add support to enpass

2024-11-03 15:27:54 +01:00
parent 9cf8da64c4
commit d6c4411e97
2 changed files with 158 additions and 0 deletions
--- a/lib/kamal/secrets/adapters/enpass.rb
+++ b/lib/kamal/secrets/adapters/enpass.rb
@@ -0,0 +1,59 @@
+require "open3"
+
+class Kamal::Secrets::Adapters::Enpass < Kamal::Secrets::Adapters::Base
+  private
+    def login(account)
+      # There is no concept of session in enpass-cli
+      true
+    end
+
+    def fetch_secrets(secrets, account:, session:)
+      secrets_titles = fetch_secret_titles(secrets)
+
+      # Enpass outputs result as stderr, I did not find a way to stub backticks and output to stderr. Open3 did the job.
+      _stdout, stderr, status = Open3.capture3("enpass-cli -vault #{account.shellescape} show #{secrets_titles.map(&:shellescape).join(" ")}")
+      raise RuntimeError, "Could not read #{secrets} from Enpass" unless status.success?
+
+      parse_result_and_take_secrets(stderr, secrets)
+    end
+
+    def check_dependencies!
+      raise RuntimeError, "Enpass CLI is not installed" unless cli_installed?
+    end
+
+    def cli_installed?
+      `enpass-cli version 2> /dev/null`
+      $?.success?
+    end
+
+    def fetch_secret_titles(secrets)
+      secrets.reduce(Set.new) do |acc, secret|
+        # Use rpartition to split the string at the last '/'
+        key, separator, value = secret.rpartition("/")
+        if key.empty?
+          acc << value
+        else
+          acc << key
+        end
+      end.to_a
+    end
+
+    def parse_result_and_take_secrets(unparsed_result, secrets)
+      unparsed_result.split("\n").reduce({}) do |acc, line|
+        title = line[/title:\s*(\w+)/, 1]
+        label = line[/label:\s*(.*?)\s{2}/, 1]
+        password = line[/password:\s*([^"]+)/, 1]
+
+        # If title and label are not empty and password is defined, add to the hash
+        if title && !password.to_s.empty?
+          key = label.nil? || label.empty? ? title : "#{title}/#{label}"
+          if secrets.include?(title) || secrets.include?(key)
+            raise RuntimeError, "#{key} is present more than once" if acc[key]
+            acc[key] = password
+          end
+        end
+
+        acc
+      end
+    end
+end