mail: Update mail-check to work with pass-coffin

Updated code to be able to run a password command chosen individually, as well as a post-password command. Used in this instance to `pass open` a password store in a coffin/tomb before actually trying to read passwords out of it.
2022-01-28 18:32:06 +01:00 · 2022-01-28 18:32:06 +01:00 · ea95ca7dfa
parent 572fa471ae
commit ea95ca7dfa
2 changed files with 22 additions and 8 deletions
--- a/mail/.config/isync/mbsyncrc
+++ b/mail/.config/isync/mbsyncrc
@ -3,8 +3,8 @@
 IMAPAccount gmail
 # Address to connect to
 Host imap.gmail.com
-UserCmd "gpg2 --decrypt --no-tty --quiet --no-verbose --for-your-eyes-only --pinentry-mode ask ~/.local/share/pass/misc/aerc-gmail-app-password.gpg | grep username | cut -d: -f2"
-PassCmd "gpg2 --decrypt --no-tty --quiet --no-verbose --for-your-eyes-only --pinentry-mode ask ~/.local/share/pass/misc/aerc-gmail-app-password.gpg | head -n1"
+UserCmd "pass show misc/aerc-gmail-app-password | grep username | cut -d: -f2"
+PassCmd "pass show misc/aerc-gmail-app-password | head -n1"
 # To store the password in an encrypted file use PassCmd instead of Pass
 # PassCmd "gpg2 -q --for-your-eyes-only --no-tty -d ~/.mailpass.gpg"
 #
--- a/mail/.local/bin/mail-check
+++ b/mail/.local/bin/mail-check
@ -1,4 +1,4 @@
-#!/usr/bin/env sh
+#!/usr/bin/env bash
 #
 # Runs mbsync, with pre-hooks and post-hooks
 # by default, the pre-hook first runs imapfilter
@ -38,7 +38,9 @@
 # MBSYNC_NOTIFY=1
 # MBSYNC_PASSWORD_FILE="/path/to/gpg/file.gpg"

-PASSWORD_FILE="${MBSYNC_PASSWORD_FILE:-$HOME/.local/share/pass/misc/aerc-gmail-app-password.gpg}"
+# What to run before and after decrypting the password file.
+PASSWORD_CMD="pass open -t 1min"
+# POST_PASSWORD_CMD=""

 prehook() {
    if [ -n "$MBSYNC_PRE" ]; then
@ -83,7 +85,7 @@ checkonline() {
 # warn user that he has to enter his password in a moment
 # to stop catching him offguard or entering something by accident
 checkwarnuser() {
-    agt=$(gpg2 --decrypt --no-tty --quiet --no-verbose --for-your-eyes-only --pinentry-mode cancel "$PASSWORD_FILE" 2>&1)
+    enablegpgagent
    if echo "$agt" | grep -qE 'No secret key'; then
        notify "Mail" "Password phrase needed!"
        sleep 2.5
@ -91,10 +93,22 @@ checkwarnuser() {
 }

 enablegpgagent() {
-    ## get password from user
-    agt=$(gpg2 --decrypt --no-tty --quiet --no-verbose --for-your-eyes-only --pinentry-mode ask "$PASSWORD_FILE" 2>&1)
+    [ -n "$agt" ] && return
+
+    if [ -n "$PASSWORD_CMD" ]; then
+        IFS=" " read -r -a PASSWORD_CMD <<<"$PASSWORD_CMD"
+        # shellcheck disable=SC2068
+        agt=$(${PASSWORD_CMD[@]})
+    fi
+
+    if [ -n "$POST_PASSWORD_CMD" ]; then
+        IFS=" " read -r -a POST_PASSWORD_CMD <<<"$POST_PASSWORD_CMD"
+        "${POST_PASSWORD_CMD[@]}"
+    fi
+
    ## exit program after first failed attempt
-    if echo "$agt" | grep -qE 'decryption failed'; then
+    if echo "$agt" | grep -qE 'decryption failed' ||
+        echo "$agt" | grep -qE 'No such file'; then
        notify "Mail" "Process aborted."
        exit 1
    fi