
Feature request: pass cacert and tls-client-cert content as environment variables #1926

Closed
mcnilz opened this issue Aug 3, 2018 · 10 comments · Fixed by #4384
Labels
category: user interface help: good first issue easy issue to get started with for beginners (both Go and restic) help: wanted type: feature suggestion suggesting a new feature

Comments

@mcnilz

mcnilz commented Aug 3, 2018

Output of restic version

restic 0.9.0 compiled with go1.10.2 on linux/amd64
restic 0.9.0 compiled with go1.10.2 on freebsd/amd64

What should restic do differently? Which functionality do you think we should add?

Instead of --cacert and --tls-client-cert it should be possible to pass the certificate content (not the filenames) as environment variables.

What are you trying to do?

I want to write a bash script to run restic connecting to rclone that contains all credentials needed to connect. Right now I am creating temporary files with the certs. That is a bit ugly.

Did restic help you or make you happy in any way?

I love restic (and rclone). I was very happy when I found it. Just a single working binary. No python dependencies. The feature set is awesome 👍

@MichaelEischer
Member

As a relatively convenient workaround it should be possible to use process substitution like this: restic --cacert <(echo $RESTIC_CACERT) ...

@mcnilz
Author

mcnilz commented Oct 6, 2020

It is not secure to pass credentials as parameters on command line because other processes/users can see them on the process list (ps).

@MichaelEischer
Member

MichaelEischer commented Oct 6, 2020

With the process substitution restic gets a file name like /dev/fd/63 into which a child shell executing echo $RESTIC_CACERT writes. And from what I see, bash does not pass command line arguments to its child shell. So I don't see where this would create a security problem.

@smlx
Contributor

smlx commented Oct 6, 2020

The other problem with process substitution is that it is not part of POSIX shell, so only works in bash (and possibly zsh etc.).

@stephan2012

In my use case, I run restic in a Kubernetes cluster and also provide a deployment that offers a kind of restic shell for convenient interactive restores. Here, it would be helpful to accept the CA certificate as an environment variable so the user does not have to manually pass the --cacert option.

@MichaelEischer MichaelEischer added help: wanted help: good first issue easy issue to get started with for beginners (both Go and restic) labels Aug 20, 2022
@root-ali

Hi @MichaelEischer,
can I work on this issue?

@MichaelEischer
Member

@root-ali Sure, go ahead.

@arjunajesh
Contributor

@root-ali Are you still working on this?
If not, I would like to work on this issue, @MichaelEischer.

To be clear, the environment variable should contain the contents of the certificate rather than the file, correct? I noticed that the --cacert flag takes multiple certificate files. In the case of multiple certificates, how should the env variable store and separate the contents of multiple certs?

@MichaelEischer
Member

To be clear, the environment variable should contain the contents of the certificate rather than the file, correct?

Hmm, my search for other software that reads the certificate directly from an environment variable barely provided any results. So I'm wondering whether it's a good idea to support passing the content of these files via an environment variable.

Just passing the filename via an environment variable would be the much easier option and should also address some of the use cases. I think it would be enough to at least solve the use case of @stephan2012.

In the case of multiple certificates, how should the env variable store and separate the contents of multiple certs?

It's possible to concatenate multiple certificates into a single file. The certificate parsing currently uses pool.AppendCertsFromPEM(b) for each file, which is able to handle multiple certificates at once.
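The two points made above (a single file or variable can carry several concatenated PEM certificates because AppendCertsFromPEM consumes every block, and passing a file path is the simpler variant) as an added Go example; this is not restic's code. The helper names loadCACerts, caPoolFromFile and selfSignedCA, and the variable name RESTIC_CACERT, are assumptions for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"math/big"
	"os"
	"time"
)

// loadCACerts uses AppendCertsFromPEM as named in the thread: it consumes every
// CERTIFICATE block, so one file or variable can hold several CAs. The block
// count is returned; a value that is not PEM (e.g. a path) is rejected rather
// than silently yielding an empty pool that would trust nothing.
func loadCACerts(pemData []byte) (*x509.CertPool, int, error) {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(pemData) {
		return nil, 0, errors.New("no CA certificate found in PEM data")
	}
	n := 0
	for b, rest := pem.Decode(pemData); b != nil; b, rest = pem.Decode(rest) {
		if b.Type == "CERTIFICATE" {
			n++
		}
	}
	return pool, n, nil
}

// caPoolFromFile is the "path in an environment variable" variant the thread
// leans towards; call it with os.Getenv("RESTIC_CACERT") (name assumed).
func caPoolFromFile(path string) (*x509.CertPool, int, error) {
	data, err := os.ReadFile(path)
	if err != nil {
		return nil, 0, err
	}
	return loadCACerts(data)
}

// selfSignedCA builds a throwaway CA certificate so the example runs offline.
func selfSignedCA(cn string) []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}
```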

@arjunajesh
Contributor

I've implemented this feature and I have created a pull request. However, this is my first time contributing to open source, so I am unsure about how and where to implement test cases for my changes. I am also unsure about the most appropriate location to update the docs. I added just two lines of code that will read two environment variables during initialization.
