Add InternalTokenURI to load InternalToken from an external file #5812
Conversation
techknowlogick
added
the
type/enhancement
| default: | ||
| log.Fatal(4, "Unsupported URI-Scheme %q (INTERNAL_TOKEN_URL = %q)", tempURI.Scheme, uri) | ||
| } | ||
| return "" |
There was a problem hiding this comment.
This is here for the sake of linter failing due to not having a return, however the above switch case will either return success, or fatal error before reaching this line.
bkcsoft
added
the
lgtm/need 2
Codecov Report
@@ Coverage Diff @@
## master #5812 +/- ##
=========================================
- Coverage 38.82% 38.8% -0.02%
=========================================
Files 359 359
Lines 51137 51175 +38
=========================================
+ Hits 19854 19861 +7
- Misses 28411 28442 +31
Partials 2872 2872
Continue to review full report at Codecov.
|
|
Why don't you write the internal token as an ini file - so you read in the initial file adjust the value of internal token and write it back out. Then, if Uri is not a fully specified URL assume it's file. You should probably absolute that in the same way we do for app.ini at present. Finally if the Uri is nil set it to the current app.ini That way you can lead Uri nil and it will assume Uri is the app.ini file and continue the current behaviour? |
|
Sorry fat fingers! |
|
@lunny With this PR the only time it will try to write to app.ini is if URL is invalid, and token is not set. Edit: Also the ticket is a feature request to move token out of app.ini which this PR allows for |
|
resolved conflicts due to settings module split |
|
Is this still needed since #3531 ? As we provide a simple way to generate valid token to generate a config file. |
|
@sapk yes, as this provides an enhancement so that we can store the secret separately (in docker image we could even use docker secret) |
|
@techknowlogick docker secret are ready only if I remember well so if the it re-write it will still not work. And they are other key to keep secret on the config file. I think that it is a good PR but it is not the good problem. |
|
@sapk in the existing code (and also in PR) it should only write a token to configure ‘if len(token) == 0’ and I am unable to replicate having Gitea write to config if key is already set. This is why I have this set as enhancement rather than bug fix. If this gets merged in, then I can make future enhancement for other secrets in app.ini to read from external sources. |
|
I think store the key to s3 or other place is not a good idea. But if we can support docker secrets or similar place will be better. |
GiteaBot
added
lgtm/need 1
There was a problem hiding this comment.
This worked for me in testing.
One small thing to note @techknowlogick:
The file WILL be created if it does not exist.
Currently the file is not created if it doesn't exist, instead Gitea stops with a Fatal. Looking at the code, that seems intentional, so I'll approve. Just wanted to note it for clarification.
gitea/modules/setting/setting.go
Lines 1260 to 1282 in f666bbc
GiteaBot
added
lgtm/done
|
@jolheiser yes, that is intentional. Thanks for the review :) |
techknowlogick
changed the title
zeripath
changed the title
|
@techknowlogick Any way we can add documentation too? As of right now, I believe this is an undocumented feature? |
(Continuing #4412)
URI HAVE TO start with 'file:' or 'file://'. Possibility to add http/s3 support in the future.
On errors it WILL fail hard (in case of misconfiguration OR the storage not being available)
The file WILL be read if it exists and the token extracted from it.
The file WILL be created if it does not exist.
Closes #3246