From: Omar Polo
Subject: Re: RFC: secrets for gotd
To: Stefan Sperling
Cc: gameoftrees@openbsd.org
Date: Mon, 26 Aug 2024 09:23:01 +0200

On 2024/08/26 09:13:51 +0200, Stefan Sperling wrote:
> On Sun, Aug 25, 2024 at 11:19:20PM +0200, Omar Polo wrote:
> > At that point, why not also use a {}-style syntax for the secret file
> > too? It helps to visually distinguish the entries that are used for
> > hmac and HTTP auth.
> >
> > but also something more smtpd-table could work for me.
> >
> > # /etc/gotd.secrets.conf
> > flan s3cr3tp4ssw0rd
> > secret1
> > ...
> >
>
> I think a distinct syntax like this would be better. Otherwise, users
> could be misled into assuming secrets could be added inline to the
> main config file, while we really must require a separate file to
> satisfy gitwrapper.

oh, that's a very good point I haven't considered.

> To keep the types of secrets visually distinct we could use a
> parse.y METHOD NAME STRING syntax, where METHOD indicates the
> type of authentication credential:
>
> auth flan "s3cr3tp4ssw0rd"
> hmac secret1 "hmac-secret"

I like this.

> Perhaps we should even have separate parse.y files for secrets and
> the main config file, rather than including the secrets file in the
> main config somehow like smtpd-style tables would do.
> Upon startup, if the secrets file is present then gotd would parse the
> secrets first, then parse /etc/gotd.conf with all secrets available
> for validation.

couple of things:

- not sure we can use two different .y files in the same executable;
  yacc symbols will clash. I can hand-roll a parser though, no problem.

- since we allow specifying the config file via -f, maybe we could
  allow the same for the secret file?
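As an added illustration of the `METHOD NAME STRING` syntax proposed in the thread and of the hand-rolled parser Omar mentions, here is a small C parser that is not gotd code and not from the Game of Trees project. It assumes a secrets table keyed by (type, name), accepts only the two methods discussed (`auth` and `hmac`), rejects duplicate names within a type, and reports the offending line number so the daemon can refuse to start on a malformed file, which is what lets the main config be validated against a fully loaded secrets table afterwards. The sample file contents are constructed for the example; function and type names are my own.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical types for the example; not gotd's own. */
enum secret_type { SECRET_AUTH, SECRET_HMAC };

struct secret {
	enum secret_type type;
	char name[64];
	char value[256];
};

#define MAX_SECRETS 64

struct secrets {
	struct secret list[MAX_SECRETS];
	int n;
};

static void
skip_ws(const char **pp)
{
	while (isspace((unsigned char)**pp))
		(*pp)++;
}

/* Read an unquoted word (METHOD or NAME); -1 on empty or overlong token. */
static int
read_token(const char **pp, char *buf, size_t bufsz)
{
	const char *p = *pp;
	size_t i = 0;

	while (*p != '\0' && !isspace((unsigned char)*p)) {
		if (i + 1 >= bufsz)
			return -1;
		buf[i++] = *p++;
	}
	buf[i] = '\0';
	*pp = p;
	return i > 0 ? 0 : -1;
}

/* Read a "quoted" STRING; -1 if unquoted, unterminated or overlong. */
static int
read_quoted(const char **pp, char *buf, size_t bufsz)
{
	const char *p = *pp;
	size_t i = 0;

	if (*p != '"')
		return -1;
	p++;
	while (*p != '"') {
		if (*p == '\0' || i + 1 >= bufsz)
			return -1;
		buf[i++] = *p++;
	}
	buf[i] = '\0';
	*pp = p + 1;
	return 0;
}

/* Returns 1 if a secret was parsed, 0 for a blank/comment line, -1 on error. */
int
parse_secret_line(const char *line, struct secret *out)
{
	char method[16];
	const char *p = line;

	skip_ws(&p);
	if (*p == '\0' || *p == '#')
		return 0;
	if (read_token(&p, method, sizeof(method)) == -1)
		return -1;
	if (strcmp(method, "auth") == 0)
		out->type = SECRET_AUTH;
	else if (strcmp(method, "hmac") == 0)
		out->type = SECRET_HMAC;
	else
		return -1;	/* unknown METHOD */
	skip_ws(&p);
	if (read_token(&p, out->name, sizeof(out->name)) == -1)
		return -1;
	skip_ws(&p);
	if (read_quoted(&p, out->value, sizeof(out->value)) == -1)
		return -1;
	skip_ws(&p);
	return (*p == '\0' || *p == '#') ? 1 : -1;	/* no trailing junk */
}

const struct secret *
secrets_lookup(const struct secrets *s, enum secret_type type, const char *name)
{
	int i;

	for (i = 0; i < s->n; i++)
		if (s->list[i].type == type && strcmp(s->list[i].name, name) == 0)
			return &s->list[i];
	return NULL;
}

/* Parse a whole file held in memory. Returns the number of secrets loaded,
 * or -lineno for the first line that is malformed or a duplicate. */
int
parse_secrets(const char *text, struct secrets *s)
{
	char line[512];
	const char *p = text;
	int lineno = 0;

	s->n = 0;
	while (*p != '\0') {
		const char *nl = strchr(p, '\n');
		size_t len = nl ? (size_t)(nl - p) : strlen(p);
		struct secret sec;
		int r;

		lineno++;
		if (len >= sizeof(line))
			return -lineno;
		memcpy(line, p, len);
		line[len] = '\0';
		r = parse_secret_line(line, &sec);
		if (r < 0)
			return -lineno;
		if (r == 1) {
			if (s->n >= MAX_SECRETS ||
			    secrets_lookup(s, sec.type, sec.name) != NULL)
				return -lineno;	/* table full or duplicate */
			s->list[s->n++] = sec;
		}
		p = nl ? nl + 1 : p + len;
	}
	return s->n;
}

/* Constructed sample in the syntax proposed in the thread. */
const char sample_secrets[] =
    "# /etc/gotd.secrets.conf (constructed sample)\n"
    "auth flan \"s3cr3tp4ssw0rd\"\n"
    "hmac secret1 \"hmac-secret\"\n";

int
main(void)
{
	struct secrets s;
	int r = parse_secrets(sample_secrets, &s);

	if (r < 0)
		fprintf(stderr, "secrets: syntax error on line %d\n", -r);
	else
		printf("loaded %d secrets\n", r);
	return r < 0;
}
```

Because the parser refuses the whole file on the first bad or duplicate line, a reference like `hmac secret1` in the main config can later be checked with `secrets_lookup()` against a table that is known to be complete; a lookup miss then means a typo or a missing entry rather than a parser that silently skipped a line. A daemon reading the real file would also want to check its ownership and mode before parsing, since the values are credentials.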