author | Antoine A <> | 2024-04-24 12:49:12 +0900 |
---|---|---|
committer | Antoine A <> | 2024-04-24 12:49:12 +0900 |
commit | 689f03e962ed38b12e9d9107ecaf28d8f2397770 (patch) | |
tree | c51bb899e577f300c1a5799ea163c83dd9888603 | |
parent | 90a755454f40234dd59e26a71da6319fe0b3c7f2 (diff) | |
Fix printing secrets in terminal
-rwxr-xr-x | regional-currency/config.py | 41 | ||||
-rwxr-xr-x | regional-currency/main.sh | 7 |
2 files changed, 32 insertions, 16 deletions
diff --git a/regional-currency/config.py b/regional-currency/config.py
index 94ecd9d..e382927 100755
--- a/regional-currency/config.py
+++ b/regional-currency/config.py
@@ -7,6 +7,7 @@ import re
 import subprocess
 import urllib.parse
 import uuid
+import getpass
 from base64 import b64decode, b64encode
 from typing import Callable, Dict, TypeVar
 
@@ -45,11 +46,8 @@ def load_conf() -> Dict[str, str]:
 conf = load_conf()
 result_conf = {**conf, "CONFIG_LOADED": "y"}
 
-
-def add_conf(name: str, value: str):
- """Update a user configuration value and update the configuration file"""
- conf[name] = value
- result_conf[name] = value
+def store_conf():
+ """Update the configuration file"""
 content = ""
 for key, value in conf.items():
 escaped = value.replace("'", "'\\''")
@@ -57,6 +55,11 @@ def add_conf(name: str, value: str):
 with open(CONFIG_FILE, "w") as f:
 f.write(content)
 
+def add_conf(name: str, value: str):
+ """Update a user configuration value and update the configuration file"""
+ conf[name] = value
+ result_conf[name] = value
+ store_conf()
 
 def run_cmd(
 cmd: list[str], input: str | None = None, env: Dict[str, str] | None = None
@@ -132,14 +135,16 @@ def ask(
 default: T | None = None,
 check: Callable[[str], T | None] = lambda it: it,
 fmt: Callable[[T], str] = lambda it: str(it),
+ secret: bool = False
 ) -> T:
 """
- Prompt the user to configurea value
+ Prompt the user to configure a value
 :param name: if present will try to fetch the current value and will store the new value
 :param msg: the message to prompt the user with
 :param default: default value to use if no value is obtained
 :param check: check and normalize the value
 :param fmt: format value for storage
+ :param secret: hide the input content
 :return: the configuration value
 """
 
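Review bot: `store_conf` (its body spans this hunk and the next) truncates and rewrites `CONFIG_FILE` in place through `open(CONFIG_FILE, "w")`, so an interrupt between the open and `f.write` leaves a truncated config, and the file, which now carries the hashed config password and the encrypted secrets written by `ask_secret`, is created with the process umask rather than an owner-only mode. Writing to a sibling temporary file with mode 0o600 and renaming it over `CONFIG_FILE` with `os.replace` closes both gaps (this needs `os` in scope, which the excerpt does not show). The one-line docstring could also state what is persisted: `"""Rewrite CONFIG_FILE from the in-memory conf mapping; result_conf is not persisted."""`. PEP 8 also asks for two blank lines around the module-level `def store_conf():` and the relocated `def add_conf`; both are separated by one.
```python
def store_conf():
    """Rewrite CONFIG_FILE from the in-memory conf mapping; result_conf is not persisted."""
    content = ""
    # … unchanged: build content from conf.items() with shell-style quoting …
    tmp = f"{CONFIG_FILE}.tmp"
    # Owner-only mode and atomic replace: the file holds the hashed config
    # password and the encrypted secrets and must never be left half-written.
    fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with open(fd, "w") as f:
        f.write(content)
    os.replace(tmp, CONFIG_FILE)
```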
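Review bot: `secret: bool = False` is the only parameter in `ask`'s signature without a trailing comma, and as a boolean flag it is better made keyword-only so every call site has to spell it `secret=True` instead of a bare positional `True`: insert `    *,` before it and write `    secret: bool = False,`. The `ask_str` call in the later hunk already passes `secret=secret`, so the change is compatible with it. The rest of `ask`, including the nested prompt function that reads the flag, lies outside this hunk.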
@@ -147,7 +152,10 @@ def ask(
 # Log the prompt
 log.write(msg.encode() + "\n".encode())
 # Actual prompt
- raw = input(msg).strip()
+ if secret:
+ raw = getpass.getpass(msg).strip()
+ else:
+ raw = input(msg).strip()
 if raw == "":
 if default is None:
 print("You must enter a value")
@@ -157,9 +165,9 @@ def ask(
 return conf_value(name, do_ask, default, check, fmt)
 
 
-def ask_str(name: str | None, msg: str, default: str | None = None) -> str:
+def ask_str(name: str | None, msg: str, default: str | None = None, secret: bool = False) -> str:
 "Prompt the user to configure a string"
- return ask(name, msg, default)
+ return ask(name, msg, default, secret=secret)
 
 
 def ask_bic(name: str | None, msg: str, default: str | None = None) -> str:
@@ -272,14 +280,14 @@ def ask_config_password() -> str:
 passwd = None
 if hash is not None:
 while True:
- passwd = ask_str(None, "Enter the config password : ")
+ passwd = ask_str(None, "Enter the config password : ", secret=True)
 try:
 ph.verify(hash, passwd)
 break
 except argon2.exceptions.VerifyMismatchError:
 print("invalid password")
 else:
- passwd = ask_str(None, "1.1 Choose a config password : ")
+ passwd = ask_str(None, "1.1 Choose a config password : ", secret=True)
 
 if hash is None or ph.check_needs_rehash(hash):
 add_conf("CONFIG_PASSWORD", ph.hash(passwd))
@@ -317,7 +325,7 @@ def ask_secret(
 f"$pbkdf2_sha512_chacha20_poly1305$1000000${base64.b64encode(salt).decode()}${base64.b64encode(cipher.nonce).decode()}${base64.b64encode(tag).decode()}${base64.b64encode(ciphertext).decode()}",
 )
 else:
- plaintext = ask_str(None, msg, default)
+ plaintext = ask_str(None, msg, default, True)
 salt = get_random_bytes(16)
 key = PBKDF2(passwd, salt, 32, count=1000000, hmac_hash_module=SHA512)
 cipher = ChaCha20_Poly1305.new(key=key)
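Review bot: `getpass.getpass` hides input only when it can open a controlling terminal; without one (stdin piped, no tty) it emits a `GetPassWarning` and falls back to `input()`, so the secret is echoed after all. If this installer can run non-interactively the fallback should be made explicit, at minimum with a comment on the `if secret:` branch: `# getpass hides input only on a tty; otherwise it warns and echoes like input()`. The `.strip()` carried over from the old line now also applies to passwords, so leading or trailing spaces in a chosen password are silently dropped. The enclosing prompt function starts and ends outside this hunk.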
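Review bot: The hidden `1.1 Choose a config password` prompt in the `else` branch takes the new password once; with echo now off, a typo is hashed and stored by the `add_conf("CONFIG_PASSWORD", ...)` call below and the user has no way to see what they actually set. Hidden entry of a new secret should ask twice and compare before accepting, as sketched below; the verify loop in the `if hash is not None` branch is fine as is.
```python
    else:
        while True:
            passwd = ask_str(None, "1.1 Choose a config password : ", secret=True)
            confirm = ask_str(None, "1.1 Confirm the config password : ", secret=True)
            if passwd == confirm:
                break
            print("passwords do not match")
    # … unchanged: hash check and add_conf("CONFIG_PASSWORD", ...) …
```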
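Review bot: `ask_str(None, msg, default, True)` passes the new flag positionally, while the two call sites in `ask_config_password` spell it `secret=True`; use the keyword here as well for consistency and so that a future change to `ask_str`'s parameter order cannot silently turn the flag off: `plaintext = ask_str(None, msg, default, secret=True)`. `ask_secret` begins and ends outside this hunk.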
@@ -439,12 +447,14 @@ if ask_yes_no(
 return auth_token
 
 conf_value("TELESIGN_AUTH_TOKEN", ask_telesign)
-ask_secret(
+generated_password= str(uuid.uuid4())
+admin_password = ask_secret(
 "BANK_ADMIN_PASSWORD",
 "8. Enter the admin password for the bank (or press enter to autogenerate password): ",
 config_passwd,
- str(uuid.uuid4()),
+ generated_password,
 )
+add_conf("BANK_ADMIN_PASSWORD_GENERATED", "y" if generated_password==admin_password else "n")
 
 if ask_yes_no(
 "DO_EXCHANGE_TERMS",
@@ -468,6 +478,9 @@ if ask_yes_no(
 "-pp-",
 )
 
+# Update on disk format even if nothing have changed
+store_conf()
+
 # ----- Return conf ----- #
 
 content = ""
diff --git a/regional-currency/main.sh b/regional-currency/main.sh
index 1655c7d..a88ac3d 100755
--- a/regional-currency/main.sh
+++ b/regional-currency/main.sh
@@ -83,11 +83,14 @@ say "Setting up merchant (step 6 of 6)"
 ./setup-merchant.sh
 
 # Final message to the user
-source config/user.conf
 say ""
 say "Congratulations, you have successfully installed GNU Taler"
 say "Your bank is at ${PROTO}://bank.${DOMAIN_NAME}/"
-say "You can connect to the bank web UI as 'admin' using '${BANK_ADMIN_PASSWORD}'"
+if test ${BANK_ADMIN_PASSWORD_GENERATED} == y; then
+ say "You can connect to the bank web UI as 'admin' using '${BANK_ADMIN_PASSWORD}'"
+else
+ say "You can connect to the bank web UI as 'admin' using the password you entered earlier"
+fi
 say "A merchant is at ${PROTO}://backend.${DOMAIN_NAME}/"
 say "You should set credentials for the merchant soon."
 say "The exchange withdraw URI is taler://withdraw-exchange/exchange.${DOMAIN_NAME}/"
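Review bot: `BANK_ADMIN_PASSWORD_GENERATED` is recomputed and stored unconditionally on every run, but `generated_password` is a fresh `uuid4` each time; if `ask_secret` returns the already-configured value on a re-run without prompting, as its `name` argument and the `:param name:` docstring of `ask` suggest, the comparison fails and a previously autogenerated password is re-flagged `n`, so `main.sh` then tells the user to use a password they never typed. Only set the flag when it is not already known, e.g. wrap the call in `if "BANK_ADMIN_PASSWORD_GENERATED" not in conf:`. The two new assignments also want PEP 8 spacing: `generated_password = str(uuid.uuid4())` and `generated_password == admin_password`.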
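Review bot: `test ${BANK_ADMIN_PASSWORD_GENERATED} == y` expands unquoted, so on a config written before this commit, or whenever the variable is unset, it becomes `test == y`, a test(1) syntax error rather than a clean false, and `==` is a bashism that POSIX `test` rejects. Quote it with a default and use `=`: `if test "${BANK_ADMIN_PASSWORD_GENERATED:-n}" = y; then`. The hunk also drops `source config/user.conf`; where `PROTO`, `DOMAIN_NAME` and the two `BANK_ADMIN_PASSWORD*` variables are now defined for this final message is not visible here and should be confirmed.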