gitlab.com/gitlab-org/gitlab-pages.git - Unnamed repository; edit this file 'description' to name the repository.
authorSean Carroll <scarroll@gitlab.com>2019-10-18 15:39:48 +0300
committerSean Carroll <scarroll@gitlab.com>2019-10-18 15:39:48 +0300
commit64a49c238c56655d32211e5cc4436b5fcaa2d396 (patch)
treeec29e5c172d2b4350481209b67da42bc2c70a594
parentfc8f04d5fef6d36568f751e0ebb724a22959cb96 (diff)
Secrets should not allowed on command line
-rw-r--r--internal/deprecatedargs/deprecatedargs.go29
-rw-r--r--internal/deprecatedargs/deprecatedargs_test.go33
-rw-r--r--main.go63
3 files changed, 97 insertions, 28 deletions
diff --git a/internal/deprecatedargs/deprecatedargs.go b/internal/deprecatedargs/deprecatedargs.go
new file mode 100644
index 00000000..56219e47
--- /dev/null
+++ b/internal/deprecatedargs/deprecatedargs.go
@@ -0,0 +1,29 @@
+package deprecatedargs
+
+import (
+ "fmt"
+ "strings"
+)
+
+var deprecatedArgs = []string{"-auth-client-id", "-auth-client-secret", "-auth-secret", "-sentry-dsn"}
+
+// Validate checks if deprecated params have been used
+func Validate(args []string) error {
+ foundDeprecatedArgs := []string{}
+ argMap := make(map[string]bool)
+
+ for _, arg := range args {
+ argMap[arg] = true
+ }
+
+ for _, deprecatedArg := range deprecatedArgs {
+ if argMap[deprecatedArg] {
+ foundDeprecatedArgs = append(foundDeprecatedArgs, deprecatedArg)
+ }
+ }
+
+ if len(foundDeprecatedArgs) > 0 {
+ return fmt.Errorf("Deprecation message: %s should not be passed as a command line arguments", strings.Join(foundDeprecatedArgs, ", "))
+ }
+ return nil
+}
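Review bot: The lookup in `Validate` is an exact string match on each element of `args`, so `-auth-secret=abc123` and `--auth-secret abc123` go undetected; assuming the flag package used in main.go follows the standard library's syntax, both spellings are accepted by the parser. Normalise the name before recording it, e.g. `name := strings.SplitN(arg, "=", 2)[0]`, then `if strings.HasPrefix(name, "--") { name = name[1:] }`, then `argMap[name] = true`. The table in deprecatedargs_test.go covers only the space-separated single-dash form and asserts only that some error is returned, so it would not catch this; add `-auth-secret=abc123` and `--auth-secret` cases there. The error string would also read better in lowercase and as "should not be passed as command line arguments".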
diff --git a/internal/deprecatedargs/deprecatedargs_test.go b/internal/deprecatedargs/deprecatedargs_test.go
new file mode 100644
index 00000000..b1ebeb41
--- /dev/null
+++ b/internal/deprecatedargs/deprecatedargs_test.go
@@ -0,0 +1,33 @@
+package deprecatedargs
+
+import (
+ "testing"
+
+ "github.com/stretchr/testify/require"
+)
+
+func TestValidParams(t *testing.T) {
+ args := []string{"gitlab-pages",
+ "-listen-http", ":3010",
+ "-artifacts-server", "http://192.168.1.123:3000/api/v4",
+ "-pages-domain", "127.0.0.1.xip.io"}
+ res := Validate(args)
+ require.Nil(t, res)
+}
+
+func TestInvalidParms(t *testing.T) {
+ tests := map[string][]string{
+ "Client ID passed": []string{"gitlab-pages", "-auth-client-id", "abc123"},
+ "Client secret passed": []string{"gitlab-pages", "-auth-client-secret", "abc123"},
+ "Auth secret passed": []string{"gitlab-pages", "-auth-secret", "abc123"},
+ "Sentry DSN passed": []string{"gitlab-pages", "-sentry-dsn", "abc123"},
+ "Multiple keys passed": []string{"gitlab-pages", "-auth-client-id", "abc123", "-auth-client-secret", "abc123"},
+ }
+
+ for name, args := range tests {
+ t.Run(name, func(t *testing.T) {
+ err := Validate(args)
+ require.Error(t, err)
+ })
+ }
+}
diff --git a/main.go b/main.go
index 8c3ded3d..9b56d1b4 100644
--- a/main.go
+++ b/main.go
@@ -12,6 +12,7 @@ import (
log "github.com/sirupsen/logrus"
"gitlab.com/gitlab-org/labkit/errortracking"
+ "gitlab.com/gitlab-org/gitlab-pages/internal/deprecatedargs"
"gitlab.com/gitlab-org/gitlab-pages/internal/host"
"gitlab.com/gitlab-org/gitlab-pages/internal/logging"
"gitlab.com/gitlab-org/gitlab-pages/internal/tlsconfig"
@@ -203,30 +204,9 @@ func initErrorReporting(sentryDSN, sentryEnvironment string) {
errortracking.WithSentryEnvironment(sentryEnvironment))
}
-func appMain() {
- var showVersion = flag.Bool("version", false, "Show version")
-
- flag.String(flag.DefaultConfigFlagname, "", "path to config file")
- flag.Parse()
- if err := tlsconfig.ValidateTLSVersions(*tlsMinVersion, *tlsMaxVersion); err != nil {
- fatal(err)
- }
-
- printVersion(*showVersion, VERSION)
-
- err := logging.ConfigureLogging(*logFormat, *logVerbose)
- if err != nil {
- log.WithError(err).Fatal("Failed to initialize logging")
- }
-
- log.WithFields(log.Fields{
- "version": VERSION,
- "revision": REVISION,
- }).Print("GitLab Pages Daemon")
- log.Printf("URL: https://gitlab.com/gitlab-org/gitlab-pages")
-
- if err := os.Chdir(*pagesRoot); err != nil {
- fatal(err)
+func loadConfig() appConfig {
+ if err := deprecatedargs.Validate(os.Args[1:]); err != nil {
+ log.WithError(err)
}
config := configFromFlags()
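Review bot: `log.WithError(err)` in `loadConfig` only builds a log entry and discards it, so the deprecation message returned by `Validate` is never written and an operator who passes `-auth-secret` on the command line gets no signal. Finish the call with a level, e.g. `log.WithError(err).Warn("Deprecated arguments")`. The flags are also still accepted after the check, so the secret values remain readable in the process argument list; if the commit title means they should be rejected, the branch would need `fatal(err)` instead. The rest of `loadConfig` is in the next hunk.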
@@ -264,14 +244,41 @@ func appMain() {
"tls-min-version": *tlsMinVersion,
"tls-max-version": *tlsMaxVersion,
"use-http-2": config.HTTP2,
- "auth-secret": config.StoreSecret,
"gitlab-server": config.GitLabServer,
- "auth-client-id": config.ClientID,
- "auth-client-secret": config.ClientSecret,
"auth-redirect-uri": config.RedirectURI,
- "sentry-dsn": config.SentryDSN,
}).Debug("Start daemon with configuration")
+ return config
+}
+
+func appMain() {
+ var showVersion = flag.Bool("version", false, "Show version")
+
+ flag.String(flag.DefaultConfigFlagname, "", "path to config file")
+ flag.Parse()
+ if err := tlsconfig.ValidateTLSVersions(*tlsMinVersion, *tlsMaxVersion); err != nil {
+ fatal(err)
+ }
+
+ printVersion(*showVersion, VERSION)
+
+ err := logging.ConfigureLogging(*logFormat, *logVerbose)
+ if err != nil {
+ log.WithError(err).Fatal("Failed to initialize logging")
+ }
+
+ log.WithFields(log.Fields{
+ "version": VERSION,
+ "revision": REVISION,
+ }).Print("GitLab Pages Daemon")
+ log.Printf("URL: https://gitlab.com/gitlab-org/gitlab-pages")
+
+ if err := os.Chdir(*pagesRoot); err != nil {
+ fatal(err)
+ }
+
+ config := loadConfig()
+
for _, cs := range [][]io.Closer{
createAppListeners(&config),
createMetricsListener(&config),