Merge pull request #1133 from middelink/fix-1132

Force restic to ask the password when adding a key.
This commit is contained in:
Alexander Neumann 2017-07-26 22:11:37 +02:00
commit 2e804511ca
5 changed files with 40 additions and 28 deletions

View file

@ -249,7 +249,7 @@ func readBackupFromStdin(opts BackupOptions, gopts GlobalOptions, args []string)
return errors.Fatal("filename for backup from stdin must not be empty") return errors.Fatal("filename for backup from stdin must not be empty")
} }
if gopts.password == "" && gopts.PasswordFile == "" { if gopts.password == "" {
return errors.Fatal("unable to read password from stdin when data is to be read from stdin, use --password-file or $RESTIC_PASSWORD") return errors.Fatal("unable to read password from stdin when data is to be read from stdin, use --password-file or $RESTIC_PASSWORD")
} }
@ -322,8 +322,8 @@ func readLinesFromFile(filename string) ([]string, error) {
} }
func runBackup(opts BackupOptions, gopts GlobalOptions, args []string) error { func runBackup(opts BackupOptions, gopts GlobalOptions, args []string) error {
if opts.FilesFrom == "-" && gopts.password == "" && gopts.PasswordFile == "" { if opts.FilesFrom == "-" && gopts.password == "" {
return errors.Fatal("no password; either use `--password-file` option or put the password into the RESTIC_PASSWORD environment variable") return errors.Fatal("unable to read password from stdin when data is to be read from stdin, use --password-file or $RESTIC_PASSWORD")
} }
fromfile, err := readLinesFromFile(opts.FilesFrom) fromfile, err := readLinesFromFile(opts.FilesFrom)

View file

@ -34,14 +34,12 @@ func runInit(gopts GlobalOptions, args []string) error {
return errors.Fatalf("create backend at %s failed: %v\n", gopts.Repo, err) return errors.Fatalf("create backend at %s failed: %v\n", gopts.Repo, err)
} }
if gopts.password == "" {
gopts.password, err = ReadPasswordTwice(gopts, gopts.password, err = ReadPasswordTwice(gopts,
"enter password for new backend: ", "enter password for new backend: ",
"enter password again: ") "enter password again: ")
if err != nil { if err != nil {
return err return err
} }
}
s := repository.New(be) s := repository.New(be)

View file

@ -59,7 +59,12 @@ func getNewPassword(gopts GlobalOptions) (string, error) {
return testKeyNewPassword, nil return testKeyNewPassword, nil
} }
return ReadPasswordTwice(gopts, // Since we already have an open repository, temporary remove the password
// to prompt the user for the passwd.
newopts := gopts
newopts.password = ""
return ReadPasswordTwice(newopts,
"enter password for new key: ", "enter password for new key: ",
"enter password again: ") "enter password again: ")
} }

View file

@ -53,11 +53,6 @@ var globalOptions = GlobalOptions{
} }
func init() { func init() {
pw := os.Getenv("RESTIC_PASSWORD")
if pw != "" {
globalOptions.password = pw
}
var cancel context.CancelFunc var cancel context.CancelFunc
globalOptions.ctx, cancel = context.WithCancel(context.Background()) globalOptions.ctx, cancel = context.WithCancel(context.Background())
AddCleanupHandler(func() error { AddCleanupHandler(func() error {
@ -207,6 +202,20 @@ func Exitf(exitcode int, format string, args ...interface{}) {
Exit(exitcode) Exit(exitcode)
} }
// resolvePassword determines the password to be used for opening the repository.
func resolvePassword(opts GlobalOptions, env string) (string, error) {
if opts.PasswordFile != "" {
s, err := ioutil.ReadFile(opts.PasswordFile)
return strings.TrimSpace(string(s)), errors.Wrap(err, "Readfile")
}
if pwd := os.Getenv(env); pwd != "" {
return pwd, nil
}
return "", nil
}
// readPassword reads the password from the given reader directly. // readPassword reads the password from the given reader directly.
func readPassword(in io.Reader) (password string, err error) { func readPassword(in io.Reader) (password string, err error) {
buf := make([]byte, 1000) buf := make([]byte, 1000)
@ -238,13 +247,8 @@ func readPasswordTerminal(in *os.File, out io.Writer, prompt string) (password s
// ReadPassword reads the password from a password file, the environment // ReadPassword reads the password from a password file, the environment
// variable RESTIC_PASSWORD or prompts the user. // variable RESTIC_PASSWORD or prompts the user.
func ReadPassword(opts GlobalOptions, prompt string) (string, error) { func ReadPassword(opts GlobalOptions, prompt string) (string, error) {
if opts.PasswordFile != "" { if opts.password != "" {
s, err := ioutil.ReadFile(opts.PasswordFile) return opts.password, nil
return strings.TrimSpace(string(s)), errors.Wrap(err, "Readfile")
}
if pwd := os.Getenv("RESTIC_PASSWORD"); pwd != "" {
return pwd, nil
} }
var ( var (
@ -303,12 +307,10 @@ func OpenRepository(opts GlobalOptions) (*repository.Repository, error) {
s := repository.New(be) s := repository.New(be)
if opts.password == "" {
opts.password, err = ReadPassword(opts, "enter password for repository: ") opts.password, err = ReadPassword(opts, "enter password for repository: ")
if err != nil { if err != nil {
return nil, err return nil, err
} }
}
err = s.SearchKey(context.TODO(), opts.password, maxKeys) err = s.SearchKey(context.TODO(), opts.password, maxKeys)
if err != nil { if err != nil {

View file

@ -36,6 +36,13 @@ directories in an encrypted repository stored on different backends.
} }
globalOptions.extended = opts globalOptions.extended = opts
pwd, err := resolvePassword(globalOptions, "RESTIC_PASSWORD")
if err != nil {
fmt.Fprintf(os.Stderr, "Resolving password failed: %v\n", err)
Exit(1)
}
globalOptions.password = pwd
// run the debug functions for all subcommands (if build tag "debug" is // run the debug functions for all subcommands (if build tag "debug" is
// enabled) // enabled)
if err := runDebug(); err != nil { if err := runDebug(); err != nil {