pass command instead of password in zuliprc #1581
Conversation
|
Hello @Gopinath-Mahendiran, it seems like you have referenced #1502 in your pull request description, but you have not referenced them in your commit message description(s). Referencing an issue in a commit message automatically closes the corresponding issue when the commit is merged, which makes the issue tracker easier to manage. Please run An example of a correctly-formatted commit: To learn how to write a great commit message, please refer to our guide. |
Gopinath-Mahendiran
changed the title
Gopinath-Mahendiran
force-pushed
the
Gopinath-Mahendiran
branch
2 times, most recently
from
c165d04 to
0e5ca88
Compare
zulipbot
added
size: XL
Gopinath-Mahendiran
force-pushed
the
Gopinath-Mahendiran
branch
from
0e5ca88 to
4ea856e
Compare
Gopinath-Mahendiran
force-pushed
the
Gopinath-Mahendiran
branch
from
4ea856e to
a1132b8
Compare
There was a problem hiding this comment.
@Gopinath-Mahendiran It looks like you have the right idea here now 👍
I've left some inline comments, since there are a few adjustments still to be made, but it's easier to point them out in the code now.
We can include this only in Terminal, but as Tim said, you could add it to the general Zulip python library instead. That would of course affect where the initial changes are made - but we could still document how it works for those using it in Terminal as a follow-up here, or perhaps wrap options in command-line flags.
You've updated some test code to match the code, but where you've added code it'd be useful to have new tests to demonstrate the functionality. I may have missed that - the last commit is rather large and full of unrelated changes.
zulipterminal/core.py
Outdated
| @@ -137,6 +139,25 @@ def raise_exception_in_main_thread( | |||
| self._exception_info = exc_info | |||
| self._critical_exception = critical | |||
| os.write(self._exception_pipe, b"1") | |||
|
|
|||
| def get_api_key(self,config_file: str) -> Optional[str]: | |||
There was a problem hiding this comment.
If we're including this in the Terminal app, this should be integrated into the existing code in run.py, where we handle elements in the config file.
Alternatively, as discussed on chat.zulip.org, you could add this to the zulip package in the python-zulip-api repository, since it could then load it transparently in the Client initializer when we use it in Terminal.
There was a problem hiding this comment.
Moved the logic for retrieving the API key (get_api_key) to the python-zulip-api repository as part of PR #86
zulipterminal/cli/run.py
Outdated
| f.write(f"[api]\nemail={login_id}\nkey={api_key}\nsite={server_url}") | ||
| f.write(f"[api]\nemail={login_id}\n# Fill the passcmd field with a command that outputs the API key.\n# The API key is temporarily stored in the 'zulip_key' file at {os.path.dirname(os.path.abspath(to_path))}.\n# After storing the key in a password manager, replace the cmd.\npasscmd=cat zulip_key\nsite={server_url}") |
There was a problem hiding this comment.
Automatic creation is likely to be a rare enough feature, that we can leave this element for now, but if the commit is tidied up we can move it to the end to more easily merge the earlier commit(s).
There was a problem hiding this comment.
Removed the implementation responsible for automatic creation
zulipterminal/cli/run.py
Outdated
| return "" | ||
| except FileExistsError: | ||
| return f"zuliprc already exists at {to_path}" | ||
| except OSError as ex: | ||
| return f"{ex.__class__.__name__}: zuliprc could not be created at {to_path}" | ||
|
|
||
| def _write_zulip_key(to_path: str, *, api_key: str) -> str: |
There was a problem hiding this comment.
This function is very similar to the function above. Instead of adding a near-duplicate, it is preferable to refactor the existing code and then use that new version for the feature commit.
There was a problem hiding this comment.
refactored the function by removing duplicate-lines
zulipterminal/cli/run.py
Outdated
| if not save_zulipkey_failure: | ||
| print(f"Generated API key saved at {zulip_key_path}") | ||
| else: | ||
| exit_with_error(save_zuliprc_failure) | ||
|
|
||
| if not save_zuliprc_failure : | ||
| print(f"Generated config file saved at {zuliprc_path}") | ||
| else: | ||
| exit_with_error(save_zuliprc_failure) |
There was a problem hiding this comment.
If this saved only one file, what would you expect to happen?
There was a problem hiding this comment.
could you explain this in detail?
There was a problem hiding this comment.
Does it make sense to (only) save one file, if there is an error saving the other?
There was a problem hiding this comment.
Ensured that if an error occurs during the creation of one file, the other files are not created, maintaining consistency.
| @@ -257,6 +265,7 @@ transparency=disabled | |||
| # editor: nano | |||
| ``` | |||
|
|
|||
|
|
|||
There was a problem hiding this comment.
Please check for unnecessary additions.
| configuration conssist of two file: | ||
| - zulip_key, file contains the api_key | ||
| - zuliprc, file consist of login configurations | ||
|
|
||
| The `zulip_key`contains only the api_key. | ||
|
|
There was a problem hiding this comment.
The zulip_key (or similar) file is intended to be optional, so that zuliprc files in a previous format (and current, from the web app) work correctly.
For that reason anything like this part should likely be further down.
Since this documents the way the zuliprc file works, whether only for the Terminal app, or for all apps using the python zulip package (when we use the updated package, if so), it should be clear that it refers to the [api] part of the config.
| key=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx | ||
| passcmd=cat zulip_key |
There was a problem hiding this comment.
Since this needs to be optional, and if in Terminal only will be specific to us, it needs to be briefly documented in the sample file, and commented out - see how we document the Terminal options further below.
| @@ -207,6 +207,12 @@ to get the hang of things. | |||
|
|
|||
| ## Configuration | |||
There was a problem hiding this comment.
This last commit is not just a docs update. If there are changes to tidy other commits, they belong combined with those commits. That will ensure that all the linting and tests passes on each commit individually, rather than just over the branch.
If you have other changes, they belong in new commits specific to those improvements.
pyproject.toml
Outdated
| markers = [ | ||
| "wsl: marks tests as WSL specific", | ||
| "quoted_content: marks tests dealing with quoted content rendering", | ||
| ] |
neiljp
added
PR awaiting update
|
I will work towards the changes |
Gopinath-Mahendiran
force-pushed
the
Gopinath-Mahendiran
branch
2 times, most recently
from
e516da9 to
daba4fd
Compare
Gopinath-Mahendiran
force-pushed
the
Gopinath-Mahendiran
branch
from
daba4fd to
c872d7d
Compare
|
@neiljp, updated the code as discussed. Let me know if it looks good. |
What does this PR do, and why?
This PR updates the default config generation logic in zulip-term to support a more secure way of managing Zulip API keys. Instead of writing the API key directly into the zuliprc file, we now generate:
• a zuliprc file with a passcmd field
• a zulip_key file containing just the API key
• zulip_key: A temporary file that contains only the API key.
• zuliprc: [api]: contains Zulip login configuration (email, server URL, and now passcmd)
Here’s how the new auto-generated zuliprc file looks:
If you’re downloading a zuliprc file from your Zulip account (which includes the key field), you’re encouraged to manually replace the key line with a passcmd, like this:
You can (and should) later replace cat zulip_key with a command tied to your preferred secret storage tool
Outstanding aspect(s)
External discussion & connections
topicHow did you test this?
Self-review checklist for each commit