#!/usr/bin/env bash
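#######################################
# Print the shlibs-vault usage text to stdout.
# The here-doc delimiter is quoted so that the example's $key, $vault and
# ${envs} are printed literally instead of being expanded (or tripping
# `set -u`) in the caller's shell, which the unquoted delimiter did.
# Globals:   none
# Arguments: none
# Outputs:   usage text on stdout
# Returns:   0
#######################################
shlibs.vault.usage() {
  cat <<'EOF'
shlibs-vault: [parameters] command
Parameters
-k|--key <path to the key file>
-v|--vault <path to the vault file>
-s|--sep <seperator for the passed envs, defaults to comma ",">
-e|--envs <comma (or --sep) seperated strings of env names to be exported>
Commands
- export-envs Exports the passed variables
- view Prints the content of the vault
Example
source /usr/local/bin/shlibs/index.sh
envs="db_password,master_pwd"
key="/tmp/key"
vault="/tmp/secrets.env"
shlibs-vault --key "$key" --vault "$vault" --envs "${envs}" export-envs
export | grep db_password
export | grep master_pwd
EOF
}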
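#######################################
# Decrypt a vault file with nanvault and stream the plaintext to stdout.
# Arguments: $1 - path to the encrypted vault file
#            $2 - path to the key file
# Outputs:   decrypted vault content on stdout; diagnostics via log_error
# Returns:   2 when either file is missing (a `return`, not `exit`: this
#            library is sourced, so `exit` would terminate the caller's
#            shell), otherwise nanvault's exit status
#######################################
shlibs.vault.decrypt() {
  local vault="$1"
  local key="$2"
  local path
  for path in "$vault" "$key"; do
    if [[ ! -f "$path" ]]; then
      log_error "File does not exist at '${path}'"
      return 2
    fi
  done
  # Redirect instead of `cat | nanvault` so the function's status is
  # nanvault's own exit status even without pipefail.
  nanvault -p "$key" < "$vault"
}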
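#######################################
# Filter stdin (decrypted vault lines) for assignments of one variable.
# Arguments: $1 - variable name to look for
# Inputs:    NAME=value lines on stdin
# Outputs:   every line that starts with "<name>=" on stdout, unchanged;
#            the name itself via log_debug
# Returns:   0
#######################################
shlibs.vault.export-env() {
  local env="${1}"
  local line
  log_debug "$env"
  # `|| [[ -n $line ]]` keeps a final line that has no trailing newline;
  # plain `read` returns non-zero on it and the loop would drop it.
  while IFS= read -r line || [[ -n "$line" ]]; do
    if [[ "$line" == "$env="* ]]; then
      printf '%s\n' "$line"
    fi
  done
}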
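#######################################
# Decrypt the vault once and export the requested variables into the
# calling shell.
# Arguments: $1 - path to the vault file
#            $2 - path to the key file
#            $@ - (after the two paths) names of variables to export
# Outputs:   diagnostics via log_debug/log_warn (names only, never values)
# Returns:   decrypt's status when decryption fails, otherwise 0
#######################################
shlibs.vault.export-envs() {
  local vault=$1
  local key=$2
  shift 2
  local content env line found
  if (($# == 0)); then
    log_warn "No ENVS defined to be exported"
    return 0
  fi
  # Decrypt once for all names instead of once per name.
  content=$(shlibs.vault.decrypt "$vault" "$key") || return
  for env; do
    # Only shell identifiers can be exported; reject anything else here
    # rather than letting it reach the export below.
    if [[ ! "$env" =~ ^[A-Za-z_][A-Za-z0-9_]*$ ]]; then
      log_warn "Skipping invalid variable name '${env}'"
      continue
    fi
    log_debug "$env"
    found=0
    while IFS= read -r line; do
      # Export the NAME=value line directly instead of through eval: the
      # value is taken literally, so quotes, $(...) and backticks stored in
      # the vault are data, not code executed in the caller's shell.
      export "$line"
      found=1
    done < <(shlibs.vault.export-env "$env" <<<"$content")
    # Log the name only; the value is a secret and must not reach the logs.
    if ((found)); then
      log_debug "Exported: $env"
    else
      log_warn "No entry for '${env}' in vault"
    fi
  done
}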
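#######################################
# Split a delimited string of variable names into an array.
# Arguments: $1 - name of the array variable to fill (nameref out-param)
#            $2 - the delimited string
#            $3 - delimiter character(s), default ","
# Outputs:   none
# Returns:   0
#######################################
shlibs.vault.parse-env-string() {
  local -n ref=$1
  local env_string="$2"
  local delimiter="${3:-,}"
  local flat
  local -a parts=()
  # Map every delimiter character to a space and let `read` split on
  # whitespace: empty fields and surrounding blanks are dropped as before,
  # but the names are no longer subject to pathname expansion (an unquoted
  # `*` in the string used to expand to the files in the working directory).
  flat=$(printf '%s' "$env_string" | tr -- "$delimiter" ' ')
  IFS=$' \t\n' read -r -a parts <<<"${flat//$'\n'/ }"
  ref=("${parts[@]}")
}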
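#######################################
# Entry point: parse options, then run the `export-envs` or `view` command.
# Long options go through getopts' "-" pseudo-option and take their value
# from the next positional parameter (${!OPTIND}).
# Globals:   none written; all scratch state is local (the original left
#            _optspec/_envs/_sep in the caller's shell)
# Arguments: [-k|--key path] [-v|--vault path] [-s|--sep chars]
#            [-e|--envs names] [-h|--help] command
# Outputs:   diagnostics via log_*; `view` prints the decrypted vault
# Returns:   0 after usage/help, 2 on a long option without a value,
#            otherwise the status of the dispatched command
#######################################
shlibs.vault() {
  local OPTIND=1 OPTARG optchar value
  local _optspec=":hv:e:k:s:-:"
  local _vault="" _key="" _env_string="" _sep=","
  local -a _envs=()
  while getopts "$_optspec" optchar; do
    case "${optchar}" in
      -)
        case "${OPTARG}" in
          envs | key | sep | vault)
            # Long options consume the next positional parameter; fail
            # explicitly instead of reading past the end of "$@".
            if ((OPTIND > $#)); then
              log_error "Option --${OPTARG} requires a value"
              return 2
            fi
            value="${!OPTIND}"
            OPTIND=$((OPTIND + 1))
            case "${OPTARG}" in
              envs) _env_string="$value" ;;
              key) _key="$value" ;;
              sep) _sep="$value" ;;
              vault) _vault="$value" ;;
            esac
            ;;
          help)
            shlibs.vault.usage
            return 0
            ;;
          *)
            shlibs.getopts.catch-unknown-opt "--"
            ;;
        esac
        ;;
      # Short options must fill the same variables the dispatch below reads;
      # they previously wrote to env_string/key/sep/vault and were ignored.
      e)
        _env_string="${OPTARG}"
        ;;
      k)
        _key="${OPTARG}"
        ;;
      s)
        _sep="${OPTARG}"
        ;;
      v)
        _vault="${OPTARG}"
        ;;
      h)
        shlibs.vault.usage
        return 0
        ;;
      *)
        shlibs.getopts.catch-unknown-opt "-"
        ;;
    esac
  done
  shift "$((OPTIND - 1))"
  # Paths and names only: values never reach the logs.
  log_debug "vault '$_vault'"
  log_debug "key: '$_key'"
  log_debug "env-string: '${_env_string}'"
  log_debug "seperator: '$_sep'"
  case "${1:-}" in
    export-envs)
      shlibs.vault.parse-env-string _envs "$_env_string" "$_sep"
      log_debug "parsed envs: '${_envs[*]}'"
      log_info "Exporting variables: ${_envs[*]}"
      shlibs.vault.export-envs "$_vault" "$_key" "${_envs[@]}"
      ;;
    view)
      shlibs.vault.decrypt "$_vault" "$_key"
      ;;
    *)
      shlibs.vault.usage
      ;;
  esac
}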