fujin-secrets-bitwarden 0.16.0__tar.gz

fujin_secrets_bitwarden-0.16.0/PKG-INFO

@@ -0,0 +1,80 @@
+Metadata-Version: 2.3
+Name: fujin-secrets-bitwarden
+Version: 0.16.0
+Summary: Bitwarden secret adapter for Fujin
+Author: Tobi
+Author-email: Tobi <tobidegnon@proton.me>
+Classifier: Programming Language :: Python :: 3 :: Only
+Classifier: Programming Language :: Python :: 3.10
+Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
+Classifier: Programming Language :: Python :: 3.13
+Classifier: Programming Language :: Python :: 3.14
+Requires-Dist: fujin-cli>=0.16
+Requires-Dist: python-dotenv>=1.0.1
+Requires-Python: >=3.10
+Project-URL: Homepage, https://github.com/Tobi-De/fujin
+Project-URL: Issues, https://github.com/Tobi-De/fujin/issues
+Project-URL: Source, https://github.com/Tobi-De/fujin
+Description-Content-Type: text/markdown
+
+# Fujin Secrets - Bitwarden
+
+Bitwarden secret adapter for Fujin deployment tool.
+
+## Installation
+
+```bash
+pip install fujin-secrets-bitwarden
+```
+
+Or with uv:
+
+```bash
+uv pip install fujin-secrets-bitwarden
+```
+
+## Prerequisites
+
+Download and install the [Bitwarden CLI](https://bitwarden.com/help/cli/#download-and-install) and log in to your account.
+
+You should be able to run `bw get password <name_of_secret>` and get the value for the secret. This is the command that will be executed when pulling your secrets.
+
+## Configuration
+
+Add the following to your `fujin.toml` file:
+
+```toml
+[secrets]
+adapter = "bitwarden"
+password_env = "BW_PASSWORD"
+```
+
+To unlock the Bitwarden vault, the password is required. Set the `BW_PASSWORD` environment variable in your shell. When Fujin signs in, it will always sync the vault first.
+
+Alternatively, you can set the `BW_SESSION` environment variable. If `BW_SESSION` is present, Fujin will use it directly without signing in or syncing the vault. In this case, the `password_env` configuration is not required.
+
+## Usage
+
+In your environment file (`.env` or configured via `envfile` in `fujin.toml`), prefix secret values with `$`:
+
+```env
+DEBUG=False
+AWS_ACCESS_KEY_ID=$AWS_ACCESS_KEY_ID
+AWS_SECRET_ACCESS_KEY=$AWS_SECRET_ACCESS_KEY
+```
+
+The `$` sign indicates to Fujin that it is a secret that should be resolved using the configured adapter.
+
+## How it Works
+
+The adapter:
+1. Authenticates with Bitwarden using `BW_SESSION` or unlocks the vault with the configured password
+2. Syncs the vault (when unlocking)
+3. Resolves all secrets concurrently using `bw get password <name> --raw`
+4. Returns the resolved environment variables
+
+## Related
+
+- [Fujin Documentation](https://github.com/Tobi-De/fujin)
+- [Bitwarden CLI Documentation](https://bitwarden.com/help/cli/)

fujin_secrets_bitwarden-0.16.0/README.md

@@ -0,0 +1,60 @@
+# Fujin Secrets - Bitwarden
+
+Bitwarden secret adapter for Fujin deployment tool.
+
+## Installation
+
+```bash
+pip install fujin-secrets-bitwarden
+```
+
+Or with uv:
+
+```bash
+uv pip install fujin-secrets-bitwarden
+```
+
+## Prerequisites
+
+Download and install the [Bitwarden CLI](https://bitwarden.com/help/cli/#download-and-install) and log in to your account.
+
+You should be able to run `bw get password <name_of_secret>` and get the value for the secret. This is the command that will be executed when pulling your secrets.
+
+## Configuration
+
+Add the following to your `fujin.toml` file:
+
+```toml
+[secrets]
+adapter = "bitwarden"
+password_env = "BW_PASSWORD"
+```
+
+To unlock the Bitwarden vault, the password is required. Set the `BW_PASSWORD` environment variable in your shell. When Fujin signs in, it will always sync the vault first.
+
+Alternatively, you can set the `BW_SESSION` environment variable. If `BW_SESSION` is present, Fujin will use it directly without signing in or syncing the vault. In this case, the `password_env` configuration is not required.
+
+## Usage
+
+In your environment file (`.env` or configured via `envfile` in `fujin.toml`), prefix secret values with `$`:
+
+```env
+DEBUG=False
+AWS_ACCESS_KEY_ID=$AWS_ACCESS_KEY_ID
+AWS_SECRET_ACCESS_KEY=$AWS_SECRET_ACCESS_KEY
+```
+
+The `$` sign indicates to Fujin that it is a secret that should be resolved using the configured adapter.
+
+## How it Works
+
+The adapter:
+1. Authenticates with Bitwarden using `BW_SESSION` or unlocks the vault with the configured password
+2. Syncs the vault (when unlocking)
+3. Resolves all secrets concurrently using `bw get password <name> --raw`
+4. Returns the resolved environment variables
+
+## Related
+
+- [Fujin Documentation](https://github.com/Tobi-De/fujin)
+- [Bitwarden CLI Documentation](https://bitwarden.com/help/cli/)

fujin_secrets_bitwarden-0.16.0/pyproject.toml

@@ -0,0 +1,33 @@
+[build-system]
+build-backend = "uv_build"
+requires = [ "uv-build>=0.9.18,<0.10" ]
+
+[project]
+name = "fujin-secrets-bitwarden"
+version = "0.16.0"
+description = "Bitwarden secret adapter for Fujin"
+readme = "README.md"
+authors = [
+  { name = "Tobi", email = "tobidegnon@proton.me" },
+]
+requires-python = ">=3.10"
+classifiers = [
+  "Programming Language :: Python :: 3 :: Only",
+  "Programming Language :: Python :: 3.10",
+  "Programming Language :: Python :: 3.11",
+  "Programming Language :: Python :: 3.12",
+  "Programming Language :: Python :: 3.13",
+  "Programming Language :: Python :: 3.14",
+]
+dependencies = [
+  "fujin-cli>=0.16",
+  "python-dotenv>=1.0.1",
+]
+
+urls.Homepage = "https://github.com/Tobi-De/fujin"
+urls.Issues = "https://github.com/Tobi-De/fujin/issues"
+urls.Source = "https://github.com/Tobi-De/fujin"
+entry-points."fujin.secrets".bitwarden = "fujin_secrets_bitwarden:bitwarden"
+
+[tool.uv.sources]
+fujin-cli = { workspace = true }

fujin_secrets_bitwarden-0.16.0/src/fujin_secrets_bitwarden/__init__.py

@@ -0,0 +1,165 @@
+"""Bitwarden secret adapter for Fujin."""
+
+from __future__ import annotations
+
+import os
+import subprocess
+from concurrent.futures import ThreadPoolExecutor, as_completed
+from contextlib import closing
+from io import StringIO
+
+from dotenv import dotenv_values
+from fujin.config import SecretConfig
+from fujin.errors import SecretResolutionError
+
+__version__ = "0.1.0"
+
+
+def bitwarden(env_content: str, secret_config: SecretConfig) -> str:
+    """Bitwarden secret adapter.
+
+    Retrieves secrets from Bitwarden vault using the `bw` CLI.
+    Handles concurrent resolution of multiple secrets for performance.
+
+    Configuration:
+        - Requires BW_SESSION environment variable, OR
+        - Set password_env to unlock vault using environment variable
+
+    Example fujin.toml:
+        [secrets]
+        adapter = "bitwarden"
+        password_env = "BW_PASSWORD"  # Optional
+
+    Args:
+        env_content: Raw environment file content
+        secret_config: Secret configuration with adapter settings
+
+    Returns:
+        Resolved environment content with secrets replaced
+
+    Raises:
+        SecretResolutionError: If authentication fails or secret not found
+    """
+    # Parse env file
+    with closing(StringIO(env_content)) as buffer:
+        env_dict = dotenv_values(stream=buffer)
+
+    # Identify secrets (values starting with $)
+    secrets = {
+        key: value for key, value in env_dict.items() if value and value.startswith("$")
+    }
+
+    if not secrets:
+        return env_content
+
+    # Authenticate with Bitwarden
+    session = os.getenv("BW_SESSION")
+    if not session:
+        if not secret_config.password_env:
+            raise SecretResolutionError(
+                "You need to set the password_env to use the bitwarden adapter "
+                "or set the BW_SESSION environment variable",
+                adapter="bitwarden",
+            )
+        session = _signin(secret_config.password_env)
+
+    # Resolve secrets concurrently
+    resolved_secrets = {}
+    with ThreadPoolExecutor() as executor:
+        future_to_key = {
+            executor.submit(_read_secret, secret[1:], session): key
+            for key, secret in secrets.items()
+        }
+
+        for future in as_completed(future_to_key):
+            key = future_to_key[future]
+            try:
+                resolved_secrets[key] = future.result()
+            except Exception as e:
+                raise SecretResolutionError(
+                    f"Failed to retrieve secret for {key}: {e}",
+                    adapter="bitwarden",
+                    key=key,
+                ) from e
+
+    # Merge resolved secrets back into env dict
+    env_dict.update(resolved_secrets)
+
+    return "\n".join(f'{key}="{value}"' for key, value in env_dict.items())
+
+
+def _read_secret(name: str, session: str) -> str:
+    """Read a single secret from Bitwarden.
+
+    Args:
+        name: Secret name/identifier
+        session: Bitwarden session token
+
+    Returns:
+        Secret value
+
+    Raises:
+        SecretResolutionError: If secret not found
+    """
+    result = subprocess.run(
+        [
+            "bw",
+            "get",
+            "password",
+            name,
+            "--raw",
+            "--session",
+            session,
+            "--nointeraction",
+        ],
+        capture_output=True,
+        text=True,
+    )
+
+    if result.returncode != 0:
+        raise SecretResolutionError(
+            f"Password not found for {name}", adapter="bitwarden", key=name
+        )
+
+    return result.stdout.strip()
+
+
+def _signin(password_env: str) -> str:
+    """Unlock Bitwarden vault and return session token.
+
+    Args:
+        password_env: Name of environment variable containing vault password
+
+    Returns:
+        Bitwarden session token
+
+    Raises:
+        SecretResolutionError: If authentication fails
+    """
+    # Sync vault first
+    sync_result = subprocess.run(["bw", "sync"], capture_output=True, text=True)
+    if sync_result.returncode != 0:
+        raise SecretResolutionError(
+            f"Bitwarden sync failed: {sync_result.stdout}", adapter="bitwarden"
+        )
+
+    # Unlock vault
+    unlock_result = subprocess.run(
+        [
+            "bw",
+            "unlock",
+            "--nointeraction",
+            "--passwordenv",
+            password_env,
+            "--raw",
+        ],
+        capture_output=True,
+        text=True,
+    )
+
+    if unlock_result.returncode != 0:
+        raise SecretResolutionError(
+            f"Bitwarden unlock failed: {unlock_result.stderr}", adapter="bitwarden"
+        )
+
+    return unlock_result.stdout.strip()