diff --git a/install.sh b/install.sh
index 010c279..636206d 100755
--- a/install.sh
+++ b/install.sh
@@ -33,6 +33,22 @@ TEMP_SCRIPT="/tmp/${TARGET}-$$.sh"
 if "$NBCRYPT" decrypt "$ENC_FILE" "$TEMP_SCRIPT" 2>/dev/null; then
     chmod +x "$TEMP_SCRIPT"
+
+    # Load SSH Agent environment if it was created by nbcrypt/BWS setup
+    # Only load if we don't already have a valid Agent Forward
+    AGENT_ENV_FILE="/tmp/.nb_agent_env_${USER:-$(id -un)}"
+    if [ -f "$AGENT_ENV_FILE" ]; then
+        # Check if we already have a valid SSH_AUTH_SOCK (Agent Forward)
+        if [ -z "${SSH_AUTH_SOCK:-}" ] || [ ! -S "${SSH_AUTH_SOCK}" ]; then
+            # No valid agent, safe to load from file
+            echo "๐Ÿ”‘ Loading SSH Agent environment..."
+            source "$AGENT_ENV_FILE"
+        else
+            # Agent Forward exists, preserve it and skip file loading
+            echo "๐Ÿ”‘ Using existing SSH Agent Forward (preserved)"
+        fi
+    fi
+
     echo "โœ… Executing ${TARGET} setup..."
     exec bash "$TEMP_SCRIPT"
 else
@@ -42,3 +58,6 @@ else
     exit 1
 fi
+
+
+
diff --git a/nbcrypt b/nbcrypt
index d00d1c2..f718c7a 100755
--- a/nbcrypt
+++ b/nbcrypt
@@ -34,6 +34,7 @@ Usage: $SCRIPT_NAME [arguments]
 Commands:
     encrypt      Encrypt a file using SSH Agent key
     decrypt      Decrypt a file using SSH Agent key
+    install-bws  Install Bitwarden Secrets Manager CLI (bws)
     check        Check if SSH Agent has required key
     help         Show this help message
@@ -44,6 +45,7 @@ Requirements:
 Examples:
     $SCRIPT_NAME encrypt secrets.txt secrets.enc
     $SCRIPT_NAME decrypt secrets.enc secrets.txt
+    $SCRIPT_NAME install-bws
     $SCRIPT_NAME check
 EOF
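Review bot: `source "$AGENT_ENV_FILE"` executes a file at a predictable path in the shared `/tmp` directory after checking only that it exists (`-f`), so the script trusts whatever `/tmp/.nb_agent_env_<user>` holds at run time, regardless of who wrote it. Before sourcing, at least require that the file belongs to the invoking user, `if [ -f "$AGENT_ENV_FILE" ] && [ -O "$AGENT_ENV_FILE" ]; then`, and reject it when it is group- or world-writable; the more robust fix is to keep the file under `${XDG_RUNTIME_DIR:-$HOME}` where only that user can write. The same path and the same unguarded `source` appear in `load_bws_setup` in nbcrypt, so both sides have to move together. The `if "$NBCRYPT" decrypt` block continues in the next hunk, and the contents of the sourced file are not part of this diff.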
@@ -65,27 +67,140 @@ check_dependencies() {
 }
 check_ssh_agent() {
-    # Check if SSH_AUTH_SOCK is set
-    if [ -z "${SSH_AUTH_SOCK:-}" ]; then
-        error "SSH Agent is not running or SSH_AUTH_SOCK is not set"
-    fi
-
-    # Check if ssh-add can connect to agent
-    if ! ssh-add -l >/dev/null 2>&1; then
-        local rc=$?
-        if [ $rc -eq 2 ]; then
-            error "Cannot connect to SSH Agent"
-        elif [ $rc -eq 1 ]; then
-            error "SSH Agent has no identities loaded"
+    # Check if SSH_AUTH_SOCK is set and valid
+    if [ -n "${SSH_AUTH_SOCK:-}" ] && [ -S "${SSH_AUTH_SOCK}" ]; then
+        # Check if ssh-add can connect to agent
+        if ssh-add -l >/dev/null 2>&1; then
+            # Check if Ed25519 key is loaded
+            if ssh-add -l 2>/dev/null | grep -q "ED25519"; then
+                info "SSH Agent check passed (Ed25519 key found)"
+                return 0
+            fi
         fi
     fi
-    # Check if Ed25519 key is loaded
-    if ! ssh-add -l 2>/dev/null | grep -q "ED25519"; then
-        error "No Ed25519 key found in SSH Agent. Please add id_ed25519 with: ssh-add ~/.ssh/id_ed25519"
+    # No valid agent or no Ed25519 key - try BWS bootstrap
+    info "No Ed25519 key found in SSH Agent. Attempting BWS bootstrap..."
+
+    # Get BWS access token
+    local bws_token="${BWS_ACCESS_TOKEN:-}"
+    if [ -z "$bws_token" ]; then
+        echo -n "Enter BWS_ACCESS_TOKEN: " >&2
+        read -s bws_token
+        echo >&2
+        if [ -z "$bws_token" ]; then
+            error "BWS_ACCESS_TOKEN is required when SSH Agent has no Ed25519 key"
+        fi
     fi
-    info "SSH Agent check passed (Ed25519 key found)"
+    # Try to load setup script from BWS
+    load_bws_setup "$bws_token"
+
+    # Re-check agent after BWS setup
+    if [ -n "${SSH_AUTH_SOCK:-}" ] && [ -S "${SSH_AUTH_SOCK}" ]; then
+        if ssh-add -l >/dev/null 2>&1 && ssh-add -l 2>/dev/null | grep -q "ED25519"; then
+            info "SSH Agent check passed (Ed25519 key found after BWS setup)"
+            return 0
+        fi
+    fi
+
+    error "No Ed25519 key found in SSH Agent. Please add id_ed25519 with: ssh-add ~/.ssh/id_ed25519"
+}
+
+load_bws_setup() {
+    local token="$1"
+    local secret_name="nbloader"
+
+    info "Loading setup script from BWS (secret: $secret_name)..."
+
+    # Check if bws command exists, if not try to install it
+    if ! command -v bws >/dev/null 2>&1; then
+        warn "bws command not found. Attempting to install..."
+        install_bws || error "Failed to install bws CLI"
+    fi
+
+    # Export token temporarily for bws command
+    export BWS_ACCESS_TOKEN="$token"
+
+    # Get the secret from BWS
+    local loader_script
+    if command -v jq >/dev/null 2>&1; then
+        loader_script=$(bws secret get "$secret_name" 2>/dev/null | jq -r '.value // empty')
+    elif command -v python3 >/dev/null 2>&1; then
+        loader_script=$(bws secret get "$secret_name" 2>/dev/null | python3 -c "import sys, json; print(json.load(sys.stdin).get('value', ''))" 2>/dev/null)
+    else
+        # Fallback: try to extract value with grep/sed (fragile but works for simple JSON)
+        loader_script=$(bws secret get "$secret_name" 2>/dev/null | grep -o '"value": "[^"]*"' | sed 's/"value": "//;s/"$//' | head -1)
+    fi
+
+    if [ -z "$loader_script" ]; then
+        error "Failed to retrieve '$secret_name' from BWS. Check your token and secret name."
+    fi
+
+    # Execute the loader script
+    info "Executing BWS setup script..."
+    eval "$loader_script"
+
+    # Load agent environment if it was created
+    local env_file="/tmp/.nb_agent_env_${USER:-$(id -un)}"
+    if [ -f "$env_file" ]; then
+        source "$env_file"
+        info "SSH Agent environment loaded from $env_file"
+    fi
+}
+
+install_bws() {
+    local arch
+    arch=$(uname -m)
+    local bws_version="1.0.0"
+    local bws_bin_dir="${HOME}/.local/bin"
+    local bws_path="${bws_bin_dir}/bws"
+
+    mkdir -p "$bws_bin_dir"
+    export PATH="$bws_bin_dir:$PATH"
+
+    # Determine architecture
+    case "$arch" in
+        x86_64)
+            arch="x86_64-unknown-linux-gnu"
+            ;;
+        aarch64|arm64)
+            arch="aarch64-unknown-linux-gnu"
+            ;;
+        *)
+            error "Unsupported architecture: $arch"
+            ;;
+    esac
+
+    local zip_name="bws-${arch}-${bws_version}.zip"
+    local url="https://github.com/bitwarden/sdk-sm/releases/download/bws-v${bws_version}/${zip_name}"
+
+    info "Downloading bws v${bws_version} for ${arch}..."
+
+    # Install dependencies if needed
+    if ! command -v unzip >/dev/null 2>&1; then
+        if command -v apt-get >/dev/null 2>&1; then
+            sudo apt-get update -qq && sudo apt-get install -y unzip >/dev/null 2>&1
+        elif command -v yum >/dev/null 2>&1; then
+            sudo yum install -y unzip >/dev/null 2>&1
+        fi
+    fi
+
+    # Download and extract
+    local temp_zip="/tmp/${zip_name}"
+    if command -v wget >/dev/null 2>&1; then
+        wget -q "$url" -O "$temp_zip" || return 1
+    elif command -v curl >/dev/null 2>&1; then
+        curl -sL "$url" -o "$temp_zip" || return 1
+    else
+        error "wget or curl is required to download bws"
+    fi
+
+    unzip -o "$temp_zip" -d "$bws_bin_dir" >/dev/null 2>&1 || return 1
+    chmod +x "$bws_path"
+    rm -f "$temp_zip"
+
+    info "bws installed successfully at $bws_path"
     return 0
 }
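Review bot: `export BWS_ACCESS_TOKEN="$token"` in load_bws_setup is commented as temporary but is never undone, so the token stays in the environment of the `eval`'d loader script and of every process it starts (including any long-lived agent it launches), well beyond the three `bws secret get` calls that need it. Scoping it per command, `BWS_ACCESS_TOKEN="$token" bws secret get "$secret_name" 2>/dev/null | jq -r '.value // empty'` (and the same prefix in the python3 and grep/sed branches), and dropping the export keeps it out of child processes; if the export must stay, add `unset BWS_ACCESS_TOKEN` right after the secret is retrieved. `read -s bws_token` should be `read -rs bws_token` so a backslash in a pasted token is not interpreted. In install_bws the release zip is written to the predictable `/tmp/${zip_name}` and unpacked with no integrity check tied to the pinned `bws_version`; a `mktemp -d` working directory plus a `sha256sum -c` against a hash recorded next to `bws_version` would make the download verifiable. If `bws secret get` expects a secret ID rather than a name, `secret_name="nbloader"` will fail on every run and the `2>/dev/null` on the bws pipeline hides why, so that redirection is worth removing at least while this path is new.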
@@ -201,11 +316,14 @@ main() {
         usage
     fi
-    check_dependencies
-
     local command="$1"
     shift
+    # install-bws ใ‚ณใƒžใƒณใƒ‰ใฎๅ ดๅˆใฏ check_dependencies ใ‚’ใ‚นใ‚ญใƒƒใƒ—
+    if [ "$command" != "install-bws" ] && [ "$command" != "help" ] && [ "$command" != "--help" ] && [ "$command" != "-h" ]; then
+        check_dependencies
+    fi
+
     case "$command" in
         encrypt)
             if [ $# -ne 2 ]; then
@@ -223,6 +341,9 @@ main() {
             check_ssh_agent
             echo "โœ… All checks passed"
             ;;
+        install-bws)
+            install_bws
+            ;;
         help|--help|-h)
             usage
             ;;
diff --git a/nbmain.sh.enc b/nbmain.sh.enc
index f698f77..95995e5 100644
Binary files a/nbmain.sh.enc and b/nbmain.sh.enc differ
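Review bot: The new guard in front of `check_dependencies` keeps a negative list of commands that has to stay in sync with the `case` labels below it (`help|--help|-h` is now spelled out twice), and its comment is the only non-English one in the file (it appears to be Japanese and renders garbled here). Calling `check_dependencies` from the `encrypt`, `decrypt` and `check` arms instead would tie the check to the commands that need it and let the guard and its list go; `main()` continues outside both hunks. If the guard stays, an English comment such as `# install-bws and help do not need the encrypt/decrypt tooling, so skip check_dependencies for them` keeps the file consistent.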