From 09cdccf7a674c6f6be55194dce67f588d090909a Mon Sep 17 00:00:00 2001 From: Omid Andalib <24489388+oandalib@users.noreply.github.com> Date: Sat, 2 Nov 2024 13:51:07 -0700 Subject: [PATCH] feat: add Bitwarden Secrets Manager adapter --- lib/kamal/cli/secrets.rb | 2 +- lib/kamal/secrets/adapters.rb | 1 + lib/kamal/secrets/adapters/base.rb | 2 +- .../adapters/bitwarden_secrets_manager.rb | 32 ++++++++++ .../bitwarden_secrets_manager_adapter_test.rb | 58 +++++++++++++++++++ 5 files changed, 93 insertions(+), 2 deletions(-) create mode 100644 lib/kamal/secrets/adapters/bitwarden_secrets_manager.rb create mode 100644 test/secrets/bitwarden_secrets_manager_adapter_test.rb diff --git a/lib/kamal/cli/secrets.rb b/lib/kamal/cli/secrets.rb index b094be466..0b458f13d 100644 --- a/lib/kamal/cli/secrets.rb +++ b/lib/kamal/cli/secrets.rb @@ -1,7 +1,7 @@ class Kamal::Cli::Secrets < Kamal::Cli::Base desc "fetch [SECRETS...]", "Fetch secrets from a vault" option :adapter, type: :string, aliases: "-a", required: true, desc: "Which vault adapter to use" - option :account, type: :string, required: true, desc: "The account identifier or username" + option :account, type: :string, required: false, desc: "The account identifier or username" option :from, type: :string, required: false, desc: "A vault or folder to fetch the secrets from" option :inline, type: :boolean, required: false, hidden: true def fetch(*secrets) diff --git a/lib/kamal/secrets/adapters.rb b/lib/kamal/secrets/adapters.rb index 439c7208a..19e6daed1 100644 --- a/lib/kamal/secrets/adapters.rb +++ b/lib/kamal/secrets/adapters.rb @@ -3,6 +3,7 @@ module Kamal::Secrets::Adapters def self.lookup(name) name = "one_password" if name.downcase == "1password" name = "last_pass" if name.downcase == "lastpass" + name = "bitwarden_secrets_manager" if name.downcase == "bitwarden-sm" adapter_class(name) end diff --git a/lib/kamal/secrets/adapters/base.rb b/lib/kamal/secrets/adapters/base.rb index 579414aff..2f5e0f4c1 100644 --- a/lib/kamal/secrets/adapters/base.rb +++ b/lib/kamal/secrets/adapters/base.rb @@ -1,7 +1,7 @@ class Kamal::Secrets::Adapters::Base delegate :optionize, to: Kamal::Utils - def fetch(secrets, account:, from: nil) + def fetch(secrets, account: nil, from: nil) check_dependencies! session = login(account) full_secrets = secrets.map { |secret| [ from, secret ].compact.join("/") } diff --git a/lib/kamal/secrets/adapters/bitwarden_secrets_manager.rb b/lib/kamal/secrets/adapters/bitwarden_secrets_manager.rb new file mode 100644 index 000000000..be4b7b76c --- /dev/null +++ b/lib/kamal/secrets/adapters/bitwarden_secrets_manager.rb @@ -0,0 +1,32 @@ +class Kamal::Secrets::Adapters::BitwardenSecretsManager < Kamal::Secrets::Adapters::Base + private + def login(account) + nil + end + + def fetch_secrets(secrets, account:, session:) + {}.tap do |results| + secrets = run_command("secret list -o env") + raise RuntimeError, "Could not read secrets from Bitwarden Secrets Manager" unless $?.success? + secrets.split("\n").each do |secret| + key, value = secret.split("=", 2) + value = value.gsub(/^"|"$/, "") + results[key] = value + end + end + end + + def run_command(command, session: nil) + full_command = [ "bws", command ].join(" ") + `#{full_command}`.strip unless full_command.nil? + end + + def check_dependencies! + raise RuntimeError, "Bitwarden Secrets Manager CLI is not installed" unless cli_installed? + end + + def cli_installed? + `bws --version 2> /dev/null` + $?.success? + end +end diff --git a/test/secrets/bitwarden_secrets_manager_adapter_test.rb b/test/secrets/bitwarden_secrets_manager_adapter_test.rb new file mode 100644 index 000000000..7ff11fd15 --- /dev/null +++ b/test/secrets/bitwarden_secrets_manager_adapter_test.rb @@ -0,0 +1,58 @@ +require "test_helper" + +class BitwardenSecretsManagerAdapterTest < SecretAdapterTestCase + test "fetch" do + stub_ticks.with("bws --version 2> /dev/null") + + stub_ticks + .with("bws secret list -o env") + .returns("KAMAL_REGISTRY_PASSWORD=\"some_password\"\nMY_OTHER_SECRET=\"my=weird\"secret\"") + + actual = shellunescape(run_command("fetch")) + + expected = + '{"KAMAL_REGISTRY_PASSWORD":"some_password","MY_OTHER_SECRET":"my\=weird\"secret"}' + + assert_equal expected, actual + end + + test "fetch empty" do + stub_ticks.with("bws --version 2> /dev/null") + + stub_ticks_with("bws secret list -o env", succeed: false).returns("Error:\n0: Received error message from server") + + error = assert_raises RuntimeError do + (shellunescape(run_command("fetch"))) + end + assert_equal("Could not read secrets from Bitwarden Secrets Manager", error.message) + end + + test "fetch with no session token" do + stub_ticks.with("bws --version 2> /dev/null") + + stub_ticks_with("bws secret list -o env", succeed: false).returns("Error:\n0: Missing access token") + + error = assert_raises RuntimeError do + (shellunescape(run_command("fetch"))) + end + assert_equal("Could not read secrets from Bitwarden Secrets Manager", error.message) + end + + test "fetch without CLI installed" do + stub_ticks_with("bws --version 2> /dev/null", succeed: false) + + error = assert_raises RuntimeError do + shellunescape(run_command("fetch")) + end + assert_equal "Bitwarden Secrets Manager CLI is not installed", error.message + end + + private + def run_command(*command) + stdouted do + Kamal::Cli::Secrets.start \ + [ *command, + "--adapter", "bitwarden-sm" ] + end + end +end