From bf283c99240787c7ffeba8ff3222283ee9fc61aa Mon Sep 17 00:00:00 2001 From: Alex Auvolat Date: Mon, 12 Feb 2024 11:35:57 +0100 Subject: [fix-secrets-695] config: replace String by PathBuf for *_file --- src/garage/secrets.rs | 20 +++++++++++--------- src/util/config.rs | 6 +++--- 2 files changed, 14 insertions(+), 12 deletions(-) diff --git a/src/garage/secrets.rs b/src/garage/secrets.rs index a2c64cef..c3d704aa 100644 --- a/src/garage/secrets.rs +++ b/src/garage/secrets.rs @@ -1,3 +1,5 @@ +use std::path::PathBuf; + use structopt::StructOpt; use garage_util::config::Config; @@ -23,7 +25,7 @@ pub struct Secrets { /// RPC secret network key, used to replace rpc_secret in config.toml and rpc-secret /// when running the daemon or doing admin operations #[structopt(long = "rpc-secret-file", env = "GARAGE_RPC_SECRET_FILE")] - pub rpc_secret_file: Option, + pub rpc_secret_file: Option, /// Admin API authentication token, replaces admin.admin_token in config.toml when /// running the Garage daemon @@ -33,7 +35,7 @@ pub struct Secrets { /// Admin API authentication token file path, replaces admin.admin_token in config.toml /// and admin-token when running the Garage daemon #[structopt(long = "admin-token-file", env = "GARAGE_ADMIN_TOKEN_FILE")] - pub admin_token_file: Option, + pub admin_token_file: Option, /// Metrics API authentication token, replaces admin.metrics_token in config.toml when /// running the Garage daemon @@ -43,7 +45,7 @@ pub struct Secrets { /// Metrics API authentication token file path, replaces admin.metrics_token in config.toml /// and metrics-token when running the Garage daemon #[structopt(long = "metrics-token-file", env = "GARAGE_METRICS_TOKEN_FILE")] - pub metrics_token_file: Option, + pub metrics_token_file: Option, } /// Single function to fill all secrets in the Config struct from their correct source (value @@ -85,9 +87,9 @@ pub fn fill_secrets(mut config: Config, secrets: Secrets) -> Result, - config_secret_file: &Option, + config_secret_file: &Option, cli_secret: &Option, - cli_secret_file: &Option, + cli_secret_file: &Option, name: &'static str, allow_world_readable: bool, ) -> Result<(), Error> { @@ -117,14 +119,14 @@ pub(crate) fn fill_secret( Ok(()) } -fn read_secret_file(file_path: &String, allow_world_readable: bool) -> Result { +fn read_secret_file(file_path: &PathBuf, allow_world_readable: bool) -> Result { if !allow_world_readable { #[cfg(unix)] { use std::os::unix::fs::MetadataExt; let metadata = std::fs::metadata(file_path)?; if metadata.mode() & 0o077 != 0 { - return Err(format!("File {} is world-readable! (mode: 0{:o}, expected 0600)\nRefusing to start until this is fixed, or environment variable GARAGE_ALLOW_WORLD_READABLE_SECRETS is set to true.", file_path, metadata.mode()).into()); + return Err(format!("File {} is world-readable! (mode: 0{:o}, expected 0600)\nRefusing to start until this is fixed, or environment variable GARAGE_ALLOW_WORLD_READABLE_SECRETS is set to true.", file_path.display(), metadata.mode()).into()); } } } @@ -260,7 +262,7 @@ mod tests { let config = fill_secrets( config, Secrets { - rpc_secret_file: Some(path_secret2.display().to_string()), + rpc_secret_file: Some(path_secret2.clone()), ..Default::default() }, )?; @@ -271,7 +273,7 @@ mod tests { config, Secrets { rpc_secret: Some("baz".into()), - rpc_secret_file: Some(path_secret2.display().to_string()), + rpc_secret_file: Some(path_secret2.clone()), ..Default::default() } ) diff --git a/src/util/config.rs b/src/util/config.rs index 65c0b5c0..a9a72110 100644 --- a/src/util/config.rs +++ b/src/util/config.rs @@ -52,7 +52,7 @@ pub struct Config { /// RPC secret key: 32 bytes hex encoded pub rpc_secret: Option, /// Optional file where RPC secret key is read from - pub rpc_secret_file: Option, + pub rpc_secret_file: Option, /// Address to bind for RPC pub rpc_bind_addr: SocketAddr, /// Public IP address of this node @@ -166,12 +166,12 @@ pub struct AdminConfig { /// Bearer token to use to scrape metrics pub metrics_token: Option, /// File to read metrics token from - pub metrics_token_file: Option, + pub metrics_token_file: Option, /// Bearer token to use to access Admin API endpoints pub admin_token: Option, /// File to read admin token from - pub admin_token_file: Option, + pub admin_token_file: Option, /// OTLP server to where to export traces pub trace_sink: Option, -- cgit v1.2.3