Provider forces use of biometric unlock, even when desktop app is not installed #204

Open
YenTheFirst opened this issue Oct 29, 2024 · 1 comment
Labels
bug Something isn't working

Comments

@YenTheFirst

Your environment

Terraform Provider Version: 2.1.2

Connect Server Version: N/A

CLI Version: 2.24.0

OS: Linux, ubuntu 24.04, kernel 6.8.0-47

Terraform Version: 1.5.7

What happened?

I configured a simple data source, and executed terraform plan.
It hung for a few seconds, then failed with the error

Unable to read vault, got error: op error: connecting to desktop app: cannot connect to 1Password app, make sure it is running

What did you expect to happen?

I expected it to either prompt for a password, or, to use the results of a recent op signin, and fetch the data.

Steps to reproduce

  1. Install the op cli, but not the desktop app.
  2. Configure a basic data resource in terraform

```hcl
terraform {
  required_providers {
    onepassword = {
      source  = "1Password/onepassword"
      version = "2.1.2"
    }
  }
}

provider "onepassword" {
  account = "https://myaccount.1password.com"
}

data "onepassword_vault" "the-vault" {
  name = "the-vault"
}

data "onepassword_item" "relevant-item" {
  vault = data.onepassword_vault.the-vault.uuid
  title = "Important Item"
}
```

  3. Disable biometric unlock, log in to op, and terraform plan.

```
$ export OP_BIOMETRIC_UNLOCK_ENABLED=false
$ eval $(op signin)
$ terraform plan
```

  4. Observe the error

```
╷
│ Error: Client Error
│ 
│   with data.onepassword_vault.the-vault,
│   on test.tf line 36, in data "onepassword_vault" "the-vault":
│   36: data "onepassword_vault" "the-vault" {
│ 
│ Unable to read vault, got error: op error: connecting to desktop app: cannot connect to 1Password app, make sure it
│ is running
╵
Releasing state lock. This may take a few moments...
```

Notes

Debugging this with strace, I noticed that OP_BIOMETRIC_UNLOCK_ENABLED was being overridden to true, regardless of whether I'd specified otherwise in the outer environment.

It looks like this is currently encoded here:

```go
cmd.Env = append(cmd.Env, "OP_BIOMETRIC_UNLOCK_ENABLED=true")
```

to always set OP_BIOMETRIC_UNLOCK_ENABLED=true when using an account URL, instead of connect or a service token.

However, that behavior doesn't seem to be documented, and it's quite inconvenient. The relevant PR (#167) doesn't seem to say why it was added - though I'm unaware if the history goes back further.

@YenTheFirst added the bug label Oct 29, 2024
@framigni

Indeed, confirming the bug here. It's very inconvenient, because my station does not have biometrics and I'd much prefer not having the desktop app.
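
The override described in the issue's Notes, as an added example that is not part of the thread or the provider's code. Go's os/exec keeps only the last entry when `Cmd.Env` contains duplicate keys, so an unconditional append beats an inherited `OP_BIOMETRIC_UNLOCK_ENABLED=false`. The example assumes the provider's `cmd.Env` starts from the inherited environment (not shown on the page); `effectiveValue`, `forceBiometric` and `defaultBiometric` are hypothetical names.

```go
package main

import (
	"fmt"
	"strings"
)

const biometricKey = "OP_BIOMETRIC_UNLOCK_ENABLED"

// effectiveValue reports what a child process would see for key.
// os/exec keeps only the last entry when Cmd.Env holds duplicate keys,
// so the slice is scanned from the end.
func effectiveValue(env []string, key string) (string, bool) {
	for i := len(env) - 1; i >= 0; i-- {
		if k, v, ok := strings.Cut(env[i], "="); ok && k == key {
			return v, true
		}
	}
	return "", false
}

// forceBiometric mirrors the line quoted in the issue: an unconditional
// append, which wins over any value inherited from the caller.
func forceBiometric(env []string) []string {
	out := append([]string(nil), env...) // copy; never mutate the caller's slice
	return append(out, biometricKey+"=true")
}

// defaultBiometric (hypothetical alternative) sets the variable only when
// the caller has not already chosen a value.
func defaultBiometric(env []string) []string {
	out := append([]string(nil), env...)
	if _, set := effectiveValue(out, biometricKey); set {
		return out
	}
	return append(out, biometricKey+"=true")
}

func main() {
	// Constructed parent environment, as after `export OP_BIOMETRIC_UNLOCK_ENABLED=false`.
	parent := []string{"PATH=/usr/bin", biometricKey + "=false"}
	forced, _ := effectiveValue(forceBiometric(parent), biometricKey)
	kept, _ := effectiveValue(defaultBiometric(parent), biometricKey)
	fmt.Println("unconditional append:", forced)
	fmt.Println("respecting the caller:", kept)
}
```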
