Import upstream commits (#79)

* ufs: improve error handling

Signed-off-by: Matthew Penner <me@matthewp.io>

* chore: remove outdated `wings-api.paw`

Signed-off-by: Matthew Penner <me@matthewp.io>

* chore: add `.editorconfig`

Signed-off-by: Matthew Penner <me@matthewp.io>

* feat: add support for loading token from env and file (`WINGS_TOKEN` and `WINGS_TOKEN_ID`)

Signed-off-by: Matthew Penner <me@matthewp.io>

* system: fix test relying on reflection to determine if mutex is locked

Signed-off-by: Matthew Penner <me@matthewp.io>

* fix: `Duplicated key token in config` panic

Signed-off-by: Matthew Penner <me@matthewp.io>

* fix: use of old `AuthenticationToken` value

Signed-off-by: Matthew Penner <me@matthewp.io>

* config: handle old `AuthenticationToken` value

Signed-off-by: Matthew Penner <me@matthewp.io>

* chore: avoid exiting if config file is not writable

---------

Signed-off-by: Matthew Penner <me@matthewp.io>
Co-authored-by: Matthew Penner <me@matthewp.io>

Author: QuintenQVD0

.editorconfig

@@ -0,0 +1,21 @@
+root = true
+
+[*]
+indent_style = tab
+indent_size = 4
+tab_width = 4
+end_of_line = lf
+charset = utf-8
+trim_trailing_whitespace = true
+insert_final_newline = true
+
+[*.go]
+max_line_length = 100
+
+[*.md]
+trim_trailing_whitespace = false
+
+[*.{md,nix,yaml}]
+indent_style = space
+indent_size = 2
+tab_width = 2

cmd/root.go

@@ -14,6 +14,7 @@ import (
 	"runtime"
 	"strconv"
 	"strings"
+	"syscall"
 	"time"
 
 	"github.com/NYTimes/logrotate"
@@ -127,6 +128,7 @@ func rootCmdRun(cmd *cobra.Command, _ []string) {
 
 	if err := config.ConfigureTimezone(); err != nil {
 		log.WithField("error", err).Fatal("failed to detect system timezone or use supplied configuration value")
+		return
 	}
 	log.WithField("timezone", config.Get().System.Timezone).Info("configured wings with system timezone")
 	if err := config.ConfigureDirectories(); err != nil {
@@ -135,6 +137,7 @@ func rootCmdRun(cmd *cobra.Command, _ []string) {
 	}
 	if err := config.EnsurePelicanUser(); err != nil {
 		log.WithField("error", err).Fatal("failed to create pelican system user")
+		return
 	}
 	log.WithFields(log.Fields{
 		"username": config.Get().System.Username,
@@ -146,29 +149,37 @@ func rootCmdRun(cmd *cobra.Command, _ []string) {
 		return
 	}
 
+	t := config.Get().Token
 	pclient := remote.New(
 		config.Get().PanelLocation,
-		remote.WithCredentials(config.Get().AuthenticationTokenId, config.Get().AuthenticationToken),
+		remote.WithCredentials(t.ID, t.Token),
 		remote.WithHttpClient(&http.Client{
 			Timeout: time.Second * time.Duration(config.Get().RemoteQuery.Timeout),
 		}),
 	)
 
 	if err := database.Initialize(); err != nil {
 		log.WithField("error", err).Fatal("failed to initialize database")
+		return
 	}
 
 	manager, err := server.NewManager(cmd.Context(), pclient)
 	if err != nil {
 		log.WithField("error", err).Fatal("failed to load server configurations")
+		return
 	}
 
 	if err := environment.ConfigureDocker(cmd.Context()); err != nil {
 		log.WithField("error", err).Fatal("failed to configure docker environment")
+		return
 	}
 
 	if err := config.WriteToDisk(config.Get()); err != nil {
-		log.WithField("error", err).Fatal("failed to write configuration to disk")
+		if !errors.Is(err, syscall.EROFS) {
+			log.WithField("error", err).Error("failed to write configuration to disk")
+		} else {
+			log.WithField("error", err).Debug("failed to write configuration to disk")
+		}
 	}
 
 	// Just for some nice log output.

config/config.go

@@ -1,6 +1,7 @@
 package config
 
 import (
+	"bytes"
 	"context"
 	"crypto/tls"
 	"fmt"
@@ -287,7 +288,14 @@ type ConsoleThrottles struct {
 	Period uint64 `json:"line_reset_interval" yaml:"line_reset_interval" default:"100"`
 }
 
+type Token struct {
+	ID    string
+	Token string
+}
+
 type Configuration struct {
+	Token Token `json:"-" yaml:"-"`
+
 	// The location from which this configuration instance was instantiated.
 	path string
 
@@ -375,21 +383,26 @@ func NewAtPath(path string) (*Configuration, error) {
 // will be paused until it is complete.
 func Set(c *Configuration) {
 	mu.Lock()
-	if _config == nil || _config.AuthenticationToken != c.AuthenticationToken {
-		_jwtAlgo = jwt.NewHS256([]byte(c.AuthenticationToken))
+	defer mu.Unlock()
+	token := c.Token.Token
+	if token == "" {
+		c.Token.Token = c.AuthenticationToken
+		token = c.Token.Token
+	}
+	if _config == nil || _config.Token.Token != token {
+		_jwtAlgo = jwt.NewHS256([]byte(token))
 	}
 	_config = c
-	mu.Unlock()
 }
 
 // SetDebugViaFlag tracks if the application is running in debug mode because of
 // a command line flag argument. If so we do not want to store that configuration
 // change to the disk.
 func SetDebugViaFlag(d bool) {
 	mu.Lock()
+	defer mu.Unlock()
 	_config.Debug = d
 	_debugViaFlag = d
-	mu.Unlock()
 }
 
 // Get returns the global configuration instance. This is a thread-safe operation
@@ -414,8 +427,8 @@ func Get() *Configuration {
 // the global configuration.
 func Update(callback func(c *Configuration)) {
 	mu.Lock()
+	defer mu.Unlock()
 	callback(_config)
-	mu.Unlock()
 }
 
 // GetJwtAlgorithm returns the in-memory JWT algorithm.
@@ -540,6 +553,26 @@ func FromFile(path string) error {
 		return err
 	}
 
+	c.Token = Token{
+		ID:    os.Getenv("WINGS_TOKEN_ID"),
+		Token: os.Getenv("WINGS_TOKEN"),
+	}
+	if c.Token.ID == "" {
+		c.Token.ID = c.AuthenticationTokenId
+	}
+	if c.Token.Token == "" {
+		c.Token.Token = c.AuthenticationToken
+	}
+
+	c.Token.ID, err = Expand(c.Token.ID)
+	if err != nil {
+		return err
+	}
+	c.Token.Token, err = Expand(c.Token.Token)
+	if err != nil {
+		return err
+	}
+
 	// Store this configuration in the global state.
 	Set(c)
 	return nil
@@ -748,3 +781,36 @@ func UseOpenat2() bool {
 		return true
 	}
 }
+
+// Expand expands an input string by calling [os.ExpandEnv] to expand all
+// environment variables, then checks if the value is prefixed with `file://`
+// to support reading the value from a file.
+//
+// NOTE: the order of expanding environment variables first then checking if
+// the value references a file is important. This behaviour allows a user to
+// pass a value like `file://${CREDENTIALS_DIRECTORY}/token` to allow us to
+// work with credentials loaded by systemd's `LoadCredential` (or `LoadCredentialEncrypted`)
+// options without the user needing to assume the path of `CREDENTIALS_DIRECTORY`
+// or use a preStart script to read the files for us.
+func Expand(v string) (string, error) {
+	// Expand environment variables within the string.
+	//
+	// NOTE: this may cause issues if the string contains `$` and doesn't intend
+	// on getting expanded, however we are using this for our tokens which are
+	// all alphanumeric characters only.
+	v = os.ExpandEnv(v)
+
+	// Handle files.
+	const filePrefix = "file://"
+	if strings.HasPrefix(v, filePrefix) {
+		p := v[len(filePrefix):]
+
+		b, err := os.ReadFile(p)
+		if err != nil {
+			return "", nil
+		}
+		v = string(bytes.TrimRight(bytes.TrimRight(b, "\r"), "\n"))
+	}
+
+	return v, nil
+}