From: Omar Polo
Subject: Re: RFC: secrets for gotd
To: Stefan Sperling
Cc: gameoftrees@openbsd.org
Date: Sun, 25 Aug 2024 23:19:20 +0200

On 2024/08/25 20:31:37 +0200, Stefan Sperling wrote:
> On Sun, Aug 25, 2024 at 07:46:01PM +0200, Omar Polo wrote:
> > Currently gotd.conf holds some sensible data for http notifications in
> > plain.  Furthermore gotd.conf has to be world-readable to not break
> > gotsh(1).
>
> gitwrapper, not gotsh

whoops, right!

> > So, here's a proposal to break out the secrets in a separate config file
> > which can (and must) be owned by root and not world-readable.  When
> > parsing the files for gotsh(1) or similar purpose we can skip the
> > "include".
> >
> > It's mostly about syntax and taste, hence an RFC instead of a diff.
> > Let's bikeshed a bit and once we reach a consensus I'll start working on
> > it.
> >
> > While here I couldn't help but also try to move "insecure" before "url",
> > because otherwise I would read it as "insecure auth", which could also be
> > fine, or "insecure hmac" which is... curious :)
>
> I agree that moving the insecure keyword to the front makes sense.
>
> > # /etc/gotd.secrets.conf
> > auth "xyz" {
> > 	username "flan"
> > 	password "flan123!"
> > }
> >
> > hmac "abc" {
> > 	secret "o0wgEB5QyRRKUwHlobeVX1JguCvkTBBohhQnINbxaOs="
> > }
> >
> >
> > # /etc/gotd.conf
> > include secret "/etc/gotd.secrets.conf" # root-owned; skipped by gotsh
>
> I would prefer "include secrets" since the file can contain multiple
> secrets.

yeah, it reads better.

> > repository "src.git" {
> > 	path "/var/git/src.git"
> > 	permit rw :developers
> > 	permit ro anonymous
> >
> > 	notify {
> > 		branch "main"
> >
> > 		insecure url "http://some.other.host:8080/foo" auth "xyz"
> > 		# or
> > 		insecure url "http://..." hmac "abc"
> > 		# or even both
> > 	}
> > }
> >
> >
> > Using for `url "..." auth' an undefined label or an hmac value will
> > produce an error.  Likewise for `url "..." hmac'.
> >
> >
> > Opinions?
>
> I like this proposal.  I don't see a problem with implementing this.
>
> Is there any specific reason you didn't copy the smtpd table-based design?
> I was thinking we could probably just steal code from there.

My first idea was something table-like, but then I realized it wouldn't
fit well here.  smtpd tables work by attaching a table to a rule, as in:

	listen on all auth

Then, at runtime, smtpd will look up the table foo for some key (username
in this case).  With gotd we don't have this kind of query at runtime.
We have to specify the key in the configuration too.  The config would
look like:

	url "..." auth "flan"

at which point we might just give `auth "flan"`.

At that point, why not also use a {}-style syntax for the secret file
too?  It helps to visually distinguish the entries that are used for
hmac and HTTP auth.

but also something more smtpd-table could work for me.

	# /etc/gotd.secrets.conf
	flan s3cr3tp4ssw0rd
	secret1 ...
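As an added illustration for this page (not code from gotd or the Game of Trees project), here is a small Python model of the brace-style proposal discussed in the thread. It parses the secrets file and gotd.conf, resolves `auth`/`hmac` labels when run as gotd proper, skips the `include secrets` line in gitwrapper mode so the secrets are never loaded, and rejects an undefined label or a label of the wrong kind, as the RFC says it should. The two sample configuration strings are constructed from the snippets quoted above (the https://hooks.example.test URL is made up), the ConfigError class and its messages are invented for the example, and secrets_file_ok() encodes one possible permission policy (root-owned, no group or other bits at all), which is stricter than the "not world-readable" wording in the thread.

```python
# Added example, not gotd's code: the sample files are constructed, and the names,
# error messages and the permission policy below are assumptions made for this page.
import shlex
import stat

SECRETS_CONF = """\
auth "xyz" {
    username "flan"
    password "flan123!"
}
hmac "abc" {
    secret "o0wgEB5QyRRKUwHlobeVX1JguCvkTBBohhQnINbxaOs="
}
"""
GOTD_CONF = """\
include secrets "/etc/gotd.secrets.conf"  # root-owned; skipped by gitwrapper
repository "src.git" {
    notify {
        insecure url "http://some.other.host:8080/foo" auth "xyz"
        insecure url "http://some.other.host:8080/bar" hmac "abc"
        url "https://hooks.example.test/x" auth "xyz" hmac "abc"
    }
}
"""
FIELDS = {"auth": ("username", "password"), "hmac": ("secret",)}

class ConfigError(Exception): """Syntax error, undefined label, or label of the wrong kind."""

def parse_secrets(text):
    """Return {label: {"kind": "auth"|"hmac", ...fields}} from the secrets file."""
    secrets, cur = {}, None
    for ln, raw in enumerate(text.splitlines(), 1):
        if not (tok := shlex.split(raw, comments=True)):  # shlex: quotes and '#' comments
            continue
        if cur is None:  # expect: auth|hmac "label" {   with a label not seen before
            if len(tok) != 3 or tok[0] not in FIELDS or tok[2] != "{" or tok[1] in secrets:
                raise ConfigError(f"secrets:{ln}: bad block header {' '.join(tok)!r}")
            cur = secrets[tok[1]] = {"kind": tok[0]}
        elif tok == ["}"]:
            if set(FIELDS[cur["kind"]]) - set(cur):
                raise ConfigError(f"secrets:{ln}: incomplete {cur['kind']} block")
            cur = None
        elif len(tok) == 2 and tok[0] in FIELDS[cur["kind"]]:
            cur[tok[0]] = tok[1]  # e.g. 'secret' inside an auth block falls through to the error
        else:
            raise ConfigError(f"secrets:{ln}: unexpected {' '.join(tok)!r}")
    if cur is not None:
        raise ConfigError("secrets: unterminated block")
    return secrets

def _parse_url(ln, tok, secrets, resolve):
    """[insecure] url "..." (auth|hmac "label")+  -> notify target dict."""
    tok = tok[1:] if (insecure := tok[0] == "insecure") else tok
    if len(tok) < 4 or tok[0] != "url" or len(tok) % 2:
        raise ConfigError(f'gotd.conf:{ln}: expected [insecure] url "..." auth|hmac "label"')
    target = {"url": tok[1], "insecure": insecure, "secrets": {}}
    for kind, label in zip(tok[2::2], tok[3::2]):
        if kind not in FIELDS or kind in target:
            raise ConfigError(f"gotd.conf:{ln}: bad or repeated keyword {kind!r}")
        target[kind] = label
        if resolve:  # gotd itself: the label must exist and be of the matching kind
            entry = secrets.get(label)
            if entry is None or entry["kind"] != kind:
                raise ConfigError(f"gotd.conf:{ln}: {label!r} is not a defined {kind} secret")
            target["secrets"][kind] = entry
    return target

def parse_gotd(text, read_secrets):
    """read_secrets(path) -> secrets text; None models gitwrapper, which skips the include."""
    conf, stack = {"secrets": {}, "repositories": []}, []
    for ln, raw in enumerate(text.splitlines(), 1):
        if not (tok := shlex.split(raw, comments=True)):
            continue
        if tok[:2] == ["include", "secrets"] and len(tok) == 3 and not stack:
            if read_secrets is not None:
                conf["secrets"].update(parse_secrets(read_secrets(tok[2])))
        elif tok[0] == "repository" and len(tok) == 3 and tok[2] == "{" and not stack:
            conf["repositories"].append({"name": tok[1], "notify": []})
            stack.append("repository")
        elif tok == ["notify", "{"] and stack == ["repository"]:
            stack.append("notify")
        elif tok == ["}"] and stack:
            stack.pop()
        elif stack == ["repository", "notify"] and tok[0] in ("url", "insecure"):
            target = _parse_url(ln, tok, conf["secrets"], read_secrets is not None)
            conf["repositories"][-1]["notify"].append(target)
        elif not stack:  # other keywords inside blocks (path, permit, branch) are not modelled
            raise ConfigError(f"gotd.conf:{ln}: unexpected {' '.join(tok)!r}")
    return conf

def config_error(conf_text, secrets_text=SECRETS_CONF):  # error message, or None if it parses
    try:
        return parse_gotd(conf_text, lambda _path: secrets_text) and None
    except ConfigError as err:
        return str(err)

def secrets_file_ok(st_uid, st_mode):
    """Policy assumed here for the secrets file: root-owned, no group/other bits."""
    return st_uid == 0 and (st_mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0
```

parse_gotd() takes a reader callback instead of opening files so the example runs offline; a real implementation would stat() the secrets file and apply secrets_file_ok() to st_uid and st_mode before reading it, and the gitwrapper path would never open it at all, which is the whole point of keeping the include in a separate root-owned file. Labels are resolved at parse time rather than looked up at runtime, matching the argument above that gotd has no smtpd-style table query to perform later.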