Оффлайн
- Регистрация
- 1 Мар 2015
- Сообщения
- 1,481
- Баллы
- 155
I like it's available as a command line tool and is pretty ubiquitous across platforms.
This allows me to compose a of http request against a test environment, check everything worked as expected and then copy those requests from my terminal with the intent of running on production.
Easy - it's all just plain text now, do a find-and-replace on the hostname and it's ready to go!
Here's a hypothetical I've prepared featuring some very important resources I'm going to alter.
curl -X DELETE
However an interface like that should want to authenticate who is conducting such a privileged operation. For this, many still use .
Basic auth just needs me to base64 encode the username and password and pop it in the Authorization header, so I'll just grab the password out of the secrets management system and do that...
cat 'admin:p4ssw0rd' | base64
(Glad we're spending 5K a year on Vault to protect that /s)
OK, it's ready:
curl -H 'Authorization: YWRtaW46cDRzc3cwcmQK' -X DELETE
To get that run in production it might require me to:
You really don't want to put that Authorization header value in any of those.
echo YWRtaW46cDRzc3cwcmQK | base64 --decode
Yeah, no.
But here curl can help you, with -u, you --user you.
curl -u admin -X DELETE
Note there is no secret or encoding of a secret in the command, instead, you get an interactive prompt!
Enter host password for user 'admin':
No longer do you have to instruct someone (or future you) how to encode the password and modify the curl command. Just retrieve it when needed and supply to the prompt, curl takes care of the encoding and addition of the header for you.
OK I'm off to rotate that password above now. Get some special characters in it and make it longerer.
Here we go: .$@[BD:O]_'=M0H;mzkgLOUr1
And yes, here we have another nice benefit of using the interactive prompt. I no longer have to worry about escaping that lot correctly in a shell.
There are other benefits to avoiding secrets being present in any commands you are running in a shell, more knowledgable people feel free to chime in on the comments.
If want to know more around authentication with curl this is an excellent summary of options available including alternate schemes to Basic Auth and how to authenticate against proxies.
()
Thanks for reading.
This allows me to compose a of http request against a test environment, check everything worked as expected and then copy those requests from my terminal with the intent of running on production.
Easy - it's all just plain text now, do a find-and-replace on the hostname and it's ready to go!
Here's a hypothetical I've prepared featuring some very important resources I'm going to alter.
curl -X DELETE
However an interface like that should want to authenticate who is conducting such a privileged operation. For this, many still use .
Basic auth just needs me to base64 encode the username and password and pop it in the Authorization header, so I'll just grab the password out of the secrets management system and do that...
cat 'admin:p4ssw0rd' | base64
(Glad we're spending 5K a year on Vault to protect that /s)
OK, it's ready:
curl -H 'Authorization: YWRtaW46cDRzc3cwcmQK' -X DELETE
To get that run in production it might require me to:
- send it to a colleague
- commit to a git repository
- document in some implementation plan (change management)
You really don't want to put that Authorization header value in any of those.
echo YWRtaW46cDRzc3cwcmQK | base64 --decode
Yeah, no.
But here curl can help you, with -u, you --user you.
curl -u admin -X DELETE
Note there is no secret or encoding of a secret in the command, instead, you get an interactive prompt!
Enter host password for user 'admin':
No longer do you have to instruct someone (or future you) how to encode the password and modify the curl command. Just retrieve it when needed and supply to the prompt, curl takes care of the encoding and addition of the header for you.
OK I'm off to rotate that password above now. Get some special characters in it and make it longerer.
Here we go: .$@[BD:O]_'=M0H;mzkgLOUr1
And yes, here we have another nice benefit of using the interactive prompt. I no longer have to worry about escaping that lot correctly in a shell.
There are other benefits to avoiding secrets being present in any commands you are running in a shell, more knowledgable people feel free to chime in on the comments.
If want to know more around authentication with curl this is an excellent summary of options available including alternate schemes to Basic Auth and how to authenticate against proxies.
()
Thanks for reading.