aquaproj / aqua

Declarative CLI Version manager written in Go. Support Lazy Install, Registry, and continuous update with Renovate. CLI version is switched seamlessly
https://aquaproj.github.io

1Password CLI Shell Plugin #3068

Open nikolay opened 3 months ago

nikolay commented 3 months ago

Feature Overview

https://developer.1password.com/docs/cli/shell-plugins/contribute/

Why is the feature needed?

Otherwise, the AQUA_GITHUB_TOKEN or GITHUB_TOKEN should always be set and exposed in the shell.

Workaround

No response

Example Code

No response

Note

No response

suzuki-shunsuke commented 3 months ago

Thank you for your proposal. I'm not familiar with 1Password CLI Shell Plugin, but does this issue mean installing 1Password CLI Shell Plugin via aqua? I'll look into how to install plugins.

aqua doesn't support some plugin mechanism, so I'm not sure if aqua can support 1Password CLI Shell Plugin. https://aquaproj.github.io/docs/products/aqua-registry/contributing#aqua-cant-support-some-tools-plugin-mechanism

suzuki-shunsuke commented 3 months ago

I read the document of 1Password CLI Shell Plugin, but I'm not sure what aqua should do. We need more details.

suzuki-shunsuke commented 3 months ago

Oh, I see! This issue means the 1Password CLI Shell Plugin for aqua, which passes a GitHub access token to aqua via 1Password.

nikolay commented 3 months ago

Yeah, @suzuki-shunsuke, sorry for not being clear. I guess, you support AQUA_GITHUB_TOKEN - I would say it makes sense to pass that and not the generic GITHUB_TOKEN.

suzuki-shunsuke commented 3 months ago

I'm concerned about the overhead of the plugin. I'm not sure about the detail of the plugin, but if the plugin is executed every time aqua is executed, maybe the overhead affects the user experience. When you execute tools installed by aqua, aqua is executed.

On the other hand, the plugin would improve the security, and the performance should be measured rather than imagined.

suzuki-shunsuke commented 2 months ago

> I'm not sure about the detail of the plugin, but if the plugin is executed every time aqua is executed, maybe the overhead affects the user experience.

If aqua supports the lazy load of a GitHub access token, this issue would be solved. Lazy load means aqua loads a GitHub access token only when aqua really needs it.

suzuki-shunsuke commented 1 month ago

I found an interesting library. It would be nice if aqua can get a GitHub access token from not only 1Password but also other secret stores. https://github.com/99designs/keyring

nikolay commented 1 month ago

@suzuki-shunsuke Yes, that library is used by the famous https://github.com/99designs/aws-vault and https://github.com/common-fate/granted and although there are some more actively developed equivalents, the one you mention is the only one in Go supporting Windows.

suzuki-shunsuke commented 1 month ago

https://github.com/99designs/keyring : The last update was two years ago.

https://github.com/keybase/go-keychain : For macOS keychain

https://github.com/zalando/go-keyring : This is actively maintained and supports Windows

https://github.com/danieljoos/wincred : Go wrapper around the Windows Credential Manager API functions

suzuki-shunsuke commented 1 month ago

99designs/keyring works well on macOS.

https://gist.github.com/suzuki-shunsuke/58961369fbe13c76b3052c6ddc0a3893

Usage

$ aqua token set [-stdin]
> ***
$ aqua token remove
$ aqua token get # optional

suzuki-shunsuke commented 1 month ago

Hmm. 99designs/keyring doesn't work on macOS without CGO.

CGO_ENABLED=0 go build -o bin/get-nocgo get.go
$ ./bin/get-nocgo 
2024/10/11 16:12:22 set a key: No directory provided for file keyring

https://gist.github.com/suzuki-shunsuke/58961369fbe13c76b3052c6ddc0a3893?permalink_comment_id=5230278#gistcomment-5230278

https://github.com/aquaproj/aqua/blob/4e08dea281d1adad7b88c19dbef99c134857b2e6/.goreleaser.yml#L15

suzuki-shunsuke commented 1 month ago

https://github.com/zalando/go-keyring/issues/64#issuecomment-1793669498 describes the pros and cons of CGO well. It's hard to make a decision. We don't want to depend on CGO, but access to macOS keychain via CGO is more secure.

Related:

suzuki-shunsuke commented 1 month ago

📝 GitHub CLI uses zalando/go-keyring.

https://github.com/cli/cli/blob/b91dab44566a44e5f8e43c0cc83724e574320536/go.mod#L45

suzuki-shunsuke commented 1 month ago

📝 1Password has an SDK for Go.

https://github.com/1Password/onepassword-sdk-go

suzuki-shunsuke commented 1 month ago

Hi @nikolay, sorry to bother you. Do you usually use Linux or Windows? If so, could you help us verify the feature https://github.com/aquaproj/aqua/pull/3174 ? I usually use macOS so it's difficult to verify the feature on Linux and Windows.

nikolay commented 1 month ago

@suzuki-shunsuke No, I'm only on macOS, but I can try on Linux and Windows as well.

suzuki-shunsuke commented 1 month ago

Thank you!
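
The lazy token loading and secret-store lookup discussed in this thread, sketched in Go as an added example that is not part of the original thread or aqua's own code. `Lookup`, `LazyToken`, `countingStore`, the `aqua`/`github-token` entry names and the environment-variable precedence are assumptions; the in-memory store is constructed so the block runs offline.

```go
package main

import (
	"fmt"
	"os"
	"sync"
)

// Lookup is a hypothetical stand-in for a keyring or 1Password read.
type Lookup func(service, user string) (string, error)

// LazyToken resolves the token at most once, and only when Token is first called.
type LazyToken struct {
	lookup Lookup
	once   sync.Once
	token  string
	err    error
}

// Token checks the environment first (assumed order), then the secret store.
func (l *LazyToken) Token() (string, error) {
	l.once.Do(func() {
		for _, k := range []string{"AQUA_GITHUB_TOKEN", "GITHUB_TOKEN"} {
			if v := os.Getenv(k); v != "" {
				l.token = v
				return
			}
		}
		l.token, l.err = l.lookup("aqua", "github-token") // hypothetical names
	})
	return l.token, l.err
}

// countingStore returns a constructed in-memory Lookup and its read counter.
func countingStore(secret string) (Lookup, *int) {
	reads := 0
	return func(service, user string) (string, error) {
		reads++
		return secret, nil
	}, &reads
}

func main() {
	lookup, reads := countingStore("constructed-token")
	lt := &LazyToken{lookup: lookup}
	fmt.Println("store reads before first use:", *reads)
	_, err := lt.Token()
	fmt.Println("store reads after first use:", *reads, "err:", err)
}
```

Commands that never call `Token` never touch the secret store, so the per-invocation overhead is paid only on code paths that actually call the GitHub API.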