extensions/guacamole-vault/modules/guacamole-vault-ksm/src/main/java/org/apache/guacamole/vault/ksm/secret/KsmRecordService.java - guacamole-client - Git at Google

 /*
  * Licensed to the Apache Software Foundation (ASF) under one
  * or more contributor license agreements.  See the NOTICE file
  * distributed with this work for additional information
  * regarding copyright ownership.  The ASF licenses this file
  * to you under the Apache License, Version 2.0 (the
  * "License"); you may not use this file except in compliance
  * with the License.  You may obtain a copy of the License at
  *
  *   http://www.apache.org/licenses/LICENSE-2.0
  *
  * Unless required by applicable law or agreed to in writing,
  * software distributed under the License is distributed on an
  * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
  * KIND, either express or implied.  See the License for the
  * specific language governing permissions and limitations
  * under the License.
  */

 package org.apache.guacamole.vault.ksm.secret;

 import com.google.inject.Singleton;
 import com.keepersecurity.secretsManager.core.HiddenField;
 import com.keepersecurity.secretsManager.core.Host;
 import com.keepersecurity.secretsManager.core.Hosts;
 import com.keepersecurity.secretsManager.core.KeeperFile;
 import com.keepersecurity.secretsManager.core.KeeperRecord;
 import com.keepersecurity.secretsManager.core.KeeperRecordData;
 import com.keepersecurity.secretsManager.core.KeeperRecordField;
 import com.keepersecurity.secretsManager.core.KeyPair;
 import com.keepersecurity.secretsManager.core.KeyPairs;
 import com.keepersecurity.secretsManager.core.Login;
 import com.keepersecurity.secretsManager.core.Password;
 import com.keepersecurity.secretsManager.core.SecretsManager;
 import com.keepersecurity.secretsManager.core.Text;
 import java.nio.charset.StandardCharsets;
 import java.util.List;
 import java.util.concurrent.CompletableFuture;
 import java.util.concurrent.Future;
 import java.util.function.Function;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;

 /**
  * Service for automatically parsing out secrets and data from Keeper records.
  */
 @Singleton
 public class KsmRecordService {

     /**
      * Regular expression which matches the labels of custom fields containing
      * hostnames/addresses.
      */
     private static final Pattern HOSTNAME_LABEL_PATTERN =
             Pattern.compile("hostname|(ip\\s*)?address", Pattern.CASE_INSENSITIVE);

     /**
      * Regular expression which matches the labels of custom fields containing
      * usernames.
      */
     private static final Pattern USERNAME_LABEL_PATTERN =
             Pattern.compile("username", Pattern.CASE_INSENSITIVE);

     /**
      * Regular expression which matches the labels of custom fields containing
      * passwords.
      */
     private static final Pattern PASSWORD_LABEL_PATTERN =
             Pattern.compile("password", Pattern.CASE_INSENSITIVE);

     /**
      * Regular expression which matches the labels of custom fields containing
      * passphrases for private keys.
      */
     private static final Pattern PASSPHRASE_LABEL_PATTERN =
             Pattern.compile("passphrase", Pattern.CASE_INSENSITIVE);

     /**
      * Regular expression which matches the labels of custom fields containing
      * private keys.
      */
     private static final Pattern PRIVATE_KEY_LABEL_PATTERN =
             Pattern.compile("private\\s*key", Pattern.CASE_INSENSITIVE);

     /**
      * Regular expression which matches the filenames of private keys attached
      * to Keeper records.
      */
     private static final Pattern PRIVATE_KEY_FILENAME_PATTERN =
             Pattern.compile(".*\\.pem", Pattern.CASE_INSENSITIVE);

     /**
      * Returns the single value stored in the given list. If the list is empty
      * or contains multiple values, null is returned. Note that null will also
      * be returned if the single value stored in the list is itself null.
      *
      * @param <T>
      *     The type of object stored in the list.
      *
      * @param values
      *     The list to retrieve a single value from.
      *
      * @return
      *     The single value stored in the given list, or null if the list is
      *     empty or contains multiple values.
      */
     private <T> T getSingleValue(List<T> values) {

         if (values == null || values.size() != 1)
             return null;

         return values.get(0);

     }

     /**
      * Returns the single value stored in the given list of strings. If the
      * list is empty, contains multiple values, or contains only a single empty
      * string, null is returned. Note that null will also be returned if the
      * single value stored in the list is itself null.
      *
      * @param values
      *     The list to retrieve a single value from.
      *
      * @return
      *     The single value stored in the given list, or null if the list is
      *     empty, contains multiple values, or contains only a single empty
      *     string.
      */
     private String getSingleStringValue(List<String> values) {

         String value = getSingleValue(values);
         if (value != null && !value.isEmpty())
             return value;

         return null;

     }

     /**
      * Returns the single value stored in the given list, additionally
      * performing a mapping transformation on the single value. If the list is
      * empty or contains multiple values, null is returned. Note that null will
      * also be returned if the mapping transformation returns null for the
      * single value stored in the list.
      *
      * @param <T>
      *     The type of object stored in the list.
      *
      * @param <R>
      *     The type of object to return.
      *
      * @param values
      *     The list to retrieve a single value from.
      *
      * @param mapper
      *     The function to use to map the single object of type T to type R.
      *
      * @return
      *     The single value stored in the given list, transformed using the
      *     provided mapping function, or null if the list is empty or contains
      *     multiple values.
      */
     private <T, R> R getSingleValue(List<T> values, Function<T, R> mapper) {

         T value = getSingleValue(values);
         if (value == null)
             return null;

         return mapper.apply(value);

     }

     /**
      * Returns the single value stored in the given list of strings,
      * additionally performing a mapping transformation on the single value. If
      * the list is empty, contains multiple values, or contains only a single
      * empty string, null is returned. Note that null will also be returned if
      * the mapping transformation returns null for the single value stored in
      * the list.
      *
      * @param <T>
      *     The type of object stored in the list.
      *
      * @param values
      *     The list to retrieve a single value from.
      *
      * @param mapper
      *     The function to use to map the single object of type T to type R.
      *
      * @return
      *     The single value stored in the given list, transformed using the
      *     provided mapping function, or null if the list is empty, contains
      *     multiple values, or contains only a single empty string.
      */
     private <T> String getSingleStringValue(List<T> values, Function<T, String> mapper) {

         String value = getSingleValue(values, mapper);
         if (value != null && !value.isEmpty())
             return value;

         return null;

     }

     /**
      * Returns the instance of the only field that has the given type and
      * matches the given label pattern. If there are no such fields, or
      * multiple such fields, null is returned.
      *
      * @param <T>
      *     The type of field to return.
      *
      * @param fields
      *     The list of fields to retrieve the field from. For convenience, this
      *     may be null. A null list will be considered equivalent to an empty
      *     list.
      *
      * @param fieldClass
      *     The class representing the type of field to return.
      *
      * @param labelPattern
      *     The pattern to match against the desired field's label, or null if
      *     no label pattern match should be performed.
      *
      * @return
      *     The field having the given type and matching the given label
      *     pattern, or null if there is not exactly one such field.
      */
     @SuppressWarnings("unchecked") // Manually verified with isAssignableFrom()
     private <T extends KeeperRecordField> T getField(List<KeeperRecordField> fields,
             Class<T> fieldClass, Pattern labelPattern) {

         // There are no fields if no List was provided at all
         if (fields == null)
             return null;

         T foundField = null;
         for (KeeperRecordField field : fields) {

             // Ignore fields of wrong class
             if (!fieldClass.isAssignableFrom(field.getClass()))
                 continue;

             // Match against provided pattern, if any
             if (labelPattern != null) {

                 // Ignore fields without labels if a label match is requested
                 String label = field.getLabel();
                 if (label == null)
                     continue;

                 // Ignore fields whose labels do not match
                 Matcher labelMatcher = labelPattern.matcher(label);
                 if (!labelMatcher.matches())
                     continue;

             }

             // Ignore ambiguous fields
             if (foundField != null)
                 return null;

             // Tentative match found - we can use this as long as no other
             // field matches the criteria
             foundField = (T) field;

         }

         return foundField;

     }

     /**
      * Returns the instance of the only field that has the given type and
      * matches the given label pattern. If there are no such fields, or
      * multiple such fields, null is returned. Both standard and custom fields
      * are searched. As standard fields do not have labels, any given label
      * pattern is ignored for standard fields.
      *
      * @param <T>
      *     The type of field to return.
      *
      * @param record
      *     The Keeper record to retrieve the field from.
      *
      * @param fieldClass
      *     The class representing the type of field to return.
      *
      * @param labelPattern
      *     The pattern to match against the labels of custom fields, or null if
      *     no label pattern match should be performed.
      *
      * @return
      *     The field having the given type and matching the given label
      *     pattern, or null if there is not exactly one such field.
      */
     private <T extends KeeperRecordField> T getField(KeeperRecord record,
             Class<T> fieldClass, Pattern labelPattern) {

         KeeperRecordData data = record.getData();

         // Attempt to find standard field first, ignoring custom fields if a
         // standard field exists (NOTE: standard fields do not have labels)
         T field = getField(data.getFields(), fieldClass, null);
         if (field != null)
             return field;

         // Fall back on custom fields
         return getField(data.getCustom(), fieldClass, labelPattern);

     }

     /**
      * Returns the file attached to the give Keeper record whose filename
      * matches the given pattern. If there are no such files, or multiple such
      * files, null is returned.
      *
      * @param record
      *     The record to retrieve the file from.
      *
      * @param filenamePattern
      *     The pattern to match filenames against.
      *
      * @return
      *     The single matching file attached to the given Keeper record, or
      *     null if there is not exactly one matching file.
      */
     private KeeperFile getFile(KeeperRecord record, Pattern filenamePattern) {

         List<KeeperFile> files = record.getFiles();
         if (files == null)
             return null;

         KeeperFile foundFile = null;
         for (KeeperFile file : files) {

             // Ignore files whose filenames do not match
             Matcher filenameMatcher = filenamePattern.matcher(file.getData().getName());
             if (!filenameMatcher.matches())
                 continue;

             // Ignore ambiguous fields
             if (foundFile != null)
                 return null;

             foundFile = file;

         }

         return foundFile;

     }

     /**
      * Downloads the given file from the Keeper vault asynchronously. All files
      * are read as UTF-8.
      *
      * @param file
      *     The file to download, which may be null.
      *
      * @return
      *     A Future which resolves with the contents of the file once
      *     downloaded. If no file was provided (file was null), this Future
      *     resolves with null.
      */
     public Future<String> download(final KeeperFile file) {

         if (file == null)
             return CompletableFuture.completedFuture(null);

         return CompletableFuture.supplyAsync(() -> {
             return new String(SecretsManager.downloadFile(file), StandardCharsets.UTF_8);
         });

     }

     /**
      * Returns the single hostname (or address) associated with the given
      * record. If the record has no associated hostname, or multiple hostnames,
      * null is returned. Hostnames are retrieved from "Hosts" fields, as well
      * as "Text" and "Hidden" fields that have the label "hostname", "address",
      * or "ip address" (case-insensitive, space optional).
      *
      * @param record
      *     The record to retrieve the hostname from.
      *
      * @return
      *     The hostname associated with the given record, or null if the record
      *     has no associated hostname or multiple hostnames.
      */
     public String getHostname(KeeperRecord record) {

         // Prefer standard login field
         Hosts hostsField = getField(record, Hosts.class, null);
         if (hostsField != null)
             return getSingleStringValue(hostsField.getValue(), Host::getHostName);

         KeeperRecordData data = record.getData();
         List<KeeperRecordField> custom = data.getCustom();

         // Use text "hostname" custom field as fallback ...
         Text textField = getField(custom, Text.class, HOSTNAME_LABEL_PATTERN);
         if (textField != null)
             return getSingleStringValue(textField.getValue());

         // ... or hidden "hostname" custom field
         HiddenField hiddenField = getField(custom, HiddenField.class, HOSTNAME_LABEL_PATTERN);
         if (hiddenField != null)
             return getSingleStringValue(hiddenField.getValue());

         return null;

     }

     /**
      * Returns the single username associated with the given record. If the
      * record has no associated username, or multiple usernames, null is
      * returned. Usernames are retrieved from "Login" fields, as well as
      * "Text" and "Hidden" fields that have the label "username"
      * (case-insensitive).
      *
      * @param record
      *     The record to retrieve the username from.
      *
      * @return
      *     The username associated with the given record, or null if the record
      *     has no associated username or multiple usernames.
      */
     public String getUsername(KeeperRecord record) {

         // Prefer standard login field
         Login loginField = getField(record, Login.class, null);
         if (loginField != null)
             return getSingleStringValue(loginField.getValue());

         KeeperRecordData data = record.getData();
         List<KeeperRecordField> custom = data.getCustom();

         // Use text "username" custom field as fallback ...
         Text textField = getField(custom, Text.class, USERNAME_LABEL_PATTERN);
         if (textField != null)
             return getSingleStringValue(textField.getValue());

         // ... or hidden "username" custom field
         HiddenField hiddenField = getField(custom, HiddenField.class, USERNAME_LABEL_PATTERN);
         if (hiddenField != null)
             return getSingleStringValue(hiddenField.getValue());

         return null;

     }

     /**
      * Returns the password associated with the given record. Both standard and
      * custom fields are searched. Only "Password" and "Hidden" field types are
      * considered. Custom fields must additionally have the label "password"
      * (case-insensitive).
      *
      * @param record
      *     The record to retrieve the password from.
      *
      * @return
      *     The password associated with the given record, or null if the record
      *     has no associated password.
      */
     public String getPassword(KeeperRecord record) {

         Password passwordField = getField(record, Password.class, PASSWORD_LABEL_PATTERN);
         if (passwordField != null)
             return getSingleStringValue(passwordField.getValue());

         HiddenField hiddenField = getField(record, HiddenField.class, PASSWORD_LABEL_PATTERN);
         if (hiddenField != null)
             return getSingleStringValue(hiddenField.getValue());

         return null;

     }

     /**
      * Returns the private key associated with the given record. If the record
      * has no associated private key, or multiple private keys, null is
      * returned. Private keys are retrieved from "KeyPairs" fields.
      * Alternatively, private keys are retrieved from PEM-type attachments or
      * custom fields with the label "private key" (case-insensitive, space
      * optional) if they are "KeyPairs", "Password", or "Hidden" fields. If
      * file downloads are required, they will be performed asynchronously.
      *
      * @param record
      *     The record to retrieve the private key from.
      *
      * @return
      *     A Future which resolves with the private key associated with the
      *     given record. If the record has no associated private key or
      *     multiple private keys, the returned Future will resolve to null.
      */
     public Future<String> getPrivateKey(KeeperRecord record) {

         // Attempt to find single matching keypair field
         KeyPairs keyPairsField = getField(record, KeyPairs.class, PRIVATE_KEY_LABEL_PATTERN);
         if (keyPairsField != null) {
             String privateKey = getSingleStringValue(keyPairsField.getValue(), KeyPair::getPrivateKey);
             if (privateKey != null && !privateKey.isEmpty())
                 return CompletableFuture.completedFuture(privateKey);
         }

         // Lacking a typed keypair field, prefer a PEM-type attachment
         KeeperFile keyFile = getFile(record, PRIVATE_KEY_FILENAME_PATTERN);
         if (keyFile != null)
             return download(keyFile);

         KeeperRecordData data = record.getData();
         List<KeeperRecordField> custom = data.getCustom();

         // Use password "private key" custom field as fallback ...
         Password passwordField = getField(custom, Password.class, PRIVATE_KEY_LABEL_PATTERN);
         if (passwordField != null)
             return CompletableFuture.completedFuture(getSingleStringValue(passwordField.getValue()));

         // ... or hidden "private key" custom field
         HiddenField hiddenField = getField(custom, HiddenField.class, PRIVATE_KEY_LABEL_PATTERN);
         if (hiddenField != null)
             return CompletableFuture.completedFuture(getSingleStringValue(hiddenField.getValue()));

         return CompletableFuture.completedFuture(null);

     }

     /**
      * Returns the passphrase for the private key associated with the given
      * record. Both standard and custom fields are searched. Only "Password"
      * and "Hidden" field types are considered. Custom fields must additionally
      * have the label "passphrase" (case-insensitive). Note that there is no
      * specific association between private keys and passphrases in the
      * "KeyPairs" field type.
      *
      * @param record
      *     The record to retrieve the passphrase from.
      *
      * @return
      *     The passphrase for the private key associated with the given record,
      *     or null if there is no such passphrase associated with the record.
      */
     public String getPassphrase(KeeperRecord record) {

         KeeperRecordData data = record.getData();
         List<KeeperRecordField> fields = data.getFields();
         List<KeeperRecordField> custom = data.getCustom();

         // For records with a standard keypair field, the passphrase is the
         // standard password field
         if (getField(fields, KeyPairs.class, null) != null) {
             Password passwordField = getField(fields, Password.class, null);
             if (passwordField != null)
                 return getSingleStringValue(passwordField.getValue());
         }

         // For records WITHOUT a standard keypair field, the passphrase can
         // only reasonably be a custom field (consider a "Login" record with
         // a pair of custom hidden fields for the private key and passphrase:
         // the standard password field of the "Login" record refers to the
         // user's own password, if any, not the passphrase of their key)

         // Use password "private key" custom field as fallback ...
         Password passwordField = getField(custom, Password.class, PASSPHRASE_LABEL_PATTERN);
         if (passwordField != null)
             return getSingleStringValue(passwordField.getValue());

         // ... or hidden "private key" custom field
         HiddenField hiddenField = getField(custom, HiddenField.class, PASSPHRASE_LABEL_PATTERN);
         if (hiddenField != null)
             return getSingleStringValue(hiddenField.getValue());

         return null;

     }

 }
	/*
	* Licensed to the Apache Software Foundation (ASF) under one
	* or more contributor license agreements. See the NOTICE file
	* distributed with this work for additional information
	* regarding copyright ownership. The ASF licenses this file
	* to you under the Apache License, Version 2.0 (the
	* "License"); you may not use this file except in compliance
	* with the License. You may obtain a copy of the License at
	*
	* http://www.apache.org/licenses/LICENSE-2.0
	*
	* Unless required by applicable law or agreed to in writing,
	* software distributed under the License is distributed on an
	* "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
	* KIND, either express or implied. See the License for the
	* specific language governing permissions and limitations
	* under the License.
	*/

	package org.apache.guacamole.vault.ksm.secret;

	import com.google.inject.Singleton;
	import com.keepersecurity.secretsManager.core.HiddenField;
	import com.keepersecurity.secretsManager.core.Host;
	import com.keepersecurity.secretsManager.core.Hosts;
	import com.keepersecurity.secretsManager.core.KeeperFile;
	import com.keepersecurity.secretsManager.core.KeeperRecord;
	import com.keepersecurity.secretsManager.core.KeeperRecordData;
	import com.keepersecurity.secretsManager.core.KeeperRecordField;
	import com.keepersecurity.secretsManager.core.KeyPair;
	import com.keepersecurity.secretsManager.core.KeyPairs;
	import com.keepersecurity.secretsManager.core.Login;
	import com.keepersecurity.secretsManager.core.Password;
	import com.keepersecurity.secretsManager.core.SecretsManager;
	import com.keepersecurity.secretsManager.core.Text;
	import java.nio.charset.StandardCharsets;
	import java.util.List;
	import java.util.concurrent.CompletableFuture;
	import java.util.concurrent.Future;
	import java.util.function.Function;
	import java.util.regex.Matcher;
	import java.util.regex.Pattern;

	/**
	* Service for automatically parsing out secrets and data from Keeper records.
	*/
	@Singleton
	public class KsmRecordService {

	/**
	* Regular expression which matches the labels of custom fields containing
	* hostnames/addresses.
	*/
	private static final Pattern HOSTNAME_LABEL_PATTERN =
	Pattern.compile("hostname\|(ip\\s*)?address", Pattern.CASE_INSENSITIVE);

	/**
	* Regular expression which matches the labels of custom fields containing
	* usernames.
	*/
	private static final Pattern USERNAME_LABEL_PATTERN =
	Pattern.compile("username", Pattern.CASE_INSENSITIVE);

	/**
	* Regular expression which matches the labels of custom fields containing
	* passwords.
	*/
	private static final Pattern PASSWORD_LABEL_PATTERN =
	Pattern.compile("password", Pattern.CASE_INSENSITIVE);

	/**
	* Regular expression which matches the labels of custom fields containing
	* passphrases for private keys.
	*/
	private static final Pattern PASSPHRASE_LABEL_PATTERN =
	Pattern.compile("passphrase", Pattern.CASE_INSENSITIVE);

	/**
	* Regular expression which matches the labels of custom fields containing
	* private keys.
	*/
	private static final Pattern PRIVATE_KEY_LABEL_PATTERN =
	Pattern.compile("private\\s*key", Pattern.CASE_INSENSITIVE);

	/**
	* Regular expression which matches the filenames of private keys attached
	* to Keeper records.
	*/
	private static final Pattern PRIVATE_KEY_FILENAME_PATTERN =
	Pattern.compile(".*\\.pem", Pattern.CASE_INSENSITIVE);

	/**
	* Returns the single value stored in the given list. If the list is empty
	* or contains multiple values, null is returned. Note that null will also
	* be returned if the single value stored in the list is itself null.
	*
	* @param <T>
	* The type of object stored in the list.
	*
	* @param values
	* The list to retrieve a single value from.
	*
	* @return
	* The single value stored in the given list, or null if the list is
	* empty or contains multiple values.
	*/
	private <T> T getSingleValue(List<T> values) {

	if (values == null \|\| values.size() != 1)
	return null;

	return values.get(0);

	}

	/**
	* Returns the single value stored in the given list of strings. If the
	* list is empty, contains multiple values, or contains only a single empty
	* string, null is returned. Note that null will also be returned if the
	* single value stored in the list is itself null.
	*
	* @param values
	* The list to retrieve a single value from.
	*
	* @return
	* The single value stored in the given list, or null if the list is
	* empty, contains multiple values, or contains only a single empty
	* string.
	*/
	private String getSingleStringValue(List<String> values) {

	String value = getSingleValue(values);
	if (value != null && !value.isEmpty())
	return value;

	return null;

	}

	/**
	* Returns the single value stored in the given list, additionally
	* performing a mapping transformation on the single value. If the list is
	* empty or contains multiple values, null is returned. Note that null will
	* also be returned if the mapping transformation returns null for the
	* single value stored in the list.
	*
	* @param <T>
	* The type of object stored in the list.
	*
	* @param <R>
	* The type of object to return.
	*
	* @param values
	* The list to retrieve a single value from.
	*
	* @param mapper
	* The function to use to map the single object of type T to type R.
	*
	* @return
	* The single value stored in the given list, transformed using the
	* provided mapping function, or null if the list is empty or contains
	* multiple values.
	*/
	private <T, R> R getSingleValue(List<T> values, Function<T, R> mapper) {

	T value = getSingleValue(values);
	if (value == null)
	return null;

	return mapper.apply(value);

	}

	/**
	* Returns the single value stored in the given list of strings,
	* additionally performing a mapping transformation on the single value. If
	* the list is empty, contains multiple values, or contains only a single
	* empty string, null is returned. Note that null will also be returned if
	* the mapping transformation returns null for the single value stored in
	* the list.
	*
	* @param <T>
	* The type of object stored in the list.
	*
	* @param values
	* The list to retrieve a single value from.
	*
	* @param mapper
	* The function to use to map the single object of type T to type R.
	*
	* @return
	* The single value stored in the given list, transformed using the
	* provided mapping function, or null if the list is empty, contains
	* multiple values, or contains only a single empty string.
	*/
	private <T> String getSingleStringValue(List<T> values, Function<T, String> mapper) {

	String value = getSingleValue(values, mapper);
	if (value != null && !value.isEmpty())
	return value;

	return null;

	}

	/**
	* Returns the instance of the only field that has the given type and
	* matches the given label pattern. If there are no such fields, or
	* multiple such fields, null is returned.
	*
	* @param <T>
	* The type of field to return.
	*
	* @param fields
	* The list of fields to retrieve the field from. For convenience, this
	* may be null. A null list will be considered equivalent to an empty
	* list.
	*
	* @param fieldClass
	* The class representing the type of field to return.
	*
	* @param labelPattern
	* The pattern to match against the desired field's label, or null if
	* no label pattern match should be performed.
	*
	* @return
	* The field having the given type and matching the given label
	* pattern, or null if there is not exactly one such field.
	*/
	@SuppressWarnings("unchecked") // Manually verified with isAssignableFrom()
	private <T extends KeeperRecordField> T getField(List<KeeperRecordField> fields,
	Class<T> fieldClass, Pattern labelPattern) {

	// There are no fields if no List was provided at all
	if (fields == null)
	return null;

	T foundField = null;
	for (KeeperRecordField field : fields) {

	// Ignore fields of wrong class
	if (!fieldClass.isAssignableFrom(field.getClass()))
	continue;

	// Match against provided pattern, if any
	if (labelPattern != null) {

	// Ignore fields without labels if a label match is requested
	String label = field.getLabel();
	if (label == null)
	continue;

	// Ignore fields whose labels do not match
	Matcher labelMatcher = labelPattern.matcher(label);
	if (!labelMatcher.matches())
	continue;

	}

	// Ignore ambiguous fields
	if (foundField != null)
	return null;

	// Tentative match found - we can use this as long as no other
	// field matches the criteria
	foundField = (T) field;

	}

	return foundField;

	}

	/**
	* Returns the instance of the only field that has the given type and
	* matches the given label pattern. If there are no such fields, or
	* multiple such fields, null is returned. Both standard and custom fields
	* are searched. As standard fields do not have labels, any given label
	* pattern is ignored for standard fields.
	*
	* @param <T>
	* The type of field to return.
	*
	* @param record
	* The Keeper record to retrieve the field from.
	*
	* @param fieldClass
	* The class representing the type of field to return.
	*
	* @param labelPattern
	* The pattern to match against the labels of custom fields, or null if
	* no label pattern match should be performed.
	*
	* @return
	* The field having the given type and matching the given label
	* pattern, or null if there is not exactly one such field.
	*/
	private <T extends KeeperRecordField> T getField(KeeperRecord record,
	Class<T> fieldClass, Pattern labelPattern) {

	KeeperRecordData data = record.getData();

	// Attempt to find standard field first, ignoring custom fields if a
	// standard field exists (NOTE: standard fields do not have labels)
	T field = getField(data.getFields(), fieldClass, null);
	if (field != null)
	return field;

	// Fall back on custom fields
	return getField(data.getCustom(), fieldClass, labelPattern);

	}

	/**
	* Returns the file attached to the give Keeper record whose filename
	* matches the given pattern. If there are no such files, or multiple such
	* files, null is returned.
	*
	* @param record
	* The record to retrieve the file from.
	*
	* @param filenamePattern
	* The pattern to match filenames against.
	*
	* @return
	* The single matching file attached to the given Keeper record, or
	* null if there is not exactly one matching file.
	*/
	private KeeperFile getFile(KeeperRecord record, Pattern filenamePattern) {

	List<KeeperFile> files = record.getFiles();
	if (files == null)
	return null;

	KeeperFile foundFile = null;
	for (KeeperFile file : files) {

	// Ignore files whose filenames do not match
	Matcher filenameMatcher = filenamePattern.matcher(file.getData().getName());
	if (!filenameMatcher.matches())
	continue;

	// Ignore ambiguous fields
	if (foundFile != null)
	return null;

	foundFile = file;

	}

	return foundFile;

	}

	/**
	* Downloads the given file from the Keeper vault asynchronously. All files
	* are read as UTF-8.
	*
	* @param file
	* The file to download, which may be null.
	*
	* @return
	* A Future which resolves with the contents of the file once
	* downloaded. If no file was provided (file was null), this Future
	* resolves with null.
	*/
	public Future<String> download(final KeeperFile file) {

	if (file == null)
	return CompletableFuture.completedFuture(null);

	return CompletableFuture.supplyAsync(() -> {
	return new String(SecretsManager.downloadFile(file), StandardCharsets.UTF_8);
	});

	}

	/**
	* Returns the single hostname (or address) associated with the given
	* record. If the record has no associated hostname, or multiple hostnames,
	* null is returned. Hostnames are retrieved from "Hosts" fields, as well
	* as "Text" and "Hidden" fields that have the label "hostname", "address",
	* or "ip address" (case-insensitive, space optional).
	*
	* @param record
	* The record to retrieve the hostname from.
	*
	* @return
	* The hostname associated with the given record, or null if the record
	* has no associated hostname or multiple hostnames.
	*/
	public String getHostname(KeeperRecord record) {

	// Prefer standard login field
	Hosts hostsField = getField(record, Hosts.class, null);
	if (hostsField != null)
	return getSingleStringValue(hostsField.getValue(), Host::getHostName);

	KeeperRecordData data = record.getData();
	List<KeeperRecordField> custom = data.getCustom();

	// Use text "hostname" custom field as fallback ...
	Text textField = getField(custom, Text.class, HOSTNAME_LABEL_PATTERN);
	if (textField != null)
	return getSingleStringValue(textField.getValue());

	// ... or hidden "hostname" custom field
	HiddenField hiddenField = getField(custom, HiddenField.class, HOSTNAME_LABEL_PATTERN);
	if (hiddenField != null)
	return getSingleStringValue(hiddenField.getValue());

	return null;

	}

	/**
	* Returns the single username associated with the given record. If the
	* record has no associated username, or multiple usernames, null is
	* returned. Usernames are retrieved from "Login" fields, as well as
	* "Text" and "Hidden" fields that have the label "username"
	* (case-insensitive).
	*
	* @param record
	* The record to retrieve the username from.
	*
	* @return
	* The username associated with the given record, or null if the record
	* has no associated username or multiple usernames.
	*/
	public String getUsername(KeeperRecord record) {

	// Prefer standard login field
	Login loginField = getField(record, Login.class, null);
	if (loginField != null)
	return getSingleStringValue(loginField.getValue());

	KeeperRecordData data = record.getData();
	List<KeeperRecordField> custom = data.getCustom();

	// Use text "username" custom field as fallback ...
	Text textField = getField(custom, Text.class, USERNAME_LABEL_PATTERN);
	if (textField != null)
	return getSingleStringValue(textField.getValue());

	// ... or hidden "username" custom field
	HiddenField hiddenField = getField(custom, HiddenField.class, USERNAME_LABEL_PATTERN);
	if (hiddenField != null)
	return getSingleStringValue(hiddenField.getValue());

	return null;

	}

	/**
	* Returns the password associated with the given record. Both standard and
	* custom fields are searched. Only "Password" and "Hidden" field types are
	* considered. Custom fields must additionally have the label "password"
	* (case-insensitive).
	*
	* @param record
	* The record to retrieve the password from.
	*
	* @return
	* The password associated with the given record, or null if the record
	* has no associated password.
	*/
	public String getPassword(KeeperRecord record) {

	Password passwordField = getField(record, Password.class, PASSWORD_LABEL_PATTERN);
	if (passwordField != null)
	return getSingleStringValue(passwordField.getValue());

	HiddenField hiddenField = getField(record, HiddenField.class, PASSWORD_LABEL_PATTERN);
	if (hiddenField != null)
	return getSingleStringValue(hiddenField.getValue());

	return null;

	}

	/**
	* Returns the private key associated with the given record. If the record
	* has no associated private key, or multiple private keys, null is
	* returned. Private keys are retrieved from "KeyPairs" fields.
	* Alternatively, private keys are retrieved from PEM-type attachments or
	* custom fields with the label "private key" (case-insensitive, space
	* optional) if they are "KeyPairs", "Password", or "Hidden" fields. If
	* file downloads are required, they will be performed asynchronously.
	*
	* @param record
	* The record to retrieve the private key from.
	*
	* @return
	* A Future which resolves with the private key associated with the
	* given record. If the record has no associated private key or
	* multiple private keys, the returned Future will resolve to null.
	*/
	public Future<String> getPrivateKey(KeeperRecord record) {

	// Attempt to find single matching keypair field
	KeyPairs keyPairsField = getField(record, KeyPairs.class, PRIVATE_KEY_LABEL_PATTERN);
	if (keyPairsField != null) {
	String privateKey = getSingleStringValue(keyPairsField.getValue(), KeyPair::getPrivateKey);
	if (privateKey != null && !privateKey.isEmpty())
	return CompletableFuture.completedFuture(privateKey);
	}

	// Lacking a typed keypair field, prefer a PEM-type attachment
	KeeperFile keyFile = getFile(record, PRIVATE_KEY_FILENAME_PATTERN);
	if (keyFile != null)
	return download(keyFile);

	KeeperRecordData data = record.getData();
	List<KeeperRecordField> custom = data.getCustom();

	// Use password "private key" custom field as fallback ...
	Password passwordField = getField(custom, Password.class, PRIVATE_KEY_LABEL_PATTERN);
	if (passwordField != null)
	return CompletableFuture.completedFuture(getSingleStringValue(passwordField.getValue()));

	// ... or hidden "private key" custom field
	HiddenField hiddenField = getField(custom, HiddenField.class, PRIVATE_KEY_LABEL_PATTERN);
	if (hiddenField != null)
	return CompletableFuture.completedFuture(getSingleStringValue(hiddenField.getValue()));

	return CompletableFuture.completedFuture(null);

	}

	/**
	* Returns the passphrase for the private key associated with the given
	* record. Both standard and custom fields are searched. Only "Password"
	* and "Hidden" field types are considered. Custom fields must additionally
	* have the label "passphrase" (case-insensitive). Note that there is no
	* specific association between private keys and passphrases in the
	* "KeyPairs" field type.
	*
	* @param record
	* The record to retrieve the passphrase from.
	*
	* @return
	* The passphrase for the private key associated with the given record,
	* or null if there is no such passphrase associated with the record.
	*/
	public String getPassphrase(KeeperRecord record) {

	KeeperRecordData data = record.getData();
	List<KeeperRecordField> fields = data.getFields();
	List<KeeperRecordField> custom = data.getCustom();

	// For records with a standard keypair field, the passphrase is the
	// standard password field
	if (getField(fields, KeyPairs.class, null) != null) {
	Password passwordField = getField(fields, Password.class, null);
	if (passwordField != null)
	return getSingleStringValue(passwordField.getValue());
	}

	// For records WITHOUT a standard keypair field, the passphrase can
	// only reasonably be a custom field (consider a "Login" record with
	// a pair of custom hidden fields for the private key and passphrase:
	// the standard password field of the "Login" record refers to the
	// user's own password, if any, not the passphrase of their key)

	// Use password "private key" custom field as fallback ...
	Password passwordField = getField(custom, Password.class, PASSPHRASE_LABEL_PATTERN);
	if (passwordField != null)
	return getSingleStringValue(passwordField.getValue());

	// ... or hidden "private key" custom field
	HiddenField hiddenField = getField(custom, HiddenField.class, PASSPHRASE_LABEL_PATTERN);
	if (hiddenField != null)
	return getSingleStringValue(hiddenField.getValue());

	return null;

	}

	}