msw/CISS.debian.installer
SHA256
2
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

V8.00.000.2025.06.17
All checks were successful
🛡️ Shell Script Linting / 🛡️ Shell Script Linting (push) Successful in 1m48s
Details

Browse Source 
Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
This commit is contained in:
Marc S. Weidner
2025-10-24 21:52:02 +01:00
parent ef4224cc88
commit 8ad39056cf
1 changed files with 20 additions and 19 deletions
Download Patch File Download Diff File Expand all files Collapse all files

39
func/cdi_1250_yaml/1256_secret_parser.sh
View File

@@ -122,7 +122,7 @@ yaml_secret() {
### Declare Arrays, HashMaps, and Variables. ### Declare Arrays, HashMaps, and Variables.
declare -r SOPS_AGE_KEY_FILE="/root/.config/sops/age/keys.txt" declare -r SOPS_AGE_KEY_FILE="/root/.config/sops/age/keys.txt"
declare secrets_encrypted="" secrets_yaml="${CISS_SECRETS_SOURCE}" \ declare secrets_encrypted="" secrets_yaml="${CISS_SECRETS_SOURCE}" \
__path="" __path_wo_prefix="" __pipe_fd="" __umask="" __value="" __varname="" __yq_expr="" __path="" __path_wo_prefix="" __pipe_fd="" __umask="" __value="" __varname=""
secrets_encrypted="$(yq -r '.secrets.x_files // false' -- "${secrets_yaml}")" || secrets_encrypted="false" secrets_encrypted="$(yq -r '.secrets.x_files // false' -- "${secrets_yaml}")" || secrets_encrypted="false"
@@ -142,32 +142,33 @@ yaml_secret() {
__umask=$(umask) __umask=$(umask)
umask 0077 umask 0077
### Build a single streaming producer: (sops -d |) yq -rj '...'
### yq emits: <path_wo_value>\0<plain_value>\0 -> for each secret.
### No newlines between results (-j), only NUL (\u0000) separators -> robust with arbitrary value content.
# shellcheck disable=SC2016
__yq_expr='
paths(scalars) as $p
| select($p[0] == "secrets" and $p[-1] == "value")
| ($p[0:-1] | join(".")) # E.g. "secrets.db.password".
+ "\u0000"
+ ((getpath($p) // "") | tostring) # Plain scalar value; coerce non-strings.
+ "\u0000"
'
### Create the producer as a process substitution. ### Create the producer as a process substitution.
if [[ "${secrets_encrypted}" == "true" ]]; then if [[ "${secrets_encrypted}" == "true" ]]; then
### Decrypt once, stream into yq; avoid storing full doc in memory. ### Decrypt once, stream into yq; avoid storing full doc in memory; emits '<path>\0<value>\0' for each 'secrets.*.value'
# shellcheck disable=SC1083,SC2312 # shellcheck disable=SC2016,SC2312
exec {__pipe_fd}< <( exec {__pipe_fd}< <(
sops -d --input-type=yaml --output-type=yaml -- "${secrets_yaml}" | yq -r --join-output "${__yq_expr}" - sops -d --input-type=yaml --output-type=yaml -- "${secrets_yaml}" | yq -r -N -0 '
paths(scalars) as $p
| select($p[0] == "secrets" and $p[-1] == "value")
| ($p[0:-1] | join(".")), ((getpath($p) // "") | tostring)
' -
) )
else else
# shellcheck disable=SC1083,SC2312 ### One-pass producer: emits '<path>\0<value>\0' for each 'secrets.*.value'
exec {__pipe_fd}< <( yq -r --join-output "${__yq_expr}" -- "${secrets_yaml}") # -r : raw scalars
# -N : no "---" doc separators
# -0 : NUL between *each* result
# shellcheck disable=SC2016,SC2312
exec {__pipe_fd}< <(
yq -r -N -0 '
paths(scalars) as $p
| select($p[0] == "secrets" and $p[-1] == "value")
| ($p[0:-1] | join(".")), ((getpath($p) // "") | tostring)
' -- "${secrets_yaml}"
)
fi fi