Secrets from environment variables #53

Open
nradonicich wants to merge 2 commits into devon-mar:master from nradonicich:secrets_from_env

@nradonicich

Added a lookup through the use of os.ExpandEnv() to pull secrets from environment variables

  • Moved password collection to Module unmarshal
  • Expand environment variables from Secret and/or Password using os.ExpandEnv()
  • Write to module configuration
  • Add testing scenarios for valid, invalid/unset password, invalid/unset secret
  • Add test in loop to verify against freeradius that a set password works

@devon-mar
Owner

Thanks for the PR!

For your use case, would reading the password/secret from a file work? I've been meaning to add this feature so that secrets can be easily reloaded (and stored in a better way).

@nradonicich
Author

Unfortunately, reading from a file wouldn't be useful in my case, as our security team actively scans and alerts for passwords/secrets stored in plaintext. By passing an ENV, although I can't gracefully reload new secrets, I can at least have them stored somewhat better than in a file.

@devon-mar
Owner

I think it would be better to use an environment variable of the format RADIUS_EXPORTER_<module name>_password (or something similar) rather than using os.ExpandEnv for compatibility purposes. So if the user didn't specify a value in the config file, we would try using the value in the environment variable.

@nradonicich
Author

This sounds like a better idea, although sadly outside of my Go programming capabilities.

@devon-mar
Owner

Shouldn't be that hard - I think we can add something in LoadFromFile that, if the password/secret is empty for the module, attempts to read the value(s) from the environment variable. We would probably have to move around the validation a bit.

If you don't want to or can't, I can implement this.

@devon-mar
Owner

Sorry for the delay, I've implemented secrets from environment variables in the latest release - 0.5.0.
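
The fallback discussed in this thread, sketched as an added example; it is not code from this PR and not the code shipped in 0.5.0. `Module`, `envName`, `resolve` and `FillSecrets` are hypothetical names, and the variable name follows the `RADIUS_EXPORTER_<module name>_password` format suggested above with the casing assumed. It also shows one compatibility effect of `os.ExpandEnv`: a literal secret that contains `$` is rewritten, because an unset reference expands to an empty string.

```go
package main

import (
	"fmt"
	"os"
)

// Module is a hypothetical stand-in for one module's settings in the config file.
type Module struct {
	Password string
	Secret   string
}

// envName builds RADIUS_EXPORTER_<module name>_<field>, the format floated in
// the thread; the exact casing is an assumption.
func envName(module, field string) string {
	return "RADIUS_EXPORTER_" + module + "_" + field
}

// resolve keeps a value from the config file byte-for-byte and consults the
// environment only when the config value is empty.
func resolve(cfgValue, module, field string) (string, error) {
	if cfgValue != "" {
		return cfgValue, nil
	}
	name := envName(module, field)
	if v, ok := os.LookupEnv(name); ok && v != "" {
		return v, nil
	}
	return "", fmt.Errorf("module %q: %s is empty in the config and %s is unset", module, field, name)
}

// FillSecrets resolves both credentials so validation can run on the result.
func FillSecrets(name string, m *Module) error {
	var err error
	if m.Password, err = resolve(m.Password, name, "password"); err != nil {
		return err
	}
	m.Secret, err = resolve(m.Secret, name, "secret")
	return err
}

func main() {
	os.Setenv("RADIUS_EXPORTER_corp_secret", "constructed-secret") // constructed sample
	m := Module{Password: "hunter$Zq9x"}                           // constructed literal containing '$'
	err := FillSecrets("corp", &m)
	fmt.Println(err, m.Password, m.Secret)
	// os.ExpandEnv reads "$Zq9x" as a variable reference and drops it when unset.
	fmt.Println(os.ExpandEnv("hunter$Zq9x"))
}
```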