Support reading pin from file or environment variable
mahrud opened this issue · 1 comment
In the initial release I intentionally left `pin-source` untouched:

gokeyless/internal/rfc7512/rfc7512.go, lines 156 to 157 in b3ce625
I propose the following format:
- Read from a file: `pin-source=file:/secrets/mypin`
- Read from an environment variable: `pin-source=env:MYPIN`
Alternatively I can have `pin-source` directly read from a file and add a `pin-env` attribute for environment variables. Any thoughts?

Also, in the event that both `pin-source` (or `pin-env`) and `pin-value` are defined, which should take priority?
RFC 7512 does mention `pin-source=file:/etc/token_pin` as an example; that seems reasonable to add. `pin-env`, on the other hand, is non-standard and would not work with libraries such as p11-kit. Section 2.4 of RFC 7512 suggests processing the `pin-source` attribute in the following order:
- A URI such as `file:`, `http:`, etc.
- A pipe such as `|<absolute-command-path>`
- An implementation-specific way.

As `env` is currently not a registered URI scheme, I guess that `pin-source=env:FOO` could work.
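The resolution logic discussed in the issue and the reply above, as an added Go example that is not gokeyless's own code: it handles the `file:` form that RFC 7512 shows and the non-standard `env:` scheme proposed here, rejects the `|command` and other URI forms instead of executing or fetching them, and assumes `pin-value` takes priority when both attributes are set (the thread leaves that open); `ResolvePIN` is a hypothetical name.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"strings"
)

// ErrNoPIN is returned when neither pin-value nor pin-source is set.
var ErrNoPIN = errors.New("rfc7512: no PIN configured")

// ResolvePIN returns the token PIN from the pin-value and pin-source attributes
// of an RFC 7512 PKCS#11 URI (both already percent-decoded by the URI parser).
// Assumption: pin-value wins when both are present; the issue leaves that open.
func ResolvePIN(pinValue, pinSource string) (string, error) {
	if pinValue != "" {
		return pinValue, nil
	}
	switch {
	case pinSource == "":
		return "", ErrNoPIN
	case strings.HasPrefix(pinSource, "file:"):
		// The form RFC 7512 itself shows: pin-source=file:/etc/token_pin.
		// "file:///p" leaves "///p", which still resolves to /p on POSIX.
		b, err := os.ReadFile(strings.TrimPrefix(pinSource, "file:"))
		if err != nil {
			return "", fmt.Errorf("rfc7512: pin-source %q: %w", pinSource, err)
		}
		// A trailing newline from an editor or secret mount is not part of the PIN.
		return strings.TrimRight(string(b), "\r\n"), nil
	case strings.HasPrefix(pinSource, "env:"):
		// The env: scheme proposed in the issue; non-standard, so p11-kit would not accept it.
		name := strings.TrimPrefix(pinSource, "env:")
		v, ok := os.LookupEnv(name)
		if !ok {
			return "", fmt.Errorf("rfc7512: pin-source %q: %s is not set", pinSource, name)
		}
		return v, nil
	default:
		// The |command pipe and other schemes from RFC 7512 section 2.4 are rejected
		// rather than executed or fetched; extend here if they are ever needed.
		return "", fmt.Errorf("rfc7512: unsupported pin-source %q", pinSource)
	}
}

func main() {
	os.Setenv("MYPIN", "1234") // constructed sample value, matching the issue's example
	fmt.Println(ResolvePIN("", "env:MYPIN"))
}
```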