
Add a credential helper for gopass

Open sudoforge opened this issue 6 years ago • 6 comments

Background Information

gopass is a rewrite of pass written in Go. It provides a very similar interface to zx2c4's pass, while adding some additional functionality that helps when using the password manager within team or multi-team environments, such as mounting external stores, encrypting different blobs for different recipients, etc.

It has a configuration file, located at $XDG_CONFIG_HOME/gopass/config.yml, example below:

root:
  askformore: false
  autoclip: true
  autoimport: true
  autosync: true
  check_recipient_hash: false
  cliptimeout: 45
  concurrency: 1
  editrecipients: false
  nocolor: false
  noconfirm: false
  nopager: false
  notifications: true
  path: gpgcli-gitcli-fs+file:///home/username/code/src/github.com/username/my-personal-store
  recipient_hash: {}
  safecontent: false
  usesymbols: false
mounts:
  work:
    askformore: false
    autoclip: true
    autoimport: true
    autosync: true
    check_recipient_hash: false
    cliptimeout: 45
    concurrency: 1
    editrecipients: false
    nocolor: false
    noconfirm: false
    nopager: false
    notifications: true
    path: gpgcli-gitcli-fs+file:///home/username/code/src/git.company.com/username/my-work-store
    recipient_hash: {}
    safecontent: false
    usesymbols: false

The root dictionary, above, holds the configuration for the root ("default") store. The mounts list provides zero or more dictionaries for additional stores which are "mounted" at the top-level name (the mount's name). For example, with the above configuration:

$ gopass foo

would attempt to access and decrypt foo.gpg in /home/username/code/src/github.com/username/my-personal-store, and

$ gopass work/foo

would attempt to access and decrypt foo.gpg in /home/username/code/src/git.company.com/username/my-work-store.


Proposal

I personally switched over to gopass some time ago, as I found it more intuitive than pass when I began managing passwords for clients and other organizations. It would be great to have a credential helper that interfaced with gopass. I currently utilize pass only because it is the only available credential helper that appeals to me; I would like to remove this dependency and utilize the password manager I use for everything else.

Note: I'm drafting this issue here, but fully plan on contributing to the project and writing this helper myself within the next few weeks. If this would be ill received, please advise.

sudoforge avatar Mar 29 '19 21:03 sudoforge

How different is the gopass cli interface from pass? I was going through https://github.com/docker/docker-credential-helpers/blob/master/pass/pass_linux.go and it seems that the helper just invokes the pass command.

Was wondering if a symlink that points /usr/bin/pass to /usr/bin/gopass would work?

captn3m0 avatar Apr 09 '19 21:04 captn3m0

@captn3m0 It's not all that different, and at the core, for a user with one password store and who doesn't store additional metadata within it, /usr/bin/pass and /usr/bin/gopass are fairly interchangeable. The difference mostly lies in the fact that gopass supports the management of additional, external "mounts" - separate, unrelated repositories (see my example in the original issue comment); additionally, metadata can be stored/accessed within any particular entry:

$ gopass foo
mysupersucretpassword
username: sudoforge
favorite_color: green

$ gopass foo favorite_color
green

Personally, I'd prefer if the gopass credential helper allowed for the specification of an entry to use - if such an entry is provided, then the token is stored and accessed as metadata, rather than generating one or more new entries altogether.

On a side note from that, I've noticed (but not yet opened or searched existing issues for) several bugs in the pass implementation as it exists today -- so even if it would work, I wouldn't want to reimplement it for gopass or use it to support gopass - although it can serve as a good base or example to start from.

sudoforge avatar Apr 09 '19 21:04 sudoforge
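As an added example (not code from docker-credential-helpers or gopass), the following Go program sketches the credential helper sudoforge is asking for. It speaks the docker credential-helper protocol (the action as argv[1], the payload on stdin, JSON with the fields ServerURL, Username and Secret) and maps each registry to a gopass entry under an assumed `docker/<registry>` prefix, storing the token as the entry's first line and the username as a `username:` metadata line, the layout shown in the comment above. The gopass invocation is behind an injectable `Runner` so the logic can be exercised against an in-memory fake; the flags used for the real binary (`insert -f -m`, `show -f`, `rm -f`) and the entry naming are assumptions of this example.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"os"
	"os/exec"
	"strings"
)

// Credentials mirrors the JSON the docker CLI exchanges with a credential helper.
type Credentials struct {
	ServerURL string
	Username  string
	Secret    string
}

// Runner executes gopass with the given arguments, feeding stdin, and returns stdout.
// It is injectable so the helper can be tested without a real store.
type Runner func(stdin string, args ...string) (string, error)

// ExecGopass is the real Runner: it shells out to the gopass binary on PATH.
func ExecGopass(stdin string, args ...string) (string, error) {
	cmd := exec.Command("gopass", args...)
	cmd.Stdin = strings.NewReader(stdin)
	out, err := cmd.Output()
	return string(out), err
}

// GopassHelper keeps one entry per registry below Prefix (assumed layout: "docker/<registry>").
type GopassHelper struct {
	Prefix string
	Run    Runner
}

// entryName turns a registry URL into a gopass entry path; "/" would otherwise create sub-folders.
func (h GopassHelper) entryName(serverURL string) string {
	return h.Prefix + "/" + strings.ReplaceAll(serverURL, "/", "_")
}

// Add writes the secret on line one and the username as metadata (assumed flags: insert -f -m).
func (h GopassHelper) Add(c *Credentials) error {
	if c.ServerURL == "" || c.Username == "" || c.Secret == "" {
		return errors.New("missing server URL, username or secret")
	}
	body := c.Secret + "\nusername: " + c.Username + "\n"
	_, err := h.Run(body, "insert", "-f", "-m", h.entryName(c.ServerURL))
	return err
}

// Get reads the entry back (assumed flag: show -f) and splits secret from metadata.
func (h GopassHelper) Get(serverURL string) (user, secret string, err error) {
	out, err := h.Run("", "show", "-f", h.entryName(serverURL))
	if err != nil {
		return "", "", err
	}
	secret, meta := ParseEntry(out)
	user, ok := meta["username"]
	if !ok {
		return "", "", errors.New("entry has no username metadata")
	}
	return user, secret, nil
}

// Delete removes the registry's entry (assumed flag: rm -f).
func (h GopassHelper) Delete(serverURL string) error {
	_, err := h.Run("", "rm", "-f", h.entryName(serverURL))
	return err
}

// ParseEntry implements the layout from the thread: line one is the password,
// every following "key: value" line is metadata. Lines without a colon are skipped.
func ParseEntry(raw string) (secret string, meta map[string]string) {
	meta = map[string]string{}
	lines := strings.Split(strings.TrimRight(raw, "\n"), "\n")
	secret = lines[0]
	for _, l := range lines[1:] {
		if k, v, ok := strings.Cut(l, ":"); ok {
			meta[strings.TrimSpace(k)] = strings.TrimSpace(v)
		}
	}
	return secret, meta
}

// Serve handles one protocol round: "store" gets JSON on stdin, "get" and "erase" get the
// bare server URL; "get" answers with JSON on stdout.
func Serve(h GopassHelper, action string, in io.Reader, out io.Writer) error {
	payload, err := io.ReadAll(in)
	if err != nil {
		return err
	}
	server := strings.TrimSpace(string(payload))
	switch action {
	case "store":
		var c Credentials
		if err := json.Unmarshal(payload, &c); err != nil {
			return err
		}
		return h.Add(&c)
	case "get":
		user, secret, err := h.Get(server)
		if err != nil {
			return err
		}
		return json.NewEncoder(out).Encode(Credentials{ServerURL: server, Username: user, Secret: secret})
	case "erase":
		return h.Delete(server)
	}
	return fmt.Errorf("unknown action %q", action)
}

func main() {
	if len(os.Args) != 2 {
		fmt.Fprintln(os.Stderr, "usage: docker-credential-gopass <store|get|erase>")
		os.Exit(1)
	}
	if err := Serve(GopassHelper{Prefix: "docker", Run: ExecGopass}, os.Args[1], os.Stdin, os.Stdout); err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
}
```

Built as `docker-credential-gopass` and placed on PATH, it would be selected with `"credsStore": "gopass"` in the docker config, the same way the existing pass helper is. Because the secret is never passed on the command line (only via stdin and the entry body), it does not show up in process listings or shell history.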

There are some slight command-line argument incompatibilities. It still can be used almost as-is, by using a simple compatibility wrapper installed as pass:

#!/usr/bin/env bash
if [[ $1 == "--clip" ]]; then
    # xmonad pass prompt
    exec gopass show "$@"
elif [[ $1 == "ls" && $# == 1 ]]; then
    # proton-bridge
    # no fancy chars in output
    exec gopass ls -f
elif [[ $1 == "rm" && $2 == "-rf" ]]; then
    # proton-bridge
    # `-rf` as single arg is not supported, split them in 2
    shift 2
    exec gopass rm -r -f "$@"
else
    exec gopass "$@"
fi

binarin avatar Dec 14 '21 09:12 binarin

I had trouble getting docker-credential-pass to work with podman and gopass, even after adding @binarin's script above to my $PATH as pass.

To make it work, I had to:

  1. Add credential-helpers = [ "pass" ] to /etc/containers/registries.conf.d/gopass.conf
  2. ln -s ~/.local/share/gopass/stores/root ~/.password-store. See https://github.com/docker/docker-credential-helpers/blob/master/pass/pass.go#L106

alexisph avatar Jan 29 '22 20:01 alexisph

To make it work, I had to:

  1. ln -s ~/.local/share/gopass/stores/root ~/.password-store. See https://github.com/docker/docker-credential-helpers/blob/master/pass/pass.go#L106

You could set PASSWORD_STORE_DIR instead of keeping that symlink around.

sudoforge avatar Jan 29 '22 20:01 sudoforge