Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

1Password CLI Shell Plugin #3068

Open
nikolay opened this issue Aug 26, 2024 · 17 comments
Open

1Password CLI Shell Plugin #3068

nikolay opened this issue Aug 26, 2024 · 17 comments
Labels
enhancement New feature or request security

Comments

@nikolay
Copy link

nikolay commented Aug 26, 2024

Feature Overview

https://developer.1password.com/docs/cli/shell-plugins/contribute/

Why is the feature needed?

Otherwise, the AQUA_GITHUB_TOKEN or GITHUB_TOKEN should always be set and exposed in the shell.

Workaround

No response

Example Code

No response

Note

No response

@nikolay nikolay added the enhancement New feature or request label Aug 26, 2024
@suzuki-shunsuke
Copy link
Member

Thank you for your proposal.
I'm not familiar with 1Password CLI Shell Plugin, but this issue means installing 1Password CLI Shell Plugin via aqua?
I'll look into how to install plugins.

aqua doesn't support some plugin mechanism, so I'm not sure if aqua can support 1Password CLI Shell Plugin.
https://aquaproj.github.io/docs/products/aqua-registry/contributing#aqua-cant-support-some-tools-plugin-mechanism

@suzuki-shunsuke
Copy link
Member

I read the document of 1Password CLI Shell Plugin, but I'm not sure what aqua should do.
We need more details.

@suzuki-shunsuke
Copy link
Member

Oh, I see!
This issue means the 1Password CLI Shell Plugin for aqua, which passes GitHub access token to aqua via 1Password.

@nikolay
Copy link
Author

nikolay commented Aug 28, 2024

Yeah, @suzuki-shunsuke, sorry for not being clear. I guess, you support AQUA_GITHUB_TOKEN - I would say it makes sense to pass that and not the generic GITHUB_TOKEN.

@suzuki-shunsuke
Copy link
Member

I'm concern about the overhead of the plugin.
I'm not sure about the detail of the plugin, but if the plugin is executed every time aqua is executed, maybe the overhead affects the user experience.
When you execute tools installed by aqua, aqua is executed.

On the other hand, the plugin would improve the security, and the performance should be measured rather than imagined.

@suzuki-shunsuke
Copy link
Member

I'm not sure about the detail of the plugin, but if the plugin is executed every time aqua is executed, maybe the overhead affects the user experience.

If aqua supports the lazy load of a GitHub access token, this issue would be solved.
lazy load means aqua loads a GitHub access token only when aqua really needs it.

@suzuki-shunsuke
Copy link
Member

I found an interesting library.
It would be nice if aqua can get GitHub Access token from not only 1Password but also other secret stores.
https://github.com/99designs/keyring

@nikolay
Copy link
Author

nikolay commented Oct 8, 2024

@suzuki-shunsuke Yes, that library is used by the famous https://github.com/99designs/aws-vault and https://github.com/common-fate/granted and although there are some more actively developed equivalents, the one you mention is the only one in Go supporting Windows.

@suzuki-shunsuke
Copy link
Member

suzuki-shunsuke commented Oct 11, 2024

https://github.com/99designs/keyring The last update was two years ago.
https://github.com/keybase/go-keychain : For macOS keychain
https://github.com/zalando/go-keyring : This is actively maintained and supports Windows
https://github.com/danieljoos/wincred : Go wrapper around the Windows Credential Manager API functions

@suzuki-shunsuke
Copy link
Member

99designs/keyring works well on macOS.

https://gist.github.com/suzuki-shunsuke/58961369fbe13c76b3052c6ddc0a3893

Usage

$ aqua token set [-stdin]
> ***
$ aqua token remove
$ aqua token get # optional

@suzuki-shunsuke
Copy link
Member

suzuki-shunsuke commented Oct 11, 2024

Hmm. 99designs/keyring doesn't work on macOS without CGO.

CGO_ENABLED=0 go build -o bin/get-nocgo get.go
$ ./bin/get-nocgo 
2024/10/11 16:12:22 set a key: No directory provided for file keyring

https://gist.github.com/suzuki-shunsuke/58961369fbe13c76b3052c6ddc0a3893?permalink_comment_id=5230278#gistcomment-5230278

- CGO_ENABLED=0

@suzuki-shunsuke
Copy link
Member

suzuki-shunsuke commented Oct 11, 2024

zalando/go-keyring#64 (comment) describes the pros and cons of CGO well.
It's hard to make a decision.
We don't want to depend on CGO, but access to macOS keychain via CGO is securer.

Related:

@suzuki-shunsuke
Copy link
Member

📝 GitHub CLI uses zalando/go-keyring.

https://github.com/cli/cli/blob/b91dab44566a44e5f8e43c0cc83724e574320536/go.mod#L45

@suzuki-shunsuke
Copy link
Member

📝 1Password has a SDK for Go.

https://github.com/1Password/onepassword-sdk-go

@suzuki-shunsuke
Copy link
Member

Hi @nikolay , sorry to bother you.
Do you usually use Linux or Windows?
If so, could you help us verify the feature #3174 ?
I usually use macOS so it's difficult to verify the feature on Linux and Windows.

@nikolay
Copy link
Author

nikolay commented Oct 16, 2024

@suzuki-shunsuke No, I'm only on macOS, but I can try on Linux and Windows as well.

@suzuki-shunsuke
Copy link
Member

Thank you!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
enhancement New feature or request security
Projects
None yet
Development

No branches or pull requests

2 participants