cmd/dex: only expand from env for storages and connectors

Bcrypt'd hashes have "$" characters in them. This means that #667
(accepting actually bcrypted values) combined with #627 (expanding
config with environment variables) broke the example config.

For now, allow storages and connectors to expand their configs from
the environment, but don't do this anywhere else.
Eric Chiang 2016-11-03 21:08:50 -07:00
parent ce703a7fe1
commit 015e7cf606
4 changed files with 10 additions and 10 deletions


@ -4,6 +4,7 @@ import (
"encoding/base64" "encoding/base64"
"encoding/json" "encoding/json"
"fmt" "fmt"
"os"
"golang.org/x/crypto/bcrypt" "golang.org/x/crypto/bcrypt"
@ -145,7 +146,8 @@ func (s *Storage) UnmarshalJSON(b []byte) error {
storageConfig := f() storageConfig := f()
if len(store.Config) != 0 { if len(store.Config) != 0 {
if err := json.Unmarshal([]byte(store.Config), storageConfig); err != nil { data := []byte(os.ExpandEnv(string(store.Config)))
if err := json.Unmarshal(data, storageConfig); err != nil {
return fmt.Errorf("parse storace config: %v", err) return fmt.Errorf("parse storace config: %v", err)
} }
} }
@ -199,7 +201,8 @@ func (c *Connector) UnmarshalJSON(b []byte) error {
connConfig := f() connConfig := f()
if len(conn.Config) != 0 { if len(conn.Config) != 0 {
if err := json.Unmarshal([]byte(conn.Config), connConfig); err != nil { data := []byte(os.ExpandEnv(string(conn.Config)))
if err := json.Unmarshal(data, connConfig); err != nil {
return fmt.Errorf("parse connector config: %v", err) return fmt.Errorf("parse connector config: %v", err)
} }
} }
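Review bot: `os.ExpandEnv` on the new `data :=` lines substitutes an empty string for any `$NAME` that is not set in the environment and offers no way to escape a literal `$`, so a storage or connector value that legitimately contains `$` (a database password inside a DSN, for instance) would be silently altered in exactly the way the commit description reports for bcrypt hashes, and nothing in the hunk documents that. The same expansion appears in the `Connector.UnmarshalJSON` hunk below; a comment on both sites would make the contract visible to anyone editing the example configs, e.g. `// Config may reference $VAR / ${VAR}; unset variables expand to "" and a literal "$" cannot be escaped.` The pre-existing message `parse storace config` on the line after the storage unmarshal looks like a typo for `parse storage config`. Both enclosing `UnmarshalJSON` bodies start and end outside the hunks.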


@ -39,9 +39,8 @@ connectors:
name: Google name: Google
config: config:
issuer: https://accounts.google.com issuer: https://accounts.google.com
# Config values starting with a "$" will read from the environment. clientID: foo
clientID: $GOOGLE_CLIENT_ID clientSecret: bar
clientSecret: $GOOGLE_CLIENT_SECRET
redirectURI: http://127.0.0.1:5556/dex/callback/google redirectURI: http://127.0.0.1:5556/dex/callback/google
enablePasswordDB: true enablePasswordDB: true
@ -96,8 +95,8 @@ expiry:
Name: "Google", Name: "Google",
Config: &oidc.Config{ Config: &oidc.Config{
Issuer: "https://accounts.google.com", Issuer: "https://accounts.google.com",
ClientID: "$GOOGLE_CLIENT_ID", ClientID: "foo",
ClientSecret: "$GOOGLE_CLIENT_SECRET", ClientSecret: "bar",
RedirectURI: "http://127.0.0.1:5556/dex/callback/google", RedirectURI: "http://127.0.0.1:5556/dex/callback/google",
}, },
}, },
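Review bot: Replacing `$GOOGLE_CLIENT_ID` / `$GOOGLE_CLIENT_SECRET` with `foo` / `bar` in the fixture removes the only input that exercised environment expansion, so the connector-level `os.ExpandEnv` this commit introduces appears to be left without test coverage. A second fixture that keeps `clientID: $GOOGLE_CLIENT_ID`, sets the variable with `os.Setenv` before parsing and expects the expanded value in the `oidc.Config` would pin the new behaviour, and a case with the variable unset expecting `""` would document that edge as well. The test function enclosing these hunks starts and ends outside the section, so the exact setup it uses is not visible here.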


@ -9,7 +9,6 @@ import (
"log" "log"
"net" "net"
"net/http" "net/http"
"os"
"time" "time"
"github.com/ghodss/yaml" "github.com/ghodss/yaml"
@ -48,7 +47,6 @@ func serve(cmd *cobra.Command, args []string) error {
if err != nil { if err != nil {
return fmt.Errorf("read config file %s: %v", configFile, err) return fmt.Errorf("read config file %s: %v", configFile, err)
} }
configData = []byte(os.ExpandEnv(string(configData)))
var c Config var c Config
if err := yaml.Unmarshal(configData, &c); err != nil { if err := yaml.Unmarshal(configData, &c); err != nil {


@ -58,7 +58,7 @@ enablePasswordDB: true
staticPasswords: staticPasswords:
- email: "admin@example.com" - email: "admin@example.com"
# bcrypt hash of the string "password" # bcrypt hash of the string "password"
hash: "$2a$10$33EMT0cVYVlPy6WAMCLsceLYjWhuHpbz5yuZxu/GAFj03J9Lytjuy" hash: "$2a$10$2b2cU8CPhOTaGrs1HRQuAueS7JTT5ZHsHSzYiFPm1leZck7Mc8T4W"
username: "admin" username: "admin"
userID: "08a8684b-db88-4b73-90a9-3cd1661f5466" userID: "08a8684b-db88-4b73-90a9-3cd1661f5466"