Merge pull request #4480 from AgathaSorceress/add-rest-auth-env

Support reading basic auth credentials for REST server from environment variables
2024-11-25 06:07:44 +00:00 · 2023-10-21 17:41:08 +00:00 · 2023-10-21 17:41:08 +00:00 · 7f05af02b9
commit 7f05af02b9
parent eabc177a42 0f97356b21
4 changed files with 53 additions and 14 deletions
--- a/changelog/unreleased/pull-4480
+++ b/changelog/unreleased/pull-4480
@ -0,0 +1,10 @@
+Enhancement: Allow setting REST password and username via environment variables
+
+Previously, it was only possible to specify the REST server username and
+password in the repository URL, or using the `--repository-file` option. This
+meant it was not possible to use authentication in contexts where the repository
+URL is public and parts of it are templated by other software. Restic now
+allows setting the username and password using the `RESTIC_REST_USERNAME` and
+`RESTIC_REST_PASSWORD` variables.
+
+https://github.com/restic/restic/pull/4480
--- a/doc/030_preparing_a_new_repo.rst
+++ b/doc/030_preparing_a_new_repo.rst
@ -211,6 +211,14 @@ are some more examples:
    $ restic -r rest:https://user:pass@host:8000/ init
    $ restic -r rest:https://user:pass@host:8000/my_backup_repo/ init

+The server username and password can be specified using environment
+variables as well:
+
+.. code-block:: console
+
+    $ export RESTIC_REST_USERNAME=<MY_REST_SERVER_USERNAME>
+    $ export RESTIC_REST_PASSWORD=<MY_REST_SERVER_PASSWORD>
+
 If you use TLS, restic will use the system's CA certificates to verify the
 server certificate. When the verification fails, restic refuses to proceed and
 exits with an error. If you have your own self-signed certificate, or a custom
--- a/doc/040_backup.rst
+++ b/doc/040_backup.rst
@ -593,9 +593,16 @@ environment variables. The following lists these environment variables:
    AWS_PROFILE                         Amazon credentials profile (alternative to specifying key and region)
    AWS_SHARED_CREDENTIALS_FILE         Location of the AWS CLI shared credentials file (default: ~/.aws/credentials)

-    ST_AUTH                             Auth URL for keystone v1 authentication
-    ST_USER                             Username for keystone v1 authentication
-    ST_KEY                              Password for keystone v1 authentication
+    AZURE_ACCOUNT_NAME                  Account name for Azure
+    AZURE_ACCOUNT_KEY                   Account key for Azure
+    AZURE_ACCOUNT_SAS                   Shared access signatures (SAS) for Azure
+    AZURE_ENDPOINT_SUFFIX               Endpoint suffix for Azure Storage (default: core.windows.net)
+
+    B2_ACCOUNT_ID                       Account ID or applicationKeyId for Backblaze B2
+    B2_ACCOUNT_KEY                      Account Key or applicationKey for Backblaze B2
+
+    GOOGLE_PROJECT_ID                   Project ID for Google Cloud Storage
+    GOOGLE_APPLICATION_CREDENTIALS      Application Credentials for Google Cloud Storage (e.g. $HOME/.config/gs-secret-restic-key.json)

    OS_AUTH_URL                         Auth URL for keystone authentication
    OS_REGION_NAME                      Region name for keystone authentication
@ -619,19 +626,15 @@ environment variables. The following lists these environment variables:
    OS_STORAGE_URL                      Storage URL for token authentication
    OS_AUTH_TOKEN                       Auth token for token authentication

-    B2_ACCOUNT_ID                       Account ID or applicationKeyId for Backblaze B2
-    B2_ACCOUNT_KEY                      Account Key or applicationKey for Backblaze B2
-
-    AZURE_ACCOUNT_NAME                  Account name for Azure
-    AZURE_ACCOUNT_KEY                   Account key for Azure
-    AZURE_ACCOUNT_SAS                   Shared access signatures (SAS) for Azure
-    AZURE_ENDPOINT_SUFFIX               Endpoint suffix for Azure Storage (default: core.windows.net)
-
-    GOOGLE_PROJECT_ID                   Project ID for Google Cloud Storage
-    GOOGLE_APPLICATION_CREDENTIALS      Application Credentials for Google Cloud Storage (e.g. $HOME/.config/gs-secret-restic-key.json)
-
    RCLONE_BWLIMIT                      rclone bandwidth limit

+    RESTIC_REST_USERNAME                Restic REST Server username
+    RESTIC_REST_PASSWORD                Restic REST Server password
+
+    ST_AUTH                             Auth URL for keystone v1 authentication
+    ST_USER                             Username for keystone v1 authentication
+    ST_KEY                              Password for keystone v1 authentication
+
 See :ref:`caching` for the rules concerning cache locations when
 ``RESTIC_CACHE_DIR`` is not set.

--- a/internal/backend/rest/config.go
+++ b/internal/backend/rest/config.go
@ -2,10 +2,12 @@ package rest

 import (
 	"net/url"
+	"os"
 	"strings"

 	"github.com/restic/restic/internal/errors"
 	"github.com/restic/restic/internal/options"
+	"github.com/restic/restic/internal/restic"
 )

 // Config contains all configuration necessary to connect to a REST server.
@ -70,3 +72,19 @@ func prepareURL(s string) string {
 	}
 	return s
 }
+
+var _ restic.ApplyEnvironmenter = &Config{}
+
+// ApplyEnvironment saves values from the environment to the config.
+func (cfg *Config) ApplyEnvironment(prefix string) {
+	username := cfg.URL.User.Username()
+	_, pwdSet := cfg.URL.User.Password()
+
+	// Only apply env variable values if neither username nor password are provided.
+	if username == "" && !pwdSet {
+		envName := os.Getenv(prefix + "RESTIC_REST_USERNAME")
+		envPwd := os.Getenv(prefix + "RESTIC_REST_PASSWORD")
+
+		cfg.URL.User = url.UserPassword(envName, envPwd)
+	}
+}