feat(secretflags) refactor password flags to use SecretFlag

- searched for 'password' and 'secret' to find usages
- checked usages of printer.PromptForPassword

Author: cgoetz-inovex

docs/stackit_beta_alb_observability-credentials_update.md

@@ -22,7 +22,7 @@ stackit beta alb observability-credentials update CREDENTIAL_REF_ARG [flags]
 ```
   -d, --displayname string   Displayname for the credentials
   -h, --help                 Help for "stackit beta alb observability-credentials update"
-      --password string      Password. Can be a string or a file path, if prefixed with "@" (example: @./password.txt).
+      --password string      Password. Can be a string (deprecated) or a file path, if prefixed with '@' (example: @./secret.txt). Will be read from stdin when empty.
   -u, --username string      Username for the credentials
 ```
 

docs/stackit_beta_cdn_distribution_create.md

@@ -35,6 +35,7 @@ stackit beta cdn distribution create [flags]
       --blocked-ips strings                       Comma-separated list of IPv4 addresses to block (e.g., '10.0.0.8,127.0.0.1')
       --bucket                                    Use Object Storage backend
       --bucket-credentials-access-key-id string   Access Key ID for Object Storage backend
+      --bucket-password string                    Bucket-Password. Can be a string (deprecated) or a file path, if prefixed with '@' (example: @./secret.txt). Will be read from stdin when empty.
       --bucket-region string                      Region for Object Storage backend
       --bucket-url string                         Bucket URL for Object Storage backend
       --default-cache-duration string             ISO8601 duration string for default cache duration (e.g., 'PT1H30M' for 1 hour and 30 minutes)
@@ -44,6 +45,7 @@ stackit beta cdn distribution create [flags]
       --http-origin-request-headers strings       Origin request headers for HTTP backend in the format 'HeaderName: HeaderValue', repeatable. WARNING: do not store sensitive values in the headers!
       --http-origin-url string                    Origin URL for HTTP backend
       --loki                                      Enable Loki log sink for the CDN distribution
+      --loki-password string                      Loki-Password. Can be a string (deprecated) or a file path, if prefixed with '@' (example: @./secret.txt). Will be read from stdin when empty.
       --loki-push-url string                      Push URL for log sink
       --loki-username string                      Username for log sink
       --monthly-limit-bytes int                   Monthly limit in bytes for the CDN distribution

docs/stackit_beta_cdn_distribution_update.md

@@ -24,6 +24,7 @@ stackit beta cdn distribution update [flags]
       --blocked-ips strings                       Comma-separated list of IPv4 addresses to block (e.g., '10.0.0.8,127.0.0.1')
       --bucket                                    Use Object Storage backend
       --bucket-credentials-access-key-id string   Access Key ID for Object Storage backend
+      --bucket-password string                    Bucket-Password. Can be a string (deprecated) or a file path, if prefixed with '@' (example: @./secret.txt). Will be read from stdin when empty.
       --bucket-region string                      Region for Object Storage backend
       --bucket-url string                         Bucket URL for Object Storage backend
       --default-cache-duration string             ISO8601 duration string for default cache duration (e.g., 'PT1H30M' for 1 hour and 30 minutes)
@@ -33,6 +34,7 @@ stackit beta cdn distribution update [flags]
       --http-origin-request-headers strings       Origin request headers for HTTP backend in the format 'HeaderName: HeaderValue', repeatable. WARNING: do not store sensitive values in the headers!
       --http-origin-url string                    Origin URL for HTTP backend
       --loki                                      Enable Loki log sink for the CDN distribution
+      --loki-password string                      Loki-Password. Can be a string (deprecated) or a file path, if prefixed with '@' (example: @./secret.txt). Will be read from stdin when empty.
       --loki-push-url string                      Push URL for log sink
       --loki-username string                      Username for log sink
       --monthly-limit-bytes int                   Monthly limit in bytes for the CDN distribution

docs/stackit_beta_intake_user_create.md

@@ -28,7 +28,7 @@ stackit beta intake user create [flags]
   -h, --help                    Help for "stackit beta intake user create"
       --intake-id string        The UUID of the Intake to associate the user with
       --labels stringToString   Labels in key=value format, separated by commas (default [])
-      --password string         Password for the user. Must contain lower, upper, number, and special characters (min 12 chars)
+      --password string         Password. Can be a string (deprecated) or a file path, if prefixed with '@' (example: @./secret.txt). Will be read from stdin when empty. Must contain lower, upper, number, and special characters (min 12 chars)
       --type string             Type of user. One of 'intake' (default) or 'dead-letter' (default "intake")
 ```
 

docs/stackit_beta_intake_user_update.md

@@ -28,7 +28,7 @@ stackit beta intake user update USER_ID [flags]
   -h, --help                    Help for "stackit beta intake user update"
       --intake-id string        Intake ID
       --labels stringToString   Labels in key=value format, separated by commas. Example: --labels "key1=value1,key2=value2". (default [])
-      --password string         Password for the user. Must contain lower, upper, number, and special characters (min 12 chars)
+      --password string         Password. Can be a string (deprecated) or a file path, if prefixed with '@' (example: @./secret.txt). Will be read from stdin when empty. Must contain lower, upper, number, and special characters (min 12 chars)
       --type string             Type of user. One of 'intake' or 'dead-letter'
 ```
 

docs/stackit_load-balancer_observability-credentials_add.md

@@ -25,7 +25,7 @@ stackit load-balancer observability-credentials add [flags]
 ```
       --display-name string   Credentials display name
   -h, --help                  Help for "stackit load-balancer observability-credentials add"
-      --password string       Password. Can be a string or a file path, if prefixed with "@" (example: @./password.txt).
+      --password string       Password. Can be a string (deprecated) or a file path, if prefixed with '@' (example: @./secret.txt). Will be read from stdin when empty.
       --username string       Username
 ```
 

docs/stackit_load-balancer_observability-credentials_update.md

@@ -25,7 +25,7 @@ stackit load-balancer observability-credentials update CREDENTIALS_REF [flags]
 ```
       --display-name string   Credentials name
   -h, --help                  Help for "stackit load-balancer observability-credentials update"
-      --password string       Password. Can be a string or a file path, if prefixed with "@" (example: @./password.txt).
+      --password string       Password. Can be a string (deprecated) or a file path, if prefixed with '@' (example: @./secret.txt). Will be read from stdin when empty.
       --username string       Username
 ```
 

internal/cmd/beta/alb/observability-credentials/update/update.go

@@ -82,14 +82,15 @@ func NewCmd(params *types.CmdParams) *cobra.Command {
 			return outputResult(params.Printer, model, resp)
 		},
 	}
-	configureFlags(cmd)
+	configureFlags(cmd, params)
 	return cmd
 }
 
-func configureFlags(cmd *cobra.Command) {
+func configureFlags(cmd *cobra.Command, params *types.CmdParams) {
 	cmd.Flags().StringP(usernameFlag, "u", "", "Username for the credentials")
 	cmd.Flags().StringP(displaynameFlag, "d", "", "Displayname for the credentials")
-	cmd.Flags().Var(flags.ReadFromFileFlag(), passwordFlag, `Password. Can be a string or a file path, if prefixed with "@" (example: @./password.txt).`)
+	password := flags.SecretFlag(passwordFlag, params)
+	cmd.Flags().Var(password, passwordFlag, password.Usage())
 
 	cobra.CheckErr(flags.MarkFlagsRequired(cmd, displaynameFlag, usernameFlag))
 }
@@ -116,7 +117,7 @@ func parseInput(p *print.Printer, cmd *cobra.Command, inputArgs []string) inputM
 		Username:        flags.FlagToStringPointer(p, cmd, usernameFlag),
 		Displayname:     flags.FlagToStringPointer(p, cmd, displaynameFlag),
 		CredentialsRef:  &inputArgs[0],
-		Password:        flags.FlagToStringPointer(p, cmd, passwordFlag),
+		Password:        flags.SecretFlagToStringPointer(p, cmd, passwordFlag),
 	}
 
 	p.DebugInputModel(model)

internal/cmd/beta/cdn/distribution/create/create.go

@@ -30,12 +30,14 @@ const (
 	flagBucket                       = "bucket"
 	flagBucketURL                    = "bucket-url"
 	flagBucketCredentialsAccessKeyID = "bucket-credentials-access-key-id" //nolint:gosec // linter false positive
+	flagBucketPassword               = "bucket-password"
 	flagBucketRegion                 = "bucket-region"
 	flagBlockedCountries             = "blocked-countries"
 	flagBlockedIPs                   = "blocked-ips"
 	flagDefaultCacheDuration         = "default-cache-duration"
 	flagLoki                         = "loki"
 	flagLokiUsername                 = "loki-username"
+	flagLokiPassword                 = "loki-password"
 	flagLokiPushURL                  = "loki-push-url"
 	flagMonthlyLimitBytes            = "monthly-limit-bytes"
 	flagOptimizer                    = "optimizer"
@@ -119,20 +121,6 @@ func NewCmd(params *types.CmdParams) *cobra.Command {
 			if err != nil {
 				return err
 			}
-			if model.Bucket != nil {
-				pw, err := params.Printer.PromptForPassword("enter your secret access key for the object storage bucket: ")
-				if err != nil {
-					return fmt.Errorf("reading secret access key: %w", err)
-				}
-				model.Bucket.Password = pw
-			}
-			if model.Loki != nil {
-				pw, err := params.Printer.PromptForPassword("enter your password for the loki log sink: ")
-				if err != nil {
-					return fmt.Errorf("reading loki password: %w", err)
-				}
-				model.Loki.Password = pw
-			}
 
 			apiClient, err := client.ConfigureClient(params.Printer, params.CliVersion)
 			if err != nil {
@@ -161,11 +149,11 @@ func NewCmd(params *types.CmdParams) *cobra.Command {
 			return outputResult(params.Printer, model.OutputFormat, projectLabel, resp)
 		},
 	}
-	configureFlags(cmd)
+	configureFlags(cmd, params)
 	return cmd
 }
 
-func configureFlags(cmd *cobra.Command) {
+func configureFlags(cmd *cobra.Command, params *types.CmdParams) {
 	cmd.Flags().Var(flags.EnumSliceFlag(false, []string{}, sdkUtils.EnumSliceToStringSlice(cdn.AllowedRegionEnumValues)...), flagRegion, fmt.Sprintf("Regions in which content should be cached, multiple of: %q", cdn.AllowedRegionEnumValues))
 	cmd.Flags().Bool(flagHTTP, false, "Use HTTP backend")
 	cmd.Flags().String(flagHTTPOriginURL, "", "Origin URL for HTTP backend")
@@ -174,12 +162,16 @@ func configureFlags(cmd *cobra.Command) {
 	cmd.Flags().Bool(flagBucket, false, "Use Object Storage backend")
 	cmd.Flags().String(flagBucketURL, "", "Bucket URL for Object Storage backend")
 	cmd.Flags().String(flagBucketCredentialsAccessKeyID, "", "Access Key ID for Object Storage backend")
+	bucketPassword := flags.SecretFlag(flagBucketPassword, params)
+	cmd.Flags().Var(bucketPassword, flagBucketPassword, bucketPassword.Usage())
 	cmd.Flags().String(flagBucketRegion, "", "Region for Object Storage backend")
 	cmd.Flags().StringSlice(flagBlockedCountries, []string{}, "Comma-separated list of ISO 3166-1 alpha-2 country codes to block (e.g., 'US,DE,FR')")
 	cmd.Flags().StringSlice(flagBlockedIPs, []string{}, "Comma-separated list of IPv4 addresses to block (e.g., '10.0.0.8,127.0.0.1')")
 	cmd.Flags().String(flagDefaultCacheDuration, "", "ISO8601 duration string for default cache duration (e.g., 'PT1H30M' for 1 hour and 30 minutes)")
 	cmd.Flags().Bool(flagLoki, false, "Enable Loki log sink for the CDN distribution")
 	cmd.Flags().String(flagLokiUsername, "", "Username for log sink")
+	lokiPassword := flags.SecretFlag(flagLokiPassword, params)
+	cmd.Flags().Var(lokiPassword, flagLokiPassword, lokiPassword.Usage())
 	cmd.Flags().String(flagLokiPushURL, "", "Push URL for log sink")
 	cmd.Flags().Int64(flagMonthlyLimitBytes, 0, "Monthly limit in bytes for the CDN distribution")
 	cmd.Flags().Bool(flagOptimizer, false, "Enable optimizer for the CDN distribution (paid feature).")
@@ -229,11 +221,12 @@ func parseInput(p *print.Printer, cmd *cobra.Command, _ []string) (*inputModel,
 		bucketURL := flags.FlagToStringValue(p, cmd, flagBucketURL)
 		accessKeyID := flags.FlagToStringValue(p, cmd, flagBucketCredentialsAccessKeyID)
 		region := flags.FlagToStringValue(p, cmd, flagBucketRegion)
+		password := flags.SecretFlagToString(p, cmd, flagBucketPassword)
 
 		bucket = &bucketInputModel{
 			URL:         bucketURL,
 			AccessKeyID: accessKeyID,
-			Password:    "",
+			Password:    password,
 			Region:      region,
 		}
 	}
@@ -248,7 +241,7 @@ func parseInput(p *print.Printer, cmd *cobra.Command, _ []string) (*inputModel,
 		loki = &lokiInputModel{
 			Username: flags.FlagToStringValue(p, cmd, flagLokiUsername),
 			PushURL:  flags.FlagToStringValue(p, cmd, flagLokiPushURL),
-			Password: "",
+			Password: flags.SecretFlagToString(p, cmd, flagLokiPassword),
 		}
 	}
 

internal/cmd/beta/cdn/distribution/update/update.go

@@ -31,12 +31,14 @@ const (
 	flagBucket                       = "bucket"
 	flagBucketURL                    = "bucket-url"
 	flagBucketCredentialsAccessKeyID = "bucket-credentials-access-key-id" //nolint:gosec // linter false positive
+	flagBucketPassword               = "bucket-password"
 	flagBucketRegion                 = "bucket-region"
 	flagBlockedCountries             = "blocked-countries"
 	flagBlockedIPs                   = "blocked-ips"
 	flagDefaultCacheDuration         = "default-cache-duration"
 	flagLoki                         = "loki"
 	flagLokiUsername                 = "loki-username"
+	flagLokiPassword                 = "loki-password"
 	flagLokiPushURL                  = "loki-push-url"
 	flagMonthlyLimitBytes            = "monthly-limit-bytes"
 	flagOptimizer                    = "optimizer"
@@ -93,20 +95,6 @@ func NewCmd(params *types.CmdParams) *cobra.Command {
 			if err != nil {
 				return err
 			}
-			if model.Bucket != nil {
-				pw, err := params.Printer.PromptForPassword("enter your secret access key for the object storage bucket: ")
-				if err != nil {
-					return fmt.Errorf("reading secret access key: %w", err)
-				}
-				model.Bucket.Password = pw
-			}
-			if model.Loki != nil {
-				pw, err := params.Printer.PromptForPassword("enter your password for the loki log sink: ")
-				if err != nil {
-					return fmt.Errorf("reading loki password: %w", err)
-				}
-				model.Loki.Password = pw
-			}
 
 			apiClient, err := client.ConfigureClient(params.Printer, params.CliVersion)
 			if err != nil {
@@ -134,11 +122,11 @@ func NewCmd(params *types.CmdParams) *cobra.Command {
 			return outputResult(params.Printer, model.OutputFormat, projectLabel, resp)
 		},
 	}
-	configureFlags(cmd)
+	configureFlags(cmd, params)
 	return cmd
 }
 
-func configureFlags(cmd *cobra.Command) {
+func configureFlags(cmd *cobra.Command, params *types.CmdParams) {
 	cmd.Flags().Var(flags.EnumSliceFlag(false, []string{}, sdkUtils.EnumSliceToStringSlice(cdn.AllowedRegionEnumValues)...), flagRegions, fmt.Sprintf("Regions in which content should be cached, multiple of: %q", cdn.AllowedRegionEnumValues))
 	cmd.Flags().Bool(flagHTTP, false, "Use HTTP backend")
 	cmd.Flags().String(flagHTTPOriginURL, "", "Origin URL for HTTP backend")
@@ -147,12 +135,16 @@ func configureFlags(cmd *cobra.Command) {
 	cmd.Flags().Bool(flagBucket, false, "Use Object Storage backend")
 	cmd.Flags().String(flagBucketURL, "", "Bucket URL for Object Storage backend")
 	cmd.Flags().String(flagBucketCredentialsAccessKeyID, "", "Access Key ID for Object Storage backend")
+	bucketPassword := flags.SecretFlag(flagBucketPassword, params)
+	cmd.Flags().Var(bucketPassword, flagBucketPassword, bucketPassword.Usage())
 	cmd.Flags().String(flagBucketRegion, "", "Region for Object Storage backend")
 	cmd.Flags().StringSlice(flagBlockedCountries, []string{}, "Comma-separated list of ISO 3166-1 alpha-2 country codes to block (e.g., 'US,DE,FR')")
 	cmd.Flags().StringSlice(flagBlockedIPs, []string{}, "Comma-separated list of IPv4 addresses to block (e.g., '10.0.0.8,127.0.0.1')")
 	cmd.Flags().String(flagDefaultCacheDuration, "", "ISO8601 duration string for default cache duration (e.g., 'PT1H30M' for 1 hour and 30 minutes)")
 	cmd.Flags().Bool(flagLoki, false, "Enable Loki log sink for the CDN distribution")
 	cmd.Flags().String(flagLokiUsername, "", "Username for log sink")
+	lokiPassword := flags.SecretFlag(flagLokiPassword, params)
+	cmd.Flags().Var(lokiPassword, flagLokiPassword, lokiPassword.Usage())
 	cmd.Flags().String(flagLokiPushURL, "", "Push URL for log sink")
 	cmd.Flags().Int64(flagMonthlyLimitBytes, 0, "Monthly limit in bytes for the CDN distribution")
 	cmd.Flags().Bool(flagOptimizer, false, "Enable optimizer for the CDN distribution (paid feature).")
@@ -200,11 +192,12 @@ func parseInput(p *print.Printer, cmd *cobra.Command, inputArgs []string) (*inpu
 		bucketURL := flags.FlagToStringValue(p, cmd, flagBucketURL)
 		accessKeyID := flags.FlagToStringValue(p, cmd, flagBucketCredentialsAccessKeyID)
 		region := flags.FlagToStringValue(p, cmd, flagBucketRegion)
+		password := flags.SecretFlagToString(p, cmd, flagBucketPassword)
 
 		bucket = &bucketInputModel{
 			URL:         bucketURL,
 			AccessKeyID: accessKeyID,
-			Password:    "",
+			Password:    password,
 			Region:      region,
 		}
 	}
@@ -219,7 +212,7 @@ func parseInput(p *print.Printer, cmd *cobra.Command, inputArgs []string) (*inpu
 		loki = &lokiInputModel{
 			Username: flags.FlagToStringValue(p, cmd, flagLokiUsername),
 			PushURL:  flags.FlagToStringValue(p, cmd, flagLokiPushURL),
-			Password: "",
+			Password: flags.SecretFlagToString(p, cmd, flagLokiPassword),
 		}
 	}