Struct names and members for secrets.conf
Julien ÉLIE
julien at trigofacile.com
Sun Dec 26 13:12:34 UTC 2021
Hi Russ,
>> When using secretsconf->canlockadminsec to access it, I'm wondering
>> whether it should not just be:
>
>> cancels {
>> canlockadmin: [ "password" ]
>> canlockuser: [ "anotherpassword" ]
>> }
>
>> and we just call secretsconf->canlockadmin.
>> When we have dozens of secrets in secrets.conf, it will be weird to always
>> add "sec" in the parameter name, won't it?
>
> Agreed. I kind of like the idea of having a secretsconf (or even just
> secrets) variable that holds the secret configuration and retrieving all
> the secrets from there.
OK for "secrets" instead of "secretsconf".
> We could even wrap that in a small library to
> make it easier to use everywhere in the source tree.
Like innconfval does for instance?
A secretsval program that would give the secrets when executed? (so that
they can be retrieved from Perl, Python and shell scripts)
Yet, we may probably want a general program for that, and not a
dedicated one for each configuration file...
Why not add a -f flag (for "file") to innconfval? Default value is
"inn.conf", and it can be set to other file names (like "secrets.conf").
innconfval -f secrets.conf canlockadmin
would then return the list of canlock admin secrets.
>> That's why it populates secretsconf->canlockadmin(sec).
>> Would it be better to have instead:
>> - secretsconf->cancels->canlockadmin
>> - cancels->canlockadmin
>> - cancels_secrets->canlockadmin
>> ?
>
>> Maybe the first (secretsconf->cancels->canlockadmin) is better but we
>> may also create as many simpler structs as group types in secrets.conf.
>> Just asking in case you have a preference or another better idea.
>
> The first has the nice advantage that it's super-obvious in the source
> code that you're retrieving a secret, which you should then be careful
> with (not log, etc.).
Yes, that's a nice advantage.
>> With the first proposal, I'll probably have to add a
>> secretsconf_get_cancels() function to retrieve the cancels groups in the
>> secretsconf struct (and then use the result as if it were one of the
>> last 2 proposals in fact).
>
> Yeah, I wonder if we could have some sort of API that looks like:
>
> canlockadmin = get_secret(secrets, "cancels", "canlockadmin");
>
> where get_secret() takes the secrets config_group and then a variable
> number of arguments, all strings, that represent the hierarchical path
> down to the key that we want. It would just be a convenience wrapper
> around the config_find_group(secrets, "cancels") and then
> config_param_string(cancels, "canlockadmin", &data) call.
Not all secrets are strings. Here, for canlockadmin, it is a vector.
So maybe we need get_secret_list(secrets, "cancels", "canlockadmin") and
another get_secret_string() function for future string secrets?
A drawback of these getter functions is that we'll have to parse the
config_group tree each time we need a secret. That's pretty quick
though, and we do not need them continuously but only for a few actions
(like posting or initial authentication against a peer), contrary to
parameters like inn.conf timeout, wireformat and like.
So it seems probably fine to query the secret in the config_group tree.
>> We would have secretsconf->feed being a chained list of structs:
>
>> struct feed {
>> char *tag;
>> char *login;
>> char *password;
>> struct feed *next; /* next would be for "news.server2.com" tag */
>> };
>
>> (assuming we don't use nested groups inside them).
>
> The intent of the config API was that you wouldn't take the config file
> and turn it into a chained list up front, but instead you'd iterate
> through it each time you needed something with
>
> feed = config_find_group(secrets, "feed");
>
> and then config_next_group(feed) to get the next. If that becomes tedious
> we could add some config_find_group_by_tag() function that takes both the
> group type and the tag.
Oh yes, I understand the principle.
We'll see for the config_find_group_by_tag() later if need be (not
useful for Cancel-Lock).
--
Julien ÉLIE
« Only wimps use tape backup: _real_ men just upload their important
stuff on ftp, and let the rest of the world mirror it ;) » (Linus
Torvalds, 1996)
More information about the inn-workers
mailing list