Merge pull request #62 from 1Password/sl/add-create-vault-from-input-script

adding script that creates vaults based on a list of vault names provided as a text file to the script

Author: scottisloud

account-management/README.md

@@ -6,29 +6,50 @@ These examples are intended to demonstrate how the 1Password command line tool c
 
 ## Script Descriptions
 
-### [vault-details.sh](vault-details.sh)
+### [`create_vaults_from_input.py`](./create_vaults_from_input.py)
+This script will create a vault for each vault name in a file passed to the script with the `--file=` flag. Optionally remove your own access to the vault after creating it by running the script with the `--remove-me` flag. 
+
+#### Usage
+1. Install 1Password's CLI tool folowing the directions for your operating system here: https://developer.1password.com/docs/cli/get-started
+2. In the 1Password desktop application enable the integration with the CLI, as documented here: https://developer.1password.com/docs/cli/get-started#step-2-turn-on-the-1password-desktop-app-integration
+3. Open a terminal window and confirm:
+  4. the 1Password CLI (called `op`) is installed and working, and the desktop application integration is enabled, by trying `op signin` and signing into the desired 1Password account. 
+  5. Ensure that you have a version of python installed by running `python --version` or `python3 --version` (ideally you have at least python 3.7). 
+6. Download this script to a folder on your computer (e.g., `~/Downloads`). 
+7. In your terminal, move to that folder (e.g., `cd ~/Downloads`)
+8. Run the script by executing `python3 create_vaults_from_input.py --file=path/to/input/list` 
+
+
+#### Options
+By default, when a person creates a vault, they are the "vault creator" and have full permissions for each vault they create. More than likely this will be desirable in your situation. 
+
+However, if you'd like to have your access revoked so that you are not directly assigned to the vault after it's created, run the script using the `--remove-me` flag. 
+* Note that even if you remove yourself from the vaults, members of the Owners and Administrators groups will still have "Manage Vault" permissions on these vaults, and will be able to manage their own or others' access to them. 
+* To work around some current rate limiting issues related to permissions commands in the CLI, using the `--remove-me` flag will result in the script taking considerably longer to run (the script has an 11 second delay for each vault when modifying permissions to avoid rate limiting).
+
+### [`vault-details.sh`](vault-details.sh)
 
 When run by a member of the Owners group, this script provides the vault name, the number of items in the vault, the last time the vault contents were updated, and list which users and groups have access to that vault along with their permissions.
 
 When run by a non-Owner, it will provide these details for all vaults the user running the script has access to.
 
-### [remove-export-all-groups-and-vaults.sh](remove-export-all-groups-and-vault.sh)
+### [`remove-export-all-groups-and-vaults.sh`](remove-export-all-groups-and-vault.sh)
 
 When run by a member of the Owners group, this script will remove the `export items` permission for every vault that every group has access to without exception.
 
 When run by a non-Owner, this script will remove the `export` permission on vaults that the person running the script also has the `manage vault` permissions for.
 
-### [vault-permission-change.sh](vault-permission-change.sh)
+### [`vault-permission-change.sh`](vault-permission-change.sh)
 
 This script, when run by an a user with the `manage vault` (manage access) permission, will remove or add the specified vault permission(s) for the specified group(s) from all vaults (excluding Private vaults). This could be useful if you are looking to systematically remove the Administrators `manage vault` (manage access) permission from all created shared vaults, this leaving this permission to the default owners group. 
 
-### [bulk-group-prefix-update.sh](bulk-group-prefix-update.sh)
+### [`bulk-group-prefix-update.sh`](bulk-group-prefix-update.sh)
 
 This script, when run by an Owner or Administrator, will change the prefix of all group names according to your specifications. This is particularly helpful if you are needing to change an existing naming scheme.
 If you want to add prefixes where one doesn't already exist, then you can modify the `sed` substitution to: `sed 's/^/PREFIX/g'` to add a prefix to all groups.
 This does not change the name of any built in groups (e.g., "Administrators", "Owners", "Team Members").
 
-### [compliance-export.sh](compliance-export.sh)
+### [`compliance-export.sh`](compliance-export.sh)
 
 This script, when run by an adminstrator, will output all items within the specified scope (e.g., with a specific tag) as a long-formatted CSV. The export excludes any concealed fields such as password fields.
 This script may be helpful if you need to have someone verify the accuracy of the details of a 1Password item without revealing any secret values stored in that item.

account-management/create_vaults_from_input.py

@@ -0,0 +1,124 @@
+#!/usr/bin/python3
+import argparse
+import csv
+import json
+import subprocess
+import sys
+import time
+
+parser = argparse.ArgumentParser(
+    "Create a 1Password vault for each name in a list of vault names provided as a plaintext file using the --file flag.",
+    "By default, you will have full permissions on each vault created by this script."
+    "User the --remove-me flag if you'd like to revoke your own access to the vault after it is created. Members of the Owners and Administrators groups will still be able to manage this vault.",
+)
+parser.add_argument(
+    "--file",
+    action="store",
+    dest="filepath",
+    help="Specify the path to a CSV file containing the required input data.",
+    required=True,
+)
+
+parser.add_argument(
+    "--remove-me",
+    action="store_true",
+    dest="removeMe",
+    help="Remove yourself from the vaults created by this script. To avoid rate limiting, this aggressively throttles the script and each vault will take 11 seconds to process.",
+)
+
+args = parser.parse_args()
+
+
+# Get the User UUID of the person running the script. This is required for other parts of the script.
+def getMyUUID() -> str:
+    print("Ensuring you're signed into 1Password and obtaining your User ID.\n")
+    r = subprocess.run(["op", "whoami", "--format=json"], capture_output=True)
+
+    # Catch error and kill process
+    if r.returncode != 0:
+        sys.exit(
+            f"🔴 Unable to get your user UUID. Make sure you are are signed into the 1Password CLI. Error: {r.stderr.decode('utf-8')}"
+        )
+    print(f"🟢 Obtained your User ID: {json.loads(r.stdout)['user_uuid']} \n")
+    return json.loads(r.stdout)["user_uuid"]
+
+
+# Grants the group access to the corrosponding vault with defined permissions.
+def createVaultWithName(vault: str):
+    retries = 0
+    maxRetries = 3
+    print(f"\t⌛ Attempting to create vault called {vault}.")
+    while retries < maxRetries:
+        r = subprocess.run(
+            [
+                "op",
+                "vault",
+                "create",
+                vault,
+            ],
+            capture_output=True,
+        )
+        # time.sleep(11)
+        # Handle rate limit error
+        if "rate-limited" in r.stderr.decode("utf-8"):
+            # Retry after waiting for 60 seconds
+            print(r.stderr.decode("utf-8"))
+            print("💤 Sleeping for 10 minutes, go grab a coffee.")
+            time.sleep(600)
+            retries += 1
+        # Catch error but continue
+        elif r.returncode != 0 and "rate-limited" not in r.stderr.decode("utf-8"):
+            print(
+                f"\t🔴 Unable to create vault named '{vault}'. Error: ",
+                r.stderr.decode("utf-8"),
+            )
+            break
+        else:
+            print(f"\t🟢 Successfully created '{vault}'")
+            break
+
+
+# Revokes vault access for the person running the script.
+def removeCreatorPermissionsFor(vault: str, userID: str):
+    retries = 0
+    maxRetries = 3
+    print(f"\t⌛ Attempting to remove your access to the newly created vault {vault}.")
+    while retries < maxRetries:
+        r = subprocess.run(
+            ["op", "vault", "user", "revoke", f"--user={userID}", f"--vault={vault}"],
+            capture_output=True,
+        )
+        time.sleep(11)
+        # Handle rate limit error
+        if "rate-limited" in r.stderr.decode("utf-8"):
+            # Retry after waiting for 60 seconds
+            print(r.stderr.decode("utf-8"))
+            print("💤 Sleeping for 10 minutes, go grab a coffee.")
+            time.sleep(600)
+            retries += 1
+        # Catch error but continue
+        elif r.returncode != 0 and "rate-limited" not in r.stderr.decode("utf-8"):
+            print(
+                f"\t🔴 There was an issue removing your access to the vault {vault}. Error: ",
+                r.stderr.decode("utf-8"),
+            )
+            return
+        print(f"\t🟢 Succeeded in removing your access to vault {vault}.\n\n")
+        return
+
+
+def main():
+    myUUID: str = getMyUUID()
+    # Open the csv passed via the --file flag
+    with open(args.filepath, "r", newline="", encoding="utf-8") as inputFile:
+        csvReader = csv.reader(inputFile, skipinitialspace=True)
+        for row in csvReader:
+            vault: str = row[0].strip()
+            createVaultWithName(vault)
+
+            # If --remove-me flag was used, remove the script-runner's permission
+            if args.removeMe:
+                removeCreatorPermissionsFor(vault, myUUID)
+
+
+main()