maxime.fleury/_Assistant_Lead_Tech
1
0
Fork 0
mirror of https://github.com/MaksTinyWorkshop/_Assistant_Lead_Tech synced 2026-04-06 21:41:42 +02:00
Code Issues Packages Projects Releases Wiki Activity
Files
ba772da50c855bce1e255e00f3abd7c31f3c6abe
_Assistant_Lead_Tech/scripts/load-global-secrets.sh

92 lines
2.3 KiB
Bash
Executable File
Raw Blame History

#!/usr/bin/env bash
_load_global_secrets() {
source "$LEADTECH/scripts/env_paths.sh" || { echo "env_paths.sh introuvable" >&2; return 1; }
if [ ! -f "$SECRETS_KDBX" ]; then
echo "Coffre introuvable : $SECRETS_KDBX" >&2
return 1
fi
if ! command -v keepassxc-cli >/dev/null 2>&1; then
echo "keepassxc-cli introuvable" >&2
return 1
fi
if ! command -v expect >/dev/null 2>&1; then
echo "expect introuvable" >&2
return 1
fi
if [ -z "${KDBX_PASSWORD:-}" ]; then
printf "Mot de passe KeePassXC : " >&2
stty -echo
IFS= read -r KDBX_PASSWORD
stty echo
printf '\n' >&2
fi
echo "Chargement des secrets globaux..." >&2
# Export CSV complet — une seule ouverture du coffre
local csv
csv=$(KDBX_PASSWORD="$KDBX_PASSWORD" SECRETS_KDBX="$SECRETS_KDBX" expect <<'EOF'
log_user 0
set timeout 30
spawn keepassxc-cli export --format csv $env(SECRETS_KDBX)
expect "Saisir le mot de passe pour déverrouiller*"
send -- "$env(KDBX_PASSWORD)\r"
expect eof
catch wait result
puts -nonewline $expect_out(buffer)
exit [lindex $result 3]
EOF
) || {
echo "Impossible d'exporter le coffre." >&2
return 1
}
# Parser le CSV avec python3 — gère les champs multilignes et les virgules dans les valeurs
# On cherche la ligne d'en-tête CSV pour ignorer le bruit du buffer expect
local pairs
pairs=$(printf '%s' "$csv" | python3 -c "
import sys, csv, re, io
raw = sys.stdin.read()
# Trouver la ligne d'en-tête CSV
start = raw.find('\"Group\"')
if start == -1:
sys.exit(0)
clean = raw[start:]
reader = csv.DictReader(io.StringIO(clean))
for row in reader:
group = row.get('Group', '')
title = row.get('Title', '')
password = row.get('Password', '')
if group != 'Racine/global' and not group.startswith('Racine/global/'):
continue
if not re.match(r'^[A-Z_][A-Z0-9_]*\$', title):
continue
if not password:
continue
print(title + '=' + password)
")
if [ -z "$pairs" ]; then
echo "Aucun secret global chargé." >&2
return 1
fi
local loaded=0
while IFS='=' read -r var_name value; do
[ -z "$var_name" ] && continue
export "$var_name=$value"
loaded=$((loaded + 1))
done <<< "$pairs"
echo "Secrets chargés : $loaded"
}
_load_global_secrets
unset -f _load_global_secrets
Reference in New Issue View Git Blame Copy Permalink