From 0d431d086c967ee5bdf67d0bd568c06c1a504111 Mon Sep 17 00:00:00 2001
From: Joachim Desroches
Date: Wed, 27 Jan 2021 16:06:28 +0100
Subject: [PATCH] Split initializing the password store from generating passwords.
---
 type/__pass/gencode-local | 20 +++----
 type/__pass/man.rst | 16 ++----
 type/__pass_init/gencode-local | 43 ++++++++++++++
 type/__pass_init/man.rst | 56 +++++++++++++++++++
 type/__pass_init/parameter/required | 1 +
 .../parameter/required_multiple | 0
 type/__pass_init/singleton | 0
 7 files changed, 115 insertions(+), 21 deletions(-)
 create mode 100755 type/__pass_init/gencode-local
 create mode 100644 type/__pass_init/man.rst
 create mode 100644 type/__pass_init/parameter/required
 rename type/{__pass => __pass_init}/parameter/required_multiple (100%)
 create mode 100644 type/__pass_init/singleton
diff --git a/type/__pass/gencode-local b/type/__pass/gencode-local
index e9e983c..e1277fa 100755
--- a/type/__pass/gencode-local
+++ b/type/__pass/gencode-local
@@ -46,25 +46,25 @@ then
 NOSYMB="-n"
 fi
 
-# Load required GPG ID parameters.
-set --
-while read -r id;
-do
- set -- "$@" "$id"
-done < "${__object:?}/parameter/gpgid"
-
 # Load required password store location parameter.
 PASSWORD_STORE_DIR="$(cat "${__object:?}/parameter/storedir")"
 export PASSWORD_STORE_DIR
 
-# Run every time in case GPG IDs are updated.
-pass init "$@" >/dev/null
+# Check if the password store is initialized.
+if ! pass ls >/dev/null 2>&1;
+then
+ cat <<- EOF >&2
+ __pass: this type requires the password store to be initialized.
+ See cdist-type__pass_init(7) and pass(1) for more information.
+ EOF
+ exit 1;
+fi
 
 # Generate a password if it does not already exist.
 if [ ! -f "${PASSWORD_STORE_DIR}/${__object_id:?}.gpg" ];
 then
 # shellcheck disable=SC2086
- pass generate $NOSYMB "${__object_id:?}" $LENGTH
+ pass generate $NOSYMB "${__object_id:?}" $LENGTH >/dev/null
 fi
 
 # Send it out to the messages.
diff --git a/type/__pass/man.rst b/type/__pass/man.rst
index 60bc6f8..ea9b93c 100644
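Review bot: The new `pass ls` guard does not establish what its message claims: as far as I can tell from pass(1), `pass ls` succeeds as soon as the store directory exists, whether or not `pass init` has ever written a `.gpg-id` into it, and it fails for unrelated reasons such as `tree` being absent, so a present-but-uninitialized `--storedir` passes the guard and the later `pass generate` aborts with pass's own less specific error. Testing for the recipients file is more direct and adds no dependency: `if [ ! -f "${PASSWORD_STORE_DIR}/.gpg-id" ];`. The heredoc is written with `<<-`, which strips leading tabs only, so the message lines and the `EOF` terminator must be tab-indented or the document never closes; the collapsed patch text does not show which indentation was used, and the same applies to the `pass` check in type/__pass_init/gencode-local. The script continues outside the hunk on both sides.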
--- a/type/__pass/man.rst
+++ b/type/__pass/man.rst
@@ -14,9 +14,6 @@ types depending on this one should require it. This enables an administrator to ensure a password exists using this type and then, from another type, use it as need be. -This type also sets the GPG IDs used to encrypt the password store: beware that -the IDs passed in the last ran invocation of the type will be the ones set for -the store. REQUIRED PARAMETERS -------------------
@@ -25,11 +22,6 @@ storedir created if it does not exist). -REQUIRED MULTIPLE PARAMETERS ----------------------------- -gpgid - The GPG IDs of the public keys used to encrypt the password store. - OPTIONAL PARAMETERS ------------------- length
@@ -37,6 +29,7 @@ length it exists, this has no effect (and hence will not update the password, even if the length is different from the one specified). + BOOLEAN PARAMETERS ------------------ no-symbols
@@ -52,18 +45,19 @@ looks up in the cdist messages to find it: .. code-block:: sh - __pass database/services/arandomservice + require=__pass_init \ + __pass database/services/arandomservice \ --storedir password/store/location - --gpgpid 92296965EAA1DD86A93284EF7B21E5AA32FB9810 require='__pass/database/services/arandomservice' \ __othertype --password database/service/arandomservice + -- SEE ALSO -------- -`pass`\ (7) +`pass`\ (7), `cdist-type__pass_init`\ (7) AUTHORS
diff --git a/type/__pass_init/gencode-local b/type/__pass_init/gencode-local
new file mode 100755
index 0000000..0be44d9
--- /dev/null
+++ b/type/__pass_init/gencode-local
@@ -0,0 +1,43 @@
+#!/bin/sh -e
+#
+# 2020 Joachim Desroches (joachim.desroches@epfl.ch)
+#
+# This file is part of cdist.
+#
+# cdist is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# cdist is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with cdist. If not, see .
+#
+
+# Check pass is installed.
+command -v pass >/dev/null 2>&1 ||
+ {
+ cat <<- EOF >&2
+ __pass_init: this type requires pass installed.
+ See https://www.passwordstore.org/.
+ EOF
+ exit 1;
+ }
+
+# Load required GPG ID parameters.
+set --
+while read -r id;
+do
+ set -- "$@" "$id"
+done < "${__object:?}/parameter/gpgid"
+
+# Load required password store location parameter.
+PASSWORD_STORE_DIR="$(cat "${__object:?}/parameter/storedir")"
+export PASSWORD_STORE_DIR
+
+# Do our work.
+pass init "$@" >/dev/null
diff --git a/type/__pass_init/man.rst b/type/__pass_init/man.rst
new file mode 100644
index 0000000..7a8d01e
--- /dev/null
+++ b/type/__pass_init/man.rst
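Review bot: `pass init "$@" >/dev/null` runs unconditionally on every cdist run, so a store whose `.gpg-id` already lists exactly the requested IDs still has that file rewritten each time (and, as far as I can tell from pass(1), re-added to git where the store is a repository); comparing the lines of `"$@"` with the current contents of `"${PASSWORD_STORE_DIR}/.gpg-id"` and skipping `pass init` when they match would make the type a no-op on a converged host. A short header comment saying that each line of `parameter/gpgid` is passed verbatim to `pass init` as a recipient, so full fingerprints as in the man page example are preferable to short key IDs that can be spoofed by collision, would help callers. The new man page example spells the parameter `--gpgpid` while this script reads `parameter/gpgid`; presumably cdist rejects the former as unknown, so the documented example would not run. The file header says 2020 although the patch and the new man page say 2021.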
@@ -0,0 +1,56 @@
+cdist-type__pass_init(7)
+========================
+
+NAME
+----
+cdist-type__pass_init - Initialize a local password store.
+
+
+DESCRIPTION
+-----------
+This type is intented to be used as a prerequisite to the
+cdist-type__pass(7) type. It will set up a pass(1) password
+store with the provided GPP2(1) public encryption key IDs.
+
+
+REQUIRED PARAMETERS
+-------------------
+storedir
+ The host-local directory where the password store is to be found (or
+ created if it does not exist).
+
+
+REQUIRED MULTIPLE PARAMETERS
+----------------------------
+gpgid
+ The GPG IDs of the public keys used to encrypt the password store.
+
+
+EXAMPLES
+--------
+
+.. code-block:: sh
+
+ # Setup a repository with a GPG ID
+ __pass_init
+ --storedir password/store/location
+ --gpgpid 92296965EAA1DD86A93284EF7B21E5AA32FB9810
+
+--
+
+SEE ALSO
+--------
+`pass`\ (7), `cdist-type__pass`\ (7)
+
+
+AUTHORS
+-------
+Joachim Desroches
+
+
+COPYING
+-------
+Copyright \(C) 2021 Joachim Desroches. You can redistribute it
+and/or modify it under the terms of the GNU General Public License as
+published by the Free Software Foundation, either version 3 of the
+License, or (at your option) any later version.
diff --git a/type/__pass_init/parameter/required b/type/__pass_init/parameter/required
new file mode 100644
index 0000000..f2fc3a2
--- /dev/null
+++ b/type/__pass_init/parameter/required
@@ -0,0 +1 @@
+storedir
diff --git a/type/__pass/parameter/required_multiple b/type/__pass_init/parameter/required_multiple
similarity index 100%
rename from type/__pass/parameter/required_multiple
rename to type/__pass_init/parameter/required_multiple
diff --git a/type/__pass_init/singleton b/type/__pass_init/singleton
new file mode 100644
index 0000000..e69de29