Add support for using shell env variables in config.json

During startup, envsubst(1) is used to replace env vars
in config.json and it is copied to /etc.

cloudrun-malware-scanner/Dockerfile

@@ -48,6 +48,7 @@ RUN export DEBIAN_FRONTEND=noninteractive && \
         gnupg \
         jq \
         gawk \
+        gettext-base \
         clamav-daemon \
         clamav-freshclam \
         python3-crcmod && \

cloudrun-malware-scanner/bootstrap.sh

@@ -64,13 +64,18 @@ done &
 service clamav-daemon stop &
 service clamav-freshclam stop &
 
-# Get name of CVD Mirror bucket from config file.
+# Check and perform shell-varable substitution on config file, copying it to /etc
 #
 CONFIG_FILE=./config.json
 if [[ ! -e "${CONFIG_FILE}" ]] ; then
     Log ERROR main "${CONFIG_FILE} does not exist"
     exit 1
 fi
+envsubst < "${CONFIG_FILE}" > /etc/malware-scanner-config.json
+CONFIG_FILE=/etc/malware-scanner-config.json
+
+# Get name of CVD Mirror bucket from config file
+#
 CVD_MIRROR_BUCKET=$(/usr/bin/jq -r '.ClamCvdMirrorBucket' "${CONFIG_FILE}")
 if [[ -z "${CVD_MIRROR_BUCKET}" || "${CVD_MIRROR_BUCKET}" = "null" ]] ; then
     Log ERROR main "ClamCvdMirrorBucket is not defined in ${CONFIG_FILE}"
@@ -164,4 +169,4 @@ service clamav-freshclam force-reload &
 
 # Run node server process
 Log INFO main "Starting malware-scanner service"
-npm start
+npm start "${CONFIG_FILE}"

cloudrun-malware-scanner/config.json.tmpl

@@ -8,6 +8,9 @@
     "",
     "'ClamCvdMirrorBucket' is a GCS bucket used to mirror the clamav database definition files to prevent overloading the Clam servers",
     "and being rate limited/blacklisted. Its contents are maintained by the updateCvdMirror.sh script"
+    "",
+    "Shell environmental variable substitution is supported in this file.",
+    "At runtime, it will be copied to /etc"
   ],
   "buckets": [
     {

cloudrun-malware-scanner/server.js

@@ -44,12 +44,10 @@ const CLAMD_TIMEOUT = 600000;
 // large enough.
 const MAX_FILE_SIZE = 500000000; // 500MiB
 
-const CONFIG_FILE = './config.json';
-
 /**
  * Configuration object.
  *
- * Values are read from the CONFIG_FILE
+ * Values are read from the JSON configuration file.
  * See {@link readAndVerifyConfig}.
  *
  * @type {{
@@ -321,25 +319,28 @@ async function moveProcessedFile(filename, isClean, config) {
 }
 
 /**
- * Read configuration from CONFIG_FILE
+ * Read configuration from JSON configuration file.
  * and store in BUCKET_CONFIG global
  *
  * @async
+ * @param {string} configFile
  */
-async function readAndVerifyConfig() {
+async function readAndVerifyConfig(configFile) {
+  logger.info(`Using configuration file: ${configFile}`);
+
   try {
-    const config = require(CONFIG_FILE);
+    const config = require(configFile);
     delete config.comments;
     Object.assign(BUCKET_CONFIG, config);
   } catch (e) {
     logger.fatal(
         {err: e},
-        `Unable to read JSON file from ${CONFIG_FILE}`);
-    throw new Error(`Invalid configuration ${CONFIG_FILE}`);
+        `Unable to read JSON file from ${configFile}`);
+    throw new Error(`Invalid configuration ${configFile}`);
   }
 
   if (BUCKET_CONFIG.buckets.length === 0) {
-    logger.fatal(`No buckets configured for scanning in ${CONFIG_FILE}`);
+    logger.fatal(`No buckets configured for scanning in ${configFile}`);
     throw new Error('No buckets configured');
   }
 
@@ -360,7 +361,7 @@ async function readAndVerifyConfig() {
         config.unscanned === config.quarantined ||
         config.clean === config.quarantined) {
       logger.fatal(
-          `Error in ${CONFIG_FILE} buckets[${x}]: bucket names are not unique`);
+          `Error in ${configFile} buckets[${x}]: bucket names are not unique`);
       success = false;
     }
   }
@@ -440,7 +441,16 @@ async function run() {
     projectId = await (new GoogleAuth().getProjectId());
   }
   await metrics.init(projectId);
-  await readAndVerifyConfig();
+
+  let configFile;
+  if(process.argv.length >= 3) {
+    configFile = process.argv[2];
+  } else {
+    configFile = "./config.json"
+  }
+  await readAndVerifyConfig(configFile);
+  process.exit(1);
+
   await waitForClamD();
 
   app.listen(PORT, () => {