WIP WIP WIP

kubernetes · Sep 25, 2023 · 374c838 · 374c838
1 parent 2779555
commit 374c838
Showing 1 changed file with 40 additions and 34 deletions.
diff --git a/main.go b/main.go
@@ -106,7 +106,6 @@ const (
 
 const defaultDirMode = os.FileMode(0775) // subject to umask
 
-// FIXME: should this carry SSH keys?  if so, sub-structs?
 type credential struct {
 	URL          string `json:"url"`
 	Username     string `json:"username"`
@@ -832,21 +831,27 @@ func main() {
 		}
 	}
 
-	if *flPassword != "" && *flPasswordFile != "" {
-		handleConfigError(log, true, "ERROR: only one of --password and --password-file may be specified")
-	}
 	if *flUsername != "" {
 		if *flPassword == "" && *flPasswordFile == "" {
-			handleConfigError(log, true, "ERROR: --password or --password-file must be set when --username is specified")
+			handleConfigError(log, true, "ERROR: --password or --password-file must be specified when --username is specified")
+		}
+		if *flPassword != "" && *flPasswordFile != "" {
+			handleConfigError(log, true, "ERROR: only one of --password and --password-file may be specified")
+		}
+	} else {
+		if *flPassword != "" {
+			handleConfigError(log, true, "ERROR: --password may only be specified when --username is specified")
+		}
+		if *flPasswordFile != "" {
+			handleConfigError(log, true, "ERROR: --password-file may only be specified when --username is specified")
 		}
 	}
 	//FIXME: mutex wih flCredentials?
 
-	credentials := []credential{}
 	if len(*flCredentials) > 0 {
 		for _, cred := range *flCredentials {
 			if cred.URL == "" {
-				//FIXME: can it default to --repo?
+				//FIXME: can it default to --repo?  Then --username can be deprecated
 				handleConfigError(log, true, "ERROR: --credential URL must be specified")
 			}
 			if cred.Username == "" {
@@ -858,8 +863,6 @@ func main() {
 			if cred.Password != "" && cred.PasswordFile != "" {
 				handleConfigError(log, true, "ERROR: only one of --credential password and password-file may be specified")
 			}
-			//FIXME: askpass for this purpose, too?
-			credentials = append(credentials, cred)
 		}
 	}
 
@@ -919,6 +922,17 @@ func main() {
 	absLink := makeAbsPath(*flLink, absRoot)
 	absTouchFile := makeAbsPath(*flTouchFile, absRoot)
 
+	// Merge credential sources.
+	if *flUsername != "" {
+		cred := credential{
+			URL:          *flRepo,
+			Username:     *flUsername,
+			Password:     *flPassword,
+			PasswordFile: *flPasswordFile,
+		}
+		*flCredentials = append([]credential{cred}, (*flCredentials)...)
+	}
+
 	if *flAddUser {
 		if err := addUser(); err != nil {
 			log.Error(err, "ERROR: can't add user")
@@ -965,19 +979,9 @@ func main() {
 		os.Exit(1)
 	}
 
-	// FIXME: merge into flCredentials
-	if *flUsername != "" {
-		if *flPasswordFile != "" {
-			passwordFileBytes, err := os.ReadFile(*flPasswordFile)
-			if err != nil {
-				log.Error(err, "can't read password file", "file", *flPasswordFile)
-				os.Exit(1)
-			}
-			*flPassword = string(passwordFileBytes)
-		}
-	}
-	//FIXME: merge
-	for _, cred := range credentials {
+	// Finish populating credentials.
+	for i := range *flCredentials {
+		cred := &(*flCredentials)[i]
 		if cred.PasswordFile != "" {
 			passwordFileBytes, err := os.ReadFile(cred.PasswordFile)
 			if err != nil {
@@ -1107,14 +1111,8 @@ func main() {
 
 	// Craft a function that can be called to refresh credentials when needed.
 	refreshCreds := func(ctx context.Context) error {
-		//FIXME: still mutually exclusive?
 		// These should all be mutually-exclusive configs.
-		if *flUsername != "" {
-			if err := git.StoreCredentials(ctx, git.repo, *flUsername, *flPassword); err != nil {
-				return err
-			}
-		}
-		for _, cred := range credentials {
+		for _, cred := range *flCredentials {
 			if err := git.StoreCredentials(ctx, cred.URL, cred.Username, cred.Password); err != nil {
 				return err
 			}
@@ -1292,6 +1290,11 @@ func logSafeFlags() []string {
 		arg := fl.Name
 		val := fl.Value.String()
 
+		// Don't log empty values
+		if val == "" {
+			return
+		}
+
 		// Handle --password
 		if arg == "password" {
 			val = redactedString
@@ -1302,11 +1305,14 @@ func logSafeFlags() []string {
 		}
 		// Handle --credential
 		if arg == "credential" {
-			//FIXME: convert the flag to a []credential and blank fields here
-		}
-		// Don't log empty values
-		if val == "" {
-			return
+			slv := *(fl.Value.(*credentialSliceValue)) // make a copy
+			for i := range slv.value {
+				cred := &slv.value[i]
+				if cred.Password != "" {
+					cred.Password = redactedString
+				}
+			}
+			val = slv.String()
 		}
 
 		ret = append(ret, "--"+arg+"="+val)