derivepassphrase.git

@@ -26,14 +26,16 @@ $ pip install derivepassphrase

 `derivepassphrase` is a pure Python package, and may be easily installed manually by placing the respective files and the package's dependencies into Python's import path.

 `derivepassphrase` requires Python 3.10 or higher as well as the [typing-extensions package][TYPING_EXTENSIONS] for its core functionality and programmatic interface, and [`click`][CLICK] 8.1 or higher for its command-line interface.

+Using the `export vault` subcommand additionally requires the [cryptography package][CRYPTOGRAPHY], version 39.0 or newer.

 [TYPING_EXTENSIONS]: https://pypi.org/project/typing-extensions/

 [CLICK]: https://click.palletsprojects.com/

+[CRYPTOGRAPHY]: https://github.com/pyca/cryptography

 ## Quick Usage

 ```` shell-session

-$ derivepassphrase -p --length 30 --upper 3 --lower 1 --number 2 --space 0 --symbol 0 my-email-account

+$ derivepassphrase vault -p --length 30 --upper 3 --lower 1 --number 2 --space 0 --symbol 0 my-email-account

 Passphrase: This passphrase is for demonstration purposes only.

 JKeet7GeBpxysOgdCEJo6UzmP8A0Ih

 ````

@@ -41,7 +43,7 @@ JKeet7GeBpxysOgdCEJo6UzmP8A0Ih

 Some time later…

 ```` shell-session

-$ derivepassphrase -p --length 30 --upper 3 --lower 1 --number 2 --space 0 --symbol 0 my-email-account

+$ derivepassphrase vault -p --length 30 --upper 3 --lower 1 --number 2 --space 0 --symbol 0 my-email-account

 Passphrase: This passphrase is for demonstration purposes only.

 JKeet7GeBpxysOgdCEJo6UzmP8A0Ih

 ````

@@ -1,14 +1,14 @@

-# derivepassphrase\_export(1)

+# derivepassphrase-export-vault(1)

 ## NAME

-derivepassphrase\_export – export a vault-native configuration to standard

-output

+derivepassphrase-export-vault – export a vault-native configuration to

+standard output

 ## SYNOPSIS

 ````

-derivepassphrase_export [OPTIONS] PATH

+derivepassphrase export vault [OPTIONS] PATH

 ````

 ## DESCRIPTION

@@ -0,0 +1,38 @@

+# derivepassphrase-export(1)

+

+## NAME

+

+derivepassphrase-export – export a foreign configuration to standard

+output

+

+## SYNOPSIS

+

+````

+derivepassphrase export [SUBCOMMAND_ARGS]...

+````

+

+## DESCRIPTION

+

+Read a foreign system configuration, extract all information from

+it, and export the resulting configuration to standard output.

+

+The only available subcommand is <b>vault</b>, which implements the

+vault-native configuration scheme.  If no subcommand is given, we

+default to <b>vault</b>.

+

+## SUBCOMMANDS

+

+[<b>vault</b>][VAULT_SUBCMD]

+:    Export a vault-native configuration to standard output.

+

+## DEPRECATION NOTICE

+

+Defaulting to <b>vault</b> is deprecated.  Starting in v1.0, the

+subcommand must be specified explicitly.

+

+## SEE ALSO

+

+[derivepassphrase(1)](derivepassphrase.1.md),

+[derivepassphrase-export-vault(1)]

+

+[VAULT_SUBCMD]: derivepassphrase-export-vault.1.md

@@ -0,0 +1,117 @@

+# derivepassphrase-vault(1)

+

+## NAME

+

+derivepassphrase-vault – derive a passphrase using the vault(1)

+derivation scheme

+

+## SYNOPSIS

+

+````

+derivepassphrase vault [OPTIONS] [SERVICE]

+````

+

+## DESCRIPTION

+

+Using a master passphrase or a master SSH key, derive a passphrase for

+<i>SERVICE</i>, subject to length, character and character repetition

+constraints.  The derivation is cryptographically strong, meaning that even

+if a single passphrase is compromised, guessing the master passphrase or

+a different service's passphrase is computationally infeasible.  The

+derivation is also deterministic, given the same inputs, thus the resulting

+passphrase need not be stored explicitly. The service name and constraints

+themselves also need not be kept secret; the latter are usually stored in

+a world-readable file.

+

+If operating on global settings, or importing/exporting settings, then

+<i>SERVICE</i> must be omitted.  Otherwise it is required.

+

+## OPTIONS

+

+### Password generation

+

+<b>-p</b>, <b>-</b><b>-phrase</b>

+:   prompts you for your passphrase

+

+<b>-k</b>, <b>-</b><b>-key</b>

+:   uses your SSH private key to generate passwords

+

+<b>-l</b>, <b>-</b><b>-length</b> <var>NUMBER</var>

+:   emits password of length <var>NUMBER</var>

+

+<b>-r</b>, <b>-</b><b>-repeat</b> <var>NUMBER</var>

+:   allows maximum of <var>NUMBER</var> repeated adjacent chars

+

+<b>-</b><b>-lower</b> <var>NUMBER</var>

+:   includes at least <var>NUMBER</var> lowercase letters

+

+<b>-</b><b>-upper</b> <var>NUMBER</var>

+:   includes at least <var>NUMBER</var> uppercase letters

+

+<b>-</b><b>-number</b> <var>NUMBER</var>

+:   includes at least <var>NUMBER</var> digits

+

+<b>-</b><b>-space</b> <var>NUMBER</var>

+:   includes at least <var>NUMBER</var> spaces

+

+<b>-</b><b>-dash</b> <var>NUMBER</var>

+:   includes at least <var>NUMBER</var> `-` or `_`

+

+<b>-</b><b>-symbol</b> <var>NUMBER</var>

+:   includes at least <var>NUMBER</var> symbol chars

+

+Use <var>NUMBER</var>=0, e.g. `--symbol 0`, to exclude a character type from

+the output.

+

+### Configuration

+

+<b>-n</b>, <b>-</b><b>-notes</b>

+:   spawn an editor to edit notes for <var>SERVICE</var>

+

+<b>-c</b>, <b>-</b><b>-config</b>

+:   saves the given settings for <var>SERVICE</var> or global

+

+<b>-x</b>, <b>-</b><b>-delete</b>

+:   deletes settings for <var>SERVICE</var>

+

+<b>-</b><b>-delete-globals</b>

+:   deletes the global shared settings

+

+<b>-X</b>, <b>-</b><b>-clear</b>

+:   deletes all settings

+

+Use `$VISUAL` or `$EDITOR` to configure the spawned editor.

+

+### Storage management

+

+<b>-e</b>, <b>-</b><b>-export</b> <var>PATH</var>

+:   export all saved settings into file <var>PATH</var>

+

+<b>-i</b>, <b>-</b><b>-import</b> <var>PATH</var>

+:   import saved settings from file <var>PATH</var>

+

+Using `-` as <var>PATH</var> for standard input/standard output is supported.

+

+### Other Options

+

+<b>--version</b>

+:   Show the version and exit.

+

+<b>-h</b>, <b>-</b><b>-help</b>

+:   Show this message and exit.

+

+## WARNINGS

+

+There is **no way** to retrieve the generated passphrases if the master

+passphrase, the SSH key, or the exact passphrase settings are lost,

+short of trying out all possible combinations.  You are **strongly**

+advised to keep independent backups of the settings and the SSH key, if

+any.

+

+The configuration is **not** encrypted, and you are **strongly**

+discouraged from using a stored passphrase.

+

+## SEE ALSO

+

+[derivepassphrase(1)](derivepassphrase.1.md),

+[vault(1)](https://github.com/jcoglan/vault)

@@ -8,114 +8,50 @@ a master secret

 ## SYNOPSIS

 ````

-derivepassphrase [OPTIONS] [SERVICE]

+derivepassphrase [SUBCOMMAND_ARGS]...

 ````

 ## DESCRIPTION

-Using a master passphrase or a master SSH key, derive a passphrase for

-<i>SERVICE</i>, subject to length, character and character repetition

-constraints.  The derivation is cryptographically strong, meaning that even

-if a single passphrase is compromised, guessing the master passphrase or

-a different service's passphrase is computationally infeasible.  The

-derivation is also deterministic, given the same inputs, thus the resulting

-passphrase need not be stored explicitly. The service name and constraints

-themselves also need not be kept secret; the latter are usually stored in

-a world-readable file.

+Using a master secret, derive a passphrase for a named service,

+subject to constraints e.g. on passphrase length, allowed

+characters, etc.  The exact derivation depends on the selected

+derivation scheme.  For each scheme, it is computationally

+infeasible to discern the master secret from the derived passphrase.

+The derivations are also deterministic, given the same inputs, thus

+the resulting passphrases need not be stored explicitly.  The

+service name and constraints themselves also generally need not be

+kept secret, depending on the scheme.

-If operating on global settings, or importing/exporting settings, then

-<i>SERVICE</i> must be omitted.  Otherwise it is required.

+The currently implemented subcommands are <b>vault</b> (for the scheme

+used by vault) and <b>export</b> (for exporting foreign configuration

+data).  See the respective `--help` output for instructions.  If no

+subcommand is given, we default to <b>vault</b>.

-## OPTIONS

+## SUBCOMMANDS

-### Password generation

+[<b>export</b>][EXPORT_SUBCMD]

+:   Export a foreign configuration to standard output.

-<b>-p</b>, <b>-</b><b>-phrase</b>

-:   prompts you for your passphrase

+[<b>vault</b>][VAULT_SUBCMD]

+:   Derive a passphrase using the vault(1) derivation scheme.

-<b>-k</b>, <b>-</b><b>-key</b>

-:   uses your SSH private key to generate passwords

+## DEPRECATION NOTICE

-<b>-l</b>, <b>-</b><b>-length</b> <var>NUMBER</var>

-:   emits password of length <var>NUMBER</var>

-

-<b>-r</b>, <b>-</b><b>-repeat</b> <var>NUMBER</var>

-:   allows maximum of <var>NUMBER</var> repeated adjacent chars

-

-<b>-</b><b>-lower</b> <var>NUMBER</var>

-:   includes at least <var>NUMBER</var> lowercase letters

-

-<b>-</b><b>-upper</b> <var>NUMBER</var>

-:   includes at least <var>NUMBER</var> uppercase letters

-

-<b>-</b><b>-number</b> <var>NUMBER</var>

-:   includes at least <var>NUMBER</var> digits

-

-<b>-</b><b>-space</b> <var>NUMBER</var>

-:   includes at least <var>NUMBER</var> spaces

-

-<b>-</b><b>-dash</b> <var>NUMBER</var>

-:   includes at least <var>NUMBER</var> `-` or `_`

-

-<b>-</b><b>-symbol</b> <var>NUMBER</var>

-:   includes at least <var>NUMBER</var> symbol chars

-

-Use <var>NUMBER</var>=0, e.g. `--symbol 0`, to exclude a character type from

-the output.

-

-### Configuration

-

-<b>-n</b>, <b>-</b><b>-notes</b>

-:   spawn an editor to edit notes for <var>SERVICE</var>

-

-<b>-c</b>, <b>-</b><b>-config</b>

-:   saves the given settings for <var>SERVICE</var> or global

-

-<b>-x</b>, <b>-</b><b>-delete</b>

-:   deletes settings for <var>SERVICE</var>

-

-<b>-</b><b>-delete-globals</b>

-:   deletes the global shared settings

-

-<b>-X</b>, <b>-</b><b>-clear</b>

-:   deletes all settings

-

-Use `$VISUAL` or `$EDITOR` to configure the spawned editor.

-

-### Storage management

-

-<b>-e</b>, <b>-</b><b>-export</b> <var>PATH</var>

-:   export all saved settings into file <var>PATH</var>

-

-<b>-i</b>, <b>-</b><b>-import</b> <var>PATH</var>

-:   import saved settings from file <var>PATH</var>

-

-Using `-` as <var>PATH</var> for standard input/standard output is supported.

-

-### Other Options

-

-<b>--version</b>

-:   Show the version and exit.

-

-<b>-h</b>, <b>-</b><b>-help</b>

-:   Show this message and exit.

-

-## WARNINGS

-

-There is **no way** to retrieve the generated passphrases if the master

-passphrase, the SSH key, or the exact passphrase settings are lost,

-short of trying out all possible combinations.  You are **strongly**

-advised to keep independent backups of the settings and the SSH key, if

-any.

+Defaulting to <b>vault</b> is deprecated.  Starting in v1.0, the

+subcommand must be specified explicitly.

 ## CONFIGURATION

 Configuration is stored in a directory according to the

-`$DERIVEPASSPHRASE_PATH` variable, which defaults to `~/.derivepassphrase` on

-UNIX-like systems and `C:\Users\<user>\AppData\Roaming\Derivepassphrase` on

-Windows. The configuration is **not** encrypted, and you are **strongly**

-discouraged from using a stored passphrase.

+`$DERIVEPASSPHRASE_PATH` variable, which defaults to

+`~/.derivepassphrase` on UNIX-like systems and

+`C:\Users\<user>\AppData\Roaming\Derivepassphrase` on Windows.

 ## SEE ALSO

-[vault(1)](https://github.com/jcoglan/vault)

+[derivepassphrase-export(1)][EXPORT_SUBCMD],

+[derivepassphrase-vault(1)][VAULT_SUBCMD]

+

+[EXPORT_SUBCMD]: derivepassphrase-export.1.md

+[VAULT_SUBCMD]: derivepassphrase-export.1.md

@@ -4,8 +4,10 @@ title: Reference overview

 ## Man pages

-* [`derivepassphrase(1)`][cli_man]: A deterministic, stateless password manager: command-line tool.

-* [`derivepassphrase_export(1)`][export_man]: Export a vault-native configuration to standard output.

+* [`derivepassphrase(1)`][top_man]: Derive a strong passphrase, deterministically, from a master secret.

+    * [`derivepassphrase-vault(1)`][top_man]: Derive a passphrase using the vault(1) derivation scheme.

+    * [`derivepassphrase-export(1)`][export_man]: Export a foreign configuration to standard output.

+        * [`derivepassphrase-export-vault(1)`][export_man]: Export a vault-native configuration to standard output.

 ## Modules and packages

@@ -19,5 +21,7 @@ title: Reference overview

     * [`derivepassphrase._types`][]: Types used by `derivepassphrase`.

     * [`derivepassphrase.vault`][]: Python port of the vault(1) password generation scheme.

-  [cli_man]: derivepassphrase.1.md

-  [export_man]: derivepassphrase_export.1.md

+  [top_man]: derivepassphrase.1.md

+  [vault_man]: derivepassphrase-vault.1.md

+  [export_man]: derivepassphrase-export.1.md

+  [export_vault_man]: derivepassphrase-export-vault.1.md

@@ -93,7 +93,9 @@ nav:

   - Reference:

     - reference/index.md

     - 'Man page: derivepassphrase': reference/derivepassphrase.1.md

-    - 'Man page: derivepassphrase_export': reference/derivepassphrase_export.1.md

+    - 'Man page: derivepassphrase-vault': reference/derivepassphrase-vault.1.md

+    - 'Man page: derivepassphrase-export': reference/derivepassphrase-export.1.md

+    - 'Man page: derivepassphrase-export-vault': reference/derivepassphrase-export-vault.1.md

     - Module derivepassphrase:

       - Submodule cli: reference/derivepassphrase.md

       - Subpackage exporter:

@@ -10,8 +10,10 @@ import base64

 import collections

 import contextlib

 import copy

+import importlib

 import inspect

 import json

+import logging

 import os

 import socket

 import unicodedata

@@ -30,10 +32,11 @@ from typing_extensions import (

 )

 import derivepassphrase as dpp

-from derivepassphrase import _types, ssh_agent, vault

+from derivepassphrase import _types, exporter, ssh_agent, vault

 if TYPE_CHECKING:

     import pathlib

+    import types

     from collections.abc import (

         Iterator,

         Sequence,

@@ -54,6 +57,289 @@ _NO_USABLE_KEYS = 'No usable SSH keys were found'

 _EMPTY_SELECTION = 'Empty selection'

+# Top-level

+# =========

+

+

+@click.command(

+    context_settings={

+        'help_option_names': ['-h', '--help'],

+        'ignore_unknown_options': True,

+        'allow_interspersed_args': False,

+    },

+    epilog=r"""

+        Configuration is stored in a directory according to the

+        DERIVEPASSPHRASE_PATH variable, which defaults to

+        `~/.derivepassphrase` on UNIX-like systems and

+        `C:\Users\<user>\AppData\Roaming\Derivepassphrase` on Windows.

+    """

+)

+@click.version_option(version=dpp.__version__, prog_name=PROG_NAME)

+@click.argument('subcommand_args', nargs=-1, type=click.UNPROCESSED)

+def derivepassphrase(

+    *,

+    subcommand_args: list[str],

+) -> None:

+    """Derive a strong passphrase, deterministically, from a master secret.

+

+    Using a master secret, derive a passphrase for a named service,

+    subject to constraints e.g. on passphrase length, allowed

+    characters, etc.  The exact derivation depends on the selected

+    derivation scheme.  For each scheme, it is computationally

+    infeasible to discern the master secret from the derived passphrase.

+    The derivations are also deterministic, given the same inputs, thus

+    the resulting passphrases need not be stored explicitly.  The

+    service name and constraints themselves also generally need not be

+    kept secret, depending on the scheme.

+

+    The currently implemented subcommands are "vault" (for the scheme

+    used by vault) and "export" (for exporting foreign configuration

+    data).  See the respective `--help` output for instructions.  If no

+    subcommand is given, we default to "vault".

+

+    Deprecation notice: Defaulting to "vault" is deprecated.  Starting

+    in v1.0, the subcommand must be specified explicitly.\f

+

+    This is a [`click`][CLICK]-powered command-line interface function,

+    and not intended for programmatic use.  Call with arguments

+    `['--help']` to see full documentation of the interface.  (See also

+    [`click.testing.CliRunner`][] for controlled, programmatic

+    invocation.)

+

+    [CLICK]: https://click.palletsprojects.com/

+

+    """  # noqa: D301

+    if subcommand_args and subcommand_args[0] == 'export':

+        return derivepassphrase_export.main(

+            args=subcommand_args[1:],

+            prog_name=f'{PROG_NAME} export',

+            standalone_mode=False,

+        )

+    if not (subcommand_args and subcommand_args[0] == 'vault'):

+        click.echo(

+            (

+                f'{PROG_NAME}: Deprecation warning: A subcommand will be '

+                f'required in v1.0. See --help for available subcommands.'

+            ),

+            err=True,

+        )

+        click.echo(

+            f'{PROG_NAME}: Warning: Defaulting to subcommand "vault".',

+            err=True,

+        )

+    else:

+        subcommand_args = subcommand_args[1:]

+    return derivepassphrase_vault.main(

+        args=subcommand_args,

+        prog_name=f'{PROG_NAME} vault',

+        standalone_mode=False,

+    )

+

+

+# Exporter

+# ========

+

+

+@click.command(

+    context_settings={

+        'help_option_names': ['-h', '--help'],

+        'ignore_unknown_options': True,

+        'allow_interspersed_args': False,

+    }

+)

+@click.version_option(version=dpp.__version__, prog_name=PROG_NAME)

+@click.argument('subcommand_args', nargs=-1, type=click.UNPROCESSED)

+def derivepassphrase_export(

+    *,

+    subcommand_args: list[str],

+) -> None:

+    """Export a foreign configuration to standard output.

+

+    Read a foreign system configuration, extract all information from

+    it, and export the resulting configuration to standard output.

+

+    The only available subcommand is "vault", which implements the

+    vault-native configuration scheme.  If no subcommand is given, we

+    default to "vault".

+

+    Deprecation notice: Defaulting to "vault" is deprecated.  Starting

+    in v1.0, the subcommand must be specified explicitly.\f

+

+    This is a [`click`][CLICK]-powered command-line interface function,

+    and not intended for programmatic use.  Call with arguments

+    `['--help']` to see full documentation of the interface.  (See also

+    [`click.testing.CliRunner`][] for controlled, programmatic

+    invocation.)

+

+    [CLICK]: https://click.palletsprojects.com/

+

+    """  # noqa: D301

+    if not (subcommand_args and subcommand_args[0] == 'vault'):

+        click.echo(

+            (

+                f'{PROG_NAME}: Deprecation warning: A subcommand will be '

+                f'required in v1.0. See --help for available subcommands.'

+            ),

+            err=True,

+        )

+        click.echo(

+            f'{PROG_NAME}: Warning: Defaulting to subcommand "vault".',

+            err=True,

+        )

+    else:

+        subcommand_args = subcommand_args[1:]

+    return derivepassphrase_export_vault.main(

+        args=subcommand_args,

+        prog_name=f'{PROG_NAME} export vault',

+        standalone_mode=False,

+    )

+

+

+def _load_data(

+    fmt: Literal['v0.2', 'v0.3', 'storeroom'],

+    path: str | bytes | os.PathLike[str],

+    key: bytes,

+) -> Any:  # noqa: ANN401

+    contents: bytes

+    module: types.ModuleType

+    match fmt:

+        case 'v0.2':

+            module = importlib.import_module(

+                'derivepassphrase.exporter.vault_native'

+            )

+            if module.STUBBED:

+                raise ModuleNotFoundError

+            with open(path, 'rb') as infile:

+                contents = base64.standard_b64decode(infile.read())

+            return module.export_vault_native_data(

+                contents, key, try_formats=['v0.2']

+            )

+        case 'v0.3':

+            module = importlib.import_module(

+                'derivepassphrase.exporter.vault_native'

+            )

+            if module.STUBBED:

+                raise ModuleNotFoundError

+            with open(path, 'rb') as infile:

+                contents = base64.standard_b64decode(infile.read())

+            return module.export_vault_native_data(

+                contents, key, try_formats=['v0.3']

+            )

+        case 'storeroom':

+            module = importlib.import_module(

+                'derivepassphrase.exporter.storeroom'

+            )

+            if module.STUBBED:

+                raise ModuleNotFoundError

+            return module.export_storeroom_data(path, key)

+        case _:  # pragma: no cover

+            assert_never(fmt)

+

+

+@click.command(

+    context_settings={'help_option_names': ['-h', '--help']},

+)

+@click.option(

+    '-f',

+    '--format',

+    'formats',

+    metavar='FMT',

+    multiple=True,

+    default=('v0.3', 'v0.2', 'storeroom'),

+    type=click.Choice(['v0.2', 'v0.3', 'storeroom']),

+    help='try the following storage formats, in order (default: v0.3, v0.2)',

+)

+@click.option(

+    '-k',

+    '--key',

+    metavar='K',

+    help=(

+        'use K as the storage master key '

+        '(default: check the `VAULT_KEY`, `LOGNAME`, `USER` or '

+        '`USERNAME` environment variables)'

+    ),

+)

+@click.argument('path', metavar='PATH', required=True)

+@click.pass_context

+def derivepassphrase_export_vault(

+    ctx: click.Context,

+    /,

+    *,

+    path: str | bytes | os.PathLike[str],

+    formats: Sequence[Literal['v0.2', 'v0.3', 'storeroom']] = (),

+    key: str | bytes | None = None,

+) -> None:

+    """Export a vault-native configuration to standard output.

+

+    Read the vault-native configuration at PATH, extract all information

+    from it, and export the resulting configuration to standard output.

+    Depending on the configuration format, PATH may either be a file or

+    a directory.  Supports the vault "v0.2", "v0.3" and "storeroom"

+    formats.

+

+    If PATH is explicitly given as `VAULT_PATH`, then use the

+    `VAULT_PATH` environment variable to determine the correct path.

+    (Use `./VAULT_PATH` or similar to indicate a file/directory actually

+    named `VAULT_PATH`.)

+

+    """

+    logging.basicConfig()

+    if path in {'VAULT_PATH', b'VAULT_PATH'}:

+        path = exporter.get_vault_path()

+    if key is None:

+        key = exporter.get_vault_key()

+    elif isinstance(key, str):  # pragma: no branch

+        key = key.encode('utf-8')

+    for fmt in formats:

+        try:

+            config = _load_data(fmt, path, key)

+        except (

+            IsADirectoryError,

+            NotADirectoryError,

+            ValueError,

+            RuntimeError,

+        ):

+            logging.info('Cannot load as %s: %s', fmt, path)

+            continue

+        except OSError as exc:

+            click.echo(

+                (

+                    f'{PROG_NAME}: ERROR: Cannot parse {path!r} as '

+                    f'a valid config: {exc.strerror}: {exc.filename!r}'

+                ),

+                err=True,

+            )

+            ctx.exit(1)

+        except ModuleNotFoundError:

+            # TODO(the-13th-letter): Use backslash continuation.

+            # https://github.com/nedbat/coveragepy/issues/1836

+            msg = f"""

+{PROG_NAME}: ERROR: Cannot load the required Python module "cryptography".

+{PROG_NAME}: INFO: pip users: see the "export" extra.

+""".lstrip('\n')

+            click.echo(msg, nl=False, err=True)

+            ctx.exit(1)

+        else:

+            if not _types.is_vault_config(config):

+                click.echo(

+                    f'{PROG_NAME}: ERROR: Invalid vault config: {config!r}',

+                    err=True,

+                )

+                ctx.exit(1)

+            click.echo(json.dumps(config, indent=2, sort_keys=True))

+            break

+    else:

+        click.echo(

+            f'{PROG_NAME}: ERROR: Cannot parse {path!r} as a valid config.',

+            err=True,

+        )

+        ctx.exit(1)

+

+

+# Vault

+# =====

+

+

 def _config_filename() -> str | bytes | pathlib.Path:

     """Return the filename of the configuration file.

@@ -603,6 +889,8 @@ DEFAULT_NOTES_MARKER = '# - - - - - >8 - - - - -'

 @click.command(

+    # 'vault',

+    # help="derivation scheme compatible with James Coglan's vault(1)",

     context_settings={'help_option_names': ['-h', '--help']},

     cls=CommandWithHelpGroups,

     epilog=r"""

@@ -612,10 +900,6 @@ DEFAULT_NOTES_MARKER = '# - - - - - >8 - - - - -'

         combinations.  You are STRONGLY advised to keep independent

         backups of the settings and the SSH key, if any.

-        Configuration is stored in a directory according to the

-        DERIVEPASSPHRASE_PATH variable, which defaults to

-        `~/.derivepassphrase` on UNIX-like systems and

-        `C:\Users\<user>\AppData\Roaming\Derivepassphrase` on Windows.

         The configuration is NOT encrypted, and you are STRONGLY

         discouraged from using a stored passphrase.

     """,

@@ -751,7 +1035,7 @@ DEFAULT_NOTES_MARKER = '# - - - - - >8 - - - - -'

 @click.version_option(version=dpp.__version__, prog_name=PROG_NAME)

 @click.argument('service', required=False)

 @click.pass_context

-def derivepassphrase(  # noqa: C901,PLR0912,PLR0913,PLR0914,PLR0915

+def derivepassphrase_vault(  # noqa: C901,PLR0912,PLR0913,PLR0914,PLR0915

     ctx: click.Context,

     /,

     *,

@@ -774,7 +1058,7 @@ def derivepassphrase(  # noqa: C901,PLR0912,PLR0913,PLR0914,PLR0915

     export_settings: TextIO | pathlib.Path | os.PathLike[str] | None = None,

     import_settings: TextIO | pathlib.Path | os.PathLike[str] | None = None,

 ) -> None:

-    """Derive a strong passphrase, deterministically, from a master secret.

+    """Derive a passphrase using the vault(1) derivation scheme.

     Using a master passphrase or a master SSH key, derive a passphrase

     for SERVICE, subject to length, character and character repetition

@@ -1,176 +0,0 @@

-# SPDX-FileCopyrightText: 2024 Marco Ricci <software@the13thletter.info>

-#

-# SPDX-License-Identifier: MIT

-

-"""Command-line interface for derivepassphrase_export."""

-

-from __future__ import annotations

-

-import base64

-import importlib

-import json

-import logging

-from typing import TYPE_CHECKING, Any, Literal

-

-import click

-from typing_extensions import assert_never

-

-import derivepassphrase as dpp

-from derivepassphrase import _types, exporter

-

-if TYPE_CHECKING:

-    import os

-    import types

-    from collections.abc import Sequence

-

-__author__ = dpp.__author__

-__version__ = dpp.__version__

-

-__all__ = ('derivepassphrase_export',)

-

-PROG_NAME = 'derivepassphrase_export'

-

-

-def _load_data(

-    fmt: Literal['v0.2', 'v0.3', 'storeroom'],

-    path: str | bytes | os.PathLike[str],

-    key: bytes,

-) -> Any:  # noqa: ANN401

-    contents: bytes

-    module: types.ModuleType

-    match fmt:

-        case 'v0.2':

-            module = importlib.import_module(

-                'derivepassphrase.exporter.vault_native'

-            )

-            if module.STUBBED:

-                raise ModuleNotFoundError

-            with open(path, 'rb') as infile:

-                contents = base64.standard_b64decode(infile.read())

-            return module.export_vault_native_data(

-                contents, key, try_formats=['v0.2']

-            )

-        case 'v0.3':

-            module = importlib.import_module(

-                'derivepassphrase.exporter.vault_native'

-            )

-            if module.STUBBED:

-                raise ModuleNotFoundError

-            with open(path, 'rb') as infile:

-                contents = base64.standard_b64decode(infile.read())

-            return module.export_vault_native_data(

-                contents, key, try_formats=['v0.3']

-            )

-        case 'storeroom':

-            module = importlib.import_module(

-                'derivepassphrase.exporter.storeroom'

-            )

-            if module.STUBBED:

-                raise ModuleNotFoundError

-            return module.export_storeroom_data(path, key)

-        case _:  # pragma: no cover

-            assert_never(fmt)

-

-

-@click.command(

-    context_settings={'help_option_names': ['-h', '--help']},

-)

-@click.option(

-    '-f',

-    '--format',

-    'formats',

-    metavar='FMT',

-    multiple=True,

-    default=('v0.3', 'v0.2', 'storeroom'),

-    type=click.Choice(['v0.2', 'v0.3', 'storeroom']),

-    help='try the following storage formats, in order (default: v0.3, v0.2)',

-)

-@click.option(

-    '-k',

-    '--key',

-    metavar='K',

-    help=(

-        'use K as the storage master key '

-        '(default: check the `VAULT_KEY`, `LOGNAME`, `USER` or '

-        '`USERNAME` environment variables)'

-    ),

-)

-@click.argument('path', metavar='PATH', required=True)

-@click.pass_context

-def derivepassphrase_export(

-    ctx: click.Context,

-    /,

-    *,

-    path: str | bytes | os.PathLike[str],

-    formats: Sequence[Literal['v0.2', 'v0.3', 'storeroom']] = (),

-    key: str | bytes | None = None,

-) -> None:

-    """Export a vault-native configuration to standard output.

-

-    Read the vault-native configuration at PATH, extract all information

-    from it, and export the resulting configuration to standard output.

-    Depending on the configuration format, this may either be a file or

-    a directory.  Supports the vault "v0.2", "v0.3" and "storeroom"

-    formats.

-

-    If PATH is explicitly given as `VAULT_PATH`, then use the

-    `VAULT_PATH` environment variable to determine the correct path.

-    (Use `./VAULT_PATH` or similar to indicate a file/directory actually

-    named `VAULT_PATH`.)

-

-    """

-    logging.basicConfig()

-    if path in {'VAULT_PATH', b'VAULT_PATH'}:

-        path = exporter.get_vault_path()

-    if key is None:

-        key = exporter.get_vault_key()

-    elif isinstance(key, str):  # pragma: no branch

-        key = key.encode('utf-8')

-    for fmt in formats:

-        try:

-            config = _load_data(fmt, path, key)

-        except (

-            IsADirectoryError,

-            NotADirectoryError,

-            ValueError,

-            RuntimeError,

-        ):

-            logging.info('Cannot load as %s: %s', fmt, path)

-            continue

-        except OSError as exc:

-            click.echo(

-                (

-                    f'{PROG_NAME}: ERROR: Cannot parse {path!r} as '

-                    f'a valid config: {exc.strerror}: {exc.filename!r}'

-                ),

-                err=True,

-            )

-            ctx.exit(1)

-        except ModuleNotFoundError:

-            # TODO(the-13th-letter): Use backslash continuation.

-            # https://github.com/nedbat/coveragepy/issues/1836

-            msg = f"""

-{PROG_NAME}: ERROR: Cannot load the required Python module "cryptography".

-{PROG_NAME}: INFO: pip users: see the "export" extra.

-""".lstrip('\n')

-            click.echo(msg, nl=False, err=True)

-            ctx.exit(1)

-        else:

-            if not _types.is_vault_config(config):

-                click.echo(

-                    f'{PROG_NAME}: ERROR: Invalid vault config: {config!r}',

-                    err=True,

-                )

-                ctx.exit(1)

-            click.echo(json.dumps(config, indent=2, sort_keys=True))

-            break

-    else:

-        click.echo(

-            f'{PROG_NAME}: ERROR: Cannot parse {path!r} as a valid config.',

-            err=True,

-        )

-        ctx.exit(1)

-

-

-if __name__ == '__main__':

-    derivepassphrase_export()

@@ -208,7 +208,7 @@ class TestCLI:

             config={'services': {}},

         ):

             _result = runner.invoke(

-                cli.derivepassphrase, ['--help'], catch_exceptions=False

+                cli.derivepassphrase_vault, ['--help'], catch_exceptions=False

             )

             result = tests.ReadableResult.parse(_result)

         assert result.clean_exit(

@@ -234,7 +234,7 @@ class TestCLI:

             config={'services': {}},

         ):

             _result = runner.invoke(

-                cli.derivepassphrase,

+                cli.derivepassphrase_vault,

                 [option, '0', '-p', DUMMY_SERVICE],

                 input=DUMMY_PASSPHRASE,

                 catch_exceptions=False,

@@ -257,7 +257,7 @@ class TestCLI:

             config={'services': {}},

         ):

             _result = runner.invoke(

-                cli.derivepassphrase,

+                cli.derivepassphrase_vault,

                 ['--repeat', '0', '-p', DUMMY_SERVICE],

                 input=DUMMY_PASSPHRASE,

                 catch_exceptions=False,

@@ -310,7 +310,9 @@ class TestCLI:

                 dpp.vault.Vault, 'phrase_from_key', tests.phrase_from_key

             )

             _result = runner.invoke(

-                cli.derivepassphrase, [DUMMY_SERVICE], catch_exceptions=False

+                cli.derivepassphrase_vault,

+                [DUMMY_SERVICE],

+                catch_exceptions=False,

             )

         result = tests.ReadableResult.parse(_result)

         assert result.clean_exit(

@@ -340,7 +342,7 @@ class TestCLI:

                 dpp.vault.Vault, 'phrase_from_key', tests.phrase_from_key

             )

             _result = runner.invoke(

-                cli.derivepassphrase,

+                cli.derivepassphrase_vault,

                 ['-k', DUMMY_SERVICE],

                 input='1\n',

                 catch_exceptions=False,

@@ -406,7 +408,7 @@ class TestCLI:

             monkeypatch=monkeypatch, runner=runner, config=config

         ):

             _result = runner.invoke(

-                cli.derivepassphrase,

+                cli.derivepassphrase_vault,

                 ['-k', DUMMY_SERVICE],

                 input=f'{key_index}\n',

             )

@@ -437,7 +439,9 @@ class TestCLI:

             },

         ):

             _result = runner.invoke(

-                cli.derivepassphrase, [DUMMY_SERVICE], catch_exceptions=False

+                cli.derivepassphrase_vault,

+                [DUMMY_SERVICE],

+                catch_exceptions=False,

             )

         result = tests.ReadableResult.parse(_result)

         assert result.clean_exit(), 'expected clean exit'

@@ -474,7 +478,7 @@ class TestCLI:

         ):

             for value in '-42', 'invalid':

                 _result = runner.invoke(

-                    cli.derivepassphrase,

+                    cli.derivepassphrase_vault,

                     [option, value, '-p', DUMMY_SERVICE],

                     input=DUMMY_PASSPHRASE,

                     catch_exceptions=False,

@@ -508,7 +512,7 @@ class TestCLI:

             config={'global': {'phrase': 'abc'}, 'services': {}},

         ):

             _result = runner.invoke(

-                cli.derivepassphrase,

+                cli.derivepassphrase_vault,

                 options if service else [*options, DUMMY_SERVICE],

                 input=input,

                 catch_exceptions=False,

@@ -537,7 +541,7 @@ class TestCLI:

                     cli, '_prompt_for_passphrase', tests.auto_prompt

                 )

                 _result = runner.invoke(

-                    cli.derivepassphrase,

+                    cli.derivepassphrase_vault,

                     [*options, DUMMY_SERVICE] if service else options,

                     input=input,

                     catch_exceptions=False,

@@ -566,7 +570,7 @@ class TestCLI:

             config={'services': {}},

         ):

             _result = runner.invoke(

-                cli.derivepassphrase,

+                cli.derivepassphrase_vault,

                 [*options, DUMMY_SERVICE] if service else options,

                 input=DUMMY_PASSPHRASE,

                 catch_exceptions=False,

@@ -585,7 +589,7 @@ class TestCLI:

             monkeypatch=monkeypatch, runner=runner, config={'services': {}}

         ):

             _result = runner.invoke(

-                cli.derivepassphrase,

+                cli.derivepassphrase_vault,

                 ['--import', '-'],

                 input='null',

                 catch_exceptions=False,

@@ -604,7 +608,7 @@ class TestCLI:

             monkeypatch=monkeypatch, runner=runner, config={'services': {}}

         ):

             _result = runner.invoke(

-                cli.derivepassphrase,

+                cli.derivepassphrase_vault,

                 ['--import', '-'],

                 input='This string is not valid JSON.',

                 catch_exceptions=False,

@@ -631,7 +635,7 @@ class TestCLI:

                 print('This string is not valid JSON.', file=outfile)

             dname = os.path.dirname(cli._config_filename())

             _result = runner.invoke(

-                cli.derivepassphrase,

+                cli.derivepassphrase_vault,

                 ['--import', os.fsdecode(dname)],

                 catch_exceptions=False,

             )

@@ -651,7 +655,9 @@ class TestCLI:

             with contextlib.suppress(FileNotFoundError):

                 os.remove(cli._config_filename())

             _result = runner.invoke(

-                cli.derivepassphrase, ['--export', '-'], catch_exceptions=False

+                cli.derivepassphrase_vault,

+                ['--export', '-'],

+                catch_exceptions=False,

             )

         result = tests.ReadableResult.parse(_result)

         assert result.clean_exit(empty_stderr=True), 'expected clean exit'

@@ -665,7 +671,7 @@ class TestCLI:

             monkeypatch=monkeypatch, runner=runner, config={}

         ):

             _result = runner.invoke(

-                cli.derivepassphrase,

+                cli.derivepassphrase_vault,

                 ['--export', '-'],

                 input='null',

                 catch_exceptions=False,

@@ -687,7 +693,7 @@ class TestCLI:

                 os.remove(cli._config_filename())