heroes / salt

Clone
Source Code
GIT

Files

adjust-ci-pipeline anikitin/mirrorcache anikitin/t_allow_jinja_in_secrets anikitin/web_mirrors__proxy_mirrorcache bootloader cboltz-borgbackup cboltz-relnotes-15.3 cboltz-scar-sshd doc-o-o gateway hellcp/matrix-synapse-workers-syntax hellcp/paste-sync ifconfig infra libvirt lrupp-production-patch-08358 lrupp/add_identification lrupp/remove_login_interface lrupp/retire lrupp/serve_www mailman micro monitoring-restart paste-socket postfix-aliases production repositories set-secret-detection-config-1 sysctl update-access-crtmgr
  1.   sysctl
  2.   bin
  3.   test_secrets.sh
Blob Blame History Raw 
#!/bin/bash

# Script that validates that the pillar/secret/*/*.sls files contain the
# appropriate header, and that none other pillar files contain this header or
# any secrets

set -Ceu

HEADER_REGEX='^(#!yaml\|gpg|#!gpg\|yaml|#!jinja\|yaml\|gpg)$'
HEADER_EMPTY='^(# empty)$'
STATUS=0

SECRETS_SLS=$(find pillar/secrets -name '*.sls' 2> /dev/null)
if [[ -n $SECRETS_SLS ]];  then
    for secret_sls in ${SECRETS_SLS[@]}; do
        HEADER_LINE="$(head -n 1 $secret_sls)"
	if [[ ! "$HEADER_LINE" =~ $HEADER_REGEX && ! ( "$HEADER_LINE" =~ $HEADER_EMPTY && "$(wc -l < $secret_sls)" == 1 ) ]]; then
            echo "The first line in $secret_sls is not matching \"$HEADER_REGEX\""
            STATUS=1
        fi
    done
fi

for sls in $(find pillar/ -not -path 'pillar/secrets/*' -name '*.sls'); do
    if $(grep -Eq "$HEADER_REGEX" $sls); then
        echo "$sls matches \"$HEADER_REGEX\", please remove such lines from non-secret pillar files"
        STATUS=1
    fi
    if $(grep -q "BEGIN GPG MESSAGE" $sls); then
        echo "$sls contains secrets. Please move them to pillar/secrets/${sls#*/}"
        STATUS=1
    fi
done

exit $STATUS
Powered by Pagure 5.13.3
DocumentationAbout this InstanceSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.