From 67d1ba5c7cb039023d2d058033f1dd1d9ba46479 Mon Sep 17 00:00:00 2001
From: MaksTinyWorkshop
Date: Thu, 26 Mar 2026 17:18:01 +0100
Subject: [PATCH] =?UTF-8?q?feat(scripts):=20ajout=20sync-project=20?=
 =?UTF-8?q?=E2=80=94=20g=C3=A9n=C3=A8re=20le=20.env=20projet=20depuis=20Ke?=
 =?UTF-8?q?ePass?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 scripts/aliases.sh | 3 ++
 scripts/sync-project-secrets.sh | 94 +++++++++++++++++++++++++++++++++
 2 files changed, 97 insertions(+)
 create mode 100755 scripts/sync-project-secrets.sh

diff --git a/scripts/aliases.sh b/scripts/aliases.sh
index 3945a79..39e7115 100755
--- a/scripts/aliases.sh
+++ b/scripts/aliases.sh
@@ -34,3 +34,6 @@ alias loadg="source \"\$LEADTECH/scripts/load-global-secrets.sh\""
 
 # Sync service secrets (KeePass → service.env)
 alias sync-service="source \"\$LEADTECH/scripts/sync-service-secrets.sh\""
+
+# Sync project secrets (KeePass → .env du projet courant)
+alias sync-project="source \"\$LEADTECH/scripts/sync-project-secrets.sh\""
diff --git a/scripts/sync-project-secrets.sh b/scripts/sync-project-secrets.sh
new file mode 100755
index 0000000..98f2a74
--- /dev/null
+++ b/scripts/sync-project-secrets.sh
@@ -0,0 +1,94 @@
+#!/usr/bin/env bash
+
+_sync_project_secrets() {
+ source "$LEADTECH/scripts/env_paths.sh" || { echo "env_paths.sh introuvable" >&2; return 1; }
+
+ if [ ! -f "$SECRETS_KDBX" ]; then
+ echo "Coffre introuvable : $SECRETS_KDBX" >&2
+ return 1
+ fi
+
+ if ! command -v keepassxc-cli >/dev/null 2>&1; then
+ echo "keepassxc-cli introuvable" >&2
+ return 1
+ fi
+
+ if ! command -v expect >/dev/null 2>&1; then
+ echo "expect introuvable" >&2
+ return 1
+ fi
+
+ # Nom du projet = nom du dossier courant
+ local project_name
+ project_name="$(basename "$PWD")"
+ local kdbx_group="Racine/projects/$project_name"
+ local target_file="$PWD/.env"
+
+ echo "Projet détecté : $project_name" >&2
+ echo "Groupe KeePass : $kdbx_group" >&2
+
+ if [ -z "${KDBX_PASSWORD:-}" ]; then
+ printf "Mot de passe KeePassXC : " >&2
+ stty -echo
+ IFS= read -r KDBX_PASSWORD
+ stty echo
+ printf '\n' >&2
+ fi
+
+ echo "Sync des secrets projet..." >&2
+
+ # Export CSV complet — une seule ouverture du coffre
+ local csv
+ csv=$(KDBX_PASSWORD="$KDBX_PASSWORD" SECRETS_KDBX="$SECRETS_KDBX" expect <<'EOF'
+ log_user 0
+ set timeout 30
+ spawn keepassxc-cli export --format csv $env(SECRETS_KDBX)
+ expect "Saisir le mot de passe pour déverrouiller*"
+ send -- "$env(KDBX_PASSWORD)\r"
+ expect eof
+ catch wait result
+ puts -nonewline $expect_out(buffer)
+ exit [lindex $result 3]
+EOF
+ ) || {
+ echo "Impossible d'exporter le coffre." >&2
+ return 1
+ }
+
+ local rendered_lines=""
+ local loaded=0
+
+ while IFS=',' read -r group title username password rest; do
+ group="${group//\"/}"
+ title="${title//\"/}"
+ password="${password//\"/}"
+
+ [[ "$group" != "$kdbx_group" && "$group" != "$kdbx_group/"* ]] && continue
+
+ local var_name="$title"
+ if ! printf '%s' "$var_name" | grep -Eq '^[A-Z_][A-Z0-9_]*$'; then
+ echo "Nom invalide ignoré : $var_name" >&2
+ continue
+ fi
+
+ [ -z "$password" ] && { echo "Valeur vide ignorée : $var_name" >&2; continue; }
+
+ rendered_lines+="$var_name=$password"$'\n'
+ loaded=$((loaded + 1))
+
+ done <<< "$csv"
+
+ if [ "$loaded" -eq 0 ]; then
+ echo "Aucun secret trouvé pour le projet '$project_name' (groupe : $kdbx_group)." >&2
+ return 1
+ fi
+
+ printf '%s' "$rendered_lines" > "$target_file"
+ chmod 600 "$target_file"
+
+ echo "Secrets écrits dans : $target_file"
+ echo "Secrets chargés : $loaded"
+}
+
+_sync_project_secrets
+unset -f _sync_project_secrets
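Review bot: The `.env` is written under the default umask (or an existing file's current mode) and only restricted afterwards, so between `printf '%s' "$rendered_lines" > "$target_file"` and `chmod 600 "$target_file"` the freshly written secrets can be readable by other local users; create the file with the right mode before filling it, `install -m 600 /dev/null "$target_file" && printf '%s' "$rendered_lines" > "$target_file"`. The CSV loop splits on every comma and strips every double quote, so a password containing `,` or `"` (which CSV export escapes as `""`) is silently truncated or altered before it lands in the file — such rows should at least be detected (e.g. `rest` non-empty) and reported rather than written. The prompt disables echo with `stty -echo` and nothing restores it if the user interrupts `read`; `IFS= read -rs KDBX_PASSWORD` lets bash restore the terminal itself. Since the script is sourced, `KDBX_PASSWORD` is assigned as a global and survives in the interactive session after the function is unset; if that reuse across sync-service/sync-project is not intended, unset it on return. Depending on the bash version, `<<< "$csv"` may be spooled through a temporary file, which would put the whole vault export — not only this project's group — on disk in cleartext; piping the expect output straight into the loop (`done < <(...)`) avoids holding and spooling it.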