feat(config): add access_key_env and secret_key_env

Author: nickamzol

CHANGELOG.md

@@ -5,7 +5,13 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
-## [0.2.0] - 2024-06-26
+## [Unreleased]
+
+### Added
+
+- Add `secret-key-env` and `access-key-env` options to load secrets from environment variables.
+
+## [0.2.0] - 2024-06-27
 
 ### Added
 
@@ -16,6 +22,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - New `graceful-shutdown` config to enable or disable graceful shutdown for the HTTP server.
 
 ### Changed
+
 - Disabled endpoints will return 503 (Service Unavailable) instead of 404 (Not Found).
 
 ## [0.1.1] - 2024-05-22
@@ -41,3 +48,5 @@ It includes basic support for QIDO-RS, WADO-RS and STOW-RS for the DIMSE backend
     - Implement QIDO-RS using the C-FIND protocol
     - Implement WADO-RS using the C-MOVE protocol
     - Implement STOW-RS using the C-STORE protocol
+
+[0.2.0]: https://github.com/UMEssen/DICOM-RST/releases/tag/v0.2.0

src/backend/mod.rs

@@ -49,12 +49,12 @@ where
 		let ae_config = state
 			.config
 			.aets
-			.iter()
+			.into_iter()
 			.find(|aet_config| aet_config.aet == aet)
 			.ok_or_else(|| (StatusCode::NOT_FOUND, format!("Unknown AET {aet}")))?;
 
 		// TODO: Use a singleton to avoid re-creating on every request.
-		let provider = match &ae_config.backend {
+		let provider = match ae_config.backend {
 			#[cfg(feature = "dimse")]
 			BackendConfig::Dimse { .. } => {
 				let pool = state.pools.get(&ae_config.aet).expect("pool should exist");
@@ -86,7 +86,7 @@ where
 			},
 			BackendConfig::S3(config) => Self {
 				qido: None,
-				wado: Some(Box::new(S3WadoService::new(config))),
+				wado: Some(Box::new(S3WadoService::new(&config))),
 				stow: None,
 			},
 		};

src/backend/s3/wado.rs

@@ -1,23 +1,20 @@
 use crate::api::wado::{InstanceResponse, RetrieveError, RetrieveInstanceRequest, WadoService};
 use crate::backend::dimse::cmove::movescu::MoveError;
 use crate::backend::dimse::wado::DicomMultipartStream;
-use crate::config::{S3Config, S3Credentials, S3EndpointStyle};
+use crate::config::{S3Config, S3EndpointStyle};
 use async_trait::async_trait;
 use aws_config::retry::RetryConfig;
 use aws_config::stalled_stream_protection::StalledStreamProtectionConfig;
 use aws_config::timeout::TimeoutConfig;
-use aws_config::{AppName, Region, SdkConfig};
-use aws_credential_types::provider::future::ProvideCredentials as ProvideCredentialsAsync;
-use aws_sdk_s3::config::{
-	BehaviorVersion, Credentials, ProvideCredentials, SharedCredentialsProvider,
-};
+use aws_config::{AppName, Region};
+use aws_sdk_s3::config::BehaviorVersion;
 use bytes::Buf;
 use dicom::object::FileDicomObject;
 use futures::StreamExt;
 use std::sync::Arc;
 use std::time::Duration;
-use tracing::info;
 use tracing::log::trace;
+use tracing::{info, warn};
 
 use super::S3ClientExt;
 
@@ -27,36 +24,14 @@ pub struct S3WadoService {
 	bucket: String,
 }
 
-impl S3Credentials {
-	#[allow(clippy::unused_async)]
-	async fn load(&self) -> aws_credential_types::provider::Result {
-		Ok(Credentials::new(
-			&self.access_key,
-			&self.secret_key,
-			None,
-			None,
-			"StaticCredentials",
-		))
-	}
-}
-
-impl ProvideCredentials for S3Credentials {
-	fn provide_credentials<'a>(&'a self) -> ProvideCredentialsAsync<'a>
-	where
-		Self: 'a,
-	{
-		ProvideCredentialsAsync::new(self.load())
-	}
-}
-
 impl S3WadoService {
 	pub fn new(config: &S3Config) -> Self {
 		info!("Using S3 endpoint {}", &config.endpoint);
 		let mut builder = aws_sdk_s3::config::Builder::new()
 			.endpoint_url(&config.endpoint)
 			.region(config.region.clone().map(Region::new))
 			.behavior_version(BehaviorVersion::latest())
-			.force_path_style(matches!(config.endpoint_style,  S3EndpointStyle::Path))
+			.force_path_style(matches!(config.endpoint_style, S3EndpointStyle::Path))
 			.retry_config(RetryConfig::adaptive())
 			// Causes issues with long-running requests and high concurrency.
 			// It's okay to stall for some time.
@@ -72,12 +47,11 @@ impl S3WadoService {
 			.app_name(AppName::new("DICOM-RST").expect("valid app name"));
 
 		if let Some(credentials) = &config.credentials {
-			let credentials_provider = S3Credentials {
-				access_key: String::from(&credentials.access_key),
-				secret_key: String::from(&credentials.secret_key),
-			};
-			builder =
-				builder.credentials_provider(SharedCredentialsProvider::new(credentials_provider));
+			if let Ok(resolved_secrets) = credentials.resolve() {
+				builder = builder.credentials_provider(resolved_secrets);
+			} else {
+				warn!("Failed to resolve credentials. Check your environment variables.");
+			}
 		}
 
 		let sdk_config = builder.build();

src/config/mod.rs

@@ -1,5 +1,6 @@
 use crate::types::AE;
 use crate::DEFAULT_AET;
+use aws_credential_types::Credentials as AwsCredentials;
 use serde::de::Error;
 use serde::{Deserialize, Deserializer};
 use std::net::IpAddr;
@@ -57,7 +58,7 @@ pub struct S3Config {
 	pub region: Option<String>,
 	pub concurrency: usize,
 	#[serde(default)]
-	pub credentials: Option<S3Credentials>,
+	pub credentials: Option<S3CredentialsConfig>,
 	#[serde(default)]
 	pub endpoint_style: S3EndpointStyle,
 }
@@ -76,10 +77,49 @@ impl Default for S3EndpointStyle {
 }
 
 #[derive(Debug, Clone, Deserialize)]
-#[serde(rename_all = "kebab-case")]
-pub struct S3Credentials {
-	pub secret_key: String,
-	pub access_key: String,
+#[serde(untagged)]
+pub enum S3CredentialsConfig {
+	#[serde(rename_all = "kebab-case")]
+	Env {
+		access_key_env: String,
+		secret_key_env: String,
+	},
+	#[serde(rename_all = "kebab-case")]
+	Plain {
+		access_key: String,
+		secret_key: String,
+	},
+}
+
+impl S3CredentialsConfig {
+	pub fn resolve(&self) -> Result<AwsCredentials, std::env::VarError> {
+		match &self {
+			Self::Plain {
+				access_key,
+				secret_key,
+			} => Ok(AwsCredentials::new(
+				access_key,
+				secret_key,
+				None,
+				None,
+				"AppConfigProvider",
+			)),
+			Self::Env {
+				access_key_env,
+				secret_key_env,
+			} => {
+				let access_key = std::env::var(access_key_env)?;
+				let secret_key = std::env::var(secret_key_env)?;
+				Ok(AwsCredentials::new(
+					access_key,
+					secret_key,
+					None,
+					None,
+					"EnvVarProvider",
+				))
+			}
+		}
+	}
 }
 
 #[derive(Debug, Clone, Deserialize)]