114 lines
3.2 KiB
Bash
114 lines
3.2 KiB
Bash
#!/bin/bash
|
|
# ------------------------------------------------------------------------------
|
|
# Secret management functions
|
|
# This file is part of the init.sh project
|
|
# Copyright (c) 2025 Geoffray Levasseur <fatalerrors@geoffray-levasseur.org>
|
|
# ------------------------------------------------------------------------------
|
|
# This file is distributed under 3-clause BSD license.
|
|
# The complete license agreement can be obtained at:
|
|
# https://opensource.org/licenses/BSD-3-Clause
|
|
# ------------------------------------------------------------------------------
|
|
|
|
|
|
# ------------------------------------------------------------------------------
|
|
# Passbolt
|
|
get_passbolt_secret() {
|
|
local name="$1" secret
|
|
|
|
if ! command -v passbolt >/dev/null 2>&1; then
|
|
prnt E "Passbolt CLI not found (required to fetch passbolt:$name)."
|
|
return 3
|
|
fi
|
|
|
|
# Exemple basé sur CLI Passbolt + jq
|
|
secret=$(passbolt secret list --json 2>/dev/null | jq -r --arg NAME "$name" \
|
|
'.[] | select(.name == $NAME) | .secrets[0].data' 2>/dev/null)
|
|
|
|
if [[ -z "$secret" || "$secret" == "null" ]]; then
|
|
prnt E "Secret '$name' not found in Passbolt."
|
|
return 4
|
|
fi
|
|
|
|
printf '%s' "$secret"
|
|
}
|
|
# ------------------------------------------------------------------------------
|
|
|
|
|
|
# ------------------------------------------------------------------------------
|
|
# File
|
|
get_file_secret() {
|
|
local path="$1" secret
|
|
|
|
if [[ -z "$path" ]]; then
|
|
prnt E "get_file_secret: missing path"
|
|
return 5
|
|
fi
|
|
if [[ ! -r "$path" ]]; then
|
|
prnt E "get_file_secret: '$path' not readable"
|
|
return 6
|
|
fi
|
|
|
|
secret=$(<"$path")
|
|
secret="${secret%$'\r'}"
|
|
secret="${secret%$'\n'}"
|
|
printf '%s' "$secret"
|
|
}
|
|
# ------------------------------------------------------------------------------
|
|
|
|
|
|
# ------------------------------------------------------------------------------
|
|
# Environment variable
|
|
get_var_secret() {
|
|
local var="$1" secret
|
|
|
|
if [[ -z "$var" ]]; then
|
|
prnt E "get_var_secret: missing variable name"
|
|
return 7
|
|
fi
|
|
if ! printenv "$var" >/dev/null 2>&1; then
|
|
prnt E "get_var_secret: variable '$var' not set"
|
|
return 8
|
|
fi
|
|
|
|
secret="$(printenv "$var")"
|
|
secret="${secret%$'\r'}"
|
|
secret="${secret%$'\n'}"
|
|
printf '%s' "$secret"
|
|
}
|
|
# ------------------------------------------------------------------------------
|
|
|
|
# ------------------------------------------------------------------------------
|
|
# Main dispatcher
|
|
# Usage: fetch_secret "scheme:identifier"
|
|
fetch_secret() {
|
|
local ref="$1"
|
|
local scheme identifier func
|
|
|
|
if [[ -z "$ref" ]]; then
|
|
prnt E "fetch_secret: no reference provided"
|
|
return 1
|
|
fi
|
|
|
|
# par défaut, si pas de scheme -> "file"
|
|
if [[ "$ref" != *:* ]]; then
|
|
scheme="file"
|
|
identifier="$ref"
|
|
else
|
|
scheme="${ref%%:*}"
|
|
identifier="${ref#*:}"
|
|
fi
|
|
|
|
func="get_${scheme}_secret"
|
|
|
|
if ! declare -f "$func" >/dev/null 2>&1; then
|
|
prnt E "fetch_secret: unsupported scheme '$scheme' (no function $func)"
|
|
return 2
|
|
fi
|
|
|
|
"$func" "$identifier"
|
|
}
|
|
export -f fetch_secret
|
|
# ------------------------------------------------------------------------------
|
|
|
|
|
|
# EOF |