split logic for connect and service_account flows

entrypoint.sh

@@ -2,24 +2,16 @@
 # shellcheck disable=SC2046,SC2001,SC2086
 set -e
 
-# Install op-cli
-if [[ "$OSTYPE" == "linux-gnu"* ]]; then
-  curl -sSfLo op.zip "https://bucket.agilebits.com/cli-private-beta/v2/op_linux_amd64_v2-alpha2.zip"
-elif [[ "$OSTYPE" == "darwin"* ]]; then
-  curl -sSfLo op.zip "https://bucket.agilebits.com/cli-private-beta/v2/op_darwin_amd64_v2-alpha2.zip"
-fi
-unzip -od /usr/local/bin/ op.zip && rm op.zip
-
-if [ -z "$OP_CONNECT_TOKEN" ] || [ -z "$OP_CONNECT_HOST" ]; then
-  echo "\$OP_CONNECT_TOKEN and \$OP_CONNECT_HOST must be set"
-  exit 1
-fi
+readonly CONNECT="CONNECT"
+readonly SERVICE_ACCOUNT="SERVICE_ACCOUNT"
 
+auth_type=$CONNECT
 managed_variables_var="OP_MANAGED_VARIABLES"
-IFS=',' read -r -a managed_variables <<< "$(printenv $managed_variables_var)"
+IFS=','
 
 # Unset all secrets managed by 1Password if `unset-previous` is set.
-if [ "$INPUT_UNSET_PREVIOUS" == "true" ]; then
+unset_prev_secrets() {
+  if [ "$INPUT_UNSET_PREVIOUS" == "true" ]; then
     echo "Unsetting previous values..."
 
     # Find environment variables that are managed by 1Password.
@@ -33,12 +25,24 @@ if [ "$INPUT_UNSET_PREVIOUS" == "true" ]; then
     done
 
     managed_variables=()
-fi
+  fi
+}
+
+# Install op-cli
+install_op_cli() {
+  if [[ "$OSTYPE" == "linux-gnu"* ]]; then
+    curl -sSfLo op.zip "https://bucket.agilebits.com/cli-private-beta/v2/op_linux_amd64_v2-alpha2.zip"
+  elif [[ "$OSTYPE" == "darwin"* ]]; then
+    curl -sSfLo op.zip "https://bucket.agilebits.com/cli-private-beta/v2/op_darwin_amd64_v2-alpha2.zip"
+  fi
+  unzip -od /usr/local/bin/ op.zip && rm op.zip
+}
 
 # Iterate over environment varables to find 1Password references, load the secret values, 
 # and make them available as environment variables in the next steps.
-IFS=$'\n'
-for env_var in $(op env ls); do
+extract_from_op_env() {
+  IFS=$'\n'
+  for env_var in $(op env ls); do
     ref=$(printenv $env_var)
 
     echo "Populating variable: $env_var"
@@ -75,8 +79,6 @@ for env_var in $(op env ls); do
         echo "${random_heredoc_identifier}"
       } >> $GITHUB_ENV
 
-    managed_variables+=("$env_var")
-
     else
       # Prepare the secret_value to be outputed properly (especially multiline secrets)
       secret_value=$(echo "$secret_value" | awk -v ORS='%0A' '1')
@@ -84,8 +86,33 @@ for env_var in $(op env ls); do
       echo "::set-output name=$env_var::$secret_value"
     fi
 
-done
-unset IFS
+  managed_variables+=("$env_var")
+
+  done
+  unset IFS
+}
+
+read -r -a managed_variables <<< "$(printenv $managed_variables_var)"
+
+if [ -z "$OP_CONNECT_TOKEN" ] || [ -z "$OP_CONNECT_HOST" ]; then
+  if [ -z "$OP_SERVICE_ACCOUNT_TOKEN" ]; then
+    echo "(\$OP_CONNECT_TOKEN and \$OP_CONNECT_HOST) or \$OP_SERVICE_ACCOUNT_TOKEN must be set"
+    exit 1
+  fi
+
+  auth_type=$SERVICE_ACCOUNT
+fi
+
+printf "Authenticated with %s \n" $auth_type
+
+unset_prev_secrets
+
+if [ "$auth_type" == "$SERVICE_ACCOUNT" ]; then
+  install_op_cli
+  extract_from_op_env
+elif [ "$auth_type" == "$CONNECT" ]; then
+  echo "Fetch via connect"
+fi
 
 # Add extra env var that lists which secrets are managed by 1Password so that in a later step
 # these can be unset again.