stack_master 1.6.0-x64-mingw32 → 1.7.0-x64-mingw32

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 8047714e53694bdbdc5df17e1251890f837ce9e8
-  data.tar.gz: 91b1ddd6984d7db56c4f753a30746586d771b044
+  metadata.gz: 9d4199278b4ed423d09c699b662ecc7a99c697ee
+  data.tar.gz: 6b69af6fbd70de239ccb3d07e1c9e39ecbf9c263
 SHA512:
-  metadata.gz: 4e1e69e10b0b9ec16ab50a8d9b8aaebe7cb0ca19e2e8a68c9273e9902106846d66fbb57c2cc6357414c3e9b08759d732335b0bd2cb965c2f714187f4fc7195c9
-  data.tar.gz: 272c24b02149e636e06f6c4a8f5178e7e7efcd1746eed8b743974c94c6d397233b359989b817b318213235728b350011018168cdd559ab3012e22ed9f9c8ce07
+  metadata.gz: 92508145673fd052cb612ddbfa88cb2eb60ed764aba323794731a392f216a131e86603cb9caa42b8cede4b70ff30cc9ff074331502ec1e5519fdfde143c467df
+  data.tar.gz: 47716e152071f601e5b1790719e93aa5eeded7c048ede84053ccd94189b092732dcaf5f0abad34be6a4c5aec809ab6c72eb1a54d01bfb84c98c1232f70fc60a2

data/README.md

@@ -256,6 +256,23 @@ you will likely want to set the parameter to NoEcho in your template.
 db_password:
   parameter_store: ssm_parameter_name
 ```
+### 1Password Lookup
+An Alternative to the alternative secret store is accessing 1password secrets using the 1password cli (`op`).
+You declare a 1password lookup with the following parameters in your parameters file:
+
+```
+parameters/database.yml
+database_password:
+  one_password:
+    title: production database
+    vault: Shared
+    type: password
+```
+
+1password stores the name of the secret in the `title`. You can pass the `vault` you expect the secret to be in.
+Currently we support two types of secrets, `password`s and `secureNote`s. All values must be declared, there are no defaults.
+
+For more information on 1password cli please see [here](https://support.1password.com/command-line-getting-started/)
 
 ### Security Group
 

data/lib/stack_master.rb

@@ -69,6 +69,7 @@ module StackMaster
     autoload :LatestAmi, 'stack_master/parameter_resolvers/latest_ami'
     autoload :Env, 'stack_master/parameter_resolvers/env'
     autoload :ParameterStore, 'stack_master/parameter_resolvers/parameter_store'
+    autoload :OnePassword, 'stack_master/parameter_resolvers/one_password'
   end
 
   module AwsDriver

data/lib/stack_master/parameter_resolvers/one_password.rb

@@ -0,0 +1,85 @@
+module StackMaster
+  module ParameterResolvers
+    class OnePassword < Resolver
+      OnePasswordNotFound = Class.new(StandardError)
+      OnePasswordNotAbleToAuthenticate = Class.new(StandardError)
+      OnePasswordBinaryNotFound = Class.new(StandardError)
+      OnePasswordInvalidResponse = Class.new(StandardError)
+
+      array_resolver
+
+      def initialize(config, stack_definition)
+        @config = config
+        @stack_definition = stack_definition
+      end
+
+      def resolve(params={})
+        raise OnePasswordNotAbleToAuthenticate, "1password requires the `OP_SESSION_<name>` to be set, (remember to sign in?)" if ENV.keys.grep(/OP_SESSION_\w+$/).empty?    
+        get_items(params)
+      end
+
+      private
+
+      def validate_op_installed?
+        %x(op --version)
+      rescue Errno::ENOENT => exception
+        raise OnePasswordBinaryNotFound, "The op cli needs to be installed and in the PATH, #{exception}"
+      end
+
+      def validate_response?(item)
+        item.match(/\[LOG\].+(?<error>\(.+)$/)  do |i|
+          raise OnePasswordNotFound, "Failed to return item from 1password, #{i['error']}"
+        end
+        JSON.parse(item)
+      rescue JSON::ParserError => exception
+        raise OnePasswordInvalidResponse, "Failed to parse JSON returned, #{item}: #{exception}"
+      end
+
+      def is_login_item?(data)
+        data.details.password.nil?
+      end
+
+      def password_item(data)
+        data.details.password 
+      end
+
+      def login_item(data)
+        data.details.fields[1].value
+      end
+
+      def op_get_item(item, vault)
+        validate_op_installed?
+        item = %x(op get item --vault='#{vault}' '#{item}' 2>&1)
+        item if validate_response?(item)
+      end
+
+      def create_struct(title, vault)
+        JSON.parse(op_get_item(title, vault), object_class: OpenStruct)
+      end
+
+      def get_password(title, vault)
+        # There are two types of password that can be returned.
+        # One is attached to a Login item in 1Password
+        # the other is to a Password item.
+        if is_login_item?(create_struct(title, vault))
+          login_item(create_struct(title, vault))
+        else
+          password_item(create_struct(title, vault))
+        end
+      end
+
+      def get_secure_note(title, vault)
+        create_struct(title, vault).details.notesPlain
+      end
+
+      def get_items(params)
+        case params['type']
+        when 'password'
+          return get_password(params['title'], params['vault'])
+        when 'secureNote'
+          return get_secure_note(params['title'], params['vault'])
+        end
+      end
+    end
+  end
+end

data/lib/stack_master/version.rb

@@ -1,3 +1,3 @@
 module StackMaster
-  VERSION = "1.6.0"
+  VERSION = "1.7.0"
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: stack_master
 version: !ruby/object:Gem::Version
-  version: 1.6.0
+  version: 1.7.0
 platform: x64-mingw32
 authors:
 - Steve Hodgkiss
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2018-05-11 00:00:00.000000000 Z
+date: 2018-05-15 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -384,6 +384,7 @@ files:
 - lib/stack_master/parameter_resolvers/env.rb
 - lib/stack_master/parameter_resolvers/latest_ami.rb
 - lib/stack_master/parameter_resolvers/latest_ami_by_tags.rb
+- lib/stack_master/parameter_resolvers/one_password.rb
 - lib/stack_master/parameter_resolvers/parameter_store.rb
 - lib/stack_master/parameter_resolvers/secret.rb
 - lib/stack_master/parameter_resolvers/security_group.rb