NixOS / nixpkgs

Nix Packages collection & NixOS
MIT License

1password op commandline no longer works since desktop app integration was introduced #258139

Closed rprije closed 7 months ago

rprije commented 1 year ago

Describe the bug

When running any op command the error

[ERROR] 2023/09/30 12:23:42 connecting to desktop app: read: connection reset, make sure the CLI is correctly installed and Connect with 1Password CLI is enabled in the 1Password app

is displayed.

Steps To Reproduce

Steps to reproduce the behavior:

  1. Install the _1password and _1password-gui packages
  2. Run 1password to launch the GUI
  3. Ensure settings -> Developer -> Connect with 1Password CLI is enabled
  4. Attempt any op command such as op signin
  5. Get the above error

Expected behavior

I expect the CLI to correctly integrate with the GUI and perform my required commands

Additional context

I've included the failing portion of the strace. It seems to be returning 133 (ENOSPC) when attempting to write to the GUI socket:

2100179 <... read resumed>"\0", 16)     = 1
2100174 epoll_ctl(4, EPOLL_CTL_ADD, 7, {events=EPOLLIN|EPOLLOUT|EPOLLRDHUP|EPOLLET, data={u32=1951461760, u64=139704352698752}} <unfinished ...>
2100179 epoll_pwait(4,  <unfinished ...>
2100174 <... epoll_ctl resumed>)        = 0
2100179 <... epoll_pwait resumed>[{events=EPOLLOUT, data={u32=1951461760, u64=139704352698752}}], 128, 0, NULL, 0) = 1
2100174 getsockname(7,  <unfinished ...>
2100179 epoll_pwait(4,  <unfinished ...>
2100174 <... getsockname resumed>{sa_family=AF_UNIX}, [112 => 2]) = 0
2100174 getpeername(7, {sa_family=AF_UNIX, sun_path="/run/user/1000/1Password-BrowserSupport.sock"}, [112 => 47]) = 0
2100174 getegid()                       = 1000
2100174 getgid()                        = 1000
2100174 write(7, "\201\0\0\0{\"callbackId\":1,\"invocation\":{\"type\":\"NmRequestAccounts\",\"content\":{\"version\":1,\"userRequested\":true,\"supportsDelegation\":true}}}", 133) = 133
2100174 futex(0xc000088548, FUTEX_WAKE_PRIVATE, 1) = 1
2100176 <... futex resumed>)            = 0
2100174 read(7,  <unfinished ...>
2100176 futex(0xc000088548, FUTEX_WAIT_PRIVATE, 0, NULL <unfinished ...>
2100174 <... read resumed>0xc000452a1c, 4) = -1 EAGAIN (Resource temporarily unavailable)
2100174 futex(0x19b0a88, FUTEX_WAIT_PRIVATE, 0, NULL <unfinished ...>
2100179 <... epoll_pwait resumed>[{events=EPOLLIN|EPOLLOUT|EPOLLERR|EPOLLHUP|EPOLLRDHUP, data={u32=1951461760, u64=139704352698752}}], 128, 4999, NULL, 0) = 1
2100179 read(7, 0xc000452a1c, 4)        = -1 ECONNRESET (Connection reset by peer)
2100179 futex(0x19b0a88, FUTEX_WAKE_PRIVATE, 1 <unfinished ...>
2100174 <... futex resumed>)            = 0
2100179 <... futex resumed>)            = 1
2100174 epoll_pwait(4, [], 128, 0, NULL, 0) = 0
2100179 write(2, "[ERROR] 2023/09/30 11:57:43 connecting to desktop app: read: connection reset, make sure the CLI is correctly installed and Connect with 1Password CLI is enabled in the 1Password app\n", 183 <unfinished ...>

However the /run/user/1000 tmpfs volume is at 1% usage with 2.4G available and no other disks are full either.

Notify maintainers

@joelburget @marsam @savannidgerinel @matthewpi

Metadata

Please run nix-shell -p nix-info --run "nix-info -m" and paste the result.

[user@system:~]$ nix-shell -p nix-info --run "nix-info -m"
 - system: `"x86_64-linux"`
 - host os: `Linux 6.1.35, NixOS, 23.05 (Stoat), 23.05pre-git`
 - multi-user?: `yes`
 - sandbox: `yes`
 - version: `nix-env (Nix) 2.13.5`
 - channels(root): `"nixos-22.11"`
 - channels(rob-prije): `""`
 - nixpkgs: `/nix/var/nix/profiles/per-user/root/channels/nixos`

(I don't install via nix channels. I currently have installed the version at https://github.com/NixOS/nixpkgs/archive/5cfafa12d57374f48bcc36fda3274ada276cf69e.tar.gz)

pluiedev commented 1 year ago

Could also reproduce on my system after upgrading to v8.10.16 (#256365). Could 1Password be attempting to communicate via some channel that's just broken on Nix?

savannidgerinel commented 1 year ago

Hey, y'all. Unfortunately, I've never used the CLI, so I don't know how the CLI communications work. I suspect that it is different from integration with the browser extension, though I'm only guessing on that. I only did work to make the browser extension work in Nix. I think it likely that we will need to add on to the Nix module for the CLI as well, but I cannot give you any advice at the moment on how to do that.

I'd suggest filing a support request. Even though I'm on vacation this week, there are a few other Nix users who may be able to help, and it is something that I can work on when I return next week.

matthewpi commented 1 year ago

I cannot reproduce this, it's working fine for me. I use both browser extensions hooked into the 1Password GUI app, the SSH agent, and occasionally the op CLI.

Versions:

If you disable the Use rich approval prompt setting (under the Developer tab) it works. I have been running with that setting disabled for awhile now since in a previous update (I believe when they added the new prompt), it was broken on NixOS but I'm unsure if that was ever resolved.

pluiedev commented 1 year ago

> ~I cannot reproduce this, it's working fine for me. I use both browser extensions hooked into the 1Password GUI app, the SSH agent, and occasionally the op CLI.~
>
> Versions:
>
> * `_1password-gui-beta`: 1Password for Linux 8.10.16 (81016043)
> * `_1password`: 2.21.0
>
> If you disable the Use rich approval prompt setting (under the Developer tab) which may be why it works for me. I have been running with that setting disabled for awhile now since in a previous update (I believe when they added the new prompt), it was broken on NixOS but I'm unsure if that was ever resolved.

Can repro! Looks like the new approval prompt is just broken on Nix, then?

rprije commented 11 months ago

I don't seem to have the "Use rich approval prompt" option. My 1Password GUI's About says it's version 8.10.9. When I go to Developer the only options are a "Set Up SSH Agent" button and a "Connect with 1Password CLI" toggle box which I have enabled.

This seems as though there's a hidden dependency on an external prompt program I don't have.

gfranxman commented 8 months ago

FWIW, the same on osx with latest everything.

OS: Sonoma 14.2.1 (23C71)

1password app: 1Password for Mac 8.9.11 (80911019)

op command line: 2.24.0

$ which op
/usr/local/bin/op

$ op signin
[ERROR] 2024/01/26 10:43:32 connecting to desktop app: 1Password CLI couldn't connect to the 1Password desktop app. To fix this, update the desktop app to the latest version. If you're still having trouble connecting, restart the app. If you're using version 8.10.12 or earlier of the app, the 1Password CLI binary must be located in /usr/local/bin/op.

tuxerator commented 8 months ago

Not that I'm very knowledgeable about Nix but to me it seems to be a permissions error (see https://1password.community/discussion/128029/can-not-connect-to-desktop-app)

WARN  2024-02-13T10:23:55.079 tokio-runtime-worker(ThreadId(7)) [1P:op-ipc/src/ipc/unix.rs:402] invalid group attempted to connect, rejecting remote

The 1Password docs say the op binary has to be owned by the onepassword-cli group and executed with that group (https://developer.1password.com/docs/cli/get-started#step-1-install-1password-cli).

Unfortunately I'm not really familiar with how nix handles /nix/store and how you can handle such permission requirements.
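
The "invalid group attempted to connect, rejecting remote" line and the `ECONNRESET` in the strace from the original report fit a server that checks the connecting process's group on the Unix socket and drops the connection. The sketch below is an added example, not part of the comment above and not 1Password's code: it shows one way such a check can work on Linux using `SO_PEERCRED`, and why the client's write succeeds before its read fails. The toy server, `peer_gid`, `client_outcome` and the request bytes are constructed for illustration.

```python
import os
import socket
import struct

UCRED = struct.Struct("iII")  # Linux struct ucred: pid, uid, gid


def peer_gid(conn):
    """Effective GID the kernel recorded for the process at the other end."""
    raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, UCRED.size)
    _pid, _uid, gid = UCRED.unpack(raw)
    return gid


def client_outcome(allowed_gid):
    """Run one request against a toy server that only admits `allowed_gid`.

    Returns what the client observes: "accepted", "connection reset" or "closed".
    """
    server, client = socket.socketpair(socket.AF_UNIX, socket.SOCK_STREAM)
    try:
        # Constructed request; the write succeeds before any check happens.
        client.sendall(b'{"callbackId":1}')
        if peer_gid(server) == allowed_gid:
            server.recv(4096)
            server.sendall(b"ok")
        else:
            # Reject: close with the request still unread. On Linux the
            # peer's next read then fails with ECONNRESET.
            server.close()
        try:
            return "accepted" if client.recv(4096) == b"ok" else "closed"
        except ConnectionResetError:
            return "connection reset"
    finally:
        server.close()
        client.close()


if __name__ == "__main__":
    mine = os.getegid()
    print("matching group:", client_outcome(mine))
    print("other group:   ", client_outcome(mine + 1))
```

A client whose effective GID is not the expected one gets exactly the write-then-reset pattern, which is why the binary has to run with the required group rather than merely be readable by it.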

pluiedev commented 8 months ago

> Not that I'm very knowledgeable about Nix but to me it seems to be a permissions error (see https://1password.community/discussion/128029/can-not-connect-to-desktop-app)
>
> WARN  2024-02-13T10:23:55.079 tokio-runtime-worker(ThreadId(7)) [1P:op-ipc/src/ipc/unix.rs:402] invalid group attempted to connect, rejecting remote
>
> The 1Password docs say the op binary has to be owned by the onepassword-cli group and executed with that group (https://developer.1password.com/docs/cli/get-started#step-1-install-1password-cli).
>
> Unfortunately I'm not really familiar with how nix handles /nix/store and how you can handle such permission requirements.

Huh... this is definitely not trivial. Currently all files in /nix/store are owned by root, and there's no way for nixpkgs to make the group by itself.

Best way forward would probably be to make a NixOS module for the CLI, add the group to the system, and give root the group. The user then has to add the group to themself manually unless we find a way to automagically do so.

savannidgerinel commented 8 months ago

Oh, there already is a CLI module. You can enable it with programs._1password.enable = true. Back when I read this I was either not thinking clearly, or I assumed that you were installing with the modules.

In fact, reviewing the thread, it looks like you're not using the module in either case. You can add these lines to configuration.nix:

  programs._1password-gui.enable = true;
  programs._1password.enable = true;

And, if you want to unlock 1Password with the system unlock:

  programs._1password-gui.polkitPolicyOwners = [ "your-username-here" ];

pluiedev commented 8 months ago

> Oh, there already is a CLI module. You can enable it with programs._1password.enable = true. Back when I read this I was either not thinking clearly, or I assumed that you were installing with the modules.

I am using the module for it but evidently I forgot about that :woman_facepalming: Seems like I couldn't reproduce it now (op signin works just fine) and I dunno how it is for others

alobaidizt commented 7 months ago

I got the same error on macOS

[ERROR] 2024/02/25 19:33:44 connecting to desktop app: 1Password CLI couldn't connect to the 1Password desktop app. To fix this, update the desktop app to the latest version. If you're still having trouble connecting, restart the app. If you're using version 8.10.12 or earlier of the app, the 1Password CLI binary must be located in /usr/local/bin/op.

I'm on latest 1Password app and 1Password CLI.

In order to get around this error all I had done was resetting the "Integrate with 1Password CLI" checkbox in 1Password app developer setting.

brizzbuzz commented 7 months ago

I'm running into the same problem on nixos, unfortunately toggling on/off through settings does not fix the problem for me. Strangely, it does seem like the initial connection works, as I can turn off the integration in the GUI, then, attempt to enable through the CLI (which, in turn, launches the GUI).

Toggling the settings at that point produces a success message, immediately followed by the original error message

$ op signin                                                                                                                                   02/27/24 10:10:52 AM
Would you like to turn on the 1Password app integration? This allows you to sign in to 1Password CLI using the 1Password app. [Y/n] y
Unlock 1Password and select 'Integrate with 1Password CLI' in the Settings window that opens. To use Touch ID, Windows Hello, or another system authentication option with 1Password CLI, navigate to the Security tab and turn it on.
Waiting for setting to change. To cancel, enter Ctrl + C.
All set! Let's 🚀
[ERROR] 2024/02/27 10:11:00 connecting to desktop app: read: connection reset, make sure 1Password CLI is installed correctly, then open the 1Password app, select 1Password > Settings > Developer and make sure the 'Integrate with 1Password CLI' setting is turned on. If you're still having trouble connecting, restart the app.

savannidgerinel commented 7 months ago

> I got the same error on macOS
>
> [ERROR] 2024/02/25 19:33:44 connecting to desktop app: 1Password CLI couldn't connect to the 1Password desktop app. To fix this, update the desktop app to the latest version. If you're still having trouble connecting, restart the app. If you're using version 8.10.12 or earlier of the app, the 1Password CLI binary must be located in /usr/local/bin/op.
>
> I'm on latest 1Password app and 1Password CLI.
>
> In order to get around this error all I had done was resetting the "Integrate with 1Password CLI" checkbox in 1Password app developer setting.

This is never going to work. The integration requires some tools be installed with suid and owned by particular users. You just can't do that outside modules installed via NixOS.

brizzbuzz commented 7 months ago

> This is never going to work.

Very much sounds like he got it to work. FWIW I also have 1password + cli on MacOS working, managed through Nix (nix-homebrew in the case of the GUI). The problems I have are on my NixOS desktop.

rprije commented 7 months ago

> Oh, there already is a CLI module. You can enable it with programs._1password.enable = true. Back when I read this I was either not thinking clearly, or I assumed that you were installing with the modules.
>
> In fact, reviewing the thread, it looks like you're not using the module in either case. You can add these lines to configuration.nix:
>
>   programs._1password-gui.enable = true;
>   programs._1password.enable = true;
>
> And, if you want to unlock 1Password with the system unlock:
>
>   programs._1password-gui.polkitPolicyOwners = [ "your-username-here" ];

This turned out to be my problem. Enabling these has fixed my op command line and improved my overall experience with the GUI integrating better with the Chrome extension among other things. Thank you so much! I'm closing this issue out.

HarryZ10 commented 3 months ago

@rprije

rprije commented 3 months ago

> @rprije

https://nixos.org/manual/nixos/stable/options#opt-programs._1password.enable https://nixos.org/manual/nixos/stable/options#opt-programs._1password-gui.enable https://nixos.org/manual/nixos/stable/options#opt-programs._1password-gui.polkitPolicyOwners

The configuration file where this is located is described at https://nixos.org/manual/nixos/stable/#ch-configuration

jchan-legendpower commented 2 months ago

For NixOS-WSL users, see https://github.com/nix-community/NixOS-WSL/issues/346