in proxy/lib/proxy/options.go [88:177]
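// ReadOptionsFromEnv builds the proxy Options from environment variables.
//
// Required variables are read with osenv.MustVar, optional ones with
// os.Getenv or osenv.VarWithDefault. An invalid ALLOWED_PATH_PREFIX or
// CLIENTS_OF_PROXY terminates the process via glog.Exitf. Variables are
// read in a fixed order, so a missing required variable is reported for
// the first one that is absent. FHIR_ISSUER_CLIENT_SECRET and the secrets
// embedded in CLIENTS_OF_PROXY are credentials: do not log them or echo
// them back in error messages.
func ReadOptionsFromEnv() *Options {
	// Boolean switches are enabled only by the exact string "true"; any
	// other value (including "TRUE", "1" or unset) leaves the feature off.
	envBool := func(name string) bool {
		return os.Getenv(name) == "true"
	}

	// FHIR_ISSUER: the "iss" claim expected in the SMARTonFHIR token.
	// Example: FHIR_ISSUER: "https://personas-staging-dot-hcls-data-connect-demo.appspot.com/oidc"
	fhirIssuer := osenv.MustVar("FHIR_ISSUER")

	// AUDIENCE: a string that represents the expected audience for the access
	// token. It may be set to the same string as the Token Issuer's client ID
	// depending on how the Token Issuer populates the claim.
	// Example: AUDIENCE: "https://fhirproxy-staging-dot-hcls-data-connect-demo.appspot.com"
	audience := osenv.MustVar("AUDIENCE")

	// FHIR_ISSUER_CLIENT_ID: the Relying Party client ID for the proxy as
	// allocated by the token issuer IDP. This may be used when the proxy calls
	// OIDC endpoints. Optional: empty when unset.
	// Example: FHIR_ISSUER_CLIENT_ID: "abcdefg1234567"
	fhirIssuerClientID := os.Getenv("FHIR_ISSUER_CLIENT_ID")

	// FHIR_ISSUER_CLIENT_SECRET: the Relying Party client secret for the proxy
	// as allocated by the token issuer IDP. This may be used when the proxy
	// calls OIDC endpoints. Optional: empty when unset. This is a credential
	// and must be kept out of logs.
	// Example: FHIR_ISSUER_CLIENT_SECRET: "0000-000-000000-00"
	fhirIssuerClientSecret := os.Getenv("FHIR_ISSUER_CLIENT_SECRET")

	// PROXY_TO: the FHIR service root URL.
	// Example: PROXY_TO: "https://healthcare.googleapis.com"
	proxyTo := osenv.MustVar("PROXY_TO")

	// SERVICE_ACCOUNT_NAME: the service account name for the proxy to use when
	// calling the FHIR (PROXY_TO) endpoints. Default is "fhirproxy".
	// Example: SERVICE_ACCOUNT_NAME: "fhirproxy"
	serviceAccountName := osenv.VarWithDefault("SERVICE_ACCOUNT_NAME", "fhirproxy")

	// ALLOWED_PATH_PREFIX: a comma-delimited set of Healthcare API paths to
	// proxy. This provides the ability to limit which projects, datasets etc.
	// with which the proxy may be used. Validation happens here, at startup,
	// so a misconfigured allow-list never reaches request handling.
	// Example: ALLOWED_PATH_PREFIX: "/v1/projects/gcp-project/locations/us-central1/datasets/a"
	allowedPathPrefix := splitValuesByCommas(osenv.MustVar("ALLOWED_PATH_PREFIX"))
	if err := validateAllowedPathPrefix(allowedPathPrefix); err != nil {
		glog.Exitf("Invalid ALLOWED_PATH_PREFIX %v", err)
	}

	// CLIENTS_OF_PROXY: a set of key/value pairs of client applications that
	// are able to access the proxy. When non-empty, all clients of this proxy
	// must pass in X-Client-ID and X-Client-Secret headers with their requests
	// and match one of the entries on this list, or else the request will be
	// unauthorized. The values are credentials; the parse error below is
	// reported as returned by parseClientsOfProxy, so that function must not
	// include the raw input in its error text.
	// Example: CLIENTS_OF_PROXY: "client_1=secret_1;client_2=secret_2"
	clientsOfProxy, err := parseClientsOfProxy(os.Getenv("CLIENTS_OF_PROXY"))
	if err != nil {
		glog.Exitf("Invalid CLIENTS_OF_PROXY %v", err)
	}

	// REMOVE_SCOPES: a comma-delimited set of scopes to remove from the
	// X-Authorization-Scope header that the proxy includes in its requests
	// to downstream servers.
	// Example: REMOVE_SCOPES: "openid,profile,email"
	removeScopes := splitValuesByCommas(osenv.MustVar("REMOVE_SCOPES"))

	// USE_USERINFO_TO_VERIFY_ACCESSTOKEN: optional switch, enabled by "true".
	// NOTE(review): presumably, when set, the proxy verifies the access token
	// by calling the issuer's userinfo endpoint instead of validating it
	// locally — confirm against the token verification code before relying
	// on this description.
	useUserinfoToVerifyAccessToken := envBool("USE_USERINFO_TO_VERIFY_ACCESSTOKEN")

	// WELL_KNOWN_AUTHORIZATION_ENDPOINT: url to authorize for access token.
	// Example: https://example.com/authorize
	wellKnownAuthorizationEndpoint := osenv.MustVar("WELL_KNOWN_AUTHORIZATION_ENDPOINT")

	// WELL_KNOWN_TOKEN_ENDPOINT: url to exchange an auth code or refresh token
	// for an access token.
	// Example: https://example.com/token
	wellKnownTokenEndpoint := osenv.MustVar("WELL_KNOWN_TOKEN_ENDPOINT")

	// WELL_KNOWN_CAPABILITIES: a comma-delimited set of capabilities,
	// see https://hl7.org/fhir/smart-app-launch/conformance/index.html#capability-sets
	wellKnownCapabilities := splitValuesByCommas(osenv.MustVar("WELL_KNOWN_CAPABILITIES"))

	// USE_SECRET_MANAGER: use GCP SecretManager to store client secret and
	// issuer secret. Enabled only by "true".
	// NOTE(review): when enabled, the plain-text FHIR_ISSUER_CLIENT_SECRET
	// and CLIENTS_OF_PROXY values read above are presumably superseded by
	// Secret Manager lookups — confirm in the code that consumes Options.
	useSecretManager := envBool("USE_SECRET_MANAGER")

	return &Options{
		FhirIssuer:                     fhirIssuer,
		Audience:                       audience,
		FhirIssuerClientID:             fhirIssuerClientID,
		FhirIssuerClientSecret:         fhirIssuerClientSecret,
		ProxyTo:                        proxyTo,
		ServiceAccountName:             serviceAccountName,
		AllowedPathPrefix:              allowedPathPrefix,
		ClientsOfProxy:                 clientsOfProxy,
		RemoveScopes:                   stringset.New(removeScopes...),
		UseUserinfoToVerifyAccessToken: useUserinfoToVerifyAccessToken,
		UseSecretManager:               useSecretManager,
		WellKnownAuthorizationEndpoint: wellKnownAuthorizationEndpoint,
		WellKnownTokenEndpoint:         wellKnownTokenEndpoint,
		WellKnownCapabilities:          wellKnownCapabilities,
	}
}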