2022-08-31 10:47:18 +02:00
|
|
|
#!/bin/bash
|
2022-08-31 12:00:41 +02:00
|
|
|
#
|
|
|
|
|
# Author: Daniel Lundin <dln@arity.se>
|
|
|
|
|
#
|
|
|
|
|
# Convenience script to hide sensitive variables on the command line.
|
|
|
|
|
# Uses keyctl to store secrets in the keyring.
|
|
|
|
|
#
|
|
|
|
|
# Example usage: mycommand --user=foo --password=$(pw mypass)
|
|
|
|
|
|
|
|
|
|
set -eo pipefail
|
2022-08-31 10:47:18 +02:00
|
|
|
|
|
|
|
|
purge=0
|
|
|
|
|
ttl=${PW_TTL:-259200}
|
|
|
|
|
|
2022-08-31 12:00:41 +02:00
|
|
|
usage() { echo "Usage: $0 [-t SECONDS] [-f] SECRET_NAME" 1>&2; exit 1; }
|
2022-08-31 10:47:18 +02:00
|
|
|
|
|
|
|
|
while getopts ":ft:" o; do
|
|
|
|
|
case "${o}" in
|
|
|
|
|
f)
|
|
|
|
|
purge=1
|
|
|
|
|
;;
|
|
|
|
|
t)
|
|
|
|
|
ttl=${OPTARG}
|
|
|
|
|
;;
|
|
|
|
|
*)
|
|
|
|
|
usage
|
|
|
|
|
;;
|
|
|
|
|
esac
|
|
|
|
|
done
|
|
|
|
|
shift $((OPTIND-1))
|
|
|
|
|
|
|
|
|
|
var="$1"
|
2022-08-31 12:00:41 +02:00
|
|
|
shift || usage
|
|
|
|
|
[ -z "$1" ] || usage
|
2022-08-31 10:47:18 +02:00
|
|
|
|
|
|
|
|
key="pw.${var}"
|
2022-08-31 12:00:41 +02:00
|
|
|
|
2022-08-31 10:47:18 +02:00
|
|
|
if [ "${purge}" == "1" ]; then
|
|
|
|
|
keyctl purge user "${key}" >>/dev/null 2>&1 || true
|
|
|
|
|
fi
|
2022-08-31 12:00:41 +02:00
|
|
|
|
2022-08-31 10:47:18 +02:00
|
|
|
out=$(systemd-ask-password --accept-cached --keyname="${key}" "${var}:")
|
|
|
|
|
key_id=$(keyctl request user "${key}" 2>/dev/null)
|
|
|
|
|
keyctl timeout "$key_id" "$ttl"
|
|
|
|
|
|
2022-08-31 12:00:41 +02:00
|
|
|
printf "%s" "$out"
|
