#!/usr/bin/env bash
#
# rotate-policy-cli-secret.sh — generate a fresh random shared secret for the
# `policy-cli` client and write it under etc/secrets/ (or print it with
# --dry-run instead of writing).
#
# Usage: rotate-policy-cli-secret.sh [--output <path>] [--dry-run]
# Requires: openssl on PATH.
#
# Strict mode: abort on a failing command, an unset variable, or a failing
# stage anywhere in a pipeline (the openssl | tr pipeline below relies on it).
set -euo pipefail
#######################################
# Print the help text for this script.
# Globals:   none
# Arguments: none
# Outputs:   help text on stdout (callers redirect to stderr on error)
# Returns:   0
#######################################
usage() {
  # One argument per output line; single quotes keep the backticks literal.
  printf '%s\n' \
    'Usage: rotate-policy-cli-secret.sh [--output <path>] [--dry-run]' \
    '' \
    'Generates a new random shared secret suitable for the Authority' \
    '`policy-cli` client and optionally writes it to the target file' \
    'in `etc/secrets/` with the standard header comment.' \
    '' \
    'Options:' \
    '  --output <path>  Destination file (default: etc/secrets/policy-cli.secret)' \
    '  --dry-run        Print the generated secret to stdout without writing.' \
    '  -h, --help       Show this help.'
}
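OUTPUT="etc/secrets/policy-cli.secret"
DRY_RUN=0

#######################################
# Parse command-line options into the OUTPUT and DRY_RUN globals.
# Globals:   OUTPUT (written), DRY_RUN (written)
# Arguments: the script's positional parameters ("$@")
# Outputs:   diagnostics and usage text on stderr when an argument is rejected
# Returns:   0 on success; exits 0 after --help, exits 1 on a bad argument
#######################################
parse_args() {
  while [[ $# -gt 0 ]]; do
    case "$1" in
      --output)
        # A missing value would otherwise surface through `set -u` as an
        # opaque "unbound variable" error, and an empty one would only fail
        # later at the output redirect. Reject both up front.
        if [[ $# -lt 2 || -z "$2" ]]; then
          printf '%s\n' '--output requires a non-empty path argument' >&2
          usage >&2
          exit 1
        fi
        OUTPUT="$2"
        shift 2
        ;;
      --dry-run)
        DRY_RUN=1
        shift
        ;;
      -h|--help)
        usage
        exit 0
        ;;
      *)
        printf 'Unknown argument: %s\n' "$1" >&2
        usage >&2
        exit 1
        ;;
    esac
  done
}

parse_args "$@"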
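if ! command -v openssl >/dev/null 2>&1; then
  printf '%s\n' 'openssl is required to generate secrets' >&2
  exit 1
fi

# Generate a 48-byte random secret, base64 encoded without padding.
# 48 is a multiple of 3, so the base64 form is exactly 64 characters and
# carries no '=' padding; tr strips the newline openssl appends (and any
# '=' defensively, should the byte count ever change).
RAW_SECRET=$(openssl rand -base64 48 | tr -d '\n=')

# pipefail catches a failing openssl, but not a "successful" run that
# produced less than expected; never fall through and write a short secret.
if [[ ${#RAW_SECRET} -ne 64 ]]; then
  printf 'Unexpected secret length %d (expected 64)\n' "${#RAW_SECRET}" >&2
  exit 1
fi

# Prefix identifies which client the secret belongs to when seen in config.
SECRET="policy-cli-${RAW_SECRET}"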
# --dry-run: hand the secret to the caller on stdout and stop here;
# nothing is written to disk.
if (( DRY_RUN == 1 )); then
  printf '%s\n' "$SECRET"
  exit 0
fi
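#######################################
# Write the secret file atomically with owner-only permissions.
# A plain `> "$OUTPUT"` redirect inherits the process umask (often 022,
# i.e. world-readable) and leaves a truncated file behind if the write
# fails part-way. Instead the content is staged in a mktemp-created 0600
# file next to the destination and moved into place in one step.
# Globals:   none
# Arguments: $1 - destination path; $2 - secret value
# Outputs:   confirmation line on stdout; diagnostics on stderr
# Returns:   0 on success, 1 on any failure (the staging file is removed)
#######################################
write_secret_file() {
  local path=$1 secret=$2
  local dir stamp tmp
  if [[ -z "$path" ]]; then
    printf '%s\n' 'Output path must not be empty' >&2
    return 1
  fi
  if [[ -z "$secret" ]]; then
    printf '%s\n' 'Refusing to write an empty secret' >&2
    return 1
  fi
  dir=$(dirname -- "$path")
  if [[ ! -d "$dir" ]]; then
    printf 'Output directory does not exist: %s\n' "$dir" >&2
    return 1
  fi
  stamp=$(date -u +%Y-%m-%dT%H:%M:%SZ) || return 1
  # mktemp creates the file with mode 0600 regardless of umask; keeping the
  # template in the destination directory makes the final mv a rename.
  tmp=$(mktemp -- "${path}.XXXXXX") || return 1
  # Same two lines as before: header comment with a UTC timestamp, then the
  # secret. The explicit chmod restates the permission intent.
  if ! printf '# generated %s via scripts/rotate-policy-cli-secret.sh\n%s\n' "$stamp" "$secret" > "$tmp" \
    || ! chmod -- 600 "$tmp" \
    || ! mv -f -- "$tmp" "$path"; then
    rm -f -- "$tmp"
    return 1
  fi
  printf 'Wrote new policy-cli secret to %s\n' "$path"
}

# Under `set -e` a failing write aborts the script with the function's
# diagnostic already on stderr.
write_secret_file "$OUTPUT" "$SECRET"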