Merge pull request #358 from secrethub/feature/improve-credential-error

SimonBarendse · web-flow · commit bdadd2724eac · 2020-12-16T10:54:04.000+01:00
Improve credential errors
diff --git a/go.mod b/go.mod
@@ -17,7 +17,7 @@ require (
 	github.com/op/go-logging v0.0.0-20160315200505-970db520ece7
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/secrethub/demo-app v0.1.0
-	github.com/secrethub/secrethub-go v0.31.0
+	github.com/secrethub/secrethub-go v0.30.1-0.20201215150659-e5f45b9d8a0d
 	github.com/zalando/go-keyring v0.0.0-20190208082241-fbe81aec3a07
 	golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550
 	golang.org/x/sys v0.0.0-20200501052902-10377860bb8e
diff --git a/go.sum b/go.sum
@@ -182,6 +182,8 @@ github.com/secrethub/secrethub-go v0.29.1-0.20200728110331-9d7b31301226/go.mod h
 github.com/secrethub/secrethub-go v0.29.1-0.20200728110331-9d7b31301226/go.mod h1:tDeBtyjfFQX3UqgaZfY+H4dYkcGfiVzrwLDf0XtfOrw=
 github.com/secrethub/secrethub-go v0.30.0 h1:Nh1twPDwPbYQj/cYc1NG+j7sv76LZiXLPovyV83tZj0=
 github.com/secrethub/secrethub-go v0.30.0/go.mod h1:tDeBtyjfFQX3UqgaZfY+H4dYkcGfiVzrwLDf0XtfOrw=
+github.com/secrethub/secrethub-go v0.30.1-0.20201215150659-e5f45b9d8a0d h1:5HtPCmZWsK3hLHyT825lhp6361uu3gRFJFN7MLr36ec=
+github.com/secrethub/secrethub-go v0.30.1-0.20201215150659-e5f45b9d8a0d/go.mod h1:ZIco8Y0G0Pi0Vb7pQROjvEKgSreZiRMLhAbzWUneUSQ=
 github.com/secrethub/secrethub-go v0.31.0 h1:0KoG0KHBOa5knkvf3K0f6sKuPSQ5VGPXLD4ttC9Eul8=
 github.com/secrethub/secrethub-go v0.31.0/go.mod h1:ZIco8Y0G0Pi0Vb7pQROjvEKgSreZiRMLhAbzWUneUSQ=
 github.com/stretchr/objx v0.1.0 h1:4G4v2dO3VZwixGIRoQ5Lfboy6nUhCyYzaqnIAPPhYs4=
diff --git a/internals/secrethub/client_factory.go b/internals/secrethub/client_factory.go
@@ -40,6 +40,7 @@ type clientFactory struct {
 }
 
 // Register the flags for configuration on a cli application.
+// The environment variables of these flags are also checked on the client, but checking them here allows us to fail fast.
 func (f *clientFactory) Register(r FlagRegisterer) {
 	r.Flag("api-remote", "The SecretHub API address, don't set this unless you know what you're doing.").Hidden().URLVar(&f.ServerURL)
 	r.Flag("identity-provider", "Enable native authentication with a trusted identity provider. Options are `aws` (IAM + KMS), `gcp` (IAM + KMS) and `key`. When you run the CLI on one of the platforms, you can leverage their respective identity providers to do native keyless authentication. Defaults to key, which uses the default credential sourced from a file, command-line flag, or environment variable. ").Default("key").StringVar(&f.identityProvider)
diff --git a/internals/secrethub/credential_store.go b/internals/secrethub/credential_store.go
@@ -3,6 +3,8 @@ package secrethub
 import (
 	"time"
 
+	"github.com/secrethub/secrethub-cli/internals/cli"
+
 	"github.com/secrethub/secrethub-go/pkg/secrethub/configdir"
 	"github.com/secrethub/secrethub-go/pkg/secrethub/credentials"
 
@@ -34,7 +36,7 @@ func NewCredentialConfig(io ui.IO) CredentialConfig {
 
 type credentialConfig struct {
 	configDir                    ConfigDir
-	AccountCredential            string
+	credentialReader             *flagCredentialReader
 	credentialPassphrase         string
 	CredentialPassphraseCacheTTL time.Duration
 	io                           ui.IO
@@ -49,9 +51,10 @@ func (store *credentialConfig) IsPassphraseSet() bool {
 }
 
 // Register registers the flags for configuring the store on the provided Registerer.
+// The environment variables of these flags are also checked on the client, but checking them here allows us to fail fast.
 func (store *credentialConfig) Register(r FlagRegisterer) {
 	r.Flag("config-dir", "The absolute path to a custom configuration directory. Defaults to $HOME/.secrethub").Default("").PlaceHolder("CONFIG-DIR").SetValue(&store.configDir)
-	r.Flag("credential", "Use a specific account credential to authenticate to the API. This overrides the credential stored in the configuration directory.").StringVar(&store.AccountCredential)
+	store.credentialReader = credentialReader(r.Flag("credential", "Use a specific account credential to authenticate to the API. This overrides the credential stored in the configuration directory."))
 	r.Flag("p", "").Short('p').Hidden().NoEnvar().StringVar(&store.credentialPassphrase) // Shorthand -p is deprecated. Use --credential-passphrase instead.
 	r.Flag("credential-passphrase", "The passphrase to unlock your credential file. When set, it will not prompt for the passphrase, nor cache it in the OS keyring. Please only use this if you know what you're doing and ensure your passphrase doesn't end up in bash history.").StringVar(&store.credentialPassphrase)
 	r.Flag("credential-passphrase-cache-ttl", "Cache the credential passphrase in the OS keyring for this duration. The cache is automatically cleared after the timer runs out. Each time the passphrase is read from the cache the timer is reset. Passphrase caching is turned on by default for 5 minutes. Turn it off by setting the duration to 0.").Default("5m").DurationVar(&store.CredentialPassphraseCacheTTL)
@@ -69,13 +72,38 @@ func (store *credentialConfig) Import() (credentials.Key, error) {
 }
 
 func (store *credentialConfig) getCredentialReader() credentials.Reader {
-	if store.AccountCredential != "" {
-		return credentials.FromString(store.AccountCredential)
+	if store.credentialReader.value == "" {
+		return store.configDir.Credential()
 	}
-	return store.configDir.Credential()
+	return store.credentialReader
 }
 
 // PassphraseReader returns a PassphraseReader configured by the flags.
 func (store *credentialConfig) PassphraseReader() credentials.Reader {
 	return NewPassphraseReader(store.io, store.credentialPassphrase, store.CredentialPassphraseCacheTTL)
 }
+
+// credentialReader returns a credential reader and source that reads from the given flag (and its corresponding env var).
+func credentialReader(flag *cli.Flag) *flagCredentialReader {
+	reader := flagCredentialReader{Flag: flag}
+	flag.StringVar(&reader.value)
+	flag.IsSetByUser(&reader.setByUser)
+	return &reader
+}
+
+type flagCredentialReader struct {
+	*cli.Flag
+	value     string
+	setByUser bool
+}
+
+func (f *flagCredentialReader) Read() ([]byte, error) {
+	return []byte(f.value), nil
+}
+
+func (f *flagCredentialReader) Source() string {
+	if f.HasEnvarValue() && !f.setByUser {
+		return "$SECRETHUB_CREDENTIAL"
+	}
+	return "--credential"
+}
diff --git a/secrethub b/secrethub

Original file line number	Diff line number	Diff line change
`@@ -40,6 +40,7 @@ type clientFactory struct {`
`40`	`40`	`}`
`41`	`41`
`42`	`42`	`// Register the flags for configuration on a cli application.`
	`43`	`+// The environment variables of these flags are also checked on the client, but checking them here allows us to fail fast.`
`43`	`44`	`func (f *clientFactory) Register(r FlagRegisterer) {`
`44`	`45`	`r.Flag("api-remote", "The SecretHub API address, don't set this unless you know what you're doing.").Hidden().URLVar(&f.ServerURL)`
`45`	`46`	r.Flag("identity-provider", "Enable native authentication with a trusted identity provider. Options are `aws` (IAM + KMS), `gcp` (IAM + KMS) and `key`. When you run the CLI on one of the platforms, you can leverage their respective identity providers to do native keyless authentication. Defaults to key, which uses the default credential sourced from a file, command-line flag, or environment variable. ").Default("key").StringVar(&f.identityProvider)