fix(onepassword): support native item IDs

[chadxz]

Why?

The 1Password Connect provider's findItem() used
strfmt.IsUUID() to decide whether remoteRef.key is an item ID
or a title. This check only matches RFC 4122 UUIDs, but
1Password has never used that format — their IDs are
26-character lowercase alphanumeric strings matching
[\da-z]{26}, as defined in the Connect server OpenAPI
spec. The IsUUID gate was dead code from day one,
meaning ID-based lookups never actually worked.

This matters because 1Password's "Copy Secret Reference"
feature emits native item IDs instead of titles whenever the
title contains special characters (e.g. parentheses). Users
following that workflow get "key not found" errors with no
obvious indication of why some items work and others don't.

How?

• Verified against the 1Password Connect OpenAPI spec that
  IDs are defined as ^[\da-z]{26}$ — not RFC 4122 UUIDs.
  Confirmed the Connect SDK's own isValidUUID() uses the
  same 26-char alphanumeric pattern.
• Replaced strfmt.IsUUID() with isNativeItemID() that
  matches the actual 1Password ID format.
• Removed the strfmt import and demoted kube-openapi from
  a direct to indirect dependency.
• Tested against a live 1Password Connect server using items
  with special characters in their titles (the exact scenario
  from the bug report). Verified both native ID and title
  lookups work correctly.

Note: the same dead strfmt.IsUUID() check exists in the
1Password SDK provider (onepasswordsdk/client.go). That
provider would need the same fix applied separately.

---

Fixes #6070.

Fix 1Password Connect provider to recognize native item IDs

Problem: The provider used strfmt.IsUUID() to distinguish IDs from titles, which only matches RFC 4122 UUIDs. 1Password native item IDs are 26-character lowercase alphanumeric strings (^[\da-z]{26}$), so native ID lookups never occurred and caused "key not found" errors.

Solution: Replace strfmt.IsUUID() with a new isNativeItemID() regex-based check and update findItem() to use it. Remove the strfmt import and demote kube-openapi from a direct to an indirect dependency.

Changes:

• Add regexp import, compile ^[\da-z]{26}$ pattern, and implement isNativeItemID().
• Use isNativeItemID() in findItem() to enable native ID-based retrievals.
• Adjust go.mod to make kube-openapi an indirect dependency.
• Update tests to cover native item ID and title lookups; add a test for isNativeItemID().
• Verified against a live 1Password Connect server (items with special characters in titles).

Notes: A duplicate insertion of the native ID helper/pattern was observed in the patch and should be removed. The same bad UUID check exists in the 1Password SDK provider and needs the same fix separately.

Fixes #6070

[chadxz]

@Skarlso when you have a build I can try in my live environment let me know and I'll do it

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: ab7505e6-ac21-4a17-9123-4577c2cda4b1

📥 Commits

Reviewing files that changed from the base of the PR and between 5369c3a and 677d673.

📒 Files selected for processing (3)

• providers/v1/onepassword/go.mod
• providers/v1/onepassword/onepassword.go
• providers/v1/onepassword/onepassword_test.go

🚧 Files skipped from review as they are similar to previous changes (3)

• providers/v1/onepassword/onepassword_test.go
• providers/v1/onepassword/go.mod
• providers/v1/onepassword/onepassword.go

---

Walkthrough

Removed a direct kube-openapi dependency and introduced regex-based native item ID detection (pattern ^[\da-z]{26}$) in OnePassword provider; imports and item-lookup logic updated accordingly. Tests were adjusted to use and validate native item IDs.

Changes

Cohort / File(s)	Summary
Dependency Management providers/v1/onepassword/go.mod	Moved k8s.io/kube-openapi from a direct require to an indirect require (same version reference).
Native Item ID Validation providers/v1/onepassword/onepassword.go	Added regexp import, introduced nativeItemIDPattern and isNativeItemID(); replaced strfmt/UUID-based checks with isNativeItemID() in item lookup/control flow. Duplicate declarations observed in the patch.
Test Coverage Updates providers/v1/onepassword/onepassword_test.go	Replaced UUIDs with native item ID constants in tests, added tests for native ID retrieval and isNativeItemID() validation; updated mocks and expectations to match native ID usage.

🚥 Pre-merge checks | ✅ 2

✅ Passed checks (2 passed)

Check name	Status	Explanation
Linked Issues check	✅ Passed	PR successfully implements support for native 1Password item IDs by replacing strfmt.IsUUID() with pattern matching for 26-char IDs, directly addressing issue #6070.
Out of Scope Changes check	✅ Passed	All changes are focused on supporting native item IDs in the Connect provider; no unrelated modifications detected.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

📝 Coding Plan

• Generate coding plan for human review comments

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[Skarlso]

Hi. :) I'm afraid we don't have builds for forks. You'll have to build and push it to a registry yourself.

But that should be really easy. We even have make commands for it.

[Skarlso]

This should still be able to match old patterns, right? Meaning existing things will not break?

[chadxz]

the IsUUID was never a valid check. 1Password items don't use UUIDs for their ids, they use the format implemented in this PR.

[Skarlso]

gotcha 👍

[chadxz]

no problem I'll give it a go and report back

[chadxz]

Testing

Tested against a live 1Password Connect server (v1.7.3) in a
staging Kubernetes cluster.

Test case

Created an ExternalSecret referencing a native 1Password item
ID (q67brkpmww57auubr3bzocvehy) — an item titled "Cloudflare
Account-Owned API Token (Staging)", which is exactly the
scenario described in #6070 (special characters in the title
cause "Copy Secret Reference" to emit the native ID).

apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
  name: native-id-test
  namespace: platform
spec:
  refreshInterval: "0"
  secretStoreRef:
    kind: SecretStore
    name: 1password-connect
  data:
    - secretKey: api-token
      remoteRef:
        key: "q67brkpmww57auubr3bzocvehy"
        property: "API Token"

Results

Upstream v1.2.0 — fails with the exact error from the bug
report:

key not found in 1Password Vaults:
  q67brkpmww57auubr3bzocvehy in: map[Platform - Staging:1]

This PR — syncs successfully:

NAME             STATUS         READY
native-id-test   SecretSynced   True

The resulting Kubernetes Secret contained the correct
40-character API token value.

No regression for title-based lookups

Also verified on the patched image that looking up the same
item by its full title still works:

remoteRef:
  key: "Cloudflare Account-Owned API Token (Staging)"
  property: "API Token"

This synced successfully with the same 40-character value.

[chadxz]

Let me know if there's more I can do here.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud