feat: add config directive to pass wechat api secret via file

Ref: #2498
Signed-off-by: Christoph Maser <christoph.maser+github@gmail.com>

Author: TheMeier

config/notifiers.go

@@ -636,15 +636,16 @@ type WechatConfig struct {
 
 	HTTPConfig *commoncfg.HTTPClientConfig `yaml:"http_config,omitempty" json:"http_config,omitempty"`
 
-	APISecret   Secret `yaml:"api_secret,omitempty" json:"api_secret,omitempty"`
-	CorpID      string `yaml:"corp_id,omitempty" json:"corp_id,omitempty"`
-	Message     string `yaml:"message,omitempty" json:"message,omitempty"`
-	APIURL      *URL   `yaml:"api_url,omitempty" json:"api_url,omitempty"`
-	ToUser      string `yaml:"to_user,omitempty" json:"to_user,omitempty"`
-	ToParty     string `yaml:"to_party,omitempty" json:"to_party,omitempty"`
-	ToTag       string `yaml:"to_tag,omitempty" json:"to_tag,omitempty"`
-	AgentID     string `yaml:"agent_id,omitempty" json:"agent_id,omitempty"`
-	MessageType string `yaml:"message_type,omitempty" json:"message_type,omitempty"`
+	APISecret     Secret `yaml:"api_secret,omitempty" json:"api_secret,omitempty"`
+	APISecretFile string `yaml:"api_secret_file,omitempty" json:"api_secret_file,omitempty"`
+	CorpID        string `yaml:"corp_id,omitempty" json:"corp_id,omitempty"`
+	Message       string `yaml:"message,omitempty" json:"message,omitempty"`
+	APIURL        *URL   `yaml:"api_url,omitempty" json:"api_url,omitempty"`
+	ToUser        string `yaml:"to_user,omitempty" json:"to_user,omitempty"`
+	ToParty       string `yaml:"to_party,omitempty" json:"to_party,omitempty"`
+	ToTag         string `yaml:"to_tag,omitempty" json:"to_tag,omitempty"`
+	AgentID       string `yaml:"agent_id,omitempty" json:"agent_id,omitempty"`
+	MessageType   string `yaml:"message_type,omitempty" json:"message_type,omitempty"`
 }
 
 const wechatValidTypesRe = `^(text|markdown)$`
@@ -667,6 +668,10 @@ func (c *WechatConfig) UnmarshalYAML(unmarshal func(any) error) error {
 		return fmt.Errorf("weChat message type %q does not match valid options %s", c.MessageType, wechatValidTypesRe)
 	}
 
+	if c.APISecret != "" && len(c.APISecretFile) > 0 {
+		return errors.New("at most one of api_secret & api_secret_file must be configured")
+	}
+
 	return nil
 }
 

notify/wechat/wechat.go

@@ -23,6 +23,8 @@ import (
 	"log/slog"
 	"net/http"
 	"net/url"
+	"os"
+	"strings"
 	"time"
 
 	commoncfg "github.com/prometheus/common/config"
@@ -97,7 +99,11 @@ func (n *Notifier) Notify(ctx context.Context, as ...*types.Alert) (bool, error)
 	// Refresh AccessToken over 2 hours
 	if n.accessToken == "" || time.Since(n.accessTokenAt) > 2*time.Hour {
 		parameters := url.Values{}
-		parameters.Add("corpsecret", tmpl(string(n.conf.APISecret)))
+		apiSecret, err := n.getApiSecret()
+		if err != nil {
+			return false, err
+		}
+		parameters.Add("corpsecret", tmpl(apiSecret))
 		parameters.Add("corpid", tmpl(string(n.conf.CorpID)))
 		if err != nil {
 			return false, fmt.Errorf("templating error: %w", err)
@@ -194,3 +200,14 @@ func (n *Notifier) Notify(ctx context.Context, as ...*types.Alert) (bool, error)
 
 	return false, errors.New(weResp.Error)
 }
+
+func (n *Notifier) getApiSecret() (string, error) {
+	if len(n.conf.APISecretFile) > 0 {
+		content, err := os.ReadFile(n.conf.APISecretFile)
+		if err != nil {
+			return "", err
+		}
+		return strings.TrimSpace(string(content)), nil
+	}
+	return string(n.conf.APISecret), nil
+}

notify/wechat/wechat_test.go

@@ -16,6 +16,7 @@ package wechat
 import (
 	"fmt"
 	"net/http"
+	"os"
 	"testing"
 
 	commoncfg "github.com/prometheus/common/config"
@@ -90,3 +91,34 @@ func TestWechatMessageTypeSelector(t *testing.T) {
 
 	test.AssertNotifyLeaksNoSecret(ctx, t, notifier, secret, token)
 }
+
+func TestGetApiSecretFromSecret(t *testing.T) {
+	n := &Notifier{conf: &config.WechatConfig{APISecret: config.Secret("shhh")}}
+	s, err := n.getApiSecret()
+	require.NoError(t, err)
+	require.Equal(t, "shhh", s)
+}
+
+func TestGetApiSecretFromFile(t *testing.T) {
+	tmpFile, err := os.CreateTemp(t.TempDir(), "wechat-secret-*")
+	require.NoError(t, err)
+	secretContent := "file-secret\n"
+	_, err = tmpFile.WriteString(secretContent)
+	require.NoError(t, err)
+	require.NoError(t, tmpFile.Close())
+
+	n := &Notifier{conf: &config.WechatConfig{APISecretFile: tmpFile.Name()}}
+	s, err := n.getApiSecret()
+	require.NoError(t, err)
+	require.Equal(t, "file-secret", s)
+}
+
+func TestGetApiSecretFromMissingFile(t *testing.T) {
+	n := &Notifier{conf: &config.WechatConfig{APISecretFile: "/non/existent/wechat-secret.txt"}}
+	s, err := n.getApiSecret()
+	var pathErr *os.PathError
+	require.ErrorAs(t, err, &pathErr)
+	require.Equal(t, "/non/existent/wechat-secret.txt", pathErr.Path)
+	require.ErrorIs(t, err, os.ErrNotExist)
+	require.Empty(t, s)
+}