pulp / pulp-cli

https://docs.pulpproject.org/pulp_cli/
GNU General Public License v2.0

Pulp CLI takes only plaintext password #821

Closed swetha-swaminathan1 closed 6 months ago

swetha-swaminathan1 commented 10 months ago

Summary

Pulp-CLI currently accepts only a plain-text password as input to the pulp config create command. This command creates a cli.toml file which contains the plaintext password. This is an issue as there is a requirement for us that the password must not be visible as plain text in the cli.toml file. Please let me know if a fix can be provided for this (by either accepting an encrypted password or something else). Otherwise, I can try to contribute to the pulp-cli repository with some guidance.

Examples

pulp file repository create --name file_repo1 --username USER --enc_password BASE64PASS (pulp-cli could include this new parameter enc_password which takes base64 encoded password instead of plain text password)

mdellweg commented 10 months ago

We allow certificate-based authentication too. If you do not put the password in the config file, you will be asked for it (every single command...).

As a solution for this, would integrating with https://pypi.org/project/SecretStorage/ help? (For securing the password, I would prefer to go all the way.)

swetha-swaminathan1 commented 10 months ago

> We allow certificate-based authentication too. If you do not put the password in the config file, you will be asked for it (every single command...).
>
> As a solution for this, would integrating with https://pypi.org/project/SecretStorage/ help? (For securing the password, I would prefer to go all the way.)

  1. Password would still be required if I use a certificate, right? Certificate is just for authentication whereas password is required for authorization.
  2. Regarding SecretStorage, do you mean it will be integrated into pulp?

mdellweg commented 10 months ago

I meant SSL client certs. And you'd need to provide a key. If that was password protected after all, I'm not sure this is supported by pulp-cli. Regarding secret storage: I could see that implemented (actually love to see...). It would use the D-Bus secrets interface and by that matter integrate with all common Linux desktop environments.

ggainey commented 8 months ago

We had some great discussion around this at the latest cli-mtg. It would be a great addition to pulp-cli if it were taught how to take advantage of SecretStorage (as linked in those minutes!). We absolutely would love a PR that implemented such a thing!
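
The SecretStorage integration proposed in this thread could look like the sketch below. It is an added example, not part of the thread and not pulp-cli code: the function names, the `service`/`base_url`/`username` attribute schema and the in-memory `FakeCollection` are assumptions made for illustration, while the `secretstorage` calls are that library's real API.

```python
# Added illustration (not pulp-cli code): keep the Pulp password in the D-Bus
# Secret Service via SecretStorage instead of writing it to cli.toml.
from types import SimpleNamespace

def _attributes(base_url, username):
    # Hypothetical lookup schema; pulp-cli defines no such attributes.
    return {"service": "pulp-cli", "base_url": base_url, "username": username}

def open_default_collection():
    """Open and unlock the user's default keyring (needs a D-Bus session)."""
    import secretstorage  # imported lazily so the rest runs without D-Bus
    connection = secretstorage.dbus_init()
    collection = secretstorage.get_default_collection(connection)
    if collection.is_locked():
        collection.unlock()
    return collection

def store_password(collection, base_url, username, password):
    """Create or replace the keyring item for this server and user."""
    label = f"pulp-cli {username}@{base_url}"
    collection.create_item(label, _attributes(base_url, username),
                           password.encode("utf-8"), replace=True)

def lookup_password(collection, base_url, username):
    """Return the stored password, or None when no item matches."""
    for item in collection.search_items(_attributes(base_url, username)):
        return item.get_secret().decode("utf-8")
    return None

def resolve_password(profile, collection):
    """Return (password, source); the keyring wins over a plaintext value."""
    secret = lookup_password(collection, profile["base_url"], profile["username"])
    if secret is not None:
        return secret, "keyring"
    if profile.get("password"):
        return profile["password"], "plaintext-config"  # worth a warning
    return None, "prompt"

class FakeCollection:
    """Constructed in-memory stand-in for secretstorage.Collection."""
    def __init__(self):
        self._secrets = {}
    def create_item(self, label, attributes, secret, replace=False):
        self._secrets[frozenset(attributes.items())] = secret
    def search_items(self, attributes):
        secret = self._secrets.get(frozenset(attributes.items()))
        found = [] if secret is None else [SimpleNamespace(get_secret=lambda: secret)]
        return iter(found)
```

On a desktop session, pass the result of `open_default_collection()` in place of the `FakeCollection`; the secret then sits in the user's keyring, and a profile with no password entry resolves from there.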