check secret availability before run

lib/secret.sh

@@ -11,7 +11,7 @@
 
 
 # ------------------------------------------------------------------------------
-# Passbolt
+# Get Passbolt
 get_passbolt_secret()
 {
     local name="$1" secret
@@ -37,13 +37,13 @@ export -f get_passbolt_secret
 
 
 # ------------------------------------------------------------------------------
-# File
+# Get File
 get_file_secret()
 {
     local path="$1" secret
 
-    if [[ -z "$path" ]]; then
-        prnt E "get_file_secret: missing path"
+    if [[ -s "$path" ]]; then
+        prnt E "get_file_secret: missing secret file"
         die 10
     fi
     if [[ ! -r "$path" ]]; then
@@ -61,7 +61,7 @@ export -f get_file_secret
 
 
 # ------------------------------------------------------------------------------
-# Environment variable
+# Get Environment variable
 get_var_secret()
 {
     local var="$1" secret
@@ -83,8 +83,9 @@ get_var_secret()
 export -f get_var_secret
 # ------------------------------------------------------------------------------
 
+
 # ------------------------------------------------------------------------------
-# Main dispatcher
+# Main get dispatcher
 # Usage: fetch_secret "scheme:identifier"
 fetch_secret()
 {
@@ -104,6 +105,7 @@ fetch_secret()
         scheme="${ref%%:*}"
         identifier="${ref#*:}"
     fi
+    prnt I "Fetching secret from $scheme, identified with \"$identifier\"..."
 
     func="get_${scheme}_secret"
 
@@ -118,4 +120,76 @@ export -f fetch_secret
 # ------------------------------------------------------------------------------
 
 
+# ------------------------------------------------------------------------------
+# Check Passbolt
+check_passbolt_secret() {
+    local name="$1" found
+
+    if ! command -v passbolt >/dev/null 2>&1; then
+        return 1
+    fi
+
+    found=$(passbolt secret list --json 2>/dev/null | jq -e --arg NAME "$name" \
+        '.[] | select(.name == $NAME) | .secrets[0].data' 2>/dev/null)
+
+    [[ -n "$found" && "$found" != "null" ]]
+}
+export -f check_passbolt_secret
+# ------------------------------------------------------------------------------
+
+
+# ------------------------------------------------------------------------------
+# Check File
+check_file_secret() {
+    local path="$1"
+
+    [[ -r "$path" && -s "$path" ]]
+}
+export -f check_file_secret
+# ------------------------------------------------------------------------------
+
+
+# ------------------------------------------------------------------------------
+# Check Environment variable
+check_var_secret() {
+    local var="$1"
+
+    [[ -n "$var" ]] && printenv "$var" >/dev/null 2>&1
+}
+export -f check_var_secret
+# ------------------------------------------------------------------------------
+
+
+# ------------------------------------------------------------------------------
+# Check Dispatcher
+check_secret() {
+    local ref="$1"
+    local scheme identifier func
+
+    if [[ -z "$ref" ]]; then
+        prnt E "check_secret: no reference provided"
+        return 1
+    fi
+
+    if [[ "$ref" != *:* ]]; then
+        scheme="file"
+        identifier="$ref"
+    else
+        scheme="${ref%%:*}"
+        identifier="${ref#*:}"
+    fi
+
+    func="check_${scheme}_secret"
+
+    if ! declare -f "$func" >/dev/null 2>&1; then
+        prnt E "check_secret: unsupported scheme '$scheme' (no function $func)"
+        return 1
+    fi
+
+    "$func" "$identifier"
+}
+export -f check_secret
+# ------------------------------------------------------------------------------
+
+
 # EOF

modules/conf_ceph.sh

@@ -149,6 +149,9 @@ precheck_conf_ceph()
                 prnt m "you need to export it temporarily in your environment, using the"
                 prnt m "\"CEPH_SECRET\" variable."
                 die 181
+            elif ! check_secret $CEPH_SECRET; then
+                prnt E "The declared $CEPH_SECRET is not accessible."
+                die 183
             fi
             if [[ -z $CEPH_MOUNTS ]]; then
                 prnt E "No CEPH mounts declared, despite reachable servers."