:
833)                 ctx.fail('no passphrase given')
834)             else:
835)                 phrase = maybe_phrase
836)         if store_config_only:
837)             view: collections.ChainMap[str, Any]
838)             view = (collections.ChainMap(*settings.maps[:2]) if service
839)                     else settings.parents.parents)
840)             if use_key:
841)                 view['key'] = key
842)                 for m in view.maps:
843)                     m.pop('phrase', '')
844)             elif use_phrase:
845)                 view['phrase'] = phrase
846)                 for m in view.maps:
847)                     m.pop('key', '')
848)             if service:
849)                 if not view.maps[0]:
850)                     raise click.UsageError('cannot update service settings '
851)                                            'without actual settings')
852)                 else:
853)                     configuration['services'].setdefault(
854)                         service, {}).update(view)  # type: ignore[typeddict-item]
855)             else:
856)                 if not view.maps[0]:
857)                     raise click.UsageError('cannot update global settings '
858)                                            'without actual settings')
859)                 else:
860)                     configuration.setdefault(
861)                         'global', {}).update(view)  # type: ignore[typeddict-item]
862)             assert dpp_types.is_vault_config(configuration), (
863)                 f'invalid vault configuration: {configuration!r}'
864)             )
865)             _save_config(configuration)
866)         else:
867)             if not service:
868)                 raise click.UsageError(f'SERVICE is required')
869)             kwargs: dict[str, Any] = {k: v for k, v in settings.items()
870)                                       if k in service_keys and v is not None}
871)             # If either --key or --phrase are given, use that setting.
872)             # Otherwise, if both key and phrase are set in the config,
873)             # one must be global (ignore it) and one must be
874)             # service-specific (use that one). Otherwise, if only one of
875)             # key and phrase is set in the config, use that one.  In all
876)             # these above cases, set the phrase via
877)             # derivepassphrase.Vault.phrase_from_key if a key is
878)             # given. Finally, if nothing is set, error out.
879)             key_to_phrase = lambda key: dpp.Vault.phrase_from_key(
880)                 base64.standard_b64decode(key))
881)             if use_key or use_phrase:
882)                 if use_key:
883)                     kwargs['phrase'] = key_to_phrase(key)
884)                 else:
885)                     kwargs['phrase'] = phrase
886)                     kwargs.pop('key', '')
887)             elif kwargs.get('phrase') and kwargs.get('key'):
888)                 if any('key' in m for m in settings.maps[:2]):
889)                     kwargs['phrase'] = key_to_phrase(kwargs.pop('key'))
890)                 else:
891)                     kwargs.pop('key')
892)             elif kwargs.get('key'):
893)                 kwargs['phrase'] = key_to_phrase(kwargs.pop('key'))
894)             elif kwargs.get('phrase'):
895)                 pass
896)             else:
897)                 raise click.UsageError(
898)                     'no passphrase or key given on command-line '
899)                     'or in configuration')
900)             vault = dpp.Vault(**kwargs)
901)             result = vault.generate(service)
902)             click.echo(result.decode('ASCII'))