From adf9450f9392d5ec7aced16a281e23346d190622 Mon Sep 17 00:00:00 2001
From: Pierre Smeyers <pierre.smeyers@gmail.com>
Date: Sat, 31 Aug 2024 01:00:26 +0200
Subject: [PATCH] feat: standard TBC secrets decoding

---
 templates/gitlab-ci-renovate.yml | 72 ++++++++++++++++++++++++++++++++
 1 file changed, 72 insertions(+)

diff --git a/templates/gitlab-ci-renovate.yml b/templates/gitlab-ci-renovate.yml
index e40803a..7a8061c 100644
--- a/templates/gitlab-ci-renovate.yml
+++ b/templates/gitlab-ci-renovate.yml
@@ -211,7 +211,79 @@ variables:
 log_info "... done"
 }
+ # evaluate and export a secret
+ # - $1: secret variable name
+ function eval_secret() {
+ name=$1
+ value=$(eval echo "\$${name}")
+ case "$value" in
+ @b64@*)
+ decoded=$(mktemp)
+ errors=$(mktemp)
+ if echo "$value" | cut -c6- | base64 -d > "${decoded}" 2> "${errors}"
+ then
+ # shellcheck disable=SC2086
+ export ${name}="$(cat ${decoded})"
+ log_info "Successfully decoded base64 secret \\e[33;1m${name}\\e[0m"
+ else
+ fail "Failed decoding base64 secret \\e[33;1m${name}\\e[0m:\\n$(sed 's/^/... /g' "${errors}")"
+ fi
+ ;;
+ @hex@*)
+ decoded=$(mktemp)
+ errors=$(mktemp)
+ if echo "$value" | cut -c6- | sed 's/\([0-9A-F]\{2\}\)/\\\\x\1/gI' | xargs printf > "${decoded}" 2> "${errors}"
+ then
+ # shellcheck disable=SC2086
+ export ${name}="$(cat ${decoded})"
+ log_info "Successfully decoded hexadecimal secret \\e[33;1m${name}\\e[0m"
+ else
+ fail "Failed decoding hexadecimal secret \\e[33;1m${name}\\e[0m:\\n$(sed 's/^/... /g' "${errors}")"
+ fi
+ ;;
+ @url@*)
+ url=$(echo "$value" | cut -c6-)
+ if command -v curl > /dev/null
+ then
+ decoded=$(mktemp)
+ errors=$(mktemp)
+ if curl -s -S -f --connect-timeout 5 -o "${decoded}" "$url" 2> "${errors}"
+ then
+ # shellcheck disable=SC2086
+ export ${name}="$(cat ${decoded})"
+ log_info "Successfully curl'd secret \\e[33;1m${name}\\e[0m"
+ else
+ log_warn "Failed getting secret \\e[33;1m${name}\\e[0m:\\n$(sed 's/^/... /g' "${errors}")"
+ fi
+ elif command -v wget > /dev/null
+ then
+ decoded=$(mktemp)
+ errors=$(mktemp)
+ if wget -T 5 -O "${decoded}" "$url" 2> "${errors}"
+ then
+ # shellcheck disable=SC2086
+ export ${name}="$(cat ${decoded})"
+ log_info "Successfully wget'd secret \\e[33;1m${name}\\e[0m"
+ else
+ log_warn "Failed getting secret \\e[33;1m${name}\\e[0m:\\n$(sed 's/^/... 
/g' "${errors}")"
+ fi
+ else
+ fail "Couldn't get secret \\e[33;1m${name}\\e[0m: no http client found"
+ fi
+ ;;
+ esac
+ }
+
+ function eval_all_secrets() {
+ encoded_vars=$(env | grep -v '^scoped__' | awk -F '=' '/^[a-zA-Z0-9_]*=@(b64|hex|url)@/ {print $1}')
+ for var in $encoded_vars
+ do
+ eval_secret "$var"
+ done
+ }
+
+ unscope_variables
+ eval_all_secrets
 # ENDSCRIPT
-- 
GitLab
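Review bot: Every decode branch of eval_secret writes the plaintext secret into `decoded=$(mktemp)` and never removes it (nor `errors`), so the decoded secret stays on the runner's filesystem after the step; add `rm -f -- "${decoded}" "${errors}"` after the `export`/`fail` in the @b64@ and @hex@ arms and in both @url@ sub-branches, or register one cleanup trap at the top of the function. The temp file is avoidable altogether: `if decoded=$(printf '%s' "${value#@b64@}" | base64 -d 2> "${errors}")` keeps the secret in memory and still tests base64's exit status. The @hex@ arm also never validates its payload: characters outside `[0-9A-F]` pass through the sed unchanged into `xargs printf`, where they become part of the printf format string, so malformed input yields silent garbage (and any `%` would be read as a directive) instead of reaching the `fail` path; a guard such as `[[ "${value#@hex@}" =~ ^([0-9A-Fa-f]{2})+$ ]] || fail "..."` before the pipeline closes that gap. `value=$(eval echo "\$${name}")` can be `value=${!name}`, which drops the eval and echo's option/backslash handling; the names come from the `[a-zA-Z0-9_]*` filter in eval_all_secrets so the eval is constrained as written, but the indirect expansion is the idiomatic form. Note too that the @url@ arm only `log_warn`s on fetch failure while the other arms `fail`, leaving the variable holding the literal `@url@...` string for downstream consumers; if best-effort is intended, a comment saying so would help the next reader.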