diff options
-rw-r--r-- | .envrc | 1 | ||||
-rw-r--r-- | .gitignore | 1 | ||||
-rw-r--r-- | Cargo.lock | 1 | ||||
-rw-r--r-- | Cargo.nix | 5 | ||||
-rw-r--r-- | doc/book/development/devenv.md | 2 | ||||
-rw-r--r-- | doc/book/reference-manual/configuration.md | 6 | ||||
-rw-r--r-- | flake.lock | 16 | ||||
-rw-r--r-- | flake.nix | 42 | ||||
-rw-r--r-- | src/garage/main.rs | 2 | ||||
-rw-r--r-- | src/model/garage.rs | 2 | ||||
-rw-r--r-- | src/util/Cargo.toml | 2 | ||||
-rw-r--r-- | src/util/config.rs | 152 |
12 files changed, 208 insertions, 24 deletions
@@ -0,0 +1 @@ +use flake @@ -3,3 +3,4 @@ /pki **/*.rs.bk *.swp +/.direnv
\ No newline at end of file @@ -1276,6 +1276,7 @@ dependencies = [ "http", "hyper", "lazy_static", + "mktemp", "netapp", "opentelemetry", "rand 0.8.5", @@ -32,7 +32,7 @@ args@{ ignoreLockHash, }: let - nixifiedLockHash = "b6aeefc112eb232904b24398f4e5da776c8ee2c13d427a26dbdf1732205d4fc9"; + nixifiedLockHash = "8461dcfb984a8d042fecb5745d5da17912135dbf2a8ef7e6c3ae8e64c03d9744"; workspaceSrc = if args.workspaceSrc == null then ./. else args.workspaceSrc; currentLockHash = builtins.hashFile "sha256" (workspaceSrc + /Cargo.lock); lockHashIgnored = if ignoreLockHash @@ -1820,6 +1820,9 @@ in tracing = (rustPackages."registry+https://github.com/rust-lang/crates.io-index".tracing."0.1.32" { inherit profileName; }).out; xxhash_rust = (rustPackages."registry+https://github.com/rust-lang/crates.io-index".xxhash-rust."0.8.4" { inherit profileName; }).out; }; + devDependencies = { + mktemp = (rustPackages."registry+https://github.com/rust-lang/crates.io-index".mktemp."0.4.1" { inherit profileName; }).out; + }; }); "unknown".garage_web."0.8.1" = overridableMkRustCrate (profileName: rec { diff --git a/doc/book/development/devenv.md b/doc/book/development/devenv.md index c2ef4e7d..8d7d2e95 100644 --- a/doc/book/development/devenv.md +++ b/doc/book/development/devenv.md @@ -39,7 +39,7 @@ Now you can enter our nix-shell, all the required packages will be downloaded bu nix-shell ``` -You can use the traditionnal Rust development workflow: +You can use the traditional Rust development workflow: ```bash cargo build # compile the project diff --git a/doc/book/reference-manual/configuration.md b/doc/book/reference-manual/configuration.md index 2d9c3f0c..353963ef 100644 --- a/doc/book/reference-manual/configuration.md +++ b/doc/book/reference-manual/configuration.md @@ -96,7 +96,7 @@ Performance characteristics of the different DB engines are as follows: - Sled: the default database engine, which tends to produce large data files and also has performance issues, especially when the metadata folder - is on a traditionnal HDD and not on SSD. + is on a traditional HDD and not on SSD. - LMDB: the recommended alternative on 64-bit systems, much more space-efficiant and slightly faster. Note that the data format of LMDB is not portable between architectures, so for instance the Garage database of an x86-64 @@ -267,6 +267,10 @@ This key should be specified here in the form of a 32-byte hex-encoded random string. Such a string can be generated with a command such as `openssl rand -hex 32`. +### `rpc_secret_file` + +Like `rpc_secret` above, just that this is the path to a file that Garage will try to read the secret from. + ### `rpc_bind_addr` The address and port on which to bind for inter-cluster communcations @@ -55,6 +55,21 @@ "type": "github" } }, + "flake-utils_2": { + "locked": { + "lastModified": 1667395993, + "narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, "nixpkgs": { "locked": { "lastModified": 1665657542, @@ -74,6 +89,7 @@ "root": { "inputs": { "cargo2nix": "cargo2nix", + "flake-utils": "flake-utils_2", "nixpkgs": "nixpkgs" } }, @@ -7,22 +7,30 @@ url = "github:Alexis211/cargo2nix/a7a61179b66054904ef6a195d8da736eaaa06c36"; inputs.nixpkgs.follows = "nixpkgs"; }; + inputs.flake-utils.url = "github:numtide/flake-utils"; - outputs = { self, nixpkgs, cargo2nix }: let - git_version = self.lastModifiedDate; - compile = import ./nix/compile.nix; - forAllSystems = nixpkgs.lib.genAttrs nixpkgs.lib.systems.flakeExposed; - in - { - packages = forAllSystems (system: { - default = (compile { - inherit system git_version; - pkgsSrc = nixpkgs; - cargo2nixOverlay = cargo2nix.overlays.default; - release = true; - }).workspace.garage { - compileMode = "build"; - }; - }); - }; + outputs = { self, nixpkgs, cargo2nix, flake-utils }: + let + git_version = self.lastModifiedDate; + compile = import ./nix/compile.nix; + in flake-utils.lib.eachDefaultSystem (system: + let pkgs = nixpkgs.legacyPackages.${system}; + in { + packages = { + default = (compile { + inherit system git_version; + pkgsSrc = nixpkgs; + cargo2nixOverlay = cargo2nix.overlays.default; + release = true; + }).workspace.garage { compileMode = "build"; }; + }; + devShell = ((compile { + inherit system git_version; + pkgsSrc = nixpkgs; + cargo2nixOverlay = cargo2nix.overlays.default; + release = false; + }).workspaceShell { + packages = [ pkgs.rustfmt cargo2nix.packages.${system}.default ]; + }); + }); } diff --git a/src/garage/main.rs b/src/garage/main.rs index 107b1389..736e11ec 100644 --- a/src/garage/main.rs +++ b/src/garage/main.rs @@ -173,7 +173,7 @@ async fn cli_command(opt: Opt) -> Result<(), Error> { let net_key_hex_str = opt .rpc_secret .as_ref() - .or_else(|| config.as_ref().map(|c| &c.rpc_secret)) + .or_else(|| config.as_ref().and_then(|c| c.rpc_secret.as_ref())) .ok_or("No RPC secret provided")?; let network_key = NetworkKey::from_slice( &hex::decode(net_key_hex_str).err_context("Invalid RPC secret key (bad hex)")?[..], diff --git a/src/model/garage.rs b/src/model/garage.rs index ac1846ce..ffa54dc5 100644 --- a/src/model/garage.rs +++ b/src/model/garage.rs @@ -159,7 +159,7 @@ impl Garage { }; let network_key = NetworkKey::from_slice( - &hex::decode(&config.rpc_secret).expect("Invalid RPC secret key")[..], + &hex::decode(&config.rpc_secret.as_ref().unwrap()).expect("Invalid RPC secret key")[..], ) .expect("Invalid RPC secret key"); diff --git a/src/util/Cargo.toml b/src/util/Cargo.toml index 32e9c851..1017b1ce 100644 --- a/src/util/Cargo.toml +++ b/src/util/Cargo.toml @@ -47,6 +47,8 @@ hyper = "0.14" opentelemetry = { version = "0.17", features = [ "rt-tokio", "metrics", "trace" ] } +[dev-dependencies] +mktemp = "0.4" [features] k2v = [] diff --git a/src/util/config.rs b/src/util/config.rs index 04f8375a..f0a881aa 100644 --- a/src/util/config.rs +++ b/src/util/config.rs @@ -34,7 +34,11 @@ pub struct Config { pub compression_level: Option<i32>, /// RPC secret key: 32 bytes hex encoded - pub rpc_secret: String, + /// Note: When using `read_config` this should never be `None` + pub rpc_secret: Option<String>, + + /// Optional file where RPC secret key is read from + pub rpc_secret_file: Option<String>, /// Address to bind for RPC pub rpc_bind_addr: SocketAddr, @@ -177,7 +181,31 @@ pub fn read_config(config_file: PathBuf) -> Result<Config, Error> { let mut config = String::new(); file.read_to_string(&mut config)?; - Ok(toml::from_str(&config)?) + let mut parsed_config: Config = toml::from_str(&config)?; + + match (&parsed_config.rpc_secret, &parsed_config.rpc_secret_file) { + (Some(_), None) => { + // no-op + } + (Some(_), Some(_)) => { + return Err("only one of `rpc_secret` and `rpc_secret_file` can be set".into()) + } + (None, Some(rpc_secret_file_path_string)) => { + let mut rpc_secret_file = std::fs::OpenOptions::new() + .read(true) + .open(rpc_secret_file_path_string)?; + let mut rpc_secret_from_file = String::new(); + rpc_secret_file.read_to_string(&mut rpc_secret_from_file)?; + // trim_end: allows for use case such as `echo "$(openssl rand -hex 32)" > somefile`. + // also editors sometimes add a trailing newline + parsed_config.rpc_secret = Some(String::from(rpc_secret_from_file.trim_end())); + } + (None, None) => { + return Err("either `rpc_secret` or `rpc_secret_file` needs to be set".into()) + } + }; + + Ok(parsed_config) } fn default_compression() -> Option<i32> { @@ -233,3 +261,123 @@ where deserializer.deserialize_any(OptionVisitor) } + +#[cfg(test)] +mod tests { + use crate::error::Error; + use std::fs::File; + use std::io::Write; + + #[test] + fn test_rpc_secret_is_required() -> Result<(), Error> { + let path1 = mktemp::Temp::new_file()?; + let mut file1 = File::create(path1.as_path())?; + writeln!( + file1, + r#" + metadata_dir = "/tmp/garage/meta" + data_dir = "/tmp/garage/data" + replication_mode = "3" + rpc_bind_addr = "[::]:3901" + + [s3_api] + s3_region = "garage" + api_bind_addr = "[::]:3900" + "# + )?; + assert_eq!( + "either `rpc_secret` or `rpc_secret_file` needs to be set", + super::read_config(path1.to_path_buf()) + .unwrap_err() + .to_string() + ); + drop(path1); + drop(file1); + + let path2 = mktemp::Temp::new_file()?; + let mut file2 = File::create(path2.as_path())?; + writeln!( + file2, + r#" + metadata_dir = "/tmp/garage/meta" + data_dir = "/tmp/garage/data" + replication_mode = "3" + rpc_bind_addr = "[::]:3901" + rpc_secret = "foo" + + [s3_api] + s3_region = "garage" + api_bind_addr = "[::]:3900" + "# + )?; + + let config = super::read_config(path2.to_path_buf())?; + assert_eq!("foo", config.rpc_secret.unwrap()); + drop(path2); + drop(file2); + + Ok(()) + } + + #[test] + fn test_rpc_secret_file_works() -> Result<(), Error> { + let path_secret = mktemp::Temp::new_file()?; + let mut file_secret = File::create(path_secret.as_path())?; + writeln!(file_secret, "foo")?; + drop(file_secret); + + let path_config = mktemp::Temp::new_file()?; + let mut file_config = File::create(path_config.as_path())?; + let path_secret_path = path_secret.as_path().display(); + writeln!( + file_config, + r#" + metadata_dir = "/tmp/garage/meta" + data_dir = "/tmp/garage/data" + replication_mode = "3" + rpc_bind_addr = "[::]:3901" + rpc_secret_file = "{path_secret_path}" + + [s3_api] + s3_region = "garage" + api_bind_addr = "[::]:3900" + "# + )?; + let config = super::read_config(path_config.to_path_buf())?; + assert_eq!("foo", config.rpc_secret.unwrap()); + drop(path_config); + drop(path_secret); + drop(file_config); + Ok(()) + } + + #[test] + fn test_rcp_secret_and_rpc_secret_file_cannot_be_set_both() -> Result<(), Error> { + let path_config = mktemp::Temp::new_file()?; + let mut file_config = File::create(path_config.as_path())?; + writeln!( + file_config, + r#" + metadata_dir = "/tmp/garage/meta" + data_dir = "/tmp/garage/data" + replication_mode = "3" + rpc_bind_addr = "[::]:3901" + rpc_secret= "dummy" + rpc_secret_file = "dummy" + + [s3_api] + s3_region = "garage" + api_bind_addr = "[::]:3900" + "# + )?; + assert_eq!( + "only one of `rpc_secret` and `rpc_secret_file` can be set", + super::read_config(path_config.to_path_buf()) + .unwrap_err() + .to_string() + ); + drop(path_config); + drop(file_config); + Ok(()) + } +} |