
From:
Stefan Sperling <stsp@stsp.name>
Subject:
Re: RFC: secrets for gotd
To:
Omar Polo <op@omarpolo.com>
Cc:
gameoftrees@openbsd.org
Date:
Mon, 26 Aug 2024 09:13:51 +0200


On Sun, Aug 25, 2024 at 11:19:20PM +0200, Omar Polo wrote:
> At that point, why not also use a {}-style syntax for the secret file
> too?  It helps to visually distinguish the entries that are used for
> hmac and HTTP auth.
> 
> but also something more smtpd-table could work for me.
> 
> 	# /etc/gotd.secrets.conf
> 	flan		s3cr3tp4ssw0rd
> 	secret1		<hmac-secret>
> 	...
> 

I think a distinct syntax like this would be better. Otherwise, users
could be misled into assuming secrets could be added inline to the
main config file, while we really must require a separate file to
satisfy gitwrapper.

To keep the types of secrets visually distinct we could use a
parse.y METHOD NAME STRING syntax, where METHOD indicates the
type of authentication credential:

 	auth flan "s3cr3tp4ssw0rd"
 	hmac secret1 "hmac-secret"

Perhaps we should even have separate parse.y files for secrets and
the main config file, rather than including the secrets file in the
main config somehow like smtpd-style tables would do.
Upon startup, if the secrets file is present then gotd would parse the
secrets first, then parse /etc/gotd.conf with all secrets available
for validation.
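The METHOD NAME STRING syntax proposed in this message, and the startup order it describes (parse the secrets file first, then validate references while parsing /etc/gotd.conf), as an added example that is not part of this thread and not got/gotd code. gotd itself would express the grammar in parse.y; this is a small hand-written C parser that shows the same data model and the lookup the gotd.conf pass would need. Function names, the in-memory table, the `EOL` helper macro and the sample file contents are assumptions for illustration. It goes slightly beyond the message by also rejecting unknown METHOD keywords, unterminated strings, trailing junk and duplicate names, which are the error cases a real parser would have to report.

```c
/*
 * Added example, not gotd's own code: a hand-written parser for the
 * proposed "METHOD NAME STRING" secrets syntax (gotd would use parse.y),
 * plus the lookup that gotd.conf validation needs once secrets are loaded.
 */
#include <ctype.h>
#include <string.h>

#define EOL(c) ((c) == '\0' || (c) == '\n')   /* assumed helper: end of line */
#define MAX_SECRETS 32

enum secret_type { SECRET_AUTH, SECRET_HMAC };

struct secret {
	enum secret_type type;
	char name[64];
	char value[256];
};

static struct secret secrets[MAX_SECRETS];
static int nsecrets;

/* Lookup by type and name; NULL means gotd.conf refers to an undefined secret. */
const struct secret *
secret_lookup(enum secret_type type, const char *name)
{
	for (int i = 0; i < nsecrets; i++)
		if (secrets[i].type == type && strcmp(secrets[i].name, name) == 0)
			return &secrets[i];
	return NULL;
}

/* Parse one line (up to '\n' or NUL): 1 = entry in *out, 0 = blank/comment, -1 = error. */
int
parse_secret_line(const char *line, struct secret *out)
{
	const char *p = line;
	char method[8];
	size_t n = 0;
	while (isblank((unsigned char)*p)) p++;
	if (EOL(*p) || *p == '#') return 0;
	/* METHOD: only the two known credential types are accepted. */
	while (isalpha((unsigned char)*p) && n < sizeof(method) - 1)
		method[n++] = *p++;
	method[n] = '\0';
	if (strcmp(method, "auth") == 0)
		out->type = SECRET_AUTH;
	else if (strcmp(method, "hmac") == 0)
		out->type = SECRET_HMAC;
	else
		return -1;
	if (!isblank((unsigned char)*p)) return -1;
	/* NAME: the identifier gotd.conf will reference. */
	while (isblank((unsigned char)*p)) p++;
	for (n = 0; (isalnum((unsigned char)*p) || *p == '_' || *p == '-') &&
	    n < sizeof(out->name) - 1; )
		out->name[n++] = *p++;
	out->name[n] = '\0';
	if (n == 0 || !isblank((unsigned char)*p)) return -1;
	/* STRING: double-quoted; this toy parser supports no escapes. */
	while (isblank((unsigned char)*p)) p++;
	if (*p++ != '"') return -1;
	for (n = 0; *p != '"' && !EOL(*p) && n < sizeof(out->value) - 1; )
		out->value[n++] = *p++;
	out->value[n] = '\0';
	if (*p++ != '"') return -1;
	while (isblank((unsigned char)*p)) p++;
	return EOL(*p) ? 1 : -1;
}

/* Load an in-memory secrets file: entry count, or -N for an error on line N. */
int
load_secrets(const char *text)
{
	const char *p = text, *nl;
	struct secret s;
	int lineno = 0, r;
	nsecrets = 0;
	while (*p != '\0') {
		lineno++;
		r = parse_secret_line(p, &s);
		/* Reject syntax errors, a full table, and duplicate names. */
		if (r < 0 || (r > 0 && (nsecrets == MAX_SECRETS ||
		    secret_lookup(s.type, s.name) != NULL)))
			return -lineno;
		if (r > 0)
			secrets[nsecrets++] = s;
		nl = strchr(p, '\n');
		p = nl ? nl + 1 : p + strlen(p);
	}
	return nsecrets;
}

/* Constructed sample in the proposed syntax, not a real secrets file. */
const char *SAMPLE_SECRETS =
    "# /etc/gotd.secrets.conf\n"
    "\tauth flan \"s3cr3tp4ssw0rd\"\n"
    "\thmac secret1 \"hmac-secret\"\n";
```

Usage follows the order described above: call `load_secrets()` on the secrets file contents before touching the main config, then while parsing gotd.conf call `secret_lookup()` for every credential a repository or auth rule references; a NULL result is a configuration error that can be reported at gotd.conf parse time, with the exact line, instead of surfacing later at request time. Keeping the two types in separate namespaces (the lookup is by type and name) is what lets an `auth` and an `hmac` entry share a name without ambiguity.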