16 files changed, 205 insertions, 162 deletions

diff --git a/nitrocli/CHANGELOG.md b/nitrocli/CHANGELOG.md
index dd40acd..7104c20 100644
--- a/nitrocli/CHANGELOG.md
+++ b/nitrocli/CHANGELOG.md
@@ -1,6 +1,8 @@
 Unreleased
 ----------
-- Bumped `nitrokey` dependency to `0.4.0-alpha.2`
+- Bumped `nitrokey` dependency to `0.4.0-alpha.3`
+  - Bumped `nitrokey-sys` dependency to `3.5.0`
+  - Added `lazy_static` dependency in version `1.2.0`
 
 
 0.3.0
diff --git a/nitrocli/Cargo.lock b/nitrocli/Cargo.lock
index 168be50..cd90994 100644
--- a/nitrocli/Cargo.lock
+++ b/nitrocli/Cargo.lock
@@ -55,7 +55,6 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 [[package]]
 name = "lazy_static"
 version = "1.2.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
 
 [[package]]
 name = "libc"
@@ -77,32 +76,33 @@ dependencies = [
  "argparse 0.2.2",
  "base32 0.4.0",
  "libc 0.2.66",
- "nitrokey 0.4.0-alpha.2",
- "nitrokey-test 0.2.1 (registry+https://github.com/rust-lang/crates.io-index)",
+ "nitrokey 0.4.0-alpha.3",
+ "nitrokey-test 0.3.1 (registry+https://github.com/rust-lang/crates.io-index)",
  "nitrokey-test-state 0.1.0 (registry+https://github.com/rust-lang/crates.io-index)",
  "regex 1.1.0 (registry+https://github.com/rust-lang/crates.io-index)",
 ]
 
 [[package]]
 name = "nitrokey"
-version = "0.4.0-alpha.2"
+version = "0.4.0-alpha.3"
 dependencies = [
+ "lazy_static 1.2.0",
  "libc 0.2.66",
- "nitrokey-sys 3.4.3",
+ "nitrokey-sys 3.5.0",
  "rand_core 0.3.0",
  "rand_os 0.1.1",
 ]
 
 [[package]]
 name = "nitrokey-sys"
-version = "3.4.3"
+version = "3.5.0"
 dependencies = [
  "cc 1.0.48",
 ]
 
 [[package]]
 name = "nitrokey-test"
-version = "0.2.1"
+version = "0.3.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 dependencies = [
  "proc-macro2 0.4.26 (registry+https://github.com/rust-lang/crates.io-index)",
@@ -190,7 +190,7 @@ name = "thread_local"
 version = "0.3.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 dependencies = [
- "lazy_static 1.2.0 (registry+https://github.com/rust-lang/crates.io-index)",
+ "lazy_static 1.2.0",
 ]
 
 [[package]]
@@ -234,9 +234,8 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 "checksum cloudabi 0.0.3 (registry+https://github.com/rust-lang/crates.io-index)" = "ddfc5b9aa5d4507acaf872de71051dfd0e309860e88966e1051e462a077aac4f"
 "checksum fuchsia-zircon 0.3.3 (registry+https://github.com/rust-lang/crates.io-index)" = "2e9763c69ebaae630ba35f74888db465e49e259ba1bc0eda7d06f4a067615d82"
 "checksum fuchsia-zircon-sys 0.3.3 (registry+https://github.com/rust-lang/crates.io-index)" = "3dcaa9ae7725d12cdb85b3ad99a434db70b468c09ded17e012d86b5c1010f7a7"
-"checksum lazy_static 1.2.0 (registry+https://github.com/rust-lang/crates.io-index)" = "a374c89b9db55895453a74c1e38861d9deec0b01b405a82516e9d5de4820dea1"
 "checksum memchr 2.1.3 (registry+https://github.com/rust-lang/crates.io-index)" = "e1dd4eaac298c32ce07eb6ed9242eda7d82955b9170b7d6db59b2e02cc63fcb8"
-"checksum nitrokey-test 0.2.1 (registry+https://github.com/rust-lang/crates.io-index)" = "f2195b25114e38da93d24169b074e7d1007238a0e33916e01b353099c09df379"
+"checksum nitrokey-test 0.3.1 (registry+https://github.com/rust-lang/crates.io-index)" = "7e7e81b55db51769209e88a63cdbb4f2dc7ee9cd20ccaf32fbb940a3b0c50259"
 "checksum nitrokey-test-state 0.1.0 (registry+https://github.com/rust-lang/crates.io-index)" = "a59b732ed6d5212424ed31ec9649f05652bcbc38f45f2292b27a6044e7098803"
 "checksum proc-macro2 0.4.26 (registry+https://github.com/rust-lang/crates.io-index)" = "38fddd23d98b2144d197c0eca5705632d4fe2667d14a6be5df8934f8d74f1978"
 "checksum quote 0.6.11 (registry+https://github.com/rust-lang/crates.io-index)" = "cdd8e04bd9c52e0342b406469d494fcb033be4bdbe5c606016defbb1681411e1"
diff --git a/nitrocli/Cargo.toml b/nitrocli/Cargo.toml
index 1eb301e..23395c2 100644
--- a/nitrocli/Cargo.toml
+++ b/nitrocli/Cargo.toml
@@ -53,10 +53,10 @@ path = "../base32"
 version = "0.2"
 
 [dependencies.nitrokey]
-version = "0.4.0-alpha.2"
+version = "0.4.0-alpha.3"
 
 [dev-dependencies.nitrokey-test]
-version = "0.2.1"
+version = "0.3.1"
 
 [dev-dependencies.nitrokey-test-state]
 version = "0.1"
@@ -71,5 +71,6 @@ cc = { path = "../cc" }
 libc = { path = "../libc" }
 nitrokey = { path = "../nitrokey" }
 nitrokey-sys = { path = "../nitrokey-sys" }
+lazy_static = { path = "../lazy-static" }
 rand_core = { path = "../rand/rand_core" }
 rand_os = { path = "../rand/rand_os" }
diff --git a/nitrocli/src/commands.rs b/nitrocli/src/commands.rs
index ee410e5..f0e0f6e 100644
--- a/nitrocli/src/commands.rs
+++ b/nitrocli/src/commands.rs
@@ -60,16 +60,19 @@ fn set_log_level(ctx: &mut args::ExecCtx<'_>) {
 /// Connect to any Nitrokey device and do something with it.
 fn with_device<F>(ctx: &mut args::ExecCtx<'_>, op: F) -> Result<()>
 where
-  F: FnOnce(&mut args::ExecCtx<'_>, nitrokey::DeviceWrapper) -> Result<()>,
+  F: FnOnce(&mut args::ExecCtx<'_>, nitrokey::DeviceWrapper<'_>) -> Result<()>,
 {
+  let mut manager = nitrokey::take()?;
   set_log_level(ctx);
 
   let device = match ctx.model {
-    Some(model) => nitrokey::connect_model(model.into()).map_err(|_| {
+    Some(model) => manager.connect_model(model.into()).map_err(|_| {
       let error = format!("Nitrokey {} device not found", model.as_user_facing_str());
       Error::Error(error)
     })?,
-    None => nitrokey::connect().map_err(|_| Error::from("Nitrokey device not found"))?,
+    None => manager
+      .connect()
+      .map_err(|_| Error::from("Nitrokey device not found"))?,
   };
 
   op(ctx, device)
@@ -78,8 +81,9 @@ where
 /// Connect to a Nitrokey Storage device and do something with it.
 fn with_storage_device<F>(ctx: &mut args::ExecCtx<'_>, op: F) -> Result<()>
 where
-  F: FnOnce(&mut args::ExecCtx<'_>, nitrokey::Storage) -> Result<()>,
+  F: FnOnce(&mut args::ExecCtx<'_>, nitrokey::Storage<'_>) -> Result<()>,
 {
+  let mut manager = nitrokey::take()?;
   set_log_level(ctx);
 
   if let Some(model) = ctx.model {
@@ -90,8 +94,9 @@ where
     }
   }
 
-  let device =
-    nitrokey::Storage::connect().map_err(|_| Error::from("Nitrokey Storage device not found"))?;
+  let device = manager
+    .connect_storage()
+    .map_err(|_| Error::from("Nitrokey Storage device not found"))?;
   op(ctx, device)
 }
 
@@ -99,7 +104,7 @@ where
 /// do something with it.
 fn with_password_safe<F>(ctx: &mut args::ExecCtx<'_>, mut op: F) -> Result<()>
 where
-  F: FnMut(&mut args::ExecCtx<'_>, nitrokey::PasswordSafe<'_>) -> Result<()>,
+  F: FnMut(&mut args::ExecCtx<'_>, nitrokey::PasswordSafe<'_, '_>) -> Result<()>,
 {
   with_device(ctx, |ctx, mut device| {
     let pin_entry = pinentry::PinEntry::from(pinentry::PinType::User, &device)?;
@@ -123,7 +128,7 @@ where
 /// Authenticate the given device using the given PIN type and operation.
 ///
 /// If an error occurs, the error message `msg` is used.
-fn authenticate<D, A, F>(
+fn authenticate<'mgr, D, A, F>(
   ctx: &mut args::ExecCtx<'_>,
   device: D,
   pin_type: pinentry::PinType,
@@ -131,7 +136,7 @@ fn authenticate<D, A, F>(
   op: F,
 ) -> Result<A>
 where
-  D: Device,
+  D: Device<'mgr>,
   F: FnMut(&mut args::ExecCtx<'_>, D, &str) -> result::Result<A, (D, nitrokey::Error)>,
 {
   let pin_entry = pinentry::PinEntry::from(pin_type, &device)?;
@@ -140,9 +145,12 @@ where
 }
 
 /// Authenticate the given device with the user PIN.
-fn authenticate_user<T>(ctx: &mut args::ExecCtx<'_>, device: T) -> Result<nitrokey::User<T>>
+fn authenticate_user<'mgr, T>(
+  ctx: &mut args::ExecCtx<'_>,
+  device: T,
+) -> Result<nitrokey::User<'mgr, T>>
 where
-  T: Device,
+  T: Device<'mgr>,
 {
   authenticate(
     ctx,
@@ -154,9 +162,12 @@ where
 }
 
 /// Authenticate the given device with the admin PIN.
-fn authenticate_admin<T>(ctx: &mut args::ExecCtx<'_>, device: T) -> Result<nitrokey::Admin<T>>
+fn authenticate_admin<'mgr, T>(
+  ctx: &mut args::ExecCtx<'_>,
+  device: T,
+) -> Result<nitrokey::Admin<'mgr, T>>
 where
-  T: Device,
+  T: Device<'mgr>,
 {
   authenticate(
     ctx,
@@ -322,7 +333,7 @@ fn print_storage_status(
 fn print_status(
   ctx: &mut args::ExecCtx<'_>,
   model: &'static str,
-  device: &nitrokey::DeviceWrapper,
+  device: &nitrokey::DeviceWrapper<'_>,
 ) -> Result<()> {
   let serial_number = device
     .get_serial_number()
@@ -700,7 +711,7 @@ pub fn otp_clear(
 fn print_otp_status(
   ctx: &mut args::ExecCtx<'_>,
   algorithm: args::OtpAlgorithm,
-  device: &nitrokey::DeviceWrapper,
+  device: &nitrokey::DeviceWrapper<'_>,
   all: bool,
 ) -> Result<()> {
   let mut slot: u8 = 0;
@@ -843,7 +854,7 @@ fn print_pws_data(
   Ok(())
 }
 
-fn check_slot(pws: &nitrokey::PasswordSafe<'_>, slot: u8) -> Result<()> {
+fn check_slot(pws: &nitrokey::PasswordSafe<'_, '_>, slot: u8) -> Result<()> {
   if slot >= nitrokey::SLOT_COUNT {
     return Err(nitrokey::Error::from(nitrokey::LibraryError::InvalidSlot).into());
   }
@@ -912,7 +923,7 @@ pub fn pws_clear(ctx: &mut args::ExecCtx<'_>, slot: u8) -> Result<()> {
 
 fn print_pws_slot(
   ctx: &mut args::ExecCtx<'_>,
-  pws: &nitrokey::PasswordSafe<'_>,
+  pws: &nitrokey::PasswordSafe<'_, '_>,
   slot: usize,
   programmed: bool,
 ) -> Result<()> {
diff --git a/nitrocli/src/pinentry.rs b/nitrocli/src/pinentry.rs
index 0733cd1..af28e2d 100644
--- a/nitrocli/src/pinentry.rs
+++ b/nitrocli/src/pinentry.rs
@@ -58,9 +58,9 @@ pub struct PinEntry {
 }
 
 impl PinEntry {
-  pub fn from<D>(pin_type: PinType, device: &D) -> crate::Result<Self>
+  pub fn from<'mgr, D>(pin_type: PinType, device: &D) -> crate::Result<Self>
   where
-    D: nitrokey::Device,
+    D: nitrokey::Device<'mgr>,
   {
     let model = device.get_model();
     let serial = device.get_serial_number()?;
@@ -131,9 +131,9 @@ pub struct PwdEntry {
 }
 
 impl PwdEntry {
-  pub fn from<D>(device: &D) -> crate::Result<Self>
+  pub fn from<'mgr, D>(device: &D) -> crate::Result<Self>
   where
-    D: nitrokey::Device,
+    D: nitrokey::Device<'mgr>,
   {
     let model = device.get_model();
     let serial = device.get_serial_number()?;
diff --git a/nitrocli/src/tests/config.rs b/nitrocli/src/tests/config.rs
index 8983cb8..ea3a0e8 100644
--- a/nitrocli/src/tests/config.rs
+++ b/nitrocli/src/tests/config.rs
@@ -20,7 +20,7 @@
 use super::*;
 
 #[test_device]
-fn get(device: nitrokey::DeviceWrapper) -> crate::Result<()> {
+fn get(model: nitrokey::Model) -> crate::Result<()> {
   let re = regex::Regex::new(
     r#"^Config:
   numlock binding:          (not set|\d+)
@@ -31,14 +31,14 @@ $"#,
   )
   .unwrap();
 
-  let out = Nitrocli::with_dev(device).handle(&["config", "get"])?;
+  let out = Nitrocli::with_model(model).handle(&["config", "get"])?;
   assert!(re.is_match(&out), out);
   Ok(())
 }
 
 #[test_device]
-fn set_wrong_usage(device: nitrokey::DeviceWrapper) {
-  let res = Nitrocli::with_dev(device).handle(&["config", "set", "--numlock", "2", "-N"]);
+fn set_wrong_usage(model: nitrokey::Model) {
+  let res = Nitrocli::with_model(model).handle(&["config", "set", "--numlock", "2", "-N"]);
   assert_eq!(
     res.unwrap_str_err(),
     "--numlock and --no-numlock are mutually exclusive"
@@ -46,8 +46,8 @@ fn set_wrong_usage(device: nitrokey::DeviceWrapper) {
 }
 
 #[test_device]
-fn set_get(device: nitrokey::DeviceWrapper) -> crate::Result<()> {
-  let mut ncli = Nitrocli::with_dev(device);
+fn set_get(model: nitrokey::Model) -> crate::Result<()> {
+  let mut ncli = Nitrocli::with_model(model);
   let _ = ncli.handle(&["config", "set", "-s", "1", "-c", "0", "-N"])?;
 
   let re = regex::Regex::new(
diff --git a/nitrocli/src/tests/encrypted.rs b/nitrocli/src/tests/encrypted.rs
index 8aef864..75b84c3 100644
--- a/nitrocli/src/tests/encrypted.rs
+++ b/nitrocli/src/tests/encrypted.rs
@@ -19,8 +19,8 @@
 
 use super::*;
 
-#[test_device]
-fn status_open_close(device: nitrokey::Storage) -> crate::Result<()> {
+#[test_device(storage)]
+fn status_open_close(model: nitrokey::Model) -> crate::Result<()> {
   fn make_re(open: Option<bool>) -> regex::Regex {
     let encrypted = match open {
       Some(open) => {
@@ -44,7 +44,7 @@ $"#,
     regex::Regex::new(&re).unwrap()
   }
 
-  let mut ncli = Nitrocli::with_dev(device);
+  let mut ncli = Nitrocli::with_model(model);
   let out = ncli.handle(&["status"])?;
   assert!(make_re(None).is_match(&out), out);
 
@@ -59,32 +59,37 @@ $"#,
   Ok(())
 }
 
-#[test_device]
-fn encrypted_open_on_pro(device: nitrokey::Pro) {
-  let res = Nitrocli::with_dev(device).handle(&["encrypted", "open"]);
+#[test_device(pro)]
+fn encrypted_open_on_pro(model: nitrokey::Model) {
+  let res = Nitrocli::with_model(model).handle(&["encrypted", "open"]);
   assert_eq!(
     res.unwrap_str_err(),
     "This command is only available on the Nitrokey Storage",
   );
 }
 
-#[test_device]
-fn encrypted_open_close(device: nitrokey::Storage) -> crate::Result<()> {
-  let mut ncli = Nitrocli::with_dev(device);
+#[test_device(storage)]
+fn encrypted_open_close(model: nitrokey::Model) -> crate::Result<()> {
+  let mut ncli = Nitrocli::with_model(model);
   let out = ncli.handle(&["encrypted", "open"])?;
   assert!(out.is_empty());
 
-  let device = nitrokey::Storage::connect()?;
-  assert!(device.get_status()?.encrypted_volume.active);
-  assert!(!device.get_status()?.hidden_volume.active);
-  drop(device);
+  {
+    let mut manager = nitrokey::force_take()?;
+    let device = manager.connect_storage()?;
+    assert!(device.get_status()?.encrypted_volume.active);
+    assert!(!device.get_status()?.hidden_volume.active);
+  }
 
   let out = ncli.handle(&["encrypted", "close"])?;
   assert!(out.is_empty());
 
-  let device = nitrokey::Storage::connect()?;
-  assert!(!device.get_status()?.encrypted_volume.active);
-  assert!(!device.get_status()?.hidden_volume.active);
+  {
+    let mut manager = nitrokey::force_take()?;
+    let device = manager.connect_storage()?;
+    assert!(!device.get_status()?.encrypted_volume.active);
+    assert!(!device.get_status()?.hidden_volume.active);
+  }
 
   Ok(())
 }
diff --git a/nitrocli/src/tests/hidden.rs b/nitrocli/src/tests/hidden.rs
index 483a801..28a5d23 100644
--- a/nitrocli/src/tests/hidden.rs
+++ b/nitrocli/src/tests/hidden.rs
@@ -19,26 +19,31 @@
 
 use super::*;
 
-#[test_device]
-fn hidden_create_open_close(device: nitrokey::Storage) -> crate::Result<()> {
-  let mut ncli = Nitrocli::with_dev(device);
+#[test_device(storage)]
+fn hidden_create_open_close(model: nitrokey::Model) -> crate::Result<()> {
+  let mut ncli = Nitrocli::with_model(model);
   let out = ncli.handle(&["hidden", "create", "0", "50", "100"])?;
   assert!(out.is_empty());
 
   let out = ncli.handle(&["hidden", "open"])?;
   assert!(out.is_empty());
 
-  let device = nitrokey::Storage::connect()?;
-  assert!(!device.get_status()?.encrypted_volume.active);
-  assert!(device.get_status()?.hidden_volume.active);
-  drop(device);
+  {
+    let mut manager = nitrokey::force_take()?;
+    let device = manager.connect_storage()?;
+    assert!(!device.get_status()?.encrypted_volume.active);
+    assert!(device.get_status()?.hidden_volume.active);
+  }
 
   let out = ncli.handle(&["hidden", "close"])?;
   assert!(out.is_empty());
 
-  let device = nitrokey::Storage::connect()?;
-  assert!(!device.get_status()?.encrypted_volume.active);
-  assert!(!device.get_status()?.hidden_volume.active);
+  {
+    let mut manager = nitrokey::force_take()?;
+    let device = manager.connect_storage()?;
+    assert!(!device.get_status()?.encrypted_volume.active);
+    assert!(!device.get_status()?.hidden_volume.active);
+  }
 
   Ok(())
 }
diff --git a/nitrocli/src/tests/lock.rs b/nitrocli/src/tests/lock.rs
index d23d2ae..5140152 100644
--- a/nitrocli/src/tests/lock.rs
+++ b/nitrocli/src/tests/lock.rs
@@ -19,24 +19,25 @@
 
 use super::*;
 
-#[test_device]
-fn lock_pro(device: nitrokey::Pro) -> crate::Result<()> {
+#[test_device(pro)]
+fn lock_pro(model: nitrokey::Model) -> crate::Result<()> {
   // We can't really test much more here than just success of the command.
-  let out = Nitrocli::with_dev(device).handle(&["lock"])?;
+  let out = Nitrocli::with_model(model).handle(&["lock"])?;
   assert!(out.is_empty());
 
   Ok(())
 }
 
-#[test_device]
-fn lock_storage(device: nitrokey::Storage) -> crate::Result<()> {
-  let mut ncli = Nitrocli::with_dev(device);
+#[test_device(storage)]
+fn lock_storage(model: nitrokey::Model) -> crate::Result<()> {
+  let mut ncli = Nitrocli::with_model(model);
   let _ = ncli.handle(&["encrypted", "open"])?;
 
   let out = ncli.handle(&["lock"])?;
   assert!(out.is_empty());
 
-  let device = nitrokey::Storage::connect()?;
+  let mut manager = nitrokey::force_take()?;
+  let device = manager.connect_storage()?;
   assert!(!device.get_status()?.encrypted_volume.active);
 
   Ok(())
diff --git a/nitrocli/src/tests/mod.rs b/nitrocli/src/tests/mod.rs
index e8af624..1e2fe26 100644
--- a/nitrocli/src/tests/mod.rs
+++ b/nitrocli/src/tests/mod.rs
@@ -97,21 +97,18 @@ impl Nitrocli {
     }
   }
 
-  pub fn with_dev<D>(device: D) -> Self
+  pub fn with_model<M>(model: M) -> Self
   where
-    D: nitrokey::Device,
+    M: Into<nitrokey::Model>,
   {
-    let result = Self {
-      model: Some(device.get_model()),
+    Self {
+      model: Some(model.into()),
       admin_pin: Some(nitrokey::DEFAULT_ADMIN_PIN.into()),
       user_pin: Some(nitrokey::DEFAULT_USER_PIN.into()),
       new_admin_pin: None,
       new_user_pin: None,
       password: Some("1234567".into()),
-    };
-
-    drop(device);
-    result
+    }
   }
 
   pub fn admin_pin(&mut self, pin: impl Into<ffi::OsString>) {
diff --git a/nitrocli/src/tests/otp.rs b/nitrocli/src/tests/otp.rs
index 2893e80..0ccecf9 100644
--- a/nitrocli/src/tests/otp.rs
+++ b/nitrocli/src/tests/otp.rs
@@ -22,8 +22,8 @@ use super::*;
 use crate::args;
 
 #[test_device]
-fn set_invalid_slot_raw(device: nitrokey::DeviceWrapper) {
-  let (rc, out, err) = Nitrocli::with_dev(device).run(&["otp", "set", "100", "name", "1234"]);
+fn set_invalid_slot_raw(model: nitrokey::Model) {
+  let (rc, out, err) = Nitrocli::with_model(model).run(&["otp", "set", "100", "name", "1234"]);
 
   assert_ne!(rc, 0);
   assert_eq!(out, b"");
@@ -31,8 +31,8 @@ fn set_invalid_slot_raw(device: nitrokey::DeviceWrapper) {
 }
 
 #[test_device]
-fn set_invalid_slot(device: nitrokey::DeviceWrapper) {
-  let res = Nitrocli::with_dev(device).handle(&["otp", "set", "100", "name", "1234"]);
+fn set_invalid_slot(model: nitrokey::Model) {
+  let res = Nitrocli::with_model(model).handle(&["otp", "set", "100", "name", "1234"]);
 
   assert_eq!(
     res.unwrap_lib_err(),
@@ -44,14 +44,14 @@ fn set_invalid_slot(device: nitrokey::DeviceWrapper) {
 }
 
 #[test_device]
-fn status(device: nitrokey::DeviceWrapper) -> crate::Result<()> {
+fn status(model: nitrokey::Model) -> crate::Result<()> {
   let re = regex::Regex::new(
     r#"^alg\tslot\tname
 ((totp|hotp)\t\d+\t.+\n)+$"#,
   )
   .unwrap();
 
-  let mut ncli = Nitrocli::with_dev(device);
+  let mut ncli = Nitrocli::with_model(model);
   // Make sure that we have at least something to display by ensuring
   // that there is one slot programmed.
   let _ = ncli.handle(&["otp", "set", "0", "the-name", "123456"])?;
@@ -62,14 +62,14 @@ fn status(device: nitrokey::DeviceWrapper) -> crate::Result<()> {
 }
 
 #[test_device]
-fn set_get_hotp(device: nitrokey::DeviceWrapper) -> crate::Result<()> {
+fn set_get_hotp(model: nitrokey::Model) -> crate::Result<()> {
   // Secret and expected HOTP values as per RFC 4226: Appendix D -- HOTP
   // Algorithm: Test Values.
   const SECRET: &str = "12345678901234567890";
   const OTP1: &str = concat!(755224, "\n");
   const OTP2: &str = concat!(287082, "\n");
 
-  let mut ncli = Nitrocli::with_dev(device);
+  let mut ncli = Nitrocli::with_model(model);
   let _ = ncli.handle(&[
     "otp", "set", "-a", "hotp", "-f", "ascii", "1", "name", &SECRET,
   ])?;
@@ -83,14 +83,14 @@ fn set_get_hotp(device: nitrokey::DeviceWrapper) -> crate::Result<()> {
 }
 
 #[test_device]
-fn set_get_totp(device: nitrokey::DeviceWrapper) -> crate::Result<()> {
+fn set_get_totp(model: nitrokey::Model) -> crate::Result<()> {
   // Secret and expected TOTP values as per RFC 6238: Appendix B --
   // Test Vectors.
   const SECRET: &str = "12345678901234567890";
   const TIME: &str = stringify!(1111111111);
   const OTP: &str = concat!(14050471, "\n");
 
-  let mut ncli = Nitrocli::with_dev(device);
+  let mut ncli = Nitrocli::with_model(model);
   let _ = ncli.handle(&["otp", "set", "-d", "8", "-f", "ascii", "2", "name", &SECRET])?;
 
   let out = ncli.handle(&["otp", "get", "-t", TIME, "2"])?;
@@ -99,22 +99,22 @@ fn set_get_totp(device: nitrokey::DeviceWrapper) -> crate::Result<()> {
 }
 
 #[test_device]
-fn set_totp_uneven_chars(device: nitrokey::DeviceWrapper) -> crate::Result<()> {
+fn set_totp_uneven_chars(model: nitrokey::Model) -> crate::Result<()> {
   let secrets = [
     (args::OtpSecretFormat::Hex, "123"),
     (args::OtpSecretFormat::Base32, "FBILDWWGA2"),
   ];
 
-  let mut ncli = Nitrocli::with_dev(device);
   for (format, secret) in &secrets {
+    let mut ncli = Nitrocli::with_model(model);
     let _ = ncli.handle(&["otp", "set", "-f", format.as_ref(), "3", "foobar", &secret])?;
   }
   Ok(())
 }
 
 #[test_device]
-fn clear(device: nitrokey::DeviceWrapper) -> crate::Result<()> {
-  let mut ncli = Nitrocli::with_dev(device);
+fn clear(model: nitrokey::Model) -> crate::Result<()> {
+  let mut ncli = Nitrocli::with_model(model);
   let _ = ncli.handle(&["otp", "set", "3", "hotp-test", "abcdef"])?;
   let _ = ncli.handle(&["otp", "clear", "3"])?;
   let res = ncli.handle(&["otp", "get", "3"]);
diff --git a/nitrocli/src/tests/pin.rs b/nitrocli/src/tests/pin.rs
index e4cd316..958a36d 100644
--- a/nitrocli/src/tests/pin.rs
+++ b/nitrocli/src/tests/pin.rs
@@ -23,40 +23,48 @@ use nitrokey::Device;
 use super::*;
 
 #[test_device]
-fn unblock(device: nitrokey::DeviceWrapper) -> crate::Result<()> {
-  let (device, err) = device.authenticate_user("wrong-pin").unwrap_err();
-  match err {
-    nitrokey::Error::CommandError(err) if err == nitrokey::CommandError::WrongPassword => (),
-    _ => panic!("Unexpected error variant found: {:?}", err),
+fn unblock(model: nitrokey::Model) -> crate::Result<()> {
+  {
+    let mut manager = nitrokey::force_take()?;
+    let device = manager.connect_model(model)?;
+    let (device, err) = device.authenticate_user("wrong-pin").unwrap_err();
+    match err {
+      nitrokey::Error::CommandError(err) if err == nitrokey::CommandError::WrongPassword => (),
+      _ => panic!("Unexpected error variant found: {:?}", err),
+    }
+    assert!(device.get_user_retry_count()? < 3);
   }
-  assert!(device.get_user_retry_count()? < 3);
 
-  let model = device.get_model();
-  let _ = Nitrocli::with_dev(device).handle(&["pin", "unblock"])?;
-  let device = nitrokey::connect_model(model)?;
-  assert_eq!(device.get_user_retry_count()?, 3);
+  let _ = Nitrocli::with_model(model).handle(&["pin", "unblock"])?;
+
+  {
+    let mut manager = nitrokey::force_take()?;
+    let device = manager.connect_model(model)?;
+    assert_eq!(device.get_user_retry_count()?, 3);
+  }
   Ok(())
 }
 
 #[test_device]
-fn set_user(device: nitrokey::DeviceWrapper) -> crate::Result<()> {
-  let mut ncli = Nitrocli::with_dev(device);
-
+fn set_user(model: nitrokey::Model) -> crate::Result<()> {
+  let mut ncli = Nitrocli::with_model(model);
   // Set a new user PIN.
   ncli.new_user_pin("new-pin");
   let out = ncli.handle(&["pin", "set", "user"])?;
   assert!(out.is_empty());
 
-  let device = nitrokey::connect_model(ncli.model().unwrap())?;
-  let (device, err) = device
-    .authenticate_user(nitrokey::DEFAULT_USER_PIN)
-    .unwrap_err();
+  {
+    let mut manager = nitrokey::force_take()?;
+    let device = manager.connect_model(model)?;
+    let (_, err) = device
+      .authenticate_user(nitrokey::DEFAULT_USER_PIN)
+      .unwrap_err();
 
-  match err {
-    nitrokey::Error::CommandError(err) if err == nitrokey::CommandError::WrongPassword => (),
-    _ => panic!("Unexpected error variant found: {:?}", err),
+    match err {
+      nitrokey::Error::CommandError(err) if err == nitrokey::CommandError::WrongPassword => (),
+      _ => panic!("Unexpected error variant found: {:?}", err),
+    }
   }
-  drop(device);
 
   // Revert to the default user PIN.
   ncli.user_pin("new-pin");
@@ -65,9 +73,12 @@ fn set_user(device: nitrokey::DeviceWrapper) -> crate::Result<()> {
   let out = ncli.handle(&["pin", "set", "user"])?;
   assert!(out.is_empty());
 
-  let device = nitrokey::connect_model(ncli.model().unwrap())?;
-  let _ = device
-    .authenticate_user(nitrokey::DEFAULT_USER_PIN)
-    .unwrap();
+  {
+    let mut manager = nitrokey::force_take()?;
+    let device = manager.connect_model(ncli.model().unwrap())?;
+    let _ = device
+      .authenticate_user(nitrokey::DEFAULT_USER_PIN)
+      .unwrap();
+  }
   Ok(())
 }
diff --git a/nitrocli/src/tests/pws.rs b/nitrocli/src/tests/pws.rs
index 9468dcf..651b2d5 100644
--- a/nitrocli/src/tests/pws.rs
+++ b/nitrocli/src/tests/pws.rs
@@ -20,8 +20,8 @@
 use super::*;
 
 #[test_device]
-fn set_invalid_slot(device: nitrokey::DeviceWrapper) {
-  let res = Nitrocli::with_dev(device).handle(&["pws", "set", "100", "name", "login", "1234"]);
+fn set_invalid_slot(model: nitrokey::Model) {
+  let res = Nitrocli::with_model(model).handle(&["pws", "set", "100", "name", "login", "1234"]);
 
   assert_eq!(
     res.unwrap_lib_err(),
@@ -33,14 +33,14 @@ fn set_invalid_slot(device: nitrokey::DeviceWrapper) {
 }
 
 #[test_device]
-fn status(device: nitrokey::DeviceWrapper) -> crate::Result<()> {
+fn status(model: nitrokey::Model) -> crate::Result<()> {
   let re = regex::Regex::new(
     r#"^slot\tname
 (\d+\t.+\n)+$"#,
   )
   .unwrap();
 
-  let mut ncli = Nitrocli::with_dev(device);
+  let mut ncli = Nitrocli::with_model(model);
   // Make sure that we have at least something to display by ensuring
   // that there are there is one slot programmed.
   let _ = ncli.handle(&["pws", "set", "0", "the-name", "the-login", "123456"])?;
@@ -51,12 +51,12 @@ fn status(device: nitrokey::DeviceWrapper) -> crate::Result<()> {
 }
 
 #[test_device]
-fn set_get(device: nitrokey::DeviceWrapper) -> crate::Result<()> {
+fn set_get(model: nitrokey::Model) -> crate::Result<()> {
   const NAME: &str = "dropbox";
   const LOGIN: &str = "d-e-s-o";
   const PASSWORD: &str = "my-secret-password";
 
-  let mut ncli = Nitrocli::with_dev(device);
+  let mut ncli = Nitrocli::with_model(model);
   let _ = ncli.handle(&["pws", "set", "1", &NAME, &LOGIN, &PASSWORD])?;
 
   let out = ncli.handle(&["pws", "get", "1", "--quiet", "--name"])?;
@@ -83,12 +83,12 @@ fn set_get(device: nitrokey::DeviceWrapper) -> crate::Result<()> {
 }
 
 #[test_device]
-fn set_reset_get(device: nitrokey::DeviceWrapper) -> crate::Result<()> {
+fn set_reset_get(model: nitrokey::Model) -> crate::Result<()> {
   const NAME: &str = "some/svc";
   const LOGIN: &str = "a\\user";
   const PASSWORD: &str = "!@&-)*(&+%^@";
 
-  let mut ncli = Nitrocli::with_dev(device);
+  let mut ncli = Nitrocli::with_model(model);
   let _ = ncli.handle(&["pws", "set", "2", &NAME, &LOGIN, &PASSWORD])?;
 
   let out = ncli.handle(&["reset"])?;
@@ -106,8 +106,8 @@ fn set_reset_get(device: nitrokey::DeviceWrapper) -> crate::Result<()> {
 }
 
 #[test_device]
-fn clear(device: nitrokey::DeviceWrapper) -> crate::Result<()> {
-  let mut ncli = Nitrocli::with_dev(device);
+fn clear(model: nitrokey::Model) -> crate::Result<()> {
+  let mut ncli = Nitrocli::with_model(model);
   let _ = ncli.handle(&["pws", "set", "10", "clear-test", "some-login", "abcdef"])?;
   let _ = ncli.handle(&["pws", "clear", "10"])?;
   let res = ncli.handle(&["pws", "get", "10"]);
diff --git a/nitrocli/src/tests/reset.rs b/nitrocli/src/tests/reset.rs
index f9452ec..e197970 100644
--- a/nitrocli/src/tests/reset.rs
+++ b/nitrocli/src/tests/reset.rs
@@ -23,32 +23,38 @@ use nitrokey::GetPasswordSafe;
 use super::*;
 
 #[test_device]
-fn reset(device: nitrokey::DeviceWrapper) -> crate::Result<()> {
+fn reset(model: nitrokey::Model) -> crate::Result<()> {
   let new_admin_pin = "87654321";
-  let mut ncli = Nitrocli::with_dev(device);
+  let mut ncli = Nitrocli::with_model(model);
 
   // Change the admin PIN.
   ncli.new_admin_pin(new_admin_pin);
   let _ = ncli.handle(&["pin", "set", "admin"])?;
 
-  // Check that the admin PIN has been changed.
-  let device = nitrokey::connect_model(ncli.model().unwrap())?;
-  let _ = device.authenticate_admin(new_admin_pin).unwrap();
+  {
+    let mut manager = nitrokey::force_take()?;
+    // Check that the admin PIN has been changed.
+    let device = manager.connect_model(ncli.model().unwrap())?;
+    let _ = device.authenticate_admin(new_admin_pin).unwrap();
+  }
 
   // Perform factory reset
   ncli.admin_pin(new_admin_pin);
   let out = ncli.handle(&["reset"])?;
   assert!(out.is_empty());
 
-  // Check that the admin PIN has been reset.
-  let device = nitrokey::connect_model(ncli.model().unwrap())?;
-  let mut device = device
-    .authenticate_admin(nitrokey::DEFAULT_ADMIN_PIN)
-    .unwrap();
-
-  // Check that the password store works, i.e., the AES key has been
-  // built.
-  let _ = device.get_password_safe(nitrokey::DEFAULT_USER_PIN)?;
+  {
+    let mut manager = nitrokey::force_take()?;
+    // Check that the admin PIN has been reset.
+    let device = manager.connect_model(ncli.model().unwrap())?;
+    let mut device = device
+      .authenticate_admin(nitrokey::DEFAULT_ADMIN_PIN)
+      .unwrap();
+
+    // Check that the password store works, i.e., the AES key has been
+    // built.
+    let _ = device.get_password_safe(nitrokey::DEFAULT_USER_PIN)?;
+  }
 
   Ok(())
 }
diff --git a/nitrocli/src/tests/status.rs b/nitrocli/src/tests/status.rs
index 7aac5ad..c9f4976 100644
--- a/nitrocli/src/tests/status.rs
+++ b/nitrocli/src/tests/status.rs
@@ -36,31 +36,31 @@ fn not_found() {
   assert_eq!(res.unwrap_str_err(), "Nitrokey device not found");
 }
 
-#[test_device]
-fn output_pro(device: nitrokey::Pro) -> crate::Result<()> {
+#[test_device(pro)]
+fn output_pro(model: nitrokey::Model) -> crate::Result<()> {
   let re = regex::Regex::new(
     r#"^Status:
   model:             Pro
   serial number:     0x[[:xdigit:]]{8}
-  firmware version:  \d+\.\d+
+  firmware version:  v\d+\.\d+
   user retry count:  [0-3]
   admin retry count: [0-3]
 $"#,
   )
   .unwrap();
 
-  let out = Nitrocli::with_dev(device).handle(&["status"])?;
+  let out = Nitrocli::with_model(model).handle(&["status"])?;
   assert!(re.is_match(&out), out);
   Ok(())
 }
 
-#[test_device]
-fn output_storage(device: nitrokey::Storage) -> crate::Result<()> {
+#[test_device(storage)]
+fn output_storage(model: nitrokey::Model) -> crate::Result<()> {
   let re = regex::Regex::new(
     r#"^Status:
   model:             Storage
   serial number:     0x[[:xdigit:]]{8}
-  firmware version:  \d+\.\d+
+  firmware version:  v\d+\.\d+
   user retry count:  [0-3]
   admin retry count: [0-3]
   Storage:
@@ -75,7 +75,7 @@ $"#,
   )
   .unwrap();
 
-  let out = Nitrocli::with_dev(device).handle(&["status"])?;
+  let out = Nitrocli::with_model(model).handle(&["status"])?;
   assert!(re.is_match(&out), out);
   Ok(())
 }
diff --git a/nitrocli/src/tests/unencrypted.rs b/nitrocli/src/tests/unencrypted.rs
index c976f50..547dcaf 100644
--- a/nitrocli/src/tests/unencrypted.rs
+++ b/nitrocli/src/tests/unencrypted.rs
@@ -19,23 +19,28 @@
 
 use super::*;
 
-#[test_device]
-fn unencrypted_set_read_write(device: nitrokey::Storage) -> crate::Result<()> {
-  let mut ncli = Nitrocli::with_dev(device);
+#[test_device(storage)]
+fn unencrypted_set_read_write(model: nitrokey::Model) -> crate::Result<()> {
+  let mut ncli = Nitrocli::with_model(model);
   let out = ncli.handle(&["unencrypted", "set", "read-write"])?;
   assert!(out.is_empty());
 
-  let device = nitrokey::Storage::connect()?;
-  assert!(device.get_status()?.unencrypted_volume.active);
-  assert!(!device.get_status()?.unencrypted_volume.read_only);
-  drop(device);
+  {
+    let mut manager = nitrokey::force_take()?;
+    let device = manager.connect_storage()?;
+    assert!(device.get_status()?.unencrypted_volume.active);
+    assert!(!device.get_status()?.unencrypted_volume.read_only);
+  }
 
   let out = ncli.handle(&["unencrypted", "set", "read-only"])?;
   assert!(out.is_empty());
 
-  let device = nitrokey::Storage::connect()?;
-  assert!(device.get_status()?.unencrypted_volume.active);
-  assert!(device.get_status()?.unencrypted_volume.read_only);
+  {
+    let mut manager = nitrokey::force_take()?;
+    let device = manager.connect_storage()?;
+    assert!(device.get_status()?.unencrypted_volume.active);
+    assert!(device.get_status()?.unencrypted_volume.read_only);
+  }
 
   Ok(())
 }