feat(auth): on startup allow binding env variable on static client se…

…crets (#33) * feat(auth): on startup allow binding environment variable on static client secrets * feat: add codeowners * feat: simplify test
formancehq · Nov 19, 2024 · 66c84cb · 66c84cb
1 parent e5de0bb
commit 66c84cb
Show file tree

Hide file tree

Showing 4 changed files with 97 additions and 0 deletions.
diff --git a/CODEOWNERS b/CODEOWNERS
@@ -0,0 +1,2 @@
+* @formancehq/backend
+* @formancehq/devops
diff --git a/cmd/serve.go b/cmd/serve.go
@@ -12,7 +12,9 @@ import (
 
 	"github.com/formancehq/go-libs/aws/iam"
 	"github.com/formancehq/go-libs/bun/bunconnect"
+	"github.com/formancehq/go-libs/collectionutils"
 	"github.com/formancehq/go-libs/licence"
+	"github.com/formancehq/go-libs/logging"
 
 	"github.com/formancehq/go-libs/otlp"
 	"go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp"
@@ -128,6 +130,14 @@ func newServeCommand() *cobra.Command {
 				}
 			}
 
+			o.Clients = collectionutils.Map(o.Clients, func(client auth.StaticClient) auth.StaticClient {
+				c, err := client.FromEnvironment()
+				if err != nil {
+					logging.FromContext(cmd.Context()).Errorf("error while loading secrets from environment: %v", err)
+				}
+				return c
+			})
+
 			zLogging.SetOutput(cmd.OutOrStdout())
 
 			connectionOptions, err := bunconnect.ConnectionOptionsFromFlags(cmd)

diff --git a/pkg/client.go b/pkg/client.go
@@ -4,6 +4,8 @@ import (
 	"crypto/sha256"
 	"encoding/base64"
 	"errors"
+	"os"
+	"strings"
 
 	"github.com/uptrace/bun"
 
@@ -109,11 +111,33 @@ func (c *Client) GetScopes() []string {
 	return c.Scopes
 }
 
+var (
+	ErrEnvironmentVariableNotFound = errors.New("environment variable not found")
+)
+
 type StaticClient struct {
 	ClientOptions `mapstructure:",squash" yaml:",inline"`
 	Secrets       []string `json:"secrets" yaml:"secrets"`
 }
 
+func (c StaticClient) FromEnvironment() (StaticClient, error) {
+	for i, secret := range c.Secrets {
+		environmentVariable, found := strings.CutPrefix(secret, "$")
+		if !found {
+			continue
+		}
+
+		value := os.Getenv(environmentVariable)
+		if value == "" {
+			return c, ErrEnvironmentVariableNotFound
+		}
+
+		c.Secrets[i] = value
+	}
+
+	return c, nil
+}
+
 func (s StaticClient) ValidateSecret(secret string) error {
 	for _, clientSecret := range s.Secrets {
 		if clientSecret == secret {

diff --git a/pkg/client_test.go b/pkg/client_test.go
@@ -0,0 +1,61 @@
+package auth_test
+
+import (
+	"os"
+	"testing"
+
+	auth "github.com/formancehq/auth/pkg"
+	"github.com/stretchr/testify/require"
+)
+
+func TestStaticClientFromEnvironment(t *testing.T) {
+	type testCase struct {
+		staticClients        []auth.StaticClient
+		environmentVariables map[string]string
+		expectedErr          error
+	}
+
+	testCases := []testCase{
+		{
+			staticClients: []auth.StaticClient{
+				{
+					Secrets: []string{"$SECRET"},
+				},
+			},
+			environmentVariables: map[string]string{
+				"SECRET": "secret",
+			},
+			expectedErr: nil,
+		},
+		{
+			staticClients: []auth.StaticClient{
+				{
+					Secrets: []string{"$ERROR"},
+				},
+			},
+			environmentVariables: map[string]string{},
+			expectedErr:          auth.ErrEnvironmentVariableNotFound,
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run("TestStaticClientFromEnvironment", func(t *testing.T) {
+			for key, value := range tc.environmentVariables {
+				os.Setenv(key, value)
+			}
+
+			for _, staticClient := range tc.staticClients {
+				loadedClient, err := staticClient.FromEnvironment()
+				if tc.expectedErr != nil {
+					require.Error(t, err)
+					require.ErrorIs(t, err, tc.expectedErr)
+					return
+				}
+				for _, secret := range loadedClient.Secrets {
+					require.NotContains(t, secret, "$")
+					require.NotEmpty(t, secret)
+				}
+			}
+		})
+	}
+}