spacebar/kamal
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge pull request #1360 from basecamp/secret-adapter-tidy

Browse Source 
Secret adapter tidy
This commit is contained in:
Donal McBreen
2025-01-17 13:01:21 +00:00
committed by GitHub
parent 93133cd7a9 9f1688da7a
commit 85c1c47c2f
13 changed files with 58 additions and 53 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
lib/kamal/secrets/adapters/aws_secrets_manager.rb
View File

@@ -4,9 +4,9 @@ class Kamal::Secrets::Adapters::AwsSecretsManager < Kamal::Secrets::Adapters::Ba
nil
end
def fetch_secrets(secrets, account:, session:)
def fetch_secrets(secrets, from:, account:, session:)
{}.tap do |results|
get_from_secrets_manager(secrets, account: account).each do |secret|
get_from_secrets_manager(prefixed_secrets(secrets, from: from), account: account).each do |secret|
secret_name = secret["Name"]
secret_string = JSON.parse(secret["SecretString"])

7
lib/kamal/secrets/adapters/base.rb
View File

@@ -7,8 +7,7 @@ class Kamal::Secrets::Adapters::Base
check_dependencies!
session = login(account)
full_secrets = secrets.map { |secret| [ from, secret ].compact.join("/") }
fetch_secrets(full_secrets, account: account, session: session)
fetch_secrets(secrets, from: from, account: account, session: session)
end
def requires_account?
@@ -27,4 +26,8 @@ class Kamal::Secrets::Adapters::Base
def check_dependencies!
raise NotImplementedError
end
def prefixed_secrets(secrets, from:)
secrets.map { |secret| [ from, secret ].compact.join("/") }
end
end

4
lib/kamal/secrets/adapters/bitwarden.rb
View File

@@ -21,9 +21,9 @@ class Kamal::Secrets::Adapters::Bitwarden < Kamal::Secrets::Adapters::Base
session
end
def fetch_secrets(secrets, account:, session:)
def fetch_secrets(secrets, from:, account:, session:)
{}.tap do |results|
items_fields(secrets).each do |item, fields|
items_fields(prefixed_secrets(secrets, from: from)).each do |item, fields|
item_json = run_command("get item #{item.shellescape}", session: session, raw: true)
raise RuntimeError, "Could not read #{item} from Bitwarden" unless $?.success?
item_json = JSON.parse(item_json)

25
lib/kamal/secrets/adapters/bitwarden_secrets_manager.rb
View File

@@ -9,22 +9,16 @@ class Kamal::Secrets::Adapters::BitwardenSecretsManager < Kamal::Secrets::Adapte
LIST_COMMAND = "secret list -o env"
GET_COMMAND = "secret get -o env"
def fetch_secrets(secrets, account:, session:)
def fetch_secrets(secrets, from:, account:, session:)
raise RuntimeError, "You must specify what to retrieve from Bitwarden Secrets Manager" if secrets.length == 0
if secrets.length == 1
if secrets[0] == LIST_ALL_SELECTOR
command = LIST_COMMAND
elsif secrets[0].end_with?(LIST_ALL_FROM_PROJECT_SUFFIX)
project = secrets[0].split(LIST_ALL_FROM_PROJECT_SUFFIX).first
command = "#{LIST_COMMAND} #{project}"
end
end
secrets = prefixed_secrets(secrets, from: from)
command, project = extract_command_and_project(secrets)
{}.tap do |results|
if command.nil?
secrets.each do |secret_uuid|
secret = run_command("#{GET_COMMAND} #{secret_uuid}")
secret = run_command("#{GET_COMMAND} #{secret_uuid.shellescape}")
raise RuntimeError, "Could not read #{secret_uuid} from Bitwarden Secrets Manager" unless $?.success?
key, value = parse_secret(secret)
results[key] = value
@@ -40,6 +34,17 @@ class Kamal::Secrets::Adapters::BitwardenSecretsManager < Kamal::Secrets::Adapte
end
end
def extract_command_and_project(secrets)
if secrets.length == 1
if secrets[0] == LIST_ALL_SELECTOR
[ LIST_COMMAND, nil ]
elsif secrets[0].end_with?(LIST_ALL_FROM_PROJECT_SUFFIX)
project = secrets[0].split(LIST_ALL_FROM_PROJECT_SUFFIX).first
[ "#{LIST_COMMAND} #{project.shellescape}", project ]
end
end
end
def parse_secret(secret)
key, value = secret.split("=", 2)
value = value.gsub(/^"|"$/, "")

26
lib/kamal/secrets/adapters/doppler.rb
View File

@@ -16,8 +16,21 @@ class Kamal::Secrets::Adapters::Doppler < Kamal::Secrets::Adapters::Base
$?.success?
end
def fetch_secrets(secrets, **)
project_and_config_flags = ""
def fetch_secrets(secrets, from:, **)
secrets = prefixed_secrets(secrets, from: from)
flags = secrets_get_flags(secrets)
secret_names = secrets.collect { |s| s.split("/").last }
items = `doppler secrets get #{secret_names.map(&:shellescape).join(" ")} --json #{flags}`
raise RuntimeError, "Could not read #{secrets} from Doppler" unless $?.success?
items = JSON.parse(items)
items.transform_values { |value| value["computed"] }
end
def secrets_get_flags(secrets)
unless service_token_set?
project, config, _ = secrets.first.split("/")
@@ -27,15 +40,6 @@ class Kamal::Secrets::Adapters::Doppler < Kamal::Secrets::Adapters::Base
project_and_config_flags = "-p #{project.shellescape} -c #{config.shellescape}"
end
secret_names = secrets.collect { |s| s.split("/").last }
items = `doppler secrets get #{secret_names.map(&:shellescape).join(" ")} --json #{project_and_config_flags}`
raise RuntimeError, "Could not read #{secrets} from Doppler" unless $?.success?
items = JSON.parse(items)
items.transform_values { |value| value["computed"] }
end
def service_token_set?

13
lib/kamal/secrets/adapters/enpass.rb
View File

@@ -9,16 +9,15 @@
# Fetch only DB_PASSWORD from FooBar item
# `kamal secrets fetch --adapter enpass --from /Users/YOUR_USERNAME/Library/Containers/in.sinew.Enpass-Desktop/Data/Documents/Vaults/primary FooBar/DB_PASSWORD`
class Kamal::Secrets::Adapters::Enpass < Kamal::Secrets::Adapters::Base
def fetch(secrets, account: nil, from:)
check_dependencies!
fetch_secrets(secrets, from)
def requires_account?
false
end
private
def fetch_secrets(secrets, vault)
def fetch_secrets(secrets, from:, account:, session:)
secrets_titles = fetch_secret_titles(secrets)
result = `enpass-cli -json -vault #{vault.shellescape} show #{secrets_titles.map(&:shellescape).join(" ")}`.strip
result = `enpass-cli -json -vault #{from.shellescape} show #{secrets_titles.map(&:shellescape).join(" ")}`.strip
parse_result_and_take_secrets(result, secrets)
end
@@ -32,6 +31,10 @@ class Kamal::Secrets::Adapters::Enpass < Kamal::Secrets::Adapters::Base
$?.success?
end
def login(account)
nil
end
def fetch_secret_titles(secrets)
secrets.reduce(Set.new) do |secret_titles, secret|
# Sometimes secrets contain a '/', when the intent is to fetch a single password for an item. Example: FooBar/DB_PASSWORD

8
lib/kamal/secrets/adapters/gcp_secret_manager.rb
View File

@@ -18,19 +18,19 @@ class Kamal::Secrets::Adapters::GcpSecretManager < Kamal::Secrets::Adapters::Bas
# - "default|my-service-user@example.com" will use the default user, and enable service account impersonation as my-service-user
# - "default|my-service-user@example.com,another-service-user@example.com" same as above, but with an impersonation delegation chain
if !logged_in?
unless logged_in?
`gcloud auth login`
raise RuntimeError, "gcloud is not authenticated, please run `gcloud auth login`" if !logged_in?
raise RuntimeError, "could not login to gcloud" unless logged_in?
end
nil
end
def fetch_secrets(secrets, account:, session:)
def fetch_secrets(secrets, from:, account:, session:)
user, service_account = parse_account(account)
{}.tap do |results|
secrets_with_metadata(secrets).each do |secret, (project, secret_name, secret_version)|
secrets_with_metadata(prefixed_secrets(secrets, from: from)).each do |secret, (project, secret_name, secret_version)|
item_name = "#{project}/#{secret_name}"
results[item_name] = fetch_secret(project, secret_name, secret_version, user, service_account)
raise RuntimeError, "Could not read #{item_name} from Google Secret Manager" unless $?.success?

3
lib/kamal/secrets/adapters/last_pass.rb
View File

@@ -11,7 +11,8 @@ class Kamal::Secrets::Adapters::LastPass < Kamal::Secrets::Adapters::Base
`lpass status --color never`.strip == "Logged in as #{account}."
end
def fetch_secrets(secrets, account:, session:)
def fetch_secrets(secrets, from:, account:, session:)
secrets = prefixed_secrets(secrets, from: from)
items = `lpass show #{secrets.map(&:shellescape).join(" ")} --json`
raise RuntimeError, "Could not read #{secrets} from LastPass" unless $?.success?

4
lib/kamal/secrets/adapters/one_password.rb
View File

@@ -15,9 +15,9 @@ class Kamal::Secrets::Adapters::OnePassword < Kamal::Secrets::Adapters::Base
$?.success?
end
def fetch_secrets(secrets, account:, session:)
def fetch_secrets(secrets, from:, account:, session:)
{}.tap do |results|
vaults_items_fields(secrets).map do |vault, items|
vaults_items_fields(prefixed_secrets(secrets, from: from)).map do |vault, items|
items.each do |item, fields|
fields_json = JSON.parse(op_item_get(vault, item, fields, account: account, session: session))
fields_json = [ fields_json ] if fields.one?

4
lib/kamal/secrets/adapters/test.rb
View File

@@ -4,8 +4,8 @@ class Kamal::Secrets::Adapters::Test < Kamal::Secrets::Adapters::Base
true
end
def fetch_secrets(secrets, account:, session:)
secrets.to_h { |secret| [ secret, secret.reverse ] }
def fetch_secrets(secrets, from:, account:, session:)
prefixed_secrets(secrets, from: from).to_h { |secret| [ secret, secret.reverse ] }
end
def check_dependencies!

5
lib/kamal/secrets/adapters/test_optional_account.rb
View File

@@ -1,5 +0,0 @@
class Kamal::Secrets::Adapters::TestOptionalAccount < Kamal::Secrets::Adapters::Test
def requires_account?
false
end
end

6
test/cli/secrets_test.rb
View File

@@ -13,12 +13,6 @@ class CliSecretsTest < CliTestCase
run_command("fetch", "foo", "bar", "baz", "--adapter", "test")
end
test "fetch without required --account" do
assert_equal \
"\\{\\\"foo\\\":\\\"oof\\\",\\\"bar\\\":\\\"rab\\\",\\\"baz\\\":\\\"zab\\\"\\}",
run_command("fetch", "foo", "bar", "baz", "--adapter", "test_optional_account")
end
test "extract" do
assert_equal "oof", run_command("extract", "foo", "{\"foo\":\"oof\", \"bar\":\"rab\", \"baz\":\"zab\"}")
end

2
test/secrets/gcp_secret_manager_adapter_test.rb
View File

@@ -23,7 +23,7 @@ class GcpSecretManagerAdapterTest < SecretAdapterTestCase
JSON.parse(shellunescape(run_command("fetch", "mypassword")))
end
assert_match(/not authenticated/, error.message)
assert_match(/could not login to gcloud/, error.message)
end
test "fetch with from" do