Escape from terminal: evolution of a shell script

Escape from terminal: evolution of a shell script

I usually write some shell scripts to speed up or facilitate tasks in my daily job. Most of them are just small enough or so tied to a particular problem that they are worthless to anyone but me. In this article you can read about the development of one of these scripts initially created in 2017 and that has evolved into a full Python program usable by everyone.

The problem: Don't lock myself out by forgetting my keys

It all started when I went to the office, forgetting my mobile phone at home. I use it for second factor authentication on a lot of websites, so it was practically impossible to do my job. After going forth and back from home (and 2 hours later), I started wondering if it was possible to have my 2FA authentication on my office workstation. There are a lot of programs ready for that purpose, but I was curious about how the second factor authentication works behind the scenes.

Phase I: The dirty hack

As a GNU/Linux user, the first place I looked into was the package repository of my distribution to check if there was something ready to use and I found the OATH Toolkit. It's well documented and I can generate an OTP code with a simple command like:

oathtool --totp -b "ABCDEFGHIJKLMNOP"        

The totp option enables the "Time-Based One-Time Password algorithm" as described by RFC6238 and the string is a base32 secret used to generate the code. In its common implementation, the generated code changes every 30 seconds, so this happens when

unix_epoch % 30 = 0        

Amazing, but how do I generate a real code for one of my accounts? I was using Google Authenticator and when I first tried it was 2017 and there was no export function for the OTPs generated by the app. Fortunately, I discovered that the database used by the app is a standard SQLite3 stored in the folder

/data/data/com.google.android.apps.authenticator2/databases/        

and following a couple of guides on the Internet, I was able to use the Android "adb" toolkit to download it onto my computer and open it using the SQLite command-line tool and export the secret strings to a plain text file.

Lo and behold, I assembled a script using Bash, Jq and OATH-Tool to provide the same functionalities. You can see the source code on this Github repository. It has a fancy ASCII interface, I can copy/paste the OTPs because it's just text and it uses a Json file to store code generator strings.

bash-otp-gen screenshot

Phase II: Tempted by a snake

Bash scripting is good and I use it for a lot of system administration tasks. I'm comfortable with it, but when it comes to managing data structures, it makes everything harder. Take, for example, the Json file used to store secret OTP strings. It's something like:

[ 
 {
  "name": "My Google gmail account",
  "generator": "ABCDEFGHIJ"
 },
 {
  "name": "My Foobar cool web site",
  "generator": "KLMNOPQRST"
 }
]        

To parse it with Bash you need another tool, i.e. Jq, and to use its language to query and select data. Implementing an ASCII interface to display data is not that easy, but there are some programs to help you, i.e. dialog. However, it is clear that the more external tools you add, the more functions, controls, tricks and traps you get.

Hence, I decided to rewrite it in Python.

I knew very little about Python, but I thought it might be a perfect example to learn something new. One of my main goals was to keep the config file for OTP secrets in a simple and understandable format which I could directly edit, so I dropped Json in favor of the YAML format because it's easier to manage. But the most important change was when I chose to have a graphical interface instead of a text-based one.

After reading documentation and looking at examples on Internet I wrote a small program using Python2.7. I used Python modules (PyYaml, PyOtp and PyGObject) to implement it. You can find the source code in this github commit.

otpgui screenshot

Phase III: Overcoming "It works on my computer"

My program was working and I started using it on a daily basis. Looking at it now, I can say it was a bit raw and lacked a programming style, but it fit my needs. Until I changed my computer.

From a new installation of the operating system, I downloaded a copy of Otpgui from the source repository and restored the backup config file. But when I attempted to run "otpgui. py", I immediately faced the problem of missing dependencies. Although I wrote a "requirements.txt", reinstalling packages from PyPi using it was not working, mainly because PyGObject needs to compile C bindings and requires installation of development libraries. It took a while to remember what I installed the first time and some trial and error, but I sorted it out.

I updated the "README" in the source repository with instructions for installing dependencies and for creating the Virtualenv, but every time I had to retry a fresh install it always took me some time to get it working.

As a first step to solve these issues, I upgraded my code to use Python3. Python2.7 was still the default version at the beginning of this story, but it is EOL since 2020. Changing the code to run it with Python3 required just a few differences, but I still had the problem with dependencies. I needed another format to distribute my code. I needed a package.

Phase IV: A package is born

The standard format for Python packaging is called Wheel, and package installation is managed with the "pip" tool. The official Python guide recommends different build systems for source distributions. The preferred way is to create a "pyproject.toml" file to declare and manage build dependencies. Fortunately, you don't have to edit it manually, but you can use a tool like Python Poetry that helps you out to manage the package development lifecycle. I have now this pyproject.toml file for Otpgui and it looks far better than the old requirements.txt and thanks to Poetry creating a package require just a simple command

]$ poetry build
Building otpgui (0.2.3)
  - Building sdist
  - Built otpgui-0.2.3.tar.gz
  - Building wheel
  - Built otpgui-0.2.3-py3-none-any.whl
]$ tree dist/
dist/
├── otpgui-0.2.3-py3-none-any.whl
└── otpgui-0.2.3.tar.gz

0 directories, 2 files        

Phase V: "Down the pipes"

Now I've got a package, but how do I distribute it to end users? One option is to distribute my Python Wheel using the PyPi public repository. In my opinion, a couple of drawbacks of PyPi have to be taken into account: first of all, it won't solve the problem of dependencies with development libraries (needed by PyGObject to compile bindings) and last but not least, using "pip" to install a package is developer-friendly but it can be an obstacle for end users.

To address these issues I decided to create Linux distribution packages and to target people using Debian, Ubuntu and Arch. There are Python packaging guidelines to follow both for Debian and Arch. Despite the difference between the two package systems, one interesting point is that build steps are pretty easy to implement because I'm following a Python standard to create the Wheel (links to debian and arch build files). Furthermore, a native distribution package has the possibility to create the menu entry with icons so that the end user can start Otpgui without using the command line.

The last step of this journey is to trigger package build and publishing with each new release. This is clearly a job for a CI/CD pipeline and I implemented it using a Github workflow that creates an artifact for each package and uploads it to a release page. Installing Otpgui is now easy (at least for people using the supported Linux distributions) and the README provide instructions to use it.

Conclusions

Writing a program can be a challenging task, but trying to distribute it to other people besides you is a job that takes time and patience. You have to adhere to standards and guidelines and this is more important than ever in the GNU/Linux world where there is a plethora of distributions. Each distribution may appear completely different from each other, but most of them share a common basis and there are standards that should be valid for any. Whenever you decide to start coding a new software, may it be a simple shell script or something more sophisticated, try to release it to the public or share it as soon as possible. It doesn't matter how much you test it on your computer, only when you submit it to other people will you discover that something is missing or that you have to fix some bug.

Otpgui is a project I work on to learn and improve my coding skills and, while it is far from being complete, I think its development has reached a point where it can be interesting to other people. I hope you can find it useful and give me some feedback.

Thank you and happy hacking.

Matteo De Ponti

Engineering Manager @ Prima

2y

Grande Gianluca! Domattina lo installo 😛

Franco Geraci

Head of Engineering & Devops | Technology Innovation Leader

2y

Well written, nice job Gianluca Mascolo!

To view or add a comment, sign in

Insights from the community

Others also viewed

Explore topics