Safely fetch secrets from 1Password defined in steno outlines.
Project description
Plover 1Password
This Plover extension plugin contains a meta that allows you to retrieve secrets defined in your 1Password vaults.
Install
- In the Plover application, open the Plugins Manager (either click the Plugins
Manager icon, or from the
Tools
menu, selectPlugins Manager
). - From the list of plugins, find
plover-1password
- Click "Install/Update"
- When it finishes installing, restart Plover
- Complete the Setup steps
- After re-opening Plover, open the Configuration screen (either click the
Configuration icon, or from the main Plover application menu, select
Preferences...
) - Open the Plugins tab
- Check the box next to
plover_1password
to activate the plugin
Setup
Setting up 1Password to allow this plugin to make connections is a bit of an involved process, but you will only have to do it once.
Create a new Vault
Since 1Password does not allow third-party applications to access your Private or Personal vaults, you will need to put secrets you intend to access from Plover into a separate vault. Therefore, either create a new vault specifically for Plover to access, or use another existing non-Private/Personal vault you have.
Individual secrets cannot be shared across vaults, so if you have information in your Personal vault you want Plover to access, you will need to move or copy items from your Personal vault to the vault that Plover will access.
Create a Service Account Token
Follow the steps to create a Service Account, which will enable Plover to talk to 1Password.
This plugin only needs to retrieve secrets from 1Password, so when you get to the "Grant vault access" section of the Service Account creation process, after choosing the vault that Plover will access, set its access permissions to "Read Items" only.
Once the Service Account Token has been generated (and you save it to one of
your vaults), you will need to copy the token into a local environment
variable called $OP_SERVICE_ACCOUNT_TOKEN
, as per the requirements of the
1Password Python SDK, which this plugin uses to connect with 1Password:
macOS or Linux
export OP_SERVICE_ACCOUNT_TOKEN=<your-service-account-token>
Windows
$Env:OP_SERVICE_ACCOUNT_TOKEN = "<your-service-account-token>"
Manually install 1Password Python SDK
The 1Password Python SDK is not currently available on PyPI, which means you will need to install it manually directly via URL with the following Python pip command in order for the plugin to work properly:
python -m pip install git+https://git@github.com/1Password/onepassword-sdk-python.git@v0.1.1
Unfortunately, PyPi does not allow direct URL dependencies in projects, so
in order to get this plugin on to PyPI, the SDK could not be listed as an
install_requires
library (eg
onepassword @ git+ssh://git@github.com/1Password/onepassword-sdk-python.git@v0.1.1
,
meaning a manual installation process instead of the plugin automatically doing
it for you.
Currently, this GitHub issue is tracking adding the SDK to PyPI.
Install 1Password CLI and turn on desktop app integration
Follow all the steps to Get started with 1Password CLI to install the 1Password Command-line tool, and turn on its 1Password app integration.
Once you have completed this step, a new Copy Secret Reference option will
become available to you in the v
dropdown menu, next to the Copy button, at
the end of each field in your document item. It is these secret references,
which can be thought of as references or pointers to where a secret is saved,
rather than the value of the secret itself, that will be used directly in steno
outline translations. They have the following format:
op://<vault-name>/<item-name>/[section-name/]<field-name>
[!NOTE] Secret references adhere to the following set of syntax rules:
- alphanumeric characters (
a-z
,A-Z
,0-9
)-
,_
,.
and the whitespace characterTherefore, make sure your vault, item, section, and field names adhere to these rules and do not contain any other types of characters.
How To Use
In your steno outline translations, use the secret references provided by 1Password to specify the secret you wish to retrieve.
For example, the following outline would retrieve the "Mobile" secret defined in a "Plover" vault, within a "Personal" item, under a "Phone" section:
"TPOEPB/TPOEPB": "{:1PASSWORD:op://Plover/Personal/Phone/Mobile}"
If you are publishing or sharing your steno dictionaries publicly, and/or do not want to specify the names of your vaults or items etc in your outlines, you can define them instead within local environment variables on your computer, and the plugin will expand them inline:
macOS or Linux
"TPOEPB/TPOEPB": "{:1PASSWORD:op://$VAULT_NAME/$ITEM_NAME/$SECTION_NAME/Mobile}"
Windows
"TPOEPB/TPOEPB": "{:1PASSWORD:op://$ENV:VAULT_NAME/$ENV:ITEM_NAME/$ENV:SECTION_NAME/Mobile}"
Given that the plugin is making a connection out to 1Password, it can take a few seconds before the secret value actually outputs (or you are shown an error).
[!NOTE] Service account tokens are subject to rate limits by 1Password, but they should be more than enough for normal usage of this plugin.
Development
Clone from GitHub with git and install test-related dependencies:
git clone git@github.com:paulfioravanti/plover-1password.git
cd plover-1password
python -m pip install --editable ".[test]"
If you are a Tmuxinator user, you may find my plover-1password project file of reference.
Python Version
Plover's Python environment currently uses version 3.9 (see Plover's
workflow_context.yml
to confirm the current version).
So, in order to avoid unexpected issues, use your runtime version manager to make sure your local development environment also uses Python 3.9.x.
Testing
- Pytest with pytest-asyncio are used for testing in this plugin.
- Coverage.py and pytest-cov are used for test coverage, and to run coverage within Pytest
- Pylint is used for code quality
- Mypy is used for static type checking
Currently, the only parts able to be tested are ones that do not rely directly on Plover.
Run tests, coverage, and linting with the following commands:
pytest --cov --cov-report=term-missing
pylint plover_1password
mypy plover_1password
To get a HTML test coverage report:
coverage run --module pytest
coverage html
open htmlcov/index.html
If you are a just
user, you may find the justfile
useful during
development in running multiple test commands. You can run the following command
from the project root directory:
just --working-directory . --justfile test/justfile
Deploying Changes
After making any code changes, deploy the plugin into Plover with the following command:
plover --script plover_plugins install --editable .
Where
plover
in the command is a reference to your locally installed version of Plover. See the Invoke Plover from the command line page for details on how to create that reference.
When necessary, the plugin can be uninstalled via the command line with the following command:
plover --script plover_plugins uninstall plover-1password
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
File details
Details for the file plover_1password-0.3.15.tar.gz
.
File metadata
- Download URL: plover_1password-0.3.15.tar.gz
- Upload date:
- Size: 25.2 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/5.1.1 CPython/3.12.6
File hashes
Algorithm | Hash digest | |
---|---|---|
SHA256 | fe1c136031f411e77d028825ce9bfb0a4d8d4de577c31438abeb340ab52fc11f |
|
MD5 | 72976b6de97794ddda69fdf1f10d047c |
|
BLAKE2b-256 | ce5a89ecc634206ccab07f1d377ee5dcaef6b724822084bbd79d452e09f20e7e |
File details
Details for the file plover_1password-0.3.15-py3-none-any.whl
.
File metadata
- Download URL: plover_1password-0.3.15-py3-none-any.whl
- Upload date:
- Size: 25.0 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/5.1.1 CPython/3.12.6
File hashes
Algorithm | Hash digest | |
---|---|---|
SHA256 | e0a9c27119e8ddfdb9af6df48b95b4afcdb1323dfea989696e851690c63c29f8 |
|
MD5 | 18dda26ebb0ffb845f6248342dc2bf2a |
|
BLAKE2b-256 | 1ad8779c3a8c750d3896d33f532adda319fcd0dc0da5fdb1f267d6eb2b04b19e |