Add env var override to all configuration settings

This allows users to configure VSS-Server entirely through environment
variables, without a configuration file. We hence remove the requirement
that a path to a configuration file always be passed as an
argument.

If a file is passed as an argument, and it does not exist,
we now abort startup.

Also consolidate host and port settings into single socket address
setting.

Author: tankyleo

rust/server/src/main.rs

@@ -9,7 +9,6 @@
 #![deny(rustdoc::private_intra_doc_links)]
 #![deny(missing_docs)]
 
-use std::net::SocketAddr;
 use std::sync::Arc;
 
 use tokio::net::TcpListener;
@@ -25,34 +24,19 @@ use auth_impls::jwt::JWTAuthorizer;
 #[cfg(feature = "sigs")]
 use auth_impls::signature::SignatureValidatingAuthorizer;
 use impls::postgres_store::{PostgresPlaintextBackend, PostgresTlsBackend};
-use util::config::{Config, ServerConfig};
 use vss_service::VssService;
 
 mod util;
 mod vss_service;
 
 fn main() {
 	let args: Vec<String> = std::env::args().collect();
-	if args.len() != 2 {
-		eprintln!("Usage: {} <config-file-path>", args[0]);
-		std::process::exit(1);
-	}
 
-	let Config { server_config: ServerConfig { host, port }, jwt_auth_config, postgresql_config } =
-		match util::config::load_config(&args[1]) {
-			Ok(cfg) => cfg,
-			Err(e) => {
-				eprintln!("Failed to load configuration: {}", e);
-				std::process::exit(1);
-			},
-		};
-	let addr: SocketAddr = match format!("{}:{}", host, port).parse() {
-		Ok(addr) => addr,
-		Err(e) => {
-			eprintln!("Invalid host/port configuration: {}", e);
-			std::process::exit(1);
-		},
-	};
+	let config =
+		util::config::load_configuration(args.get(1).map(|s| s.as_str())).unwrap_or_else(|e| {
+			eprintln!("Failed to load configuration: {}", e);
+			std::process::exit(-1);
+		});
 
 	let runtime = match tokio::runtime::Builder::new_multi_thread().enable_all().build() {
 		Ok(runtime) => Arc::new(runtime),
@@ -74,17 +58,8 @@ fn main() {
 		let mut authorizer: Option<Arc<dyn Authorizer>> = None;
 		#[cfg(feature = "jwt")]
 		{
-			let rsa_pem_env = match std::env::var("VSS_JWT_RSA_PEM") {
-				Ok(env) => Some(env),
-				Err(std::env::VarError::NotPresent) => None,
-				Err(e) => {
-					println!("Failed to load the VSS_JWT_RSA_PEM env var: {}", e);
-					std::process::exit(-1);
-				},
-			};
-			let rsa_pem = rsa_pem_env.or(jwt_auth_config.and_then(|config| config.rsa_pem));
-			if let Some(pem) = rsa_pem {
-				authorizer = match JWTAuthorizer::new(pem.as_str()).await {
+			if let Some(rsa_pem) = config.rsa_pem {
+				authorizer = match JWTAuthorizer::new(&rsa_pem).await {
 					Ok(auth) => {
 						println!("Configured JWT authorizer with RSA public key");
 						Some(Arc::new(auth))
@@ -110,43 +85,47 @@ fn main() {
 			Arc::new(NoopAuthorizer {})
 		};
 
-		let postgresql_config =
-			postgresql_config.expect("PostgreSQLConfig must be defined in config file.");
-		let endpoint = postgresql_config.to_postgresql_endpoint();
-		let default_db = postgresql_config.default_database;
-		let vss_db = postgresql_config.vss_database;
-		let store: Arc<dyn KvStore> = if let Some(tls_config) = postgresql_config.tls {
-			let postgres_tls_backend = match PostgresTlsBackend::new(
-				&endpoint,
-				&default_db,
-				&vss_db,
-				tls_config.crt_pem.as_deref(),
+		let store: Arc<dyn KvStore> = if let Some(crt_pem) = config.tls_config {
+			let postgres_tls_backend = PostgresTlsBackend::new(
+				&config.postgresql_prefix,
+				&config.default_db,
+				&config.vss_db,
+				crt_pem.as_deref(),
 			)
 			.await
-			{
-				Ok(backend) => backend,
-				Err(e) => {
-					println!("Failed to start postgres tls backend: {}", e);
-					std::process::exit(-1);
-				},
-			};
+			.unwrap_or_else(|e| {
+				println!("Failed to start postgres TLS backend: {}", e);
+				std::process::exit(-1);
+			});
+			println!(
+				"Connected to PostgreSQL TLS backend with DSN: {}/{}",
+				config.postgresql_prefix, config.vss_db
+			);
 			Arc::new(postgres_tls_backend)
 		} else {
-			let postgres_plaintext_backend =
-				match PostgresPlaintextBackend::new(&endpoint, &default_db, &vss_db).await {
-					Ok(backend) => backend,
-					Err(e) => {
-						println!("Failed to start postgres plaintext backend: {}", e);
-						std::process::exit(-1);
-					},
-				};
+			let postgres_plaintext_backend = PostgresPlaintextBackend::new(
+				&config.postgresql_prefix,
+				&config.default_db,
+				&config.vss_db,
+			)
+			.await
+			.unwrap_or_else(|e| {
+				println!("Failed to start postgres plaintext backend: {}", e);
+				std::process::exit(-1);
+			});
+			println!(
+				"Connected to PostgreSQL plaintext backend with DSN: {}/{}",
+				config.postgresql_prefix, config.vss_db
+			);
 			Arc::new(postgres_plaintext_backend)
 		};
-		println!("Connected to PostgreSQL backend with DSN: {}/{}", endpoint, vss_db);
 
-		let rest_svc_listener =
-			TcpListener::bind(&addr).await.expect("Failed to bind listening port");
-		println!("Listening for incoming connections on {}", addr);
+		let rest_svc_listener = TcpListener::bind(&config.bind_address).await.unwrap_or_else(|e| {
+			println!("Failed to bind listening port: {}", e);
+			std::process::exit(-1);
+		});
+		println!("Listening for incoming connections on {}", config.bind_address);
+
 		loop {
 			tokio::select! {
 				res = rest_svc_listener.accept() => {

rust/server/src/util/config.rs

@@ -1,58 +1,159 @@
 use serde::Deserialize;
+use std::net::SocketAddr;
 
-#[derive(Deserialize)]
-pub(crate) struct Config {
-	pub(crate) server_config: ServerConfig,
-	pub(crate) jwt_auth_config: Option<JwtAuthConfig>,
-	pub(crate) postgresql_config: Option<PostgreSQLConfig>,
+const BIND_ADDR_VAR: &str = "VSS_BIND_ADDRESS";
+const JWT_RSA_PEM_VAR: &str = "VSS_JWT_RSA_PEM";
+const PSQL_USER_VAR: &str = "VSS_PSQL_USERNAME";
+const PSQL_PASS_VAR: &str = "VSS_PSQL_PASSWORD";
+const PSQL_ADDR_VAR: &str = "VSS_PSQL_ADDRESS";
+const PSQL_DB_VAR: &str = "VSS_PSQL_DEFAULT_DB";
+const PSQL_VSS_DB_VAR: &str = "VSS_PSQL_VSS_DB";
+const PSQL_TLS_VAR: &str = "VSS_PSQL_TLS";
+const PSQL_CERT_PEM_VAR: &str = "VSS_PSQL_CRT_PEM";
+
+// The structure of the toml config file. Any settings specified therein can be overriden by the corresponding
+// environment variable.
+#[derive(Deserialize, Default)]
+struct TomlConfig {
+	server_config: Option<ServerConfig>,
+	jwt_auth_config: Option<JwtAuthConfig>,
+	postgresql_config: Option<PostgreSQLConfig>,
 }
 
 #[derive(Deserialize)]
-pub(crate) struct ServerConfig {
-	pub(crate) host: String,
-	pub(crate) port: u16,
+struct ServerConfig {
+	bind_address: Option<SocketAddr>,
 }
 
 #[derive(Deserialize)]
-pub(crate) struct JwtAuthConfig {
-	pub(crate) rsa_pem: Option<String>,
+struct JwtAuthConfig {
+	rsa_pem: Option<String>,
 }
 
 #[derive(Deserialize)]
-pub(crate) struct PostgreSQLConfig {
-	pub(crate) username: Option<String>, // Optional in TOML, can be overridden by env
-	pub(crate) password: Option<String>, // Optional in TOML, can be overridden by env
-	pub(crate) host: String,
-	pub(crate) port: u16,
-	pub(crate) default_database: String,
-	pub(crate) vss_database: String,
-	pub(crate) tls: Option<TlsConfig>,
+struct PostgreSQLConfig {
+	username: Option<String>,
+	password: Option<String>,
+	address: Option<SocketAddr>,
+	default_database: Option<String>,
+	vss_database: Option<String>,
+	tls: Option<TlsConfig>,
 }
 
 #[derive(Deserialize)]
-pub(crate) struct TlsConfig {
-	pub(crate) crt_pem: Option<String>,
-}
-
-impl PostgreSQLConfig {
-	pub(crate) fn to_postgresql_endpoint(&self) -> String {
-		let username_env = std::env::var("VSS_POSTGRESQL_USERNAME");
-		let username = username_env.as_ref()
-			.ok()
-			.or_else(|| self.username.as_ref())
-			.expect("PostgreSQL database username must be provided in config or env var VSS_POSTGRESQL_USERNAME must be set.");
-		let password_env = std::env::var("VSS_POSTGRESQL_PASSWORD");
-		let password = password_env.as_ref()
-			.ok()
-			.or_else(|| self.password.as_ref())
-			.expect("PostgreSQL database password must be provided in config or env var VSS_POSTGRESQL_PASSWORD must be set.");
-
-		format!("postgresql://{}:{}@{}:{}", username, password, self.host, self.port)
+struct TlsConfig {
+	crt_pem: Option<String>,
+}
+
+// Encapsulates the result of reading both the environment variables and the config file.
+pub(crate) struct Configuration {
+	pub(crate) bind_address: SocketAddr,
+	pub(crate) rsa_pem: Option<String>,
+	pub(crate) postgresql_prefix: String,
+	pub(crate) default_db: String,
+	pub(crate) vss_db: String,
+	pub(crate) tls_config: Option<Option<String>>,
+}
+
+#[inline]
+fn read_env(env_var: &str) -> Result<Option<String>, String> {
+	match std::env::var(env_var) {
+		Ok(env) => Ok(Some(env)),
+		Err(std::env::VarError::NotPresent) => Ok(None),
+		Err(e) => Err(format!("Failed to load the {} environment variable: {}", env_var, e)),
 	}
 }
 
-pub(crate) fn load_config(config_path: &str) -> Result<Config, Box<dyn std::error::Error>> {
-	let config_str = std::fs::read_to_string(config_path)?;
-	let config: Config = toml::from_str(&config_str)?;
-	Ok(config)
+#[inline]
+fn read_config<'a, T: std::fmt::Display>(
+	env: Option<T>, config: Option<T>, item: &str, var_name: &str,
+) -> Result<T, String> {
+	env.or(config).ok_or(format!(
+		"{} must be provided in the configuration file or the environment variable {} must be set.",
+		item, var_name
+	))
+}
+
+pub(crate) fn load_configuration(config_file_path: Option<&str>) -> Result<Configuration, String> {
+	let TomlConfig { server_config, jwt_auth_config, postgresql_config } = match config_file_path {
+		Some(path) => {
+			let config_file = std::fs::read_to_string(path)
+				.map_err(|e| format!("Failed to read configuration file: {}", e))?;
+			toml::from_str(&config_file)
+				.map_err(|e| format!("Failed to parse configuration file: {}", e))?
+		},
+		None => TomlConfig::default(), // All fields are set to `None`
+	};
+
+	let bind_address_env = read_env(BIND_ADDR_VAR)?
+		.map(|addr| {
+			addr.parse().map_err(|e| {
+				format!("Unable to parse the bind address environment variable: {}", e)
+			})
+		})
+		.transpose()?;
+	let bind_address = read_config(
+		bind_address_env,
+		server_config.and_then(|c| c.bind_address),
+		"VSS server bind address",
+		BIND_ADDR_VAR,
+	)?;
+
+	let rsa_pem_env = read_env(JWT_RSA_PEM_VAR)?;
+	let rsa_pem = rsa_pem_env.or(jwt_auth_config.and_then(|config| config.rsa_pem));
+
+	let username_env = read_env(PSQL_USER_VAR)?;
+	let password_env = read_env(PSQL_PASS_VAR)?;
+	let address_env: Option<SocketAddr> = read_env(PSQL_ADDR_VAR)?
+		.map(|address| {
+			address.parse().map_err(|e| {
+				format!("Unable to parse the postgresql address environment variable: {}", e)
+			})
+		})
+		.transpose()?;
+	let default_db_env = read_env(PSQL_DB_VAR)?;
+	let vss_db_env = read_env(PSQL_VSS_DB_VAR)?;
+	let tls_config_env = read_env(PSQL_TLS_VAR)?;
+	let crt_pem_env = read_env(PSQL_CERT_PEM_VAR)?;
+
+	let (
+		username_config,
+		password_config,
+		address_config,
+		default_db_config,
+		vss_db_config,
+		tls_config,
+	) = match postgresql_config {
+		Some(c) => (
+			c.username,
+			c.password,
+			c.address,
+			c.default_database,
+			c.vss_database,
+			c.tls.map(|tls| tls.crt_pem),
+		),
+		None => (None, None, None, None, None, None),
+	};
+
+	let username =
+		read_config(username_env, username_config, "PostgreSQL database username", PSQL_USER_VAR)?;
+	let password =
+		read_config(password_env, password_config, "PostgreSQL database password", PSQL_PASS_VAR)?;
+	let address =
+		read_config(address_env, address_config, "PostgreSQL service address", PSQL_ADDR_VAR)?;
+	let default_db = read_config(
+		default_db_env,
+		default_db_config,
+		"PostgreSQL default database name",
+		PSQL_DB_VAR,
+	)?;
+	let vss_db =
+		read_config(vss_db_env, vss_db_config, "PostgreSQL vss database name", PSQL_VSS_DB_VAR)?;
+
+	let tls_config =
+		crt_pem_env.map(|pem| Some(pem)).or(tls_config_env.map(|_| None)).or(tls_config);
+
+	let postgresql_prefix = format!("postgresql://{}:{}@{}", username, password, address);
+
+	Ok(Configuration { bind_address, rsa_pem, postgresql_prefix, default_db, vss_db, tls_config })
 }

rust/server/vss-server-config.toml

@@ -1,6 +1,5 @@
 [server_config]
-host = "127.0.0.1"
-port = 8080
+bind_address = "127.0.0.1:8080" # Optional in TOML, can be overridden by env var `VSS_BIND_ADDRESS`
 
 # Uncomment the table below to verify JWT tokens in the HTTP Authorization header against the given RSA public key,
 # can be overridden by env var `VSS_JWT_RSA_PEM`
@@ -11,17 +10,16 @@ port = 8080
 # """
 
 [postgresql_config]
-username = "postgres"  # Optional in TOML, can be overridden by env var `VSS_POSTGRESQL_USERNAME`
-password = "postgres"  # Optional in TOML, can be overridden by env var `VSS_POSTGRESQL_PASSWORD`
-host = "localhost"
-port = 5432
+username = "postgres"          # Optional in TOML, can be overridden by env var `VSS_PSQL_USERNAME`
+password = "postgres"          # Optional in TOML, can be overridden by env var `VSS_PSQL_PASSWORD`
+address = "127.0.0.1:5432"     # Optional in TOML, can be overridden by env var `VSS_PSQL_ADDRESS`
 # We first connect to `default_database` to create `vss_database` if it does not exist
-default_database = "postgres"
-vss_database = "vss"
+default_database = "postgres"  # Optional in TOML, can be overridden by env var `VSS_PSQL_DEFAULT_DB`
+vss_database = "vss"           # Optional in TOML, can be overridden by env var `VSS_PSQL_VSS_DB`
 
-# [postgresql_config.tls]  # Uncomment to make TLS connections to the postgres database
+# [postgresql_config.tls]  # Uncomment, or set env var `VSS_PSQL_TLS` to make TLS connections to the postgres database
 #
-# Uncomment the lines below to add a root certificate to your trusted root certificates
+# Uncomment the lines below, or set `VSS_PSQL_CRT_PEM`, to add a root certificate to your trusted root certificates
 #
 # crt_pem = """
 # -----BEGIN CERTIFICATE-----