
From: Omar Polo <op@omarpolo.com>
Subject: Re: RFC: secrets for gotd
To: Stefan Sperling <stsp@stsp.name>
Cc: gameoftrees@openbsd.org
Date: Mon, 26 Aug 2024 09:23:01 +0200

On 2024/08/26 09:13:51 +0200, Stefan Sperling <stsp@stsp.name> wrote:
> On Sun, Aug 25, 2024 at 11:19:20PM +0200, Omar Polo wrote:
> > At that point, why not also use a {}-style syntax for the secret file
> > too?  It helps to visually distinguish the entries that are used for
> > hmac and HTTP auth.
> > 
> > but also something more smtpd-table-like could work for me.
> > 
> > 	# /etc/gotd.secrets.conf
> > 	flan		s3cr3tp4ssw0rd
> > 	secret1		<hmac-secret>
> > 	...
> > 
> 
> I think a distinct syntax like this would be better. Otherwise, users
> could be misled into assuming secrets could be added inline to the
> main config file, while we really must require a separate file to
> satisfy gitwrapper.

Oh, that's a very good point I haven't considered.

> To keep the types of secrets visually distinct we could use a
> parse.y METHOD NAME STRING syntax, where METHOD indicates the
> type of authentication credential:
> 
>  	auth flan "s3cr3tp4ssw0rd"
>  	hmac secret1 "hmac-secret"

I like this.

> Perhaps we should even have separate parse.y files for secrets and
> the main config file, rather than including the secrets file in the
> main config somehow like smtpd-style tables would do.
> Upon startup, if the secrets file is present then gotd would parse the
> secrets first, then parse /etc/gotd.conf with all secrets available
> for validation.

couple of things:

 - not sure we can use two different .y files in the same executable;
   yacc symbols will clash.  I can hand roll a parser though, no problem.

 - since we allow specifying the config file via -f, maybe we could
   allow the same for the secret file?
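As an added illustration of the `METHOD NAME STRING` syntax proposed above and the hand-rolled parser mentioned as an alternative to a second yacc grammar (example code, not gotd's own; the function name, the `struct secret` layout and the 1/0/-1 return convention are assumptions):

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Added example, not gotd code: a hand-rolled parser for one line of the
 * `METHOD NAME "STRING"` secrets syntax proposed in the thread. */
enum method { M_AUTH, M_HMAC };
struct secret { enum method method; char name[64]; char value[128]; };

/*
 * Returns 1 for a well-formed line, 0 for a blank line or '#' comment,
 * and -1 for anything else (unknown method, missing name, unquoted value,
 * trailing garbage), so the daemon can refuse to start rather than skip it.
 */
int
parse_secret_line(const char *line, struct secret *s)
{
	char m[8];
	int off = 0;
	const char *p = line, *q;
	size_t len;
	while (isspace((unsigned char)*p))
		p++;
	if (*p == '\0' || *p == '#')
		return 0;
	/* METHOD and NAME are plain words; %n records how far we got. */
	if (sscanf(p, "%7s %63s%n", m, s->name, &off) != 2)
		return -1;
	if (strcmp(m, "auth") == 0)
		s->method = M_AUTH;
	else if (strcmp(m, "hmac") == 0)
		s->method = M_HMAC;
	else
		return -1;
	p += off;
	while (isspace((unsigned char)*p))
		p++;
	/* The value must be a double-quoted string, so it may contain blanks. */
	if (*p++ != '"' || (q = strchr(p, '"')) == NULL)
		return -1;
	len = (size_t)(q - p);
	if (len == 0 || len >= sizeof s->value)
		return -1;
	memcpy(s->value, p, len);
	s->value[len] = '\0';
	/* Only blanks or a trailing comment may follow the closing quote. */
	for (p = q + 1; *p != '\0' && *p != '#'; p++)
		if (!isspace((unsigned char)*p))
			return -1;
	return 1;
}
```

Rejecting a whole file on the first -1 keeps a typo in the secrets file from silently dropping an hmac secret that gotd.conf later refers to.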