docketeer-1password 0.0.10__tar.gz

docketeer_1password-0.0.10/.gitignore

@@ -0,0 +1,11 @@
+.venv/
+.envrc.private
+.claude/settings.local.json
+__pycache__/
+*.pyc
+*.egg-info/
+dist/
+build/
+workspace/
+.coverage
+.loq_cache

docketeer_1password-0.0.10/PKG-INFO

@@ -0,0 +1,38 @@
+Metadata-Version: 2.4
+Name: docketeer-1password
+Version: 0.0.10
+Summary: 1Password vault plugin for Docketeer
+Project-URL: Homepage, https://github.com/chrisguidry/docketeer
+Project-URL: Repository, https://github.com/chrisguidry/docketeer
+Project-URL: Issues, https://github.com/chrisguidry/docketeer/issues
+Author-email: Chris Guidry <guid@omg.lol>
+License-Expression: MIT
+Classifier: Development Status :: 3 - Alpha
+Classifier: License :: OSI Approved :: MIT License
+Classifier: Programming Language :: Python :: 3
+Classifier: Topic :: Scientific/Engineering :: Artificial Intelligence
+Classifier: Topic :: Security
+Requires-Python: >=3.12
+Requires-Dist: docketeer
+Description-Content-Type: text/markdown
+
+# docketeer-1password
+
+1Password vault plugin for [Docketeer](https://github.com/chrisguidry/docketeer).
+
+Provides secrets management backed by 1Password via the `op` CLI and service
+account tokens. Secret names use `vault/item/field` paths (e.g.
+`Agent/db-cred/password`).
+
+## Installation
+
+```bash
+pip install docketeer-1password
+```
+
+## Configuration
+
+Set `DOCKETEER_OP_SERVICE_ACCOUNT_TOKEN` in the environment to authenticate
+with 1Password. The plugin translates this to `OP_SERVICE_ACCOUNT_TOKEN` when
+running `op` commands. The service account grants access to one or more
+1Password vaults.

docketeer_1password-0.0.10/README.md

@@ -0,0 +1,20 @@
+# docketeer-1password
+
+1Password vault plugin for [Docketeer](https://github.com/chrisguidry/docketeer).
+
+Provides secrets management backed by 1Password via the `op` CLI and service
+account tokens. Secret names use `vault/item/field` paths (e.g.
+`Agent/db-cred/password`).
+
+## Installation
+
+```bash
+pip install docketeer-1password
+```
+
+## Configuration
+
+Set `DOCKETEER_OP_SERVICE_ACCOUNT_TOKEN` in the environment to authenticate
+with 1Password. The plugin translates this to `OP_SERVICE_ACCOUNT_TOKEN` when
+running `op` commands. The service account grants access to one or more
+1Password vaults.

docketeer_1password-0.0.10/pyproject.toml

@@ -0,0 +1,57 @@
+[project]
+name = "docketeer-1password"
+dynamic = ["version"]
+description = "1Password vault plugin for Docketeer"
+readme = "README.md"
+authors = [
+    { name = "Chris Guidry", email = "guid@omg.lol" }
+]
+license = "MIT"
+requires-python = ">=3.12"
+classifiers = [
+    "Development Status :: 3 - Alpha",
+    "Programming Language :: Python :: 3",
+    "License :: OSI Approved :: MIT License",
+    "Topic :: Security",
+    "Topic :: Scientific/Engineering :: Artificial Intelligence",
+]
+dependencies = [
+    "docketeer",
+]
+
+[project.urls]
+Homepage = "https://github.com/chrisguidry/docketeer"
+Repository = "https://github.com/chrisguidry/docketeer"
+Issues = "https://github.com/chrisguidry/docketeer/issues"
+
+[project.entry-points."docketeer.vault"]
+onepassword = "docketeer_1password"
+
+[build-system]
+requires = ["hatchling", "hatch-vcs"]
+build-backend = "hatchling.build"
+
+[tool.hatch.version]
+source = "vcs"
+raw-options.root = ".."
+
+[tool.hatch.build.targets.wheel]
+packages = ["src/docketeer_1password"]
+
+[tool.uv.sources]
+docketeer = { workspace = true }
+
+[tool.pytest.ini_options]
+minversion = "9.0"
+addopts = [
+    "--import-mode=importlib",
+    "--cov=docketeer_1password",
+    "--cov-config=../pyproject.toml",
+    "--cov-branch",
+    "--cov-report=term-missing",
+    "--cov-fail-under=100",
+]
+asyncio_mode = "auto"
+filterwarnings = [
+    "error",
+]

docketeer_1password-0.0.10/src/docketeer_1password/__init__.py

@@ -0,0 +1,10 @@
+from docketeer import environment
+from docketeer_1password.vault import OnePasswordVault
+
+
+def create_vault() -> OnePasswordVault:
+    token = environment.get_str("OP_SERVICE_ACCOUNT_TOKEN")
+    return OnePasswordVault(token=token)
+
+
+__all__ = ["OnePasswordVault", "create_vault"]

docketeer_1password-0.0.10/src/docketeer_1password/vault.py

@@ -0,0 +1,121 @@
+"""1Password vault implementation using the op CLI."""
+
+import asyncio
+import json
+import os
+
+from docketeer.vault import SecretReference, Vault
+
+
+def _parse_name(name: str) -> tuple[str, str, str]:
+    """Split a 'vault/item/field' path into (vault, item, field)."""
+    parts = name.split("/", 2)
+    if len(parts) != 3:
+        raise ValueError(f"Secret name must be 'vault/item/field', got: {name!r}")
+    return parts[0], parts[1], parts[2]
+
+
+class OnePasswordVault(Vault):
+    """Vault backed by 1Password via the op CLI.
+
+    Auth uses DOCKETEER_OP_SERVICE_ACCOUNT_TOKEN, which gets translated to
+    OP_SERVICE_ACCOUNT_TOKEN in the subprocess environment so the op CLI
+    picks it up.
+    """
+
+    def __init__(self, token: str) -> None:
+        self._token = token
+
+    async def _run_op(self, *args: str) -> str:
+        """Run an op CLI command and return stdout."""
+        env = {**os.environ, "OP_SERVICE_ACCOUNT_TOKEN": self._token}
+        proc = await asyncio.create_subprocess_exec(
+            "op",
+            *args,
+            env=env,
+            stdout=asyncio.subprocess.PIPE,
+            stderr=asyncio.subprocess.PIPE,
+        )
+        stdout, stderr = await proc.communicate()
+        if proc.returncode != 0:
+            raise RuntimeError(
+                f"op {' '.join(args[:2])} failed: {stderr.decode(errors='replace').strip()}"
+            )
+        return stdout.decode(errors="replace").strip()
+
+    async def list(self) -> list[SecretReference]:
+        vaults_raw = await self._run_op("vault", "list", "--format", "json")
+        vaults = json.loads(vaults_raw)
+        if not vaults:
+            return []
+
+        refs: list[SecretReference] = []
+        for v in vaults:
+            vault_name = v["name"]
+            items_raw = await self._run_op(
+                "item", "list", "--vault", v["id"], "--format", "json"
+            )
+            items = json.loads(items_raw)
+            for item in items:
+                detail_raw = await self._run_op(
+                    "item", "get", item["id"], "--vault", v["id"], "--format", "json"
+                )
+                detail = json.loads(detail_raw)
+                for field in detail.get("fields", []):
+                    refs.append(
+                        SecretReference(
+                            name=f"{vault_name}/{item['title']}/{field['label']}"
+                        )
+                    )
+        return refs
+
+    async def resolve(self, name: str) -> str:
+        vault, item, field = _parse_name(name)
+        return await self._run_op(
+            "item",
+            "get",
+            item,
+            "--vault",
+            vault,
+            "--fields",
+            field,
+            "--reveal",
+        )
+
+    async def store(self, name: str, value: str) -> None:
+        vault, item, field = _parse_name(name)
+        await self._run_op(
+            "item",
+            "create",
+            "--category",
+            "Password",
+            "--vault",
+            vault,
+            "--title",
+            item,
+            f"{field}={value}",
+        )
+
+    async def generate(self, name: str, length: int = 32) -> None:
+        vault, item, field = _parse_name(name)
+        await self._run_op(
+            "item",
+            "create",
+            "--category",
+            "Password",
+            "--vault",
+            vault,
+            "--title",
+            item,
+            f"--generate-password={length},letters,digits,symbols",
+        )
+
+    async def delete(self, name: str) -> None:
+        vault, item, field = _parse_name(name)
+        await self._run_op(
+            "item",
+            "delete",
+            item,
+            "--vault",
+            vault,
+        )

docketeer_1password-0.0.10/tests/test_init.py

@@ -0,0 +1,14 @@
+"""Tests for the package entry point."""
+
+import os
+from unittest.mock import patch
+
+from docketeer_1password import create_vault
+from docketeer_1password.vault import OnePasswordVault
+
+
+def test_create_vault_reads_docketeer_env_var():
+    with patch.dict(os.environ, {"DOCKETEER_OP_SERVICE_ACCOUNT_TOKEN": "sa-tok-123"}):
+        vault = create_vault()
+    assert isinstance(vault, OnePasswordVault)
+    assert vault._token == "sa-tok-123"

docketeer_1password-0.0.10/tests/test_vault.py

@@ -0,0 +1,305 @@
+"""Tests for the 1Password vault implementation."""
+
+import json
+from unittest.mock import AsyncMock, patch
+
+import pytest
+
+from docketeer_1password.vault import OnePasswordVault
+
+
+@pytest.fixture()
+def vault() -> OnePasswordVault:
+    return OnePasswordVault(token="test-sa-token")
+
+
+def _mock_op(stdout: str = "", returncode: int = 0) -> AsyncMock:
+    """Create a mock for asyncio.create_subprocess_exec."""
+    proc = AsyncMock()
+    proc.communicate.return_value = (stdout.encode(), b"")
+    proc.returncode = returncode
+    return proc
+
+
+# --- env ---
+
+
+async def test_op_receives_service_account_token(vault: OnePasswordVault):
+    vaults_json = json.dumps([])
+
+    async def fake_exec(*args: object, **kwargs: object) -> AsyncMock:
+        env: dict[str, str] = kwargs.get("env", {})  # type: ignore[assignment]
+        assert env["OP_SERVICE_ACCOUNT_TOKEN"] == "test-sa-token"
+        assert "PATH" in env
+        return _mock_op(vaults_json)
+
+    with patch("asyncio.create_subprocess_exec", side_effect=fake_exec):
+        await vault.list()
+
+
+# --- list ---
+
+
+def _item_detail(fields: list[dict[str, str]]) -> str:
+    """Build a JSON item detail response with the given fields."""
+    return json.dumps({"fields": fields})
+
+
+async def test_list_secrets(vault: OnePasswordVault):
+    vaults_json = json.dumps([{"id": "abc", "name": "Agent"}])
+    items_json = json.dumps(
+        [
+            {"id": "item1", "title": "api-key"},
+            {"id": "item2", "title": "db-cred"},
+        ]
+    )
+    detail1 = _item_detail([{"label": "password", "id": "pw"}])
+    detail2 = _item_detail(
+        [
+            {"label": "username", "id": "un"},
+            {"label": "password", "id": "pw"},
+        ]
+    )
+
+    responses = [vaults_json, items_json, detail1, detail2]
+    call_count = 0
+
+    async def fake_exec(*args: object, **_kwargs: object) -> AsyncMock:
+        nonlocal call_count
+        call_count += 1
+        return _mock_op(responses[call_count - 1])
+
+    with patch("asyncio.create_subprocess_exec", side_effect=fake_exec):
+        refs = await vault.list()
+
+    names = [r.name for r in refs]
+    assert "Agent/api-key/password" in names
+    assert "Agent/db-cred/username" in names
+    assert "Agent/db-cred/password" in names
+
+
+async def test_list_multiple_vaults(vault: OnePasswordVault):
+    vaults_json = json.dumps(
+        [
+            {"id": "v1", "name": "Vault1"},
+            {"id": "v2", "name": "Vault2"},
+        ]
+    )
+    items_v1 = json.dumps([{"id": "i1", "title": "secret-a"}])
+    items_v2 = json.dumps([{"id": "i2", "title": "secret-b"}])
+    detail_a = _item_detail([{"label": "password", "id": "pw"}])
+    detail_b = _item_detail([{"label": "token", "id": "tk"}])
+
+    responses = [vaults_json, items_v1, detail_a, items_v2, detail_b]
+    call_count = 0
+
+    async def fake_exec(*args: object, **_kwargs: object) -> AsyncMock:
+        nonlocal call_count
+        call_count += 1
+        return _mock_op(responses[call_count - 1])
+
+    with patch("asyncio.create_subprocess_exec", side_effect=fake_exec):
+        refs = await vault.list()
+
+    names = {r.name for r in refs}
+    assert names == {"Vault1/secret-a/password", "Vault2/secret-b/token"}
+
+
+async def test_list_empty(vault: OnePasswordVault):
+    vaults_json = json.dumps([{"id": "v1", "name": "Agent"}])
+    items_json = json.dumps([])
+
+    responses = [vaults_json, items_json]
+    call_count = 0
+
+    async def fake_exec(*args: object, **_kwargs: object) -> AsyncMock:
+        nonlocal call_count
+        call_count += 1
+        return _mock_op(responses[call_count - 1])
+
+    with patch("asyncio.create_subprocess_exec", side_effect=fake_exec):
+        refs = await vault.list()
+
+    assert refs == []
+
+
+async def test_list_no_vaults(vault: OnePasswordVault):
+    vaults_json = json.dumps([])
+
+    async def fake_exec(*args: object, **_kwargs: object) -> AsyncMock:
+        return _mock_op(vaults_json)
+
+    with patch("asyncio.create_subprocess_exec", side_effect=fake_exec):
+        refs = await vault.list()
+
+    assert refs == []
+
+
+# --- resolve ---
+
+
+async def test_resolve(vault: OnePasswordVault):
+    async def fake_exec(*args: object, **_kwargs: object) -> AsyncMock:
+        return _mock_op("sk-abc123\n")
+
+    with patch("asyncio.create_subprocess_exec", side_effect=fake_exec) as mock:
+        value = await vault.resolve("Agent/api-key/password")
+
+    assert value == "sk-abc123"
+    cmd = list(mock.call_args.args)
+    assert "--fields" in cmd
+    field_idx = cmd.index("--fields")
+    assert cmd[field_idx + 1] == "password"
+
+
+async def test_resolve_custom_field(vault: OnePasswordVault):
+    async def fake_exec(*args: object, **_kwargs: object) -> AsyncMock:
+        return _mock_op("admin")
+
+    with patch("asyncio.create_subprocess_exec", side_effect=fake_exec) as mock:
+        value = await vault.resolve("Agent/db-cred/username")
+
+    assert value == "admin"
+    cmd = list(mock.call_args.args)
+    field_idx = cmd.index("--fields")
+    assert cmd[field_idx + 1] == "username"
+
+
+async def test_resolve_bad_path(vault: OnePasswordVault):
+    with pytest.raises(ValueError, match="vault/item/field"):
+        await vault.resolve("no-slashes")
+
+
+async def test_resolve_two_parts(vault: OnePasswordVault):
+    with pytest.raises(ValueError, match="vault/item/field"):
+        await vault.resolve("Agent/api-key")
+
+
+async def test_resolve_op_failure(vault: OnePasswordVault):
+    async def fake_exec(*args: object, **_kwargs: object) -> AsyncMock:
+        proc = _mock_op("", returncode=1)
+        proc.communicate.return_value = (b"", b"not found")
+        return proc
+
+    with patch("asyncio.create_subprocess_exec", side_effect=fake_exec):
+        with pytest.raises(RuntimeError, match="not found"):
+            await vault.resolve("Agent/missing/password")
+
+
+# --- store ---
+
+
+async def test_store(vault: OnePasswordVault):
+    async def fake_exec(*args: object, **_kwargs: object) -> AsyncMock:
+        return _mock_op()
+
+    with patch("asyncio.create_subprocess_exec", side_effect=fake_exec) as mock:
+        await vault.store("Agent/new-secret/password", "my-value")
+
+    cmd = list(mock.call_args.args)
+    assert "--vault" in cmd
+    assert "Agent" in cmd
+    assert "--title" in cmd
+    assert "new-secret" in cmd
+    assert "password=my-value" in cmd
+
+
+async def test_store_custom_field(vault: OnePasswordVault):
+    async def fake_exec(*args: object, **_kwargs: object) -> AsyncMock:
+        return _mock_op()
+
+    with patch("asyncio.create_subprocess_exec", side_effect=fake_exec) as mock:
+        await vault.store("Agent/db-cred/api_token", "tok-123")
+
+    cmd = list(mock.call_args.args)
+    assert "api_token=tok-123" in cmd
+
+
+async def test_store_bad_path(vault: OnePasswordVault):
+    with pytest.raises(ValueError, match="vault/item/field"):
+        await vault.store("no-slash", "value")
+
+
+async def test_store_op_failure(vault: OnePasswordVault):
+    async def fake_exec(*args: object, **_kwargs: object) -> AsyncMock:
+        proc = _mock_op("", returncode=1)
+        proc.communicate.return_value = (b"", b"permission denied")
+        return proc
+
+    with patch("asyncio.create_subprocess_exec", side_effect=fake_exec):
+        with pytest.raises(RuntimeError, match="permission denied"):
+            await vault.store("Agent/secret/password", "value")
+
+
+# --- generate ---
+
+
+async def test_generate(vault: OnePasswordVault):
+    async def fake_exec(*args: object, **_kwargs: object) -> AsyncMock:
+        return _mock_op()
+
+    with patch("asyncio.create_subprocess_exec", side_effect=fake_exec) as mock:
+        await vault.generate("Agent/random-key/password", length=24)
+
+    cmd = list(mock.call_args.args)
+    assert any("24" in str(a) for a in cmd)
+
+
+async def test_generate_default_length(vault: OnePasswordVault):
+    async def fake_exec(*args: object, **_kwargs: object) -> AsyncMock:
+        return _mock_op()
+
+    with patch("asyncio.create_subprocess_exec", side_effect=fake_exec) as mock:
+        await vault.generate("Agent/random-key/password")
+
+    cmd = list(mock.call_args.args)
+    assert any("32" in str(a) for a in cmd)
+
+
+async def test_generate_bad_path(vault: OnePasswordVault):
+    with pytest.raises(ValueError, match="vault/item/field"):
+        await vault.generate("no-slash")
+
+
+async def test_generate_op_failure(vault: OnePasswordVault):
+    async def fake_exec(*args: object, **_kwargs: object) -> AsyncMock:
+        proc = _mock_op("", returncode=1)
+        proc.communicate.return_value = (b"", b"error")
+        return proc
+
+    with patch("asyncio.create_subprocess_exec", side_effect=fake_exec):
+        with pytest.raises(RuntimeError, match="error"):
+            await vault.generate("Agent/secret/password")
+
+
+# --- delete ---
+
+
+async def test_delete(vault: OnePasswordVault):
+    async def fake_exec(*args: object, **_kwargs: object) -> AsyncMock:
+        return _mock_op()
+
+    with patch("asyncio.create_subprocess_exec", side_effect=fake_exec) as mock:
+        await vault.delete("Agent/old-secret/password")
+
+    cmd = list(mock.call_args.args)
+    assert "delete" in cmd
+    assert "old-secret" in cmd
+    assert "--vault" in cmd
+    assert "Agent" in cmd
+
+
+async def test_delete_bad_path(vault: OnePasswordVault):
+    with pytest.raises(ValueError, match="vault/item/field"):
+        await vault.delete("no-slash")
+
+
+async def test_delete_op_failure(vault: OnePasswordVault):
+    async def fake_exec(*args: object, **_kwargs: object) -> AsyncMock:
+        proc = _mock_op("", returncode=1)
+        proc.communicate.return_value = (b"", b"not found")
+        return proc
+
+    with patch("asyncio.create_subprocess_exec", side_effect=fake_exec):
+        with pytest.raises(RuntimeError, match="not found"):
+            await vault.delete("Agent/missing/password")