#!/usr/bin/env bash _load_global_secrets() { source "$LEADTECH/scripts/env_paths.sh" || { echo "env_paths.sh introuvable" >&2; return 1; } if [ ! -f "$SECRETS_KDBX" ]; then echo "Coffre introuvable : $SECRETS_KDBX" >&2 return 1 fi if ! command -v keepassxc-cli >/dev/null 2>&1; then echo "keepassxc-cli introuvable" >&2 return 1 fi if ! command -v expect >/dev/null 2>&1; then echo "expect introuvable" >&2 return 1 fi if [ -z "${KDBX_PASSWORD:-}" ]; then printf "Mot de passe KeePassXC : " >&2 stty -echo IFS= read -r KDBX_PASSWORD stty echo printf '\n' >&2 fi echo "Chargement des secrets globaux..." >&2 # Export CSV complet — une seule ouverture du coffre local csv csv=$(KDBX_PASSWORD="$KDBX_PASSWORD" SECRETS_KDBX="$SECRETS_KDBX" expect <<'EOF' log_user 0 set timeout 30 spawn keepassxc-cli export --format csv $env(SECRETS_KDBX) expect "Saisir le mot de passe pour déverrouiller*" send -- "$env(KDBX_PASSWORD)\r" expect eof catch wait result puts -nonewline $expect_out(buffer) exit [lindex $result 3] EOF ) || { echo "Impossible d'exporter le coffre." >&2 return 1 } # Parser le CSV avec python3 — gère les champs multilignes et les virgules dans les valeurs local pairs pairs=$(python3 - <<'PYEOF' <<< "$csv" import sys, csv, re reader = csv.DictReader(sys.stdin) for row in reader: group = row.get("Group", "") title = row.get("Title", "") password = row.get("Password", "") if group != "Racine/global" and not group.startswith("Racine/global/"): continue if not re.match(r'^[A-Z_][A-Z0-9_]*$', title): continue if not password: continue print(f"{title}={password}") PYEOF ) if [ -z "$pairs" ]; then echo "Aucun secret global chargé." >&2 return 1 fi local loaded=0 while IFS='=' read -r var_name value; do [ -z "$var_name" ] && continue export "$var_name=$value" loaded=$((loaded + 1)) done <<< "$pairs" echo "Secrets chargés : $loaded" } _load_global_secrets unset -f _load_global_secrets