Removed ENV loading and added complete responsibility of user configs to yaml file (even name of env variables in case of secrets)

Author: PythonHacker24

cmd/laclm/main.go

@@ -70,14 +70,8 @@ func exec() error {
 		os.Exit(1)
 	}
 
-	/*
-		load environment variables
-		if there is an error or environment variables are not set, then it will exit with code 1
-	*/
-	config.LoadEnv()
-
 	fmt.Println("loaded config")
-	
+
 	/* 
 		true for production, false for development mode 
 		logger is only for http server and core components (after this step)

config.yaml

@@ -4,7 +4,7 @@
 app:
   name: laclm-dev
   version: v1.1
-  debug_mode: true 
+  debug_mode: false 
 
 # backend server deployment configs
 server:
@@ -15,7 +15,7 @@ server:
 database:
   transaction_logs_redis: 
     address: localhost
-    password: testingpassword
+    password: ${LACLM_TRANS_REDIS_PASSWORD} 
     db: 1
 
 # logging configurations
@@ -37,6 +37,11 @@ filesystem_servers:
 # authentication information
 authentication:
   ldap:
+    tls: true 
+    address: "ldaps://ldap.example.com"
+    admin_dn: ${LACLM_LDAP_ADMIN_DN}
+    admin_password: ${LACLM_LDAP_ADMIN_PASSWORD} 
 
 backend_security:
+  jwt_secret_key: ${JWT_SECRET_KEY}
   jwt_expiry: 1

config/authentication.go

@@ -0,0 +1,55 @@
+package config
+
+import (
+	"errors"
+
+	"github.com/MakeNowJust/heredoc"
+)
+
+/* authentication parameters */
+type Authentication struct {
+	LDAPConfig		LDAPConfig 	`yaml:"ldap"`
+}
+
+/* ldap authentication parameters */
+type LDAPConfig struct {
+	TLS             bool		`yaml:"tls"`
+	Address			string 		`yaml:"address"`
+	AdminDN 		string		`yaml:"admin_dn"`
+	AdminPassword	string		`yaml:"admin_password"`
+}
+
+/* normalization function */
+func (a *Authentication) Normalize() error {
+	return a.LDAPConfig.Normalize()
+}
+
+func (l *LDAPConfig) Normalize() error {
+	/* TLS will be false by default */
+
+	if l.Address == "" {
+		return errors.New(heredoc.Doc(`
+			LDAP address is not specified in the configuration file. 
+
+			Please check the docs for more information: 
+		`))
+	}
+
+	if l.AdminDN == "" {
+		return errors.New(heredoc.Doc(`
+			LDAP admin DN is not specified in the configuration file. 
+
+			Please check the docs for more information: 
+		`))
+	}
+
+	if l.AdminPassword == "" {
+		return errors.New(heredoc.Doc(`
+			LDAP admin password is not specified in the configuration file. 
+
+			Please check the docs for more information: 
+		`))
+	}
+	
+	return nil
+}

config/backend_security.go

@@ -1,12 +1,27 @@
 package config
 
+import (
+	"errors"
+
+	"github.com/MakeNowJust/heredoc"
+)
+
 /* backend security configs */
 type BackendSecurity struct {
-	JWTExpiry int `yaml:"jwt_expiry"`
+	JWTTokenSecret 	string 	`yaml:"jwt_secret_token"`
+	JWTExpiry 		int 	`yaml:"jwt_expiry"`
 }
 
 /* normalization function */
 func (b *BackendSecurity) Normalize() error {
+	if b.JWTTokenSecret == "" {
+		return errors.New(heredoc.Doc(`
+			Transaction Log Redis Address is not specified in the configuration file. 
+
+			Please check the docs for more information: 
+		`)) 
+	}
+
 	if b.JWTExpiry == 0 {
 		b.JWTExpiry = 1
 	}

config/config.go

@@ -5,9 +5,6 @@ import "fmt"
 /* globally accessible yaml config */
 var BackendConfig Config
 
-/* globally accessible environment variables */
-var EnvConfig EnvironmentConfig
-
 /* complete yaml config for global usage */
 type Config struct {
 	AppInfo           App                 `yaml:"app"`
@@ -16,11 +13,7 @@ type Config struct {
 	Logging           Logging             `yaml:"logging"`
 	FileSystemServers []FileSystemServers `yaml:"filesystem_servers"`
 	BackendSecurity   BackendSecurity     `yaml:"backend_security"`
-}
-
-/* complete environment variables configs for global usage */
-type EnvironmentConfig struct {
-	JWTSecret string
+	Authentication	  Authentication	  `yaml:"authentication"`
 }
 
 /* complete config normalizer function */
@@ -51,5 +44,9 @@ func (c *Config) Normalize() error {
 		return fmt.Errorf("backend security configuration error: %w", err) 
 	}
 
+	if err := c.Authentication.Normalize(); err != nil {
+		return fmt.Errorf("authentication configuration error: %w", err)
+	}
+
 	return nil
 }

config/loader.go

@@ -4,7 +4,6 @@ import (
 	"fmt"
 	"os"
 
-	"go.uber.org/zap"
 	"gopkg.in/yaml.v3"
 	"github.com/davecgh/go-spew/spew"
 )
@@ -27,14 +26,18 @@ func LoadConfig(path string) error {
 
     }
 
+	/* expand all environment variables in the yaml config */
+	expanded := os.ExpandEnv(string(data))
+
 	/* unmarshal the yaml file to defined struct */
-    err = yaml.Unmarshal(data, &BackendConfig)
+    err = yaml.Unmarshal([]byte(expanded), &BackendConfig)
     if err != nil {
 		return fmt.Errorf("config loading error %w", 
 			err,
 		)
     }
 
+	/* write the config file in console if in debug mode */
 	if BackendConfig.AppInfo.DebugMode {
 		fmt.Println("Contents of Config File (debug mode ON)")
 		spew.Dump(BackendConfig)
@@ -44,15 +47,3 @@ func LoadConfig(path string) error {
 	/* normalize the complete backend config before proceeding */
 	return BackendConfig.Normalize()
 }
-
-/* loads environment variables */
-func LoadEnv() {
-
-	/* get the JWT_SECRET_KEY from environment variable */
-	secret := os.Getenv("JWT_SECRET_KEY")
-    if secret == "" {
-        zap.L().Fatal("JWT_SECRET_KEY environment variable not set")
-    }
-	
-	EnvConfig.JWTSecret = secret
-}

internal/authentication/authentication.go

@@ -24,7 +24,7 @@ func GenerateJWT(username string) (string, error) {
 		"exp":      time.Now().Add(time.Hour * time.Duration(expiryHours)).Unix(),
 	})
 
-	return token.SignedString([]byte(config.EnvConfig.JWTSecret))
+	return token.SignedString([]byte(config.BackendConfig.BackendSecurity.JWTTokenSecret))
 }
 
 /* validate JWT token and return claims */
@@ -33,7 +33,7 @@ func ValidateJWT(tokenString string) (jwt.MapClaims, error) {
 		if _, ok := token.Method.(*jwt.SigningMethodHMAC); !ok {
 			return nil, fmt.Errorf("unexpected signing method")
 		}
-		return config.EnvConfig.JWTSecret, nil
+		return config.BackendConfig.BackendSecurity.JWTTokenSecret, nil
 	})
 
 	if err != nil {

internal/ldap/ldap.go

@@ -1,10 +1,13 @@
 package ldap
 
 import (
+	"os"
+	"crypto/tls"
 	"fmt"
-	"go.uber.org/zap"
 
+	"github.com/PythonHacker24/linux-acl-management-backend/config"
 	"github.com/go-ldap/ldap/v3"
+	"go.uber.org/zap"
 )
 
 /* authenticate a user with ldap */
@@ -18,8 +21,22 @@ func AuthenticateUser(username, password, searchbase string) bool {
 		reducing unauthorized access in edge cases
 	*/
 
+	var l *ldap.Conn
+	var err error
+	ldapAddress := config.BackendConfig.Authentication.LDAPConfig.Address
+
+	if config.BackendConfig.Authentication.LDAPConfig.TLS {
+		l, err = ldap.DialURL(ldapAddress, ldap.DialWithTLSConfig(&tls.Config{
+
+			/* true if using self-signed certs (not recommended) */
+			InsecureSkipVerify: false,
+		}))
+	} else {
+		l, err = ldap.DialURL(ldapAddress)
+	}
+
 	/* dial to the ldap server */
-	l, err := ldap.DialURL("")
+	l, err = ldap.DialURL("")
 	if err != nil {
 		zap.L().Error("Failed to connect to LDAP Server",
 			zap.Error(err),
@@ -28,8 +45,12 @@ func AuthenticateUser(username, password, searchbase string) bool {
 	}
 	defer l.Close()
 
+	/* securely fetch LDAP credentials from the environment */
+	adminDN := os.Getenv("LDAP_ADMIN_DN")
+	adminPassword := os.Getenv("LDAP_ADMIN_PASSWORD")
+
 	/* authenticating with the ldap server with admin */
-	err = l.Bind("", "")
+	err = l.Bind(adminDN, adminPassword)
 	if err != nil {
 		zap.L().Error("Admin authentication failed",
 			zap.Error(err),