Use sensitive output.

Author: lexbritvin

.github/workflows/commit.yml

@@ -22,6 +22,12 @@ jobs:
           make deps build
           ls -lah bin/launchr
           ./bin/launchr keyring:login --url=http://***.git --username="***" --password="***" --keyring-passphrase="***"
+          echo "***" > my_secret
+          ./bin/launchr keyring:login --url=http://***.git --username="***" --password="***" --keyring-passphrase-file="my_secret"
+          
+          LAUNCHR_KEYRING_PASSPHRASE=mypassphrase ./bin/launchr example:shell
+          echo "mypassphrase" > my_secret
+          LAUNCHR_KEYRING_PASSPHRASE_FILE=my_secret ./bin/launchr example:shell
 
   commands-ok:
     name: Ensure main commands do not fail
@@ -39,9 +45,9 @@ jobs:
           whoami
           make deps build
           ls -lah bin/launchr
-          ./bin/launchr keyring:set vaultpass "***" --keyring-passphrase "***"
+          ./bin/launchr keyring:set vaultpass "myvaultpass" --keyring-passphrase "mypassphrase"
           ls -lah .launchr/keyring.yaml.age
-          ./bin/launchr keyring:unset vaultpass --keyring-passphrase "***"
+          ./bin/launchr keyring:unset vaultpass --keyring-passphrase "mypassphrase"
           ls -lah .launchr/keyring.yaml.age
 
   go-linters:

README.md

@@ -12,18 +12,45 @@ launchr login
 
 If an interactive shell is not available, credentials may be provided with flags:
 ```shell
+# Input passphrase directly
 launchr login \
   --url=https://your.gitlab.com \
   --username=USER \
   --password=SECRETPASSWORD \
   --keyring-passphrase=YOURPASSHRPASE
+
+# Get passphrase from a file
+launchr login \
+  --url=https://your.gitlab.com \
+  --username=USER \
+  --password=SECRETPASSWORD \
+  --keyring-passphrase-file=/path/to/your/secret
 ```
 
-Flag `--keyring-passphrase` is available for all launchr commands, for example:
+Flags `--keyring-passphrase` and `--keyring-passphrase-file` are available for all launchr commands, for example:
 ```shell
 launchr compose --keyring-passphrase=YOURPASSHRPASE
+launchr compose --keyring-passphrase-file=/path/to/your/secret
 ```
 
+These flags may be passed as environment variables `LAUNCHR_KEYRING_PASSPHRASE` and `LAUNCHR_KEYRING_PASSPHRASE_FILE`:
+```shell
+LAUNCHR_KEYRING_PASSPHRASE=YOURPASSHRPASE launchr compose
+LAUNCHR_KEYRING_PASSPHRASE_FILE=/path/to/your/secret launchr compose
+```
+
+Flags and environment variables are taken in the following priority:
+1. `--keyring-passphrase`
+2. `LAUNCHR_KEYRING_PASSPHRASE`
+3. `--keyring-passphrase-file`
+4. `LAUNCHR_KEYRING_PASSPHRASE_FILE`
+
+**NB:** If the binary is created with a specific app name like `myappname`, the variable name will change accordingly `MYAPPNAME_KEYRING_PASSPHRASE_FILE`.  
+
+Flag `--keyring-passphrase-file` will also set `LAUNCHR_KEYRING_PASSPHRASE_FILE` for subprocesses.  
+These environment variables are inherited in subprocesses.  
+Using `--keyring-passphrase-file` or `LAUNCHR_KEYRING_PASSPHRASE_FILE` is a preferred way to pass the secret because the secret won't be exposed.
+
 To delete an item from the keyring:
 ```shell
 launchr logout URL

example/actions/shell/action.yaml

@@ -0,0 +1,12 @@
+action:
+  title: test env keyring
+runtime:
+  type: shell
+  script: |
+    echo "Main env:"
+    env | grep "LAUNCHR"
+    {{ .current_bin }} keyring:purge
+    {{ .current_bin }} keyring:set storedsecret "my_secret"
+    echo "Subprocess env:"
+    {{ .current_bin }} example:subshell
+    {{ .current_bin }} keyring:purge

example/actions/subshell/action.yaml

@@ -0,0 +1,13 @@
+action:
+  title: test env keyring
+  options:
+    - name: secret
+      process:
+        - processor: keyring.GetKeyValue
+          options:
+            key: storedsecret
+runtime:
+  type: shell
+  script: |
+    env | grep "LAUNCHR"
+    echo "My secret from keyring: {{ .secret }}"

file.go

@@ -7,6 +7,7 @@ import (
 	"strings"
 
 	"filippo.io/age"
+
 	"github.com/launchrctl/launchr"
 )
 

go.mod

@@ -6,7 +6,7 @@ toolchain go1.23.4
 
 require (
 	filippo.io/age v1.2.1
-	github.com/launchrctl/launchr v0.18.0
+	github.com/launchrctl/launchr v0.18.3-0.20250316225153-b280479eabd0
 	github.com/stretchr/testify v1.10.0
 	golang.org/x/term v0.29.0
 	gopkg.in/yaml.v3 v3.0.1

go.sum

@@ -230,6 +230,8 @@ github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
 github.com/launchrctl/launchr v0.18.0 h1:Kp5iguwl5rx1qo2M3A2eMlhTeefgL5UDKFzP/7B45UE=
 github.com/launchrctl/launchr v0.18.0/go.mod h1:hhJSGcxn1FhD267u0JfNu6u65naTQAVxElnqUTY9nag=
+github.com/launchrctl/launchr v0.18.3-0.20250316225153-b280479eabd0 h1:cOlcoOCphR/qR0Fw2/W8xjbFHF0kuYbRnIZ6M8CXosI=
+github.com/launchrctl/launchr v0.18.3-0.20250316225153-b280479eabd0/go.mod h1:hhJSGcxn1FhD267u0JfNu6u65naTQAVxElnqUTY9nag=
 github.com/lithammer/fuzzysearch v1.1.8 h1:/HIuJnjHuXS8bKaiTMeeDlW2/AyIWk2brx1V8LFgLN4=
 github.com/lithammer/fuzzysearch v1.1.8/go.mod h1:IdqeyBClc3FFqSzYq/MXESsS4S0FsZ5ajtkr5xPLts4=
 github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU=

keyring.go

@@ -87,12 +87,14 @@ type keyringService struct {
 	fname string
 	store DataStore
 	cfg   launchr.Config
+	mask  *launchr.SensitiveMask
 }
 
-func newKeyringService(cfg launchr.Config) Keyring {
+func newKeyringService(cfg launchr.Config, mask *launchr.SensitiveMask) Keyring {
 	return &keyringService{
 		fname: cfg.Path(defaultFileYaml),
 		cfg:   cfg,
+		mask:  mask,
 	}
 }
 
@@ -128,7 +130,11 @@ func (k *keyringService) GetForURL(url string) (CredentialsItem, error) {
 	if err != nil {
 		return CredentialsItem{}, err
 	}
-	return s.GetForURL(url)
+	item, err := s.GetForURL(url)
+	if err == nil {
+		k.mask.AddString(item.Password)
+	}
+	return item, err
 }
 
 // GetForKey implements DataStore interface. Uses service default store.
@@ -137,7 +143,11 @@ func (k *keyringService) GetForKey(key string) (KeyValueItem, error) {
 	if err != nil {
 		return KeyValueItem{}, err
 	}
-	return s.GetForKey(key)
+	item, err := s.GetForKey(key)
+	if err == nil {
+		k.mask.AddString(item.Value)
+	}
+	return item, err
 }
 
 // AddItem implements DataStore interface. Uses service default store.

plugin.go

@@ -21,9 +21,15 @@ const (
 	procGetKeyValue   = "keyring.GetKeyValue"
 	errTplNotFoundURL = "%s not found in keyring. Use `%s keyring:login` to add it."
 	errTplNotFoundKey = "%s not found in keyring. Use `%s keyring:set` to add it."
+
+	envVarPassphrase     = launchr.EnvVar("keyring_passphrase")
+	envVarPassphraseFile = launchr.EnvVar("keyring_passphrase_file")
 )
 
-var passphrase string
+var (
+	passphrase     string
+	passphraseFile string
+)
 
 var (
 	//go:embed action.login.yaml
@@ -44,8 +50,9 @@ func init() {
 
 // Plugin is [launchr.Plugin] plugin providing a keyring.
 type Plugin struct {
-	k   Keyring
-	cfg launchr.Config
+	k    Keyring
+	cfg  launchr.Config
+	mask *launchr.SensitiveMask
 }
 
 // PluginInfo implements [launchr.Plugin] interface.
@@ -55,8 +62,9 @@ func (p *Plugin) PluginInfo() launchr.PluginInfo {
 
 // OnAppInit implements [launchr.Plugin] interface.
 func (p *Plugin) OnAppInit(app launchr.App) error {
+	p.mask = app.SensitiveMask()
 	app.GetService(&p.cfg)
-	p.k = newKeyringService(p.cfg)
+	p.k = newKeyringService(p.cfg, p.mask)
 	app.AddService(p.k)
 
 	var m action.Manager
@@ -164,6 +172,20 @@ func (p *Plugin) DiscoverActions(_ context.Context) ([]*action.Action, error) {
 // CobraAddCommands implements [launchr.CobraPlugin] interface to provide keyring functionality.
 func (p *Plugin) CobraAddCommands(rootCmd *launchr.Command) error {
 	rootCmd.PersistentFlags().StringVarP(&passphrase, "keyring-passphrase", "", "", "Passphrase for keyring encryption/decryption")
+	rootCmd.PersistentFlags().StringVarP(&passphraseFile, "keyring-passphrase-file", "", "", "File containing passphrase for keyring encryption/decryption")
+	return nil
+}
+
+// PersistentPreRun implements [launchr.PersistentPreRun] interface.
+func (p *Plugin) PersistentPreRun(_ *launchr.Command, _ []string) error {
+	setPassphrase()
+	// If the passphrase is set with env variables, hide them.
+	if passphraseFile == "" && passphrase != "" {
+		p.mask.AddString(passphrase)
+	}
+	if passphraseFile != "" {
+		p.mask.AddString(passphraseFile)
+	}
 	return nil
 }
 
@@ -310,3 +332,33 @@ func removeKey(k Keyring, key string, all bool) error {
 func purge(k Keyring) error {
 	return k.Destroy()
 }
+
+func setPassphrase() {
+	// Return passphrase if it's already provided.
+	if passphrase != "" {
+		return
+	}
+	// Check env variable for the passphrase.
+	passphrase = envVarPassphrase.Get()
+	if passphrase != "" {
+		return
+	}
+	if envPassFile := envVarPassphraseFile.Get(); passphraseFile == "" && envPassFile != "" {
+		passphraseFile = launchr.MustAbs(envPassFile)
+		// Override to absolute path.
+		_ = envVarPassphraseFile.Set(passphraseFile)
+	}
+
+	// Try to read a secret from a file.
+	if passphraseFile != "" {
+		passphraseFile = launchr.MustAbs(passphraseFile)
+		bytes, err := os.ReadFile(passphraseFile) //nolint:gosec // Filepath checked on previous line.
+		if err != nil {
+			return
+		}
+		passphrase = strings.TrimSpace(string(bytes))
+		// Set env variable for subprocesses.
+		_ = envVarPassphraseFile.Set(passphraseFile)
+		return
+	}
+}

plugin_test.go

@@ -3,6 +3,7 @@ package keyring
 import (
 	"testing"
 
+	"github.com/launchrctl/launchr"
 	"github.com/stretchr/testify/require"
 
 	"github.com/launchrctl/launchr/pkg/action"
@@ -60,6 +61,7 @@ func Test_KeyringProcessor(t *testing.T) {
 	// Prepare services.
 	k := &keyringService{
 		store: &dataStoreYaml{file: &plainFile{fname: "teststorage.yaml"}},
+		mask:  &launchr.SensitiveMask{},
 	}
 	am := action.NewManager()
 	addValueProcessors(am, k)