Adds an init function to read the encryption token from either the SOURCEGRAPH_CRYPT_KEY env var or the SOURCEGRAPH_SECRET_FILE location. Panics if no secret key is found.
Showing
2 changed files
with
51 additions
and
1 deletion.
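--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,51 @@
+package secrets
+
+import (
+"fmt"
+"io/ioutil"
+"os"
+)
+
+var CryptObject EncryptionStore
+
+const (
+sourcegraphCryptEnvvar = "SOURCEGRAPH_CRYPT_KEY"
+// #nosec G101
+sourcegraphSecretfileEnvvar = "SOURCEGRAPH_SECRET_FILE"
+validKeyLength = 32
+)
+
+func init() {
+cryptKey, cryptOK := os.LookupEnv(sourcegraphCryptEnvvar)
+
+// set the default location if none exists
+secretFile := os.Getenv(sourcegraphSecretfileEnvvar)
+if secretFile == "" {
+// #nosec G101
+secretFile = "/var/lib/sourcegraph/token"
+}
+
+_, err := os.Stat(secretFile)
+
+// a lack of encryption keys means we cannot run the application, hence panic.
+if err != nil && !cryptOK {
+panic(fmt.Sprintf("Either specify environment variable %s or provide the secrets file %s.",
+sourcegraphCryptEnvvar,
+sourcegraphSecretfileEnvvar))
+}
+if err == nil {
+contents, readErr := ioutil.ReadFile(secretFile)
+if readErr != nil {
+panic(fmt.Sprintf("Couldn't read file %s", sourcegraphSecretfileEnvvar))
+}
+if len(contents) < validKeyLength {
+panic(fmt.Sprintf("Key length of %d characters is required.", validKeyLength))
+}
+CryptObject.EncryptionKey = contents
+} else {
+if len(cryptKey) != validKeyLength {
+panic(fmt.Sprintf("Key length of %d characters is required.", validKeyLength))
+}
+CryptObject.EncryptionKey = []byte(cryptKey)
+}
+}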
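Review bot: The read-failure panic at `panic(fmt.Sprintf("Couldn't read file %s", sourcegraphSecretfileEnvvar))` prints the name of the environment variable rather than the path that was opened, so when the default `/var/lib/sourcegraph/token` is in use the message names a variable that was never set; it should be `panic(fmt.Sprintf("Couldn't read file %s", secretFile))`. The two length checks also disagree: the file branch accepts any contents of at least 32 bytes (`<`) while the env-var branch requires exactly 32 (`!=`), so a key file saved with a trailing newline passes and a 33-byte key, newline included, becomes `CryptObject.EncryptionKey` — whether the consumer of `EncryptionKey` tolerates that is not visible here. Trimming and then checking for equality, `contents = bytes.TrimSpace(contents)` followed by `if len(contents) != validKeyLength {`, holds both sources to the same contract (this needs `bytes` added to the import block). A minor wording point: both panics say "characters" where the check is on byte length, which matters for a key supplied through the env var as non-ASCII text.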