Improve handling of secret_file

The secret file path is only read when needed, and, as root, is read from /etc/secret.eny
radiospiel · Oct 16, 2019 · ec7300f · ec7300f
1 parent 8e53428
commit ec7300f
Showing 1 changed file with 23 additions and 17 deletions.
diff --git a/src/golang/envy/secret.go b/src/golang/envy/secret.go
@@ -11,14 +11,34 @@ var _secretFile string
 
 func secretFile() string {
 	if _secretFile == "" {
-		panic("_secretFile must be set")
+		_secretFile = determineSecretFile()
 	}
 
 	return _secretFile
 }
 
-func setSecretFile(secretFile string) {
-	_secretFile = secretFile
+const ENVY_BASE_NAME = ".secret.envy"
+
+func determineSecretFile() string {
+	path, ok := os.LookupEnv("ENVY_SECRET_PATH")
+	if ok {
+		log.Printf("DBG load secret from %s (as per ENVY_SECRET_PATH)", path)
+		return path
+	}
+
+	/*
+	 * when running as root read setcret from /etc/secret.envy
+	 */
+
+	if os.Geteuid() == 0 {
+		path = "/etc/" + ENVY_BASE_NAME
+	} else {
+		path = os.Getenv("HOME") + "/" + ENVY_BASE_NAME
+	}
+
+	log.Printf("DBG load secret from %s", path)
+
+	return path
 }
 
 /*
@@ -38,17 +58,3 @@ func readSecret() []byte {
 
 	return binary_secret
 }
-
-const ENVY_BASE_NAME = ".secret.envy"
-
-func init() {
-	path, ok := os.LookupEnv("ENVY_SECRET_PATH")
-	if ok {
-		log.Printf("DBG load secret from %s (as per ENVY_SECRET_PATH)", path)
-	} else {
-		path = os.Getenv("HOME") + "/" + ENVY_BASE_NAME
-		log.Printf("DBG load secret from %s", path)
-	}
-
-	setSecretFile(path)
-}