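--- a/lib/Command/UpsertProvider.php
+++ b/lib/Command/UpsertProvider.php
@@ -178,6 +178,8 @@ protected function configure() {
 ->addArgument('identifier', InputArgument::OPTIONAL, 'Administrative identifier name of the provider in the setup')
 ->addOption('clientid', 'c', InputOption::VALUE_REQUIRED, 'OpenID client identifier')
 ->addOption('clientsecret', 's', InputOption::VALUE_REQUIRED, 'OpenID client secret')
+->addOption('clientsecret-file', null, InputOption::VALUE_REQUIRED, 'File that contains the OpenID client secret')
+->addOption('clientsecret-env', null, InputOption::VALUE_REQUIRED, 'Environment variable that contains the OpenID client secret')
 ->addOption('discoveryuri', 'd', InputOption::VALUE_REQUIRED, 'OpenID discovery endpoint uri')
 ->addOption('endsessionendpointuri', 'e', InputOption::VALUE_REQUIRED, 'OpenID end session endpoint uri')
 ->addOption('postlogouturi', 'p', InputOption::VALUE_REQUIRED, 'Post logout URI')
@@ -192,10 +194,11 @@ protected function execute(InputInterface $input, OutputInterface $output) {
 $outputFormat = $input->getOption('output') ?? 'table';
 
 $identifier = $input->getArgument('identifier');
-$clientid = $input->getOption('clientid');
-$clientsecret = $input->getOption('clientsecret');
-if ($clientsecret !== null) {
-$clientsecret = $this->crypto->encrypt($clientsecret);
+$clientId = $input->getOption('clientid');
+try {
+$clientSecret = $this->getClientSecretInput($input, $output);
+} catch (\Exception $e) {
+return 1;
 }
 $discoveryuri = $input->getOption('discoveryuri');
 $endsessionendpointuri = $input->getOption('endsessionendpointuri');
@@ -218,7 +221,7 @@ protected function execute(InputInterface $input, OutputInterface $output) {
 try {
 $provider = $this->providerMapper->findProviderByIdentifier($identifier);
 } catch (DoesNotExistException $e) {
-$output->writeln('Provider not found');
+$output->writeln('<error>Provider not found</error>');
 return -1;
 }
 $provider = $this->providerService->getProviderWithSettings($provider->getId());
@@ -250,7 +253,7 @@ protected function execute(InputInterface $input, OutputInterface $output) {
 }
 try {
 $provider = $this->providerMapper->createOrUpdateProvider(
-$identifier, $clientid, $clientsecret, $discoveryuri, $scope, $endsessionendpointuri, $postLogoutUri
+$identifier, $clientId, $clientSecret, $discoveryuri, $scope, $endsessionendpointuri, $postLogoutUri
 );
 // invalidate JWKS cache (even if it was just created)
 $this->providerService->setSetting($provider->getId(), ProviderService::SETTING_JWKS_CACHE, '');
@@ -287,7 +290,7 @@ private function listProviders(InputInterface $input, OutputInterface $output) {
 }
 
 if (count($providers) === 0) {
-$output->writeln('No providers configured');
+$output->writeln('<error>No providers configured</error>');
 return 0;
 }
 
@@ -306,4 +309,45 @@ private function listProviders(InputInterface $input, OutputInterface $output) {
 $table->render();
 return 0;
 }
+
+private function getClientSecretInput(InputInterface $input, OutputInterface $output): ?string {
+$clientSecret = $input->getOption('clientsecret');
+$clientSecretFile = $input->getOption('clientsecret-file');
+$clientSecretEnv = $input->getOption('clientsecret-env');
+if (
+($clientSecret !== null && $clientSecretFile !== null)
+|| ($clientSecret !== null && $clientSecretEnv !== null)
+|| ($clientSecretFile !== null && $clientSecretEnv !== null)
+) {
+$output->writeln('<comment>Only one of "--clientsecret", "--clientsecret-file" or "--clientsecret-env" can be used.</comment>');
+throw new \Exception();
+}
+if ($clientSecret !== null) {
+$clientSecret = $this->crypto->encrypt($clientSecret);
+}
+if ($clientSecretFile) {
+$clientSecret = file_get_contents($clientSecretFile);
+if (is_string($clientSecret) && $clientSecret !== '') {
+$clientSecret = trim($clientSecret);
+$clientSecret = $this->crypto->encrypt($clientSecret);
+$output->writeln('<info>Client secret loaded from file "' . $clientSecretFile . '"</info>');
+} else {
+$output->writeln('<error>Client secret file "' . $clientSecretFile . '" could not be read or is empty</error>');
+throw new \Exception();
+}
+}
+if ($clientSecretEnv) {
+$clientSecret = getenv($clientSecretEnv);
+if (is_string($clientSecret) && $clientSecret !== '') {
+$clientSecret = trim($clientSecret);
+$clientSecret = $this->crypto->encrypt($clientSecret);
+$output->writeln('<info>Client secret loaded from environment variable "' . $clientSecretEnv . '"</info>');
+} else {
+$output->writeln('<error>Client secret environment variable "' . $clientSecretFile . '" could not be read or is empty</error>');
+throw new \Exception();
+}
+}
+
+return $clientSecret;
+}
 }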
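Review bot: In getClientSecretInput the emptiness check runs before trim() in both the file and the env branches, so a secret file that holds only a trailing newline (or a variable set to whitespace) passes the `$clientSecret !== ''` test, is trimmed to `''`, and an encrypted empty secret is silently written to the provider; trim first and test afterwards, e.g. `$raw = file_get_contents($clientSecretFile); $clientSecret = is_string($raw) ? trim($raw) : '';` followed by `if ($clientSecret !== '')`, and the same shape around `getenv($clientSecretEnv)`. The env-branch error message also interpolates `$clientSecretFile` (which is null on that path) instead of `$clientSecretEnv`, so the admin is told that variable `""` could not be read; change it to `'<error>Client secret environment variable "' . $clientSecretEnv . '" could not be read or is empty</error>'`. The `if ($clientSecretFile)` / `if ($clientSecretEnv)` truthiness tests disagree with the `!== null` tests used for the exclusivity check a few lines above; using `!== null` throughout keeps a path such as `0` from being treated as "not given". Since the point of these options is to keep the secret out of `ps` output and shell history, the `--clientsecret` help text could say so, e.g. `'OpenID client secret (visible in the process list; prefer --clientsecret-file or --clientsecret-env)'`.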