pax_global_header comment=87678654cc36b43c1f859a0200d4ee745ca3bfd0

pass-git-helper-release-0.4/.gitignore

/build
/dist
*.egg-info

pass-git-helper-release-0.4/LICENSE.txt

GNU LESSER GENERAL PUBLIC LICENSE
Version 3, 29 June 2007

Copyright (C) 2007 Free Software Foundation, Inc.
Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed.

This version of the GNU Lesser General Public License incorporates the terms and conditions of version 3 of the GNU General Public License, supplemented by the additional permissions listed below.

0. Additional Definitions.

As used herein, "this License" refers to version 3 of the GNU Lesser General Public License, and the "GNU GPL" refers to version 3 of the GNU General Public License.

"The Library" refers to a covered work governed by this License, other than an Application or a Combined Work as defined below.

An "Application" is any work that makes use of an interface provided by the Library, but which is not otherwise based on the Library. Defining a subclass of a class defined by the Library is deemed a mode of using an interface provided by the Library.

A "Combined Work" is a work produced by combining or linking an Application with the Library. The particular version of the Library with which the Combined Work was made is also called the "Linked Version".

The "Minimal Corresponding Source" for a Combined Work means the Corresponding Source for the Combined Work, excluding any source code for portions of the Combined Work that, considered in isolation, are based on the Application, and not on the Linked Version.

The "Corresponding Application Code" for a Combined Work means the object code and/or source code for the Application, including any data and utility programs needed for reproducing the Combined Work from the Application, but excluding the System Libraries of the Combined Work.

1. Exception to Section 3 of the GNU GPL.

You may convey a covered work under sections 3 and 4 of this License without being bound by section 3 of the GNU GPL.

2. Conveying Modified Versions.

If you modify a copy of the Library, and, in your modifications, a facility refers to a function or data to be supplied by an Application that uses the facility (other than as an argument passed when the facility is invoked), then you may convey a copy of the modified version:

  a) under this License, provided that you make a good faith effort to ensure that, in the event an Application does not supply the function or data, the facility still operates, and performs whatever part of its purpose remains meaningful, or

  b) under the GNU GPL, with none of the additional permissions of this License applicable to that copy.

3. Object Code Incorporating Material from Library Header Files.

The object code form of an Application may incorporate material from a header file that is part of the Library. You may convey such object code under terms of your choice, provided that, if the incorporated material is not limited to numerical parameters, data structure layouts and accessors, or small macros, inline functions and templates (ten or fewer lines in length), you do both of the following:

  a) Give prominent notice with each copy of the object code that the Library is used in it and that the Library and its use are covered by this License.

  b) Accompany the object code with a copy of the GNU GPL and this license document.

4. Combined Works.

You may convey a Combined Work under terms of your choice that, taken together, effectively do not restrict modification of the portions of the Library contained in the Combined Work and reverse engineering for debugging such modifications, if you also do each of the following:

  a) Give prominent notice with each copy of the Combined Work that the Library is used in it and that the Library and its use are covered by this License.

  b) Accompany the Combined Work with a copy of the GNU GPL and this license document.

  c) For a Combined Work that displays copyright notices during execution, include the copyright notice for the Library among these notices, as well as a reference directing the user to the copies of the GNU GPL and this license document.

  d) Do one of the following:

    0) Convey the Minimal Corresponding Source under the terms of this License, and the Corresponding Application Code in a form suitable for, and under terms that permit, the user to recombine or relink the Application with a modified version of the Linked Version to produce a modified Combined Work, in the manner specified by section 6 of the GNU GPL for conveying Corresponding Source.

    1) Use a suitable shared library mechanism for linking with the Library. A suitable mechanism is one that (a) uses at run time a copy of the Library already present on the user's computer system, and (b) will operate properly with a modified version of the Library that is interface-compatible with the Linked Version.

  e) Provide Installation Information, but only if you would otherwise be required to provide such information under section 6 of the GNU GPL, and only to the extent that such information is necessary to install and execute a modified version of the Combined Work produced by recombining or relinking the Application with a modified version of the Linked Version. (If you use option 4d0, the Installation Information must accompany the Minimal Corresponding Source and Corresponding Application Code. If you use option 4d1, you must provide the Installation Information in the manner specified by section 6 of the GNU GPL for conveying Corresponding Source.)

5. Combined Libraries.

You may place library facilities that are a work based on the Library side by side in a single library together with other library facilities that are not Applications and are not covered by this License, and convey such a combined library under terms of your choice, if you do both of the following:

  a) Accompany the combined library with a copy of the same work based on the Library, uncombined with any other library facilities, conveyed under the terms of this License.

  b) Give prominent notice with the combined library that part of it is a work based on the Library, and explaining where to find the accompanying uncombined form of the same work.

6. Revised Versions of the GNU Lesser General Public License.

The Free Software Foundation may publish revised and/or new versions of the GNU Lesser General Public License from time to time. Such new versions will be similar in spirit to the present version, but may differ in detail to address new problems or concerns.

Each version is given a distinguishing version number. If the Library as you received it specifies that a certain numbered version of the GNU Lesser General Public License "or any later version" applies to it, you have the option of following the terms and conditions either of that published version or of any later version published by the Free Software Foundation. If the Library as you received it does not specify a version number of the GNU Lesser General Public License, you may choose any version of the GNU Lesser General Public License ever published by the Free Software Foundation.

If the Library as you received it specifies that a proxy can decide whether future versions of the GNU Lesser General Public License shall apply, that proxy's public statement of acceptance of any version is permanent authorization for you to choose that version for the Library.

pass-git-helper-release-0.4/README -> README.md

pass-git-helper-release-0.4/README.md

# pass-git-helper

A [git] credential helper implementation that lets you use [pass] as the credential backend for your git repositories.
This is achieved by explicitly defining mappings between hosts and entries in the password store.

## Preconditions

GPG must be configured to use a graphical pinentry dialog.
The shell cannot be used due to the interaction required by [git].

## Installation

System-wide:
```sh
sudo python3 setup.py install
```

For a single user:
```sh
python3 setup.py install --user
```
Ensure that `~/.local/bin` is in your `PATH` for the single-user installation.

## Usage

Create the file `~/.config/pass-git-helper/git-pass-mapping.ini`.
This file uses ini syntax to specify the mapping of hosts to entries in the passwordstore database.
Section headers define patterns which are matched against the host part of a URL with a git repository.
Matching supports wildcards (using the python [fnmatch module](https://docs.python.org/3.4/library/fnmatch.html)).
Each section needs to contain a `target` entry pointing to the entry in the password store with the password (and optionally username) to use.

Example:
```ini
[github.com*]
target=dev/github

[*.fooo-bar.*]
target=dev/fooo-bar
```

To instruct git to use the helper, set the `credential.helper` configuration option of git to:
```
/full/path/to/pass-git-helper
```
In case you do not want to include a full path, a workaround using a shell fragment needs to be used, i.e.:
```
!pass-git-helper $@
```

The option can be set e.g. via:
```sh
git config credential.helper '!pass-git-helper $@'
```

If you want to match entries not only based on the host, but also based on the path on a host, set `credential.useHttpPath` to `true` in your git config, e.g. via:
```sh
git config credential.useHttpPath true
```
Afterwards, entries can be matched against `host.com/path/to/repo` in the mapping.
This means that in order to use a specific account for a certain github project, you can then use the following mapping pattern:
```ini
[github.com/username/project*]
target=dev/github
```
Please note that when including the path in the mapping, the mapping expressions need to match against the whole path.
As a consequence, in case you want to use the same account for all github projects, you need to make sure that a wildcard covers the path of the URL, as shown here:
```ini
[github.com*]
target=dev/github
```
The host can be used as a variable to address a pass entry.
This is especially helpful for wildcard matches:
```ini
[*]
target=git-logins/${host}
```
With the above configuration directive, any host that did not match a previous section in the ini file is looked up under the `git-logins` directory in your passwordstore.

## Passwordstore Layout

As usual with [pass], this helper assumes that the password is contained in the first line of the passwordstore entry.
Additionally, if a second line is present, this line is interpreted as the username and also returned to the git process invoking this helper.
In case you use markers at the start of lines to identify what is contained in a line, e.g. `Username: fooo`, the options `skip_username` and `skip_password` can be defined in each mapping to skip the given number of characters from the beginning of the respective line.
Additionally, global defaults can be configured via the `DEFAULT` section:
```ini
[DEFAULT]
# this is actually the default
skip_password=0
# Length of "Username: "
skip_username=10

[somedomain]
target=special/somedomain
# somehow this entry does not have a prefix for the username
skip_username=0
```

## Command Line Options

`-l` can be given as an option to the script to produce logging output on stderr.
This might be useful to understand how the mapping is applied.

`-m MAPPING_FILE` can be specified to use an alternative mapping file location.

## Skipping Processing

In some automated contexts it might be necessary to prevent GPG from asking for the passphrase (via the agent).
To achieve this, you can disable the complete processing of this helper by defining the environment variable `PASS_GIT_HELPER_SKIP` with any content (or no content at all).
pass-git-helper will return immediately in this case, indicating to git that no suitable credentials could be found.

## License

This library is [free software](https://en.wikipedia.org/wiki/Free_software); you can redistribute it and/or modify it under the terms of the [GNU Lesser General Public License](https://en.wikipedia.org/wiki/GNU_Lesser_General_Public_License) as published by the [Free Software Foundation](https://en.wikipedia.org/wiki/Free_Software_Foundation); either version 3 of the License, or any later version.
This work is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
See the [GNU Lesser General Public License](https://www.gnu.org/copyleft/lgpl.html) for more details.

[git]: https://git-scm.com/
[pass]: http://www.passwordstore.org/ "pass - the standard unix password manager"

pass-git-helper-release-0.4/pass-git-helper

#!/usr/bin/env python3

import argparse
import configparser
import fnmatch
import logging
import os
import os.path
import subprocess
import sys

import xdg.BaseDirectory


LOGGER = logging.getLogger()
CONFIG_FILE_NAME = 'git-pass-mapping.ini'
DEFAULT_CONFIG_FILE = os.path.join(
    xdg.BaseDirectory.save_config_path('pass-git-helper'),
    CONFIG_FILE_NAME)


def parse_arguments():
    """Parse the command line; git passes the action as the last argument."""
    parser = argparse.ArgumentParser(
        description='Git credential helper using pass as the data source.',
        formatter_class=argparse.ArgumentDefaultsHelpFormatter)
    parser.add_argument(
        '-m', '--mapping',
        type=argparse.FileType('r'),
        metavar='MAPPING_FILE',
        default=None,
        help='A mapping file to be used, specifying how hosts '
             'map to pass entries. Overrides the default mapping files from '
             'XDG config locations, usually: {}'.format(DEFAULT_CONFIG_FILE))
    parser.add_argument(
        '-l', '--logging',
        action='store_true',
        default=False,
        help='Print debug messages on stderr. '
             'Might include sensitive information')
    parser.add_argument(
        'action',
        type=str,
        metavar='ACTION',
        help='Action to perform as specified in the git credential API')

    args = parser.parse_args()

    return args


def parse_mapping(mapping_file):
    """Load the ini mapping from the given file or the XDG config location."""
    LOGGER.debug('Parsing mapping file. Command line: %s', mapping_file)

    def parse(mapping_file):
        config = configparser.ConfigParser()
        config.read_file(mapping_file)
        return config

    # give precedence to the user-specified file
    if mapping_file is not None:
        LOGGER.debug('Parsing command line mapping file')
        return parse(mapping_file)

    # fall back on XDG config location
    xdg_config_dir = xdg.BaseDirectory.load_first_config('pass-git-helper')
    if xdg_config_dir is None:
        raise RuntimeError(
            'No mapping configured so far at any XDG config location. '
            'Please create {}'.format(DEFAULT_CONFIG_FILE))
    mapping_file = os.path.join(xdg_config_dir, CONFIG_FILE_NAME)
    LOGGER.debug('Parsing mapping file %s', mapping_file)
    with open(mapping_file, 'r') as file_handle:
        return parse(file_handle)


def parse_request():
    """Read the key=value request that git writes to stdin into a dict."""
    in_lines = sys.stdin.readlines()
    LOGGER.debug('Received request "%s"', in_lines)

    request = {}
    for line in in_lines:
        # skip empty lines to be a bit resilient against protocol errors
        if not line.strip():
            continue

        parts = line.split('=', 1)
        assert len(parts) == 2
        request[parts[0].strip()] = parts[1].strip()

    return request


def get_password(request, mapping):
    """Print the credentials of the first mapping section matching the request."""
    LOGGER.debug('Received request "%s"', request)

    if 'host' not in request:
        LOGGER.error('host= entry missing in request. '
                     'Cannot query without a host')
        return

    # git only sends path= when credential.useHttpPath is enabled; from here
    # on "host" is the string matched against the section patterns
    host = request['host']
    if 'path' in request:
        host = os.path.join(host, request['path'])

    def decode_skip(line, skip):
        return line.decode('utf-8')[skip:]

    LOGGER.debug('Iterating mapping to match against host "%s"', host)
    # sections are tried in file order and the first match wins
    for section in mapping.sections():
        if fnmatch.fnmatch(host, section):
            LOGGER.debug('Section "%s" matches requested host "%s"',
                         section, host)
            # TODO handle exceptions
            pass_target = mapping.get(section, 'target').replace(
                "${host}", host)

            skip_password_chars = mapping.getint(
                section, 'skip_password', fallback=0)
            skip_username_chars = mapping.getint(
                section, 'skip_username', fallback=0)

            LOGGER.debug('Requesting entry "%s" from pass', pass_target)
            output = subprocess.check_output(['pass', 'show', pass_target])
            lines = output.splitlines()
            # first line is the password, an optional second line the username
            if len(lines) >= 1:
                print('password={}'.format(
                    decode_skip(lines[0], skip_password_chars)))
                if 'username' not in request and len(lines) >= 2:
                    print('username={}'.format(
                        decode_skip(lines[1], skip_username_chars)))
            return

    LOGGER.warning('No mapping matched')
    sys.exit(1)


def handle_skip():
    """Exit without contacting pass or GPG if PASS_GIT_HELPER_SKIP is set."""
    if 'PASS_GIT_HELPER_SKIP' in os.environ:
        LOGGER.info(
            'Skipping processing as requested via environment variable')
        sys.exit(1)


def main():
    args = parse_arguments()

    if args.logging:
        logging.basicConfig(level=logging.DEBUG)

    handle_skip()

    action = args.action
    request = parse_request()
    LOGGER.debug('Received action %s with request:\n%s', action, request)

    try:
        mapping = parse_mapping(args.mapping)
    except Exception as error:
        LOGGER.critical('Unable to parse mapping file', exc_info=True)
        print('Unable to parse mapping file: {}'.format(error),
              file=sys.stderr)
        sys.exit(1)

    if action == 'get':
        get_password(request, mapping)
    else:
        LOGGER.info('Action %s is currently not supported', action)
        sys.exit(1)


if __name__ == '__main__':
    main()

pass-git-helper-release-0.4/setup.py

from setuptools import setup

setup(
    name='pass-git-helper',
    version='0.4',

    install_requires=['pyxdg'],

    scripts=['pass-git-helper'],

    author='Johannes Wienke',
    author_email='languitar@semipol.de',
    url='https://github.com/languitar/pass-git-helper',
    description='A git credential helper interfacing with pass, '
                'the standard unix password manager.',

    license='LGPLv3+',
    keywords=['git', 'passwords', 'pass', 'credentials', 'password store'],
    classifiers=[
        'Programming Language :: Python :: 3',
        'Topic :: Utilities',
        'License :: OSI Approved :: '
        'GNU Lesser General Public License v3 or later (LGPLv3+)'
    ])
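
The mapping rules from the README's Usage section and the matching loop in `get_password`, as an added example that is not part of the pass-git-helper sources. The mapping, its `dev/...` targets and the host names are constructed, and `resolve` and `audit` are hypothetical helper names; the example also shows that a trailing `*` is not anchored at a separator, so `[github.com*]` matches `github.com.example.net` as well.

```python
import configparser
import fnmatch
import io
import os.path

# Constructed mapping for illustration; the targets are hypothetical pass entries.
MAPPING = """
[DEFAULT]
skip_username=10

[github.com/username/project*]
target=dev/github-project

[github.com*]
target=dev/github

[*]
target=git-logins/${host}
skip_username=0
"""


def resolve(request, mapping_text=MAPPING):
    """Return (section, pass target, skip_username) as the helper's matching
    loop would choose them, or None when no section matches."""
    mapping = configparser.ConfigParser()
    mapping.read_file(io.StringIO(mapping_text))
    host = request['host']
    if 'path' in request:  # sent by git only with credential.useHttpPath=true
        host = os.path.join(host, request['path'])
    for section in mapping.sections():  # file order, first match wins
        if fnmatch.fnmatch(host, section):
            target = mapping.get(section, 'target').replace('${host}', host)
            skip = mapping.getint(section, 'skip_username', fallback=0)
            return section, target, skip
    return None


def audit(hosts, mapping_text=MAPPING):
    """Map each host to the pass entry it would be given, to review wildcards."""
    result = {}
    for host in hosts:
        match = resolve({'host': host}, mapping_text)
        result[host] = match[1] if match else None
    return result


if __name__ == '__main__':
    print(resolve({'host': 'github.com', 'path': 'username/project.git'}))
    print(resolve({'host': 'github.com', 'path': 'other/repo.git'}))
    print(audit(['github.com', 'github.com.example.net', 'git.example.org']))
```

To confine a section to a single host, use the exact name `[github.com]` when `credential.useHttpPath` is off, or `[github.com/*]` when it is on.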