[fix-secrets-695] config: replace String by PathBuf for *_file
This commit is contained in:
parent
25e5738568
commit
bf283c9924
GPG key ID:
0E496D15096376BE
|
|
@ -1,3 +1,5 @@
|
||||||
|
use std::path::PathBuf;
|
||||||
|
|
||||||
use structopt::StructOpt;
|
use structopt::StructOpt;
|
||||||
|
|
||||||
use garage_util::config::Config;
|
use garage_util::config::Config;
|
||||||
|
|
@ -23,7 +25,7 @@ pub struct Secrets {
|
||||||
/// RPC secret network key, used to replace rpc_secret in config.toml and rpc-secret
|
/// RPC secret network key, used to replace rpc_secret in config.toml and rpc-secret
|
||||||
/// when running the daemon or doing admin operations
|
/// when running the daemon or doing admin operations
|
||||||
#[structopt(long = "rpc-secret-file", env = "GARAGE_RPC_SECRET_FILE")]
|
#[structopt(long = "rpc-secret-file", env = "GARAGE_RPC_SECRET_FILE")]
|
||||||
pub rpc_secret_file: Option<String>,
|
pub rpc_secret_file: Option<PathBuf>,
|
||||||
|
|
||||||
/// Admin API authentication token, replaces admin.admin_token in config.toml when
|
/// Admin API authentication token, replaces admin.admin_token in config.toml when
|
||||||
/// running the Garage daemon
|
/// running the Garage daemon
|
||||||
|
|
@ -33,7 +35,7 @@ pub struct Secrets {
|
||||||
/// Admin API authentication token file path, replaces admin.admin_token in config.toml
|
/// Admin API authentication token file path, replaces admin.admin_token in config.toml
|
||||||
/// and admin-token when running the Garage daemon
|
/// and admin-token when running the Garage daemon
|
||||||
#[structopt(long = "admin-token-file", env = "GARAGE_ADMIN_TOKEN_FILE")]
|
#[structopt(long = "admin-token-file", env = "GARAGE_ADMIN_TOKEN_FILE")]
|
||||||
pub admin_token_file: Option<String>,
|
pub admin_token_file: Option<PathBuf>,
|
||||||
|
|
||||||
/// Metrics API authentication token, replaces admin.metrics_token in config.toml when
|
/// Metrics API authentication token, replaces admin.metrics_token in config.toml when
|
||||||
/// running the Garage daemon
|
/// running the Garage daemon
|
||||||
|
|
@ -43,7 +45,7 @@ pub struct Secrets {
|
||||||
/// Metrics API authentication token file path, replaces admin.metrics_token in config.toml
|
/// Metrics API authentication token file path, replaces admin.metrics_token in config.toml
|
||||||
/// and metrics-token when running the Garage daemon
|
/// and metrics-token when running the Garage daemon
|
||||||
#[structopt(long = "metrics-token-file", env = "GARAGE_METRICS_TOKEN_FILE")]
|
#[structopt(long = "metrics-token-file", env = "GARAGE_METRICS_TOKEN_FILE")]
|
||||||
pub metrics_token_file: Option<String>,
|
pub metrics_token_file: Option<PathBuf>,
|
||||||
}
|
}
|
||||||
|
|
||||||
/// Single function to fill all secrets in the Config struct from their correct source (value
|
/// Single function to fill all secrets in the Config struct from their correct source (value
|
||||||
|
|
@ -85,9 +87,9 @@ pub fn fill_secrets(mut config: Config, secrets: Secrets) -> Result<Config, Erro
|
||||||
|
|
||||||
pub(crate) fn fill_secret(
|
pub(crate) fn fill_secret(
|
||||||
config_secret: &mut Option<String>,
|
config_secret: &mut Option<String>,
|
||||||
config_secret_file: &Option<String>,
|
config_secret_file: &Option<PathBuf>,
|
||||||
cli_secret: &Option<String>,
|
cli_secret: &Option<String>,
|
||||||
cli_secret_file: &Option<String>,
|
cli_secret_file: &Option<PathBuf>,
|
||||||
name: &'static str,
|
name: &'static str,
|
||||||
allow_world_readable: bool,
|
allow_world_readable: bool,
|
||||||
) -> Result<(), Error> {
|
) -> Result<(), Error> {
|
||||||
|
|
@ -117,14 +119,14 @@ pub(crate) fn fill_secret(
|
||||||
Ok(())
|
Ok(())
|
||||||
}
|
}
|
||||||
|
|
||||||
fn read_secret_file(file_path: &String, allow_world_readable: bool) -> Result<String, Error> {
|
fn read_secret_file(file_path: &PathBuf, allow_world_readable: bool) -> Result<String, Error> {
|
||||||
if !allow_world_readable {
|
if !allow_world_readable {
|
||||||
#[cfg(unix)]
|
#[cfg(unix)]
|
||||||
{
|
{
|
||||||
use std::os::unix::fs::MetadataExt;
|
use std::os::unix::fs::MetadataExt;
|
||||||
let metadata = std::fs::metadata(file_path)?;
|
let metadata = std::fs::metadata(file_path)?;
|
||||||
if metadata.mode() & 0o077 != 0 {
|
if metadata.mode() & 0o077 != 0 {
|
||||||
return Err(format!("File {} is world-readable! (mode: 0{:o}, expected 0600)\nRefusing to start until this is fixed, or environment variable GARAGE_ALLOW_WORLD_READABLE_SECRETS is set to true.", file_path, metadata.mode()).into());
|
return Err(format!("File {} is world-readable! (mode: 0{:o}, expected 0600)\nRefusing to start until this is fixed, or environment variable GARAGE_ALLOW_WORLD_READABLE_SECRETS is set to true.", file_path.display(), metadata.mode()).into());
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
@ -260,7 +262,7 @@ mod tests {
|
||||||
let config = fill_secrets(
|
let config = fill_secrets(
|
||||||
config,
|
config,
|
||||||
Secrets {
|
Secrets {
|
||||||
rpc_secret_file: Some(path_secret2.display().to_string()),
|
rpc_secret_file: Some(path_secret2.clone()),
|
||||||
..Default::default()
|
..Default::default()
|
||||||
},
|
},
|
||||||
)?;
|
)?;
|
||||||
|
|
@ -271,7 +273,7 @@ mod tests {
|
||||||
config,
|
config,
|
||||||
Secrets {
|
Secrets {
|
||||||
rpc_secret: Some("baz".into()),
|
rpc_secret: Some("baz".into()),
|
||||||
rpc_secret_file: Some(path_secret2.display().to_string()),
|
rpc_secret_file: Some(path_secret2.clone()),
|
||||||
..Default::default()
|
..Default::default()
|
||||||
}
|
}
|
||||||
)
|
)
|
||||||
|
|
|
||||||
|
|
@ -52,7 +52,7 @@ pub struct Config {
|
||||||
/// RPC secret key: 32 bytes hex encoded
|
/// RPC secret key: 32 bytes hex encoded
|
||||||
pub rpc_secret: Option<String>,
|
pub rpc_secret: Option<String>,
|
||||||
/// Optional file where RPC secret key is read from
|
/// Optional file where RPC secret key is read from
|
||||||
pub rpc_secret_file: Option<String>,
|
pub rpc_secret_file: Option<PathBuf>,
|
||||||
/// Address to bind for RPC
|
/// Address to bind for RPC
|
||||||
pub rpc_bind_addr: SocketAddr,
|
pub rpc_bind_addr: SocketAddr,
|
||||||
/// Public IP address of this node
|
/// Public IP address of this node
|
||||||
|
|
@ -166,12 +166,12 @@ pub struct AdminConfig {
|
||||||
/// Bearer token to use to scrape metrics
|
/// Bearer token to use to scrape metrics
|
||||||
pub metrics_token: Option<String>,
|
pub metrics_token: Option<String>,
|
||||||
/// File to read metrics token from
|
/// File to read metrics token from
|
||||||
pub metrics_token_file: Option<String>,
|
pub metrics_token_file: Option<PathBuf>,
|
||||||
|
|
||||||
/// Bearer token to use to access Admin API endpoints
|
/// Bearer token to use to access Admin API endpoints
|
||||||
pub admin_token: Option<String>,
|
pub admin_token: Option<String>,
|
||||||
/// File to read admin token from
|
/// File to read admin token from
|
||||||
pub admin_token_file: Option<String>,
|
pub admin_token_file: Option<PathBuf>,
|
||||||
|
|
||||||
/// OTLP server to where to export traces
|
/// OTLP server to where to export traces
|
||||||
pub trace_sink: Option<String>,
|
pub trace_sink: Option<String>,
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue