Add manager password env variable support

2025-10-06 03:35:26 +08:00 · 2024-04-23 10:08:31 +02:00 · 2024-04-23 10:08:31 +02:00 · a012d3fd0f
commit a012d3fd0f
parent 50e6969e57
3 changed files with 8 additions and 11 deletions
--- a/SECURITY.md
+++ b/SECURITY.md
@ -47,5 +47,6 @@ to show actual secrets.

 # NPF-SEC-00009: Manager password in CLI mode

-When using `--show-config --manager-password password`, we should only show unencrypted config if password is set.  
+When using `--show-config` or right click `show unecrypted`, we should only show unencrypted config if password is set.  
+Envivironmnt variable `NPBACKUP_MANAGER_PASSWORD` will be read to verify access.
 Also, when wrong password is entered, we should wait in order to reduce brute force attacks.
--- a/npbackup/main.py
+++ b/npbackup/main.py
@ -238,13 +238,6 @@ This is free software, and you are welcome to redistribute it under certain cond
        required=False,
        help="Show full inherited configuration for current repo",
    )
-    parser.add_argument(
-        "--manager-password",
-        type=str,
-        default=None,
-        required=False,
-        help="Optional manager password when showing config",
-    )
    parser.add_argument(
        "--external-backend-binary",
        type=str,
@ -341,10 +334,11 @@ This is free software, and you are welcome to redistribute it under certain cond
        # NPF-SEC-00009
        # Load an anonymous version of the repo config
        show_encrypted = False
-        if args.manager_password:
+        manager_password = os.environ.get("NPBACKUP_MANAGER_PASSWORD", None)
+        if manager_password:
            __current_manager_password = repo_config.g("__current_manager_password")
            if __current_manager_password:
-                if __current_manager_password == args.manager_password:
+                if __current_manager_password == manager_password:
                    show_encrypted = True
                else:
                    # NPF-SEC
--- a/npbackup/gui/config.py
+++ b/npbackup/gui/config.py
@ -1834,7 +1834,9 @@ def config_gui(full_config: dict, config_file: str):
            manager_password = configuration.get_manager_password(
                full_config, object_name
            )
-            if ask_manager_password(manager_password):
+            # NPF-SEC-00009
+            env_manager_password = os.environ.get("NPBACKUP_MANAGER_PASSWORD", None)
+            if (env_manager_password and env_manager_password == manager_password) or ask_manager_password(manager_password):
                update_object_gui(values["-OBJECT-SELECT-"], unencrypted=True)
                update_global_gui(full_config, unencrypted=True)
            continue