Skip to content

Manage secrets outside of server_config.json #4633

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
bruntib merged 5 commits into from
Aug 7, 2025
Merged

Manage secrets outside of server_config.json #4633

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
58f71ca
Manage secrets outside of server_config.json
barnabasdomozi Jul 15, 2025
f45126b
Also read secrets from environmental variables.
barnabasdomozi Jul 18, 2025
8dd17bc
Fix minor styling issue in resolve_variables
barnabasdomozi Jul 30, 2025
bc8ac1f
Fix lint test
barnabasdomozi Jul 30, 2025
1aa7514
Extended docs with an example dictionary secret
barnabasdomozi Aug 6, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
29 changes: 29 additions & 0 deletions docs/web/server_config.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -115,3 +115,32 @@ By default the server will use the value from your host configured by the
## Authentication
For authentication configuration options and which options can be reloaded see
the [Authentication](authentication.md) documentation.

## Secrets

### server_secrets.json
Optionally, one can store sensitive data (e.g., passwords, secret tokens) outside
of `server_config.json`. To do this, create a separate `server_secrets.json` file
in the server's *workspace* folder. In `server_config.json`, replace sensitive data
with `$SECRET:NAME_OF_SECRET$`.
Then, secrets can be defined in `server_secrets.json`, as an example:
```json
{
"NAME_OF_SECRET": "MySecurePassword123"
}
```
Alternatively, one can also define entire sections as a secret, for instance:
```json
{
"NAME_OF_SECRET": {
"enabled" : true,
"client_id" : "<ExampleClientID>",
"client_secret": "<ExampleClientSecret>"
}
}
```

### Environmental variables
Alternatively, CodeChecker can also read sensitive data from environmental variables.
To do this, replace sensitive data in `server_config.json` with `$ENV:VARIABLE_NAME$`.
In this case, value will be read from environmental variable `VARIABLE_NAME`.
6 changes: 4 additions & 2 deletions web/server/codechecker_server/server.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1127,9 +1127,12 @@ def start_server(config_directory, package_data, port, config_sql_server,
"created at '%s'", server_cfg_file)
shutil.copyfile(example_cfg_file, server_cfg_file)

server_secrets_file = os.path.join(config_directory, 'server_secrets.json')

try:
manager = session_manager.SessionManager(
server_cfg_file,
server_secrets_file,
force_auth)

except IOError as ioerr:
Expand All @@ -1138,8 +1141,7 @@ def start_server(config_directory, package_data, port, config_sql_server,
"is missing or can not be read!")
sys.exit(1)
except ValueError as verr:
LOG.debug(verr)
LOG.error("The server's configuration file is invalid!")
LOG.error(verr)
sys.exit(1)

if not skip_db_cleanup:
Expand Down
43 changes: 42 additions & 1 deletion web/server/codechecker_server/session_manager.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -163,7 +163,7 @@ class SessionManager:
CodeChecker server.
"""

def __init__(self, configuration_file, force_auth=False):
def __init__(self, configuration_file, secrets_file, force_auth=False):
"""
Initialise a new Session Manager on the server.

Expand All @@ -176,6 +176,7 @@ def __init__(self, configuration_file, force_auth=False):
self.__logins_since_prune = 0
self.__sessions = []
self.__configuration_file = configuration_file
self.__secrets_file = secrets_file

self.scfg_dict = self.__get_config_dict()

Expand Down Expand Up @@ -409,6 +410,46 @@ def __get_config_dict(self):
# have been parsed from it.
raise ValueError("Server configuration file was invalid, or "
"empty.")

LOG.debug(self.__secrets_file)
if os.path.exists(self.__secrets_file):
secrets_dict = load_json(self.__secrets_file, {})
check_file_owner_rw(self.__secrets_file)
else:
secrets_dict = {}
Comment thread
Discookie marked this conversation as resolved.

secret_re = re.compile(r'^\$SECRET:[a-zA-Z0-9_-]+\$$')
env_re = re.compile(r'^\$ENV:[a-zA-Z0-9_-]+\$$')

def resolve_variables_failed(var):
if (secret_re.search(var) and
not os.path.exists(self.__secrets_file)):
LOG.error("Secrets were used in server configuration file, "
f"but {self.__secrets_file} does not exist!")

raise ValueError(f"Variable '{var}' could not "
"be resolved in server configuration file.")

def resolve_variables(d):
items = d.items() if isinstance(d, dict) else enumerate(d)

for k, v in items:
if isinstance(v, (dict, list)):
resolve_variables(v)
elif isinstance(v, str):
secret_matched = secret_re.search(v)
env_matched = env_re.search(v)

if secret_matched or env_matched:
var_name = v.split(':')[1][:-1]
if secret_matched and var_name in secrets_dict:
d[k] = secrets_dict[var_name]
elif env_matched and var_name in os.environ:
d[k] = os.environ[var_name]
else:
resolve_variables_failed(v)

resolve_variables(cfg_dict)
return cfg_dict

def reload_config(self):
Expand Down
Loading