Merge pull request #1567 from capripot/add_all_fields_one_password_retrieval

feat: Add allowing retrieving all fields for an item
2025-06-17 11:22:10 +01:00
parent 5aa3f7bd4c cbf94fa7f5
commit 4b0afdf42b
2 changed files with 97 additions and 11 deletions
--- a/lib/kamal/secrets/adapters/one_password.rb
+++ b/lib/kamal/secrets/adapters/one_password.rb
@@ -16,10 +16,12 @@ class Kamal::Secrets::Adapters::OnePassword < Kamal::Secrets::Adapters::Base
    end

    def fetch_secrets(secrets, from:, account:, session:)
+      return fetch_all_secrets(from: from, account: account, session: session) if secrets.blank?
+
      {}.tap do |results|
        vaults_items_fields(prefixed_secrets(secrets, from: from)).map do |vault, items|
          items.each do |item, fields|
-            fields_json = JSON.parse(op_item_get(vault, item, fields, account: account, session: session))
+            fields_json = JSON.parse(op_item_get(vault, item, fields: fields, account: account, session: session))
            fields_json = [ fields_json ] if fields.one?

            fields_json.each do |field_json|
@@ -32,6 +34,23 @@ class Kamal::Secrets::Adapters::OnePassword < Kamal::Secrets::Adapters::Base
      end
    end

+    def fetch_all_secrets(from:, account:, session:)
+      {}.tap do |results|
+        vault_items(from).map do |vault, items|
+          items.each do |item|
+
+            fields_json = JSON.parse(op_item_get(vault, item, account: account, session: session)).fetch("fields")
+
+            fields_json.each do |field_json|
+              # The reference is in the form `op://vault/item/field[/field]`
+              field = field_json["reference"].delete_prefix("op://").delete_suffix("/password")
+              results[field] = field_json["value"]
+            end
+          end
+        end
+      end
+    end
+
    def to_options(**options)
      optionize(options.compact).join(" ")
    end
@@ -50,12 +69,22 @@ class Kamal::Secrets::Adapters::OnePassword < Kamal::Secrets::Adapters::Base
      end
    end

-    def op_item_get(vault, item, fields, account:, session:)
-      labels = fields.map { |field| "label=#{field}" }.join(",")
-      options = to_options(vault: vault, fields: labels, format: "json", account: account, session: session.presence)
+    def vault_items(from)
+      from = from.delete_prefix("op://")
+      vault, item = from.split("/")
+      { vault => [ item ]}
+    end

-      `op item get #{item.shellescape} #{options}`.tap do
-        raise RuntimeError, "Could not read #{fields.join(", ")} from #{item} in the #{vault} 1Password vault" unless $?.success?
+    def op_item_get(vault, item, fields: nil, account:, session:)
+      options = { vault: vault, format: "json", account: account, session: session.presence }
+
+      if fields.present?
+        labels = fields.map { |field| "label=#{field}" }.join(",")
+        options.merge!(fields: labels)
+      end
+
+      `op item get #{item.shellescape} #{to_options(**options)}`.tap do
+        raise RuntimeError, "Could not read from #{item} in the #{vault} 1Password vault" unless $?.success?
      end
    end