toru-vault 0.1.0__py3-none-any.whl

toru_vault/__init__.py

@@ -0,0 +1,5 @@
+#!/usr/bin/env python3
+# Import functions from the core module
+from .vault import env_load, env_load_all, get, get_all
+
+__all__ = ["env_load", "env_load_all", "get", "get_all"]

toru_vault/__main__.py

@@ -0,0 +1,182 @@
+#!/usr/bin/env python3
+"""
+Command-line interface for the vault package.
+"""
+import argparse
+import os
+import sys
+import getpass
+
+from .vault import (_initialize_client, set_to_keyring, _get_from_keyring_or_env,
+                   _KEYRING_BWS_TOKEN_KEY, _KEYRING_ORG_ID_KEY, _KEYRING_STATE_FILE_KEY, 
+                   _KEYRING_AVAILABLE)
+
+
+def list_projects(organization_id=None):
+    """
+    List all projects and their IDs for the given organization.
+    
+    Args:
+        organization_id (str, optional): Organization ID
+    
+    Returns:
+        list: List of projects
+    """
+    # Check for organization ID
+    if not organization_id:
+        organization_id = _get_from_keyring_or_env(_KEYRING_ORG_ID_KEY, "ORGANIZATION_ID")
+        if not organization_id:
+            print("Error: ORGANIZATION_ID not found in keyring or environment variable")
+            sys.exit(1)
+    
+    try:
+        # Initialize client
+        client = _initialize_client()
+        
+        # Get all projects
+        projects = client.projects().list(organization_id)
+        
+        if not hasattr(projects, 'data') or not hasattr(projects.data, 'data'):
+            print("No projects found or invalid response format")
+            return []
+        
+        return projects.data.data
+    except Exception as e:
+        print(f"Error listing projects: {e}")
+        sys.exit(1)
+
+
+def init_vault():
+    """
+    Initialize vault by storing BWS_TOKEN, ORGANIZATION_ID, and STATE_FILE in keyring.
+    
+    Returns:
+        bool: True if initialization was successful
+    """
+    # Check if keyring is available
+    if not _KEYRING_AVAILABLE:
+        print("Error: keyring package is not available. Cannot securely store credentials.")
+        return False
+
+    # Get existing values
+    existing_token = _get_from_keyring_or_env(_KEYRING_BWS_TOKEN_KEY, "BWS_TOKEN")
+    existing_org_id = _get_from_keyring_or_env(_KEYRING_ORG_ID_KEY, "ORGANIZATION_ID")
+    existing_state_file = _get_from_keyring_or_env(_KEYRING_STATE_FILE_KEY, "STATE_FILE")
+    
+    # Suggest current directory for STATE_FILE if not set
+    current_dir = os.getcwd()
+    suggested_state_file = os.path.join(current_dir, "state")
+    
+    # Ask for BWS_TOKEN or use existing
+    if existing_token:
+        print(f"Found existing BWS_TOKEN {'in keyring' if _KEYRING_AVAILABLE else 'in environment'}")
+        new_token = getpass.getpass("Enter new BWS_TOKEN (leave empty to keep existing): ")
+        token = new_token if new_token else existing_token
+    else:
+        token = getpass.getpass("Enter BWS_TOKEN: ")
+        if not token:
+            print("Error: BWS_TOKEN is required")
+            return False
+    
+    # Ask for ORGANIZATION_ID or use existing
+    if existing_org_id:
+        print(f"Found existing ORGANIZATION_ID {'in keyring' if _KEYRING_AVAILABLE else 'in environment'}")
+        new_org_id = input("Enter new ORGANIZATION_ID (leave empty to keep existing): ")
+        org_id = new_org_id if new_org_id else existing_org_id
+    else:
+        org_id = input("Enter ORGANIZATION_ID: ")
+        if not org_id:
+            print("Error: ORGANIZATION_ID is required")
+            return False
+    
+    # Ask for STATE_FILE or use existing
+    if existing_state_file:
+        print(f"Found existing STATE_FILE {'in keyring' if _KEYRING_AVAILABLE else 'in environment'}: {existing_state_file}")
+        new_state_file = input(f"Enter new STATE_FILE path (leave empty to keep existing, default: {suggested_state_file}): ")
+        state_file = new_state_file if new_state_file else existing_state_file
+    else:
+        state_file = input(f"Enter STATE_FILE path (default: {suggested_state_file}): ")
+        if not state_file:
+            state_file = suggested_state_file
+            print(f"Using default STATE_FILE path: {state_file}")
+    
+    # Store in keyring
+    if _KEYRING_AVAILABLE:
+        if existing_token != token or not existing_token:
+            if set_to_keyring(_KEYRING_BWS_TOKEN_KEY, token):
+                print("BWS_TOKEN stored in keyring")
+            else:
+                print("Failed to store BWS_TOKEN in keyring")
+                return False
+        
+        if existing_org_id != org_id or not existing_org_id:
+            if set_to_keyring(_KEYRING_ORG_ID_KEY, org_id):
+                print("ORGANIZATION_ID stored in keyring")
+            else:
+                print("Failed to store ORGANIZATION_ID in keyring")
+                return False
+        
+        if existing_state_file != state_file or not existing_state_file:
+            if set_to_keyring(_KEYRING_STATE_FILE_KEY, state_file):
+                print("STATE_FILE stored in keyring")
+            else:
+                print("Failed to store STATE_FILE in keyring")
+                return False
+    else:
+        # Store in environment variables if keyring is not available
+        os.environ["BWS_TOKEN"] = token
+        os.environ["ORGANIZATION_ID"] = org_id
+        os.environ["STATE_FILE"] = state_file
+        print("Credentials stored in environment variables (not persistent)")
+    
+    # Ensure state file directory exists
+    state_dir = os.path.dirname(state_file)
+    if state_dir and not os.path.exists(state_dir):
+        try:
+            os.makedirs(state_dir, exist_ok=True)
+            print(f"Created directory for STATE_FILE: {state_dir}")
+        except Exception as e:
+            print(f"Warning: Could not create state directory: {e}")
+    
+    print("\nVault initialization completed successfully")
+    return True
+
+
+def main():
+    """
+    Main entry point for the command-line interface.
+    """
+    parser = argparse.ArgumentParser(description="Bitwarden Secret Manager CLI")
+    subparsers = parser.add_subparsers(dest="command", help="Command to run")
+    
+    # List command
+    list_parser = subparsers.add_parser("list", help="List projects")
+    list_parser.add_argument("--org-id", "-o", help="Organization ID")
+    
+    # Init command
+    subparsers.add_parser("init", help="Initialize vault with BWS_TOKEN and ORGANIZATION_ID")
+    
+    # Parse arguments
+    args = parser.parse_args()
+    
+    # Execute command
+    if args.command == "list":
+        projects = list_projects(args.org_id)
+        if projects:
+            print("\nAvailable Projects:")
+            print("===================")
+            for project in projects:
+                print(f"ID: {project.id}")
+                print(f"Name: {project.name}")
+                print(f"Created: {project.creation_date}")
+                print("-" * 50)
+        else:
+            print("No projects found")
+    elif args.command == "init":
+        init_vault()
+    else:
+        parser.print_help()
+
+
+if __name__ == "__main__":
+    main()

toru_vault/lazy_dict.py

@@ -0,0 +1,87 @@
+from collections.abc import MutableMapping
+from typing import Dict, Optional, Callable, Set, Iterator, Tuple
+
+class LazySecretsDict(MutableMapping):
+    """
+    A dictionary-like class that only loads/decrypts secrets when they are accessed.
+    When container=True, it uses the existing encryption methods.
+    When container=False, it uses OS keyring for secure storage.
+    """
+    
+    def __init__(self, 
+                 secret_keys: Set[str], 
+                 getter_func: Callable[[str], str],
+                 setter_func: Optional[Callable[[str, str], None]] = None,
+                 deleter_func: Optional[Callable[[str], None]] = None):
+        """
+        Initialize the lazy dictionary with a list of available keys and functions to retrieve/set/delete values.
+        
+        Args:
+            secret_keys: Set of keys that are available in this dictionary
+            getter_func: Function that takes a key and returns the secret value
+            setter_func: Optional function to set a value for a key
+            deleter_func: Optional function to delete a key
+        """
+        self._keys = secret_keys
+        self._getter = getter_func
+        self._setter = setter_func
+        self._deleter = deleter_func
+        self._cache: Dict[str, str] = {}
+    
+    def __getitem__(self, key: str) -> str:
+        """Get an item from the dictionary, fetching/decrypting it on first access."""
+        if key not in self._keys:
+            raise KeyError(key)
+            
+        # If not in cache, fetch it
+        if key not in self._cache:
+            value = self._getter(key)
+            if value is None:
+                raise KeyError(f"Failed to retrieve value for key: {key}")
+            self._cache[key] = value
+            
+        return self._cache[key]
+    
+    def __setitem__(self, key: str, value: str) -> None:
+        """Set an item in the dictionary."""
+        if self._setter is None:
+            raise NotImplementedError("This dictionary does not support item assignment")
+        
+        self._setter(key, value)
+        self._cache[key] = value
+        self._keys.add(key)
+    
+    def __delitem__(self, key: str) -> None:
+        """Delete an item from the dictionary."""
+        if self._deleter is None:
+            raise NotImplementedError("This dictionary does not support item deletion")
+            
+        if key not in self._keys:
+            raise KeyError(key)
+            
+        self._deleter(key)
+        if key in self._cache:
+            del self._cache[key]
+        self._keys.remove(key)
+    
+    def __iter__(self) -> Iterator[str]:
+        """Return an iterator over the keys."""
+        return iter(self._keys)
+    
+    def __len__(self) -> int:
+        """Return the number of keys."""
+        return len(self._keys)
+    
+    def items(self) -> Iterator[Tuple[str, str]]:
+        """Return an iterator over (key, value) pairs."""
+        for key in self._keys:
+            yield (key, self[key])
+            
+    def keys(self) -> Set[str]:
+        """Return the set of keys."""
+        return self._keys.copy()
+    
+    def values(self) -> Iterator[str]:
+        """Return an iterator over values."""
+        for key in self._keys:
+            yield self[key]

toru_vault/py.typed

@@ -0,0 +1 @@
+

toru_vault/vault.py

@@ -0,0 +1,532 @@
+#!/usr/bin/env python3
+import os
+import logging
+import time
+import json
+import tempfile
+import stat
+import atexit
+import secrets as pysecrets
+from typing import Dict, Optional, Tuple
+from bitwarden_sdk import BitwardenClient, DeviceType, client_settings_from_dict
+from cryptography.fernet import Fernet
+from cryptography.hazmat.primitives import hashes
+from cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2HMAC
+import base64
+from .lazy_dict import LazySecretsDict
+
+# Try importing keyring - it might not be available in container environments
+try:
+    import keyring
+    _KEYRING_AVAILABLE = True
+except ImportError:
+    _KEYRING_AVAILABLE = False
+
+# Setup minimal logging
+logger = logging.getLogger(__name__)
+
+# Constants for keyring storage
+_KEYRING_SERVICE_NAME = "bitwarden_vault"
+_KEYRING_BWS_TOKEN_KEY = "bws_token"
+_KEYRING_ORG_ID_KEY = "organization_id"
+_KEYRING_STATE_FILE_KEY = "state_file"
+
+# Secure cache configuration
+_SECRET_CACHE_TIMEOUT = 300  # 5 minutes
+_secrets_cache: Dict[str, Tuple[float, Dict[str, str]]] = {}
+
+def _generate_encryption_key(salt: bytes = None) -> Tuple[bytes, bytes]:
+    """
+    Generate an encryption key for securing the cache
+    
+    Args:
+        salt (bytes, optional): Salt for key derivation
+        
+    Returns:
+        Tuple[bytes, bytes]: Key and salt
+    """
+    if salt is None:
+        salt = os.urandom(16)
+    
+    # Generate a key from the machine-specific information and random salt
+    machine_id = _get_machine_id()
+    password = machine_id.encode()
+    
+    kdf = PBKDF2HMAC(
+        algorithm=hashes.SHA256(),
+        length=32,
+        salt=salt,
+        iterations=100000,
+    )
+    key = base64.urlsafe_b64encode(kdf.derive(password))
+    return key, salt
+
+def _get_machine_id() -> str:
+    """Get a unique identifier for the current machine"""
+    # Try platform-specific methods to get a machine ID
+    machine_id = ""
+    
+    if os.path.exists('/etc/machine-id'):
+        with open('/etc/machine-id', 'r') as f:
+            machine_id = f.read().strip()
+    elif os.path.exists('/var/lib/dbus/machine-id'):
+        with open('/var/lib/dbus/machine-id', 'r') as f:
+            machine_id = f.read().strip()
+    elif os.name == 'nt':  # Windows
+        import subprocess
+        try:
+            result = subprocess.run(['wmic', 'csproduct', 'get', 'UUID'], capture_output=True, text=True)
+            if result.returncode == 0:
+                machine_id = result.stdout.strip().split('\n')[-1].strip()
+        except (FileNotFoundError, subprocess.SubprocessError):
+            pass
+    
+    # Fallback if we couldn't get a machine ID
+    if not machine_id:
+        # Use a combination of hostname and a persisted random value
+        import socket
+        hostname = socket.gethostname()
+        
+        # Create a persistent random ID
+        id_file = os.path.join(tempfile.gettempdir(), '.vault_machine_id')
+        if os.path.exists(id_file):
+            try:
+                with open(id_file, 'r') as f:
+                    random_id = f.read().strip()
+            except Exception:
+                random_id = pysecrets.token_hex(16)
+        else:
+            random_id = pysecrets.token_hex(16)
+            try:
+                # Try to save it with restricted permissions
+                with open(id_file, 'w') as f:
+                    f.write(random_id)
+                os.chmod(id_file, stat.S_IRUSR | stat.S_IWUSR)  # 0600 permissions
+            except Exception:
+                pass
+                
+        machine_id = f"{hostname}-{random_id}"
+    
+    return machine_id
+
+def _encrypt_secrets(secrets_dict: Dict[str, str]) -> Optional[str]:
+    """
+    Encrypt secrets dictionary
+    
+    Args:
+        secrets_dict (Dict[str, str]): Dictionary of secrets
+        
+    Returns:
+        Optional[str]: Encrypted data or None if encryption fails
+    """
+    try:
+        key, salt = _generate_encryption_key()
+        if not key:
+            return None
+            
+        # Encrypt the serialized secrets
+        f = Fernet(key)
+        encrypted_data = f.encrypt(json.dumps(secrets_dict).encode())
+        
+        # Store along with the salt
+        return base64.urlsafe_b64encode(salt).decode() + ":" + encrypted_data.decode()
+    except Exception as e:
+        logger.warning(f"Failed to encrypt secrets: {e}")
+        return None
+
+def _decrypt_secrets(encrypted_data: str) -> Optional[Dict[str, str]]:
+    """
+    Decrypt secrets
+    
+    Args:
+        encrypted_data (str): Encrypted data
+        
+    Returns:
+        Optional[Dict[str, str]]: Decrypted secrets dictionary or None if decryption fails
+    """
+    try:
+        # Split salt and encrypted data
+        salt_b64, encrypted = encrypted_data.split(":", 1)
+        salt = base64.urlsafe_b64decode(salt_b64)
+        
+        # Regenerate the key with the same salt
+        key, _ = _generate_encryption_key(salt)
+        if not key:
+            return None
+            
+        # Decrypt the data
+        f = Fernet(key)
+        decrypted_data = f.decrypt(encrypted.encode())
+        
+        return json.loads(decrypted_data.decode())
+    except Exception as e:
+        logger.warning(f"Failed to decrypt secrets: {e}")
+        return None
+
+def _secure_state_file(state_path: str) -> None:
+    """
+    Ensure the state file has secure permissions
+    
+    Args:
+        state_path (str): Path to the state file
+    """
+    try:
+        if os.path.exists(state_path):
+            if os.name == 'posix':  # Linux/Mac
+                os.chmod(state_path, stat.S_IRUSR | stat.S_IWUSR)  # 0600 permissions
+            elif os.name == 'nt':  # Windows
+                import subprocess
+                subprocess.run(['icacls', state_path, '/inheritance:r', '/grant:r', f'{os.getlogin()}:(F)'], 
+                               capture_output=True)
+    except Exception as e:
+        logger.warning(f"Could not set secure permissions on state file: {e}")
+
+def _clear_cache() -> None:
+    """Clear the secrets cache on exit"""
+    global _secrets_cache
+    _secrets_cache = {}
+    
+# Register the cache clearing function to run on exit
+atexit.register(_clear_cache)
+
+def _get_from_keyring_or_env(key, env_var):
+    """
+    Get a value from keyring or environment variable
+    
+    Args:
+        key (str): Key in keyring
+        env_var (str): Environment variable name
+    
+    Returns:
+        str: Value from keyring or environment variable
+    """
+    value = None
+    
+    # Try keyring first if available
+    if _KEYRING_AVAILABLE:
+        try:
+            value = keyring.get_password(_KEYRING_SERVICE_NAME, key)
+        except Exception as e:
+            logger.warning(f"Failed to get {key} from keyring: {e}")
+    
+    # Fall back to environment variable
+    if not value:
+        value = os.getenv(env_var)
+    
+    return value
+
+def set_to_keyring(key, value):
+    """
+    Set a value to keyring
+    
+    Args:
+        key (str): Key in keyring
+        value (str): Value to store
+    
+    Returns:
+        bool: True if successful, False otherwise
+    """
+    if not _KEYRING_AVAILABLE:
+        return False
+    
+    try:
+        keyring.set_password(_KEYRING_SERVICE_NAME, key, value)
+        return True
+    except Exception as e:
+        logger.warning(f"Failed to set {key} to keyring: {e}")
+        return False
+
+def _initialize_client():
+    """
+    Initialize the Bitwarden client
+    """
+    # Get environment variables with defaults
+    api_url = os.getenv("API_URL", "https://api.bitwarden.com")
+    identity_url = os.getenv("IDENTITY_URL", "https://identity.bitwarden.com")
+    
+    # Get BWS_TOKEN from keyring or environment variable
+    bws_token = _get_from_keyring_or_env(_KEYRING_BWS_TOKEN_KEY, "BWS_TOKEN")
+    
+    # Get STATE_FILE from keyring or environment variable
+    state_path = _get_from_keyring_or_env(_KEYRING_STATE_FILE_KEY, "STATE_FILE")
+    
+    # Validate required environment variables
+    if not bws_token:
+        raise ValueError("BWS_TOKEN not found in keyring or environment variable")
+    if not state_path:
+        raise ValueError("STATE_FILE not found in keyring or environment variable")
+        
+    # Ensure state file directory exists
+    state_dir = os.path.dirname(state_path)
+    if state_dir and not os.path.exists(state_dir):
+        try:
+            os.makedirs(state_dir, exist_ok=True)
+            # Secure the directory if possible
+            if os.name == 'posix':  # Linux/Mac
+                os.chmod(state_dir, stat.S_IRUSR | stat.S_IWUSR | stat.S_IXUSR)  # 0700 permissions
+        except Exception as e:
+            logger.warning(f"Could not create state directory with secure permissions: {e}")
+    
+    # Secure the state file
+    _secure_state_file(state_path)
+    
+    # Create and initialize the client
+    client = BitwardenClient(
+        client_settings_from_dict({
+            "apiUrl": api_url,
+            "deviceType": DeviceType.SDK,
+            "identityUrl": identity_url,
+            "userAgent": "Python",
+        })
+    )
+    
+    # Authenticate with the Secrets Manager Access Token
+    client.auth().login_access_token(bws_token, state_path)
+    
+    return client
+
+def _load_secrets(project_id=None):
+    """
+    Load secrets from Bitwarden
+    
+    Args:
+        project_id (str): Project ID to filter secrets
+    
+    Returns:
+        dict: Dictionary of secrets with their names as keys
+    """
+    # Initialize client with credentials from environment or keyring
+    try:
+        client = _initialize_client()
+    except Exception as e:
+        logger.error(f"Failed to initialize Bitwarden client: {e}")
+        return {}
+    
+    # Get ORGANIZATION_ID from keyring or environment variable
+    organization_id = _get_from_keyring_or_env(_KEYRING_ORG_ID_KEY, "ORGANIZATION_ID")
+    if not organization_id:
+        logger.error("ORGANIZATION_ID not found in keyring or environment variable")
+        return {}
+    
+    # Get secrets from BitWarden
+    try:
+        # Sync secrets to ensure we have the latest
+        client.secrets().sync(organization_id, None)
+        
+        # Initialize empty secrets dictionary
+        secrets = {}
+        
+        # Retrieve all secrets
+        all_secrets = client.secrets().list(organization_id)
+        
+        # Validate response format
+        if not hasattr(all_secrets, 'data') or not hasattr(all_secrets.data, 'data'):
+            return {}
+        
+        # We need to collect all secret IDs first
+        secret_ids = []
+        for secret in all_secrets.data.data:
+            secret_ids.append(secret.id)
+        
+        # If we have secret IDs, fetch their values
+        if secret_ids:
+            # Get detailed information for all secrets by their IDs
+            secrets_detailed = client.secrets().get_by_ids(secret_ids)
+            
+            # Validate response format
+            if not hasattr(secrets_detailed, 'data') or not hasattr(secrets_detailed.data, 'data'):
+                return {}
+            
+            # Process each secret
+            for secret in secrets_detailed.data.data:
+                # Extract the project ID
+                secret_project_id = getattr(secret, 'project_id', None)
+                
+                # Check if this secret belongs to the specified project
+                if project_id and secret_project_id is not None and project_id != str(secret_project_id):
+                    continue
+                
+                # Add the secret to our dictionary
+                secrets[secret.key] = secret.value
+        
+        # Update the cache with encryption
+        encrypted_data = _encrypt_secrets(secrets)
+        if encrypted_data:
+            _secrets_cache[f"{organization_id}:{project_id or ''}"] = (time.time(), encrypted_data)
+        else:
+            _secrets_cache[f"{organization_id}:{project_id or ''}"] = (time.time(), secrets.copy())
+        
+        return secrets
+    except Exception as e:
+        logger.error(f"Error loading secrets: {e}")
+        raise
+
+def env_load(project_id=None, override=False):
+    """
+    Load all secrets related to the project into environmental variables.
+    
+    Args:
+        project_id (str, optional): Project ID to filter secrets
+        override (bool, optional): Whether to override existing environment variables
+    """
+    # Get all secrets from BWS
+    secrets = _load_secrets(project_id)
+    
+    # Set environment variables
+    for key, value in secrets.items():
+        if override or key not in os.environ:
+            os.environ[key] = value
+
+def env_load_all(override=False):
+    """
+    Load all secrets from all projects that user has access to into environment variables
+    
+    Args:
+        override (bool, optional): Whether to override existing environment variables
+    """
+    # Get ORGANIZATION_ID from keyring or environment variable
+    organization_id = _get_from_keyring_or_env(_KEYRING_ORG_ID_KEY, "ORGANIZATION_ID")
+    
+    # Initialize Bitwarden client
+    try:
+        client = _initialize_client()
+    except Exception as e:
+        logger.error(f"Failed to initialize Bitwarden client: {e}")
+        return
+    
+    try:
+        # Sync to ensure we have the latest data
+        client.secrets().sync(organization_id, None)
+        
+        # Get all projects
+        projects_response = client.projects().list(organization_id)
+        
+        # Validate response format
+        if not hasattr(projects_response, 'data') or not hasattr(projects_response.data, 'data'):
+            logger.warning(f"No projects found in organization {organization_id}")
+            return
+        
+        # Process each project
+        for project in projects_response.data.data:
+            if hasattr(project, 'id'):
+                project_id = str(project.id)
+                
+                # Load environment variables for this project
+                try:
+                    # Get the secrets for this project and set them as environment variables
+                    env_load(project_id=project_id, override=override)
+                    logger.info(f"Loaded secrets from project: {getattr(project, 'name', project_id)}")
+                except Exception as e:
+                    logger.warning(f"Failed to load secrets from project {project_id}: {e}")
+                
+    except Exception as e:
+        logger.error(f"Failed to load all secrets into environment variables: {e}")
+
+def get(project_id=None, refresh=False, use_keyring=True):
+    """
+    Return a dictionary of all project secrets
+    
+    Args:
+        project_id (str, optional): Project ID to filter secrets
+        refresh (bool, optional): Force refresh the secrets cache
+        use_keyring (bool, optional): Whether to use system keyring (True) or in-memory encryption (False)
+        
+    Returns:
+        dict: Dictionary of secrets with their names as keys, using lazy loading
+    """
+    # Get ORGANIZATION_ID from keyring or environment variable
+    organization_id = _get_from_keyring_or_env(_KEYRING_ORG_ID_KEY, "ORGANIZATION_ID")
+    
+    # Build the service name for keyring storage
+    service_name = f"vault_{organization_id or 'default'}"
+    
+    # Function to either fetch from keyring or decrypt from cache based on container flag
+    def _load_decrypted_secrets():
+        # Check if we need to force a refresh
+        if refresh:
+            return _load_secrets(project_id)
+        
+        # Otherwise try to use cached values first
+        cache_key = f"{organization_id}:{project_id or ''}"
+        current_time = time.time()
+        
+        if cache_key in _secrets_cache:
+            timestamp, encrypted_secrets = _secrets_cache[cache_key]
+            
+            # If cache hasn't expired
+            if current_time - timestamp < _SECRET_CACHE_TIMEOUT:
+                # If we have encryption, try to decrypt
+                if encrypted_secrets:
+                    decrypted_secrets = _decrypt_secrets(encrypted_secrets)
+                    if decrypted_secrets:
+                        return decrypted_secrets
+                # Otherwise return the unencrypted data (backward compatibility)
+                elif isinstance(encrypted_secrets, dict):
+                    return encrypted_secrets.copy()
+        
+        # If we couldn't get from cache, load fresh
+        return _load_secrets(project_id)
+    
+    # Get all secrets and their keys
+    all_secrets = _load_decrypted_secrets()
+    secret_keys = set(all_secrets.keys())
+    
+    # Store secrets in keyring if available and requested
+    keyring_usable = _KEYRING_AVAILABLE and use_keyring
+    if keyring_usable:
+        for key, value in all_secrets.items():
+            keyring.set_password(service_name, key, value)
+    
+    # When keyring is unavailable or not requested (likely in container)
+    if not keyring_usable:
+        # Create a dictionary of cached secrets for container mode
+        container_secrets = {}
+        encrypted_data = None
+        cache_key = f"{organization_id}:{project_id or ''}"
+        
+        # If we have a cached encrypted version, use that
+        if cache_key in _secrets_cache:
+            _, encrypted_data = _secrets_cache[cache_key]
+            
+        # Create getter function for container mode
+        def _container_getter(key):
+            if key in container_secrets:
+                return container_secrets[key]
+            
+            # If not in memory cache, check if we have pre-loaded decrypted secrets
+            if all_secrets and key in all_secrets:
+                container_secrets[key] = all_secrets[key]
+                return container_secrets[key]
+                
+            # Otherwise, try to decrypt from cache
+            if encrypted_data and not isinstance(encrypted_data, dict):
+                decrypted = _decrypt_secrets(encrypted_data)
+                if decrypted and key in decrypted:
+                    container_secrets[key] = decrypted[key]
+                    return container_secrets[key]
+                
+            # If all else fails, load from API
+            fresh_secrets = _load_secrets(project_id)
+            if key in fresh_secrets:
+                container_secrets[key] = fresh_secrets[key]
+                return container_secrets[key]
+                
+            return None
+        
+        # Create the lazy dictionary with container getter
+        return LazySecretsDict(secret_keys, _container_getter)
+    else:
+        # Create getter function for keyring mode
+        def _keyring_getter(key):
+            return keyring.get_password(service_name, key)
+            
+        # Create setter function for keyring mode
+        def _keyring_setter(key, value):
+            keyring.set_password(service_name, key, value)
+            
+        # Create deleter function for keyring mode
+        def _keyring_deleter(key):
+            keyring.delete_password(service_name, key)
+        
+        # Create the lazy dictionary with keyring getter/setter/deleter
+        return LazySecretsDict(secret_keys, _keyring_getter, _keyring_setter, _keyring_deleter)

toru_vault-0.1.0.dist-info/METADATA

@@ -0,0 +1,250 @@
+Metadata-Version: 2.4
+Name: toru-vault
+Version: 0.1.0
+Summary: ToruVault: A simple Python package for managing Bitwarden secrets
+Author: Toru AI
+Author-email: ToruAI <mpaszynski@toruai.com>
+License: MIT
+Project-URL: Homepage, https://github.com/ToruAI/vault
+Project-URL: Issues, https://github.com/ToruAI/vault/issues
+Classifier: Programming Language :: Python :: 3
+Classifier: License :: OSI Approved :: MIT License
+Classifier: Operating System :: OS Independent
+Requires-Python: >=3.6
+Description-Content-Type: text/markdown
+License-File: LICENSE
+Requires-Dist: bitwarden-sdk
+Requires-Dist: cryptography>=36.0.0
+Dynamic: author
+Dynamic: license-file
+Dynamic: requires-python
+
+<p align="center">
+  <img src="img/logo.svg" alt="ToruVault Logo" width="300"/>
+</p>
+
+# ToruVault
+
+A simple Python package for managing Bitwarden secrets with enhanced security.
+
+
+![Version](https://img.shields.io/badge/version-1.0.0-blue)
+![Python](https://img.shields.io/badge/python-3.10%2B-blue)
+![License](https://img.shields.io/badge/license-MIT-green)
+
+## Features
+
+- Load secrets from Bitwarden Secret Manager into environment variables
+- Get secrets as a Python dictionary
+- Filter secrets by project ID
+- Secure in-memory caching with encryption
+- Automatic cache expiration (5 minutes)
+- Secure file permissions for state storage
+- Machine-specific secret protection
+- Secure credential storage using OS keyring
+
+## Installation
+
+### Using UV (Recommended)
+
+```bash
+# Install UV if you don't have it already
+curl -LsSf https://astral.sh/uv/install.sh | sh
+
+# Install toru-vault package
+uv pip install toru-vault
+
+# Or install in a virtual environment (recommended)
+uv venv create -p python3.10 .venv
+source .venv/bin/activate  # On Windows: .venv\Scripts\activate
+uv pip install toru-vault
+```
+
+
+This will automatically install all required dependencies:
+- bitwarden-sdk - For interfacing with Bitwarden API
+- keyring - For secure credential storage
+- cryptography - For encryption/decryption operations
+
+### From Source with UV
+
+```bash
+# Clone the repository
+git clone https://github.com/ToruAI/vault.git
+cd vault
+
+uv venv create -p python3.10 .venv
+source .venv/bin/activate  # On Windows: .venv\Scripts\activate
+
+# Install dependencies
+uv pip install -r requirements.txt 
+
+# Install in development mode
+uv pip install -e .
+```
+
+## Configuration
+
+You have two options for configuring the vault:
+
+### Option 1: Initialize with Keyring Storage (Recommended)
+
+The most secure way to set up vault is to use your operating system's secure keyring:
+
+```bash
+# Initialize vault with secure keyring storage
+python -m vault init
+```
+
+This will prompt you to enter:
+- Your Bitwarden access token (BWS_TOKEN)
+- Your Bitwarden organization ID (ORGANIZATION_ID)
+- The path to the state file (STATE_FILE)
+
+[How to get the BWS_TOKEN, ORGANIZATION_ID, and STATE_FILE](#Bitwarden-Secrets)
+
+These credentials will be securely stored in your OS keyring and used automatically by the vault.
+
+### Option 2: Environment Variables
+
+Alternatively, you can set the following environment variables:
+
+- `BWS_TOKEN`: Your Bitwarden access token
+- `ORGANIZATION_ID`: Your Bitwarden organization ID
+- `STATE_FILE`: Path to the state file (must be in an existing directory)
+- `API_URL` (optional): Defaults to "https://api.bitwarden.com"
+- `IDENTITY_URL` (optional): Defaults to "https://identity.bitwarden.com"
+
+Setting these environment variables is useful for container environments or when keyring is not available.
+
+## CLI Commands
+
+### Initialize Vault
+
+```bash
+# Set up vault with secure credential storage
+python -m vault init
+```
+
+### Listing Available Projects
+
+```bash
+# List all projects in your organization
+python -m vault list 
+
+# With a specific organization ID
+python -m vault list --org-id YOUR_ORGANIZATION_ID
+```
+
+## Python Usage
+
+### Loading secrets into environment variables
+
+```python
+import toru_vault as vault
+
+# Load all secrets into environment variables
+vault.env_load()
+
+# Now you can access secrets as environment variables
+import os
+print(os.environ.get("SECRET_NAME"))
+
+# Load secrets for a specific project
+vault.env_load(project_id="your-project-id")
+
+# Override existing environment variables (default: False)
+vault.env_load(override=True)
+```
+
+### Getting secrets as a dictionary
+
+```python
+import toru_vault as vault
+
+# Get all secrets as a dictionary
+secrets = vault.get()
+print(secrets["SECRET_NAME"])  # Secret is only decrypted when accessed
+
+# Force refresh the cache
+secrets = vault.get(refresh=True)
+
+# Get secrets for a specific project
+secrets = vault.get(project_id="your-project-id")
+
+# Use in-memory encryption instead of system keyring
+secrets = vault.get(use_keyring=False)
+```
+
+### Loading secrets from all projects
+
+```python
+import toru_vault as vault
+
+# Load secrets from all projects you have access to into environment variables
+vault.env_load_all()
+
+# Override existing environment variables (default: False)
+vault.env_load_all(override=True)
+```
+
+## Security Features
+
+The vault package includes several security enhancements:
+
+1. **OS Keyring Integration**: Securely stores BWS_TOKEN, ORGANIZATION_ID, and STATE_FILE in your OS keyring
+2. **Memory Protection**: Secrets are encrypted in memory using Fernet encryption (AES-128)
+3. **Lazy Decryption**: Secrets are only decrypted when explicitly accessed
+4. **Cache Expiration**: Cached secrets expire after 5 minutes by default
+5. **Secure File Permissions**: Sets secure permissions on state files
+6. **Machine-Specific Encryption**: Uses machine-specific identifiers for encryption keys
+7. **Cache Clearing**: Automatically clears secret cache on program exit
+8. **Environment Variable Protection**: Doesn't override existing environment variables by default
+9. **Secure Key Derivation**: Uses PBKDF2 with SHA-256 for key derivation
+10. **No Direct Storage**: Never stores secrets in plain text on disk
+
+## Bitwarden Secrets
+
+### BWS_TOKEN
+
+Your Bitwarden access token. You can get it from the Bitwarden web app:
+
+1. Log in to your Bitwarden account
+2. Go to Secret Manager at left bottom
+3. Go to the "Machine accounts" section
+4. Create new machine account.
+5. Go to Access Token Tab
+![image](img/token-tab.png)
+6. This is your `BWS_TOKEN`. 
+
+Remember that you need to assign access to the machine account for the projects you want to use.
+
+### ORGANIZATION_ID
+
+Your Bitwarden organization ID. You can get it from the Bitwarden web app:
+
+1. Log in to your Bitwarden account
+2. Go to Secret Manager at left bottom
+3. Go to the "Machine accounts" section
+4. Create new machine account.
+5. Go to Config Tab
+6. There is your `ORGANIZATION_ID`.
+
+### STATE_FILE
+
+The `STATE_FILE` is used by the login_access_token method to store persistent authentication state information after successfully logging in with an access token. 
+
+You can set it to any existing file path. 
+
+## Security Best Practices
+
+When working with secrets, always follow these important guidelines:
+
+1. **Never Embed Keys in Code**: Always use environment variables, keyring, or secure secret management systems.
+2. **Never Commit Secrets**: Add secret files and credentials to your `.gitignore` file.
+3. **Use Key Rotation**: Regularly rotate your access tokens as a security measure.
+4. **Limit Access**: Only provide access to secrets on a need-to-know basis.
+5. **Monitor Usage**: Regularly audit which applications and users are accessing your secrets.
+6. **Use Environment-Specific Secrets**: Use different secrets for development, staging, and production environments.
+
+Remember that the vault package is designed to protect secrets once they're in your system, but you must handle the initial configuration securely.

toru_vault-0.1.0.dist-info/RECORD

@@ -0,0 +1,11 @@
+toru_vault/__init__.py,sha256=Co9SSa9gFFTME0YcMzA1vEqJxs045-0kYfdP9GxGasU,177
+toru_vault/__main__.py,sha256=KRw1dF3tK71DDmAac30tbBgSBRCNyCLOe1NylNXxRi4,6702
+toru_vault/lazy_dict.py,sha256=OZVD-VYQHFRzMw1dOPXpagnddAJNNCZKtcdmTiio4lk,3232
+toru_vault/py.typed,sha256=AbpHGcgLb-kRsJGnwFEktk7uzpZOCcBY74-YBdrKVGs,1
+toru_vault/vault.py,sha256=RLJanRaVnOb4SCvKjJiZJYlUX2QBHRzqpI-Z_vp32Jk,18981
+toru_vault-0.1.0.dist-info/licenses/LICENSE,sha256=TbuuchABSutbmmaI1M232F22GsaI88_hwEvto5w_Ux4,1063
+toru_vault-0.1.0.dist-info/METADATA,sha256=FJ5_wb8Wj5zgnBPwtTT0440UAtxWffymw2s1MGHhxhM,7665
+toru_vault-0.1.0.dist-info/WHEEL,sha256=A8Eltl-h0W-qZDVezsLjjslosEH_pdYC2lQ0JcbgCzs,91
+toru_vault-0.1.0.dist-info/entry_points.txt,sha256=dfqkbNftpmAv0iKzVgdkjymkCfj3TwzUrQm2PO7Xgxs,56
+toru_vault-0.1.0.dist-info/top_level.txt,sha256=c9ulQ18kKs3HbkI5oeoLmnFTknjC0rY1BwsNLJKDua8,11
+toru_vault-0.1.0.dist-info/RECORD,,

toru_vault-0.1.0.dist-info/WHEEL

@@ -0,0 +1,5 @@
+Wheel-Version: 1.0
+Generator: setuptools (80.7.0)
+Root-Is-Purelib: true
+Tag: py3-none-any
+

toru_vault-0.1.0.dist-info/entry_points.txt

@@ -0,0 +1,2 @@
+[console_scripts]
+toru-vault = toru_vault.__main__:main

toru_vault-0.1.0.dist-info/licenses/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2025 ToruAI
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

toru_vault-0.1.0.dist-info/top_level.txt

@@ -0,0 +1 @@
+toru_vault