Feat/stackitcli 318 secret flags 3 (#1377)

* refac(io) set IO once in main to allow overriding with in memory io in tests

`print.Printer` had a reference to a `cobra.Command` for using its IO
streams. Each Command also used a Printer, resulting in an awkward
circular dependency.
Refactored Printer to use IO streams directly. When using the application
these are set in `main`, when used in tests these can be set to
`bytes.Buffer`s.
Also replaced usages of `os.Args` with just a string slice. Also set
in `main`.
`cobra.Command`s `Args` and IO-streams are set in `NewRootCmd` with
`traverseCommands`.
`CmdParams` also has an `fs.FS`, currently unused but will allow using
the real FS during regular use and an in-memory-FS during tests.

This change prepares the application for integrative testing while keeping
good isolation. Generally speaking the goal is to move all things with
side effects into main (compare with https://grafana.com/blog/how-i-write-http-services-in-go-after-13-years/#func-main-only-calls-run)

* fix(fmt) run formatter

* fix(test) adapt cli args after changing arg slicing

* feat(secret flag) add reusable secret flag implementation, update guide

Had to split implementation into two parts: `Set()` and `SecretFlagToSP`.
Set is only called when an argument is specified on the command line.
So moving the `PromptForPassword` logic into `Set` does not work.

I'm not sure if the current solution with a specialized `*ToStringPointer`
func is the way to go. So I've only refactored `obs-credentials add`
as an example.

* fix(docs) generate docs

* fix(lint) fix linting errors

* fix(secretflag) use title case when printing flag usage

* fix(fmt) run formatter

* feat(secretflags) refactor password flags to use SecretFlag

- searched for 'password' and 'secret' to find usages
- checked usages of printer.PromptForPassword

Author: cgoetz-inovex

docs/stackit_beta_alb_observability-credentials_update.md

@@ -22,7 +22,7 @@ stackit beta alb observability-credentials update CREDENTIAL_REF_ARG [flags]
 ```
   -d, --displayname string   Displayname for the credentials
   -h, --help                 Help for "stackit beta alb observability-credentials update"
-      --password string      Password. Can be a string or a file path, if prefixed with "@" (example: @./password.txt).
+      --password string      Password. Can be a string (deprecated) or a file path, if prefixed with '@' (example: @./secret.txt). Will be read from stdin when empty.
   -u, --username string      Username for the credentials
 ```
 

docs/stackit_beta_cdn_distribution_create.md

@@ -35,6 +35,7 @@ stackit beta cdn distribution create [flags]
       --blocked-ips strings                       Comma-separated list of IPv4 addresses to block (e.g., '10.0.0.8,127.0.0.1')
       --bucket                                    Use Object Storage backend
       --bucket-credentials-access-key-id string   Access Key ID for Object Storage backend
+      --bucket-password string                    Bucket-Password. Can be a string (deprecated) or a file path, if prefixed with '@' (example: @./secret.txt). Will be read from stdin when empty.
       --bucket-region string                      Region for Object Storage backend
       --bucket-url string                         Bucket URL for Object Storage backend
       --default-cache-duration string             ISO8601 duration string for default cache duration (e.g., 'PT1H30M' for 1 hour and 30 minutes)
@@ -44,6 +45,7 @@ stackit beta cdn distribution create [flags]
       --http-origin-request-headers strings       Origin request headers for HTTP backend in the format 'HeaderName: HeaderValue', repeatable. WARNING: do not store sensitive values in the headers!
       --http-origin-url string                    Origin URL for HTTP backend
       --loki                                      Enable Loki log sink for the CDN distribution
+      --loki-password string                      Loki-Password. Can be a string (deprecated) or a file path, if prefixed with '@' (example: @./secret.txt). Will be read from stdin when empty.
       --loki-push-url string                      Push URL for log sink
       --loki-username string                      Username for log sink
       --monthly-limit-bytes int                   Monthly limit in bytes for the CDN distribution

docs/stackit_beta_cdn_distribution_update.md

@@ -24,6 +24,7 @@ stackit beta cdn distribution update [flags]
       --blocked-ips strings                       Comma-separated list of IPv4 addresses to block (e.g., '10.0.0.8,127.0.0.1')
       --bucket                                    Use Object Storage backend
       --bucket-credentials-access-key-id string   Access Key ID for Object Storage backend
+      --bucket-password string                    Bucket-Password. Can be a string (deprecated) or a file path, if prefixed with '@' (example: @./secret.txt). Will be read from stdin when empty.
       --bucket-region string                      Region for Object Storage backend
       --bucket-url string                         Bucket URL for Object Storage backend
       --default-cache-duration string             ISO8601 duration string for default cache duration (e.g., 'PT1H30M' for 1 hour and 30 minutes)
@@ -33,6 +34,7 @@ stackit beta cdn distribution update [flags]
       --http-origin-request-headers strings       Origin request headers for HTTP backend in the format 'HeaderName: HeaderValue', repeatable. WARNING: do not store sensitive values in the headers!
       --http-origin-url string                    Origin URL for HTTP backend
       --loki                                      Enable Loki log sink for the CDN distribution
+      --loki-password string                      Loki-Password. Can be a string (deprecated) or a file path, if prefixed with '@' (example: @./secret.txt). Will be read from stdin when empty.
       --loki-push-url string                      Push URL for log sink
       --loki-username string                      Username for log sink
       --monthly-limit-bytes int                   Monthly limit in bytes for the CDN distribution

docs/stackit_beta_intake_user_create.md

@@ -28,7 +28,7 @@ stackit beta intake user create [flags]
   -h, --help                    Help for "stackit beta intake user create"
       --intake-id string        The UUID of the Intake to associate the user with
       --labels stringToString   Labels in key=value format, separated by commas (default [])
-      --password string         Password for the user. Must contain lower, upper, number, and special characters (min 12 chars)
+      --password string         Password. Can be a string (deprecated) or a file path, if prefixed with '@' (example: @./secret.txt). Will be read from stdin when empty. Must contain lower, upper, number, and special characters (min 12 chars)
       --type string             Type of user. One of 'intake' (default) or 'dead-letter' (default "intake")
 ```
 

docs/stackit_beta_intake_user_update.md

@@ -28,7 +28,7 @@ stackit beta intake user update USER_ID [flags]
   -h, --help                    Help for "stackit beta intake user update"
       --intake-id string        Intake ID
       --labels stringToString   Labels in key=value format, separated by commas. Example: --labels "key1=value1,key2=value2". (default [])
-      --password string         Password for the user. Must contain lower, upper, number, and special characters (min 12 chars)
+      --password string         Password. Can be a string (deprecated) or a file path, if prefixed with '@' (example: @./secret.txt). Will be read from stdin when empty. Must contain lower, upper, number, and special characters (min 12 chars)
       --type string             Type of user. One of 'intake' or 'dead-letter'
 ```
 

docs/stackit_load-balancer_observability-credentials_add.md

@@ -25,7 +25,7 @@ stackit load-balancer observability-credentials add [flags]
 ```
       --display-name string   Credentials display name
   -h, --help                  Help for "stackit load-balancer observability-credentials add"
-      --password string       Password. Can be a string or a file path, if prefixed with "@" (example: @./password.txt).
+      --password string       Password. Can be a string (deprecated) or a file path, if prefixed with '@' (example: @./secret.txt). Will be read from stdin when empty.
       --username string       Username
 ```
 

docs/stackit_load-balancer_observability-credentials_update.md

@@ -25,7 +25,7 @@ stackit load-balancer observability-credentials update CREDENTIALS_REF [flags]
 ```
       --display-name string   Credentials name
   -h, --help                  Help for "stackit load-balancer observability-credentials update"
-      --password string       Password. Can be a string or a file path, if prefixed with "@" (example: @./password.txt).
+      --password string       Password. Can be a string (deprecated) or a file path, if prefixed with '@' (example: @./secret.txt). Will be read from stdin when empty.
       --username string       Username
 ```
 

internal/cmd/beta/alb/observability-credentials/update/update.go

@@ -82,14 +82,15 @@ func NewCmd(params *types.CmdParams) *cobra.Command {
 			return outputResult(params.Printer, model, resp)
 		},
 	}
-	configureFlags(cmd)
+	configureFlags(cmd, params)
 	return cmd
 }
 
-func configureFlags(cmd *cobra.Command) {
+func configureFlags(cmd *cobra.Command, params *types.CmdParams) {
 	cmd.Flags().StringP(usernameFlag, "u", "", "Username for the credentials")
 	cmd.Flags().StringP(displaynameFlag, "d", "", "Displayname for the credentials")
-	cmd.Flags().Var(flags.ReadFromFileFlag(), passwordFlag, `Password. Can be a string or a file path, if prefixed with "@" (example: @./password.txt).`)
+	password := flags.SecretFlag(passwordFlag, params)
+	cmd.Flags().Var(password, passwordFlag, password.Usage())
 
 	cobra.CheckErr(flags.MarkFlagsRequired(cmd, displaynameFlag, usernameFlag))
 }
@@ -116,7 +117,7 @@ func parseInput(p *print.Printer, cmd *cobra.Command, inputArgs []string) inputM
 		Username:        flags.FlagToStringPointer(p, cmd, usernameFlag),
 		Displayname:     flags.FlagToStringPointer(p, cmd, displaynameFlag),
 		CredentialsRef:  &inputArgs[0],
-		Password:        flags.FlagToStringPointer(p, cmd, passwordFlag),
+		Password:        flags.SecretFlagToStringPointer(p, cmd, passwordFlag),
 	}
 
 	p.DebugInputModel(model)

internal/cmd/beta/cdn/distribution/create/create.go

@@ -30,12 +30,14 @@ const (
 	flagBucket                       = "bucket"
 	flagBucketURL                    = "bucket-url"
 	flagBucketCredentialsAccessKeyID = "bucket-credentials-access-key-id" //nolint:gosec // linter false positive
+	flagBucketPassword               = "bucket-password"
 	flagBucketRegion                 = "bucket-region"
 	flagBlockedCountries             = "blocked-countries"
 	flagBlockedIPs                   = "blocked-ips"
 	flagDefaultCacheDuration         = "default-cache-duration"
 	flagLoki                         = "loki"
 	flagLokiUsername                 = "loki-username"
+	flagLokiPassword                 = "loki-password"
 	flagLokiPushURL                  = "loki-push-url"
 	flagMonthlyLimitBytes            = "monthly-limit-bytes"
 	flagOptimizer                    = "optimizer"
@@ -119,20 +121,6 @@ func NewCmd(params *types.CmdParams) *cobra.Command {
 			if err != nil {
 				return err
 			}
-			if model.Bucket != nil {
-				pw, err := params.Printer.PromptForPassword("enter your secret access key for the object storage bucket: ")
-				if err != nil {
-					return fmt.Errorf("reading secret access key: %w", err)
-				}
-				model.Bucket.Password = pw
-			}
-			if model.Loki != nil {
-				pw, err := params.Printer.PromptForPassword("enter your password for the loki log sink: ")
-				if err != nil {
-					return fmt.Errorf("reading loki password: %w", err)
-				}
-				model.Loki.Password = pw
-			}
 
 			apiClient, err := client.ConfigureClient(params.Printer, params.CliVersion)
 			if err != nil {
@@ -161,11 +149,11 @@ func NewCmd(params *types.CmdParams) *cobra.Command {
 			return outputResult(params.Printer, model.OutputFormat, projectLabel, resp)
 		},
 	}
-	configureFlags(cmd)
+	configureFlags(cmd, params)
 	return cmd
 }
 
-func configureFlags(cmd *cobra.Command) {
+func configureFlags(cmd *cobra.Command, params *types.CmdParams) {
 	cmd.Flags().Var(flags.EnumSliceFlag(false, []string{}, sdkUtils.EnumSliceToStringSlice(cdn.AllowedRegionEnumValues)...), flagRegion, fmt.Sprintf("Regions in which content should be cached, multiple of: %q", cdn.AllowedRegionEnumValues))
 	cmd.Flags().Bool(flagHTTP, false, "Use HTTP backend")
 	cmd.Flags().String(flagHTTPOriginURL, "", "Origin URL for HTTP backend")
@@ -174,12 +162,16 @@ func configureFlags(cmd *cobra.Command) {
 	cmd.Flags().Bool(flagBucket, false, "Use Object Storage backend")
 	cmd.Flags().String(flagBucketURL, "", "Bucket URL for Object Storage backend")
 	cmd.Flags().String(flagBucketCredentialsAccessKeyID, "", "Access Key ID for Object Storage backend")
+	bucketPassword := flags.SecretFlag(flagBucketPassword, params)
+	cmd.Flags().Var(bucketPassword, flagBucketPassword, bucketPassword.Usage())
 	cmd.Flags().String(flagBucketRegion, "", "Region for Object Storage backend")
 	cmd.Flags().StringSlice(flagBlockedCountries, []string{}, "Comma-separated list of ISO 3166-1 alpha-2 country codes to block (e.g., 'US,DE,FR')")
 	cmd.Flags().StringSlice(flagBlockedIPs, []string{}, "Comma-separated list of IPv4 addresses to block (e.g., '10.0.0.8,127.0.0.1')")
 	cmd.Flags().String(flagDefaultCacheDuration, "", "ISO8601 duration string for default cache duration (e.g., 'PT1H30M' for 1 hour and 30 minutes)")
 	cmd.Flags().Bool(flagLoki, false, "Enable Loki log sink for the CDN distribution")
 	cmd.Flags().String(flagLokiUsername, "", "Username for log sink")
+	lokiPassword := flags.SecretFlag(flagLokiPassword, params)
+	cmd.Flags().Var(lokiPassword, flagLokiPassword, lokiPassword.Usage())
 	cmd.Flags().String(flagLokiPushURL, "", "Push URL for log sink")
 	cmd.Flags().Int64(flagMonthlyLimitBytes, 0, "Monthly limit in bytes for the CDN distribution")
 	cmd.Flags().Bool(flagOptimizer, false, "Enable optimizer for the CDN distribution (paid feature).")
@@ -229,11 +221,12 @@ func parseInput(p *print.Printer, cmd *cobra.Command, _ []string) (*inputModel,
 		bucketURL := flags.FlagToStringValue(p, cmd, flagBucketURL)
 		accessKeyID := flags.FlagToStringValue(p, cmd, flagBucketCredentialsAccessKeyID)
 		region := flags.FlagToStringValue(p, cmd, flagBucketRegion)
+		password := flags.SecretFlagToString(p, cmd, flagBucketPassword)
 
 		bucket = &bucketInputModel{
 			URL:         bucketURL,
 			AccessKeyID: accessKeyID,
-			Password:    "",
+			Password:    password,
 			Region:      region,
 		}
 	}
@@ -248,7 +241,7 @@ func parseInput(p *print.Printer, cmd *cobra.Command, _ []string) (*inputModel,
 		loki = &lokiInputModel{
 			Username: flags.FlagToStringValue(p, cmd, flagLokiUsername),
 			PushURL:  flags.FlagToStringValue(p, cmd, flagLokiPushURL),
-			Password: "",
+			Password: flags.SecretFlagToString(p, cmd, flagLokiPassword),
 		}
 	}
 

internal/cmd/beta/cdn/distribution/update/update.go

@@ -31,12 +31,14 @@ const (
 	flagBucket                       = "bucket"
 	flagBucketURL                    = "bucket-url"
 	flagBucketCredentialsAccessKeyID = "bucket-credentials-access-key-id" //nolint:gosec // linter false positive
+	flagBucketPassword               = "bucket-password"
 	flagBucketRegion                 = "bucket-region"
 	flagBlockedCountries             = "blocked-countries"
 	flagBlockedIPs                   = "blocked-ips"
 	flagDefaultCacheDuration         = "default-cache-duration"
 	flagLoki                         = "loki"
 	flagLokiUsername                 = "loki-username"
+	flagLokiPassword                 = "loki-password"
 	flagLokiPushURL                  = "loki-push-url"
 	flagMonthlyLimitBytes            = "monthly-limit-bytes"
 	flagOptimizer                    = "optimizer"
@@ -93,20 +95,6 @@ func NewCmd(params *types.CmdParams) *cobra.Command {
 			if err != nil {
 				return err
 			}
-			if model.Bucket != nil {
-				pw, err := params.Printer.PromptForPassword("enter your secret access key for the object storage bucket: ")
-				if err != nil {
-					return fmt.Errorf("reading secret access key: %w", err)
-				}
-				model.Bucket.Password = pw
-			}
-			if model.Loki != nil {
-				pw, err := params.Printer.PromptForPassword("enter your password for the loki log sink: ")
-				if err != nil {
-					return fmt.Errorf("reading loki password: %w", err)
-				}
-				model.Loki.Password = pw
-			}
 
 			apiClient, err := client.ConfigureClient(params.Printer, params.CliVersion)
 			if err != nil {
@@ -134,11 +122,11 @@ func NewCmd(params *types.CmdParams) *cobra.Command {
 			return outputResult(params.Printer, model.OutputFormat, projectLabel, resp)
 		},
 	}
-	configureFlags(cmd)
+	configureFlags(cmd, params)
 	return cmd
 }
 
-func configureFlags(cmd *cobra.Command) {
+func configureFlags(cmd *cobra.Command, params *types.CmdParams) {
 	cmd.Flags().Var(flags.EnumSliceFlag(false, []string{}, sdkUtils.EnumSliceToStringSlice(cdn.AllowedRegionEnumValues)...), flagRegions, fmt.Sprintf("Regions in which content should be cached, multiple of: %q", cdn.AllowedRegionEnumValues))
 	cmd.Flags().Bool(flagHTTP, false, "Use HTTP backend")
 	cmd.Flags().String(flagHTTPOriginURL, "", "Origin URL for HTTP backend")
@@ -147,12 +135,16 @@ func configureFlags(cmd *cobra.Command) {
 	cmd.Flags().Bool(flagBucket, false, "Use Object Storage backend")
 	cmd.Flags().String(flagBucketURL, "", "Bucket URL for Object Storage backend")
 	cmd.Flags().String(flagBucketCredentialsAccessKeyID, "", "Access Key ID for Object Storage backend")
+	bucketPassword := flags.SecretFlag(flagBucketPassword, params)
+	cmd.Flags().Var(bucketPassword, flagBucketPassword, bucketPassword.Usage())
 	cmd.Flags().String(flagBucketRegion, "", "Region for Object Storage backend")
 	cmd.Flags().StringSlice(flagBlockedCountries, []string{}, "Comma-separated list of ISO 3166-1 alpha-2 country codes to block (e.g., 'US,DE,FR')")
 	cmd.Flags().StringSlice(flagBlockedIPs, []string{}, "Comma-separated list of IPv4 addresses to block (e.g., '10.0.0.8,127.0.0.1')")
 	cmd.Flags().String(flagDefaultCacheDuration, "", "ISO8601 duration string for default cache duration (e.g., 'PT1H30M' for 1 hour and 30 minutes)")
 	cmd.Flags().Bool(flagLoki, false, "Enable Loki log sink for the CDN distribution")
 	cmd.Flags().String(flagLokiUsername, "", "Username for log sink")
+	lokiPassword := flags.SecretFlag(flagLokiPassword, params)
+	cmd.Flags().Var(lokiPassword, flagLokiPassword, lokiPassword.Usage())
 	cmd.Flags().String(flagLokiPushURL, "", "Push URL for log sink")
 	cmd.Flags().Int64(flagMonthlyLimitBytes, 0, "Monthly limit in bytes for the CDN distribution")
 	cmd.Flags().Bool(flagOptimizer, false, "Enable optimizer for the CDN distribution (paid feature).")
@@ -200,11 +192,12 @@ func parseInput(p *print.Printer, cmd *cobra.Command, inputArgs []string) (*inpu
 		bucketURL := flags.FlagToStringValue(p, cmd, flagBucketURL)
 		accessKeyID := flags.FlagToStringValue(p, cmd, flagBucketCredentialsAccessKeyID)
 		region := flags.FlagToStringValue(p, cmd, flagBucketRegion)
+		password := flags.SecretFlagToString(p, cmd, flagBucketPassword)
 
 		bucket = &bucketInputModel{
 			URL:         bucketURL,
 			AccessKeyID: accessKeyID,
-			Password:    "",
+			Password:    password,
 			Region:      region,
 		}
 	}
@@ -219,7 +212,7 @@ func parseInput(p *print.Printer, cmd *cobra.Command, inputArgs []string) (*inpu
 		loki = &lokiInputModel{
 			Username: flags.FlagToStringValue(p, cmd, flagLokiUsername),
 			PushURL:  flags.FlagToStringValue(p, cmd, flagLokiPushURL),
-			Password: "",
+			Password: flags.SecretFlagToString(p, cmd, flagLokiPassword),
 		}
 	}