diff --git a/prod.sh b/prod.sh
new file mode 100644
index 0000000..add4c67
--- /dev/null
+++ b/prod.sh
@@ -0,0 +1,143 @@
+#!/usr/bin/env bash
+# shellcheck disable=SC1090
+
+# Bash3 Boilerplate Setup
+set -o errexit
+set -o nounset
+set -o pipefail
+IFS=$'\n\t'
+
+# Constants
+readonly SCRIPT_NAME=$(basename "$0")
+readonly SCRIPT_VERSION="1.0"
+readonly SCRIPT_AUTHOR="Charles N Wyble"
+readonly SCRIPT_DESC="TSYS Secrets Manager - Fetch secrets using the Bitwarden CLI"
+
+# Configuration
+readonly BW_SERVER_URL="https://pwvault.turnsys.com" # Updated Bitwarden server URL
+
+# Logging and Debugging
+readonly LOG_FILE="/tmp/${SCRIPT_NAME}.log"
+readonly TIMESTAMP=$(date '+%m-%d-%Y %H:%M:%S')
+info() { echo "[INFO] [$TIMESTAMP] $*" | tee -a "$LOG_FILE"; }
+error() { echo "[ERROR] [$TIMESTAMP] $*" >&2 | tee -a "$LOG_FILE"; }
+
+# Default Exit Codes
+readonly ERR_BW_NOT_INSTALLED=10
+readonly ERR_BW_SERVER_CONFIG=20
+readonly ERR_SESSION_INVALID=30
+readonly ERR_SECRET_NOT_FOUND=40
+
+# Cleanup function to unset session environment variable
+cleanup() {
+ info "Cleaning up and unsetting session environment variable."
+ unset BW_SESSION
+}
+
+# Function: Setup Bitwarden server configuration
+setup_bitwarden_server() {
+ info "Configuring Bitwarden server to $BW_SERVER_URL..."
+ # Set the server URL for Bitwarden CLI
+ if ! bw config --quiet server "$BW_SERVER_URL"; then
+ error "Failed to configure Bitwarden server."
+ exit $ERR_BW_SERVER_CONFIG
+ fi
+ info "Bitwarden server configured successfully."
+}
+
+# Function: Fetch or initialize Bitwarden session
+fetch_bw_session() {
+ local session_token
+
+ # Check if Bitwarden CLI is installed
+ if ! command -v bw &>/dev/null; then
+ error "Bitwarden CLI (bw) is not installed or not in PATH. Please install it and try again."
+ exit $ERR_BW_NOT_INSTALLED
+ fi
+
+ # Check for existing session environment variable and reuse if valid
+ if [[ -n "${BW_SESSION:-}" ]] && bw unlock --check --session "$BW_SESSION" >/dev/null 2>&1; then
+ info "Using existing Bitwarden session token."
+ return
+ fi
+
+ # Unlock the Bitwarden vault and obtain a new session token
+ info "Unlocking Bitwarden vault..."
+
+ bw login --apikey $BW_CLIENTID $BW_CLIENTSECRET
+
+ session_token=$(bw unlock --passwordenv TSYS_BW_PASSWORD_REACHABLECEO --raw)
+ if [[ -z "$session_token" ]]; then
+ error "Failed to unlock Bitwarden vault. Ensure you're logged in using 'bw login'."
+ exit $ERR_SESSION_INVALID
+ fi
+
+ export BW_SESSION="$session_token"
+ info "Session initialized successfully."
+}
+
+# Function: Fetch a secret by name
+fetch_secret() {
+ local secret_name="$1"
+ local secret_value
+
+ info "Fetching secret '$secret_name' from Bitwarden..."
+ if ! secret_value=$(bw get password "$secret_name" --session "$BW_SESSION"); then
+ error "Failed to retrieve the secret '$secret_name'. Ensure the secret exists in the vault."
+ exit $ERR_SECRET_NOT_FOUND
+ fi
+
+ if [[ -z "$secret_value" ]]; then
+ error "Secret '$secret_name' is empty or not found. Check the vault for proper configuration."
+ exit $ERR_SECRET_NOT_FOUND
+ fi
+
+}
+
+# Function: Display usage instructions
+usage() {
+ cat <
+
+Options:
+ -h, --help Display this help message.
+
+Example:
+ $SCRIPT_NAME tsys_api_key
+EOF
+}
+
+# Main function
+main() {
+
+ bw logout || true
+
+ source D:/tsys/secrets/bitwarden/data/apikey-bitwarden-reachableceo
+
+ local secret_name="$1"
+
+ # Setup Bitwarden server and session management
+ setup_bitwarden_server
+ fetch_bw_session
+
+ # Fetch the specified secret
+ secret_value=$(fetch_secret "$secret_name")
+ info "Secret '$secret_name' fetched successfully."
+
+ echo "Secret value is: $secret_value"
+
+}
+
+# Trap signals (Ctrl+C, kill, etc.) to ensure cleanup happens
+trap cleanup EXIT INT TERM
+
+# Argument parsing
+if [[ $# -lt 1 ]] || [[ "$1" == "-h" ]] || [[ "$1" == "--help" ]]; then
+ usage
+ exit 0
+fi
+
+main "$1"
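Review bot: `bw login --apikey $BW_CLIENTID $BW_CLIENTSECRET` in fetch_bw_session puts the API client secret on the command line, where any local user can read it from the process list and where it would also be echoed into the log if `set -x` is ever enabled; `bw login --apikey` reads `BW_CLIENTID` and `BW_CLIENTSECRET` from the environment, so the line should be just `bw login --apikey`, with the sourced apikey file exporting those two variables (that file is outside this diff, so confirm it does). The unquoted expansions would additionally abort the script under `set -o nounset` if either variable is missing, with no error message from this script. Separately, `error()` redirects to stderr before the pipe, so `tee` receives nothing and failures never reach `$LOG_FILE`; `{ echo "[ERROR] [$TIMESTAMP] $*" | tee -a "$LOG_FILE"; } >&2` keeps both destinations. Note also that `info()` writes to stdout through `tee` and `fetch_secret` never prints `$secret_value`, so `secret_value=$(fetch_secret "$secret_name")` in main captures the "[INFO] Fetching secret…" line instead of the secret; send info output to stderr and end fetch_secret with `printf '%s\n' "$secret_value"`. The log at the predictable, shared `/tmp/${SCRIPT_NAME}.log` is appended to by every run and records which secret names are fetched, so a per-user directory (or `mktemp`) would be safer.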