boardwalkd (enh/security): Enable click generation of envvars for opt…

…ions (#70)

* boardwalkd (enh/security): Enable click generation of envvars for options

Specifies context settings for the Click cli.command() for `serve` in
boardwalkd, so that any click.options have environment variables automatically
created and checked for values, using the `BOARDWALKD` prefix.

Tagged as security-related as the key driving factor behind this change was to
enable use of the `--slack-webhook-url` and `--slack-error-webhook-url` from
envvars, because the webhooks URLs are considered secret, and consequently they
should not be passed on the command line where they can wind up in the shell history.

Resolves #69.
Resolves Backblaze SVRENG-270.

* Standardize envvar naming for boardwalkd to use the BOARDWALKD_ prefix

Updates the BOARDWALK_SECRET, BOARDWALK_GOOGLE_OAUTH_CLIENT_ID, and BOARDWALK_GOOGLE_OAUTH_SECRET to use BOARDWALKD_ as the prefix instead of the prior BOARDWALK_, as we now use click's auto envvar prefix feature with BOARDWALKD as the prefix.

Makefile

@@ -33,7 +33,6 @@ ifdef BOARDWALKD_SLACK_WEBHOOK_URL
 		--develop \
 		--host-header-pattern="(localhost|127\.0\.0\.1)" \
 		--port=8888 \
-		--slack-webhook-url="$(BOARDWALKD_SLACK_WEBHOOK_URL)" \
 		--url='http://localhost:8888'
 else
 	poetry run boardwalkd serve \

pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "poetry.core.masonry.api"
 
 [tool.poetry]
 name = "boardwalk"
-version = "0.8.16"
+version = "0.8.17"
 description = "Boardwalk is a linear Ansible workflow engine"
 readme = "README.md"
 authors = [

src/boardwalkd/cli.py

@@ -15,6 +15,10 @@
 
 logging.basicConfig(level=logging.INFO)
 
+CONTEXT_SETTINGS: dict = dict(
+    auto_envvar_prefix="BOARDWALKD",
+)
+
 
 @click.group()
 def cli():
@@ -27,7 +31,7 @@ def cli():
     pass
 
 
-@cli.command()
+@cli.command(context_settings=CONTEXT_SETTINGS)
 @click.option(
     "--auth-expire-days",
     help=(
@@ -52,7 +56,7 @@ def cli():
         "All requests are performed as an 'anonymous' default user\n\n"
         "google_oauth\n\n"
         "Uses Google Oauth2 to identify users by their Google account email address."
-        " BOARDWALK_GOOGLE_OAUTH_CLIENT_ID and BOARDWALK_GOOGLE_OAUTH_SECRET"
+        " BOARDWALKD_GOOGLE_OAUTH_CLIENT_ID and BOARDWALKD_GOOGLE_OAUTH_SECRET"
         " environment variables must be set. The authorized redirect URI should be"
         " https://<hostname>/auth/login"
     ),
@@ -105,6 +109,7 @@ def cli():
     help="A Slack webhook URL to broadcast all key events to",
     type=str,
     default=None,
+    show_envvar=True,
 )
 @click.option(
     "--slack-error-webhook-url",
@@ -114,6 +119,7 @@ def cli():
     ),
     type=str,
     default=None,
+    show_envvar=True,
 )
 @click.option(
     "--tls-crt",

src/boardwalkd/server.py

@@ -869,7 +869,7 @@ def make_app(
     # Set-up authentication
     if auth_method != "anonymous":
         try:
-            settings["cookie_secret"] = os.environ["BOARDWALK_SECRET"]
+            settings["cookie_secret"] = os.environ["BOARDWALKD_SECRET"]
         except KeyError:
             raise BoardwalkException(
                 (
@@ -886,13 +886,13 @@ def make_app(
         case "google_oauth":
             try:
                 settings["google_oauth"] = {
-                    "key": os.environ["BOARDWALK_GOOGLE_OAUTH_CLIENT_ID"],
-                    "secret": os.environ["BOARDWALK_GOOGLE_OAUTH_SECRET"],
+                    "key": os.environ["BOARDWALKD_GOOGLE_OAUTH_CLIENT_ID"],
+                    "secret": os.environ["BOARDWALKD_GOOGLE_OAUTH_SECRET"],
                 }
             except KeyError:
                 raise BoardwalkException(
                     (
-                        "BOARDWALK_GOOGLE_OAUTH_CLIENT_ID and BOARDWALK_GOOGLE_OAUTH_SECRET env vars"
+                        "BOARDWALKD_GOOGLE_OAUTH_CLIENT_ID and BOARDWALKD_GOOGLE_OAUTH_SECRET env vars"
                         " are required when auth_method is google_oauth"
                     )
                 )