| author | luisgulo <luisgulo@gmail.com> | 2025-10-24 18:01:10 +0200 |
|---|---|---|
| committer | luisgulo <luisgulo@gmail.com> | 2025-10-24 18:01:10 +0200 |
| commit | 533e79ba959143f0459431a486bfb85c56c72ddc (patch) | |
| tree | 91974de1bbbdc4c51c76ed591fc5c6e02a3342b6 /core/utils/vault-init.sh | |
| parent | 45019c81cfd0fc1d18dce18cdfd5f127c6d61073 (diff) | |
Releasing code version 1.8.0
Diffstat (limited to 'core/utils/vault-init.sh')
| -rwxr-xr-x | core/utils/vault-init.sh | 97 |
1 files changed, 97 insertions, 0 deletions
diff --git a/core/utils/vault-init.sh b/core/utils/vault-init.sh
new file mode 100755
index 0000000..3055a10
--- /dev/null
+++ b/core/utils/vault-init.sh
@@ -0,0 +1,97 @@
+#!/bin/bash
+# ShFlow Vault Initializer
+# License: GPLv3
+# Author: Luis GuLo
+# Version: 1.3.0
+# Dependencies: gpg
+
+set -euo pipefail
+
+# 📁 Rutas defensivas
+PROJECT_ROOT="${SHFLOW_HOME:-$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)}"
+VAULT_DIR="$PROJECT_ROOT/core/vault"
+VAULT_KEY="${VAULT_KEY:-$HOME/.shflow.key}"
+VAULT_PUBKEY="${VAULT_PUBKEY:-$HOME/.shflow.pub}"
+
+# 🧩 Cargar render_msg si no está disponible
+COMMON_LIB="$PROJECT_ROOT/core/lib/translate_msg.sh"
+if ! declare -f render_msg &>/dev/null; then
+ [[ -f "$COMMON_LIB" ]] && source "$COMMON_LIB"
+fi
+
+# 🌐 Cargar traducciones
+lang="${SHFLOW_LANG:-es}"
+trfile="$PROJECT_ROOT/core/utils/vault-init.tr.${lang}"
+declare -A tr
+if [[ -f "$trfile" ]]; then while IFS='=' read -r k v; do tr["$k"]="$v"; done < "$trfile"; fi
+
+generate_key() {
+ echo "${tr[gen_key]:-🔐 Generando nueva clave simétrica...}"
+ head -c 64 /dev/urandom | base64 > "$VAULT_KEY"
+ chmod 600 "$VAULT_KEY"
+ echo "$(render_msg "${tr[key_created]}" "path=$VAULT_KEY")"
+}
+
+rotate_key() {
+ echo "${tr[rotate_start]:-🔄 Rotando clave y re-cifrando secretos...}"
+ local OLD_KEY="$VAULT_KEY.old"
+
+ cp "$VAULT_KEY" "$OLD_KEY"
+ generate_key
+
+ for file in "$VAULT_DIR"/*.gpg; do
+ key=$(basename "$file" .gpg)
+ echo "$(render_msg "${tr[recrypt]}" "key=$key")"
+ gpg --quiet --batch --yes --passphrase-file "$OLD_KEY" -d "$file" | \
+ gpg --symmetric --batch --yes --passphrase-file "$VAULT_KEY" -o "$VAULT_DIR/$key.gpg.new"
+ mv "$VAULT_DIR/$key.gpg.new" "$VAULT_DIR/$key.gpg"
+ done
+
+ echo "$(render_msg "${tr[rotate_done]}" "path=$OLD_KEY")"
+}
+
+status() {
+ echo "${tr[status_title]:-📊 Estado del Vault}"
+ echo "-------------------"
+ echo "$(render_msg "${tr[sym_key]}" "status=$( [ -f "$VAULT_KEY" ] && echo "${tr[present]}" || echo "${tr[absent]}")")"
+ echo "$(render_msg "${tr[pub_key]}" "status=$( [ -f "$VAULT_PUBKEY" ] && echo "${tr[present]}" || echo "${tr[absent]}")")"
+ echo "$(render_msg "${tr[vault_path]}" "path=$VAULT_DIR")"
+ echo "$(render_msg "${tr[secrets]}" "count=$(ls "$VAULT_DIR"/*.gpg 2>/dev/null | wc -l)")"
+ echo "$(render_msg "${tr[last_mod]}" "date=$(date -r "$VAULT_KEY" '+%Y-%m-%d %H:%M:%S' 2>/dev/null)")"
+}
+
+generate_pubkey() {
+ echo "${tr[asym_start]:-🔐 Configurando cifrado asimétrico...}"
+ echo "${tr[asym_hint]:-⚠️ Se requiere que la clave pública esté exportada previamente.}"
+ echo " gpg --export -a 'usuario@dominio' > $VAULT_PUBKEY"
+ if [ -f "$VAULT_PUBKEY" ]; then
+ echo "$(render_msg "${tr[pubkey_found]}" "path=$VAULT_PUBKEY")"
+ else
+ echo "${tr[pubkey_missing]:-❌ Clave pública no encontrada. Exporta primero con GPG.}"
+ exit 1
+ fi
+}
+
+main() {
+ case "${1:-}" in
+ --rotate)
+ [ -f "$VAULT_KEY" ] || { echo "${tr[no_key]:-❌ No existe clave actual. Ejecuta sin --rotate primero.}"; exit 1; }
+ rotate_key
+ ;;
+ --status)
+ status
+ ;;
+ --asymmetric)
+ generate_pubkey
+ ;;
+ *)
+ if [ -f "$VAULT_KEY" ]; then
+ echo "$(render_msg "${tr[key_exists]}" "path=$VAULT_KEY")"
+ else
+ generate_key
+ fi
+ ;;
+ esac
+}
+
+main "$@"
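Review bot: The `render_msg "${tr[key_created]}" …` lookups in generate_key, rotate_key, status, generate_pubkey and main dereference associative-array keys with no `:-` default, so under `set -u` a missing or incomplete `vault-init.tr.<lang>` file aborts the script with an unbound-variable error — in generate_key right after the key file has been written, and in rotate_key after `$VAULT_KEY` has already been replaced; give those lookups the same `${tr[key]:-fallback}` form the plain `echo` lines already use. In generate_key the key file is created by the redirection under the caller's umask and only afterwards `chmod 600`, leaving a window in which it can be group- or world-readable; create it already restricted, e.g. `(umask 077; head -c 64 /dev/urandom | base64 -w0 > "$VAULT_KEY")`, where `-w0` also matters because GNU base64 wraps at 76 columns and `gpg --passphrase-file` reads only the first line, so currently only part of the generated material serves as the passphrase (if `-w` is unavailable on a target platform, strip the newlines another way). In rotate_key the `for file in "$VAULT_DIR"/*.gpg` loop runs without `nullglob`, so with an empty vault the literal pattern reaches `gpg -d`, which fails and under `set -e` exits after the key has already been rotated; add `[[ -e "$file" ]] || continue` as the first loop statement, make `key` a `local`, and either remove `$VAULT_KEY.old` once the loop completes or document that leaving the previous passphrase on disk next to the new one is intentional.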
