fix(scripts): corriger les chemins de groupes KeePass (supprimer préfixe Racine/)

2026-04-06 13:31:43 +02:00 · 2026-03-26 17:31:00 +01:00
parent 67d1ba5c7c
commit 8079bb50df
3 changed files with 19 additions and 38 deletions
--- a/scripts/load-global-secrets.sh
+++ b/scripts/load-global-secrets.sh
@@ -53,7 +53,7 @@ EOF
    title="${title//\"/}"
    password="${password//\"/}"
-    [[ "$group" != "Racine/global" && "$group" != "Racine/global/"* ]] && continue
+    [[ "$group" != "global" && "$group" != "global/"* ]] && continue
    local var_name="$title"
    if ! printf '%s' "$var_name" | grep -Eq '^[A-Z_][A-Z0-9_]*$'; then
--- a/scripts/sync-project-secrets.sh
+++ b/scripts/sync-project-secrets.sh
@@ -21,11 +21,11 @@ _sync_project_secrets() {
  # Nom du projet = nom du dossier courant
  local project_name
  project_name="$(basename "$PWD")"
-  local kdbx_group="Racine/projects/$project_name"
+  local entry_path="projects/$project_name"
  local target_file="$PWD/.env"
  echo "Projet détecté : $project_name" >&2
-  echo "Groupe KeePass : $kdbx_group" >&2
+  echo "Entrée KeePass : $entry_path" >&2
  if [ -z "${KDBX_PASSWORD:-}" ]; then
    printf "Mot de passe KeePassXC : " >&2
@@ -35,14 +35,14 @@ _sync_project_secrets() {
    printf '\n' >&2
  fi
-  echo "Sync des secrets projet..." >&2
+  echo "Récupération des secrets projet..." >&2
-  # Export CSV complet — une seule ouverture du coffre
+  # Lire le champ Notes de l'entrée — une seule ouverture du coffre
-  local csv
+  local notes
-  csv=$(KDBX_PASSWORD="$KDBX_PASSWORD" SECRETS_KDBX="$SECRETS_KDBX" expect <<'EOF'
+  notes=$(KDBX_PASSWORD="$KDBX_PASSWORD" SECRETS_KDBX="$SECRETS_KDBX" ENTRY_PATH="$entry_path" expect <<'EOF'
    log_user 0
-    set timeout 30
+    set timeout 15
-    spawn keepassxc-cli export --format csv $env(SECRETS_KDBX)
+    spawn keepassxc-cli show -a notes $env(SECRETS_KDBX) $env(ENTRY_PATH)
    expect "Saisir le mot de passe pour déverrouiller*"
    send -- "$env(KDBX_PASSWORD)\r"
    expect eof
@@ -51,43 +51,24 @@ _sync_project_secrets() {
    exit [lindex $result 3]
 EOF
  ) || {
-    echo "Impossible d'exporter le coffre." >&2
+    echo "Impossible de lire l'entrée '$entry_path'." >&2
    return 1
  }
-  local rendered_lines=""
+  if [ -z "$notes" ]; then
-  local loaded=0
+    echo "Le champ Notes est vide pour '$project_name'." >&2
  while IFS=',' read -r group title username password rest; do
    group="${group//\"/}"
    title="${title//\"/}"
    password="${password//\"/}"
    [[ "$group" != "$kdbx_group" && "$group" != "$kdbx_group/"* ]] && continue
    local var_name="$title"
    if ! printf '%s' "$var_name" | grep -Eq '^[A-Z_][A-Z0-9_]*$'; then
      echo "Nom invalide ignoré : $var_name" >&2
      continue
    fi
    [ -z "$password" ] && { echo "Valeur vide ignorée : $var_name" >&2; continue; }
    rendered_lines+="$var_name=$password"$'\n'
    loaded=$((loaded + 1))
  done <<< "$csv"
  if [ "$loaded" -eq 0 ]; then
    echo "Aucun secret trouvé pour le projet '$project_name' (groupe : $kdbx_group)." >&2
    return 1
  fi
-  printf '%s' "$rendered_lines" > "$target_file"
+  # Écrire le .env
  printf '%s\n' "$notes" > "$target_file"
  chmod 600 "$target_file"
  local loaded
  loaded=$(grep -c '.' "$target_file" || true)
  echo "Secrets écrits dans : $target_file"
-  echo "Secrets chargés : $loaded"
+  echo "Lignes écrites : $loaded"
 }
 _sync_project_secrets
--- a/scripts/sync-service-secrets.sh
+++ b/scripts/sync-service-secrets.sh
@@ -70,7 +70,7 @@ EOF
    password="${password//\"/}"
    # Filtrer le groupe services
-    [[ "$group" != "Racine/services" && "$group" != "Racine/services/"* ]] && continue
+    [[ "$group" != "services" && "$group" != "services/"* ]] && continue
    # Le nom de variable = titre de l'entrée
    local var_name="$title"