From 6db37ae63e7ed0973cde2fb6515bc7fa83c7c399 Mon Sep 17 00:00:00 2001
From: Andrei Pavel <andrei@isc.org>
Date: Wed, 14 Apr 2021 15:44:38 +0300
Subject: [PATCH] [#1675] kea-admin: KEA_ADMIN_DB_PASSWORD env var

---
 ChangeLog                      | 14 +++++---------
 doc/sphinx/man/kea-admin.8.rst |  4 +++-
 src/bin/admin/kea-admin.in     |  9 +++++++++
 3 files changed, 17 insertions(+), 10 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 86f99d26a9..b131d99532 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,15 +1,11 @@
 1885.	[func]		andrei
 	kea-admin is now able to interactively ask for a password if no
 	parameter follows the -p or the --password parameters. This
-	requires the user to give it as the last parameter. If another
-	option starting with dash follows, that would be taken as the
-	actual password, would not be processed as it should have been
-	and all your parameters will be offset by one. Checking if the
-	word that follows starts with dash is also not possible because
-	that would not allow for passwords starting with dash. Feedback
-	of the password to the terminal is cut off to prevent
-	over-the-shoulder snooping and other social engineering
-	techniques.
+	requires the user to give it as the last parameter. The entered
+	password is not echoed back to the terminal in order to prevent
+	over-the-shoulder snooping or other social engineering
+	techniques. Alternatively, you can set the password via the
+	KEA_ADMIN_DB_PASSWORD environment variable.
 	(Gitlab #1675)
 
 1884.	[doc]		fdupont
diff --git a/doc/sphinx/man/kea-admin.8.rst b/doc/sphinx/man/kea-admin.8.rst
index 2e615c1b6a..153702c92b 100644
--- a/doc/sphinx/man/kea-admin.8.rst
+++ b/doc/sphinx/man/kea-admin.8.rst
@@ -72,7 +72,9 @@ Arguments
 ``-p|--password password``
    Specifies the password when connecting to a database.
    If only ``-p`` or ``--password`` is given, the user is prompted for a password.
-   If not specified at all, the default value of **keatest** is used.
+   If not specified at all, the **KEA_ADMIN_DB_PASSWORD** environment variable
+   is checked for a value and used if it exists.
+   Otherwise the default value of **keatest** is used.
 
 ``-n|--name database-name``
    Specifies the name of the database to connect to. If not specified, the
diff --git a/src/bin/admin/kea-admin.in b/src/bin/admin/kea-admin.in
index d7bb5639dc..2d1939130f 100644
--- a/src/bin/admin/kea-admin.in
+++ b/src/bin/admin/kea-admin.in
@@ -749,6 +749,7 @@ do
             ;;
         # Specify database password
         -p|--password)
+            password_parameter_passed=true
             # If there is at least one more parameter following...
             if test "${#}" -gt 1; then
                 # Then take it as password.
@@ -819,6 +820,14 @@ do
     shift
 done
 
+# After all the parameters have been parsed, check environment variables.
+if test -z "${password_parameter_passed+x}"; then
+    if test -n "${KEA_ADMIN_DB_PASSWORD+x}"; then
+        printf 'Using the value of KEA_ADMIN_DB_PASSWORD for authentication...\n'
+        db_password="${KEA_ADMIN_DB_PASSWORD}"
+    fi
+fi
+
 case ${command} in
     # Initialize the database
     db-init)