rbrich
diff --git a/‎.github/workflows/python-app.yml‎
Lines changed: 5 additions & 3 deletions b/‎.github/workflows/python-app.yml‎
Lines changed: 5 additions & 3 deletions
diff --git a/‎Makefile‎
Lines changed: 3 additions & 4 deletions b/‎Makefile‎
Lines changed: 3 additions & 4 deletions
diff --git a/‎README.rst‎
Lines changed: 28 additions & 22 deletions b/‎README.rst‎
Lines changed: 28 additions & 22 deletions
diff --git a/‎VERSION‎
Lines changed: 1 addition & 1 deletion b/‎VERSION‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎docs/keybox.rst‎
Lines changed: 0 additions & 8 deletions b/‎docs/keybox.rst‎
Lines changed: 0 additions & 8 deletions
diff --git a/‎docs/requirements.txt‎
Lines changed: 0 additions & 1 deletion b/‎docs/requirements.txt‎
Lines changed: 0 additions & 1 deletion
diff --git a/‎keybox/__init__.py‎
Lines changed: 1 addition & 1 deletion b/‎keybox/__init__.py‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎keybox/backend/__init__.py‎
Lines changed: 7 additions & 1 deletion b/‎keybox/backend/__init__.py‎
Lines changed: 7 additions & 1 deletion
diff --git a/‎keybox/memory.py‎ renamed to ‎keybox/backend/os_unix.py‎
Lines changed: 31 additions & 15 deletions b/‎keybox/memory.py‎ renamed to ‎keybox/backend/os_unix.py‎
Lines changed: 31 additions & 15 deletions
@@ -30,7 +30,7 @@ jobs:
         sudo apt-get install --no-install-recommends -y wamerican
         python -m pip install --upgrade pip
         pip install flake8 twine wheel tox
-        pip install -r requirements.txt -r test-requirements.txt -r docs/requirements.txt
+        pip install -r requirements.txt
 
     - name: Lint with flake8
       run: |
@@ -42,8 +42,10 @@ jobs:
     - name: Build and check package
       run: make check
 
-    - name: Build zipapp
-      run: make zipapp
+    - name: Build and check zipapp
+      run: |
+        make zipapp
+        build/keybox.pyz pwgen
 
     - name: Build docs
       run: make -C docs html
 
@@ -12,8 +12,8 @@ dist/keybox-$(VERSION).tar.gz:
 
 $(BUILD)/keybox.pyz: keybox
 	rm -rf $(ZIPAPP)
-	mkdir -p $(ZIPAPP)/keybox
-	cp keybox/*.py $(ZIPAPP)/keybox
+	mkdir -p $(ZIPAPP)
+	cp -r keybox $(ZIPAPP)
 	python3 -m zipapp $(ZIPAPP) -m 'keybox.main:main' -p '/usr/bin/env python3' -o $@
 
 cryptoref: cryptoref/cryptoref.pyx
@@ -23,8 +23,7 @@ test:
 	python3 setup.py pytest
 
 .coverage: keybox tests .coveragerc
-	env COVERAGE=1 coverage run --parallel-mode setup.py pytest
-	coverage combine
+	coverage run setup.py pytest
 
 cov: .coverage
 	coverage report --show-missing --fail-under=70
 
@@ -17,94 +17,100 @@ using some other tool.
 Features:
 
 - Data encrypted using strong encryption (PyNaCl)
-- Simple tab-delimited file format
+- Inside encrypted envelope, it's a simple tab-delimited file format
 - Shell-like text user interface
 
 Security:
 
 - Master password is saved in memory for as long as the program runs.
-- Neither the password nor decrypted data are ever written to disk.
+- Neither the password nor decrypted data are written to the disk (unless explicitly exported).
 
 Portability:
 
-- The script should run on any system with Python3 installed.
+- The script should run on any system with Python3 installed (including Windows).
 - Requires no installation. You can bring your keybox with you anywhere.
 - Can be contained in a single Python file (see `Static Distribution`_ below)
 
 Dependencies:
 
-- POSIX OS
 - Python 3.7 or later
-- PyNaCl, blessed, pyperclip
+- PyNaCl, prompt_toolkit, blessed, pyperclip
 
 
 Installation
 ------------
 
-Install Python package together with the ``keybox`` wrapper script,
+Install Python package, together with the ``keybox`` wrapper script,
 from PyPI::
 
     pip3 install keybox
 
 That's it. PIP should pull in the required dependencies.
 
+From source / Git repo
+``````````````````````
+
 Alternatively, install from source::
 
     python3 setup.py install
 
-The package can also be run directly, without installation::
+The package can also run without installation, directly from source tree root::
 
     python3 -m keybox
 
-Dependencies:
+Dependencies
+````````````
 
-* ``/usr/share/dict/words``
+* `pynacl <https://pynacl.readthedocs.io/en/latest/install/>`_ - the encryption
 
-    - required for pwgen
-    - Debian: ``apt install wamerican``
+* **argon2-cffi** - optional, replaces argon2 from PyNaCl when available
 
-* blessed, pyperclip - terminal utility
+* **prompt_toolkit, blessed, pyperclip** - command-line and shell
 
-* `pynacl <https://pynacl.readthedocs.io/en/latest/install/>`_
+*  ``/usr/share/dict/words``
 
-* argon2-cffi - optional, replaces argon2 from PyNaCl when available
+   * used for password generator
+   * Debian: ``apt install wamerican``
+   * when not available, a replacement ``words`` file is downloaded from Internet
+     (This is the only option on Windows)
 
-* pytest, pexpect - for tests
+* **pytest, coverage** - for tests
 
 Getting Started
 ---------------
 
 Run the program, choose a master password. A new keybox file will be created.
 
-You are now in the shell. The basic workflow is as follows:
+You are now in the shell. The basic workflow uses the following commands:
 
 - **add** some passwords
 - **list** the records
 - **select** a record
 - **print** the password
 - **quit**
 
-Type **help** for a list of all commands.
+Type **help** for a list of all commands, **help <cmd>** for description of each command and its parameters.
 
 
 Config file
 -----------
 
-The default config file path is `~/.keybox/keybox.conf`.
+The default config file path is ``~/.keybox/keybox.conf``.
 It can be used to point to a different location for the keybox file::
 
     [keybox]
     path = ~/vcs/keybox/keybox.safe
 
-The default path is `~/.keybox/keybox.safe`.
+Without the config file, the default keybox path is ``~/.keybox/keybox.safe``.
 
 
 Password Generator
 ------------------
 
 A bundled password generator can be called from command line (``keybox pwgen``)
 or internally from the shell.
-In the shell, try ``<tab>`` when asked for a password (in the ``add`` command).
+In the shell, use ``<tab>`` when asked for a password (in the ``add``/``modify`` commands)
+to generate some random passwords.
 
 Pwgen is based on the system word list that is usually found in ``/usr/share/dict/words``.
 By default, it generates a password from two concatenated words, altered by
@@ -118,10 +124,10 @@ Static Distribution
 -------------------
 
 Call ``make zipapp`` to create a `zipapp file <https://docs.python.org/3.5/library/zipapp.html#the-python-zip-application-archive-format>`_ containing all sources.
-The zipapp file is written to ``dist`` directory and is directly executable
+The zipapp file is written to ``build`` directory and is directly executable
 by Python.
 
-The make target uses ``zipapp`` module which is available since Python 3.5.
+The Makefile target uses ``zipapp`` module which is available since Python 3.5.
 
 
 Development
 
@@ -1 +1 @@
-0.4.1
+0.5.0
@@ -25,14 +25,6 @@ keybox.keybox module
     :undoc-members:
     :show-inheritance:
 
-keybox.memory module
----------------------
-
-.. automodule:: keybox.memory
-    :members:
-    :undoc-members:
-    :show-inheritance:
-
 keybox.pwgen module
 -------------------
 
 
@@ -1,2 +1,2 @@
-__all__ = ('envelope', 'envelope_gpg', 'fileformat', 'keybox', 'main', 'memory', 'pwgen',
+__all__ = ('datasafe', 'envelope', 'envelope_gpg', 'fileformat', 'keybox', 'main', 'pwgen',
            'record', 'shell', 'stringutil', 'ui')
@@ -14,10 +14,13 @@
     'crc32',
     # utility
     'randombytes',
+    'SecureMemory',
+    'lock_file',
+    'timeout',
 )
 
 # ordered by priority, the first one providing a function will be picked
-all_backend_names = ('cryptoref', 'argon2_cffi', 'pynacl', 'standard')
+all_backend_names = ('cryptoref', 'argon2_cffi', 'pynacl', 'os_unix', 'os_windows', 'standard')
 
 symbol_provided_by = {
     'Argon2Params': ('argon2_cffi', 'pynacl'),
@@ -29,6 +32,9 @@
     'deflate_decompress': ('standard',),
     'crc32': ('standard',),
     'randombytes': ('pynacl', 'standard'),
+    'SecureMemory': ('os_unix', 'os_windows'),
+    'lock_file': ('os_unix', 'os_windows'),
+    'timeout': ('os_unix', 'standard'),
 }
 
 available_backends = ()
 
@@ -1,9 +1,13 @@
 import ctypes
 from ctypes.util import find_library
+from ctypes import c_void_p, c_size_t, c_int
 import sys
 import os
 import errno
 import resource
+import fcntl
+import signal
+from contextlib import contextmanager
 
 libc = ctypes.CDLL(find_library("c"), use_errno=True)
 
@@ -14,12 +18,19 @@ def memory_lock(addr, len):
     Encountering error while locking memory is not considered fatal,
     no exception is raised.
 
+    The memory page is locked until the process terminates.
+    We cannot pair mlock/munlock safely without additional page management.
+    From linux' mlock(2):
+    > Memory locks do not stack, that is, pages which have been locked several times
+    > by calls to mlock() or mlockall() will be unlocked by a single call to munlock()
+    > for the corresponding range.
+
     """
     # Set MEMLOCK soft limit to maximum
     limits = resource.getrlimit(resource.RLIMIT_MEMLOCK)
     resource.setrlimit(resource.RLIMIT_MEMLOCK, (limits[1], limits[1]))
     try:
-        rc = libc.mlock(ctypes.c_void_p(addr), len)
+        rc = libc.mlock(c_void_p(addr), c_size_t(len))
     except OSError as e:
         print("Warning: Unable to lock memory.", str(e))
         return
@@ -33,20 +44,9 @@ def memory_lock(addr, len):
             print("Error (mlock):", errno.errorcode[err], os.strerror(err))
 
 
-def memory_unlock(addr, len):
-    try:
-        rc = libc.munlock(ctypes.c_void_p(addr), len)
-    except OSError as e:
-        print("Warning: Unable to unlock memory.", str(e))
-        return
-    if rc == -1:  # pragma: no cover
-        err = ctypes.get_errno()
-        print("Error (munlock):", errno.errorcode[err], os.strerror(err))
-
-
 def memory_clear(addr, len):
     try:
-        rc = libc.memset(ctypes.c_void_p(addr), 0, len)
+        rc = libc.memset(c_void_p(addr), c_int(0), c_size_t(len))
     except OSError as e:
         print("Warning: Unable to clear memory.", str(e))
         return
@@ -60,7 +60,7 @@ class SecureMemory:
     """Memlock the memory (do not allow swap).
 
     Zero the memory in deleter. This is a little hacky,
-    it depends on CPython and it's bytes object implementation.
+    it depends on CPython and its bytes object implementation.
 
     """
 
@@ -77,7 +77,6 @@ def __del__(self):
         # CPython assumption:
         # bytes object has header, followed by data and 1 byte terminator
         memory_clear(addr + (brutto - netto - 1), netto)
-        memory_unlock(addr, brutto)
 
     def __bytes__(self):
         return self._data
@@ -86,6 +85,23 @@ def __eq__(self, other):
         return self._data == bytes(other)
 
 
+def lock_file(fileobj):
+    fcntl.lockf(fileobj.fileno(), fcntl.LOCK_EX | fcntl.LOCK_NB)
+
+
+@contextmanager
+def timeout(secs: int, handler):
+    def sigalrm_handler(_signum, _frame):
+        handler()
+    orig_handler = signal.signal(signal.SIGALRM, sigalrm_handler)
+    signal.alarm(int(secs))
+    try:
+        yield
+    finally:
+        signal.alarm(0)
+        signal.signal(signal.SIGALRM, orig_handler)
+
+
 if __name__ == '__main__':
     def self_test():
         b = b"sensitive data"
Original file line number	Diff line number	Diff line change
`@@ -1,2 +1,2 @@`
`1`		`-__all__ = ('envelope', 'envelope_gpg', 'fileformat', 'keybox', 'main', 'memory', 'pwgen',`
	`1`	`+__all__ = ('datasafe', 'envelope', 'envelope_gpg', 'fileformat', 'keybox', 'main', 'pwgen',`
`2`	`2`	`'record', 'shell', 'stringutil', 'ui')`