aitbc/scripts/utils/load-keystore-secrets.sh
aitbc 04852fc480
Some checks failed
API Endpoint Tests / test-api-endpoints (push) Successful in 19s
Blockchain Synchronization Verification / sync-verification (push) Failing after 2s
Integration Tests / test-service-integration (push) Successful in 3m1s
Multi-Node Blockchain Health Monitoring / health-check (push) Failing after 7s
P2P Network Verification / p2p-verification (push) Successful in 9s
Python Tests / test-python (push) Successful in 28s
Security Scanning / security-scan (push) Successful in 55s
Systemd Sync / sync-systemd (push) Successful in 17s
security: enforce required API_KEY_HASH_SECRET and migrate keystore password to credential system
Remove default fallback for API_KEY_HASH_SECRET in tenant context middleware and management service, requiring explicit environment variable configuration. Migrate keystore password handling from /etc/aitbc/keystore_password to /etc/aitbc/credentials/keystore_password with 600 permissions. Add load-keystore-secrets.sh pre-start hook and /run/aitbc/secrets/.env environment file to blockchain-node, blockchain
2026-04-28 07:29:51 +02:00

38 lines
1.1 KiB
Bash
Executable File

#!/bin/bash
# Load AITBC secrets from credentials directory
# This script is called by systemd services before main process starts
set -euo pipefail
CREDENTIALS_DIR="/etc/aitbc/credentials"
RUN_DIR="/run/aitbc/secrets"
# Create runtime directory (tmpfs, cleared on reboot)
mkdir -p "$RUN_DIR"
chmod 700 "$RUN_DIR"
# Create .env file from credentials. Recreate it empty with mode 600 before any
# secret is written, so there is no window in which it is readable by others
# and no stale or duplicated entries accumulate across service restarts.
ENV_FILE="$RUN_DIR/.env"
install -m 600 /dev/null "$ENV_FILE"
if [ -f "$CREDENTIALS_DIR/api_hash_secret" ]; then
    echo "API_KEY_HASH_SECRET=$(cat "$CREDENTIALS_DIR/api_hash_secret")" >> "$ENV_FILE"
fi
if [ -f "$CREDENTIALS_DIR/proposer_id" ]; then
    echo "proposer_id=$(cat "$CREDENTIALS_DIR/proposer_id")" >> "$ENV_FILE"
fi
if [ -f "$CREDENTIALS_DIR/keystore_password" ]; then
    echo "KEYSTORE_PASSWORD=$(cat "$CREDENTIALS_DIR/keystore_password")" >> "$ENV_FILE"
fi
# Add non-sensitive config from main .env
if [ -f "/etc/aitbc/.env" ]; then
    # Skip comments, blank lines and the secrets now served from the credentials
    # directory. Match the key at the start of the line: in a systemd
    # EnvironmentFile a later assignment overrides an earlier one, so a stale
    # secret left in /etc/aitbc/.env would otherwise replace the credential value.
    grep -Ev '^[[:space:]]*(#|$)' /etc/aitbc/.env \
        | grep -Ev '^(API_KEY_HASH_SECRET|proposer_id|KEYSTORE_PASSWORD)=' >> "$ENV_FILE" || true
fi
echo "Secrets loaded to $ENV_FILE"
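The script above runs as a systemd pre-start hook, so whatever it writes to /run/aitbc/secrets/.env is what the service sees. The harness below is an added example, not code from the aitbc repository: it reimplements the loader's logic as functions that take their paths as parameters and checks, against constructed fixtures in a temporary directory, the properties the hook relies on. The env file must be created with mode 600 before any secret is written, a second run must not duplicate entries (the hook runs on every restart), a stale KEYSTORE_PASSWORD left in the main .env must not override the credential (systemd applies the later assignment in an EnvironmentFile), and a credential file readable by group or other is refused instead of loaded. The fixture values, the mode check and the reliance on GNU coreutils (stat -c, install, mktemp) are assumptions of this example, not behaviour of the project's script.

```bash
#!/bin/bash
# Added example, not part of the aitbc repository: exercise the secret-loading
# logic of load-keystore-secrets.sh against constructed fixtures in a temporary
# directory, so the properties the systemd hook relies on can be checked
# without root and without touching /etc or /run. Assumes GNU coreutils
# (stat -c, install, mktemp).
set -euo pipefail

# Refuse a credential file unless only its owner can read it (mode 600 or 400).
check_credential_mode() {
    local mode
    mode=$(stat -c '%a' "$1")
    case "$mode" in
        600|400) return 0 ;;
        *) echo "refusing $1: mode $mode allows group/other access" >&2; return 1 ;;
    esac
}

# Append VAR=value from one credential file to the env file, if the file exists.
emit_secret() {
    local var="$1" file="$2" out="$3"
    [ -f "$file" ] || return 0
    check_credential_mode "$file" || return 1
    echo "$var=$(cat "$file")" >> "$out"
}

# Build a systemd EnvironmentFile: secrets first, then the non-secret settings
# from BASE_ENV with comments, blank lines and any stale copy of a secret
# removed (a later assignment in an EnvironmentFile overrides an earlier one).
# The output is recreated empty with mode 600 before anything is written.
build_env_file() {
    local cred_dir="$1" base_env="$2" out="$3"
    install -m 600 /dev/null "$out"
    emit_secret API_KEY_HASH_SECRET "$cred_dir/api_hash_secret" "$out" || return 1
    emit_secret proposer_id "$cred_dir/proposer_id" "$out" || return 1
    emit_secret KEYSTORE_PASSWORD "$cred_dir/keystore_password" "$out" || return 1
    if [ -f "$base_env" ]; then
        grep -Ev '^[[:space:]]*(#|$)' "$base_env" \
            | grep -Ev '^(API_KEY_HASH_SECRET|proposer_id|KEYSTORE_PASSWORD)=' >> "$out" || true
    fi
}

# Number of assignments of KEY in FILE; exactly 1 is expected for each secret.
count_key() {
    grep -c "^$2=" "$1" || true
}

# Value of the first assignment of KEY in FILE.
value_of() {
    awk -F= -v k="$2" '$1 == k { print substr($0, length(k) + 2); exit }' "$1"
}

# Checks against a constructed fixture in DIR: credentials with mode 600 and a
# main .env that still carries a comment, a blank line and a stale
# KEYSTORE_PASSWORD. Returns 0 only if every property holds.
demo_checks() {
    local dir="$1" out="$1/run.env"
    mkdir -p "$dir/credentials"
    printf 'hash-secret-from-credentials\n' > "$dir/credentials/api_hash_secret"
    printf 'node-01\n' > "$dir/credentials/proposer_id"
    printf 'keystore-pw-from-credentials\n' > "$dir/credentials/keystore_password"
    chmod 600 "$dir"/credentials/*
    printf '%s\n' '# main config' 'LOG_LEVEL=info' '' \
        'KEYSTORE_PASSWORD=stale-from-old-config' > "$dir/aitbc.env"

    build_env_file "$dir/credentials" "$dir/aitbc.env" "$out" || return 1
    [ "$(stat -c '%a' "$out")" = 600 ] || return 1
    [ "$(count_key "$out" KEYSTORE_PASSWORD)" = 1 ] || return 1
    [ "$(value_of "$out" KEYSTORE_PASSWORD)" = keystore-pw-from-credentials ] || return 1
    [ "$(value_of "$out" LOG_LEVEL)" = info ] || return 1
    ! grep -q '^#' "$out" || return 1
    # The hook runs on every service restart: a second run must not duplicate.
    build_env_file "$dir/credentials" "$dir/aitbc.env" "$out" || return 1
    [ "$(count_key "$out" API_KEY_HASH_SECRET)" = 1 ] || return 1
    # A group-readable credential must make the whole load fail.
    chmod 640 "$dir/credentials/api_hash_secret"
    if build_env_file "$dir/credentials" "$dir/aitbc.env" "$out" 2>/dev/null; then
        return 1
    fi
}

# Run the checks in a fresh temp dir, clean up, and report the result.
run_demo() {
    local tmp status=0
    tmp=$(mktemp -d)
    demo_checks "$tmp" || status=1
    rm -rf "$tmp"
    [ "$status" = 0 ] && echo "all checks passed"
}

run_demo
```

Run it with bash; it prints "all checks passed" and exits non-zero if any property fails. The mode check is the caveat worth carrying back to the real hook: the script above trusts the contents of any file in /etc/aitbc/credentials regardless of its permissions, while the commit relies on those files being 600. Refusing a loosely permissioned credential and exiting non-zero is the safer failure, since a failing ExecStartPre= step (without the `-` prefix) stops systemd from starting the unit at all.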