From: Daan De Meyer
Date: Sun, 12 Mar 2023 17:23:01 +0000 (+0100)
Subject: Extend credentials support
X-Git-Tag: v15~296^2~2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=29be6e19298196403ce776bb77621b675228f4f2;p=thirdparty%2Fmkosi.git
Extend credentials support
We now also read credentials from mkosi.credentials/. If a file in mkosi.credentials/ is executable, we run the file and use its output as the credential.
---
diff --git a/mkosi.md b/mkosi.md
index 886a23aac..aa60b9f93 100644
--- a/mkosi.md
+++ b/mkosi.md
@@ -1220,6 +1220,14 @@ local directory:
 used as the repository directory for extra repository files. See the `RepositoryDirectories` option for more information.
+* The **`mkosi.credentials/`** directory is used as a
+ source of extra credentials similar to the `Credentials=` option. For
+ each file in the directory, the filename will be used as the credential
+ name and the file contents become the credential value, or, if the file is
+ executable, mkosi will execute the file and the command's
+ output to stdout will be used as the credential value. Output to stderr will be ignored.
+ Credentials configured with `Credentials=` take precedence over files in `mkosi.credentials`.
+
 All these files are optional. Note that the location of all these files may also be configured
diff --git a/mkosi/__init__.py b/mkosi/__init__.py
index cf8bfa266..89dd76dc7 100644
--- a/mkosi/__init__.py
+++ b/mkosi/__init__.py
@@ -2353,12 +2353,26 @@ def normalize_script(path: Optional[Path]) -> Optional[Path]:
 return Path(path).absolute()
-def default_credentials() -> dict[str, str]:
- tz = run(["timedatectl", "show", "-p", "Timezone", "--value"], text=True, stdout=subprocess.PIPE).stdout.strip()
+def load_credentials(args: argparse.Namespace) -> dict[str, str]:
+ creds = {}
+
+ d = Path("mkosi.credentials")
+ if d.is_dir():
+ for e in d.iterdir():
+ if os.access(e, os.X_OK):
+ creds[e.name] = run([e], text=True, stdout=subprocess.PIPE).stdout
+ else:
+ creds[e.name] = e.read_text()
- return {
- "firstboot.timezone": tz,
- }
+ for s in args.credentials:
+ key, _, value = s.partition("=")
+ creds[key] = value
+
+ if "firstboot.timezone" not in creds:
+ tz = run(["timedatectl", "show", "-p", "Timezone", "--value"], text=True, stdout=subprocess.PIPE).stdout.strip()
+ creds["firstboot.timezone"] = tz
+
+ return creds
 def load_args(args: argparse.Namespace) -> MkosiConfig:
@@ -2510,14 +2524,7 @@ def load_args(args: argparse.Namespace) -> MkosiConfig:
 else:
 args.environment = {}
- if args.credentials:
- credentials = default_credentials()
- for s in args.credentials:
- key, _, value = s.partition("=")
- credentials[key] = value
- args.credentials = credentials
- else:
- args.credentials = default_credentials()
+ args.credentials = load_credentials(args)
 if args.cache_path is not None:
 args.cache_path = args.cache_path.absolute()
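Review bot: The loop over `d.iterdir()` in `load_credentials` never checks the entry type, and `os.access(e, os.X_OK)` is also true for a searchable directory, so a subdirectory of `mkosi.credentials/` would be handed to `run([e])`, and stray entries such as editor backups or dotfiles become credentials. Adding `if not e.is_file(): continue` as the first statement of the loop body limits this to regular files; `is_file()` still follows symlinks, so a link pointing outside the directory is read or executed like any other entry. The command output is stored without `.strip()`, unlike the timezone value a few lines below, so a trailing newline from the helper ends up inside the credential; worth confirming that is intended. A short docstring stating the precedence (directory entries, then `Credentials=`, then the timezone default) and that executable entries are run with the invoking user's privileges would document the trust placed in that directory.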
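Review bot: Argument loading now starts programs as a side effect, because `args.credentials = load_credentials(args)` is unconditional in `load_args` and `load_credentials` runs the executable entries of `mkosi.credentials/`, which is resolved relative to the current working directory. The removed branch only parsed `Credentials=` strings and queried `timedatectl`, so this is a new trust assumption about the directory mkosi is invoked from, presumably for every verb, including ones that never consume credentials. A comment above the call such as `# Executes any executable file in ./mkosi.credentials/ as a side effect of loading args.` would make that visible, or the loading could be deferred to the point where credentials are consumed. `load_args` begins and ends outside this hunk, so which verbs reach this line cannot be confirmed from here.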