Make the --credential flag a credential reader and source

Author: Marton6

go.mod

@@ -17,7 +17,7 @@ require (
 	github.com/op/go-logging v0.0.0-20160315200505-970db520ece7
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/secrethub/demo-app v0.1.0
-	github.com/secrethub/secrethub-go v0.31.0
+	github.com/secrethub/secrethub-go v0.30.1-0.20201215150659-e5f45b9d8a0d
 	github.com/zalando/go-keyring v0.0.0-20190208082241-fbe81aec3a07
 	golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550
 	golang.org/x/sys v0.0.0-20200501052902-10377860bb8e

go.sum

@@ -182,6 +182,8 @@ github.com/secrethub/secrethub-go v0.29.1-0.20200728110331-9d7b31301226/go.mod h
 github.com/secrethub/secrethub-go v0.29.1-0.20200728110331-9d7b31301226/go.mod h1:tDeBtyjfFQX3UqgaZfY+H4dYkcGfiVzrwLDf0XtfOrw=
 github.com/secrethub/secrethub-go v0.30.0 h1:Nh1twPDwPbYQj/cYc1NG+j7sv76LZiXLPovyV83tZj0=
 github.com/secrethub/secrethub-go v0.30.0/go.mod h1:tDeBtyjfFQX3UqgaZfY+H4dYkcGfiVzrwLDf0XtfOrw=
+github.com/secrethub/secrethub-go v0.30.1-0.20201215150659-e5f45b9d8a0d h1:5HtPCmZWsK3hLHyT825lhp6361uu3gRFJFN7MLr36ec=
+github.com/secrethub/secrethub-go v0.30.1-0.20201215150659-e5f45b9d8a0d/go.mod h1:ZIco8Y0G0Pi0Vb7pQROjvEKgSreZiRMLhAbzWUneUSQ=
 github.com/secrethub/secrethub-go v0.31.0 h1:0KoG0KHBOa5knkvf3K0f6sKuPSQ5VGPXLD4ttC9Eul8=
 github.com/secrethub/secrethub-go v0.31.0/go.mod h1:ZIco8Y0G0Pi0Vb7pQROjvEKgSreZiRMLhAbzWUneUSQ=
 github.com/stretchr/objx v0.1.0 h1:4G4v2dO3VZwixGIRoQ5Lfboy6nUhCyYzaqnIAPPhYs4=

internals/secrethub/credential_store.go

@@ -36,8 +36,7 @@ func NewCredentialConfig(io ui.IO) CredentialConfig {
 
 type credentialConfig struct {
 	configDir                    ConfigDir
-	AccountCredential            string
-	credentialFlag               *cli.Flag
+	credentialReader             *flagCredentialReader
 	credentialPassphrase         string
 	CredentialPassphraseCacheTTL time.Duration
 	io                           ui.IO
@@ -55,8 +54,7 @@ func (store *credentialConfig) IsPassphraseSet() bool {
 // The environment variables of these flags are also checked on the client, but checking them here allows us to fail fast.
 func (store *credentialConfig) Register(r FlagRegisterer) {
 	r.Flag("config-dir", "The absolute path to a custom configuration directory. Defaults to $HOME/.secrethub").Default("").PlaceHolder("CONFIG-DIR").SetValue(&store.configDir)
-	store.credentialFlag = r.Flag("credential", "Use a specific account credential to authenticate to the API. This overrides the credential stored in the configuration directory.")
-	store.credentialFlag.StringVar(&store.AccountCredential)
+	store.credentialReader = credentialReader(r.Flag("credential", "Use a specific account credential to authenticate to the API. This overrides the credential stored in the configuration directory."))
 	r.Flag("p", "").Short('p').Hidden().NoEnvar().StringVar(&store.credentialPassphrase) // Shorthand -p is deprecated. Use --credential-passphrase instead.
 	r.Flag("credential-passphrase", "The passphrase to unlock your credential file. When set, it will not prompt for the passphrase, nor cache it in the OS keyring. Please only use this if you know what you're doing and ensure your passphrase doesn't end up in bash history.").StringVar(&store.credentialPassphrase)
 	r.Flag("credential-passphrase-cache-ttl", "Cache the credential passphrase in the OS keyring for this duration. The cache is automatically cleared after the timer runs out. Each time the passphrase is read from the cache the timer is reset. Passphrase caching is turned on by default for 5 minutes. Turn it off by setting the duration to 0.").Default("5m").DurationVar(&store.CredentialPassphraseCacheTTL)
@@ -74,16 +72,38 @@ func (store *credentialConfig) Import() (credentials.Key, error) {
 }
 
 func (store *credentialConfig) getCredentialReader() credentials.Reader {
-	if store.AccountCredential == "" {
+	if store.credentialReader.value == "" {
 		return store.configDir.Credential()
 	}
-	if store.credentialFlag.HasEnvarValue() {
-		return credentials.FromEnv("SECRETHUB_CREDENTIAL")
-	}
-	return credentials.FromString(store.AccountCredential)
+	return store.credentialReader
 }
 
 // PassphraseReader returns a PassphraseReader configured by the flags.
 func (store *credentialConfig) PassphraseReader() credentials.Reader {
 	return NewPassphraseReader(store.io, store.credentialPassphrase, store.CredentialPassphraseCacheTTL)
 }
+
+// credentialReader returns a credential reader and source that reads from the given flag (and its corresponding env var).
+func credentialReader(flag *cli.Flag) *flagCredentialReader {
+	reader := flagCredentialReader{Flag: flag}
+	flag.StringVar(&reader.value)
+	flag.IsSetByUser(&reader.setByUser)
+	return &reader
+}
+
+type flagCredentialReader struct {
+	*cli.Flag
+	value     string
+	setByUser bool
+}
+
+func (f *flagCredentialReader) Read() ([]byte, error) {
+	return []byte(f.value), nil
+}
+
+func (f *flagCredentialReader) Source() string {
+	if f.HasEnvarValue() && !f.setByUser {
+		return "$SECRETHUB_CREDENTIAL"
+	}
+	return "--credential"
+}