Add ability to read secrets from files

api/Dockerfile

@@ -1,6 +1,8 @@
 # This dockerfile builds the API and runs it on a minimal container with the Datastore adaptor
 
 FROM rust:latest as builder
+ARG adaptor=sql-adaptor
+
 
 # Install CA Certs for Hyper
 RUN apt-get install -y --no-install-recommends ca-certificates
@@ -11,7 +13,7 @@ COPY . .
 # Will build and cache the binary and dependent crates in release mode
 RUN --mount=type=cache,target=/usr/local/cargo,from=rust:latest,source=/usr/local/cargo \
     --mount=type=cache,target=target \
-    cargo build --release --features datastore-adaptor && mv ./target/release/crabfit-api ./api
+    cargo build --release --features $adaptor && mv ./target/release/crabfit-api ./api
 
 # Runtime image
 FROM debian:bullseye-slim

api/adaptors/sql/Cargo.toml

@@ -12,3 +12,4 @@ async-std = { version = "1", features = ["attributes", "tokio1"] }
 sea-orm-migration = "0.11.0"
 serde_json = "1.0.96"
 chrono = "0.4.24"
+url = "2.5.4"

api/adaptors/sql/src/lib.rs

@@ -1,4 +1,4 @@
-use std::{env, error::Error};
+use std::{env, error::Error, fs};
 
 use async_trait::async_trait;
 use chrono::{DateTime, Utc};
@@ -13,6 +13,7 @@ use sea_orm::{
     TransactionError, TransactionTrait, TryIntoModel,
 };
 use serde_json::json;
+use url::Url;
 
 mod entity;
 mod migration;
@@ -180,11 +181,29 @@ async fn get_stats_row(db: &DatabaseConnection) -> Result<stats::ActiveModel, Db
     })
 }
 
-impl SqlAdaptor {
-    pub async fn new() -> Self {
+fn get_connection_string() -> String {
     let connection_string =
         env::var("DATABASE_URL").expect("Expected DATABASE_URL environment variable");
 
+    if let Some(password_file_location) = env::var_os("DATABASE_PASSWORD_FILE") {
+        // The password can be left out of the URL, we add it from the specified
+        // file (presumably under /run/secrets/)
+        let password = fs::read(&password_file_location).unwrap_or_else(|err| {
+            panic!("could not read database password from {password_file_location:?}\n\t{err:?}")
+        });
+        let mut url = Url::parse(&connection_string).expect("invalid connection string");
+        url.set_password(Some(String::from_utf8_lossy(password.as_slice()).as_ref()))
+            .unwrap_or_else(|_| panic!("invalid database URL: {connection_string:?}"));
+        url.to_string()
+    } else {
+        connection_string
+    }
+}
+
+impl SqlAdaptor {
+    pub async fn new() -> Self {
+        let connection_string = get_connection_string();
+
         // Connect to the database
         let db = Database::connect(&connection_string)
             .await

api/src/routes/tasks.rs

@@ -1,4 +1,4 @@
-use std::env;
+use std::{env, fs};
 
 use axum::{extract, http::HeaderMap};
 use chrono::{Duration, Utc};
@@ -28,7 +28,17 @@ pub async fn cleanup<A: Adaptor>(
         .get("X-Cron-Key")
         .map(|k| k.to_str().unwrap_or_default().into())
         .unwrap_or_default();
-    let env_key = env::var("CRON_KEY").unwrap_or_default();
+    let env_key = if let Ok(key) = env::var("CRON_KEY") {
+        key
+    } else if let Some(path) = env::var_os("CRON_KEY_FILE") {
+        let Ok(key) = fs::read(&path) else {
+            println!("Error reading CRON_KEY_FILE at {path:?}");
+            return Err(ApiError::NotAuthorized);
+        };
+        String::from_utf8_lossy(key.as_slice()).into()
+    } else {
+        Default::default()
+    };
     if !env_key.is_empty() && cron_key_header != env_key {
         return Err(ApiError::NotAuthorized);
     }