# Setup-LiveProbeEnv.ps1 — populate the env vars the mxaccess Rust port's # `live`-feature integration tests and probes expect, fetching credentials # from the homelab Infisical instance via wwtools/secrets/Get-Secret.ps1. # # Usage: # . .\tools\Setup-LiveProbeEnv.ps1 # dot-source — env vars persist in the calling session # . .\tools\Setup-LiveProbeEnv.ps1 -SkipAsbSecret # no Infisical lookup for ASB shared secret (CI/dev fallback) # .\tools\Setup-LiveProbeEnv.ps1 -DryRun # print what would be set without exporting # # Hard rules (per design/00-overview.md "Adjacent tooling" section): # - Credentials are fetched via `wwtools\secrets\Get-Secret.ps1`, which logs # into Infisical fresh on each call (DPAPI session storage doesn't survive # non-interactive contexts). # - We never inline plaintext secrets here. New AVEVA-specific secrets go # into Infisical at `homelab/aveva/system-platform/` (suggested path). # - Sets `MX_LIVE=1` to enable the `live` feature gate in cargo tests. # # Env vars set: # MX_LIVE — "1", enables the `live` cargo feature # MX_NMX_HOST — NMX hostname (default: localhost) # MX_GALAXY_DB — tiberius / SQL Server connection string with integrated security # MX_GALAXY_NAME — Galaxy name (default: $env:MX_GALAXY_NAME or 'ZB' from wwtools/grdb) # MX_TEST_USER — fetched from Infisical: homelab/infrastructure/windows-hosts/WW_VM_ADMIN_USER # MX_TEST_DOMAIN — fetched from Infisical: ...WW_VM_ADMIN_DOMAIN # MX_TEST_PASSWORD — fetched from Infisical: ...WW_VM_ADMIN_PWD # MX_ASB_SHARED_SECRET — fetched from Infisical: homelab/aveva/system-platform/ASB_SHARED_SECRET # (TODO: add this entry to Infisical — currently optional with -SkipAsbSecret) [CmdletBinding()] param( [string]$NmxHost = 'localhost', [string]$GalaxyName = $(if ($env:MX_GALAXY_NAME) { $env:MX_GALAXY_NAME } else { 'ZB' }), [string]$GalaxyServer = 'localhost', [switch]$SkipAsbSecret, [switch]$DryRun ) $ErrorActionPreference = 'Stop' $GetSecret = 'C:\Users\dohertj2\Desktop\wwtools\secrets\Get-Secret.ps1' if (-not (Test-Path $GetSecret)) { throw "Get-Secret.ps1 not found at $GetSecret. wwtools must be installed at C:\Users\dohertj2\Desktop\wwtools per design/00-overview.md 'Adjacent tooling' section." } # Hydrate User-scope env vars into Process scope. Necessary in non-interactive # contexts (Bash → pwsh, scheduled tasks, CI runners) where the User-scope # block from HKCU\Environment is not auto-merged into the process env. foreach ($name in @('INFISICAL_API_URL','INFISICAL_UNIVERSAL_AUTH_CLIENT_ID','INFISICAL_UNIVERSAL_AUTH_CLIENT_SECRET')) { if (-not (Get-Item -Path "Env:$name" -ErrorAction SilentlyContinue)) { $userValue = [Environment]::GetEnvironmentVariable($name, 'User') if ($userValue) { Set-Item -Path "Env:$name" -Value $userValue } } } function Set-LiveEnvVar { param([string]$Name, [string]$Value, [switch]$Sensitive) $display = if ($Sensitive) { '***redacted***' } else { $Value } if ($DryRun) { Write-Host "[DRY] $Name = $display" -ForegroundColor Yellow } else { Set-Item -Path "Env:$Name" -Value $Value Write-Host "[SET] $Name = $display" -ForegroundColor Green } } function Get-InfisicalSecret { param([string]$Key, [string]$Env = 'infrastructure', [string]$Path = '/windows-hosts') try { $value = & $GetSecret -Key $Key -Env $Env -Path $Path 2>&1 if ($LASTEXITCODE -ne 0 -or -not $value) { throw "Get-Secret returned empty for $Env$Path/$Key (exit code $LASTEXITCODE)" } # The infisical CLI occasionally writes an upgrade-available banner # ("A new release of infisical is available: ...") to stderr; the # `2>&1` redirect above merges it into the value stream. Filter # those banner lines so they don't pollute the returned secret. # Take the last non-empty, non-banner line — the actual secret # value is always the final line of `infisical secrets get --plain`. $clean = ($value | Out-String) -split "(`r`n|`n)" | ForEach-Object { $_.Trim() } | Where-Object { $_ -and ($_ -notmatch '^A new release of infisical is available') -and ($_ -notmatch '^Please upgrade ') } if (-not $clean) { throw "Get-Secret produced no usable line for $Env$Path/$Key after banner filtering" } return ($clean | Select-Object -Last 1) } catch { throw "Failed to fetch $Env$Path/$Key from Infisical: $_" } } Write-Host "mxaccess live-probe env setup" -ForegroundColor Cyan Write-Host " source: wwtools/secrets/Get-Secret.ps1 -> https://infisical.dohertylan.com" -ForegroundColor DarkGray Write-Host "" # Non-secret env vars Set-LiveEnvVar -Name 'MX_LIVE' -Value '1' Set-LiveEnvVar -Name 'MX_NMX_HOST' -Value $NmxHost Set-LiveEnvVar -Name 'MX_GALAXY_NAME' -Value $GalaxyName $galaxyDb = "Server=$GalaxyServer;Database=$GalaxyName;Integrated Security=True;TrustServerCertificate=True" Set-LiveEnvVar -Name 'MX_GALAXY_DB' -Value $galaxyDb # Secret-backed env vars Write-Host "" Write-Host "Fetching credentials from Infisical..." -ForegroundColor Cyan $user = Get-InfisicalSecret -Key 'WW_VM_ADMIN_USER' Set-LiveEnvVar -Name 'MX_TEST_USER' -Value $user $domain = Get-InfisicalSecret -Key 'WW_VM_ADMIN_DOMAIN' Set-LiveEnvVar -Name 'MX_TEST_DOMAIN' -Value $domain $password = Get-InfisicalSecret -Key 'WW_VM_ADMIN_PWD' Set-LiveEnvVar -Name 'MX_TEST_PASSWORD' -Value $password -Sensitive if ($SkipAsbSecret) { Write-Host "[SKIP] MX_ASB_SHARED_SECRET (use AsbCredentials::shared_secret(&[u8]) constructor or set manually)" -ForegroundColor Yellow } else { try { $asbSecret = Get-InfisicalSecret -Key 'ASB_SHARED_SECRET' -Env 'aveva' -Path '/system-platform' Set-LiveEnvVar -Name 'MX_ASB_SHARED_SECRET' -Value $asbSecret -Sensitive } catch { Write-Warning "MX_ASB_SHARED_SECRET not yet in Infisical. Add it at homelab/aveva/system-platform/ASB_SHARED_SECRET, or rerun with -SkipAsbSecret. Underlying error: $_" Set-LiveEnvVar -Name 'MX_ASB_SHARED_SECRET' -Value '' -Sensitive } } Write-Host "" Write-Host "Done. Live-probe env is ready." -ForegroundColor Green Write-Host " Run cargo tests with the 'live' feature: cargo test -p mxaccess --features live -- --ignored" -ForegroundColor DarkGray Write-Host " Run a probe example: cargo run -p mxaccess --example session-write" -ForegroundColor DarkGray