1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
|
// Copyright 2013 Google Inc. All Rights Reserved.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package keyring
import (
"encoding/base64"
"encoding/hex"
"fmt"
"io"
"os/exec"
"strings"
"github.com/alessio/shellescape"
)
const (
execPathKeychain = "/usr/bin/security"
// encodingPrefix is a well-known prefix added to strings encoded by Set.
encodingPrefix = "go-keyring-encoded:"
base64EncodingPrefix = "go-keyring-base64:"
)
type macOSXKeychain struct{}
// func (*MacOSXKeychain) IsAvailable() bool {
// return exec.Command(execPathKeychain).Run() != exec.ErrNotFound
// }
// Get password from macos keyring given service and user name.
func (k macOSXKeychain) Get(service, username string) (string, error) {
out, err := exec.Command(
execPathKeychain,
"find-generic-password",
"-s", service,
"-wa", username).CombinedOutput()
if err != nil {
if strings.Contains(string(out), "could not be found") {
err = ErrNotFound
}
return "", err
}
trimStr := strings.TrimSpace(string(out[:]))
// if the string has the well-known prefix, assume it's encoded
if strings.HasPrefix(trimStr, encodingPrefix) {
dec, err := hex.DecodeString(trimStr[len(encodingPrefix):])
return string(dec), err
} else if strings.HasPrefix(trimStr, base64EncodingPrefix) {
dec, err := base64.StdEncoding.DecodeString(trimStr[len(base64EncodingPrefix):])
return string(dec), err
}
return trimStr, nil
}
// Set stores a secret in the macos keyring given a service name and a user.
func (k macOSXKeychain) Set(service, username, password string) error {
// if the added secret has multiple lines or some non ascii,
// osx will hex encode it on return. To avoid getting garbage, we
// encode all passwords
password = base64EncodingPrefix + base64.StdEncoding.EncodeToString([]byte(password))
cmd := exec.Command(execPathKeychain, "-i")
stdIn, err := cmd.StdinPipe()
if err != nil {
return err
}
if err = cmd.Start(); err != nil {
return err
}
command := fmt.Sprintf("add-generic-password -U -s %s -a %s -w %s\n", shellescape.Quote(service), shellescape.Quote(username), shellescape.Quote(password))
if len(command) > 4096 {
return ErrSetDataTooBig
}
if _, err := io.WriteString(stdIn, command); err != nil {
return err
}
if err = stdIn.Close(); err != nil {
return err
}
err = cmd.Wait()
return err
}
// Delete deletes a secret, identified by service & user, from the keyring.
func (k macOSXKeychain) Delete(service, username string) error {
out, err := exec.Command(
execPathKeychain,
"delete-generic-password",
"-s", service,
"-a", username).CombinedOutput()
if strings.Contains(string(out), "could not be found") {
err = ErrNotFound
}
return err
}
func init() {
provider = macOSXKeychain{}
}
|
