#!/bin/bash
# _____ _____ _
#/ ___| | ___| | |
#\ `--. _ _ _ __ ___ _ __| |____ ___ __ ___ _ __| |_
# `--. \ | | | '_ \ / _ \ '__| __\ \/ / '_ \ / _ \| '__| __|
#/\__/ / |_| | |_) | __/ | | |___> <| |_) | (_) | | | |_
#\____/ \__,_| .__/ \___|_| \____/_/\_\ .__/ \___/|_| \__|
# | | | |
# |_| |_|
# Strict mode: abort on errors, on unset variables and on failed pipeline stages.
set -euo pipefail
# Split words only on newline and tab, never on spaces.
IFS=$'\n\t'
# feel free to change this
superexportfolder="${HOME}/.superexport"
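#######################
# check the variables #
#######################
# superexporter EXPORTED_USERNME username company/project/
#######################################
# Print the shared usage text to stderr, so it never ends up in a file or
# pipeline that captures this script's stdout.
#######################################
usage() {
  echo "try: superexport MY_KEY name-in-vault companyname/teamname/folder-with-secret a-prefix" >&2
  echo " " >&2
  echo "MY_KEY - the variable under which you want to make it available" >&2
  echo "name-in-vault - should be something like username or password ..." >&2
  echo "companyname/teamname/folder-with-secret - under which you find the secrets" >&2
  echo "a-prefix - there are maybe many usernames later - so you can give it a specific prefix, so there is no confusion" >&2
}
#######################################
# Print an error line and the usage text to stderr, then exit 1.
# Arguments: $1 - the error message
#######################################
die_usage() {
  printf '%s\n' "$1" >&2
  echo " " >&2
  usage
  exit 1
}
if (( $# < 4 )); then
  echo " " >&2
  die_usage "error - all four parameters needed"
fi
[[ -n $1 ]] || die_usage "1st parameter can't be empty - it's the name how it should be exported (how it's used in your project), mostly written in BIG LETTERS"
[[ -n $2 ]] || die_usage "2nd parameter can't be empty - it's name under what it is saved in vault"
[[ -n $3 ]] || die_usage "3rd parameter can't be empty - it's the navigation in vault to the secret"
[[ -n $4 ]] || die_usage "4th parameter can't be empty - this is the prefix for the secret name in you secret tools - because username can be only used ones"
# $1 is spliced into .exported.sh and .secretreader.sh as a shell variable
# name, and those files are executed later by bash. Accept only a valid
# identifier so the generated "export $1=..." line cannot carry other code.
[[ $1 =~ ^[A-Za-z_][A-Za-z0-9_]*$ ]] || die_usage "1st parameter must be a valid shell variable name: letters, digits and underscore, not starting with a digit"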
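######################################################
# check if superexportfolder exist, if not create it #
# ####################################################
# -p makes this idempotent; -m 700 keeps the generated scripts (they name
# vault paths and secret-store items) private to the current user. A folder
# that already exists keeps its current mode. Fails, as before, if the path
# exists but is not a directory.
mkdir -p -m 700 -- "$superexportfolder"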
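#######################################################
# set the secretname to lowercase and put a prefix on #
#######################################################
# Secret-store item name: "<prefix>-<lowercased MY_KEY>". tr is used instead
# of ${1,,} so the script still runs on the bash 3.2 that ships with macOS;
# printf instead of echo so a value like "-n" is not eaten by echo.
secretname=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
secretname="$4-$secretname"
###########################################################
# get variables out of vault and export it to the secrets #
###########################################################
# First line of the generated .exported.sh: fetch the field from vault when
# that file runs. Field and path are quoted in the generated code so values
# with spaces survive. The literal "\n" is the line separator of $export;
# write_exported_sh_file expands it with echo -e.
export="export $1=\$(vault kv get -field=\"$2\" \"$3\")"
export+="\n"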
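#######################################
# Fetch the value from vault and store it in the macOS keychain as a
# generic-password item for the current user.
# Globals:   secretname (read, used when $1 is empty), USER (read)
# Arguments: $1 - keychain item name (the caller passes $secretname)
#            $2 - vault field name
#            $3 - vault path
# Returns:   non-zero if vault or security fails
#######################################
mac_write_secret_into_foo(){
  local item=${1:-$secretname}
  local field=$2
  local path=$3
  local vault_value
  # Same delete-then-add sequence as before: an existing item with this name
  # is removed, both lookups silenced.
  if security find-generic-password -a "$USER" -s "$item" -w >/dev/null 2>&1; then
    security delete-generic-password -a "$USER" -s "$item" >/dev/null 2>&1
  fi
  # Declaration and assignment are split so a vault failure is not masked.
  vault_value=$(vault kv get -field="$field" "$path") || return 1
  # NOTE(review): -w passes the secret as a command-line argument, which other
  # local processes can observe while security runs; confirm this is acceptable.
  security add-generic-password -a "$USER" -s "$item" -w "$vault_value"
}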
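#######################################
# Append to $export the line that stores the exported value via secret-tool
# when .exported.sh runs.
# Globals:   export (appended), secretname (read, used when $2 is empty)
# Arguments: $1 - name of the exported variable (MY_KEY)
#            $2 - secret-tool item name (the caller passes $secretname)
#######################################
linux_write_secret_into_foo(){
  local key=$1
  local item=${2:-$secretname}
  # Every expansion in the generated line is quoted so the secret value and
  # $USER are not word-split or glob-expanded when .exported.sh runs. The line
  # must not contain "\n": write_exported_sh_file expands that with echo -e.
  export+="echo \"\$$key\" | secret-tool store --label=\"\$USER $item\" \"\$USER\" \"$item\""
}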
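# Push the fetched secret into the OS secret store. On Darwin the keychain is
# written immediately; on Linux only the secret-tool line is appended to
# $export and runs later, when write_exported_sh_file executes .exported.sh.
# Any other OS used to fall through silently; now it says so on stderr.
case "$(uname)" in
  Darwin) mac_write_secret_into_foo "$secretname" "$2" "$3" ;;
  Linux) linux_write_secret_into_foo "$1" "$secretname" ;;
  *) printf '%s\n' "warning - unsupported OS, secret not written to a local secret store" >&2 ;;
esac
# Line separator of $export (expanded by echo -e in write_exported_sh_file).
export+="\n"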
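#######################################
# Create $superexportfolder/.exported.sh with its strict-mode header if it
# does not exist yet; an existing file is left untouched.
# Globals:   superexportfolder (read)
#######################################
create_exported_sh_file(){
  local target="$superexportfolder"/.exported.sh
  if [[ -f "$target" ]]; then
    return 0
  fi
  # Quoted heredoc: nothing is expanded, so IFS=$'\n\t' is written literally.
  # The two trailing empty lines reproduce the blank lines written before.
  cat >"$target" <<'EOF'
#!/bin/bash
set -euo pipefail
IFS=$'\n\t'


EOF
  chmod +x "$target"
}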
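#######################################
# Append the accumulated $export lines to .exported.sh, print the file and
# execute it. echo -e is kept on purpose: $export uses a literal "\n" as its
# line separator.
# Globals:   export (read), superexportfolder (read)
# Outputs:   the file content, then whatever the executed script prints
#######################################
write_exported_sh_file(){
  local target="$superexportfolder"/.exported.sh
  # Quoted: the generated line must not be word-split or glob-expanded here.
  echo -e "$export" >> "$target"
  cat "$target"
  bash "$target"
}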
# Make sure .exported.sh exists, then append this run's lines to it and run it.
create_exported_sh_file
write_exported_sh_file
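#######################################
# Create $superexportfolder/.secretreader.sh with a bash shebang if it does
# not exist yet; an existing file is left untouched.
# Globals:   superexportfolder (read)
#######################################
create_secretreader_sh_file(){
  local target="$superexportfolder"/.secretreader.sh
  if [[ ! -f "$target" ]]; then
    printf '%s\n' '#!/bin/bash' >"$target"
    chmod +x "$target"
  fi
}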
secretreader=""
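#######################################
# Set $secretreader to the line that re-exports the value from the macOS
# keychain. $USER is expanded now (as before), the item name is quoted.
# Globals:   secretreader (written), secretname (read, used when $2 is empty),
#            USER (read)
# Arguments: $1 - name of the exported variable (MY_KEY)
#            $2 - keychain item name (the caller passes $secretname)
#            $3, $4 - unused, accepted for compatibility with the caller
#######################################
mac_reading_passwords_out_of_secrets(){
  local key=$1
  local item=${2:-$secretname}
  secretreader="export $key=\$(security find-generic-password -a \"$USER\" -s \"$item\" -w)"
}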
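#######################################
# Set $secretreader to the line that re-exports the value via secret-tool.
# $USER is left for run time (as before); both arguments are quoted in the
# generated line.
# Globals:   secretreader (written), secretname (read, used when $2 is empty)
# Arguments: $1 - name of the exported variable (MY_KEY)
#            $2 - secret-tool item name (the caller passes $secretname)
#######################################
linux_reading_passwords_out_of_secrets(){
  local key=$1
  local item=${2:-$secretname}
  secretreader="export $key=\$(secret-tool lookup \"\$USER\" \"$item\")"
}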
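create_secretreader_sh_file
####################################
# reading passwords out of secrets #
####################################
# Build the one-line reader for this OS. An unsupported OS used to fall
# through silently and write an empty line; now it warns and writes nothing.
case "$(uname)" in
  Darwin) mac_reading_passwords_out_of_secrets "$1" "$secretname" "$2" "$3" ;;
  Linux) linux_reading_passwords_out_of_secrets "$1" "$secretname" ;;
  *) printf '%s\n' "warning - unsupported OS, no secret reader line generated" >&2 ;;
esac
####################################
# write secretreader
####################################
# printf instead of echo -e: the reader line has no "\n" separators, and a
# backslash inside the key or prefix must be written literally, not expanded.
if [[ -n "$secretreader" ]]; then
  printf '%s\n' "$secretreader" >> "$superexportfolder"/.secretreader.sh
fi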