Use docker-credential-helper to manage secrets

Store service credentials securely in the stores supported by docker:
- https://github.com/docker/docker-credential-helpers#available-programs

Introduces a top-level config property, "secretStore" and additional
command line arguments to manage the stored secrets.

The value of secretStore is used to find a helper command,
`docker-credential-<secretStore>`.

The docker project currently provides 4 store helpers:
- "osxkeychain" (OS X only)
- "secretservice" (Linux only)
- "wincred" (Windows only)
- "pass" (any OS supporting pass, which uses gpg2)

Docker-for-desktop installs the credential helpers above, as well as
"desktop" (docker-credential-desktop).

Generic installation instructions for the helpers:
- https://github.com/docker/docker-credential-helpers#installation

Users could provide additional helpers, the only requirement is that the
helper implements the credential store protocol:
- https://github.com/docker/docker-credential-helpers#development

The credential protocol is open, and new credential stores can be
implemented by any CLI satisfying the protocol:
- https://github.com/docker/docker-credential-helpers#development

The modifications to existing modules is not tested due to lack
of API keys, but demonstrates the unobtrusive changes required to
use the secret store.

flags/flags.go

@@ -4,7 +4,9 @@ import (
 	"fmt"
 	"os"
 	"path/filepath"
+	"strings"
 
+	"github.com/chzyer/readline"
 	goFlags "github.com/jessevdk/go-flags"
 	"github.com/olebedev/config"
 	"github.com/wtfutil/wtf/cfg"
@@ -17,10 +19,26 @@ type Flags struct {
 	Module  string `short:"m" long:"module" optional:"yes" description:"Display info about a specific module, i.e.: 'wtfutil -m=todo'"`
 	Profile bool   `short:"p" long:"profile" optional:"yes" description:"Profile application memory usage"`
 	Version bool   `short:"v" long:"version" description:"Show version info"`
+	// Work-around go-flags misfeatures. If any sub-command is defined
+	// then `wtf` (no sub-commands, the common usage), is warned about.
+	Opt struct {
+		Cmd  string   `positional-arg-name:"command"`
+		Args []string `positional-arg-name:"args"`
+	} `positional-args:"yes"`
 
 	hasCustom bool
 }
 
+var EXTRA = `
+Commands:
+  save-secret <service>
+    service      Service URL or module name of secret.
+  Save a secret into the secret store. The secret will be prompted for.
+  Requires wtf.secretStore to be configured.  See individual modules for
+  information on what service and secret means for their configuration,
+  not all modules use secrets.
+`
+
 // NewFlags creates an instance of Flags
 func NewFlags() *Flags {
 	flags := Flags{}
@@ -46,6 +64,58 @@ func (flags *Flags) RenderIf(version, date string, config *config.Config) {
 		fmt.Printf("%s (%s)\n", version, date)
 		os.Exit(0)
 	}
+
+	if flags.Opt.Cmd == "" {
+		return
+	}
+
+	switch cmd := flags.Opt.Cmd; cmd {
+	case "save-secret":
+		var service, secret string
+		args := flags.Opt.Args
+
+		if len(args) < 1 || args[0] == "" {
+			fmt.Fprintf(os.Stderr, "save-secret: service required, see `%s --help`\n", os.Args[0])
+			os.Exit(1)
+		}
+
+		service = args[0]
+
+		if len(args) > 1 {
+			fmt.Fprintf(os.Stderr, "save-secret: too many arguments, see `%s --help`\n", os.Args[0])
+			os.Exit(1)
+		}
+
+		b, err := readline.Password("Secret: ")
+		if err != nil {
+			fmt.Fprintf(os.Stderr, "Error: %v\n", err)
+			os.Exit(1)
+		}
+		secret = string(b)
+		secret = strings.TrimSpace(secret)
+
+		if secret == "" {
+			fmt.Fprintf(os.Stderr, "save-secret: secret required, see `%s --help`\n", os.Args[0])
+			os.Exit(1)
+		}
+
+		err = cfg.StoreSecret(config, &cfg.Secret{
+			Service:  service,
+			Secret:   secret,
+			Username: "default",
+		})
+
+		if err != nil {
+			fmt.Fprintf(os.Stderr, "Saving secret for service %q: %s\n", service, err.Error())
+			os.Exit(1)
+		}
+
+		fmt.Printf("Saved secret for service %q\n", service)
+		os.Exit(0)
+	default:
+		fmt.Fprintf(os.Stderr, "Command `%s` is not supported, try `%s --help`\n", cmd, os.Args[0])
+		os.Exit(1)
+	}
 }
 
 // HasCustomConfig returns TRUE if a config path was passed in, FALSE if one was not
@@ -68,6 +138,7 @@ func (flags *Flags) Parse() {
 	parser := goFlags.NewParser(flags, goFlags.Default)
 	if _, err := parser.Parse(); err != nil {
 		if flagsErr, ok := err.(*goFlags.Error); ok && flagsErr.Type == goFlags.ErrHelp {
+			fmt.Println(EXTRA)
 			os.Exit(0)
 		}
 	}