From 0214abb58c90136578d4611981091ac8c1f1614b Mon Sep 17 00:00:00 2001
From: Luke Massa
Date: Fri, 6 Sep 2019 14:37:52 -0400
Subject: [PATCH] Add option to put secret in a file
---
 README.md | 1 +
 nginx/conf/nginx.conf | 1 +
 nginx/lua/auth.lua | 18 +++++++++++++++++-
 3 files changed, 19 insertions(+), 1 deletion(-)
diff --git a/README.md b/README.md
index fcf9d33..6cbb2fc 100644
--- a/README.md
+++ b/README.md
@@ -26,6 +26,7 @@ environment variables is used in this image:
 * `OID_DISCOVERY`: OpenID provider well-known discovery URL
 * `OID_CLIENT_ID`: OpenID Client ID
 * `OID_CLIENT_SECRET`: OpenID Client Secret
+* `OID_CLIENT_SECRET_FILE`: File to pull the OpenID Client Secret from (i.e. if you don't want to store it in an environment variable)
 * `OIDC_AUTH_METHOD`: OpenID Connect authentication method (`client_secret_basic` or `client_secret_post`)
 * `OIDC_RENEW_ACCESS_TOKEN_ON_EXPIERY`: Enable silent renew of access token (`true` or `false`)
diff --git a/nginx/conf/nginx.conf b/nginx/conf/nginx.conf
index ca23892..84446df 100644
--- a/nginx/conf/nginx.conf
+++ b/nginx/conf/nginx.conf
@@ -12,6 +12,7 @@ env OID_SESSION_NAME;
 env OID_DISCOVERY;
 env OID_CLIENT_ID;
 env OID_CLIENT_SECRET;
+env OID_CLIENT_SECRET_FILE;
 env OID_REDIRECT_PATH;
 env OIDC_AUTH_SCOPE;
 env OIDC_AUTH_METHOD;
diff --git a/nginx/lua/auth.lua b/nginx/lua/auth.lua
index ee79f09..de270d0 100644
--- a/nginx/lua/auth.lua
+++ b/nginx/lua/auth.lua
@@ -1,8 +1,24 @@
+if os.getenv("OID_CLIENT_SECRET_FILE") then
+ filename = os.getenv("OID_CLIENT_SECRET_FILE")
+ local f = io.open(filename, "rb")
+ if not f then
+ ngx.status = 500
+ ngx.header.content_type = 'text/html';
+
+ ngx.say("Could not find filename for OID_CLIENT_SECRET_FILE: " .. filename)
+ ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
+ end
+
+ oid_secret = f.read(f)
+else
+ oid_secret = os.getenv("OID_CLIENT_SECRET")
+end
+
 local opts = {
 redirect_uri_path = os.getenv("OID_REDIRECT_PATH") or "/redirect_uri",
 discovery = os.getenv("OID_DISCOVERY"),
 client_id = os.getenv("OID_CLIENT_ID"),
- client_secret = os.getenv("OID_CLIENT_SECRET"),
+ client_secret = oid_secret,
 token_endpoint_auth_method = os.getenv("OIDC_AUTH_METHOD") or "client_secret_basic",
 renew_access_token_on_expiry = os.getenv("OIDC_RENEW_ACCESS_TOKEN_ON_EXPIERY") ~= "false",
 scope = os.getenv("OIDC_AUTH_SCOPE") or "openid",
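Review bot: `filename` and `oid_secret` are assigned without `local` in the new block at the top of the hunk, so the client secret is written into the worker's global table where it persists across requests and is readable by any other Lua code running in that worker; declare both `local`. The file handle is never closed after `f.read(f)` (a descriptor leaked per request), the default read yields `nil` on an empty file so an empty secret is passed on silently, and the second return value of `io.open`, the reason for the failure, is discarded. The error branch also echoes the server-side path in the response body; keep it in the error log via `ngx.log(ngx.ERR, ...)` and send a generic message to the client. Opening the file on every request is blocking I/O in the request path — reading it once at init would avoid that, though how often this file runs depends on the nginx.conf directive that loads it, which is outside the hunk. The `opts` table begun at the end of the hunk closes outside it.
```lua
local oid_secret
local secret_file = os.getenv("OID_CLIENT_SECRET_FILE")
if secret_file then
    local f, err = io.open(secret_file, "rb")
    if not f then
        -- the path and the OS error belong in the error log, not in the response body
        ngx.log(ngx.ERR, "cannot open OID_CLIENT_SECRET_FILE: ", err)
        ngx.status = 500
        ngx.header.content_type = 'text/html';
        ngx.say("Could not read the OpenID client secret")
        ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
    end
    oid_secret = f:read("*l")
    f:close()
    if not oid_secret or oid_secret == "" then
        ngx.log(ngx.ERR, "OID_CLIENT_SECRET_FILE is empty")
        ngx.status = 500
        ngx.header.content_type = 'text/html';
        ngx.say("Could not read the OpenID client secret")
        ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR)
    end
else
    oid_secret = os.getenv("OID_CLIENT_SECRET")
end
-- … unchanged: opts table (client_secret = oid_secret) …
```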