From cab97d5f2f30dd2dedfb84daf4644c8ba4c7d1df Mon Sep 17 00:00:00 2001
From: Clement Michaud
Date: Tue, 21 Jan 2020 23:02:03 +0100
Subject: [PATCH] Bind secret environment variable to allow unmarshalling.
---
 internal/configuration/reader.go | 12 ++++++++++-
 internal/configuration/reader_test.go | 20 ++++++++++++++-----
 .../configuration/test_resources/config.yml | 7 -------
 3 files changed, 26 insertions(+), 13 deletions(-)
diff --git a/internal/configuration/reader.go b/internal/configuration/reader.go
index 52f86d817..725bcfda3 100644
--- a/internal/configuration/reader.go
+++ b/internal/configuration/reader.go
@@ -19,7 +19,17 @@ func check(e error) {
 func Read(configPath string) (*schema.Configuration, []error) {
 viper.SetEnvPrefix("AUTHELIA")
 viper.SetEnvKeyReplacer(strings.NewReplacer(".", "_"))
- viper.AutomaticEnv()
+
+ // we need to bind all env variables as long as https://github.com/spf13/viper/issues/761
+ // is not resolved.
+ viper.BindEnv("jwt_secret")
+ viper.BindEnv("duo_api.secret_key")
+ viper.BindEnv("session.secret")
+ viper.BindEnv("authentication_backend.ldap.password")
+ viper.BindEnv("notifier.smtp.password")
+ viper.BindEnv("session.redis.password")
+ viper.BindEnv("storage.mysql.password")
+ viper.BindEnv("storage.postgres.password")
 viper.SetConfigFile(configPath)
diff --git a/internal/configuration/reader_test.go b/internal/configuration/reader_test.go
index 7d802fe16..5e455e611 100644
--- a/internal/configuration/reader_test.go
+++ b/internal/configuration/reader_test.go
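Review bot: The eight `viper.BindEnv` calls replace `viper.AutomaticEnv()` with a hard-coded allowlist whose error returns are discarded, so any AUTHELIA_* variable outside this list is now silently ignored and the list must be edited by hand every time a secret is added to the schema. Keeping the keys in a package-level slice and looping over them makes the set reviewable in one place and lets a binding error surface through Read's existing []error return instead of being dropped. If non-secret keys were still meant to be overridable from the environment (not verifiable from this hunk), `viper.AutomaticEnv()` can remain alongside the explicit bindings, since the two are not mutually exclusive. The excerpt below assumes fmt is imported in reader.go; Read's body continues past the end of the hunk.
```go
// secretEnvKeys lists the configuration keys that may be supplied through
// AUTHELIA_* environment variables (dots become underscores via the replacer).
var secretEnvKeys = []string{
	"jwt_secret",
	"duo_api.secret_key",
	"session.secret",
	"authentication_backend.ldap.password",
	"notifier.smtp.password",
	"session.redis.password",
	"storage.mysql.password",
	"storage.postgres.password",
}

func Read(configPath string) (*schema.Configuration, []error) {
	// … unchanged: SetEnvPrefix / SetEnvKeyReplacer …

	// we need to bind all env variables as long as https://github.com/spf13/viper/issues/761
	// is not resolved.
	for _, key := range secretEnvKeys {
		if err := viper.BindEnv(key); err != nil {
			return nil, []error{fmt.Errorf("binding environment variable for %q: %w", key, err)}
		}
	}

	// … unchanged: SetConfigFile and the rest of Read …
```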
@@ -9,11 +9,14 @@ import (
 )
 func TestShouldParseConfigFile(t *testing.T) {
- err := os.Setenv("AUTHELIA_JWT_SECRET", "secret_from_env")
- require.NoError(t, err)
-
- err = os.Setenv("AUTHELIA_DUO_API_SECRET_KEY", "duo_secret_from_env")
- require.NoError(t, err)
+ require.NoError(t, os.Setenv("AUTHELIA_JWT_SECRET", "secret_from_env"))
+ require.NoError(t, os.Setenv("AUTHELIA_DUO_API_SECRET_KEY", "duo_secret_from_env"))
+ require.NoError(t, os.Setenv("AUTHELIA_SESSION_SECRET", "session_secret_from_env"))
+ require.NoError(t, os.Setenv("AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD", "ldap_secret_from_env"))
+ require.NoError(t, os.Setenv("AUTHELIA_NOTIFIER_SMTP_PASSWORD", "smtp_secret_from_env"))
+ require.NoError(t, os.Setenv("AUTHELIA_SESSION_REDIS_PASSWORD", "redis_secret_from_env"))
+ require.NoError(t, os.Setenv("AUTHELIA_STORAGE_MYSQL_PASSWORD", "mysql_secret_from_env"))
+ require.NoError(t, os.Setenv("AUTHELIA_STORAGE_POSTGRES_PASSWORD", "postgres_secret_from_env"))
 config, errors := Read("./test_resources/config.yml")
@@ -29,6 +32,13 @@ func TestShouldParseConfigFile(t *testing.T) {
 assert.Equal(t, "ABCDEF", config.DuoAPI.IntegrationKey)
 assert.Equal(t, "duo_secret_from_env", config.DuoAPI.SecretKey)
+ assert.Equal(t, "session_secret_from_env", config.Session.Secret)
+ assert.Equal(t, "ldap_secret_from_env", config.AuthenticationBackend.Ldap.Password)
+ assert.Equal(t, "smtp_secret_from_env", config.Notifier.SMTP.Password)
+ assert.Equal(t, "redis_secret_from_env", config.Session.Redis.Password)
+ assert.Equal(t, "mysql_secret_from_env", config.Storage.MySQL.Password)
+ assert.Equal(t, "postgres_secret_from_env", config.Storage.PostgreSQL.Password)
+
 assert.Equal(t, "deny", config.AccessControl.DefaultPolicy)
 assert.Len(t, config.AccessControl.Rules, 11)
 }
diff --git a/internal/configuration/test_resources/config.yml b/internal/configuration/test_resources/config.yml
index 3ba389a5f..8bedc2845 100644
--- a/internal/configuration/test_resources/config.yml
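Review bot: The eight `os.Setenv` calls at the top of TestShouldParseConfigFile are never undone, so the AUTHELIA_* values stay in the process environment for every test that runs after this one in the package, and a later test that expects a secret to come from the file alone will silently read these instead. Pair each call with a deferred unset, e.g. `defer os.Unsetenv("AUTHELIA_JWT_SECRET")` right after the first `require.NoError`, or move the setup into a small helper that registers the unset for the caller; on Go 1.17 and later `t.Setenv` does both in one call. The function continues past the first hunk, so the deferred unsets would cover the assertions in the second hunk as well.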
+++ b/internal/configuration/test_resources/config.yml
@@ -4,7 +4,6 @@ host: 127.0.0.1
 port: 9091
-jwt_secret: unsecure_secret
 logs_level: debug
 default_redirection_url: https://home.example.com:8080/
@@ -15,7 +14,6 @@ totp:
 duo_api:
 hostname: api-123456789.example.com
 integration_key: ABCDEF
- secret_key: 1234567890abcdefghifjkl
 authentication_backend:
 ldap:
@@ -28,7 +26,6 @@ authentication_backend:
 group_name_attribute: cn
 mail_attribute: mail
 user: cn=admin,dc=example,dc=com
- password: password
 access_control:
 default_policy: deny
@@ -90,14 +87,12 @@ access_control:
 session:
 name: authelia_session
- secret: unsecure_session_secret
 expiration: 3600000 # 1 hour
 inactivity: 300000 # 5 minutes
 domain: example.com
 redis:
 host: 127.0.0.1
 port: 6379
- password: authelia
 regulation:
 max_retries: 3
@@ -110,12 +105,10 @@ storage:
 port: 3306
 database: authelia
 username: authelia
- password: authelia
 notifier:
 smtp:
 username: test
- password: password
 host: 127.0.0.1
 port: 1025
 sender: admin@example.com