
Summon has examples of unofficial "provider wrappers" somewhere (e.g. gopass) #149

Open
3 tasks
mordax7 opened this issue May 6, 2020 · 9 comments

Comments

@mordax7

mordax7 commented May 6, 2020

Currently we have no place to add small wrapper code that can easily be used with tools that were not initially designed for summon but can be made to work with it with minimal effort.

AC:

  • Provide a place to store these example wrappers
  • Add link to main readme for them
  • Add this (gopass) wrapper to those examples

Original Issue below

Summary

Got a problem when using Gopass as a provider because of some functionalities that Gopass provides which break Summon. In Gopass you can, of course, store your secret, but you can also add comments to the secret to describe it, or you can even use it to add a second password to it if required. For example, this is what my AWS user entry looks like in Gopass:

$ gopass show some/aws/path/username
DEDUCTED_IAM_CONSOLE_PASSWORD
accesskey: DEDUCTED_IAM_ACCESS_KEY
account: DEDUCTED_ACCOUNT_NAME
region: DEDUCTED_AWS_REGION
secretkey: DEDUCTED_IAM_SECRET_KEY
username: DEDUCTED_IAM_USERNAME

The first line of the output is the "password", which in my case is the password for the AWS Console; this way I can use the Gopass bridge to log in to the website via my browser by auto-filling the password and username. If I want access to any other resource from this secret, I can do it by calling the key: gopass show some/aws/path/username secretkey. This will output just the value of secretkey. I can use this command to fill my environment variable dynamically, for example.
But this is a problem for summon, since it will try to grab the whole output of Gopass and pipe it through, instead of forwarding just the password.

Steps to Reproduce

Steps to reproduce the behavior:

  1. Write comments under your password in Gopass, for example a username
  2. Use summon to use that secret

Expected Results

It uses just the password stored in Gopass.

Actual Results (including error logs, if applicable)

It uses the whole output, including comments beneath the password.

Additional Information

It would be a nice feature to have the possibility of writing a key from a comment beneath a password, and get the value of it.

@sgnn7
Contributor

sgnn7 commented May 7, 2020

Hmm... this would be a tricky thing to do since that would require a different API for just this one specific "provider" (I'm using the term loosely here since it's not a native summon provider).

I almost feel like this would be very easy to solve on the client side by making a simple bash script to wrap gopass, because the best alternative is writing a whole new provider repo to support this. Would this work for you (Linux/*nix)?

Add this content to a file gopass_provider and make it executable (chmod +x gopass_provider):

#!/bin/bash -e
set -o pipefail

# Strips all parts of path before last `/`
var_path="${1%/*}"
if [[ "$var_path" == "" ]]; then
  echo "Missing variable path!"
  exit 1
fi

# Only returns the item after last `/`
secret_id="${1##*/}"
if [[ "$secret_id" == "" ]] || [[ "$secret_id" == "$var_path" ]]; then
  echo "Missing secret ID path!"
  exit 1
fi

if ! gopass show "${var_path}" | grep "^${secret_id}: " | awk '{$1=""; print substr($0,2)}'; then
  echo "Could not find '$secret_id' in '$var_path'!"
  exit 1
fi

Edit: in your secrets.yml you would set the secret ID as some/aws/path/username/secretkey if you use this file

@mordax7
Author

mordax7 commented May 7, 2020

Here a similar attempt with an @ as an attribute separator:

#!/usr/bin/env bash
set -euo pipefail

# Everything after the last `@` is the attribute name (e.g. "secretkey")
attribute="${1##*@}"
# Everything before the first `@` is the gopass secret path
path="${1%%@*}"

# Print only the requested attribute of the secret
/usr/bin/gopass show "$path" "$attribute"

Maybe it would be worth to document these "provider wrappers"?

@sgnn7
Contributor

sgnn7 commented May 7, 2020

Excellent point - do you mind testing this one out first (since I do not have a gopass setup)?

@mordax7
Author

mordax7 commented May 7, 2020

@sgnn7 yours works.

As an alternative gopass provider to yours:

#!/usr/bin/env bash
set -euo pipefail

if [[ "${1}" == "--version" ]]; then
  gopass --version
  exit 0
fi

path="${1%%@*}" # Strips all parts of path before last `@`
attribute="${1##*@}" # Only returns the item after last `@`

if [[ "${path}" == "" ]]; then
  echo "Missing variable path!"
  exit 1
fi

if [[ "${attribute}" == "" ]]; then
  gopass show "${path}" | head -1
else
  gopass show "${path}" "${attribute}"
fi

Needs the following secrets.yml syntax:

FOO: !var aws/iam/foo/bar@username
BAR: !var aws/iam/foo/bar@region

A similar approach to yours, with the difference that you need to separate the attribute from the path at the @ sign. I also added the possibility to pass the --version flag through to gopass, see:

cli.BoolFlag{
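To show the two wrapper scripts above as one testable piece, here is an added example that is not code from the summon project or from either poster: a gopass provider wrapper in the same `path@attribute` style, but one that parses the `gopass show` output itself (first line is the password, later lines are `key: value` attributes) in a function that can be exercised offline. The sample output below is constructed from the placeholder values in the original issue; `gopass` is only invoked when the script is run under the file name `gopass` or `gopass_provider`, and the function names are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example (not summon's or gopass's own code): a summon "provider
# wrapper" for gopass that supports "some/path@attribute" secret IDs.
set -eu

# Constructed sample of `gopass show some/aws/path/username` output, using the
# placeholder values from the issue: line 1 is the password, the rest are
# "key: value" attributes.
SAMPLE_GOPASS_OUTPUT='DEDUCTED_IAM_CONSOLE_PASSWORD
accesskey: DEDUCTED_IAM_ACCESS_KEY
account: DEDUCTED_ACCOUNT_NAME
region: DEDUCTED_AWS_REGION
secretkey: DEDUCTED_IAM_SECRET_KEY
username: DEDUCTED_IAM_USERNAME'

# ref_path "aws/iam/foo/bar@username" -> "aws/iam/foo/bar"
ref_path() { printf '%s\n' "${1%%@*}"; }

# ref_attr "aws/iam/foo/bar@username" -> "username"; no "@" -> "" (password)
ref_attr() {
  case "$1" in
    *@*) printf '%s\n' "${1##*@}" ;;
    *)   printf '\n' ;;
  esac
}

# extract_secret ATTR: reads gopass output on stdin. With an empty ATTR it
# prints only the first line (the password); otherwise it prints the value of
# the "ATTR: value" line below the password. Returns 1 if nothing matched.
extract_secret() {
  local attr="$1" first line found=0
  IFS= read -r first || [ -n "$first" ] || return 1
  if [ -z "$attr" ]; then
    printf '%s\n' "$first"
    return 0
  fi
  # The password line is never treated as an attribute, even if it happens to
  # start with "ATTR: ".
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in
      "$attr: "*) printf '%s\n' "${line#"$attr: "}"; found=1; break ;;
    esac
  done
  [ "$found" = 1 ]
}

# provider_main REF: the entry point summon calls with the variable ID.
provider_main() {
  local ref="${1:-}" path attr
  if [ "$ref" = "--version" ]; then
    gopass --version
    return 0
  fi
  if [ -z "$ref" ]; then
    echo "usage: ${0##*/} <path>[@attribute]" >&2
    return 1
  fi
  path="$(ref_path "$ref")"
  attr="$(ref_attr "$ref")"
  if [ -z "$path" ]; then
    echo "Missing variable path!" >&2
    return 1
  fi
  # One gopass call (one decryption) per summon variable; the attribute is
  # picked out here instead of asking gopass for it.
  if ! gopass show "$path" | extract_secret "$attr"; then
    echo "Could not find '${attr:-password}' in '$path'!" >&2
    return 1
  fi
}

# Only act as a provider when installed under one of these names, so the
# functions above can also be sourced and tested without gopass present.
case "${0##*/}" in
  gopass|gopass_provider) provider_main "${1:-}" ;;
esac
```

Note that error messages go to stderr: summon reads the provider's stdout as the secret value, so anything written there on failure would be handed to the wrapped command instead of surfacing as an error.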

@sgnn7
Contributor

sgnn7 commented May 7, 2020

Awesome and thank you! Let me update the title/description of this issue a bit now and see if I can get some wider stakeholder approval on this.

CC: @cyberark/community-and-integrations-team @izgeri

sgnn7 changed the title from "Summon with gopass as provider has problems with getting just the password" to "Summon has examples of unofficial "provider wrappers" somewhere (e.g. gopass)" on May 7, 2020
@mordax7
Author

mordax7 commented May 13, 2020

I experienced some problems with Gopass and this wrapper.
Here is the log:

gpg-agent[8795]: Clearing pinentry cache which caused error Cannot allocate memory
gpg-agent[8795]: failed to unprotect the secret key: Cannot allocate memory
gpg-agent[8795]: failed to read the secret key
gpg-agent[8795]: command 'PKDECRYPT' failed: Cannot allocate memory <Pinentry>

After some digging around I found out that, since I have my GPG key encrypted, gpg-agent will use Pinentry to ask the user for a password via an interface. I found out that if I had more than 5 entries in one of my gopass secrets and I tried to pull them out with the summon wrapper script above, my gpg-agent could not allocate enough memory to decrypt the secret. I didn't dig deeper into this problem, but I would guess that since I have saved my password, to unlock my gpg key, in Pinentry, it ran out of memory once it had to decrypt more than the 5 entries.

FIX:
In the .gnupg/gpg-agent.conf add the line:

auto-expand-secmem

Explanation from https://www.gnupg.org/documentation/manuals/gnupg/Agent-Options.html:
Allow Libgcrypt to expand its secure memory area as required. The optional value n is a non-negative integer with a suggested size in bytes of each additionally allocated secure memory area. The value is rounded up to the next 32 KiB; usual C style prefixes are allowed. For an heavy loaded gpg-agent with many concurrent connection this option avoids sign or decrypt errors due to out of secure memory error returns.

@sgnn7
Contributor

sgnn7 commented May 13, 2020

Hey @xMordax,
After discussing this a bit with the other stakeholders, we agreed that we should find a way for this to get added to the repo, but we are not sure yet what the best place for this kind of wrapper is. Let me see if I can find some time this week or next to figure that out and I'll update this thread.

PS: Great find on the GPG issue!

@sgnn7
Contributor

sgnn7 commented Jul 6, 2020

Hey @xMordax again - sorry for dropping the ball on this but we've been pretty busy on the team lately on other projects so we have not had much time to look into this but someone from my team (probably not myself) will be working on this.

Notes below are for whoever takes on this task

Things that need to be done:

  • Create a folder of wrapper scripts with included documentation on how to use them
  • Add information about wrapper scripts and how to use them in main README (this may already be there now)
  • Add links to this directory and each individual wrapper to the main README
  • Add gopass wrapper:
    • Add this and/or this wrapper as the first wrapper script(s)
    • Add a README for this wrapper

Additional notes

The path structure should probably be something like this:

summon/
| - bin/
...
| - contrib/
|   | -  wrapper/
|   |   | -  gopass/
|   |   |   | - README.md
|   |   |   | - gopass
|   |   | -  fooprovider/
|   |   |   | - README.md
|   |   |   | - fooprovider
...

@boazmichaely

Published in CyberArk Aha! idea portal
