Make secret generation more robust

Closes coop-cloud/abra#68.
Luke Murphy 2021-01-01 18:52:32 +01:00
parent 36f1d679ae
commit aa59c1ad43
No known key found for this signature in database
GPG Key ID: 5E2EF5A63E3718CC
2 changed files with 12 additions and 23 deletions


@ -1,6 +1,6 @@
# abra x.x.x (UNRELEASED) # abra x.x.x (UNRELEASED)
- `secret auto` merged into `secret generate` and `app new --auto ` is now `app new --secrets` ([#64](https://git.autonomic.zone/coop-cloud/abra/pulls/64)) - `secret auto` merged into `secret generate` and `app new --auto` is now `app new --secrets` ([#64](https://git.autonomic.zone/coop-cloud/abra/pulls/64))
- Avoid outputting length during secret generation when not in use ([#67](https://git.autonomic.zone/coop-cloud/abra/issues/67)) - Avoid outputting length during secret generation when not in use ([#67](https://git.autonomic.zone/coop-cloud/abra/issues/67))
- Support graceful failure when missing secret generation commands ([44d3ac3a1cb86edc9b9e91eea1a00e70eae14965](https://git.autonomic.zone/coop-cloud/abra/commit/44d3ac3a1cb86edc9b9e91eea1a00e70eae14965)) - Support graceful failure when missing secret generation commands ([44d3ac3a1cb86edc9b9e91eea1a00e70eae14965](https://git.autonomic.zone/coop-cloud/abra/commit/44d3ac3a1cb86edc9b9e91eea1a00e70eae14965))
- Fix secret detection when using new `.env` file format in apps ([55324524ca77141666ffe6cc41b62cc71cf89ace](https://git.autonomic.zone/coop-cloud/abra/commit/55324524ca77141666ffe6cc41b62cc71cf89ace)) - Fix secret detection when using new `.env` file format in apps ([55324524ca77141666ffe6cc41b62cc71cf89ace](https://git.autonomic.zone/coop-cloud/abra/commit/55324524ca77141666ffe6cc41b62cc71cf89ace))
@ -16,6 +16,7 @@
- Use Docker-in-Docker (dind), and `dind-bats-kcov` Docker image, for `make test` ([1600b6277fbbffc4c6de1e4ba799c7bbe72ec6a0](https://git.autonomic.zone/coop-cloud/abra/commit/1600b6277fbbffc4c6de1e4ba799c7bbe72ec6a0)) - Use Docker-in-Docker (dind), and `dind-bats-kcov` Docker image, for `make test` ([1600b6277fbbffc4c6de1e4ba799c7bbe72ec6a0](https://git.autonomic.zone/coop-cloud/abra/commit/1600b6277fbbffc4c6de1e4ba799c7bbe72ec6a0))
- Add built-in documentation using `abra help <subcommand>...`, see [#50](https://git.autonomic.zone/coop-cloud/abra/issues/50) - Add built-in documentation using `abra help <subcommand>...`, see [#50](https://git.autonomic.zone/coop-cloud/abra/issues/50)
- `version` subcommand [e6b24fe](https://git.autonomic.zone/coop-cloud/abra/commit/e6b24fe) - `version` subcommand [e6b24fe](https://git.autonomic.zone/coop-cloud/abra/commit/e6b24fe)
- Use `# length=x` comments to generate passwords with `pwgen` and drop `KEY`/`PASSWORD` logic ([#68](https://git.autonomic.zone/coop-cloud/abra/issues/68))
# abra 0.4.1 (2020-12-24) # abra 0.4.1 (2020-12-24)

32
abra

@ -385,18 +385,8 @@ get_servers() {
} }
get_app_secrets() { get_app_secrets() {
get_app_passwords
get_app_keys
}
get_app_passwords() {
# FIXME 3wc: requires bash 4, use for loop instead # FIXME 3wc: requires bash 4, use for loop instead
mapfile -t PASSWORDS < <(grep "SECRET.*PASSWORD.*VERSION.*" "$ENV_FILE") mapfile -t PASSWORDS < <(grep "SECRET.*VERSION.*" "$ENV_FILE")
}
get_app_keys() {
# FIXME 3wc: requires bash 4, use for loop instead
mapfile -t KEYS < <(grep "SECRET.*KEY.*VERSION.*" "$ENV_FILE")
} }
load_instance() { load_instance() {
@ -457,7 +447,9 @@ parse_secret() {
# shellcheck disable=SC2001 # shellcheck disable=SC2001
abra__length_="$(echo "$SECRET" | sed -e 's/.*[^0-9]\([0-9]\+\)[^0-9]*$/\1/')" abra__length_="$(echo "$SECRET" | sed -e 's/.*[^0-9]\([0-9]\+\)[^0-9]*$/\1/')"
else else
abra__length_=32 # Note(decentral1se): unset this so that a length value from another secret
# definition does not get passed on to another secret generation flow
unset abra__length_
fi fi
abra__secret_="${SECRET%_VERSION=*}" # strip _VERSION=v1 abra__secret_="${SECRET%_VERSION=*}" # strip _VERSION=v1
@ -466,7 +458,7 @@ parse_secret() {
abra__version_="$(echo "$SECRET" | sed -n 's/.*\(v[0-9]\).*/\1/p')" abra__version_="$(echo "$SECRET" | sed -n 's/.*\(v[0-9]\).*/\1/p')"
if [[ "$SECRET" == *"length"* ]]; then if [[ -n "$abra__length_" ]]; then
echo "Generating $abra__secret_, version: $abra__version_, length: $abra__length_" echo "Generating $abra__secret_, version: $abra__version_, length: $abra__length_"
else else
echo "Generating $abra__secret_, version: $abra__version_" echo "Generating $abra__secret_, version: $abra__version_"
@ -497,10 +489,6 @@ auto_gen_secrets (){
for PASSWORD in "${PASSWORDS[@]}"; do for PASSWORD in "${PASSWORDS[@]}"; do
parse_secret "$PASSWORD" parse_secret "$PASSWORD"
done done
for KEY in "${KEYS[@]}"; do
parse_secret "$KEY"
done
} }
####################################### #######################################
@ -671,7 +659,7 @@ sub_app_new (){
get_app_secrets get_app_secrets
if [ "${#PASSWORDS[@]}" -gt 0 ] || [ "${#KEYS[@]}" -gt 0 ] && [ "$abra___secrets" == "true" ]; then if [ "${#PASSWORDS[@]}" -gt 0 ] && [ "$abra___secrets" == "true" ]; then
auto_gen_secrets auto_gen_secrets
fi fi
@ -980,12 +968,12 @@ sub_app_secret_generate(){
auto_gen_secrets auto_gen_secrets
fi fi
if [[ "$SECRET" == *"password"* ]]; then if [[ -n "$LENGTH" ]]; then
require_pwqgen
PWGEN="${abra__cmd_:-pwqgen}"
else
require_pwgen require_pwgen
PWGEN=${abra__cmd_:-pwgen -s "$LENGTH" 1} PWGEN=${abra__cmd_:-pwgen -s "$LENGTH" 1}
else
require_pwqgen
PWGEN="${abra__cmd_:-pwqgen}"
fi fi
if [ -z "$SECRET" ] || [ -z "$VERSION" ] && [ "$abra___all" == "false" ]; then if [ -z "$SECRET" ] || [ -z "$VERSION" ] && [ "$abra___all" == "false" ]; then
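Review bot: In the new `[[ -n "$LENGTH" ]]` branch at the top of the sub_app_secret_generate hunk, `$LENGTH` is handed straight to `pwgen -s "$LENGTH" 1` without any check that it is a positive integer, and the only upstream source visible here is the sed in parse_secret that grabs whatever trailing digit run follows the `# length=` comment, so a zero, empty-after-whitespace or garbage value would reach pwgen unchecked. A guard before the `PWGEN=` assignment such as `[[ "$LENGTH" =~ ^[1-9][0-9]*$ ]] || { echo "invalid secret length: $LENGTH" >&2; exit 1; }` (or the script's existing error path) would fail fast with a clear message instead of relying on pwgen's own handling. Separately, parse_secret now does `unset abra__length_` and then tests `[[ -n "$abra__length_" ]]` in the following hunk; if the script runs under `set -u` that test aborts on the unbound name, and `[[ -n "${abra__length_:-}" ]]` is safe either way. sub_app_secret_generate continues past this hunk and the step that copies `abra__length_` into `LENGTH` is not visible here, so that path should be checked for the same validation.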