Chezmoi cannot connect to 1password's CLI interface on Pop_OS! 22.04

dmlo commented 1 year ago

Describe the bug

Chezmoi template command onepasswordRead cannot connect to 1password's CLI interface on Pop_OS! 22.04:

$ op read op://private/<snip>/username
<correct result, my email address>

$ chezmoi execute-template '{{ onepasswordRead "op://private/<snip>/username" }}'                                                                     
[ERROR] 2023/01/11 08:52:32 connecting to desktop app: read: connection reset, make sure the CLI is correctly installed and Connect with 1Password CLI is enabled in the 1Password app
chezmoi: template: arg1:1:3: executing "arg1" at <onepasswordRead "op://private/<snip>/username">: error calling onepasswordRead: /usr/bin/op signin --raw: exit status 1

To reproduce

Install chezmoi 2.29.1
Install 1password 8.9.12
Install 1password-cli 2.12.0
Sign in to 1password
Verify correct operation of op command
Execute chezmoi execute-template '{{ onepasswordRead "op://private/<snip>/username" }}'

Expected behavior

Chezmoi should connect to 1password's CLI command op and retrieve the requested token.

Output of command with the `--verbose` flag

$ chezmoi --verbose execute-template '{{ onepasswordRead "op://private/apple/username" }}'
[ERROR] 2023/01/11 08:59:22 connecting to desktop app: read: connection reset, make sure the CLI is correctly installed and Connect with 1Password CLI is enabled in the 1Password app
chezmoi: template: arg1:1:3: executing "arg1" at <onepasswordRead "op://private/apple/username">: error calling onepasswordRead: /usr/bin/op signin --raw: exit status 1

Output of `chezmoi doctor`

$ chezmoi doctor
RESULT    CHECK                MESSAGE
ok        version              v2.29.1, commit 5e7063ec11bb85efcf8e0c152dcd7dd674ed2d90, built at 2023-01-02T15:50:04Z, built by goreleaser
ok        latest-version       v2.29.1
ok        os-arch              linux/amd64 (Pop!_OS 22.04 LTS)
ok        uname                Linux elena 6.0.12-76060006-generic #202212290932~1671652965~22.04~452ea9d SMP PREEMPT_DYNAMIC Wed D x86_64 x86_64 x86_64 GNU/Linux
ok        go-version           go1.19.4 (gc)
ok        executable           ~/.asdf/installs/chezmoi/2.29.1/bin/chezmoi
ok        upgrade-method       replace-executable
ok        config-file          no config file found
warning   source-dir           ~/.local/share/chezmoi is a git working tree (dirty)
ok        suspicious-entries   no suspicious entries
warning   working-tree         ~/.local/share/chezmoi is a git working tree (dirty)
ok        dest-dir             ~ is a directory
ok        umask                002
ok        cd-command           found /usr/bin/zsh
ok        cd-args              /usr/bin/zsh
info      diff-command         not set
ok        edit-command         found /usr/bin/nano
ok        edit-args            /usr/bin/nano
ok        git-command          found /usr/bin/git, version 2.34.1
warning   merge-command        vimdiff not found in $PATH
ok        shell-command        found /usr/bin/zsh
ok        shell-args           /usr/bin/zsh
info      age-command          age not found in $PATH
ok        gpg-command          found /usr/bin/gpg, version 2.2.27
info      pinentry-command     not set
ok        1password-command    found /usr/bin/op, version 2.12.0
info      bitwarden-command    bw not found in $PATH
info      gopass-command       gopass not found in $PATH
info      keepassxc-command    keepassxc-cli not found in $PATH
info      keepassxc-db         not set
info      keeper-command       keeper not found in $PATH
info      lastpass-command     lpass not found in $PATH
info      pass-command         pass not found in $PATH
info      passhole-command     ph not found in $PATH
info      vault-command        vault not found in $PATH
info      secret-command       not set

Additional context

Reproduced on two Pop_OS! 22.04 machines.
Reproduced under bash and zsh
Could not reproduce on MacOS: the command completed as expected
Other non-1password template commands execute as expected

Debug output:

$ chezmoi execute-template '{{ onepasswordRead "op://private/apple/username" }}' --debug
2023-01-11T09:03:17-04:00 INF persistentPreRunRootE args=["/home/dan/.asdf/installs/chezmoi/2.29.1/bin/chezmoi","execute-template","{{ onepasswordRead \"op://private/apple/username\" }}","--debug"] goVersion=go1.19.4 version={"builtBy":"goreleaser","commit":"5e7063ec11bb85efcf8e0c152dcd7dd674ed2d90","date":"2023-01-02T15:50:04Z","version":"2.29.1"}
2023-01-11T09:03:17-04:00 INF Stat component=system name=/home/dan/.local/share/chezmoi/.git
2023-01-11T09:03:17-04:00 ERR ReadFile error="open /home/dan/.local/share/chezmoi/.chezmoiroot: no such file or directory" component=system data= name=/home/dan/.local/share/chezmoi/.chezmoiroot size=0
2023-01-11T09:03:17-04:00 ERR ReadFile error="open /home/dan/.local/share/chezmoi/.chezmoiversion: no such file or directory" component=system data= name=/home/dan/.local/share/chezmoi/.chezmoiversion size=0
2023-01-11T09:03:17-04:00 INF Stat component=system name=/home/dan/.local/share/chezmoi
2023-01-11T09:03:17-04:00 INF Stat component=system name=/home/dan/.local/share/chezmoi
2023-01-11T09:03:17-04:00 INF ReadDir component=system name=/home/dan/.local/share/chezmoi
2023-01-11T09:03:17-04:00 INF ReadDir component=system name=/home/dan/.local/share/chezmoi/.git
2023-01-11T09:03:17-04:00 INF ReadDir component=system name=/home/dan/.local/share/chezmoi/.git/branches
2023-01-11T09:03:17-04:00 INF ReadDir component=system name=/home/dan/.local/share/chezmoi/.git/hooks
2023-01-11T09:03:17-04:00 INF ReadDir component=system name=/home/dan/.local/share/chezmoi/.git/info
2023-01-11T09:03:17-04:00 INF ReadDir component=system name=/home/dan/.local/share/chezmoi/.git/logs
2023-01-11T09:03:17-04:00 INF ReadDir component=system name=/home/dan/.local/share/chezmoi/.git/logs/refs
2023-01-11T09:03:17-04:00 INF ReadDir component=system name=/home/dan/.local/share/chezmoi/.git/logs/refs/heads
2023-01-11T09:03:17-04:00 INF ReadDir component=system name=/home/dan/.local/share/chezmoi/.git/logs/refs/remotes
2023-01-11T09:03:17-04:00 INF ReadDir component=system name=/home/dan/.local/share/chezmoi/.git/logs/refs/remotes/origin
2023-01-11T09:03:17-04:00 INF ReadDir component=system name=/home/dan/.local/share/chezmoi/.git/objects
2023-01-11T09:03:17-04:00 INF ReadDir component=system name=/home/dan/.local/share/chezmoi/.git/objects/06
2023-01-11T09:03:17-04:00 INF ReadDir component=system name=/home/dan/.local/share/chezmoi/.git/objects/10
2023-01-11T09:03:17-04:00 INF ReadDir component=system name=/home/dan/.local/share/chezmoi/.git/objects/19
2023-01-11T09:03:17-04:00 INF ReadDir component=system name=/home/dan/.local/share/chezmoi/.git/objects/22
2023-01-11T09:03:17-04:00 INF ReadDir component=system name=/home/dan/.local/share/chezmoi/.git/objects/31
2023-01-11T09:03:17-04:00 INF ReadDir component=system name=/home/dan/.local/share/chezmoi/.git/objects/41
2023-01-11T09:03:17-04:00 INF ReadDir component=system name=/home/dan/.local/share/chezmoi/.git/objects/44
2023-01-11T09:03:17-04:00 INF ReadDir component=system name=/home/dan/.local/share/chezmoi/.git/objects/54
2023-01-11T09:03:17-04:00 INF ReadDir component=system name=/home/dan/.local/share/chezmoi/.git/objects/5f
2023-01-11T09:03:17-04:00 INF ReadDir component=system name=/home/dan/.local/share/chezmoi/.git/objects/74
2023-01-11T09:03:17-04:00 INF ReadDir component=system name=/home/dan/.local/share/chezmoi/.git/objects/75
2023-01-11T09:03:17-04:00 INF ReadDir component=system name=/home/dan/.local/share/chezmoi/.git/objects/7d
2023-01-11T09:03:17-04:00 INF ReadDir component=system name=/home/dan/.local/share/chezmoi/.git/objects/85
2023-01-11T09:03:17-04:00 INF ReadDir component=system name=/home/dan/.local/share/chezmoi/.git/objects/8a
2023-01-11T09:03:17-04:00 INF ReadDir component=system name=/home/dan/.local/share/chezmoi/.git/objects/8e
2023-01-11T09:03:17-04:00 INF ReadDir component=system name=/home/dan/.local/share/chezmoi/.git/objects/9b
2023-01-11T09:03:17-04:00 INF ReadDir component=system name=/home/dan/.local/share/chezmoi/.git/objects/a0
2023-01-11T09:03:17-04:00 INF ReadDir component=system name=/home/dan/.local/share/chezmoi/.git/objects/a6
2023-01-11T09:03:17-04:00 INF ReadDir component=system name=/home/dan/.local/share/chezmoi/.git/objects/bf
2023-01-11T09:03:17-04:00 INF ReadDir component=system name=/home/dan/.local/share/chezmoi/.git/objects/c7
2023-01-11T09:03:17-04:00 INF ReadDir component=system name=/home/dan/.local/share/chezmoi/.git/objects/cc
2023-01-11T09:03:17-04:00 INF ReadDir component=system name=/home/dan/.local/share/chezmoi/.git/objects/ce
2023-01-11T09:03:17-04:00 INF ReadDir component=system name=/home/dan/.local/share/chezmoi/.git/objects/d0
2023-01-11T09:03:17-04:00 INF ReadDir component=system name=/home/dan/.local/share/chezmoi/.git/objects/df
2023-01-11T09:03:17-04:00 INF ReadDir component=system name=/home/dan/.local/share/chezmoi/.git/objects/e5
2023-01-11T09:03:17-04:00 INF ReadDir component=system name=/home/dan/.local/share/chezmoi/.git/objects/e6
2023-01-11T09:03:17-04:00 INF ReadDir component=system name=/home/dan/.local/share/chezmoi/.git/objects/ed
2023-01-11T09:03:17-04:00 INF ReadDir component=system name=/home/dan/.local/share/chezmoi/.git/objects/f3
2023-01-11T09:03:17-04:00 INF ReadDir component=system name=/home/dan/.local/share/chezmoi/.git/objects/f5
2023-01-11T09:03:17-04:00 INF ReadDir component=system name=/home/dan/.local/share/chezmoi/.git/objects/f6
2023-01-11T09:03:17-04:00 INF ReadDir component=system name=/home/dan/.local/share/chezmoi/.git/objects/info
2023-01-11T09:03:17-04:00 INF ReadDir component=system name=/home/dan/.local/share/chezmoi/.git/objects/pack
2023-01-11T09:03:17-04:00 INF ReadDir component=system name=/home/dan/.local/share/chezmoi/.git/refs
2023-01-11T09:03:17-04:00 INF ReadDir component=system name=/home/dan/.local/share/chezmoi/.git/refs/heads
2023-01-11T09:03:17-04:00 INF ReadDir component=system name=/home/dan/.local/share/chezmoi/.git/refs/remotes
2023-01-11T09:03:17-04:00 INF ReadDir component=system name=/home/dan/.local/share/chezmoi/.git/refs/remotes/origin
2023-01-11T09:03:17-04:00 INF ReadDir component=system name=/home/dan/.local/share/chezmoi/.git/refs/tags
2023-01-11T09:03:17-04:00 INF ReadDir component=system name=/home/dan/.local/share/chezmoi/Scripts
2023-01-11T09:03:17-04:00 INF ReadDir component=system name=/home/dan/.local/share/chezmoi/dot_aws
2023-01-11T09:03:17-04:00 INF ReadDir component=system name=/home/dan/.local/share/chezmoi/private_dot_ssh
[ERROR] 2023/01/11 09:03:17 connecting to desktop app: read: connection reset, make sure the CLI is correctly installed and Connect with 1Password CLI is enabled in the 1Password app
2023-01-11T09:03:17-04:00 ERR Output error="exit status 1" args=["op","signin","--raw"] duration=4.638792ms exitCode=1 output= path=/usr/bin/op size=0 userTime=4.88
chezmoi: template: arg1:1:3: executing "arg1" at <onepasswordRead "op://private/apple/username">: error calling onepasswordRead: /usr/bin/op signin --raw: exit status 1

Executing op signin --raw executes correctly (no output).

$ op signin --raw

$ op signin --raw --debug
9:08AM | DEBUG | NM request: NmRequestAccounts
9:08AM | DEBUG | NM response: Success
9:08AM | DEBUG | NM request: NmRequestAccounts
9:08AM | DEBUG | NM response: Success
9:08AM | DEBUG | NM request: NmRequestAuthorization
9:08AM | DEBUG | NM response: Success
9:08AM | DEBUG | NM request: NmRequestAccounts
9:08AM | DEBUG | NM response: Success

Thank you for your time.

twpayne commented 1 year ago

I think what is happening here is:

1Password uses polkit.
polkit does a bunch of checks on the client (the 1Password CLI, op, in this case) to determine whether it is allowed to connect to the server (the 1Password app, in this case).
The configuration of polkit on Pop_OS! prevents op from connecting to the 1Password server when op is executed by chezmoi.

The evidence I have to support this belief is;

chezmoi's 1Password integration works on many other distributions.
The error message from op when run by chezmoi includes connecting to desktop app: read: connection reset implying that the connection is made and then immediately dropped.

I use 1Password myself for my own secrets, and chezmoi works fine on Ubuntu 22.04 and Ubuntu 22.10. I vaguely recall seeing the same issue as you see when I briefly experimented with Pop_OS!. I did not investigate further at the time however.

I think you need to configure polkit on your machine to allow chezmoi to connect to 1Password. For reference, here is the content of /usr/share/polkit-1/actions/com.1password.1Password.policy on my Ubuntu 22.10 machine where chezmoi is allowed to talk to 1Password:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE policyconfig PUBLIC
 "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/PolicyKit/1.0/policyconfig.dtd">

<policyconfig>
    <action id="com.1password.1Password.unlock">
      <description>Unlock 1Password</description>
      <message>Authenticate to unlock 1Password</message>
      <defaults>
        <allow_any>auth_self</allow_any>
        <allow_inactive>auth_self</allow_inactive>
        <allow_active>auth_self</allow_active>
      </defaults>
    </action>
    <action id="com.1password.1Password.authorizeCLI">
      <description>Authorize CLI</description>
      <message>1Password CLI is trying to access your 1Password account.</message>
      <defaults>
        <allow_any>auth_self</allow_any>
        <allow_inactive>auth_self</allow_inactive>
        <allow_active>auth_self</allow_active>
      </defaults>
      <annotate key="org.freedesktop.policykit.owner">unix-user:twp </annotate>
    </action>
    <action id="com.1password.1Password.authorizeSshAgent">
      <description>Authorize SSH Agent</description>
      <message>1Password SSH Agent is trying to access your 1Password account.</message>
      <defaults>
        <allow_any>auth_self</allow_any>
        <allow_inactive>auth_self</allow_inactive>
        <allow_active>auth_self</allow_active>
      </defaults>
      <annotate key="org.freedesktop.policykit.owner">unix-user:twp </annotate>
     </action>
</policyconfig>

Note that my username is twp. You will need to replace twp with dan in the above.

Hope this helps as a starting point. This is a 1Password/Pop_OS! issue, not a chezmoi issue.

dmlo commented 1 year ago

@twpayne thank you very much for your prompt and detailed reply!

I diffed your com.1password.1Password.policy file against my own and the only difference was the username.

On a hunch I set up a Ubuntu VM and ran through my repro steps above and got the same error.

That in turn got me thinking that there must be something different about my installation to yours.

Back on Pop_OS! I uninstalled my copy of chezmoi (installed via asdf) and instead used the direct binary install, and the command succeeded.

So the actual problem is something to do with the way asdf does things.

Thank you again for your time. Closing as my problem is resolved.

twpayne / chezmoi