aboutsummaryrefslogblamecommitdiff
path: root/src/garage/secrets.rs
blob: c40c3cc9a3350454b8b2de143fef64aeec5e0042 (plain) (tree)























































































































































































































































































                                                                                                                                                                                                                                                                      
use structopt::StructOpt;

use garage_util::config::Config;
use garage_util::error::Error;

/// Structure for secret values or paths that are passed as CLI arguments or environment
/// variables, instead of in the config file.
#[derive(StructOpt, Debug, Default, Clone)]
pub struct Secrets {
	/// Skip permission check on files containing secrets
	#[cfg(unix)]
	#[structopt(
		long = "allow-world-readable-secrets",
		env = "GARAGE_ALLOW_WORLD_READABLE_SECRETS"
	)]
	pub allow_world_readable_secrets: Option<bool>,

	/// RPC secret network key, used to replace rpc_secret in config.toml when running the
	/// daemon or doing admin operations
	#[structopt(short = "s", long = "rpc-secret", env = "GARAGE_RPC_SECRET")]
	pub rpc_secret: Option<String>,

	/// RPC secret network key, used to replace rpc_secret in config.toml and rpc-secret
	/// when running the daemon or doing admin operations
	#[structopt(long = "rpc-secret-file", env = "GARAGE_RPC_SECRET_FILE")]
	pub rpc_secret_file: Option<String>,

	/// Admin API authentication token, replaces admin.admin_token in config.toml when
	/// running the Garage daemon
	#[structopt(long = "admin-token", env = "GARAGE_ADMIN_TOKEN")]
	pub admin_token: Option<String>,

	/// Admin API authentication token file path, replaces admin.admin_token in config.toml
	/// and admin-token when running the Garage daemon
	#[structopt(long = "admin-token-file", env = "GARAGE_ADMIN_TOKEN_FILE")]
	pub admin_token_file: Option<String>,

	/// Metrics API authentication token, replaces admin.metrics_token in config.toml when
	/// running the Garage daemon
	#[structopt(long = "metrics-token", env = "GARAGE_METRICS_TOKEN")]
	pub metrics_token: Option<String>,

	/// Metrics API authentication token file path, replaces admin.metrics_token in config.toml
	/// and metrics-token when running the Garage daemon
	#[structopt(long = "metrics-token-file", env = "GARAGE_METRICS_TOKEN_FILE")]
	pub metrics_token_file: Option<String>,
}

/// Single function to fill all secrets in the Config struct from their correct source (value
/// from config or CLI param or env variable or read from a file specified in config or CLI
/// param or env variable)
pub fn fill_secrets(mut config: Config, secrets: Secrets) -> Result<Config, Error> {
	let allow_world_readable = secrets
		.allow_world_readable_secrets
		.unwrap_or(config.allow_world_readable_secrets);

	fill_secret(
		&mut config.rpc_secret,
		&config.rpc_secret_file,
		&secrets.rpc_secret,
		&secrets.rpc_secret_file,
		"rpc_secret",
		allow_world_readable,
	)?;

	fill_secret(
		&mut config.admin.admin_token,
		&config.admin.admin_token_file,
		&secrets.admin_token,
		&secrets.admin_token_file,
		"admin.admin_token",
		allow_world_readable,
	)?;
	fill_secret(
		&mut config.admin.metrics_token,
		&config.admin.metrics_token_file,
		&secrets.metrics_token,
		&secrets.metrics_token_file,
		"admin.metrics_token",
		allow_world_readable,
	)?;

	Ok(config)
}

fn fill_secret(
	config_secret: &mut Option<String>,
	config_secret_file: &Option<String>,
	cli_secret: &Option<String>,
	cli_secret_file: &Option<String>,
	name: &'static str,
	allow_world_readable: bool,
) -> Result<(), Error> {
	let cli_value = match (&cli_secret, &cli_secret_file) {
		(Some(_), Some(_)) => {
			return Err(format!("only one of `{}` and `{}_file` can be set", name, name).into());
		}
		(Some(secret), None) => Some(secret.to_string()),
		(None, Some(file)) => Some(read_secret_file(file, allow_world_readable)?),
		(None, None) => None,
	};

	if let Some(val) = cli_value {
		if config_secret.is_some() || config_secret_file.is_some() {
			debug!("Overriding secret `{}` using value specified using CLI argument or environnement variable.", name);
		}

		*config_secret = Some(val);
	} else if let Some(file_path) = &config_secret_file {
		if config_secret.is_some() {
			return Err(format!("only one of `{}` and `{}_file` can be set", name, name).into());
		}

		*config_secret = Some(read_secret_file(file_path, allow_world_readable)?);
	}

	Ok(())
}

fn read_secret_file(file_path: &String, allow_world_readable: bool) -> Result<String, Error> {
	if !allow_world_readable {
		#[cfg(unix)]
		{
			use std::os::unix::fs::MetadataExt;
			let metadata = std::fs::metadata(file_path)?;
			if metadata.mode() & 0o077 != 0 {
				return Err(format!("File {} is world-readable! (mode: 0{:o}, expected 0600)\nRefusing to start until this is fixed, or environment variable GARAGE_ALLOW_WORLD_READABLE_SECRETS is set to true.", file_path, metadata.mode()).into());
			}
		}
	}

	let secret_buf = std::fs::read_to_string(file_path)?;

	// trim_end: allows for use case such as `echo "$(openssl rand -hex 32)" > somefile`.
	//           also editors sometimes add a trailing newline
	Ok(String::from(secret_buf.trim_end()))
}

#[cfg(test)]
mod tests {
	use std::fs::File;
	use std::io::Write;

	use garage_util::config::read_config;
	use garage_util::error::Error;

	use super::*;

	#[test]
	fn test_rpc_secret_file_works() -> Result<(), Error> {
		let path_secret = mktemp::Temp::new_file()?;
		let mut file_secret = File::create(path_secret.as_path())?;
		writeln!(file_secret, "foo")?;
		drop(file_secret);

		let path_config = mktemp::Temp::new_file()?;
		let mut file_config = File::create(path_config.as_path())?;
		let path_secret_path = path_secret.as_path();
		writeln!(
			file_config,
			r#"
			metadata_dir = "/tmp/garage/meta"
			data_dir = "/tmp/garage/data"
			replication_mode = "3"
			rpc_bind_addr = "[::]:3901"
			rpc_secret_file = "{}"

			[s3_api]
			s3_region = "garage"
			api_bind_addr = "[::]:3900"
			"#,
			path_secret_path.display()
		)?;
		drop(file_config);

		// Second configuration file, same as previous one
		// except it allows world-readable secrets.
		let path_config_allow_world_readable = mktemp::Temp::new_file()?;
		let mut file_config_allow_world_readable =
			File::create(path_config_allow_world_readable.as_path())?;
		writeln!(
			file_config_allow_world_readable,
			r#"
			metadata_dir = "/tmp/garage/meta"
			data_dir = "/tmp/garage/data"
			replication_mode = "3"
			rpc_bind_addr = "[::]:3901"
			rpc_secret_file = "{}"
			allow_world_readable_secrets = true

			[s3_api]
			s3_region = "garage"
			api_bind_addr = "[::]:3900"
			"#,
			path_secret_path.display()
		)?;
		drop(file_config_allow_world_readable);

		let config = read_config(path_config.to_path_buf())?;
		let config = fill_secrets(config, Secrets::default())?;
		assert_eq!("foo", config.rpc_secret.unwrap());

		#[cfg(unix)]
		{
			// Check non world-readable secrets config

			let secrets_allow_world_readable = Secrets {
				allow_world_readable_secrets: Some(true),
				..Default::default()
			};
			let secrets_no_allow_world_readable = Secrets {
				allow_world_readable_secrets: Some(false),
				..Default::default()
			};

			use std::os::unix::fs::PermissionsExt;
			let metadata = std::fs::metadata(&path_secret_path)?;
			let mut perm = metadata.permissions();
			perm.set_mode(0o660);
			std::fs::set_permissions(&path_secret_path, perm)?;

			// Config file that just specifies the path
			let config = read_config(path_config.to_path_buf())?;
			assert!(fill_secrets(config, Secrets::default()).is_err());

			let config = read_config(path_config.to_path_buf())?;
			assert!(fill_secrets(config, secrets_allow_world_readable.clone()).is_ok());

			let config = read_config(path_config.to_path_buf())?;
			assert!(fill_secrets(config, secrets_no_allow_world_readable.clone()).is_err());

			// Config file that also specifies to allow world_readable_secrets
			let config = read_config(path_config_allow_world_readable.to_path_buf())?;
			assert!(fill_secrets(config, Secrets::default()).is_ok());

			let config = read_config(path_config_allow_world_readable.to_path_buf())?;
			assert!(fill_secrets(config, secrets_allow_world_readable).is_ok());

			let config = read_config(path_config_allow_world_readable.to_path_buf())?;
			assert!(fill_secrets(config, secrets_no_allow_world_readable).is_err());
		}

		drop(path_secret);
		drop(path_config);
		drop(path_config_allow_world_readable);

		Ok(())
	}

	#[test]
	fn test_rcp_secret_and_rpc_secret_file_cannot_be_set_both() -> Result<(), Error> {
		let path_config = mktemp::Temp::new_file()?;
		let mut file_config = File::create(path_config.as_path())?;
		writeln!(
			file_config,
			r#"
			metadata_dir = "/tmp/garage/meta"
			data_dir = "/tmp/garage/data"
			replication_mode = "3"
			rpc_bind_addr = "[::]:3901"
			rpc_secret= "dummy"
			rpc_secret_file = "dummy"

			[s3_api]
			s3_region = "garage"
			api_bind_addr = "[::]:3900"
			"#
		)?;
		let config = read_config(path_config.to_path_buf())?;
		assert_eq!(
			"only one of `rpc_secret` and `rpc_secret_file` can be set",
			fill_secrets(config, Secrets::default())
				.unwrap_err()
				.to_string()
		);
		drop(path_config);
		drop(file_config);
		Ok(())
	}
}