
How to fetch proxy password from osx keychain in python?

Currently I am fetching the password by running the following shell command inside python

For Http proxy password

security find-internet-password -s 192.168.1.38 -r htsx -P 808 -w

For Https proxy password

security find-internet-password -s 192.168.1.38 -r htpx -P 808 -w

and I get the host name and port by running the following code

>>> import urllib
>>> urllib.getproxies()
{'http': 'http://192.168.1.38:808', 'https': 'http://192.168.1.38:808'}

But every time I run the above shell command from Python, I am asked to allow "security" to access the keychain. If I choose Always Allow for the application to access the keychain for the proxy password, then the proxy password can be accessed even by other applications which I haven't allowed explicitly. They can access the proxy password just by running the same command (I have tried it from the command prompt, and this time it didn't prompt me; I also tried to access it from another Python script, and it did not ask me for permission either).


But other applications like AuthBroker show the following message while accessing the proxy


I know I am giving permission to the application security to access the keychain, but other applications are asking permission for themselves. My approach may compromise the security of the system.

I have two questions:

  1. What is the recommended way to access the keychain for the proxy password?
  2. Is there any Python library that could do this?
Kavin Eswaramoorthy asked Apr 20 '15 06:04



2 Answers

It's super convenient to use the keyring library in Python. Installation was trivial for me:

$ sudo easy_install keyring

Then, use the simple API like described here: https://alexwlchan.net/2016/11/you-should-use-keyring/

$ python
>>> import keyring
>>> import getpass
>>> keyring.set_password('twitter', 'xkcd', getpass.getpass())
Password: 
>>> keyring.get_password('twitter', 'xkcd')
u'correct horse battery staple'

See https://xkcd.com/936/ for the story behind this password. :-)

I'm not sure whether this integrates completely with the proxy passwords you're referring to, because I'm just using it for storing a password for a simple script.

Quinn Taylor answered Sep 28 '22 06:09


The recommended way to do this in any language on OS X is with Keychain Services.

Keychain Services provides a mostly-C API, and the documentation for it is only available for C, ObjC, and Swift. The Programming Guide linked above is mostly language-agnostic, but the examples, and the syntax for the function references, won't be.

I believe 'SecKeychainFindInternetPassword' is the function you want, but that's not going to do you any good unless you read the background first.

As far as I know, nobody's published a Python wrapper for this. If you're familiar with PyObjC, I vaguely remember a thread on the PyObjC mailing lists where someone wrapped up the core Keychain Services functions the same way Launch Services comes wrapped up out of the box. Alternatively, since the API is pure C, not ObjC, you can access it via ctypes.

However, the easiest solution is probably to get one of the third-party ObjC wrappers (I think SSKeychain.framework and Keychain.framework are the two everyone uses, but don't quote me on that). You can then load them dynamically by using the NSBundle and NSClass APIs from PyObjC. Of course that does mean you'll need to distribute that third-party framework, so make sure to check the licenses.

If you google for "Keychain Access Python", "SSKeychain Python", etc., you see a few blog posts, but they all seem a few years out of date (the first one I found had a dead link to SSKeychain…), so I'm not sure how much help they'll be.

abarnert answered Sep 28 '22 06:09
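
The second answer mentions reaching the C API through ctypes. The following is an added example, not code from either answerer, that calls SecKeychainFindInternetPassword in-process on macOS instead of spawning the `security` tool. The helper names (`fourcc`, `proxy_endpoint`, `find_internet_password`) are this example's own, and the protocol argument is the same four-character code the question passes to `-r`.

```python
import ctypes
import ctypes.util
import sys
from urllib.parse import urlsplit

# Added example: helper names are illustrative; only the Sec* calls are Apple's.
ERR_SEC_ITEM_NOT_FOUND = -25300  # OSStatus returned when no item matches

def fourcc(code):
    """Pack a four-character code such as b'htpx' into a SecProtocolType."""
    if len(code) != 4:
        raise ValueError("protocol code must be exactly 4 bytes")
    return int.from_bytes(code, "big")

def proxy_endpoint(proxies, scheme):
    """Return (host, port) from a urllib getproxies() style mapping."""
    parts = urlsplit(proxies[scheme])
    if parts.hostname is None or parts.port is None:
        raise ValueError("proxy URL needs an explicit host and port")
    return parts.hostname, parts.port

def find_internet_password(server, port, protocol):
    """Return the stored password, or None if the keychain has no match."""
    if sys.platform != "darwin":
        raise OSError("Keychain Services exists only on macOS")
    sec = ctypes.CDLL(ctypes.util.find_library("Security"))
    u32, cstr, ptr = ctypes.c_uint32, ctypes.c_char_p, ctypes.c_void_p
    find = sec.SecKeychainFindInternetPassword
    find.restype = ctypes.c_int32  # OSStatus
    find.argtypes = [ptr, u32, cstr, u32, cstr, u32, cstr, u32, cstr,
                     ctypes.c_uint16, u32, u32,
                     ctypes.POINTER(u32), ctypes.POINTER(ptr), ptr]
    free = sec.SecKeychainItemFreeContent
    free.argtypes = [ptr, ptr]
    name = server.encode("utf-8")
    length, data = u32(0), ptr()
    # NULL keychain = default search list; 0 = kSecAuthenticationTypeAny.
    status = find(None, len(name), name, 0, None, 0, None, 0, None,
                  port, fourcc(protocol), 0,
                  ctypes.byref(length), ctypes.byref(data), None)
    if status == ERR_SEC_ITEM_NOT_FOUND:
        return None
    if status != 0:
        raise LookupError("SecKeychainFindInternetPassword failed: %d" % status)
    try:
        return ctypes.string_at(data, length.value).decode("utf-8")
    finally:
        free(None, data)  # the buffer is owned by Keychain Services
```

On macOS, pass the host and port from `proxy_endpoint(urllib.request.getproxies(), "http")` together with the four-character code used with `-r`; the lookup then runs inside the Python process rather than through `security`.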