Remove ".sh" from file names.

Refactor so it does not rely on PWD being the repo basedir. Fix assumptions about HG and GIT use.
2014-08-28 20:47:32 +00:00
parent c903bdc575
commit f387bc9f30
12 changed files with 113 additions and 95 deletions
--- a/bin/_blackbox_common.sh
+++ b/bin/_blackbox_common.sh
@@ -1,32 +1,38 @@
+#!/usr/bin/env bash

 #
 # Common constants and functions used by the blackbox_* utilities.
 #

-KEYRINGDIR=keyrings/live
+# Usage:
+#   . _blackbox_common.sh
+
+# Where in the VCS repo should the blackbox data be found?
+: ${BLACKBOXDATA:=keyrings/live} ;   # If BLACKBOXDATA not set, set it.
+
+set -e
+
+# Outputs a string that is the base directory of this VCS repo.
+# By side-effect, sets the variable VCS_TYPE to either 'git', 'hg',
+# or 'unknown'.
+function _determine_vcs_base_and_type() {
+  if hg root 2>/dev/null ; then
+    VCS_TYPE=hg
+  elif git rev-parse --show-toplevel 2>/dev/null ; then
+    VCS_TYPE=git
+  else
+    echo /dev/null
+    VCS_TYPE=unknown
+  fi
+}
+
+REPOBASE=$(_determine_vcs_base_and_type)
+KEYRINGDIR="$REPOBASE/$BLACKBOXDATA"
 BB_ADMINS="${KEYRINGDIR}/blackbox-admins.txt"
 BB_FILES="${KEYRINGDIR}/blackbox-files.txt"
 SECRING="${KEYRINGDIR}/secring.gpg"
 PUBRING="${KEYRINGDIR}/pubring.gpg"

-# Exit with error if the environment is not right.
-function fail_if_bad_environment() {
-  # Current checked:
-  #   Nothing.
-
-  :
-
-  # TODO: Consider: cd $(git rev-parse --show-toplevel)
-  # And: hg root
-
-  ## Are we in the base directory.
-  #if [[ ! $(pwd) =~ \/puppet$ ]]; then
-  #  echo 'ERROR: Please run this script from the base directory.'
-  #  echo 'Exiting...'
-  #  exit 1
-  #fi
-}
-
 # Exit with error if a file exists.
 function fail_if_exists() {
  if [[ -f "$1" ]]; then
@@ -183,19 +189,9 @@ function enumerate_subdirs() {
  done <"$listfile" | sort -u
 }

-# Are we in git, hg, or other repo?
+# Are we in git, hg, or unknown repo?
 function which_vcs() {
-  if [[ -d .git ]]; then
-    echo git
-  elif [[ -d .hg ]]; then
-    echo hg
-  elif git rev-parse --git-dir > /dev/null 2>&1 ; then
-    echo git
-  elif hg status >/dev/null 2>&1 ; then
-    echo hg
-  else
-    echo other
-  fi
+  echo "$REPO_TYPE"
 }

 # Is this file in the current repo?
--- a/bin/blackbox_addadmin
+++ b/bin/blackbox_addadmin
@@ -0,0 +1,17 @@
+#!/usr/bin/env bash
+
+#
+# blackbox_addadmin -- Add an admin to the system
+#
+#
+# Example:
+#    blackbox_addadmin tal@example.com
+#
+
+. _blackbox_common.sh
+
+# Add the email address to the BB_ADMINS file.  Remove any duplicates.
+
+# The file must exist for sort to act as we expect.
+touch "$BB_ADMINS"
+sort  -fdu -o "$BB_ADMINS" <(echo "$1") "$BB_ADMINS"
--- a/bin/blackbox_addadmin.sh
+++ b/bin/blackbox_addadmin.sh
@@ -1,7 +0,0 @@
-#!/usr/bin/env bash
-
-set -e
-
-cd keyrings/live
-touch blackbox-admins.txt
-sort  -fdu -o blackbox-admins.txt <(echo "$1") blackbox-admins.txt
--- a/bin/blackbox_edit_end.sh
+++ b/bin/blackbox_edit_end.sh
@@ -1,13 +1,11 @@
-#!/bin/bash
+#!/usr/bin/env bash

 #
-# blackbox_edit_end.sh -- Re-encrypt file after edits.
+# blackbox_edit_end -- Re-encrypt file after edits.
 #

-source blackbox_common.sh
-set -e
+. _blackbox_common.sh

-fail_if_bad_environment
 unencrypted_file=$(get_unencrypted_filename "$1")
 encrypted_file=$(get_encrypted_filename "$1")
 echo ========== PLAINFILE "$unencrypted_file"
--- a/bin/blackbox_edit_start.sh
+++ b/bin/blackbox_edit_start.sh
@@ -4,10 +4,7 @@
 # blackbox_edit_start.sh -- Decrypt a file for editing.
 #

-source blackbox_common.sh
-set -e
-
-fail_if_bad_environment
+. _blackbox_common.sh

 for param in """$@""" ; do
  unencrypted_file=$(get_unencrypted_filename "$param")
--- a/bin/blackbox_postdeploy.sh
+++ b/bin/blackbox_postdeploy.sh
@@ -4,14 +4,16 @@
 # blackbox_postdeploy.sh -- Decrypt all blackbox files.
 #

-: ${BASEDIR:=/etc/puppet} ;
-: ${CHGRP:=chgrp} ;
+# Since this is often run in a security-critical situation, we
+# force /usr/bin and /bin to the front of the PATH.
+export PATH=/usr/bin:/bin:"$PATH"

-cd "$BASEDIR"
-export PATH=/usr/bin:/bin:"$BASEDIR"/bin:"$PATH"
+. _blackbox_common.sh

-source blackbox_common.sh
-set -e
+# If we aren't in a repo, assume /etc/puppet.
+if [[ "$REPOBASE" = "/dev/null" ]]; then
+  REPOBASE=/etc/puppet
+fi

 prepare_keychain

--- a/bin/blackbox_register_new_file.sh
+++ b/bin/blackbox_register_new_file.sh
@@ -3,15 +3,13 @@
 #
 # blackbox_register_new_file.sh -- Enroll a new file in the blackbox system.
 #
-# Takes a previously unencrypted file and enters it into the blackbox
-# system.  It will be kept in HG as an encrypted file.  On deployment
-# to the puppet masters, it will be decrypted.  The puppet masters
-# refer to the unencrypted filename.
+# Takes a previously unencrypted file and enrolls it into the blackbox
+# system.  It will be kept in the repo as an encrypted file.  On deployment
+# to systems that need the plaintext (unencrypted) versions, run
+# blackbox_postdeploy.sh to decrypt all the files.

-source blackbox_common.sh
-set -e
+. _blackbox_common.sh

-fail_if_bad_environment
 unencrypted_file=$(get_unencrypted_filename "$1")
 encrypted_file=$(get_encrypted_filename "$1")

@@ -30,21 +28,18 @@ prepare_keychain
 encrypt_file "$unencrypted_file" "$encrypted_file"
 add_filename_to_cryptlist "$unencrypted_file"

-# TODO(tlim): The code below should be rewritten to check
-# for HG vs. GIT use and DTRT depending.
-
 # Is the unencrypted file already in HG? (ie. are we correcting a bad situation)
 SECRETSEXPOSED=$(is_in_vcs ${unencrypted_file})
 echo "========== CREATED: ${encrypted_file}"
 echo "========== UPDATING REPO:"
 shred_file "$unencrypted_file"

-# NOTE(tlim): Because we use $VCSCMD, we can only use commands that
-# work for both git and hg.
 VCSCMD=$(which_vcs)
 if $SECRETSEXPOSED ; then
  rm_from_vcs "$unencrypted_file"
  $VCSCMD add "$encrypted_file"
+  # NOTE(tlim): Because we use $VCSCMD as a command, we can only use commands
+  # that work for both git and hg.
  COMMIT_FILES="$BB_FILES $encrypted_file $unencrypted_file"
 else
  COMMIT_FILES="$BB_FILES $encrypted_file"
@@ -52,6 +47,6 @@ fi
 echo 'NOTE: "already tracked!" messages are safe to ignore.'
 $VCSCMD add $BB_FILES $encrypted_file
 $VCSCMD commit -m"registered in blackbox: ${unencrypted_file}" $COMMIT_FILES
-echo "========== UPDATING HG: DONE"
+echo "========== UPDATING VCS: DONE"
 echo "Local repo updated.  Please push when ready."
 echo "    $VCSCMD push"
--- a/bin/blackbox_start
+++ b/bin/blackbox_start
@@ -4,9 +4,7 @@
 # blackbox_edit_start.sh -- Decrypt a file for editing.
 #

-source blackbox_common.sh
-
-fail_if_bad_environment
+. _blackbox_common.sh

 for param in """$@""" ; do
  unencrypted_file=$(get_unencrypted_filename "$param")
--- a/bin/blackbox_update_all_files.sh
+++ b/bin/blackbox_update_all_files.sh
@@ -4,10 +4,7 @@
 # blackbox_edit_end.sh -- Re-encrypt file after edits.
 #

-source blackbox_common.sh
-set -e
-
-fail_if_bad_environment
+. _blackbox_common.sh

 if [[ -z $GPG_AGENT_INFO ]]; then
  echo 'WARNING: You probably want to run gpg-agent as'
@@ -53,8 +50,12 @@ done
 fail_if_keychain_has_secrets

 echo '========== COMMITING TO HG:'
-hg commit -m'Re-encrypted keys' $(awk <$BB_FILES '{ print $1 ".gpg" }' )
+VCSCMD=$(which_vcs)
+$VCSCMD commit -m'Re-encrypted keys' $(awk <$BB_FILES '{ print $1 ".gpg" }' )
+# NOTE(tlim): Because we use $VCSCMD as a command, we can only use commands
+# that work for both git and hg. That's pretty lazy. We should add
+# a function to _blackbox_common.sh that commits a file.

 echo '========== DONE.'
 echo 'Likely next step:'
-echo '    hg push'
+echo "    ${VCSCMD} push"