kamal 1.8.3 → 2.7.0

data/lib/kamal/secrets/adapters/enpass.rb

@@ -0,0 +1,71 @@
+##
+# Enpass is different from most password managers, in a way that it's offline and doesn't need an account.
+#
+# Usage
+#
+# Fetch all password from FooBar item
+# `kamal secrets fetch --adapter enpass --from /Users/YOUR_USERNAME/Library/Containers/in.sinew.Enpass-Desktop/Data/Documents/Vaults/primary FooBar`
+#
+# Fetch only DB_PASSWORD from FooBar item
+# `kamal secrets fetch --adapter enpass --from /Users/YOUR_USERNAME/Library/Containers/in.sinew.Enpass-Desktop/Data/Documents/Vaults/primary FooBar/DB_PASSWORD`
+class Kamal::Secrets::Adapters::Enpass < Kamal::Secrets::Adapters::Base
+  def requires_account?
+    false
+  end
+
+  private
+    def fetch_secrets(secrets, from:, account:, session:)
+      secrets_titles = fetch_secret_titles(secrets)
+
+      result = `enpass-cli -json -vault #{from.shellescape} show #{secrets_titles.map(&:shellescape).join(" ")}`.strip
+
+      parse_result_and_take_secrets(result, secrets)
+    end
+
+    def check_dependencies!
+      raise RuntimeError, "Enpass CLI is not installed" unless cli_installed?
+    end
+
+    def cli_installed?
+      `enpass-cli version 2> /dev/null`
+      $?.success?
+    end
+
+    def login(account)
+      nil
+    end
+
+    def fetch_secret_titles(secrets)
+      secrets.reduce(Set.new) do |secret_titles, secret|
+        # Sometimes secrets contain a '/', when the intent is to fetch a single password for an item. Example: FooBar/DB_PASSWORD
+        # Another case is, when the intent is to fetch all passwords for an item. Example: FooBar (and FooBar may have multiple different passwords)
+        key, separator, value = secret.rpartition("/")
+        if key.empty?
+          secret_titles << value
+        else
+          secret_titles << key
+        end
+      end.to_a
+    end
+
+    def parse_result_and_take_secrets(unparsed_result, secrets)
+      result = JSON.parse(unparsed_result)
+
+      result.reduce({}) do |secrets_with_passwords, item|
+        title = item["title"]
+        label = item["label"]
+        password = item["password"]
+
+        if title && password.present?
+          key = [ title, label ].compact.reject(&:empty?).join("/")
+
+          if secrets.include?(title) || secrets.include?(key)
+            raise RuntimeError, "#{key} is present more than once" if secrets_with_passwords[key]
+            secrets_with_passwords[key] = password
+          end
+        end
+
+        secrets_with_passwords
+      end
+    end
+end

data/lib/kamal/secrets/adapters/gcp_secret_manager.rb

@@ -0,0 +1,112 @@
+class Kamal::Secrets::Adapters::GcpSecretManager < Kamal::Secrets::Adapters::Base
+  private
+    def login(account)
+      # Since only the account option is passed from the cli, we'll use it for both account and service account
+      # impersonation.
+      #
+      # Syntax:
+      # ACCOUNT: USER | USER "|" DELEGATION_CHAIN
+      # USER: DEFAULT_USER | EMAIL
+      # DELEGATION_CHAIN: EMAIL | EMAIL "," DELEGATION_CHAIN
+      # EMAIL: <The email address of the user or service account, like "my-user@example.com" >
+      # DEFAULT_USER: "default"
+      #
+      # Some valid examples:
+      # - "my-user@example.com" sets the user
+      # - "my-user@example.com|my-service-user@example.com" will use my-user and enable service account impersonation as my-service-user
+      # - "default" will use the default user and no impersonation
+      # - "default|my-service-user@example.com" will use the default user, and enable service account impersonation as my-service-user
+      # - "default|my-service-user@example.com,another-service-user@example.com" same as above, but with an impersonation delegation chain
+
+      unless logged_in?
+        `gcloud auth login`
+        raise RuntimeError, "could not login to gcloud" unless logged_in?
+      end
+
+      nil
+    end
+
+    def fetch_secrets(secrets, from:, account:, session:)
+      user, service_account = parse_account(account)
+
+      {}.tap do |results|
+        secrets_with_metadata(prefixed_secrets(secrets, from: from)).each do |secret, (project, secret_name, secret_version)|
+          item_name = "#{project}/#{secret_name}"
+          results[item_name] = fetch_secret(project, secret_name, secret_version, user, service_account)
+          raise RuntimeError, "Could not read #{item_name} from Google Secret Manager" unless $?.success?
+        end
+      end
+    end
+
+    def fetch_secret(project, secret_name, secret_version, user, service_account)
+      secret = run_command(
+        "secrets versions access #{secret_version.shellescape} --secret=#{secret_name.shellescape}",
+        project: project,
+        user: user,
+        service_account: service_account
+      )
+      Base64.decode64(secret.dig("payload", "data"))
+    end
+
+    # The secret needs to at least contain a secret name, but project name, and secret version can also be specified.
+    #
+    # The string "default" can be used to refer to the default project configured for gcloud.
+    #
+    # The version can be either the string "latest", or a version number.
+    #
+    # The following formats are valid:
+    #
+    # - The following are all equivalent, and sets project: default, secret name: my-secret, version: latest
+    #   - "my-secret"
+    #   - "default/my-secret"
+    #   - "default/my-secret/latest"
+    #   - "my-secret/latest" in combination with --from=default
+    # - "my-secret/123" (only in combination with --from=some-project) -> project: some-project, secret name: my-secret, version: 123
+    # - "some-project/my-secret/123" -> project: some-project, secret name: my-secret, version: 123
+    def secrets_with_metadata(secrets)
+      {}.tap do |items|
+        secrets.each do |secret|
+          parts = secret.split("/")
+          parts.unshift("default") if parts.length == 1
+          project = parts.shift
+          secret_name = parts.shift
+          secret_version = parts.shift || "latest"
+
+          items[secret] = [ project, secret_name, secret_version ]
+        end
+      end
+    end
+
+    def run_command(command, project: "default", user: "default", service_account: nil)
+      full_command = [ "gcloud", command ]
+      full_command << "--project=#{project.shellescape}" unless project == "default"
+      full_command << "--account=#{user.shellescape}" unless user == "default"
+      full_command << "--impersonate-service-account=#{service_account.shellescape}" if service_account
+      full_command << "--format=json"
+      full_command = full_command.join(" ")
+
+      result = `#{full_command}`.strip
+      JSON.parse(result)
+    end
+
+    def check_dependencies!
+      raise RuntimeError, "gcloud CLI is not installed" unless cli_installed?
+    end
+
+    def cli_installed?
+      `gcloud --version 2> /dev/null`
+      $?.success?
+    end
+
+    def logged_in?
+      JSON.parse(`gcloud auth list --format=json`).any?
+    end
+
+    def parse_account(account)
+      account.split("|", 2)
+    end
+
+    def is_user?(candidate)
+      candidate.include?("@")
+    end
+end

data/lib/kamal/secrets/adapters/last_pass.rb

@@ -0,0 +1,40 @@
+class Kamal::Secrets::Adapters::LastPass < Kamal::Secrets::Adapters::Base
+  private
+    def login(account)
+      unless loggedin?(account)
+        `lpass login #{account.shellescape}`
+        raise RuntimeError, "Failed to login to LastPass" unless $?.success?
+      end
+    end
+
+    def loggedin?(account)
+      `lpass status --color never`.strip == "Logged in as #{account}."
+    end
+
+    def fetch_secrets(secrets, from:, account:, session:)
+      secrets = prefixed_secrets(secrets, from: from)
+      items = `lpass show #{secrets.map(&:shellescape).join(" ")} --json`
+      raise RuntimeError, "Could not read #{secrets} from LastPass" unless $?.success?
+
+      items = JSON.parse(items)
+
+      {}.tap do |results|
+        items.each do |item|
+          results[item["fullname"]] = item["password"]
+        end
+
+        if (missing_items = secrets - results.keys).any?
+          raise RuntimeError, "Could not find #{missing_items.join(", ")} in LastPass"
+        end
+      end
+    end
+
+    def check_dependencies!
+      raise RuntimeError, "LastPass CLI is not installed" unless cli_installed?
+    end
+
+    def cli_installed?
+      `lpass --version 2> /dev/null`
+      $?.success?
+    end
+end

data/lib/kamal/secrets/adapters/one_password.rb

@@ -0,0 +1,104 @@
+class Kamal::Secrets::Adapters::OnePassword < Kamal::Secrets::Adapters::Base
+  delegate :optionize, to: Kamal::Utils
+
+  private
+    def login(account)
+      unless loggedin?(account)
+        `op signin #{to_options(account: account, force: true, raw: true)}`.tap do
+          raise RuntimeError, "Failed to login to 1Password" unless $?.success?
+        end
+      end
+    end
+
+    def loggedin?(account)
+      `op account get --account #{account.shellescape} 2> /dev/null`
+      $?.success?
+    end
+
+    def fetch_secrets(secrets, from:, account:, session:)
+      if secrets.blank?
+        fetch_all_secrets(from: from, account: account, session: session) if secrets.blank?
+      else
+        fetch_specified_secrets(secrets, from: from, account: account, session: session)
+      end
+    end
+
+    def fetch_specified_secrets(secrets, from:, account:, session:)
+      {}.tap do |results|
+        vaults_items_fields(prefixed_secrets(secrets, from: from)).map do |vault, items|
+          items.each do |item, fields|
+            fields_json = JSON.parse(op_item_get(vault, item, fields: fields, account: account, session: session))
+            fields_json = [ fields_json ] if fields.one?
+
+            results.merge!(fields_map(fields_json))
+          end
+        end
+      end
+    end
+
+    def fetch_all_secrets(from:, account:, session:)
+      {}.tap do |results|
+        vault_items(from).each do |vault, items|
+          items.each do |item|
+            fields_json = JSON.parse(op_item_get(vault, item, account: account, session: session)).fetch("fields")
+
+            results.merge!(fields_map(fields_json))
+          end
+        end
+      end
+    end
+
+    def to_options(**options)
+      optionize(options.compact).join(" ")
+    end
+
+    def vaults_items_fields(secrets)
+      {}.tap do |vaults|
+        secrets.each do |secret|
+          secret = secret.delete_prefix("op://")
+          vault, item, *fields = secret.split("/")
+          fields << "password" if fields.empty?
+
+          vaults[vault] ||= {}
+          vaults[vault][item] ||= []
+          vaults[vault][item] << fields.join(".")
+        end
+      end
+    end
+
+    def vault_items(from)
+      from = from.delete_prefix("op://")
+      vault, item = from.split("/")
+      { vault => [ item ] }
+    end
+
+    def fields_map(fields_json)
+      fields_json.to_h do |field_json|
+        # The reference is in the form `op://vault/item/field[/field]`
+        field = field_json["reference"].delete_prefix("op://").delete_suffix("/password")
+        [ field, field_json["value"] ]
+      end
+    end
+
+    def op_item_get(vault, item, fields: nil, account:, session:)
+      options = { vault: vault, format: "json", account: account, session: session.presence }
+
+      if fields.present?
+        labels = fields.map { |field| "label=#{field}" }.join(",")
+        options.merge!(fields: labels)
+      end
+
+      `op item get #{item.shellescape} #{to_options(**options)}`.tap do
+        raise RuntimeError, "Could not read #{"#{fields.join(", ")} " if fields.present?}from #{item} in the #{vault} 1Password vault" unless $?.success?
+      end
+    end
+
+    def check_dependencies!
+      raise RuntimeError, "1Password CLI is not installed" unless cli_installed?
+    end
+
+    def cli_installed?
+      `op --version 2> /dev/null`
+      $?.success?
+    end
+end

data/lib/kamal/secrets/adapters/passbolt.rb

@@ -0,0 +1,130 @@
+class Kamal::Secrets::Adapters::Passbolt < Kamal::Secrets::Adapters::Base
+  def requires_account?
+    false
+  end
+
+  private
+
+    def login(*)
+      `passbolt verify`
+      raise RuntimeError, "Failed to login to Passbolt" unless $?.success?
+    end
+
+    def fetch_secrets(secrets, from:, **)
+      secrets = prefixed_secrets(secrets, from: from)
+      raise ArgumentError, "No secrets given to fetch" if secrets.empty?
+
+      secret_names = secrets.collect { |s| s.split("/").last }
+      folders = secrets_get_folders(secrets)
+
+      # build filter conditions for each secret with its corresponding folder
+      filter_conditions = []
+      secrets.each do |secret|
+        parts = secret.split("/")
+        secret_name = parts.last
+
+        if parts.size > 1
+          # get the folder path without the secret name
+          folder_path = parts[0..-2]
+
+          # find the most nested folder for this path
+          current_folder = nil
+          current_path = []
+
+          folder_path.each do |folder_name|
+            current_path << folder_name
+            matching_folders = folders.select { |f| get_folder_path(f, folders) == current_path.join("/") }
+            current_folder = matching_folders.first if matching_folders.any?
+          end
+
+          if current_folder
+            filter_conditions << "(Name == #{secret_name.shellescape.inspect} && FolderParentID == #{current_folder["id"].shellescape.inspect})"
+          end
+        else
+          # for root level secrets (no folders)
+          filter_conditions << "Name == #{secret_name.shellescape.inspect}"
+        end
+      end
+
+      filter_condition = filter_conditions.any? ? "--filter '#{filter_conditions.join(" || ")}'" : ""
+      items = `passbolt list resources #{filter_condition} #{folders.map { |item| "--folder #{item["id"]}" }.join(" ")} --json`
+      raise RuntimeError, "Could not read #{secrets} from Passbolt" unless $?.success?
+
+      items = JSON.parse(items)
+      found_names = items.map { |item| item["name"] }
+      missing_secrets = secret_names - found_names
+      raise RuntimeError, "Could not find the following secrets in Passbolt: #{missing_secrets.join(", ")}" if missing_secrets.any?
+
+      items.to_h { |item| [ item["name"], item["password"] ] }
+    end
+
+    def secrets_get_folders(secrets)
+      # extract all folder paths (both parent and nested)
+      folder_paths = secrets
+        .select { |s| s.include?("/") }
+        .map { |s| s.split("/")[0..-2] } # get all parts except the secret name
+        .uniq
+
+      return [] if folder_paths.empty?
+
+      all_folders = []
+
+      # first get all top-level folders
+      parent_folders = folder_paths.map(&:first).uniq
+      filter_condition = "--filter '#{parent_folders.map { |name| "Name == #{name.shellescape.inspect}" }.join(" || ")}'"
+      fetch_folders = `passbolt list folders #{filter_condition} --json`
+      raise RuntimeError, "Could not read folders from Passbolt" unless $?.success?
+
+      parent_folder_items = JSON.parse(fetch_folders)
+      all_folders.concat(parent_folder_items)
+
+      # get nested folders for each parent
+      folder_paths.each do |path|
+        next if path.size <= 1 # skip non-nested folders
+
+        parent = path[0]
+        parent_folder = parent_folder_items.find { |f| f["name"] == parent }
+        next unless parent_folder
+
+        # for each nested level, get the folders using the parent's ID
+        current_parent = parent_folder
+        path[1..-1].each do |folder_name|
+          filter_condition = "--filter 'Name == #{folder_name.shellescape.inspect} && FolderParentID == #{current_parent["id"].shellescape.inspect}'"
+          fetch_nested = `passbolt list folders #{filter_condition} --json`
+          next unless $?.success?
+
+          nested_folders = JSON.parse(fetch_nested)
+          break if nested_folders.empty?
+
+          all_folders.concat(nested_folders)
+          current_parent = nested_folders.first
+        end
+      end
+
+      # check if we found all required folders
+      found_paths = all_folders.map { |f| get_folder_path(f, all_folders) }
+      missing_paths = folder_paths.map { |path| path.join("/") } - found_paths
+      raise RuntimeError, "Could not find the following folders in Passbolt: #{missing_paths.join(", ")}" if missing_paths.any?
+
+      all_folders
+    end
+
+    def get_folder_path(folder, all_folders, path = [])
+      path.unshift(folder["name"])
+      return path.join("/") if folder["folder_parent_id"].to_s.empty?
+
+      parent = all_folders.find { |f| f["id"] == folder["folder_parent_id"] }
+      return path.join("/") unless parent
+
+      get_folder_path(parent, all_folders, path)
+    end
+
+    def check_dependencies!
+      raise RuntimeError, "Passbolt CLI is not installed" unless cli_installed?
+    end
+
+    def cli_installed?
+      `passbolt --version 2> /dev/null`
+      $?.success?
+    end
+end

data/lib/kamal/secrets/adapters/test.rb

@@ -0,0 +1,14 @@
+class Kamal::Secrets::Adapters::Test < Kamal::Secrets::Adapters::Base
+  private
+    def login(account)
+      true
+    end
+
+    def fetch_secrets(secrets, from:, account:, session:)
+      prefixed_secrets(secrets, from: from).to_h { |secret| [ secret, secret.reverse ] }
+    end
+
+    def check_dependencies!
+      # no op
+    end
+end

data/lib/kamal/secrets/adapters.rb

@@ -0,0 +1,16 @@
+require "active_support/core_ext/string/inflections"
+module Kamal::Secrets::Adapters
+  def self.lookup(name)
+    name = "one_password" if name.downcase == "1password"
+    name = "last_pass" if name.downcase == "lastpass"
+    name = "gcp_secret_manager" if name.downcase == "gcp"
+    name = "bitwarden_secrets_manager" if name.downcase == "bitwarden-sm"
+    adapter_class(name)
+  end
+
+  def self.adapter_class(name)
+    Object.const_get("Kamal::Secrets::Adapters::#{name.camelize}").new
+  rescue NameError => e
+    raise RuntimeError, "Unknown secrets adapter: #{name}"
+  end
+end

data/lib/kamal/secrets/dotenv/inline_command_substitution.rb

@@ -0,0 +1,33 @@
+class Kamal::Secrets::Dotenv::InlineCommandSubstitution
+  class << self
+    def install!
+      ::Dotenv::Parser.substitutions.map! { |sub| sub == ::Dotenv::Substitutions::Command ? self : sub }
+    end
+
+    def call(value, env, overwrite: false)
+      # Process interpolated shell commands
+      value.gsub(Dotenv::Substitutions::Command.singleton_class::INTERPOLATED_SHELL_COMMAND) do |*|
+        # Eliminate opening and closing parentheses
+        command = $LAST_MATCH_INFO[:cmd][1..-2]
+
+        if $LAST_MATCH_INFO[:backslash]
+          # Command is escaped, don't replace it.
+          $LAST_MATCH_INFO[0][1..]
+        else
+          command = ::Dotenv::Substitutions::Variable.call(command, env)
+          if command =~ /\A\s*kamal\s*secrets\s+/
+            # Inline the command
+            inline_secrets_command(command)
+          else
+            # Execute the command and return the value
+            `#{command}`.chomp
+          end
+        end
+      end
+    end
+
+    def inline_secrets_command(command)
+      Kamal::Cli::Main.start(command.shellsplit[1..] + [ "--inline" ]).chomp
+    end
+  end
+end

data/lib/kamal/secrets.rb

@@ -0,0 +1,42 @@
+require "dotenv"
+
+class Kamal::Secrets
+  Kamal::Secrets::Dotenv::InlineCommandSubstitution.install!
+
+  def initialize(destination: nil)
+    @destination = destination
+    @mutex = Mutex.new
+  end
+
+  def [](key)
+    # Fetching secrets may ask the user for input, so ensure only one thread does that
+    @mutex.synchronize do
+      secrets.fetch(key)
+    end
+  rescue KeyError
+    if secrets_files.present?
+      raise Kamal::ConfigurationError, "Secret '#{key}' not found in #{secrets_files.join(", ")}"
+    else
+      raise Kamal::ConfigurationError, "Secret '#{key}' not found, no secret files (#{secrets_filenames.join(", ")}) provided"
+    end
+  end
+
+  def to_h
+    secrets
+  end
+
+  def secrets_files
+    @secrets_files ||= secrets_filenames.select { |f| File.exist?(f) }
+  end
+
+  private
+    def secrets
+      @secrets ||= secrets_files.inject({}) do |secrets, secrets_file|
+        secrets.merge!(::Dotenv.parse(secrets_file, overwrite: true))
+      end
+    end
+
+    def secrets_filenames
+      [ ".kamal/secrets-common", ".kamal/secrets#{(".#{@destination}" if @destination)}" ]
+    end
+end

data/lib/kamal/sshkit_with_ext.rb

@@ -3,6 +3,7 @@ require "sshkit/dsl"
 require "net/scp"
 require "active_support/core_ext/hash/deep_merge"
 require "json"
+require "concurrent/atomic/semaphore"
 
 class SSHKit::Backend::Abstract
   def capture_with_info(*args, **kwargs)

data/lib/kamal/utils.rb

@@ -1,3 +1,5 @@
+require "active_support/core_ext/object/try"
+
 module Kamal::Utils
   extend self
 
@@ -10,6 +12,8 @@ module Kamal::Utils
         attr = "#{key}=#{escape_shell_value(value)}"
         attr = self.sensitive(attr, redaction: "#{key}=[REDACTED]") if sensitive
         [ argument, attr ]
+      elsif value == false
+        [ argument, "#{key}=false" ]
       else
         [ argument, key ]
       end
@@ -54,6 +58,12 @@ module Kamal::Utils
 
   # Escape a value to make it safe for shell use.
   def escape_shell_value(value)
+    value.to_s.scan(/[\x00-\x7F]+|[^\x00-\x7F]+/) \
+      .map { |part| part.ascii_only? ? escape_ascii_shell_value(part) : part }
+      .join
+  end
+
+  def escape_ascii_shell_value(value)
     value.to_s.dump
       .gsub(/`/, '\\\\`')
       .gsub(DOLLAR_SIGN_WITHOUT_SHELL_EXPANSION_REGEX, '\$')
@@ -77,4 +87,24 @@ module Kamal::Utils
   def stable_sort!(elements, &block)
     elements.sort_by!.with_index { |element, index| [ block.call(element), index ] }
   end
+
+  def join_commands(commands)
+    commands.map(&:strip).join(" ")
+  end
+
+  def docker_arch
+    arch = `docker info --format '{{.Architecture}}'`.strip
+    case arch
+    when /aarch64/
+      "arm64"
+    when /x86_64/
+      "amd64"
+    else
+      arch
+    end
+  end
+
+  def older_version?(version, other_version)
+    Gem::Version.new(version.delete_prefix("v")) < Gem::Version.new(other_version.delete_prefix("v"))
+  end
 end

data/lib/kamal/version.rb

@@ -1,3 +1,3 @@
 module Kamal
-  VERSION = "1.8.3"
+  VERSION = "2.7.0"
 end

data/lib/kamal.rb

@@ -5,8 +5,10 @@ end
 require "active_support"
 require "zeitwerk"
 require "yaml"
+require "tmpdir"
+require "pathname"
 
 loader = Zeitwerk::Loader.for_gem
 loader.ignore(File.join(__dir__, "kamal", "sshkit_with_ext.rb"))
 loader.setup
-loader.eager_load # We need all commands loaded.
+loader.eager_load_namespace(Kamal::Cli) # We need all commands loaded.