├── .github └── workflows │ └── shellcheck.yml ├── .gitignore ├── 1pass ├── 1pass.el ├── LICENSE ├── README.md ├── bash_completion.sh ├── config.sample ├── fuzzpass.fish └── fuzzpass.sh /.github/workflows/shellcheck.yml: -------------------------------------------------------------------------------- 1 | # check with Shellcheck (https://www.shellcheck.net/) linter 2 | # 3 | 4 | name: shellcheck 5 | 6 | on: push 7 | 8 | jobs: 9 | shellcheck: 10 | name: Shellcheck 11 | runs-on: ubuntu-latest 12 | 13 | steps: 14 | - name: checkout code 15 | uses: actions/checkout@v2 16 | 17 | - name: Run ShellCheck 18 | uses: ludeeus/action-shellcheck@master 19 | env: 20 | SHELLCHECK_OPTS: -x 21 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | *~ 2 | .DS_Store 3 | -------------------------------------------------------------------------------- /1pass: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env bash 2 | # 3 | # 1pass -- a simple caching wrapper for the "op" 1Password CLI. 4 | # 5 | # Copyright (C) 2017 David Creemer, (twitter: @dcreemer) 6 | # 7 | # This program is free software: you can redistribute it and/or modify 8 | # it under the terms of the GNU General Public License as published by 9 | # the Free Software Foundation, either version 3 of the License, or 10 | # (at your option) any later version. 11 | # 12 | # This program is distributed in the hope that it will be useful, 13 | # but WITHOUT ANY WARRANTY; without even the implied warranty of 14 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 15 | # GNU General Public License for more details. 16 | # 17 | # You should have received a copy of the GNU General Public License 18 | # along with this program. If not, see . 19 | # 20 | 21 | set -e 22 | set -o pipefail 23 | 24 | VERSION="1.6.1" 25 | 26 | if [ "$XDG_CONFIG_HOME" != "" ] && [ ! -d "${HOME}/.1pass" ]; then 27 | op_dir="${XDG_CONFIG_HOME}/1pass" 28 | else 29 | op_dir=${HOME}/.1pass 30 | fi 31 | 32 | if [ "$XDG_CACHE_HOME" != "" ] && [ ! -d "${op_dir}/cache" ]; then 33 | cache_dir="${XDG_CACHE_HOME}/1pass" 34 | else 35 | cache_dir=${op_dir}/cache 36 | fi 37 | 38 | os=$(uname) 39 | 40 | # check for bare -V/version request first: 41 | if [ $# -eq 1 ] && [ "$1" == "-V" ]; then 42 | echo "${VERSION}" 43 | exit 0 44 | fi 45 | 46 | # Try to find the GPG executable 47 | if [ -z "$GPG" ]; then 48 | # Default to gpg, but prefer what gpgconf says 49 | GPG="gpg" 50 | if command -v gpgconf >/dev/null 2>&1; then 51 | GPG="$( gpgconf | awk -F: '/^gpg:/ { print $NF }' )" 52 | fi 53 | fi 54 | 55 | # test setup: 56 | if [ ! -d "$op_dir" ] || [ ! -r "${op_dir}/config" ]; then 57 | mkdir -p "$cache_dir" 58 | cat > "${op_dir}/config" < ${master}" 119 | exit 1 120 | fi 121 | 122 | if [ ! -r "${secret}" ]; then 123 | echo "please put your ${domain} secret key into ${secret}" 124 | echo "ex: echo \"A3-XXXXXX-XXXXXX-XXXXX-XXXXX-XXXXX-XXXXX\" | $GPG -er $email > ${secret}" 125 | exit 1 126 | fi 127 | 128 | if [ "${use_totp}" == "1" ] && [ ! -r "${totp}" ]; then 129 | echo "please put your ${domain} totp secret into ${totp}" 130 | echo "ex: echo \"XXXXXXXXXXXXXXXX\" | $GPG -er $email > ${totp}" 131 | exit 1 132 | fi 133 | 134 | index=${cache_dir}/_index.gpg 135 | session=${cache_dir}/_session.gpg 136 | token="" 137 | get_result="" 138 | OPTIND=1 139 | refresh=0 140 | verbose=0 141 | print_output=0 142 | clip_time=30 143 | OP_SESSION_NAME=$(echo "$domain" | cut -f1 -d'.' | tr '-' '_') 144 | list_fields=0 145 | OPBIN="op1" 146 | 147 | usage() 148 | { 149 | cat <|- []] 151 | 152 | -f Forget GPG key from gpg-agent, and remove local session 153 | -h Help 154 | -p Print the 1pass output to stdout, rather than copying to the clipboard 155 | -l List all the known fields for the specified item 156 | -r Refresh all appropriate data from 1password.com, ignoring local cache 157 | -v Verbose output 158 | -V Print 1pass version and exit 159 | 160 | With no arguments, prints a list of all Logins and Passwords in all 1Password vaults. 161 | 162 | With a single argument, fetches the Item (Login, Password, or TOTP) matching the 163 | given name, and copies the resulting password to the clipboard. If "-" is supplied 164 | for , the item is read from stdin. 165 | 166 | With two arguments, fetches the specified field (e.g.) "username" from the named 167 | item, and copies the results to the clipboard. 168 | USAGE 169 | } 170 | 171 | sanity_check() 172 | { 173 | programs=("$OPBIN" jq "$GPG" expect) 174 | 175 | if [ "$use_totp" == "1" ]; then 176 | programs+=(oathtool) 177 | fi 178 | if [ "$os" == "Linux" ] || [ "$os" == "FreeBSD" ]; then 179 | if [ "$XDG_SESSION_TYPE" == "wayland" ]; then 180 | programs+=(wl-copy) 181 | else 182 | programs+=(xclip) 183 | fi 184 | fi 185 | 186 | for cmd in "${programs[@]}" 187 | do 188 | if [ $verbose -eq 1 ]; then 189 | echo "checking for $cmd" 1>&2 190 | fi 191 | if ! command -v "$cmd" > /dev/null; then 192 | echo "Cannot find the '$cmd' command. Please make sure it is installed" 1>&2 193 | exit 1 194 | fi 195 | done 196 | 197 | opversion=$("$OPBIN" --version) 198 | if [ "${opversion:0:1}" -gt 1 ]; then 199 | echo "Only 1Password CLI version 1 is supported (found $opversion)" 1>&2 200 | exit 1 201 | fi 202 | } 203 | 204 | signin() 205 | { 206 | local pw 207 | pw=$("$GPG" -d -q "$master") 208 | local se 209 | se=$("$GPG" -d -q "$secret") 210 | if [ "${use_totp}" == "1" ]; then 211 | local ot 212 | totp=$("$GPG" -d -q "$totp") 213 | ot=$(oathtool -b --totp "$totp") 214 | fi 215 | if [ $verbose -eq 1 ]; then 216 | echo "signing in to ${domain} $email" 1>&2 217 | fi 218 | local script 219 | if [ "${use_totp}" == "0" ]; then 220 | script=" 221 | spawn ${OPBIN} signin ${domain} ${email} ${se} 222 | expect \"${domain}:\" 223 | send \"${pw}\n\" 224 | expect { 225 | \"Enter your six-digit authentication code:\" { 226 | puts -nonewline stderr \"Enter your six-digit authentication code: \" 227 | flush stderr 228 | interact -o \"\r\" return 229 | puts stderr \"\" 230 | exp_continue 231 | } 232 | eof 233 | } 234 | " 235 | else 236 | local script=" 237 | spawn ${OPBIN} signin ${domain} ${email} ${se} 238 | expect \"${domain}:\" 239 | send \"${pw}\n\" 240 | expect { 241 | \"Enter your six-digit authentication code:\" { 242 | flush stderr 243 | send -- \"$ot\r\" 244 | puts stderr \"\" 245 | exp_continue 246 | } 247 | eof 248 | } 249 | " 250 | fi 251 | local output0 252 | output0=$(expect -c "${script}") 253 | local output 254 | output=$(echo "${output0}" | grep "export" || echo -n "_fail_") 255 | if [ "$output" == "_fail_" ]; then 256 | echo "1pass failed to signin to ${domain}" 257 | exit 1 258 | fi 259 | # extract token from 'export OP_SESSION_domain="asdsad"' 260 | local token 261 | token=$(expr "${output}" : '.*="\(.*\)"') 262 | echo -n "${token}" | "$GPG" -qe --batch -r "$self_key" > "$session" 263 | } 264 | 265 | init_session() 266 | { 267 | if [ "${token}" != "" ]; then 268 | # already have token 269 | return 270 | fi 271 | # test for stale session 272 | if [ ! -r "$session" ] || [ ! "$(find "$session" -mmin -29)" ] || [ $refresh -eq 1 ]; then 273 | signin 274 | else 275 | if [ $verbose -eq 1 ]; then 276 | echo "using existing session token" 1>&2 277 | fi 278 | fi 279 | token=$("$GPG" -d -q "$session") 280 | touch "$session" 281 | } 282 | 283 | forget_session() 284 | { 285 | unset "$OP_SESSION_NAME" 286 | rm -f "$session" 287 | gpgconf --kill gpg-agent 288 | echo "cleared local session" 289 | } 290 | 291 | # 292 | # fetch the index of all items from the net, and cache 293 | # 294 | fetch_index() 295 | { 296 | init_session 297 | if [ $verbose -eq 1 ]; then 298 | echo "fetching index of all items" 1>&2 299 | fi 300 | local items 301 | items=$("$OPBIN" list items --session="${token}" || echo -n "_fail_") 302 | if [ "$items" == "_fail_" ]; then 303 | echo "1pass: failed to fetch index of all items" 304 | exit 1 305 | fi 306 | # backup current index 307 | if [ -r "$index" ]; then 308 | cp -a "$index" "${index}.bak" 309 | fi 310 | echo -n "${items}" | "$GPG" -qe --batch -r "$self_key" > "$index" 311 | } 312 | 313 | # 314 | # fetch an item from the net by uuid and cache it locally 315 | # 316 | fetch_item() 317 | { 318 | local uuid=$1 319 | init_session 320 | if [ $verbose -eq 1 ]; then 321 | echo "fetching item $uuid" 1>&2 322 | fi 323 | local item 324 | item=$("$OPBIN" get item "$uuid" --session="$token" || echo -n "_fail_") 325 | if [ "$item" == "_fail_" ]; then 326 | echo "1pass: failed to fetch item $uuid" 327 | exit 1 328 | fi 329 | echo -n "${item}" | "$GPG" -qe --batch -r "$self_key" > "${cache_dir}/${uuid}.gpg" 330 | } 331 | 332 | # 333 | # list the titles of all items in the index 334 | # 335 | list_items() 336 | { 337 | if [ ! -r "$index" ] || [ $refresh -eq 1 ]; then 338 | fetch_index 339 | fi 340 | "$GPG" -qd "$index" | jq -r ".[].overview.title" | LC_ALL="C" bash -c 'sort -bf' 341 | } 342 | 343 | # 344 | # ensure we have the local gpg encoded file of the item given by the uuid 345 | # 346 | ensure_item() 347 | { 348 | local uuid=$1 349 | local file=${cache_dir}/${uuid}.gpg 350 | if [ ! -r "$file" ] || [ $refresh -eq 1 ]; then 351 | fetch_item "$uuid" 352 | fi 353 | } 354 | 355 | # 356 | # fetch a field from template 001 ("Login") 357 | # 358 | get_001() 359 | { 360 | local uuid=$1 361 | local field=${2/"DEFAULT"/"password"} 362 | local q="" 363 | if [ "$field" == "username" ] || [ "$field" == "password" ]; then 364 | q=".details.fields[] | select(.designation==\"${field}\").value" 365 | else 366 | q=".details.sections[] | select(.fields).fields[] | select(.t==\"${field}\").v" 367 | fi 368 | ensure_item "$uuid" 369 | get_result=$("$GPG" -qd "${cache_dir}/${uuid}.gpg" | jq -r "${q}" || echo -n "_fail_") 370 | } 371 | 372 | # 373 | # fetch a field from template 005 ("Password") 374 | # 375 | get_005() 376 | { 377 | local uuid=$1 378 | local field=${2/"DEFAULT"/"password"} 379 | local q="" 380 | if [ "$field" == "password" ]; then 381 | q=".details.${field}" 382 | else 383 | q=".details.sections[] | select(.fields).fields[] | select(.t==\"${field}\").v" 384 | fi 385 | ensure_item "$uuid" 386 | get_result=$("$GPG" -qd "${cache_dir}/${uuid}.gpg" | jq -r "${q}" || echo -n "_fail_") 387 | } 388 | 389 | # 390 | # fetch a field from template 003 ("Secure Note / notesPlain") 391 | # 392 | get_003() 393 | { 394 | local uuid=$1 395 | local field=${2/"DEFAULT"/"notes"} 396 | if [ "$field" == "notes" ]; then 397 | # notes feels more natural than notesPlain 398 | q=".details.notesPlain" 399 | else 400 | q=".details.sections[] | select(.fields).fields[] | select(.t==\"${field}\").v" 401 | fi 402 | 403 | ensure_item "$uuid" 404 | 405 | get_result=$("$GPG" -qd "${cache_dir}/${uuid}.gpg" | jq -r "${q}" || echo -n "_fail_") 406 | } 407 | 408 | # 409 | # fetch a field from template 110 ("Server") 410 | # 411 | get_110() 412 | { 413 | local uuid=$1 414 | local field=${2/"DEFAULT"/"password"} 415 | local q=".details.sections[] | select(.fields).fields[] | select(.t==\"${field}\").v" 416 | 417 | ensure_item "$uuid" 418 | 419 | get_result=$("$GPG" -qd "${cache_dir}/${uuid}.gpg" | jq -r "${q}" || echo -n "_fail_") 420 | } 421 | 422 | # 423 | # fetch the list of fields from template 001 ("Login") 424 | # 425 | get_fields_001() 426 | { 427 | _get_fields_template "$1" "username" "password" 428 | } 429 | 430 | # 431 | # fetch the list of fields from template 003 ("Secure Note") 432 | # 433 | get_fields_003() 434 | { 435 | _get_fields_template "$1" "notes" 436 | } 437 | 438 | # 439 | # fetch the list of fields from template 005 ("Password") 440 | # 441 | get_fields_005() 442 | { 443 | _get_fields_template "$1" "password" 444 | } 445 | 446 | # 447 | # fetch the list of fields from template 110 ("Server") 448 | # 449 | get_fields_110() 450 | { 451 | _get_fields_template "$1" 452 | } 453 | 454 | _get_fields_template() 455 | { 456 | local uuid=$1 457 | shift 458 | local q='.details.sections[] | select(.fields).fields[] | select(.t!="").t' 459 | local fields=("${@}") 460 | ensure_item "$uuid" 461 | while read -r f; do 462 | fields+=("$f") 463 | done < <("$GPG" -qd "${cache_dir}/${uuid}.gpg" | jq -r "${q}" || echo -n "_fail_") 464 | get_result=$(_join_by $'\n' "${fields[@]}") 465 | } 466 | 467 | function _join_by { local IFS="$1"; shift; echo "$*"; } 468 | 469 | # 470 | # fetch a TOTP value for the given item 471 | # 472 | get_totp() 473 | { 474 | # Make sure we have a current and valid session and then get the UUID 475 | init_session 476 | if [ ! -r "$index" ] || [ $refresh -eq 1 ]; then 477 | fetch_index 478 | fi 479 | local title 480 | title="${1}" 481 | if [ "$title" == "-" ]; then 482 | # read title from stdin. turn off error propogation to handle EOF as well as NL 483 | set +e 484 | read -r title 485 | set -e 486 | fi 487 | 488 | local uuid 489 | uuid=$("$GPG" -qd "$index" | jq -r ".[] | select(.overview.title==\"$title\").uuid") 490 | # Fetch the TOTP 491 | if [ $verbose -eq 1 ]; then 492 | echo "fetching TOTP for $uuid" 1>&2 493 | fi 494 | local totp 495 | totp=$("$OPBIN" get totp "$uuid" --session="$token" || echo -n "_fail_") 496 | if [ "$item" == "_fail_" ]; then 497 | echo "1pass: failed to fetch TOTP for $uuid" 498 | exit 1 499 | fi 500 | if [ $? ]; then 501 | get_result="${totp}" 502 | output_result 503 | fi 504 | } 505 | 506 | output_result() 507 | { 508 | if [ $print_output -eq 1 ]; then 509 | echo "${get_result}" 510 | else 511 | local pbcopy 512 | pbcopy=pbcopy 513 | if [ "$os" == "Linux" ] || [ "$os" == "FreeBSD" ]; then 514 | if [ "$XDG_SESSION_TYPE" == "wayland" ]; then 515 | pbcopy="wl-copy" 516 | else 517 | pbcopy="xclip -selection clipboard" 518 | fi 519 | fi 520 | echo -n "${get_result}" | $pbcopy 521 | # sleep and reset clipboard 522 | local sleep_argv0 523 | sleep_argv0="1pass sleep for user $(id -u)" 524 | pkill -f "^$sleep_argv0" 2>/dev/null && sleep 0.5 525 | ( 526 | ( exec -a "$sleep_argv0" sleep "$clip_time" ) 527 | echo -n "CLEAR" | $pbcopy 528 | ) 2>/dev/null & disown 529 | fi 530 | } 531 | 532 | get_by_title() 533 | { 534 | _get_by "get_" "${@}" 535 | } 536 | 537 | get_fields_by_title() 538 | { 539 | _get_by "get_fields_" "${@}" 540 | } 541 | 542 | _get_by() 543 | { 544 | local func=$1 545 | local title=$2 546 | local field=$3 547 | if [ "$title" == "-" ]; then 548 | # read title from stdin. turn off error propogation to handle EOF as well as NL 549 | set +e 550 | read -r title 551 | set -e 552 | fi 553 | if [ ! -r "$index" ] || [ $refresh -eq 1 ]; then 554 | fetch_index 555 | fi 556 | # read both uuid and templateUuid. Complicated call is so that we only call GPG once 557 | q=".[] | select(.overview.title==\"${title}\").uuid + \":\" + select(.overview.title==\"${title}\").templateUuid" 558 | IFS=':' read -r uuid tid <<< "$("$GPG" -qd "$index" | jq -r "${q}")" 559 | if [ "$tid" != "" ]; then 560 | "${func}${tid}" "$uuid" "$field" 561 | if [ $? ]; then 562 | output_result 563 | fi 564 | fi 565 | } 566 | 567 | while getopts "f?h?p?l?r?v?:" opt; do 568 | case $opt in 569 | h) 570 | usage 571 | exit 0 572 | ;; 573 | f) 574 | forget_session 575 | exit 0 576 | ;; 577 | p) 578 | print_output=1 579 | ;; 580 | l) 581 | print_output=1 582 | list_fields=1 583 | ;; 584 | r) 585 | refresh=1 586 | ;; 587 | v) 588 | verbose=1 589 | ;; 590 | \?) 591 | echo "Invalid option: -$OPTARG" >&2 592 | ;; 593 | esac 594 | done 595 | 596 | shift $((OPTIND-1)) 597 | 598 | sanity_check 599 | 600 | if [ $# -eq 0 ]; then 601 | list_items 602 | elif [ $# -eq 1 ]; then 603 | if [[ $list_fields -eq 1 ]]; then 604 | get_fields_by_title "$1" 605 | else 606 | get_by_title "$1" DEFAULT 607 | fi 608 | elif [ $# -eq 2 ]; then 609 | case "$2" in 610 | totp ) get_totp "$1" ;; 611 | * ) get_by_title "$1" "$2" ;; 612 | esac 613 | fi 614 | -------------------------------------------------------------------------------- /1pass.el: -------------------------------------------------------------------------------- 1 | ;;; 1pass.el -- tiny wrapper to get usernames & passwords from 1pass 2 | ;; 3 | ;; Copyright (C) 2017 David Creemer, (twitter: @dcreemer) 4 | ;; 5 | ;; This program is free software: you can redistribute it and/or modify 6 | ;; it under the terms of the GNU General Public License as published by 7 | ;; the Free Software Foundation, either version 3 of the License, or 8 | ;; (at your option) any later version. 9 | ;; 10 | ;; This program is distributed in the hope that it will be useful, 11 | ;; but WITHOUT ANY WARRANTY; without even the implied warranty of 12 | ;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 13 | ;; GNU General Public License for more details. 14 | ;; 15 | ;; You should have received a copy of the GNU General Public License 16 | ;; along with this program. If not, see . 17 | ;; 18 | 19 | ;;; Commentary: 20 | ;; 21 | ;; Thin wrapper around the 1pass CLI utility. It is likely that bugs will be 22 | ;; found, so please report any findings as issues or pull requests here: 23 | ;; https://github.com/dcreemer/1pass 24 | 25 | ;;; Code: 26 | (require 's) 27 | 28 | (defvar 1pass-cli-executable 29 | (executable-find "1pass") 30 | "Path to the 1pass executable.") 31 | 32 | ;; private helpers 33 | (defun 1pass--cli-run (item field) 34 | "Call 1pass with given ITEM and FIELD." 35 | (with-temp-buffer 36 | (let* ((exit-code 37 | (apply #'call-process 38 | (list 1pass-cli-executable nil t nil "-p" item field)))) 39 | (if (zerop exit-code) 40 | (s-chomp (buffer-string)) 41 | (error (s-chomp (buffer-string))))))) 42 | 43 | ;; public API 44 | (defun 1pass-field-for (item field) 45 | "Lookup ITEM in 1pass and return the data from the given FIELD, if any." 46 | (1pass--cli-run item field)) 47 | 48 | (defun 1pass-password-for (item) 49 | "Lookup ITEM in 1pass and return the password, if any." 50 | (1pass--cli-run item "password")) 51 | 52 | (defun 1pass-username-for (item) 53 | "Lookup ITEM in 1pass and return the username, if any." 54 | (1pass--cli-run item "username")) 55 | 56 | ;; deprecated API: 57 | (define-obsolete-function-alias '1pass--item-field '1pass-field-for) 58 | (define-obsolete-function-alias '1pass--item-password '1pass-password-for) 59 | (define-obsolete-function-alias '1pass--item-username '1pass-username-for) 60 | 61 | (provide '1pass) 62 | 63 | ;;; 1pass.el ends here 64 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | GNU GENERAL PUBLIC LICENSE 2 | Version 3, 29 June 2007 3 | 4 | Copyright (C) 2007 Free Software Foundation, Inc. 5 | Everyone is permitted to copy and distribute verbatim copies 6 | of this license document, but changing it is not allowed. 7 | 8 | Preamble 9 | 10 | The GNU General Public License is a free, copyleft license for 11 | software and other kinds of works. 12 | 13 | The licenses for most software and other practical works are designed 14 | to take away your freedom to share and change the works. By contrast, 15 | the GNU General Public License is intended to guarantee your freedom to 16 | share and change all versions of a program--to make sure it remains free 17 | software for all its users. We, the Free Software Foundation, use the 18 | GNU General Public License for most of our software; it applies also to 19 | any other work released this way by its authors. You can apply it to 20 | your programs, too. 21 | 22 | When we speak of free software, we are referring to freedom, not 23 | price. Our General Public Licenses are designed to make sure that you 24 | have the freedom to distribute copies of free software (and charge for 25 | them if you wish), that you receive source code or can get it if you 26 | want it, that you can change the software or use pieces of it in new 27 | free programs, and that you know you can do these things. 28 | 29 | To protect your rights, we need to prevent others from denying you 30 | these rights or asking you to surrender the rights. Therefore, you have 31 | certain responsibilities if you distribute copies of the software, or if 32 | you modify it: responsibilities to respect the freedom of others. 33 | 34 | For example, if you distribute copies of such a program, whether 35 | gratis or for a fee, you must pass on to the recipients the same 36 | freedoms that you received. You must make sure that they, too, receive 37 | or can get the source code. And you must show them these terms so they 38 | know their rights. 39 | 40 | Developers that use the GNU GPL protect your rights with two steps: 41 | (1) assert copyright on the software, and (2) offer you this License 42 | giving you legal permission to copy, distribute and/or modify it. 43 | 44 | For the developers' and authors' protection, the GPL clearly explains 45 | that there is no warranty for this free software. For both users' and 46 | authors' sake, the GPL requires that modified versions be marked as 47 | changed, so that their problems will not be attributed erroneously to 48 | authors of previous versions. 49 | 50 | Some devices are designed to deny users access to install or run 51 | modified versions of the software inside them, although the manufacturer 52 | can do so. This is fundamentally incompatible with the aim of 53 | protecting users' freedom to change the software. The systematic 54 | pattern of such abuse occurs in the area of products for individuals to 55 | use, which is precisely where it is most unacceptable. Therefore, we 56 | have designed this version of the GPL to prohibit the practice for those 57 | products. If such problems arise substantially in other domains, we 58 | stand ready to extend this provision to those domains in future versions 59 | of the GPL, as needed to protect the freedom of users. 60 | 61 | Finally, every program is threatened constantly by software patents. 62 | States should not allow patents to restrict development and use of 63 | software on general-purpose computers, but in those that do, we wish to 64 | avoid the special danger that patents applied to a free program could 65 | make it effectively proprietary. To prevent this, the GPL assures that 66 | patents cannot be used to render the program non-free. 67 | 68 | The precise terms and conditions for copying, distribution and 69 | modification follow. 70 | 71 | TERMS AND CONDITIONS 72 | 73 | 0. Definitions. 74 | 75 | "This License" refers to version 3 of the GNU General Public License. 76 | 77 | "Copyright" also means copyright-like laws that apply to other kinds of 78 | works, such as semiconductor masks. 79 | 80 | "The Program" refers to any copyrightable work licensed under this 81 | License. Each licensee is addressed as "you". "Licensees" and 82 | "recipients" may be individuals or organizations. 83 | 84 | To "modify" a work means to copy from or adapt all or part of the work 85 | in a fashion requiring copyright permission, other than the making of an 86 | exact copy. The resulting work is called a "modified version" of the 87 | earlier work or a work "based on" the earlier work. 88 | 89 | A "covered work" means either the unmodified Program or a work based 90 | on the Program. 91 | 92 | To "propagate" a work means to do anything with it that, without 93 | permission, would make you directly or secondarily liable for 94 | infringement under applicable copyright law, except executing it on a 95 | computer or modifying a private copy. Propagation includes copying, 96 | distribution (with or without modification), making available to the 97 | public, and in some countries other activities as well. 98 | 99 | To "convey" a work means any kind of propagation that enables other 100 | parties to make or receive copies. Mere interaction with a user through 101 | a computer network, with no transfer of a copy, is not conveying. 102 | 103 | An interactive user interface displays "Appropriate Legal Notices" 104 | to the extent that it includes a convenient and prominently visible 105 | feature that (1) displays an appropriate copyright notice, and (2) 106 | tells the user that there is no warranty for the work (except to the 107 | extent that warranties are provided), that licensees may convey the 108 | work under this License, and how to view a copy of this License. If 109 | the interface presents a list of user commands or options, such as a 110 | menu, a prominent item in the list meets this criterion. 111 | 112 | 1. Source Code. 113 | 114 | The "source code" for a work means the preferred form of the work 115 | for making modifications to it. "Object code" means any non-source 116 | form of a work. 117 | 118 | A "Standard Interface" means an interface that either is an official 119 | standard defined by a recognized standards body, or, in the case of 120 | interfaces specified for a particular programming language, one that 121 | is widely used among developers working in that language. 122 | 123 | The "System Libraries" of an executable work include anything, other 124 | than the work as a whole, that (a) is included in the normal form of 125 | packaging a Major Component, but which is not part of that Major 126 | Component, and (b) serves only to enable use of the work with that 127 | Major Component, or to implement a Standard Interface for which an 128 | implementation is available to the public in source code form. A 129 | "Major Component", in this context, means a major essential component 130 | (kernel, window system, and so on) of the specific operating system 131 | (if any) on which the executable work runs, or a compiler used to 132 | produce the work, or an object code interpreter used to run it. 133 | 134 | The "Corresponding Source" for a work in object code form means all 135 | the source code needed to generate, install, and (for an executable 136 | work) run the object code and to modify the work, including scripts to 137 | control those activities. However, it does not include the work's 138 | System Libraries, or general-purpose tools or generally available free 139 | programs which are used unmodified in performing those activities but 140 | which are not part of the work. For example, Corresponding Source 141 | includes interface definition files associated with source files for 142 | the work, and the source code for shared libraries and dynamically 143 | linked subprograms that the work is specifically designed to require, 144 | such as by intimate data communication or control flow between those 145 | subprograms and other parts of the work. 146 | 147 | The Corresponding Source need not include anything that users 148 | can regenerate automatically from other parts of the Corresponding 149 | Source. 150 | 151 | The Corresponding Source for a work in source code form is that 152 | same work. 153 | 154 | 2. Basic Permissions. 155 | 156 | All rights granted under this License are granted for the term of 157 | copyright on the Program, and are irrevocable provided the stated 158 | conditions are met. This License explicitly affirms your unlimited 159 | permission to run the unmodified Program. The output from running a 160 | covered work is covered by this License only if the output, given its 161 | content, constitutes a covered work. This License acknowledges your 162 | rights of fair use or other equivalent, as provided by copyright law. 163 | 164 | You may make, run and propagate covered works that you do not 165 | convey, without conditions so long as your license otherwise remains 166 | in force. You may convey covered works to others for the sole purpose 167 | of having them make modifications exclusively for you, or provide you 168 | with facilities for running those works, provided that you comply with 169 | the terms of this License in conveying all material for which you do 170 | not control copyright. Those thus making or running the covered works 171 | for you must do so exclusively on your behalf, under your direction 172 | and control, on terms that prohibit them from making any copies of 173 | your copyrighted material outside their relationship with you. 174 | 175 | Conveying under any other circumstances is permitted solely under 176 | the conditions stated below. Sublicensing is not allowed; section 10 177 | makes it unnecessary. 178 | 179 | 3. Protecting Users' Legal Rights From Anti-Circumvention Law. 180 | 181 | No covered work shall be deemed part of an effective technological 182 | measure under any applicable law fulfilling obligations under article 183 | 11 of the WIPO copyright treaty adopted on 20 December 1996, or 184 | similar laws prohibiting or restricting circumvention of such 185 | measures. 186 | 187 | When you convey a covered work, you waive any legal power to forbid 188 | circumvention of technological measures to the extent such circumvention 189 | is effected by exercising rights under this License with respect to 190 | the covered work, and you disclaim any intention to limit operation or 191 | modification of the work as a means of enforcing, against the work's 192 | users, your or third parties' legal rights to forbid circumvention of 193 | technological measures. 194 | 195 | 4. Conveying Verbatim Copies. 196 | 197 | You may convey verbatim copies of the Program's source code as you 198 | receive it, in any medium, provided that you conspicuously and 199 | appropriately publish on each copy an appropriate copyright notice; 200 | keep intact all notices stating that this License and any 201 | non-permissive terms added in accord with section 7 apply to the code; 202 | keep intact all notices of the absence of any warranty; and give all 203 | recipients a copy of this License along with the Program. 204 | 205 | You may charge any price or no price for each copy that you convey, 206 | and you may offer support or warranty protection for a fee. 207 | 208 | 5. Conveying Modified Source Versions. 209 | 210 | You may convey a work based on the Program, or the modifications to 211 | produce it from the Program, in the form of source code under the 212 | terms of section 4, provided that you also meet all of these conditions: 213 | 214 | a) The work must carry prominent notices stating that you modified 215 | it, and giving a relevant date. 216 | 217 | b) The work must carry prominent notices stating that it is 218 | released under this License and any conditions added under section 219 | 7. This requirement modifies the requirement in section 4 to 220 | "keep intact all notices". 221 | 222 | c) You must license the entire work, as a whole, under this 223 | License to anyone who comes into possession of a copy. This 224 | License will therefore apply, along with any applicable section 7 225 | additional terms, to the whole of the work, and all its parts, 226 | regardless of how they are packaged. This License gives no 227 | permission to license the work in any other way, but it does not 228 | invalidate such permission if you have separately received it. 229 | 230 | d) If the work has interactive user interfaces, each must display 231 | Appropriate Legal Notices; however, if the Program has interactive 232 | interfaces that do not display Appropriate Legal Notices, your 233 | work need not make them do so. 234 | 235 | A compilation of a covered work with other separate and independent 236 | works, which are not by their nature extensions of the covered work, 237 | and which are not combined with it such as to form a larger program, 238 | in or on a volume of a storage or distribution medium, is called an 239 | "aggregate" if the compilation and its resulting copyright are not 240 | used to limit the access or legal rights of the compilation's users 241 | beyond what the individual works permit. Inclusion of a covered work 242 | in an aggregate does not cause this License to apply to the other 243 | parts of the aggregate. 244 | 245 | 6. Conveying Non-Source Forms. 246 | 247 | You may convey a covered work in object code form under the terms 248 | of sections 4 and 5, provided that you also convey the 249 | machine-readable Corresponding Source under the terms of this License, 250 | in one of these ways: 251 | 252 | a) Convey the object code in, or embodied in, a physical product 253 | (including a physical distribution medium), accompanied by the 254 | Corresponding Source fixed on a durable physical medium 255 | customarily used for software interchange. 256 | 257 | b) Convey the object code in, or embodied in, a physical product 258 | (including a physical distribution medium), accompanied by a 259 | written offer, valid for at least three years and valid for as 260 | long as you offer spare parts or customer support for that product 261 | model, to give anyone who possesses the object code either (1) a 262 | copy of the Corresponding Source for all the software in the 263 | product that is covered by this License, on a durable physical 264 | medium customarily used for software interchange, for a price no 265 | more than your reasonable cost of physically performing this 266 | conveying of source, or (2) access to copy the 267 | Corresponding Source from a network server at no charge. 268 | 269 | c) Convey individual copies of the object code with a copy of the 270 | written offer to provide the Corresponding Source. This 271 | alternative is allowed only occasionally and noncommercially, and 272 | only if you received the object code with such an offer, in accord 273 | with subsection 6b. 274 | 275 | d) Convey the object code by offering access from a designated 276 | place (gratis or for a charge), and offer equivalent access to the 277 | Corresponding Source in the same way through the same place at no 278 | further charge. You need not require recipients to copy the 279 | Corresponding Source along with the object code. If the place to 280 | copy the object code is a network server, the Corresponding Source 281 | may be on a different server (operated by you or a third party) 282 | that supports equivalent copying facilities, provided you maintain 283 | clear directions next to the object code saying where to find the 284 | Corresponding Source. Regardless of what server hosts the 285 | Corresponding Source, you remain obligated to ensure that it is 286 | available for as long as needed to satisfy these requirements. 287 | 288 | e) Convey the object code using peer-to-peer transmission, provided 289 | you inform other peers where the object code and Corresponding 290 | Source of the work are being offered to the general public at no 291 | charge under subsection 6d. 292 | 293 | A separable portion of the object code, whose source code is excluded 294 | from the Corresponding Source as a System Library, need not be 295 | included in conveying the object code work. 296 | 297 | A "User Product" is either (1) a "consumer product", which means any 298 | tangible personal property which is normally used for personal, family, 299 | or household purposes, or (2) anything designed or sold for incorporation 300 | into a dwelling. In determining whether a product is a consumer product, 301 | doubtful cases shall be resolved in favor of coverage. For a particular 302 | product received by a particular user, "normally used" refers to a 303 | typical or common use of that class of product, regardless of the status 304 | of the particular user or of the way in which the particular user 305 | actually uses, or expects or is expected to use, the product. A product 306 | is a consumer product regardless of whether the product has substantial 307 | commercial, industrial or non-consumer uses, unless such uses represent 308 | the only significant mode of use of the product. 309 | 310 | "Installation Information" for a User Product means any methods, 311 | procedures, authorization keys, or other information required to install 312 | and execute modified versions of a covered work in that User Product from 313 | a modified version of its Corresponding Source. The information must 314 | suffice to ensure that the continued functioning of the modified object 315 | code is in no case prevented or interfered with solely because 316 | modification has been made. 317 | 318 | If you convey an object code work under this section in, or with, or 319 | specifically for use in, a User Product, and the conveying occurs as 320 | part of a transaction in which the right of possession and use of the 321 | User Product is transferred to the recipient in perpetuity or for a 322 | fixed term (regardless of how the transaction is characterized), the 323 | Corresponding Source conveyed under this section must be accompanied 324 | by the Installation Information. But this requirement does not apply 325 | if neither you nor any third party retains the ability to install 326 | modified object code on the User Product (for example, the work has 327 | been installed in ROM). 328 | 329 | The requirement to provide Installation Information does not include a 330 | requirement to continue to provide support service, warranty, or updates 331 | for a work that has been modified or installed by the recipient, or for 332 | the User Product in which it has been modified or installed. Access to a 333 | network may be denied when the modification itself materially and 334 | adversely affects the operation of the network or violates the rules and 335 | protocols for communication across the network. 336 | 337 | Corresponding Source conveyed, and Installation Information provided, 338 | in accord with this section must be in a format that is publicly 339 | documented (and with an implementation available to the public in 340 | source code form), and must require no special password or key for 341 | unpacking, reading or copying. 342 | 343 | 7. Additional Terms. 344 | 345 | "Additional permissions" are terms that supplement the terms of this 346 | License by making exceptions from one or more of its conditions. 347 | Additional permissions that are applicable to the entire Program shall 348 | be treated as though they were included in this License, to the extent 349 | that they are valid under applicable law. If additional permissions 350 | apply only to part of the Program, that part may be used separately 351 | under those permissions, but the entire Program remains governed by 352 | this License without regard to the additional permissions. 353 | 354 | When you convey a copy of a covered work, you may at your option 355 | remove any additional permissions from that copy, or from any part of 356 | it. (Additional permissions may be written to require their own 357 | removal in certain cases when you modify the work.) You may place 358 | additional permissions on material, added by you to a covered work, 359 | for which you have or can give appropriate copyright permission. 360 | 361 | Notwithstanding any other provision of this License, for material you 362 | add to a covered work, you may (if authorized by the copyright holders of 363 | that material) supplement the terms of this License with terms: 364 | 365 | a) Disclaiming warranty or limiting liability differently from the 366 | terms of sections 15 and 16 of this License; or 367 | 368 | b) Requiring preservation of specified reasonable legal notices or 369 | author attributions in that material or in the Appropriate Legal 370 | Notices displayed by works containing it; or 371 | 372 | c) Prohibiting misrepresentation of the origin of that material, or 373 | requiring that modified versions of such material be marked in 374 | reasonable ways as different from the original version; or 375 | 376 | d) Limiting the use for publicity purposes of names of licensors or 377 | authors of the material; or 378 | 379 | e) Declining to grant rights under trademark law for use of some 380 | trade names, trademarks, or service marks; or 381 | 382 | f) Requiring indemnification of licensors and authors of that 383 | material by anyone who conveys the material (or modified versions of 384 | it) with contractual assumptions of liability to the recipient, for 385 | any liability that these contractual assumptions directly impose on 386 | those licensors and authors. 387 | 388 | All other non-permissive additional terms are considered "further 389 | restrictions" within the meaning of section 10. If the Program as you 390 | received it, or any part of it, contains a notice stating that it is 391 | governed by this License along with a term that is a further 392 | restriction, you may remove that term. If a license document contains 393 | a further restriction but permits relicensing or conveying under this 394 | License, you may add to a covered work material governed by the terms 395 | of that license document, provided that the further restriction does 396 | not survive such relicensing or conveying. 397 | 398 | If you add terms to a covered work in accord with this section, you 399 | must place, in the relevant source files, a statement of the 400 | additional terms that apply to those files, or a notice indicating 401 | where to find the applicable terms. 402 | 403 | Additional terms, permissive or non-permissive, may be stated in the 404 | form of a separately written license, or stated as exceptions; 405 | the above requirements apply either way. 406 | 407 | 8. Termination. 408 | 409 | You may not propagate or modify a covered work except as expressly 410 | provided under this License. Any attempt otherwise to propagate or 411 | modify it is void, and will automatically terminate your rights under 412 | this License (including any patent licenses granted under the third 413 | paragraph of section 11). 414 | 415 | However, if you cease all violation of this License, then your 416 | license from a particular copyright holder is reinstated (a) 417 | provisionally, unless and until the copyright holder explicitly and 418 | finally terminates your license, and (b) permanently, if the copyright 419 | holder fails to notify you of the violation by some reasonable means 420 | prior to 60 days after the cessation. 421 | 422 | Moreover, your license from a particular copyright holder is 423 | reinstated permanently if the copyright holder notifies you of the 424 | violation by some reasonable means, this is the first time you have 425 | received notice of violation of this License (for any work) from that 426 | copyright holder, and you cure the violation prior to 30 days after 427 | your receipt of the notice. 428 | 429 | Termination of your rights under this section does not terminate the 430 | licenses of parties who have received copies or rights from you under 431 | this License. If your rights have been terminated and not permanently 432 | reinstated, you do not qualify to receive new licenses for the same 433 | material under section 10. 434 | 435 | 9. Acceptance Not Required for Having Copies. 436 | 437 | You are not required to accept this License in order to receive or 438 | run a copy of the Program. Ancillary propagation of a covered work 439 | occurring solely as a consequence of using peer-to-peer transmission 440 | to receive a copy likewise does not require acceptance. However, 441 | nothing other than this License grants you permission to propagate or 442 | modify any covered work. These actions infringe copyright if you do 443 | not accept this License. Therefore, by modifying or propagating a 444 | covered work, you indicate your acceptance of this License to do so. 445 | 446 | 10. Automatic Licensing of Downstream Recipients. 447 | 448 | Each time you convey a covered work, the recipient automatically 449 | receives a license from the original licensors, to run, modify and 450 | propagate that work, subject to this License. You are not responsible 451 | for enforcing compliance by third parties with this License. 452 | 453 | An "entity transaction" is a transaction transferring control of an 454 | organization, or substantially all assets of one, or subdividing an 455 | organization, or merging organizations. If propagation of a covered 456 | work results from an entity transaction, each party to that 457 | transaction who receives a copy of the work also receives whatever 458 | licenses to the work the party's predecessor in interest had or could 459 | give under the previous paragraph, plus a right to possession of the 460 | Corresponding Source of the work from the predecessor in interest, if 461 | the predecessor has it or can get it with reasonable efforts. 462 | 463 | You may not impose any further restrictions on the exercise of the 464 | rights granted or affirmed under this License. For example, you may 465 | not impose a license fee, royalty, or other charge for exercise of 466 | rights granted under this License, and you may not initiate litigation 467 | (including a cross-claim or counterclaim in a lawsuit) alleging that 468 | any patent claim is infringed by making, using, selling, offering for 469 | sale, or importing the Program or any portion of it. 470 | 471 | 11. Patents. 472 | 473 | A "contributor" is a copyright holder who authorizes use under this 474 | License of the Program or a work on which the Program is based. The 475 | work thus licensed is called the contributor's "contributor version". 476 | 477 | A contributor's "essential patent claims" are all patent claims 478 | owned or controlled by the contributor, whether already acquired or 479 | hereafter acquired, that would be infringed by some manner, permitted 480 | by this License, of making, using, or selling its contributor version, 481 | but do not include claims that would be infringed only as a 482 | consequence of further modification of the contributor version. For 483 | purposes of this definition, "control" includes the right to grant 484 | patent sublicenses in a manner consistent with the requirements of 485 | this License. 486 | 487 | Each contributor grants you a non-exclusive, worldwide, royalty-free 488 | patent license under the contributor's essential patent claims, to 489 | make, use, sell, offer for sale, import and otherwise run, modify and 490 | propagate the contents of its contributor version. 491 | 492 | In the following three paragraphs, a "patent license" is any express 493 | agreement or commitment, however denominated, not to enforce a patent 494 | (such as an express permission to practice a patent or covenant not to 495 | sue for patent infringement). To "grant" such a patent license to a 496 | party means to make such an agreement or commitment not to enforce a 497 | patent against the party. 498 | 499 | If you convey a covered work, knowingly relying on a patent license, 500 | and the Corresponding Source of the work is not available for anyone 501 | to copy, free of charge and under the terms of this License, through a 502 | publicly available network server or other readily accessible means, 503 | then you must either (1) cause the Corresponding Source to be so 504 | available, or (2) arrange to deprive yourself of the benefit of the 505 | patent license for this particular work, or (3) arrange, in a manner 506 | consistent with the requirements of this License, to extend the patent 507 | license to downstream recipients. "Knowingly relying" means you have 508 | actual knowledge that, but for the patent license, your conveying the 509 | covered work in a country, or your recipient's use of the covered work 510 | in a country, would infringe one or more identifiable patents in that 511 | country that you have reason to believe are valid. 512 | 513 | If, pursuant to or in connection with a single transaction or 514 | arrangement, you convey, or propagate by procuring conveyance of, a 515 | covered work, and grant a patent license to some of the parties 516 | receiving the covered work authorizing them to use, propagate, modify 517 | or convey a specific copy of the covered work, then the patent license 518 | you grant is automatically extended to all recipients of the covered 519 | work and works based on it. 520 | 521 | A patent license is "discriminatory" if it does not include within 522 | the scope of its coverage, prohibits the exercise of, or is 523 | conditioned on the non-exercise of one or more of the rights that are 524 | specifically granted under this License. You may not convey a covered 525 | work if you are a party to an arrangement with a third party that is 526 | in the business of distributing software, under which you make payment 527 | to the third party based on the extent of your activity of conveying 528 | the work, and under which the third party grants, to any of the 529 | parties who would receive the covered work from you, a discriminatory 530 | patent license (a) in connection with copies of the covered work 531 | conveyed by you (or copies made from those copies), or (b) primarily 532 | for and in connection with specific products or compilations that 533 | contain the covered work, unless you entered into that arrangement, 534 | or that patent license was granted, prior to 28 March 2007. 535 | 536 | Nothing in this License shall be construed as excluding or limiting 537 | any implied license or other defenses to infringement that may 538 | otherwise be available to you under applicable patent law. 539 | 540 | 12. No Surrender of Others' Freedom. 541 | 542 | If conditions are imposed on you (whether by court order, agreement or 543 | otherwise) that contradict the conditions of this License, they do not 544 | excuse you from the conditions of this License. If you cannot convey a 545 | covered work so as to satisfy simultaneously your obligations under this 546 | License and any other pertinent obligations, then as a consequence you may 547 | not convey it at all. For example, if you agree to terms that obligate you 548 | to collect a royalty for further conveying from those to whom you convey 549 | the Program, the only way you could satisfy both those terms and this 550 | License would be to refrain entirely from conveying the Program. 551 | 552 | 13. Use with the GNU Affero General Public License. 553 | 554 | Notwithstanding any other provision of this License, you have 555 | permission to link or combine any covered work with a work licensed 556 | under version 3 of the GNU Affero General Public License into a single 557 | combined work, and to convey the resulting work. The terms of this 558 | License will continue to apply to the part which is the covered work, 559 | but the special requirements of the GNU Affero General Public License, 560 | section 13, concerning interaction through a network will apply to the 561 | combination as such. 562 | 563 | 14. Revised Versions of this License. 564 | 565 | The Free Software Foundation may publish revised and/or new versions of 566 | the GNU General Public License from time to time. Such new versions will 567 | be similar in spirit to the present version, but may differ in detail to 568 | address new problems or concerns. 569 | 570 | Each version is given a distinguishing version number. If the 571 | Program specifies that a certain numbered version of the GNU General 572 | Public License "or any later version" applies to it, you have the 573 | option of following the terms and conditions either of that numbered 574 | version or of any later version published by the Free Software 575 | Foundation. If the Program does not specify a version number of the 576 | GNU General Public License, you may choose any version ever published 577 | by the Free Software Foundation. 578 | 579 | If the Program specifies that a proxy can decide which future 580 | versions of the GNU General Public License can be used, that proxy's 581 | public statement of acceptance of a version permanently authorizes you 582 | to choose that version for the Program. 583 | 584 | Later license versions may give you additional or different 585 | permissions. However, no additional obligations are imposed on any 586 | author or copyright holder as a result of your choosing to follow a 587 | later version. 588 | 589 | 15. Disclaimer of Warranty. 590 | 591 | THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY 592 | APPLICABLE LAW. EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT 593 | HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY 594 | OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, 595 | THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 596 | PURPOSE. THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM 597 | IS WITH YOU. SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF 598 | ALL NECESSARY SERVICING, REPAIR OR CORRECTION. 599 | 600 | 16. Limitation of Liability. 601 | 602 | IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING 603 | WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS 604 | THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY 605 | GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE 606 | USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF 607 | DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD 608 | PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), 609 | EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF 610 | SUCH DAMAGES. 611 | 612 | 17. Interpretation of Sections 15 and 16. 613 | 614 | If the disclaimer of warranty and limitation of liability provided 615 | above cannot be given local legal effect according to their terms, 616 | reviewing courts shall apply local law that most closely approximates 617 | an absolute waiver of all civil liability in connection with the 618 | Program, unless a warranty or assumption of liability accompanies a 619 | copy of the Program in return for a fee. 620 | 621 | END OF TERMS AND CONDITIONS 622 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # 1pass 2 | 3 | **1pass** is a caching wrapper for the [1Password 4 | CLI](https://support.1password.com/command-line-getting-started/) `op`. 5 | 6 | ![Shellcheck](https://github.com/dcreemer/1pass/workflows/shellcheck/badge.svg) 7 | 8 | ## NO LONGER MAINTAINED 9 | 10 | I am no longer maintaining this software, as the 1Password CLI version 2 11 | provides all of the features I need. 12 | 13 | ## WARNING 1password 2 CLI compatibility 14 | 15 | Do not upgrade to 1password CLI version 2! This `1pass` tool is not yet compatible with 16 | it. 17 | 18 | ## UPGRADE NOTE 19 | 20 | Upgrading to version 1.1 requires installation of the 21 | [expect](https://core.tcl.tk/expect/index) tool. `1pass` will check for this (and 22 | other) dependencies and remind you to install them. 23 | 24 | ## Introduction 25 | 26 | **1pass** is designed to make using your 1Password usernames and passwords quick and easy. It is 27 | intended for use within an interactive shell as well as from scripts. Once installed and configured 28 | as described below, you can obtain an account password in a shell simply by typing: 29 | 30 | ```sh 31 | $ 1pass Github 32 | ``` 33 | 34 | and your Github password will be copied to the clipboard. 35 | 36 | The official 1Password CLI application (```op```) can be difficult to use interactively, and unlike 37 | the macOS or Windows 1Password native applications, requires an internet connection to fetch data 38 | from your password vaults. **1pass** solves both of these problems. ```Op``` needs session tokens to 39 | be revalidated manually after 30 minutes of inactivity and produces rich output in JSON format. The 40 | JSON output is easy for a program to use, but is not trivially consumed by humans without help. 41 | **1pass** provides that help, with two main features: 42 | 43 | - a simplified interface for listing and fetching usernames, passwords, and other fields for 44 | individual items. 45 | - an encrypted local cache of 1Password CLI results. 46 | 47 | Together these features enable easy use of 1Password-stored credentials. 48 | 49 | ## Installation 50 | 51 | First make sure that the `op` [1Password 52 | CLI](https://support.1password.com/command-line-getting-started/) and the `jq` 53 | [JQ](https://stedolan.github.io/jq) and 54 | [expect](https://core.tcl.tk/expect/index) requirements are installed. If you use 55 | homebrew cask on macOS, this works well: 56 | 57 | ```sh 58 | $ brew install 1password-cli 59 | $ brew install jq expect 60 | ``` 61 | 62 | If you want to automate 2FA (TOTP) logging into 1password.com, then also install the oathtool, and 63 | see further instructions below. 64 | 65 | ```sh 66 | $ brew install oath-toolkit 67 | ``` 68 | 69 | Copy the 1pass executable file to a suitable location on your PATH (for example, /usr/local/bin) 70 | and ensure that it is executable. For example: 71 | 72 | ```sh 73 | curl https://raw.githubusercontent.com/dcreemer/1pass/master/1pass > /usr/local/bin/1pass 74 | chmod a+x /usr/local/bin/1pass 75 | ``` 76 | 77 | ### Bash Completion 78 | 79 | If you would like to install bash-completion for 1pass, place the `bash-completion.sh` script in 80 | and accessible location and then source it from your `.bash_profile`. For example: 81 | 82 | ```sh 83 | mkdir -p /usr/local/etc/1pass 84 | curl https://raw.githubusercontent.com/dcreemer/1pass/master/bash_completion.sh > /usr/local/etc/1pass/bash_completion.sh 85 | echo "source /usr/local/etc/1pass/bash_completion.sh" >> ~/.bash_profile 86 | ``` 87 | 88 | By default the completion script will look for `fzf` completion support in your environment. If present, 89 | it will use fzf completion ([see here](https://github.com/junegunn/fzf#fuzzy-completion-for-bash-and-zsh)). 90 | 91 | _Note: If you have installed `fzf` using homebrew on macOS, make sure you have enabled completion by 92 | running `$(brew --prefix)/opt/fzf/install --completion` and follow the prompts._ 93 | 94 | If you do not have fzf or if you turn this feature off it will revert to standard bash completion 95 | behavior. If you would like to explicitly disable FZF completion for 1pass, you can do so as follows: 96 | 97 | ```sh 98 | export ONEPASS_FZF_COMPLETE=false 99 | ``` 100 | This line should be added to your `.bash_profile` 101 | 102 | ## Security and Warning 103 | 104 | **1pass** requires you to store your 1Password master password in a local GPG-encrypted file. You 105 | should inspect the source code to ensure that you trust the software, as well as read this 106 | documentation to understand the security tradeoffs. 107 | 108 | Like the 1Password application itself, **1pass** relies on *one password*. However that password is 109 | **not** your 1Password "master password" -- it is your Gnu Privacy Guard ([gpg](https://gnupg.org/)) 110 | private key. GPG, when configured to use the GPG-agent, will cache your private key password for a 111 | configurable length of time (a few hours to a day is perhaps reasonable). **1pass** uses your GPG 112 | key to store an encrypted copies of your 1Password master password and your 1Password account secret 113 | key. 114 | 115 | When data is needed from your online 1Password data store, the master password and secret key are 116 | temporarily decrypted and exchanged for a session token, which is also then encrypted and stored. 117 | The session token will be refreshed as needed. These actions happen automatically once your GPG key 118 | is available in the GPG-agent. 119 | 120 | The data that is fetched from the 1Password service is cached in local files -- once again also 121 | encrypted using your GPG private key. 122 | 123 | You can "lock" your **1pass** session by running the "forget" command: 124 | 125 | ```sh 126 | $ 1pass -f 127 | cleared local session 128 | ``` 129 | 130 | which removes the local session token (if any), and calls ```gpgconf --kill gpg-agent``` to purge 131 | any running gpg-agent of your GPG secret keys. 132 | 133 | ## Configuration 134 | 135 | In order to run with minimum user input, **1pass** relies on the Gnu Privacy Guard 136 | [gpg](https://gnupg.org/) to encrypt all locally stored data. 1Password needs both a *master 137 | password* and a *secret key* to access your vault. Each of these must be stored in an encrypted 138 | file (in ~/.1pass or `$XDG_CONFIG_HOME/1pass`) for 1pass to work correctly. 1pass encrypts these 139 | and all other files with your own gpg key. This key, as well as your 1Password login email and 140 | domain must be configured in the ~/.1pass/config file. The domain is the full domain name that you 141 | use to sign-in when you use the 1Password website, for example `example.1password.com` or 142 | `subdomain.1password.ca`. 143 | 144 | GPG can be configured to use the ```gpg-agent```, which can prompt for your *gpg* password, and 145 | cache it in a local agent for a fixed amount of time. If you configure GPG this way, you will only 146 | need to enter you GPG password (e.g.) once a day, and then seldom need to enter your 1Password 147 | master password. 148 | 149 | Running ```1pass -rv``` repeatedly will output instructions on how to configure this file and safely 150 | store your master password and secret key. 151 | 152 | ```sh 153 | $ ./1pass -rv 154 | please config 1pass by editing /home/me/.1pass/config 155 | $ vi ~/.1pass/config 156 | $ ./1pass -rv 157 | please put your master password into /home/me/.1pass/_master.gpg 158 | ex: echo "master-password" | gpg -er me@example.com > /home/me/.1pass/_master.gpg 159 | $ echo "sEcre77" | gpg -er me@example.com > /home/me/.1pass/_master.gpg 160 | $ ./1pass -rv 161 | please put your mysubdomain.1password.com secret key into /home/me/.1pass/_secret.gpg 162 | ex: echo "A3-XXXXXX-XXXXXX-XXXXX-XXXXX-XXXXX-XXXXX" | gpg -er me@example.com > /home/me/.1pass/_secret.gpg 163 | $ echo "A3-XXXXXX-XXXXXX-XXXXX-XXXXX-XXXXX-XXXXX" | gpg -er me@example.com > /home/me/.1pass/_secret.gpg 164 | $ ./1pass -rv 165 | signing in to mysubdomain.1password.com me@example.com 166 | ... 167 | ``` 168 | 169 | ## Usage 170 | 171 | Once you are configured and signed in, you are ready to use **1pass**. The simplest command is 172 | **1pass** with no arguments to list all items in your vault: 173 | 174 | ```sh 175 | $ 1pass 176 | Github 177 | MyBankAccount 178 | gmail.com 179 | ... 180 | ``` 181 | 182 | The list consists of the *titles* of each item. You can then retrieve the password of an item: 183 | 184 | ```sh 185 | $ 1pass -p Github 186 | sjd$kh23@0dfjs1DDj 187 | ``` 188 | 189 | The password is echoed to the standard output (when the '-p' option is used). You can easily use 190 | this in scripts, for example: 191 | 192 | ```sh 193 | export PGPASSWORD=$(1pass -p MyPostgresServer) 194 | ``` 195 | 196 | Without the '-p' option, 1pass copies the password to the clipboard: 197 | 198 | ```sh 199 | $ 1pass Github 200 | ``` 201 | 202 | The contents of the clipboard will be automatically cleared after 30 seconds. You can also pass 203 | **1pass** an optional field argument -- for example "username" to retrieve that field from the item: 204 | 205 | ```sh 206 | $ 1pass -p MyBankAccount username 207 | me@example.com 208 | ``` 209 | 210 | Sometimes it's easier to pass the title to search for via stdin, rather than as a command line 211 | argument. Use the `-` character to force 1pass to read from stdin for the value. 212 | 213 | ```sh 214 | $ echo "MyBankAccount" | 1pass -p - username 215 | me@example.com 216 | ``` 217 | 218 | **1pass** can lookup other fields besides username or password. They field name is the "label" for 219 | the field in the 1Password GUI. 220 | 221 | ```sh 222 | $ 1pass -p MyBankAccount pin 223 | 1234 224 | ``` 225 | 226 | **1pass** has special support for TOTP fields -- these are fetched directly via `op` 227 | rather than a local cache. (Thanks to (@ev0rtex)[https://github.com/ev0rtex]). 228 | Note that this **is different** from using TOTP 2FA to log into your 1Password 229 | account (that is supported too -- see below) 230 | 231 | ```sh 232 | $ 1pass -p MyBankAccount totp 233 | 9865432 234 | ``` 235 | 236 | ## FZF Integration 237 | 238 | **1pass** can be nicely combined with [fzf](https://github.com/junegunn/fzf) for fuzzy search and 239 | completion. 240 | 241 | Starting with 1pass v1.5: 242 | 243 | ```sh 244 | $ 1pass | fzf | 1pass -p - 245 | ``` 246 | 247 | which can be easily created as an alias in your `.bashrc` or equivalent: 248 | 249 | `alias fp="1pass | fzf | 1pass -p -"` 250 | 251 | In older versions: See [fuzzpass.sh](fuzzpass.sh) or [fuzzpass.fish](fuzzpass.fish) for sample 252 | integration functions. 253 | 254 | ## Emacs 255 | 256 | For the brave, a trivial Emacs wrapper library is included. E.g. 257 | 258 | ```elisp 259 | (setq freenode-nick-username (1pass--item-username "Freenode/nick1")) 260 | (setq freenode-nick-password (1pass--item-password "Freenode/nick1")) 261 | (setq freenode-nick-password (1pass--item-field "Freenode" "server")) 262 | ``` 263 | 264 | ## Iterm2 integration 265 | 266 | (This work is thanks to [birlog](https://github.com/birlorg)). This integration lets you select and 267 | insert passwords into programs running in iTerm2(shell). If you are tired of typing in your sudo 268 | password, this is for you. 269 | 270 | This is effectively a clone of [sudolikeaboss](https://github.com/ravenac95/sudolikeaboss) 271 | functionality. with the caveat that all of your passwords are available, not just ones tagged 272 | x-sudolikeaboss 273 | 274 | Using [choose](https://github.com/chipsenkbeil/choose) (a GUI fzf clone) 275 | 276 | in iTerm2, go to preferences, then keys, add a new key `open-apple+/` to run coprocess and then 277 | copy paste in the command to run box: 278 | 279 | `export PATH="/usr/local/bin:/usr/bin"; 1pass | choose | 1pass -p -` 280 | 281 | Then start a program asking for input like `sudo -s` and then at the password prompt push the key 282 | you assigned earlier(`open-apple+/` above) and select the password title by typing or arrowing 283 | down/up and then hit enter. It might take a second, as 1pass has to go fetch your password from 284 | 1pass, but it then should type in your password and hit enter for you. 285 | 286 | If you run into trouble, iTerm2 should attach a little yellow bar at the top, select 'view errors' 287 | and it should then open a new window showing the output of the commands above, you will need to 288 | work through whatever issue comes up. 289 | 290 | If you get a `Command not found error` You installed choose, 1pass or op other than 291 | `/usr/local/bin/`, you will need to edit the PATH part of the line above. 292 | 293 | FZF will not work in place of choose, as coprocesses if they want to ask for user input need to 294 | happen in their own window. 295 | 296 | 297 | ## Caching and Sessions 298 | 299 | When using **1pass**, all response data from 1Password is encrypted and then cached to 300 | ```~/.1pass/cache```. Sometimes this cache will be out of date -- for example if you have created a 301 | new password entry via the 1Password application. Passing ```-r``` to **1pass** will force a refresh 302 | from the online 1Password vault. 303 | 304 | Similarly, 1Password CLI sessions last for 30 minutes from the time of last use. **1pass** will 305 | manage the session for you, and refresh it as needed. 306 | 307 | ## 2FA for 1Password 308 | 309 | If you have turned on two-factor authentication (2FA) support for your 1Password account, then 310 | 1pass will prompt for you to enter a TOTP code when creating a session. You can either re-enter 311 | this code after every session expiration (30 minutes of inactivity), or automate entry of the code 312 | using the oath-toolkit `oathtool` command. If you wish to automate the 2FA process, add 313 | `use_totp="1"` to your config file, and follow the instructions to store the TOTP secret: 314 | 315 | ```sh 316 | $ ./1pass -rv 317 | please put your ${domain} totp secret into /home/me/.1pass/_totp.gpg 318 | ex: echo \"XXXXXXXXXXXXXXXX\" | $GPG -er $email > /home/me/.1pass/_totp.gpg 319 | ``` 320 | 321 | ## License 322 | 323 | Copyright (c) 2017-2021, David Creemer (twitter: 324 | [@dcreemer](https://twitter.com/dcreemer)) with some components from other GPL 2+ 325 | software. 326 | 327 | [GPL3](https://raw.githubusercontent.com/dcreemer/1pass/master/LICENSE) 328 | 329 | ## Credits 330 | 331 | Some ideas, and a tiny bit of code are taken from [pass](https://www.passwordstore.org) by Jason 332 | A. Donenfeld. Please see the git commit log for contributions from others. 333 | -------------------------------------------------------------------------------- /bash_completion.sh: -------------------------------------------------------------------------------- 1 | #! /usr/bin/env bash 2 | # add fuzzyfind (fzf) completion for 1pass objects 3 | 4 | function _fzf_complete_1pass() { 5 | local doFzf=false 6 | local cword="${COMP_WORDS[$COMP_CWORD]}" 7 | if _should_1p_fzf_complete; then 8 | doFzf=true 9 | local trigger=${FZF_COMPLETION_TRIGGER-'**'} 10 | if [[ -z "$cword" ]]; then 11 | COMP_WORDS[$COMP_CWORD]=$trigger 12 | elif [[ "$cword" != *"$trigger" ]]; then 13 | COMP_WORDS[$COMP_CWORD]="$cword$trigger" 14 | fi 15 | fi 16 | 17 | local item 18 | local words=("${COMP_WORDS[@]::${#COMP_WORDS[@]}-1}") 19 | for i in "${!words[@]}"; do 20 | local curr=${words[$i]} 21 | if [[ $i -ne 0 ]] && [[ ${curr} != "-"* ]]; then 22 | item=${curr} 23 | break 24 | fi 25 | done 26 | # Avoid any aliases that might be set 27 | local opcmd="command 1pass" 28 | local rcmd="" 29 | if [[ -z "$item" ]]; then 30 | rcmd="${opcmd}" 31 | else 32 | rcmd="${opcmd} -l \"$item\"" 33 | fi 34 | if ${doFzf}; then 35 | _fzf_complete --reverse --prompt="1pass> " -- "${@}" < <(eval "$rcmd") 36 | else 37 | COMPREPLY=() 38 | local search 39 | # The rest adapted from https://stackoverflow.com/a/1146716/190100 40 | search=$(eval echo "$cword" 2>/dev/null || eval echo "$cword'" 2>/dev/null || eval echo "$cword\"" 2>/dev/null || eval echo "" 2>/dev/null ) 41 | local IFS=$'\n' 42 | while read -r line; do COMPREPLY+=("$line"); done < <(compgen -W "$(_1p_entries "${rcmd}")" -- "$search") 43 | local escaped_single_qoute="'\''" 44 | local i=0 45 | for entry in "${COMPREPLY[@]}" 46 | do 47 | if [[ "${cword:0:1}" == "'" ]] 48 | then 49 | # started with single quote, escaping only other single quotes 50 | # [']bla'bla"bla\bla bla --> [']bla'\''bla"bla\bla bla 51 | COMPREPLY[$i]="${entry//\'/${escaped_single_qoute}}" 52 | elif [[ "${cword:0:1}" == "\"" ]] 53 | then 54 | # started with double quote, escaping all double quotes and all backslashes 55 | # ["]bla'bla"bla\bla bla --> ["]bla'bla\"bla\\bla bla 56 | entry="${entry//\\/\\\\}" 57 | COMPREPLY[$i]="${entry//\"/\\\"}" 58 | else 59 | # no quotes in front, escaping _everything_ 60 | # [ ]bla'bla"bla\bla bla --> [ ]bla\'bla\"bla\\bla\ bla 61 | entry="${entry//\\/\\\\}" 62 | entry="${entry//\'/\'}" 63 | entry="${entry//\"/\\\"}" 64 | COMPREPLY[$i]="${entry// /\\ }" 65 | fi 66 | (( i++ )) 67 | done 68 | fi 69 | } 70 | complete -F _fzf_complete_1pass -o default -o bashdefault 1pass 71 | 72 | function _should_1p_fzf_complete() { 73 | ${ONEPASS_FZF_COMPLETE:-true} && declare -f _fzf_complete > /dev/null 2>&1 74 | } 75 | 76 | function _1p_entries() { 77 | eval "$*" | sed -e "{" -e 's#\\#\\\\#g' -e "s#'#\\\'#g" -e 's#"#\\\"#g' -e "}" 78 | } 79 | -------------------------------------------------------------------------------- /config.sample: -------------------------------------------------------------------------------- 1 | # configuration file for 1pass 2 | 3 | # set to the ID of your GPG key 4 | self_key="" 5 | 6 | # set to the email address associated with your 1Password account 7 | email="" 8 | 9 | # set to your 1password domain (e.g. example.1password.com) 10 | domain="" 11 | -------------------------------------------------------------------------------- /fuzzpass.fish: -------------------------------------------------------------------------------- 1 | function fuzzpass 2 | set arg $argv[1] 3 | if test -z "$arg" 4 | set arg "password" 5 | end 6 | set item (1pass | fzf) 7 | 8 | [ -n $item ] & 1pass $item $arg 9 | end 10 | -------------------------------------------------------------------------------- /fuzzpass.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | # 3 | # -*- shell-script -*- 4 | # 5 | # Use fzf (https://github.com/junegunn/fzf) to rapidly select an account, 6 | # and run 1pass (with optional argument) on the result. 7 | # To use this, source this file in your .bashrc or .profile as appropriate, 8 | # e.g. 9 | # 10 | # source fuzzpass.sh 11 | # 12 | 13 | fuzzpass() { 14 | local arg 15 | arg=$1 16 | if [ "$arg" = "" ]; then 17 | arg="password" 18 | fi 19 | local item 20 | item=$(1pass | fzf); 21 | [[ -n "$item" ]] && 1pass "$item" "$arg" 22 | } 23 | --------------------------------------------------------------------------------