From 02cfe326d3226f8dfffeda445c3de736b64288d7 Mon Sep 17 00:00:00 2001
From: lub <git@lubiland.de>
Date: Sun, 30 Aug 2020 01:04:36 +0200
Subject: [PATCH] support using files for SECRET_KEY and DB_PW

this enables usage of e.g. docker swarm secrets instead of exposing the
passwords directly via environment variables

just use DB_PW_FILE and SECRET_KEY_FILE instead of DB_PW and SECRET_KEY
---
 core/admin/mailu/configuration.py | 11 ++++++++++-
 webmails/roundcube/config.inc.php |  2 +-
 2 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/core/admin/mailu/configuration.py b/core/admin/mailu/configuration.py
index 66b0b832..eacf7803 100644
--- a/core/admin/mailu/configuration.py
+++ b/core/admin/mailu/configuration.py
@@ -100,6 +100,15 @@ class ConfigManager(dict):
         if self.config["WEBMAIL"] != "none":
             self.config["WEBMAIL_ADDRESS"] = self.get_host_address("WEBMAIL")
 
+    def __get_env(self, key, value):
+        key_file = key + "_FILE"
+        if key_file in os.environ:
+            with open(os.environ.get(key_file)) as file:
+                value_from_file = file.read()
+            return value_from_file.strip()
+        else:
+            return os.environ.get(key, value)
+
     def __coerce_value(self, value):
         if isinstance(value, str) and value.lower() in ('true','yes'):
             return True
@@ -111,7 +120,7 @@ class ConfigManager(dict):
         self.config.update(app.config)
         # get environment variables
         self.config.update({
-            key: self.__coerce_value(os.environ.get(key, value))
+            key: self.__coerce_value(self.__get_env(key, value))
             for key, value in DEFAULT_CONFIG.items()
         })
         self.resolve_hosts()
diff --git a/webmails/roundcube/config.inc.php b/webmails/roundcube/config.inc.php
index eb40047a..627b96a7 100644
--- a/webmails/roundcube/config.inc.php
+++ b/webmails/roundcube/config.inc.php
@@ -5,7 +5,7 @@ $config = array();
 // Generals
 $config['db_dsnw'] = getenv('DB_DSNW');;
 $config['temp_dir'] = '/tmp/';
-$config['des_key'] = getenv('SECRET_KEY');
+$config['des_key'] = getenv('SECRET_KEY') ? getenv('SECRET_KEY') : trim(file_get_contents(getenv('SECRET_KEY_FILE')));
 $config['cipher_method'] = 'AES-256-CBC';
 $config['identities_level'] = 0;
 $config['reply_all_mode'] = 1;