plyint / encpass.sh

Lightweight solution for using encrypted passwords in shell scripts
MIT License

get_secret error #17

Closed przytula closed 4 years ago

przytula commented 4 years ago

a small problem anyhow

I removed all - download encpass.sh again and did

    [dbadmin@luechdb61 scripts]$ ./encpass.sh add db2Deploy.sh dbllua2
    Adding secret "dbllua2" to bucket "db2Deploy.sh"...
    Enter dbllua2:
    Confirm dbllua2:

repeated for different users

retrieve : ok

    [dbadmin@luechdb61 scripts]$ ./encpass.sh show
    db2Deploy.sh:
    dbllua1 = 9iOU0TBSXafvqKnH037c
    dbllua2 = wwxICOwW0HJkjzrez49P
    dbllud1 = VCYzqhvc8C1XMW6Uvfzc
    dbllud2 = TgdTi4WJec3x55J17AwF

but when using

    [dbadmin@luechdb61 scripts]$ get_secret db2Deploy.sh dbllua2
    basename: invalid option -- 'b'
    Try 'basename --help' for more information.
    wwxICOwW0HJkjzrez49P

the password is correct but complaining about basename

is this correct or only valid if called from db2Deploy.sh

best regards, Guy

przytula commented 4 years ago

and another issue

when invoking encpass.sh in current shell from command line : no message - ok

when loading encpass.sh from script I get

    [dbadmin@luechdb61 scripts]$ ./db2Deploy.sh -s scr.sql -m deploy.lst -e d
    handling script_name scr.sql for server_name : luechdb61 dbname : IEEINT
    trace1 <-- the echo I forced
    Command not recognized. See "encpass.sh help" for a list commands.
    ..

---------------------------------------------------

    ## get password from encrypted file -------------
    ## --------------------------------------------------

    echo "trace1"
    . ./encpass.sh

ahnick commented 4 years ago

To your first issue, the "get_secret" function is only designed to be used from within another shell script, which is why you are receiving that error message. If you'd like to see the contents of a secret directly from the command line you can use the following command:

    ./encpass.sh show db2Deploy.sh dbllua2

To your second issue, it looks like what is happening is that the parameters being passed into the shell script db2Deploy.sh are being passed along to encpass.sh when it is being sourced. This causes encpass.sh to try to interpret the parameters as commands. What you will need to do is ensure that no additional arguments are being passed to encpass.sh when it is being sourced. There are a couple different ways to accomplish this...

One way is to call "set --" before sourcing encpass.sh to clear the positional parameters. For example:

    #!/bin/sh
    # Clear the positional parameters so encpass.sh sees none when sourced
    set --
    . ./encpass.sh

The only problem is that you will need to save off the positional parameters into variables, before clearing them; otherwise, you won't have them available later on in the script.

    #!/bin/sh
    # Save the first positional parameter before clearing them all
    var1=$1
    set --
    . ./encpass.sh

If you have a lot of variables, that is somewhat annoying to do, and then if your script was referring to positional parameters, now you have to go and update it to use the variable names. A nicer way is to save all the positional parameters at once and then restore them.

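    #!/bin/sh
    # Save all positional parameters as one space-joined string
    VARS=$@
    set --
    . ./encpass.sh
    # Restore them; $VARS is unquoted, so arguments are re-split on whitespace
    set -- $VARS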

That's much better, but it is a bit messy. A final way I might suggest is to create a single-line include function that you call and you can take advantage of the shell's automatic scoping of the positional variables when a function is called.

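    #!/bin/sh
    # Inside the function, the positional parameters are the function's own;
    # after the shift, none are left for the sourced file to see
    include() { file=$1; shift; . "$file" ; }
    include ./encpass.sh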

The bonus to this method is that now you can reuse that include function for other scripts if necessary.
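The approaches discussed in the comment above, compared side by side in an added example that is not part of the original thread or of the encpass.sh project. `stub_lib.sh` is a constructed stand-in for encpass.sh that only records how many positional parameters it sees while being sourced; the function names and sample arguments are also constructed.

```shell
#!/bin/sh
# stub_lib.sh is a constructed stand-in for encpass.sh (assumption): it only
# records how many positional parameters are visible while it is sourced.
STUB_DIR=$(mktemp -d)
STUB_LIB="$STUB_DIR/stub_lib.sh"
cat > "$STUB_LIB" <<'EOF'
SEEN_ARGC=$#
EOF

# The include helper from the thread, with the file path quoted.
include() { file=$1; shift; . "$file"; }

# Removes the temporary stub; call it once the comparison is finished.
cleanup_stub() { rm -rf "$STUB_DIR"; }

# Constructed caller arguments; one contains a space on purpose.
# Case 1: sourcing directly exposes the caller's arguments to the library.
direct_source() {
    set -- -s "scr one.sql" -m deploy.lst
    . "$STUB_LIB"
    echo "$SEEN_ARGC"
}

# Case 2: include() gives the library an empty argument list, and the
# caller's arguments are untouched afterwards.
via_include() {
    set -- -s "scr one.sql" -m deploy.lst
    include "$STUB_LIB"
    echo "$SEEN_ARGC:$#:$2"
}

# Case 3: VARS=$@ ... set -- $VARS also hides the arguments, but the
# unquoted expansion re-splits "scr one.sql" into two words.
save_restore() {
    set -- -s "scr one.sql" -m deploy.lst
    VARS=$@
    set --
    . "$STUB_LIB"
    set -- $VARS
    echo "$SEEN_ARGC:$#:$2"
}

# Each field is library-visible count, then caller's count and second argument.
printf 'direct=%s include=%s save_restore=%s\n' \
    "$(direct_source)" "$(via_include)" "$(save_restore)"
```

Only the include form both hides the arguments from the sourced file and returns them to the caller unchanged when an argument contains whitespace.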

ahnick commented 4 years ago

@przytula After thinking about it a bit further, I was able to add support to encpass.sh to still be sourced even if arbitrary arguments are passed to it from a calling script. I still think it's probably a better practice to prevent the arguments in the calling script from being passed into encpass.sh to begin with, but I can see how this is confusing from the user's perspective; therefore, I decided to add a bit more robust handling on the encpass.sh side. If you pull the latest encpass.sh from the master branch it should just work for you.

Also, I went ahead and pushed some simple import/export capabilities for secrets in this pull request that I had been holding back for a while. The import/export stuff still needs a bit more work, but it is definitely usable in its current state. Note, right now there is no support for exporting keys as I want to make sure this is done only when an explicit flag and password are passed to the export command. (This will be implemented in an upcoming release)

przytula commented 4 years ago

thanks for all update/help

although I never use positional parameters I added the set -- before calling encpass

this resolved the problem

best regards, Guy

ahnick commented 4 years ago

Great, glad it worked out. If you need more help or run into something else, just open another issue.