koma77/sops_merger.sh

## sops_merger.sh
#!/bin/bash
#set -x

# .gitattributes
# *.yml merge=sopsmerge
#
# .git/config
#[merge "sopsmerger"]
#  name = A custom merge driver used to resolve conflicts in sops encrypted files
#  driver = sops_merge.sh %O %A %B %P

echo ""
echo "############################"
echo "# SOPS merge driver called #"
echo "############################"
echo ""

if test "$#" -ne 4 ; then
    echo "Wrong number of parameters"
    exit 1
fi


ANCESTOR=$1
MINE=$2
MINE_COPY=$2_COPY
OTHER=$3
FILE=$4

if ! grep -P -C10000 '(sops|sops"):' $FILE | grep -q "version:"; then
    err -1 "File is not encprypted"
fi

EXT=$(echo $FILE | awk -F'.' '{ print "."$(NF) }')

TMPDIR=$(mktemp -d)

echo $TMPDIR

if ! [ -d "$TMPDIR" ] || ! [ -x "$TMPDIR" ]; then
    rmdir "${TMPDIR}"
    err -1 "Temp directory not created or not accessible"
fi

T_ANCESTOR=$TMPDIR/$(basename $ANCESTOR)$EXT
T_MINE=$TMPDIR/$(basename $MINE)$EXT
T_MINE_COPY=$TMPDIR/$(basename $MINE_COPY)$EXT
T_OTHER=$TMPDIR/$(basename $OTHER)$EXT

cleanup() {
    rm -f "$T_ANCESTOR" "$T_MINE" "$T_MINE_COPY" "$T_OTHER"
    rm -rf "$TMPDIR"
}

err() {
    if [ -n "${2}" ]; then
        echo >&2 $2
    fi
    exit $1
}

trap cleanup INT TERM EXIT

cp $ANCESTOR $T_ANCESTOR
cp $MINE $T_MINE
cp $MINE $T_MINE_COPY
cp $OTHER $T_OTHER


### decrypt
sops -d $T_ANCESTOR
[ $? -eq 0 ] || err -1 "Decryption error: Abort merge"
sops -i -d $T_MINE
[ $? -eq 0 ] || err -1 "Decryption error: Abort merge"
sops -i -d $T_OTHER
[ $? -eq 0 ] || err -1 "Decryption error: Abort merge"


git-merge-file -L "Ours" -L "Common Ancestor" -L "Theirs" ${T_MINE} ${T_ANCESTOR} ${T_OTHER}
res=$?
[ $res -ge 0 ] || err -2 "Git merge error."
[ $res -eq 3 ] && "${VISUAL:-"${EDITOR:-vi}"}" "$T_MINE" || err -2 "Editing canceled"

### encrypt by overriding decrypted content in sops editing session
MERGED=$T_MINE
export MERGED
export EDITOR='bash -c "cat $MERGED > $0"'

sops $T_MINE_COPY
[ $? -eq 0 ] || err -3 "Re-encryption error"

cp $T_MINE_COPY $MINE
	#!/bin/bash
	#set -x

	# .gitattributes
	# *.yml merge=sopsmerge
	#
	# .git/config
	#[merge "sopsmerger"]
	# name = A custom merge driver used to resolve conflicts in sops encrypted files
	# driver = sops_merge.sh %O %A %B %P

	echo ""
	echo "############################"
	echo "# SOPS merge driver called #"
	echo "############################"
	echo ""

	if test "$#" -ne 4 ; then
	echo "Wrong number of parameters"
	exit 1
	fi


	ANCESTOR=$1
	MINE=$2
	MINE_COPY=$2_COPY
	OTHER=$3
	FILE=$4

	if ! grep -P -C10000 '(sops\|sops"):' $FILE \| grep -q "version:"; then
	err -1 "File is not encprypted"
	fi

	EXT=$(echo $FILE \| awk -F'.' '{ print "."$(NF) }')

	TMPDIR=$(mktemp -d)

	echo $TMPDIR

	if ! [ -d "$TMPDIR" ] \|\| ! [ -x "$TMPDIR" ]; then
	rmdir "${TMPDIR}"
	err -1 "Temp directory not created or not accessible"
	fi

	T_ANCESTOR=$TMPDIR/$(basename $ANCESTOR)$EXT
	T_MINE=$TMPDIR/$(basename $MINE)$EXT
	T_MINE_COPY=$TMPDIR/$(basename $MINE_COPY)$EXT
	T_OTHER=$TMPDIR/$(basename $OTHER)$EXT

	cleanup() {
	rm -f "$T_ANCESTOR" "$T_MINE" "$T_MINE_COPY" "$T_OTHER"
	rm -rf "$TMPDIR"
	}

	err() {
	if [ -n "${2}" ]; then
	echo >&2 $2
	fi
	exit $1
	}

	trap cleanup INT TERM EXIT

	cp $ANCESTOR $T_ANCESTOR
	cp $MINE $T_MINE
	cp $MINE $T_MINE_COPY
	cp $OTHER $T_OTHER


	### decrypt
	sops -d $T_ANCESTOR
	[ $? -eq 0 ] \|\| err -1 "Decryption error: Abort merge"
	sops -i -d $T_MINE
	[ $? -eq 0 ] \|\| err -1 "Decryption error: Abort merge"
	sops -i -d $T_OTHER
	[ $? -eq 0 ] \|\| err -1 "Decryption error: Abort merge"


	git-merge-file -L "Ours" -L "Common Ancestor" -L "Theirs" ${T_MINE} ${T_ANCESTOR} ${T_OTHER}
	res=$?
	[ $res -ge 0 ] \|\| err -2 "Git merge error."
	[ $res -eq 3 ] && "${VISUAL:-"${EDITOR:-vi}"}" "$T_MINE" \|\| err -2 "Editing canceled"

	### encrypt by overriding decrypted content in sops editing session
	MERGED=$T_MINE
	export MERGED
	export EDITOR='bash -c "cat $MERGED > $0"'

	sops $T_MINE_COPY
	[ $? -eq 0 ] \|\| err -3 "Re-encryption error"

	cp $T_MINE_COPY $MINE