op inject: how to escape resolved secrets?

Options
manselmi
manselmi
Community Member
edited May 2023 in CLI

Hi there! 👋

I have a question regarding the template syntax in templated config files. Does the template syntax allow for escaping the resolved secrets or applying filters to them?

For example (I wouldn't actually handle auth this way), suppose I have a templated JSON file config.json.tpl

{
  "Credentials": {
    "Username": "{{ op://vault/item/section/username }}",
    "Password": "{{ op://vault/item/section/password }}",
    "TOTP": {{ op://vault/item/section/totp?attribute=otp }}
  }
}

and I render the template with op inject --in-file config.json.tpl. How can I JSON-escape the result of resolving {{ op://vault/item/section/password }} in case it contains " or \?

I would prefer to use op inject instead of op run as some apps don't allow for secrets to be configured via environment variables. Also, there are some risks associated with doing so. Also, I would prefer not to replace op inject with multiple invocations of op read because I'd prefer to avoid multiple op invocations to get all needed secrets. Finally, I could use op item get <item> --vault <vault> --format json and transform the output with jq to get what I need without worrying about escaping anything… but then I'd need write a jq filter for each invocation of op item get (a single 1Password item might not contain all needed secrets).

IMO it'd be more user-friendly to be able to write a template similar to this:

{
  "Credentials": {
    "Username": {{ op://vault/item/section/username | json_encode }},
    "Password": {{ op://vault/item/section/password | json_encode }},
    "TOTP": {{ op://vault/item/section/totp?attribute=otp | int }}
  }
}

(json_encode and int are example filters from the Tera template engine for Rust.)

This way I wouldn't need to worry about " or \ in the password and could ensure the TOTP was an integer without leading zeroes if I needed that for some reason (this is a contrived example).

What are your thoughts on this?

Thanks!

1Password Version: 8.10.1
Extension Version: 2.8.1
OS Version: macOS 13.2.1
Browser:_ Chrome

Comments

  • Jack.P_1P
    Jack.P_1P
    Options

    Hi @manselmi:

    Thanks for your feedback! While I can't promise anything, I'll share your thoughts with the team.

    Jack

  • manselmi
    manselmi
    Community Member
    Options

    Thanks @Jack.P_1P , I appreciate your response and relaying my thoughts to the team.

This discussion has been closed.