From e2c2f77459ce444f50fbfd17e52cafd441fb1f19 Mon Sep 17 00:00:00 2001
From: LeeW
Date: Thu, 13 Feb 2025 16:40:52 +0100
Subject: [PATCH] refactor - consolidate into main function
---
 bin/update_sops.sh | 187 +++++++++++++++++++++++----------------------
 1 file changed, 95 insertions(+), 92 deletions(-)
diff --git a/bin/update_sops.sh b/bin/update_sops.sh
index 57f016c..a596a7e 100755
--- a/bin/update_sops.sh
+++ b/bin/update_sops.sh
@@ -113,99 +113,102 @@ fn_sops_updatekeys_and_verify(){ GPG_TTY=$(tty) sops -d "${sops_enc_file}" } -# "anchor" for actions relevant to this script -repo_root="$(realpath $(dirname "${BASH_SOURCE[0]}")/..)" -# OPTIONS: ARGPARSING and VALIDATION -# assume location of script as running directly from repo with keys (instead of as a standalone packaged tool) -keyfiles_dir="${repo_root}" -# assume location of secrets config file in pwd -sops_config_dir="${PWD}" -# path to role definitions -roles_def_dir="${repo_root}/roles" -# optional: -opt_list_roles=0 -# optional: specify "roles" -roles_list=() -# optional: secrets files to be updated -secrets_file_list=() - -while (( $# >= 1 ));do - cur="${1}"; - case $cur in - # ARGS: print this help - -h|--help) echo "# ARGUMENTS:"; grep -A 1 '# ARGS:' "${BASH_SOURCE[0]}"; exit 0 ;; - # ARGS: dir containing gpg keyfiles - -k|--key|--keyfiles) keyfiles_dir="${2}"; shift ;; - # ARGS: dir containing .sops.yaml (sops config file) - -c|--config_dir) sops_config_dir="${2}"; shift ;; - # ARGS: [optional] show list of roles and exit - -lr|--list_roles) opt_list_roles=1 ;; - # ARGS: [optional] [list] specify "roles" which correspond to e.g. job roles, projects, etc - -r|--role) roles_list+=( "${2}" ); shift ;; - # ARGS: [optional] [list] specify files containing sops-encrypted secrets - -s|--secrets_file|-f|--file) secrets_file_list+=( "${2}" ); shift ;; - # ARGS: [optional] [list] specify files containing sops-encrypted secrets - *) secrets_file_list+=( "${cur}" ) - esac - shift; -done - -# Resolve Parameters -# ... i.e. 
combine,override,etc options which interact -if [[ "${#roles_list[@]}" -eq 1 ]]; then - # simply change keyfiles_dir to the "roles" dir - keyfiles_dir="${roles_def_dir}/${roles_list[0]}" -elif [[ "${#roles_list[@]}" -gt 1 ]]; then - >&2 echo "# ERROR: only specify one role" - exit 1 -fi - -# VALIDATE INPUTS -keyfiles_dir="$(realpath "${keyfiles_dir}")" -test -d "${keyfiles_dir}" || (echo "E: specify dir containing keyfiles; invalid dir: '${keyfiles_dir}'" && exit 1) -sops_config_dir="$(realpath "${sops_config_dir}")" -test -d "${sops_config_dir}" || (echo "E: specify dir containing .sops.yaml, invalid dir: '${sops_config_dir}'" && exit 1) -sops_config="${sops_config_dir}/.sops.yaml" -# create it! # test -e "${sops_config}" || (echo "E: could not locate .sops.yaml, tried ${sops_config}" && exit 1) -if [[ "${#secrets_file_list[@]}" != "0" ]]; then - for secrets_file in "${secrets_file_list[@]}"; do - test -e "${secrets_file}" || (echo "E: could not locate file with secrets, tried: ${secrets_file}" && exit 1) +function main(){ + # "anchor" for actions relevant to this script + repo_root="$(realpath $(dirname "${BASH_SOURCE[0]}")/..)" + # OPTIONS: ARGPARSING and VALIDATION + # assume location of script as running directly from repo with keys (instead of as a standalone packaged tool) + keyfiles_dir="${repo_root}" + # assume location of secrets config file in pwd + sops_config_dir="${PWD}" + # path to role definitions + roles_def_dir="${repo_root}/roles" + # optional: + opt_list_roles=0 + # optional: specify "roles" + roles_list=() + # optional: secrets files to be updated + secrets_file_list=() + + while (( $# >= 1 ));do + cur="${1}"; + case $cur in + # ARGS: print this help + -h|--help) echo "# ARGUMENTS:"; grep -A 1 '# ARGS:' "${BASH_SOURCE[0]}"; exit 0 ;; + # ARGS: dir containing gpg keyfiles + -k|--key|--keyfiles) keyfiles_dir="${2}"; shift ;; + # ARGS: dir containing .sops.yaml (sops config file) + -c|--config_dir) sops_config_dir="${2}"; shift ;; + # ARGS: 
[optional] show list of roles and exit + -lr|--list_roles) opt_list_roles=1 ;; + # ARGS: [optional] [list] specify "roles" which correspond to e.g. job roles, projects, etc + -r|--role) roles_list+=( "${2}" ); shift ;; + # ARGS: [optional] [list] specify files containing sops-encrypted secrets + -s|--secrets_file|-f|--file) secrets_file_list+=( "${2}" ); shift ;; + # ARGS: [optional] [list] specify files containing sops-encrypted secrets + *) secrets_file_list+=( "${cur}" ) + esac + shift; done -fi -# /VALIDATE INPUTS -# /OPTIONS: ARGPARSING and VALIDATION - -# BEGIN -if [[ "${opt_list_roles}" -eq 1 ]]; then - # list available roles and exit - pushd "${roles_def_dir}" > /dev/null 2>&1 - >&2 echo "# INFO: listing roles" - ls -1d * - exit 0 + + # Resolve Parameters + # ... i.e. combine,override,etc options which interact + if [[ "${#roles_list[@]}" -eq 1 ]]; then + # simply change keyfiles_dir to the "roles" dir + keyfiles_dir="${roles_def_dir}/${roles_list[0]}" + elif [[ "${#roles_list[@]}" -gt 1 ]]; then + >&2 echo "# ERROR: only specify one role" + exit 1 + fi + + # VALIDATE INPUTS + keyfiles_dir="$(realpath "${keyfiles_dir}")" + test -d "${keyfiles_dir}" || (echo "E: specify dir containing keyfiles; invalid dir: '${keyfiles_dir}'" && exit 1) + sops_config_dir="$(realpath "${sops_config_dir}")" + test -d "${sops_config_dir}" || (echo "E: specify dir containing .sops.yaml, invalid dir: '${sops_config_dir}'" && exit 1) + sops_config="${sops_config_dir}/.sops.yaml" + # create it! 
# test -e "${sops_config}" || (echo "E: could not locate .sops.yaml, tried ${sops_config}" && exit 1) + if [[ "${#secrets_file_list[@]}" != "0" ]]; then + for secrets_file in "${secrets_file_list[@]}"; do + test -e "${secrets_file}" || (echo "E: could not locate file with secrets, tried: ${secrets_file}" && exit 1) + done + fi + # /VALIDATE INPUTS + # /OPTIONS: ARGPARSING and VALIDATION + + # BEGIN + if [[ "${opt_list_roles}" -eq 1 ]]; then + # list available roles and exit + pushd "${roles_def_dir}" > /dev/null 2>&1 + >&2 echo "# INFO: listing roles" + ls -1d * + exit 0 + popd > /dev/null 2>&1 + fi + + # UPDATE SOPS CONFIG + # locate sops config + if [[ ! -e "${sops_config}" ]]; then + # dev note: '2> /dev/null' to disable debug output + sops_config="$(fn_sops_locate_config_in_git_repo 2> /dev/null)" + fi + + # update sops config + # TODO: remove the 'pushd;popd' workaround and make the functions aware of the dir being read + pushd "${keyfiles_dir}" > /dev/null 2>&1 + (fn_sops_generate_config) > "${sops_config}" popd > /dev/null 2>&1 -fi - -# UPDATE SOPS CONFIG -# locate sops config -if [[ ! 
-e "${sops_config}" ]]; then - # dev note: '2> /dev/null' to disable debug output - sops_config="$(fn_sops_locate_config_in_git_repo 2> /dev/null)" -fi - -# update sops config -# TODO: remove the 'pushd;popd' workaround and make the functions aware of the dir being read -pushd "${keyfiles_dir}" > /dev/null 2>&1 -(fn_sops_generate_config) > "${sops_config}" -popd > /dev/null 2>&1 - -# VERIFY -if [[ "${#secrets_file_list[@]}" != "0" ]]; then - for secrets_file in "${secrets_file_list[@]}"; do - fn_sops_updatekeys_and_verify "${secrets_file}" - done - echo "# SUCESS: all users with keys in this dir should have functional keys" -else - echo "# WARN: no secrets file passed in, make sure to call 'sops updatekeys' on secrets files" -fi + # VERIFY + if [[ "${#secrets_file_list[@]}" != "0" ]]; then + for secrets_file in "${secrets_file_list[@]}"; do + fn_sops_updatekeys_and_verify "${secrets_file}" + done + echo "# SUCESS: all users with keys in this dir should have functional keys" + else + echo "# WARN: no secrets file passed in, make sure to call 'sops updatekeys' on secrets files" + fi +} + +main "${@}" exit
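Review bot: The three input guards moved into the new main() — `test -d "${keyfiles_dir}" || (echo "E: ..." && exit 1)`, the same form for `sops_config_dir`, and the `test -e "${secrets_file}"` loop — do not stop the script on failure: the `exit 1` runs inside a `( … )` subshell, so only that subshell exits and main() continues to `pushd "${keyfiles_dir}"` and `(fn_sops_generate_config) > "${sops_config}"`, which rewrites the sops config from a directory that failed validation. This holds unless the script enables `set -e` somewhere above this hunk (not visible here), in which case the failing subshell would still abort. The fix is a group in the current shell with the diagnostic on stderr, e.g. `test -d "${keyfiles_dir}" || { echo "E: specify dir containing keyfiles; invalid dir: '${keyfiles_dir}'" >&2; exit 1; }`, applied to all three guards. Since this code now lives in a function, the variables it assigns (`repo_root`, `keyfiles_dir`, `sops_config_dir`, `roles_def_dir`, `roles_list`, `secrets_file_list`, `sops_config`) could also be declared `local` so the refactor actually removes them from the global scope.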