Jump to content

LP Vault Manager: A Workflow for LastPass


Recommended Posts

Recently, I became frustrated how fluid/nice/elegant/etc. 1Password integration is within Alfred; being a LastPass user, the frustration arose because I wanted similar functionality for my beloved password manager. :)
 
Thus, I introduce LastPass Vault Manager!
 
Current Version: 4.2
 
DIRECT DOWNLOAD
PACKAL PAGE
 
lpvm.gif
 
Current functionality:

  • log into and out of LastPass
  • search a vault by query
  • search a vault by your browser's front-most tab
  • launch a vault URL in the default browser
  • copy a vault item's username
  • copy vault item's password
  • inspect a vault item's fields (and copy their values)
  • generate random passwords
  • manage many different configuration options
  • easy workflow updating
  • much more!

History
 
Release v4.2 (2015-01-22)

  • Fixed a bug where the full path to /usr/bin/python was not specified.
  • Fixed a settings selection bug.
  • Streamlined some verbiage within notifications.

Release v4.1 (2015-01-14)

  • Implemented auto-updating.
  • Fixed a few small path bugs.

Release v4.0 (2015-01-11)

  • Added support for non-ASCII characters.
  • Addresses slow Script Filter results via background updating.
  • Modified documentation to warn against unicode characters in config file.
  • Added ability to inspect a vault item's fields.
  • Added ability to configure filepath to `lpass`.
  • Added ability to toggle uppercase letter use in password generation.
  • Added ability to toggle lowercase letter use in password generation.
  • Added ability to toggle digit use in password generation.
  • Added ability to toggle symbol use in password generation.
  • Added ability to toggle ambiguous character avoidance in password generation.
  • Modified field retrieval to use official `lpass` flags.
  • Modified notifications to be more streamlined.
  • Fixed a bug wherein password generation would fail.

Release v3.1 (2014-12-29)

  • Added ability to login to LastPass.
  • Added ability to logout from LastPass.
  • Added ability to configure filepath to `lpass`.
  • Added new (and slimmer) icons.
  • Environment-proofed Python path in all scripts and Script Filters.

Release v3.0 (2014-12-29)

  • Shifted from Ruby to Python.
  • Implemented Alfred-Workflow (including fuzzy search, configuration management, and more).
  • Added `lpbrowser` command to look up default browser's front-most tab's URL in the vault.
  • Configuration management: cache timeout, default browser, number of generated password, and generated password length.
  • Check for whether `lpass` is logged in.

Release v2.0 (2014-12-16)

  • Added data caching
  • Added command to force data caching
  • Added ability to specify path to `lpass` executable
  • Added fallback lookup for `lpass` executable
  • Changed `lpvs` command to look at vault item name *andURL
  • Major code refactoring

Release v1.0 (2014-12-16)

  • Added ability to search a LastPass vault.
  • Added ability to launch URL of LastPass item.
  • Added ability to copy username of LastPass item.
  • Added ability to copy password of LastPass item.
  • Added ability to generate a random password.
  • Created documentation.

How To Use
 
Usage instructions can be found on GitHub: https://github.com/bachya/lp-vault-manager – since I don't like duplicating that info all over the place, the repo will always be the authoritative source. Would love your feedback, feature requests, bug reports, etc. Thanks!

Edited by Aaron B.
Link to comment

Just finished v2.0 – still waiting for Packal to update itself, but in the meantime, you can always DIRECT DOWNLOAD.

 

Changelog for v2.0:

  • Added data caching
  • Added command to force data caching
  • Added ability to specify path to `lpass` executable
  • Added fallback lookup for `lpass` executable
  • Changed lpvs command to look at vault item name *and* URL
  • Major code refactoring
Edited by Aaron B.
Link to comment

I've been waiting for a LP workflow! Thanks!

 

However, I can't get it to work =(

 

When I type "lpvs amazon" as soon as I type anything after "lpvs " it defaults to a web search.

 

Is this a configuration issue on my end or a bug in the workflow? I successfully installed the Lastpass CLI and logged in, disabled the autologout and downloaded the LP data.

Link to comment

I've been waiting for a LP workflow! Thanks!

 

However, I can't get it to work =(

 

When I type "lpvs amazon" as soon as I type anything after "lpvs " it defaults to a web search.

 

Is this a configuration issue on my end or a bug in the workflow? I successfully installed the Lastpass CLI and logged in, disabled the autologout and downloaded the LP data.

 

Would you mind trying this beta and letting me know if it works?

 

https://www.dropbox.com/s/2xxq4qd5tpaidcf/LP%20Vault%20Manager%20beta2.1.alfredworkflow?dl=0

 

Make sure you run `lpdd` first. Let me know!

Link to comment

Hi Aaron, 

 

The beta appears to get past the previous error and does allow some searching but doesn't seem to pull up expected results if certain characters are present. (Many of my stored sites contain "." in the name and searching for something like xxxyy.zzz stops working as soon as the "." is pressed). 

 

Unfortunately I can't use this workflow because it pulls down your entire password vault and stores it in a plain text csv file--This feels incredibly insecure to me. Perhaps it makes more sense to cache searchable metadata and use that to query the password directly from lastpass when it is selected?

Edited by lkngtn
Link to comment

Hi Aaron, 

 

The beta appears to get past the previous error and does allow some searching but doesn't seem to pull up expected results if certain characters are present. (Many of my stored sites contain "." in the name and searching for something like xxxyy.zzz stops working as soon as the "." is pressed). 

 

Unfortunately I can't use this workflow because it pulls down your entire password vault and stores it in a plain text csv file--This feels incredibly insecure to me. Perhaps it makes more sense to cache searchable metadata and use that to query the password directly from lastpass when it is selected?

 

Interesting on the "." – I'll dig deeper.

 

RE: storing the data locally, I know – I hate it, too. :(Here's why I did it. Fortunately, Alfred 2.6 will make some changes that will allow me to not have to cache everything.

 

RE: caching "searchable metadata" – what would that include? URLs? Usernames? Everything except the passwords themselves? Thanks for your thoughts!

Link to comment

Is there any reason that the "lpvm.rb" file is not on Github? When it comes to lastpass I'm a bit careful of course :)

 

As you should be! To make it easier to get to the script, I've added all the workflow contents to the root of the GitHub repo.

 

lkngtn's comments really got me thinking last night: the speed gained by caching the entire output of `lpass export` isn't worth the insecurity of having unencrypted usernames/passwords sitting on the filesystem. So, I'm making a change: going forward, I'll only cache URLs and hostnames (and query the other data [and then throw it away] as needed).

 

This is part of some bigger work I'm doing, so I appreciate your patience. I will post back here when a build is ready.

Edited by Aaron B.
Link to comment

Hi Aaron, 

 

The beta appears to get past the previous error and does allow some searching but doesn't seem to pull up expected results if certain characters are present. (Many of my stored sites contain "." in the name and searching for something like xxxyy.zzz stops working as soon as the "." is pressed). 

 

Unfortunately I can't use this workflow because it pulls down your entire password vault and stores it in a plain text csv file--This feels incredibly insecure to me. Perhaps it makes more sense to cache searchable metadata and use that to query the password directly from lastpass when it is selected?

 

I had exactly the same issue until I tried the beta.

 

However, it still has the "." issue and can't seem to handle passwords with character that need escaping.

 

Further, it would be nice for it to be able to grab the current tab's domain to input automatically...

Link to comment

Hi folks – thanks so much for your patience. I have another beta build for you to test: https://dl.dropboxusercontent.com/u/111722/LP%20Vault%20Manager%20beta2.2.alfredworkflow. I haven't posted this to GitHub yet; I would love you to hammer on it a bit before I make the source fully public.

 

Here's what I offer for your consideration!

 

First, several configuration options (sorry for the nutty keywords; open to suggestions).

  • lpsetcache: sets the amount of time (in seconds) that data from LastPass should be cached (default is 300 seconds, or 5 minutes).
  • lpsetbrowser: sets the desired browser (defaults to "Google Chrome"); primarily used for the `lpbrowser` command below.
  • lpsetpwnum: sets the number of passwords that should be generated by the `lppg` command.
  • lpsetpwlen: sets the length of the passwords generated by the `lppg` command.

Next, the commands:

  • lpvs: searches your vault for URLs or Hostnames (e.g., "Personal/GitHub") for the provided query. Note that only URLs and Hostnames are cached; all additional lookups happen on the fly with no caching, which is much more secure.
    • Select an entry to launch it in your default browser.
    • Cmd-Select an entry to copy the password to your clipboard.
    • Shift-Select an entry to copy the username to your clipboard.
  • lpbrowser: grabs the URL from the active tab in your desired browser and searches your vault for it.
    • Select an entry to launch it in your default browser.
    • Cmd-Select an entry to copy the password to your clipboard.
    • Shift-Select an entry to copy the username to your clipboard.
  • lpdd: blows away cached data and re-downloads your vault's URL/Hostname data.
  • lppg: generates several random passwords.

This is a big update. Everything works on my machine, but that's never a good test, so I'm anticipating some breakage. Let me know about it here and I'll get it addressed ASAP. Planning to update the GitHub repo with the new source in the next day or so.

Edited by Aaron B.
Link to comment

Tried out the new version this evening. Looks like tons of progress has been made!

 

I really appreciate the change to the caching behavior--which appears to work as expected. :) The issue with "." in searches seems to also be resolved. 

 

I tried some of the other functionality and I'm not sure if its working as intended. 

 

1. When I select and entry and use "cmd+select" I get an error copied to clipboard. <?xml version="1.0" encoding="utf-8"?>

<items><item valid="no"><title>Error in workflow 'com.bachya.lpvm'</title><subtitle>Command '['/usr/local/bin/lpass', 'show', u'xxx/yyyyyy']' returned non-zero exit status 1</subtitle><icon>/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/AlertStopIcon.icns</icon></item></items>
 
This seems to also happen with "shift+select"
 
I replaced the actual site name with 'xxx/yyyyyyy' where xxx is a folder in lastpass and yyyyyy is a site name. I tested using the command line lpass tool to get the correct syntax for 'show' and the correct syntax would be to just pass yyyyyy so I expect that this may not come up if you don't have folders in you vault, but if you do then it should just be a matter of stripping everything before the "/" that is returned from the export command. 
 
2. Launching a credential entry brings up the url in my current browser but does not fill in the login (like it does if you select it from you vault in a browser). This might work okay with autofill populated for a site--but if you have multiple logins for a single url that approach doesn't work very well. I'm not sure if there is any easy solution to this since the command line tool doesn't seem to support logging in to a site. 
Link to comment

1. When I select and entry and use "cmd+select" I get an error copied to clipboard. <?xml version="1.0" encoding="utf-8"?>

<items><item valid="no"><title>Error in workflow 'com.bachya.lpvm'</title><subtitle>Command '['/usr/local/bin/lpass', 'show', u'xxx/yyyyyy']' returned non-zero exit status 1</subtitle><icon>/System/Library/CoreServices/CoreTypes.bundle/Contents/Resources/AlertStopIcon.icns</icon></item></items>

 

This seems to also happen with "shift+select"

 

I replaced the actual site name with 'xxx/yyyyyyy' where xxx is a folder in lastpass and yyyyyy is a site name. I tested using the command line lpass tool to get the correct syntax for 'show' and the correct syntax would be to just pass yyyyyy so I expect that this may not come up if you don't have folders in you vault, but if you do then it should just be a matter of stripping everything before the "/" that is returned from the export command.

 

I'm a bit confused by this one. The workflow should use as input the hostname that comes out of your vault; not sure how the workflow is getting xxx/yyyyyyy unless it already existed in your vault... In my case, passing a folder/name combination to lpass show works as expected. :(

 

If you run lpass export | grep -i 'xxx/yyyyyyy' from the command line, does an entry show up?

 

Additionally, can you guarantee that you are logged in (i.e., have run lpass login <USERNAME> from the command line)? The output you are receiving can appear when you haven't logged in (I'm working on a more proactive notification).

 

2. Launching a credential entry brings up the url in my current browser but does not fill in the login (like it does if you select it from you vault in a browser). This might work okay with autofill populated for a site--but if you have multiple logins for a single url that approach doesn't work very well. I'm not sure if there is any easy solution to this since the command line tool doesn't seem to support logging in to a site.

 

I'm right there with you: this would be nice, but it doesn't appear that lpass supports a mechanism to do this. :( I'll keep digging, though!

 

Although the new version looks a lot safer, leaving the lastpass command open and unprotected is too much of a security risk for me. Thanks for the great efforts though, it really does work nicely :)

Is it the fact that I don't force you to run lpass login <USERNAME> every so often (or every time)? If I could figure out a way to address this (or point the user toward it) in the workflow, would that help?

Edited by Aaron B.
Link to comment

Aaron, with regards to the first issue I'm getting that error despite definitely being logged into the command line tool. I do see 'xxx/yyyyyy' when doing the export "lpass export | grep -i 'xxx/yyyyyyy'" but I also see just yyyyyy on that line. When I run lpass show from the command line with 'xxx/yyyyyyy' it does not find a result but it does if I do lpass show 'yyyyyy'.

 

Wolph, What concerns you about the agent running in the background? You can set whether the agent is used and how long it runs before timing out. Here is the relevant part of the lpass manual:

 

 

  Agent

       An agent process will be spawned in the background on a first successful command, and all subsequent commands will
       use the agent for decryption, instead of asking a user for a password. The agent will quit after one hour, unless
       the LPASS_AGENT_TIMEOUT environment variable is set to an alternative number of seconds in which to quit, or 0 to
       never quit. If the environment variable LPASS_AGENT_DISABLE is set to 1, the agent will not be used.

 

I personally don't see an issue with having it set to a reasonable timeout--since the behavior I use for the browser extensions is to keep me logged in as long as the browser session is active--but I'd be curious to hear your reasoning. 

 

It would be kind of handy to support logging out via alfred (easy I think) and logging in (which might require not using the pin entry program). 

Edited by lkngtn
Link to comment

Aaron, with regards to the first issue I'm getting that error despite definitely being logged into the command line tool. I do see 'xxx/yyyyyy' when doing the export "lpass export | grep -i 'xxx/yyyyyyy'" but I also see just yyyyyy on that line. When I run lpass show from the command line with 'xxx/yyyyyyy' it does not find a result but it does if I do lpass show 'yyyyyy'.

 

Very interesting! Would you mind PM'ing me and sharing with me the full hostname that is causing this issue?

 

It would be kind of handy to support logging out via alfred (easy I think) and logging in (which might require not using the pin entry program).

Another great idea! As you note, logging out is easy, while logging in isn't, but I'll add both to my roadmap. :)

Edited by Aaron B.
Link to comment

Is it the fact that I don't force you to run lpass login <USERNAME> every so often (or every time)? If I could figure out a way to address this (or point the user toward it) in the workflow, would that help?

Yes, that would help a bit.

The thing is that I don't want my passwords to be available straight away. And the "special" passwords which normally require an extra password/security input should require the entering of the master password again. I'll check the lastpass cli to see if I can add some extra security measures (i.e. small activation code for every password like the lastpass android app does).

I'm just a tad paranoid :)

Wolph, What concerns you about the agent running in the background? You can set whether the agent is used and how long it runs before timing out.

Well... the thing that concerns me mostly is that any app/script/whatever could read the passwords from lastpass as long as it's active. The odds of exploiting this are slim but it's a bit scary to me. Especially since it (I assume) runs in user space. If it was root memory where only specific apps were allowed to read it, it would be different.
Link to comment

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...