From 2a81ea69f03b323ee526a4017463daf5aac056f1 Mon Sep 17 00:00:00 2001
From: Tim Hockin
Date: Mon, 5 Jul 2021 15:49:18 -0700
Subject: [PATCH] Add option to read passwd from file

This is a port of #431. A new flag `--password-file` is added. This allows git-sync to read password from file and this is considered as safer than reading from env or flag directly. Few more checks are added as well: 1. `--password` and `--password-file` can't be specified at the same time. 2. If `--username` is specified, then one of `--password` or `--password-file` must be specified.
---
 README.md | 3 ++-
 cmd/git-sync/main.go | 27 +++++++++++++++++++++++++--
 2 files changed, 27 insertions(+), 3 deletions(-)

diff --git a/README.md b/README.md
index 5d1ea06..459a1be 100644
--- a/README.md
+++ b/README.md
@@ -107,7 +107,8 @@ docker run -d \
 | GIT_SYNC_WEBHOOK_TIMEOUT | `--webhook-timeout` | the timeout for the webhook | 1 (second) |
 | GIT_SYNC_WEBHOOK_BACKOFF | `--webhook-backoff` | the time to wait before retrying a failed webhook | 3 (seconds) |
 | GIT_SYNC_USERNAME | `--username` | the username to use for git auth | "" |
-| GIT_SYNC_PASSWORD | `--password` | the password or [personal access token](https://docs.github.com/en/free-pro-team@latest/github/authenticating-to-github/creating-a-personal-access-token) to use for git auth. (users should prefer env vars for passwords) | "" |
+| GIT_SYNC_PASSWORD | `--password` | the password or [personal access token](https://docs.github.com/en/free-pro-team@latest/github/authenticating-to-github/creating-a-personal-access-token) to use for git auth. (users should prefer --password-file or env vars for passwords) | "" |
+| GIT_SYNC_PASSWORD_FILE | `--password-file` | the path to password file which contains password or personal access token (see --password) | "" |
 | GIT_SYNC_SSH | `--ssh` | use SSH for git operations | false |
 | GIT_SSH_KEY_FILE | `--ssh-key-file` | the SSH key to use | "/etc/git-secret/ssh" |
 | GIT_KNOWN_HOSTS | `--ssh-known-hosts` | enable SSH known_hosts verification | true |
diff --git a/cmd/git-sync/main.go b/cmd/git-sync/main.go
index 8a8dcbf..9990ccd 100644
--- a/cmd/git-sync/main.go
+++ b/cmd/git-sync/main.go
@@ -42,6 +42,7 @@ import (
 "github.com/go-logr/logr"
 "github.com/prometheus/client_golang/prometheus"
 "github.com/prometheus/client_golang/prometheus/promhttp"
+ "github.com/spf13/pflag"
 "k8s.io/git-sync/pkg/pid1"
 "k8s.io/git-sync/pkg/version"
 )
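Review bot: The new import brings in `github.com/spf13/pflag` under its own name, yet the only option it serves, `flPasswordFile` in the -95 hunk, is the single flag in the file declared with `pflag.String` while every sibling uses `flag.String`. If `flag` in this file is the standard library, `pflag.String` registers on pflag.CommandLine, which `flag.Parse` never visits, so `--password-file` would never be populated from the command line; if `flag` is already an alias for pflag (the top of the import block is outside the hunk), the second import is merely redundant. Either way `var flPasswordFile = flag.String("password-file", envString("GIT_SYNC_PASSWORD_FILE", ""),` with the same help string keeps the declaration consistent with its neighbours and lets this import be dropped.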
@@ -95,7 +96,9 @@ var flWebhookBackoff = flag.Duration("webhook-backoff", envDuration("GIT_SYNC_WE
 var flUsername = flag.String("username", envString("GIT_SYNC_USERNAME", ""),
 "the username to use for git auth")
 var flPassword = flag.String("password", envString("GIT_SYNC_PASSWORD", ""),
- "the password to use for git auth (users should prefer env vars for passwords)")
+ "the password to use for git auth (prefer --password-file or this env var)")
+var flPasswordFile = pflag.String("password-file", envString("GIT_SYNC_PASSWORD_FILE", ""),
+ "the file from which the password or personal access token for git auth will be sourced")
 var flSSH = flag.Bool("ssh", envBool("GIT_SYNC_SSH", false),
 "use SSH for git operations")
@@ -402,6 +405,15 @@ func main() {
 handleError(false, "ERROR: git executable %q not found: %v", *flGitCmd, err)
 }
+ if *flPassword != "" && *flPasswordFile != "" {
+ handleError(false, "ERROR: only one of --password and --password-file may be specified")
+ }
+ if *flUsername != "" {
+ if *flPassword == "" && *flPasswordFile == "" {
+ handleError(true, "ERROR: --password or --password-file must be set when --username is specified")
+ }
+ }
+
 if *flSSH {
 if *flUsername != "" {
 handleError(false, "ERROR: only one of --ssh and --username may be specified")
@@ -409,6 +421,9 @@ func main() {
 if *flPassword != "" {
 handleError(false, "ERROR: only one of --ssh and --password may be specified")
 }
+ if *flPasswordFile != "" {
+ handleError(false, "ERROR: only one of --ssh and --password-file may be specified")
+ }
 if *flAskPassURL != "" {
 handleError(false, "ERROR: only one of --ssh and --askpass-url may be specified")
 }
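Review bot: The new username-requires-password check in the -402 hunk sits above the existing `if *flSSH` block, so `--ssh --username foo` now dies with "--password or --password-file must be set when --username is specified" instead of the accurate "only one of --ssh and --username may be specified" conflict message (assuming handleError exits, as its use for the missing git executable suggests). Moving the new `if *flUsername != "" {` block below the ssh exclusions, or guarding it with `!*flSSH`, keeps the diagnostic correct. That check also passes `true` to handleError where every sibling in this hunk and the -409 hunk passes `false`; if that argument selects usage printing, the difference looks unintentional. main continues outside the hunk.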
@@ -435,7 +450,15 @@ func main() {
 // `git clone`, so initTimeout set to 30 seconds should be enough.
 ctx, cancel := context.WithTimeout(context.Background(), initTimeout)
- if *flUsername != "" && *flPassword != "" {
+ if *flUsername != "" {
+ if *flPasswordFile != "" {
+ passwordFileBytes, err := ioutil.ReadFile(*flPasswordFile)
+ if err != nil {
+ log.Error(err, "ERROR: can't read password file")
+ os.Exit(1)
+ }
+ *flPassword = string(passwordFileBytes)
+ }
 if err := setupGitAuth(ctx, *flUsername, *flPassword, *flRepo); err != nil {
 handleError(false, "ERROR: can't create .netrc file: %v", err)
 }
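Review bot: The file contents are assigned verbatim in `*flPassword = string(passwordFileBytes)`, so a trailing newline — which editors and `echo` leave in a secret file — becomes part of the credential handed to setupGitAuth and written into .netrc; trim it with `*flPassword = strings.TrimRight(string(passwordFileBytes), "\r\n")` and reject an empty result, since an empty file currently proceeds silently with no password. The read failure is reported via `log.Error` plus `os.Exit(1)` while every neighbouring failure goes through handleError; `handleError(false, "ERROR: can't read password file %q: %v", *flPasswordFile, err)` keeps the exit path uniform and names the file (strings is presumably already imported; os.ReadFile can replace the deprecated ioutil.ReadFile if the module targets Go 1.16 or later). A cheap defensive addition is an os.Stat check that the file is not group- or world-readable, logging a warning rather than failing. main continues outside the hunk.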