Split initializing the password store from generating passwords.

2021-01-27 16:06:28 +01:00 · 2021-01-27 16:06:28 +01:00 · 0d431d086c
parent 1b2d41a34a
commit 0d431d086c
7 changed files with 115 additions and 21 deletions
--- a/type/__pass/gencode-local
+++ b/type/__pass/gencode-local
@ -46,25 +46,25 @@ then
 	NOSYMB="-n"
 fi

-# Load required GPG ID parameters.
-set --
-while read -r id;
-do
-	set -- "$@" "$id"
-done < "${__object:?}/parameter/gpgid"
-
 # Load required password store location parameter.
 PASSWORD_STORE_DIR="$(cat "${__object:?}/parameter/storedir")"
 export PASSWORD_STORE_DIR

-# Run every time in case GPG IDs are updated.
-pass init "$@" >/dev/null
+# Check if the password store is initialized.
+if ! pass ls >/dev/null 2>&1;
+then
+	cat <<- EOF >&2
+	__pass: this type requires the password store to be initialized.
+	See cdist-type__pass_init(7) and pass(1) for more information.
+	EOF
+	exit 1;
+fi

 # Generate a password if it does not already exist.
 if [ ! -f "${PASSWORD_STORE_DIR}/${__object_id:?}.gpg" ];
 then
 	# shellcheck disable=SC2086
-	pass generate $NOSYMB "${__object_id:?}" $LENGTH
+	pass generate $NOSYMB "${__object_id:?}" $LENGTH >/dev/null
 fi

 # Send it out to the messages.
--- a/type/__pass/man.rst
+++ b/type/__pass/man.rst
@ -14,9 +14,6 @@ types depending on this one should require it. This enables an administrator to
 ensure a password exists using this type and then, from another type, use it as
 need be.

-This type also sets the GPG IDs used to encrypt the password store: beware that
-the IDs passed in the last ran invocation of the type will be the ones set for
-the store.

 REQUIRED PARAMETERS
 -------------------
@ -25,11 +22,6 @@ storedir
    created if it does not exist).


-REQUIRED MULTIPLE PARAMETERS
----------------------------
-gpgid
-    The GPG IDs of the public keys used to encrypt the password store.
-
 OPTIONAL PARAMETERS
 -------------------
 length
@ -37,6 +29,7 @@ length
    it exists, this has no effect (and hence will not update the password, even
    if the length is different from the one specified).

+
 BOOLEAN PARAMETERS
 ------------------
 no-symbols
@ -52,18 +45,19 @@ looks up in the cdist messages to find it:

 .. code-block:: sh

-    __pass database/services/arandomservice
+    require=__pass_init \
+    __pass database/services/arandomservice \
        --storedir password/store/location
-        --gpgpid 92296965EAA1DD86A93284EF7B21E5AA32FB9810

   require='__pass/database/services/arandomservice' \
     __othertype --password database/service/arandomservice

+
 --

 SEE ALSO
 --------
-`pass`\ (7)
+`pass`\ (7), `cdist-type__pass_init`\ (7)


 AUTHORS
--- a/type/__pass_init/gencode-local
+++ b/type/__pass_init/gencode-local
@ -0,0 +1,43 @@
+#!/bin/sh -e
+#
+# 2020 Joachim Desroches (joachim.desroches@epfl.ch)
+#
+# This file is part of cdist.
+#
+# cdist is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# cdist is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with cdist. If not, see <http://www.gnu.org/licenses/>.
+#
+
+# Check pass is installed.
+command -v pass >/dev/null 2>&1 ||
+	{
+		cat <<- EOF >&2
+		__pass_init: this type requires pass installed.
+		See https://www.passwordstore.org/.
+		EOF
+		exit 1;
+	}
+
+# Load required GPG ID parameters.
+set --
+while read -r id;
+do
+	set -- "$@" "$id"
+done < "${__object:?}/parameter/gpgid"
+
+# Load required password store location parameter.
+PASSWORD_STORE_DIR="$(cat "${__object:?}/parameter/storedir")"
+export PASSWORD_STORE_DIR
+
+# Do our work.
+pass init "$@" >/dev/null
--- a/type/__pass_init/man.rst
+++ b/type/__pass_init/man.rst
@ -0,0 +1,56 @@
+cdist-type__pass_init(7)
+========================
+
+NAME
+----
+cdist-type__pass_init - Initialize a local password store.
+
+
+DESCRIPTION
+-----------
+This type is intented to be used as a prerequisite to the
+cdist-type__pass(7) type. It will set up a pass(1) password
+store with the provided GPP2(1) public encryption key IDs.
+
+
+REQUIRED PARAMETERS
+-------------------
+storedir
+    The host-local directory where the password store is to be found (or
+    created if it does not exist).
+
+
+REQUIRED MULTIPLE PARAMETERS
+----------------------------
+gpgid
+    The GPG IDs of the public keys used to encrypt the password store.
+
+
+EXAMPLES
+--------
+
+.. code-block:: sh
+
+    # Setup a repository with a GPG ID
+    __pass_init
+        --storedir password/store/location
+        --gpgpid 92296965EAA1DD86A93284EF7B21E5AA32FB9810
+
+--
+
+SEE ALSO
+--------
+`pass`\ (7), `cdist-type__pass`\ (7)
+
+
+AUTHORS
+-------
+Joachim Desroches <joachim.desroches@epfl.ch>
+
+
+COPYING
+-------
+Copyright \(C) 2021 Joachim Desroches. You can redistribute it
+and/or modify it under the terms of the GNU General Public License as
+published by the Free Software Foundation, either version 3 of the
+License, or (at your option) any later version.
--- a/type/__pass_init/parameter/required
+++ b/type/__pass_init/parameter/required
@ -0,0 +1 @@
+storedir
--- a/type/__pass_init/parameter/required_multiple
+++ b/type/__pass_init/parameter/required_multiple
--- a/type/__pass_init/singleton
+++ b/type/__pass_init/singleton