From 327d7167c1d33f3c5947418b9feff35ad3cfecbe Mon Sep 17 00:00:00 2001 From: Aleksandr Lossenko Date: Thu, 7 Nov 2024 18:13:37 +0100 Subject: [PATCH] make --account optional and pass Enpass vault in --from --- lib/kamal/cli/secrets.rb | 2 +- lib/kamal/secrets/adapters/enpass.rb | 25 +++++++++++++---------- test/secrets/enpass_adapter_test.rb | 30 +++------------------------- 3 files changed, 19 insertions(+), 38 deletions(-) diff --git a/lib/kamal/cli/secrets.rb b/lib/kamal/cli/secrets.rb index b094be466..0b458f13d 100644 --- a/lib/kamal/cli/secrets.rb +++ b/lib/kamal/cli/secrets.rb @@ -1,7 +1,7 @@ class Kamal::Cli::Secrets < Kamal::Cli::Base desc "fetch [SECRETS...]", "Fetch secrets from a vault" option :adapter, type: :string, aliases: "-a", required: true, desc: "Which vault adapter to use" - option :account, type: :string, required: true, desc: "The account identifier or username" + option :account, type: :string, required: false, desc: "The account identifier or username" option :from, type: :string, required: false, desc: "A vault or folder to fetch the secrets from" option :inline, type: :boolean, required: false, hidden: true def fetch(*secrets) diff --git a/lib/kamal/secrets/adapters/enpass.rb b/lib/kamal/secrets/adapters/enpass.rb index 8f11536d4..68fe41a9c 100644 --- a/lib/kamal/secrets/adapters/enpass.rb +++ b/lib/kamal/secrets/adapters/enpass.rb @@ -1,19 +1,24 @@ ## -# Enpass is different from most password managers, in a way that it's offline. A path to a vault is treated as account. +# Enpass is different from most password managers, in a way that it's offline and doesn't need an account. # -# Pass it like so: `kamal secrets fetch --adapter enpass --account /Users/YOUR_USERNAME/Library/Containers/in.sinew.Enpass-Desktop/Data/Documents/Vaults/primary --from MY_PROD_SERVER` +# Usage +# +# Fetch all password from FooBar item +# `kamal secrets fetch --adapter enpass --from /Users/YOUR_USERNAME/Library/Containers/in.sinew.Enpass-Desktop/Data/Documents/Vaults/primary FooBar` +# +# Fetch only DB_PASSWORD from FooBar item +# `kamal secrets fetch --adapter enpass --from /Users/YOUR_USERNAME/Library/Containers/in.sinew.Enpass-Desktop/Data/Documents/Vaults/primary FooBar/DB_PASSWORD` class Kamal::Secrets::Adapters::Enpass < Kamal::Secrets::Adapters::Base - private - def login(account) - # There is no concept of session in enpass-cli - true - end + def fetch(secrets, account: nil, from:) + check_dependencies! + fetch_secrets(secrets, from) + end - def fetch_secrets(secrets, account:, session:) + private + def fetch_secrets(secrets, vault) secrets_titles = fetch_secret_titles(secrets) - # Enpass outputs result as stderr, I did not find a way to stub backticks and output to stderr. Open3 did the job. - result = `enpass-cli -json -vault #{account.shellescape} show #{secrets.map(&:shellescape).join(" ")}`.strip + result = `enpass-cli -json -vault #{vault.shellescape} show #{secrets_titles.map(&:shellescape).join(" ")}`.strip parse_result_and_take_secrets(result, secrets) end diff --git a/test/secrets/enpass_adapter_test.rb b/test/secrets/enpass_adapter_test.rb index 852c7c9bf..edc49613c 100644 --- a/test/secrets/enpass_adapter_test.rb +++ b/test/secrets/enpass_adapter_test.rb @@ -1,10 +1,6 @@ require "test_helper" class EnpassAdapterTest < SecretAdapterTestCase - setup do - `true` # Ensure $? is 0 - end - test "fetch without CLI installed" do stub_ticks_with("enpass-cli version 2> /dev/null", succeed: false) @@ -19,7 +15,7 @@ class EnpassAdapterTest < SecretAdapterTestCase stub_ticks_with("enpass-cli version 2> /dev/null") stub_ticks - .with("enpass-cli -json -vault vault-path show FooBar/SECRET_1") + .with("enpass-cli -json -vault vault-path show FooBar") .returns(<<~JSON) [{"category":"computer","label":"SECRET_1","login":"","password":"my-password-1","title":"FooBar","type":"password"}] JSON @@ -35,7 +31,7 @@ class EnpassAdapterTest < SecretAdapterTestCase stub_ticks_with("enpass-cli version 2> /dev/null") stub_ticks - .with("enpass-cli -json -vault vault-path show FooBar/SECRET_1 FooBar/SECRET_2") + .with("enpass-cli -json -vault vault-path show FooBar") .returns(<<~JSON) [ {"category":"computer","label":"SECRET_1","login":"","password":"my-password-1","title":"FooBar","type":"password"}, @@ -51,26 +47,6 @@ class EnpassAdapterTest < SecretAdapterTestCase assert_equal expected_json, json end - test "fetch multiple items with from" do - stub_ticks_with("enpass-cli version 2> /dev/null") - - stub_ticks - .with("enpass-cli -json -vault vault-path show FooBar/SECRET_1 FooBar/SECRET_2") - .returns(<<~JSON) - [ - {"category":"computer","label":"SECRET_1","login":"","password":"my-password-1","title":"FooBar","type":"password"}, - {"category":"computer","label":"SECRET_2","login":"","password":"my-password-2","title":"FooBar","type":"password"}, - {"category":"computer","label":"SECRET_3","login":"","password":"my-password-1","title":"Hello","type":"password"} - ] - JSON - - json = JSON.parse(shellunescape(run_command("fetch", "--from", "FooBar", "SECRET_1", "SECRET_2"))) - - expected_json = { "FooBar/SECRET_1" => "my-password-1", "FooBar/SECRET_2" => "my-password-2" } - - assert_equal expected_json, json - end - test "fetch all with from" do stub_ticks_with("enpass-cli version 2> /dev/null") @@ -99,7 +75,7 @@ def run_command(*command) [ *command, "-c", "test/fixtures/deploy_with_accessories.yml", "--adapter", "enpass", - "--account", "vault-path" ] + "--from", "vault-path" ] end end end