hedgedoc / cli

A tiny CLI for HedgeDoc
GNU Affero General Public License v3.0

Add pass support #22

Open SISheogorath opened 5 years ago

SISheogorath commented 5 years ago

The UNIX password store called `pass` is a very handy Unix tool that allows you to have GPG-encrypted passwords stored in a git repository and used as a password safe.

CodiMD CLI could integrate with pass by checking for its existence and reading login data (i.e. `pass show demo.codimd.org/myuser`) from there.

In order to make it easy to integrate, we should provide a function that abstracts the provided password. That means: check if a password is supplied by CLI parameter; check if the password store is there and, if so, check for a password. When none of the above provides a password, show a prompt.

Just my rough idea, feel free to extend/change/improve.

Fumesover commented 5 years ago

Using #23 and settings such as those of isync it will be possible. Cf. `man mbsync`:

> **Pass** *password*
>
> Specify the password for username on the IMAP server. Note that this option is not required. If neither a password nor a password command is specified in the configuration file, mbsync will prompt you for a password.
>
> **PassCmd** *[+]command*
>
> Specify a shell command to obtain a password rather than specifying a password directly. This allows you to use password files and agents. The command must produce exactly one line on stdout; the trailing newline is optional. Prepend + to the command to indicate that it produces TTY output (e.g., a decryption password prompt); failure to do so will merely produce messier output.

SISheogorath commented 5 years ago

@Fumesover I'm sorry to say, but I'm not really sure what you are saying with your comment :sweat_smile:

Could you elaborate (maybe with links to documentations) what you mean?

Mhm, so you suggest having a parameter `--password-cmd` which refers to a binary that will run in order to get the password out?

Maybe we should take the approach that ansible uses: having a `--vault-password-file` (in our case probably just `--password-file`) which can be either a plaintext file containing a password or an executable file that will run in order to get the password.

Fumesover commented 5 years ago

If we use codimd in the command line, we can just do something like this: ~~`codimd codimd login --email email@example.net $(pass show my/pass/for/codi)`~~ Do not do that; the password leaks and can be accessed by anyone. My first comment was about a hypothetical configuration file where some secrets could be written in clear text.

ccoenen commented 5 years ago

Depending on how big and how versatile a change would have to be, I'm against integrating stuff for a single other product (pass in this case).

pirate commented 5 years ago

FWIW I run this on a Mac where pass is not supported / not natively installed, but a system keychain CLI does exist. I'm not sure it's worth adding this relatively complex dependency for such a small thing, especially considering things like Amazon AWS keys, entire Chrome data directories with all cookies/session keys, and SSH private keys are routinely stored unencrypted in users' home folders.

SISheogorath commented 5 years ago

@pirate I might be mistaken, but I think it is supported: https://www.passwordstore.org/#macintosh

davidak commented 4 years ago

I would prefer a universal solution where you can specify a command that outputs the password.

This way other popular password-managers are also supported.
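The resolution order sketched in this thread (explicit password source first, then the password store, then an interactive prompt), together with the "plaintext file or executable" idea for `--password-file` and davidak's "any command that outputs the password", can be written as one shell function. The following is an added example and not code from hedgedoc/cli; the function name `resolve_password`, its positional arguments and the use of the first line of a `pass` entry as the password are assumptions for illustration. The password is never taken from the CLI argument list, which is where the `$(pass show ...)` pattern above leaks it to anyone who can list processes.

```shell
#!/bin/sh
# Added example, not part of hedgedoc/cli. Resolve a login password from,
# in order:
#   1. a password file given as $1: if it is executable it is run and the
#      first line of its stdout is used (mbsync's PassCmd semantics);
#      otherwise the first line of the file is used;
#   2. a `pass` entry named by $2, if pass is installed;
#   3. an interactive prompt with echo disabled, only when stdin is a TTY.
# The password is written to stdout so the caller can capture it; it is
# never placed in argv of another process and never logged.

resolve_password() {
    rp_file="$1"
    rp_entry="$2"

    if [ -n "$rp_file" ]; then
        if [ -x "$rp_file" ]; then
            # Executable helper: must print the password as its first line.
            rp_out=$("$rp_file") || return 1
        elif [ -r "$rp_file" ]; then
            # Plaintext file: warn if other users can read it (POSIX find -perm).
            if [ -n "$(find "$rp_file" -prune -perm -004)" ]; then
                echo "warning: $rp_file is world-readable" >&2
            fi
            rp_out=$(cat -- "$rp_file") || return 1
        else
            echo "error: password file '$rp_file' is not readable" >&2
            return 1
        fi
        printf '%s\n' "$rp_out" | head -n 1
        return 0
    fi

    if [ -n "$rp_entry" ] && command -v pass >/dev/null 2>&1; then
        # pass prints the decrypted entry; by convention line 1 is the password.
        rp_out=$(pass show "$rp_entry") || return 1
        printf '%s\n' "$rp_out" | head -n 1
        return 0
    fi

    if [ -t 0 ]; then
        printf 'Password: ' >/dev/tty
        stty -echo </dev/tty
        IFS= read -r rp_out </dev/tty
        stty echo </dev/tty
        printf '\n' >/dev/tty
        printf '%s\n' "$rp_out"
        return 0
    fi

    echo "error: no password source available" >&2
    return 1
}
```

A caller would use it as `password=$(resolve_password "$password_file" "$pass_entry") || exit 1` and then hand the value to the login request body, not to a command-line flag. Returning a non-zero status when nothing is configured and stdin is not a terminal keeps scripted use from hanging on a prompt.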