feat: [#412] allow to overwrite auth secret conf opt with env var

You can overwrite the `auth::secret_key` in the config file:

```toml
[auth]
email_on_signup = "Optional"
min_password_length = 6
max_password_length = 64
secret_key = "MaxVerstappenWC2021"
```

With an env var: `TORRUST_INDEX_AUTH_SECRET_KEY`.

That will make it easier to inject secrets when you use docker without
modifying the configuration file: `config.toml`.

.env.local

@@ -1,7 +1,7 @@
 DATABASE_URL=sqlite://storage/database/data.db?mode=rwc
 TORRUST_INDEX_CONFIG=
+TORRUST_INDEX_AUTH_SECRET_KEY=MaxVerstappenWC2021
 USER_ID=1000
 TORRUST_TRACKER_CONFIG=
 TORRUST_TRACKER_DATABASE_DRIVER=sqlite3
 TORRUST_TRACKER_API_ADMIN_TOKEN=MyAccessToken
-

README.md

@@ -93,13 +93,16 @@ _Optionally, you may choose to supply the entire configuration as an environment
 TORRUST_INDEX_CONFIG=$(cat "./storage/index/etc/index.toml") cargo run
 ```
 
-_For deployment, you __should__ override the `tracker_api_token` by using an environmental variable:_
+_For deployment, you __should__ override:
+
+- The `tracker_api_token` and the `index_auth_secret_key` by using environmental variables:_
 
 ```sh
 # Please use the secret that you generated for the torrust-tracker configuration.
 # Override secret in configuration using an environmental variable
 TORRUST_INDEX_CONFIG=$(cat "./storage/index/etc/index.toml") \
  TORRUST_INDEX_TRACKER_API_TOKEN=$(cat "./storage/tracker/lib/tracker_api_admin_token.secret") \
+ TORRUST_INDEX_AUTH_SECRET_KEY="MaxVerstappenWC2021" \
  cargo run
 ```
 

compose.yaml

@@ -13,6 +13,7 @@ services:
  - TORRUST_INDEX_DATABASE=${TORRUST_INDEX_DATABASE:-e2e_testing_sqlite3}
  - TORRUST_INDEX_DATABASE_DRIVER=${TORRUST_INDEX_DATABASE_DRIVER:-sqlite3}
  - TORRUST_INDEX_TRACKER_API_TOKEN=${TORRUST_INDEX_TRACKER_API_TOKEN:-MyAccessToken}
+ - TORRUST_INDEX_AUTH_SECRET_KEY=${TORRUST_INDEX_AUTH_SECRET_KEY:-MaxVerstappenWC2021}
  networks:
  - server_side
  ports:

contrib/dev-tools/container/e2e/sqlite/e2e-env-up.sh

@@ -8,6 +8,7 @@ USER_ID=${USER_ID:-1000} \
  TORRUST_INDEX_DATABASE="e2e_testing_sqlite3" \
  TORRUST_INDEX_DATABASE_DRIVER="sqlite3" \
  TORRUST_INDEX_TRACKER_API_TOKEN="MyAccessToken" \
+ TORRUST_INDEX_AUTH_SECRET_KEY="MaxVerstappenWC2021" \
  TORRUST_TRACKER_CONFIG=$(cat ./share/default/config/tracker.e2e.container.sqlite3.toml) \
  TORRUST_TRACKER_DATABASE="e2e_testing_sqlite3" \
  TORRUST_TRACKER_DATABASE_DRIVER="sqlite3" \

docs/containers.md

@@ -149,6 +149,7 @@ The following environmental variables can be set:
 
 - `TORRUST_INDEX_PATH_CONFIG` - The in-container path to the index configuration file, (default: `"/etc/torrust/index/index.toml"`).
 - `TORRUST_INDEX_TRACKER_API_TOKEN` - Override of the admin token. If set, this value overrides any value set in the config.
+- `TORRUST_INDEX_AUTH_SECRET_KEY` - Override of the auth secret key. If set, this value overrides any value set in the config.
 - `TORRUST_INDEX_DATABASE_DRIVER` - The database type used for the container, (options: `sqlite3`, `mysql`, default `sqlite3`). Please Note: This dose not override the database configuration within the `.toml` config file.
 - `TORRUST_INDEX_CONFIG` - Load config from this environmental variable instead from a file, (i.e: `TORRUST_INDEX_CONFIG=$(cat index-index.toml)`).
 - `USER_ID` - The user id for the runtime crated `torrust` user. Please Note: This user id should match the ownership of the host-mapped volumes, (default `1000`).
@@ -201,6 +202,7 @@ mkdir -p ./storage/index/lib/ ./storage/index/log/ ./storage/index/etc/
 ## Run Torrust Index Container Image
 docker run -it \
  --env TORRUST_INDEX_TRACKER_API_TOKEN="MySecretToken" \
+ --env TORRUST_INDEX_AUTH_SECRET_KEY="MaxVerstappenWC2021" \
  --env USER_ID="$(id -u)" \
  --publish 0.0.0.0:3001:3001/tcp \
  --volume ./storage/index/lib:/var/lib/torrust/index:Z \

share/default/config/index.container.mysql.toml

@@ -1,12 +1,12 @@
+# Please override the following settings with environmental variable!
+# tracker::token -> `TORRUST_INDEX_TRACKER_API_TOKEN`
+# auth::secret_key -> `TORRUST_INDEX_AUTH_SECRET_KEY`
+
 log_level = "info"
 
 [website]
 name = "Torrust"
 
-# Please override the tracker token setting the
-# `TORRUST_INDEX_TRACKER_API_TOKEN`
-# environmental variable!
-
 [tracker]
 url = "udp://tracker:6969"
 mode = "Public"

share/default/config/index.e2e.container.mysql.toml

@@ -1,12 +1,12 @@
+# Please override the following settings with environmental variable!
+# tracker::token -> `TORRUST_INDEX_TRACKER_API_TOKEN`
+# auth::secret_key -> `TORRUST_INDEX_AUTH_SECRET_KEY`
+
 log_level = "info"
 
 [website]
 name = "Torrust"
 
-# Please override the tracker token setting the
-# `TORRUST_INDEX_TRACKER_API_TOKEN`
-# environmental variable!
-
 [tracker]
 url = "udp://tracker:6969"
 mode = "Public"

share/default/config/index.e2e.container.sqlite3.toml

@@ -1,12 +1,12 @@
+# Please override the following settings with environmental variable!
+# tracker::token -> `TORRUST_INDEX_TRACKER_API_TOKEN`
+# auth::secret_key -> `TORRUST_INDEX_AUTH_SECRET_KEY`
+
 log_level = "info"
 
 [website]
 name = "Torrust"
 
-# Please override the tracker token setting the
-# `TORRUST_INDEX_TRACKER_API_TOKEN`
-# environmental variable!
-
 [tracker]
 url = "udp://tracker:6969"
 mode = "Public"

src/bootstrap/config.rs

@@ -13,6 +13,9 @@ const ENV_VAR_CONFIG: &str = "TORRUST_INDEX_CONFIG";
 /// Token needed to communicate with the Torrust Tracker
 const ENV_VAR_API_ADMIN_TOKEN: &str = "TORRUST_INDEX_TRACKER_API_TOKEN";
 
+/// Secret key used to encrypt and decrypt
+const ENV_VAR_AUTH_SECRET_KEY: &str = "TORRUST_INDEX_AUTH_SECRET_KEY";
+
 /// The `index.toml` file location.
 pub const ENV_VAR_PATH_CONFIG: &str = "TORRUST_INDEX_PATH_CONFIG";
 
@@ -44,6 +47,7 @@ pub fn initialize_configuration() -> Configuration {
  ENV_VAR_PATH_CONFIG.to_string(),
  DEFAULT_PATH_CONFIG.to_string(),
  ENV_VAR_API_ADMIN_TOKEN.to_string(),
+ ENV_VAR_AUTH_SECRET_KEY.to_string(),
  )
  .unwrap();
 

src/config.rs

@@ -15,6 +15,7 @@ use torrust_index_located_error::{Located, LocatedError};
 pub struct Info {
  index_toml: String,
  tracker_api_token: Option<String>,
+ auth_secret_key: Option<String>,
 }
 
 impl Info {
@@ -24,8 +25,8 @@ impl Info {
  ///
  /// ```no_run
  /// # use torrust_index::config::Info;
- /// # let (env_var_config, env_var_path_config, default_path_config, env_var_tracker_api_token) = ("".to_string(), "".to_string(), "".to_string(), "".to_string());
- /// let result = Info::new(env_var_config, env_var_path_config, default_path_config, env_var_tracker_api_token);
+ /// # let (env_var_config, env_var_path_config, default_path_config, env_var_tracker_api_token, env_var_auth_secret_key) = ("".to_string(), "".to_string(), "".to_string(), "".to_string(), "".to_string());
+ /// let result = Info::new(env_var_config, env_var_path_config, default_path_config, env_var_tracker_api_token, env_var_auth_secret_key);
  /// ```
  ///
  /// # Errors
@@ -38,6 +39,7 @@ impl Info {
  env_var_path_config: String,
  default_path_config: String,
  env_var_tracker_api_token: String,
+ env_var_auth_secret_key: String,
  ) -> Result<Self, Error> {
  let index_toml = if let Ok(index_toml) = env::var(&env_var_config) {
  println!("Loading configuration from env var {env_var_config} ...");
@@ -61,11 +63,14 @@ impl Info {
  .parse()
  .map_err(|_e: std::convert::Infallible| Error::Infallible)?
  };
+
  let tracker_api_token = env::var(env_var_tracker_api_token).ok();
+ let auth_secret_key = env::var(env_var_auth_secret_key).ok();
 
  Ok(Self {
  index_toml,
  tracker_api_token,
+ auth_secret_key,
  })
  }
 }
@@ -239,6 +244,12 @@ impl Default for Auth {
  }
 }
 
+impl Auth {
+ fn override_secret_key(&mut self, secret_key: &str) {
+ self.secret_key = secret_key.to_string();
+ }
+}
+
 /// Database configuration.
 #[derive(Debug, Clone, Serialize, Deserialize)]
 pub struct Database {
@@ -390,6 +401,10 @@ impl TorrustIndex {
  self.tracker.override_tracker_api_token(tracker_api_token);
  }
 
+ fn override_auth_secret_key(&mut self, auth_secret_key: &str) {
+ self.auth.override_secret_key(auth_secret_key);
+ }
+
  pub fn remove_secrets(&mut self) {
  self.tracker.token = "***".to_owned();
  self.database.connect_url = "***".to_owned();
@@ -457,7 +472,10 @@ impl Configuration {
  /// Loads the configuration from the `Info` struct. The whole
  /// configuration in toml format is included in the `info.index_toml` string.
  ///
- /// Optionally will override the tracker api token.
+ /// Optionally will override the:
+ ///
+ /// - Tracker api token.
+ /// - The auth secret key.
  ///
  /// # Errors
  ///
@@ -472,6 +490,10 @@ impl Configuration {
  index_config.override_tracker_api_token(token);
  };
 
+ if let Some(ref secret_key) = info.auth_secret_key {
+ index_config.override_auth_secret_key(secret_key);
+ };
+
  Ok(Configuration {
  settings: RwLock::new(index_config),
  config_path: None,

tests/e2e/config.rs

@@ -14,6 +14,9 @@ const ENV_VAR_CONFIG: &str = "TORRUST_INDEX_E2E_CONFIG";
 /// Token needed to communicate with the Torrust Tracker
 const ENV_VAR_API_ADMIN_TOKEN: &str = "TORRUST_INDEX_E2E_TRACKER_API_TOKEN";
 
+/// Secret key used to encrypt and decrypt
+const ENV_VAR_AUTH_SECRET_KEY: &str = "TORRUST_INDEX_E2E_AUTH_SECRET_KEY";
+
 /// The `index.toml` file location.
 pub const ENV_VAR_PATH_CONFIG: &str = "TORRUST_INDEX_E2E_PATH_CONFIG";
 
@@ -48,6 +51,7 @@ pub fn initialize_configuration() -> Configuration {
  ENV_VAR_PATH_CONFIG.to_string(),
  DEFAULT_PATH_CONFIG.to_string(),
  ENV_VAR_API_ADMIN_TOKEN.to_string(),
+ ENV_VAR_AUTH_SECRET_KEY.to_string(),
  )
  .unwrap();