Add helper commands to assist migration to 1Password Secrets Automation

Add commands to plan and execute a migration of secrets to 1Passsword and a command to assist in using those secrets with the 1Password Kubernetes operator.

Author: SimonBarendse

go.mod

@@ -23,6 +23,6 @@ require (
 	golang.org/x/term v0.0.0-20201210144234-2321bbc49cbf
 	golang.org/x/text v0.3.2
 	google.golang.org/api v0.26.0
-	gopkg.in/yaml.v2 v2.2.2
+	gopkg.in/yaml.v2 v2.4.0
 	gotest.tools v2.2.0+incompatible
 )

go.sum

@@ -473,6 +473,8 @@ gopkg.in/yaml.v2 v2.0.0-20170812160011-eb3733d160e7/go.mod h1:JAlM8MvJe8wmxCU4Bl
 gopkg.in/yaml.v2 v2.2.1/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.2 h1:ZCJp+EgiOT7lHqUV2J862kp8Qj64Jo6az82+3Td9dZw=
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
+gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
 gotest.tools v2.2.0+incompatible h1:VsBPFP1AI068pPrMxtb/S8Zkgf9xEmTLJjfM+P5UIEo=
 gotest.tools v2.2.0+incompatible/go.mod h1:DsYFclhRJ6vuDpmuTbkuFWG+y2sxOXAzmJt81HFBacw=
 honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=

internals/cli/app.go

@@ -317,8 +317,11 @@ func (c *CommandClause) BindArguments(params []Argument) {
 func (c *CommandClause) BindArgumentsArr(param Argument) {
 	c.Args = []Argument{param}
 	c.AddPreRunE(func(cmd *cobra.Command, args []string) error {
-		if err := c.validateArgumentsArrCount(args); err != nil {
-			return err
+		if param.Required {
+			err := c.validateArgumentsArrCount(args)
+			if err != nil {
+				return err
+			}
 		}
 		return ArgumentArrRegister(param, args)
 	})

internals/cli/cobra_template.go

@@ -397,7 +397,9 @@ var UsageTemplate = `Usage:
 {{if .Cmd.Runnable}} {{(useLine .Cmd .Args)}}{{end}}
 {{- if .Cmd.HasAvailableSubCommands}}  {{ .Cmd.CommandPath}} [command]{{end}}
 
-{{if ne .Cmd.Long ""}}{{ .Cmd.Long | trim }}{{ else }}{{ .Cmd.Short | trim }}{{end}}
+{{if ne .Cmd.Long ""}}{{ .Cmd.Short | trim }}
+
+{{ .Cmd.Long | trim }}{{ else }}{{ .Cmd.Short | trim }}{{end}}
 {{- if gt (len .Cmd.Aliases) 0}}
 
 Aliases:

internals/onepassword/onepassword.go

@@ -0,0 +1,186 @@
+package onepassword
+
+import (
+	"bytes"
+	"encoding/base64"
+	"encoding/json"
+	"fmt"
+	"io/ioutil"
+	"os"
+	"os/exec"
+	"path/filepath"
+	"strings"
+
+	"github.com/mitchellh/go-homedir"
+)
+
+func CreateVault(name string) error {
+	_, err := execOP("create", "vault", name)
+	if err != nil {
+		return fmt.Errorf("could not create vault '%s': %s", name, err)
+	}
+	return nil
+}
+
+func CreateItem(vault string, template *ItemTemplate, title string) error {
+	jsonTemplate, err := json.Marshal(template)
+	if err != nil {
+		return err
+	}
+
+	encodedTemplate := base64.RawURLEncoding.EncodeToString(jsonTemplate)
+
+	_, err = execOP("create", "item", "login", "--vault="+vault, encodedTemplate, "title="+title)
+	return err
+}
+
+func NewItemTemplate() *ItemTemplate {
+	return &ItemTemplate{
+		Sections: []sectionTemplate{
+			{
+				Name:  "",
+				Title: "",
+			},
+		},
+	}
+}
+
+type ItemTemplate struct {
+	Sections []sectionTemplate `json:"sections"`
+}
+
+type sectionTemplate struct {
+	Name   string              `json:"name"`
+	Title  string              `json:"title"`
+	Fields []itemFieldTemplate `json:"fields"`
+}
+
+func (tpl *ItemTemplate) AddField(name, value string, concealed bool) {
+	designation := "concealed"
+	if !concealed {
+		designation = "string"
+	}
+
+	tpl.Sections[0].Fields = append(tpl.Sections[0].Fields, itemFieldTemplate{
+		Designation: designation,
+		Name:        name,
+		Type:        name,
+		Value:       value,
+	})
+}
+
+type itemFieldTemplate struct {
+	Designation string `json:"k"`
+	Name        string `json:"n"`
+	Type        string `json:"t"`
+	Value       string `json:"v"`
+}
+
+func execOP(args ...string) ([]byte, error) {
+	command := exec.Command("op", args...)
+	command.Stderr = os.Stderr
+	var out bytes.Buffer
+	command.Stdout = &out
+
+	err := command.Run()
+	if err != nil {
+		return nil, fmt.Errorf("1password: op %s: %s", strings.Join(args, " "), err)
+	}
+
+	return out.Bytes(), nil
+}
+
+func EnsureSignedIn() error {
+	for _, env := range os.Environ() {
+		if strings.HasPrefix(env, "OP_SESSION") {
+			return nil
+		}
+	}
+
+	return fmt.Errorf("OP_SESSION environment variable not found, run `eval $(op signin)` to set one")
+}
+
+func GetSignInAddress() (string, error) {
+	home, err := homedir.Dir()
+	if err != nil {
+		return "", err
+	}
+
+	path := filepath.Join(home, ".op", "config")
+	bytes, err := ioutil.ReadFile(path)
+	if err != nil {
+		fmt.Errorf("could not read 1password config file at %s", path)
+	}
+
+	config := struct {
+		LatestSignin string `json:"latest_signin"`
+		Accounts     []struct {
+			Shorthand string `json:"shorthand"`
+			URL       string `json:"url"`
+		} `json:"accounts"`
+	}{}
+
+	err = json.Unmarshal(bytes, &config)
+	if err != nil {
+		return "", fmt.Errorf("unexpected format of 1password config file at %s", path)
+	}
+
+	for _, account := range config.Accounts {
+		if account.Shorthand == config.LatestSignin {
+			return account.URL, nil
+		}
+	}
+
+	return "", fmt.Errorf("unexpected format of 1password config file at %s: missing account entry for latest used account", path)
+}
+
+func ExistsVault(vaultName string) (bool, error) {
+	vaultsBytes, err := execOP("list", "vaults")
+	if err != nil {
+		return false, fmt.Errorf("could not list vaults: %s", err)
+	}
+
+	vaultsJSON := make([]struct {
+		UUID string `json:"uuid"`
+		Name string `json:"name"`
+	}, 0)
+
+	err = json.Unmarshal(vaultsBytes, &vaultsJSON)
+	if err != nil {
+		return false, fmt.Errorf("unexpected format of `op list vaults`: %s", vaultsBytes)
+	}
+
+	for _, vault := range vaultsJSON {
+		if vault.Name == vaultName {
+			return true, nil
+		}
+	}
+
+	return false, nil
+}
+
+func ExistsItemInVault(vault string, itemName string) (bool, error) {
+	itemsBytes, err := execOP("list", "items", "--vault", vault)
+	if err != nil {
+		return false, fmt.Errorf("could not list items in vault %s: %s", vault, err)
+	}
+
+	itemsJSON := make([]struct {
+		Overview struct {
+			Title string `json:"title"`
+		} `json:"overview"`
+	}, 0)
+
+	err = json.Unmarshal(itemsBytes, &itemsJSON)
+	if err != nil {
+		return false, fmt.Errorf("unexpected format of `op list items`: %s", itemsBytes)
+	}
+
+	for _, item := range itemsJSON {
+		if item.Overview.Title == itemName {
+			return true, nil
+		}
+	}
+
+	return false, nil
+}

internals/secrethub/app.go

@@ -151,6 +151,7 @@ func (app *App) registerCommands() {
 	NewEnvCommand(app.io, app.clientFactory.NewClient).Register(app.cli)
 
 	// Commands
+	NewMigrateCommand(app.io, app.clientFactory.NewClient).Register(app.cli)
 	NewInitCommand(app.io, app.clientFactory.NewClientWithCredentials, app.credentialStore).Register(app.cli)
 	NewSignUpCommand(app.io).Register(app.cli)
 	NewWriteCommand(app.io, app.clientFactory.NewClient).Register(app.cli)