feat: remove deprecated shell scripts and add Python alternatives for all of them
Some checks failed
Nix Format Check / check-format (push) Failing after 37s
Some checks failed
Nix Format Check / check-format (push) Failing after 37s
This commit is contained in:
168
bin/actions/secrets.py
Executable file
168
bin/actions/secrets.py
Executable file
@@ -0,0 +1,168 @@
|
||||
#!/usr/bin/env python3
|
||||
|
||||
import os
|
||||
import sys
|
||||
import subprocess
|
||||
import hashlib
|
||||
import glob
|
||||
|
||||
# Import helper functions
|
||||
sys.path.append(os.path.join(os.path.expanduser("~/.dotfiles"), "bin"))
|
||||
from helpers.functions import printfe, run_command
|
||||
|
||||
def is_wsl():
|
||||
"""Check if running under WSL"""
|
||||
try:
|
||||
with open('/proc/version', 'r') as f:
|
||||
return 'microsoft' in f.read().lower()
|
||||
except:
|
||||
return False
|
||||
|
||||
def get_password():
|
||||
"""Get password from 1Password"""
|
||||
# Choose the appropriate op command based on WSL status
|
||||
op_cmd = "op.exe" if is_wsl() else "op"
|
||||
|
||||
# Try to get the password
|
||||
success, output = run_command([op_cmd, "item", "get", "Dotfiles Secrets", "--fields", "password"])
|
||||
|
||||
if not success:
|
||||
printfe("red", "Failed to fetch password from 1Password.")
|
||||
return None
|
||||
|
||||
# Check if we need to use a token
|
||||
if "use 'op item get" in output:
|
||||
# Extract the token
|
||||
token = output.split("use 'op item get ")[1].split(" --")[0]
|
||||
printfe("cyan", f"Got fetch token: {token}")
|
||||
|
||||
# Use the token to get the actual password
|
||||
success, password = run_command(
|
||||
[op_cmd, "item", "get", token, "--reveal", "--fields", "password"]
|
||||
)
|
||||
if not success:
|
||||
return None
|
||||
return password
|
||||
else:
|
||||
# We already got the password
|
||||
return output
|
||||
|
||||
def prompt_for_password():
|
||||
"""Ask for password manually"""
|
||||
import getpass
|
||||
printfe("cyan", "Enter the password manually: ")
|
||||
password = getpass.getpass("")
|
||||
|
||||
if not password:
|
||||
printfe("red", "Password cannot be empty.")
|
||||
sys.exit(1)
|
||||
|
||||
printfe("green", "Password entered successfully.")
|
||||
return password
|
||||
|
||||
def calculate_checksum(file_path):
|
||||
"""Calculate SHA256 checksum of a file"""
|
||||
sha256_hash = hashlib.sha256()
|
||||
with open(file_path, "rb") as f:
|
||||
for byte_block in iter(lambda: f.read(4096), b""):
|
||||
sha256_hash.update(byte_block)
|
||||
return sha256_hash.hexdigest()
|
||||
|
||||
def encrypt_folder(folder_path, password):
|
||||
"""Recursively encrypt files in a folder"""
|
||||
for item in glob.glob(os.path.join(folder_path, "*")):
|
||||
# Skip .gpg and .sha256 files
|
||||
if item.endswith(".gpg") or item.endswith(".sha256"):
|
||||
continue
|
||||
|
||||
# Handle directories recursively
|
||||
if os.path.isdir(item):
|
||||
encrypt_folder(item, password)
|
||||
continue
|
||||
|
||||
# Calculate current checksum
|
||||
current_checksum = calculate_checksum(item)
|
||||
checksum_file = f"{item}.sha256"
|
||||
|
||||
# Check if file changed since last encryption
|
||||
if os.path.exists(checksum_file):
|
||||
with open(checksum_file, 'r') as f:
|
||||
previous_checksum = f.read().strip()
|
||||
|
||||
if current_checksum == previous_checksum:
|
||||
continue
|
||||
|
||||
# Remove existing .gpg file if it exists
|
||||
gpg_file = f"{item}.gpg"
|
||||
if os.path.exists(gpg_file):
|
||||
os.remove(gpg_file)
|
||||
|
||||
# Encrypt the file
|
||||
printfe("cyan", f"Encrypting {item}...")
|
||||
cmd = [
|
||||
"gpg", "--quiet", "--batch", "--yes", "--symmetric",
|
||||
"--cipher-algo", "AES256", "--armor",
|
||||
"--passphrase", password,
|
||||
"--output", gpg_file, item
|
||||
]
|
||||
|
||||
success, _ = run_command(cmd)
|
||||
if success:
|
||||
printfe("cyan", f"Staging {item} for commit...")
|
||||
run_command(["git", "add", "-f", gpg_file])
|
||||
|
||||
# Update checksum file
|
||||
with open(checksum_file, 'w') as f:
|
||||
f.write(current_checksum)
|
||||
else:
|
||||
printfe("red", f"Failed to encrypt {item}")
|
||||
|
||||
def decrypt_folder(folder_path, password):
|
||||
"""Recursively decrypt files in a folder"""
|
||||
for item in glob.glob(os.path.join(folder_path, "*")):
|
||||
# Handle .gpg files
|
||||
if item.endswith(".gpg"):
|
||||
output_file = item[:-4] # Remove .gpg extension
|
||||
printfe("cyan", f"Decrypting {item}...")
|
||||
|
||||
cmd = [
|
||||
"gpg", "--quiet", "--batch", "--yes", "--decrypt",
|
||||
"--passphrase", password,
|
||||
"--output", output_file, item
|
||||
]
|
||||
|
||||
success, _ = run_command(cmd)
|
||||
if not success:
|
||||
printfe("red", f"Failed to decrypt {item}")
|
||||
|
||||
# Process directories recursively
|
||||
elif os.path.isdir(item):
|
||||
printfe("cyan", f"Decrypting folder {item}...")
|
||||
decrypt_folder(item, password)
|
||||
|
||||
def main():
|
||||
if len(sys.argv) != 2 or sys.argv[1] not in ["encrypt", "decrypt"]:
|
||||
printfe("red", "Usage: secrets.py [encrypt|decrypt]")
|
||||
return 1
|
||||
|
||||
# Get the dotfiles path
|
||||
dotfiles_path = os.environ.get("DOTFILES_PATH", os.path.expanduser("~/.dotfiles"))
|
||||
secrets_path = os.path.join(dotfiles_path, "secrets")
|
||||
|
||||
# Get the password
|
||||
password = get_password()
|
||||
if not password:
|
||||
password = prompt_for_password()
|
||||
|
||||
# Perform the requested action
|
||||
if sys.argv[1] == "encrypt":
|
||||
printfe("cyan", "Encrypting secrets...")
|
||||
encrypt_folder(secrets_path, password)
|
||||
else: # decrypt
|
||||
printfe("cyan", "Decrypting secrets...")
|
||||
decrypt_folder(secrets_path, password)
|
||||
|
||||
return 0
|
||||
|
||||
if __name__ == "__main__":
|
||||
sys.exit(main())
|
Reference in New Issue
Block a user