calcurse-caldav: Support PasswordCommand option

This commit adds a new `Auth/PasswordCommand` option to support security best practices re: handling secrets in CLI program configuration. Prior to this commit, the two available options for specifying a password were: 1. via the `Auth/Password` config parameter, or 2. via a `$CALCURSE_CALDAV_PASSWORD` environment variable. The former is unsafe for obvious reasons; the latter is unsafe because as long as the script is running, its environment can be accessed via $ cat /proc/<pid>/environ and is thus visible to anyone with access to the system. This commit preserves preexisting behavior (for backward compatibility) but removes all mention of option 2 from the README. Since the README example for option 2 used a password command anyway, there is little reason to continue its use, and this commit recommends it be deprecated. Signed-off-by: Lukas Fleischer <lfleischer@calcurse.org>
2022-06-30 23:04:35 -07:00
parent 4cd300f2c4
commit e772c4b6d5
3 changed files with 24 additions and 14 deletions
--- a/contrib/caldav/calcurse-caldav.py
+++ b/contrib/caldav/calcurse-caldav.py
@@ -6,6 +6,7 @@ import configparser
 import os
 import pathlib
 import re
+import shlex
 import subprocess
 import sys
 import textwrap
@@ -30,6 +31,7 @@ class Config:
        self._map = {
            'Auth': {
                'Password': None,
+                'PasswordCommand': None,
                'Username': None,
            },
            'CustomHeaders': {},
@@ -657,9 +659,6 @@ verbose = args.verbose
 debug = args.debug
 debug_raw = args.debug_raw

-# Read environment variables
-password = os.getenv('CALCURSE_CALDAV_PASSWORD')
-
 # Read configuration.
 config = Config(configfn)

@@ -674,7 +673,17 @@ path = config.get('General', 'Path')
 sync_filter = config.get('General', 'SyncFilter')
 verbose = verbose or config.get('General', 'Verbose')

-password = password or config.get('Auth', 'Password')
+if os.getenv('CALCURSE_CALDAV_PASSWORD'):
+    # This approach is deprecated, but preserved for backwards compatibility
+    password = os.getenv('CALCURSE_CALDAV_PASSWORD')
+elif config.get('Auth', 'Password'):
+    password = config.get('Auth', 'Password')
+elif config.get('Auth', 'PasswordCommand'):
+    tokenized_cmd = shlex.split(config.get('Auth', 'PasswordCommand'))
+    password = subprocess.run(tokenized_cmd, capture_output=True).stdout.decode('UTF-8')
+else:
+    password = None
+
 username = config.get('Auth', 'Username')

 client_id = config.get('OAuth2', 'ClientID')