From f1877e721e6c383082f219f973d5ee6dd0ca7c60 Mon Sep 17 00:00:00 2001 From: "Agatha V. Lovelace" Date: Tue, 26 Sep 2023 08:56:52 +0200 Subject: [PATCH 1/3] feat: support reading REST credentials from env --- internal/backend/rest/config.go | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/internal/backend/rest/config.go b/internal/backend/rest/config.go index ba42a0220..8458b0df2 100644 --- a/internal/backend/rest/config.go +++ b/internal/backend/rest/config.go @@ -2,10 +2,12 @@ package rest import ( "net/url" + "os" "strings" "github.com/restic/restic/internal/errors" "github.com/restic/restic/internal/options" + "github.com/restic/restic/internal/restic" ) // Config contains all configuration necessary to connect to a REST server. @@ -70,3 +72,19 @@ func prepareURL(s string) string { } return s } + +var _ restic.ApplyEnvironmenter = &Config{} + +// ApplyEnvironment saves values from the environment to the config. +func (cfg *Config) ApplyEnvironment(prefix string) { + username := cfg.URL.User.Username() + _, pwdSet := cfg.URL.User.Password() + + // Only apply env variable values if neither username nor password are provided. + if username == "" && !pwdSet { + envName := os.Getenv(prefix + "RESTIC_REST_USERNAME") + envPwd := os.Getenv(prefix + "RESTIC_REST_PASSWORD") + + cfg.URL.User = url.UserPassword(envName, envPwd) + } +} From 2089c5431009d8d0758bc61146bd8a128def2473 Mon Sep 17 00:00:00 2001 From: "Agatha V. Lovelace" Date: Tue, 26 Sep 2023 18:35:13 +0200 Subject: [PATCH 2/3] changelog: add unreleased entry --- changelog/unreleased/pull-4480 | 10 ++++++++++ 1 file changed, 10 insertions(+) create mode 100644 changelog/unreleased/pull-4480 diff --git a/changelog/unreleased/pull-4480 b/changelog/unreleased/pull-4480 new file mode 100644 index 000000000..bafbf62e8 --- /dev/null +++ b/changelog/unreleased/pull-4480 
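Review bot: In `ApplyEnvironment`, when the URL carries no credentials and neither variable is set, `url.UserPassword(envName, envPwd)` still replaces `cfg.URL.User` with an empty but non-nil Userinfo. A repository that was previously unauthenticated then has `:@` in its URL and, if requests are built from this URL, Go's HTTP client will attach an empty Basic `Authorization` header. Guard the assignment with `if envName == "" && envPwd == "" { return }` before the `cfg.URL.User = ...` line, or use `os.LookupEnv` to tell unset from empty. `cfg.URL` is also dereferenced without a nil check; the `Config` definition and the callers are outside the hunk, so confirm this method only runs after a successful parse. Because the password from the environment now lives inside the URL, check that every place that logs or prints this URL redacts the userinfo.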
@@ -0,0 +1,10 @@ +Enhancement: Allow setting REST password and username via environment variables + +Previously, it was only possible to specify the REST server username and +password in the repository URL, or using the `--repository-file` option. This +meant it was not possible to use authentication in contexts where the repository +URL is public and parts of it are templated by other software. Restic now +allows setting the username and password using the `RESTIC_REST_USERNAME` and +`RESTIC_REST_PASSWORD` variables. + +https://github.com/restic/restic/pull/4480 From 0f97356b211bb409c35fc80ea3156ebdbc799a06 Mon Sep 17 00:00:00 2001 From: "Agatha V. Lovelace" Date: Tue, 26 Sep 2023 18:51:52 +0200 Subject: [PATCH 3/3] docs: add new REST server env variables --- doc/030_preparing_a_new_repo.rst | 8 ++++++++ doc/040_backup.rst | 31 +++++++++++++++++-------------- 2 files changed, 25 insertions(+), 14 deletions(-) diff --git a/doc/030_preparing_a_new_repo.rst b/doc/030_preparing_a_new_repo.rst index 04c189d07..02c406e52 100644 --- a/doc/030_preparing_a_new_repo.rst +++ b/doc/030_preparing_a_new_repo.rst @@ -209,6 +209,14 @@ are some more examples: $ restic -r rest:https://user:pass@host:8000/ init $ restic -r rest:https://user:pass@host:8000/my_backup_repo/ init +The server username and password can be specified using environment +variables as well: + +.. code-block:: console + + $ export RESTIC_REST_USERNAME= + $ export RESTIC_REST_PASSWORD= + If you use TLS, restic will use the system's CA certificates to verify the server certificate. When the verification fails, restic refuses to proceed and exits with an error. If you have your own self-signed certificate, or a custom diff --git a/doc/040_backup.rst b/doc/040_backup.rst index 1655e7eed..a3b280476 100644 --- a/doc/040_backup.rst +++ b/doc/040_backup.rst 
@@ -593,9 +593,16 @@ environment variables. The following lists these environment variables: AWS_PROFILE Amazon credentials profile (alternative to specifying key and region) AWS_SHARED_CREDENTIALS_FILE Location of the AWS CLI shared credentials file (default: ~/.aws/credentials) - ST_AUTH Auth URL for keystone v1 authentication - ST_USER Username for keystone v1 authentication - ST_KEY Password for keystone v1 authentication + AZURE_ACCOUNT_NAME Account name for Azure + AZURE_ACCOUNT_KEY Account key for Azure + AZURE_ACCOUNT_SAS Shared access signatures (SAS) for Azure + AZURE_ENDPOINT_SUFFIX Endpoint suffix for Azure Storage (default: core.windows.net) + + B2_ACCOUNT_ID Account ID or applicationKeyId for Backblaze B2 + B2_ACCOUNT_KEY Account Key or applicationKey for Backblaze B2 + + GOOGLE_PROJECT_ID Project ID for Google Cloud Storage + GOOGLE_APPLICATION_CREDENTIALS Application Credentials for Google Cloud Storage (e.g. $HOME/.config/gs-secret-restic-key.json) OS_AUTH_URL Auth URL for keystone authentication OS_REGION_NAME Region name for keystone authentication 
@@ -619,19 +626,15 @@ environment variables. The following lists these environment variables: OS_STORAGE_URL Storage URL for token authentication OS_AUTH_TOKEN Auth token for token authentication - B2_ACCOUNT_ID Account ID or applicationKeyId for Backblaze B2 - B2_ACCOUNT_KEY Account Key or applicationKey for Backblaze B2 - - AZURE_ACCOUNT_NAME Account name for Azure - AZURE_ACCOUNT_KEY Account key for Azure - AZURE_ACCOUNT_SAS Shared access signatures (SAS) for Azure - AZURE_ENDPOINT_SUFFIX Endpoint suffix for Azure Storage (default: core.windows.net) - - GOOGLE_PROJECT_ID Project ID for Google Cloud Storage - GOOGLE_APPLICATION_CREDENTIALS Application Credentials for Google Cloud Storage (e.g. $HOME/.config/gs-secret-restic-key.json) - RCLONE_BWLIMIT rclone bandwidth limit + RESTIC_REST_USERNAME Restic REST Server username + RESTIC_REST_PASSWORD Restic REST Server password + + ST_AUTH Auth URL for keystone v1 authentication + ST_USER Username for keystone v1 authentication + ST_KEY Password for keystone v1 authentication + See :ref:`caching` for the rules concerning cache locations when ``RESTIC_CACHE_DIR`` is not set.