Diffstat (limited to 'core/utils/vault-init.sh')
-rwxr-xr-xcore/utils/vault-init.sh97
1 files changed, 97 insertions, 0 deletions
diff --git a/core/utils/vault-init.sh b/core/utils/vault-init.sh
new file mode 100755
index 0000000..3055a10
--- /dev/null
+++ b/core/utils/vault-init.sh
@@ -0,0 +1,97 @@
+#!/bin/bash
+# ShFlow Vault Initializer
+# License: GPLv3
+# Author: Luis GuLo
+# Version: 1.3.0
+# Dependencies: gpg
+
+set -euo pipefail
+
+# 📁 Rutas defensivas
+PROJECT_ROOT="${SHFLOW_HOME:-$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)}"
+VAULT_DIR="$PROJECT_ROOT/core/vault"
+VAULT_KEY="${VAULT_KEY:-$HOME/.shflow.key}"
+VAULT_PUBKEY="${VAULT_PUBKEY:-$HOME/.shflow.pub}"
+
+# 🧩 Cargar render_msg si no está disponible
+COMMON_LIB="$PROJECT_ROOT/core/lib/translate_msg.sh"
+if ! declare -f render_msg &>/dev/null; then
+ [[ -f "$COMMON_LIB" ]] && source "$COMMON_LIB"
+fi
+
+# 🌐 Cargar traducciones
+lang="${SHFLOW_LANG:-es}"
+trfile="$PROJECT_ROOT/core/utils/vault-init.tr.${lang}"
+declare -A tr
+if [[ -f "$trfile" ]]; then while IFS='=' read -r k v; do tr["$k"]="$v"; done < "$trfile"; fi
+
+generate_key() {
+ echo "${tr[gen_key]:-🔐 Generando nueva clave simétrica...}"
+ head -c 64 /dev/urandom | base64 > "$VAULT_KEY"
+ chmod 600 "$VAULT_KEY"
+ echo "$(render_msg "${tr[key_created]}" "path=$VAULT_KEY")"
+}
+
+rotate_key() {
+ echo "${tr[rotate_start]:-🔄 Rotando clave y re-cifrando secretos...}"
+ local OLD_KEY="$VAULT_KEY.old"
+
+ cp "$VAULT_KEY" "$OLD_KEY"
+ generate_key
+
+ for file in "$VAULT_DIR"/*.gpg; do
+ key=$(basename "$file" .gpg)
+ echo "$(render_msg "${tr[recrypt]}" "key=$key")"
+ gpg --quiet --batch --yes --passphrase-file "$OLD_KEY" -d "$file" | \
+ gpg --symmetric --batch --yes --passphrase-file "$VAULT_KEY" -o "$VAULT_DIR/$key.gpg.new"
+ mv "$VAULT_DIR/$key.gpg.new" "$VAULT_DIR/$key.gpg"
+ done
+
+ echo "$(render_msg "${tr[rotate_done]}" "path=$OLD_KEY")"
+}
+
+status() {
+ echo "${tr[status_title]:-📊 Estado del Vault}"
+ echo "-------------------"
+ echo "$(render_msg "${tr[sym_key]}" "status=$( [ -f "$VAULT_KEY" ] && echo "${tr[present]}" || echo "${tr[absent]}")")"
+ echo "$(render_msg "${tr[pub_key]}" "status=$( [ -f "$VAULT_PUBKEY" ] && echo "${tr[present]}" || echo "${tr[absent]}")")"
+ echo "$(render_msg "${tr[vault_path]}" "path=$VAULT_DIR")"
+ echo "$(render_msg "${tr[secrets]}" "count=$(ls "$VAULT_DIR"/*.gpg 2>/dev/null | wc -l)")"
+ echo "$(render_msg "${tr[last_mod]}" "date=$(date -r "$VAULT_KEY" '+%Y-%m-%d %H:%M:%S' 2>/dev/null)")"
+}
+
+generate_pubkey() {
+ echo "${tr[asym_start]:-🔐 Configurando cifrado asimétrico...}"
+ echo "${tr[asym_hint]:-⚠️ Se requiere que la clave pública esté exportada previamente.}"
+ echo " gpg --export -a 'usuario@dominio' > $VAULT_PUBKEY"
+ if [ -f "$VAULT_PUBKEY" ]; then
+ echo "$(render_msg "${tr[pubkey_found]}" "path=$VAULT_PUBKEY")"
+ else
+ echo "${tr[pubkey_missing]:-❌ Clave pública no encontrada. Exporta primero con GPG.}"
+ exit 1
+ fi
+}
+
+main() {
+ case "${1:-}" in
+ --rotate)
+ [ -f "$VAULT_KEY" ] || { echo "${tr[no_key]:-❌ No existe clave actual. Ejecuta sin --rotate primero.}"; exit 1; }
+ rotate_key
+ ;;
+ --status)
+ status
+ ;;
+ --asymmetric)
+ generate_pubkey
+ ;;
+ *)
+ if [ -f "$VAULT_KEY" ]; then
+ echo "$(render_msg "${tr[key_exists]}" "path=$VAULT_KEY")"
+ else
+ generate_key
+ fi
+ ;;
+ esac
+}
+
+main "$@"
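Review bot: `generate_key` creates the key file under the ambient umask at `head -c 64 /dev/urandom | base64 > "$VAULT_KEY"` and only tightens it afterwards with `chmod 600 "$VAULT_KEY"`, so on a default 022 umask the fresh key is briefly world-readable; adding `umask 077` directly after `set -euo pipefail` makes the file private from creation and closes that window. Separately, `set -euo pipefail` makes an unloaded element of the `tr` associative array an unbound-variable error, so whenever `core/utils/vault-init.tr.${lang}` is absent the bare lookups such as `${tr[key_created]}` at the end of `generate_key` (and those in `rotate_key`, `status`, `generate_pubkey` and `main`) abort the script after the key has already been written; the `:-` defaults used on the other messages should be applied to every lookup, e.g. `"${tr[key_created]:-}"`. `rotate_key` also calls `generate_key` before any secret is re-encrypted, so a failure inside the loop (a file that fails to decrypt, or the literal `*.gpg` pattern when the vault is empty, since nullglob is not set) leaves the live key already replaced with the vault half-migrated; writing the new key to a temporary path, re-encrypting into the `.gpg.new` files, and only then moving key and files into place would keep the rotation recoverable. Finally, `date -r "$VAULT_KEY"` in `status` is the GNU form, and on BSD-style `date` the `-r` flag takes an epoch instead, so that line likely prints nothing there.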