config: remove validate side effects (#2109)

* config: default shared key * handle additional errors * update grpc addr and grpc insecure * update google cloud service authentication service account * fix set response headers * fix qps * fix test
2025-08-03 00:40:25 +02:00 · 2021-04-22 15:10:50 -06:00 · 2021-04-22 15:10:50 -06:00 · b1d62bb541
commit b1d62bb541
parent 2806b67bee
19 changed files with 138 additions and 81 deletions
--- a/authenticate/authenticate.go
+++ b/authenticate/authenticate.go
@ -20,7 +20,11 @@ import (
 // ValidateOptions checks that configuration are complete and valid.
 // Returns on first error found.
 func ValidateOptions(o *config.Options) error {
-	if _, err := cryptutil.NewAEADCipherFromBase64(o.SharedKey); err != nil {
+	sharedKey, err := o.GetSharedKey()
+	if err != nil {
+		return fmt.Errorf("authenticate: 'SHARED_SECRET' invalid: %w", err)
+	}
+	if _, err := cryptutil.NewAEADCipher(sharedKey); err != nil {
 		return fmt.Errorf("authenticate: 'SHARED_SECRET' invalid: %w", err)
 	}
 	if _, err := cryptutil.NewAEADCipherFromBase64(o.CookieSecret); err != nil {
--- a/authenticate/authenticate_test.go
+++ b/authenticate/authenticate_test.go
@ -39,6 +39,7 @@ func TestOptions_Validate(t *testing.T) {
 	shortCookieLength := newTestOptions(t)
 	shortCookieLength.CookieSecret = "gN3xnvfsAwfCXxnJorGLKUG4l2wC8sS8nfLMhcStPg=="
 	badSharedKey := newTestOptions(t)
+	badSharedKey.Services = "authenticate"
 	badSharedKey.SharedKey = ""
 	badAuthenticateURL := newTestOptions(t)
 	badAuthenticateURL.AuthenticateURLString = "BAD_URL"
--- a/authenticate/state.go
+++ b/authenticate/state.go
@ -78,7 +78,7 @@ func newAuthenticateStateFromConfig(cfg *config.Config) (*authenticateState, err
 	state.redirectURL.Path = cfg.Options.AuthenticateCallbackPath

 	// shared cipher to encrypt data before passing data between services
-	state.sharedKey, err = base64.StdEncoding.DecodeString(cfg.Options.SharedKey)
+	state.sharedKey, err = cfg.Options.GetSharedKey()
 	if err != nil {
 		return nil, err
 	}
@ -140,7 +140,7 @@ func newAuthenticateStateFromConfig(cfg *config.Config) (*authenticateState, err
 		state.jwk.Keys = append(state.jwk.Keys, *jwk)
 	}

-	sharedKey, err := base64.StdEncoding.DecodeString(cfg.Options.SharedKey)
+	sharedKey, err := cfg.Options.GetSharedKey()
 	if err != nil {
 		return nil, err
 	}
@ -157,7 +157,7 @@ func newAuthenticateStateFromConfig(cfg *config.Config) (*authenticateState, err
 		CAFile:                  cfg.Options.CAFile,
 		RequestTimeout:          cfg.Options.GRPCClientTimeout,
 		ClientDNSRoundRobin:     cfg.Options.GRPCClientDNSRoundRobin,
-		WithInsecure:            cfg.Options.GRPCInsecure,
+		WithInsecure:            cfg.Options.GetGRPCInsecure(),
 		InstallationID:          cfg.Options.InstallationID,
 		ServiceName:             cfg.Options.Services,
 		SignedJWTKey:            sharedKey,