From a012d3fd0fe6c839c5709740b774b86b50798515 Mon Sep 17 00:00:00 2001
From: deajan
Date: Tue, 23 Apr 2024 10:08:31 +0200
Subject: [PATCH] Add manager password env variable support

---
 SECURITY.md | 3 ++-
 npbackup/__main__.py | 12 +++---------
 npbackup/gui/config.py | 4 +++-
 3 files changed, 8 insertions(+), 11 deletions(-)

diff --git a/SECURITY.md b/SECURITY.md
index 2c7d6fe..89d774c 100644
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -47,5 +47,6 @@ to show actual secrets.
 # NPF-SEC-00009: Manager password in CLI mode
-When using `--show-config --manager-password password`, we should only show unencrypted config if password is set.
+When using `--show-config` or right click `show unecrypted`, we should only show unencrypted config if password is set.
+Envivironmnt variable `NPBACKUP_MANAGER_PASSWORD` will be read to verify access.
 Also, when wrong password is entered, we should wait in order to reduce brute force attacks.
\ No newline at end of file
diff --git a/npbackup/__main__.py b/npbackup/__main__.py
index 8d96373..8158955 100644
--- a/npbackup/__main__.py
+++ b/npbackup/__main__.py
@@ -238,13 +238,6 @@ This is free software, and you are welcome to redistribute it under certain cond
 required=False,
 help="Show full inherited configuration for current repo",
 )
- parser.add_argument(
"--manager-password", type=str, default=None, required=False, help="Optional manager password when showing config",
- )
 parser.add_argument(
 "--external-backend-binary",
 type=str,
@@ -341,10 +334,11 @@ This is free software, and you are welcome to redistribute it under certain cond
 # NPF-SEC-00009
 # Load an anonymous version of the repo config
 show_encrypted = False
- if args.manager_password:
+ manager_password = os.environ.get("NPBACKUP_MANAGER_PASSWORD", None)
+ if manager_password:
 __current_manager_password = repo_config.g("__current_manager_password")
 if __current_manager_password:
- if __current_manager_password == args.manager_password:
+ if __current_manager_password == manager_password:
 show_encrypted = True
 else:
 # NPF-SEC
diff --git a/npbackup/gui/config.py b/npbackup/gui/config.py
index 530ac94..359ec9e 100644
--- a/npbackup/gui/config.py
+++ b/npbackup/gui/config.py
@@ -1834,7 +1834,9 @@ def config_gui(full_config: dict, config_file: str):
 manager_password = configuration.get_manager_password(
 full_config, object_name
 )
- if ask_manager_password(manager_password):
+ # NPF-SEC-00009
+ env_manager_password = os.environ.get("NPBACKUP_MANAGER_PASSWORD", None)
+ if (env_manager_password and env_manager_password == manager_password) or ask_manager_password(manager_password):
 update_object_gui(values["-OBJECT-SELECT-"], unencrypted=True)
 update_global_gui(full_config, unencrypted=True)
 continue
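Review bot: The new `if __current_manager_password == manager_password:` line compares a secret with plain string equality; a constant-time check such as `if hmac.compare_digest(__current_manager_password.encode(), manager_password.encode()):` (with `import hmac` in the file's import block) is the usual choice for password verification and costs nothing here. The literal `"NPBACKUP_MANAGER_PASSWORD"` is now repeated verbatim in this file and in `npbackup/gui/config.py`, so one module-level constant shared by both readers would keep them from drifting apart. `os.environ` is used on the added line but no `import os` is visible in this hunk — confirm it is already imported in `__main__.py`. A one-line why-comment next to the environment read would also help future readers, e.g. `# Read from the environment instead of argv so the secret is not visible in process listings` — presumably the reason the `--manager-password` flag was dropped, so worth stating. The enclosing function starts and ends outside the hunk.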
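Review bot: A wrong value in `NPBACKUP_MANAGER_PASSWORD` is handled differently here than in `npbackup/__main__.py`: the new `or` condition silently falls through to `ask_manager_password(manager_password)`, whereas the CLI path lands in its `else:` branch commented `# NPF-SEC` (body outside the hunk), so the SECURITY.md rule about waiting after a wrong password appears to apply to only one entry point — worth either aligning the two or documenting why the GUI differs. The equality test on the added line is also a plain `==` on a secret; a named boolean keeps the over-long line readable and allows a constant-time compare: `env_ok = bool(env_manager_password and manager_password) and hmac.compare_digest(env_manager_password.encode(), manager_password.encode())` followed by `if env_ok or ask_manager_password(manager_password):` (requires `import hmac`). `os` must be imported in this module as well; that is not visible in the hunk. `config_gui` starts and ends outside the hunk.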