V8.00.000.2025.06.17

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2025-10-26 16:48:17 +00:00
parent 1c83813ec4
commit 85c46f3c4c
5 changed files with 42 additions and 41 deletions
--- a/ciss_debian_installer.sh
+++ b/ciss_debian_installer.sh
@@ -24,7 +24,7 @@
 # TODO: Copying Log Files to final System
 # TODO: Integrate CISS.debian.installer calling arguments and preseed.yaml into CISS.debian.live.builder build chain?
 # TODO: Reboot function for Autoinstall, Clean Exit, Flush Logs, luksClose, umount
-# TODO: Implement loop_pass() for other passwords 0105_arg_nuke_converter.sh
+# TODO: Implement loop_pass() for other passwords 1257_yaml_xnuke.sh
 # TODO: Implement / Integrate IP, Port validation CDI_1200

 ### WHY BASH?
@@ -198,10 +198,6 @@ arg_parser "$@"
 info_echo "0103_arg_priority_check.sh"
 arg_priority_check

-### HASHING PASSWORDS.
-info_echo "0105_arg_nuke_converter.sh"
-nuke_passphrase
-

 ### CDI_1250
 info_echo "1250_yaml_parser.sh"
@@ -213,9 +209,12 @@ yaml_reader
 info_echo "1252_yaml_validator.sh"
 yaml_validator

-info_echo "1256_secret_parser.sh"
+info_echo "1256_yaml_xfiles.sh"
 yaml_secret

+info_echo "1257_yaml_xnuke.sh"
+nuke_passphrase
+

 ### CDI_3200
 info_echo "3200_partitioning.sh"
--- a/func/cdi_1250_yaml/1256_yaml_xfiles.sh
+++ b/func/cdi_1250_yaml/1256_yaml_xfiles.sh
@@ -122,6 +122,7 @@ ciss_secrets_wiper() {
 readonly -f ciss_secrets_wiper

 #######################################
+# Purpose:
 #   Parsing of only "*.value" keys from 'SECRETS.yaml' into Bash globals.
 #   If the file contains SOPS markers, decrypt once (streaming) with sops/age, then yq parses in a single pass.
 #   No base64, plain values preserved (including newlines). No repeated per-key decrypts or yq calls.
@@ -143,8 +144,6 @@ readonly -f ciss_secrets_wiper
 #   ERR_MISSING_AGE_KEY: on failure
 #######################################
 yaml_secret() {
-  # TODO: Remove debug echos
-
  ### Declare Arrays, HashMaps, and Variables.
  declare -r  SOPS_AGE_KEY_FILE="${CISS_SECRETS_AGE}"
  declare -a  __names=()
@@ -155,8 +154,7 @@ yaml_secret() {
  __umask=$(umask)
  umask 0077

-  # TODO: guard_trace on
-  #guard_trace on
+  guard_trace on

  secrets_encrypted="$(yq -r '.secrets.x_files // false' -- "${secrets_if}")" || secrets_encrypted="false"
  do_log "debug" "file_only" "1256() 'secrets_encrypted' according to secrets.x_files: '${secrets_encrypted}'."
@@ -209,6 +207,8 @@ yaml_secret() {
  # shellcheck disable=SC1091 source=./${__SECRETS}
  source "${__SECRETS}"

+  ciss_secrets_wiper "${__SECRETS}"
+
  # shellcheck disable=SC2312
  mapfile -t __names < <(printf '%s\n' "${!secrets_@}")

@@ -216,33 +216,30 @@ yaml_secret() {

    ### Keep only *_value variables
    [[ "${__name}" == *_value ]] || continue
-    echo "__name ${__name}"

    ### Validate strict Bash identifier (defensive: strip accidental CR).
    __name="${__name%$'\r'}"
    [[ "${__name}" =~ ^[A-Za-z_][A-Za-z0-9_]*$ ]] || continue
-    echo "__name ${__name}"

    ### Only read if actually set; indirect check without triggering nounset.
    if [[ -n "${!__name+x}" ]]; then
+
      __val="${!__name}"
-      echo "__val ${__val}"
+
    else
+
      __val=""
-      echo "__val ${__val}"
+
    fi

    ### Strip suffix/prefix for the map key.
    __base="${__name%_value}"
-    echo "__base ${__base}"
    __path_wo_prefix="${__base#secrets_}"
-    echo "__path_wo_prefix ${__path_wo_prefix}"

    ### Canonical CISS name.
    __varname="$(ciss_secret_varname_from_path "${__path_wo_prefix}")"
-    echo "__varname ${__varname}"

-    # Assign verbatim (preserves newlines)
+    ### Assign verbatim (preserves newlines).
    unset -v "${__varname}"
    declare -g "${__varname}"
    printf -v "${__varname}" '%s' "${__val}"
@@ -253,16 +250,14 @@ yaml_secret() {

  ### Hygiene: remove the intermediate variables to reduce secret surface, e.g., unset 'secrets_*_value' after transfer.
  for __name in "${__names[@]}"; do
+
    unset -v "${__name}"
+
  done

  umask "${__umask}"

-  echo "Inside 1256()"
-  sleep 60
-
-  # TODO: guard_trace off
-  #guard_trace off
+  guard_trace off

  guard_dir; return 0
 }
--- a/lib/cdi_0100_arg/0105_arg_nuke_converter.sh
+++ b/lib/cdi_0100_arg/0105_arg_nuke_converter.sh
@@ -15,18 +15,21 @@ guard_sourcing || return "${ERR_GUARD_SOURCE}"
 #######################################
 # Generates 'nuke=HASH' Bootparameter.
 # Globals:
+#   CISS_SECRET_LUKS_NUKE
 #   DIR_CNF
 #   VAR_NUKE_HASH
 # Arguments:
 #   None
 # Returns:
 #   0: on success
-#   ERR_GENERATE_SALT
-#   ERR_READ_NUKE_FILE
+#   ERR_GENERATE_SALT: on failure
 #######################################
 nuke_passphrase() {
-  declare -r var_nuke_pwd_file="${DIR_CNF}/password_luks_nuke.txt"
-  declare    var_temp_nuke_hash="" var_temp_plain_nuke_pwd="" var_salt="" var_nuke_rounds=""
+  #guard_trace on
+
+  ### Declare Arrays, HashMaps, and Variables.
+  declare    var_nuke_pwd="${CISS_SECRET_LUKS_NUKE}"
+  declare    var_temp_nuke_hash="" var_salt="" var_nuke_rounds=""

  # shellcheck disable=SC2312
  var_nuke_rounds="$(
@@ -40,30 +43,34 @@ nuke_passphrase() {
  ' "${DIR_CNF}/partitioning.yaml" | head -n1
  )"

-  [[ ! -f "${var_nuke_pwd_file}" ]] && return 0
-
-  guard_trace on
-  if ! read_password_file "${var_nuke_pwd_file}" var_temp_plain_nuke_pwd; then
-    return "${ERR_READ_NUKE_FILE}"
-  fi
-  guard_trace off
+  [[ -z "${var_nuke_pwd}" ]] && return 0


  if ! var_salt="$(generate_salt)"; then
+
    return "${ERR_GENERATE_SALT}"
+
  fi

-
-  guard_trace on
-  var_temp_nuke_hash=$(mkpasswd --method=sha-512 --salt="${var_salt}" --rounds="${var_nuke_rounds:-8388608}" "${var_temp_plain_nuke_pwd}")
-  guard_trace off
+  var_temp_nuke_hash=$(mkpasswd --method=sha-512 --salt="${var_salt}" --rounds="${var_nuke_rounds:-8388608}" "${var_nuke_pwd}")

  declare -grx VAR_NUKE_HASH="${var_temp_nuke_hash}"
-  unset var_temp_nuke_hash var_temp_plain_nuke_pwd
+
+  echo "Inside 1257"
+  echo "CISS_SECRET_LUKS_NUKE: ${CISS_SECRET_LUKS_NUKE}"
+
+  unset var_temp_nuke_hash var_nuke_pwd CISS_SECRET_LUKS_NUKE

  do_log "debug" "file_only" "0105() NUKE hash starts with: [${VAR_NUKE_HASH:0:32}...]"

+  #guard_trace off
+
+  echo "Inside 1257"
+  sleep 60
+
  guard_dir; return 0
 }
-
+### Prevents accidental 'unset -f'.
+# shellcheck disable=SC2034
+readonly -f nuke_passphrase
 # vim: number et ts=2 sw=2 sts=2 ai tw=128 ft=sh
--- a/meta_loader_func.sh
+++ b/meta_loader_func.sh
@@ -29,6 +29,7 @@ source_guard "./func/cdi_1250_yaml/1250_yaml_parser.sh"
 source_guard "./func/cdi_1250_yaml/1251_yaml_reader.sh"
 source_guard "./func/cdi_1250_yaml/1252_yaml_validator.sh"
 source_guard "./func/cdi_1250_yaml/1256_yaml_xfiles.sh"
+source_guard "./func/cdi_1250_yaml/1257_yaml_xnuke.sh"

 ### cdi_3200_partitioning
 source_guard "./func/cdi_3200_partitioning/3200_partitioning.sh"
--- a/meta_loader_lib.sh
+++ b/meta_loader_lib.sh
@@ -42,7 +42,6 @@ source_guard "./lib/cdi_0100_arg/0101_arg_sanitizer.sh"
 source_guard "./lib/cdi_0100_arg/0102_arg_parser.sh"
 source_guard "./lib/cdi_0100_arg/0103_arg_priority_check.sh"
 source_guard "./lib/cdi_0100_arg/0104_arg_passphrase_modules.sh"
-source_guard "./lib/cdi_0100_arg/0105_arg_nuke_converter.sh"

 source_guard "./lib/cdi_0110_interactive/0110_dialog_kernel.sh"
 source_guard "./lib/cdi_0110_interactive/0115_dialog_notes.sh"