CLI tool to unlock the XDG Secret collection used by 99designs/aws-vault

aws-vault-unlock

#!/usr/bin/env python3
#
# Copyright © 2020 Pennock Tech, LLC
# SPDX-License-Identifier: MIT

"""
aws-vault-unlock: unlock (or lock) the awsvault libsecret collection

The XDG folks specify the Secret service available over D-Bus.
When everything works right, 99designs/aws-vault trying to access a locked
collection automatically prompts for it to be unlocked.
When things do not work right, it's time to manually unlock it.
After which, even after locking it, automatic unlocking should happen.

You could also install Seahorse and use a GUI, but if you have more than
"a very small number" of OpenPGP keys on your system, then you will likely
regret that approach.
"""

__author__ = 'phil@pennock-tech.com (Phil Pennock)'

import argparse
import contextlib
import sys

try:
    import secretstorage    # pip: SecretStorage
except ModuleNotFoundError as e:
    print(f'{e}\n  Suggestion: pip install SecretStorage\n')
    sys.exit(1)

DEF_COLLECTION_NAME = 'awsvault'
COLLECTION_PATH_PREFIX = '/org/freedesktop/secrets/collection/'

parser = argparse.ArgumentParser()
parser.add_argument('-l', '--lock',
                    action='store_true', default=False,
                    help='Lock secret collection/vault')
parser.add_argument('-u', '--unlock',
                    action='store_true', default=False,
                    help='Unlock secret collection/vault')
parser.add_argument('--list',
                    action='store_true', default=False,
                    help='List known collections')
parser.add_argument('--collection-name',
                    default=DEF_COLLECTION_NAME,
                    help='Collection alias to query [%(default)s]')
options = parser.parse_args()
if not (options.lock or options.unlock or options.list):
    options.unlock = True
# Allow both unlock and lock: treat as desire to lock-then-unlock, bouncing
# the collection.  Non-sensical perhaps, but do it.

with contextlib.closing(secretstorage.dbus_init()) as conn:
    if options.list:
        print('{:30} {:6} {}'.format('Collection', 'Locked', 'Path'))
        LAYOUT='{!r:30} {:6} {!r}'
        for collection in secretstorage.get_all_collections(conn):
            print(LAYOUT.format(collection.get_label(), str(collection.is_locked()), collection.collection_path))
        sys.exit(0)

    # collection = secretstorage.get_collection_by_alias(conn, options.collection_name)
    # 'awsvault' is not an alias and I can find no way to look up a list of aliases,
    # or any other introspection.  Reading the 99designs/keyring Go code, they just iterate
    # all the collections and look for a path match.
    needle = COLLECTION_PATH_PREFIX + options.collection_name
    candidates = [c for c in secretstorage.get_all_collections(conn) if c.collection_path == needle]
    if len(candidates) == 0:
        print(f'secret storage: collection {options.collection_name!r} NOT FOUND', file=sys.stderr)
        sys.exit(1)
    if len(candidates) > 1:
        C = len(candidates)
        print(f'secret storage: collection {options.collection_name!r} has {C} matches, assuming attack, aborting', file=sys.stderr)
        sys.exit(1)
    collection = candidates[0]

    if options.lock:
        if collection.is_locked():
            print(f'secret storage: collection {options.collection_name!r} was already locked', file=sys.stderr)
        else:
            collection.lock()
            print(f'secret storage: collection {options.collection_name!r} now locked', file=sys.stderr)

    if options.unlock:
        if collection.is_locked():
            collection.unlock()
            print(f'secret storage: collection {options.collection_name!r} now unlocked', file=sys.stderr)
        else:
            print(f'secret storage: collection {options.collection_name!r} was already unlocked', file=sys.stderr)