Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Mechanism for secrets in plugin configuration #538

Closed
simonw opened this issue Jul 3, 2019 · 3 comments
Closed

Mechanism for secrets in plugin configuration #538

simonw opened this issue Jul 3, 2019 · 3 comments
Labels
feature medium

Comments

@simonw
Copy link
Owner

simonw commented Jul 3, 2019

See simonw/datasette-auth-github#1

We need a mechanism where by plugins can tap into "secret" config options without exposing them in the visible metadata.json (where plugin configs currently live, see https://datasette.readthedocs.io/en/stable/plugins.html#plugin-configuration )
@simonw
Copy link
Owner Author

simonw commented Jul 3, 2019

Initial syntax suggestion:

{
    "title": "datasette-auth-github demo",
    "plugins": {
        "datasette-auth-github": {
            "client_id": "986f5d837b45e32ee6dd",
            "client_secret": {"$env": "GITHUB_CLIENT_SECRET"}
        }
    }
}

@simonw
Copy link
Owner Author

simonw commented Jul 3, 2019

Another useful option is the ability to load secrets from a file. This allows the file to have permissions set on it to only be read by the Datasette user. It also interacts well with the Kubernetes secrets mechanism, which is file-based.

{
    "plugins": {
        "datasette-auth-github": {
            "client_id": "986f5d837b45e32ee6dd",
            "client_secret": {"$file": "/secrets/github-client-secret"}
        }
    }
}

simonw added a commit that referenced this issue Jul 4, 2019
@simonw
Documentation for env/file plugin configs, refs #538
bc852cf
@simonw simonw mentioned this issue Jul 4, 2019
Merged
simonw added a commit that referenced this issue Jul 4, 2019
@simonw
Implemented plugin secrets, refs #538
002c9c4
@simonw simonw closed this as completed in a2d4593 Jul 4, 2019
@simonw
Copy link
Owner Author

simonw commented Jul 4, 2019

Re-opening this because I messed it up: the secret options are still visible in /-/metadata because I mutate the dictionary in place!

datasette/datasette/app.py

Lines 273 to 279 in a2d4593

if isinstance(plugin_config, dict):
for key, value in plugin_config.items():
if isinstance(value, dict):
if list(value.keys()) == ["$env"]:
plugin_config[key] = os.environ.get(list(value.values())[0])
elif list(value.keys()) == ["$file"]:
plugin_config[key] = open(list(value.values())[0]).read()

@simonw simonw reopened this Jul 4, 2019
@simonw simonw closed this as completed in 25ff0a8 Jul 4, 2019
@simonw simonw mentioned this issue Jul 6, 2019
Closed
simonw added a commit that referenced this issue Jul 7, 2019
@simonw
Secret plugin configuration options (#539)
a19c787 
Closes #538
simonw added a commit that referenced this issue Jul 7, 2019
@simonw
Fix for accidentally leaking secrets in /-/metadata, closes #538
d6d96dc
simonw added a commit that referenced this issue Nov 11, 2019
@simonw
Secret plugin configuration options (#539)
ec75852 
Closes #538
simonw added a commit that referenced this issue Nov 11, 2019
@simonw
Fix for accidentally leaking secrets in /-/metadata, closes #538
ac0a18d
This was referenced Sep 13, 2023
Merged
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
feature medium
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@simonw