#!/bin/bash
#
# Author: Daniel Lundin <dln@arity.se>
#
# Convenience script to hide sensitive variables on the command line.
# Uses keyctl to store secrets in the keyring.
#
# Example usage: mycommand --user=foo --password=$(pw mypass)

set -eo pipefail

purge=0
ttl=${PW_TTL:-259200}

usage() { echo "Usage: $0 [-t SECONDS] [-f] SECRET_NAME" 1>&2; exit 1; }

while getopts ":ft:" o; do
  case "${o}" in
    f)
      purge=1
      ;;
    t)
      ttl=${OPTARG}
      ;;
    *)
      usage
      ;;
  esac
done
shift $((OPTIND-1))

var="$1"
shift || usage
[ -z "$1" ] || usage

key="pw.${var}"

if [ "${purge}" == "1" ]; then
  keyctl purge user "${key}" >>/dev/null 2>&1 || true
fi

out=$(systemd-ask-password --accept-cached --keyname="${key}" "${var}:")
key_id=$(keyctl request user "${key}" 2>/dev/null)
keyctl timeout "$key_id" "$ttl"

printf "%s" "$out"