small pixel drawing of a pufferfish pa

pa

#!/bin/sh
#
# pa - a simple password manager

pw_add() {
    if yn "Generate a password?"; then
        pass=$(rand_chars "${PA_LENGTH:-50}" "${PA_PATTERN:-A-Za-z0-9-_}") ||
            die "Couldn't generate a password"
    else
        # 'sread()' is a simple wrapper function around 'read'
        # to prevent user input from being printed to the terminal.
        sread pass "Enter a password"

        [ "$pass" ] ||
            die "Password can't be empty"

        sread pass2 "Enter a password (again)"

        # Disable this check as we dynamically populate the two
        # passwords using the 'sread()' function.
        # shellcheck disable=2154
        [ "$pass" = "$pass2" ] ||
            die "Passwords don't match"
    fi

    mkdir -p "$(dirname "./$name")" ||
        die "Couldn't create category '$(dirname "./$name" | cut -c3-)'"

    # Use 'age' to store the password in an encrypted file.
    # A heredoc is used here instead of a 'printf' to avoid
    # leaking the password through the '/proc' filesystem.
    #
    # Heredocs are sometimes implemented via temporary files,
    # however this is typically done using 'mkstemp()' which
    # is more secure than a leak in '/proc'.
    $age --encrypt -R "$recipients_file" -o "./$name.age" <<-EOF ||
		$pass
	EOF
        die "Couldn't encrypt $name.age"

    printf '%s\n' "Saved '$name' to the store."

    git_add_and_commit "./$name.age" "add '$name'"
}

pw_edit() {
    # Prefer /dev/shm because it's an in-memory
    # space that we can use to store data without
    # having bits laying around in sectors.
    tmpdir=/dev/shm
    # Fall back to /tmp - /dev/shm is Linux-only & /tmp
    # and shared memory space on other operating systems
    # have non-standard methods of setup/access.
    [ -w /dev/shm ] || tmpdir=/tmp

    # Reimplement mktemp here, because
    # mktemp isn't defined in POSIX.
    suffix=$(rand_chars 10 'A-Za-z0-9') ||
        die "Couldn't generate random characters"

    tmpfile=$tmpdir/pa.$suffix/$name.age

    mkdir -p "$(dirname "$tmpfile")" ||
        die "Couldn't create a shared memory dir"

    trap 'rm -rf "$tmpdir/pa.$suffix"' EXIT

    if [ ! -f "$name.age" ]; then new=true; else new=false && {
        $age --decrypt -i "$identities_file" -o "$tmpfile" "./$name.age" ||
            die "Couldn't decrypt $name.age"
    }; fi

    ${EDITOR:-vi} "$tmpfile"

    [ -f "$tmpfile" ] && {
        $age --encrypt -R "$recipients_file" -o "./$name.age" "$tmpfile" ||
            die "Couldn't encrypt $name.age"

        if $new; then printf '%s\n' "Saved '$name' to the store."; fi

        git_add_and_commit "./$name.age" "edit '$name'"
    }
}

pw_del() {
    yn "Delete password '$name'?" && {
        rm -f "./$name.age"

        # Remove empty parent directories of a password
        # entry. It's fine if this fails as it means that
        # another entry also lives in the same directory.
        rmdir -p "$(dirname "./$name")" 2>/dev/null || :

        git_add_and_commit "./$name.age" "delete '$name'"
    }
}

pw_show() {
    $age --decrypt -i "$identities_file" "./$name.age" ||
        die "Couldn't decrypt $name.age"
}

pw_list() {
    find . -type f -name \*.age | sed 's/..//;s/\.age$//' | sort
}

git_add_and_commit() {
    if $git_enabled; then git add "$1" && git commit -qm "$2"; fi
}

rand_chars() {
    # Generate random characters by reading '/dev/urandom' with the
    # 'tr' command to translate the random bytes into a
    # configurable character set.
    #
    # The 'dd' command is then used to read only the desired
    # password length, since head -c isn't POSIX compliant.
    #
    # Regarding usage of '/dev/urandom' instead of '/dev/random'.
    # See: https://www.2uo.de/myths-about-urandom
    #
    # $1 = number of chars to receive
    # $2 = filter for the chars
    LC_ALL=C tr -dc "$2" </dev/urandom | dd ibs=1 obs=1 count="$1" 2>/dev/null
}

yn() {
    printf '%s [y/N]: ' "$1"

    # Enable raw input to allow for a single byte to be read from
    # stdin without needing to wait for the user to press Return.
    [ -t 0 ] && stty -echo -icanon

    # Read a single byte from stdin using 'dd'. POSIX 'read' has
    # no support for single/'N' byte based input from the user.
    answer=$(dd ibs=1 count=1 2>/dev/null)

    # Disable raw input, leaving the terminal how we *should*
    # have found it.
    [ -t 0 ] && stty echo icanon

    printf '%s\n' "$answer"

    # Handle the answer here directly, enabling this function's
    # return status to be used in place of checking for '[yY]'
    # throughout this program.
    glob "$answer" '[yY]'
}

sread() {
    printf '%s: ' "$2"

    # Disable terminal printing while the user inputs their
    # password. POSIX 'read' has no '-s' flag which would
    # effectively do the same thing.
    [ -t 0 ] && stty -echo
    read -r "$1"
    [ -t 0 ] && stty echo

    printf '\n'
}

glob() {
    # This is a simple wrapper around a case statement to allow
    # for simple string comparisons against globs.
    #
    # Example: if glob "Hello World" '* World'; then
    #
    # Disable this warning as it is the intended behavior.
    # shellcheck disable=2254
    case $1 in $2) return 0 ;; esac
    return 1
}

die() {
    printf 'error: %s.\n' "$1" >&2
    exit 1
}

usage() {
    printf %s "\
  pa
    a simple password manager

  commands:
    [a]dd  [name] - Add a password entry.
    [d]el  [name] - Delete a password entry.
    [e]dit [name] - Edit a password entry with ${EDITOR:-vi}.
    [l]ist        - List all entries.
    [s]how [name] - Show password for an entry.

  env vars:
    Password length:   export PA_LENGTH=50
    Password pattern:  export PA_PATTERN=A-Za-z0-9-_
    Password dir:      export PA_DIR=~/.local/share/pa/passwords
    Disable tracking:  export PA_NOGIT=
"
    exit 0
}

main() {
    age=$(command -v age || command -v rage) ||
        die "age not found, install per https://age-encryption.org"

    age_keygen=$(command -v age-keygen || command -v rage-keygen) ||
        die "age-keygen not found, install per https://age-encryption.org"

    command=$1

    # Combine the rest of positional arguments into
    # a name and remove control characters from it
    # so that a name can always be safely displayed.
    shift
    name=$(printf %s "$*" | LC_ALL=C tr -d '[:cntrl:]')

    basedir=${XDG_DATA_HOME:=$HOME/.local/share}/pa
    : "${PA_DIR:=$basedir/passwords}"
    identities_file=$basedir/identities
    recipients_file=$basedir/recipients

    mkdir -p "$basedir" "$PA_DIR" ||
        die "Couldn't create pa directories"

    cd "$PA_DIR" ||
        die "Couldn't change to password directory"

    # Move any passwords hanging out in the old dir
    # for backwards-compat reasons
    mv "$basedir"/*.age "$PA_DIR" 2>/dev/null

    # Ensure that globbing is disabled
    # to avoid insecurities with word-splitting.
    set -f

    git_enabled=false
    [ -z "${PA_NOGIT+x}" ] && command -v git >/dev/null 2>&1 && git_enabled=true

    $git_enabled && [ ! -d .git ] && {
        git init

        # Put something in user config if it's not set globally,
        # because git doesn't allow to commit without it.
        git config user.name >/dev/null || git config user.name pa
        git config user.email >/dev/null || git config user.email ""

        # Configure diff driver for age encrypted files that treats them as
        # binary and decrypts them when a human-readable diff is requested.
        git config diff.age.binary true
        git config diff.age.textconv "$age --decrypt -i '$identities_file'"

        # Assign this diff driver to all passwords.
        printf '%s\n' '*.age diff=age' >.gitattributes

        git_add_and_commit . "initial commit"
    }

    glob "$command" '[ades]*' && [ -z "$name" ] &&
        die "Missing [name] argument"

    glob "$command" '[ds]*' && [ ! -f "$name.age" ] &&
        die "Password '$name' doesn't exist"

    glob "$command" 'a*' && [ -f "$name.age" ] &&
        die "Password '$name' already exists"

    glob "$name" '/*' || glob "$name" '*/' &&
        die "Name can't start or end with '/'"

    glob "$name" '../*' || glob "$name" '*/../*' &&
        die "Category went out of bounds"

    # First, copy any existing identities files from the old
    # storage location to the new one for backwards compat.
    # Then, attempt key generation.
    [ -f "$identities_file" ] ||
        cp ~/.age/key.txt "$identities_file" 2>/dev/null ||
        $age_keygen -o "$identities_file" 2>/dev/null

    [ -f "$recipients_file" ] ||
        $age_keygen -y -o "$recipients_file" "$identities_file" 2>/dev/null

    # Ensure that we leave the terminal in a usable state on Ctrl+C.
    [ -t 0 ] && trap 'stty echo icanon; trap - INT; kill -s INT 0' INT

    case $command in
    a*) pw_add ;;
    d*) pw_del ;;
    e*) pw_edit ;;
    l*) pw_list ;;
    s*) pw_show ;;
    *) usage ;;
    esac
}

# Ensure that debug mode is never enabled to
# prevent the password from leaking.
set +x

# Restrict permissions of any new files to
# only the current user.
umask 077

[ "$1" ] || usage && main "$@"