From 2051e24863a1bbef268be75afdf5bdb06bbac870 Mon Sep 17 00:00:00 2001
From: Juergen Hoetzel
Date: Sun, 2 Jan 2022 15:56:23 +0100
Subject: [PATCH] Add support for reading AES backend password from external command

Fixes #362
---
 cfg/aesbackend.go         | 16 ++++++++++++++++
 docs/config_encryption.md |  7 ++++++-
 2 files changed, 22 insertions(+), 1 deletion(-)

diff --git a/cfg/aesbackend.go b/cfg/aesbackend.go
index b07ced8d..54ebac49 100644
--- a/cfg/aesbackend.go
+++ b/cfg/aesbackend.go
@@ -31,6 +31,9 @@ import (
 	"os"
 	"path/filepath"
 
+	"os/exec"
+	"strings"
+
 	"golang.org/x/crypto/scrypt"
 )
 
@@ -38,6 +41,10 @@ import (
 // contain the configuration password.
 const PasswordEnvVar = "BEEHIVE_CONFIG_PASSWORD"
 
+// PasswordCmdEnvVar defines the environment variable name that should
+// contain the external command to get the configuration password
+const PasswordCmdEnvVar = "BEEHIVE_CONFIG_PASSWORD_COMMAND"
+
 // EncryptedHeaderPrefix is added to the encrypted configuration
 // to make it possible to detect it's an encrypted configuration file
 const EncryptedHeaderPrefix = "beehiveconf+"
@@ -227,6 +234,15 @@ func getPassword(u *url.URL) (string, error) {
 	if p != "" {
 		return p, nil
 	}
+	if cmd := os.Getenv(PasswordCmdEnvVar); cmd != "" {
+		args := strings.Split(cmd, " ")
+		cmd := exec.Command(args[0], args[1:]...)
+		output, err := cmd.Output()
+		if err != nil {
+			return "", err
+		}
+		return strings.TrimSpace(string(output)), nil
+	}
 
 	if u != nil && u.User != nil {
 		p = u.User.Username()
diff --git a/docs/config_encryption.md b/docs/config_encryption.md
index 47a88ac9..3ce3e946 100644
--- a/docs/config_encryption.md
+++ b/docs/config_encryption.md
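Review bot: The added `"os/exec"` and `"strings"` imports are standard library but are placed in their own group between the stdlib group and `golang.org/x/crypto/scrypt`, so goimports would move them on the next save. The conventional layout is one sorted stdlib group, `"os"`, `"os/exec"`, `"path/filepath"`, `"strings"`, then the blank line and the x/crypto import. This is style only; the file compiles either way.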
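Review bot: The doc comment on PasswordCmdEnvVar does not say how the command string is interpreted, which matters because the getPassword hunk in this same patch splits the value on single spaces and runs it without a shell, so quoting and program paths containing spaces are not supported. Suggested wording: `// PasswordCmdEnvVar names the environment variable holding an external command whose` / `// standard output (surrounding whitespace trimmed) is used as the configuration password.` / `// The value is split on spaces into program and arguments; no shell quoting is interpreted.` The variable is also consulted only after the `p != ""` early return in getPassword, which appears to be the PasswordEnvVar lookup, so stating that precedence here documents it in one place.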
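Review bot: In the new branch of getPassword, a command that succeeds but prints nothing (or only whitespace) returns `"", nil`, so a misconfigured command is indistinguishable from an empty password and the `u.User` fallback below is never reached; an explicit error for empty output would make that failure visible. `strings.Split(cmd, " ")` turns a doubled or leading space into an empty argument handed to the program, where `strings.Fields` would not, and a failing command surfaces only as `exit status N` because `Output()` keeps stderr in `*exec.ExitError` rather than in the message, so wrapping the error with the variable name helps diagnosis. The inner `cmd := exec.Command(...)` also shadows the string `cmd` declared in the if header, which compiles but reads confusingly. The rewrite below assumes `fmt` is imported in the part of the import block this patch does not show; getPassword continues past the end of the hunk.
```go
	if cmdline := os.Getenv(PasswordCmdEnvVar); cmdline != "" {
		// Whitespace-separated program and arguments; no shell, so no quoting.
		args := strings.Fields(cmdline)
		if len(args) == 0 {
			return "", fmt.Errorf("%s is set but contains no command", PasswordCmdEnvVar)
		}
		output, err := exec.Command(args[0], args[1:]...).Output()
		if err != nil {
			return "", fmt.Errorf("running %s command: %w", PasswordCmdEnvVar, err)
		}
		if p = strings.TrimSpace(string(output)); p == "" {
			return "", fmt.Errorf("%s command produced no output", PasswordCmdEnvVar)
		}
		return p, nil
	}
	// … unchanged: fallback to the URL user info …
```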
@@ -29,7 +29,12 @@ Will happily detect and load an encrypted configuration file.
 
 ## Using user keyrings to store the password
 
-A sample wrapper script (Linux only) is provided in [tools/encrypted-config-wrapper] that will read the configuration password from the sessions's keyring.
+You can also set the `BEEHIVE_CONFIG_PASSWORD_COMMAND` environment variable to automatically retrieve the password from an external command.
+For example this environment setting will retrieve the password using the Secret Service API (Gnome Keyring):
+
+```
+export BEEHIVE_CONFIG_PASSWORD_COMMAND="secret-tool lookup user behive"
+```
 
 Something similar could be written to do it on macOS using Keychain and its `security(1)` CLI.
 