#!/usr/bin/env bash
set -euo pipefail

###
# How to use
###
#
# Create a key in Vault `secret/git-credential/<hostname>` so i.e.
# `secret/git-credential/git.luzifer.io` and fill it with key-value
# pairs according to the git-credential spec [1]
#
# So for example this could be the content:
# {
#   "protocol": "https",    # Force to use HTTPS
#   "username": "luzifer",  # The username required for the host
#   "password": "..."       # Password for the given user
# }
#
# The `${key}=${value}` pairs are dumped as they are without further
# processing. Therefore you can override all parameters the
# git-credential spec allows you to set. I recommend to enforce the
# `protocol` field to `https` as this helper is not checking the
# protocol passed but only looks for the `host` value to fetch the
# correct key from Vault.
#
# [1] https://git-scm.com/docs/git-credential
#
###

source "${HOME}/bin/script_framework.sh"

function handle_get() {
  while read line; do
    local param=$(cut -d '=' -f 1 <<<"${line}")
    local value=$(cut -d '=' -f 2- <<<"${line}")

    [[ $param == host ]] || continue

    vault read -format=json secret/git-credential/${value} 2>/dev/null | jq -r '.data | to_entries[] | [.key, .value] | join("=")' || return 1
    info "[git-credential-vault] Read credential for '${value}' from Vault"
  done
}

function main() {
  local action="${1:-_invalid}"
  shift

  case ${action} in
  get) handle_get ;;
  *) return 1 ;;
  esac
}

main "$@"