Merge branch 'neo/env-token-configs' into 'master'

feat: support env token placeholders in DBLab configs

Closes #707

See merge request postgres-ai/database-lab!1140

Author: agneum

engine/cmd/cli/commands/config/environment.go

@@ -9,6 +9,7 @@ import (
 	"github.com/urfave/cli/v2"
 
 	"gitlab.com/postgres-ai/database-lab/v3/cmd/cli/commands"
+	"gitlab.com/postgres-ai/database-lab/v3/pkg/config/envvar"
 )
 
 // DefaultBranch defines the name of data branch.
@@ -32,6 +33,14 @@ type Environment struct {
 	Branching      Branching  `yaml:"branching" json:"branching"`
 }
 
+// ResolvedToken returns the token with "${VAR}" / "$VAR" environment
+// references expanded. It returns an error if any referenced variable is unset
+// so a missing env var fails loudly instead of silently producing an empty
+// token that would be rejected by the API as unauthorized.
+func (e Environment) ResolvedToken() (string, error) {
+	return envvar.ExpandStrict(e.Token)
+}
+
 // Forwarding defines configuration for port forwarding.
 type Forwarding struct {
 	ServerURL    string `yaml:"server_url" json:"server_url"`

engine/cmd/cli/commands/config/environment_test.go

@@ -0,0 +1,44 @@
+package config
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestEnvironmentResolvedToken(t *testing.T) {
+	t.Run("expands environment placeholders", func(t *testing.T) {
+		t.Setenv("DBLAB_TOKEN", "secret-from-env")
+
+		env := Environment{Token: "${DBLAB_TOKEN}"}
+
+		got, err := env.ResolvedToken()
+		require.NoError(t, err)
+		assert.Equal(t, "secret-from-env", got)
+	})
+
+	t.Run("preserves plain values", func(t *testing.T) {
+		env := Environment{Token: "plain-secret"}
+
+		got, err := env.ResolvedToken()
+		require.NoError(t, err)
+		assert.Equal(t, "plain-secret", got)
+	})
+
+	t.Run("empty token round-trips without lookup", func(t *testing.T) {
+		env := Environment{Token: ""}
+
+		got, err := env.ResolvedToken()
+		require.NoError(t, err)
+		assert.Empty(t, got)
+	})
+
+	t.Run("errors on unset variable", func(t *testing.T) {
+		env := Environment{Token: "${DBLAB_TOKEN_MISSING}"}
+
+		_, err := env.ResolvedToken()
+		require.Error(t, err)
+		assert.Contains(t, err.Error(), `"DBLAB_TOKEN_MISSING" is not set`)
+	})
+}

engine/cmd/cli/main.go

@@ -135,7 +135,12 @@ func loadEnvironmentParams(c *cli.Context) error {
 		}
 
 		if !c.IsSet(commands.TokenKey) {
-			if err := c.Set(commands.TokenKey, env.Token); err != nil {
+			token, err := env.ResolvedToken()
+			if err != nil {
+				return err
+			}
+
+			if err := c.Set(commands.TokenKey, token); err != nil {
 				return err
 			}
 		}

engine/configs/config.example.ci_checker.yml

@@ -15,15 +15,15 @@ app:
   # If the integration with Postgres.ai Platform is configured
   # (see below, "platform: ..." configuration),
   # tokens (including personal) generated on the Platform may be used.
-  verificationToken: "secret_token"
+  verificationToken: "${CI_CHECKER_VERIFICATION_TOKEN}"
 
 # Database Lab instance that starts clone to check DB migrations.
 dle:
   # URL of Database Lab API server
   url: "https://dblab.domain.com"
 
   # Secret token used to communicate with the Database Lab Engine API.
-  verificationToken: "checker_secret_token"
+  verificationToken: "${DBLAB_VERIFICATION_TOKEN}"
 
 # Integration with Postgres.ai Platform instance. It may be either
 # SaaS (https://postgres.ai) of self-managed instance (usually located inside
@@ -33,7 +33,7 @@ platform:
   url: "https://postgres.ai/api/general"
 
   # Postgres.ai Platform API secret token.
-  accessToken: "platform_access_token"
+  accessToken: "${PGAI_PLATFORM_ACCESS_TOKEN}"
 
   # Enable authorization with personal tokens of the organization's members.
   # If false: all users must use "verificationToken" value for any API request
@@ -47,7 +47,7 @@ source:
   type: "github"
 
   # Access token for getting source code from version control system.
-  token: "vcs_secret_token"
+  token: "${VCS_ACCESS_TOKEN}"
 
 runner:
   # Docker image containing tools for executing database migration commands.

engine/configs/config.example.logical_generic.yml

@@ -1,7 +1,7 @@
 # Copy this configuration to: ~/.dblab/engine/configs/server.yml
 # Configuration reference guide: https://postgres.ai/docs/reference-guides/database-lab-engine-configuration-reference
 server:
-  verificationToken: "secret_token" # Primary auth token; can be empty (not recommended); for multi-user mode, use DBLab EE
+  verificationToken: "${DBLAB_VERIFICATION_TOKEN}" # Primary auth token; can be empty (not recommended); for multi-user mode, use DBLab EE
   port: 2345 # API server port; default: "2345"
   disableConfigModification: false # When true, configuration changes via API/CLI/UI are disabled; default: "false"
 
@@ -191,6 +191,6 @@ platform:
 #
 #  projectName: "project_name" # Project name
 #  orgKey: "org_key" # Organization key
-#  accessToken: "platform_access_token" # Token for authorization in Platform API; get it at https://postgres.ai/console/YOUR_ORG_NAME/tokens
+#  accessToken: "${PGAI_PLATFORM_ACCESS_TOKEN}" # Token for authorization in Platform API; get it at https://postgres.ai/console/YOUR_ORG_NAME/tokens
 #  enablePersonalTokens: true # Enable authorization with personal tokens of the organization's members.
 #

engine/configs/config.example.logical_rds_iam.yml

@@ -1,7 +1,7 @@
 # Copy this configuration to: ~/.dblab/engine/configs/server.yml
 # Configuration reference guide: https://postgres.ai/docs/reference-guides/database-lab-engine-configuration-reference
 server:
-  verificationToken: "secret_token" # Primary auth token; can be empty (not recommended); for multi-user mode, use DBLab EE
+  verificationToken: "${DBLAB_VERIFICATION_TOKEN}" # Primary auth token; can be empty (not recommended); for multi-user mode, use DBLab EE
   port: 2345 # API server port; default: "2345"
   disableConfigModification: false # When true, configuration changes via API/CLI/UI are disabled; default: "false"
 
@@ -191,6 +191,6 @@ platform:
 #
 #  projectName: "project_name" # Project name
 #  orgKey: "org_key" # Organization key
-#  accessToken: "platform_access_token" # Token for authorization in Platform API; get it at https://postgres.ai/console/YOUR_ORG_NAME/tokens
+#  accessToken: "${PGAI_PLATFORM_ACCESS_TOKEN}" # Token for authorization in Platform API; get it at https://postgres.ai/console/YOUR_ORG_NAME/tokens
 #  enablePersonalTokens: true # Enable authorization with personal tokens of the organization's members.
 #

engine/configs/config.example.physical_generic.yml

@@ -1,7 +1,7 @@
 # Copy this configuration to: ~/.dblab/engine/configs/server.yml
 # Configuration reference guide: https://postgres.ai/docs/reference-guides/database-lab-engine-configuration-reference
 server:
-  verificationToken: "secret_token" # Primary auth token; can be empty (not recommended); for multi-user mode, use DBLab EE
+  verificationToken: "${DBLAB_VERIFICATION_TOKEN}" # Primary auth token; can be empty (not recommended); for multi-user mode, use DBLab EE
   port: 2345 # API server port; default: "2345"
   disableConfigModification: false # When true, configuration changes via API/CLI/UI are disabled; default: "false"
 
@@ -172,6 +172,6 @@ platform:
 #
 #  projectName: "project_name" # Project name
 #  orgKey: "org_key" # Organization key
-#  accessToken: "platform_access_token" # Token for authorization in Platform API; get it at https://postgres.ai/console/YOUR_ORG_NAME/tokens
+#  accessToken: "${PGAI_PLATFORM_ACCESS_TOKEN}" # Token for authorization in Platform API; get it at https://postgres.ai/console/YOUR_ORG_NAME/tokens
 #  enablePersonalTokens: true # Enable authorization with personal tokens of the organization's members.
 #

engine/configs/config.example.physical_pgbackrest.yml

@@ -1,7 +1,7 @@
 # Copy this configuration to: ~/.dblab/engine/configs/server.yml
 # Configuration reference guide: https://postgres.ai/docs/reference-guides/database-lab-engine-configuration-reference
 server:
-  verificationToken: "secret_token" # Primary auth token; can be empty (not recommended); for multi-user mode, use DBLab EE
+  verificationToken: "${DBLAB_VERIFICATION_TOKEN}" # Primary auth token; can be empty (not recommended); for multi-user mode, use DBLab EE
   port: 2345 # API server port; default: "2345"
   disableConfigModification: false # When true, configuration changes via API/CLI/UI are disabled; default: "false"
 
@@ -202,6 +202,6 @@ platform:
 #
 #  projectName: "project_name" # Project name
 #  orgKey: "org_key" # Organization key
-#  accessToken: "platform_access_token" # Token for authorization in Platform API; get it at https://postgres.ai/console/YOUR_ORG_NAME/tokens
+#  accessToken: "${PGAI_PLATFORM_ACCESS_TOKEN}" # Token for authorization in Platform API; get it at https://postgres.ai/console/YOUR_ORG_NAME/tokens
 #  enablePersonalTokens: true # Enable authorization with personal tokens of the organization's members.
 #

engine/configs/config.example.physical_walg.yml

@@ -1,7 +1,7 @@
 # Copy this configuration to: ~/.dblab/engine/configs/server.yml
 # Configuration reference guide: https://postgres.ai/docs/reference-guides/database-lab-engine-configuration-reference
 server:
-  verificationToken: "secret_token" # Primary auth token; can be empty (not recommended); for multi-user mode, use DBLab EE
+  verificationToken: "${DBLAB_VERIFICATION_TOKEN}" # Primary auth token; can be empty (not recommended); for multi-user mode, use DBLab EE
   port: 2345 # API server port; default: "2345"
   disableConfigModification: false # When true, configuration changes via API/CLI/UI are disabled; default: "false"
 
@@ -175,6 +175,6 @@ platform:
 #
 #  projectName: "project_name" # Project name
 #  orgKey: "org_key" # Organization key
-#  accessToken: "platform_access_token" # Token for authorization in Platform API; get it at https://postgres.ai/console/YOUR_ORG_NAME/tokens
+#  accessToken: "${PGAI_PLATFORM_ACCESS_TOKEN}" # Token for authorization in Platform API; get it at https://postgres.ai/console/YOUR_ORG_NAME/tokens
 #  enablePersonalTokens: true # Enable authorization with personal tokens of the organization's members.
 #

engine/internal/runci/config.go

@@ -13,6 +13,7 @@ import (
 
 	"gitlab.com/postgres-ai/database-lab/v3/internal/platform"
 	"gitlab.com/postgres-ai/database-lab/v3/internal/runci/source"
+	"gitlab.com/postgres-ai/database-lab/v3/pkg/config/envvar"
 	"gitlab.com/postgres-ai/database-lab/v3/pkg/util"
 )
 
@@ -67,5 +68,14 @@ func LoadConfiguration() (*Config, error) {
 		return nil, errors.WithMessagef(err, "error parsing %s config", configPath)
 	}
 
+	if err := envvar.ExpandFields([]envvar.Field{
+		{Name: "app.verificationToken", Ptr: &cfg.App.VerificationToken},
+		{Name: "dle.verificationToken", Ptr: &cfg.DLE.VerificationToken},
+		{Name: "platform.accessToken", Ptr: &cfg.Platform.AccessToken},
+		{Name: "source.token", Ptr: &cfg.Source.Token},
+	}); err != nil {
+		return nil, errors.Wrap(err, "failed to resolve environment placeholders")
+	}
+
 	return cfg, nil
 }