- builtins.dict(builtins.object)
  - CredentialRecord
- builtins.object
  - CategoryState
  - PasswordVault

class CategoryState(builtins.object)

CategoryState(data_key: bytes) -> None
Holds the in-memory decrypted data key for a category.

Methods defined here:
- __eq__(self, other)
- Return self==value.
- __init__(self, data_key: bytes) -> None
- Initialize self. See help(type(self)) for accurate signature.
- __repr__(self)
- Return repr(self).
Data descriptors defined here:
- __dict__
- dictionary for instance variables (if defined)
- __weakref__
- list of weak references to the object (if defined)
Data and other attributes defined here:
- __annotations__ = {'data_key': <class 'bytes'>}
- __dataclass_fields__ = {'data_key': Field(name='data_key',type=<class 'bytes'>,defau...appingproxy({}),kw_only=False,_field_type=_FIELD)}
- __dataclass_params__ = _DataclassParams(init=True,repr=True,eq=True,order=False,unsafe_hash=False,frozen=False)
- __hash__ = None
- __match_args__ = ('data_key',)

class CredentialRecord(builtins.dict)

A single credential entry stored in a category file.

Fields
------
role: str
    Logical identifier of the credential (e.g., "db-admin", "webapp-user").
    Used as the lookup key when retrieving credentials.
username: str
    The username associated with this credential.
password_b64: str
    The encrypted password, stored as Base64 text. The raw value is
    RC6-CBC encrypted (with PKCS#7 padding) using the per-category
    data key. It must be decoded and decrypted at runtime before use.
notes: str, optional
    Human-readable notes or metadata about this credential.
    Not used in cryptographic operations, purely informational.

Notes
-----
- Only ``password_b64`` is encrypted at rest. All other fields are
  plaintext in the JSON file.
- This TypedDict is marked ``total=False``, which means all fields
  are optional from the type checker’s perspective. However, in
  practice ``role``, ``username`` and ``password_b64`` are always
  expected to be present in persisted files.

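Because ``total=False`` means the type checker enforces none of these keys, a loader has to check persisted entries at runtime. The following is an added example, not MiniVault's own code; the list-of-objects file layout and the assumption that the decoded blob consists only of whole 16-byte RC6 blocks are this example's, not the page's.

```python
import base64
import binascii
import json

RC6_BLOCK_BYTES = 16  # RC6 operates on 128-bit blocks
REQUIRED = ("role", "username", "password_b64")


def validate_record(rec: object) -> list[str]:
    """Return a list of problems found in one decoded credential entry."""
    if not isinstance(rec, dict):
        return ["entry is not a JSON object"]
    problems = []
    for key in REQUIRED:
        if not isinstance(rec.get(key), str) or not rec[key]:
            problems.append(f"missing or non-string field: {key}")
    if "notes" in rec and not isinstance(rec["notes"], str):
        problems.append("notes must be a string when present")
    unknown = set(rec) - set(REQUIRED) - {"notes"}
    if unknown:
        problems.append(f"unexpected fields: {sorted(unknown)}")
    b64 = rec.get("password_b64")
    if isinstance(b64, str) and b64:
        try:
            # validate=True rejects characters outside the Base64 alphabet
            raw = base64.b64decode(b64, validate=True)
        except (binascii.Error, ValueError):
            problems.append("password_b64 is not valid Base64")
        else:
            # CBC with PKCS#7 always yields a non-empty whole number of blocks.
            if len(raw) == 0 or len(raw) % RC6_BLOCK_BYTES:
                problems.append("ciphertext is not a whole number of RC6 blocks")
    return problems


# Constructed sample entries (assumed layout); the valid blobs are 32 zero bytes.
_BLOB = base64.b64encode(bytes(32)).decode()
SAMPLE = json.loads("""[
  {"role": "db-admin", "username": "dba", "password_b64": "%s"},
  {"role": "webapp-user", "username": "app", "password_b64": "hunter2"},
  {"role": "backup", "password_b64": "%s", "notes": 7}
]""" % (_BLOB, _BLOB))

if __name__ == "__main__":
    for entry in SAMPLE:
        print(entry.get("role"), validate_record(entry))
```

The second sample entry is the case worth catching early: a plaintext password written into ``password_b64`` fails the Base64 and block-length checks instead of sitting unencrypted in the category file.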
- Method resolution order:
- CredentialRecord
- builtins.dict
- builtins.object
Data descriptors defined here:
- __dict__
- dictionary for instance variables (if defined)
- __weakref__
- list of weak references to the object (if defined)
Data and other attributes defined here:
- __annotations__ = {'notes': <class 'str'>, 'password_b64': <class 'str'>, 'role': <class 'str'>, 'username': <class 'str'>}
- __optional_keys__ = frozenset({'notes', 'password_b64', 'role', 'username'})
- __orig_bases__ = (<function TypedDict>,)
- __required_keys__ = frozenset()
- __total__ = False
Methods inherited from builtins.dict:
- __contains__(self, key, /)
- True if the dictionary has the specified key, else False.
- __delitem__(self, key, /)
- Delete self[key].
- __eq__(self, value, /)
- Return self==value.
- __ge__(self, value, /)
- Return self>=value.
- __getattribute__(self, name, /)
- Return getattr(self, name).
- __getitem__(...)
- x.__getitem__(y) <==> x[y]
- __gt__(self, value, /)
- Return self>value.
- __init__(self, /, *args, **kwargs)
- Initialize self. See help(type(self)) for accurate signature.
- __ior__(self, value, /)
- Return self|=value.
- __iter__(self, /)
- Implement iter(self).
- __le__(self, value, /)
- Return self<=value.
- __len__(self, /)
- Return len(self).
- __lt__(self, value, /)
- Return self<value.
- __ne__(self, value, /)
- Return self!=value.
- __or__(self, value, /)
- Return self|value.
- __repr__(self, /)
- Return repr(self).
- __reversed__(self, /)
- Return a reverse iterator over the dict keys.
- __ror__(self, value, /)
- Return value|self.
- __setitem__(self, key, value, /)
- Set self[key] to value.
- __sizeof__(...)
- D.__sizeof__() -> size of D in memory, in bytes
- clear(...)
- D.clear() -> None. Remove all items from D.
- copy(...)
- D.copy() -> a shallow copy of D
- get(self, key, default=None, /)
- Return the value for key if key is in the dictionary, else default.
- items(...)
- D.items() -> a set-like object providing a view on D's items
- keys(...)
- D.keys() -> a set-like object providing a view on D's keys
- pop(...)
- D.pop(k[,d]) -> v, remove specified key and return the corresponding value.
If the key is not found, return the default if given; otherwise,
raise a KeyError.
- popitem(self, /)
- Remove and return a (key, value) pair as a 2-tuple.
Pairs are returned in LIFO (last-in, first-out) order.
Raises KeyError if the dict is empty.
- setdefault(self, key, default=None, /)
- Insert key with a value of default if key is not in the dictionary.
Return the value for key if key is in the dictionary, else default.
- update(...)
- D.update([E, ]**F) -> None. Update D from dict/iterable E and F.
If E is present and has a .keys() method, then does: for k in E: D[k] = E[k]
If E is present and lacks a .keys() method, then does: for k, v in E: D[k] = v
In either case, this is followed by: for k in F: D[k] = F[k]
- values(...)
- D.values() -> an object providing a view on D's values
Class methods inherited from builtins.dict:
- __class_getitem__(...) from typing._TypedDictMeta
- See PEP 585
- fromkeys(iterable, value=None, /) from typing._TypedDictMeta
- Create a new dictionary with keys from iterable and values set to value.
Static methods inherited from builtins.dict:
- __new__(*args, **kwargs) from builtins.type
- Create and return a new object. See help(type) for accurate signature.
Data and other attributes inherited from builtins.dict:
- __hash__ = None

class PasswordVault(builtins.object)

PasswordVault(root_dir: pathlib.Path)
A small password vault that encrypts only the password fields using RC6.

Use :meth:`PasswordVault.start` to initialize from a root directory, passing a
master password. The constructor is not public because we want to constrain
initialization through the key-derivation step.

All persistent data lives in files under *root_dir*, one JSON file per category.

Notes on Security
-----------------
- Passwords are encrypted with RC6 in CBC mode with PKCS#7 padding.
- Per-category data keys are protected using a key derived from the master password
  by scrypt (N=2**14, r=8, p=1). The encrypted data key (encrypted_data_key) is
  integrity-protected with HMAC-SHA512.

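The verify-before-decrypt step implied by the security notes above, as an added example that is not MiniVault's own code. The header field names ``salt`` and ``hmac``, the split of the scrypt output into a wrapping key and a MAC key, and the MAC input layout are assumptions; only the scrypt parameters, HMAC-SHA512 and ``encrypted_data_key`` come from this page.

```python
import hashlib
import hmac
import os

# scrypt cost parameters as stated in the PasswordVault security notes.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2**14, 8, 1


def derive_keys(master_password: str, salt: bytes) -> tuple[bytes, bytes]:
    """Derive 64 bytes and split them into a wrapping key and a MAC key.

    The split into two 32-byte keys is an assumption of this example.
    """
    okm = hashlib.scrypt(master_password.encode("utf-8"), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P,
                         maxmem=64 * 1024 * 1024, dklen=64)
    return okm[:32], okm[32:]


def tag_for(mac_key: bytes, salt: bytes, encrypted_data_key: bytes) -> bytes:
    """HMAC-SHA512 over salt || encrypted_data_key (assumed layout)."""
    return hmac.new(mac_key, salt + encrypted_data_key, hashlib.sha512).digest()


def verify_wrapped_key(master_password: str, header: dict) -> bytes:
    """Return the wrapping key only if the stored tag verifies.

    Raises ValueError on a wrong master password or a modified header,
    before any decryption of encrypted_data_key is attempted.
    """
    wrap_key, mac_key = derive_keys(master_password, header["salt"])
    expected = tag_for(mac_key, header["salt"], header["encrypted_data_key"])
    # Constant-time comparison avoids leaking how many tag bytes matched.
    if not hmac.compare_digest(expected, header["hmac"]):
        raise ValueError("category header failed HMAC-SHA512 verification")
    return wrap_key


def make_constructed_header(master_password: str) -> dict:
    """Build a constructed sample header; the 'ciphertext' is random bytes."""
    salt = os.urandom(16)
    encrypted_data_key = os.urandom(48)  # stand-in for the wrapped data key
    _, mac_key = derive_keys(master_password, salt)
    return {"salt": salt, "encrypted_data_key": encrypted_data_key,
            "hmac": tag_for(mac_key, salt, encrypted_data_key)}
```

Per the notes, the HMAC covers the encrypted data key; the page does not state that the per-credential ``password_b64`` ciphertexts carry an integrity tag of their own.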
Methods defined here:
- __init__(self, root_dir: pathlib.Path)
- Initialize self. See help(type(self)) for accurate signature.
- create_new_category(self, category: str, master_password: str) -> None
- Create a new category using the master password.
- get_credentials(self, category: str, role: str) -> MiniVault.CredentialRecord
- Return the credential for (*category*, *role*), decrypting the password.
Raises ``FileNotFoundError`` if the category file does not exist, or ``KeyError``
if the role cannot be found.
- put_credentials(self, category: str, role: str, username: str, password: str, notes: str | None = None) -> None
- Create or update a credential entry in *category*.
Only the *password* is RC6-encrypted and Base64-encoded at rest.
Class methods defined here:
- start(master_password: str, root_dir: str | os.PathLike[str]) -> ~PasswordVault from builtins.type
- Start the vault by deriving the master key, decrypting category data keys,
  and erasing the master password from memory.

  Parameters
  ----------
  master_password : str
      The user-provided master password.
  root_dir : str | PathLike
      Directory containing category files.
Data descriptors defined here:
- __dict__
- dictionary for instance variables (if defined)
- __weakref__
- list of weak references to the object (if defined)
Data and other attributes defined here:
- __annotations__ = {'_categories': typing.Dict[str, MiniVault.CategoryState], '_master_key': typing.Optional[bytes], '_root': <class 'pathlib.Path'>}