From bd12d85309da129188bfb07308359bf663447276 Mon Sep 17 00:00:00 2001
From: Adar Nimrod <nimrod@shore.co.il>
Date: Sat, 14 Aug 2021 23:19:18 +0300
Subject: [PATCH] Secure templates.

Use template and passhole to generate files instead of a bunch of echo
and printf commands.
---
 .aws/credentials.j2          |  8 +++++
 .bashrc.private.j2           |  7 ++++
 .bundle/config.j2            |  3 ++
 .config/gem/gemrc.j2         | 10 ++++++
 .config/python-gitlab.cfg.j2 |  9 +++++
 Makefile                     | 65 +++++++++++-------------------------
 6 files changed, 56 insertions(+), 46 deletions(-)
 create mode 100644 .aws/credentials.j2
 create mode 100644 .bashrc.private.j2
 create mode 100644 .bundle/config.j2
 create mode 100644 .config/gem/gemrc.j2
 create mode 100644 .config/python-gitlab.cfg.j2

diff --git a/.aws/credentials.j2 b/.aws/credentials.j2
new file mode 100644
index 0000000..76c3be8
--- /dev/null
+++ b/.aws/credentials.j2
@@ -0,0 +1,8 @@
+# vim: ft=cfg
+[shore]
+aws_access_key_id = {{ run(["ph", "show", "--field", "UserName", "shore.co.il/AWS CLI"])["stdout"] }}
+aws_secret_access_key = {{ run(["ph", "show", "--field", "Password", "shore.co.il/AWS CLI"])["stdout"] }}
+
+[smile]
+aws_access_key_id = {{ run(["ph", "show", "--field", "UserName", "Smile/AWS CLI"])["stdout"] }}
+aws_secret_access_key = {{ run(["ph", "show", "--field", "Password", "Smile/AWS CLI"])["stdout"] }}
diff --git a/.bashrc.private.j2 b/.bashrc.private.j2
new file mode 100644
index 0000000..dab2e8b
--- /dev/null
+++ b/.bashrc.private.j2
@@ -0,0 +1,7 @@
+# vim: ft=bash
+export GITLAB_TOKEN='{{ run(["ph", "show", "--field", "Password", "shore.co.il/GitLab token"])["stdout"] }}'
+export GITLAB_PRIVATE_TOKEN="$GITLAB_TOKEN"
+export GITLAB_REGISTRATION_TOKEN='{{ run(["ph", "show", "--field", "Password", "shore.co.il/GitLab runner registration token"])["stdout"] }}'
+export GITHUB_TOKEN='{{ run(["ph", "show", "--field", "CLI token", "Web Sites/GitHub"])["stdout"] }}'
+{% set nc_password = run(["ph", "show", "--field", "Password", "shore.co.il/LDAP"])["stdout"] %}
+export RCLONE_CONFIG_NEXTCLOUD_PASS='{{ run(["rclone", "obscure", nc_password]) }}'
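Review bot: The `RCLONE_CONFIG_NEXTCLOUD_PASS` export on the last line of the hunk interpolates `run([...])` directly, while every other `run()` call in this file and in the sibling templates indexes `["stdout"]`; unless `run()` returns a plain string for this call, the rendered export will contain the whole result object rather than the obscured password. The line should read `export RCLONE_CONFIG_NEXTCLOUD_PASS='{{ run(["rclone", "obscure", nc_password])["stdout"] }}'`. Also, if `run()` does not strip the trailing newline from stdout (the old `$(...)` substitution it replaces did), each single-quoted value here will span two lines and break the sourced file — worth confirming against one rendered output before relying on it.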
diff --git a/.bundle/config.j2 b/.bundle/config.j2
new file mode 100644
index 0000000..0dbaff7
--- /dev/null
+++ b/.bundle/config.j2
@@ -0,0 +1,3 @@
+# vim:ft=yaml
+---
+BUNDLE_HTTPS://RUBYGEMS__PKG__GITHUB__COM/SMILE-IO/: '{{ run(["ph", "show", "--field", "UserName", "Web Sites/GitHub"])["stdout"] }}:{{ run(["ph", "show", "--field", "Smile gem token", "Web Sites/GitHub"])["stdout"] }}'
diff --git a/.config/gem/gemrc.j2 b/.config/gem/gemrc.j2
new file mode 100644
index 0000000..d75d87b
--- /dev/null
+++ b/.config/gem/gemrc.j2
@@ -0,0 +1,10 @@
+# vim: ft=yaml
+---
+:backtrace: false
+:bulk_threshold: 1000
+:sources:
+- https://rubygems.org/
+- https://{{ run(["ph", "show", "--field", "UserName", "Web Sites/GitHub"])["stdout"] }}:{{ run(["ph", "show", "--field", "Smile gem token", "Web Sites/GitHub"])["stdout"] }}@rubygems.pkg.github.com/smile-io/
+:update_sources: true
+:verbose: true
+:concurrent_downloads: 8
diff --git a/.config/python-gitlab.cfg.j2 b/.config/python-gitlab.cfg.j2
new file mode 100644
index 0000000..5a51c00
--- /dev/null
+++ b/.config/python-gitlab.cfg.j2
@@ -0,0 +1,9 @@
+# vim: ft=cfg
+[global]
+default = shore.co.il
+ssl_verify = true
+
+[shore.co.il]
+url = https://git.shore.co.il/
+private_token = {{ run(["ph", "show", "--field", "Password", "shore.co.il/GitLab token"])["stdout"] }}
+api_version = 4
diff --git a/Makefile b/Makefile
index cf903fb..dd643af 100644
--- a/Makefile
+++ b/Makefile
@@ -29,14 +29,6 @@ all: .config/pythonrc.py
 	$(mkd)
 	$(download) https://raw.githubusercontent.com/lonetwin/pythonrc/0.8.4/pythonrc.py
 
-all: .bashrc.private
-.bashrc.private: Documents/Database.kdbx
-	echo "export GITLAB_TOKEN='$$(ph show --field Password 'shore.co.il/GitLab token')'" > '$@'
-	echo 'export GITLAB_PRIVATE_TOKEN="$$GITLAB_TOKEN"' >> '$@'
-	echo "export GITLAB_REGISTRATION_TOKEN='$$(ph show --field Password 'shore.co.il/GitLab runner registration token')'" >> '$@'
-	echo "export GITHUB_TOKEN='$$(ph show --field 'CLI token' 'Web Sites/GitHub')'" >> '$@'
-	printf "export RCLONE_CONFIG_NEXTCLOUD_PASS='%s'\n" "$$(rclone obscure "$$(ph show --field 'Password' 'shore.co.il/LDAP')")" >> '$@'
-
 all: .ssh/config
 .ssh/config: $(ssh_configs)
 	$(mkd)
@@ -58,52 +50,33 @@ all: .ssh/authorized_keys
 	$(mkd)
 	-$(ansible-local) -m authorized_key -a "user=$$(whoami) key='$$(cat .ssh/localhost.pub)' key_options='from=\"127.0.0.1/8\"'"
 
+all: .gnupg/trustdb.gpg
+.gnupg/trustdb.gpg: Documents/Database.kdbx
+	ph show --field 'Notes' 'GPG/D3B913DE36AB5565DCAC91C6A322378C61339ECD' | gpg --import
+	echo 'D3B913DE36AB5565DCAC91C6A322378C61339ECD:6:' | gpg --import-ownertrust
+	chmod 600 '$@'
+
+all: .bashrc.private
+.bashrc.private: .bashrc.private.j2 Documents/Database.kdbx
+	$(mkd)
+	template '$<' > '$@'
+
 all: .config/python-gitlab.cfg
-.config/python-gitlab.cfg: Documents/Database.kdbx
+.config/python-gitlab.cfg: .config/python-gitlab.cfg.j2 Documents/Database.kdbx
 	$(mkd)
-	echo '[global]' > '$@'
-	echo 'default = shore.co.il' >> '$@'
-	echo 'ssl_verify = true' >> '$@'
-	echo '' >> '$@'
-	echo '[shore.co.il]' >> '$@'
-	echo 'url = https://git.shore.co.il/' >> '$@'
-	echo "private_token = $$(ph show --field Password 'shore.co.il/GitLab token')" >> '$@'
-	echo 'api_version = 4' >> '$@'
+	template '$<' > '$@'
 
 all: .config/gem/gemrc
-.config/gem/gemrc: Documents/Database.kdbx
+.config/gem/gemrc: .config/gem/gemrc.j2 Documents/Database.kdbx
 	$(mkd)
-	echo '# vim: ft=yaml' > '$@'
-	echo '---' >> '$@'
-	echo ':backtrace: false' >> '$@'
-	echo ':bulk_threshold: 1000' >> '$@'
-	echo ':sources:' >> '$@'
-	echo '- https://rubygems.org/' >> '$@'
-	echo "- https://$$(ph show --field 'UserName' 'Web Sites/GitHub'):$$(ph show --field 'Smile gem token' 'Web Sites/GitHub')@rubygems.pkg.github.com/smile-io/" >> '$@'
-	echo ':update_sources: true' >> '$@'
-	echo ':verbose: true' >> '$@'
-	echo ':concurrent_downloads: 8' >> '$@'
+	template '$<' > '$@'
 
 all: .bundle/config
-.bundle/config: Documents/Database.kdbx
+.bundle/config: .bundle/config.j2 Documents/Database.kdbx
 	$(mkd)
-	echo '# vim:ft=yaml' > '$@'
-	echo '---' >> '$@'
-	echo "BUNDLE_HTTPS://RUBYGEMS__PKG__GITHUB__COM/SMILE-IO/: '$$(ph show --field 'UserName' 'Web Sites/GitHub'):$$(ph show --field 'Smile gem token' 'Web Sites/GitHub')'" >> '$@'
+	template '$<' > '$@'
 
 all: .aws/credentials
-.aws/credentials: Documents/Database.kdbx
+.aws/credentials: .aws/credentials.j2 Documents/Database.kdbx
 	$(mkd)
-	echo '[shore]' > '$@'
-	echo "aws_access_key_id = $$(ph show --field 'UserName' 'shore.co.il/AWS CLI')" >> '$@'
-	echo "aws_secret_access_key = $$(ph show --field 'Password' 'shore.co.il/AWS CLI')" >> '$@'
-	echo '' >> '$@'
-	echo '[smile]' > '$@'
-	echo "aws_access_key_id = $$(ph show --field 'UserName' 'Smile/AWS CLI')" >> '$@'
-	echo "aws_secret_access_key = $$(ph show --field 'Password' 'Smile/AWS CLI')" >> '$@'
-
-all: .gnupg/trustdb.gpg
-.gnupg/trustdb.gpg: Documents/Database.kdbx
-	ph show --field 'Notes' 'GPG/D3B913DE36AB5565DCAC91C6A322378C61339ECD' | gpg --import
-	echo 'D3B913DE36AB5565DCAC91C6A322378C61339ECD:6:' | gpg --import-ownertrust
-	chmod 600 '$@'
+	template '$<' > '$@'
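Review bot: Every rendered target in this hunk (`.bashrc.private`, `.config/python-gitlab.cfg`, `.config/gem/gemrc`, `.bundle/config`, `.aws/credentials`) now holds secrets, but `template '$<' > '$@'` lets the shell create `$@` under the default umask; only `.gnupg/trustdb.gpg` gets a `chmod 600`. Rendering as `umask 077 && template '$<' > '$@'` creates each file owner-only from the first byte, which is safer than a chmod after the write, and putting that one line in a variable (e.g. `render = umask 077 && template '$<' > '$@'`) keeps the five identical recipes in sync. A failed `template` (for instance `ph` unable to open `Documents/Database.kdbx`) also leaves a truncated `$@` that is newer than its prerequisites and therefore looks up to date on the next run; unless the file's prologue (outside this hunk) already sets `.DELETE_ON_ERROR:`, it should, or the recipe should write to `$@.tmp` and `mv -f` it into place.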
-- 
GitLab