stack_master 1.6.0 → 1.7.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: d216bf1e417bc7697836e0230001c1749003c2283f445949c421b6d4b0563531
-  data.tar.gz: f6ed61cce6faf2db17bbed962468566c2595539825ff55b28c47b88010bb3085
+  metadata.gz: 036bf21949ad62f2e2231601d79f5e1def278e977a1b3db99864660337b937c3
+  data.tar.gz: 5e1bf67cd1dad710c635aaf602300b4e216e0348439bdb49b8164157fbdd278f
 SHA512:
-  metadata.gz: efd061aebfa9663472c30c6600cb23743c21c00a822b6c148fe450f95393adbc7ffdcb2a56d4763998dac5df8255affb82b65e0ae7e6e366501344c532598381
-  data.tar.gz: 1dc8add657de7383e1b104b75bea7edbf3ccb4e035cd581655192882be30e445c68955984f3bd39a01e79d26e47ecce508c8d365b5dcd5fc9379eaf89e3784fa
+  metadata.gz: d1ca2edc398dddfa06d718906b524618a1a01fa8a09abbe47333f73c38810c42cf8ce2319fab4aa1f6774623a380d6adee41996325437d00545b1e927805e16d
+  data.tar.gz: 8c31bc5c440f20efa567b977096e02c87054919eeb2cbde9fc88a7890c343b313e21d6e5b399ab670a6f3148239bcabf473680674bd0202a646401c125430dc5

data/README.md

@@ -256,6 +256,23 @@ you will likely want to set the parameter to NoEcho in your template.
 db_password:
   parameter_store: ssm_parameter_name
 ```
+### 1Password Lookup
+An Alternative to the alternative secret store is accessing 1password secrets using the 1password cli (`op`).
+You declare a 1password lookup with the following parameters in your parameters file:
+
+```
+parameters/database.yml
+database_password:
+  one_password:
+    title: production database
+    vault: Shared
+    type: password
+```
+
+1password stores the name of the secret in the `title`. You can pass the `vault` you expect the secret to be in.
+Currently we support two types of secrets, `password`s and `secureNote`s. All values must be declared, there are no defaults.
+
+For more information on 1password cli please see [here](https://support.1password.com/command-line-getting-started/)
 
 ### Security Group
 

data/lib/stack_master.rb

@@ -69,6 +69,7 @@ module StackMaster
     autoload :LatestAmi, 'stack_master/parameter_resolvers/latest_ami'
     autoload :Env, 'stack_master/parameter_resolvers/env'
     autoload :ParameterStore, 'stack_master/parameter_resolvers/parameter_store'
+    autoload :OnePassword, 'stack_master/parameter_resolvers/one_password'
   end
 
   module AwsDriver

data/lib/stack_master/parameter_resolvers/one_password.rb

@@ -0,0 +1,85 @@
+module StackMaster
+  module ParameterResolvers
+    class OnePassword < Resolver
+      OnePasswordNotFound = Class.new(StandardError)
+      OnePasswordNotAbleToAuthenticate = Class.new(StandardError)
+      OnePasswordBinaryNotFound = Class.new(StandardError)
+      OnePasswordInvalidResponse = Class.new(StandardError)
+
+      array_resolver
+
+      def initialize(config, stack_definition)
+        @config = config
+        @stack_definition = stack_definition
+      end
+
+      def resolve(params={})
+        raise OnePasswordNotAbleToAuthenticate, "1password requires the `OP_SESSION_<name>` to be set, (remember to sign in?)" if ENV.keys.grep(/OP_SESSION_\w+$/).empty?    
+        get_items(params)
+      end
+
+      private
+
+      def validate_op_installed?
+        %x(op --version)
+      rescue Errno::ENOENT => exception
+        raise OnePasswordBinaryNotFound, "The op cli needs to be installed and in the PATH, #{exception}"
+      end
+
+      def validate_response?(item)
+        item.match(/\[LOG\].+(?<error>\(.+)$/)  do |i|
+          raise OnePasswordNotFound, "Failed to return item from 1password, #{i['error']}"
+        end
+        JSON.parse(item)
+      rescue JSON::ParserError => exception
+        raise OnePasswordInvalidResponse, "Failed to parse JSON returned, #{item}: #{exception}"
+      end
+
+      def is_login_item?(data)
+        data.details.password.nil?
+      end
+
+      def password_item(data)
+        data.details.password 
+      end
+
+      def login_item(data)
+        data.details.fields[1].value
+      end
+
+      def op_get_item(item, vault)
+        validate_op_installed?
+        item = %x(op get item --vault='#{vault}' '#{item}' 2>&1)
+        item if validate_response?(item)
+      end
+
+      def create_struct(title, vault)
+        JSON.parse(op_get_item(title, vault), object_class: OpenStruct)
+      end
+
+      def get_password(title, vault)
+        # There are two types of password that can be returned.
+        # One is attached to a Login item in 1Password
+        # the other is to a Password item.
+        if is_login_item?(create_struct(title, vault))
+          login_item(create_struct(title, vault))
+        else
+          password_item(create_struct(title, vault))
+        end
+      end
+
+      def get_secure_note(title, vault)
+        create_struct(title, vault).details.notesPlain
+      end
+
+      def get_items(params)
+        case params['type']
+        when 'password'
+          return get_password(params['title'], params['vault'])
+        when 'secureNote'
+          return get_secure_note(params['title'], params['vault'])
+        end
+      end
+    end
+  end
+end

data/lib/stack_master/version.rb

@@ -1,3 +1,3 @@
 module StackMaster
-  VERSION = "1.6.0"
+  VERSION = "1.7.0"
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: stack_master
 version: !ruby/object:Gem::Version
-  version: 1.6.0
+  version: 1.7.0
 platform: ruby
 authors:
 - Steve Hodgkiss
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2018-05-11 00:00:00.000000000 Z
+date: 2018-05-15 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -398,6 +398,7 @@ files:
 - lib/stack_master/parameter_resolvers/env.rb
 - lib/stack_master/parameter_resolvers/latest_ami.rb
 - lib/stack_master/parameter_resolvers/latest_ami_by_tags.rb
+- lib/stack_master/parameter_resolvers/one_password.rb
 - lib/stack_master/parameter_resolvers/parameter_store.rb
 - lib/stack_master/parameter_resolvers/secret.rb
 - lib/stack_master/parameter_resolvers/security_group.rb