opdotenv 1.0.0

data/lib/opdotenv/connect_api_client.rb

@@ -0,0 +1,290 @@
+require "net/http"
+require "uri"
+
+module Opdotenv
+  class ConnectApiClient
+    class ConnectApiError < StandardError; end
+
+    NOTES_PLAIN_FIELD = "notesPlain"
+    NOTES_PURPOSE = "NOTES"
+    SECURE_NOTE_CATEGORY = "SECURE_NOTE"
+    LOGIN_CATEGORY = "LOGIN"
+
+    def initialize(base_url:, access_token:, env: ENV)
+      validate_url(base_url)
+      validate_token(access_token)
+      @base_url = base_url.chomp("/")
+      @access_token = access_token
+      @env = env
+    end
+
+    # Parse op:// style path or connect:// style path
+    # op://Vault/Item -> {vault: "Vault", item: "Item", field: nil}
+    # op://Vault/Item/notesPlain -> {vault: "Vault", item: "Item", field: "notesPlain"}
+    # op://Vault/Item/Section/Field -> {vault: "Vault", item: "Item", field: "Field"}
+    def read(path)
+      parsed = parse_path(path)
+      item = get_item(parsed[:vault], parsed[:item])
+
+      if parsed[:field]
+        # Read specific field
+        field = find_field(item, parsed[:field])
+        field ? field["value"] : ""
+      else
+        # Read notesPlain for secure notes
+        notes_field = item["fields"]&.find { |f| f["purpose"] == NOTES_PURPOSE || f["label"] == NOTES_PLAIN_FIELD }
+        notes_field ? notes_field["value"] : ""
+      end
+    end
+
+    def item_get(item_title, vault: nil)
+      # If vault not provided, search all vaults (requires listing vaults)
+      if vault.nil?
+        item = find_item_in_all_vaults(item_title)
+        raise ConnectApiError, "Item '#{item_title}' not found" unless item
+      else
+        vault_id = vault_name_to_id(vault)
+        item = item_by_title_in_vault(vault_id, item_title)
+        raise ConnectApiError, "Item '#{item_title}' not found in vault '#{vault}'" unless item
+      end
+
+      JSON.pretty_generate(item)
+    end
+
+    def find_item_in_all_vaults(item_title)
+      vaults = list_vaults
+      vaults.each do |v|
+        item = item_by_title_in_vault(v["id"], item_title)
+        return item if item
+      end
+      nil
+    end
+
+    def item_create_note(vault:, title:, notes:)
+      vault_id = vault_name_to_id(vault)
+
+      payload = {
+        "vault" => {"id" => vault_id},
+        "title" => title,
+        "category" => SECURE_NOTE_CATEGORY,
+        "fields" => [
+          {
+            "purpose" => NOTES_PURPOSE,
+            "value" => notes
+          }
+        ]
+      }
+
+      response = api_request(:post, "/v1/vaults/#{vault_id}/items", payload)
+      JSON.pretty_generate(response)
+    end
+
+    def item_create_or_update_fields(vault:, item:, fields: {})
+      vault_id = vault_name_to_id(vault)
+
+      # Try to find existing item by title
+      existing = item_by_title_in_vault(vault_id, item)
+
+      if existing
+        # Update using PATCH
+        fields_array = fields.map do |k, v|
+          existing_field = existing["fields"]&.find { |f| f["label"] == k.to_s }
+          if existing_field
+            {
+              "op" => "replace",
+              "path" => "/fields/#{existing_field["id"]}/value",
+              "value" => v.to_s
+            }
+          else
+            {
+              "op" => "add",
+              "path" => "/fields",
+              "value" => {
+                "type" => "CONCEALED",
+                "label" => k.to_s,
+                "value" => v.to_s
+              }
+            }
+          end
+        end
+
+        api_request(:patch, "/v1/vaults/#{vault_id}/items/#{existing["id"]}", fields_array)
+      else
+        # Create new item
+        fields_array = fields.map do |k, v|
+          {
+            "type" => "CONCEALED",
+            "label" => k.to_s,
+            "value" => v.to_s
+          }
+        end
+
+        payload = {
+          "vault" => {"id" => vault_id},
+          "title" => item,
+          "category" => LOGIN_CATEGORY,
+          "fields" => fields_array
+        }
+
+        api_request(:post, "/v1/vaults/#{vault_id}/items", payload)
+      end
+    end
+
+    private
+
+    def parse_path(path)
+      # op://Vault/Item or connect://Vault/Item
+      match = path.match(/\A(?:op|connect):\/\/([^\/]+)\/([^\/]+)(?:\/(.+))?\z/)
+      raise ConnectApiError, "Invalid path format: #{path}" unless match
+
+      {
+        vault: match[1],
+        item: match[2],
+        field: match[3]
+      }
+    end
+
+    def vault_name_to_id(vault_name)
+      @vault_cache ||= {}
+      return @vault_cache[vault_name] if @vault_cache.key?(vault_name)
+
+      vaults = list_vaults
+      vault = vaults.find { |v| v["name"] == vault_name || v["id"] == vault_name }
+      raise ConnectApiError, "Vault '#{vault_name}' not found" unless vault
+
+      @vault_cache[vault_name] = vault["id"]
+    end
+
+    def list_vaults
+      api_request(:get, "/v1/vaults")
+    end
+
+    def get_item(vault_name, item_title)
+      vault_id = vault_name_to_id(vault_name)
+      item = item_by_title_in_vault(vault_id, item_title)
+      raise ConnectApiError, "Item '#{item_title}' not found in vault '#{vault_name}'" unless item
+
+      # Fetch full item details including fields
+      api_request(:get, "/v1/vaults/#{vault_id}/items/#{item["id"]}")
+    end
+
+    def item_by_title_in_vault(vault_id, item_title)
+      # List items and find by title
+      items = api_request(:get, "/v1/vaults/#{vault_id}/items")
+      item = items.find { |i| i["title"] == item_title || i["id"] == item_title }
+      # If found by listing, fetch full details to get fields
+      if item && item["id"]
+        api_request(:get, "/v1/vaults/#{vault_id}/items/#{item["id"]}")
+      else
+        item
+      end
+    end
+
+    def find_field(item, field_name)
+      item["fields"]&.find do |f|
+        f["label"] == field_name ||
+          f["id"] == field_name ||
+          (field_name == NOTES_PLAIN_FIELD && f["purpose"] == NOTES_PURPOSE)
+      end
+    end
+
+    def api_request(method, path, body = nil)
+      uri = build_uri(path)
+      http = build_http_client(uri)
+
+      request = build_request(method, uri, body)
+      response = execute_request_with_retry(http, request)
+
+      handle_response(response, path)
+    end
+
+    def build_uri(path)
+      # Validate path to prevent path traversal attacks
+      # API paths legitimately start with "/", so only check for ".."
+      raise ConnectApiError, "Invalid path: #{path}" if path.include?("..")
+
+      # Use URI.join which handles path normalization safely
+      # URI.join expects base URL without trailing slash for proper joining
+      base_uri = @base_url.end_with?("/") ? @base_url[0..-2] : @base_url
+      normalized_path = path.start_with?("/") ? path : "/#{path}"
+      URI.join(base_uri, normalized_path)
+    end
+
+    def build_http_client(uri)
+      http = Net::HTTP.new(uri.host, uri.port)
+      http.use_ssl = uri.scheme == "https"
+      http.open_timeout = (@env["OPDOTENV_HTTP_OPEN_TIMEOUT"] || 5).to_i
+      http.read_timeout = (@env["OPDOTENV_HTTP_READ_TIMEOUT"] || 10).to_i
+      http
+    end
+
+    def build_request(method, uri, body)
+      request_class = case method
+      when :get then Net::HTTP::Get
+      when :post then Net::HTTP::Post
+      when :put then Net::HTTP::Put
+      when :patch then Net::HTTP::Patch
+      when :delete then Net::HTTP::Delete
+      else raise ConnectApiError, "Unsupported HTTP method: #{method}"
+      end
+
+      request = request_class.new(uri.request_uri)
+      request["Authorization"] = "Bearer #{@access_token}"
+      request["Content-Type"] = "application/json"
+      request.body = JSON.generate(body) if body
+      request
+    end
+
+    def execute_request_with_retry(http, request)
+      attempts = 0
+      begin
+        attempts += 1
+        http.request(request)
+      rescue Timeout::Error, Errno::ECONNRESET
+        raise if attempts >= 2
+        sleep 0.2
+        retry
+      end
+    end
+
+    def handle_response(response, path)
+      code = response.code.to_i
+
+      case code
+      when 200, 204
+        return {} if response.body.empty? || code == 204
+        JSON.parse(response.body)
+      when 401
+        raise ConnectApiError, "Unauthorized: Invalid or missing access token"
+      when 403
+        raise ConnectApiError, "Forbidden: Access denied"
+      when 404
+        raise ConnectApiError, "Not found: #{path}"
+      when 500..599
+        raise ConnectApiError, "API error (#{code}): #{extract_error_message(response)}"
+      else
+        raise ConnectApiError, "API error (#{code}): #{extract_error_message(response)}"
+      end
+    end
+
+    def extract_error_message(response)
+      parsed = JSON.parse(response.body)
+      parsed["message"] || parsed["error"] || response.body
+    rescue JSON::ParserError
+      response.body
+    end
+
+    def validate_url(url)
+      uri = URI.parse(url)
+      unless ["http", "https"].include?(uri.scheme)
+        raise ArgumentError, "Invalid URL scheme: #{uri.scheme}. Must be http or https"
+      end
+    rescue URI::InvalidURIError => e
+      raise ArgumentError, "Invalid URL: #{url} - #{e.message}"
+    end
+
+    def validate_token(token)
+      raise ArgumentError, "Access token cannot be empty" if token.nil? || token.empty?
+    end
+  end
+end

data/lib/opdotenv/exporter.rb

@@ -0,0 +1,59 @@
+module Opdotenv
+  class Exporter
+    # Export data to 1Password
+    # Paths like "op://Vault/.env.development" or "op://Vault/config.json" create Secure Notes (format inferred from item name extension)
+    # Paths like "op://Vault/App" create/update item fields
+    # Format is inferred from item name extension: .env.*, *.json, *.yaml, *.yml
+    # @param path [String] Path like "op://Vault/.env.development", "op://Vault/production.json", or "op://Vault/App"
+    # @param data [Hash] Data to export
+    # @param field_type [Symbol] Format override (:dotenv, :json, :yaml). Default: inferred from path
+    def self.export(path:, data:, field_type: nil, client: nil, env: ENV)
+      client ||= ClientFactory.create(env: env)
+      vault, item = Loader.parse_op_path(path)
+
+      # Extract item name and potential field name
+      # Handle paths like "op://Vault/Item" or "op://Vault/Item Name/field"
+      item_parts = item.split("/")
+      item_name = item_parts.first
+
+      # Check if path matches format patterns (Secure Note) or regular item (fields)
+      if FormatInferrer.matches_format_pattern?(item_name)
+        # Create Secure Note
+        field_type ||= FormatInferrer.infer_from_name(item_name) || :dotenv
+        content = serialize_by_format(data, field_type)
+        client.item_create_note(vault: vault, title: item_name, notes: content)
+      else
+        # Create/update item with fields
+        flat = data.transform_values(&:to_s)
+        client.item_create_or_update_fields(vault: vault, item: item_name, fields: flat)
+      end
+    end
+
+    def self.infer_format_from_item(item)
+      FormatInferrer.infer_from_name(item) || :dotenv
+    end
+
+    def self.serialize_by_format(data, format)
+      case format
+      when :dotenv
+        data.map { |k, v| "#{k}=#{escape_env(v)}" }.join("\n") + "\n"
+      when :json
+        JSON.pretty_generate(data)
+      when :yaml, :yml
+        YAML.dump(data)
+      else
+        raise ArgumentError, "Unsupported format: #{format}. Supported: :dotenv, :json, :yaml"
+      end
+    end
+
+    def self.escape_env(value)
+      s = value.to_s
+      return '""' if s.empty?
+      if s.match?(/\s|["'#]/)
+        '"' + s.gsub('"', '\\"') + '"'
+      else
+        s
+      end
+    end
+  end
+end

data/lib/opdotenv/format_inferrer.rb

@@ -0,0 +1,22 @@
+module Opdotenv
+  # Shared module for format inference from item/field names
+  module FormatInferrer
+    module_function
+
+    DOTENV_PATTERN = /\.env\.?/
+    JSON_EXTENSIONS = [".json"].freeze
+    YAML_EXTENSIONS = [".yaml", ".yml"].freeze
+
+    def infer_from_name(name)
+      return :dotenv if name.match?(DOTENV_PATTERN)
+      return :json if JSON_EXTENSIONS.any? { |ext| name.end_with?(ext) }
+      return :yaml if YAML_EXTENSIONS.any? { |ext| name.end_with?(ext) }
+
+      nil
+    end
+
+    def matches_format_pattern?(name)
+      !infer_from_name(name).nil?
+    end
+  end
+end

data/lib/opdotenv/loader.rb

@@ -0,0 +1,72 @@
+module Opdotenv
+  class Loader
+    NOTES_PURPOSE = "NOTES"
+
+    # Unified loading API
+    # If field_name is set, fetches a single field and parses it with field_type (default: :dotenv)
+    # If field_name is not set, fetches all fields without parsing
+    def self.load(path, field_name: nil, field_type: :dotenv, env: ENV, client: nil, overwrite: true)
+      client ||= ClientFactory.create(env: env)
+
+      data = field_name ? load_field(client, path, field_name, field_type) : load_all_fields(client, path)
+
+      merge_into_env(env, data, overwrite: overwrite)
+      data
+    end
+
+    def self.load_field(client, path, field_name, field_type)
+      field_path = build_field_path(path, field_name)
+      text = client.read(field_path)
+      parse_by_format(text, field_type)
+    end
+
+    def self.load_all_fields(client, path)
+      vault, item = parse_op_path(path)
+      raw_json = client.item_get(item, vault: vault)
+      item_hash = parse_json_safe(raw_json)
+
+      item_hash["fields"]&.each_with_object({}) do |field, env_data|
+        label = field["label"] || field["id"]
+        next unless label
+        next if field["purpose"] == NOTES_PURPOSE # skip notesPlain when fetching all
+        env_data[label.to_s] = (field["value"] || "").to_s
+      end || {}
+    end
+
+    def self.build_field_path(path, field_name)
+      # op CLI requires vault/item/field format
+      # Avoid duplication if field name already in path
+      path.end_with?("/#{field_name}") ? path : "#{path}/#{field_name}"
+    end
+
+    def self.parse_json_safe(json_string)
+      JSON.parse(json_string)
+    rescue JSON::ParserError
+      {}
+    end
+
+    def self.parse_by_format(text, format)
+      case format
+      when :dotenv then Parsers::DotenvParser.parse(text)
+      when :json then Parsers::JsonParser.parse(text)
+      when :yaml, :yml then Parsers::YamlParser.parse(text)
+      else
+        raise ArgumentError, "Unsupported format: #{format}. Supported: :dotenv, :json, :yaml"
+      end
+    end
+
+    def self.parse_op_path(path)
+      m = path.match(/\Aop:\/\/([^\/]*)\/([^\/]*)/)
+      raise ArgumentError, "Invalid op path: #{path}" unless m
+      [m[1], m[2]]
+    end
+
+    def self.merge_into_env(env, hash, overwrite: true)
+      hash.each do |k, v|
+        key = k.to_s
+        next if !overwrite && env.key?(key)
+        env[key] = v.to_s
+      end
+    end
+  end
+end

data/lib/opdotenv/op_client.rb

@@ -0,0 +1,94 @@
+require "json"
+
+module Opdotenv
+  class OpClient
+    class OpError < StandardError; end
+
+    NOTES_PLAIN_FIELD = "notesPlain"
+    SECURE_NOTE_CATEGORY = "secure-note"
+    LOGIN_CATEGORY = "LOGIN"
+
+    def initialize(env: ENV)
+      @env = env
+    end
+
+    def read(path)
+      validate_path(path)
+      out = capture(["op", "read", path])
+      out.strip
+    end
+
+    def item_get(item, vault: nil)
+      args = ["op", "item", "get", item, "--format", "json"]
+      args += ["--vault", vault] if vault
+      capture(args)
+    end
+
+    def item_create_note(vault:, title:, notes:)
+      # Create a Secure Note with given title and notesPlain
+      # Use shell escaping to prevent injection
+      args = [
+        "op", "item", "create",
+        "--category", SECURE_NOTE_CATEGORY,
+        "--title", title,
+        "--vault", vault,
+        "#{NOTES_PLAIN_FIELD}=#{notes}"
+      ]
+      capture(args)
+    end
+
+    def item_create_or_update_fields(vault:, item:, fields: {})
+      exists = item_exists?(item, vault: vault)
+      if exists
+        fields.each do |k, v|
+          # Use shell escaping to prevent injection
+          field_arg = "#{k}=#{v}"
+          capture(["op", "item", "edit", item, "--vault", vault, "--set", field_arg])
+        end
+      else
+        args = ["op", "item", "create", "--title", item, "--vault", vault]
+        fields.each do |k, v|
+          args += ["--set", "#{k}=#{v}"]
+        end
+        capture(args)
+      end
+    end
+
+    private
+
+    def item_exists?(item, vault: nil)
+      args = ["op", "item", "get", item]
+      args += ["--vault", vault] if vault
+      system(*args, out: File::NULL, err: File::NULL)
+    end
+
+    def validate_path(path)
+      return if path.is_a?(String) && path.start_with?("op://")
+
+      raise ArgumentError, "Invalid path format: #{path.inspect}. Must start with 'op://'"
+    end
+
+    def capture(args)
+      # Use exec-style array to prevent shell injection
+      # IO.popen with array arguments avoids shell interpretation
+      out = IO.popen(args, err: [:child, :out]) do |io|
+        io.read
+      end
+      status = $CHILD_STATUS
+
+      # For JSON output, try to parse even if exit code is non-zero
+      # Some op commands may return non-zero but still output valid JSON
+      if args.include?("--format") && args.include?("json")
+        begin
+          JSON.parse(out)
+          return out # Valid JSON, return it even if exit code is non-zero
+        rescue JSON::ParserError
+          # Not valid JSON, fall through to error handling
+        end
+      end
+
+      raise OpError, out if status.nil? || !status.success?
+      out
+    end
+  end
+end

data/lib/opdotenv/parsers/dotenv_parser.rb

@@ -0,0 +1,28 @@
+module Opdotenv
+  module Parsers
+    class DotenvParser
+      def self.parse(text)
+        env = {}
+        text.to_s.each_line do |line|
+          line = line.strip
+          next if line.empty? || line.start_with?("#")
+          # Support KEY=VALUE and KEY="VALUE"; ignore export prefix
+          line = line.sub(/^export\s+/, "")
+          if (m = line.match(/^([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)\z/))
+            key = m[1]
+            raw = m[2]
+            value = if raw.start_with?("\"") && raw.end_with?("\"")
+              raw[1..-2].gsub('\\"', '"')
+            elsif raw.start_with?("'") && raw.end_with?("'")
+              raw[1..-2]
+            else
+              raw
+            end
+            env[key] = value
+          end
+        end
+        env
+      end
+    end
+  end
+end

data/lib/opdotenv/parsers/json_parser.rb

@@ -0,0 +1,28 @@
+module Opdotenv
+  module Parsers
+    class JsonParser
+      def self.parse(text)
+        data = JSON.parse(text.to_s)
+        flatten_to_string_map(data)
+      end
+
+      def self.flatten_to_string_map(obj, prefix = nil, out = {})
+        case obj
+        when Hash
+          obj.each do |k, v|
+            key = prefix ? "#{prefix}_#{k}" : k.to_s
+            flatten_to_string_map(v, key, out)
+          end
+        when Array
+          obj.each_with_index do |v, i|
+            key = prefix ? "#{prefix}_#{i}" : i.to_s
+            flatten_to_string_map(v, key, out)
+          end
+        else
+          out[prefix.to_s] = obj.to_s
+        end
+        out
+      end
+    end
+  end
+end

data/lib/opdotenv/parsers/yaml_parser.rb

@@ -0,0 +1,15 @@
+require "yaml"
+
+module Opdotenv
+  module Parsers
+    class YamlParser
+      # Safe YAML parsing without aliases (aliases can cause DoS attacks)
+      PERMITTED_CLASSES = [Date, Time, Symbol].freeze
+
+      def self.parse(text)
+        data = YAML.safe_load(text.to_s, permitted_classes: PERMITTED_CLASSES, aliases: false)
+        JsonParser.flatten_to_string_map(data)
+      end
+    end
+  end
+end

data/lib/opdotenv/railtie.rb

@@ -0,0 +1,55 @@
+require "opdotenv"
+
+module Opdotenv
+  class Railtie < ::Rails::Railtie
+    # This Railtie ensures opdotenv is automatically required when Rails loads
+    # and provides configuration via Rails.configuration.opdotenv
+
+    config.opdotenv = ActiveSupport::OrderedOptions.new
+    config.opdotenv.sources = []
+    # Optional 1Password Connect settings (alternatively set via ENV)
+    config.opdotenv.connect_url = nil
+    config.opdotenv.connect_token = nil
+    config.opdotenv.overwrite = true
+    config.opdotenv.auto_load = true
+
+    # Hook into Rails initialization to load from 1Password
+    initializer "opdotenv.load", before: :load_environment_config do |app|
+      config = app.config.opdotenv
+
+      next unless config.auto_load
+
+      # Prefer Connect API settings from Rails configuration if provided
+      if config.connect_url && config.connect_token
+        ENV["OP_CONNECT_URL"] = config.connect_url
+        ENV["OP_CONNECT_TOKEN"] = config.connect_token
+      end
+
+      # Load from configured sources
+      # Sources can be strings (simplified format) or hashes (backward compatibility)
+      (config.sources || []).each do |source|
+        parsed = SourceParser.parse(source)
+        next unless parsed[:path]
+
+        overwrite = if source.is_a?(Hash) && (source.key?(:overwrite) || source.key?("overwrite"))
+          parsed[:overwrite]
+        else
+          config.overwrite
+        end
+
+        begin
+          Loader.load(
+            parsed[:path],
+            field_name: parsed[:field_name],
+            field_type: parsed[:field_type],
+            env: ENV,
+            overwrite: overwrite
+          )
+        rescue => e
+          # Only log errors, not warnings, to avoid noise in production
+          Rails.logger&.error("Opdotenv: Failed to load #{parsed[:path]}: #{e.message}")
+        end
+      end
+    end
+  end
+end