cfg/bin/git-credential-vault

55 lines
1.4 KiB
Text
Raw Normal View History

#!/usr/bin/env bash
set -euo pipefail
###
# How to use
###
#
# Create a key in Vault `secret/git-credential/<hostname>` so i.e.
# `secret/git-credential/git.luzifer.io` and fill it with key-value
# pairs according to the git-credential spec [1]
#
# So for example this could be the content:
# {
# "protocol": "https", # Force to use HTTPS
# "username": "luzifer", # The username required for the host
# "password": "..." # Password for the given user
# }
#
# The `${key}=${value}` pairs are dumped as they are without further
# processing. Therefore you can override all parameters the
# git-credential spec allows you to set. I recommend to enforce the
# `protocol` field to `https` as this helper is not checking the
# protocol passed but only looks for the `host` value to fetch the
# correct key from Vault.
#
# [1] https://git-scm.com/docs/git-credential
#
###
source "${HOME}/bin/script_framework.sh"
function handle_get() {
while read line; do
local param=$(cut -d '=' -f 1 <<<"${line}")
local value=$(cut -d '=' -f 2- <<<"${line}")
[[ $param == host ]] || continue
vault read -format=json secret/git-credential/${value} 2>/dev/null | jq -r '.data | to_entries[] | [.key, .value] | join("=")' || return 1
info "[git-credential-vault] Read credential for '${value}' from Vault"
done
}
function main() {
local action="${1:-_invalid}"
shift
case ${action} in
get) handle_get ;;
*) return 1 ;;
esac
}
main "$@"