V9.14.024.2026.06.11

Signed-off-by: Marc S. Weidner <msw@coresecret.dev>
2026-06-11 17:11:22 +01:00
parent 9ef535554a
commit 97596fbcba
63 changed files with 767 additions and 200 deletions
@@ -76,7 +76,6 @@ guard_sourcing || return "${ERR_GUARD_SRCE}"
 #   ERR__SSH__PORT: on failure
 #######################################
 arg_parser() {
-  declare primordial_key_regex='^[A-Za-z0-9._@%+=:,~-]+$'
  declare primordial_url_regex='^https://[A-Za-z0-9.-]+/[A-Za-z0-9._~/%+=:@,-]+\.git$'

  while [[ $# -gt 0 ]]; do
@@ -109,6 +108,16 @@ arg_parser() {
          shift 1
          ;;

+        -l | --logo)
+          if [[ -n "${2-}" && "${2}" != -* ]]; then
+            if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi
+            printf "\e[91m❌ Error: --logo MUST NOT be followed by an argument.\e[0m\n" >&2
+            read -p -r $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
+            exit "${ERR_ARG_MSMTCH}"
+          fi
+          shift 1
+          ;;
+
        -v | --version)
          if [[ -n "${2-}" && "${2}" != -* ]]; then
            if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi
@@ -134,10 +143,9 @@ arg_parser() {
          ;;

        --build-directory)
-          declare -gx VAR_HANDLER_BUILD_DIR="${2}"
-          if [[ ! "${VAR_HANDLER_BUILD_DIR}" =~ ^/ ]]; then
+          declare -gx VAR_HANDLER_BUILD_DIR="${2-}"
+          if ! validate_build_dir_argument "${VAR_HANDLER_BUILD_DIR}"; then
            if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi
-            printf "\e[91m❌ Error: --build-directory MUST be an absolute path. Got: '%s'\n" "${VAR_HANDLER_BUILD_DIR}" >&2
            exit "${ERR_NOTABSPATH}"
          fi
          declare -gx VAR_BUILD_LOG="${VAR_HANDLER_BUILD_DIR}/cdlb_${VAR_ISO8601}_build.log"
@@ -266,18 +274,28 @@ arg_parser() {
          ;;

        --key_age=*)
+          declare key_age="${1#*=}"
+          if ! validate_secret_filename "--key_age" "${key_age}"; then
+            if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi
+            exit "${ERR_ARG_MSMTCH}"
+          fi
          # shellcheck disable=SC2034
          declare -gx VAR_AGE="true"
          # shellcheck disable=SC2034
-          declare -gx VAR_AGE_KEY="${1#*=}"
+          declare -gx VAR_AGE_KEY="${key_age}"
          shift 1
          ;;

        --key_luks=*)
+          declare key_luks="${1#*=}"
+          if ! validate_secret_filename "--key_luks" "${key_luks}"; then
+            if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi
+            exit "${ERR_ARG_MSMTCH}"
+          fi
          # shellcheck disable=SC2034
          declare -gx VAR_LUKS="true"
          # shellcheck disable=SC2034
-          declare -gx VAR_LUKS_KEY="${1#*=}"
+          declare -gx VAR_LUKS_KEY="${key_luks}"
          shift 1
          ;;

@@ -296,7 +314,7 @@ arg_parser() {
        --primordial-key)
          declare primordial_key="${2-}"

-          if [[ -n "${primordial_key}" && "${primordial_key}" != -* && "${primordial_key}" != "." && "${primordial_key}" != ".." && "${primordial_key}" != */* && "${primordial_key}" =~ ${primordial_key_regex} ]]; then
+          if validate_secret_filename "--primordial-key" "${primordial_key}"; then

            # shellcheck disable=SC2034
            declare -gx VAR_PRIMORDIAL_KEY="${primordial_key}"
@@ -315,7 +333,7 @@ arg_parser() {
        --primordial-key=*)
          declare primordial_key="${1#*=}"

-          if [[ -n "${primordial_key}" && "${primordial_key}" != "." && "${primordial_key}" != ".." && "${primordial_key}" != */* && "${primordial_key}" =~ ${primordial_key_regex} ]]; then
+          if validate_secret_filename "--primordial-key" "${primordial_key}"; then

            # shellcheck disable=SC2034
            declare -gx VAR_PRIMORDIAL_KEY="${primordial_key}"
@@ -461,7 +479,7 @@ arg_parser() {
          ;;

        --root-password-file)
-          declare pw_file="${2}"
+          declare pw_file="${2-}"

          if [[ -z "${pw_file}" ]]; then

@@ -473,10 +491,9 @@ arg_parser() {

          fi

-          if [[ ! -f "${pw_file}" ]]; then
+          if ! validate_secret_absolute_file_basics "--root-password-file" "${pw_file}"; then

            if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi
-            printf "\e[91m❌ Error: --root-password-file password file '%s' does not exist.\e[0m\n" "${pw_file}" >&2
            # shellcheck disable=SC2162
            read -p  $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
            exit "${ERR_MISS_PWD_F}"
@@ -507,6 +524,13 @@ arg_parser() {
            }
          fi

+          validate_secret_file_path "--root-password-file" "${pw_file}" || {
+            if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi
+            # shellcheck disable=SC2162
+            read -p  $'\e[92m✅ Press \'ENTER\' to exit the script ... \e[0m'
+            exit "${ERR_RGHT_PWD_F}"
+          }
+
          declare plaintext_pw
          ### No tracing for security reasons ----------------------------------------------------------------------------------
          [[ "${VAR_EARLY_DEBUG}" == "true" ]] && set +x
@@ -606,16 +630,26 @@ arg_parser() {
          ;;

        --signing_ca=*)
+          declare signing_ca="${1#*=}"
+          if ! validate_secret_filename "--signing_ca" "${signing_ca}"; then
+            if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi
+            exit "${ERR_ARG_MSMTCH}"
+          fi
          # shellcheck disable=SC2034
-          declare -gx VAR_SIGNING_CA="${1#*=}"
+          declare -gx VAR_SIGNING_CA="${signing_ca}"
          shift 1
          ;;

        --signing_key=*)
+          declare signing_key="${1#*=}"
+          if ! validate_secret_filename "--signing_key" "${signing_key}"; then
+            if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi
+            exit "${ERR_ARG_MSMTCH}"
+          fi
          # shellcheck disable=SC2034
          declare -gx VAR_SIGNER="true"
          # shellcheck disable=SC2034
-          declare -gx VAR_SIGNING_KEY="${1#*=}"
+          declare -gx VAR_SIGNING_KEY="${signing_key}"
          shift 1
          ;;

@@ -626,8 +660,13 @@ arg_parser() {
          ;;

        --signing_key_pass=*)
+          declare signing_key_pass="${1#*=}"
+          if ! validate_secret_filename "--signing_key_pass" "${signing_key_pass}"; then
+            if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi
+            exit "${ERR_ARG_MSMTCH}"
+          fi
          # shellcheck disable=SC2034
-          declare -gx VAR_SIGNING_KEY_PASS="${1#*=}"
+          declare -gx VAR_SIGNING_KEY_PASS="${signing_key_pass}"
          shift 1
          ;;

@@ -694,8 +733,13 @@ arg_parser() {
          ;;

        --ssh-pubkey)
+          declare ssh_pubkey="${2-}"
+          if ! validate_ssh_pubkey_directory "${ssh_pubkey}"; then
+            if ! ${VAR_HANDLER_AUTOBUILD}; then boot_screen_cleaner; fi
+            exit "${ERR_ARG_MSMTCH}"
+          fi
          # shellcheck disable=SC2034
-          declare -gx VAR_SSHPUBKEY="${2}"
+          declare -gx VAR_SSHPUBKEY="${ssh_pubkey}"
          shift 2
          ;;