Move to 1Password CLI 2, and support biometric authentication (#9)
* Migrate to 1Password CLI 2 V2 of the 1Password CLI is not backwards compatible: https://developer.1password.com/docs/cli/upgrade/#step-2-update-your-scripts * Support biometric * Update README * Update README.md Co-authored-by: Felipe Martin <812088+fmartingr@users.noreply.github.com> Co-authored-by: Felipe Martin <812088+fmartingr@users.noreply.github.com>
This commit is contained in:
parent
63afed98d3
commit
88e1aa6027
10
README.md
10
README.md
|
@ -8,6 +8,7 @@ Qutebrowser userscript to fill 1password credentials
|
|||
|
||||
- [The 1Password CLI](https://support.1password.com/command-line-getting-started/)
|
||||
Ensure you have it installed and set up. Follow the official documentation.
|
||||
> ℹ️ **Note**: Only the 1Password CLI v2 is supported.
|
||||
- [rofi](https://github.com/davatorium/rofi) to ask for password and list items
|
||||
|
||||
## How it works
|
||||
|
@ -34,20 +35,25 @@ Flags:
|
|||
- `--auto-submit` Will send a carriage return once the last character is sent, hopefully submitting the form.
|
||||
- `--cache-session` Caches the session for 30 minutes to prevent asking for the password again in that interval.
|
||||
- `--allow-insecure-sites` Allow filling in insecure (non-https) sites
|
||||
- `--biometric` Use biometric or PAM authentication instead of asking for the master password
|
||||
|
||||
Using the biometric flag requires installing the 1Password Desktop app and enabling "Biometric unlock" in it's Developer options.
|
||||
|
||||
```
|
||||
$ python qute_1pass.py --help
|
||||
usage: qute_1pass.py [-h] [--auto-submit] [--cache-session] [--allow-insecure-sites] command
|
||||
usage: qute_1pass.py [-h] [--auto-submit] [--cache-session] [--allow-insecure-sites] [--cache] [--biometric] command
|
||||
|
||||
positional arguments:
|
||||
command fill_credentials, fill_totp, fill_username, fill_password
|
||||
|
||||
optional arguments:
|
||||
options:
|
||||
-h, --help show this help message and exit
|
||||
--auto-submit Auto submit after filling
|
||||
--cache-session Cache 1password session for 30 minutes
|
||||
--allow-insecure-sites
|
||||
Allow filling credentials on insecure sites
|
||||
--cache store and use cached information
|
||||
--biometric Use biometric unlock - don't ask for password
|
||||
```
|
||||
|
||||
Call your script from qutebrowser using
|
||||
|
|
|
@ -22,17 +22,17 @@ SESSION_DURATION = timedelta(minutes=30)
|
|||
LAST_ITEM_PATH = os.path.join(CACHE_DIR, "last_item")
|
||||
LAST_ITEM_DURATION = timedelta(seconds=10)
|
||||
|
||||
OP_SUBDOMAIN = "my"
|
||||
CMD_PASSWORD_PROMPT = [
|
||||
"rofi", "-password", "-dmenu", "-p", "Vault Password", "-l", "0", "-sidebar", "-width", "20"
|
||||
]
|
||||
CMD_LIST_PROMPT = ["rofi", "-dmenu"]
|
||||
CMD_ITEM_SELECT = CMD_LIST_PROMPT + ["-p", "Select login"]
|
||||
|
||||
CMD_OP_LOGIN = ["op", "signin", "--output=raw"]
|
||||
CMD_OP_LIST_ITEMS = "op list items --categories Login --session {session_id}"
|
||||
CMD_OP_GET_ITEM = "op get item --session {session_id} {uuid}"
|
||||
CMD_OP_GET_TOTP = "op get totp --session {session_id} {uuid}"
|
||||
CMD_OP_CHECK_LOGIN = ["op", "whoami"]
|
||||
CMD_OP_LOGIN = ["op", "signin", "--raw"]
|
||||
CMD_OP_LIST_ITEMS = "op item list --categories Login --session {session_id} --format=json"
|
||||
CMD_OP_GET_ITEM = "op item get --session {session_id} {uuid} --format=json"
|
||||
CMD_OP_GET_TOTP = "op item get --otp --session {session_id} {uuid}"
|
||||
|
||||
QUTE_FIFO = os.environ["QUTE_FIFO"]
|
||||
|
||||
|
@ -58,6 +58,11 @@ parser.add_argument(
|
|||
help="store and use cached information",
|
||||
action="store_true",
|
||||
)
|
||||
parser.add_argument(
|
||||
"--biometric",
|
||||
help="Use biometric unlock - don't ask for password",
|
||||
action="store_true",
|
||||
)
|
||||
|
||||
|
||||
class Qute:
|
||||
|
@ -144,26 +149,35 @@ class OnePass:
|
|||
|
||||
@classmethod
|
||||
def login(cls):
|
||||
try:
|
||||
password = execute_command(CMD_PASSWORD_PROMPT)
|
||||
except ExecuteError:
|
||||
Qute.message_error("Error calling pinentry program")
|
||||
sys.exit(0)
|
||||
if arguments.biometric:
|
||||
try:
|
||||
execute_command(CMD_OP_CHECK_LOGIN)
|
||||
except ExecuteError:
|
||||
try:
|
||||
execute_command(CMD_OP_LOGIN)
|
||||
except ExecuteError:
|
||||
Qute.message_error("Login error")
|
||||
sys.exit(0)
|
||||
return "0"
|
||||
else:
|
||||
try:
|
||||
password = execute_command(CMD_PASSWORD_PROMPT)
|
||||
except ExecuteError:
|
||||
Qute.message_error("Error calling pinentry program")
|
||||
sys.exit(0)
|
||||
try:
|
||||
session_id = pipe_commands(
|
||||
["echo", "-n", password],
|
||||
CMD_OP_LOGIN)
|
||||
except ExecuteError:
|
||||
Qute.message_error("Login error")
|
||||
sys.exit(0)
|
||||
|
||||
try:
|
||||
session_id = pipe_commands(
|
||||
["echo", "-n", password],
|
||||
CMD_OP_LOGIN + [OP_SUBDOMAIN])
|
||||
except ExecuteError:
|
||||
Qute.message_error("Login error")
|
||||
sys.exit(0)
|
||||
|
||||
if arguments.cache_session:
|
||||
with open(SESSION_PATH, "w") as handler:
|
||||
handler.write(session_id)
|
||||
os.chmod(SESSION_PATH, 0o640)
|
||||
|
||||
return session_id
|
||||
if arguments.cache_session:
|
||||
with open(SESSION_PATH, "w") as handler:
|
||||
handler.write(session_id)
|
||||
os.chmod(SESSION_PATH, 0o640)
|
||||
return session_id
|
||||
|
||||
@classmethod
|
||||
def get_session(cls):
|
||||
|
@ -208,14 +222,14 @@ class OnePass:
|
|||
|
||||
def filter_host(item):
|
||||
"""Exclude items that does not match host on any configured URL"""
|
||||
if "URLs" in item["overview"]:
|
||||
return any(filter(lambda x: host in x["u"], item["overview"]["URLs"]))
|
||||
if "urls" in item:
|
||||
return any(filter(lambda x: host in x["href"], item["urls"]))
|
||||
return False
|
||||
|
||||
items = cls.list_items()
|
||||
filtered = filter(filter_host, items)
|
||||
mapping = {
|
||||
f"{host}: {item['overview']['title']} ({item['uuid']})": item
|
||||
f"{host}: {item['title']} ({item['id']})": item
|
||||
for item in filtered
|
||||
}
|
||||
|
||||
|
@ -233,15 +247,15 @@ class OnePass:
|
|||
# Cancelled
|
||||
return
|
||||
|
||||
return cls.get_item(mapping[credential]["uuid"])
|
||||
return cls.get_item(mapping[credential]["id"])
|
||||
|
||||
@classmethod
|
||||
def get_credentials(cls, item):
|
||||
username = password = None
|
||||
for field in item["details"]["fields"]:
|
||||
if field.get("designation") == "username":
|
||||
for field in item["fields"]:
|
||||
if field.get("purpose") == "USERNAME":
|
||||
username = field["value"]
|
||||
if field.get("designation") == "password":
|
||||
if field.get("purpose") == "PASSWORD":
|
||||
password = field["value"]
|
||||
|
||||
if username is None or password is None:
|
||||
|
@ -292,7 +306,7 @@ class CLI:
|
|||
Stores a reference to an item to easily get single information from it (password, TOTP)
|
||||
right after filling the username or credentials.
|
||||
"""
|
||||
last_item = {"host": extract_host(os.environ["QUTE_URL"]), "uuid": item["uuid"]}
|
||||
last_item = {"host": extract_host(os.environ["QUTE_URL"]), "id": item["id"]}
|
||||
with open(LAST_ITEM_PATH, "w") as handler:
|
||||
handler.write(json.dumps(last_item))
|
||||
os.chmod(LAST_ITEM_PATH, 0o640)
|
||||
|
@ -338,7 +352,7 @@ class CLI:
|
|||
if not item:
|
||||
item = self._get_item()
|
||||
|
||||
totp = OnePass.get_totp(item["uuid"])
|
||||
totp = OnePass.get_totp(item["id"])
|
||||
logger.error(totp)
|
||||
Qute.fill_totp(totp)
|
||||
|
||||
|
|
Loading…
Reference in New Issue