feat: read secrets from env/file

2025-04-17 09:39:38 +02:00 · 2025-04-17 09:39:38 +02:00 · 0c721e9296
commit 0c721e9296
parent e25fc5ed64
3 changed files with 66 additions and 4 deletions
--- a/flake.nix
+++ b/flake.nix
@ -41,6 +41,11 @@
          ]);

          shellHook = ''
+            export OIDC_CLIENT_ID="putzplan"
+            export OIDC_BASE_URL="http://127.0.0.1:9091"
+            export OIDC_CLIENT_SECRET_FILE="${pkgs.writeText "client_secret" "insecure_secret"}"
+            export OIDC_REDIRECT_URI="http://127.0.0.1:4000/auth"
+
            # allows mix to work on the local directory
            mkdir -p .nix/{mix,hex}
            export MIX_HOME=$PWD/.nix/mix
--- a/lib/putzplan/accounts/user.ex
+++ b/lib/putzplan/accounts/user.ex
@ -23,11 +23,11 @@ defmodule Putzplan.Accounts.User do

    strategies do
      oidc :oidc do
-        client_id "putzplan"
-        base_url "http://127.0.0.1:9091"
-        client_secret "insecure_secret"
+        client_id Putzplan.Secrets
+        base_url Putzplan.Secrets
+        client_secret Putzplan.Secrets
        nonce true
-        redirect_uri "http://127.0.0.1:4000/auth"
+        redirect_uri Putzplan.Secrets
        authorization_params scope: "profile email"
      end
    end
--- a/lib/putzplan/secrets.ex
+++ b/lib/putzplan/secrets.ex
@ -1,7 +1,64 @@
 defmodule Putzplan.Secrets do
+  require Logger
  use AshAuthentication.Secret

  def secret_for([:authentication, :tokens, :signing_secret], Putzplan.Accounts.User, _opts, _ctx) do
    Application.fetch_env(:putzplan, :token_signing_secret)
  end
+
+  def secret_for([:authentication, :strategies, :oidc, name], Putzplan.Accounts.User, _opts, _ctx)
+      when is_atom(name) do
+    name
+    |> Atom.to_string()
+    |> String.upcase()
+    |> secret_from_env()
+    |> dbg
+  end
+
+  defp secret_from_env(name) do
+    name
+    |> from_file
+    |> case do
+      :not_set ->
+        from_env(name)
+
+      other ->
+        other
+    end
+    |> case do
+      {:error, error} ->
+        Logger.error(error)
+        :error
+
+      {:ok, _secret} = ok ->
+        ok
+    end
+  end
+
+  defp from_file(name) do
+    env_name = "OIDC_" <> name <> "_FILE"
+
+    with {:env, {:ok, value}} <- {:env, System.fetch_env(env_name)},
+         {:file, {:ok, contents}} <- {:file, File.read(value)} do
+      {:ok, contents}
+    else
+      {:env, :error} ->
+        Logger.info("#{env_name} is not set trying OIDC_#{name}.")
+        :not_set
+
+      {:file, _} ->
+        {:error, "Error reading secret file for #{name}."}
+    end
+  end
+
+  defp from_env(name) do
+    env_name = "OIDC_#{name}"
+
+    env_name
+    |> System.fetch_env()
+    |> case do
+      :error -> {:error, "#{env_name} is not set!"}
+      other -> other
+    end
+  end
 end