netosecret.sh - bash script CLI
Bash shell script to encode and decode netosecret
1
CLI usage
display command line options to interact with shell script
#!/bin/bash
# Intended to keep secrets out of shell history.
# NOTE(review): HISTIGNORE is exported only into this script's own process and
# its children. It cannot change what the invoking interactive shell records,
# so values typed after --appkey/--sharedsecret still end up in the caller's
# history and are typically visible in process listings while the script runs.
# The interactive prompts avoid both exposures.
export HISTIGNORE='*echo*:*base64*'
# Default values (overridable with --url, --save and --envname respectively)
url="https://api.netography.com/api/v1"
output_file="netosecret.env"
envname="NETOSECRET"
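#######################################
# Print the command-line help text.
# Globals:   none ($0 is expanded into the usage line)
# Arguments: none
# Outputs:   usage, option list and environment-variable lookup order on stdout
# Note:      the listing on the page was unterminated and its last line carried
#            a stray "2"; the APPKEY names below match the lookup performed
#            when --env/--envfile is used.
#######################################
print_usage() {
  # Unquoted delimiter on purpose: $0 must expand to the script name.
  cat <<EOF
Usage: $0 [shortname] [appname] [OPTIONS]
Options:
[shortname] Set the shortname
[appname] Set the appname
--env Read all variables from environment
--envfile <filename> Read environment variables from the file
--url <value> Set a custom API URL
--appkey <value> Set the appkey (prompt if not provided)
--sharedsecret <value> Set the sharedsecret (prompt if not provided)
--save <path> Save to env file (default netosecret.env)
--envname <name> Variable name to write to in envfile (default NETOSECRET)
--print Print the encoded netosecret
--decode Decode NETOSECRET and print the JSON (contains secrets)
-h, --help Display this help message
netosecret is a tool to generate a single base64 encoded string containing all
5 components needed to authenticate to the Netography API (url, shortname,
appname, sharedsecret, appkey). The 5 components are stored as key/values in
a JSON object for encoding/decoding.
If used with the --env or --envfile option, the script will read from environment
in this order:
URL: NETO__API__URL, NETO_URL, NETO__URL
APPNAME: NETO__API__APP_NAME, NETO_APP_NAME, NETO_APPNAME
SHORTNAME: NETO__API__SHORTNAME, NETO_SHORTNAME, NETO__SHORTNAME
SHAREDSECRET: NETO__API__CREDENTIALS__SHARED_SECRET, NETO_SHAREDSECRET, NETO__SHAREDSECRET, NETO_SHARED_SECRET
APPKEY: NETO__API__CREDENTIALS__APP_KEY, NETO__APPKEY, NETO__APP_KEY, NETO_APPKEY
EOF
}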
3
read from environment variables
reads values from environment based on command line options
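#######################################
# Return the first non-empty environment variable among the given names.
# Arguments: $1   - "true" when the value is a secret (masked in the log line)
#            $2.. - variable names, tried in the order given
# Outputs:   the value on stdout; "Read from env NAME=VALUE" on stderr, with
#            VALUE replaced by ****** for secrets
# Returns:   0, also when no variable is set (stdout is then empty)
#######################################
get_env_value() {
  local is_secret="$1"
  shift
  # Declared separately so the loop variable does not leak into the caller's
  # scope and the command substitution is not hidden behind 'local'.
  local key value shown
  for key in "$@"; do
    value=$(printenv "$key")
    if [ -n "$value" ]; then
      # printf rather than echo: a value such as "-n" or "-e" must be emitted
      # verbatim instead of being taken as an echo option.
      printf '%s\n' "$value"
      shown=$value
      if [ "$is_secret" = true ]; then
        shown="******"
      fi
      echo "Read from env $key=$shown" >&2
      return
    fi
  done
}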
decode netosecret
decodes netosecret from a base64 string into a JSON string
# Leading bare words are positional: the first is the shortname, the second
# the appname. Anything that starts with "-" is left for the option parser.
if (( $# > 0 )); then
  case "$1" in
    -*) ;;
    *)
      shortname="$1"
      shift
      ;;
  esac
fi
if (( $# > 0 )); then
  case "$1" in
    -*) ;;
    *)
      appname="$1"
      shift
      ;;
  esac
fi
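# Parse command-line options.
# Value-taking options read "$2" and shift once inside their branch; the shared
# shift at the bottom of the loop then drops the option name itself.
# NOTE(review): values given to --appkey/--sharedsecret travel on the command
# line, where they are recorded by the caller's shell history and are typically
# visible in process listings; omitting them makes the script prompt instead.
while [[ "$#" -gt 0 ]]; do
  # Refuse a value-taking option that is the last word on the command line
  # instead of silently assigning an empty value.
  case "$1" in
    --url|--appkey|--sharedsecret|--save|--envfile|--envname)
      if [[ "$#" -lt 2 ]]; then
        echo "Error: $1 requires a value." >&2
        print_usage
        exit 1
      fi
      ;;
  esac
  case "$1" in
    --url) url="$2"; shift ;;
    --appkey) appkey="$2"; shift ;;
    --sharedsecret) sharedsecret="$2"; shift ;;
    --save) output_file="$2"; shift ;;
    --env) use_env=true ;;
    --envfile) envfile="$2"; shift ;;
    --envname) envname="$2"; shift ;;
    --print) print_output=true ;;
    # Flag only: an extra shift here would swallow the option that follows
    # --decode (for example "--decode --envname NAME").
    --decode) decode_secret=true ;;
    -h|--help) print_usage; exit 0 ;;
    *) echo "Unknown parameter passed: $1" >&2; print_usage; exit 1 ;;
  esac
  shift
done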
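# If envfile is specified, read values from the file first.
# Lines are parsed one at a time instead of being word-split into a single
# 'export' call: an empty or unreadable file would otherwise run a bare
# 'export', which prints every exported variable (secrets included), and values
# containing spaces or glob characters would be mangled.
if [ -n "$envfile" ]; then
  if [ ! -r "$envfile" ]; then
    echo "Error: cannot read env file: $envfile" >&2
    exit 1
  fi
  while IFS= read -r env_line || [ -n "$env_line" ]; do
    # Tolerate CRLF files, leading whitespace and an optional "export " prefix.
    env_line="${env_line%$'\r'}"
    env_line="${env_line#"${env_line%%[![:space:]]*}"}"
    env_line="${env_line#export }"
    case "$env_line" in
      ''|'#'*) continue ;;
    esac
    env_key="${env_line%%=*}"
    env_val="${env_line#*=}"
    # Accept only NAME=VALUE with a valid variable name. The line itself is
    # not echoed because it may hold a secret.
    if [ "$env_key" = "$env_line" ] || ! [[ "$env_key" =~ ^[A-Za-z_][A-Za-z0-9_]*$ ]]; then
      echo "Warning: skipping malformed line in $envfile" >&2
      continue
    fi
    # Strip one pair of surrounding quotes, as the previous xargs-based
    # parsing did.
    case "$env_val" in
      \"*\") env_val="${env_val#\"}"; env_val="${env_val%\"}" ;;
      \'*\') env_val="${env_val#\'}"; env_val="${env_val%\'}" ;;
    esac
    export "$env_key=$env_val"
  done < "$envfile"
  unset env_line env_key env_val
fi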
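# Handle the decode option: take the encoded value from the variable named by
# $envname, or prompt for it, and write the decoded JSON to stdout.
# The output contains the shared secret and app key in clear text, so it should
# not be redirected into logs or shared terminals.
if [ "$decode_secret" = true ]; then
  netosecret_to_decode=$(printenv "$envname")
  if [ -z "$netosecret_to_decode" ]; then
    # -r keeps backslashes literal; -s keeps the value off the screen.
    read -r -s -p "Enter netosecret: " netosecret_to_decode
    # The silent prompt leaves the cursor on the prompt line; the newline goes
    # to stderr so that stdout carries only the decoded JSON.
    echo >&2
    if [ -z "$netosecret_to_decode" ]; then
      echo "Error: No encoded string provided and $envname is not set in the environment." >&2
      exit 1
    fi
  fi
  # Quoted and whitespace-stripped: an unquoted expansion would word-split and
  # glob the value, and a line-wrapped value would reach base64 with spaces.
  if ! printf '%s' "$netosecret_to_decode" | tr -d '[:space:]' | base64 --decode; then
    echo "Error: the provided netosecret is not valid base64." >&2
    exit 1
  fi
  exit 0
fi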
encode netosecret
Encodes JSON object with base64
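# If --env is specified or envfile is read, read values from environment variables.
# A value found in the environment replaces the current one. When none of the
# candidate variables is set the current value (the default URL, or anything
# given on the command line) is kept instead of being overwritten with an
# empty string.
if [ "$use_env" = true ] || [ -n "$envfile" ]; then
  env_value=$(get_env_value false "NETO__API__URL" "NETO_URL" "NETO__URL")
  url=${env_value:-$url}
  env_value=$(get_env_value false "NETO__API__APP_NAME" "NETO_APP_NAME" "NETO_APPNAME")
  appname=${env_value:-$appname}
  env_value=$(get_env_value false "NETO__API__SHORTNAME" "NETO_SHORTNAME" "NETO__SHORTNAME")
  shortname=${env_value:-$shortname}
  # Secrets: get_env_value masks these in its stderr log line.
  env_value=$(get_env_value true "NETO__API__CREDENTIALS__SHARED_SECRET" "NETO_SHAREDSECRET" "NETO__SHAREDSECRET" "NETO_SHARED_SECRET")
  sharedsecret=${env_value:-$sharedsecret}
  env_value=$(get_env_value true "NETO__API__CREDENTIALS__APP_KEY" "NETO__APPKEY" "NETO__APP_KEY" "NETO_APPKEY")
  appkey=${env_value:-$appkey}
  unset env_value
fi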
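# Prompt for required values if not set.
# read -r keeps backslashes in the typed value intact (without it a secret
# containing "\" is silently altered); -s suppresses terminal echo for the two
# secrets, and the bare echo afterwards ends the prompt line.
if [ -z "$shortname" ]; then
  read -r -p "Enter shortname: " shortname
fi
if [ -z "$appname" ]; then
  read -r -p "Enter appname: " appname
fi
if [ -z "$appkey" ]; then
  read -r -s -p "Enter appkey: " appkey
  echo
fi
if [ -z "$sharedsecret" ]; then
  read -r -s -p "Enter sharedsecret: " sharedsecret
  echo
fi
# Ensure all required fields are set. url is checked as well: the message
# lists it, and it can be emptied by --url "" or by the environment lookup.
if [ -z "$url" ] || [ -z "$shortname" ] || [ -z "$appname" ] || [ -z "$appkey" ] || [ -z "$sharedsecret" ]; then
  echo "Error: All fields (shortname, appname, url, appkey, sharedsecret) must be provided." >&2
  exit 1
fi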
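#######################################
# Escape a string for use inside a JSON string literal.
# Handles backslash, double quote, newline, carriage return and tab; other
# control characters are passed through unchanged.
# Arguments: $1 - raw text
# Outputs:   escaped text on stdout (no trailing newline)
#######################################
json_escape() {
  local text=$1
  text=${text//\\/\\\\}
  text=${text//\"/\\\"}
  text=${text//$'\n'/\\n}
  text=${text//$'\r'/\\r}
  text=${text//$'\t'/\\t}
  printf '%s' "$text"
}

# Create the JSON object with the URL.
# Every field is escaped first: a raw '"' or '\' in any value would otherwise
# break the document or let one field inject additional keys.
json=$(printf '{\n"url": "%s",\n"shortname": "%s",\n"appname": "%s",\n"sharedsecret": "%s",\n"appkey": "%s"\n}' \
  "$(json_escape "$url")" \
  "$(json_escape "$shortname")" \
  "$(json_escape "$appname")" \
  "$(json_escape "$sharedsecret")" \
  "$(json_escape "$appkey")")
# Encode the JSON object to Base64.
# Base64 is an encoding, not encryption: the result must be protected like the
# credentials it contains. Line wrapping (GNU base64 wraps at 76 columns) is
# removed so the value fits on one NAME=VALUE line of an env file.
encoded=$(printf '%s' "$json" | base64 | tr -d '\n')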
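# Output based on provided options.
# --print writes the encoded secret to stdout; otherwise it is saved as
# NAME=VALUE in $output_file. The file holds credentials, so it is created
# with owner-only permissions, and an existing file is tightened before the
# secret is written into it.
if [ "$print_output" ]; then
  printf '%s\n' "$encoded"
else
  if ! (
    umask 077
    if [ -f "$output_file" ]; then
      chmod 600 -- "$output_file" || exit 1
    fi
    printf '%s=%s\n' "$envname" "$encoded" > "$output_file"
  ); then
    # Report the failure instead of claiming the secret was saved.
    echo "Error: could not write $output_file" >&2
    exit 1
  fi
  echo "netosecret saved to $output_file"
fi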
# Drop this shell's copies of the secret material (the JSON document, its
# encoded form and both credentials) before the script ends.
unset json encoded appkey sharedsecret