feat(config): Support environment variable replacement syntax. (#343)

Replace placeholder in configuration of the form "${MY_ENV_VAR}" with the actual environment variable.

Closes #332

Signed-off-by: Lennard Eijsackers <[email protected]>

Author: Blokje5

config/config.go

@@ -1,9 +1,11 @@
 package config
 
 import (
+	"bytes"
 	"crypto/tls"
 	"fmt"
 	"os"
+	"regexp"
 	"strings"
 	"time"
 
@@ -1131,6 +1133,9 @@ func LoadFile(filename string) (*Config, error) {
 	if err != nil {
 		return nil, err
 	}
+
+	content = findAndReplacePlaceholders(content)
+
 	cfg := &Config{}
 	if err := yaml.Unmarshal(content, cfg); err != nil {
 		return nil, err
@@ -1162,6 +1167,22 @@ func LoadFile(filename string) (*Config, error) {
 	return cfg, nil
 }
 
+var envVarRegex = regexp.MustCompile(`\${([a-zA-Z_][a-zA-Z0-9_]*)}`)
+
+// findAndReplacePlaceholders finds all environment variables placeholders in the config.
+// Each placeholder is a string like ${VAR_NAME}. They will be replaced with the value of the
+// corresponding environment variable. It returns the new content with replaced placeholders.
+func findAndReplacePlaceholders(content []byte) []byte {
+	for _, match := range envVarRegex.FindAllSubmatch(content, -1) {
+		envVar := os.Getenv(string(match[1]))
+		if envVar != "" {
+			content = bytes.ReplaceAll(content, match[0], []byte(envVar))
+		}
+	}
+
+	return content
+}
+
 func (c Config) checkVulnerabilities() error {
 	if c.HackMePlease {
 		return nil

config/config_test.go

@@ -4,6 +4,7 @@ import (
 	"bytes"
 	"fmt"
 	"net"
+	"os"
 	"testing"
 	"time"
 
@@ -932,3 +933,32 @@ connection_pool:
 
 	}
 }
+
+func TestConfigReplaceEnvVars(t *testing.T) {
+	var testCases = []struct {
+		name             string
+		file             string
+		expectedPassword string
+	}{
+		{
+			"replace env vars with the style of ${}",
+			"testdata/envvars.simple.yml",
+			"MyPassword",
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			os.Setenv("CHPROXY_PASSWORD", tc.expectedPassword)
+
+			cfg, err := LoadFile(tc.file)
+			if err != nil {
+				t.Fatalf("unexpected error: %s", err)
+			}
+			got := cfg.Users[0].Password
+			if got != tc.expectedPassword {
+				t.Fatalf("got password %v; expected to have: %v", got, tc.expectedPassword)
+			}
+		})
+	}
+}

config/testdata/envvars.simple.yml

@@ -0,0 +1,14 @@
+server:
+  http:
+    listen_addr: ":8080"
+    allowed_networks: ["127.0.0.1"]
+
+users:
+  - name: "default"
+    password: ${CHPROXY_PASSWORD}
+    to_cluster: "cluster"
+    to_user: "default"
+
+clusters:
+  - name: "cluster"
+    nodes: ["127.0.0.1:8123"]

docs/content/en/configuration/security.md

@@ -13,3 +13,13 @@ By default `chproxy` tries detecting the most obvious configuration errors such
 
 Special option `hack_me_please: true` may be used for disabling all the security-related checks during config validation (if you are feeling lucky :) ).
 
+For sensitive configuration options, such as user passwords, chproxy supports loading configuration from environment variables. In order to load a configuration variable from a environment variable, a placeholder needs to be put in it's place
+in the configuration file. Placeholder are of the form `${ENV_VAR_NAME}`. As an example, to load a user password from the environment variable `MY_PASSWORD` you can use a placeholder as in the following snippet:
+
+```yaml
+users:
+  - name: "default"
+    password: ${MY_PASSWORD}
+```
+
+This will be replaced by the actual environment variable once the configuration is (re)loaded from disk. If the environment variable isn't found the placeholder will remain and won't be replaced.