Go to file

ReachableCEO 33ae637781 feat: Complete rewrite of secrets management with production-ready bash script

Major enhancements:
- New secrets-manager.sh script with comprehensive functionality
- Automated Bitwarden CLI installation (snap/npm/direct download)
- Configuration file management with sample template
- Multiple commands: install, get, list, test
- Robust error handling with specific exit codes
- Comprehensive logging and session cleanup
- Security improvements: proper gitignore, credential protection

Documentation:
- Complete README rewrite with detailed usage examples
- Installation instructions and troubleshooting guide
- Command reference and error code documentation
- Security considerations and best practices

Files added:
- secrets-manager.sh: Main production script (replaces poc.sh approach)
- bitwarden-config.conf.sample: Configuration template
- .gitignore: Protects credentials and temporary files

This version combines lessons learned from poc.sh and prod.sh attempts,
providing a single, reliable solution for Bitwarden CLI management on Linux.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

2025-07-15 19:05:52 -05:00

.gitignore

feat: Complete rewrite of secrets management with production-ready bash script

2025-07-15 19:05:52 -05:00

bitwarden-config.conf.sample

feat: Complete rewrite of secrets management with production-ready bash script

2025-07-15 19:05:52 -05:00

LICENSE

Initial commit

2024-11-24 04:02:14 +00:00

poc.sh

full example poc

2024-11-29 14:47:05 -06:00

prod.sh

this is going to get lots of activity soon

2025-07-10 14:03:04 -05:00

README.md

feat: Complete rewrite of secrets management with production-ready bash script

2025-07-15 19:05:52 -05:00

secrets-manager.sh

feat: Complete rewrite of secrets management with production-ready bash script

2025-07-15 19:05:52 -05:00

README.md

TSYS Secrets Manager

A comprehensive bash script solution for managing secrets at TSYS using the Bitwarden CLI. This tool provides automated installation, configuration, and secure secret retrieval from your Bitwarden vault.

Features

Automated Installation: Automatically detects and installs Bitwarden CLI via multiple methods (snap, npm, direct download)
Configuration Management: Uses secure configuration files for server and authentication details
Multiple Commands: Support for installation, secret retrieval, listing, and testing
Robust Error Handling: Comprehensive error codes and detailed logging
Security-First: Proper session management, cleanup, and credential handling
Cross-Platform: Designed for Linux environments with multiple installation fallbacks

Quick Start

Clone and Setup:

git clone <repository-url>
cd KNELSecretsManager
chmod +x secrets-manager.sh

Create Configuration:

cp bitwarden-config.conf.sample bitwarden-config.conf
# Edit bitwarden-config.conf with your actual Bitwarden credentials

Install Bitwarden CLI (if not already installed):
```
./secrets-manager.sh install
```
Test Your Setup:
```
./secrets-manager.sh test
```

Retrieve Secrets:

./secrets-manager.sh get APIKEY-pushover

Configuration

Create a bitwarden-config.conf file based on the provided sample:

# Bitwarden server URL
BW_SERVER_URL="https://pwvault.turnsys.com"

# API credentials (from Bitwarden account settings)
BW_CLIENTID="your_client_id_here"
BW_CLIENTSECRET="your_client_secret_here"

# Master password
BW_PASSWORD="your_master_password_here"

Security Note: The actual configuration file is automatically ignored by git to prevent credential exposure.

Usage

Command Reference

./secrets-manager.sh [OPTIONS] COMMAND [ARGS]

Commands

install - Install Bitwarden CLI
get <secret_name> - Retrieve a specific secret
list - List all available secrets in your vault
test - Test configuration and connectivity

Options

-c, --config FILE - Use specific config file (default: ./bitwarden-config.conf)
-h, --help - Show help message
-v, --version - Show version information

Examples

# Install Bitwarden CLI
./secrets-manager.sh install

# Test your configuration
./secrets-manager.sh test

# Get a specific secret
./secrets-manager.sh get APIKEY-pushover

# List all available secrets
./secrets-manager.sh list

# Use a custom config file
./secrets-manager.sh --config /path/to/custom.conf get my-secret

Using in Scripts

#!/bin/bash
# Example: Load API key into environment variable
export PUSHOVER_API="$(./secrets-manager.sh get APIKEY-pushover)"

# Use the secret in your application
curl -X POST "https://api.pushover.net/1/messages.json" \
  -d "token=$PUSHOVER_API" \
  -d "user=your_user_key" \
  -d "message=Hello from TSYS!"

Installation Methods

The script automatically tries multiple installation methods in order:

Snap Package (if snapd is available)
NPM Global Package (if npm is available)
Direct Binary Download (fallback method)

Error Codes

Code	Description
10	Configuration file not found
20	Bitwarden CLI not installed
30	Bitwarden CLI installation failed
40	Server configuration failed
50	Session/unlock failed
60	Secret not found
70	Login failed

Logging

All operations are logged to /tmp/secrets-manager.sh.log for debugging and audit purposes.

Security Considerations

Configuration files containing credentials are automatically gitignored
Session tokens are properly cleaned up on script exit
Master passwords are handled securely without shell history exposure
All sensitive operations include proper error handling

Legacy Scripts

This repository also contains previous implementations:

poc.sh - Original proof of concept
prod.sh - ChatGPT-assisted production attempt

The new secrets-manager.sh combines the best features of both while adding robust error handling, installation management, and improved security.

Contributing

When contributing to this project:

Test all changes thoroughly
Update documentation as needed
Follow existing code style and conventions
Ensure security best practices are maintained

License

See LICENSE file for details.