matterhorn-chat / matterhorn

A feature-rich Unix terminal client for the Mattermost chat system
BSD 3-Clause "New" or "Revised" License

Support command substitutions in config commands #821

Closed vintagentleman closed 4 months ago

vintagentleman commented 5 months ago

Hi, thanks for this awesome project!

The docs for otptokencmd suggest providing a command that returns a one-time password directly:

# OTP token command. Optional. If this is specified, the provided
# command will be executed to obtain OTP token required by matterhorn
# 2FA. Resulting 6 digit code will be inserted into the OTP prompt
# automatically.
#
# otptokencmd: secret-tool lookup matterhorn OTP

However, I don't see how this approach can work with TOTPs, which are regenerated all the time. An option instead would be to use secret-tool to store the secret key and generate TOTPs dynamically via oathtool:

otptokencmd: oathtool --totp=SHA512 -b $(secret-tool lookup matterhorn otp_secret_key)

This config doesn't seem to work though, which I assume is due to the fact that secret-tool lookup matterhorn otp_secret_key is interpreted as a literal string rather than executed as a subcommand.

$ matterhorn
oathtool: base32 decoding failed: Base32 string is invalid
Error loading config: Could not execute OTP token command: failed

jtdaugherty commented 4 months ago

I recommend writing a shell script that does what you need and then using that as your otptokencmd. Wouldn't that meet the need?

vintagentleman commented 4 months ago

That did meet my need, though only hardcoding the absolute path to the script worked for me.

Thank you!
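
The wrapper-script approach discussed in this thread, as an added example that is not code from matterhorn or from either commenter: it looks up the secret with secret-tool, generates the TOTP with oathtool, and prints only a 6 digit code. The script name and install path are hypothetical, and passing `-` as the key so the secret is read from stdin rather than appearing in the process list assumes an oathtool release that supports it.

```shell
#!/bin/sh
# Added example, not part of matterhorn. Hypothetical install path:
#   /home/USER/bin/matterhorn-otp   (chmod 700)
# Referenced from the matterhorn config by absolute path:
#   otptokencmd: /home/USER/bin/matterhorn-otp

# Tool names are overridable so the function can be exercised with stubs.
SECRET_TOOL=${SECRET_TOOL:-secret-tool}
OATHTOOL=${OATHTOOL:-oathtool}

matterhorn_otp() {
    # Fetch the base32 TOTP secret from the keyring; the attribute/value
    # pair is the one used in the issue.
    key=$("$SECRET_TOOL" lookup matterhorn otp_secret_key) || {
        echo "matterhorn-otp: keyring lookup failed" >&2; return 1; }
    [ -n "$key" ] || { echo "matterhorn-otp: empty secret" >&2; return 1; }

    # Feed the secret on stdin ("-" as KEY) instead of argv, so it is not
    # visible in the process list. Assumes an oathtool that accepts "-".
    code=$(printf '%s\n' "$key" | "$OATHTOOL" --totp=SHA512 -b -) || {
        echo "matterhorn-otp: oathtool failed" >&2; return 1; }

    # matterhorn expects a 6 digit code; print nothing else on stdout.
    case $code in
        [0-9][0-9][0-9][0-9][0-9][0-9]) printf '%s\n' "$code" ;;
        *) echo "matterhorn-otp: unexpected oathtool output" >&2; return 1 ;;
    esac
}

# Run only when executed under its own name, so the file can also be sourced.
case ${0##*/} in
    matterhorn-otp) matterhorn_otp ;;
esac
```

If the installed oathtool does not accept `-`, pass `"$key"` as the final argument instead, as in the command from the issue.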