Merge branch '41-vault-implementation' into 'main'

      echo -e "[\\e[1;91mERROR\\e[0m] $*"

  }

  function fail() {

    log_error "$*"

    exit 1

  }

  function install_custom_and_default_ca_certs() {

      if [[ -z "${DEFAULT_CA_CERTS}" ]]

      then

    fi

  }

  function unscope_variables() {

    _scoped_vars=$(env | awk -F '=' "/^scoped__[a-zA-Z0-9_]+=/ {print \$1}" | sort)

    if [[ -z "$_scoped_vars" ]]; then return; fi

    log_info "Processing scoped variables..."

    for _scoped_var in $_scoped_vars

    do

      _fields=${_scoped_var//__/:}

      _condition=$(echo "$_fields" | cut -d: -f3)

      case "$_condition" in

      if) _not="";;

      ifnot) _not=1;;

      *)

        log_warn "... unrecognized condition \\e[1;91m$_condition\\e[0m in \\e[33;1m${_scoped_var}\\e[0m"

        continue

      ;;

      esac

      _target_var=$(echo "$_fields" | cut -d: -f2)

      _cond_var=$(echo "$_fields" | cut -d: -f4)

      _cond_val=$(eval echo "\$${_cond_var}")

      _test_op=$(echo "$_fields" | cut -d: -f5)

      case "$_test_op" in

      defined)

        if [[ -z "$_not" ]] && [[ -z "$_cond_val" ]]; then continue; 

        elif [[ "$_not" ]] && [[ "$_cond_val" ]]; then continue; 

        fi

        ;;

      equals|startswith|endswith|contains|in|equals_ic|startswith_ic|endswith_ic|contains_ic|in_ic)

        # comparison operator

        # sluggify actual value

        _cond_val=$(echo "$_cond_val" | tr '[:punct:]' '_')

        # retrieve comparison value

        _cmp_val_prefix="scoped__${_target_var}__${_condition}__${_cond_var}__${_test_op}__"

        _cmp_val=${_scoped_var#"$_cmp_val_prefix"}

        # manage 'ignore case'

        if [[ "$_test_op" == *_ic ]]

        then

          # lowercase everything

          _cond_val=$(echo "$_cond_val" | tr '[:upper:]' '[:lower:]')

          _cmp_val=$(echo "$_cmp_val" | tr '[:upper:]' '[:lower:]')

        fi

        case "$_test_op" in

        equals*)

          if [[ -z "$_not" ]] && [[ "$_cond_val" != "$_cmp_val" ]]; then continue; 

          elif [[ "$_not" ]] && [[ "$_cond_val" == "$_cmp_val" ]]; then continue; 

          fi

          ;;

        startswith*)

          if [[ -z "$_not" ]] && [[ "$_cond_val" != "$_cmp_val"* ]]; then continue; 

          elif [[ "$_not" ]] && [[ "$_cond_val" == "$_cmp_val"* ]]; then continue; 

          fi

          ;;

        endswith*)

          if [[ -z "$_not" ]] && [[ "$_cond_val" != *"$_cmp_val" ]]; then continue; 

          elif [[ "$_not" ]] && [[ "$_cond_val" == *"$_cmp_val" ]]; then continue; 

          fi

          ;;

        contains*)

          if [[ -z "$_not" ]] && [[ "$_cond_val" != *"$_cmp_val"* ]]; then continue; 

          elif [[ "$_not" ]] && [[ "$_cond_val" == *"$_cmp_val"* ]]; then continue; 

          fi

          ;;

        in*)

          if [[ -z "$_not" ]] && [[ "__${_cmp_val}__" != *"__${_cond_val}__"* ]]; then continue; 

          elif [[ "$_not" ]] && [[ "__${_cmp_val}__" == *"__${_cond_val}__"* ]]; then continue; 

          fi

          ;;

        esac

        ;;

      *)

        log_warn "... unrecognized test operator \\e[1;91m${_test_op}\\e[0m in \\e[33;1m${_scoped_var}\\e[0m"

        continue

        ;;

      esac

      # matches

      _val=$(eval echo "\$${_target_var}")

      log_info "... apply \\e[32m${_target_var}\\e[0m from \\e[32m\$${_scoped_var}\\e[0m${_val:+ (\\e[33;1moverwrite\\e[0m)}"

      _val=$(eval echo "\$${_scoped_var}")

      export "${_target_var}"="${_val}"

    done

    log_info "... done"

  }

  # evaluate and export a secret

  # - $1: secret variable name

  function eval_secret() {

    name=$1

    value=$(eval echo "\$${name}")

    case "$value" in

    @b64@*)

      decoded=$(mktemp)

      errors=$(mktemp)

      if echo "$value" | cut -c6- | base64 -d > "${decoded}" 2> "${errors}"

      then

        # shellcheck disable=SC2086

        export ${name}="$(cat ${decoded})"

        log_info "Successfully decoded base64 secret \\e[33;1m${name}\\e[0m"

      else

        fail "Failed decoding base64 secret \\e[33;1m${name}\\e[0m:\\n$(sed 's/^/... /g' "${errors}")"

      fi

      ;;

    @hex@*)

      decoded=$(mktemp)

      errors=$(mktemp)

      if echo "$value" | cut -c6- | sed 's/\([0-9A-F]\{2\}\)/\\\\x\1/gI' | xargs printf > "${decoded}" 2> "${errors}"

      then

        # shellcheck disable=SC2086

        export ${name}="$(cat ${decoded})"

        log_info "Successfully decoded hexadecimal secret \\e[33;1m${name}\\e[0m"

      else

        fail "Failed decoding hexadecimal secret \\e[33;1m${name}\\e[0m:\\n$(sed 's/^/... /g' "${errors}")"

      fi

      ;;

    @url@*)

      url=$(echo "$value" | cut -c6-)

      if command -v curl > /dev/null

      then

        decoded=$(mktemp)

        errors=$(mktemp)

        if curl -s -S -f --connect-timeout 5 -o "${decoded}" "$url" 2> "${errors}"

        then

          # shellcheck disable=SC2086

          export ${name}="$(cat ${decoded})"

          log_info "Successfully curl'd secret \\e[33;1m${name}\\e[0m"

        else

          log_warn "Failed getting secret \\e[33;1m${name}\\e[0m:\\n$(sed 's/^/... /g' "${errors}")"

        fi

      elif command -v wget > /dev/null

      then

        decoded=$(mktemp)

        errors=$(mktemp)

        if wget -T 5 -O "${decoded}" "$url" 2> "${errors}"

        then

          # shellcheck disable=SC2086

          export ${name}="$(cat ${decoded})"

          log_info "Successfully wget'd secret \\e[33;1m${name}\\e[0m"

        else

          log_warn "Failed getting secret \\e[33;1m${name}\\e[0m:\\n$(sed 's/^/... /g' "${errors}")"

        fi

      else

        fail "Couldn't get secret \\e[33;1m${name}\\e[0m: no http client found"

      fi

      ;;

    esac

  }

  function eval_all_secrets() {

    encoded_vars=$(env | grep -v '^scoped__' | awk -F '=' '/^[a-zA-Z0-9_]*=@(b64|hex|url)@/ {print $1}')

    for var in $encoded_vars

    do

      eval_secret "$var"

    done

  }

  unscope_variables

  eval_all_secrets

  # ENDSCRIPT