Add a ResourceLoader to fetch 1Password secrets using the

1Password CLI, includes a FakeResourceProvider implementation

GitOrigin-RevId: d64ef1c42ed84adcc9200f50049127a1636a0d08

Author: aepifano-square

Diff for: misk-config/api/misk-config.api

@@ -95,6 +95,8 @@ public final class misk/resources/ResourceLoader$Companion {
 
 public final class misk/resources/ResourceLoaderModule : misk/inject/KAbstractModule {
 	public fun <init> ()V
+	public fun <init> (Z)V
+	public synthetic fun <init> (ZILkotlin/jvm/internal/DefaultConstructorMarker;)V
 }
 
 public final class misk/resources/TestingResourceLoaderModule : misk/inject/KAbstractModule {

Diff for: misk-config/src/main/kotlin/misk/resources/ResourceLoaderModule.kt

@@ -10,16 +10,21 @@ import wisp.resources.EnvironmentResourceLoaderBackend
 import wisp.resources.FakeFilesystemLoaderBackend
 import wisp.resources.FilesystemLoaderBackend
 import wisp.resources.MemoryResourceLoaderBackend
+import wisp.resources.FakeResourceLoaderBackend
+import wisp.resources.OnePasswordResourceLoaderBackend
 import wisp.resources.ResourceLoader as WispResourceLoader
 
-class ResourceLoaderModule : KAbstractModule() {
+class ResourceLoaderModule @JvmOverloads constructor(private val isReal: Boolean = true) : KAbstractModule() {
   override fun configure() {
     val mapBinder = newMapBinder<String, WispResourceLoader.Backend>()
 
     mapBinder.addBinding(ClasspathResourceLoaderBackend.SCHEME).toInstance(ClasspathResourceLoaderBackend)
     mapBinder.addBinding(FilesystemLoaderBackend.SCHEME).toInstance(FilesystemLoaderBackend)
     mapBinder.addBinding(MemoryResourceLoaderBackend.SCHEME).toInstance(MemoryResourceLoaderBackend())
     mapBinder.addBinding(EnvironmentResourceLoaderBackend.SCHEME).toInstance(EnvironmentResourceLoaderBackend)
+    if (!isReal) {
+      mapBinder.addBinding(OnePasswordResourceLoaderBackend.SCHEME).toInstance(OnePasswordResourceLoaderBackend)
+    }
   }
 }
 
@@ -45,6 +50,14 @@ class TestingResourceLoaderModule : KAbstractModule() {
   internal fun fakeFilesystemLoaderBackend(
     @ForFakeFiles fakeFiles: Map<String, String>
   ): WispResourceLoader.Backend = FakeFilesystemLoaderBackend(fakeFiles)
+
+  @ProvidesIntoMap
+  @StringMapKey(OnePasswordResourceLoaderBackend.SCHEME)
+  @Singleton
+  @Suppress("unused")
+  internal fun fakeOnePasswordResourceLoaderBackend(
+    @ForFakeFiles fakeFiles: Map<String, String>
+  ): WispResourceLoader.Backend = FakeResourceLoaderBackend(fakeFiles)
 }
 
 @Qualifier

Diff for: misk/src/main/kotlin/misk/MiskServiceModule.kt

@@ -27,7 +27,7 @@ class MiskRealServiceModule @JvmOverloads constructor(
   private val serviceManagerConfig: ServiceManagerConfig = ServiceManagerConfig(),
 ) : KAbstractModule() {
   override fun configure() {
-    install(ResourceLoaderModule())
+    install(ResourceLoaderModule(isReal = true))
     install(RealEnvVarModule())
     install(ClockModule())
     install(SleeperModule())

Diff for: settings.gradle.kts

@@ -8,9 +8,6 @@ pluginManagement {
 }
 
 plugins {
-  // When updating the cash plugin versions, update .buildkite/scripts/copy.bara.sky too
-  id("com.squareup.cash.develocity") version "1.220.1"
-  id("com.squareup.cash.remotecache") version "1.220.1"
   id("com.gradle.develocity") version "3.18.2"
 }
 

Diff for: wisp/wisp-resource-loader-testing/api/wisp-resource-loader-testing.api

@@ -4,3 +4,11 @@ public final class wisp/resources/FakeFilesystemLoaderBackend : wisp/resources/R
 	public fun open (Ljava/lang/String;)Lokio/BufferedSource;
 }
 
+public final class wisp/resources/FakeResourceLoaderBackend : wisp/resources/ResourceLoader$Backend {
+	public fun <init> (Ljava/util/Map;)V
+	public fun checkPath (Ljava/lang/String;)V
+	public fun exists (Ljava/lang/String;)Z
+	public fun list (Ljava/lang/String;)Ljava/util/List;
+	public fun open (Ljava/lang/String;)Lokio/BufferedSource;
+}
+

Diff for: wisp/wisp-resource-loader-testing/src/main/kotlin/wisp/resources/FakeResourceLoaderBackend.kt

@@ -0,0 +1,27 @@
+package wisp.resources
+
+import okio.Buffer
+import okio.BufferedSource
+
+/**
+ * A fake [ResourceLoader.Backend] loads resources from an in-memory map. This does not have the
+ * same well-formed filepath guarantees that [FakeFilesystemLoaderBackend] provides, which assumes
+ * resource paths are file-like and will throw exceptions for malformed resource paths
+ */
+class FakeResourceLoaderBackend(private val fakeResources: Map<String, String>) : ResourceLoader.Backend() {
+  override fun checkPath(path: String) {
+    require(fakeResources.containsKey(path))
+  }
+
+  override fun list(path: String): List<String> {
+    return if (fakeResources.containsKey(path)) listOf(path) else emptyList()
+  }
+
+  override fun open(path: String): BufferedSource? {
+    return fakeResources[path]?.let { Buffer().writeUtf8(it) }
+  }
+
+  override fun exists(path: String): Boolean {
+    return fakeResources.containsKey(path)
+  }
+}

Diff for: wisp/wisp-resource-loader/api/wisp-resource-loader.api

@@ -41,6 +41,30 @@ public final class wisp/resources/MemoryResourceLoaderBackend : wisp/resources/R
 public final class wisp/resources/MemoryResourceLoaderBackend$Companion {
 }
 
+public final class wisp/resources/OnePasswordResourceLoaderBackend : wisp/resources/ResourceLoader$Backend {
+	public static final field INSTANCE Lwisp/resources/OnePasswordResourceLoaderBackend;
+	public static final field SCHEME Ljava/lang/String;
+	public fun checkPath (Ljava/lang/String;)V
+	public fun exists (Ljava/lang/String;)Z
+	public fun list (Ljava/lang/String;)Ljava/util/List;
+	public fun open (Ljava/lang/String;)Lokio/BufferedSource;
+}
+
+public final class wisp/resources/OnePasswordResourcePath {
+	public static final field Companion Lwisp/resources/OnePasswordResourcePath$Companion;
+	public synthetic fun <init> (Ljava/lang/String;Ljava/lang/String;Lkotlin/jvm/internal/DefaultConstructorMarker;)V
+	public final fun asCliArgs ()Ljava/util/List;
+	public final fun asCliArgs (Ljava/lang/String;)Ljava/util/List;
+	public static synthetic fun asCliArgs$default (Lwisp/resources/OnePasswordResourcePath;Ljava/lang/String;ILjava/lang/Object;)Ljava/util/List;
+	public final fun getAccount ()Ljava/lang/String;
+	public final fun getSecretReference ()Ljava/lang/String;
+	public fun toString ()Ljava/lang/String;
+}
+
+public final class wisp/resources/OnePasswordResourcePath$Companion {
+	public final fun fromPath (Ljava/lang/String;)Lwisp/resources/OnePasswordResourcePath;
+}
+
 public class wisp/resources/ResourceLoader {
 	public static final field Companion Lwisp/resources/ResourceLoader$Companion;
 	public fun <init> (Ljava/util/Map;)V

Diff for: wisp/wisp-resource-loader/src/main/kotlin/wisp/resources/OnePasswordResourceLoaderBackend.kt

@@ -0,0 +1,105 @@
+package wisp.resources
+
+import okio.Buffer
+import okio.BufferedSource
+import okio.source
+import java.io.IOException
+
+/**
+ * Read-only resources that are fetched from the 1password-cli (`op`) tool.
+ *
+ * To use, please:
+ * 1. ensure the 1password-cli is installed with `hermit install op` or `brew install 1password-cli`.
+ * 2. make sure to enable the cli integration in the 1password app: https://developer.1password.com/docs/cli/app-integration/#step-1-turn-on-the-app-integration.
+ * 3. check that the secret being accessed is available. You can get the secret-reference by following: https://developer.1password.com/docs/cli/secret-references/#step-1-get-secret-references
+ *
+ * This uses the scheme `1password:`. Secret-references from 1password can therefore be used after
+ * copy-pasting and replacing "op" like so: "1password://secretRef/goes/here". To use a specific
+ * account, add the accountId like so "1password:accountId@//secretRef/goes/here".
+ */
+object OnePasswordResourceLoaderBackend : ResourceLoader.Backend() {
+  const val SCHEME = "1password:"
+
+  override fun checkPath(path: String) {
+    OnePasswordResourcePath.fromPath(path)
+  }
+
+  override fun list(path: String): List<String> {
+    require(path.isNotEmpty())
+
+    return listOf(OnePasswordResourcePath.fromPath(path).toString())
+  }
+
+  override fun exists(path: String): Boolean {
+    return try {
+      fetch(path, "type").size > 0
+    } catch (e: Exception) {
+      false
+    }
+  }
+
+  override fun open(path: String): BufferedSource? {
+    return fetch(path)
+  }
+
+  private fun fetch(path: String, attribute: String? = null): Buffer {
+    val resource = OnePasswordResourcePath.fromPath(path)
+    val command = listOf("op", "read") + resource.asCliArgs(attribute)
+    try {
+      val process = ProcessBuilder().command(command).start()
+
+      val exitCode = process.waitFor()
+      if (exitCode == 0) {
+        return Buffer().apply { writeAll(process.inputStream.source()) }
+      }
+
+      throw NoSuchElementException(
+        "1Password secret $resource could not be found! Please make sure it is available via: `${command.joinToString(" ")}`"
+      )
+    } catch (e: IOException) {
+      throw UnsupportedOperationException(
+        "Error calling the 1password-cli. Please ensure it is installed with `hermit install op` or `brew install 1password-cli`",
+        e,
+      )
+    }
+  }
+}
+
+/**
+ * Represents a 1password secret-reference, with an optional extra account identifier to differentiate
+ * if there are multiple 1password accounts. The secret-reference schema is documented at
+ * https://developer.1password.com/docs/cli/secret-reference-syntax/. The only change for this use
+ * case is the "op:" prefix is not present as the ResourceLoader implementation strips the schema.
+ */
+class OnePasswordResourcePath private constructor(val account: String?, val secretReference: String) {
+  override fun toString(): String {
+    return account?.let { "$it@$secretReference" } ?: secretReference
+  }
+
+ @JvmOverloads
+ fun asCliArgs(attribute: String? = null): List<String> {
+    // For checking a specific attribute of the secret rather than the value (default)
+    val attributeField = attribute?.let { "?attribute=$it" } ?: ""
+    // Add `op:` prefix for the 1password-cli
+    val secretRef = "op:$secretReference$attributeField"
+    // Include account args, if specified
+    if (account != null) {
+      return listOf("--no-newline", "--account", account, secretRef)
+    }
+    return listOf("--no-newline", secretRef)
+  }
+
+  companion object {
+    /** Expects a path in the form "accountId@//secretRef/goes/here" or "//secretRef/goes/here" */
+    fun fromPath(path: String): OnePasswordResourcePath {
+      if (path.contains("@")) {
+        val (account, secretReference) = path.split("@", limit = 2)
+        require(secretReference.startsWith("//")) { "1Password secret reference must start with //" }
+        return OnePasswordResourcePath(account, secretReference)
+      }
+
+      require(path.startsWith("//")) { "1Password secret reference must start with //" }
+      return OnePasswordResourcePath(null, path)
+    }
+  }
+}

Diff for: wisp/wisp-resource-loader/src/test/kotlin/wisp/resources/OnePasswordResourceLoaderBackendTest.kt

@@ -0,0 +1,77 @@
+package wisp.resources
+
+import org.assertj.core.api.Assertions.assertThat
+import org.junit.jupiter.api.Disabled
+import org.junit.jupiter.api.Test
+import kotlin.test.assertEquals
+import kotlin.test.assertFailsWith
+
+class OnePasswordResourceLoaderBackendTest {
+
+  private val resourceLoader: ResourceLoader = ResourceLoader(
+    mapOf(
+      OnePasswordResourceLoaderBackend.SCHEME to OnePasswordResourceLoaderBackend,
+    )
+  )
+
+  private val nonExistentOnePasswordResource = "1password://Employee/Test login for unit tests/does-not-exist"
+  private val existingOnePasswordResource = "1password://Employee/Test login for unit tests/password"
+  private val existingOnePasswordResourceWithAccount = "1password:squareup.1password.com@//Employee/Test login for unit tests/password"
+
+
+  @Test
+  fun onePasswordResourcePath() {
+    val resourcePath = OnePasswordResourcePath.fromPath("//My Vault Name/My Secret Name/field_name_here")
+    assertThat(resourcePath.account).isNull()
+    assertEquals(resourcePath.secretReference, "//My Vault Name/My Secret Name/field_name_here")
+    assertEquals(resourcePath.asCliArgs(), listOf("--no-newline", "op://My Vault Name/My Secret Name/field_name_here"))
+    assertEquals(resourcePath.asCliArgs(attribute = "type"), listOf("--no-newline", "op://My Vault Name/My Secret Name/field_name_here?attribute=type"))
+  }
+
+  @Test
+  fun onePasswordResourcePathWithAccountId() {
+    val resourcePath = OnePasswordResourcePath.fromPath("myAccount.1password.com@//My Vault Name/My Secret Name/field_name_here")
+    assertEquals(resourcePath.account, "myAccount.1password.com")
+    assertEquals(resourcePath.secretReference, "//My Vault Name/My Secret Name/field_name_here")
+    assertEquals(resourcePath.asCliArgs(), listOf("--no-newline", "--account", "myAccount.1password.com", "op://My Vault Name/My Secret Name/field_name_here"))
+    assertEquals(resourcePath.asCliArgs(attribute = "type"), listOf("--no-newline", "--account", "myAccount.1password.com", "op://My Vault Name/My Secret Name/field_name_here?attribute=type"))
+  }
+
+  @Test
+  fun onePasswordResourcePathInvalidFormat() {
+    assertFailsWith<IllegalArgumentException> {
+      OnePasswordResourcePath.fromPath("Malformed Name/field_name_here")
+    }
+
+    assertFailsWith<IllegalArgumentException> {
+      OnePasswordResourcePath.fromPath("myAccount.1password.com@Malformed Name/field_name_here")
+    }
+  }
+
+  @Disabled("Requires no `op` binary on path")
+  @Test
+  fun onePasswordMissingBinary() {
+    assertFailsWith<UnsupportedOperationException> {
+      resourceLoader.utf8(existingOnePasswordResource)
+    }
+  }
+
+  @Disabled("Requires `op` binary on path")
+  @Test
+  fun onePasswordMissingSecret() {
+    assertThat(resourceLoader.exists(nonExistentOnePasswordResource)).isFalse()
+    assertFailsWith<NoSuchElementException> {
+      resourceLoader.utf8(nonExistentOnePasswordResource)
+    }
+  }
+
+  @Disabled("Requires `op` binary on path and a test secret")
+  @Test
+  fun onePasswordReadsSecret() {
+    assertThat(resourceLoader.exists(existingOnePasswordResource)).isTrue()
+    assertThat(resourceLoader.exists(existingOnePasswordResourceWithAccount)).isTrue()
+
+    assertEquals(resourceLoader.utf8(existingOnePasswordResource), "test-value-here")
+    assertEquals(resourceLoader.utf8(existingOnePasswordResourceWithAccount), "test-value-here")
+  }
+}