Add option to fetch server secret from file

Ref #1138

internal/config/identity.go

@@ -15,6 +15,12 @@
 
 package config
 
+import (
+	"fmt"
+	"os"
+	"path/filepath"
+)
+
 // IdentityConfig is the configuration for the identity provider
 type IdentityConfig struct {
 	Cli    CliIdentityConfig    `mapstructure:"cli"`
@@ -41,4 +47,18 @@ type ServerIdentityConfig struct {
 	ClientId string `mapstructure:"client_id" default:"mediator-server"`
 	// ClientSecret is the client secret for the mediator server
 	ClientSecret string `mapstructure:"client_secret" default:"secret"`
+	// ClientSecretFile is the location of a file containing the client secret for the mediator server (optional)
+	ClientSecretFile string `mapstructure:"client_secret_file"`
+}
+
+// GetClientSecret returns the mediator-server client secret
+func (sic *ServerIdentityConfig) GetClientSecret() (string, error) {
+	if sic.ClientSecretFile != "" {
+		data, err := os.ReadFile(filepath.Clean(sic.ClientSecretFile))
+		if err != nil {
+			return "", err
+		}
+		return string(data), fmt.Errorf("failed to read mediator secret from file: %w", err)
+	}
+	return sic.ClientSecret, nil
 }

internal/controlplane/handlers_user.go

@@ -163,9 +163,14 @@ func (s *Server) DeleteUser(ctx context.Context,
 
 	tokenUrl := parsedURL.JoinPath("realms", s.cfg.Identity.Server.Realm, "protocol/openid-connect/token")
 
+	clientSecret, err := s.cfg.Identity.Server.GetClientSecret()
+	if err != nil {
+		return nil, status.Errorf(codes.Internal, "failed to get client secret: %v", err)
+	}
+
 	clientCredentials := clientcredentials.Config{
 		ClientID:     s.cfg.Identity.Server.ClientId,
-		ClientSecret: s.cfg.Identity.Server.ClientSecret,
+		ClientSecret: clientSecret,
 		TokenURL:     tokenUrl.String(),
 	}