Figure out a better way to provide authentication details / credentials

[arvindsv]

• Providing it on the command-line could be insecure.
• Even if provided as environment variables, it might not be ideal.
• Ideally: An auth token, with a granular scope which allows only preflight checks.

[marques-work]

@arvindsv Will add interactive prompts when not all args present — will that do until we finish the token auth work?

[tomzo]

I think env variables are quite convenient and much better than CLI args.
A file with password wouldn't be so bad either as long as user can sustain its permissions at 0600.

How about a solution like hashicorp vault?

User can run vault login which expects some auth method to be used. This generates a temporary token and saves it in something like ~/.vault-token.

For now I guess we could be saving password to a file ~/.gocd-cli-secret, so that user does not have to provide it on each request.

[marques-work]

@tomzo theoretically, we get the environment variables free because we're using the spf13/viper package. I need to write some tests to ensure it works as designed.

We do already support the password files. ./gocd config <config key> stores its values (credentials, base GoCD server url) on disk already, so we don't need to provide in a request. however, it's plaintext (yaml).

[marques-work]

I think one of the ugly things that @arvindsv was pointing out was that by passing credentials as args means they are echoed to the terminal in plain sight, which is not ideal. The other is that the passwords are exposed in plaintext on disk. Auth tokens would reduce these risks.

[marques-work]

For basic auth:

• make password optional.
• if not specified, prompt for password without echoing
• already should support reading from ENV; the appropriate environment variable to set is auth.password

$ env auth.password=mysecretpasswd

For token auth:

• Backend implemented. Wire up front end to allow setting via command
• Implement api call to create tokens as well
• Make gocd accept piped input. Then things like this are possible:

$ <some command to generate token, e.g., curl> | gocd config auth-token -