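#!/usr/bin/env bash
# set_secrets_in_env.sh -- export the credentials the repo's tooling needs.
#
# This file is to be sourced only, and only by the Makefile. Once sourced it
# never calls `exit`: every failure path uses `return 1` so the caller's
# shell stays alive. The values are exported into the caller's environment
# and are therefore visible to every child process it starts.
#
# Accepted configurations, checked in this order:
#   --unset    clear GITHUB_PAT, CIS_CLIENT_ID, CIS_CLIENT_SECRET and
#              SECOPS_SOPS_PATH
#   --develop  export placeholder values for the three credentials
#   all three credentials already set in the environment and
#              SECOPS_SOPS_PATH empty: nothing to do (non-secops users)
#   SECOPS_SOPS_PATH names an existing directory, all three credentials are
#              empty, and $1 is a readable sops-encrypted file: decrypt the
#              three values with `sops -d --extract` and export them
# Any other combination is reported on stderr and returns 1.

if [[ "$0" == "${BASH_SOURCE[0]}" ]]; then
  # Executed rather than sourced: the exports would only reach this process.
  echo "${0##*/}: not sourced. Run: source $0 $(test $# -gt 0 && printf " %q" "$@")" 1>&2
  exit 1
fi

if [[ "${1:-}" == "--unset" ]]; then
  unset GITHUB_PAT CIS_CLIENT_ID CIS_CLIENT_SECRET SECOPS_SOPS_PATH
elif [[ "${1:-}" == "--develop" ]]; then
  export GITHUB_PAT=developj CIS_CLIENT_ID=developj CIS_CLIENT_SECRET=developj
elif [[ -n "${GITHUB_PAT:-}" && -n "${CIS_CLIENT_ID:-}" \
      && -n "${CIS_CLIENT_SECRET:-}" && -z "${SECOPS_SOPS_PATH:-}" ]]; then
  : # credentials pre-configured via environment variables; nothing to do
elif [[ -n "${SECOPS_SOPS_PATH:-}" \
      && -z "${GITHUB_PAT:-}${CIS_CLIENT_ID:-}${CIS_CLIENT_SECRET:-}" ]]; then
  # A missing argument is reported ahead of a bad SECOPS_SOPS_PATH.
  if [[ -z "${1:-}" ]]; then
    echo "Missing arg for SOPS_credentials" >&2
    return 1
  elif [[ ! -d "${SECOPS_SOPS_PATH}" ]]; then
    echo "Improperly configured SOPS, see ${BASH_SOURCE[0]}" >&2
    return 1
  fi
  # Not `local`: there is no function scope here, so the name stays visible
  # in the sourcing shell.
  SOPS_credentials="$1"
  # NOTE: the path is tested relative to the current directory; it is not
  # joined onto SECOPS_SOPS_PATH.
  if [[ ! -r "${SOPS_credentials}" ]]; then
    echo "No such file ${SOPS_credentials}" >&2
    return 1
  fi
  # Decrypt all three values before exporting any of them. Keeping the
  # assignment separate from `export` preserves sops' exit status, and
  # checking every value (not only the token) means a failed or empty
  # decryption never leaves the caller with a partially populated set.
  if ! _secops_pat=$(sops -d --extract '["GitHub creds"]["token"]' "${SOPS_credentials}") \
      || ! _secops_cis_id=$(sops -d --extract '["Person API creds"]["person api client id"]' "${SOPS_credentials}") \
      || ! _secops_cis_secret=$(sops -d --extract '["Person API creds"]["person api client secret"]' "${SOPS_credentials}") \
      || [[ -z "${_secops_pat}" || -z "${_secops_cis_id}" || -z "${_secops_cis_secret}" ]]; then
    unset _secops_pat _secops_cis_id _secops_cis_secret
    echo "Improperly configured SOPS, see ${BASH_SOURCE[0]}" >&2
    # don't exit, as we're being sourced and don't want to kill our shell :)
    return 1
  fi
  export GITHUB_PAT="${_secops_pat}"
  export CIS_CLIENT_ID="${_secops_cis_id}"
  export CIS_CLIENT_SECRET="${_secops_cis_secret}"
  # Drop the temporaries so the decrypted values live only in the exports.
  unset _secops_pat _secops_cis_id _secops_cis_secret
else
  echo "Improperly configured credentials. See ${BASH_SOURCE[0]}" >&2
  return 1
fi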