From ec16300f4738edacbd9582dd6b3bb83321ed87e2 Mon Sep 17 00:00:00 2001 From: Renovate Bot Date: Sun, 1 Mar 2026 00:04:28 +0000 Subject: [PATCH 1/2] chore(deps): update postgres to v18.3 --- .drone.yml | 8 ++++---- docker-compose.prod.yml | 2 +- docker-compose.yml | 2 +- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/.drone.yml b/.drone.yml index 9eb78f0..1d08a2e 100644 --- a/.drone.yml +++ b/.drone.yml @@ -4,7 +4,7 @@ name: check-fast services: - name: postgres - image: docker.io/library/postgres:18.1 + image: docker.io/library/postgres:18.3 environment: POSTGRES_USER: postgres POSTGRES_PASSWORD: postgres @@ -57,7 +57,7 @@ steps: - mix gettext.extract --check-up-to-date - name: wait_for_postgres - image: docker.io/library/postgres:18.1 + image: docker.io/library/postgres:18.3 commands: # Wait for postgres to become available - | @@ -109,7 +109,7 @@ name: check-full services: - name: postgres - image: docker.io/library/postgres:18.1 + image: docker.io/library/postgres:18.3 environment: POSTGRES_USER: postgres POSTGRES_PASSWORD: postgres @@ -164,7 +164,7 @@ steps: - mix gettext.extract --check-up-to-date - name: wait_for_postgres - image: docker.io/library/postgres:18.1 + image: docker.io/library/postgres:18.3 commands: # Wait for postgres to become available - | diff --git a/docker-compose.prod.yml b/docker-compose.prod.yml index 2c342f9..5ff00f1 100644 --- a/docker-compose.prod.yml +++ b/docker-compose.prod.yml @@ -33,7 +33,7 @@ services: restart: unless-stopped db-prod: - image: postgres:18.1-alpine + image: postgres:18.3-alpine container_name: mv-prod-db environment: POSTGRES_USER: postgres diff --git a/docker-compose.yml b/docker-compose.yml index 6f3861f..c3473b7 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -4,7 +4,7 @@ networks: services: db: - image: postgres:18.1-alpine + image: postgres:18.3-alpine environment: POSTGRES_USER: postgres POSTGRES_PASSWORD: postgres 
From 3187d408c5a3f0de239fcb84fc4e1fe2c9b8e8c9 Mon Sep 17 00:00:00 2001
From: Moritz
Date: Mon, 2 Mar 2026 15:05:50 +0100
Subject: [PATCH 2/2] OIDC: use Application config :oidc from runtime.exs for client secret in prod
---
 lib/mv/config.ex | 25 ++++++++++++++++++++++---
 1 file changed, 22 insertions(+), 3 deletions(-)
diff --git a/lib/mv/config.ex b/lib/mv/config.ex
index ec69b18..8b8c088 100644
--- a/lib/mv/config.ex
+++ b/lib/mv/config.ex
@@ -360,13 +360,29 @@ defmodule Mv.Config do
 end

 @doc """
- Returns the OIDC client secret. ENV first, then Settings.
+ Returns the OIDC client secret.
+ In production, uses the value from config :mv, :oidc (set by runtime.exs from OIDC_CLIENT_SECRET or OIDC_CLIENT_SECRET_FILE).
+ Otherwise ENV OIDC_CLIENT_SECRET, then Settings.
 """
 @spec oidc_client_secret() :: String.t() | nil
 def oidc_client_secret do
- env_or_setting("OIDC_CLIENT_SECRET", :oidc_client_secret)
+ case Application.get_env(:mv, :oidc) do
+ oidc when is_list(oidc) -> oidc_client_secret_from_config(Keyword.get(oidc, :client_secret))
+ _ -> env_or_setting("OIDC_CLIENT_SECRET", :oidc_client_secret)
+ end
 end

+ defp oidc_client_secret_from_config(nil),
+ do: env_or_setting("OIDC_CLIENT_SECRET", :oidc_client_secret)
+
+ defp oidc_client_secret_from_config(secret) when is_binary(secret) do
+ s = String.trim(secret)
+ if s != "", do: s, else: env_or_setting("OIDC_CLIENT_SECRET", :oidc_client_secret)
+ end
+
+ defp oidc_client_secret_from_config(_),
+ do: env_or_setting("OIDC_CLIENT_SECRET", :oidc_client_secret)
+
 @doc """
 Returns the OIDC admin group name (for role sync). ENV first, then Settings.
 """
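Review bot: In `oidc_client_secret_from_config/1`, a blank or non-string `:client_secret` falls through to `env_or_setting/2` without any signal, so an empty or misread secret file would leave the app using whatever secret is stored in Settings and the misconfiguration would go unnoticed. A warning in that fallback would help operators, provided it names only the source and never the value, e.g. `Logger.warning("config :mv, :oidc has no usable :client_secret; falling back to ENV/Settings")` (this assumes Logger is required in the module, which the hunk does not show). The `nil` clause is identical to the catch-all clause and can be dropped. The `@doc` also says "In production" although the code branches on whether `:oidc` is a keyword list, not on the environment; wording such as `Uses :client_secret from config :mv, :oidc when it is a non-blank string; otherwise ENV OIDC_CLIENT_SECRET, then Settings.` would match what the code does.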
@@ -426,7 +442,10 @@ defmodule Mv.Config do
 def oidc_client_id_env_set?, do: env_set?("OIDC_CLIENT_ID")
 def oidc_base_url_env_set?, do: env_set?("OIDC_BASE_URL")
 def oidc_redirect_uri_env_set?, do: env_set?("OIDC_REDIRECT_URI")
- def oidc_client_secret_env_set?, do: env_set?("OIDC_CLIENT_SECRET")
+
+ def oidc_client_secret_env_set?,
+ do: env_set?("OIDC_CLIENT_SECRET") or env_set?("OIDC_CLIENT_SECRET_FILE")
+
 def oidc_admin_group_name_env_set?, do: env_set?("OIDC_ADMIN_GROUP_NAME")
 def oidc_groups_claim_env_set?, do: env_set?("OIDC_GROUPS_CLAIM")
 def oidc_only_env_set?, do: env_set?("OIDC_ONLY")
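Review bot: `oidc_client_secret_env_set?/0` now returns true when only `OIDC_CLIENT_SECRET_FILE` is set, but the fallback path of `oidc_client_secret/0` in the first hunk still reads just `OIDC_CLIENT_SECRET` through `env_or_setting/2`. If `runtime.exs` fills `config :mv, :oidc` only in production, as the new `@doc` suggests (that file is not part of this patch), then in other environments a file-based secret would be reported as environment-managed while the getter returns the Settings value or nil. Either resolve the `_FILE` variable in the fallback as well, or state the limitation next to the predicate, e.g. `# OIDC_CLIENT_SECRET_FILE is only resolved by runtime.exs; the ENV fallback reads OIDC_CLIENT_SECRET alone`.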