From 7dfd58a4051152467e8b9a7fb4c199c42af6e0b4 Mon Sep 17 00:00:00 2001
From: Frederic Gurr
Date: Fri, 20 Mar 2026 14:49:32 +0100
Subject: [PATCH 1/2] Optionally read VAULT_PASSWORD from .vaulctl file
---
 secretsmanager/vaultctl.sh | 35 +++++++++++++++++++++++++++++++++--
 1 file changed, 33 insertions(+), 2 deletions(-)
diff --git a/secretsmanager/vaultctl.sh b/secretsmanager/vaultctl.sh
index 68dda93..100d5bd 100755
--- a/secretsmanager/vaultctl.sh
+++ b/secretsmanager/vaultctl.sh
@@ -115,6 +115,26 @@ load_username_from_config() {
 return 1
 }
+# Load password from config
+load_password_from_config() {
+ if [[ -f "$CONFIG_FILE" ]]; then
+ # Safely parse VAULT_PASSWORD from config without executing the file
+ local line password
+ line="$(grep -m1 '^VAULT_PASSWORD=' "$CONFIG_FILE" 2>/dev/null || true)"
+ if [[ -n "$line" ]]; then
+ password="${line#VAULT_PASSWORD=}"
+ # Remove optional surrounding double quotes
+ password="${password%\"}"
+ password="${password#\"}"
+ if [[ -n "$password" ]]; then
+ VAULT_PASSWORD="$password"
+ return 0
+ fi
+ fi
+ fi
+ return 1
+}
+
 # Save username to config
 save_username_to_config() {
 local username="$1"
@@ -159,8 +179,19 @@ get_vault_username() {
 vault_ldap_login() {
 log_info "Logging in to Vault using LDAP method..."
 log_info "Vault address: $VAULT_ADDR"
-
- if vault login -method=ldap -address="$VAULT_ADDR" username="$VAULT_USERNAME" >/dev/null; then
+
+ local password_argument=""
+ # Try to load from config
+ if load_password_from_config; then
+ log_info "Using saved password."
+ return 0
+ fi
+
+ if [[ -n $VAULT_PASSWORD ]]; then
+ password_argument="password=$VAULT_PASSWORD"
+ fi
+
+ if vault login -method=ldap -address="$VAULT_ADDR" username="$VAULT_USERNAME" $password_argument >/dev/null; then
 log_success "Vault login successful"
 # Load the token that was just saved
From d3dfbb591618fc77802c35469f826daf2e3c909a Mon Sep 17 00:00:00 2001
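Review bot: load_password_from_config reads a plaintext credential out of $CONFIG_FILE without checking who else can read that file, so a group- or world-readable config silently hands the LDAP password to every local user. A mode check before the grep, refusing anything other than owner-only access the way ssh treats private keys, is cheap and is what an operator expects once a script starts storing passwords. The quote stripping on the two `password="${password%\"}"` / `password="${password#\"}"` lines is also asymmetric: a value that merely ends in a double quote loses its last character, so the strip should only happen when both quotes are present. CONFIG_FILE is defined outside this hunk, and the script's warn-level logger (if it has one) is not visible here, so the example writes to stderr directly.
```shell
load_password_from_config() {
    if [[ -f "$CONFIG_FILE" ]]; then
        # Refuse a secrets file other users can read; expect 0600/0400 (GNU stat, then BSD stat).
        local mode
        mode="$(stat -c '%a' "$CONFIG_FILE" 2>/dev/null || stat -f '%Lp' "$CONFIG_FILE" 2>/dev/null || true)"
        if [[ -n "$mode" && "${mode: -2}" != "00" ]]; then
            printf 'Ignoring VAULT_PASSWORD in %s: mode %s is readable by others, run chmod 600 on it\n' "$CONFIG_FILE" "$mode" >&2
            return 1
        fi
        # … unchanged: grep for VAULT_PASSWORD= and strip the key prefix …
            # Strip surrounding double quotes only when both are present
            if [[ ${#password} -ge 2 && "$password" == \"*\" ]]; then
                password="${password#\"}"
                password="${password%\"}"
            fi
        # … unchanged: non-empty check, assignment to VAULT_PASSWORD, return codes …
```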
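Review bot: `$password_argument` is expanded unquoted on the new `vault login` line, so a password containing whitespace is split into several arguments and one containing `*` or `?` goes through pathname expansion before it reaches Vault; the login then fails, or sends a mangled credential. Build the optional argument as an array instead: `local -a login_args=()`, then `[[ -n "$VAULT_PASSWORD" ]] && login_args+=("password=$VAULT_PASSWORD")`, and pass `"${login_args[@]}"` on the command line, which expands to nothing when the array is empty. Separately, a `password=…` argument is visible to every local user through `ps` and `/proc/<pid>/cmdline` for as long as the CLI runs, and to any `set -x` trace of this script; if that matters on shared hosts, submitting the LDAP login through the HTTP API with the body on stdin avoids it. The body of vault_ldap_login continues past the end of this hunk.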
From: Frederic Gurr
Date: Fri, 20 Mar 2026 15:24:36 +0100
Subject: [PATCH 2/2] Remove return statement and fix order of arguments in vault login call
---
 secretsmanager/vaultctl.sh | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/secretsmanager/vaultctl.sh b/secretsmanager/vaultctl.sh
index 100d5bd..bd211fc 100755
--- a/secretsmanager/vaultctl.sh
+++ b/secretsmanager/vaultctl.sh
@@ -184,14 +184,13 @@ vault_ldap_login() {
 # Try to load from config
 if load_password_from_config; then
 log_info "Using saved password."
- return 0
 fi
 if [[ -n $VAULT_PASSWORD ]]; then
 password_argument="password=$VAULT_PASSWORD"
 fi
- if vault login -method=ldap -address="$VAULT_ADDR" username="$VAULT_USERNAME" $password_argument >/dev/null; then
+ if vault login -address="$VAULT_ADDR" -method=ldap username="$VAULT_USERNAME" $password_argument; then
 log_success "Vault login successful"
 # Load the token that was just saved
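Review bot: Dropping `>/dev/null` on the rewritten `vault login` line means the CLI's default success output, which includes the newly issued token and its accessor, is now written to the script's stdout and so ends up in terminal scrollback and in any CI log that captures it. The `# Load the token that was just saved` comment a few lines down shows the script reloads the token from the token helper anyway, so printing it adds nothing; if the redirect was removed so the interactive password prompt becomes visible, `-no-print` on the Vault CLI's `login` command keeps the prompt while suppressing the token: `if vault login -no-print -address="$VAULT_ADDR" -method=ldap username="$VAULT_USERNAME" $password_argument; then`. The unquoted `$password_argument` is carried over unchanged from the previous commit and still word-splits and globs a password containing spaces or wildcard characters. The body of vault_ldap_login continues beyond this hunk.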