From 70d3ec94d245f020d4ab48ab3ab34f4f5ce35ade Mon Sep 17 00:00:00 2001
From: Luke Murphy <lukewm@riseup.net>
Date: Mon, 13 Apr 2020 13:09:32 +0200
Subject: [PATCH] Add sudo pass and trim up vault pass command

---
 commands              |  5 +++++
 functions             | 29 ++++++++++++++++++++++-------
 subcommands/sudo-pass |  8 ++++++++
 3 files changed, 35 insertions(+), 7 deletions(-)
 create mode 100755 subcommands/sudo-pass

diff --git a/commands b/commands
index c88dd60..2387f1d 100755
--- a/commands
+++ b/commands
@@ -12,6 +12,7 @@ case "$1" in
       declare desc="return ansible-deploy plugin help content"
       cat<<help_content
     ansible-deploy:vault-pass appname, Add new app vault password for decrypting secrets
+    ansible-deploy:sudo-pass, Add system Dokku user sudo password for sudo escalation
 help_content
     }
 
@@ -35,6 +36,10 @@ help_desc
     dokku-ansible-deploy-vault-pass-cmd "$@"
     ;;
 
+  sudo-pass)
+    dokku-ansible-deploy-sudo-pass-cmd
+    ;;
+
   *)
     exit "$DOKKU_NOT_IMPLEMENTED_EXIT"
     ;;
diff --git a/functions b/functions
index 4696483..e0a2314 100755
--- a/functions
+++ b/functions
@@ -27,35 +27,50 @@ dokku-ansible-deploy-vault-pass-cmd() {
   declare desc="add new app vault password for decryption of passwords"
 
   declare APP="$2"
-  declare vault_file="$DOKKU_LIB_ROOT/data/deploy.d/$APP/.vault-password.sh"
+  declare VAULT_FILE="$DOKKU_LIB_ROOT/data/deploy.d/$APP/.vault.sh"
 
   if [[ ! -n "$APP" ]]; then
     dokku_col_log_info1_quiet "missing app name, try 'dokku ansible-deploy:vault-pass myappname'"
     exit 1
   fi
 
-  if [[ -f $vault_file ]]; then
+  if [[ -f $VAULT_FILE ]]; then
     dokku_col_log_info1_quiet "Vault password already setup for $APP"
     exit 0
   fi
 
   # shellcheck disable=SC2162 disable=SC2116 disable=SC2006
-  read -p "Please enter your vault password for $APP: `echo $'\n> '`" vault_password
+  read -p "Please enter your vault password for $APP: `echo $'\n> '`" VAULT_PASSWD
 
   if [[ ! -d "$DOKKU_LIB_ROOT/data/deploy.d/$APP" ]]; then
+    dokku_col_log_info1_quiet "Creating $DOKKU_LIB_ROOT/data/deploy.d/$APP"
     mkdir -p "$DOKKU_LIB_ROOT/data/deploy.d/$APP"
   fi
-  dokku_col_log_info1_quiet "Created $DOKKU_LIB_ROOT/data/deploy.d/$APP"
 
   { echo "#!/bin/bash";
     echo "";
     echo "set -eu -o pipefail";
     echo "";
-    echo "echo \"$vault_password\""; } > "$vault_file"
+    echo "echo \"$VAULT_PASSWD\""; } > "$VAULT_FILE"
 
-  chmod +x "$vault_file"
+  chmod +x "$VAULT_FILE"
 
-  dokku_col_log_info1_quiet "Generated $vault_file for $APP"
+  dokku_col_log_info1_quiet "Generated $VAULT_FILE for $APP"
+}
+
+dokku-ansible-deploy-sudo-pass-cmd() {
+  # shellcheck disable=SC2034
+  declare desc="add new dokku user sudo password for sudo escalation"
+
+  declare VARS_FILE="$DOKKU_LIB_ROOT/data/deploy.d/vars.yml"
+
+  # shellcheck disable=SC2162 disable=SC2116 disable=SC2006
+  read -p "Please enter your Dokku system user sudo password: `echo $'\n> '`" SUDO_PASSWD
+
+  { echo "---";
+    echo "ansible_become_password: \"$SUDO_PASSWD\""; } > "$VARS_FILE"
+
+  dokku_col_log_info1_quiet "Generated $VARS_FILE"
 }
 
 dokku-ansible-deploy-dependencies() {
diff --git a/subcommands/sudo-pass b/subcommands/sudo-pass
new file mode 100755
index 0000000..51568f3
--- /dev/null
+++ b/subcommands/sudo-pass
@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+
+set -eo pipefail; [[ $DOKKU_TRACE ]] && set -x
+
+# shellcheck disable=SC1090
+source "$PLUGIN_AVAILABLE_PATH/ansible-deploy/functions"
+
+dokku-ansible-deploy-sudo-pass-cmd "$@"