From ada03a032597161fc25a3aced8b8003a16c0ea08 Mon Sep 17 00:00:00 2001
From: volodymyrZotov <volodymyr.zotov@gmail.com>
Date: Thu, 11 Aug 2022 16:39:39 +0300
Subject: [PATCH] use cli to retrieve secrets if signed in via connect

---
 entrypoint.sh | 133 +-------------------------------------------------
 1 file changed, 2 insertions(+), 131 deletions(-)

diff --git a/entrypoint.sh b/entrypoint.sh
index 7efa705..fcc1963 100755
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -92,130 +92,6 @@ extract_from_op_env() {
   unset IFS
 }
 
-# Load environment variables using connect service. Iterate over hem to find 1Password references, load the secret values,
-# and make them available as environment variables in the next steps.
-extract_from_connect() {
-  curl_headers=(-H "Content-Type: application/json" -H "Authorization: Bearer $OP_CONNECT_TOKEN")
-  IFS=$'\n'
-
-  for possible_ref in $(printenv | grep "=op://" | grep -v "^#"); do
-    env_var=$(echo "$possible_ref" | cut -d '=' -f1)
-    ref=$(printenv $env_var)
-
-    if [[ ! $ref == "op://"* ]]; then
-      echo "Not really a reference: $ref"
-      continue
-    fi
-
-    path=$(echo $ref | sed -e "s/^op:\/\///")
-    if [ $(echo "$path" | tr -cd '/' | wc -c) -lt 2 ]; then
-      echo "Expected path to be in format op://<vault>/<item>[/<section>]/<field>: $ref"
-      continue
-    fi
-
-    echo "Populating variable: $env_var"
-
-    vault=""
-    item=""
-    section=""
-    field=""
-    i=0
-    IFS="/"
-    for component in $path; do
-      ((i+=1))
-      case "$i" in
-        1) vault=$component ;;
-        2) item=$component ;;
-        3) section=$component ;;
-        4) field=$component ;;
-      esac
-    done
-    unset IFS
-
-    # If field is not set, it may have wrongfully been interpreted as the section.
-    if [ -z "$field" ]; then
-      field="$section"
-      section=""
-    fi
-
-    if [[ $(echo -n $(echo $vault | grep "^[a-z0-9]*$") | wc -c) -ne 26 ]]; then
-      echo "Getting vault ID from vault name: $vault"
-      vault=$(curl -sSf "${curl_headers[@]}" "$OP_CONNECT_HOST/v1/vaults?filter=name%20eq%20%22$vault%22" | jq -r '.[0] | .id')
-      if [ -z "$vault" ]; then
-        echo "Could not find vault ID for vault: $vault"
-        exit 1
-      fi
-    fi
-
-    if [[ $(echo -n $(echo $item | grep "^[a-z0-9]*$") | wc -c) -ne 26 ]]; then
-      echo "Getting item ID from vault $vault..."
-      item=$(curl -sSf "${curl_headers[@]}" "$OP_CONNECT_HOST/v1/vaults/$vault/items?filter=title%20eq%20%22$item%22" | jq -r '.[0] | .id')
-      if [ -z "$item" ]; then
-        echo "Could not find item ID for item: $item"
-        exit 1
-      fi
-    fi
-
-    echo "Loading item $item from vault $vault..."
-    item_json=$(curl -sSf "${curl_headers[@]}" "$OP_CONNECT_HOST/v1/vaults/$vault/items/$item")
-
-    jq_field_selector=".id == \"$field\" or .label == \"$field\""
-    jq_section_selector=".section == null"
-
-    # If the reference contains a section, edit the jq selector to take that into account.
-    if [ -n "$section" ]; then
-      echo "Looking for section: $section"
-      section_id=$(echo "$item_json" | jq -r ".sections[] | select(.id == \"$section\" or .label == \"$section\") | .id")
-      jq_section_selector=".section.id == \"$section_id\""
-    fi
-
-    jq_secret_selector="$jq_section_selector and ($jq_field_selector)"
-
-    echo "Looking for field: $field"
-    secret_field_json=$(echo "$item_json" | jq -r "first(.fields[] | select($jq_secret_selector))")
-
-    field_type=$(echo "$secret_field_json" | jq -r '.type')
-    field_purpose=$(echo "$secret_field_json" | jq -r '.purpose')
-    secret_value=$(echo "$secret_field_json" | jq -r '.value')
-
-    if [ -z "$secret_value" ]; then
-      echo "Could not find or access secret $ref"
-      exit 1
-    fi
-
-    # If the field is marked as concealed or is a note, register a mask
-    # for the secret to prevent accidental log exposure.
-    if [ "$field_type" == "CONCEALED" ] || [ "$field_purpose" == "NOTES" ]; then
-      # To support multiline secrets, escape percent signs and add a mask per line.
-      escaped_mask_value=$(echo "$secret_value" | sed -e 's/%/%25/g')
-      IFS=$'\n'
-      for line in $escaped_mask_value; do
-        if [ "${#line}" -lt 3 ]; then
-          # To avoid false positives and unreadable logs, omit mask for lines that are too short.
-          continue
-        fi
-        echo "::add-mask::$line"
-      done
-      unset IFS
-    fi
-
-    # To support multiline secrets, we'll use the heredoc syntax to populate the environment variables.
-    # As the heredoc identifier, we'll use a randomly generated 64-character string,
-    # so that collisions are practically impossible.
-    random_heredoc_identifier=$(openssl rand -hex 16)
-
-    {
-      # Populate env var, using heredoc syntax with generated identifier
-      echo "$env_var<<${random_heredoc_identifier}"
-      echo "$secret_value"
-      echo "${random_heredoc_identifier}"
-    } >> $GITHUB_ENV
-
-    managed_variables+=("$env_var")
-  done
-  unset IFS
-}
-
 read -r -a managed_variables <<< "$(printenv $managed_variables_var)"
 
 if [ -z "$OP_CONNECT_TOKEN" ] || [ -z "$OP_CONNECT_HOST" ]; then
@@ -230,13 +106,8 @@ fi
 printf "Authenticated with %s \n" $auth_type
 
 unset_prev_secrets
-
-if [ "$auth_type" == "$SERVICE_ACCOUNT" ]; then
-  install_op_cli
-  extract_from_op_env
-elif [ "$auth_type" == "$CONNECT" ]; then
-  extract_from_connect
-fi
+install_op_cli
+extract_from_op_env
 
 # Add extra env var that lists which secrets are managed by 1Password so that in a later step
 # these can be unset again.