feat: support pass cred store #1070

Shubhranshu153 · 2024-08-22T22:03:34Z

Issue #, if available:

Description of changes:
Feature to support pass cred store.

TODO:

Add unit test
Add documentation

Testing done:

Env:

sudo yum install pass -y
curl -fsSL https://github.com/docker/docker-credential-helpers/releases/download/v0.8.2/docker-credential-pass-v0.8.2.linux-amd64 -o docker-credential-pass
chmod +x /usr/local/bin/docker-credential-pass
sudo mv docker-credential-pass /usr/local/bin/

Test:

Initialize Pass: sudo finch pass-init
Config finch at /home/shubhum.linux/.finch/config.json:

{
        "credsStore": "pass"
}

Get Account creds (any account)
Run ECR login: aws ecr get-login-password --region us-west-2 | sudo DOCKER_CONFIG=/home/shubhum.linux/.finch/ ./_output/bin/finch login --username AWS --password-stdin .dkr.ecr.us-west-2.amazonaws.com
Delete Pass: sudo finch pass-delete

I've reviewed the guidance in CONTRIBUTING.md

License Acceptance

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

Signed-off-by: Shubharanshu Mahapatra <shubhum@amazon.com>

pendo324 · 2024-08-23T14:48:42Z

cmd/finch/pass_init_native.go

+)
+
+func (pia *passInitAction) initGpgKey() command.Command {
+	passphrase := pwgen.GeneratePassword(passphraseLength, true)


Since we're not even asking users to enter a passphrase, can't we do this behind the scenes? Should we instead have a mechanism that initializes the cred store whenever a user modifies their creds_helpers to include pass?

deletion is problematic,
i would prefer not taking responsibility of key management, if its done with a command customer has responsibility to manage key lifecycle.

We can still have the commands, but if the commands require 0 user input, I don't see the harm in doing it for them

i still feel if we create it the lifecycle is on us to manage for example key rotation etc. if it is automatically done finch has to won the management of the key.

What's the purpose of key rotation for a key where we don't even care about the password?

if the key is compromised, we probably want to rotate it, and having set time to rotate it probably makes it harder to breach within certain time period.

swagatbora90 · 2024-08-23T18:02:57Z

cmd/finch/pass_init_native.go

+	passphrase := pwgen.GeneratePassword(passphraseLength, true)
+	ecc := command.NewExecCmdCreator()
+	cmd := ecc.Create(
+		"gpg2", "--batch", "--passphrase", passphrase, "--quick-gen-key", "finch")


Does this key expire after some default period?

key doesnt expire, the key creation is owned by the customer so they would need to remove it.

feat: support pass cred store

ee6209b

Signed-off-by: Shubharanshu Mahapatra <shubhum@amazon.com>

pendo324 reviewed Aug 23, 2024

View reviewed changes

swagatbora90 reviewed Aug 23, 2024

View reviewed changes

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

feat: support pass cred store #1070

feat: support pass cred store #1070

Shubhranshu153 commented Aug 22, 2024 •

edited by pendo324

Loading

pendo324 Aug 23, 2024

Shubhranshu153 Aug 23, 2024

pendo324 Aug 23, 2024

Shubhranshu153 Aug 23, 2024

pendo324 Aug 23, 2024

Shubhranshu153 Aug 23, 2024

swagatbora90 Aug 23, 2024

Shubhranshu153 Aug 23, 2024

feat: support pass cred store #1070

Are you sure you want to change the base?

feat: support pass cred store #1070

Conversation

Shubhranshu153 commented Aug 22, 2024 • edited by pendo324 Loading

License Acceptance

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Shubhranshu153 commented Aug 22, 2024 •

edited by pendo324

Loading