feat(jans-cedarling): Load bootstrap properties from environment variables

docs/cedarling/cedarling-properties.md

@@ -129,6 +129,11 @@ use cedarling::BootstrapConfig;
 
 let config =
     BootstrapConfig::load_from_file("./path/to/your/config.json").unwrap();
+
+// OR from environment variables
+let config =
+    BootstrapConfig::from_raw_config_and_env(None).unwrap();
+
 ```
 
 ### Loading From JSON

jans-cedarling/bindings/cedarling_python/PYTHON_TYPES.md

@@ -34,6 +34,14 @@ Methods
     :returns: A BootstrapConfig instance
 
     :raises ValueError: If a provided value is invalid or decoding fails.
+
+.. method:: from_env(config=None) -> BootstrapConfig
+
+    Loads the bootstrap config from environment variables, optionally merging with provided config.
+
+    :param config: Optional dictionary with additional configuration to merge with environment variables.
+    :returns: A BootstrapConfig instance
+    :raises ValueError: If a provided value is invalid or decoding fails.
 ___
 
 Cedarling

jans-cedarling/bindings/cedarling_python/cedarling_python.pyi

@@ -112,6 +112,25 @@ class BootstrapConfig:
         """
         ...
 
+    @staticmethod
+    def from_env(options: Dict | None = None) -> BootstrapConfig:
+        """
+        Loads the configuration from environment variables.
+
+        Reads environment variables matching the configuration keys listed in the
+        class documentation. All required keys must be present in the environment.
+        You can specify dict, but keys from environment variables have bigger priority.
+
+        Returns:
+            BootstrapConfig: An instance of the configuration class.
+
+        Raises:
+            KeyError: If any required environment variable is missing.
+            ValueError: If a provided value is invalid or extraction fails.
+        """
+        ...
+
+
 @final
 class Cedarling:
 
@@ -139,6 +158,7 @@ class Request:
                  resource: ResourceData,
                  context: Dict[str, Any]) -> None: ...
 
+
 @final
 class Tokens:
     access_token: str | None

jans-cedarling/bindings/cedarling_python/example.py

@@ -7,8 +7,24 @@
 from cedarling_python import Cedarling
 from cedarling_python import ResourceData, Request
 import time
+import yaml
+import os
 
-bootstrap_config = BootstrapConfig.load_from_file("./example_files/sample_bootstrap_props.yaml")
+
+def load_yaml_to_env(yaml_path):
+    with open(yaml_path, 'r') as file:
+        config = yaml.safe_load(file)
+
+    for key, value in config.items():
+        if value is not None:  # Skip null values
+            os.environ[key] = str(value)
+
+
+bootstrap_config = BootstrapConfig.load_from_file(
+    "./example_files/sample_bootstrap_props.yaml")
+
+# Create config from environment variables
+# bootstrap_config = BootstrapConfig.from_env()
 
 # initialize cedarling instance
 # all values in the bootstrap_config is parsed and validated at this step.

jans-cedarling/bindings/cedarling_python/example_files/sample_bootstrap_props.yaml

@@ -38,7 +38,6 @@ CEDARLING_ID_TOKEN_TRUST_MODE: strict
 CEDARLING_LOCK: disabled
 CEDARLING_LOCK_MASTER_CONFIGURATION_URI: null
 CEDARLING_DYNAMIC_CONFIGURATION: disabled
-CEDARLING_LOCK_SSA_JWT: 0
 CEDARLING_AUDIT_HEALTH_INTERVAL: 0
 CEDARLING_AUDIT_TELEMETRY_INTERVAL: 0
 CEDARLING_LISTEN_SSE: disabled

jans-cedarling/bindings/cedarling_python/src/config/bootstrap_config.rs

@@ -39,6 +39,14 @@ use pyo3::types::PyDict;
 ///     :returns: A BootstrapConfig instance
 ///
 ///     :raises ValueError: If a provided value is invalid or decoding fails.
+///
+/// .. method:: from_env(config=None) -> BootstrapConfig
+///
+///     Loads the bootstrap config from environment variables, optionally merging with provided config.
+///
+///     :param config: Optional dictionary with additional configuration to merge with environment variables.
+///     :returns: A BootstrapConfig instance
+///     :raises ValueError: If a provided value is invalid or decoding fails.
 #[pyclass]
 pub struct BootstrapConfig {
     inner: cedarling::BootstrapConfig,
@@ -55,6 +63,23 @@ impl BootstrapConfig {
         Ok(Self { inner })
     }
 
+    #[staticmethod]
+    #[pyo3(signature = (config=None))]
+    fn from_env(config: Option<Bound<'_, PyDict>>) -> PyResult<Self> {
+        let inner = if let Some(c) = config {
+            let source: cedarling::BootstrapConfigRaw = serde_pyobject::from_pyobject(c)
+                .map_err(|e| PyValueError::new_err(e.to_string()))?;
+
+            cedarling::BootstrapConfig::from_raw_config_and_env(Some(source))
+                .map_err(|e| PyValueError::new_err(e.to_string()))?
+        } else {
+            cedarling::BootstrapConfig::from_raw_config_and_env(None)
+                .map_err(|e| PyValueError::new_err(e.to_string()))?
+        };
+
+        Ok(Self { inner })
+    }
+
     #[staticmethod]
     pub fn load_from_file(path: &str) -> PyResult<Self> {
         let inner = cedarling::BootstrapConfig::load_from_file(path).map_err(|e| match e {

jans-cedarling/cedarling/src/blocking.rs

@@ -7,10 +7,10 @@
 
 //! Blocking client of Cedarling
 
-use crate::Cedarling as AsyncCedarling;
 use crate::{
     AuthorizeError, AuthorizeResult, BootstrapConfig, InitCedarlingError, LogStorage, Request,
 };
+use crate::{BootstrapConfigRaw, Cedarling as AsyncCedarling};
 use std::sync::Arc;
 use tokio::runtime::Runtime;
 
@@ -23,7 +23,17 @@ pub struct Cedarling {
 }
 
 impl Cedarling {
-    /// Builder
+    /// Create a new instance of the Cedarling application.
+    /// Initialize instance from enviroment variables and from config.
+    /// Configuration structure has lower priority.
+    pub fn new_with_env(
+        raw_config: Option<BootstrapConfigRaw>,
+    ) -> Result<Cedarling, InitCedarlingError> {
+        let config = BootstrapConfig::from_raw_config_and_env(raw_config)?;
+        Self::new(&config)
+    }
+
+    /// Create a new instance of the Cedarling application.
     pub fn new(config: &BootstrapConfig) -> Result<Cedarling, InitCedarlingError> {
         let rt = Runtime::new().map_err(InitCedarlingError::RuntimeInit)?;
 

jans-cedarling/cedarling/src/bootstrap_config/decode.rs

@@ -3,7 +3,11 @@
 //
 // Copyright (c) 2024, Gluu, Inc.
 
-use std::collections::HashSet;
+// to avoid a lot of `cfg` macros
+#![allow(unused_imports)]
+
+use std::collections::{HashMap, HashSet};
+use std::env;
 use std::fmt::Display;
 use std::fs;
 use std::path::Path;
@@ -13,15 +17,20 @@ use jsonwebtoken::Algorithm;
 use serde::{Deserialize, Deserializer, Serialize};
 
 use super::authorization_config::AuthorizationConfig;
+use super::json_util::fallback_deserialize;
 use super::{
     BootstrapConfig, BootstrapConfigLoadingError, IdTokenTrustMode, JwtConfig, LogConfig,
     LogTypeConfig, MemoryLogConfig, PolicyStoreConfig, PolicyStoreSource, TokenValidationConfig,
 };
 use crate::log::LogLevel;
 
-#[derive(Deserialize, PartialEq, Debug, Default)]
+#[derive(Deserialize, Serialize, PartialEq, Debug, Default)]
 /// Struct that represent mapping mapping `Bootstrap properties` to be JSON and YAML compatible
 /// from [link](https://github.com/JanssenProject/jans/wiki/Cedarling-Nativity-Plan#bootstrap-properties)
+///
+/// This structure is used to deserialize values from ENV VARS so json keys is same as keys in environment variables
+//
+//  All fields should be available to parse from string, because env vars always string.
 pub struct BootstrapConfigRaw {
     ///  Human friendly identifier for the application
     #[serde(rename = "CEDARLING_APPLICATION_NAME")]
@@ -50,14 +59,17 @@ pub struct BootstrapConfigRaw {
     /// If `log_type` is set to [`LogType::Memory`], this is the TTL (time to live) of
     /// log entities in seconds.
     #[serde(rename = "CEDARLING_LOG_TTL", default)]
+    #[serde(deserialize_with = "fallback_deserialize")]
     pub log_ttl: Option<u64>,
 
     /// List of claims to map from user entity, such as ["sub", "email", "username", ...]
     #[serde(rename = "CEDARLING_DECISION_LOG_USER_CLAIMS", default)]
+    #[serde(deserialize_with = "fallback_deserialize")]
     pub decision_log_user_claims: Vec<String>,
 
     /// List of claims to map from user entity, such as ["client_id", "rp_id", ...]
     #[serde(rename = "CEDARLING_DECISION_LOG_WORKLOAD_CLAIMS", default)]
+    #[serde(deserialize_with = "fallback_deserialize")]
     pub decision_log_workload_claims: Vec<String>,
 
     /// Token claims that will be used for decision logging.
@@ -84,22 +96,27 @@ pub struct BootstrapConfigRaw {
 
     /// Mapping name of cedar schema User entity
     #[serde(rename = "CEDARLING_MAPPING_USER", default)]
+    #[serde(deserialize_with = "fallback_deserialize")]
     pub mapping_user: Option<String>,
 
     /// Mapping name of cedar schema Workload entity.
     #[serde(rename = "CEDARLING_MAPPING_WORKLOAD", default)]
+    #[serde(deserialize_with = "fallback_deserialize")]
     pub mapping_workload: Option<String>,
 
     /// Mapping name of cedar schema id_token entity.
     #[serde(rename = "CEDARLING_MAPPING_ID_TOKEN", default)]
+    #[serde(deserialize_with = "fallback_deserialize")]
     pub mapping_id_token: Option<String>,
 
     /// Mapping name of cedar schema access_token entity.
     #[serde(rename = "CEDARLING_MAPPING_ACCESS_TOKEN", default)]
+    #[serde(deserialize_with = "fallback_deserialize")]
     pub mapping_access_token: Option<String>,
 
     /// Mapping name of cedar schema userinfo_token entity.
     #[serde(rename = "CEDARLING_MAPPING_USERINFO_TOKEN", default)]
+    #[serde(deserialize_with = "fallback_deserialize")]
     pub mapping_userinfo_token: Option<String>,
 
     /// Path to a local file pointing containing a JWKS.
@@ -112,6 +129,7 @@ pub struct BootstrapConfigRaw {
 
     /// JSON object with policy store
     #[serde(rename = "CEDARLING_LOCAL_POLICY_STORE", default)]
+    #[serde(deserialize_with = "fallback_deserialize")]
     pub local_policy_store: Option<String>,
 
     /// Path to a Policy Store JSON file
@@ -126,6 +144,7 @@ pub struct BootstrapConfigRaw {
     ///
     /// This requires that an `iss` (Issuer) claim is present on each token.
     #[serde(rename = "CEDARLING_JWT_SIG_VALIDATION", default)]
+    #[serde(deserialize_with = "fallback_deserialize")]
     pub jwt_sig_validation: FeatureToggle,
 
     /// Whether to check the status of the JWT. On startup.
@@ -136,10 +155,12 @@ pub struct BootstrapConfigRaw {
     ///
     /// [`IETF Draft`]: https://datatracker.ietf.org/doc/draft-ietf-oauth-status-list/
     #[serde(rename = "CEDARLING_JWT_STATUS_VALIDATION", default)]
+    #[serde(deserialize_with = "fallback_deserialize")]
     pub jwt_status_validation: FeatureToggle,
 
     /// Cedarling will only accept tokens signed with these algorithms.
     #[serde(rename = "CEDARLING_JWT_SIGNATURE_ALGORITHMS_SUPPORTED", default)]
+    #[serde(deserialize_with = "fallback_deserialize")]
     pub jwt_signature_algorithms_supported: HashSet<Algorithm>,
 
     /// When enabled, the `iss` (Issuer) claim must be present in the Access Token and
@@ -222,6 +243,7 @@ pub struct BootstrapConfigRaw {
     ///
     /// ***Required*** if `LOCK == Enabled`.
     #[serde(rename = "CEDARLING_LOCK_MASTER_CONFIGURATION_URI", default)]
+    #[serde(deserialize_with = "fallback_deserialize")]
     pub lock_master_configuration_uri: Option<String>,
 
     /// Controls whether Cedarling should listen for SSE config updates.
@@ -239,14 +261,17 @@ pub struct BootstrapConfigRaw {
 
     /// How often to send log messages to Lock Master (0 to turn off trasmission).
     #[serde(rename = "CEDARLING_AUDIT_LOG_INTERVAL", default)]
+    #[serde(deserialize_with = "fallback_deserialize")]
     pub audit_log_interval: u64,
 
     /// How often to send health messages to Lock Master (0 to turn off transmission).
     #[serde(rename = "CEDARLING_AUDIT_HEALTH_INTERVAL", default)]
+    #[serde(deserialize_with = "fallback_deserialize")]
     pub audit_health_interval: u64,
 
     /// How often to send telemetry messages to Lock Master (0 to turn off transmission).
     #[serde(rename = "CEDARLING_AUDIT_TELEMETRY_INTERVAL", default)]
+    #[serde(deserialize_with = "fallback_deserialize")]
     pub audit_health_telemetry_interval: u64,
 
     /// Controls whether Cedarling should listen for updates from the Lock Server.
@@ -255,7 +280,7 @@ pub struct BootstrapConfigRaw {
 }
 
 /// Type of logger
-#[derive(Debug, PartialEq, Deserialize, Default)]
+#[derive(Debug, PartialEq, Deserialize, Serialize, Default)]
 #[serde(rename_all = "lowercase")]
 pub enum LoggerType {
     /// Disabled logger
@@ -300,7 +325,7 @@ impl Display for LoggerType {
 }
 
 /// Enum varians that represent if feature is enabled or disabled
-#[derive(Debug, PartialEq, Deserialize, Default, Copy, Clone)]
+#[derive(Debug, PartialEq, Deserialize, Serialize, Default, Copy, Clone)]
 #[serde(rename_all = "lowercase")]
 pub enum FeatureToggle {
     /// Represent as disabled.
@@ -428,7 +453,41 @@ pub struct ParseFeatureToggleError {
     value: String,
 }
 
+/// Get environment variables related to `Cedarling`
+#[cfg(not(target_arch = "wasm32"))]
+fn cedarling_env_vars() -> HashMap<String, serde_json::Value> {
+    env::vars()
+        .filter_map(|(k, v)| {
+            k.starts_with("CEDARLING_")
+                .then_some((k, serde_json::json!(v)))
+        })
+        .collect()
+}
+
 impl BootstrapConfig {
+    /// Construct `BootstrapConfig` from environment variables and `BootstrapConfigRaw` config
+    //
+    // Simple implementation that map input structure to JSON map
+    // and map environment variables with prefix `CEDARLING_` to JSON map. And merge it.
+    #[cfg(not(target_arch = "wasm32"))]
+    pub fn from_raw_config_and_env(
+        raw: Option<BootstrapConfigRaw>,
+    ) -> Result<Self, BootstrapConfigLoadingError> {
+        let mut json_config_params = serde_json::json!(raw.unwrap_or_default())
+            .as_object()
+            .map(|v| v.to_owned())
+            .unwrap_or_default();
+
+        cedarling_env_vars().into_iter().for_each(|(k, v)| {
+            // update map with values from env variables
+            json_config_params.insert(k, v);
+        });
+
+        let config_raw = BootstrapConfigRaw::deserialize(json_config_params)?;
+
+        Self::from_raw_config(&config_raw)
+    }
+
     /// Construct an instance from BootstrapConfigRaw
     pub fn from_raw_config(raw: &BootstrapConfigRaw) -> Result<Self, BootstrapConfigLoadingError> {
         if !raw.workload_authz.is_enabled() && !raw.user_authz.is_enabled() {
@@ -559,7 +618,7 @@ pub fn parse_option_string<'de, D>(deserializer: D) -> Result<Option<String>, D:
 where
     D: Deserializer<'de>,
 {
-    let value = Option::<String>::deserialize(deserializer)?;
+    let value: Option<String> = fallback_deserialize(deserializer)?;
 
     Ok(value.filter(|s| !s.is_empty()))
 }