OnePassword, LastPass + Bitwarden adapters
This commit is contained in:
Donal McBreen
@@ -2,9 +2,12 @@ class Kamal::Cli::Secrets < Kamal::Cli::Base
|
||||
desc "fetch [ITEM] [FIELDS...]", "Fetch secrets from a vault"
|
||||
option :adapter, type: :string, aliases: "-a", required: true, desc: "Which vault adapter to use"
|
||||
option :account, type: :string, aliases: "-a", required: true, desc: "The account identifier or username"
|
||||
def fetch(item, *fields)
|
||||
option :location, type: :string, aliases: "-a", required: false, desc: "A vault or folder to fetch the secrets from"
|
||||
def fetch(*secrets)
|
||||
ENV["KAMAL_SECRETS_KILL_PARENT"] = "1"
|
||||
puts JSON.dump(adapter(options[:adapter]).fetch(item, fields, account: options[:account])).shellescape
|
||||
|
||||
results = adapter(options[:adapter]).fetch(secrets, **options.slice(:account, :location).symbolize_keys)
|
||||
puts JSON.dump(results).shellescape
|
||||
end
|
||||
|
||||
desc "extract", "Extract a single secret from the results of a fetch call"
|
||||
|
||||
@@ -1,12 +1,14 @@
|
||||
require "active_support/core_ext/string/inflections"
|
||||
module Kamal::Secrets::Adapters
|
||||
def self.lookup(name)
|
||||
case name
|
||||
when "1password"
|
||||
Kamal::Secrets::Adapters::OnePassword.new
|
||||
else
|
||||
Object.const_get("Kamal::Secrets::Adapters::#{name.camelize}").new
|
||||
end
|
||||
rescue NameError
|
||||
name = "one_password" if name.downcase == "1password"
|
||||
name = "last_pass" if name.downcase == "lastpass"
|
||||
adapter_class(name)
|
||||
end
|
||||
|
||||
def self.adapter_class(name)
|
||||
Object.const_get("Kamal::Secrets::Adapters::#{name.camelize}").new
|
||||
rescue NameError => e
|
||||
raise RuntimeError, "Unknown secrets adapter: #{name}"
|
||||
end
|
||||
end
|
||||
|
||||
@@ -1,40 +1,61 @@
|
||||
class Kamal::Secrets::Adapters::OnePassword
|
||||
class Kamal::Secrets::Adapters::OnePassword < Kamal::Secrets::Adapters::Base
|
||||
delegate :optionize, to: Kamal::Utils
|
||||
|
||||
def fetch(item, fields, account: nil)
|
||||
# session may be nil if logging in with the app CLI integration
|
||||
session = signin(account)
|
||||
vault, vault_item = item.split("/")
|
||||
labels = fields.map { |field| "label=#{field}" }.join(",")
|
||||
options = to_options(vault: vault, fields: labels, format: "json", account: account, session: session.presence)
|
||||
|
||||
secrets_json = `op item get #{vault_item} #{options}`.tap do
|
||||
raise RuntimeError, "Could not read #{labels} from #{vault_item} in the #{vault} 1Password vault" unless $?.success?
|
||||
end
|
||||
|
||||
{}.tap do |secrets|
|
||||
JSON.parse(secrets_json).each do |secret_json|
|
||||
# The reference is in the form `op://vault/item/field[/field]`
|
||||
field = secret_json["reference"].delete_prefix("op://#{item}/")
|
||||
secrets[field] = secret_json["value"]
|
||||
secrets[field.split("/").last] = secret_json["value"]
|
||||
private
|
||||
def login(account)
|
||||
unless loggedin?(account)
|
||||
`op signin #{to_options(account: account, force: true, raw: true)}`.tap do
|
||||
raise RuntimeError, "Failed to login to 1Password" unless $?.success?
|
||||
end
|
||||
end
|
||||
end
|
||||
rescue => e
|
||||
$stderr.puts " \e[31mERROR (#{e.class}): #{e.message}\e[0m"
|
||||
|
||||
Process.kill("INT", Process.ppid) if ENV["KAMAL_SECRETS_KILL_PARENT"]
|
||||
exit 1
|
||||
end
|
||||
def loggedin?(account)
|
||||
`op account get --account #{account}`
|
||||
$?.success?
|
||||
end
|
||||
|
||||
private
|
||||
def signin(account)
|
||||
`op signin #{to_options(account: account, force: true, raw: true)}`.tap do
|
||||
raise RuntimeError, "Failed to login to 1Password" unless $?.success?
|
||||
def fetch_from_vault(secrets, account:, session:)
|
||||
{}.tap do |results|
|
||||
vaults_items_fields(secrets).map do |vault, items|
|
||||
items.each do |item, fields|
|
||||
fields_json = JSON.parse(op_item_get(vault, item, fields, account: account, session: session))
|
||||
fields_json = [ fields_json ] if fields.one?
|
||||
|
||||
fields_json.each do |field_json|
|
||||
# The reference is in the form `op://vault/item/field[/field]`
|
||||
field = field_json["reference"].delete_suffix("/password")
|
||||
results[field] = field_json["value"]
|
||||
results[field.split("/").last] = field_json["value"]
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
def to_options(**options)
|
||||
optionize(options.compact).join(" ")
|
||||
end
|
||||
|
||||
def vaults_items_fields(secrets)
|
||||
{}.tap do |vaults|
|
||||
secrets.each do |secret|
|
||||
vault, item, *fields = secret.split("/")
|
||||
fields << "password" if fields.empty?
|
||||
|
||||
vaults[vault] ||= {}
|
||||
vaults[vault][item] ||= []
|
||||
vaults[vault][item] << fields.join(".")
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
def op_item_get(vault, item, fields, account:, session:)
|
||||
labels = fields.map { |field| "label=#{field}" }.join(",")
|
||||
options = to_options(vault: vault, fields: labels, format: "json", account: account, session: session.presence)
|
||||
|
||||
`op item get #{item} #{options}`.tap do
|
||||
raise RuntimeError, "Could not read #{fields.join(", ")} from #{item} in the #{vault} 1Password vault" unless $?.success?
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
Reference in New Issue
Block a user