
Safely fetch secrets from 1Password defined in steno outlines.


Plover 1Password


This Plover extension plugin contains a meta that allows you to retrieve secrets defined in your 1Password vaults.

Install

[!WARNING] Windows users cannot currently go through the Plover Plugins manager for installation due to this GitHub issue related to getting the 1Password Python SDK library onto PyPI. Please see this issue for installation instructions that will require manual installation via Git.

  1. In the Plover application, open the Plugins Manager (either click the Plugins Manager icon, or from the Tools menu, select Plugins Manager).
  2. From the list of plugins, find plover-1password
  3. Click "Install/Update"
  4. When it finishes installing, restart Plover
  5. Complete the Setup steps
  6. After re-opening Plover, open the Configuration screen (either click the Configuration icon, or from the main Plover application menu, select Preferences...)
  7. Open the Plugins tab
  8. Check the box next to plover_1password to activate the plugin

Setup

Setting up 1Password to allow this plugin to make connections is a bit of an involved process, but you will only have to do it once.

Create a new Vault

Since 1Password does not allow third-party applications to access your Private or Personal vaults, you will need to put secrets you intend to access from Plover into a separate vault. Therefore, either create a new vault specifically for Plover to access, or use another existing non-Private/Personal vault you have.

Individual secrets cannot be shared across vaults, so if you have information in your Personal vault you want Plover to access, you will need to move or copy items from your Personal vault to the vault that Plover will access.

Create a Service Account Token

Follow the steps to create a Service Account, which will enable Plover to talk to 1Password.

This plugin only needs to retrieve secrets from 1Password, so when you get to the "Grant vault access" section of the Service Account creation process, after choosing the vault that Plover will access, set its access permissions to "Read Items" only.

Once the Service Account Token has been generated (and you save it to one of your vaults), you will need to copy the token into a local environment variable called OP_SERVICE_ACCOUNT_TOKEN, as per the requirements of the 1Password Python SDK, which this plugin uses to connect with 1Password:

macOS or Linux

In your .bashrc, .zshrc, or equivalent shell profile, add:

export OP_SERVICE_ACCOUNT_TOKEN=<your-service-account-token>

Windows

In your C:\Users\<user name>\Documents\WindowsPowerShell\Microsoft.Powershell_profile.ps1, or equivalent profile, add:

$ENV:OP_SERVICE_ACCOUNT_TOKEN = "<your-service-account-token>"

Manually install 1Password Python SDK

The 1Password Python SDK is not currently available on PyPI, which means you will need to install it manually directly via URL with the following Python pip command in order for the plugin to work properly:

python -m pip install git+https://git@github.com/1Password/onepassword-sdk-python.git@v0.1.1

Unfortunately, PyPI does not allow direct URL dependencies in projects, so in order to get this plugin onto PyPI, the SDK could not be listed as a required dependency in setup.cfg like:

[options]
install_requires =
    plover >= 4.0.0.dev12
    onepassword @ git+https://git@github.com/1Password/onepassword-sdk-python.git@v0.1.1

This means a manual installation process instead of the plugin automatically doing it for you.

Currently, this GitHub issue is tracking adding the SDK to PyPI, which when closed will eliminate this step.

Install 1Password CLI and turn on desktop app integration

Follow all the steps to Get started with 1Password CLI to install the 1Password Command-line tool, and turn on its 1Password app integration.

Once you have completed this step, a new Copy Secret Reference option will become available to you in the dropdown menu, next to the Copy button, at the end of each field in your document item. These secret references can be thought of as pointers to where a secret is saved, rather than the value of the secret itself, and they are what you will use directly in steno outline translations. They have the following format:

op://<vault-name>/<item-name>/[section-name/]<field-name>

[!NOTE] Secret references adhere to the following set of syntax rules:

  • alphanumeric characters (a-z, A-Z, 0-9)
  • -, _, . and the whitespace character

Therefore, make sure your vault, item, section, and field names adhere to these rules and do not contain any other types of characters.

How To Use

In your steno outline translations, use the secret references provided by 1Password to specify the secret you wish to retrieve.

For example, the following outline would retrieve the "Mobile" secret defined in a "Plover" vault, within a "Personal" item, under a "Phone" section:

"TPOEPB/TPOEPB": "{:1PASSWORD:op://Plover/Personal/Phone/Mobile}"

If you are publishing or sharing your steno dictionaries publicly, and/or do not want to specify the names of your vaults or items etc in your outlines, you can define them instead within local environment variables on your computer, and the plugin will expand them inline:

macOS or Linux

"TPOEPB/TPOEPB": "{:1PASSWORD:op://$VAULT_NAME/$ITEM_NAME/$SECTION_NAME/Mobile}"

Windows

"TPOEPB/TPOEPB": "{:1PASSWORD:op://$ENV:VAULT_NAME/$ENV:ITEM_NAME/$ENV:SECTION_NAME/Mobile}"

Given that the plugin is making a connection out to 1Password, it can take a few seconds before the secret value actually outputs (or you are shown an error).

[!NOTE] Service account tokens are subject to rate limits by 1Password, but they should be more than enough for normal usage of this plugin.
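The following is an added example, not the plugin's own code, of expanding the environment variable placeholders shown above and checking the result against the secret reference format before it is sent to 1Password. The function and class names are hypothetical, and it assumes the character rules listed earlier apply to each path segment; an unset variable, or a value that is not a single valid segment, is treated as an error rather than passed through.

```python
import os
import re

# Assumption: the character rules listed earlier apply to every path segment.
_SEGMENT = re.compile(r"[A-Za-z0-9\-_. ]+")
# Matches both styles shown above: $NAME (macOS/Linux) and $ENV:NAME (Windows).
_VAR = re.compile(r"\$(?:ENV:)?([A-Za-z_][A-Za-z0-9_]*)")


class SecretReferenceError(ValueError):
    """Raised when a reference cannot be safely expanded or is malformed."""


def expand_reference(reference, env=None):
    """Replace $NAME / $ENV:NAME placeholders, failing closed on bad values."""
    env = os.environ if env is None else env

    def substitute(match):
        name = match.group(1)
        value = env.get(name, "")
        # Each value must be exactly one segment: a "/" inside it would
        # silently shift which vault, item or field is requested.
        if not _SEGMENT.fullmatch(value):
            raise SecretReferenceError(
                f"environment variable {name} is unset or not a valid segment"
            )
        return value

    return _VAR.sub(substitute, reference)


def parse_reference(reference, env=None):
    """Return (vault, item, section_or_None, field) for a valid reference."""
    expanded = expand_reference(reference, env)
    if not expanded.startswith("op://"):
        raise SecretReferenceError("secret reference must start with op://")
    segments = expanded[len("op://"):].split("/")
    if len(segments) not in (3, 4):
        raise SecretReferenceError("expected vault/item/[section/]field")
    for segment in segments:
        if not _SEGMENT.fullmatch(segment):
            raise SecretReferenceError(f"invalid segment {segment!r}")
    vault, item, *section, field = segments
    return vault, item, (section[0] if section else None), field
```
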

Development

Clone from GitHub with git and install test-related dependencies:

git clone git@github.com:paulfioravanti/plover-1password.git
cd plover-1password
python -m pip install --editable ".[test]"

If you are a Tmuxinator user, you may find my plover-1password project file useful as a reference.

Python Version

Plover's Python environment currently uses version 3.9 (see Plover's workflow_context.yml to confirm the current version).

So, in order to avoid unexpected issues, use your runtime version manager to make sure your local development environment also uses Python 3.9.x.

Testing

Currently, the only parts able to be tested are ones that do not rely directly on Plover.

Run tests, coverage, and linting with the following commands:

pytest --cov --cov-report=term-missing
pylint plover_1password
mypy plover_1password

To get an HTML test coverage report:

coverage run --module pytest
coverage html
open htmlcov/index.html

If you are a just user, you may find the justfile useful during development in running multiple test commands. You can run the following command from the project root directory:

just --working-directory . --justfile test/justfile

Deploying Changes

After making any code changes, deploy the plugin into Plover with the following command:

plover --script plover_plugins install --editable .

Where plover in the command is a reference to your locally installed version of Plover. See the Invoke Plover from the command line page for details on how to create that reference.

When necessary, the plugin can be uninstalled via the command line with the following command:

plover --script plover_plugins uninstall plover-1password


Source Distribution

plover_1password-0.3.18.tar.gz (26.1 kB)

Uploaded Source

Built Distribution

plover_1password-0.3.18-py3-none-any.whl (25.7 kB)

Uploaded Python 3

File details

Details for the file plover_1password-0.3.18.tar.gz.

File metadata

  • Download URL: plover_1password-0.3.18.tar.gz
  • Size: 26.1 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/5.1.1 CPython/3.12.7

File hashes

Hashes for plover_1password-0.3.18.tar.gz
Algorithm Hash digest
SHA256 3cc94eac12df8ba5e0dd7b09fd54fc048e13f1f2c7664e2dda33d62d7c1355d9
MD5 3dda0a6013ad352d2bed77ea1083f440
BLAKE2b-256 33fc64475beaf80d6b859a596d00ae2bf70077bad3455cc458ba570f601810e3


File details

Details for the file plover_1password-0.3.18-py3-none-any.whl.

File hashes

Hashes for plover_1password-0.3.18-py3-none-any.whl
Algorithm Hash digest
SHA256 3f5668ecf14cd5275a3d75f0082987baf7598d7cb4e4b8c3836c6acf7ee84068
MD5 2c346a85b8ca7b6f4f044c13e84b4806
BLAKE2b-256 69a29c631be94f1a47875533a8103b339592a54ab707f002d006127734e8ac87
