From 18947d3e37074211df25e91f6404b3af7e66034d Mon Sep 17 00:00:00 2001 From: Tim Hockin Date: Mon, 5 Jul 2021 15:39:56 -0700 Subject: [PATCH] Small nits I found with password-fil while porting Forgot the manual entry for it, tweaked some words. --- cmd/git-sync/main.go | 45 +++++++++++++++++++++++++------------------- 1 file changed, 26 insertions(+), 19 deletions(-) diff --git a/cmd/git-sync/main.go b/cmd/git-sync/main.go index 872ce92..9de3ff4 100644 --- a/cmd/git-sync/main.go +++ b/cmd/git-sync/main.go @@ -101,7 +101,7 @@ var flWebhookBackoff = pflag.Duration("webhook-backoff", envDuration("GIT_SYNC_W var flUsername = pflag.String("username", envString("GIT_SYNC_USERNAME", ""), "the username to use for git auth") var flPassword = pflag.String("password", envString("GIT_SYNC_PASSWORD", ""), - "the password or personal access token to use for git auth (prefer env vars for passwords)") + "the password or personal access token to use for git auth (prefer --password-file or this env var)") var flPasswordFile = pflag.String("password-file", envString("GIT_SYNC_PASSWORD_FILE", ""), "the file from which the password or personal access token for git auth will be sourced") @@ -468,6 +468,15 @@ func main() { } } + if *flPassword != "" && *flPasswordFile != "" { + handleError(false, "ERROR: only one of --password and --password-file may be specified") + } + if *flUsername != "" { + if *flPassword == "" && *flPasswordFile == "" { + handleError(true, "ERROR: --password or --password-file must be set when --username is specified") + } + } + if *flSSH { if *flUsername != "" { handleError(false, "ERROR: only one of --ssh and --username may be specified") 
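Review bot: The relocated validation in main() (hunk at -468) still accepts --password or --password-file when --username is empty, and judging by the later hunk at -561 the password file is only read inside `if *flUsername != ""`, so such a credential appears to be silently ignored rather than rejected. Consider refusing that combination here too, e.g. `if *flUsername == "" && (*flPassword != "" || *flPasswordFile != "") { handleError(false, "ERROR: --username must be set when --password or --password-file is specified") }`. The two handleError calls in this block also pass different first arguments (false, then true); handleError is not visible on this page, so a one-line comment explaining the difference would help the next reader. main() starts and ends outside the hunk.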
@@ -494,15 +503,6 @@ func main() { } } - if *flPassword != "" && *flPasswordFile != "" { - handleError(false, "ERROR: only one of --password and --password-file may be specified") - } - if *flUsername != "" { - if *flPassword == "" && *flPasswordFile == "" { - handleError(true, "ERROR: --password or --password-file must be set when --username is specified") - } - } - // From here on, output goes through logging. log.V(0).Info("starting up", "pid", os.Getpid(), @@ -561,12 +561,12 @@ func main() { if *flUsername != "" { if *flPasswordFile != "" { - flPasswordFileBytes, err := ioutil.ReadFile(*flPasswordFile) + passwordFileBytes, err := ioutil.ReadFile(*flPasswordFile) if err != nil { log.Error(err, "ERROR: can't read password file") os.Exit(1) } - *flPassword = string(flPasswordFileBytes) + *flPassword = string(passwordFileBytes) } if err := git.SetupAuth(ctx, *flUsername, *flPassword); err != nil { log.Error(err, "ERROR: can't set up git auth") @@ -1733,8 +1733,13 @@ OPTIONS --password , $GIT_SYNC_PASSWORD The password or personal access token (see github docs) to use for git authentication (see --username). NOTE: for security reasons, - users should prefer the environment variable for specifying the - password. + users should prefer --password-file or $GIT_SYNC_PASSWORD for + specifying the password. + + --password-file , $GIT_SYNC_PASSWORD + The file from which the password or personal access token (see + github docs) to use for git authentication (see --username) will be + sourced. --period , $GIT_SYNC_PERIOD How long to wait between sync attempts. This must be at least @@ -1787,7 +1792,8 @@ OPTIONS it will take precedence. (default: 120s) --username , $GIT_SYNC_USERNAME - The username to use for git authentication (see --password). + The username to use for git authentication (see --password-file or + --password). -v, --verbose Set the log verbosity level. Logs at this level and lower will be 
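Review bot: In the hunk at -561 the bytes read from --password-file are assigned to `*flPassword` verbatim, so a trailing newline left by an editor or `echo` becomes part of the value handed to git.SetupAuth; how SetupAuth treats it is not visible here. Consider stripping the line ending, `*flPassword = strings.TrimRight(string(passwordFileBytes), "\r\n")`, assuming `strings` is already imported in main.go. The read-failure log could also name the file, `log.Error(err, "ERROR: can't read password file", "file", *flPasswordFile)`, if Error accepts key/value pairs the way the Info call above does; the path is not secret and a wrong mount path is a likely cause. The enclosing `if *flUsername != ""` block continues outside the hunk.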
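Review bot: The new manual entry for --password-file (hunk at -1733) names `$GIT_SYNC_PASSWORD` as its environment variable, but the flag definition in the first hunk reads `GIT_SYNC_PASSWORD_FILE`, and the AUTHENTICATION text in the hunk at -1831 agrees with the flag definition. A user who follows this entry would put a file path into GIT_SYNC_PASSWORD, where it would be used as the password itself instead of being read as a file. The entry's heading should name `$GIT_SYNC_PASSWORD_FILE`.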
@@ -1831,10 +1837,11 @@ AUTHENTICATION and "git@example.com:repo" will try to use SSH. username/password - The --username (GIT_SYNC_USERNAME) and --password - (GIT_SYNC_PASSWORD) flags will be used. To prevent password - leaks, the GIT_SYNC_PASSWORD environment variable is almost always - preferred to the flag. + The --username (GIT_SYNC_USERNAME) and --password-file + (GIT_SYNC_PASSWORD_FILE) or --password (GIT_SYNC_PASSWORD) flags + will be used. To prevent password leaks, the --password-file flag + or GIT_SYNC_PASSWORD environment variable is almost always + preferred to the --password flag. A variant of this is --askpass-url (GIT_ASKPASS_URL), which consults a URL (e.g. http://metadata) to get credentials on each