Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Reading secret from stdin is broken when database configuration is enabled #2126

Closed
wolfgangwalther opened this issue Jan 16, 2022 · 3 comments
Closed

Reading secret from stdin is broken when database configuration is enabled #2126

wolfgangwalther opened this issue Jan 16, 2022 · 3 comments
Labels
bug config related to the configuration options

Comments

@wolfgangwalther
Copy link
Member

While hacking on #2112 I noticed this is broken. Run the following in nix-shell:

echo "test" | PGRST_DB_CONFIG=false postgrest-with-postgresql-14 -f test/io/fixtures.sql \
  postgrest-run --dump-config test/io/configs/secret-from-file.config
...
jwt-secret = "test" # expected
...

echo "test" | PGRST_DB_CONFIG=true postgrest-with-postgresql-14 -f test/io/fixtures.sql \
  postgrest-run --dump-config test/io/configs/secret-from-file.config
...
jwt-secret = "" # bad!
...

I assume it's because reading from @/dev/stdin doesn't work twice... but that's what we're doing when re-loading the config from the database. That makes me wonder whether reloading the config via signal works. I guess it doesn't either... - just confirmed that. It doesn't work either.

So basically reading the secret from @/dev/stdin (as we do in the io tests) is broken in many ways. Now I wonder - do we actually officially support that at all? I can't find anything in the docs about it.

I'm leaning towards just rewriting the test-cases here and maybe adding a hint in the docs, that reading from @/dev/stdin is not supported.
@wolfgangwalther wolfgangwalther added bug config related to the configuration options labels Jan 16, 2022
wolfgangwalther added a commit to wolfgangwalther/postgrest that referenced this issue Jan 16, 2022
@wolfgangwalther
test: Make io tests use environment variables instead of config files…
b49aba0 
… where possible.

Load jwt secret from file instead of stdin in tests, because stdin is not supported when reloading the config. Resolves PostgREST#2126.
@steve-chavez
Copy link
Member

that reading from @/dev/stdin is not supported.

How about leaving it as a bug? Not so long ago I recommended @/dev/stdin to a company that didn't want the secret to be stored in any way(no env var or db or logs).

I remember testing this before and the tests helped me in not breaking it.. a regression must have happened somewhere.

@wolfgangwalther
Copy link
Member Author

a regression must have happened somewhere.

That "regression" was the addition of reloading the config file. It must be broken since then. It's quite simple:

We don't make any difference between reading from a regular file and reading from @/dev/stdin anywhere in the code. Reading the same regular file twice will return the same token - but reading @/dev/stdin a second time will not.

The tests have always only accounted for that first read - but never for the reload. So it has been broken ever since.

@wolfgangwalther
Copy link
Member Author

Because I needed to refactor the tests a little bit, I added a more explicit test to read the secret from stdin together with a (currently skipped) test that demonstrates the failure case in #2112.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug config related to the configuration options
Milestone
No milestone
Development

No branches or pull requests
2 participants
@steve-chavez @wolfgangwalther