Reputation: 25
I need to automate an openvpn connection to a server that requires me to enter a password.
I can do this with expect but I don't want to keep the password in plain text in the script.
I found encpass to help encrypt the password which I just need to source and get it to get the encrypted version of the password.
The problem comes when I try to pass the unencrypted password to expect. From what I understand, expect and bash are 2 different environments and bash cannot run expect. What I have so far is the following:
```bash
#!/usr/bin/env bash
source encpass.sh
password=$(get_secret)
{
/usr/bin/expect <<EOF
spawn openvpn /home/pi/client.ovpn
expect "Enter Private Key Password:"
send $password
interact
EOF
}
```
The end result is I run this and it starts the VPN and the script enters the password in the prompt.
If there is a simpler way of doing it, please let me know.
I have tried to automate it with just openvpn and a --auth-user-pass switch pointing to a file with the password in it but I couldn't get that working either.
Upvotes: 0
Views: 67
Reputation: 246774
Two ideas spring to mind:
1. If you want to embed expect code into a shell script, use the environment to pass values, and use a quoted heredoc to avoid quoting hell (don't forget to "hit enter" for the send command):

```bash
#!/usr/bin/env bash
source encpass.sh
password=$(get_secret)
export password
/usr/bin/expect <<'EOF'
spawn openvpn /home/pi/client.ovpn
expect "Enter Private Key Password:"
send "$env(password)\r"
interact
EOF
```

2. Do it all in expect:

```expect
#!/usr/bin/env expect
set password [exec bash -c {source encpass.sh && get_secret}]
spawn openvpn /home/pi/client.ovpn
expect "Enter Private Key Password:"
send "$password\r"
interact
```
Upvotes: 2
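The difference between the question's unquoted heredoc and the answer's quoted one, as an added example that is not part of either post: `cat` stands in for `expect` so the output is the exact script text expect would receive. The sample secret is constructed, `run_scoped` is a hypothetical helper, and the `unset env(password)` and `send --` lines are additions assumed here to keep the secret out of openvpn's environment and to cope with a password that starts with `-`.

```shell
#!/usr/bin/env bash
# Constructed sample secret containing characters that are special to Tcl.
sample='pa$$w[rd] "x"'

# Unquoted delimiter (the question's form): bash pastes the secret into the
# script text, so Tcl would later parse $w and [rd] as its own syntax.
render_unquoted() (
  password=$1
  cat <<EOF
send $password
EOF
)

# Quoted delimiter (the answer's form): the text reaches expect verbatim and
# the secret is read from the environment at run time, never parsed as Tcl.
render_quoted() (
  cat <<'EOF'
set pw $env(password)
unset env(password)  ;# assumption: keep it out of openvpn's environment
spawn openvpn /home/pi/client.ovpn
expect "Enter Private Key Password:"
send -- "$pw\r"
interact
EOF
)

# Hand the secret to one child only, instead of exporting it shell-wide.
run_scoped() (
  password=$1; shift
  export password
  exec "$@"
)

printf 'unquoted heredoc gives expect:\n%s\n\n' "$(render_unquoted "$sample")"
printf 'quoted heredoc gives expect:\n%s\n\n' "$(render_quoted)"
printf 'child sees: %s\n' "$(run_scoped "$sample" sh -c 'printf %s "$password"')"
```

With the unquoted form the secret's `$` and `[...]` become Tcl substitutions inside the expect script, while the quoted form keeps the secret out of the script text entirely.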