Support reading secrets from systemd credentials

Allow reading OauthClientId and OauthClientSecret from systemd
LoadCredential directives.

Add support for reading the secret key and the session key from
the following files:

$CREDENTIALS_DIRECTORY/OAUTH_CLIENT_ID
$CREDENTIALS_DIRECTORY/OAUTH_CLIENT_SECRET

Author: squalus

CHANGELOG.md

@@ -4,6 +4,8 @@
 
 Coming soon! Please document any work in progress here as part of your PR. It will be moved to the next tag when released.
 
+- [Support reading secrets from systemd credentials](https://github.com/vouch/vouch-proxy/pull/487)
+
 ## v0.37.0
 
 - [allow configurable Write, Read and Idle timeouts for the http server](https://github.com/vouch/vouch-proxy/pull/468)

pkg/cfg/cfg.go

@@ -229,6 +229,13 @@ func configureFromEnv() bool {
 	if err != nil {
 		log.Fatal(err.Error())
 	}
+
+	// try to read secrets provided by systemd
+	if credDir := os.Getenv("CREDENTIALS_DIRECTORY"); credDir != "" {
+		readSystemdSecret(credDir, "OAUTH_CLIENT_ID", &GenOAuth.ClientID)
+		readSystemdSecret(credDir, "OAUTH_CLIENT_SECRET", &GenOAuth.ClientSecret)
+	}
+
 	// did anything change?
 	if !reflect.DeepEqual(preEnvConfig, *Cfg) ||
 		!reflect.DeepEqual(preEnvGenOAuth, *GenOAuth) {
@@ -244,6 +251,23 @@ func configureFromEnv() bool {
 	return false
 }
 
+// try to read a secret from systemd LoadCredential directive, if it hasn't been set yet
+func readSystemdSecret(credDir, name string, outVal *string) {
+	if *outVal != "" {
+		return
+	}
+	credPath := path.Join(credDir, name)
+	val, err := os.ReadFile(credPath)
+	if err != nil {
+		if !os.IsNotExist(err) {
+			log.Info(fmt.Errorf("read systemd secret %s: %w", credPath, err))
+		}
+		return
+	}
+	log.Infof("%s secret read from systemd credential", name)
+	*outVal = string(val)
+}
+
 // ValidateConfiguration confirm the Configuration is valid
 func ValidateConfiguration() error {
 	if Cfg.Testing {