kndndrj / nvim-dbee

Interactive database client for neovim

How do I add connections with secure secrets?

cseickel opened this issue · comments

This is kind of a 3-parter:

  1. It's not clear how to add connections. I see from the help file that you can add connections from the setup config, I think that should be prominently displayed on the README because it's the first thing a new user will need to do.
  2. It would be really great if we could add connections interactively while it is running, with a user command and/or buffer local mapping on the sidebar.
  3. I don't see any way that I can configure a connection without storing the password in plain text.

It would be ideal if it could pull a password from pass on Linux, and/or read them from environment variables. I use Doppler a lot at work, so it would be convenient for me to just configure connections using environment variable substitution and then I can run nvim with Doppler to get those variables. For example:

  connections = {
    -- example:
    -- {
    --   name = "example-pg",
    --   type = "postgres",
    --   url = "postgres://${DB_USER}:${DB_PASSWORD}@${DB_HOST}:${DB_PORT}/${DB_NAME}",
    -- },
  }

Or maybe if you just have your own internal way of specifying placeholders for secrets, you can then add a separate section for secrets, like:

  connections = {
    -- example:
    {
      name = "example-pg",
      type = "postgres",
      url = "postgres://{{SECRET_USER}}:{{SECRET_PASSWORD}}@host:5432/mydb",
      secrets = {
        user = { source = "env", key = "WORK_DB_USER" }, -- pull from environment variables
        password = { source = "pass", key = "work_db_password" }, -- pull from `pass`
      },
    },
  }

Hi @cseickel,
thanks for the suggestions.
All are valid points in my opinion.

1. and 2. are pretty straightforward, whereas 3. would need a bit of thinking.

To add on top of 3.:

  • add a simple file for project local configs (just a list of connections).
  • environment variables seem the most straightforward so I prefer it over integrating pass (although I wouldn't say it's completely out of the question - maybe sometime in the future?).
  • I think we go with the first syntax option you mentioned (${{}}) and just inject env vars once connecting to the db. That would probably be enough for now.
  • I like the concept with proprietary secrets you created, but I fear it could get a bit confusing for new users - I need to sit on it a bit.

That's an approximate TODO for this issue, I would love to hear your thoughts about it.

Other than that I'll start working on that as soon as I have some extra time.

> I think we go with the first syntax option you mentioned (${{}}) and just inject env vars once connecting to the db. That would probably be enough for now.

I agree that seems like the simplest way to go about it, and users can do a lot to roll their own solutions that inject env variables. One thing that may trip you up there is if you are checking the variables from an external (Go) process, will it see the same env variables that are in nvim's process? If not then it might not work out.

For #3, on further thought it would probably be a maintenance nightmare. It might be simpler to just integrate your own secret storage with an encrypted file. I'm sure there are Go libraries you can use, and the input could just be an interactive prompt if the password was not set in the config.

> One thing that may trip you up there is if you are checking the variables from an external (go) process, will it see the same env variables that are in nvim's process? If not then it might not work out.

I thought about that, yeah - one can also have a plugin that messes with vim.env in Lua - so we would need to read env in Lua in my opinion - I'd still like to test Go first - it might even work.

I also thought about an encrypted file - sounds like a good idea to me!

Hey, @cseickel
I implemented some functionality we discussed here in this PR: #9.

I would appreciate it if you look at it / try it out / give any kind of feedback whatsoever.

Thanks :D

closed with #9
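
The `${NAME}` substitution discussed in this thread, sketched in Go as an added example; it is not nvim-dbee's code or the implementation from #9. The names `expandURL` and `forLog` are hypothetical, and the lookup function is passed in so the values can come either from the Go process (`os.LookupEnv`) or from values read on the Lua side, which is the concern raised above.

```go
package main

import (
	"fmt"
	"net/url"
	"os"
	"regexp"
	"strings"
)

// placeholder matches ${NAME}, the form used in the first snippet of the issue.
var placeholder = regexp.MustCompile(`\$\{([A-Za-z_][A-Za-z0-9_]*)\}`)

// expandURL substitutes ${NAME} placeholders at connect time. Values are
// percent-encoded so a password containing '@', '/' or ':' cannot change the
// host or path. Unset variables are an error that names only the variable.
func expandURL(tmpl string, lookup func(string) (string, bool)) (string, error) {
	var missing []string
	out := placeholder.ReplaceAllStringFunc(tmpl, func(m string) string {
		val, ok := lookup(m[2 : len(m)-1]) // strip "${" and "}"
		if !ok {
			missing = append(missing, m[2:len(m)-1])
			return m
		}
		// QueryEscape writes a space as '+'; userinfo needs %20 instead.
		return strings.ReplaceAll(url.QueryEscape(val), "+", "%20")
	})
	if len(missing) > 0 {
		return "", fmt.Errorf("unset environment variables: %s", strings.Join(missing, ", "))
	}
	return out, nil
}

// forLog masks the password so the expanded URL can appear in messages and logs.
func forLog(expanded string) string {
	u, err := url.Parse(expanded)
	if err != nil {
		return "<unparseable connection URL>"
	}
	return u.Redacted()
}

func main() { // template form taken from the issue; values come from the environment
	expanded, err := expandURL("postgres://${DB_USER}:${DB_PASSWORD}@${DB_HOST}:${DB_PORT}/${DB_NAME}", os.LookupEnv)
	if err != nil {
		fmt.Println("cannot connect:", err)
		return
	}
	fmt.Println("connecting to", forLog(expanded))
}
```

Only the template is stored in the config; the expanded URL exists in memory at connect time and anything shown to the user goes through `forLog`.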