Manage secrets outside of server_config.json

Author: barnabasdomozi

docs/web/server_config.md

@@ -115,3 +115,15 @@ By default the server will use the value from your host configured by the
 ## Authentication
 For authentication configuration options and which options can be reloaded see
 the [Authentication](authentication.md) documentation.
+
+## Secrets
+Optionally, one can store sensitive data (e.g., passwords, secret tokens) outside
+of `server_config.json`. To do this, create a separate `secrets.json` file 
+in the server's *workspace* folder. In `server_config.json`, replace sensitive data 
+with `$SECRET:NAME_OF_SECRET$`.
+Then, secrets can be defined in `secrets.json`, as an example:
+```json
+{
+  "NAME_OF_SECRET": "MySecurePassword123"
+}
+```

web/server/codechecker_server/server.py

@@ -1127,9 +1127,12 @@ def start_server(config_directory, package_data, port, config_sql_server,
                      "created at '%s'", server_cfg_file)
             shutil.copyfile(example_cfg_file, server_cfg_file)
 
+    secrets_file = os.path.join(config_directory, 'secrets.json')
+
     try:
         manager = session_manager.SessionManager(
             server_cfg_file,
+            secrets_file,
             force_auth)
 
     except IOError as ioerr:
@@ -1138,8 +1141,7 @@ def start_server(config_directory, package_data, port, config_sql_server,
                   "is missing or can not be read!")
         sys.exit(1)
     except ValueError as verr:
-        LOG.debug(verr)
-        LOG.error("The server's configuration file is invalid!")
+        LOG.error(verr)
         sys.exit(1)
 
     if not skip_db_cleanup:

web/server/codechecker_server/session_manager.py

@@ -163,7 +163,7 @@ class SessionManager:
     CodeChecker server.
     """
 
-    def __init__(self, configuration_file, force_auth=False):
+    def __init__(self, configuration_file, secrets_file, force_auth=False):
         """
         Initialise a new Session Manager on the server.
 
@@ -176,6 +176,7 @@ def __init__(self, configuration_file, force_auth=False):
         self.__logins_since_prune = 0
         self.__sessions = []
         self.__configuration_file = configuration_file
+        self.__secrets_file = secrets_file
 
         self.scfg_dict = self.__get_config_dict()
 
@@ -409,6 +410,38 @@ def __get_config_dict(self):
             # have been parsed from it.
             raise ValueError("Server configuration file was invalid, or "
                              "empty.")
+
+        LOG.debug(self.__secrets_file)
+        if os.path.exists(self.__secrets_file):
+            secrets_dict = load_json(self.__secrets_file, {})
+            check_file_owner_rw(self.__secrets_file)
+        else:
+            secrets_dict = {}
+
+        secret_re = re.compile(r'^\$SECRET:[a-zA-Z0-9_-]+\$$')
+
+        def resolve_secrets_failed(var):
+            if not os.path.exists(self.__secrets_file):
+                LOG.error("Secrets were used in server configuration file, "
+                          f"but {self.__secrets_file} does not exist!")
+
+            raise ValueError(f"Secret '{var}' could not "
+                "be resolved in server configuration file.")
+
+        def resolve_secrets(d):
+            items = d.items() if isinstance(d, dict) else enumerate(d)
+
+            for k, v in items:
+                if isinstance(v, dict) or isinstance(v, list):
+                    resolve_secrets(v)
+                elif isinstance(v, str) and secret_re.search(v):
+                    secret_var = v.split(':')[1][:-1]
+                    if secret_var in secrets_dict:
+                        d[k] = secrets_dict[secret_var]
+                    else:
+                        resolve_secrets_failed(secret_var)
+
+        resolve_secrets(cfg_dict)
         return cfg_dict
 
     def reload_config(self):