mirror of
https://github.com/MaksTinyWorkshop/_Assistant_Lead_Tech
synced 2026-04-06 13:31:43 +02:00
94 lines
2.4 KiB
Bash
Executable File
94 lines
2.4 KiB
Bash
Executable File
#!/usr/bin/env bash
|
|
|
|
_load_global_secrets() {
|
|
source "$LEADTECH/scripts/env_paths.sh" || { echo "env_paths.sh introuvable" >&2; return 1; }
|
|
|
|
if [ ! -f "$SECRETS_KDBX" ]; then
|
|
echo "Coffre introuvable : $SECRETS_KDBX" >&2
|
|
return 1
|
|
fi
|
|
|
|
if ! command -v keepassxc-cli >/dev/null 2>&1; then
|
|
echo "keepassxc-cli introuvable" >&2
|
|
return 1
|
|
fi
|
|
|
|
if ! command -v expect >/dev/null 2>&1; then
|
|
echo "expect introuvable" >&2
|
|
return 1
|
|
fi
|
|
|
|
if [ -z "${KDBX_PASSWORD:-}" ]; then
|
|
printf "Mot de passe KeePassXC : " >&2
|
|
stty -echo
|
|
IFS= read -r KDBX_PASSWORD
|
|
stty echo
|
|
printf '\n' >&2
|
|
fi
|
|
|
|
echo "Chargement des secrets globaux..." >&2
|
|
|
|
# Export CSV complet — log_file capture tout dès le début du spawn
|
|
local tmpfile
|
|
tmpfile=$(mktemp)
|
|
KDBX_PASSWORD="$KDBX_PASSWORD" SECRETS_KDBX="$SECRETS_KDBX" TMPFILE="$tmpfile" expect <<'EOF'
|
|
log_user 0
|
|
log_file -noappend $env(TMPFILE)
|
|
set timeout 30
|
|
spawn keepassxc-cli export --format csv $env(SECRETS_KDBX)
|
|
expect "Saisir le mot de passe pour déverrouiller*"
|
|
send -- "$env(KDBX_PASSWORD)\r"
|
|
expect eof
|
|
catch wait result
|
|
exit [lindex $result 3]
|
|
EOF
|
|
local rc=$?
|
|
local csv
|
|
csv=$(cat "$tmpfile")
|
|
rm -f "$tmpfile"
|
|
[ $rc -ne 0 ] && { echo "Impossible d'exporter le coffre." >&2; return 1; }
|
|
|
|
# Parser le CSV avec python3 — gère les champs multilignes et les virgules dans les valeurs
|
|
# On cherche la ligne d'en-tête CSV pour ignorer le bruit du buffer expect
|
|
local pairs
|
|
pairs=$(printf '%s' "$csv" | python3 -c "
|
|
import sys, csv, re, io
|
|
|
|
raw = sys.stdin.read()
|
|
# Trouver la ligne d'en-tête CSV
|
|
start = raw.find('\"Group\"')
|
|
if start == -1:
|
|
sys.exit(0)
|
|
clean = raw[start:]
|
|
reader = csv.DictReader(io.StringIO(clean))
|
|
for row in reader:
|
|
group = row.get('Group', '')
|
|
title = row.get('Title', '')
|
|
password = row.get('Password', '')
|
|
if group != 'Racine/global' and not group.startswith('Racine/global/'):
|
|
continue
|
|
if not re.match(r'^[A-Z_][A-Z0-9_]*\$', title):
|
|
continue
|
|
if not password:
|
|
continue
|
|
print(title + '=' + password)
|
|
")
|
|
|
|
if [ -z "$pairs" ]; then
|
|
echo "Aucun secret global chargé." >&2
|
|
return 1
|
|
fi
|
|
|
|
local loaded=0
|
|
while IFS='=' read -r var_name value; do
|
|
[ -z "$var_name" ] && continue
|
|
export "$var_name=$value"
|
|
loaded=$((loaded + 1))
|
|
done <<< "$pairs"
|
|
|
|
echo "Secrets chargés : $loaded"
|
|
}
|
|
|
|
_load_global_secrets
|
|
unset -f _load_global_secrets
|