derivepassphrase.git

@@ -3,3 +3,4 @@ html/

 .pytest_cache/

 __pycache__/

 *.swp

+.coverage*

@@ -52,6 +52,7 @@ plugins:

         python:

           import:

             - https://docs.python.org/3/objects.inv

+            - https://click.palletsprojects.com/en/8.1.x/objects.inv

           options:

             docstring_options:

               ignore_init_summary: true

@@ -82,6 +83,7 @@ nav:

     - Module derivepassphrase: reference/derivepassphrase.md

     - Module sequin: reference/sequin.md

     - Module ssh_agent_client: reference/ssh_agent_client.md

+    - Coverage: reference/coverage/index.html

   #- explanation.md

 markdown_extensions:

@@ -43,6 +43,7 @@ Source = "https://github.com/the-13th-letter/derivepassphrase"

 derivepassphrase = "derivepassphrase.cli:derivepassphrase"

 [tool.mypy]

+files = ['src/**/*.py']

 mypy_path = '$MYPY_CONFIG_FILE_DIR/src'

 explicit_package_bases = true

 implicit_reexport = false

@@ -84,21 +85,32 @@ extra-dependencies = [

 [tool.hatch.envs.types.scripts]

 check = "mypy --install-types --non-interactive {args:src/derivepassphrase tests}"

+[tool.coverage.html]

+directory = "docs/reference/coverage"

+

 [tool.coverage.run]

-source_pkgs = ["derivepassphrase", "tests"]

+source_pkgs = ["derivepassphrase", "sequin", "ssh_agent_client", "tests"]

 branch = true

 parallel = true

 omit = [

-  "src/derivepassphrase/__main__.py",

+  "__main__.py",

 ]

 [tool.coverage.paths]

-derivepassphrase = ["src/derivepassphrase", "*/derivepassphrase/src/derivepassphrase"]

-tests = ["tests", "*/derivepassphrase/tests"]

+src = ["src"]

+tests = ["tests"]

 [tool.coverage.report]

-exclude_lines = [

-  "no cov",

+skip_covered = false

+skip_empty = true

+precision = 3

+partial_branches = [

+    'pragma: no branch',

+]

+exclude_also = [

   "if __name__ == .__main__.:",

-  "if TYPE_CHECKING:",

+  'if (?:typing\.)?TYPE_CHECKING:',

+  "raise AssertionError",

+  "raise NotImplementedError",

+  'assert False',

 ]

@@ -1,6 +1,8 @@

 # SPDX-FileCopyrightText: 2024 Marco Ricci <m@the13thletter.info>

 #

 # SPDX-License-Identifier: MIT

+"""Run [`derivepassphrase.cli.derivepassphrase`][] on import."""

+

 import sys

 if __name__ == "__main__":

@@ -8,14 +8,24 @@

 from __future__ import annotations

+import base64

+import collections

+from collections.abc import MutableMapping

+import contextlib

 import inspect

 import json

+import os

 import pathlib

-from typing import Any, TextIO

+import socket

+from typing import (

+    Any, assert_never, cast, reveal_type, Iterator, Never, NotRequired,

+    Sequence, TextIO, TypedDict, TYPE_CHECKING,

+)

 import click

 import derivepassphrase as dpp

 from derivepassphrase import types as dpp_types

+import ssh_agent_client

 __author__ = dpp.__author__

 __version__ = dpp.__version__

@@ -92,6 +102,202 @@ def _save_config(config: dpp_types.VaultConfig, /) -> None:

         json.dump(config, fileobj)

+def _get_suitable_ssh_keys(

+    conn: ssh_agent_client.SSHAgentClient | socket.socket | None = None,

+    /

+) -> Iterator[ssh_agent_client.types.KeyCommentPair]:

+    """Yield all SSH keys suitable for passphrase derivation.

+

+    Suitable SSH keys are queried from the running SSH agent (see

+    [`ssh_agent_client.SSHAgentClient.list_keys`][]).

+

+    Args:

+        conn:

+            An optional connection hint to the SSH agent; specifically,

+            an SSH agent client, or a socket connected to an SSH agent.

+

+            If an existing SSH agent client, then this client will be

+            queried for the SSH keys, and otherwise left intact.

+

+            If a socket, then a one-shot client will be constructed

+            based on the socket to query the agent, and deconstructed

+            afterwards.

+

+            If neither are given, then the agent's socket location is

+            looked up in the `SSH_AUTH_SOCK` environment variable, and

+            used to construct/deconstruct a one-shot client, as in the

+            previous case.

+

+    Yields:

+        :

+            Every SSH key from the SSH agent that is suitable for

+            passphrase derivation.

+

+    Raises:

+        RuntimeError:

+            There was an error communicating with the SSH agent.

+        RuntimeError:

+            No keys usable for passphrase derivation are loaded into the

+            SSH agent.

+

+    """

+    client: ssh_agent_client.SSHAgentClient

+    client_context: contextlib.AbstractContextManager

+    match conn:

+        case ssh_agent_client.SSHAgentClient():

+            client = conn

+            client_context = contextlib.nullcontext()

+        case socket.socket() | None:

+            client = ssh_agent_client.SSHAgentClient(socket=conn)

+            client_context = client

+        case _:  # pragma: no cover

+            assert_never(conn)

+            raise TypeError(f'invalid connection hint: {conn!r}')

+    with client_context:

+        try:

+            all_key_comment_pairs = list(client.list_keys())

+        except EOFError as e:  # pragma: no cover

+            raise RuntimeError(

+                'error communicating with the SSH agent'

+            ) from e

+    suitable_keys = all_key_comment_pairs[:]

+    for pair in all_key_comment_pairs:

+        key, comment = pair

+        if dpp.Vault._is_suitable_ssh_key(key):

+            yield pair

+    if not suitable_keys:  # pragma: no cover

+        raise RuntimeError('No usable SSH keys were found')

+

+

+def _prompt_for_selection(

+    items: Sequence[str | bytes], heading: str = 'Possible choices:',

+    single_choice_prompt: str = 'Confirm this choice?',

+) -> int:

+    """Prompt user for a choice among the given items.

+

+    Print the heading, if any, then present the items to the user.  If

+    there are multiple items, prompt the user for a selection, validate

+    the choice, then return the list index of the selected item.  If

+    there is only a single item, request confirmation for that item

+    instead, and return the correct index.

+

+    Args:

+        heading:

+            A heading for the list of items, to print immediately

+            before.  Defaults to a reasonable standard heading.  If

+            explicitly empty, print no heading.

+        single_choice_prompt:

+            The confirmation prompt if there is only a single possible

+            choice.  Defaults to a reasonable standard prompt.

+

+    Returns:

+        An index into the items sequence, indicating the user's

+        selection.

+

+    Raises:

+        IndexError:

+            The user made an invalid or empty selection, or requested an

+            abort.

+

+    """

+    n = len(items)

+    if heading:

+        click.echo(click.style(heading, bold=True))

+    for i, x in enumerate(items, start=1):

+        click.echo(click.style(f'[{i}]', bold=True), nl=False)

+        click.echo(' ', nl=False)

+        click.echo(x)

+    if n > 1:

+        choices = click.Choice([''] + [str(i) for i in range(1, n + 1)])

+        choice = click.prompt(

+            f'Your selection? (1-{n}, leave empty to abort)',

+            err=True, type=choices, show_choices=False,

+            show_default=False, default='')

+        if not choice:

+            raise IndexError('empty selection')

+        return int(choice) - 1

+    else:

+        prompt_suffix = (' '

+                         if single_choice_prompt.endswith(tuple('?.!'))

+                         else ': ')

+        try:

+            click.confirm(single_choice_prompt,

+                          prompt_suffix=prompt_suffix, err=True,

+                          abort=True, default=False, show_default=False)

+        except click.Abort:

+            raise IndexError('empty selection') from None

+        return 0

+

+

+def _select_ssh_key(

+    conn: ssh_agent_client.SSHAgentClient | socket.socket | None = None,

+    /

+) -> bytes | bytearray:

+    """Interactively select an SSH key for passphrase derivation.

+

+    Suitable SSH keys are queried from the running SSH agent (see

+    [`ssh_agent_client.SSHAgentClient.list_keys`][]), then the user is

+    prompted interactively (see [`click.prompt`][]) for a selection.

+

+    Args:

+        conn:

+            An optional connection hint to the SSH agent; specifically,

+            an SSH agent client, or a socket connected to an SSH agent.

+

+            If an existing SSH agent client, then this client will be

+            queried for the SSH keys, and otherwise left intact.

+

+            If a socket, then a one-shot client will be constructed

+            based on the socket to query the agent, and deconstructed

+            afterwards.

+

+            If neither are given, then the agent's socket location is

+            looked up in the `SSH_AUTH_SOCK` environment variable, and

+            used to construct/deconstruct a one-shot client, as in the

+            previous case.

+

+    Returns:

+        The selected SSH key.

+

+    Raises:

+        IndexError:

+            The user made an invalid or empty selection, or requested an

+            abort.

+        RuntimeError:

+            There was an error communicating with the SSH agent.

+        RuntimeError:

+            No keys usable for passphrase derivation are loaded into the

+            SSH agent.

+    """

+    suitable_keys = list(_get_suitable_ssh_keys(conn))

+    key_listing: list[str] = []

+    unstring_prefix = ssh_agent_client.SSHAgentClient.unstring_prefix

+    for key, comment in suitable_keys:

+        keytype = unstring_prefix(key)[0].decode('ASCII')

+        key_str = base64.standard_b64encode(key).decode('ASCII')

+        key_prefix = key_str if len(key_str) < 30 else key_str[:27] + '...'

+        comment_str = comment.decode('UTF-8', errors='replace')

+        key_listing.append(f'{keytype} {key_prefix} {comment_str}')

+    choice = _prompt_for_selection(

+        key_listing, heading='Suitable SSH keys:',

+        single_choice_prompt='Use this key?')

+    return suitable_keys[choice].key

+

+

+def _prompt_for_passphrase() -> str:

+    """Interactively prompt for the passphrase.

+

+    Calls [`click.prompt`][] internally.  Moved into a separate function

+    mainly for testing/mocking purposes.

+

+    Returns:

+        The user input.

+

+    """

+    return click.prompt('Passphrase', default='', hide_input=True,

+                        show_default=False, err=True)

+

+

 class OptionGroupOption(click.Option):

     """A [`click.Option`][] with an associated group name and group epilog.

@@ -240,15 +446,36 @@ def _validate_length(

         raise click.BadParameter('not a positive integer')

     return int_value

+DEFAULT_NOTES_TEMPLATE = '''\

+# Enter notes below the line with the cut mark (ASCII scissors and

+# dashes).  Lines above the cut mark (such as this one) will be ignored.

+#

+# If you wish to clear the notes, leave everything beyond the cut mark

+# blank.  However, if you leave the *entire* file blank, also removing

+# the cut mark, then the edit is aborted, and the old notes contents are

+# retained.

+#

+# - - - - - >8 - - - - - >8 - - - - - >8 - - - - - >8 - - - - -

+'''

+DEFAULT_NOTES_MARKER = '# - - - - - >8 - - - - -'

+

+

 @click.command(

     context_settings={"help_option_names": ["-h", "--help"]},

     cls=CommandWithHelpGroups,

-    epilog='''

+    epilog=r'''

         WARNING: There is NO WAY to retrieve the generated passphrases

         if the master passphrase, the SSH key, or the exact passphrase

         settings are lost, short of trying out all possible

         combinations.  You are STRONGLY advised to keep independent

         backups of the settings and the SSH key, if any.

+

+        Configuration is stored in a directory according to the

+        DERIVEPASSPHRASE_PATH variable, which defaults to

+        `~/.derivepassphrase` on UNIX-like systems and

+        `C:\Users\<user>\AppData\Roaming\Derivepassphrase` on Windows.

+        The configuration is NOT encrypted, and you are STRONGLY

+        discouraged from using a stored passphrase.

     ''',

 )

 @click.option('-p', '--phrase', 'use_phrase', is_flag=True,

@@ -513,11 +740,166 @@ def derivepassphrase(

             opt_str = param.opts[0]

             raise click.UsageError(

                 f'{opt_str} does not take a SERVICE argument')

-    #if kwargs['length'] is None:

-    #    kwargs['length'] = dpp.Vault.__init__.__kwdefaults__['length']

-    #if kwargs['repeat'] is None:

-    #    kwargs['repeat'] = dpp.Vault.__init__.__kwdefaults__['repeat']

-    click.echo(repr(ctx.params))

+

+    if edit_notes:

+        assert service is not None

+        configuration = get_config()

+        text = (DEFAULT_NOTES_TEMPLATE +

+                configuration['services']

+                .get(service, cast(dpp_types.VaultConfigServicesSettings, {}))

+                .get('notes', ''))

+        notes_value = click.edit(text=text)

+        if notes_value is not None:

+            notes_lines = collections.deque(notes_value.splitlines(True))

+            while notes_lines:

+                line = notes_lines.popleft()

+                if line.startswith(DEFAULT_NOTES_MARKER):

+                    notes_value = ''.join(notes_lines)

+                    break

+            else:

+                if not notes_value.strip():

+                    ctx.fail('not saving new notes: user aborted request')

+            configuration['services'].setdefault(service, {})['notes'] = (

+                notes_value.strip('\n'))

+            _save_config(configuration)

+    elif delete_service_settings:

+        assert service is not None

+        configuration = get_config()

+        if service in configuration['services']:

+            del configuration['services'][service]

+            _save_config(configuration)

+    elif delete_globals:

+        configuration = get_config()

+        if 'global' in configuration:

+            del configuration['global']

+            _save_config(configuration)

+    elif clear_all_settings:

+        _save_config({'services': {}})

+    elif import_settings:

+        try:

+            # TODO: keep track of auto-close; try os.dup if feasible

+            infile = (cast(TextIO, import_settings)

+                      if hasattr(import_settings, 'close')

+                      else click.open_file(os.fspath(import_settings), 'rt'))

+            with infile:

+                maybe_config = json.load(infile)

+        except json.JSONDecodeError as e:

+            ctx.fail(f'Cannot load config: cannot decode JSON: {e}')

+        except OSError as e:

+            ctx.fail(f'Cannot load config: {e.strerror}')

+        if dpp_types.is_vault_config(maybe_config):

+            _save_config(maybe_config)

+        else:

+            ctx.fail('not a valid config')

+    elif export_settings:

+        configuration = get_config()

+        try:

+            # TODO: keep track of auto-close; try os.dup if feasible

+            outfile = (cast(TextIO, export_settings)

+                       if hasattr(export_settings, 'close')

+                       else click.open_file(os.fspath(export_settings), 'wt'))

+            with outfile:

+                json.dump(configuration, outfile)

+        except OSError as e:

+            ctx.fail('cannot write config: {e.strerror}')

+    else:

+        configuration = get_config()

+        # This block could be type checked more stringently, but this

+        # would probably involve a lot of code repetition.  Since we

+        # have a type guarding function anyway, assert that we didn't

+        # make any mistakes at the end instead.

+        global_keys = {'key', 'phrase'}

+        service_keys = {'key', 'phrase', 'length', 'repeat', 'lower',

+                        'upper', 'number', 'space', 'dash', 'symbol'}

+        settings: collections.ChainMap[str, Any] = collections.ChainMap(

+            {k: v for k, v in locals().items()

+             if k in service_keys and v is not None},

+            cast(dict[str, Any],

+                 configuration['services'].get(service or '', {})),

+            {},

+            cast(dict[str, Any], configuration.get('global', {}))

+        )

+        if use_key:

+            try:

+                key = base64.standard_b64encode(

+                    _select_ssh_key()).decode('ASCII')

+            except IndexError:

+                ctx.fail('no valid SSH key selected')

+            except RuntimeError as e:

+                ctx.fail(str(e))

+        elif use_phrase:

+            maybe_phrase = _prompt_for_passphrase()

+            if not maybe_phrase:

+                ctx.fail('no passphrase given')

+            else:

+                phrase = maybe_phrase

+        if store_config_only:

+            view: collections.ChainMap[str, Any]

+            view = (collections.ChainMap(*settings.maps[:2]) if service

+                    else settings.parents.parents)

+            if use_key:

+                view['key'] = key

+                for m in view.maps:

+                    m.pop('phrase', '')

+            elif use_phrase:

+                view['phrase'] = phrase

+                for m in view.maps:

+                    m.pop('key', '')

+            if service:

+                if not view.maps[0]:

+                    raise click.UsageError('cannot update service settings '

+                                           'without actual settings')

+                else:

+                    configuration['services'].setdefault(

+                        service, {}).update(view)  # type: ignore[typeddict-item]

+            else:

+                if not view.maps[0]:

+                    raise click.UsageError('cannot update global settings '

+                                           'without actual settings')

+                else:

+                    configuration.setdefault(

+                        'global', {}).update(view)  # type: ignore[typeddict-item]

+            assert dpp_types.is_vault_config(configuration), (

+                f'invalid vault configuration: {configuration!r}'

+            )

+            _save_config(configuration)

+        else:

+            if not service:

+                raise click.UsageError(f'SERVICE is required')

+            kwargs: dict[str, Any] = {k: v for k, v in settings.items()

+                                      if k in service_keys and v is not None}

+            # If either --key or --phrase are given, use that setting.

+            # Otherwise, if both key and phrase are set in the config,

+            # one must be global (ignore it) and one must be

+            # service-specific (use that one). Otherwise, if only one of

+            # key and phrase is set in the config, use that one.  In all

+            # these above cases, set the phrase via

+            # derivepassphrase.Vault.phrase_from_key if a key is

+            # given. Finally, if nothing is set, error out.

+            key_to_phrase = lambda key: dpp.Vault.phrase_from_key(

+                base64.standard_b64decode(key))

+            if use_key or use_phrase:

+                if use_key:

+                    kwargs['phrase'] = key_to_phrase(key)

+                else:

+                    kwargs['phrase'] = phrase

+                    kwargs.pop('key', '')

+            elif kwargs.get('phrase') and kwargs.get('key'):

+                if any('key' in m for m in settings.maps[:2]):

+                    kwargs['phrase'] = key_to_phrase(kwargs.pop('key'))

+                else:

+                    kwargs.pop('key')

+            elif kwargs.get('key'):

+                kwargs['phrase'] = key_to_phrase(kwargs.pop('key'))

+            elif kwargs.get('phrase'):

+                pass

+            else:

+                raise click.UsageError(

+                    'no passphrase or key given on command-line '

+                    'or in configuration')

+            vault = dpp.Vault(**kwargs)

+            result = vault.generate(service)

+            click.echo(result.decode('ASCII'))

 if __name__ == '__main__':

@@ -2,17 +2,308 @@

 #

 # SPDX-License-Identifier: MIT

+from __future__ import annotations

+

+import base64

+import contextlib

+import errno

+import json

+import os

+from typing import Any, cast, TYPE_CHECKING, NamedTuple

+

 import click.testing

-import derivepassphrase

-import derivepassphrase.cli

+import derivepassphrase as dpp

+import derivepassphrase.cli as cli

+import ssh_agent_client.types

 import pytest

 DUMMY_SERVICE = 'service1'

 DUMMY_PASSPHRASE = b'my secret passphrase\n'

+DUMMY_CONFIG_SETTINGS = {"length": 10, "upper": 1, "lower": 1, "repeat": 5,

+                         "number": 1, "space": 1, "dash": 1, "symbol": 1}

+DUMMY_RESULT_PASSPHRASE = b'.2V_QJkd o'

+DUMMY_RESULT_KEY1 = b'E<b<{ -7iG'

+DUMMY_PHRASE_FROM_KEY1_RAW = (

+    b'\x00\x00\x00\x0bssh-ed25519'

+    b'\x00\x00\x00@\xf0\x98\x19\x80l\x1a\x97\xd5&\x03n'

+    b'\xcc\xe3e\x8f\x86f\x07\x13\x19\x13\t!33\xf9\xe46S'

+    b'\x1d\xaf\xfd\r\x08\x1f\xec\xf8s\x9b\x8c_U9\x16|ST,'

+    b'\x1eR\xbb0\xed\x7f\x89\xe2/iQU\xd8\x9e\xa6\x02'

+)

+DUMMY_PHRASE_FROM_KEY1 = b'8JgZgGwal9UmA27M42WPhmYHExkTCSEzM/nkNlMdr/0NCB/s+HObjF9VORZ8U1QsHlK7MO1/ieIvaVFV2J6mAg=='

+

+# See Ed25519 and RSA test keys in test_key_signing.py

+DUMMY_KEY1 = 'AAAAC3NzaC1lZDI1NTE5AAAAIIF4gWgm1gJIXw//Mkhv5MEwidwcakUGCekJD/vCEml2'

+DUMMY_KEY2 = 'AAAAB3NzaC1yc2EAAAADAQABAAABgQCxoe7pezhxWy4NI0mUwKqg9WCYOAS+IjxN9eYcqpfcmQiojcuy9XsiN/xYJ1O94SrsKS5mEia2xHnYA4RUChTyYNcM2v6cnnBQ/N/VQhpGMN7SVxdbhKUXTWFCwbjBgO6rGyHB6WtoH8vd7TOEPt+NgcXwhsWyoaUUdYTA62V+GF9vEmxMaC4ubgDz+B0QkPnauSoNxmkhcIe0lsLNb1pClZyz88PDnKXCX/d0HuN/HJ+sbPg7dCvOyqFYSyKn3uY6bCXqoIdurxXzH3O7z0P8f5sbmKOrGGKNuNxVRbeVl/D/3uDL0nqsbfUc1qvkfwbJwtMXC4IV6kOZMSk2BAsqh7x48gQ+rhYeEVSi8F3CWs4HJQoqrGt7K9a3mCSlMBHP70u3w6ME7eumoryxlUofewTd17ZEkzdX08l2ZlKzZvwQUrc+xQZ2Uw8z2mfW6Ti4gi0pYGaig7Ke4PwuXpo/C5YAWfeXycsvJZ2uaYRjMdZeJGNAnHLUGLkBscw5aI8='

+

+

+class IncompatibleConfiguration(NamedTuple):

+    other_options: list[tuple[str, ...]]

+    needs_service: bool | None

+    input: bytes | None

+

+class SingleConfiguration(NamedTuple):

+    needs_service: bool | None

+    input: bytes | None

+    check_success: bool

+

+class OptionCombination(NamedTuple):

+    options: list[str]

+    incompatible: bool

+    needs_service: bool | None

+    input: bytes | None

+    check_success: bool

+

+PASSWORD_GENERATION_OPTIONS: list[tuple[str, ...]] = [

+    ('--phrase',), ('--key',), ('--length', '20'), ('--repeat', '20'),

+    ('--lower', '1'), ('--upper', '1'), ('--number', '1'),

+    ('--space', '1'), ('--dash', '1'), ('--symbol', '1')

+]

+CONFIGURATION_OPTIONS: list[tuple[str, ...]] = [

+    ('--notes',), ('--config',), ('--delete',), ('--delete-globals',),

+    ('--clear',)

+]

+CONFIGURATION_COMMANDS: list[tuple[str, ...]] = [

+    ('--notes',), ('--delete',), ('--delete-globals',), ('--clear',)

+]

+STORAGE_OPTIONS: list[tuple[str, ...]] = [

+    ('--export', '-'), ('--import', '-')

+]

+INCOMPATIBLE: dict[tuple[str, ...], IncompatibleConfiguration] = {

+    ('--phrase',): IncompatibleConfiguration(

+        [('--key',)] + CONFIGURATION_COMMANDS + STORAGE_OPTIONS,

+        True, DUMMY_PASSPHRASE),

+    ('--key',): IncompatibleConfiguration(

+        CONFIGURATION_COMMANDS + STORAGE_OPTIONS,

+        True, DUMMY_PASSPHRASE),

+    ('--length', '20'): IncompatibleConfiguration(

+        CONFIGURATION_COMMANDS + STORAGE_OPTIONS,

+        True, DUMMY_PASSPHRASE),

+    ('--repeat', '20'): IncompatibleConfiguration(

+        CONFIGURATION_COMMANDS + STORAGE_OPTIONS,

+        True, DUMMY_PASSPHRASE),

+    ('--lower', '1'): IncompatibleConfiguration(

+        CONFIGURATION_COMMANDS + STORAGE_OPTIONS,

+        True, DUMMY_PASSPHRASE),

+    ('--upper', '1'): IncompatibleConfiguration(

+        CONFIGURATION_COMMANDS + STORAGE_OPTIONS,

+        True, DUMMY_PASSPHRASE),

+    ('--number', '1'): IncompatibleConfiguration(

+        CONFIGURATION_COMMANDS + STORAGE_OPTIONS,

+        True, DUMMY_PASSPHRASE),

+    ('--space', '1'): IncompatibleConfiguration(

+        CONFIGURATION_COMMANDS + STORAGE_OPTIONS,

+        True, DUMMY_PASSPHRASE),

+    ('--dash', '1'): IncompatibleConfiguration(

+        CONFIGURATION_COMMANDS + STORAGE_OPTIONS,

+        True, DUMMY_PASSPHRASE),

+    ('--symbol', '1'): IncompatibleConfiguration(

+        CONFIGURATION_COMMANDS + STORAGE_OPTIONS,

+        True, DUMMY_PASSPHRASE),

+    ('--notes',): IncompatibleConfiguration(

+        [('--config',), ('--delete',), ('--delete-globals',),

+         ('--clear',)] + STORAGE_OPTIONS,

+        True, None),

+    ('--config', '-p'): IncompatibleConfiguration(

+        [('--delete',), ('--delete-globals',),

+         ('--clear',)] + STORAGE_OPTIONS,

+        None, DUMMY_PASSPHRASE),

+    ('--delete',): IncompatibleConfiguration(

+        [('--delete-globals',), ('--clear',)] + STORAGE_OPTIONS, True, None),

+    ('--delete-globals',): IncompatibleConfiguration(

+        [('--clear',)] + STORAGE_OPTIONS, False, None),

+    ('--clear',): IncompatibleConfiguration(STORAGE_OPTIONS, False, None),

+    ('--export', '-'): IncompatibleConfiguration(

+        [('--import', '-')], False, None),

+    ('--import', '-'): IncompatibleConfiguration(

+        [], False, None),

+}

+SINGLES: dict[tuple[str, ...], SingleConfiguration] = {

+    ('--phrase',): SingleConfiguration(True, DUMMY_PASSPHRASE, True),

+    ('--key',): SingleConfiguration(True, None, False),

+    ('--length', '20'): SingleConfiguration(True, DUMMY_PASSPHRASE, True),

+    ('--repeat', '20'): SingleConfiguration(True, DUMMY_PASSPHRASE, True),

+    ('--lower', '1'): SingleConfiguration(True, DUMMY_PASSPHRASE, True),

+    ('--upper', '1'): SingleConfiguration(True, DUMMY_PASSPHRASE, True),

+    ('--number', '1'): SingleConfiguration(True, DUMMY_PASSPHRASE, True),

+    ('--space', '1'): SingleConfiguration(True, DUMMY_PASSPHRASE, True),

+    ('--dash', '1'): SingleConfiguration(True, DUMMY_PASSPHRASE, True),

+    ('--symbol', '1'): SingleConfiguration(True, DUMMY_PASSPHRASE, True),

+    ('--notes',): SingleConfiguration(True, None, False),

+    ('--config', '-p'): SingleConfiguration(None, DUMMY_PASSPHRASE, False),

+    ('--delete',): SingleConfiguration(True, None, False),

+    ('--delete-globals',): SingleConfiguration(False, None, True),

+    ('--clear',): SingleConfiguration(False, None, True),

+    ('--export', '-'): SingleConfiguration(False, None, True),

+    ('--import', '-'): SingleConfiguration(False, b'{"services": {}}', True),

+}

+INTERESTING_OPTION_COMBINATIONS: list[OptionCombination] = []

+config: OptionCombination | SingleConfiguration

+for opt, config in INCOMPATIBLE.items():

+    for opt2 in config.other_options:

+        INTERESTING_OPTION_COMBINATIONS.extend([

+            OptionCombination(options=list(opt + opt2), incompatible=True,

+                              needs_service=config.needs_service,

+                              input=config.input, check_success=False),

+            OptionCombination(options=list(opt2 + opt), incompatible=True,

+                              needs_service=config.needs_service,

+                              input=config.input, check_success=False)

+        ])

+for opt, config in SINGLES.items():

+    INTERESTING_OPTION_COMBINATIONS.append(

+        OptionCombination(options=list(opt), incompatible=False,

+                          needs_service=config.needs_service,

+                          input=config.input,

+                          check_success=config.check_success))

+

+@contextlib.contextmanager

+def isolated_config(

+    monkeypatch: Any, runner: click.testing.CliRunner, config: Any,

+):

+    with runner.isolated_filesystem():

+        monkeypatch.setenv('HOME', os.getcwd())

+        monkeypatch.setenv('USERPROFILE', os.getcwd())

+        monkeypatch.delenv(cli.prog_name.replace(' ', '_').upper() + '_PATH',

+                           raising=False)

+        os.makedirs(os.path.dirname(cli._config_filename()), exist_ok=True)

+        with open(cli._config_filename(), 'wt') as outfile:

+            json.dump(config, outfile)

+        yield

+

+

+def test_100_save_bad_config(monkeypatch: Any) -> None:

+    runner = click.testing.CliRunner()

+    with isolated_config(monkeypatch=monkeypatch, runner=runner, config={}):

+        with pytest.raises(ValueError, match='Invalid vault config'):

+            cli._save_config(None)  # type: ignore

+

+

+def test_101_prompt_for_selection_multiple(monkeypatch: Any) -> None:

+    @click.command()

+    @click.option('--heading', default='Our menu:')

+    @click.argument('items', nargs=-1)

+    def driver(heading, items):

+        # from https://montypython.fandom.com/wiki/Spam#The_menu

+        items = items or [

+            'Egg and bacon',

+            'Egg, sausage and bacon',

+            'Egg and spam',

+            'Egg, bacon and spam',

+            'Egg, bacon, sausage and spam',

+            'Spam, bacon, sausage and spam',

+            'Spam, egg, spam, spam, bacon and spam',

+            'Spam, spam, spam, egg and spam',

+            ('Spam, spam, spam, spam, spam, spam, baked beans, '

+             'spam, spam, spam and spam'),

+            ('Lobster thermidor aux crevettes with a mornay sauce '

+             'garnished with truffle paté, brandy '

+             'and a fried egg on top and spam'),

+        ]

+        index = cli._prompt_for_selection(items, heading=heading)

+        click.echo('A fine choice: ', nl=False)

+        click.echo(items[index])

+        click.echo('(Note: Vikings strictly optional.)')

+    runner = click.testing.CliRunner(mix_stderr=True)

+    result = runner.invoke(driver, [], input='9')

+    assert result.exit_code == 0, 'driver program failed'

+    assert result.stdout == '''\

+Our menu:

+[1] Egg and bacon

+[2] Egg, sausage and bacon

+[3] Egg and spam

+[4] Egg, bacon and spam

+[5] Egg, bacon, sausage and spam

+[6] Spam, bacon, sausage and spam

+[7] Spam, egg, spam, spam, bacon and spam

+[8] Spam, spam, spam, egg and spam

+[9] Spam, spam, spam, spam, spam, spam, baked beans, spam, spam, spam and spam

+[10] Lobster thermidor aux crevettes with a mornay sauce garnished with truffle paté, brandy and a fried egg on top and spam

+Your selection? (1-10, leave empty to abort): 9

+A fine choice: Spam, spam, spam, spam, spam, spam, baked beans, spam, spam, spam and spam

+(Note: Vikings strictly optional.)

+''', 'driver program produced unexpected output'

+    result = runner.invoke(driver, ['--heading='], input='',

+                           catch_exceptions=True)

+    assert result.exit_code > 0, 'driver program succeeded?!'

+    assert result.stdout == '''\

+[1] Egg and bacon

+[2] Egg, sausage and bacon

+[3] Egg and spam

+[4] Egg, bacon and spam

+[5] Egg, bacon, sausage and spam

+[6] Spam, bacon, sausage and spam

+[7] Spam, egg, spam, spam, bacon and spam

+[8] Spam, spam, spam, egg and spam

+[9] Spam, spam, spam, spam, spam, spam, baked beans, spam, spam, spam and spam

+[10] Lobster thermidor aux crevettes with a mornay sauce garnished with truffle paté, brandy and a fried egg on top and spam

+Your selection? (1-10, leave empty to abort): \n''', (

+        'driver program produced unexpected output'

+    )

+    assert isinstance(result.exception, IndexError), (

+        'driver program did not raise IndexError?!'

+    )

+

+

+def test_102_prompt_for_selection_single(monkeypatch: Any) -> None:

+    @click.command()

+    @click.option('--item', default='baked beans')

+    @click.argument('prompt')

+    def driver(item, prompt):

+        try:

+            cli._prompt_for_selection([item], heading='',

+                                      single_choice_prompt=prompt)

+        except IndexError as e:

+            click.echo('Boo.')

+            raise e

+        else:

+            click.echo('Great!')

+    runner = click.testing.CliRunner(mix_stderr=True)

+    result = runner.invoke(driver, ['Will replace with spam. Confirm, y/n?'],

+                           input='y')

+    assert result.exit_code == 0, 'driver program failed'

+    assert result.stdout == '''\

+[1] baked beans

+Will replace with spam. Confirm, y/n? y

+Great!

+''', 'driver program produced unexpected output'

+    result = runner.invoke(driver,

+                           ['Will replace with spam, okay? ' +

+                            '(Please say "y" or "n".)'],

+                           input='')

+    assert result.exit_code > 0, 'driver program succeeded?!'

+    assert result.stdout == '''\

+[1] baked beans

+Will replace with spam, okay? (Please say "y" or "n".): 

+Boo.

+''', 'driver program produced unexpected output'

+    assert isinstance(result.exception, IndexError), (

+        'driver program did not raise IndexError?!'

+    )

+

+

+def test_103_prompt_for_passphrase(monkeypatch: Any) -> None:

+    monkeypatch.setattr(click, 'prompt',

+                        lambda *a, **kw: json.dumps({'args': a, 'kwargs': kw}))

+    res = json.loads(cli._prompt_for_passphrase())

+    assert 'args' in res and 'kwargs' in res, (

+        'missing arguments to passphrase prompt'

+    )

+    assert res['args'][:1] == ['Passphrase'], (

+        'missing arguments to passphrase prompt'

+    )

+    assert (res['kwargs'].get('default') == ''

+            and not res['kwargs'].get('show_default', True)), (

+        'missing arguments to passphrase prompt'

+    )

+    assert res['kwargs'].get('err') and res['kwargs'].get('hide_input'), (

+        'missing arguments to passphrase prompt'

+    )

+

 def test_200_help_output():

     runner = click.testing.CliRunner(mix_stderr=False)

-    result = runner.invoke(derivepassphrase.cli.derivepassphrase, ['--help'])

+    result = runner.invoke(cli.derivepassphrase, ['--help'],

+                           catch_exceptions=False)

     assert result.exit_code == 0

     assert 'Password generation:\n' in result.output, (

         'Option groups not respected in help text.'

@@ -21,36 +312,20 @@ def test_200_help_output():

         'Option group epilog not printed.'

     )

-@pytest.mark.parametrize(['option'],

-                         [('--lower',), ('--upper',), ('--number',),

-                          ('--space',), ('--dash',), ('--symbol',),

-                          ('--repeat',), ('--length',)])

-def test_201_invalid_argument_range(option):

-    runner = click.testing.CliRunner(mix_stderr=False)

-    result = runner.invoke(derivepassphrase.cli.derivepassphrase,

-                           [option, '-42', '-p', DUMMY_SERVICE],

-                           input=DUMMY_PASSPHRASE)

-    assert result.exit_code > 0, (

-        f'program unexpectedly succeeded'

-    )

-    assert result.stderr_bytes, (

-        f'program did not print any error message'

-    )

-    assert b'Error: Invalid value' in result.stderr_bytes, (

-        f'program did not print the expected error message'

-    )

-

 @pytest.mark.parametrize(['charset_name'],

                          [('lower',), ('upper',), ('number',), ('space',),

                           ('dash',), ('symbol',)])

-@pytest.mark.xfail(reason='implementation not written yet')

-def test_202_disable_character_set(charset_name):

+def test_201_disable_character_set(

+    monkeypatch: Any, charset_name: str

+) -> None:

+    monkeypatch.setattr(cli, '_prompt_for_passphrase',

+                        lambda *a, **kw: DUMMY_PASSPHRASE.decode('UTF-8'))

     option = f'--{charset_name}'

-    charset = derivepassphrase.Vault._CHARSETS[charset_name].decode('ascii')

+    charset = dpp.Vault._CHARSETS[charset_name].decode('ascii')

     runner = click.testing.CliRunner(mix_stderr=False)

-    result = runner.invoke(derivepassphrase.cli.derivepassphrase,

+    result = runner.invoke(cli.derivepassphrase,

                            [option, '0', '-p', DUMMY_SERVICE],

-                           input=DUMMY_PASSPHRASE)

+                           input=DUMMY_PASSPHRASE, catch_exceptions=False)

     assert result.exit_code == 0, (

         f'program died unexpectedly with exit code {result.exit_code}'

     )

@@ -63,12 +338,13 @@ def test_202_disable_character_set(charset_name):

             f'{result.stdout!r}'

         )

-@pytest.mark.xfail(reason='implementation not written yet')

-def test_203_disable_repetition():

+def test_202_disable_repetition(monkeypatch: Any) -> None:

+    monkeypatch.setattr(cli, '_prompt_for_passphrase',

+                        lambda *a, **kw: DUMMY_PASSPHRASE.decode('UTF-8'))

     runner = click.testing.CliRunner(mix_stderr=False)

-    result = runner.invoke(derivepassphrase.cli.derivepassphrase,

+    result = runner.invoke(cli.derivepassphrase,

                            ['--repeat', '0', '-p', DUMMY_SERVICE],

-                           input=DUMMY_PASSPHRASE)

+                           input=DUMMY_PASSPHRASE, catch_exceptions=False)

     assert result.exit_code == 0, (

         f'program died unexpectedly with exit code {result.exit_code}'

     )

@@ -78,6 +354,544 @@ def test_203_disable_repetition():

     passphrase = result.stdout.rstrip('\r\n')

     for i in range(len(passphrase) - 1):

         assert passphrase[i:i+1] != passphrase[i+1:i+2], (

-            f'derived password contains repeated character at position {i}: '

-            f'{result.stdout!r}'

+            f'derived password contains repeated character '

+            f'at position {i}: {result.stdout!r}'

+        )

+

+@pytest.mark.parametrize(['command_line', 'config', 'result_config'], [

+    (['--delete-globals'],

+     {'global': {'phrase': 'abc'}, 'services': {}}, {'services': {}}),

+    (['--delete', DUMMY_SERVICE],

+     {'global': {'phrase': 'abc'},

+      'services': {DUMMY_SERVICE: {'notes': '...'}}},

+     {'global': {'phrase': 'abc'}, 'services': {}}),

+    (['--clear'],

+     {'global': {'phrase': 'abc'},

+      'services': {DUMMY_SERVICE: {'notes': '...'}}},

+     {'services': {}}),

+])

+def test_203_repeated_config_deletion(

+    monkeypatch: Any, command_line: list[str],

+    config: dpp.types.VaultConfig, result_config: dpp.types.VaultConfig,

+) -> None:

+    runner = click.testing.CliRunner(mix_stderr=False)

+    for start_config in [config, result_config]:

+        with isolated_config(monkeypatch=monkeypatch, runner=runner,

+                             config=start_config):

+            result = runner.invoke(cli.derivepassphrase, command_line,

+                                   catch_exceptions=False)

+            assert (result.exit_code, result.stderr_bytes) == (0, b''), (

+                'program exited with failure'

+            )

+            with open(cli._config_filename(), 'rt') as infile:

+                config_readback = json.load(infile)

+            assert config_readback == result_config

+

+def test_204_phrase_from_key_manually() -> None:

+    assert (

+        dpp.Vault(phrase=DUMMY_PHRASE_FROM_KEY1, **DUMMY_CONFIG_SETTINGS)

+        .generate(DUMMY_SERVICE) == DUMMY_RESULT_KEY1

+    )

+

+@pytest.mark.parametrize(['config'], [

+    pytest.param({'global': {'key': DUMMY_KEY1},

+                  'services': {DUMMY_SERVICE: DUMMY_CONFIG_SETTINGS}},

+                 id='global'),

+    pytest.param({'global': {'phrase': DUMMY_PASSPHRASE.rstrip(b'\n').decode('ASCII')},

+                  'services': {DUMMY_SERVICE: {'key': DUMMY_KEY1,

+                                               **DUMMY_CONFIG_SETTINGS}}},

+                 id='service'),

+])

+def test_204a_key_from_config(

+    monkeypatch: Any, config: dpp.types.VaultConfig,

+) -> None:

+    def phrase_from_key(key: bytes) -> bytes:

+        if key == base64.standard_b64decode(DUMMY_KEY1):  # pragma: no branch

+            return DUMMY_PHRASE_FROM_KEY1

+        raise KeyError(key)  # pragma: no cover

+    runner = click.testing.CliRunner(mix_stderr=False)

+    with isolated_config(monkeypatch=monkeypatch, runner=runner,

+                         config=config):

+        monkeypatch.setattr(dpp.Vault, 'phrase_from_key',

+                            phrase_from_key)

+        result = runner.invoke(cli.derivepassphrase, [DUMMY_SERVICE],

+                               catch_exceptions=False)

+        assert (result.exit_code, result.stderr_bytes) == (0, b''), (

+            'program exited with failure'

+        )

+        assert result.stdout_bytes.rstrip(b'\n') != DUMMY_RESULT_PASSPHRASE, (

+            'program generated unexpected result (phrase instead of key)'

+        )

+        assert result.stdout_bytes.rstrip(b'\n') == DUMMY_RESULT_KEY1, (

+            'program generated unexpected result (wrong settings?)'

+        )

+

+def test_204b_key_from_command_line(monkeypatch: Any) -> None:

+    KeyCommentPair = ssh_agent_client.types.KeyCommentPair

+    key_list = [

+        KeyCommentPair(base64.standard_b64decode(DUMMY_KEY1), b'no comment'),

+        KeyCommentPair(base64.standard_b64decode(DUMMY_KEY2), b'a comment'),

+    ]

+    def _suitable_ssh_keys(conn: Any) -> Iterator[KeyCommentPair]:

+        yield from key_list

+    def phrase_from_key(key: bytes) -> bytes:

+        if key == base64.standard_b64decode(DUMMY_KEY1):  # pragma: no branch

+            return DUMMY_PHRASE_FROM_KEY1

+        raise KeyError(key)  # pragma: no cover

+    runner = click.testing.CliRunner(mix_stderr=False)

+    with isolated_config(monkeypatch=monkeypatch, runner=runner,

+                         config={'services': {DUMMY_SERVICE: DUMMY_CONFIG_SETTINGS}}):

+        monkeypatch.setattr(cli, '_get_suitable_ssh_keys', _suitable_ssh_keys)

+        monkeypatch.setattr(dpp.Vault, 'phrase_from_key',

+                            phrase_from_key)

+        result = runner.invoke(cli.derivepassphrase,

+                               ['-k', DUMMY_SERVICE],

+                               input=b'1\n', catch_exceptions=False)

+        assert result.exit_code == 0, 'program exited with failure'

+        assert result.stdout_bytes, 'program output expected'

+        last_line = result.stdout_bytes.splitlines(True)[-1]

+        assert last_line.rstrip(b'\n') != DUMMY_RESULT_PASSPHRASE, (

+            'program generated unexpected result (phrase instead of key)'

+        )

+        assert last_line.rstrip(b'\n') == DUMMY_RESULT_KEY1, (

+            'program generated unexpected result (wrong settings?)'

+        )

+

+def test_205_service_phrase_if_key_in_global_config(monkeypatch: Any) -> None:

+    runner = click.testing.CliRunner(mix_stderr=False)

+    with isolated_config(

+        monkeypatch=monkeypatch, runner=runner,

+        config={

+            'global': {'key': DUMMY_KEY1},

+            'services': {

+                DUMMY_SERVICE: {

+                    'phrase': DUMMY_PASSPHRASE.rstrip(b'\n').decode('ASCII'),

+                    **DUMMY_CONFIG_SETTINGS}}}

+    ):

+        result = runner.invoke(cli.derivepassphrase, [DUMMY_SERVICE],

+                               catch_exceptions=False)

+        assert result.exit_code == 0, 'program exited with failure'

+        assert result.stdout_bytes, 'program output expected'

+        last_line = result.stdout_bytes.splitlines(True)[-1]

+        assert last_line.rstrip(b'\n') != DUMMY_RESULT_KEY1, (

+            'program generated unexpected result (key instead of phrase)'

+        )

+        assert last_line.rstrip(b'\n') == DUMMY_RESULT_PASSPHRASE, (

+            'program generated unexpected result (wrong settings?)'

+        )

+

+@pytest.mark.parametrize(['option'],

+                         [('--lower',), ('--upper',), ('--number',),

+                          ('--space',), ('--dash',), ('--symbol',),

+                          ('--repeat',), ('--length',)])

+def test_210_invalid_argument_range(option: str) -> None:

+    runner = click.testing.CliRunner(mix_stderr=False)

+    value: str | int

+    for value in '-42', 'invalid':

+        result = runner.invoke(cli.derivepassphrase,

+                               [option, cast(str, value), '-p', DUMMY_SERVICE],

+                               input=DUMMY_PASSPHRASE, catch_exceptions=False)

+        assert result.exit_code > 0, (

+            'program unexpectedly succeeded'

+        )

+        assert result.stderr_bytes, (

+            'program did not print any error message'

+        )

+        assert b'Error: Invalid value' in result.stderr_bytes, (

+            'program did not print the expected error message'

+        )

+

+@pytest.mark.parametrize(['vfunc', 'input'], [

+    (cli._validate_occurrence_constraint, 20),

+    (cli._validate_length, 20),

+])

+def test_210a_validate_constraints_manually(

+    vfunc: Callable[[click.Context, click.Parameter, Any], int | None],

+    input: int,

+) -> None:

+    ctx = cli.derivepassphrase.make_context(cli.prog_name, [])

+    param = cli.derivepassphrase.params[0]

+    assert vfunc(ctx, param, input) == input

+

+@pytest.mark.parametrize(

+    ['options', 'service', 'input', 'check_success'],

+    [(o.options, o.needs_service, o.input, o.check_success)

+     for o in INTERESTING_OPTION_COMBINATIONS if not o.incompatible],

+)

+def test_211_service_needed(

+    monkeypatch: Any, options: list[str],

+    service: bool | None, input: bytes | None, check_success: bool,

+) -> None:

+    def _prompt1(*args, **kwargs):

+        """Needed for --config handling."""

+        return DUMMY_PASSPHRASE.decode('UTF-8')

+    monkeypatch.setattr(cli, '_prompt_for_passphrase', _prompt1)

+    runner = click.testing.CliRunner(mix_stderr=False)

+    with isolated_config(monkeypatch=monkeypatch, runner=runner,

+                         config={'global': {'phrase': 'abc'},

+                                 'services': {}}):

+        result = runner.invoke(cli.derivepassphrase,

+                               options if service

+                               else options + [DUMMY_SERVICE],

+                               input=input, catch_exceptions=False)

+        if service is not None:

+            assert result.exit_code > 0, (

+                'program unexpectedly succeeded'

+            )

+            assert result.stderr_bytes, (

+                'program did not print any error message'

+            )

+            err_msg = (b' requires a SERVICE' if service

+                       else b' does not take a SERVICE argument')

+            assert err_msg in result.stderr_bytes, (

+                'program did not print the expected error message'

+            )

+        else: