Option to add staticPasswords from environment variables

This commit is contained in:
krishnadurai 2019-12-13 16:33:21 -08:00
parent 64b269d1c1
commit 91cbd466a5
3 changed files with 179 additions and 6 deletions

View File

@ -85,10 +85,11 @@ type password storage.Password
func (p *password) UnmarshalJSON(b []byte) error { func (p *password) UnmarshalJSON(b []byte) error {
var data struct { var data struct {
Email string `json:"email"` Email string `json:"email"`
Username string `json:"username"` Username string `json:"username"`
UserID string `json:"userID"` UserID string `json:"userID"`
Hash string `json:"hash"` Hash string `json:"hash"`
HashFromEnv string `json:"hashFromEnv"`
} }
if err := json.Unmarshal(b, &data); err != nil { if err := json.Unmarshal(b, &data); err != nil {
return err return err
@ -99,7 +100,11 @@ func (p *password) UnmarshalJSON(b []byte) error {
UserID: data.UserID, UserID: data.UserID,
}) })
if len(data.Hash) == 0 { if len(data.Hash) == 0 {
return fmt.Errorf("no password hash provided") if len(data.HashFromEnv) > 0 {
data.Hash = os.Getenv(data.HashFromEnv)
} else {
return fmt.Errorf("no password hash provided")
}
} }
// If this value is a valid bcrypt, use it. // If this value is a valid bcrypt, use it.

View File

@ -1,9 +1,11 @@
package main package main
import ( import (
"github.com/dexidp/dex/server" "os"
"testing" "testing"
"github.com/dexidp/dex/server"
"github.com/ghodss/yaml" "github.com/ghodss/yaml"
"github.com/kylelemons/godebug/pretty" "github.com/kylelemons/godebug/pretty"
@ -15,6 +17,8 @@ import (
var _ = yaml.YAMLToJSON var _ = yaml.YAMLToJSON
const testHashStaticPasswordEnv = "FOO_PASSWORD"
func TestValidConfiguration(t *testing.T) { func TestValidConfiguration(t *testing.T) {
configuration := Config{ configuration := Config{
Issuer: "http://127.0.0.1:5556/dex", Issuer: "http://127.0.0.1:5556/dex",
@ -213,3 +217,164 @@ logger:
} }
} }
func TestUnmarshalConfigWithEnv(t *testing.T) {
staticPasswordEnv := os.Getenv(testHashStaticPasswordEnv)
if staticPasswordEnv == "" {
t.Skipf("test environment variable %q not set, skipping", testHashStaticPasswordEnv)
}
rawConfig := []byte(`
issuer: http://127.0.0.1:5556/dex
storage:
type: postgres
config:
host: 10.0.0.1
port: 65432
maxOpenConns: 5
maxIdleConns: 3
connMaxLifetime: 30
connectionTimeout: 3
web:
http: 127.0.0.1:5556
frontend:
dir: ./web
extra:
foo: bar
staticClients:
- id: example-app
redirectURIs:
- 'http://127.0.0.1:5555/callback'
name: 'Example App'
secret: ZXhhbXBsZS1hcHAtc2VjcmV0
oauth2:
alwaysShowLoginScreen: true
connectors:
- type: mockCallback
id: mock
name: Example
- type: oidc
id: google
name: Google
config:
issuer: https://accounts.google.com
clientID: foo
clientSecret: bar
redirectURI: http://127.0.0.1:5556/dex/callback/google
enablePasswordDB: true
staticPasswords:
- email: "admin@example.com"
# bcrypt hash of the string "password"
hash: "$2a$10$33EMT0cVYVlPy6WAMCLsceLYjWhuHpbz5yuZxu/GAFj03J9Lytjuy"
username: "admin"
userID: "08a8684b-db88-4b73-90a9-3cd1661f5466"
- email: "foo@example.com"
hashFromEnv: "FOO_PASSWORD"
username: "foo"
userID: "41331323-6f44-45e6-b3b9-2c4b60c02be5"
expiry:
signingKeys: "7h"
idTokens: "25h"
authRequests: "25h"
logger:
level: "debug"
format: "json"
`)
want := Config{
Issuer: "http://127.0.0.1:5556/dex",
Storage: Storage{
Type: "postgres",
Config: &sql.Postgres{
NetworkDB: sql.NetworkDB{
Host: "10.0.0.1",
Port: 65432,
MaxOpenConns: 5,
MaxIdleConns: 3,
ConnMaxLifetime: 30,
ConnectionTimeout: 3,
},
},
},
Web: Web{
HTTP: "127.0.0.1:5556",
},
Frontend: server.WebConfig{
Dir: "./web",
Extra: map[string]string{
"foo": "bar",
},
},
StaticClients: []storage.Client{
{
ID: "example-app",
Secret: "ZXhhbXBsZS1hcHAtc2VjcmV0",
Name: "Example App",
RedirectURIs: []string{
"http://127.0.0.1:5555/callback",
},
},
},
OAuth2: OAuth2{
AlwaysShowLoginScreen: true,
},
StaticConnectors: []Connector{
{
Type: "mockCallback",
ID: "mock",
Name: "Example",
Config: &mock.CallbackConfig{},
},
{
Type: "oidc",
ID: "google",
Name: "Google",
Config: &oidc.Config{
Issuer: "https://accounts.google.com",
ClientID: "foo",
ClientSecret: "bar",
RedirectURI: "http://127.0.0.1:5556/dex/callback/google",
},
},
},
EnablePasswordDB: true,
StaticPasswords: []password{
{
Email: "admin@example.com",
Hash: []byte("$2a$10$33EMT0cVYVlPy6WAMCLsceLYjWhuHpbz5yuZxu/GAFj03J9Lytjuy"),
Username: "admin",
UserID: "08a8684b-db88-4b73-90a9-3cd1661f5466",
},
{
Email: "foo@example.com",
Hash: []byte("$2a$10$33EMT0cVYVlPy6WAMCLsceLYjWhuHpbz5yuZxu/GAFj03J9Lytjuy"),
Username: "foo",
UserID: "41331323-6f44-45e6-b3b9-2c4b60c02be5",
},
},
Expiry: Expiry{
SigningKeys: "7h",
IDTokens: "25h",
AuthRequests: "25h",
},
Logger: Logger{
Level: "debug",
Format: "json",
},
}
var c Config
if err := yaml.Unmarshal(rawConfig, &c); err != nil {
t.Fatalf("failed to decode config: %v", err)
}
if diff := pretty.Compare(c, want); diff != "" {
t.Errorf("got!=want: %s", diff)
}
}

View File

@ -292,6 +292,9 @@ type Password struct {
// Bcrypt encoded hash of the password. This package enforces a min cost value of 10 // Bcrypt encoded hash of the password. This package enforces a min cost value of 10
Hash []byte `json:"hash"` Hash []byte `json:"hash"`
// Bcrypt encoded hash of the password set in environment variable of this name.
HashFromEnv string `json:"hashFromEnv"`
// Optional username to display. NOT used during login. // Optional username to display. NOT used during login.
Username string `json:"username"` Username string `json:"username"`