Install 1Password CLI from package repo

Author: taylorific

cookbooks/boxcutter_onepassword/kitchen.yml

@@ -40,6 +40,11 @@ platforms:
       image: boxcutter/dokken-ubuntu-24.04
       pid_one_command: /bin/systemd
 
+  - name: debian-12
+    driver:
+      image: boxcutter/dokken-debian-12
+      pid_one_command: /bin/systemd
+
   - name: centos-stream-9
     driver:
       image: boxcutter/dokken-centos-stream-9
@@ -57,6 +62,16 @@ suites:
       inspec_tests:
         - test/integration/cli
     attributes:
+    lifecycle:
+      pre_converge:
+        - remote: |
+            bash -xc '
+              set +x
+              mkdir -p /etc/cinc
+              ln -s /etc/cinc /etc/chef
+              echo "<%= ENV['OP_SERVICE_ACCOUNT_TOKEN'] %>" > /etc/chef/op_service_account_token
+              set -x
+            '
 
   - name: service-account
     named_run_list: boxcutter_onepassword_test_service_account
@@ -104,4 +119,4 @@ suites:
               echo "<%= ENV['OP_CONNECT_TOKEN'] %>" > /etc/chef/op_connect_token
               echo "<%= ENV['OP_SERVICE_ACCOUNT_TOKEN'] %>" > /etc/chef/op_service_account_token
               set -x
-            '
+            '

cookbooks/boxcutter_onepassword/libraries/onepassword.rb

@@ -1,22 +1,26 @@
 module Boxcutter
   class OnePassword
+    def self.op_whoami(type = 'auto')
+      command = "#{op_cli} whoami"
+      shellout = Mixlib::ShellOut.new(command, :env => op_environment(type))
+      shellout.run_command
+      shellout.error!
+      shellout.stdout.strip
+    end
     def self.op_read(reference, type = 'auto')
       environment = op_environment(type)
-
-      if !::File.exist?('/usr/local/bin/op')
-        install_op_cli
-      end
+      cli = op_cli
 
       # 1Password Connect Server does not support op user get --me
       if ['auto', 'service_account'].include?(type)
-        command = '/usr/local/bin/op user get --me'
+        command = "#{cli} user get --me"
         shellout = Mixlib::ShellOut.new(command, :env => environment)
         shellout.run_command
         shellout.error!
         Chef::Log.debug("boxcutter_onepassword[op_read]: op user get --me\n#{shellout.stdout}")
       end
 
-      command = "/usr/local/bin/op read '#{reference}'"
+      command = "#{cli} read '#{reference}'"
       shellout = Mixlib::ShellOut.new(command, :env => environment)
       shellout.run_command
       shellout.error!
@@ -26,11 +30,7 @@ def self.op_read(reference, type = 'auto')
     def self.op_document_get(item, vault, type = 'auto')
       environment = op_environment(type)
 
-      if !::File.exist?('/usr/local/bin/op')
-        install_op_cli
-      end
-
-      op_document_cmd = ['/usr/local/bin/op', 'document', 'get', "'#{item}'"]
+      op_document_cmd = [op_cli, 'document', 'get', "'#{item}'"]
       op_document_cmd << "--vault '#{vault}'" unless vault.nil?
 
       command = op_document_cmd.join(' ')
@@ -61,10 +61,23 @@ def self.op_environment(type)
       environment
     end
 
+    def self.bootstrap_op_cli
+      '/opt/onepassword/bin/op'
+    end
+
+    def self.op_cli
+      if !::File.exist?('/usr/bin/op')
+        install_bootstrap_op_cli
+        return bootstrap_op_cli
+      end
+
+      '/usr/bin//op'
+    end
+
     # If "op_read" is called during compile time, this might happen before
     # the main default recipe runs to install the cli. Bootstrap the 1Password
     # cli at compile time to ensure things don't fail at this point.
-    def self.install_op_cli
+    def self.install_bootstrap_op_cli
       require 'rbconfig'
       require 'net/http'
       require 'uri'
@@ -73,6 +86,7 @@ def self.install_op_cli
       architecture = RbConfig::CONFIG['host_cpu']
       puts "MISCHA: architecture #{architecture}"
 
+      # https://releases.1password.com/developers/cli/
       url = 'https://cache.agilebits.com/dist/1P/op2/pkg/v2.31.1/op_linux_amd64_v2.31.1.zip'
       if ['aarch64', 'arm64'].include?(architecture)
         url = 'https://cache.agilebits.com/dist/1P/op2/pkg/v2.31.1/op_linux_arm64_v2.31.1.zip'
@@ -94,8 +108,10 @@ def self.install_op_cli
         end
       end
 
-      unzip_file(tmp_path, 'op', '/usr/local/bin')
-      ::File.chmod(0o755, '/usr/local/bin/op')
+      bootstrap_op_cli_dirname = ::File.dirname(bootstrap_op_cli)
+      FileUtils.mkdir_p(bootstrap_op_cli_dirname) unless Dir.exist?(bootstrap_op_cli_dirname)
+      unzip_file(tmp_path, 'op', bootstrap_op_cli_dirname)
+      ::File.chmod(0o755, ::File.join(bootstrap_op_cli_dirname, 'op'))
     end
 
     def self.unzip_file(zip_file, filename, destination)

cookbooks/boxcutter_onepassword/recipes/cli.rb

@@ -16,6 +16,91 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-boxcutter_onepassword_zipfile 'op' do
-  bin_links %w{op}
+case node['platform']
+when 'ubuntu', 'debian'
+  case node['kernel']['machine']
+  when 'x86_64', 'amd64'
+    node.default['fb_apt']['sources']['onepassword'] = {
+      'key' => 'onepassword',
+      'url' => 'https://downloads.1password.com/linux/debian/amd64',
+      'suite' => 'stable',
+      'components' => ['main'],
+    }
+  when 'aarch64', 'arm64'
+    node.default['fb_apt']['sources']['onepassword'] = {
+      'key' => 'onepassword',
+      'url' => 'https://downloads.1password.com/linux/debian/arm64',
+      'suite' => 'stable',
+      'components' => ['main'],
+    }
+  end
+
+  # curl -sS https://downloads.1password.com/linux/keys/1password.asc
+  node.default['fb_apt']['keymap']['onepassword'] = <<~EOS
+    -----BEGIN PGP PUBLIC KEY BLOCK-----
+    
+    mQINBFkeAh4BEACy6fUHiFi/YvXZ2E5Gs7qFL8TSKQGLt0g8w/NtBotMNveW2Nzg
+    aXcmJ2E0aXY7nBRtpIgRRrb7XuskDZwGmVx4PQshaZuIozS0T1kdMitobi4k3g2M
+    551yf1bPWl1neVJ5MmbpknnaIG6VjMHxcRKE0xXDYhpBtt7QQQw1HT8vOjUOXBUf
+    VIj2o7I/+cRGNgDdkbuGRccC8hSGyiWXy4FY8xPvxMSCXoL5w531ewaGl/M+mAOC
+    3c6T7S05CcNN50Z6wulCiDZGvuJ2547E5iU9KClAEchJH9yQ2PkLHy3OQi0lBt+4
+    PmGeBOIxvFVXGbtGGtx6oFZxVaYDzF+BHHHRRdUs75pWzRm5y/3j0j+O4UKLWvMx
+    3SN7gRRu6gP5nvOw6wdyYerci2NHx1JJKlM6d6zxEj+cJ4GoBeJQhJi3UVpDy0Hh
+    TX3iid9Zz1ansQrSujXU2t82695WTGau5sarheDya4niKfVOh4IDMBbA17fnqJbS
+    ttYiL5i4+eqXbkAItdq+skhqqUElrROC0RKiXhX00nHu+ASHYupr/1Ac9/jdk0wG
+    TNb1ue76aBGJHZA0U67onp/MkVEOCv04nHRZbHArM0w52v40VIaUax5ZYfLSOIkq
+    IkPHoywmhR7W6QVlBbjP6zWVrTAWEnPx2VDQVk1CX29n/kM/J1kE60poZQARAQAB
+    tDNDb2RlIHNpZ25pbmcgZm9yIDFQYXNzd29yZCA8Y29kZXNpZ25AMXBhc3N3b3Jk
+    LmNvbT6JAlQEEwEIAD4CGwMFCwkIBwMFFQoJCAsFFgIDAQACHgECF4AWIQQ/75dI
+    Rprb4V2nyoCsLWJ0IBLqIgUCaAf6fgUJHDSngAAKCRCsLWJ0IBLqItFpD/0QlwqC
+    5Z0YX3y8zX1J1uMkL/eQIxHJzq7aJeh7Nh5MofGl9SA0YPhU3JEwyVAZYmXzelMA
+    c65YevrY7VK2yqUi8Oec7OtaMQx3Kf3hxnY69kqfkIJr+qBOZCIofpdpZYFBUyf0
+    bSknt6YOlPQJezJJ0w47n87/Mrqn3BM29x8CQm4ZbbnEp8AjWUysCmwjFoc8os+k
+    pRAylUKE/3WZb/LHErTbGjjX8d/QaCR8HYYGjsBzx3EAxn3/zlpDdoIZ3NGUZ6Eo
+    GWRZHnGDZySMFjBPetYtXKBwPFGxxWxjlH2Me8j0z8jlIl5OmaypIA8b2QSl0BuR
+    CX2fgMnCSOQWK68xTc7+3aV8cqXhVww1j56TrIMCQL/majXd9SWO4AyXsqKC5qv/
+    hTC+x6EulEskgbo+W0Y8wAgO9PA438e5RucLugqSYMNPvXuj1IPY1OncBQagWup0
+    KzBskSox9b44QrC1uPkuMELIvugWAGJ8XpV+PcWsxLIrSBou5sSEmmnT9Q4Uag/u
+    24EEbenbG+6KvIi9QN6fDrryqmmUEBoboXWXEOJrVhjtUg4HH84RNUjF12bd4kcu
+    pwEnZd/31ajITCotC5BcTvm0WGs2dmDQaX+9PlvxRSUWgZjDo7y8QVRMbYOvZ9zY
+    vsIBfsOEMPeJwqarla1aZxSyuv8BFYE/g27dXYkCMwQQAQgAHRYhBPAnWT97ensh
+    T+2Lyy37ftAFej6jBQJZH38iAAoJEC37ftAFej6jNj8QAM5NpjCS0FYP3eLUoGYE
+    CUHKAkCPim37Wuz0E1L8zwg02XQbzwQ/99hpCbsgqm8s/cCIprfJ0ioGnMa25IJN
+    0keLLgocJQHeq+7Dw+tGrqVFU3Dnpyg2F7FBSTL5fvGYtPJe8Om7FFS9bm6nDytk
+    vQ7fnyZxC3l+WyxlcQeYahgW4YIMZ4qOBY+ZE4m+Y2SXTAm3qKIbJJ/oixSVXCJS
+    g964G7A7PN7RMqfKsbwL2ec4CsnOfYl6xe38muPXChvwZtoW1VtNZiBYkKfEOg4U
+    57cJqclNp8GQRXcSfHY3G9hRIaJic6KFrjBlgwVHpRpSxhj1ydp/RghbjUBzuY22
+    hgpHeVdw2wFDVef9st+3XHu6JiEHrGpWjc7VTpCiiYaHAPIFWMu8B9gnQrxc9ZXw
+    0OzS4vu82mAiyitvw+dY3V4U5uo0q56iyswmDs2S2Kn8/510n2vdCqEtaKMV5cV+
+    cnF1aU1PdRct/ZMfqOC+VcfTiS/Svx5/BCie0nIATJGcYtuX9fFd4Z0V3T0N6aM7
+    QENgOny7X/zJgp5dWbgkv3Qyz83rz32cfcv9gSf8yUjV3/NsxrzCeKxFWFn+oPh3
+    +PTforlP1OsyZORh9IgtoQ5Jqk6YYnSsYkJfseZVQigVpaD2nWwSmmQHMnHmwDvP
+    CXKaBqnE2TXnoqXw4o8nSRvYiQEcBBABCAAGBQJZH3WeAAoJEL1Y5xxC89TUrRoH
+    /iGhamPA0Z/ldEtBhSYGj/307UvFywP2tlXTeJqma1XwEBzXvx6j9Xn8pLIlvFh3
+    /ouLmP36bY+Ftj8Im3EWGnmVm5joe5S2hDLQI7FDbWGUwJePDNaMxC/SsvVzkXJz
+    jAvajVAReB3Pu93SfsraNV/nNMGO4ALW+1Z1p/tzgwW7G4YpiXmRZ1EcL688MQKB
+    /B8IrKajadMk5avGsoPc53MFEDOboZ3lA7F9WnuS6OSX3zBqyiPYxWskAiVf2TVK
+    lBU54ptBq8ruhKAQqn54VJ9A3jX31XAcEv1YBw44bPvZzMPxc51ufODSWN80Y5Tu
+    i5hpxQVKjCfhjtBaYrwtTnuIXQQQEQIAHRYhBCIx3/CGnuOliFrn1PeHeivJxAwx
+    BQJZsEYgAAoJEPeHeivJxAwxo6oAn1dFjYZNzLyIhZeKaeIiZwGmq/9EAJ4+fRg9
+    P4I7jHwe0BN3iNAG1nKbGg==
+    =+LeX
+    -----END PGP PUBLIC KEY BLOCK-----
+  EOS
+when 'centos'
+  node.default['fb_yum_repos']['repos']['onepassword'] = {
+    'repos' => {
+      'onepassword' => {
+        'name' => '1Password Stable Channel',
+        'baseurl' => 'https://downloads.1password.com/linux/rpm/stable/$basearch',
+        'gpgcheck' => true,
+        'repo_gpgcheck' => true,
+        'gpgkey' => 'https://downloads.1password.com/linux/keys/1password.asc',
+      },
+    },
+  }
+end
+
+package '1password-cli' do
+  action :upgrade
 end

cookbooks/boxcutter_onepassword/test/cookbooks/boxcutter_onepassword_test/recipes/cli.rb

@@ -3,4 +3,6 @@
 # Recipe:: cli
 #
 
+puts "MISCHA: #{Boxcutter::OnePassword::op_whoami}"
+
 include_recipe 'boxcutter_onepassword::cli'

cookbooks/boxcutter_onepassword/test/integration/cli/cli_test.rb

@@ -1,8 +1,8 @@
-describe command('/opt/op/bin/op -h') do
+describe command('/usr/bin/op -h') do
   its('exit_status') { should eq 0 }
   its('stdout') { should match(/1Password CLI/) }
 end
 
-describe command('/usr/local/bin/op') do
+describe command('/usr/bin/op') do
   it { should exist }
 end