tools/secretstore: decrypt secrets when requesting plaintext path

2019-04-09 13:29:21 +02:00 · 2019-04-09 13:29:21 +02:00 · c10f00b7da
parent 598a079f57
commit c10f00b7da
1 changed files with 9 additions and 2 deletions
--- a/tools/secretstore.py
+++ b/tools/secretstore.py
@ -46,13 +46,20 @@ class SecretStore(object):
        return os.path.exists(c) or os.path.exists(p)

    def plaintext(self, suffix):
-        return os.path.join(self.proot, suffix)
+        p = os.path.join(self.proot, suffix)
+        c = os.path.join(self.croot, suffix)
+
+        if not os.path.exists(p) or os.path.getctime(p) < os.path.getctime(c):
+            logger.info("Decrypting {} ({})...".format(suffix, c))
+            decrypt(c, p)
+
+        return p

    def open(self, suffix, mode, *a, **kw):
        p = os.path.join(self.proot, suffix)
        c = os.path.join(self.croot, suffix)
        if 'w' in mode:
-            return open(p, mode, *a, *kw)
+            return open(p, mode, *a, **kw)

        if not self.exists(suffix):
            raise SecretStoreMissing("Secret {} does not exist".format(suffix))