OPENDJ-5902

Secrets: support retrieval of CLI arguments from environment variables and files




      DJ CLI tools often have arguments which represent secrets or credentials of some sort, such as passwords or key store PINs. It is tempting to pass the credential to the tool directly:

      $ mytool --somePassword "myPassword"

      However, the clear text password is exposed directly on the terminal and may be retrieved later on via the shell history or by querying the running processes with a tool such as "ps -f".

      The user may attempt to avoid this by passing the credential via an environment variable or a file:

      $ mytool --somePassword $PASSWORD
      $ mytool --somePassword `cat password.txt`

      However, it is still possible to discover the password using a tool like "ps -f", because the shell expands the variable or the command substitution before the tool is executed, so the resolved value still appears in the process's argument list. As a workaround our tools often provide an additional argument for passing in the credential via a file. However, this leads to a proliferation of command line arguments and still doesn't make it easy to use environment variables.

      It would be better if we took a similar approach to Java's keytool command:

      $ man keytool
             --storepass[:env| :file] argument
                    The password that is used to protect the integrity of the keystore.
                    If the modifier env or file is not specified, then the password has the value argument, which must be at least 6
                    characters long. Otherwise, the password is retrieved as follows:
                    · env: Retrieve the password from the environment variable named argument.
                    · file: Retrieve the password from the file named argument.

      This should be relatively easy to support, especially for the long argument form, by simply updating the ArgumentParser code to detect arguments of the form "xxx:env" or "xxx:file" in com.forgerock.opendj.cli.ArgumentParser#parseArgumentWithLongId(). We may be able to also support this format for single character arguments, but only for non-boolean arguments where the argument value is separated from the argument name with a space.

      Once this issue is complete it should be possible to deprecate all file based arguments as well as the com.forgerock.opendj.cli.FileBasedArgument itself.
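      The parsing rule proposed above, as an added example. This is not OpenDJ's ArgumentParser code; it is a stand-alone Python sketch of the same idea: a long argument "--name[:env|:file] value" (or "--name[:env|:file]=value"), and a short argument "-x[:env|:file] value" only in the space-separated, non-boolean form. The tool definition (SPECS), the argument names such as bindPassword / -w, the environment variable names and the secrets are all constructed for illustration.

```python
"""Added example (not OpenDJ's ArgumentParser): a minimal parser that accepts
keytool-style --name[:env|:file] value modifiers for secret arguments.
The SPECS table, argument names and sample secrets are constructed."""
import os
import tempfile
from dataclasses import dataclass
from typing import Dict, List, Mapping, Optional, Tuple

MODIFIERS = ("env", "file")


class ArgumentError(ValueError):
    """Raised for malformed command lines or unresolvable secrets."""


@dataclass(frozen=True)
class ArgSpec:
    long_id: str
    short_id: Optional[str] = None
    takes_value: bool = True  # boolean flags take neither a value nor a modifier


# Hypothetical tool definition; the names loosely follow DJ CLI conventions.
SPECS = [
    ArgSpec("bindPassword", "w"),
    ArgSpec("keyStorePin", "W"),
    ArgSpec("hostname", "h"),
    ArgSpec("verbose", "v", takes_value=False),
]


def resolve_value(modifier: Optional[str], raw: str, where: str,
                  environ: Mapping[str, str]) -> str:
    """Turn the raw command-line token into the argument value."""
    if modifier is None:
        return raw  # literal value: visible in ps output and shell history
    if modifier == "env":
        try:
            return environ[raw]
        except KeyError:
            raise ArgumentError(f"{where}: environment variable {raw!r} is not set") from None
    if modifier == "file":
        try:
            with open(raw, encoding="utf-8") as fh:
                data = fh.read()
        except OSError as exc:
            raise ArgumentError(f"{where}: cannot read {raw!r}: {exc.strerror}") from None
        # Editors append a newline; strip line terminators so the secret does
        # not silently gain a trailing "\n" (a classic "wrong password" bug).
        return data.rstrip("\r\n")
    raise ArgumentError(f"{where}: unknown modifier {modifier!r}, expected one of {MODIFIERS}")


def parse_args(specs: List[ArgSpec], argv: List[str],
               environ: Optional[Mapping[str, str]] = None
               ) -> Tuple[Dict[str, object], List[str]]:
    """Parse argv into ({long_id: value}, positional_args)."""
    environ = os.environ if environ is None else environ
    by_long = {s.long_id: s for s in specs}
    by_short = {s.short_id: s for s in specs if s.short_id}
    values: Dict[str, object] = {}
    positional: List[str] = []
    i = 0
    while i < len(argv):
        tok = argv[i]
        if tok == "--":  # end of options
            positional.extend(argv[i + 1:])
            break
        inline = None
        if tok.startswith("--") and len(tok) > 2:
            body, sep, inline_val = tok[2:].partition("=")  # --name[:mod]=value
            table = by_long
            if sep:
                inline = inline_val
        elif tok.startswith("-") and len(tok) > 1:
            body, table = tok[1:], by_short  # -x[:mod] value, space-separated only
        else:
            positional.append(tok)
            i += 1
            continue
        name, _, modifier = body.partition(":")  # "bindPassword:env" -> name + modifier
        modifier = modifier or None
        spec = table.get(name)
        if spec is None:
            raise ArgumentError(f"unknown argument {tok!r}")
        if not spec.takes_value:
            if modifier is not None or inline is not None:
                raise ArgumentError(f"{tok}: {spec.long_id!r} takes no value")
            values[spec.long_id] = True
            i += 1
            continue
        if inline is not None:
            raw, step = inline, 1
        elif i + 1 < len(argv):
            raw, step = argv[i + 1], 2
        else:
            raise ArgumentError(f"{tok}: missing value")
        values[spec.long_id] = resolve_value(modifier, raw, tok, environ)
        i += step
    return values, positional


def demo() -> Tuple[str, str, str, bool]:
    """Constructed scenario: one secret in a 0600 file, one in an env var."""
    env = {"DJ_BIND_PW": "env-s3cret"}
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "bind.pw")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write("file-s3cret\n")  # trailing newline, as an editor leaves it
        os.chmod(path, 0o600)  # keep the secret file private to the owner
        from_file, _ = parse_args(SPECS, ["--bindPassword:file", path], env)
        from_env, _ = parse_args(SPECS, ["-w:env", "DJ_BIND_PW"], env)
        literal, _ = parse_args(SPECS, ["--bindPassword=literal", "-v"], env)
    return (from_file["bindPassword"], from_env["bindPassword"],
            literal["bindPassword"], literal["verbose"])


if __name__ == "__main__":
    print(demo())
```

      Two caveats worth keeping in mind when implementing this for real: with ":env" only the variable name appears in the argument list, but a process's environment is still readable by the same user (for example via /proc/<pid>/environ on Linux), so a 0600 file is the stronger option on a shared host; and a file-based value should have its trailing line terminator stripped, otherwise a password saved with an editor will fail authentication with no obvious cause.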


Ondrej Fuchsik
Matthew Swift
Dev Assignee: Cedric Tran-Xuan
QA Assignee: Ondrej Fuchsik