[report,collect] Add env var and prompt options for encryption

Adds a new `--encrypt` option that may be used in place of the existing
encrypt-related options. If used alongside `--batch`, this new option
will cause sos to set encryption options based on the `SOSENCRYPTKEY` or
`SOSENCRYPTPASS` environment variables. This allows users to leverage
this functionality without potentially leaking the values into `ps`-like
output inside the archive.

If `--batch` is not used, then this option prompts the user to select
the type of method to use and then provide the value in-line, or to use
the env var option.

Signed-off-by: Jake Hunsaker <jhunsake@redhat.com>

4 files changed, 86 insertions, 0 deletions

diff --git a/man/en/sos-report.1 b/man/en/sos-report.1
index e3477398..5b2b1d58 100644
--- a/man/en/sos-report.1
+++ b/man/en/sos-report.1
@@ -33,6 +33,7 @@ sos report \- Collect and package diagnostic and support data
           [--skip-files files]\fR
           [--allow-system-changes]\fR
           [-z|--compression-type method]\fR
+          [--encrypt]\fR
           [--encrypt-key KEY]\fR
           [--encrypt-pass PASS]\fR
           [--upload] [--upload-url url] [--upload-user user]\fR
@@ -222,6 +223,26 @@ Run commands even if they can change the system (e.g. load kernel modules).
 .B \-z, \--compression-type METHOD
 Override the default compression type specified by the active policy.
 .TP
+.B \-\-encrypt
+Encrypt the resulting archive, and determine the method by which that encryption
+is done by either a user prompt or environment variables.
+
+When run with \fB--batch\fR, using this option will cause sos to look for either the
+\fBSOSENCRYPTKEY\fR or \fBSOSENCRYPTPASS\fR environment variables. If set, this will
+implicitly enable the \fB--encrypt-key\fR or \fB--encrypt-pass\fR options, respectively,
+to the values set by the environment variable. This enables the use of these options
+without directly setting those options in a config file or command line string. Note that
+use of an encryption key has precedence over a passphrase.
+
+Otherwise, using this option will cause sos to prompt the user to choose the method
+of encryption to use. Choices will be [P]assphrase, [K]ey, [E]nv vars, or [N]o encryption.
+If passphrase or key the user will then be prompted for the respective value, env vars will
+cause sos to source the information in the manner stated above, and choosing no encryption
+will disable encryption.
+
+See the sections on \fB--encrypt-key\fR and \fB--encrypt-pass\fR below for more
+information.
+.TP
 .B \--encrypt-key KEY
 Encrypts the resulting archive that sosreport produces using GPG. KEY must be
 an existing key in the user's keyring as GPG does not allow for keyfiles.
diff --git a/man/en/sos.1 b/man/en/sos.1
index c335b7e1..2d5a9721 100644
--- a/man/en/sos.1
+++ b/man/en/sos.1
@@ -82,6 +82,26 @@ to be set across all components.
 .B \-\-batch
 Do not prompt interactively, user will not be prompted for any data
 .TP
+.B \-\-encrypt
+Encrypt the resulting archive, and determine the method by which that encryption
+is done by either a user prompt or environment variables.
+
+When run with \fB--batch\fR, using this option will cause sos to look for either the
+\fBSOSENCRYPTKEY\fR or \fBSOSENCRYPTPASS\fR environment variables. If set, this will
+implicitly enable the \fB--encrypt-key\fR or \fB--encrypt-pass\fR options, respectively,
+to the values set by the environment variable. This enables the use of these options
+without directly setting those options in a config file or command line string. Note that
+use of an encryption key has precedence over a passphrase.
+
+Otherwise, using this option will cause sos to prompt the user to choose the method
+of encryption to use. Choices will be [P]assphrase, [K]ey, [E]nv vars, or [N]o encryption.
+If passphrase or key the user will then be prompted for the respective value, env vars will
+cause sos to source the information in the manner stated above, and choosing no encryption
+will disable encryption.
+
+See the sections on \fB--encrypt-key\fR and \fB--encrypt-pass\fR below for more
+information.
+.TP
 .B \--encrypt-key KEY
 Encrypts the resulting archive that sosreport produces using GPG. KEY must be
 an existing key in the user's keyring as GPG does not allow for keyfiles.
diff --git a/sos/__init__.py b/sos/__init__.py
index 023e57e3..0f64fcea 100644
--- a/sos/__init__.py
+++ b/sos/__init__.py
@@ -159,6 +159,11 @@ class SoS():
 
         # Group to make tarball encryption (via GPG/password) exclusive
         encrypt_grp = global_grp.add_mutually_exclusive_group()
+        encrypt_grp.add_argument("--encrypt", default=False,
+                                 action="store_true",
+                                 help=("Encrypt the archive, either prompting "
+                                       "for a password/key or referencing "
+                                       "an environment variable"))
         encrypt_grp.add_argument("--encrypt-key",
                                  help="Encrypt the archive using a GPG "
                                       "key-pair")
diff --git a/sos/component.py b/sos/component.py
index d68a76cb..e568a08a 100644
--- a/sos/component.py
+++ b/sos/component.py
@@ -18,6 +18,7 @@ import time
 
 from argparse import SUPPRESS
 from datetime import datetime
+from getpass import getpass
 from shutil import rmtree
 from pathlib import Path
 from sos import __version__
@@ -58,6 +59,7 @@ class SoSComponent():
         "compression_type": 'auto',
         "config_file": '/etc/sos/sos.conf',
         "debug": False,
+        "encrypt": False,
         "encrypt_key": None,
         "encrypt_pass": None,
         "quiet": False,
@@ -266,7 +268,45 @@ class SoSComponent():
             print("Failed to finish cleanup: %s\nContents may remain in %s"
                   % (err, self.tmpdir))
 
+    def _set_encrypt_from_env_vars(self):
+        msg = ('No encryption environment variables set, archive will not be '
+               'encrypted')
+        if os.environ.get('SOSENCRYPTKEY'):
+            self.opts.encrypt_key = os.environ.get('SOSENCRYPTKEY')
+            msg = 'Encryption key set via environment variable'
+        elif os.environ.get('SOSENCRYPTPASS'):
+            self.opts.encrypt_pass = os.environ.get('SOSENCRYPTPASS')
+            msg = 'Encryption passphrase set via environment variable'
+        self.soslog.info(msg)
+        self.ui_log.info(msg)
+
+    def _get_encryption_method(self):
+        if not self.opts.batch:
+            _enc = None
+            while _enc not in ('P', 'K', 'E', 'N'):
+                _enc = input((
+                    'Specify encryption method [P]assphrase, [K]ey, [E]nv '
+                    'vars, [N]o encryption: '
+                )).upper()
+            if _enc == 'P':
+                self.opts.encrypt_pass = getpass('Specify encryption '
+                                                 'passphrase: ')
+            elif _enc == 'K':
+                self.opts.encrypt_key = input('Specify encryption key: ')
+            elif _enc == 'E':
+                self._set_encrypt_from_env_vars()
+            else:
+                self.opts.encrypt_key = None
+                self.opts.encrypt_pass = None
+                self.soslog.info("User specified --encrypt, but chose no "
+                                 "encryption when prompted.")
+                self.ui_log.warn("Archive will not be encrypted")
+        else:
+            self._set_encrypt_from_env_vars()
+
     def setup_archive(self, name=''):
+        if self.opts.encrypt:
+            self._get_encryption_method()
         enc_opts = {
             'encrypt': True if (self.opts.encrypt_pass or
                                 self.opts.encrypt_key) else False,