author | Raccoon | 2017-03-03 09:27:57 +0800 |
---|---|---|
committer | GitHub | 2017-03-03 09:27:57 +0800 |
commit | bbde79c7d7f958e2e9e599f7bd8e58a275137707 (patch) | |
tree | 053538d49b92121e29e0e576d2e5e0b249d28537 | |
parent | 0bea4da6238b1f46562b146b32d88fc8d8b9060a (diff) | |
parent | 48592d692c2b8a71e3ca9e7f0bc34f230eea1542 (diff) |
Merge pull request #325 from SISheogorath/feature/addSecrets
Add basic support for Docker 1.13 secret management
Diffstat (limited to '')
-rw-r--r-- | lib/config.js | 57 |
1 files changed, 31 insertions, 26 deletions
diff --git a/lib/config.js b/lib/config.js
index a14bf978..1e5838e8 100644
--- a/lib/config.js
+++ b/lib/config.js
@@ -1,12 +1,16 @@
 // external modules
 var fs = require('fs');
 var path = require('path');
+var fs = require('fs');
 // configs
 var env = process.env.NODE_ENV || 'development';
 var config = require(path.join(__dirname, '..', 'config.json'))[env];
 var debug = process.env.DEBUG ? (process.env.DEBUG === 'true') : ((typeof config.debug === 'boolean') ? config.debug : (env === 'development'));
+// Create function that reads docker secrets but fails fast in case of a non docker environment
+var handleDockerSecret = fs.existsSync('/run/secrets/') ? function(secret){return fs.existsSync('/run/secrets/' + secret) ? fs.readFileSync('/run/secrets/' + secret) : null;)} : function () {return null}
+
 // url
 var domain = process.env.DOMAIN || process.env.HMD_DOMAIN || config.domain || '';
 var urlpath = process.env.URL_PATH || process.env.HMD_URL_PATH || config.urlpath || '';
@@ -37,10 +41,10 @@ var dburl = process.env.HMD_DB_URL || process.env.DATABASE_URL || config.dburl;
 var db = config.db || {};
 // ssl path
-var sslkeypath = config.sslkeypath || '';
-var sslcertpath = config.sslcertpath || '';
-var sslcapath = config.sslcapath || '';
-var dhparampath = config.dhparampath || '';
+var sslkeypath = (fs.existsSync('/run/secrets/key.pem') ? '/run/secrets/key.pem' : null) || config.sslkeypath || '';
+var sslcertpath = (fs.existsSync('/run/secrets/cert.pem') ? '/run/secrets/cert.pem' : null) || config.sslcertpath || '';
+var sslcapath = (fs.existsSync('/run/secrets/ca.pem') ? '/run/secrets/ca.pem' : null) || config.sslcapath || '';
+var dhparampath = (fs.existsSync('/run/secrets/dhparam.pem') ? '/run/secrets/dhparam.pem' : null) || config.dhparampath || '';
 // other path
 var tmppath = config.tmppath || './tmp';
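Review bot: The added `handleDockerSecret` one-liner contains a stray `)` after `null;` (`: null;)}`), which is a syntax error, so `lib/config.js` will not parse at all once this is merged and every other hunk in the commit is dead until it is fixed. In addition, `fs.readFileSync` without an encoding returns a Buffer, so `sessionsecret`, the OAuth client secrets and the S3 keys that fall through this helper become Buffers rather than strings, and any trailing newline in the secret file (common when a secret is created via `echo` without `-n`) would presumably be carried into the credential; reading as `'utf8'` and trimming avoids both. The new `+var fs = require('fs');` also duplicates the `var fs` declaration two lines above it and can be dropped. Suggested rewrite of the helper:
```javascript
// Read a Docker secret from /run/secrets/<name>; returns null outside Docker or when the file is absent.
var handleDockerSecret = fs.existsSync('/run/secrets/') ? function (secret) {
    var secretPath = '/run/secrets/' + secret;
    return fs.existsSync(secretPath) ? fs.readFileSync(secretPath, 'utf8').trim() : null;
} : function () { return null; };
```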
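Review bot: The four `ssl*path` lines each spell the `/run/secrets/<file>` literal twice inside the same `fs.existsSync(...) ? ... : null` expression, and unlike `handleDockerSecret` they probe `/run/secrets/` even outside Docker, so a typo in one copy would silently fall back to the config value. A one-line helper keeps each filename in one place, e.g. `var dockerSecretPath = function (name) { var p = '/run/secrets/' + name; return fs.existsSync(p) ? p : null; };` followed by `var sslkeypath = dockerSecretPath('key.pem') || config.sslkeypath || '';` for each of the four. This is a consistency point only; the precedence of `(... ? ... : null) || config.sslkeypath || ''` is correct as written.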
@@ -54,7 +58,7 @@ var slidepath = config.slidepath || './public/views/slide.ejs';
 // session
 var sessionname = config.sessionname || 'connect.sid';
-var sessionsecret = config.sessionsecret || 'secret';
+var sessionsecret = handleDockerSecret('sessionsecret') || config.sessionsecret || 'secret';
 var sessionlife = config.sessionlife || 14 * 24 * 60 * 60 * 1000; //14 days
 // static files
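Review bot: The hard-coded `'secret'` fallback at the end of the rewritten `sessionsecret` line is still reached silently whenever neither `/run/secrets/sessionsecret` nor `config.sessionsecret` is present, so a deployment that merely mis-names the secret file ends up signing session cookies with a publicly known key. The fallback predates this commit, but since the line is being touched it would be worth making that case visible, e.g. `if (!handleDockerSecret('sessionsecret') && !config.sessionsecret) console.warn('sessionsecret is not set, using an insecure default');` placed right after it. Whether the value read from the secret file arrives as a string depends on how `handleDockerSecret` reads it in the first hunk; the session middleware's handling of a non-string secret is not visible here.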
@@ -72,37 +76,38 @@ var imageUploadType = process.env.HMD_IMAGE_UPLOAD_TYPE || config.imageUploadTyp
 config.s3 = config.s3 || {};
 var s3 = {
- accessKeyId: process.env.HMD_S3_ACCESS_KEY_ID || config.s3.accessKeyId,
- secretAccessKey: process.env.HMD_S3_SECRET_ACCESS_KEY || config.s3.secretAccessKey,
+ accessKeyId: handleDockerSecret('s3_acccessKeyId') || process.env.HMD_S3_ACCESS_KEY_ID || config.s3.accessKeyId,
+ secretAccessKey: handleDockerSecret('s3_secretAccessKey') || process.env.HMD_S3_SECRET_ACCESS_KEY || config.s3.secretAccessKey,
 region: process.env.HMD_S3_REGION || config.s3.region
 }
 var s3bucket = process.env.HMD_S3_BUCKET || config.s3.bucket;
 // auth
-var facebook = (process.env.HMD_FACEBOOK_CLIENTID && process.env.HMD_FACEBOOK_CLIENTSECRET) ? {
- clientID: process.env.HMD_FACEBOOK_CLIENTID,
- clientSecret: process.env.HMD_FACEBOOK_CLIENTSECRET
+var facebook = (process.env.HMD_FACEBOOK_CLIENTID && process.env.HMD_FACEBOOK_CLIENTSECRET || fs.existsSync('/run/secrets/facebook_clientID') && fs.existsSync('/run/secrets/facebook_clientSecret')) ? {
+ clientID: handleDockerSecret('facebook_clientID') || process.env.HMD_FACEBOOK_CLIENTID,
+ clientSecret: handleDockerSecret('facebook_clientSecret') || process.env.HMD_FACEBOOK_CLIENTSECRET
 } : config.facebook || false;
-var twitter = (process.env.HMD_TWITTER_CONSUMERKEY && process.env.HMD_TWITTER_CONSUMERSECRET) ? {
- consumerKey: process.env.HMD_TWITTER_CONSUMERKEY,
- consumerSecret: process.env.HMD_TWITTER_CONSUMERSECRET
+var twitter = (process.env.HMD_TWITTER_CONSUMERKEY && process.env.HMD_TWITTER_CONSUMERSECRET || fs.existsSync('/run/secrets/twitter_consumerKey') && fs.existsSync('/run/secrets/twitter_consumerSecret')) ? {
+ consumerKey: handleDockerSecret('twitter_consumerKey') || process.env.HMD_TWITTER_CONSUMERKEY,
+ consumerSecret: handleDockerSecret('twitter_consumerSecret') || process.env.HMD_TWITTER_CONSUMERSECRET
 } : config.twitter || false;
-var github = (process.env.HMD_GITHUB_CLIENTID && process.env.HMD_GITHUB_CLIENTSECRET) ? {
- clientID: process.env.HMD_GITHUB_CLIENTID,
- clientSecret: process.env.HMD_GITHUB_CLIENTSECRET
+var github = (process.env.HMD_GITHUB_CLIENTID && process.env.HMD_GITHUB_CLIENTSECRET || fs.existsSync('/run/secrets/github_clientID') && fs.existsSync('/run/secrets/github_clientSecret')) ? {
+ clientID: handleDockerSecret('github_clientID') || process.env.HMD_GITHUB_CLIENTID,
+ clientSecret: handleDockerSecret('github_clientSecret') || process.env.HMD_GITHUB_CLIENTSECRET
 } : config.github || false;
-var gitlab = (process.env.HMD_GITLAB_CLIENTID && process.env.HMD_GITLAB_CLIENTSECRET) ? {
+var gitlab = (process.env.HMD_GITLAB_CLIENTID && process.env.HMD_GITLAB_CLIENTSECRET || fs.existsSync('/run/secrets/gitlab_clientID') && fs.existsSync('/run/secrets/gitlab_clientSecret')) ? {
 baseURL: process.env.HMD_GITLAB_BASEURL,
- clientID: process.env.HMD_GITLAB_CLIENTID,
- clientSecret: process.env.HMD_GITLAB_CLIENTSECRET
+ clientID: handleDockerSecret('gitlab_clientID') || process.env.HMD_GITLAB_CLIENTID,
+ clientSecret: handleDockerSecret('gitlab_clientSecret') || process.env.HMD_GITLAB_CLIENTSECRET
 } : config.gitlab || false;
-var dropbox = (process.env.HMD_DROPBOX_CLIENTID && process.env.HMD_DROPBOX_CLIENTSECRET) ? {
- clientID: process.env.HMD_DROPBOX_CLIENTID,
- clientSecret: process.env.HMD_DROPBOX_CLIENTSECRET
+var dropbox = ((process.env.HMD_DROPBOX_CLIENTID && process.env.HMD_DROPBOX_CLIENTSECRET) || (fs.existsSync('/run/secrets/dropbox_clientID') && fs.existsSync('/run/secrets/dropbox_clientSecret'))) ? {
+ clientID: handleDockerSecret('dropbox_clientID') || process.env.HMD_DROPBOX_CLIENTID,
+ clientSecret: handleDockerSecret('dropbox_clientSecret') || process.env.HMD_DROPBOX_CLIENTSECRET
 } : (config.dropbox && config.dropbox.clientID && config.dropbox.clientSecret && config.dropbox) || false;
-var google = (process.env.HMD_GOOGLE_CLIENTID && process.env.HMD_GOOGLE_CLIENTSECRET) ? {
- clientID: process.env.HMD_GOOGLE_CLIENTID,
- clientSecret: process.env.HMD_GOOGLE_CLIENTSECRET
+var google = ((process.env.HMD_GOOGLE_CLIENTID && process.env.HMD_GOOGLE_CLIENTSECRET)
+ || (fs.existsSync('/run/secrets/google_clientID') && fs.existsSync('/run/secrets/google_clientSecret'))) ? {
+ clientID: handleDockerSecret('google_clientID') || process.env.HMD_GOOGLE_CLIENTID,
+ clientSecret: handleDockerSecret('google_clientSecret') || process.env.HMD_GOOGLE_CLIENTSECRET
 } : (config.google && config.google.clientID && config.google.clientSecret && config.google) || false;
 var ldap = config.ldap || (( process.env.HMD_LDAP_URL ||
@@ -146,7 +151,7 @@ if (process.env.HMD_LDAP_TLS_CA) {
 if (process.env.HMD_LDAP_PROVIDERNAME) {
 ldap.providerName = process.env.HMD_LDAP_PROVIDERNAME;
 }
-var imgur = process.env.HMD_IMGUR_CLIENTID || config.imgur || false;
+var imgur = handleDockerSecret('imgur_clientid') || process.env.HMD_IMGUR_CLIENTID || config.imgur || false;
 var email = process.env.HMD_EMAIL ? (process.env.HMD_EMAIL === 'true') : !!config.email;
 var allowemailregister = process.env.HMD_ALLOW_EMAIL_REGISTER ? (process.env.HMD_ALLOW_EMAIL_REGISTER === 'true') : ((typeof config.allowemailregister === 'boolean') ? config.allowemailregister : true); |
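Review bot: The S3 secret name `s3_acccessKeyId` is spelled with three c's, while every other secret follows the `<provider>_<camelCaseField>` pattern and the field it feeds is `accessKeyId`, so a secret mounted under the expected spelling `s3_accessKeyId` would be silently ignored and the code would fall through to the environment or config value with no error. Unless the spelling is deliberate, the line should read `accessKeyId: handleDockerSecret('s3_accessKeyId') || process.env.HMD_S3_ACCESS_KEY_ID || config.s3.accessKeyId,` and any documentation of the secret names should match. As a point of style, the facebook, twitter, github and gitlab conditions mix `&&` and `||` without parentheses while dropbox and google parenthesize both halves; the precedence is the same, but the explicit form is easier to audit and avoids `no-mixed-operators` lint noise, and the unchanged `var ldap = ...` expression at the end of this hunk continues beyond it.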