Avoid exposing passwords in the process list, use a password file.

2024-01-19 21:43:32 +01:00 · 2024-01-19 21:43:32 +01:00 · 57ec856f49
commit 57ec856f49
parent 917b45aadc
7 changed files with 156 additions and 131 deletions
--- a/roles/lmn_vm/files/uploadseed
+++ b/roles/lmn_vm/files/uploadseed
@ -7,24 +7,34 @@ import ssl
 import argparse

 parser = argparse.ArgumentParser(description='Upload a file to the bittorrent seeder.')
-parser.add_argument('--rpc-server', required=True,
-                    help='the RPC server IPaddress:port')
-parser.add_argument('--rpc-secret', required=True,
-                    help='the RPC secret')
+parser.add_argument('--server', required=True,
+                    help="the server address and RPC port like 'IPaddress:port'")
 parser.add_argument('--dht-port', required=True,
                    help='the DHT port the RPC server is listening on')
-parser.add_argument('--no-cert', action='store_true',
-                    help='do not use SSL certificate')
-parser.add_argument('--cert', help='the certificate to use for verification')
-parser.add_argument('file', help='the file to upload')
+pwgrp = parser.add_mutually_exclusive_group(required=True)
+pwgrp.add_argument('--passwd',
+                   help='the RPC secret. Either this or --pwdfile needs to be ' \
+                   'provided')
+pwgrp.add_argument('--pwdfile',
+                   help="file containing the RPC secret in the form " \
+                   "'secret = \"token:SECRET\"'. " \
+                   'Either this or --secret needs to be provided')
+certgrp = parser.add_mutually_exclusive_group(required=True)
+certgrp.add_argument('--no-cert', action='store_true',
+                     help='do not use SSL certificate')
+certgrp.add_argument('--cert', help='the certificate to use for verification')
+parser.add_argument('FILE', help='the file to upload')

 args = parser.parse_args()

-rpcseeder = 'https://' + args.rpc_server + '/rpc'
-secret = 'token:' + args.rpc_secret
-dhtentry = args.rpc_server.split(':')[0] + ':' + args.dht_port
-file2send = args.file
+rpcseeder = 'https://' + args.server + '/rpc'
+dhtentry = args.server.split(':')[0] + ':' + args.dht_port
+file2send = args.FILE
 torrent = '/tmp/' + os.path.basename(file2send) + '.torrent'
+if args.passwd:
+    secret = 'token:' + args.passwd
+else:
+    exec(open(args.pwdfile).read())

 ssl_ctx = ssl.create_default_context()
 if args.no_cert: