npm - @kustodian/plugin-1password - Versions diffs - 1.0.0 - Mend

@kustodian/plugin-1password 1.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/package.json ADDED Viewed

@@ -0,0 +1,45 @@
+{
+  "name": "@kustodian/plugin-1password",
+  "version": "1.0.0",
+  "description": "1Password secret provider plugin for Kustodian",
+  "type": "module",
+  "main": "./src/index.ts",
+  "types": "./src/index.ts",
+  "exports": {
+    ".": {
+      "types": "./src/index.ts",
+      "import": "./src/index.ts"
+    }
+  },
+  "files": [
+    "src"
+  ],
+  "scripts": {
+    "test": "bun test",
+    "test:watch": "bun test --watch",
+    "typecheck": "bun run tsc --noEmit"
+  },
+  "keywords": [
+    "kustodian",
+    "plugin",
+    "1password",
+    "secrets",
+    "kubernetes"
+  ],
+  "author": "Luca Silverentand <luca@onezero.company>",
+  "license": "MIT",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/lucasilverentand/kustodian.git",
+    "directory": "plugins/1password"
+  },
+  "publishConfig": {
+    "registry": "https://npm.pkg.github.com"
+  },
+  "dependencies": {
+    "@kustodian/core": "workspace:*",
+    "@kustodian/plugins": "workspace:*",
+    "@kustodian/schema": "workspace:*"
+  },
+  "devDependencies": {}
+}

package/src/executor.ts ADDED Viewed

@@ -0,0 +1,190 @@
+import { execFile } from 'node:child_process';
+import { promisify } from 'node:util';
+import { Errors, type ResultType, failure, success } from '@kustodian/core';
+import type { KustodianErrorType } from '@kustodian/core';
+import { DEFAULT_TIMEOUT, type OnePasswordPluginOptionsType } from './types.js';
+const exec_file_async = promisify(execFile);
+/**
+ * Result of a command execution.
+ */
+export interface CommandResultType {
+  stdout: string;
+  stderr: string;
+  exit_code: number;
+}
+/**
+ * Options for command execution.
+ */
+export interface ExecOptionsType {
+  cwd?: string | undefined;
+  timeout?: number | undefined;
+  env?: Record<string, string> | undefined;
+}
+/**
+ * Executes a command and returns the result.
+ * Uses execFile instead of exec for security (no shell invocation).
+ */
+export async function exec_command(
+  command: string,
+  args: string[] = [],
+  options: ExecOptionsType = {},
+): Promise<ResultType<CommandResultType, KustodianErrorType>> {
+  try {
+    const { stdout, stderr } = await exec_file_async(command, args, {
+      cwd: options.cwd,
+      timeout: options.timeout,
+      env: { ...process.env, ...options.env },
+    });
+    return success({
+      stdout,
+      stderr,
+      exit_code: 0,
+    });
+  } catch (error) {
+    if (is_exec_error(error)) {
+      return success({
+        stdout: error.stdout ?? '',
+        stderr: error.stderr ?? '',
+        exit_code: error.code ?? 1,
+      });
+    }
+    return failure(Errors.unknown(`Failed to execute command: ${command}`, error));
+  }
+}
+/**
+ * Type guard for exec errors.
+ */
+function is_exec_error(
+  error: unknown,
+): error is { stdout?: string; stderr?: string; code?: number } {
+  return (
+    typeof error === 'object' &&
+    error !== null &&
+    ('stdout' in error || 'stderr' in error || 'code' in error)
+  );
+}
+/**
+ * Gets environment variables for 1Password CLI authentication.
+ */
+function get_op_auth_env(options: OnePasswordPluginOptionsType): Record<string, string> {
+  const env: Record<string, string> = {};
+  const token = options.service_account_token ?? process.env['OP_SERVICE_ACCOUNT_TOKEN'];
+  if (token) {
+    env['OP_SERVICE_ACCOUNT_TOKEN'] = token;
+  }
+  return env;
+}
+/**
+ * Checks if op CLI is available in the system PATH.
+ */
+export async function check_op_available(): Promise<ResultType<string, KustodianErrorType>> {
+  const result = await exec_command('op', ['--version']);
+  if (!result.success) {
+    return result;
+  }
+  if (result.value.exit_code !== 0) {
+    return failure(Errors.secret_cli_not_found('1Password', 'op'));
+  }
+  // Parse version from output (e.g., "2.30.0")
+  const version = result.value.stdout.trim();
+  return success(version);
+}
+/**
+ * Reads a single secret from 1Password.
+ */
+export async function op_read(
+  ref: string,
+  options: OnePasswordPluginOptionsType = {},
+): Promise<ResultType<string, KustodianErrorType>> {
+  const timeout = options.timeout ?? DEFAULT_TIMEOUT;
+  const env = get_op_auth_env(options);
+  const result = await exec_command('op', ['read', ref], {
+    timeout,
+    env,
+  });
+  if (!result.success) {
+    return result;
+  }
+  const { stdout, stderr, exit_code } = result.value;
+  if (exit_code !== 0) {
+    // Parse specific error types from stderr
+    const stderr_lower = stderr.toLowerCase();
+    if (
+      stderr_lower.includes('not found') ||
+      stderr_lower.includes("doesn't exist") ||
+      stderr_lower.includes('no item')
+    ) {
+      return failure(Errors.secret_not_found('1Password', ref));
+    }
+    if (
+      stderr_lower.includes('sign in') ||
+      stderr_lower.includes('authentication') ||
+      stderr_lower.includes('unauthorized') ||
+      stderr_lower.includes('not signed in')
+    ) {
+      return failure(Errors.secret_auth_error('1Password', stderr));
+    }
+    if (stderr_lower.includes('timeout')) {
+      return failure(Errors.secret_timeout('1Password', timeout));
+    }
+    return failure(Errors.unknown(`1Password error: ${stderr}`));
+  }
+  return success(stdout.trim());
+}
+/**
+ * Reads multiple secrets from 1Password in batch.
+ */
+export async function op_read_batch(
+  refs: string[],
+  options: OnePasswordPluginOptionsType = {},
+): Promise<ResultType<Record<string, string>, KustodianErrorType>> {
+  if (refs.length === 0) {
+    return success({});
+  }
+  const results: Record<string, string> = {};
+  // Read secrets sequentially for now
+  for (const ref of refs) {
+    const result = await op_read(ref, options);
+    if (!result.success) {
+      if (options.fail_on_missing !== false) {
+        return result;
+      }
+      // Skip missing secrets if fail_on_missing is false
+      continue;
+    }
+    results[ref] = result.value;
+  }
+  return success(results);
+}

package/src/index.ts ADDED Viewed

@@ -0,0 +1,24 @@
+// Plugin exports
+export { create_onepassword_plugin, plugin } from './plugin.js';
+export { plugin as default } from './plugin.js';
+// Executor exports
+export {
+  check_op_available,
+  exec_command,
+  op_read,
+  op_read_batch,
+  type CommandResultType,
+  type ExecOptionsType,
+} from './executor.js';
+// Resolver exports
+export { resolve_onepassword_substitutions } from './resolver.js';
+// Types
+export {
+  parse_onepassword_ref,
+  DEFAULT_TIMEOUT,
+  type OnePasswordPluginOptionsType,
+  type OnePasswordRefType,
+} from './types.js';

package/src/plugin.ts ADDED Viewed

@@ -0,0 +1,118 @@
+import { success } from '@kustodian/core';
+import type {
+  CommandType,
+  HookContextType,
+  HookEventType,
+  KustodianPluginType,
+  PluginCommandContributionType,
+  PluginHookContributionType,
+  PluginManifestType,
+} from '@kustodian/plugins';
+import { check_op_available, op_read } from './executor.js';
+import type { OnePasswordPluginOptionsType } from './types.js';
+/**
+ * 1Password plugin manifest.
+ */
+const manifest: PluginManifestType = {
+  name: '@kustodian/plugin-1password',
+  version: '0.1.0',
+  description: '1Password secret provider for Kustodian',
+  capabilities: ['commands', 'hooks'],
+};
+/**
+ * Creates the 1Password plugin.
+ */
+export function create_onepassword_plugin(
+  options: OnePasswordPluginOptionsType = {},
+): KustodianPluginType {
+  return {
+    manifest,
+    async activate() {
+      // Verify CLI availability on activation (warning only)
+      const check_result = await check_op_available();
+      if (!check_result.success) {
+        console.warn('1Password CLI (op) not found - secret resolution may fail');
+      }
+      return success(undefined);
+    },
+    async deactivate() {
+      return success(undefined);
+    },
+    get_commands(): PluginCommandContributionType[] {
+      const onepassword_command: CommandType = {
+        name: '1password',
+        description: '1Password secret management commands',
+        subcommands: [
+          {
+            name: 'check',
+            description: 'Check 1Password CLI availability and authentication',
+            handler: async () => {
+              const result = await check_op_available();
+              if (result.success) {
+                console.log(`1Password CLI version: ${result.value}`);
+                return success(undefined);
+              }
+              console.error('1Password CLI not available');
+              return result;
+            },
+          },
+          {
+            name: 'test',
+            description: 'Test reading a secret reference',
+            arguments: [
+              {
+                name: 'ref',
+                description: 'Secret reference (op://vault/item/field)',
+                required: true,
+              },
+            ],
+            handler: async (ctx) => {
+              const ref = ctx.args[0];
+              if (!ref) {
+                console.error('Missing secret reference');
+                return success(undefined);
+              }
+              const result = await op_read(ref, options);
+              if (result.success) {
+                console.log('Secret retrieved successfully (value hidden)');
+                console.log(`Length: ${result.value.length} characters`);
+                return success(undefined);
+              }
+              console.error(`Failed to read secret: ${result.error.message}`);
+              return result;
+            },
+          },
+        ],
+      };
+      return [{ command: onepassword_command }];
+    },
+    get_hooks(): PluginHookContributionType[] {
+      return [
+        {
+          event: 'generator:after_resolve',
+          priority: 50, // Run before default (100) to inject secrets early
+          handler: async (_event: HookEventType, ctx: HookContextType) => {
+            // Hook for secret injection will be implemented in generator integration
+            return success(ctx);
+          },
+        },
+      ];
+    },
+  };
+}
+/**
+ * Default plugin export.
+ */
+export const plugin = create_onepassword_plugin();
+export default plugin;

package/src/resolver.ts ADDED Viewed

@@ -0,0 +1,46 @@
+import { type ResultType, failure, success } from '@kustodian/core';
+import type { KustodianErrorType } from '@kustodian/core';
+import type { OnePasswordSubstitutionType } from '@kustodian/schema';
+import { op_read } from './executor.js';
+import type { OnePasswordPluginOptionsType } from './types.js';
+/**
+ * Resolves 1Password substitutions to actual secret values.
+ * Returns a map from substitution name to resolved value.
+ */
+export async function resolve_onepassword_substitutions(
+  substitutions: OnePasswordSubstitutionType[],
+  options: OnePasswordPluginOptionsType = {},
+): Promise<ResultType<Record<string, string>, KustodianErrorType>> {
+  if (substitutions.length === 0) {
+    return success({});
+  }
+  const results: Record<string, string> = {};
+  for (const sub of substitutions) {
+    const result = await op_read(sub.ref, options);
+    if (!result.success) {
+      // If we have a default and fail_on_missing is false, use the default
+      if (sub.default !== undefined && options.fail_on_missing === false) {
+        results[sub.name] = sub.default;
+        continue;
+      }
+      // If we have a default, use it
+      if (sub.default !== undefined) {
+        results[sub.name] = sub.default;
+        continue;
+      }
+      // Otherwise, propagate the error
+      return failure(result.error);
+    }
+    results[sub.name] = result.value;
+  }
+  return success(results);
+}

package/src/types.ts ADDED Viewed

@@ -0,0 +1,57 @@
+/**
+ * Options for the 1Password plugin.
+ */
+export interface OnePasswordPluginOptionsType {
+  /** Service account token (can also be set via OP_SERVICE_ACCOUNT_TOKEN env var) */
+  service_account_token?: string | undefined;
+  /** Timeout for CLI operations in milliseconds (default: 30000) */
+  timeout?: number | undefined;
+  /** Whether to fail on missing secrets (default: true) */
+  fail_on_missing?: boolean | undefined;
+}
+/**
+ * Parsed 1Password reference.
+ */
+export interface OnePasswordRefType {
+  vault: string;
+  item: string;
+  section?: string | undefined;
+  field: string;
+}
+/**
+ * Default timeout for 1Password CLI operations.
+ */
+export const DEFAULT_TIMEOUT = 30000;
+/**
+ * Parses a 1Password secret reference.
+ * Format: op://vault/item[/section]/field
+ */
+export function parse_onepassword_ref(ref: string): OnePasswordRefType | undefined {
+  // Match: op://vault/item/field or op://vault/item/section/field
+  const match = ref.match(/^op:\/\/([^/]+)\/([^/]+)\/(?:([^/]+)\/)?([^/]+)$/);
+  if (!match) {
+    return undefined;
+  }
+  const [, vault, item, section, field] = match;
+  // If section is undefined, the field is in position 3
+  if (field === undefined) {
+    return {
+      vault: vault!,
+      item: item!,
+      field: section!,
+    };
+  }
+  return {
+    vault: vault!,
+    item: item!,
+    section,
+    field,
+  };
+}