diff --git a/lib/kamal/secrets/adapters/enpass.rb b/lib/kamal/secrets/adapters/enpass.rb new file mode 100644 index 000000000..68fe41a9c --- /dev/null +++ b/lib/kamal/secrets/adapters/enpass.rb @@ -0,0 +1,68 @@ +## +# Enpass is different from most password managers, in a way that it's offline and doesn't need an account. +# +# Usage +# +# Fetch all password from FooBar item +# `kamal secrets fetch --adapter enpass --from /Users/YOUR_USERNAME/Library/Containers/in.sinew.Enpass-Desktop/Data/Documents/Vaults/primary FooBar` +# +# Fetch only DB_PASSWORD from FooBar item +# `kamal secrets fetch --adapter enpass --from /Users/YOUR_USERNAME/Library/Containers/in.sinew.Enpass-Desktop/Data/Documents/Vaults/primary FooBar/DB_PASSWORD` +class Kamal::Secrets::Adapters::Enpass < Kamal::Secrets::Adapters::Base + def fetch(secrets, account: nil, from:) + check_dependencies! + fetch_secrets(secrets, from) + end + + private + def fetch_secrets(secrets, vault) + secrets_titles = fetch_secret_titles(secrets) + + result = `enpass-cli -json -vault #{vault.shellescape} show #{secrets_titles.map(&:shellescape).join(" ")}`.strip + + parse_result_and_take_secrets(result, secrets) + end + + def check_dependencies! + raise RuntimeError, "Enpass CLI is not installed" unless cli_installed? + end + + def cli_installed? + `enpass-cli version 2> /dev/null` + $?.success? + end + + def fetch_secret_titles(secrets) + secrets.reduce(Set.new) do |secret_titles, secret| + # Sometimes secrets contain a '/', when the intent is to fetch a single password for an item. Example: FooBar/DB_PASSWORD + # Another case is, when the intent is to fetch all passwords for an item. Example: FooBar (and FooBar may have multiple different passwords) + key, separator, value = secret.rpartition("/") + if key.empty? + secret_titles << value + else + secret_titles << key + end + end.to_a + end + + def parse_result_and_take_secrets(unparsed_result, secrets) + result = JSON.parse(unparsed_result) + + result.reduce({}) do |secrets_with_passwords, item| + title = item["title"] + label = item["label"] + password = item["password"] + + if title && password.present? + key = [ title, label ].compact.reject(&:empty?).join("/") + + if secrets.include?(title) || secrets.include?(key) + raise RuntimeError, "#{key} is present more than once" if secrets_with_passwords[key] + secrets_with_passwords[key] = password + end + end + + secrets_with_passwords + end + end +end diff --git a/test/secrets/enpass_adapter_test.rb b/test/secrets/enpass_adapter_test.rb new file mode 100644 index 000000000..edc49613c --- /dev/null +++ b/test/secrets/enpass_adapter_test.rb @@ -0,0 +1,81 @@ +require "test_helper" + +class EnpassAdapterTest < SecretAdapterTestCase + test "fetch without CLI installed" do + stub_ticks_with("enpass-cli version 2> /dev/null", succeed: false) + + error = assert_raises RuntimeError do + JSON.parse(shellunescape(run_command("fetch", "mynote"))) + end + + assert_equal "Enpass CLI is not installed", error.message + end + + test "fetch one item" do + stub_ticks_with("enpass-cli version 2> /dev/null") + + stub_ticks + .with("enpass-cli -json -vault vault-path show FooBar") + .returns(<<~JSON) + [{"category":"computer","label":"SECRET_1","login":"","password":"my-password-1","title":"FooBar","type":"password"}] + JSON + + json = JSON.parse(shellunescape(run_command("fetch", "FooBar/SECRET_1"))) + + expected_json = { "FooBar/SECRET_1" => "my-password-1" } + + assert_equal expected_json, json + end + + test "fetch multiple items" do + stub_ticks_with("enpass-cli version 2> /dev/null") + + stub_ticks + .with("enpass-cli -json -vault vault-path show FooBar") + .returns(<<~JSON) + [ + {"category":"computer","label":"SECRET_1","login":"","password":"my-password-1","title":"FooBar","type":"password"}, + {"category":"computer","label":"SECRET_2","login":"","password":"my-password-2","title":"FooBar","type":"password"}, + {"category":"computer","label":"SECRET_3","login":"","password":"my-password-1","title":"Hello","type":"password"} + ] + JSON + + json = JSON.parse(shellunescape(run_command("fetch", "FooBar/SECRET_1", "FooBar/SECRET_2"))) + + expected_json = { "FooBar/SECRET_1" => "my-password-1", "FooBar/SECRET_2" => "my-password-2" } + + assert_equal expected_json, json + end + + test "fetch all with from" do + stub_ticks_with("enpass-cli version 2> /dev/null") + + stub_ticks + .with("enpass-cli -json -vault vault-path show FooBar") + .returns(<<~JSON) + [ + {"category":"computer","label":"SECRET_1","login":"","password":"my-password-1","title":"FooBar","type":"password"}, + {"category":"computer","label":"SECRET_2","login":"","password":"my-password-2","title":"FooBar","type":"password"}, + {"category":"computer","label":"SECRET_3","login":"","password":"my-password-1","title":"Hello","type":"password"}, + {"category":"computer","label":"","login":"","password":"my-password-3","title":"FooBar","type":"password"} + ] + JSON + + json = JSON.parse(shellunescape(run_command("fetch", "FooBar"))) + + expected_json = { "FooBar/SECRET_1" => "my-password-1", "FooBar/SECRET_2" => "my-password-2", "FooBar" => "my-password-3" } + + assert_equal expected_json, json + end + + private + def run_command(*command) + stdouted do + Kamal::Cli::Secrets.start \ + [ *command, + "-c", "test/fixtures/deploy_with_accessories.yml", + "--adapter", "enpass", + "--from", "vault-path" ] + end + end +end