KNEL/KNELSecretsManager
2
0
Fork 0
Code Pull Requests Actions Packages Releases Activity

feat: Complete rewrite of secrets management with production-ready bash script

Browse Source 
Major enhancements:
- New secrets-manager.sh script with comprehensive functionality
- Automated Bitwarden CLI installation (snap/npm/direct download)
- Configuration file management with sample template
- Multiple commands: install, get, list, test
- Robust error handling with specific exit codes
- Comprehensive logging and session cleanup
- Security improvements: proper gitignore, credential protection

Documentation:
- Complete README rewrite with detailed usage examples
- Installation instructions and troubleshooting guide
- Command reference and error code documentation
- Security considerations and best practices

Files added:
- secrets-manager.sh: Main production script (replaces poc.sh approach)
- bitwarden-config.conf.sample: Configuration template
- .gitignore: Protects credentials and temporary files

This version combines lessons learned from poc.sh and prod.sh attempts,
providing a single, reliable solution for Bitwarden CLI management on Linux.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
This commit is contained in:
Charles N Wyble - admin
2025-07-15 19:05:52 -05:00
parent bcda9c05f9
commit 33ae637781
4 changed files with 498 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

291
secrets-manager.sh Normal file
View File

@@ -0,0 +1,291 @@
#!/usr/bin/env bash
# TSYS Secrets Manager - Complete Bitwarden CLI management script
# Handles installation, configuration, authentication, and secret retrieval
set -o errexit
set -o nounset
set -o pipefail
IFS=$'\n\t'
readonly SCRIPT_NAME=$(basename "$0")
readonly SCRIPT_VERSION="2.0"
readonly SCRIPT_DESC="TSYS Secrets Manager - Complete Bitwarden CLI solution"
readonly DEFAULT_CONFIG_FILE="./bitwarden-config.conf"
readonly LOG_FILE="/tmp/${SCRIPT_NAME}.log"
readonly TIMESTAMP=$(date '+%Y-%m-%d %H:%M:%S')
info() { echo "[INFO] [$TIMESTAMP] $*" | tee -a "$LOG_FILE"; }
warn() { echo "[WARN] [$TIMESTAMP] $*" | tee -a "$LOG_FILE"; }
error() { echo "[ERROR] [$TIMESTAMP] $*" >&2 | tee -a "$LOG_FILE"; }
readonly ERR_CONFIG_NOT_FOUND=10
readonly ERR_BW_NOT_INSTALLED=20
readonly ERR_BW_INSTALL_FAILED=30
readonly ERR_BW_SERVER_CONFIG=40
readonly ERR_SESSION_INVALID=50
readonly ERR_SECRET_NOT_FOUND=60
readonly ERR_LOGIN_FAILED=70
cleanup() {
info "Cleaning up session data..."
unset BW_SESSION 2>/dev/null || true
}
install_bitwarden_cli() {
info "Checking if Bitwarden CLI is installed..."
if command -v bw &>/dev/null; then
local version=$(bw --version)
info "Bitwarden CLI already installed: $version"
return 0
fi
info "Installing Bitwarden CLI..."
if command -v snap &>/dev/null; then
info "Installing via snap..."
if sudo snap install bw; then
info "Bitwarden CLI installed successfully via snap"
return 0
fi
fi
if command -v npm &>/dev/null; then
info "Installing via npm..."
if sudo npm install -g @bitwarden/cli; then
info "Bitwarden CLI installed successfully via npm"
return 0
fi
fi
info "Installing via direct download..."
local bw_url="https://github.com/bitwarden/clients/releases/latest/download/bw-linux-1.22.1.zip"
local temp_dir=$(mktemp -d)
if command -v wget &>/dev/null; then
wget -O "$temp_dir/bw.zip" "$bw_url"
elif command -v curl &>/dev/null; then
curl -L -o "$temp_dir/bw.zip" "$bw_url"
else
error "Neither wget nor curl available for download"
exit $ERR_BW_INSTALL_FAILED
fi
if command -v unzip &>/dev/null; then
unzip "$temp_dir/bw.zip" -d "$temp_dir"
sudo mv "$temp_dir/bw" /usr/local/bin/
sudo chmod +x /usr/local/bin/bw
rm -rf "$temp_dir"
info "Bitwarden CLI installed successfully via direct download"
else
error "unzip not available to extract Bitwarden CLI"
exit $ERR_BW_INSTALL_FAILED
fi
}
load_config() {
local config_file="${1:-$DEFAULT_CONFIG_FILE}"
if [[ ! -f "$config_file" ]]; then
error "Configuration file not found: $config_file"
error "Please create a configuration file or use --config option"
exit $ERR_CONFIG_NOT_FOUND
fi
info "Loading configuration from: $config_file"
source "$config_file"
if [[ -z "${BW_SERVER_URL:-}" ]]; then
error "BW_SERVER_URL not defined in config file"
exit $ERR_CONFIG_NOT_FOUND
fi
if [[ -z "${BW_CLIENTID:-}" ]] || [[ -z "${BW_CLIENTSECRET:-}" ]]; then
error "BW_CLIENTID and BW_CLIENTSECRET must be defined in config file"
exit $ERR_CONFIG_NOT_FOUND
fi
if [[ -z "${BW_PASSWORD:-}" ]]; then
error "BW_PASSWORD must be defined in config file"
exit $ERR_CONFIG_NOT_FOUND
fi
}
setup_bitwarden_server() {
info "Configuring Bitwarden server to $BW_SERVER_URL..."
if ! bw config server "$BW_SERVER_URL" >/dev/null 2>&1; then
error "Failed to configure Bitwarden server"
exit $ERR_BW_SERVER_CONFIG
fi
info "Bitwarden server configured successfully"
}
login_and_unlock() {
info "Logging out any existing session..."
bw logout >/dev/null 2>&1 || true
info "Logging in with API key..."
if ! bw login --apikey "$BW_CLIENTID" "$BW_CLIENTSECRET" >/dev/null 2>&1; then
error "Failed to login with API key"
exit $ERR_LOGIN_FAILED
fi
info "Unlocking vault..."
local session_token
session_token=$(echo "$BW_PASSWORD" | bw unlock --raw 2>/dev/null)
if [[ -z "$session_token" ]]; then
error "Failed to unlock vault with provided password"
exit $ERR_SESSION_INVALID
fi
export BW_SESSION="$session_token"
info "Vault unlocked successfully"
}
fetch_secret() {
local secret_name="$1"
local secret_value
info "Fetching secret: $secret_name"
if ! secret_value=$(bw get password "$secret_name" --session "$BW_SESSION" 2>/dev/null); then
error "Failed to retrieve secret: $secret_name"
exit $ERR_SECRET_NOT_FOUND
fi
if [[ -z "$secret_value" ]]; then
error "Secret '$secret_name' is empty or not found"
exit $ERR_SECRET_NOT_FOUND
fi
echo "$secret_value"
}
list_secrets() {
info "Listing all available items..."
bw list items --session "$BW_SESSION" | jq -r '.[] | .name' 2>/dev/null || {
bw list items --session "$BW_SESSION" | grep '"name"' | cut -d'"' -f4
}
}
usage() {
cat <<EOF
$SCRIPT_DESC
Usage:
$SCRIPT_NAME [OPTIONS] COMMAND [ARGS]
Commands:
install Install Bitwarden CLI
get <secret_name> Retrieve a specific secret
list List all available secrets
test Test configuration and connectivity
Options:
-c, --config FILE Use specific config file (default: $DEFAULT_CONFIG_FILE)
-h, --help Show this help message
-v, --version Show version information
Examples:
$SCRIPT_NAME install
$SCRIPT_NAME get APIKEY-pushover
$SCRIPT_NAME list
$SCRIPT_NAME --config /path/to/config.conf get my-secret
Environment Variables (can be set in config file):
BW_SERVER_URL Bitwarden server URL
BW_CLIENTID API client ID
BW_CLIENTSECRET API client secret
BW_PASSWORD Master password
EOF
}
main() {
local config_file="$DEFAULT_CONFIG_FILE"
local command=""
while [[ $# -gt 0 ]]; do
case $1 in
-c|--config)
config_file="$2"
shift 2
;;
-h|--help)
usage
exit 0
;;
-v|--version)
echo "$SCRIPT_NAME version $SCRIPT_VERSION"
exit 0
;;
install)
command="install"
shift
;;
get)
command="get"
secret_name="$2"
shift 2
;;
list)
command="list"
shift
;;
test)
command="test"
shift
;;
*)
error "Unknown option: $1"
usage
exit 1
;;
esac
done
case "$command" in
install)
install_bitwarden_cli
;;
get)
if [[ -z "${secret_name:-}" ]]; then
error "Secret name required for 'get' command"
usage
exit 1
fi
load_config "$config_file"
install_bitwarden_cli
setup_bitwarden_server
login_and_unlock
fetch_secret "$secret_name"
;;
list)
load_config "$config_file"
install_bitwarden_cli
setup_bitwarden_server
login_and_unlock
list_secrets
;;
test)
load_config "$config_file"
install_bitwarden_cli
setup_bitwarden_server
login_and_unlock
info "Configuration test successful!"
;;
*)
error "No command specified"
usage
exit 1
;;
esac
}
trap cleanup EXIT INT TERM
main "$@"