op and Fish Shell environment

rrosson

Has anyone figured out how to get op cli tool setup to use with the fish shell yet? Also looking for possibilities to pull in passwords to use with iTerm as a side note. :)

---

_1Password Version:6.8.1
_OS Version:macOS Sierra

cohix

@rrosson Thanks for the interest in the tool :) We're definitely looking to gauge the interest in different shells that our users like. We could theoretically add a --fish flag on the signin command, but we'll be evaluating those one by one. For now, you can either copy the environment variable name and value from the outputted command (and set the variable in the "fish" way), or you can use the --output=raw flag on the signin command and then pass the raw token to any command using the --session=[token] flag on any command.

You can see all the session management options in our documentation!

As for use with iTerm, what did you have in mind?

rrosson

@cohix Thanks I will dig deeper in to the fish shell, was just trying to avoid on re-inventing the wheel. :)

As for iTerm I was wondering if anyone put anything together that would take advantage of calling 1P when ssh'ing to a host.

cohix

SSH makes things hard as it uses interactive prompts for non-pubkey authentication, so automating that is a little difficult. We're investigating ways to make this easier. For example, if your SSH key is in a 1Password document and you want to use it on a machine temporarily, you could write a script that:

• downloads the key into the ~/.ssh directory
• performs the ssh command with the -i flag to specify the keyfile to use
• delete the key

Something to consider :)

rrosson

I think I have figured out what to add to my fish shell environment. Included below:
### 1password CLI (op) ###
set -x OP_SESSION_<shorthand name> $1
eval (op signin <shorthand name>)

If anyone has any better solutions please share.
-Ron

cohix

@rrosson Nice! Would that be a shell script? What is the argument being passed into the script ($1) ?

I'm a zsh man myself so I'm not too familiar with fish.

rrosson

This is added to your config.fish located in ~/.config/fish. The '$1' is the place holder for the token that is given once you have successfully signed into 1P.

Fish shell does not include export, so a little googling around of converting export to something fish could use led me to what I shared. Hopefully another user who uses the fish shell will comes by and sees it and corrects it if I made any errors or assumptions. :)

rickfillion

@rrosson : regarding iTerm... have you taken a look at how sudolikeaboss works? It's built to work with 1Password for Mac, but if I'm remembering how it works correctly, doing something like it for op would be feasible.

https://github.com/ravenac95/sudolikeaboss

Rick

smerrell

I made a function in Fish that looks like this

function op_signin
      set cmd (op signin $argv | sed '/#/d; s/export/set -gx/; s/=/ /; s/"//g')
      eval $cmd
end

You could either use it like op_signin <shorthand_name> or replace the $argv with the shorthand name.

You likely could also put the two lines in the function in your fish.config I just don't want it to prompt me to log into op every time I open a new shell.

rrosson

@smerrell Thank You, Thank you,

cohix

That's awesome @smerrell, thank you for posting that!

skunkwerks

\o/ I never found a tidy solution for this.. awesome!

rickfillion

:)

sam.doran

@cohix I'd love to see better fish support. While the function @rrosson made is nice, it's much more complicated than op signin returning shell specific syntax for fish. I'd love to see the shell detection be handled in op. I know it's a pain for developers, but it makes it way better for developers. I use rbenv and pyenv and they both have mechanisms for detecting the shell and returning appropriate syntax.

This is the fish shell syntax that needs to be returned by op signin in order to use it:

set -gx OP_SESSION_<subdomain> XLC6cHkeSHByBqrikXt36fdMVLLdHuoACNFUrNMuRXQ

And it'd be used in fish with this command: eval (op signin <subdomain>) for adding to the docs if the feature ever is added.

Thanks for making this utility! It greatly expands the ways I can use 1Password programatically.

sam.doran

@cohix I actually discovered something very useful just now. fish ships with an export function for bash compatibility:

function export --description 'Set env variable. Alias for `set -gx` for bash compatibility.'

That means you don't need to do anything in op to account for fish, which is nice. It also means I just run eval (op signin <subdomain>), it prompts for password, and then it sets the OP_SESSION_<subdomain> environment variable. This means you can just add a simple update to the docs for fish rather than having to make code change.

sam.doran

For anyone interested, you can fully automate the login to op by leveraging macOS Keychain.

HUGE CAVEAT

This requires you to store your 1Password master password in the macOS Keychain which you should not do unless:
1. You use a very strong password for your macOS user account, equal to or greater than your 1Password master password.
2. You do not share your macOS user account with others
3. Your Mac is configured to automatically lock after a period of time
4. Your Mac's hard drive is encrypted (optional, though highly recommended)

If you create a password in Keychain Access, you can access it using the security command line tool. You can then pass than to op login.

eval (echo (security find-generic-password -a <passoword entry name> -w) | op signin <subdomain>)

That's the fish syntax but it can easily be adapted other shells.

rickfillion

That's a great tip, @sam.doran. And thank you for adding the caveats.

Rick

sam.doran

Simplified version of the auto-login one liner from above:

fish: eval (security find-generic-password -a <passoword entry name> -w | op signin <subdomain>)
bash: eval $(security find-generic-password -a <passoword entry name> -w | op signin <subdomain>)

rickfillion

Even better. :)

Rick