Pass vault name and requested password type to askpass process

miquella · Nov 20, 2019 · e122f09 · e122f09
1 parent c719bd2
commit e122f09
Show file tree

Hide file tree

Showing 3 changed files with 21 additions and 6 deletions.
diff --git a/doc/man/vaulted.1 b/doc/man/vaulted.1
@@ -115,6 +115,10 @@ intended to be shown to the user. The askpass implementation then writes the
 password to \fB\fCstdout\fR and returns a success code (0). If a failure code (non\-0)
 is returned, the password input is aborted.
 .PP
+The vault name and requested secret type (password, MFA token etc.) is passed
+to the askpass process in environment variables \fB\fCVAULTED_ENV\fR
+and \fB\fCVAULTED_PASSWORD_TYPE\fR respectively.
+.PP
 Vaulted is intended to integrate seamlessly with existing askpass
 implementations (e.g. \fB\fCssh\-askpass\fR).
 .PP

diff --git a/doc/vaulted.1.md b/doc/vaulted.1.md
@@ -106,6 +106,10 @@ intended to be shown to the user. The askpass implementation then writes the
 password to `stdout` and returns a success code (0). If a failure code (non-0)
 is returned, the password input is aborted.
 
+The vault name and requested secret type (password, MFA token etc.) is passed
+to the askpass process in environment variables `VAULTED_ENV`
+and `VAULTED_PASSWORD_TYPE` respectively.
+
 Vaulted is intended to integrate seamlessly with existing askpass
 implementations (e.g. `ssh-askpass`).
 

diff --git a/steward.go b/steward.go
@@ -55,18 +55,21 @@ func (t *AskPassSteward) GetPassword(operation vaulted.Operation, name string) (
 	switch operation {
 	case vaulted.SealOperation:
 		for firstTry := false; ; firstTry = true {
+			var passwordtype string
 			var prompt string
 			if firstTry {
+				passwordtype = "newpassword"
 				prompt = fmt.Sprintf("'%s' new password: ", name)
 			} else {
+				passwordtype = "newpasswordnomatch"
 				prompt = fmt.Sprintf("'%s' new password (passwords didn't match): ", name)
 			}
-			password, err := t.askpass(prompt)
+			password, err := t.askpass(name, passwordtype, prompt)
 			if err != nil {
 				return "", err
 			}
 
-			confirm, err := t.askpass(fmt.Sprintf("'%s' confirm password: ", name))
+			confirm, err := t.askpass(name, "confirmpassword", fmt.Sprintf("'%s' confirm password: ", name))
 			if err != nil {
 				return "", err
 			}
@@ -77,19 +80,23 @@ func (t *AskPassSteward) GetPassword(operation vaulted.Operation, name string) (
 		}
 
 	case legacy.LegacyOperation:
-		return t.askpass("Legacy Password: ")
+		return t.askpass(name, "legacypassword", "Legacy Password: ")
 
 	default:
-		return t.askpass(fmt.Sprintf("'%s' password: ", name))
+		return t.askpass(name, "password", fmt.Sprintf("'%s' password: ", name))
 	}
 }
 
 func (t *AskPassSteward) GetMFAToken(name string) (string, error) {
-	return t.askpass(fmt.Sprintf("'%s' MFA token: ", name))
+	return t.askpass(name, "mfatoken", fmt.Sprintf("'%s' MFA token: ", name))
 }
 
-func (t *AskPassSteward) askpass(prompt string) (string, error) {
+func (t *AskPassSteward) askpass(name string, passwordtype string, prompt string) (string, error) {
 	cmd := exec.Command(t.Command, prompt)
+	cmd.Env = append(os.Environ(),
+		"VAULTED_ENV=" + name,
+		"VAULTED_PASSWORD_TYPE=" + passwordtype,
+	)
 	output, err := cmd.Output()
 	if err != nil {
 		return "", ErrNoPasswordEntered