From 99c3ec68203c0b2764a49724ecb9ecc26b520482 Mon Sep 17 00:00:00 2001
From: Yann Soubeyrand <yann.soubeyrand@gmx.fr>
Date: Thu, 18 Apr 2019 13:55:08 +0200
Subject: [PATCH] Add ability to set ID and Secret from environment variables
 for static clients

Having ID and Secret in clear inside configuration files for static
clients is not ideal. This commit allows setting these from environment
variables.

Signed-off-by: Yann Soubeyrand <yann.soubeyrand@gmx.fr>
---
 cmd/dex/serve.go   | 23 ++++++++++++++++++++++-
 storage/storage.go |  6 ++++--
 2 files changed, 26 insertions(+), 3 deletions(-)

diff --git a/cmd/dex/serve.go b/cmd/dex/serve.go
index 86f02c78..27fba306 100644
--- a/cmd/dex/serve.go
+++ b/cmd/dex/serve.go
@@ -153,7 +153,28 @@ func serve(cmd *cobra.Command, args []string) error {
 	logger.Infof("config storage: %s", c.Storage.Type)
 
 	if len(c.StaticClients) > 0 {
-		for _, client := range c.StaticClients {
+		for i, client := range c.StaticClients {
+			if client.Name == "" {
+				return fmt.Errorf("invalid config: Name field is required for a client")
+			}
+			if client.ID == "" && client.IDEnv == "" {
+				return fmt.Errorf("invalid config: ID or IDEnv field is required for a client")
+			}
+			if client.IDEnv != "" {
+				if client.ID != "" {
+					return fmt.Errorf("invalid config: ID and IDEnv fields are exclusive for client %q", client.ID)
+				}
+				c.StaticClients[i].ID = os.Getenv(client.IDEnv)
+			}
+			if client.Secret == "" && client.SecretEnv == "" {
+				return fmt.Errorf("invalid config: Secret or SecretEnv field is required for client %q", client.ID)
+			}
+			if client.SecretEnv != "" {
+				if client.Secret != "" {
+					return fmt.Errorf("invalid config: Secret and SecretEnv fields are exclusive for client %q", client.ID)
+				}
+				c.StaticClients[i].Secret = os.Getenv(client.SecretEnv)
+			}
 			logger.Infof("config static client: %s", client.Name)
 		}
 		s = storage.WithStaticClients(s, c.StaticClients)
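Review bot: Both `os.Getenv` assignments in the loop return an empty string when the named variable is unset, so a misspelled or missing IDEnv/SecretEnv silently registers a static client with an empty ID or secret, and the emptiness checks above them have already passed by then. Resolve the values with `os.LookupEnv` and return a config error when the variable is missing or empty, as sketched below. The Secret error messages format `client.ID`, which is the loop copy and is still empty when IDEnv was used; `client.Name` is already validated and identifies the client. The unconditional Secret/SecretEnv requirement may also reject public clients that carry no secret, which the storage.Client comments suggest exist, so that is worth confirming. The body of serve continues outside this hunk.

```go
for i, client := range c.StaticClients {
	// … unchanged: Name check and ID/IDEnv presence check …
	if client.IDEnv != "" {
		// … unchanged: ID/IDEnv exclusivity check …
		id, ok := os.LookupEnv(client.IDEnv)
		if !ok || id == "" {
			return fmt.Errorf("invalid config: environment variable %q for ID of client %q is unset or empty", client.IDEnv, client.Name)
		}
		c.StaticClients[i].ID = id
	}
	// … unchanged: Secret/SecretEnv presence check …
	if client.SecretEnv != "" {
		// … unchanged: Secret/SecretEnv exclusivity check …
		secret, ok := os.LookupEnv(client.SecretEnv)
		if !ok || secret == "" {
			return fmt.Errorf("invalid config: environment variable %q for Secret of client %q is unset or empty", client.SecretEnv, client.Name)
		}
		c.StaticClients[i].Secret = secret
	}
	// … unchanged: logger.Infof of the client name …
```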
diff --git a/storage/storage.go b/storage/storage.go
index 42ecd8ed..5bbb2b3f 100644
--- a/storage/storage.go
+++ b/storage/storage.go
@@ -113,8 +113,10 @@ type Storage interface {
 //   * Public clients: https://developers.google.com/api-client-library/python/auth/installed-app
 type Client struct {
 	// Client ID and secret used to identify the client.
-	ID     string `json:"id" yaml:"id"`
-	Secret string `json:"secret" yaml:"secret"`
+	ID        string `json:"id" yaml:"id"`
+	IDEnv     string `json:"idEnv" yaml:"idEnv"`
+	Secret    string `json:"secret" yaml:"secret"`
+	SecretEnv string `json:"secretEnv" yaml:"secretEnv"`
 
 	// A registered set of redirect URIs. When redirecting from dex to the client, the URI
 	// requested to redirect to MUST match one of these values, unless the client is "public".
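Review bot: The new `IDEnv` and `SecretEnv` fields have no doc comment, and the existing comment above them still describes only the ID and secret. I would add `// IDEnv and SecretEnv name environment variables that supply ID and Secret when the config is loaded; each is mutually exclusive with its literal counterpart.` above the pair. Because they sit on the storage model with `json` tags, they will presumably be serialized wherever a Client is marshaled, and only the static-client loop in cmd/dex/serve.go resolves them. It would help to state in the comment that they are config-only, or to clear them once resolved. The Client struct continues outside this hunk.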
-- 
GitLab