2023-08-25 15:44:14 +00:00
|
|
|
#!/usr/bin/env bash
|
|
|
|
|
set -euo pipefail
|
|
|
|
|
|
2023-08-25 15:53:44 +00:00
|
|
|
###
|
|
|
|
|
# How to use
|
|
|
|
|
###
|
|
|
|
|
#
|
|
|
|
|
# Create a key in Vault `secret/git-credential/<hostname>` so i.e.
|
|
|
|
|
# `secret/git-credential/git.luzifer.io` and fill it with key-value
|
|
|
|
|
# pairs according to the git-credential spec [1]
|
|
|
|
|
#
|
|
|
|
|
# So for example this could be the content:
|
|
|
|
|
# {
|
|
|
|
|
# "protocol": "https", # Force to use HTTPS
|
|
|
|
|
# "username": "luzifer", # The username required for the host
|
|
|
|
|
# "password": "..." # Password for the given user
|
|
|
|
|
# }
|
|
|
|
|
#
|
|
|
|
|
# The `${key}=${value}` pairs are dumped as they are without further
|
|
|
|
|
# processing. Therefore you can override all parameters the
|
|
|
|
|
# git-credential spec allows you to set. I recommend to enforce the
|
|
|
|
|
# `protocol` field to `https` as this helper is not checking the
|
|
|
|
|
# protocol passed but only looks for the `host` value to fetch the
|
|
|
|
|
# correct key from Vault.
|
|
|
|
|
#
|
|
|
|
|
# [1] https://git-scm.com/docs/git-credential
|
|
|
|
|
#
|
|
|
|
|
###
|
|
|
|
|
|
2023-08-25 15:44:14 +00:00
|
|
|
source "${HOME}/bin/script_framework.sh"
|
|
|
|
|
|
|
|
|
|
function handle_get() {
|
|
|
|
|
while read line; do
|
|
|
|
|
local param=$(cut -d '=' -f 1 <<<"${line}")
|
|
|
|
|
local value=$(cut -d '=' -f 2- <<<"${line}")
|
|
|
|
|
|
|
|
|
|
[[ $param == host ]] || continue
|
|
|
|
|
|
|
|
|
|
vault read -format=json secret/git-credential/${value} 2>/dev/null | jq -r '.data | to_entries[] | [.key, .value] | join("=")' || return 1
|
|
|
|
|
info "[git-credential-vault] Read credential for '${value}' from Vault"
|
|
|
|
|
done
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
function main() {
|
|
|
|
|
local action="${1:-_invalid}"
|
|
|
|
|
shift
|
|
|
|
|
|
|
|
|
|
case ${action} in
|
|
|
|
|
get) handle_get ;;
|
|
|
|
|
*) return 1 ;;
|
|
|
|
|
esac
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
main "$@"
|
