Added secrets loading

Author: nisseknudsen

make87/config.py

@@ -1,10 +1,35 @@
 import os
+import re
 from typing import Union, Dict, TypeVar, Callable, Any
 
 from make87.models import ApplicationConfig
 
 CONFIG_ENV_VAR = "MAKE87_CONFIG"
 
+# Match pattern: ${secret.XYZ} with optional whitespace
+SECRET_PATTERN = re.compile(r"^\s*\$\{secret\.([A-Za-z0-9_]+)\}\s*$")
+
+
+def _resolve_secrets(obj):
+    # Recursively resolve secrets in dicts/lists
+    if isinstance(obj, dict):
+        return {k: _resolve_secrets(v) for k, v in obj.items()}
+    elif isinstance(obj, list):
+        return [_resolve_secrets(item) for item in obj]
+    elif isinstance(obj, str):
+        match = SECRET_PATTERN.match(obj)
+        if match:
+            secret_name = match.group(1)
+            secret_path = f"/run/secrets/{secret_name}.secret"
+            try:
+                with open(secret_path, "r") as f:
+                    return f.read().strip()
+            except Exception as e:
+                raise RuntimeError(f"Failed to load secret '{secret_name}' from {secret_path}: {e}")
+        return obj
+    else:
+        return obj
+
 
 def load_config_from_env(var: str = CONFIG_ENV_VAR) -> ApplicationConfig:
     """
@@ -14,19 +39,23 @@ def load_config_from_env(var: str = CONFIG_ENV_VAR) -> ApplicationConfig:
     raw = os.environ.get(var)
     if not raw:
         raise RuntimeError(f"Required env var {var} missing!")
-    return ApplicationConfig.model_validate_json(raw)
+    config = ApplicationConfig.model_validate_json(raw)
+    config.config = _resolve_secrets(config.config)
+    return config
 
 
 def load_config_from_json(json_data: Union[str, Dict]) -> ApplicationConfig:
     """
     Load and validate ApplicationConfig from a JSON string or dict.
     """
     if isinstance(json_data, str):
-        return ApplicationConfig.model_validate_json(json_data)
+        config = ApplicationConfig.model_validate_json(json_data)
     elif isinstance(json_data, dict):
-        return ApplicationConfig.model_validate(json_data)
+        config = ApplicationConfig.model_validate(json_data)
     else:
         raise TypeError("json_data must be a JSON string or dict.")
+    config.config = _resolve_secrets(config.config)
+    return config
 
 
 T = TypeVar("T")

tests/unit/config/test_config.py

@@ -0,0 +1,60 @@
+import os
+import tempfile
+import pytest
+
+from make87.config import load_config_from_json, get_config_value
+
+
+class DummyAppConfig:
+    def __init__(self, config):
+        self.config = config
+
+
+def test_secret_resolution(monkeypatch):
+    # Create a temporary secret file
+    with tempfile.TemporaryDirectory() as tmpdir:
+        secret_name = "MYSECRET"
+        secret_value = "supersecret"
+        secret_file = os.path.join(tmpdir, f"{secret_name}.secret")
+        with open(secret_file, "w") as f:
+            f.write(secret_value)
+
+        # Patch open to redirect /run/secrets/MYSECRET.secret to our temp file
+        import builtins
+
+        real_open = builtins.open
+
+        def fake_open(path, *args, **kwargs):
+            if path == f"/run/secrets/{secret_name}.secret":
+                return real_open(secret_file, *args, **kwargs)
+            return real_open(path, *args, **kwargs)
+
+        monkeypatch.setattr("builtins.open", fake_open)
+
+        # Provide all required fields for ApplicationConfig
+        config_dict = {
+            "application_info": {
+                "application_id": "app-id",
+                "application_name": "dummy",
+                "deployed_application_id": "deploy-id",
+                "deployed_application_name": "dummy-deploy",
+                "is_release_version": False,
+                "name": "dummy",  # legacy/extra, ignored if not in model
+                "system_id": "sys-id",
+                "version": "1.0",
+            },
+            "interfaces": {},
+            "peripherals": {"peripherals": []},
+            "config": {"password": "${secret.MYSECRET}"},
+        }
+        config = load_config_from_json(config_dict)
+        assert config.config["password"] == secret_value
+
+
+def test_get_config_value():
+    config = DummyAppConfig({"foo": 123, "bar": "baz"})
+    assert get_config_value(config, "foo") == 123
+    assert get_config_value(config, "bar") == "baz"
+    assert get_config_value(config, "missing", default="x") == "x"
+    with pytest.raises(KeyError):
+        get_config_value(config, "missing2")