mirror of
https://github.com/MaksTinyWorkshop/_Assistant_Lead_Tech
synced 2026-04-06 13:31:43 +02:00
95 lines
2.4 KiB
Bash
Executable File
95 lines
2.4 KiB
Bash
Executable File
#!/usr/bin/env bash
|
|
|
|
_sync_project_secrets() {
|
|
source "$LEADTECH/scripts/env_paths.sh" || { echo "env_paths.sh introuvable" >&2; return 1; }
|
|
|
|
if [ ! -f "$SECRETS_KDBX" ]; then
|
|
echo "Coffre introuvable : $SECRETS_KDBX" >&2
|
|
return 1
|
|
fi
|
|
|
|
if ! command -v keepassxc-cli >/dev/null 2>&1; then
|
|
echo "keepassxc-cli introuvable" >&2
|
|
return 1
|
|
fi
|
|
|
|
if ! command -v expect >/dev/null 2>&1; then
|
|
echo "expect introuvable" >&2
|
|
return 1
|
|
fi
|
|
|
|
# Nom du projet = nom du dossier courant
|
|
local project_name
|
|
project_name="$(basename "$PWD")"
|
|
local kdbx_group="Racine/projects/$project_name"
|
|
local target_file="$PWD/.env"
|
|
|
|
echo "Projet détecté : $project_name" >&2
|
|
echo "Groupe KeePass : $kdbx_group" >&2
|
|
|
|
if [ -z "${KDBX_PASSWORD:-}" ]; then
|
|
printf "Mot de passe KeePassXC : " >&2
|
|
stty -echo
|
|
IFS= read -r KDBX_PASSWORD
|
|
stty echo
|
|
printf '\n' >&2
|
|
fi
|
|
|
|
echo "Sync des secrets projet..." >&2
|
|
|
|
# Export CSV complet — une seule ouverture du coffre
|
|
local csv
|
|
csv=$(KDBX_PASSWORD="$KDBX_PASSWORD" SECRETS_KDBX="$SECRETS_KDBX" expect <<'EOF'
|
|
log_user 0
|
|
set timeout 30
|
|
spawn keepassxc-cli export --format csv $env(SECRETS_KDBX)
|
|
expect "Saisir le mot de passe pour déverrouiller*"
|
|
send -- "$env(KDBX_PASSWORD)\r"
|
|
expect eof
|
|
catch wait result
|
|
puts -nonewline $expect_out(buffer)
|
|
exit [lindex $result 3]
|
|
EOF
|
|
) || {
|
|
echo "Impossible d'exporter le coffre." >&2
|
|
return 1
|
|
}
|
|
|
|
local rendered_lines=""
|
|
local loaded=0
|
|
|
|
while IFS=',' read -r group title username password rest; do
|
|
group="${group//\"/}"
|
|
title="${title//\"/}"
|
|
password="${password//\"/}"
|
|
|
|
[[ "$group" != "$kdbx_group" && "$group" != "$kdbx_group/"* ]] && continue
|
|
|
|
local var_name="$title"
|
|
if ! printf '%s' "$var_name" | grep -Eq '^[A-Z_][A-Z0-9_]*$'; then
|
|
echo "Nom invalide ignoré : $var_name" >&2
|
|
continue
|
|
fi
|
|
|
|
[ -z "$password" ] && { echo "Valeur vide ignorée : $var_name" >&2; continue; }
|
|
|
|
rendered_lines+="$var_name=$password"$'\n'
|
|
loaded=$((loaded + 1))
|
|
|
|
done <<< "$csv"
|
|
|
|
if [ "$loaded" -eq 0 ]; then
|
|
echo "Aucun secret trouvé pour le projet '$project_name' (groupe : $kdbx_group)." >&2
|
|
return 1
|
|
fi
|
|
|
|
printf '%s' "$rendered_lines" > "$target_file"
|
|
chmod 600 "$target_file"
|
|
|
|
echo "Secrets écrits dans : $target_file"
|
|
echo "Secrets chargés : $loaded"
|
|
}
|
|
|
|
_sync_project_secrets
|
|
unset -f _sync_project_secrets
|