diff options
| author | Alex Auvolat <alex@adnab.me> | 2023-10-26 11:27:56 +0200 |
|---|---|---|
| committer | Alex Auvolat <alex@adnab.me> | 2023-10-26 11:27:56 +0200 |
| commit | b1ee3e54ba7f34a32d4098fdbaa481da3363a81c (patch) | |
| tree | 0fc09b937c16567894e6492a5f33cfe5b11f7ee8 /src/util | |
| parent | f4d3905d157869d98f9855cba77b4ba452012703 (diff) | |
| parent | 4b3dee2ca3be35d2df73626ad36a8cddedc41e6f (diff) | |
| download | garage-sync-08-09.tar.gz garage-sync-08-09.zip | |
Merge branch 'main-0.8.x' into sync-08-09sync-08-09
Diffstat (limited to 'src/util')
| -rw-r--r-- | src/util/config.rs | 35 |
1 files changed, 19 insertions, 16 deletions
diff --git a/src/util/config.rs b/src/util/config.rs index ad5c8e1f..365f3245 100644 --- a/src/util/config.rs +++ b/src/util/config.rs @@ -265,6 +265,24 @@ pub fn read_config(config_file: PathBuf) -> Result<Config, Error> { Ok(parsed_config) } +pub fn read_secret_file(file_path: &String) -> Result<String, Error> { + #[cfg(unix)] + if std::env::var("GARAGE_ALLOW_WORLD_READABLE_SECRETS").as_deref() != Ok("true") { + use std::os::unix::fs::MetadataExt; + let metadata = std::fs::metadata(file_path)?; + if metadata.mode() & 0o077 != 0 { + return Err(format!("File {} is world-readable! (mode: 0{:o}, expected 0600)\nRefusing to start until this is fixed, or environment variable GARAGE_ALLOW_WORLD_READABLE_SECRETS is set to true.", file_path, metadata.mode()).into()); + } + } + let mut file = std::fs::OpenOptions::new().read(true).open(file_path)?; + let mut secret_buf = String::new(); + file.read_to_string(&mut secret_buf)?; + + // trim_end: allows for use case such as `echo "$(openssl rand -hex 32)" > somefile`. + // also editors sometimes add a trailing newline + Ok(String::from(secret_buf.trim_end())) +} + fn secret_from_file( secret: &mut Option<String>, secret_file: &Option<String>, @@ -277,22 +295,7 @@ fn secret_from_file( (Some(_), Some(_)) => { return Err(format!("only one of `{}` and `{}_file` can be set", name, name).into()); } - (None, Some(file_path)) => { - #[cfg(unix)] - if std::env::var("GARAGE_ALLOW_WORLD_READABLE_SECRETS").as_deref() != Ok("true") { - use std::os::unix::fs::MetadataExt; - let metadata = std::fs::metadata(file_path)?; - if metadata.mode() & 0o077 != 0 { - return Err(format!("File {} is world-readable! (mode: 0{:o}, expected 0600)\nRefusing to start until this is fixed, or environment variable GARAGE_ALLOW_WORLD_READABLE_SECRETS is set to true.", file_path, metadata.mode()).into()); - } - } - let mut file = std::fs::OpenOptions::new().read(true).open(file_path)?; - let mut secret_buf = String::new(); - file.read_to_string(&mut secret_buf)?; - // trim_end: allows for use case such as `echo "$(openssl rand -hex 32)" > somefile`. - // also editors sometimes add a trailing newline - *secret = Some(String::from(secret_buf.trim_end())); - } + (None, Some(file_path)) => *secret = Some(read_secret_file(file_path)?), } Ok(()) } |