derivepassphrase.git

@@ -0,0 +1,58 @@

+import os

+

+

+def get_vault_key() -> bytes:

+    """Automatically determine the vault master key/password.

+

+    Query the `VAULT_KEY`, `LOGNAME`, `USER` and `USERNAME` environment

+    variables, in that order.  This is the same algorithm as vault uses.

+

+    Returns:

+        The master key/password.  This is generally used as input to

+        a key-derivation function to determine the *actual* encryption

+        and signing keys for the vault configuration.

+

+    Raises:

+        KeyError:

+            We cannot find any of the named environment variables.

+            Please set `VAULT_KEY` manually to the desired value.

+

+    """

+

+    username = (

+        os.environb.get(b'VAULT_KEY')

+        or os.environb.get(b'LOGNAME')

+        or os.environb.get(b'USER')

+        or os.environb.get(b'USERNAME')

+    )

+    if not username:

+        env_var = 'VAULT_KEY'

+        raise KeyError(env_var)

+    return username

+

+

+def get_vault_path() -> str | bytes | os.PathLike:

+    """Automatically determine the vault configuration path.

+

+    Query the `VAULT_PATH` environment variable, or default to

+    `~/.vault`.  This is the same algorithm as vault uses.  If not

+    absolute, then `VAULT_PATH` is relative to the home directory.

+

+    Returns:

+        The vault configuration path.  Depending on the vault version,

+        this may be a file or a directory.

+

+    Raises:

+        RuntimeError:

+            We cannot determine the home directory.  Please set `HOME`

+            manually to the correct value.

+

+    """

+

+    result = os.path.join(

+        os.path.expanduser('~'), os.environ.get('VAULT_PATH', '.vault')

+    )

+    if result.startswith('~'):

+        msg = 'Cannot determine home directory'

+        raise RuntimeError(msg)

+    return result

@@ -15,6 +15,8 @@ from cryptography.hazmat.primitives import ciphers, hashes, hmac, padding

 from cryptography.hazmat.primitives.ciphers import algorithms, modes

 from cryptography.hazmat.primitives.kdf import pbkdf2

+from derivepassphrase import exporter

+

 if TYPE_CHECKING:

     from collections.abc import Iterator

@@ -24,15 +26,6 @@ IV_SIZE = 16

 KEY_SIZE = MAC_SIZE = 32

 ENCRYPTED_KEYPAIR_SIZE = 128

 VERSION_SIZE = 1

-MASTER_KEYS_KEY = (

-    os.getenv('VAULT_KEY')

-    or os.getenv('LOGNAME')

-    or os.getenv('USER')

-    or os.getenv('USERNAME')

-)

-VAULT_PATH = os.path.join(

-    os.path.expanduser('~'), os.getenv('VAULT_PATH', '.vault')

-)

 logger = logging.getLogger(__name__)

@@ -448,18 +441,21 @@ def store(config: dict[str, Any], path: str, json_contents: bytes) -> None:

 def export_storeroom_data(

-    storeroom_path: str | bytes | os.PathLike = VAULT_PATH,

-    master_keys_key: str | bytes | None = MASTER_KEYS_KEY,

+    storeroom_path: str | bytes | os.PathLike | None = None,

+    master_keys_key: str | bytes | None = None,

 ) -> dict[str, Any]:

     """Export the full configuration stored in the storeroom.

     Args:

         storeroom_path:

-            Path to the storeroom; usually `~/.vault`.

+            Path to the storeroom; usually `~/.vault`.  If not given,

+            then query [`derivepassphrase.exporter.get_vault_path`][]

+            for the value.

         master_keys_key:

-            Encryption key/password for the master keys.  If not set via

-            the `VAULT_KEY` environment variable, this usually is the

-            user's username.

+            Encryption key/password for the master keys, usually the

+            username, or passed via the `VAULT_KEY` environment

+            variable.  If not given, then query

+            [`derivepassphrase.exporter.get_vault_key`][] for the value.

     Returns:

         The full configuration, as stored in the storeroom.

@@ -477,9 +473,10 @@ def export_storeroom_data(

     """

+    if storeroom_path is None:

+        storeroom_path = exporter.get_vault_path()

     if master_keys_key is None:

-        msg = 'Cannot determine master key; please set VAULT_KEY'

-        raise RuntimeError(msg)

+        master_keys_key = exporter.get_vault_key()

     with open(

         os.path.join(os.fsdecode(storeroom_path), '.keys'), encoding='utf-8'

     ) as master_keys_file:

@@ -15,7 +15,7 @@ from cryptography.hazmat.primitives import ciphers, hashes, hmac, padding

 from cryptography.hazmat.primitives.ciphers import algorithms, modes

 from cryptography.hazmat.primitives.kdf import pbkdf2

-from derivepassphrase import vault

+from derivepassphrase import exporter, vault

 logger = logging.getLogger(__name__)

@@ -252,20 +252,9 @@ if __name__ == '__main__':

     import os

     logging.basicConfig(level=('DEBUG' if os.getenv('DEBUG') else 'WARNING'))

-    with open(

-        os.path.join(

-            os.path.expanduser('~'), os.getenv('VAULT_PATH', '.vault')

-        ),

-        'rb',

-    ) as infile:

+    with open(exporter.get_vault_path(), 'rb') as infile:

         contents = base64.standard_b64decode(infile.read())

-    password = (

-        os.getenv('VAULT_KEY')

-        or os.getenv('LOGNAME')

-        or os.getenv('USER')

-        or os.getenv('USERNAME')

-    )

-    assert password

+    password = exporter.get_vault_key()

     try:

         config = V03Reader(contents, password).run()

     except ValueError: