From 79fdc6ac749c20eeff04c60b45f3fb7a1b32e110 Mon Sep 17 00:00:00 2001
From: Dax McDonald <31839142+daxmc99@users.noreply.github.com>
Date: Thu, 23 Jul 2020 10:19:33 -0700
Subject: [PATCH] Add init

Adds an init function to read the encryption token from either from the SOURCEGRAPH_CRYPT_KEY env var or SOURCEGRAPH_SECRET_FILE location. Panics if no secret key is found.
---
 internal/secrets/crypt_test.go | 1 -
 internal/secrets/init.go | 51 ++++++++++++++++++++++++++++++++++
 2 files changed, 51 insertions(+), 1 deletion(-)
 create mode 100644 internal/secrets/init.go

diff --git a/internal/secrets/crypt_test.go b/internal/secrets/crypt_test.go
index af1edc8018f5..aa96d1553f6d 100644
--- a/internal/secrets/crypt_test.go
+++ b/internal/secrets/crypt_test.go
@@ -32,7 +32,6 @@ func TestDBEncryptingAndDecrypting(t *testing.T) { if decrypted != toEncrypt { t.Fatalf("failed to decrypt") } - } // Test the negative result - we should fail to decrypt with bad keys
diff --git a/internal/secrets/init.go b/internal/secrets/init.go
new file mode 100644
index 000000000000..78852d2150eb
--- /dev/null
+++ b/internal/secrets/init.go
@@ -0,0 +1,51 @@
+package secrets
+
+import (
+ "fmt"
+ "io/ioutil"
+ "os"
+)
+
+var CryptObject EncryptionStore
+
+const (
+ sourcegraphCryptEnvvar = "SOURCEGRAPH_CRYPT_KEY"
+ // #nosec G101
+ sourcegraphSecretfileEnvvar = "SOURCEGRAPH_SECRET_FILE"
+ validKeyLength = 32
+)
+
+func init() {
+ cryptKey, cryptOK := os.LookupEnv(sourcegraphCryptEnvvar)
+
+ // set the default location if none exists
+ secretFile := os.Getenv(sourcegraphSecretfileEnvvar)
+ if secretFile == "" {
+ // #nosec G101
+ secretFile = "/var/lib/sourcegraph/token"
+ }
+
+ _, err := os.Stat(secretFile)
+
+ // a lack of encryption keys means we cannot run the application, hence panic.
+ if err != nil && !cryptOK {
+ panic(fmt.Sprintf("Either specify environment variable %s or provide the secrets file %s.",
+ sourcegraphCryptEnvvar,
+ sourcegraphSecretfileEnvvar))
+ }
+ if err == nil {
+ contents, readErr := ioutil.ReadFile(secretFile)
+ if readErr != nil {
+ panic(fmt.Sprintf("Couldn't read file %s", sourcegraphSecretfileEnvvar))
+ }
+ if len(contents) < validKeyLength {
+ panic(fmt.Sprintf("Key length of %d characters is required.", validKeyLength))
+ }
+ CryptObject.EncryptionKey = contents
+ } else {
+ if len(cryptKey) != validKeyLength {
+ panic(fmt.Sprintf("Key length of %d characters is required.", validKeyLength))
+ }
+ CryptObject.EncryptionKey = []byte(cryptKey)
+ }
+}
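Review bot: The secrets-file branch accepts any key of at least 32 bytes (`if len(contents) < validKeyLength {`) while the env-var branch requires exactly 32 (`!= validKeyLength`), and a key file saved with a trailing newline passes the first check as 33 bytes; unless EncryptionStore is known to tolerate oversized keys (not visible in this hunk), the two branches should agree, e.g. `contents = bytes.TrimRight(contents, "\r\n")` followed by `if len(contents) != validKeyLength {` (this needs a `"bytes"` import). The read-failure panic reports the environment variable name instead of the path that was actually opened, so `panic(fmt.Sprintf("Couldn't read file %s", sourcegraphSecretfileEnvvar))` should print `secretFile`. When the file exists it silently takes precedence over SOURCEGRAPH_CRYPT_KEY, and any os.Stat error other than not-exist (for example a permission error on the default path) is swallowed whenever the env var is set; the precedence deserves a doc comment on `init`, and the error paths should be separated with `os.IsNotExist(err)` so a misconfigured file is reported rather than bypassed.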