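#!/usr/bin/env bash
# Load the "global" secrets of a KeePassXC vault into the current shell as
# exported environment variables.
#
# This file is meant to be *sourced*, not executed: the function only ever
# `return`s (never `exit`s) and its exports land in the caller's environment.
# For the same reason no `set -e`/`set -u` is enabled here — it would change
# the options of the sourcing shell.
#
# Requires: LEADTECH (root of the tree holding scripts/env_paths.sh, which must
#           define SECRETS_KDBX), keepassxc-cli, expect, python3.
# Reads:    KDBX_PASSWORD when already set, otherwise prompts on the terminal.
# Exports:  every vault entry whose Group is "Racine/global" (or a subgroup)
#           and whose Title is an UPPER_SNAKE_CASE identifier, as Title=Password.

#######################################
# Open the vault once, export it as CSV and turn the matching entries into
# exported variables.
# Globals:   LEADTECH, SECRETS_KDBX (read); KDBX_PASSWORD (read, set if prompted)
# Arguments: none
# Outputs:   diagnostics on stderr; the final count on stdout.
#            Secret values are never printed.
# Returns:   0 when at least one secret was loaded, 1 on any failure
#######################################
_load_global_secrets() {
  if [ -z "${LEADTECH:-}" ]; then
    echo "LEADTECH non défini" >&2
    return 1
  fi
  source "$LEADTECH/scripts/env_paths.sh" || {
    echo "env_paths.sh introuvable" >&2
    return 1
  }
  if [ ! -f "${SECRETS_KDBX:-}" ]; then
    echo "Coffre introuvable : ${SECRETS_KDBX:-}" >&2
    return 1
  fi

  # python3 is needed for the CSV parsing below, so check it with the others.
  local tool
  for tool in keepassxc-cli expect python3; do
    if ! command -v "$tool" >/dev/null 2>&1; then
      echo "$tool introuvable" >&2
      return 1
    fi
  done

  if [ -z "${KDBX_PASSWORD:-}" ]; then
    # `read -s` keeps the typed password off the terminal without touching
    # stty, so echo can never be left disabled if the read is interrupted.
    # The variable stays a plain (non-exported) shell variable; the caller may
    # `unset KDBX_PASSWORD` once done.
    printf "Mot de passe KeePassXC : " >&2
    if ! IFS= read -rs KDBX_PASSWORD; then
      printf '\n' >&2
      echo "Aucun mot de passe saisi" >&2
      return 1
    fi
    printf '\n' >&2
  fi

  echo "Chargement des secrets globaux..." >&2

  # Full CSV export — the vault is opened exactly once.  The password reaches
  # expect through the environment rather than argv so it is not visible in
  # `ps`.  match_max is raised because expect's default 2000-byte buffer keeps
  # only the tail of a larger export in expect_out(buffer), silently
  # truncating the CSV.  The prompt pattern is locale dependent; on a timeout
  # expect falls through and still sends the password.
  local csv
  csv=$(KDBX_PASSWORD="$KDBX_PASSWORD" SECRETS_KDBX="$SECRETS_KDBX" expect <<'EOF'
log_user 0
set timeout 30
match_max -d 10000000
spawn keepassxc-cli export --format csv $env(SECRETS_KDBX)
expect "Saisir le mot de passe pour déverrouiller*"
send -- "$env(KDBX_PASSWORD)\r"
expect eof
catch wait result
puts -nonewline $expect_out(buffer)
exit [lindex $result 3]
EOF
  ) || {
    echo "Impossible d'exporter le coffre." >&2
    return 1
  }

  # Parse the CSV with python3 — handles multi-line fields and commas inside
  # values.  Matching entries are emitted NUL-delimited as TITLE=password so a
  # password containing a newline survives the round trip; Title is validated
  # against an identifier pattern, which is what makes `export "$name=..."`
  # safe.  No intermediate shell variable holds the whole output, because
  # command substitution drops NUL bytes.
  local loaded=0 pair var_name value
  while IFS= read -r -d '' pair; do
    var_name=${pair%%=*}
    value=${pair#*=}
    [ -z "$var_name" ] && continue
    export "$var_name=$value"
    loaded=$((loaded + 1))
  done < <(printf '%s' "$csv" | python3 -c '
import csv, io, re, sys
# A leading blank line (pty leftover) would otherwise become an empty header.
reader = csv.DictReader(io.StringIO(sys.stdin.read().lstrip("\r\n")))
for row in reader:
    # `or ""`: DictReader fills short rows with None, not "".
    group = row.get("Group") or ""
    title = row.get("Title") or ""
    password = row.get("Password") or ""
    if group != "Racine/global" and not group.startswith("Racine/global/"):
        continue
    if not re.fullmatch(r"[A-Z_][A-Z0-9_]*", title):
        continue
    if not password:
        continue
    sys.stdout.write(title + "=" + password + "\0")
')

  if [ "$loaded" -eq 0 ]; then
    echo "Aucun secret global chargé." >&2
    return 1
  fi
  echo "Secrets chargés : $loaded"
}

_load_global_secrets
unset -f _load_global_secrets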