// // Password.swift // pass // // Created by Mingshen Sun on 2/2/2017. // Copyright © 2017 Bob Sun. All rights reserved. // import Foundation import SwiftyUserDefaults import OneTimePassword import Base32 import Yams public struct AdditionField: Equatable { public var title: String = "" public var content: String = "" var asString: String { return title.isEmpty ? content : title + ": " + content } var asTuple: (String, String) { return (title, content) } public static func == (first: AdditionField, second: AdditionField) -> Bool { return first.asTuple == second.asTuple } } public enum OtpType { case totp, hotp, none static func from(token: Token?) -> OtpType { switch token?.generator.factor { case .some(.counter): return .hotp case .some(.timer): return .totp default: return .none } } } enum PasswordChange: Int { case path = 0x01 case content = 0x02 case none = 0x00 } public class Password { public static let OTP_KEYWORDS = ["otp_secret", "otp_type", "otp_algorithm", "otp_period", "otp_digits", "otp_counter", "otpauth"] private static let OTPAUTH = "otpauth" private static let OTPAUTH_URL_START = "\(OTPAUTH)://" private static let PASSWORD_KEYWORD = "password" private static let USERNAME_KEYWORD = "username" private static let LOGIN_KEYWORD = "login" private static let URL_KEYWORD = "url" private static let UNKNOWN = "unknown" public var name = "" public var url: URL? public var namePath: String { return url?.deletingPathExtension().path ?? "" } public var password = "" public var changed: Int = 0 public var plainText = "" private var additions = [AdditionField]() private var firstLineIsOTPField = false private var otpToken: Token? public var otpType: OtpType { return OtpType.from(token: self.otpToken) } public init(name: String, url: URL?, plainText: String) { self.initEverything(name: name, url: url, plainText: plainText) } public func updatePassword(name: String, url: URL?, plainText: String) { if self.plainText != plainText || self.url != url { if self.plainText != plainText { changed = changed|PasswordChange.content.rawValue } if self.url != url { changed = changed|PasswordChange.path.rawValue } self.initEverything(name: name, url: url, plainText: plainText) } } private func initEverything(name: String, url: URL?, plainText: String) { self.name = name self.url = url self.plainText = plainText additions.removeAll() // split the plain text let plainTextSplit = self.plainText .split(omittingEmptySubsequences: false) { $0 == "\n" || $0 == "\r\n" } .map(String.init) // get password password = plainTextSplit.first ?? "" // get remaining lines (filter out empty lines) let additionalLines = plainTextSplit[1...].filter { !$0.isEmpty } // separate normal lines (no otp tokens) let normalAdditionalLines = additionalLines.filter { !$0.hasPrefix(Password.OTPAUTH_URL_START) }.joined(separator: "\n") // try to interpret the text format as YAML first do { try getAdditionalFields(fromYaml: normalAdditionalLines) } catch { getAdditionalFields(fromPlainText: normalAdditionalLines) } // get and append otp tokens let otpAdditionalLines = additionalLines.filter { $0.hasPrefix(Password.OTPAUTH_URL_START) } otpAdditionalLines.forEach { self.additions.append(AdditionField(title: Password.OTPAUTH, content: $0)) } // check whether the first line looks like an otp entry let (key, value) = Password.getKeyValuePair(from: self.password) if Password.OTP_KEYWORDS.contains(key ?? "") { firstLineIsOTPField = true self.additions.append(AdditionField(title: key!, content: value)) } else { firstLineIsOTPField = false } // construct the otp token updateOtpToken() } // check whether the file has lines with duplicated field names private func checkDuplicatedFields(lines: String) -> Bool { var keys = Set() var hasDuplicatedFields = false lines.enumerateLines { (line, stop) -> () in let (key, _) = Password.getKeyValuePair(from: line) if let key = key { hasDuplicatedFields = !keys.insert(key).0 stop = hasDuplicatedFields } } return hasDuplicatedFields } private func getAdditionalFields(fromYaml: String) throws { guard !fromYaml.isEmpty else { return } if checkDuplicatedFields(lines: fromYaml) { throw AppError.YamlLoadError } guard let yamlFile = try Yams.load(yaml: fromYaml) as? [String: String] else { throw AppError.YamlLoadError } additions.append(contentsOf: yamlFile.map { AdditionField(title: $0, content: String(describing: $1)) }) } private func getAdditionalFields(fromPlainText: String) { var unknownIndex = 0 fromPlainText.enumerateLines() { line, _ in if !line.isEmpty { var (key, value) = Password.getKeyValuePair(from: line) if key == nil { unknownIndex += 1 key = "\(Password.UNKNOWN) \(unknownIndex)" } self.additions.append(AdditionField(title: key!, content: value)) } } } public func getFilteredAdditions() -> [AdditionField] { return additions.filter { field in field.title.lowercased() != Password.USERNAME_KEYWORD && field.title.lowercased() != Password.LOGIN_KEYWORD && field.title.lowercased() != Password.PASSWORD_KEYWORD && (!field.title.hasPrefix(Password.UNKNOWN) || !SharedDefaults[.isHideUnknownOn]) && (!Password.OTP_KEYWORDS.contains(field.title) || !SharedDefaults[.isHideOTPOn]) } } public func getUsername() -> String? { return getAdditionValue(withKey: Password.USERNAME_KEYWORD, caseSensitive: false) } public func getLogin() -> String? { return getAdditionValue(withKey: Password.LOGIN_KEYWORD, caseSensitive: false) } public func getURLString() -> String? { return getAdditionValue(withKey: Password.URL_KEYWORD, caseSensitive: false) } // return a key-value pair from the line // key might be nil, if there is no ":" in the line private static func getKeyValuePair(from line: String) -> (key: String?, value: String) { let items = line.components(separatedBy: ": ").map{String($0).trimmingCharacters(in: .whitespaces)} var key : String? = nil var value = "" if items.count == 1 || (items[0].isEmpty && items[1].isEmpty) { // no ": " found, or empty on both sides of ": " value = line // otpauth special case if value.hasPrefix(Password.OTPAUTH_URL_START) { key = Password.OTPAUTH } } else { if !items[0].isEmpty { key = items[0] } value = items[1] } return (key, value) } public func getAdditionsPlainText() -> String { // lines starting from the second let plainTextSplit = plainText.split(maxSplits: 1, omittingEmptySubsequences: false) { $0 == "\n" || $0 == "\r\n" }.map(String.init) return plainTextSplit.count == 1 ? "" : plainTextSplit[1] } private func getPlainText() -> String { return self.plainText } public func getPlainData() -> Data { return getPlainText().data(using: .utf8)! } private func getAdditionValue(withKey key: String, caseSensitive: Bool = true) -> String? { let searchKey = caseSensitive ? key : key.lowercased() let matchingField = additions.first { (caseSensitive ? $0.title : $0.title.lowercased()) == searchKey } return matchingField?.content } /* Set otpType and otpToken, if we are able to construct a valid token. Example of TOTP otpauth (Key Uri Format: https://github.com/google/google-authenticator/wiki/Key-Uri-Format) otpauth://totp/totp-secret?secret=AAAAAAAAAAAAAAAA&issuer=totp-secret Example of TOTP fields [Legacy, lower priority] otp_secret: secretsecretsecretsecretsecretsecret otp_type: totp otp_algorithm: sha1 (default: sha1, optional) otp_period: 30 (default: 30, optional) otp_digits: 6 (default: 6, optional) Example of HOTP fields [Legacy, lower priority] otp_secret: secretsecretsecretsecretsecretsecret otp_type: hotp otp_counter: 1 otp_digits: 6 (default: 6, optional) */ private func updateOtpToken() { self.otpToken = nil // get otpauth, if we are able to generate a token, return if var otpauthString = getAdditionValue(withKey: Password.OTPAUTH) { if !otpauthString.hasPrefix("\(Password.OTPAUTH):") { otpauthString = "\(Password.OTPAUTH):\(otpauthString)" } if let otpauthUrl = URL(string: otpauthString), let token = Token(url: otpauthUrl) { self.otpToken = token return } } // get secret data guard let secretString = getAdditionValue(withKey: "otp_secret"), let secretData = MF_Base32Codec.data(fromBase32String: secretString), !secretData.isEmpty else { // print("Missing / Invalid otp secret") return } // get type guard let type = getAdditionValue(withKey: "otp_type")?.lowercased(), (type == "totp" || type == "hotp") else { // print("Missing / Invalid otp type") return } // get algorithm (optional) var algorithm = Generator.Algorithm.sha1 if let algoString = getAdditionValue(withKey: "otp_algorithm") { switch algoString.lowercased() { case "sha256": algorithm = .sha256 case "sha512": algorithm = .sha512 default: algorithm = .sha1 } } // construct the token if type == "totp" { // HOTP // default: 6 digits, 30 seconds guard let digits = Int(getAdditionValue(withKey: "otp_digits") ?? "6"), let period = Double(getAdditionValue(withKey: "otp_period") ?? "30.0") else { let alertMessage = "Invalid otp_digits or otp_period." print(alertMessage) return } guard let generator = Generator( factor: .timer(period: period), secret: secretData, algorithm: algorithm, digits: digits) else { let alertMessage = "Invalid OTP generator parameters." print(alertMessage) return } self.otpToken = Token(name: self.name, issuer: "", generator: generator) } else { // HOTP // default: 6 digits guard let digits = Int(getAdditionValue(withKey: "otp_digits") ?? "6"), let counter = UInt64(getAdditionValue(withKey: "otp_counter") ?? "") else { let alertMessage = "Invalid otp_digits or otp_counter." print(alertMessage) return } guard let generator = Generator( factor: .counter(counter), secret: secretData, algorithm: algorithm, digits: digits) else { let alertMessage = "Invalid OTP generator parameters." print(alertMessage) return } self.otpToken = Token(name: self.name, issuer: "", generator: generator) } } // return the description and the password strings public func getOtpStrings() -> (description: String, otp: String)? { guard let token = self.otpToken else { return nil } var description : String switch token.generator.factor { case .counter: // htop description = "HMAC-based" case .timer(let period): // totp let timeSinceEpoch = Date().timeIntervalSince1970 let validTime = Int(period - timeSinceEpoch.truncatingRemainder(dividingBy: period)) description = "time-based (expiring in \(validTime)s)" } let otp = self.otpToken?.currentPassword ?? "error" return (description, otp) } // return the password strings public func getOtp() -> String? { return self.otpToken?.currentPassword } // return the password strings // it is guaranteed that it is a HOTP password when we call this public func getNextHotp() -> String? { // increase the counter otpToken = otpToken?.updatedToken() // replace old HOTP settings with the new otpauth var newOtpauth = try! otpToken?.toURL().absoluteString newOtpauth?.append("&secret=") newOtpauth?.append(MF_Base32Codec.base32String(from: otpToken?.generator.secret)) var lines : [String] = [] self.plainText.enumerateLines() { line, _ in let (key, _) = Password.getKeyValuePair(from: line) if !Password.OTP_KEYWORDS.contains(key ?? "") { lines.append(line) } else if key == Password.OTPAUTH && newOtpauth != nil { lines.append(newOtpauth!) // set to nil to prevent duplication newOtpauth = nil } } if newOtpauth != nil { lines.append(newOtpauth!) } self.updatePassword(name: self.name, url: self.url, plainText: lines.joined(separator: "\n")) // get and return the password return self.otpToken?.currentPassword } public static func LooksLikeOTP(line: String) -> Bool { let (key, _) = getKeyValuePair(from: line) return Password.OTP_KEYWORDS.contains(key ?? "") } }