From 59827556c321493748e0c5aeda08c070ce6c8eb7 Mon Sep 17 00:00:00 2001
From: MattMonk <monk.matthew@gmail.com>
Date: Tue, 20 Aug 2024 14:57:53 +0100
Subject: [PATCH] Add warnings about using the password option

---
 docs/intro.md                               |  2 ++
 snakemake_storage_plugin_xrootd/__init__.py | 12 +++++++++++-
 2 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/docs/intro.md b/docs/intro.md
index 32c49de..438e348 100644
--- a/docs/intro.md
+++ b/docs/intro.md
@@ -5,3 +5,5 @@ Currently, only files can be used as inputs or outputs and not directories.
 The plugin can be used without specifying any options relating to the URLs, in which case all information must be contained in the URL passed by the user.
 
 The options for `host`, `port`, `username`, `password` and `url_decorator` can be specifed to make the URLs shorter and easier to use.
+
+Please note: if the `password` option is supplied (even implicitly via the environment variable `SNAKEMAKE_STORAGE_XROOTD_PASSWORD`) it will be displayed in plaintext as part of the XRootD URLs when Snakemake prints information about a rule. Only use the `password` option in trusted environments.
diff --git a/snakemake_storage_plugin_xrootd/__init__.py b/snakemake_storage_plugin_xrootd/__init__.py
index b386af0..72680c9 100644
--- a/snakemake_storage_plugin_xrootd/__init__.py
+++ b/snakemake_storage_plugin_xrootd/__init__.py
@@ -75,7 +75,10 @@ class StorageProviderSettings(StorageProviderSettingsBase):
     password: Optional[str] = field(
         default=None,
         metadata={
-            "help": "The password to use for authentication",
+            "help": "The password to use for authentication. NOTE: Only use this "
+            "setting in trusted environments! Snakemake will print the "
+            "password in plaintext as part of the XRootD URLs used in the "
+            "inputs/outputs of jobs.",
             "env_var": True,
             "required": False,
         },
@@ -94,6 +97,13 @@ class StorageProvider(StorageProviderBase):
     def __post_init__(self):
         self.username = self.settings.username
         self.password = self.settings.password
+        if self.password is not None:
+            get_logger().warning(
+                "A password has been specified -- it will be printed "
+                "in plaintext when Snakemake displays the "
+                "inputs/outputs of jobs! Only use this option in "
+                "trusted environments."
+            )
         self.host = self.settings.host
         self.port = self.settings.port
         self.url_decorator = self.settings.url_decorator