Secure api_key in zuliprc file using encryption

Gopinath-Mahendiran · Gopinath-Mahendiran · commit 04fd0ae18993 · 2025-03-22T17:47:36.000+05:30
- Implemented encryption for storing api_key securely in the zuliprc file.
- Added decryption logic to retrieve the api_key when needed.
- Ensured backward compatibility for existing plaintext api_keys.
- Improved security by preventing exposure of sensitive credentials.
diff --git a/tools/encrypt.py b/tools/encrypt.py
@@ -0,0 +1,82 @@
+    #!/usr/bin/python3
+
+import os
+import base64
+import hashlib
+import sys
+from cryptography.fernet import Fernet
+import argparse
+import platform
+
+
+
+STORAGE_FILE = os.path.expanduser("~/zuliprc")
+
+
+
+parser = argparse.ArgumentParser(description="Demo for optional arguments.")
+
+parser.add_argument("--encrypt", type=str, help="encrypt the given api_key with SHA256 algorithm")
+parser.add_argument("--decrypt", help="decrypt the hash using SHA256 algorithm")
+
+args = parser.parse_args()
+
+def in_color(color: str, text: str) -> str:
+    color_for_str = {
+        "red": "1",
+        "green": "2",
+        "yellow": "3",
+        "blue": "4",
+        "purple": "5",
+        "cyan": "6",
+    }
+    # We can use 3 instead of 9 if high-contrast is eg. less compatible?
+    return f"\033[9{color_for_str[color]}m{text}\033[0m"
+
+
+def exit_with_error(
+    error_message: str, *, helper_text: str = "", error_code: int = 1) -> None:
+    print(in_color("red", error_message))
+    if helper_text:
+        print(helper_text)
+    sys.exit(error_code)
+
+def get_machine_key():
+    machine_id=''
+    if platform.system()=="Darwin":
+        machine_id = os.popen('ioreg -rd1 -c IOPlatformExpertDevice | grep IOPlatformUUID').read().strip()
+    elif platform.system()=="Linux":
+        machine_id = os.popen('''blkid | awk -F 'UUID="' '{if (NF>1) print $2}' | cut -d '"' -f1''').read().strip()
+
+    key = hashlib.sha256(machine_id.encode()).digest()
+
+    return base64.urlsafe_b64encode(key)
+
+def encrypt(api_key):
+
+    #getting key from the system
+    key = get_machine_key()
+    cipher = Fernet(key)
+    encrypted_key = cipher.encrypt(api_key.encode())
+
+    
+    return encrypted_key.decode()
+
+def decrypt(encrypted_key):
+
+    key = get_machine_key()
+    cipher = Fernet(key)
+    decrypted_key = cipher.decrypt(encrypted_key)
+
+    return decrypted_key.decode()
+
+
+
+if args.encrypt :
+    print(encrypt(args.encrypt))
+if args.decrypt:
+    print(decrypt(args.decrypt))
+
+
+
+
diff --git a/zulipterminal/cli/run.py b/zulipterminal/cli/run.py
@@ -9,9 +9,13 @@
 import stat
 import sys
 import traceback
+import subprocess
 from enum import Enum
-from os import path, remove
+import re
+from os import path  , remove
 from typing import Dict, List, NamedTuple, Optional, Tuple
+import path as pt
+
 
 import requests
 from urwid import display_common, set_encoding
@@ -226,6 +230,11 @@ def parse_args(argv: List[str]) -> argparse.Namespace:
         help="profile runtime",
     )
 
+    parser.add_argument(
+        "--encrypt",
+        help="encrypt the hash using SHA256 algorithm",
+    )
+
     return parser.parse_args(argv)
 
 
@@ -312,10 +321,15 @@ def fetch_zuliprc(zuliprc_path: str) -> None:
         login_data = get_api_key(realm_url)
 
     preferred_realm_url, login_id, api_key = login_data
+
+    
+    command = ['python3', os.path.join(os.path.dirname(__file__), '../../tools/encrypt.py'), '--encrypt', api_key]
+    encrypted_key = subprocess.run(command, stdout=subprocess.PIPE, text=True)
+
     save_zuliprc_failure = _write_zuliprc(
         zuliprc_path,
         login_id=login_id,
-        api_key=api_key,
+        api_key=encrypted_key.stdout.strip(),
         server_url=preferred_realm_url,
     )
     if not save_zuliprc_failure:
@@ -377,7 +391,6 @@ def parse_zuliprc(zuliprc_str: str) -> Dict[str, SettingData]:
         sys.exit(1)
 
     zuliprc = configparser.ConfigParser()
-
     try:
         res = zuliprc.read(zuliprc_path)
         if len(res) == 0:
@@ -532,7 +545,42 @@ def main(options: Optional[List[str]] = None) -> None:
 
         if args.notify:
             zterm["notify"] = SettingData(args.notify, ConfigSource.COMMANDLINE)
+        
+        if args.encrypt:
+            config_file = os.path.expanduser(args.encrypt)
+            config_file = os.path.abspath(config_file)
+            print(config_file)
+            api_key,email,site='','',''
+            if os.path.exists(config_file):
+                config = configparser.ConfigParser()
+                config.read(config_file)  
+                api_config = dict(config.items('api'))
+                api_key = api_config['key']
+                email = api_config['email']
+                site = api_config['site']
+            else:
+                exit_with_error(f"Could not access zuliprc file at {config_file}")
+                sys.exit(1)
+            if len(api_key) >= 64 :
+                exit_with_error(f"API key is already encrypted")
+                sys.exit(1) 
+                
+            command = ['python3', os.path.join(os.path.dirname(__file__), '../../tools/encrypt.py'), '--encrypt', api_key]
+            encrypted_key = subprocess.run(command, stdout=subprocess.PIPE, text=True)
+            os.remove(config_file)
+            save_zuliprc_failure = _write_zuliprc(
+            config_file,
+            login_id=email,
+            api_key=encrypted_key.stdout.strip(),
+            server_url=site,
+            )
+            if not save_zuliprc_failure:
+                print(f"Generated API key saved at {zuliprc_path}")
+            else:
+                exit_with_error(save_zuliprc_failure)
+            sys.exit(0)
 
+        
         valid_remaining_settings = dict(
             VALID_BOOLEAN_SETTINGS,
             **{"color-depth": COLOR_DEPTH_ARGS_TO_DEPTHS},
diff --git a/zulipterminal/core.py b/zulipterminal/core.py
@@ -12,6 +12,8 @@
 from platform import platform
 from types import TracebackType
 from typing import Any, Dict, List, Optional, Tuple, Type, Union
+import subprocess
+import configparser
 
 import pyperclip
 import urwid
@@ -98,7 +100,19 @@ def __init__(
 
         self.show_loading()
         client_identifier = f"ZulipTerminal/{ZT_VERSION} {platform()}"
-        self.client = zulip.Client(config_file=config_file, client=client_identifier)
+
+        api_key = ''
+        config_file = os.path.expanduser(config_file)
+        if os.path.exists(config_file):
+            config = configparser.ConfigParser()
+            config.read(config_file)  
+            api_config = dict(config.items('api'))
+            api_key = api_config['key']
+        command = ['python3', os.path.join(os.path.dirname(__file__), '../tools/encrypt.py'), '--decrypt', api_key]
+
+        decryped_key = subprocess.run(command, stdout=subprocess.PIPE, text=True)
+        decrypted_key= decryped_key.stdout.strip()
+        self.client = zulip.Client(config_file=config_file, client=client_identifier,api_key=decrypted_key)
         self.model = Model(self)
         self.view = View(self)
         # Start polling for events after view is rendered.
