Pull YAML configuration values from environment

Add logic so that a YAML tag of the form !ENV indicates
that a value of the form ${SOME_ENVIRONMENT_VARIABLE} should
be replaced with the value of the process environment variable
of the same name.

Author: skoranda

doc/README.md

@@ -29,9 +29,23 @@ apt-get install libffi-dev libssl-dev xmlsec1
 Alternatively the application can be installed directly from PyPI (`pip install satosa`), or the [Docker image](https://hub.docker.com/r/satosa/) can be used.
 
 # Configuration
+SATOSA is configured using YAML.
+
 All default configuration files, as well as an example WSGI application for the proxy, can be found
 in the [example directory](../example).
 
+A configuration value that includes the tag !ENV will have a value of the form `${SOME_ENVIRONMENT_VARIABLE}`
+replaced with the value from the process environment variable of the same name. For example if the file
+`ldap_attribute_store.yaml' includes
+
+```
+bind_password: !ENV ${LDAP_BIND_PASSWORD}
+```
+
+and the SATOSA process environment includes the environment variable `LDAP_BIND_PASSWORD` with
+value `my_password` then the configuration for `bind_password` will be `my_password`.
+
+
 ## <a name="proxy_conf" style="color:#000000">SATOSA proxy configuration</a>: `proxy_conf.yaml.example`
 | Parameter name | Data type | Example value | Description |
 | -------------- | --------- | ------------- | ----------- |

example/plugins/microservices/ldap_attribute_store.yaml.example

@@ -8,7 +8,8 @@ config:
   "":
       ldap_url: ldaps://ldap.example.org
       bind_dn: cn=admin,dc=example,dc=org
-      bind_password: xxxxxxxx
+      # Obtain bind password from environment variable LDAP_BIND_PASSWORD.
+      bind_password: !ENV ${LDAP_BIND_PASSWORD}
       search_base: ou=People,dc=example,dc=org
       read_only: true
       auto_bind: true

src/satosa/satosa_config.py

@@ -3,6 +3,7 @@
 """
 import logging
 import os
+import re
 
 import yaml
 
@@ -143,6 +144,33 @@ def _load_yaml(self, config_file):
         :param config_file: config to load. Can be file path or yaml string
         :return: Loaded config
         """
+        # Tag to indicate environment variable: !ENV
+        tag = '!ENV'
+
+        # Pattern for environment variable: ${word}
+        pattern = re.compile('.*?\${(\w+)}.*?')
+
+        yaml.SafeLoader.add_implicit_resolver(tag, pattern, None)
+
+        def constructor_env_variables(loader, node):
+            """
+            Extracts the environment variable from the node's value.
+            :param yaml.Loader loader: the yaml loader
+            :param node: the current node in the yaml
+            :return: value of the environment variable
+            """
+            value = loader.construct_scalar(node)
+            match = pattern.findall(value)
+            if match:
+                new_value = value
+                for m in match:
+                    new_value = new_value.replace('${' + m + '}',
+                                                  os.environ.get(m, m))
+                return new_value
+            return value
+
+        yaml.SafeLoader.add_constructor(tag, constructor_env_variables)
+
         try:
             with open(os.path.abspath(config_file)) as f:
                 return yaml.safe_load(f.read())

tests/satosa/test_satosa_config.py

@@ -1,4 +1,5 @@
 import json
+import os
 from unittest.mock import mock_open, patch
 
 import pytest
@@ -7,6 +8,7 @@
 from satosa.exception import SATOSAConfigurationError
 from satosa.satosa_config import SATOSAConfig
 
+TEST_RESOURCE_BASE_PATH = os.path.join(os.path.dirname(__file__), "../test_resources")
 
 class TestSATOSAConfig:
     @pytest.fixture
@@ -73,3 +75,10 @@ def test_can_read_endpoint_configs_from_file(self, satosa_config_dict, modules_k
 
         with pytest.raises(SATOSAConfigurationError):
             SATOSAConfig(satosa_config_dict)
+
+    def test_can_substitute_from_environment_variable(self, monkeypatch):
+        monkeypatch.setenv("SATOSA_COOKIE_STATE_NAME", "oatmeal_raisin")
+        config = SATOSAConfig(os.path.join(TEST_RESOURCE_BASE_PATH,
+                              "proxy_conf_environment_test.yaml"))
+
+        assert config["COOKIE_STATE_NAME"] == 'oatmeal_raisin'