feat: add 1Password CLI integration for secure credential management
Feature/1password integration #157
Open
lsudduth2 wants to merge 3 commits into
This commit integrates 1Password CLI to allow users to retrieve credentials from their secure 1Password vault instead of storing them in environment variables or passing them as command-line arguments.

## New Features

### 1Password Helper Module (nac_collector/onepassword_helper.py)
- Implements secure credential retrieval via 1Password CLI (`op`)
- check_op_cli_available(): Validates 1Password CLI installation
- get_op_item(): Retrieves items from 1Password vault with error handling
- extract_credentials(): Intelligently parses username, password, and URL from 1Password item fields with case-insensitive matching
- get_credentials_from_op(): High-level API for credential retrieval
- Comprehensive error handling with custom OnePasswordError exception
- Supports item references by name, UUID, or share link

### CLI Integration (nac_collector/cli/main.py)
- New --op-item option to specify 1Password item reference
- Environment variable support via NAC_OP_ITEM
- Credential precedence order:
  1. 1Password credentials (if --op-item provided)
  2. Explicit CLI options (--username, --password, --url)
  3. Environment variables (NAC_USERNAME, NAC_PASSWORD, NAC_URL)
- Maintains full backward compatibility with existing authentication methods
- CLI options override 1Password values for flexibility

### Documentation (README.md)
- New "Authentication Options" section with detailed examples
- 1Password setup instructions and prerequisites
- Usage examples for all authentication methods
- Clear explanation of credential precedence

### Tests (tests/test_onepassword_helper.py)
- 17 comprehensive unit tests covering all functionality
- Tests for CLI availability checks
- Item retrieval with success and error scenarios
- Credential extraction with various field formats
- Edge cases: missing fields, timeouts, invalid JSON
- All tests passing with full type safety

## Security Benefits
- Credentials remain in secure 1Password vault
- No credentials stored in environment variables or shell history
- Supports 1Password's security features (2FA, biometric unlock)
- Reduces risk of credential exposure in logs or process listings

## Technical Details
- Type-safe implementation with mypy validation
- Subprocess timeout protection (30s for item retrieval, 5s for availability)
- Robust error handling and user-friendly error messages
- Zero external dependencies beyond 1Password CLI

## Testing
- All 17 unit tests passing
- Type checking (mypy): ✓ Success
- Linting (ruff): ✓ All checks passed
- Test coverage includes success paths and error conditions
- End-to-end tested with live SD-WAN deployment

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
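The commit message above describes the helper functions and the precedence rule but shows none of the code. The block below is an added example written for this page, not nac_collector's own module: it fetches a Login item with the real `op item get <ref> --format json` command, extracts username, password and URL from op's `fields`/`urls` JSON, and merges the result with CLI options and the NAC_* environment variables. The commit message lists both "1Password first" and "CLI options override 1Password"; the example assumes the latter reading (CLI option > 1Password > environment). Function names mirror the commit message, `SAMPLE_ITEM` is a constructed item, and `resolve_credentials` takes an injectable `fetch` so the whole thing runs offline.

```python
"""Added example, not nac_collector's own code: fetch a Login item through the
1Password CLI, extract username/password/URL, and merge with CLI/env values.
SAMPLE_ITEM is constructed in the shape `op item get --format json` returns."""
import json
import os
import shutil
import subprocess
from dataclasses import dataclass
from typing import Callable, Optional


class OnePasswordError(Exception):
    """op CLI missing, non-zero exit, timeout, or unparsable output."""


@dataclass(frozen=True)
class Credentials:
    username: Optional[str] = None
    password: Optional[str] = None
    url: Optional[str] = None

    def __repr__(self) -> str:
        # Keep the secret out of logs, tracebacks and debug output.
        return f"Credentials(username={self.username!r}, password=<redacted>, url={self.url!r})"


def check_op_cli_available(timeout: float = 5.0) -> bool:
    """True when `op --version` succeeds; bounded so a hung CLI cannot stall the tool."""
    if shutil.which("op") is None:
        return False
    try:
        return subprocess.run(["op", "--version"], capture_output=True, timeout=timeout).returncode == 0
    except (OSError, subprocess.TimeoutExpired):
        return False


def get_op_item(item_ref: str, timeout: float = 30.0) -> dict:
    """Fetch an item by name, UUID or share link as JSON. The secret comes back
    over a pipe, not on a command line, so only the item reference is on argv."""
    try:
        proc = subprocess.run(["op", "item", "get", item_ref, "--format", "json"],
                              capture_output=True, text=True, timeout=timeout)
    except FileNotFoundError as exc:
        raise OnePasswordError("1Password CLI (op) not found on PATH") from exc
    except subprocess.TimeoutExpired as exc:
        raise OnePasswordError(f"op timed out after {timeout}s") from exc
    if proc.returncode != 0:
        raise OnePasswordError(f"op exited {proc.returncode}: {proc.stderr.strip()}")
    try:
        return json.loads(proc.stdout)
    except json.JSONDecodeError as exc:
        raise OnePasswordError("op returned invalid JSON") from exc


def extract_credentials(item: dict) -> Credentials:
    """Prefer op's `purpose` markers (USERNAME/PASSWORD) set on Login items, fall
    back to case-insensitive labels, and use the primary URL when one is flagged."""
    username = password = url = None
    for field in item.get("fields", []):
        purpose = str(field.get("purpose", "")).upper()
        label = str(field.get("label", "")).lower()
        value = field.get("value")
        if not value:
            continue
        if purpose == "USERNAME" or (username is None and label in ("username", "user")):
            username = value
        elif purpose == "PASSWORD" or (password is None and label in ("password", "pass")):
            password = value
        elif url is None and label in ("url", "website"):
            url = value
    urls = item.get("urls") or []
    if url is None and urls:
        url = next((u for u in urls if u.get("primary")), urls[0]).get("href")
    return Credentials(username, password, url)


def resolve_credentials(cli_username=None, cli_password=None, cli_url=None,
                        op_item: Optional[str] = None, env: Optional[dict] = None,
                        fetch: Callable[[str], dict] = get_op_item) -> Credentials:
    """Precedence assumed here: explicit CLI option > 1Password item > NAC_* env var."""
    env = os.environ if env is None else env
    from_op = extract_credentials(fetch(op_item)) if op_item else Credentials()
    from_env = Credentials(env.get("NAC_USERNAME"), env.get("NAC_PASSWORD"), env.get("NAC_URL"))

    def first(*values):
        return next((v for v in values if v), None)

    return Credentials(first(cli_username, from_op.username, from_env.username),
                       first(cli_password, from_op.password, from_env.password),
                       first(cli_url, from_op.url, from_env.url))


# Constructed sample item; shape follows `op item get --format json`.
SAMPLE_ITEM = {
    "id": "sample-item-id", "title": "vManage (sample)", "category": "LOGIN",
    "urls": [{"label": "website", "primary": True, "href": "https://vmanage.example.com/login.html"}],
    "fields": [
        {"id": "username", "purpose": "USERNAME", "label": "Username", "value": "admin"},
        {"id": "password", "purpose": "PASSWORD", "label": "Password", "value": "s3cr3t-sample"},
        {"id": "notesPlain", "purpose": "NOTES", "label": "notesPlain", "value": "sample notes"},
    ],
}


if __name__ == "__main__":
    ref = os.environ.get("NAC_OP_ITEM")
    if ref and check_op_cli_available():
        creds = resolve_credentials(op_item=ref)  # live op call, session must be signed in
    else:
        creds = resolve_credentials(op_item="sample", env={}, fetch=lambda _ref: SAMPLE_ITEM)
    print(creds)  # password is redacted by __repr__
```

Two details worth keeping if you adapt this: the secret is only ever read from op's stdout, so `ps` shows just the item reference, and `Credentials.__repr__` redacts the password so a stray `print` or exception message does not leak it. Treat an empty `purpose` as "fall back to the label" rather than failing, since Server and Database items in 1Password carry labels but no purpose markers.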
Fixes authentication failure when using URLs with SSO bypass paths like /login.html for local credential authentication.

## Problem

When using 1Password items with SSO bypass URLs (e.g., https://vmanage.../login.html), the authentication would succeed but subsequent API calls would fail with 404 errors because the base URL included the /login.html path.

Example:
- Login POST: https://vmanage.../login.html/j_security_check ✅ 200 OK
- Token GET: https://vmanage.../login.html/dataservice/client/token ❌ 404

## Solution

Enhanced the SD-WAN authenticate() method to:
1. Use the full URL (with /login.html) for authentication
2. Automatically detect and strip common login paths for API calls
3. Apply the cleaned base URL for all subsequent requests

Supported SSO bypass paths:
- /login.html (Cisco SD-WAN SSO bypass)
- /login
- /index.html

## Changes

- nac_collector/controller/sdwan.py:
  - Added login path detection and stripping logic
  - Uses full URL for authentication, base URL for API calls
  - Debug logging when SSO bypass path detected
  - Updated docstring to document SSO bypass handling
- nac_collector/onepassword_helper.py:
  - Updated docstring to clarify URL paths are preserved
  - Documents that /login.html paths are intentional for SSO bypass

## Testing

- Authentication: ✅ Successful with SSO bypass URL
- Token retrieval: ✅ Successful after URL normalization
- Data collection: ✅ Completed successfully
- End-to-end validation with production deployment

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
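The fix described in the commit above (full URL for the login POST, login path stripped for API calls) can be shown end to end without a controller. The block below is an added example, not the project's `sdwan.py`: `split_login_url` strips only a trailing, whole-segment login path, `FakeVManage` is a constructed stand-in that serves `j_security_check` under the login path and the token endpoint only under the bare base, and `authenticate_unnormalized` reproduces the pre-fix 404. The request paths follow the commit message; the session/response shapes are assumed to be `requests`-like.

```python
"""Added example, not nac_collector's own code: keep the SSO-bypass login URL
for the j_security_check POST but strip the login path before building
dataservice URLs. FakeVManage is a constructed controller so this runs offline."""
from urllib.parse import urlsplit, urlunsplit

# Trailing paths treated as a login page rather than an API prefix.
LOGIN_PATHS = ("/login.html", "/login", "/index.html")


def split_login_url(url: str) -> tuple:
    """Return (auth_url, api_base).

    Only a trailing whole-segment login path is removed: '/a/login.html' leaves
    '/a' as the API prefix, '/mylogin.html' is kept. Query and fragment are
    dropped from both so nothing from a pasted SSO link leaks into API calls."""
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError(f"expected an http(s) URL, got {url!r}")
    path = parts.path.rstrip("/")
    api_path = path
    for login_path in LOGIN_PATHS:
        if path.lower().endswith(login_path):  # leading '/' enforces a segment boundary
            api_path = path[: -len(login_path)]
            break
    auth_url = urlunsplit((parts.scheme, parts.netloc, path, "", ""))
    api_base = urlunsplit((parts.scheme, parts.netloc, api_path, "", ""))
    return auth_url, api_base


class FakeVManage:
    """Constructed controller: j_security_check is served under the login path,
    the token endpoint only under the bare base. Responses mimic requests.Response."""

    class Resp:
        def __init__(self, status_code, text=""):
            self.status_code, self.text = status_code, text

    def __init__(self):
        self.calls = []

    def post(self, url, data=None, **_):
        self.calls.append(("POST", url))
        ok = urlsplit(url).path.endswith("/j_security_check") and (data or {}).get("j_username")
        return self.Resp(200 if ok else 404)

    def get(self, url, **_):
        self.calls.append(("GET", url))
        if urlsplit(url).path == "/dataservice/client/token":
            return self.Resp(200, "sample-xsrf-token")
        return self.Resp(404)


def authenticate(session, url: str, username: str, password: str) -> tuple:
    """Log in against the full URL, then fetch the token from the normalized base.
    The password travels in the POST body, never in the URL, so it stays out of
    access logs and proxy URL records."""
    auth_url, api_base = split_login_url(url)
    if auth_url != api_base:
        print(f"login path detected; API base is {api_base}")  # no credentials in this line
    resp = session.post(f"{auth_url}/j_security_check",
                        data={"j_username": username, "j_password": password})
    if resp.status_code != 200:
        raise RuntimeError(f"login failed: HTTP {resp.status_code}")
    resp = session.get(f"{api_base}/dataservice/client/token")
    if resp.status_code != 200:
        raise RuntimeError(f"token fetch failed: HTTP {resp.status_code}")
    return api_base, resp.text


def authenticate_unnormalized(session, url, username, password) -> int:
    """Pre-fix behaviour: every URL is built from the raw base, so the token GET
    lands under /login.html/dataservice/... and returns 404."""
    base = url.rstrip("/")
    session.post(f"{base}/j_security_check", data={"j_username": username, "j_password": password})
    return session.get(f"{base}/dataservice/client/token").status_code


if __name__ == "__main__":
    ctrl = FakeVManage()
    print(authenticate(ctrl, "https://vmanage.example.com/login.html", "admin", "pw"))
    print(authenticate_unnormalized(FakeVManage(), "https://vmanage.example.com/login.html", "admin", "pw"))
```

The segment-boundary check matters: matching on a bare `endswith("login.html")` would also rewrite a host-specific path such as `/mylogin.html`, and stripping anything after the host would break deployments served under a prefix like `/a/login.html`.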
Prevents accidental commit of nac-collector output files containing collected network configuration data. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
Overview

Adds 1Password CLI integration to securely retrieve credentials from 1Password vault, eliminating the need to store credentials in environment variables or pass them via command line.

Features

- `--op-item` option to specify 1Password item reference
- `/login.html` paths

Changes

- `nac_collector/onepassword_helper.py` - 1Password CLI integration
- `nac_collector/cli/main.py` - Added `--op-item` option
- `nac_collector/controller/sdwan.py` - SSO bypass URL handling
- `tests/test_onepassword_helper.py` - 17 comprehensive unit tests

Testing

Usage