163 lines
5.1 KiB
Bash
Executable File
163 lines
5.1 KiB
Bash
Executable File
#!/bin/bash
|
|
# Git credential helper for 1Password CLI
|
|
# This script integrates with Git's credential system to fetch credentials from 1Password
|
|
|
|
set -euo pipefail
|
|
|
|
# Source utilities for logging
|
|
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
|
|
if [ -f "$SCRIPT_DIR/utils.sh" ]; then
|
|
source "$SCRIPT_DIR/utils.sh"
|
|
fi
|
|
|
|
# Function to check if 1Password CLI is available and signed in
|
|
check_op_cli() {
|
|
if ! command -v op >/dev/null 2>&1; then
|
|
echo "Error: 1Password CLI (op) not found. Please install it first." >&2
|
|
return 1
|
|
fi
|
|
|
|
# Check if signed in
|
|
if ! op account list >/dev/null 2>&1; then
|
|
echo "Error: Not signed in to 1Password CLI. Please run 'op signin' first." >&2
|
|
return 1
|
|
fi
|
|
|
|
return 0
|
|
}
|
|
|
|
# Parse Git credential input
|
|
parse_input() {
|
|
while IFS= read -r line; do
|
|
if [ -z "$line" ]; then
|
|
break
|
|
fi
|
|
|
|
case "$line" in
|
|
protocol=*)
|
|
protocol="${line#protocol=}"
|
|
;;
|
|
host=*)
|
|
host="${line#host=}"
|
|
;;
|
|
username=*)
|
|
username="${line#username=}"
|
|
;;
|
|
password=*)
|
|
password="${line#password=}"
|
|
;;
|
|
esac
|
|
done
|
|
}
|
|
|
|
# Get credentials from 1Password
|
|
get_credentials() {
|
|
local search_term="$1"
|
|
|
|
# Try to find item by URL/host first
|
|
local item_uuid
|
|
if ! item_uuid=$(op item list --format=json 2>/dev/null | jq -r --arg host "$search_term" '
|
|
.[] | select(
|
|
((.urls // [])[] | select(.href != null and (.href | type) == "string") | .href | test($host; "i")) or
|
|
((.title // "") | type == "string" and test($host; "i")) or
|
|
((.additional_information // "") | type == "string" and test($host; "i"))
|
|
) | .id' | head -1 2>/dev/null); then
|
|
# If the complex search fails, try a simpler approach
|
|
item_uuid=""
|
|
fi
|
|
|
|
if [ -z "$item_uuid" ]; then
|
|
# Fallback: simple search by title containing the host
|
|
if ! item_uuid=$(op item list --format=json 2>/dev/null | jq -r --arg host "$search_term" '
|
|
.[] | select((.title // "") != "" and ((.title // "") | type == "string") and ((.title // "") | test($host; "i"))) | .id' | head -1 2>/dev/null); then
|
|
item_uuid=""
|
|
fi
|
|
fi
|
|
|
|
if [ -z "$item_uuid" ]; then
|
|
echo "No matching item found in 1Password for: $search_term" >&2
|
|
return 1
|
|
fi
|
|
|
|
# Get the item details
|
|
local item_json
|
|
if ! item_json=$(op item get "$item_uuid" --format=json 2>/dev/null); then
|
|
echo "Failed to retrieve item from 1Password" >&2
|
|
return 1
|
|
fi
|
|
|
|
# Extract username and password
|
|
local op_username op_password
|
|
op_username=$(echo "$item_json" | jq -r '(.fields // [])[] | select((.id // "") == "username" or ((.label // "") | type == "string" and test("username"; "i"))) | .value // empty' | head -1 2>/dev/null)
|
|
op_password=$(echo "$item_json" | jq -r '(.fields // [])[] | select((.id // "") == "password" or ((.label // "") | type == "string" and test("password|token"; "i"))) | .value // empty' | head -1 2>/dev/null)
|
|
|
|
# If standard fields don't work, try common field names
|
|
if [ -z "$op_username" ]; then
|
|
op_username=$(echo "$item_json" | jq -r '(.fields // [])[] | select((.label // "") | type == "string" and test("user|login"; "i")) | .value // empty' | head -1 2>/dev/null)
|
|
fi
|
|
|
|
if [ -z "$op_password" ]; then
|
|
op_password=$(echo "$item_json" | jq -r '(.fields // [])[] | select((.label // "") | type == "string" and test("pass|token|secret"; "i")) | .value // empty' | head -1 2>/dev/null)
|
|
fi
|
|
|
|
if [ -z "$op_username" ] || [ -z "$op_password" ]; then
|
|
echo "Username or password not found in 1Password item" >&2
|
|
echo "Available fields:" >&2
|
|
echo "$item_json" | jq -r '(.fields // [])[] | " - \(.label // .id // "unknown")"' 2>/dev/null >&2
|
|
return 1
|
|
fi
|
|
|
|
echo "username=$op_username"
|
|
echo "password=$op_password"
|
|
}
|
|
|
|
# Main credential helper logic
|
|
case "${1:-}" in
|
|
get)
|
|
# Initialize variables
|
|
protocol=""
|
|
host=""
|
|
username=""
|
|
password=""
|
|
|
|
# Parse input from Git
|
|
parse_input
|
|
|
|
# Only handle HTTPS requests
|
|
if [ "$protocol" != "https" ]; then
|
|
exit 0
|
|
fi
|
|
|
|
# Check 1Password CLI availability
|
|
if ! check_op_cli; then
|
|
exit 1
|
|
fi
|
|
|
|
# Search for credentials
|
|
if [ -n "$host" ]; then
|
|
if get_credentials "$host"; then
|
|
exit 0
|
|
fi
|
|
fi
|
|
|
|
# If we get here, no credentials were found
|
|
exit 1
|
|
;;
|
|
|
|
store)
|
|
# We don't store credentials in 1Password via this helper
|
|
# Users should add them manually to 1Password
|
|
exit 0
|
|
;;
|
|
|
|
erase)
|
|
# We don't erase credentials from 1Password via this helper
|
|
exit 0
|
|
;;
|
|
|
|
*)
|
|
echo "Usage: $0 {get|store|erase}" >&2
|
|
exit 1
|
|
;;
|
|
esac
|