Struct names and members for secrets.conf

Russ Allbery eagle at eyrie.org
Sun Dec 26 03:57:00 UTC 2021 

Julien ÉLIE <julien at trigofacile.com> writes:

> When using secretsconf->canlockadminsec to access it, I'm wondering
> whether it should not just be:

> cancels {
>     canlockadmin: [ "password" ]
>     canlockuser: [ "anotherpassword" ]
> }

> and we just call secretsconf->canlockadmin.
> When we have dozens of secrets in secrets.conf, it will be weird to always
> add "sec" in the parameter name, won't it?

Agreed.  I kind of like the idea of having a secretsconf (or even just
secrets) variable that holds the secret configuration and retrieving all
the secrets from there.  We could even wrap that in a small library to
make it easier to use everywhere in the source tree.

> That's why it populates secretsconf->canlockadmin(sec).
> Would it be better to have instead:
> - secretsconf->cancels->canlockadmin
> - cancels->canlockadmin
> - cancels_secrets->canlockadmin
> ?

> Maybe the first (secretsconf->cancels->canlockadmin) is better but we
> may also create as many simpler structs as group types in secrets.conf.
> Just asking in case you have a preference or another better idea.

The first has the nice advantage that it's super-obvious in the source
code that you're retrieving a secret, which you should then be careful
with (not log, etc.).

> With the first proposal, I'll probably have to add a
> secretsconf_get_cancels() function to retrieve the cancels groups in the
> secretsconf struct (and then use the result as if it were one of the
> last 2 proposals in fact).

Yeah, I wonder if we could have some sort of API that looks like:

    canlockadmin = get_secret(secrets, "cancels", "canlockadmin");

where get_secret() takes the secrets config_group and then a variable
number of arguments, all strings, that represent the hierarchical path
down to the key that we want.  It would just be a convenience wrapper
around the config_find_group(secrets, "cancels") and then
config_param_string(cancels, "canlockadmin", &data) call.

> If we have something like that in the future in secrets.conf:

> feed news.server.com {
>     login: "login"
>     password : "pass"
> }

> feed news.server2.com {
>     login: "login2"
>     password : "pass2"
> }

> We would have secretsconf->feed being a chained list of structs:

> struct feed {
>     char *tag;
>     char *login;
>     char *password;
>     struct feed *next;  /* next would be for "news.server2.com" tag */
> };

> (assuming we don't use nested groups inside them).

The intent of the config API was that you wouldn't take the config file
and turn it into a chained list up front, but instead you'd iterate
through it each time you needed something with

    feed = config_find_group(secrets, "feed");

and then config_next_group(feed) to get the next.  If that becomes tedious
we could add some config_find_group_by_tag() function that takes both the
group type and the tag.

-- 
Russ Allbery (eagle at eyrie.org)             <https://www.eyrie.org/~eagle/>

    Please send questions to the list rather than mailing me directly.
     <https://www.eyrie.org/~eagle/faqs/questions.html> explains why.

More information about the inn-workers mailing list