From 0dfbf77b7feee85317fde154e6fc85cc0d9e5ac5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=A9bastien=20MB?= <seb@essembeh.org>
Date: Sun, 12 Jun 2022 22:44:14 +0200
Subject: [PATCH] Allow database password to be read from environ

- add 'password_env' key in config to read databases passwords firectly
  from environment variable
---
 borgmatic/config/schema.yaml  | 18 ++++++++++++++++++
 borgmatic/hooks/mongodb.py    |  6 ++++++
 borgmatic/hooks/mysql.py      | 11 +++++++++--
 borgmatic/hooks/postgresql.py |  6 ++++++
 4 files changed, 39 insertions(+), 2 deletions(-)

diff --git a/borgmatic/config/schema.yaml b/borgmatic/config/schema.yaml
index 02caf792..435f3919 100644
--- a/borgmatic/config/schema.yaml
+++ b/borgmatic/config/schema.yaml
@@ -704,6 +704,12 @@ properties:
                                 without a password or you create a ~/.pgpass
                                 file.
                             example: trustsome1
+                        password_env:
+                            type: string
+                            description: |
+                                Environment variable containing the password with
+                                which to connect to the database.
+                            example: MY_PASSWORD
                         format:
                             type: string
                             enum: ['plain', 'custom', 'directory', 'tar']
@@ -802,6 +808,12 @@ properties:
                                 configured to trust the configured username
                                 without a password.
                             example: trustsome1
+                        password_env:
+                            type: string
+                            description: |
+                                Environment variable containing the password with
+                                which to connect to the database.
+                            example: MY_PASSWORD
                         list_options:
                             type: string
                             description: |
@@ -864,6 +876,12 @@ properties:
                                 Password with which to connect to the database.
                                 Skip it if no authentication is needed.
                             example: trustsome1
+                        password_env:
+                            type: string
+                            description: |
+                                Environment variable containing the password with
+                                which to connect to the database.
+                            example: MY_PASSWORD
                         authentication_database:
                             type: string
                             description: |
diff --git a/borgmatic/hooks/mongodb.py b/borgmatic/hooks/mongodb.py
index feb4955d..aaff6813 100644
--- a/borgmatic/hooks/mongodb.py
+++ b/borgmatic/hooks/mongodb.py
@@ -1,4 +1,5 @@
 import logging
+from os import environ
 
 from borgmatic.execute import execute_command, execute_command_with_processes
 from borgmatic.hooks import dump
@@ -72,6 +73,11 @@ def build_dump_command(database, dump_filename, dump_format):
         command.extend(('--username', database['username']))
     if 'password' in database:
         command.extend(('--password', database['password']))
+    elif 'password_env' in database:
+        password_key = database['password_env']
+        if password_key not in environ:
+            raise ValueError("Cannot find MongoDB password in env variable: " + password_key)
+        command.extend(('--password', environ[password_key]))
     if 'authentication_database' in database:
         command.extend(('--authenticationDatabase', database['authentication_database']))
     if not all_databases:
diff --git a/borgmatic/hooks/mysql.py b/borgmatic/hooks/mysql.py
index 96031cba..7e180a10 100644
--- a/borgmatic/hooks/mysql.py
+++ b/borgmatic/hooks/mysql.py
@@ -1,5 +1,5 @@
 import logging
-
+from os import environ
 from borgmatic.execute import execute_command, execute_command_with_processes
 from borgmatic.hooks import dump
 
@@ -73,7 +73,14 @@ def dump_databases(databases, log_prefix, location_config, dry_run):
         dump_filename = dump.make_database_dump_filename(
             make_dump_path(location_config), requested_name, database.get('hostname')
         )
-        extra_environment = {'MYSQL_PWD': database['password']} if 'password' in database else None
+        extra_environment = None
+        if 'password' in database:
+            extra_environment = {'MYSQL_PWD': database['password']}
+        elif 'password_env' in database:
+            password_key = database['password_env']
+            if password_key not in environ:
+                raise ValueError("Cannot find MySQL password in env variable: " + password_key)
+            extra_environment = {'MYSQL_PWD': environ[password_key]}
         dump_database_names = database_names_to_dump(
             database, extra_environment, log_prefix, dry_run_label
         )
diff --git a/borgmatic/hooks/postgresql.py b/borgmatic/hooks/postgresql.py
index f5660901..31000c9d 100644
--- a/borgmatic/hooks/postgresql.py
+++ b/borgmatic/hooks/postgresql.py
@@ -1,4 +1,5 @@
 import logging
+from os import environ
 
 from borgmatic.execute import execute_command, execute_command_with_processes
 from borgmatic.hooks import dump
@@ -22,6 +23,11 @@ def make_extra_environment(database):
     extra = dict()
     if 'password' in database:
         extra['PGPASSWORD'] = database['password']
+    elif 'password_env' in database:
+        password_key = database['password_env']
+        if password_key not in environ:
+            raise ValueError("Cannot find PostgreSQL password in env variable: " + password_key)
+        extra['PGPASSWORD'] = environ[password_key]
     extra['PGSSLMODE'] = database.get('ssl_mode', 'disable')
     if 'ssl_cert' in database:
         extra['PGSSLCERT'] = database['ssl_cert']