Add support for op cli V2

Author: edif2008

internals/onepassword/client_v2.go

@@ -0,0 +1,137 @@
+package onepassword
+
+import (
+	"encoding/json"
+	"fmt"
+	"io/ioutil"
+	"os"
+)
+
+type OPV2Client struct {
+	version string
+	isV2    bool
+}
+
+func (op *OPV2Client) IsV2() bool {
+	return op.isV2
+}
+
+func (op *OPV2Client) CreateVault(name string) error {
+	_, err := execOP("vault", "create", name)
+	if err != nil {
+		return fmt.Errorf("could not create vault '%s': %s", name, err)
+	}
+	return nil
+}
+
+func (op *OPV2Client) CreateItem(vault string, template *ItemTemplate, title string) error {
+	jsonTemplate, err := json.Marshal(template)
+	if err != nil {
+		return err
+	}
+
+	tempJSONFile, err := ioutil.TempFile(os.TempDir(), "jsonTemplate-")
+	if err != nil {
+		return err
+	}
+	defer os.Remove(tempJSONFile.Name())
+
+	if _, err = tempJSONFile.Write(jsonTemplate); err != nil {
+		return err
+	}
+
+	_, err = execOP("item", "create", "--category=apicredential", "--vault="+vault, "--template="+tempJSONFile.Name(), "--title="+title)
+	if err != nil {
+		return err
+	}
+
+	err = tempJSONFile.Close()
+	return err
+}
+
+func (op *OPV2Client) SetField(vault, item, field, value string) error {
+	_, err := execOP("item", "edit", item, fmt.Sprintf(`%s=%s`, field, value), "--vault="+vault)
+	if err != nil {
+		return fmt.Errorf("could not set field '%s'.'%s'.'%s'", vault, item, field)
+	}
+	return nil
+}
+
+// GetFields returns a title-to-value map of the fields from the first section of the given 1Password item.
+// The rest of the fields are ignored as the migration tool only stores information in the first
+// section of each item.
+func (op *OPV2Client) GetFields(vault, item string) (map[string]string, error) {
+	opItem := struct {
+		Fields []v2ItemFieldTemplate `json:"fields"`
+	}{}
+	opItemJSON, err := execOP("item", "get", item, "--vault="+vault, "--format=json")
+	if err != nil {
+		return nil, fmt.Errorf("could not get item '%s'.'%s' from 1Password: %s", vault, item, err)
+	}
+	err = json.Unmarshal(opItemJSON, &opItem)
+	if err != nil {
+		return nil, fmt.Errorf("unexpected format of 1Password item in `op get item` command output: %s", err)
+	}
+
+	fields := make(map[string]string, len(opItem.Fields))
+	for _, field := range opItem.Fields {
+		fields[field.Label] = field.Value
+	}
+	return fields, nil
+}
+
+type v2ItemFieldTemplate struct {
+	ID    string `json:"id"`
+	Type  string `json:"type"`
+	Label string `json:"label"`
+	Value string `json:"value"`
+}
+
+func (op *OPV2Client) ExistsVault(vaultName string) (bool, error) {
+	vaultsBytes, err := execOP("vault", "list", "--format=json")
+	if err != nil {
+		return false, fmt.Errorf("could not list vaults: %s", err)
+	}
+
+	vaultsJSON := make([]struct {
+		UUID string `json:"uuid"`
+		Name string `json:"name"`
+	}, 0)
+
+	err = json.Unmarshal(vaultsBytes, &vaultsJSON)
+	if err != nil {
+		return false, fmt.Errorf("unexpected format of `op list vaults`: %s", vaultsBytes)
+	}
+
+	for _, vault := range vaultsJSON {
+		if vault.Name == vaultName {
+			return true, nil
+		}
+	}
+
+	return false, nil
+}
+
+func (op *OPV2Client) ExistsItemInVault(vault string, itemName string) (bool, error) {
+	itemsBytes, err := execOP("item", "list", "--vault="+vault, "--format=json")
+	if err != nil {
+		return false, fmt.Errorf("could not list items in vault %s: %s", vault, err)
+	}
+
+	itemsJSON := make([]struct {
+		Title string `json:"title"`
+	}, 0)
+
+	err = json.Unmarshal(itemsBytes, &itemsJSON)
+	if err != nil {
+		return false, fmt.Errorf("unexpected format of `op list items`: %s", itemsBytes)
+	}
+
+	for _, item := range itemsJSON {
+		if item.Title == itemName {
+			return true, nil
+		}
+	}
+
+	return false, nil
+}

internals/onepassword/onepassword.go

@@ -14,15 +14,54 @@ import (
 	"github.com/mitchellh/go-homedir"
 )
 
-func CreateVault(name string) error {
+type OPClient interface {
+	IsV2() bool
+	CreateVault(name string) error
+	CreateItem(vault string, template *ItemTemplate, title string) error
+	SetField(vault, item, field, value string) error
+	GetFields(vault, item string) (map[string]string, error)
+	ExistsVault(vaultName string) (bool, error)
+	ExistsItemInVault(vault string, itemName string) (bool, error)
+}
+
+func GetOPClient() (OPClient, error) {
+	out, err := execOP("--version")
+	if err != nil {
+		return nil, err
+	}
+
+	version := strings.TrimSpace(string(out))
+
+	if strings.HasPrefix(version, "2.") {
+		return &OPV2Client{
+			version: version,
+			isV2:    true,
+		}, nil
+	}
+	return &OPV1Client{
+		version: version,
+		isV2:    false,
+	}, nil
+}
+
+type OPV1Client struct {
+	version string
+	isV2    bool
+}
+
+func (op *OPV1Client) IsV2() bool {
+	return op.isV2
+}
+
+func (op *OPV1Client) CreateVault(name string) error {
 	_, err := execOP("create", "vault", name)
 	if err != nil {
 		return fmt.Errorf("could not create vault '%s': %s", name, err)
 	}
 	return nil
 }
 
-func CreateItem(vault string, template *ItemTemplate, title string) error {
+func (op *OPV1Client) CreateItem(vault string, template *ItemTemplate, title string) error {
 	jsonTemplate, err := json.Marshal(template)
 	if err != nil {
 		return err
@@ -34,7 +73,7 @@ func CreateItem(vault string, template *ItemTemplate, title string) error {
 	return err
 }
 
-func SetField(vault, item, field, value string) error {
+func (op *OPV1Client) SetField(vault, item, field, value string) error {
 	_, err := execOP("edit", "item", item, fmt.Sprintf(`%s=%s`, field, value), "--vault="+vault)
 	if err != nil {
 		return fmt.Errorf("could not set field '%s'.'%s'.'%s'", vault, item, field)
@@ -45,7 +84,7 @@ func SetField(vault, item, field, value string) error {
 // GetFields returns a title-to-value map of the fields from the first section of the given 1Password item.
 // The rest of the fields are ignored as the migration tool only stores information in the first
 // section of each item.
-func GetFields(vault, item string) (map[string]string, error) {
+func (op *OPV1Client) GetFields(vault, item string) (map[string]string, error) {
 	opItem := struct {
 		Details ItemTemplate `json:"details"`
 	}{}
@@ -108,7 +147,7 @@ type itemFieldTemplate struct {
 }
 
 func execOP(args ...string) ([]byte, error) {
-	command := exec.Command("op", args...)
+	command := exec.Command("op1", args...)
 	command.Stderr = os.Stderr
 	var out bytes.Buffer
 	command.Stdout = &out
@@ -203,7 +242,7 @@ func GetSignInAddress() (string, error) {
 	return "", fmt.Errorf("unexpected format of 1password config file at %s: missing account entry for latest used account", path)
 }
 
-func ExistsVault(vaultName string) (bool, error) {
+func (op *OPV1Client) ExistsVault(vaultName string) (bool, error) {
 	vaultsBytes, err := execOP("list", "vaults")
 	if err != nil {
 		return false, fmt.Errorf("could not list vaults: %s", err)
@@ -228,7 +267,7 @@ func ExistsVault(vaultName string) (bool, error) {
 	return false, nil
 }
 
-func ExistsItemInVault(vault string, itemName string) (bool, error) {
+func (op *OPV1Client) ExistsItemInVault(vault string, itemName string) (bool, error) {
 	itemsBytes, err := execOP("list", "items", "--vault", vault)
 	if err != nil {
 		return false, fmt.Errorf("could not list items in vault %s: %s", vault, err)

internals/secrethub/migrate.go

@@ -239,11 +239,18 @@ func (cmd *MigratePlanCommand) Run() error {
 
 	plan := newPlan()
 
-	signInAddress, err := onepassword.GetSignInAddress()
+	opClient, err := onepassword.GetOPClient()
 	if err != nil {
 		return err
 	}
-	plan.SignInAddress = signInAddress
+
+	if !opClient.IsV2() {
+		signInAddress, err := onepassword.GetSignInAddress()
+		if err != nil {
+			return err
+		}
+		plan.SignInAddress = signInAddress
+	}
 
 	if len(cmd.paths) == 0 {
 		err := cmd.addReposToPlan(client, nil, plan)
@@ -464,15 +471,16 @@ type change interface {
 }
 
 type vaultCreation struct {
-	vault string
+	vault    string
+	opClient onepassword.OPClient
 }
 
 func (c vaultCreation) Vault() string {
 	return c.vault
 }
 
 func (c vaultCreation) Apply() error {
-	return onepassword.CreateVault(c.vault)
+	return c.opClient.CreateVault(c.vault)
 }
 
 func (c vaultCreation) Print(w io.Writer) {
@@ -483,14 +491,15 @@ type itemCreation struct {
 	vault        string
 	item         string
 	itemTemplate *onepassword.ItemTemplate
+	opClient     onepassword.OPClient
 }
 
 func (c itemCreation) Vault() string {
 	return c.vault
 }
 
 func (c itemCreation) Apply() error {
-	return onepassword.CreateItem(c.vault, c.itemTemplate, c.item)
+	return c.opClient.CreateItem(c.vault, c.itemTemplate, c.item)
 }
 
 func (c itemCreation) Print(w io.Writer) {
@@ -501,6 +510,7 @@ type itemUpdate struct {
 	vault       string
 	item        string
 	fieldValues map[string]string
+	opClient    onepassword.OPClient
 }
 
 func (c itemUpdate) Vault() string {
@@ -509,7 +519,7 @@ func (c itemUpdate) Vault() string {
 
 func (c itemUpdate) Apply() error {
 	for field, value := range c.fieldValues {
-		err := onepassword.SetField(c.vault, c.item, field, value)
+		err := c.opClient.SetField(c.vault, c.item, field, value)
 		if err != nil {
 			return err
 		}
@@ -530,17 +540,24 @@ func (cmd *MigrateApplyCommand) Run() error {
 		return err
 	}
 
-	err = onepassword.EnsureSignedIn()
+	opClient, err := onepassword.GetOPClient()
 	if err != nil {
 		return err
 	}
 
-	signInAddress, err := onepassword.GetSignInAddress()
-	if err != nil {
-		return err
-	}
-	if signInAddress != plan.SignInAddress {
-		return fmt.Errorf("op is signed in to a different account than planned. Run `eval $(op signin %s) to login to the desired account or change the sign-in-address in the plan", plan.SignInAddress)
+	if !opClient.IsV2() {
+		err = onepassword.EnsureSignedIn()
+		if err != nil {
+			return err
+		}
+
+		signInAddress, err := onepassword.GetSignInAddress()
+		if err != nil {
+			return err
+		}
+		if signInAddress != plan.SignInAddress {
+			return fmt.Errorf("op is signed in to a different account than planned. Run `eval $(op signin %s) to login to the desired account or change the sign-in-address in the plan", plan.SignInAddress)
+		}
 	}
 
 	client, err := cmd.newClient()
@@ -559,19 +576,22 @@ func (cmd *MigrateApplyCommand) Run() error {
 	i := 1
 	for _, vault := range plan.vaults {
 		fmt.Fprintf(cmd.io.Output(), "[%d/%d] Checking vault: %s\n", i, len(plan.vaults), vault.Name)
-		vaultExists, err := onepassword.ExistsVault(vault.Name)
+		vaultExists, err := opClient.ExistsVault(vault.Name)
 		if err != nil {
 			return fmt.Errorf("could not check vault existence: %s", err)
 		}
 		if !vaultExists {
-			changes = append(changes, vaultCreation{vault: vault.Name})
+			changes = append(changes, vaultCreation{
+				vault:    vault.Name,
+				opClient: opClient,
+			})
 			vaultCreateCount++
 		}
 
 		for _, item := range vault.Items {
 			itemExists := false
 			if vaultExists {
-				itemExists, err = onepassword.ExistsItemInVault(vault.Name, item.Name)
+				itemExists, err = opClient.ExistsItemInVault(vault.Name, item.Name)
 				if err != nil {
 					return err
 				}
@@ -591,10 +611,11 @@ func (cmd *MigrateApplyCommand) Run() error {
 					vault:        vault.Name,
 					item:         item.Name,
 					itemTemplate: template,
+					opClient:     opClient,
 				})
 				itemCreateCount++
 			} else {
-				opFields, err := onepassword.GetFields(vault.Name, item.Name)
+				opFields, err := opClient.GetFields(vault.Name, item.Name)
 				if err != nil {
 					return err
 				}
@@ -622,6 +643,7 @@ func (cmd *MigrateApplyCommand) Run() error {
 						vault:       vault.Name,
 						item:        item.Name,
 						fieldValues: fieldsToUpdate,
+						opClient:    opClient,
 					})
 				}
 			}