enpass-cli now has JSON support

basecamp · Nov 7, 2024 · 1814852 · 1814852
1 parent 689efb1
commit 1814852
Show file tree

Hide file tree

Showing 2 changed files with 52 additions and 43 deletions.
diff --git a/lib/kamal/secrets/adapters/enpass.rb b/lib/kamal/secrets/adapters/enpass.rb
@@ -15,10 +15,9 @@ def fetch_secrets(secrets, account:, session:)
       secrets_titles = fetch_secret_titles(secrets)
 
       # Enpass outputs result as stderr, I did not find a way to stub backticks and output to stderr. Open3 did the job.
-      _stdout, stderr, status = Open3.capture3("enpass-cli -vault #{account.shellescape} show #{secrets_titles.map(&:shellescape).join(" ")}")
-      raise RuntimeError, "Could not read #{secrets} from Enpass" unless status.success?
+      result = `enpass-cli -json -vault #{account.shellescape} show #{secrets.map(&:shellescape).join(" ")}`.strip
 
-      parse_result_and_take_secrets(stderr, secrets)
+      parse_result_and_take_secrets(result, secrets)
     end
 
     def check_dependencies!
@@ -31,32 +30,36 @@ def cli_installed?
     end
 
     def fetch_secret_titles(secrets)
-      secrets.reduce(Set.new) do |acc, secret|
-        # Sometimes secrets contain a '/', sometimes not
+      secrets.reduce(Set.new) do |secret_titles, secret|
+        # Sometimes secrets contain a '/', when the intent is to fetch a single password for an item. Example: FooBar/DB_PASSWORD
+        # Another case is, when the intent is to fetch all passwords for an item. Example: FooBar (and FooBar may have multiple different passwords)
         key, separator, value = secret.rpartition("/")
         if key.empty?
-          acc << value
+          secret_titles << value
         else
-          acc << key
+          secret_titles << key
         end
       end.to_a
     end
 
     def parse_result_and_take_secrets(unparsed_result, secrets)
-      unparsed_result.split("\n").reduce({}) do |acc, line|
-        title = line[/title:\s{1}(\w+)/, 1]
-        label = line[/label:\s{1}(.*?)\s{2}/, 1]
-        password = line[/password:\s{1}([^"]+)/, 1]
+      result = JSON.parse(unparsed_result)
+
+      result.reduce({}) do |secrets_with_passwords, item|
+        title = item["title"]
+        label = item["label"]
+        password = item["password"]
+
+        if title && password.present?
+          key = [ title, label ].compact.reject(&:empty?).join("/")
 
-        if title && !password.to_s.empty?
-          key = label.nil? || label.empty? ? title : "#{title}/#{label}"
           if secrets.include?(title) || secrets.include?(key)
-            raise RuntimeError, "#{key} is present more than once" if acc[key]
-            acc[key] = password
+            raise RuntimeError, "#{key} is present more than once" if secrets_with_passwords[key]
+            secrets_with_passwords[key] = password
           end
         end
 
-        acc
+        secrets_with_passwords
       end
     end
 end
diff --git a/test/secrets/enpass_adapter_test.rb b/test/secrets/enpass_adapter_test.rb
@@ -18,11 +18,11 @@ class EnpassAdapterTest < SecretAdapterTestCase
   test "fetch one item" do
     stub_ticks_with("enpass-cli version 2> /dev/null")
 
-    stderr_response = <<~RESULT
-    time="2024-11-03T13:34:39+01:00" level=info msg="> title: FooBar  login:   cat.: computer  label: SECRET_1  password: my-password-1
-    RESULT
-
-    Open3.stubs(:capture3).returns([ "", stderr_response, OpenStruct.new(success?: true) ])
+    stub_ticks
+      .with("enpass-cli -json -vault vault-path show FooBar/SECRET_1")
+      .returns(<<~JSON)
+      [{"category":"computer","label":"SECRET_1","login":"","password":"my-password-1","title":"FooBar","type":"password"}]
+      JSON
 
     json = JSON.parse(shellunescape(run_command("fetch", "FooBar/SECRET_1")))
 
@@ -34,13 +34,15 @@ class EnpassAdapterTest < SecretAdapterTestCase
   test "fetch multiple items" do
     stub_ticks_with("enpass-cli version 2> /dev/null")
 
-    stderr_response = <<~RESULT
-    time="2024-11-03T13:34:39+01:00" level=info msg="> title: FooBar  login:   cat.: computer  label: SECRET_1  password: my-password-1
-    time="2024-11-03T13:34:39+01:00" level=info msg="> title: FooBar  login:   cat.: computer  label: SECRET_2  password: my-password-2
-    time="2024-11-03T13:34:39+01:00" level=info msg="> title: Hello  login:   cat.: computer  label: SECRET_3  password: my-password-3
-    RESULT
-
-    Open3.stubs(:capture3).returns([ "", stderr_response, OpenStruct.new(success?: true) ])
+    stub_ticks
+      .with("enpass-cli -json -vault vault-path show FooBar/SECRET_1 FooBar/SECRET_2")
+      .returns(<<~JSON)
+      [
+        {"category":"computer","label":"SECRET_1","login":"","password":"my-password-1","title":"FooBar","type":"password"},
+        {"category":"computer","label":"SECRET_2","login":"","password":"my-password-2","title":"FooBar","type":"password"},
+        {"category":"computer","label":"SECRET_3","login":"","password":"my-password-1","title":"Hello","type":"password"}
+      ]
+      JSON
 
     json = JSON.parse(shellunescape(run_command("fetch", "FooBar/SECRET_1", "FooBar/SECRET_2")))
 
@@ -52,13 +54,15 @@ class EnpassAdapterTest < SecretAdapterTestCase
   test "fetch multiple items with from" do
     stub_ticks_with("enpass-cli version 2> /dev/null")
 
-    stderr_response = <<~RESULT
-    time="2024-11-03T13:34:39+01:00" level=info msg="> title: FooBar  login:   cat.: computer  label: SECRET_1  password: my-password-1
-    time="2024-11-03T13:34:39+01:00" level=info msg="> title: FooBar  login:   cat.: computer  label: SECRET_2  password: my-password-2
-    time="2024-11-03T13:34:39+01:00" level=info msg="> title: Hello  login:   cat.: computer  label: SECRET_3  password: my-password-3
-    RESULT
-
-    Open3.stubs(:capture3).returns([ "", stderr_response, OpenStruct.new(success?: true) ])
+    stub_ticks
+      .with("enpass-cli -json -vault vault-path show FooBar/SECRET_1 FooBar/SECRET_2")
+      .returns(<<~JSON)
+      [
+        {"category":"computer","label":"SECRET_1","login":"","password":"my-password-1","title":"FooBar","type":"password"},
+        {"category":"computer","label":"SECRET_2","login":"","password":"my-password-2","title":"FooBar","type":"password"},
+        {"category":"computer","label":"SECRET_3","login":"","password":"my-password-1","title":"Hello","type":"password"}
+      ]
+      JSON
 
     json = JSON.parse(shellunescape(run_command("fetch", "--from", "FooBar", "SECRET_1", "SECRET_2")))
 
@@ -70,14 +74,16 @@ class EnpassAdapterTest < SecretAdapterTestCase
   test "fetch all with from" do
     stub_ticks_with("enpass-cli version 2> /dev/null")
 
-    stderr_response = <<~RESULT
-    time="2024-11-03T13:34:39+01:00" level=info msg="> title: FooBar  login:   cat.: computer  label: SECRET_1  password: my-password-1
-    time="2024-11-03T13:34:39+01:00" level=info msg="> title: FooBar  login:   cat.: computer  label: SECRET_2  password: my-password-2
-    time="2024-11-03T13:34:39+01:00" level=info msg="> title: Hello  login:   cat.: computer  label: SECRET_3  password: my-password-3
-    time="2024-11-03T13:34:39+01:00" level=info msg="> title: FooBar  login:   cat.: computer  label:   password: my-password-3
-    RESULT
-
-    Open3.stubs(:capture3).returns([ "", stderr_response, OpenStruct.new(success?: true) ])
+    stub_ticks
+      .with("enpass-cli -json -vault vault-path show FooBar")
+      .returns(<<~JSON)
+      [
+        {"category":"computer","label":"SECRET_1","login":"","password":"my-password-1","title":"FooBar","type":"password"},
+        {"category":"computer","label":"SECRET_2","login":"","password":"my-password-2","title":"FooBar","type":"password"},
+        {"category":"computer","label":"SECRET_3","login":"","password":"my-password-1","title":"Hello","type":"password"},
+        {"category":"computer","label":"","login":"","password":"my-password-3","title":"FooBar","type":"password"}
+      ]
+      JSON
 
     json = JSON.parse(shellunescape(run_command("fetch", "FooBar")))