aboutsummaryrefslogtreecommitdiff
path: root/src/garage/secrets.rs
diff options
context:
space:
mode:
authorAlex Auvolat <alex@adnab.me>2024-01-16 12:12:27 +0100
committerAlex Auvolat <alex@adnab.me>2024-01-16 12:12:27 +0100
commit4c5be79b8015510618ad1df7451c50e3f2659978 (patch)
tree09f2dbdd30f8464c2d1f27532a690a46258aedb9 /src/garage/secrets.rs
parentd91a1de7315373271bce72088a4c73007f2154e8 (diff)
parent083e982f5fd0e88e496da7d67734abd8927f3f98 (diff)
downloadgarage-4c5be79b8015510618ad1df7451c50e3f2659978.tar.gz
garage-4c5be79b8015510618ad1df7451c50e3f2659978.zip
Merge tag 'v0.8.5' into sync-08-09
Garage v0.8.5 This minor release includes the following improvements and fixes: New features: - Configuration: make LMDB's `map_size` configurable and make `block_size` and `sled_cache_capacity` expressable as strings (such as `10M`) (#628, #630) - Add support for binding to Unix sockets for the S3, K2V, Admin and Web API servers (#640) - Move the `convert_db` command into the main Garage binary (#645) - Add support for specifying RPC secret and admin tokens as environment variables (#643) - Add `allow_world_readable_secrets` option to config file (#663, #685) Bug fixes: - Use `statvfs` instead of mount list to determine free space in metadata/data directories (#611, #631) - Add missing casts to fix 32-bit build (#632) - Fix error when none of the HTTP servers (S3/K2V/Admin/Web) is started and fix shutdown hang (#613, #633) - Add missing CORS headers to PostObject response (#609, #656) - Monitoring: finer histogram boundaries in Prometheus exported metrics (#531, #686) Other: - Documentation improvements (#641)
Diffstat (limited to 'src/garage/secrets.rs')
-rw-r--r--src/garage/secrets.rs318
1 files changed, 318 insertions, 0 deletions
diff --git a/src/garage/secrets.rs b/src/garage/secrets.rs
new file mode 100644
index 00000000..e96be9e4
--- /dev/null
+++ b/src/garage/secrets.rs
@@ -0,0 +1,318 @@
+use structopt::StructOpt;
+
+use garage_util::config::Config;
+use garage_util::error::Error;
+
+/// Structure for secret values or paths that are passed as CLI arguments or environment
+/// variables, instead of in the config file.
+#[derive(StructOpt, Debug, Default, Clone)]
+pub struct Secrets {
+ /// Skip permission check on files containing secrets
+ #[cfg(unix)]
+ #[structopt(
+ long = "allow-world-readable-secrets",
+ env = "GARAGE_ALLOW_WORLD_READABLE_SECRETS"
+ )]
+ pub allow_world_readable_secrets: Option<bool>,
+
+ /// RPC secret network key, used to replace rpc_secret in config.toml when running the
+ /// daemon or doing admin operations
+ #[structopt(short = "s", long = "rpc-secret", env = "GARAGE_RPC_SECRET")]
+ pub rpc_secret: Option<String>,
+
+ /// RPC secret network key, used to replace rpc_secret in config.toml and rpc-secret
+ /// when running the daemon or doing admin operations
+ #[structopt(long = "rpc-secret-file", env = "GARAGE_RPC_SECRET_FILE")]
+ pub rpc_secret_file: Option<String>,
+
+ /// Admin API authentication token, replaces admin.admin_token in config.toml when
+ /// running the Garage daemon
+ #[structopt(long = "admin-token", env = "GARAGE_ADMIN_TOKEN")]
+ pub admin_token: Option<String>,
+
+ /// Admin API authentication token file path, replaces admin.admin_token in config.toml
+ /// and admin-token when running the Garage daemon
+ #[structopt(long = "admin-token-file", env = "GARAGE_ADMIN_TOKEN_FILE")]
+ pub admin_token_file: Option<String>,
+
+ /// Metrics API authentication token, replaces admin.metrics_token in config.toml when
+ /// running the Garage daemon
+ #[structopt(long = "metrics-token", env = "GARAGE_METRICS_TOKEN")]
+ pub metrics_token: Option<String>,
+
+ /// Metrics API authentication token file path, replaces admin.metrics_token in config.toml
+ /// and metrics-token when running the Garage daemon
+ #[structopt(long = "metrics-token-file", env = "GARAGE_METRICS_TOKEN_FILE")]
+ pub metrics_token_file: Option<String>,
+}
+
+/// Single function to fill all secrets in the Config struct from their correct source (value
+/// from config or CLI param or env variable or read from a file specified in config or CLI
+/// param or env variable)
+pub fn fill_secrets(mut config: Config, secrets: Secrets) -> Result<Config, Error> {
+ let allow_world_readable = secrets
+ .allow_world_readable_secrets
+ .unwrap_or(config.allow_world_readable_secrets);
+
+ fill_secret(
+ &mut config.rpc_secret,
+ &config.rpc_secret_file,
+ &secrets.rpc_secret,
+ &secrets.rpc_secret_file,
+ "rpc_secret",
+ allow_world_readable,
+ )?;
+
+ fill_secret(
+ &mut config.admin.admin_token,
+ &config.admin.admin_token_file,
+ &secrets.admin_token,
+ &secrets.admin_token_file,
+ "admin.admin_token",
+ allow_world_readable,
+ )?;
+ fill_secret(
+ &mut config.admin.metrics_token,
+ &config.admin.metrics_token_file,
+ &secrets.metrics_token,
+ &secrets.metrics_token_file,
+ "admin.metrics_token",
+ allow_world_readable,
+ )?;
+
+ Ok(config)
+}
+
+fn fill_secret(
+ config_secret: &mut Option<String>,
+ config_secret_file: &Option<String>,
+ cli_secret: &Option<String>,
+ cli_secret_file: &Option<String>,
+ name: &'static str,
+ allow_world_readable: bool,
+) -> Result<(), Error> {
+ let cli_value = match (&cli_secret, &cli_secret_file) {
+ (Some(_), Some(_)) => {
+ return Err(format!("only one of `{}` and `{}_file` can be set", name, name).into());
+ }
+ (Some(secret), None) => Some(secret.to_string()),
+ (None, Some(file)) => Some(read_secret_file(file, allow_world_readable)?),
+ (None, None) => None,
+ };
+
+ if let Some(val) = cli_value {
+ if config_secret.is_some() || config_secret_file.is_some() {
+ debug!("Overriding secret `{}` using value specified using CLI argument or environnement variable.", name);
+ }
+
+ *config_secret = Some(val);
+ } else if let Some(file_path) = &config_secret_file {
+ if config_secret.is_some() {
+ return Err(format!("only one of `{}` and `{}_file` can be set", name, name).into());
+ }
+
+ *config_secret = Some(read_secret_file(file_path, allow_world_readable)?);
+ }
+
+ Ok(())
+}
+
+fn read_secret_file(file_path: &String, allow_world_readable: bool) -> Result<String, Error> {
+ if !allow_world_readable {
+ #[cfg(unix)]
+ {
+ use std::os::unix::fs::MetadataExt;
+ let metadata = std::fs::metadata(file_path)?;
+ if metadata.mode() & 0o077 != 0 {
+ return Err(format!("File {} is world-readable! (mode: 0{:o}, expected 0600)\nRefusing to start until this is fixed, or environment variable GARAGE_ALLOW_WORLD_READABLE_SECRETS is set to true.", file_path, metadata.mode()).into());
+ }
+ }
+ }
+
+ let secret_buf = std::fs::read_to_string(file_path)?;
+
+ // trim_end: allows for use case such as `echo "$(openssl rand -hex 32)" > somefile`.
+ // also editors sometimes add a trailing newline
+ Ok(String::from(secret_buf.trim_end()))
+}
+
+#[cfg(test)]
+mod tests {
+ use std::fs::File;
+ use std::io::Write;
+
+ use garage_util::config::read_config;
+ use garage_util::error::Error;
+
+ use super::*;
+
+ #[test]
+ fn test_rpc_secret_file_works() -> Result<(), Error> {
+ let path_secret = mktemp::Temp::new_file()?;
+ let mut file_secret = File::create(path_secret.as_path())?;
+ writeln!(file_secret, "foo")?;
+ drop(file_secret);
+
+ let path_config = mktemp::Temp::new_file()?;
+ let mut file_config = File::create(path_config.as_path())?;
+ let path_secret_path = path_secret.as_path();
+ writeln!(
+ file_config,
+ r#"
+ metadata_dir = "/tmp/garage/meta"
+ data_dir = "/tmp/garage/data"
+ replication_mode = "3"
+ rpc_bind_addr = "[::]:3901"
+ rpc_secret_file = "{}"
+
+ [s3_api]
+ s3_region = "garage"
+ api_bind_addr = "[::]:3900"
+ "#,
+ path_secret_path.display()
+ )?;
+ drop(file_config);
+
+ // Second configuration file, same as previous one
+ // except it allows world-readable secrets.
+ let path_config_allow_world_readable = mktemp::Temp::new_file()?;
+ let mut file_config_allow_world_readable =
+ File::create(path_config_allow_world_readable.as_path())?;
+ writeln!(
+ file_config_allow_world_readable,
+ r#"
+ metadata_dir = "/tmp/garage/meta"
+ data_dir = "/tmp/garage/data"
+ replication_mode = "3"
+ rpc_bind_addr = "[::]:3901"
+ rpc_secret_file = "{}"
+ allow_world_readable_secrets = true
+
+ [s3_api]
+ s3_region = "garage"
+ api_bind_addr = "[::]:3900"
+ "#,
+ path_secret_path.display()
+ )?;
+ drop(file_config_allow_world_readable);
+
+ let config = read_config(path_config.to_path_buf())?;
+ let config = fill_secrets(config, Secrets::default())?;
+ assert_eq!("foo", config.rpc_secret.unwrap());
+
+ // ---- Check non world-readable secrets config ----
+ #[cfg(unix)]
+ {
+ let secrets_allow_world_readable = Secrets {
+ allow_world_readable_secrets: Some(true),
+ ..Default::default()
+ };
+ let secrets_no_allow_world_readable = Secrets {
+ allow_world_readable_secrets: Some(false),
+ ..Default::default()
+ };
+
+ use std::os::unix::fs::PermissionsExt;
+ let metadata = std::fs::metadata(&path_secret_path)?;
+ let mut perm = metadata.permissions();
+ perm.set_mode(0o660);
+ std::fs::set_permissions(&path_secret_path, perm)?;
+
+ // Config file that just specifies the path
+ let config = read_config(path_config.to_path_buf())?;
+ assert!(fill_secrets(config, Secrets::default()).is_err());
+
+ let config = read_config(path_config.to_path_buf())?;
+ assert!(fill_secrets(config, secrets_allow_world_readable.clone()).is_ok());
+
+ let config = read_config(path_config.to_path_buf())?;
+ assert!(fill_secrets(config, secrets_no_allow_world_readable.clone()).is_err());
+
+ // Config file that also specifies to allow world_readable_secrets
+ let config = read_config(path_config_allow_world_readable.to_path_buf())?;
+ assert!(fill_secrets(config, Secrets::default()).is_ok());
+
+ let config = read_config(path_config_allow_world_readable.to_path_buf())?;
+ assert!(fill_secrets(config, secrets_allow_world_readable).is_ok());
+
+ let config = read_config(path_config_allow_world_readable.to_path_buf())?;
+ assert!(fill_secrets(config, secrets_no_allow_world_readable).is_err());
+ }
+
+ // ---- Check alternative secrets specified on CLI ----
+
+ let path_secret2 = mktemp::Temp::new_file()?;
+ let mut file_secret2 = File::create(path_secret2.as_path())?;
+ writeln!(file_secret2, "bar")?;
+ drop(file_secret2);
+
+ let config = read_config(path_config.to_path_buf())?;
+ let config = fill_secrets(
+ config,
+ Secrets {
+ rpc_secret: Some("baz".into()),
+ ..Default::default()
+ },
+ )?;
+ assert_eq!(config.rpc_secret.as_deref(), Some("baz"));
+
+ let config = read_config(path_config.to_path_buf())?;
+ let config = fill_secrets(
+ config,
+ Secrets {
+ rpc_secret_file: Some(path_secret2.display().to_string()),
+ ..Default::default()
+ },
+ )?;
+ assert_eq!(config.rpc_secret.as_deref(), Some("bar"));
+
+ let config = read_config(path_config.to_path_buf())?;
+ assert!(fill_secrets(
+ config,
+ Secrets {
+ rpc_secret: Some("baz".into()),
+ rpc_secret_file: Some(path_secret2.display().to_string()),
+ ..Default::default()
+ }
+ )
+ .is_err());
+
+ drop(path_secret);
+ drop(path_secret2);
+ drop(path_config);
+ drop(path_config_allow_world_readable);
+
+ Ok(())
+ }
+
+ #[test]
+ fn test_rcp_secret_and_rpc_secret_file_cannot_be_set_both() -> Result<(), Error> {
+ let path_config = mktemp::Temp::new_file()?;
+ let mut file_config = File::create(path_config.as_path())?;
+ writeln!(
+ file_config,
+ r#"
+ metadata_dir = "/tmp/garage/meta"
+ data_dir = "/tmp/garage/data"
+ replication_mode = "3"
+ rpc_bind_addr = "[::]:3901"
+ rpc_secret= "dummy"
+ rpc_secret_file = "dummy"
+
+ [s3_api]
+ s3_region = "garage"
+ api_bind_addr = "[::]:3900"
+ "#
+ )?;
+ let config = read_config(path_config.to_path_buf())?;
+ assert_eq!(
+ "only one of `rpc_secret` and `rpc_secret_file` can be set",
+ fill_secrets(config, Secrets::default())
+ .unwrap_err()
+ .to_string()
+ );
+ drop(path_config);
+ drop(file_config);
+ Ok(())
+ }
+}