Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allow to disable os.ExpandEnv for storage + connector configs by env variable DEX_EXPAND_ENV = false #1902

Merged
merged 1 commit into from
Jan 1, 2021
Merged

Allow to disable os.ExpandEnv for storage + connector configs by env variable DEX_EXPAND_ENV = false #1902

merged 1 commit into from
Jan 1, 2021

Conversation

heidemn-faro
Copy link
Contributor

@heidemn-faro heidemn-faro commented Dec 29, 2020
edited
Loading

Overview

Closes #1876

What this PR does / why we need it

See issue + release note below.

Special notes for your reviewer

@sagikazarmark I guess this one is for you, since you commented on the issue.

Does this PR introduce a user-facing change?

By setting the env variable `DEX_EXPAND_ENV` to `false`, the user can disable env expansion in storage and connector configs.
This is an opt-in change: Env expansion is still enabled by default.

It can be useful to disable env expansion to avoid workarounds e.g. if you use templating to generate dex-config.yaml, and some of your values (e.g. the LDAP bindPW) may include dollar characters.

sagikazarmark
sagikazarmark reviewed Dec 29, 2020
View reviewed changes
cmd/dex/config.go Outdated
// True by default, to avoid a breaking change.
// False if the env variable "DEX_EXPAND_ENV" is set to "0".
func isExpandEnvEnabled() bool {
return os.Getenv("DEX_EXPAND_ENV") != "0"
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How about using ParseBool instead? Then a whole bunch of other boolean-like values can be accepted. false/true comes to mind as better alternatives to 0/1 and I'd also use those in the documentation instead of 0/1.

Obviously this means that you have to look up the env first.

Also, thinking about the variable name: since this is true by default, I wonder if it would make sense to use DEX_NO_EXPAND_ENV instead.

Copy link

@heidemn heidemn Dec 30, 2020
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How about using ParseBool instead?

Sounds good, will do that.

I wonder if it would make sense to use DEX_NO_EXPAND_ENV instead.

I'm not a big fan of this, for the following reasons:

  • Consider DEX_NO_EXPAND_ENV=false, which is a double negation. I wanted to avoid that case.
  • In case that we later change the default to "don't expand", we would have to change back the variable name DEX_NO_EXPAND_ENV -> DEX_EXPAND_ENV.

E.g. the OpenLDAP Docker image also uses LDAP_...=false instead of LDAP_NO_...=true:
LDAP_READONLY_USER: Add a read only user. Defaults to false
LDAP_TLS: Add openldap TLS capabilities. [...] Defaults to true
Definitely you will also find many software projects that use your suggestion ..._NO_..., just wanted to show one example for my suggestion.

But if you insist, I can still change it.

@heidemn-faro heidemn-faro changed the title Allow admin to disable os.ExpandEnv for storage + connector configs by env variable DEX_EXPAND_ENV = 0 Allow to disable os.ExpandEnv for storage + connector configs by env variable DEX_EXPAND_ENV = false Dec 30, 2020
@heidemn-faro heidemn-faro force-pushed the feature/no-expand-env branch 2 times, most recently from a383803 to c6d8035 Compare December 30, 2020 16:58
@heidemn-faro
Copy link
Contributor Author

@sagikazarmark please take another look, and let me know if further changes are required.

sagikazarmark
sagikazarmark reviewed Dec 30, 2020
View reviewed changes
cmd/dex/config.go Outdated
// Default, for downwards-compatibility: DEX_EXPAND_ENV = true
return true, nil
}
return strconv.ParseBool(dexExpandEnv)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The reason I thought a negated variable name might be better is because variable expansion should be true by default, even if the content of the variable is considered invalid.

I agree it sounds bad, but I think we can keep DEX_EXPAND_ENV: I think we should handle the error returned by ParseBool: if there is an error, it should return true, otherwise return the parsed value. I think it's okay to silently fall back to true when the value of the variable is empty for example or some gibberish.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oh no, then I spent too much effort on the tests etc.... But you're right, silently using the default seems fine.

@heidemn-faro
Allow to disable os.ExpandEnv for storage + connector configs by env …
4cb5577 
…variable DEX_EXPAND_ENV = false

Signed-off-by: Martin Heide <martin.heide@faro.com>
@heidemn-faro
Copy link
Contributor Author

@sagikazarmark please take a 3rd look :-) Simplified as requested.

@heidemn heidemn mentioned this pull request Dec 31, 2020
Merged
sagikazarmark
sagikazarmark approved these changes Jan 1, 2021
View reviewed changes
Copy link
Member

@sagikazarmark sagikazarmark left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @heidemn

@sagikazarmark sagikazarmark added this to the v2.28.0 milestone Jan 1, 2021
@sagikazarmark sagikazarmark merged commit 4f0744c into dexidp:master Jan 1, 2021
@heidemn
Copy link

heidemn commented Jan 1, 2021

Thanks for reviewing @sagikazarmark , and happy new year!

xtremerui pushed a commit to concourse/dex that referenced this pull request Mar 16, 2021
upstream dex release: v2.28.0
ef54461 
The official docker release for this release can be pulled from

```
ghcr.io/dexidp/dex:v2.28.0
```

**Features:**

- Add c_hash to id_token, issued on /auth endpoint, when in hybrid flow (dexidp#1773, @HEllRZA)
- Allow configuration of returned auth proxy header (dexidp#1839, @seuf)
- Allow to disable os.ExpandEnv for storage + connector configs by env variable DEX_EXPAND_ENV = false (dexidp#1902, @heidemn-faro)
- Added the possibility to activate lowercase for UPN-Strings (dexidp#1888, @VF-mbrauer)
- Add "Cache-control: no-store" and "Pragma: no-cache" headers to token responses (dexidp#1948, @nabokihms)
- Add gomplate to the docker image (dexidp#1893, @nabokihms)
- Graceful shutdown (dexidp#1963, @nabokihms)
- Allow public clients created with API to have no client_secret (dexidp#1871, @spohner)

**Bugfixes:**

- Fix the etcd PKCE AuthCode deserialization (dexidp#1908, @bnu0)
- Fix garbage collection logging of device codes and device request (dexidp#1918, @nabokihms)
- Discovery endpoint contains updated claims and auth methods (dexidp#1951, @nabokihms)
- Return invalid_grant error if auth code is invalid or expired (dexidp#1952, @nabokihms)
- Return an error to auth requests with the "request" parameter (dexidp#1956, @nabokihms)

**Minor changes:**

- Change default themes to light/dark (dexidp#1858, @nabokihms)
- Various developer experience improvements
- Dependency upgrades
- Tons of small fixes and changes
@thesuperzapper thesuperzapper mentioned this pull request May 11, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@heidemn heidemn heidemn left review comments

@sagikazarmark sagikazarmark sagikazarmark approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
v2.28.0
Development

Successfully merging this pull request may close these issues.

Allow to disable env variable expansion by setting DEX_EXPAND_ENV = false
3 participants
@heidemn-faro @heidemn @sagikazarmark