From c475324617eb055cd53e50df2e3b2d95bcdaa1d4 Mon Sep 17 00:00:00 2001
From: kfox1111
Date: Thu, 2 Jan 2025 14:58:03 -0800
Subject: [PATCH] Enable expand env for oidc discovery provider (#5689)

* Enable expand env for oidc discovery provider
Fixes: https://github.com/spiffe/spire/issues/5688
Signed-off-by: Kevin Fox
* Fix test
Signed-off-by: Kevin Fox
* Fix lint
Signed-off-by: Kevin Fox
* Add test
Signed-off-by: Kevin Fox
* Fix lint
Signed-off-by: Kevin Fox
* Fix Lint
Signed-off-by: Kevin Fox
---------
Signed-off-by: Kevin Fox
Co-authored-by: Marcos Yacob
Signed-off-by: gajibade
---
 support/oidc-discovery-provider/config.go | 9 ++++++--
 .../config_posix_test.go | 10 +++++++++
 .../oidc-discovery-provider/config_test.go | 22 +++++++++++++++++--
 .../config_windows_test.go | 12 ++++++++++
 support/oidc-discovery-provider/main.go | 7 +++---
 5 files changed, 53 insertions(+), 7 deletions(-)
diff --git a/support/oidc-discovery-provider/config.go b/support/oidc-discovery-provider/config.go
index 7df3eaa615..c32600f940 100644
--- a/support/oidc-discovery-provider/config.go
+++ b/support/oidc-discovery-provider/config.go
@@ -7,6 +7,7 @@ import (
 "time"
 "github.com/hashicorp/hcl"
+ "github.com/spiffe/spire/pkg/common/config"
 "github.com/zeebo/errs"
 )
@@ -185,12 +186,16 @@ type experimentalWorkloadAPIConfig struct {
 NamedPipeName string `hcl:"named_pipe_name" json:"named_pipe_name"`
 }
-func LoadConfig(path string) (*Config, error) {
+func LoadConfig(path string, expandEnv bool) (*Config, error) {
 hclBytes, err := os.ReadFile(path)
 if err != nil {
 return nil, errs.New("unable to load configuration: %v", err)
 }
- return ParseConfig(string(hclBytes))
+ hclString := string(hclBytes)
+ if expandEnv {
+ hclString = config.ExpandEnv(hclString)
+ }
+ return ParseConfig(hclString)
 }
 func ParseConfig(hclConfig string) (_ *Config, err error) {
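Review bot: LoadConfig is exported and gains a second parameter in this hunk, but it has no doc comment, and the key property of expandEnv — the substitution is applied to the raw HCL text before ParseConfig runs, so whatever the environment supplies is parsed as configuration syntax rather than inserted as a quoted string value — is stated nowhere. I'd add above the signature: `// LoadConfig reads the HCL configuration file at path. When expandEnv is true, environment variable references in the raw file text are expanded before parsing, so the environment can supply any part of the configuration, not just string values.` What config.ExpandEnv does with a reference to an unset variable (empty string, left literal, or an error) is not visible here; once confirmed it belongs in the same comment, because an empty substitution changes the parsed configuration instead of failing the load.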
diff --git a/support/oidc-discovery-provider/config_posix_test.go b/support/oidc-discovery-provider/config_posix_test.go
index 59d5178c92..bba9706483 100644
--- a/support/oidc-discovery-provider/config_posix_test.go
+++ b/support/oidc-discovery-provider/config_posix_test.go
@@ -18,6 +18,16 @@ var (
 address = "unix:///some/socket/path"
 }
 `
+ minimalEnvServerAPIConfig = `
+ domains = ["${SPIFFE_TRUST_DOMAIN}"]
+ acme {
+ email = "admin@${SPIFFE_TRUST_DOMAIN}"
+ tos_accepted = true
+ }
+ server_api {
+ address = "unix:///some/socket/path"
+ }
+`
 serverAPIConfig = &ServerAPIConfig{
 Address: "unix:///some/socket/path",
diff --git a/support/oidc-discovery-provider/config_test.go b/support/oidc-discovery-provider/config_test.go
index 483b8a4e68..ebe3e6b1a4 100644
--- a/support/oidc-discovery-provider/config_test.go
+++ b/support/oidc-discovery-provider/config_test.go
@@ -23,14 +23,32 @@ func TestLoadConfig(t *testing.T) {
 confPath := filepath.Join(dir, "test.conf")
- _, err := LoadConfig(confPath)
+ _, err := LoadConfig(confPath, false)
 require.Error(err)
 require.Contains(err.Error(), "unable to load configuration:")
+ err = os.WriteFile(confPath, []byte(minimalEnvServerAPIConfig), 0600)
+ require.NoError(err)
+
+ os.Setenv("SPIFFE_TRUST_DOMAIN", "domain.test")
+ config, err := LoadConfig(confPath, true)
+ require.NoError(err)
+
+ require.Equal(&Config{
+ LogLevel: defaultLogLevel,
+ Domains: []string{"domain.test"},
+ ACME: &ACMEConfig{
+ CacheDir: defaultCacheDir,
+ Email: "admin@domain.test",
+ ToSAccepted: true,
+ },
+ ServerAPI: serverAPIConfig,
+ }, config)
+
 err = os.WriteFile(confPath, []byte(minimalServerAPIConfig), 0600)
 require.NoError(err)
- config, err := LoadConfig(confPath)
+ config, err = LoadConfig(confPath, false)
 require.NoError(err)
 require.Equal(&Config{
diff --git a/support/oidc-discovery-provider/config_windows_test.go b/support/oidc-discovery-provider/config_windows_test.go
index 52df60b584..728b81f440 100644
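Review bot: `os.Setenv("SPIFFE_TRUST_DOMAIN", "domain.test")` in the added block of config_test.go discards the returned error and leaves the variable set for every test that runs later in the process; `t.Setenv("SPIFFE_TRUST_DOMAIN", "domain.test")` checks the error, restores the previous value on cleanup, and fails if the test is ever marked parallel. The negative path of the flag is also not exercised: the load with expandEnv=false uses minimalServerAPIConfig, which contains no `${...}` reference, so nothing verifies that a reference stays literal when expansion is off — loading minimalEnvServerAPIConfig with false and asserting Domains equals `[]string{"${SPIFFE_TRUST_DOMAIN}"}` would cover it. TestLoadConfig continues past the end of the hunk.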
--- a/support/oidc-discovery-provider/config_windows_test.go
+++ b/support/oidc-discovery-provider/config_windows_test.go
@@ -20,6 +20,18 @@ var (
 }
 }
 `
+ minimalEnvServerAPIConfig = `
+ domains = ["${SPIFFE_TRUST_DOMAIN}"]
+ acme {
+ email = "admin@${SPIFFE_TRUST_DOMAIN}"
+ tos_accepted = true
+ }
+ server_api {
+ experimental {
+ named_pipe_name = "\\name\\for\\server\\api"
+ }
+ }
+`
 serverAPIConfig = &ServerAPIConfig{
 Experimental: experimentalServerAPIConfig{
diff --git a/support/oidc-discovery-provider/main.go b/support/oidc-discovery-provider/main.go
index 0e65d9cb68..feb5e9b216 100644
--- a/support/oidc-discovery-provider/main.go
+++ b/support/oidc-discovery-provider/main.go
@@ -25,6 +25,7 @@ import (
 var (
 versionFlag = flag.Bool("version", false, "print version")
 configFlag = flag.String("config", "oidc-discovery-provider.conf", "configuration file")
+ expandEnv = flag.Bool("expandEnv", false, "expand environment variables in config file")
 )
 func main() {
@@ -35,14 +36,14 @@ func main() {
 os.Exit(0)
 }
- if err := run(*configFlag); err != nil {
+ if err := run(*configFlag, *expandEnv); err != nil {
 fmt.Fprintf(os.Stderr, "%+v\n", err)
 os.Exit(1)
 }
 }
-func run(configPath string) error {
- config, err := LoadConfig(configPath)
+func run(configPath string, expandEnv bool) error {
+ config, err := LoadConfig(configPath, expandEnv)
 if err != nil {
 return err
 }
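Review bot: The usage string on the new expandEnv flag in main.go is the only place an operator learns what the option does, and it does not say which reference syntax is recognized or that substitution happens on the raw file text before it is parsed. The tests in this commit exercise the `${VAR}` form; I'd make the string `"expand environment variable references (${VAR}) in the config file before it is parsed"`, adjusted if config.ExpandEnv accepts other forms. The second main.go hunk only passes the value through to LoadConfig; run's body continues outside the hunk.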