diff --git a/.config/qutebrowser/config.py b/.config/qutebrowser/config.py index 9c735e6..ef76cb1 100644 --- a/.config/qutebrowser/config.py +++ b/.config/qutebrowser/config.py @@ -35,7 +35,6 @@ config.set("colors.webpage.darkmode.enabled", False, "file://*") # c.tabs.title.format = "{audio}{current_title}" -c.fonts.web.size.default = 20 c.url.searchengines = { # note - if you use duckduckgo, you can make use of its built in bangs, of which there are many! https://duckduckgo.com/bangs @@ -48,10 +47,7 @@ c.url.searchengines = { c.completion.open_categories = [ "searchengines", - "quickmarks", "bookmarks", - "history", - "filesystem", ] c.auto_save.session = False # save tabs on quit/restart @@ -82,8 +78,10 @@ c.tabs.indicator.width = 0 # no tab indicators c.tabs.width = "7%" # fonts -c.fonts.default_family = [] +c.fonts.default_family = "JetBrainsMono Nerd Font" c.fonts.default_size = "13pt" +c.fonts.web.size.minimum = 16 +c.fonts.web.size.default = 16 c.fonts.web.family.fixed = "monospace" c.fonts.web.family.sans_serif = "monospace" c.fonts.web.family.serif = "monospace" @@ -93,7 +91,7 @@ c.fonts.web.family.standard = "monospace" # config.set("completion.cmd_history_max_items", 0) # config.set("content.private_browsing", True) config.set("content.webgl", False, "*") -config.set("content.canvas_reading", False) +config.set("content.canvas_reading", True) config.set("content.geolocation", False) config.set("content.webrtc_ip_handling_policy", "default-public-interface-only") config.set("content.cookies.accept", "all") diff --git a/.config/qutebrowser/userscripts/bw b/.config/qutebrowser/userscripts/bw new file mode 100755 index 0000000..4cd620f --- /dev/null +++ b/.config/qutebrowser/userscripts/bw @@ -0,0 +1,368 @@ +#!/usr/bin/env python3 + +# SPDX-FileCopyrightText: Chris Braun (cryzed) +# +# SPDX-License-Identifier: GPL-3.0-or-later + +""" +Insert login information using Bitwarden CLI and a dmenu-compatible application +(e.g. dmenu, wofi -dmenu, ...). +""" + +USAGE = """The domain of the site has to be in the name of the Bitwarden entry, for example: "github.com/cryzed" or +"websites/github.com". The login information is inserted by emulating key events using qutebrowser's fake-key command in this manner: +[USERNAME][PASSWORD], which is compatible with almost all login forms. + +If enabled, with the `--totp` flag, it will also move the TOTP code to the +clipboard, much like the Firefox add-on. + +You must log into Bitwarden CLI using `bw login` prior to use of this script. +The session key will be stored using keyctl for the number of seconds passed to +the --auto-lock option. + +To use in qutebrowser, run: `spawn --userscript qute-bitwarden` +""" + +EPILOG = """Dependencies: tldextract (Python 3 module), pyperclip (optional +Python module, used for TOTP codes), Bitwarden CLI (1.7.4 is known to work +but older versions may well also work) + +WARNING: The login details are viewable as plaintext in qutebrowser's debug log +(qute://log) and might be shared if you decide to submit a crash report!""" + +import argparse +import enum +import functools +import os +import shlex +import subprocess +import sys +import json +import tldextract + +argument_parser = argparse.ArgumentParser( + description=__doc__, + usage=USAGE, + epilog=EPILOG, +) +argument_parser.add_argument("url", nargs="?", default=os.getenv("QUTE_URL")) +argument_parser.add_argument( + "--dmenu-invocation", + "-d", + default="wofi -dmenu -i -p Bitwarden --columns 1", + help="Invocation used to execute a dmenu-provider", +) +argument_parser.add_argument( + "--password-prompt-invocation", + "-p", + default='wofi -dmenu -p "Master Password" -password -lines 0', + help="Invocation used to prompt the user for their Bitwarden password", +) +argument_parser.add_argument( + "--no-insert-mode", + "-n", + dest="insert_mode", + action="store_false", + help="Don't automatically enter insert mode", +) +argument_parser.add_argument( + "--totp", + "-t", + action="store_true", + default="store_true", + help="Copy TOTP key to clipboard", +) +argument_parser.add_argument( + "--io-encoding", + "-i", + default="UTF-8", + help="Encoding used to communicate with subprocesses", +) +argument_parser.add_argument( + "--merge-candidates", + "-m", + action="store_true", + help="Merge pass candidates for fully-qualified and registered domain name", +) +argument_parser.add_argument( + "--auto-lock", + type=int, + default=900, + help="Automatically lock the vault after this many seconds", +) +group = argument_parser.add_mutually_exclusive_group() +group.add_argument( + "--username-only", "-e", action="store_true", help="Only insert username" +) +group.add_argument( + "--password-only", "-w", action="store_true", help="Only insert password" +) +group.add_argument( + "--totp-only", "-T", action="store_true", help="Only insert totp code" +) + +stderr = functools.partial(print, file=sys.stderr) + + +class ExitCodes(enum.IntEnum): + SUCCESS = 0 + FAILURE = 1 + # 1 is automatically used if Python throws an exception + NO_PASS_CANDIDATES = 2 + COULD_NOT_MATCH_USERNAME = 3 + COULD_NOT_MATCH_PASSWORD = 4 + + +def qute_command(command): + with open(os.environ["QUTE_FIFO"], "w") as fifo: + fifo.write(command + "\n") + fifo.flush() + + +def ask_password(password_prompt_invocation): + process = subprocess.run( + shlex.split(password_prompt_invocation), + text=True, + stdout=subprocess.PIPE, + ) + if process.returncode > 0: + raise Exception("Could not unlock vault") + master_pass = process.stdout.strip() + return subprocess.check_output( + ["bw", "unlock", "--raw", "--passwordenv", "BW_MASTERPASS"], + env={**os.environ, "BW_MASTERPASS": master_pass}, + text=True, + ).strip() + + +def get_session_key(auto_lock, password_prompt_invocation): + try: + # Get the password from secret-tool + password_process = subprocess.run( + ["secret-tool", "lookup", "drive", "bitwarden"], + text=True, + stdout=subprocess.PIPE, + stderr=subprocess.PIPE, + check=True, + ) + password = password_process.stdout.strip() + + # Unlock Bitwarden using the retrieved password + bw_process = subprocess.run( + ["bw", "unlock", password, "--raw"], + text=True, + stdout=subprocess.PIPE, + stderr=subprocess.PIPE, + check=True, + ) + return bw_process.stdout.strip() + except subprocess.CalledProcessError as e: + print(f"Error: {e.stderr}") + raise Exception("Could not unlock vault") from e + + +def pass_(domain, encoding, auto_lock, password_prompt_invocation): + session_key = get_session_key(auto_lock, password_prompt_invocation) + process = subprocess.run( + [ + "bw", + "list", + "items", + "--nointeraction", + "--session", + session_key, + "--url", + domain, + ], + capture_output=True, + ) + + err = process.stderr.decode(encoding).strip() + if err: + msg = "Bitwarden CLI returned for {:s} - {:s}".format(domain, err) + stderr(msg) + + if "Vault is locked" in err: + stderr("Bitwarden Vault got locked, trying again with clean session") + return pass_(domain, encoding, 0, password_prompt_invocation) + + if process.returncode: + return "[]" + + out = process.stdout.decode(encoding).strip() + + return out + + +def get_totp_code( + selection_id, domain_name, encoding, auto_lock, password_prompt_invocation +): + session_key = get_session_key(auto_lock, password_prompt_invocation) + process = subprocess.run( + [ + "bw", + "get", + "totp", + "--nointeraction", + "--session", + session_key, + selection_id, + ], + capture_output=True, + ) + + err = process.stderr.decode(encoding).strip() + if err: + # domain_name instead of selection_id to make it more user-friendly + msg = "Bitwarden CLI returned for {:s} - {:s}".format(domain_name, err) + stderr(msg) + + if "Vault is locked" in err: + stderr("Bitwarden Vault got locked, trying again with clean session") + return get_totp_code( + selection_id, domain_name, encoding, 0, password_prompt_invocation + ) + + if process.returncode: + return "[]" + + out = process.stdout.decode(encoding).strip() + + return out + + +def dmenu(items, invocation, encoding): + command = shlex.split(invocation) + process = subprocess.run( + command, input="\n".join(items).encode(encoding), stdout=subprocess.PIPE + ) + return process.stdout.decode(encoding).strip() + + +def fake_key_raw(text): + for character in text: + # Escape all characters by default, space requires special handling + sequence = '" "' if character == " " else r"\{}".format(character) + qute_command("fake-key {}".format(sequence)) + + +def main(arguments): + if not arguments.url: + argument_parser.print_help() + return ExitCodes.FAILURE + + extract_result = tldextract.extract(arguments.url) + + # Try to find candidates using targets in the following order: fully-qualified domain name (includes subdomains), + # the registered domain name and finally: the IPv4 address if that's what + # the URL represents + candidates = [] + for target in filter( + None, + [ + extract_result.fqdn, + getattr( + extract_result, + "top_domain_under_public_suffix", + getattr(extract_result, "registered_domain"), + ), + extract_result.subdomain + "." + extract_result.domain, + extract_result.domain, + extract_result.ipv4, + ], + ): + target_candidates = json.loads( + pass_( + target, + arguments.io_encoding, + arguments.auto_lock, + arguments.password_prompt_invocation, + ) + ) + if not target_candidates: + continue + + candidates = candidates + target_candidates + if not arguments.merge_candidates: + break + else: + if not candidates: + stderr("No pass candidates for URL {!r} found!".format(arguments.url)) + return ExitCodes.NO_PASS_CANDIDATES + + if len(candidates) == 1: + selection = candidates.pop() + else: + choices = [ + "{:s} | {:s}".format(c["name"], c["login"]["username"]) for c in candidates + ] + choice = dmenu(choices, arguments.dmenu_invocation, arguments.io_encoding) + choice_tokens = choice.split("|") + choice_name = choice_tokens[0].strip() + choice_username = choice_tokens[1].strip() + selection = next( + ( + c + for (i, c) in enumerate(candidates) + if c["name"] == choice_name + and c["login"]["username"] == choice_username + ), + None, + ) + + # Nothing was selected, simply return + if not selection: + return ExitCodes.SUCCESS + + username = selection["login"]["username"] + password = selection["login"]["password"] + totp = selection["login"]["totp"] + + if arguments.username_only: + fake_key_raw(username) + elif arguments.password_only: + fake_key_raw(password) + elif arguments.totp_only: + # No point in moving it to the clipboard in this case + fake_key_raw( + get_totp_code( + selection["id"], + selection["name"], + arguments.io_encoding, + arguments.auto_lock, + arguments.password_prompt_invocation, + ) + ) + else: + # Enter username and password using fake-key and (which seems to work almost universally), then switch + # back into insert-mode, so the form can be directly submitted by + # hitting enter afterwards + fake_key_raw(username) + qute_command("fake-key ") + fake_key_raw(password) + + if arguments.insert_mode: + qute_command("mode-enter insert") + + # If it finds a TOTP code, it copies it to the clipboard, + # which is the same behavior as the Firefox add-on. + if not arguments.totp_only and totp and arguments.totp: + # The import is done here, to make pyperclip an optional dependency + import pyperclip + + pyperclip.copy( + get_totp_code( + selection["id"], + selection["name"], + arguments.io_encoding, + arguments.auto_lock, + arguments.password_prompt_invocation, + ) + ) + + return ExitCodes.SUCCESS + + +if __name__ == "__main__": + arguments = argument_parser.parse_args() + sys.exit(main(arguments)) diff --git a/ansible/roles/packages/vars/Archlinux.yml b/ansible/roles/packages/vars/Archlinux.yml index bd7b37f..9aee5fc 100644 --- a/ansible/roles/packages/vars/Archlinux.yml +++ b/ansible/roles/packages/vars/Archlinux.yml @@ -104,6 +104,7 @@ required_packages_pacman: - blueman - qutebrowser - python-tldextrct + - python-pyperclip flatpak_remote: - { name: "flathub", url: "https://dl.flathub.org/repo/flathub.flatpakrepo" }