From 8d7a6403b5b2355e57e6f94f915f9f508043c6f1 Mon Sep 17 00:00:00 2001 From: Aleksandr Lossenko Date: Thu, 7 Nov 2024 17:44:28 +0100 Subject: [PATCH] enpass-cli now has JSON support --- lib/kamal/secrets/adapters/enpass.rb | 35 ++++++++-------- test/secrets/enpass_adapter_test.rb | 60 +++++++++++++++------------- 2 files changed, 52 insertions(+), 43 deletions(-) diff --git a/lib/kamal/secrets/adapters/enpass.rb b/lib/kamal/secrets/adapters/enpass.rb index 61636032..773d1418 100644 --- a/lib/kamal/secrets/adapters/enpass.rb +++ b/lib/kamal/secrets/adapters/enpass.rb @@ -15,10 +15,9 @@ class Kamal::Secrets::Adapters::Enpass < Kamal::Secrets::Adapters::Base secrets_titles = fetch_secret_titles(secrets) # Enpass outputs result as stderr, I did not find a way to stub backticks and output to stderr. Open3 did the job. - _stdout, stderr, status = Open3.capture3("enpass-cli -vault #{account.shellescape} show #{secrets_titles.map(&:shellescape).join(" ")}") - raise RuntimeError, "Could not read #{secrets} from Enpass" unless status.success? + result = `enpass-cli -json -vault #{account.shellescape} show #{secrets.map(&:shellescape).join(" ")}`.strip - parse_result_and_take_secrets(stderr, secrets) + parse_result_and_take_secrets(result, secrets) end def check_dependencies! @@ -31,32 +30,36 @@ class Kamal::Secrets::Adapters::Enpass < Kamal::Secrets::Adapters::Base end def fetch_secret_titles(secrets) - secrets.reduce(Set.new) do |acc, secret| - # Sometimes secrets contain a '/', sometimes not + secrets.reduce(Set.new) do |secret_titles, secret| + # Sometimes secrets contain a '/', when the intent is to fetch a single password for an item. Example: FooBar/DB_PASSWORD + # Another case is, when the intent is to fetch all passwords for an item. Example: FooBar (and FooBar may have multiple different passwords) key, separator, value = secret.rpartition("/") if key.empty? - acc << value + secret_titles << value else - acc << key + secret_titles << key end end.to_a end def parse_result_and_take_secrets(unparsed_result, secrets) - unparsed_result.split("\n").reduce({}) do |acc, line| - title = line[/title:\s{1}(\w+)/, 1] - label = line[/label:\s{1}(.*?)\s{2}/, 1] - password = line[/password:\s{1}([^"]+)/, 1] + result = JSON.parse(unparsed_result) + + result.reduce({}) do |secrets_with_passwords, item| + title = item["title"] + label = item["label"] + password = item["password"] + + if title && password.present? + key = [ title, label ].compact.reject(&:empty?).join("/") - if title && !password.to_s.empty? - key = label.nil? || label.empty? ? title : "#{title}/#{label}" if secrets.include?(title) || secrets.include?(key) - raise RuntimeError, "#{key} is present more than once" if acc[key] - acc[key] = password + raise RuntimeError, "#{key} is present more than once" if secrets_with_passwords[key] + secrets_with_passwords[key] = password end end - acc + secrets_with_passwords end end end diff --git a/test/secrets/enpass_adapter_test.rb b/test/secrets/enpass_adapter_test.rb index d64bb6f6..852c7c9b 100644 --- a/test/secrets/enpass_adapter_test.rb +++ b/test/secrets/enpass_adapter_test.rb @@ -18,11 +18,11 @@ class EnpassAdapterTest < SecretAdapterTestCase test "fetch one item" do stub_ticks_with("enpass-cli version 2> /dev/null") - stderr_response = <<~RESULT - time="2024-11-03T13:34:39+01:00" level=info msg="> title: FooBar login: cat.: computer label: SECRET_1 password: my-password-1 - RESULT - - Open3.stubs(:capture3).returns([ "", stderr_response, OpenStruct.new(success?: true) ]) + stub_ticks + .with("enpass-cli -json -vault vault-path show FooBar/SECRET_1") + .returns(<<~JSON) + [{"category":"computer","label":"SECRET_1","login":"","password":"my-password-1","title":"FooBar","type":"password"}] + JSON json = JSON.parse(shellunescape(run_command("fetch", "FooBar/SECRET_1"))) @@ -34,13 +34,15 @@ class EnpassAdapterTest < SecretAdapterTestCase test "fetch multiple items" do stub_ticks_with("enpass-cli version 2> /dev/null") - stderr_response = <<~RESULT - time="2024-11-03T13:34:39+01:00" level=info msg="> title: FooBar login: cat.: computer label: SECRET_1 password: my-password-1 - time="2024-11-03T13:34:39+01:00" level=info msg="> title: FooBar login: cat.: computer label: SECRET_2 password: my-password-2 - time="2024-11-03T13:34:39+01:00" level=info msg="> title: Hello login: cat.: computer label: SECRET_3 password: my-password-3 - RESULT - - Open3.stubs(:capture3).returns([ "", stderr_response, OpenStruct.new(success?: true) ]) + stub_ticks + .with("enpass-cli -json -vault vault-path show FooBar/SECRET_1 FooBar/SECRET_2") + .returns(<<~JSON) + [ + {"category":"computer","label":"SECRET_1","login":"","password":"my-password-1","title":"FooBar","type":"password"}, + {"category":"computer","label":"SECRET_2","login":"","password":"my-password-2","title":"FooBar","type":"password"}, + {"category":"computer","label":"SECRET_3","login":"","password":"my-password-1","title":"Hello","type":"password"} + ] + JSON json = JSON.parse(shellunescape(run_command("fetch", "FooBar/SECRET_1", "FooBar/SECRET_2"))) @@ -52,13 +54,15 @@ class EnpassAdapterTest < SecretAdapterTestCase test "fetch multiple items with from" do stub_ticks_with("enpass-cli version 2> /dev/null") - stderr_response = <<~RESULT - time="2024-11-03T13:34:39+01:00" level=info msg="> title: FooBar login: cat.: computer label: SECRET_1 password: my-password-1 - time="2024-11-03T13:34:39+01:00" level=info msg="> title: FooBar login: cat.: computer label: SECRET_2 password: my-password-2 - time="2024-11-03T13:34:39+01:00" level=info msg="> title: Hello login: cat.: computer label: SECRET_3 password: my-password-3 - RESULT - - Open3.stubs(:capture3).returns([ "", stderr_response, OpenStruct.new(success?: true) ]) + stub_ticks + .with("enpass-cli -json -vault vault-path show FooBar/SECRET_1 FooBar/SECRET_2") + .returns(<<~JSON) + [ + {"category":"computer","label":"SECRET_1","login":"","password":"my-password-1","title":"FooBar","type":"password"}, + {"category":"computer","label":"SECRET_2","login":"","password":"my-password-2","title":"FooBar","type":"password"}, + {"category":"computer","label":"SECRET_3","login":"","password":"my-password-1","title":"Hello","type":"password"} + ] + JSON json = JSON.parse(shellunescape(run_command("fetch", "--from", "FooBar", "SECRET_1", "SECRET_2"))) @@ -70,14 +74,16 @@ class EnpassAdapterTest < SecretAdapterTestCase test "fetch all with from" do stub_ticks_with("enpass-cli version 2> /dev/null") - stderr_response = <<~RESULT - time="2024-11-03T13:34:39+01:00" level=info msg="> title: FooBar login: cat.: computer label: SECRET_1 password: my-password-1 - time="2024-11-03T13:34:39+01:00" level=info msg="> title: FooBar login: cat.: computer label: SECRET_2 password: my-password-2 - time="2024-11-03T13:34:39+01:00" level=info msg="> title: Hello login: cat.: computer label: SECRET_3 password: my-password-3 - time="2024-11-03T13:34:39+01:00" level=info msg="> title: FooBar login: cat.: computer label: password: my-password-3 - RESULT - - Open3.stubs(:capture3).returns([ "", stderr_response, OpenStruct.new(success?: true) ]) + stub_ticks + .with("enpass-cli -json -vault vault-path show FooBar") + .returns(<<~JSON) + [ + {"category":"computer","label":"SECRET_1","login":"","password":"my-password-1","title":"FooBar","type":"password"}, + {"category":"computer","label":"SECRET_2","login":"","password":"my-password-2","title":"FooBar","type":"password"}, + {"category":"computer","label":"SECRET_3","login":"","password":"my-password-1","title":"Hello","type":"password"}, + {"category":"computer","label":"","login":"","password":"my-password-3","title":"FooBar","type":"password"} + ] + JSON json = JSON.parse(shellunescape(run_command("fetch", "FooBar")))