Add --interactive option for ha auth reset (#558)

sairon · web-flow · commit e7b778aeb00e · 2025-04-09T12:24:03.000+02:00
Add option to perform interactive reset of user password. In that case, when no username argument is provided, a list of existing users is shown first. With username selected or given, prompt for a password is shown, read with no echo to the terminal for privacy. This can be especially useful when the username contains characters that can't be entered in the OS console. While the framebuffer console still may not show all the characters, it may give enough clues to select the users for whom the password should be reset. See: home-assistant/operating-system#3879
diff --git a/client/helper.go b/client/helper.go
@@ -3,11 +3,16 @@ package client
 import (
 	"bufio"
 	"encoding/json"
+	"errors"
 	"fmt"
+	"golang.org/x/term"
 	"io"
 	"net/url"
 	"os"
+	"os/signal"
 	"path"
+	"strconv"
+	"syscall"
 	"time"
 
 	yaml "github.com/ghodss/yaml"
@@ -219,3 +224,76 @@ func AskForConfirmation(prompt string, tries int) bool {
 	}
 	return false
 }
+
+func ReadInteger(prompt string, tries int, min int, max int) (int, error) {
+	reader := bufio.NewReader(os.Stdin)
+	if tries <= 0 {
+		tries = 2
+	}
+
+	for ; tries > 0; tries-- {
+		fmt.Printf("%s [%d-%d]: ", prompt, min, max)
+
+		res, err := reader.ReadString('\n')
+		if err != nil {
+			log.Fatalf("error: %v", err)
+			continue
+		}
+
+		res = strings.TrimSpace(res)
+		if len(res) == 0 {
+			continue
+		}
+
+		val, err := strconv.Atoi(res)
+		if err != nil || val < min || val > max {
+			fmt.Printf("Invalid value. Must be between %d and %d.\n", min, max)
+			continue
+		}
+		return val, nil
+	}
+
+	return 0, errors.New("maximum tries exceeded")
+}
+
+func ReadPassword(repeat bool) (string, error) {
+	initialState, err := term.GetState(syscall.Stdin)
+	if err != nil {
+		return "", err
+	}
+
+	// Make sure terminal is restored on termination
+	signalChan := make(chan os.Signal, 1)
+	signal.Notify(signalChan, syscall.SIGINT, syscall.SIGTERM)
+	go func() {
+		<-signalChan
+		err := term.Restore(syscall.Stdin, initialState)
+		if err != nil {
+			fmt.Println("Failed to restore terminal state!")
+			panic(err)
+		}
+		os.Exit(1)
+	}()
+
+	fmt.Print("Password: ")
+	password, err := term.ReadPassword(syscall.Stdin)
+	fmt.Println()
+	if err != nil {
+		return "", err
+	}
+
+	if repeat {
+		fmt.Print("Password (again): ")
+		password2, err := term.ReadPassword(syscall.Stdin)
+		fmt.Println()
+		if err != nil {
+			return "", err
+		}
+
+		if string(password) != string(password2) {
+			return "", errors.New("passwords do not match")
+		}
+	}
+
+	return string(password), nil
+}
diff --git a/cmd/auth_reset.go b/cmd/auth_reset.go
@@ -8,6 +8,60 @@ import (
 	"github.com/spf13/cobra"
 )
 
+type User struct {
+	Username  string
+	Name      string
+	Owner     bool
+	Active    bool
+	LocalOnly bool
+}
+
+var MsgLimitedAccess = "For security reasons, this command works only from the operating system terminal."
+
+func getUsers() ([]User, error) {
+	resp, err := helper.GenericJSONGet("auth", "list")
+
+	if err != nil {
+		return nil, err
+	}
+
+	var data *helper.Response
+	var result []User
+
+	if resp.IsSuccess() {
+		data = resp.Result().(*helper.Response)
+
+		if data.Result != "ok" {
+			err := fmt.Errorf("error returned from Supervisor: %s", data.Message)
+			return nil, err
+		}
+
+		for _, user := range data.Data["users"].([]interface{}) {
+			user := user.(map[string]interface{})
+			result = append(result, User{
+				Username:  user["username"].(string),
+				Name:      user["name"].(string),
+				Owner:     user["is_owner"].(bool),
+				Active:    user["is_active"].(bool),
+				LocalOnly: user["local_only"].(bool),
+			})
+		}
+	} else {
+		data = resp.Error().(*helper.Response)
+		err := fmt.Errorf("error returned from Supervisor: %s", data.Message)
+		return nil, err
+	}
+
+	return result, nil
+}
+
+func listUsers(users []User) {
+	for i, user := range users {
+		fmt.Printf("- %d: %s (%s)\n", i+1, user.Username, user.Name)
+		fmt.Printf("     owner: %t, active: %t, local only: %t\n", user.Owner, user.Active, user.LocalOnly)
+	}
+}
+
 var authResetCmd = &cobra.Command{
 	Use:     "reset",
 	Aliases: []string{"rst", "change"},
@@ -19,6 +73,7 @@ only work on some locations. For example, the Operating System CLI.
 `,
 	Example: `
   ha authentication reset --username "JohnDoe" --password "123SuperSecret!"
+  ha authentication reset --interactive
 `,
 	ValidArgsFunction: cobra.NoFileCompletions,
 	Args:              cobra.NoArgs,
@@ -40,9 +95,49 @@ only work on some locations. For example, the Operating System CLI.
 			}
 		}
 
+		interactive, _ := cmd.Flags().GetBool("interactive")
+		if interactive {
+			// prompt for user if not given
+			if options["username"] != nil && options["username"] != "" {
+				fmt.Printf("Changing password for user '%s'\n", options["username"])
+			} else {
+				users, err := getUsers()
+				if err != nil {
+					cmd.PrintErrln(MsgLimitedAccess)
+					fmt.Println(err)
+					ExitWithError = true
+					return
+				}
+
+				fmt.Println("List of users:")
+				listUsers(users)
+
+				idx, err := helper.ReadInteger("Select a user to reset the password for", 3, 1, len(users))
+				if err != nil {
+					fmt.Println("Aborted: ", err)
+					ExitWithError = true
+					return
+				}
+
+				user := users[idx-1]
+				fmt.Printf("Changing password for user %d: %s (%s)\n", idx, user.Username, user.Name)
+				options["username"] = user.Username
+			}
+
+			// prompt for password
+			password, err := helper.ReadPassword(true)
+			if err != nil {
+				fmt.Printf("Failed to set password: %v\n", err)
+				ExitWithError = true
+				return
+			}
+			options["password"] = password
+		}
+
+		// change the password
 		resp, err := helper.GenericJSONPost(section, command, options)
 		if err != nil {
-			cmd.PrintErrln("this command is limited due to security reasons, and will only work on some locations. For example, the Operating System terminal.")
+			cmd.PrintErrln(MsgLimitedAccess)
 			fmt.Println(err)
 			ExitWithError = true
 		} else {
@@ -53,9 +148,10 @@ only work on some locations. For example, the Operating System CLI.
 
 func init() {
 	authResetCmd.Flags().String("username", "", "Username to reset the password for")
-	authResetCmd.Flags().String("password", "", "The new password to assign")
-	authResetCmd.MarkFlagRequired("username")
-	authResetCmd.MarkFlagRequired("password")
+	authResetCmd.Flags().String("password", "", "New password to assign. Ignored in interactive mode")
+	authResetCmd.Flags().Bool("interactive", false, "Use interactive prompt for entering username and/or password")
+	authResetCmd.MarkFlagsOneRequired("username", "interactive")
+	authResetCmd.MarkFlagsOneRequired("password", "interactive")
 	authResetCmd.RegisterFlagCompletionFunc("username", cobra.NoFileCompletions)
 	authResetCmd.RegisterFlagCompletionFunc("password", cobra.NoFileCompletions)
 	authCmd.AddCommand(authResetCmd)
