fickit: Handle secrets more seriously

2024-03-23 18:03:08 +01:00 · 2024-03-23 18:03:08 +01:00 · dc5350c20f
commit dc5350c20f
parent c3e6cadb70
3 changed files with 81 additions and 7 deletions
--- a/admin/main.go
+++ b/admin/main.go
@ -3,6 +3,7 @@ package main
 import (
 	"flag"
 	"io/fs"
+	"io/ioutil"
 	"log"
 	"net/http"
 	"os"
@ -10,6 +11,7 @@ import (
 	"path"
 	"path/filepath"
 	"strconv"
+	"strings"
 	"syscall"

 	"srs.epita.fr/fic-server/admin/api"
@ -39,9 +41,29 @@ func main() {
 	}
 	if v, exists := os.LookupEnv("FICOIDC_SECRET"); exists {
 		api.OidcSecret = v
+	} else if v, exists := os.LookupEnv("FICOIDC_SECRET_FILE"); exists {
+		fd, err := os.Open(v)
+		if err != nil {
+			log.Fatal("Unable to open FICOIDC_SECRET_FILE:", err)
+		}
+
+		b, _ := ioutil.ReadAll(fd)
+		api.OidcSecret = strings.TrimSpace(string(b))
+
+		fd.Close()
 	}
 	if v, exists := os.LookupEnv("FICCA_PASS"); exists {
 		pki.SetCAPassword(v)
+	} else if v, exists := os.LookupEnv("FICCA_PASS_FILE"); exists {
+		fd, err := os.Open(v)
+		if err != nil {
+			log.Fatal("Unable to open FICCA_PASS_FILE:", err)
+		}
+
+		b, _ := ioutil.ReadAll(fd)
+		pki.SetCAPassword(strings.TrimSpace(string(b)))
+
+		fd.Close()
 	} else {
 		log.Println("WARNING: no password defined for the CA, will use empty password to secure CA private key")
 		log.Println("WARNING:    PLEASE DEFINE ENVIRONMENT VARIABLE: FICCA_PASS")
@ -54,6 +76,16 @@ func main() {
 	}
 	if v, exists := os.LookupEnv("FICCLOUD_PASS"); exists {
 		cloudPassword = v
+	} else if v, exists := os.LookupEnv("FICCLOUD_PASS_FILE"); exists {
+		fd, err := os.Open(v)
+		if err != nil {
+			log.Fatal("Unable to open FICCLOUD_PASS_FILE:", err)
+		}
+
+		b, _ := ioutil.ReadAll(fd)
+		cloudPassword = strings.TrimSpace(string(b))
+
+		fd.Close()
 	}
 	if v, exists := os.LookupEnv("FIC_BASEURL"); exists {
 		baseURL = v