feat: allow usage of a environment variable or secret for sensitive p…

…arams

Signed-off-by: Thibault Piron <[email protected]>

ldapauth.go

@@ -46,6 +46,7 @@ type Config struct {
 	CacheCookiePath            string   `json:"cacheCookiePath,omitempty" yaml:"cacheCookiePath,omitempty"`
 	CacheCookieSecure          bool     `json:"cacheCookieSecure,omitempty" yaml:"cacheCookieSecure,omitempty"`
 	CacheKey                   string   `json:"cacheKey,omitempty" yaml:"cacheKey,omitempty"`
+	CacheKeyLabel              string   `json:"cacheKeyLabel,omitempty" yaml:"cacheKeyLabel,omitempty"`
 	UseTLS                     bool     `json:"useTls,omitempty" yaml:"useTls,omitempty"`
 	StartTLS                   bool     `json:"startTls,omitempty" yaml:"startTls,omitempty"`
 	CertificateAuthority       string   `json:"certificateAuthority,omitempty" yaml:"certificateAuthority,omitempty"`
@@ -55,6 +56,7 @@ type Config struct {
 	BaseDN                     string   `json:"baseDn,omitempty" yaml:"baseDn,omitempty"`
 	BindDN                     string   `json:"bindDn,omitempty" yaml:"bindDn,omitempty"`
 	BindPassword               string   `json:"bindPassword,omitempty" yaml:"bindPassword,omitempty"`
+	BindPasswordLabel          string   `json:"bindPasswordLabel,omitempty" yaml:"bindPasswordLabel,omitempty"`
 	ForwardUsername            bool     `json:"forwardUsername,omitempty" yaml:"forwardUsername,omitempty"`
 	ForwardUsernameHeader      string   `json:"forwardUsernameHeader,omitempty" yaml:"forwardUsernameHeader,omitempty"`
 	ForwardAuthorization       bool     `json:"forwardAuthorization,omitempty" yaml:"forwardAuthorization,omitempty"`
@@ -78,6 +80,7 @@ func CreateConfig() *Config {
 		CacheCookiePath:            "",
 		CacheCookieSecure:          false,
 		CacheKey:                   "super-secret-key",
+		CacheKeyLabel:              "LDAP_AUTH_CACHE_KEY",
 		UseTLS:                     false,
 		StartTLS:                   false,
 		CertificateAuthority:       "",
@@ -87,6 +90,7 @@ func CreateConfig() *Config {
 		BaseDN:                     "",
 		BindDN:                     "",
 		BindPassword:               "",
+		BindPasswordLabel:          "LDAP_AUTH_BIND_PASSWORD",
 		ForwardUsername:            true,
 		ForwardUsernameHeader:      "Username",
 		ForwardAuthorization:       false,
@@ -112,6 +116,22 @@ func New(ctx context.Context, next http.Handler, config *Config, name string) (h
 
 	LoggerINFO.Printf("Starting %s Middleware...", name)
 
+	if config.BindDN != "" && config.BindPassword == "" {
+		bindPasswordLabel := "LDAP_AUTH_BIND_PASSWORD"
+		if config.BindPasswordLabel != "" {
+			bindPasswordLabel = config.BindPasswordLabel
+		}
+		config.BindPassword = getSecret(bindPasswordLabel)
+	}
+
+	if config.CacheKey != "" {
+		cacheKeyLabel := "LDAP_AUTH_CACHE_KEY"
+		if config.CacheKeyLabel != "" {
+			cacheKeyLabel = config.CacheKeyLabel
+		}
+		config.CacheKey = getSecret(cacheKeyLabel)
+	}
+
 	LogConfigParams(config)
 
 	// Create new session with CacheKey and CacheTimeout.
@@ -557,3 +577,19 @@ func LogConfigParams(config *Config) {
 		LoggerDEBUG.Printf(fmt.Sprint(typeOfS.Field(i).Name, " => '", v.Field(i).Interface(), "'"))
 	}
 }
+
+// retrieve a secret value from environment variable or secret on the FS
+func getSecret(label string) string {
+	bindPassword := os.Getenv(strings.ToUpper(label))
+
+	if bindPassword != "" {
+		return bindPassword
+	}
+
+	b, err := os.ReadFile(fmt.Sprintf("/run/secrets/%s", strings.ToLower(label)))
+	if err != nil {
+		LoggerERROR.Printf("could not load secret %s: %s", label, err)
+		return ""
+	}
+	return strings.TrimSpace(string(b))
+}

readme.md

@@ -161,6 +161,23 @@ Needs `traefik` >= [`v2.8.5`](https://github.com/traefik/traefik/releases/tag/v2
 _Optional, Default: `super-secret-key`_
 
 The key used to encrypt session cookie information. You `must` use a strong value here.
+You can also use a secret or a environment variable, see `bindPasswordLabel`.
+
+
+#### `cacheKeyLabel`
+
+_Optional, Default: `"LDAP_AUTH_CACHE_KEY"`_
+
+Only used when `cacheKey` is not set.
+This allow the user to choose the name or the environment variable or the file name.
+To be consistent with other traefik plugins, the environment variable should be upper case, and file name lower case.
+
+Example:
+cacheKeyLabel=my_cache_key_label
+The environment variable `MY_CACHE_KEY_LABEL` or a file containing the password should be mounted to `/run/secrets/my_cache_key_label`.
+Typically, with docker you can use a secret named `my_cache_key_label`.
+
+The environment variable will be used if both options are set.
 
 ##### `useTLS`
 _Optional, Default: `false`_
@@ -244,6 +261,21 @@ The domain name to bind to in order to authenticate to the LDAP server when runn
 _Optional, Default: `""`_
 
 The password corresponding to the `bindDN` specified when running in [`Search Mode`](#search-mode), is used in order to authenticate to the LDAP server.
+You can also use a secret or a environment variable, see `bindPasswordLabel`.
+
+##### `bindPasswordLabel`
+_Optional, Default: `"LDAP_AUTH_BIND_PASSWORD"`_
+
+Only used when `bindDN` is not empty, and `bindPassword` is not set.
+This allow the user to choose the name or the environment variable or the file name.
+To be consistent with other traefik plugins, the environment variable should be upper case, and file name lower case.
+
+Example:
+bindPasswordLabel=my_bind_password_label
+The environment variable `MY_BIND_PASSWORD_LABEL` or a file containing the password should be mounted to `/run/secrets/my_bind_password_label`.
+Typically, with docker you can use a secret named `my_bind_password_label`.
+
+The environment variable will be used if both options are set.
 
 ##### `forwardUsername`