creds: Add ImportCredential=

[thirdparty/systemd.git] / src / ask-password / ask-password.c

diff --git a/src/ask-password/ask-password.c b/src/ask-password/ask-password.c
index 6b89f57e1b71a8ebc9b5a4d71b62a85a71f8e518..b45842f1cbc3df5a09c0f3d8e76d6bfc0c0002b8 100644 (file)
--- a/src/ask-password/ask-password.c
+++ b/src/ask-password/ask-password.c
@@ -6,21 +6,26 @@
 #include <unistd.h>
 
 #include "ask-password-api.h"
-#include "def.h"
+#include "build.h"
+#include "constants.h"
 #include "log.h"
 #include "macro.h"
 #include "main-func.h"
+#include "parse-argument.h"
 #include "pretty-print.h"
 #include "strv.h"
+#include "terminal-util.h"
 
 static const char *arg_icon = NULL;
-static const char *arg_id = NULL;
-static const char *arg_keyname = NULL;
+static const char *arg_id = NULL;               /* identifier for 'ask-password' protocol */
+static const char *arg_key_name = NULL;         /* name in kernel keyring */
+static const char *arg_credential_name = NULL;  /* name in $CREDENTIALS_DIRECTORY directory */
 static char *arg_message = NULL;
 static usec_t arg_timeout = DEFAULT_TIMEOUT_USEC;
 static bool arg_multiple = false;
 static bool arg_no_output = false;
 static AskPasswordFlags arg_flags = ASK_PASSWORD_PUSH_CACHE;
+static bool arg_newline = true;
 
 STATIC_DESTRUCTOR_REGISTER(arg_message, freep);
 
@@ -32,21 +37,32 @@ static int help(void) {
         if (r < 0)
                 return log_oom();
 
-        printf("%s [OPTIONS...] MESSAGE\n\n"
-               "Query the user for a system passphrase, via the TTY or an UI agent.\n\n"
+        printf("%1$s [OPTIONS...] MESSAGE\n\n"
+               "%3$sQuery the user for a system passphrase, via the TTY or an UI agent.%4$s\n\n"
                "  -h --help           Show this help\n"
                "     --icon=NAME      Icon name\n"
                "     --id=ID          Query identifier (e.g. \"cryptsetup:/dev/sda5\")\n"
                "     --keyname=NAME   Kernel key name for caching passwords (e.g. \"cryptsetup\")\n"
+               "     --credential=NAME\n"
+               "                      Credential name for ImportCredential=, LoadCredential= or\n"
+               "                      SetCredential= credentials\n"
                "     --timeout=SEC    Timeout in seconds\n"
-               "     --echo           Do not mask input (useful for usernames)\n"
+               "     --echo=yes|no|masked\n"
+               "                      Control whether to show password while typing (echo)\n"
+               "  -e --echo           Equivalent to --echo=yes\n"
+               "     --emoji=yes|no|auto\n"
+               "                      Show a lock and key emoji\n"
                "     --no-tty         Ask question via agent even on TTY\n"
                "     --accept-cached  Accept cached passwords\n"
                "     --multiple       List multiple passwords if available\n"
                "     --no-output      Do not print password to standard output\n"
-               "\nSee the %s for details.\n",
+               "  -n                  Do not suffix password written to standard output with\n"
+               "                      newline\n"
+               "\nSee the %2$s for details.\n",
                program_invocation_short_name,
-               link);
+               link,
+               ansi_highlight(),
+               ansi_normal());
 
         return 0;
 }
@@ -56,7 +72,7 @@ static int parse_argv(int argc, char *argv[]) {
         enum {
                 ARG_ICON = 0x100,
                 ARG_TIMEOUT,
-                ARG_ECHO,
+                ARG_EMOJI,
                 ARG_NO_TTY,
                 ARG_ACCEPT_CACHED,
                 ARG_MULTIPLE,
@@ -64,6 +80,7 @@ static int parse_argv(int argc, char *argv[]) {
                 ARG_KEYNAME,
                 ARG_NO_OUTPUT,
                 ARG_VERSION,
+                ARG_CREDENTIAL,
         };
 
         static const struct option options[] = {
@@ -71,22 +88,31 @@ static int parse_argv(int argc, char *argv[]) {
                 { "version",       no_argument,       NULL, ARG_VERSION       },
                 { "icon",          required_argument, NULL, ARG_ICON          },
                 { "timeout",       required_argument, NULL, ARG_TIMEOUT       },
-                { "echo",          no_argument,       NULL, ARG_ECHO          },
+                { "echo",          optional_argument, NULL, 'e'               },
+                { "emoji",         required_argument, NULL, ARG_EMOJI         },
                 { "no-tty",        no_argument,       NULL, ARG_NO_TTY        },
                 { "accept-cached", no_argument,       NULL, ARG_ACCEPT_CACHED },
                 { "multiple",      no_argument,       NULL, ARG_MULTIPLE      },
                 { "id",            required_argument, NULL, ARG_ID            },
                 { "keyname",       required_argument, NULL, ARG_KEYNAME       },
                 { "no-output",     no_argument,       NULL, ARG_NO_OUTPUT     },
+                { "credential",    required_argument, NULL, ARG_CREDENTIAL    },
                 {}
         };
 
-        int c;
+        const char *emoji = NULL;
+        int c, r;
 
         assert(argc >= 0);
         assert(argv);
 
-        while ((c = getopt_long(argc, argv, "h", options, NULL)) >= 0)
+        /* Note the asymmetry: the long option --echo= allows an optional argument, the short option does
+         * not. */
+
+        /* Resetting to 0 forces the invocation of an internal initialization routine of getopt_long()
+         * that checks for GNU extensions in optstring ('-' or '+' at the beginning). */
+        optind = 0;
+        while ((c = getopt_long(argc, argv, "+hen", options, NULL)) >= 0)
 
                 switch (c) {
 
@@ -101,14 +127,32 @@ static int parse_argv(int argc, char *argv[]) {
                         break;
 
                 case ARG_TIMEOUT:
-                        if (parse_sec(optarg, &arg_timeout) < 0)
-                                return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
-                                                       "Failed to parse --timeout parameter %s",
-                                                       optarg);
+                        r = parse_sec(optarg, &arg_timeout);
+                        if (r < 0)
+                                return log_error_errno(r, "Failed to parse --timeout= parameter: %s", optarg);
+
+                        break;
+
+                case 'e':
+                        if (!optarg) {
+                                /* Short option -e is used, or no argument to long option --echo= */
+                                arg_flags |= ASK_PASSWORD_ECHO;
+                                arg_flags &= ~ASK_PASSWORD_SILENT;
+                        } else if (isempty(optarg) || streq(optarg, "masked"))
+                                /* Empty argument or explicit string "masked" for default behaviour. */
+                                arg_flags &= ~(ASK_PASSWORD_ECHO|ASK_PASSWORD_SILENT);
+                        else {
+                                r = parse_boolean_argument("--echo=", optarg, NULL);
+                                if (r < 0)
+                                        return r;
+
+                                SET_FLAG(arg_flags, ASK_PASSWORD_ECHO, r);
+                                SET_FLAG(arg_flags, ASK_PASSWORD_SILENT, !r);
+                        }
                         break;
 
-                case ARG_ECHO:
-                        arg_flags |= ASK_PASSWORD_ECHO;
+                case ARG_EMOJI:
+                        emoji = optarg;
                         break;
 
                 case ARG_NO_TTY:
@@ -128,24 +172,50 @@ static int parse_argv(int argc, char *argv[]) {
                         break;
 
                 case ARG_KEYNAME:
-                        arg_keyname = optarg;
+                        arg_key_name = optarg;
                         break;
 
                 case ARG_NO_OUTPUT:
                         arg_no_output = true;
                         break;
 
+                case ARG_CREDENTIAL:
+                        arg_credential_name = optarg;
+                        break;
+
+                case 'n':
+                        arg_newline = false;
+                        break;
+
                 case '?':
                         return -EINVAL;
 
                 default:
-                        assert_not_reached("Unhandled option");
+                        assert_not_reached();
                 }
 
+        if (isempty(emoji) || streq(emoji, "auto"))
+                SET_FLAG(arg_flags, ASK_PASSWORD_HIDE_EMOJI, FLAGS_SET(arg_flags, ASK_PASSWORD_ECHO));
+        else {
+                r = parse_boolean_argument("--emoji=", emoji, NULL);
+                if (r < 0)
+                         return r;
+
+                SET_FLAG(arg_flags, ASK_PASSWORD_HIDE_EMOJI, !r);
+        }
+
         if (argc > optind) {
                 arg_message = strv_join(argv + optind, " ");
                 if (!arg_message)
                         return log_oom();
+        } else if (FLAGS_SET(arg_flags, ASK_PASSWORD_ECHO)) {
+                /* By default ask_password_auto() will query with the string "Password: ", which is not right
+                 * when full echo is on, since then it's unlikely a password. Let's hence default to a less
+                 * confusing string in that case. */
+
+                arg_message = strdup("Input:");
+                if (!arg_message)
+                        return log_oom();
         }
 
         return 1;
@@ -154,7 +224,6 @@ static int parse_argv(int argc, char *argv[]) {
 static int run(int argc, char *argv[]) {
         _cleanup_strv_free_erase_ char **l = NULL;
         usec_t timeout;
-        char **p;
         int r;
 
         log_show_color(true);
@@ -170,13 +239,19 @@ static int run(int argc, char *argv[]) {
         else
                 timeout = 0;
 
-        r = ask_password_auto(arg_message, arg_icon, arg_id, arg_keyname, timeout, arg_flags, &l);
+        r = ask_password_auto(arg_message, arg_icon, arg_id, arg_key_name, arg_credential_name ?: "password", timeout, arg_flags, &l);
         if (r < 0)
                 return log_error_errno(r, "Failed to query password: %m");
 
         STRV_FOREACH(p, l) {
-                if (!arg_no_output)
-                        puts(*p);
+                if (!arg_no_output) {
+                        if (arg_newline)
+                                puts(*p);
+                        else
+                                fputs(*p, stdout);
+                }
+
+                fflush(stdout);
 
                 if (!arg_multiple)
                         break;