Add support for reading AES backend password from external command

Fixes muesli#362

cfg/aesbackend.go

@@ -31,13 +31,20 @@ import (
 	"os"
 	"path/filepath"
 
+	"os/exec"
+	"strings"
+
 	"golang.org/x/crypto/scrypt"
 )
 
 // PasswordEnvVar defines the environment variable name that should
 // contain the configuration password.
 const PasswordEnvVar = "BEEHIVE_CONFIG_PASSWORD"
 
+// PasswordCmdEnvVar defines the environment variable name that should
+// contain the external command to get the configuration password
+const PasswordCmdEnvVar = "BEEHIVE_CONFIG_PASSWORD_COMMAND"
+
 // EncryptedHeaderPrefix is added to the encrypted configuration
 // to make it possible to detect it's an encrypted configuration file
 const EncryptedHeaderPrefix = "beehiveconf+"
@@ -227,6 +234,15 @@ func getPassword(u *url.URL) (string, error) {
 	if p != "" {
 		return p, nil
 	}
+	if cmd := os.Getenv(PasswordCmdEnvVar); cmd != "" {
+		args := strings.Split(cmd, " ")
+		cmd := exec.Command(args[0], args[1:]...)
+		output, err := cmd.Output()
+		if err != nil {
+			return "", err
+		}
+		return strings.TrimSpace(string(output)), nil
+	}
 
 	if u != nil && u.User != nil {
 		p = u.User.Username()

docs/config_encryption.md

@@ -29,7 +29,12 @@ Will happily detect and load an encrypted configuration file.
 
 ## Using user keyrings to store the password
 
-A sample wrapper script (Linux only) is provided in [tools/encrypted-config-wrapper] that will read the configuration password from the sessions's keyring.
+You can also set the `BEEHIVE_CONFIG_PASSWORD_COMMAND` environment variable to automatically retrieve the password from an external command.
+For example this environment setting will retrieve the password using the Secret Service API (Gnome Keyring):
+
+```
+export BEEHIVE_CONFIG_PASSWORD_COMMAND="secret-tool lookup user behive"
+```
 
 Something similar could be written to do it on macOS using Keychain and its `security(1)` CLI.