Skip to content

Instantly share code, notes, and snippets.

What would you like to do?
CLI tool to unlock the XDG Secret collection used by 99designs/aws-vault
#!/usr/bin/env python3
# Copyright © 2020 Pennock Tech, LLC
# SPDX-License-Identifier: MIT
aws-vault-unlock: unlock (or lock) the awsvault libsecret collection
The XDG folks specify the Secret service available over D-Bus.
When everything works right, 99designs/aws-vault trying to access a locked
collection automatically prompts for it to be unlocked.
When things do not work right, it's time to manually unlock it.
After which, even after locking it, automatic unlocking should happen.
You could also install Seahorse and use a GUI, but if you have more than
"a very small number" of OpenPGP keys on your system, then you will likely
regret that approach.
__author__ = ' (Phil Pennock)'
import argparse
import contextlib
import sys
import secretstorage # pip: SecretStorage
except ModuleNotFoundError as e:
print(f'{e}\n Suggestion: pip install SecretStorage\n')
COLLECTION_PATH_PREFIX = '/org/freedesktop/secrets/collection/'
parser = argparse.ArgumentParser()
parser.add_argument('-l', '--lock',
action='store_true', default=False,
help='Lock secret collection/vault')
parser.add_argument('-u', '--unlock',
action='store_true', default=False,
help='Unlock secret collection/vault')
action='store_true', default=False,
help='List known collections')
help='Collection alias to query [%(default)s]')
options = parser.parse_args()
if not (options.lock or options.unlock or options.list):
options.unlock = True
# Allow both unlock and lock: treat as desire to lock-then-unlock, bouncing
# the collection. Non-sensical perhaps, but do it.
with contextlib.closing(secretstorage.dbus_init()) as conn:
if options.list:
print('{:30} {:6} {}'.format('Collection', 'Locked', 'Path'))
LAYOUT='{!r:30} {:6} {!r}'
for collection in secretstorage.get_all_collections(conn):
print(LAYOUT.format(collection.get_label(), str(collection.is_locked()), collection.collection_path))
# collection = secretstorage.get_collection_by_alias(conn, options.collection_name)
# 'awsvault' is not an alias and I can find no way to look up a list of aliases,
# or any other introspection. Reading the 99designs/keyring Go code, they just iterate
# all the collections and look for a path match.
needle = COLLECTION_PATH_PREFIX + options.collection_name
candidates = [c for c in secretstorage.get_all_collections(conn) if c.collection_path == needle]
if len(candidates) == 0:
print(f'secret storage: collection {options.collection_name!r} NOT FOUND', file=sys.stderr)
if len(candidates) > 1:
C = len(candidates)
print(f'secret storage: collection {options.collection_name!r} has {C} matches, assuming attack, aborting', file=sys.stderr)
collection = candidates[0]
if options.lock:
if collection.is_locked():
print(f'secret storage: collection {options.collection_name!r} was already locked', file=sys.stderr)
print(f'secret storage: collection {options.collection_name!r} now locked', file=sys.stderr)
if options.unlock:
if collection.is_locked():
print(f'secret storage: collection {options.collection_name!r} now unlocked', file=sys.stderr)
print(f'secret storage: collection {options.collection_name!r} was already unlocked', file=sys.stderr)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment