algae_cli/
passphrases.rs

1use std::path::PathBuf;
2
3use age::{secrecy::SecretString, Identity, Recipient};
4use clap::Parser;
5use dialoguer::Password;
6use miette::{miette, Context as _, IntoDiagnostic as _, Result};
7use pinentry::PassphraseInput;
8use tokio::fs::read_to_string;
9
10/// [Clap][clap] arguments for passphrases.
11///
12/// ```no_run
13/// use clap::Parser;
14/// use miette::Result;
15/// use algae_cli::passphrases::PassphraseArgs;
16///
17/// /// Your CLI tool
18/// #[derive(Parser)]
19/// struct Args {
20///     #[command(flatten)]
21///     pass: PassphraseArgs,
22/// }
23///
24/// #[tokio::main]
25/// async fn main() -> Result<()> {
26///     let args = Args::parse();
27///     let key = args.pass.require().await?;
28///     // use key somehow...
29/// # let _key = key;
30///     Ok(())
31/// }
32/// ```
33#[derive(Debug, Clone, Parser)]
34pub struct PassphraseArgs {
35	/// Path to a file containing a passphrase.
36	///
37	/// The contents of the file will be trimmed of whitespace.
38	#[arg(short = 'P', long)]
39	pub passphrase_path: Option<PathBuf>,
40
41	/// A passphrase as a string.
42	///
43	/// This is extremely insecure, only use when there is no other option. When on an interactive
44	/// terminal, make sure to wipe this command line from your history, or better yet not record it
45	/// in the first place (in Bash you often can do that by prepending a space to your command).
46	#[arg(long, conflicts_with = "passphrase_path")]
47	pub insecure_passphrase: Option<SecretString>,
48}
49
50impl PassphraseArgs {
51	/// Retrieve a passphrase from the user.
52	pub async fn require(&self) -> Result<Passphrase> {
53		self.get(false).await
54	}
55
56	/// Retrieve a passphrase from the user, with confirmation when prompting.
57	pub async fn require_with_confirmation(&self) -> Result<Passphrase> {
58		self.get(true).await
59	}
60
61	/// Retrieve a passphrase from the user, as a [`SecretString`].
62	pub async fn require_phrase(&self) -> Result<SecretString> {
63		self.get_phrase(false).await
64	}
65
66	/// Retrieve a passphrase from the user, as a [`SecretString`], with confirmation when prompting.
67	pub async fn require_phrase_with_confirmation(&self) -> Result<SecretString> {
68		self.get_phrase(true).await
69	}
70
71	async fn get(&self, confirm: bool) -> Result<Passphrase> {
72		self.get_phrase(confirm).await.map(Passphrase::new)
73	}
74
75	async fn get_phrase(&self, confirm: bool) -> Result<SecretString> {
76		if let Some(ref phrase) = self.insecure_passphrase {
77			Ok(phrase.clone())
78		} else if let Some(ref path) = self.passphrase_path {
79			Ok(read_to_string(path)
80				.await
81				.into_diagnostic()
82				.wrap_err("reading keyfile")?
83				.trim()
84				.into())
85		} else if let Some(mut input) = PassphraseInput::with_default_binary() {
86			input
87				.with_prompt("Passphrase:")
88				.required("Cannot use an empty passphrase");
89			if confirm {
90				input.with_confirmation("Confirm passphrase:", "Passphrases do not match");
91			}
92			input.interact().map_err(|err| miette!("{err}"))
93		} else {
94			let mut prompt = Password::new().with_prompt("Passphrase");
95			if confirm {
96				prompt = prompt.with_confirmation("Confirm passphrase", "Passphrases do not match");
97			}
98			let phrase = prompt.interact().into_diagnostic()?;
99			Ok(phrase.into())
100		}
101	}
102}
103
104/// A wrapper around [`age::scrypt::Recipient`] and [`age::scrypt::Identity`].
105///
106/// Such that a single struct implements both [`Recipient`] and [`Identity`]
107/// traits for a single passphrase, simplifying usage.
108pub struct Passphrase(age::scrypt::Recipient, age::scrypt::Identity);
109
110impl Passphrase {
111	/// Initialise from a string.
112	pub fn new(secret: SecretString) -> Self {
113		Self(
114			age::scrypt::Recipient::new(secret.clone()),
115			age::scrypt::Identity::new(secret),
116		)
117	}
118}
119
120impl Recipient for Passphrase {
121	fn wrap_file_key(
122		&self,
123		file_key: &age_core::format::FileKey,
124	) -> std::result::Result<
125		(
126			Vec<age_core::format::Stanza>,
127			std::collections::HashSet<String>,
128		),
129		age::EncryptError,
130	> {
131		self.0.wrap_file_key(file_key)
132	}
133}
134
135impl Identity for Passphrase {
136	fn unwrap_stanza(
137		&self,
138		stanza: &age_core::format::Stanza,
139	) -> Option<std::result::Result<age_core::format::FileKey, age::DecryptError>> {
140		self.1.unwrap_stanza(stanza)
141	}
142
143	fn unwrap_stanzas(
144		&self,
145		stanzas: &[age_core::format::Stanza],
146	) -> Option<std::result::Result<age_core::format::FileKey, age::DecryptError>> {
147		self.1.unwrap_stanzas(stanzas)
148	}
149}
algae_cli/passphrases.rs

algae_cli/
passphrases.rs
