Closed JamesBelchamber closed 8 years ago
Hi, we get round this using a script very much like the following:

```bash
#!/bin/bash
set -eu

# Runs on exit: log out, then remove the temporary fog config.
function cleanup {
  set +e
  bundle exec vcloud-logout
  rm -f "$FOG_RC"
  unset FOG_RC
}

# Override default of ~/.fog and delete afterwards.
export FOG_RC=$(mktemp /tmp/vcloud_fog_rc.XXXXXXXXXX)
trap cleanup EXIT
unset FOG_CREDENTIAL

# The config carries no password; it is supplied on STDIN below.
cat <<EOF > "${FOG_RC}"
default:
  vcloud_director_host: '${VCLOUD_HOST}'
  vcloud_director_username: '${VCLOUD_USERNAME}'
  vcloud_director_password: ''
EOF

# Never log token to STDOUT.
set +x
eval "$(printenv VCLOUD_PASSWORD | bundle exec vcloud-login)"
```

`vcloud-login` accepts the password over STDIN for this purpose - no expect required. It's documented in the usage string, but perhaps it should be on the website as well?
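The same pattern as an added example (not code from the PR or the project): the config file is created with mode 0600, holds no password, and the secret only ever reaches the login command on its stdin. The `VCLOUD_*` names follow the thread; `vcloud.example.invalid`, `ci-user` and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the PR: temp fog config without the password,
# created 0600, with the secret passed on stdin and cleaned up on exit.
set -eu

# Write a fog config that omits the password; prints the temp file path.
# umask 077 guarantees the file is 0600 whatever the caller's umask is.
write_fog_rc() {
  host="$1"; user="$2"
  saved_umask=$(umask)
  umask 077
  rc=$(mktemp "${TMPDIR:-/tmp}/vcloud_fog_rc.XXXXXXXXXX")
  umask "$saved_umask"
  cat <<EOF > "$rc"
default:
  vcloud_director_host: '$host'
  vcloud_director_username: '$user'
  vcloud_director_password: ''
EOF
  printf '%s\n' "$rc"
}

# Permission string of a file as ls shows it, e.g. -rw-------
file_mode() { ls -ld "$1" | cut -c1-10; }

# Feed the secret to a command on stdin. printf is a shell builtin, so the
# value never appears in the argv of an external process (visible in ps).
login_with_stdin() {
  secret="$1"; shift
  printf '%s' "$secret" | "$@"
}

# Remove the config and its variable; install with: trap cleanup_fog_rc EXIT
cleanup_fog_rc() {
  if [ -n "${FOG_RC:-}" ]; then rm -f "$FOG_RC"; fi
  unset FOG_RC
}

# Typical CI use (assumes VCLOUD_HOST, VCLOUD_USERNAME, VCLOUD_PASSWORD are set):
#   FOG_RC=$(write_fog_rc "$VCLOUD_HOST" "$VCLOUD_USERNAME"); export FOG_RC
#   trap cleanup_fog_rc EXIT
#   eval "$(login_with_stdin "$VCLOUD_PASSWORD" bundle exec vcloud-login)"
```

Checking `file_mode` and grepping the config for the password value before login is a cheap CI self-test that the secret never reached disk.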
I'm against reverting the behaviour. It's important that the password never touches disk, so that there's no risk of it being intercepted or left after the login operation.
Yeh, this is the kind of thing I was trying to avoid (though it is secure - and I didn't realise you could just pipe into vcloud-login). Yes, allowing fog's 'password feature' is insecure - but people can just as easily do something horribly insecure without it. I can skip vcloud-login entirely and just securely manage the fog file, which is a problem we have already had to solve elsewhere (and with other fog-based tools).
> `vcloud-login` accepts the password over STDIN for this purpose - no expect required
I didn't know about that - having it documented on the website would, indeed, be useful.
I'd like to add this, because it's something fog itself supports. However, if this goes against what the team wants I think we should close this off - I'll use @rjw1's example instead.
Thank you for your interest in this project but we now consider it both feature complete for our own usage and in maintenance mode. While we will not be investing any more development time in this project we may still include pull requests.
I'm expecting this to be quite controversial, but on our project the choice seemed to be this or using expect (ugh). Skyscape has no way of authenticating other than a username/password with a short expiry, and we want to use CI to keep our edge gateway up-to-date with our repository.
I'm sure there's some tidying up I should do (a working spec test, for one), but I'm sure there's some discussion to be had first. Quite happy to be shown an alternative way of handling this issue.