toru-vault 0.1.4__tar.gz → 0.3.0__tar.gz

{toru_vault-0.1.4 → toru_vault-0.3.0}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: toru-vault
-Version: 0.1.4
+Version: 0.3.0
 Summary: ToruVault: A simple Python package for managing Bitwarden secrets
 Author: Toru AI
 Author-email: ToruAI <mpaszynski@toruai.com>
@@ -28,7 +28,7 @@ Dynamic: requires-python
 A simple Python package for managing Bitwarden secrets with enhanced security.
 
 
-![Version](https://img.shields.io/badge/version-1.0.0-blue)
+![Version](https://img.shields.io/badge/version-0.3.0-blue)
 ![Python](https://img.shields.io/badge/python-3.10%2B-blue)
 ![License](https://img.shields.io/badge/license-MIT-green)
 
@@ -37,8 +37,8 @@ A simple Python package for managing Bitwarden secrets with enhanced security.
 - Load secrets from Bitwarden Secret Manager into environment variables
 - Get secrets as a Python dictionary
 - Filter secrets by project ID
-- Secure in-memory caching with encryption
-- Automatic cache expiration (5 minutes)
+- JIT decryption of individual secrets
+- No persistent caching of decrypted values
 - Secure file permissions for state storage
 - Machine-specific secret protection
 - Secure credential storage using OS keyring
@@ -118,6 +118,7 @@ Alternatively, you can set the following environment variables:
 - `BWS_TOKEN`: Your Bitwarden access token
 - `ORGANIZATION_ID`: Your Bitwarden organization ID
 - `STATE_FILE`: Path to the state file (must be in an existing directory)
+- `PROJECT_ID` (optional): Your Bitwarden project ID to filter secrets
 - `API_URL` (optional): Defaults to "https://api.bitwarden.com"
 - `IDENTITY_URL` (optional): Defaults to "https://identity.bitwarden.com"
 
@@ -159,6 +160,11 @@ print(os.environ.get("SECRET_NAME"))
 # Load secrets for a specific project
 vault.env_load(project_id="your-project-id")
 
+# Alternatively, set PROJECT_ID environment variable and call without parameter
+# export PROJECT_ID="your-project-id"  # Linux/macOS
+# set PROJECT_ID=your-project-id     # Windows
+vault.env_load()  # Will use PROJECT_ID from environment
+
 # Override existing environment variables (default: False)
 vault.env_load(override=True)
 ```
@@ -178,6 +184,11 @@ secrets = vault.get(refresh=True)
 # Get secrets for a specific project
 secrets = vault.get(project_id="your-project-id")
 
+# Alternatively, set PROJECT_ID environment variable and call without parameter
+# export PROJECT_ID="your-project-id"  # Linux/macOS
+# set PROJECT_ID=your-project-id     # Windows
+secrets = vault.get()  # Will use PROJECT_ID from environment
+
 # Use in-memory encryption instead of system keyring
 secrets = vault.get(use_keyring=False)
 ```
@@ -199,11 +210,10 @@ vault.env_load_all(override=True)
 The vault package includes several security enhancements:
 
 1. **OS Keyring Integration**: Securely stores BWS_TOKEN, ORGANIZATION_ID, and STATE_FILE in your OS keyring
-2. **Memory Protection**: Secrets are encrypted in memory using Fernet encryption (AES-128)
-3. **Lazy Decryption**: Secrets are only decrypted when explicitly accessed
-4. **Cache Expiration**: Cached secrets expire after 5 minutes by default
-5. **Secure File Permissions**: Sets secure permissions on state files
-6. **Machine-Specific Encryption**: Uses machine-specific identifiers for encryption keys
+2. **Memory Protection**: Secrets are individually encrypted in memory using Fernet encryption (AES-128)
+3. **JIT Decryption**: Secrets are only decrypted when explicitly accessed and never stored in decrypted form
+4. **Secure File Permissions**: Sets secure permissions on state files
+5. **Machine-Specific Encryption**: Uses machine-specific identifiers for encryption keys
 7. **Cache Clearing**: Automatically clears secret cache on program exit
 8. **Environment Variable Protection**: Doesn't override existing environment variables by default
 9. **Secure Key Derivation**: Uses PBKDF2 with SHA-256 for key derivation

{toru_vault-0.1.4 → toru_vault-0.3.0}/README.md

@@ -5,7 +5,7 @@
 A simple Python package for managing Bitwarden secrets with enhanced security.
 
 
-![Version](https://img.shields.io/badge/version-1.0.0-blue)
+![Version](https://img.shields.io/badge/version-0.3.0-blue)
 ![Python](https://img.shields.io/badge/python-3.10%2B-blue)
 ![License](https://img.shields.io/badge/license-MIT-green)
 
@@ -14,8 +14,8 @@ A simple Python package for managing Bitwarden secrets with enhanced security.
 - Load secrets from Bitwarden Secret Manager into environment variables
 - Get secrets as a Python dictionary
 - Filter secrets by project ID
-- Secure in-memory caching with encryption
-- Automatic cache expiration (5 minutes)
+- JIT decryption of individual secrets
+- No persistent caching of decrypted values
 - Secure file permissions for state storage
 - Machine-specific secret protection
 - Secure credential storage using OS keyring
@@ -95,6 +95,7 @@ Alternatively, you can set the following environment variables:
 - `BWS_TOKEN`: Your Bitwarden access token
 - `ORGANIZATION_ID`: Your Bitwarden organization ID
 - `STATE_FILE`: Path to the state file (must be in an existing directory)
+- `PROJECT_ID` (optional): Your Bitwarden project ID to filter secrets
 - `API_URL` (optional): Defaults to "https://api.bitwarden.com"
 - `IDENTITY_URL` (optional): Defaults to "https://identity.bitwarden.com"
 
@@ -136,6 +137,11 @@ print(os.environ.get("SECRET_NAME"))
 # Load secrets for a specific project
 vault.env_load(project_id="your-project-id")
 
+# Alternatively, set PROJECT_ID environment variable and call without parameter
+# export PROJECT_ID="your-project-id"  # Linux/macOS
+# set PROJECT_ID=your-project-id     # Windows
+vault.env_load()  # Will use PROJECT_ID from environment
+
 # Override existing environment variables (default: False)
 vault.env_load(override=True)
 ```
@@ -155,6 +161,11 @@ secrets = vault.get(refresh=True)
 # Get secrets for a specific project
 secrets = vault.get(project_id="your-project-id")
 
+# Alternatively, set PROJECT_ID environment variable and call without parameter
+# export PROJECT_ID="your-project-id"  # Linux/macOS
+# set PROJECT_ID=your-project-id     # Windows
+secrets = vault.get()  # Will use PROJECT_ID from environment
+
 # Use in-memory encryption instead of system keyring
 secrets = vault.get(use_keyring=False)
 ```
@@ -176,11 +187,10 @@ vault.env_load_all(override=True)
 The vault package includes several security enhancements:
 
 1. **OS Keyring Integration**: Securely stores BWS_TOKEN, ORGANIZATION_ID, and STATE_FILE in your OS keyring
-2. **Memory Protection**: Secrets are encrypted in memory using Fernet encryption (AES-128)
-3. **Lazy Decryption**: Secrets are only decrypted when explicitly accessed
-4. **Cache Expiration**: Cached secrets expire after 5 minutes by default
-5. **Secure File Permissions**: Sets secure permissions on state files
-6. **Machine-Specific Encryption**: Uses machine-specific identifiers for encryption keys
+2. **Memory Protection**: Secrets are individually encrypted in memory using Fernet encryption (AES-128)
+3. **JIT Decryption**: Secrets are only decrypted when explicitly accessed and never stored in decrypted form
+4. **Secure File Permissions**: Sets secure permissions on state files
+5. **Machine-Specific Encryption**: Uses machine-specific identifiers for encryption keys
 7. **Cache Clearing**: Automatically clears secret cache on program exit
 8. **Environment Variable Protection**: Doesn't override existing environment variables by default
 9. **Secure Key Derivation**: Uses PBKDF2 with SHA-256 for key derivation

{toru_vault-0.1.4 → toru_vault-0.3.0}/pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta"
 
 [project]
 name = "toru-vault"
-version = "0.1.4"
+version = "0.3.0"
 description = "ToruVault: A simple Python package for managing Bitwarden secrets"
 readme = "README.md"
 authors = [

{toru_vault-0.1.4 → toru_vault-0.3.0}/setup.py

@@ -1,8 +1,8 @@
-from setuptools import setup, find_packages
+from setuptools import setup
 
 setup(
     name="toru-vault",
-    version='0.1.4',
+    version='0.3.0',
     packages=["toru_vault"],
     install_requires=[
         "bitwarden-sdk",

toru_vault-0.3.0/tests/test_env_load.py

@@ -0,0 +1,101 @@
+import os
+import pytest
+from unittest.mock import patch, MagicMock
+
+from toru_vault.vault import env_load, env_load_all
+
+class TestEnvLoad:
+    
+    def test_env_load_single_project(self, mock_env_vars, mock_initialize_client, mock_bitwarden_client):
+        """Test loading secrets from a single project into environment variables"""
+        # Clear any existing test environment variables
+        if "TEST_SECRET1" in os.environ:
+            del os.environ["TEST_SECRET1"]
+        if "TEST_SECRET2" in os.environ:
+            del os.environ["TEST_SECRET2"]
+            
+        # Call the function with a specific project
+        env_load(project_id="project1")
+        
+        # Verify Bitwarden client was initialized
+        mock_initialize_client.assert_called_once()
+        
+        # Verify secrets synchronization was performed
+        mock_bitwarden_client.secrets().sync.assert_called_once()
+        
+        # Verify environment variables were set
+        assert os.environ["TEST_SECRET1"] == "test_value1"
+        assert os.environ["TEST_SECRET2"] == "test_value2"
+        
+        # Test overriding
+        os.environ["TEST_SECRET1"] = "existing_value"
+        
+        # Call with override=False, shouldn't change existing value
+        env_load(project_id="project1", override=False)
+        assert os.environ["TEST_SECRET1"] == "existing_value"
+        
+        # Call with override=True, should change existing value
+        env_load(project_id="project1", override=True)
+        assert os.environ["TEST_SECRET1"] == "test_value1"
+    
+    def test_env_load_all(self, mock_env_vars, mock_initialize_client, mock_bitwarden_client):
+        """Test loading secrets from all projects into environment variables"""
+        # Clear any existing test environment variables
+        if "TEST_SECRET1" in os.environ:
+            del os.environ["TEST_SECRET1"]
+        if "TEST_SECRET2" in os.environ:
+            del os.environ["TEST_SECRET2"]
+        
+        # Call the function to load all secrets
+        env_load_all()
+        
+        # Verify Bitwarden client was initialized
+        mock_initialize_client.assert_called_once()
+        
+        # Verify secrets synchronization was performed
+        mock_bitwarden_client.secrets().sync.assert_called_once()
+        
+        # Verify secrets were fetched with list and get_by_ids
+        mock_bitwarden_client.secrets().list.assert_called_once()
+        mock_bitwarden_client.secrets().get_by_ids.assert_called_once()
+        
+        # Verify environment variables were set
+        assert os.environ["TEST_SECRET1"] == "test_value1"
+        assert os.environ["TEST_SECRET2"] == "test_value2"
+        
+        # Test overriding
+        os.environ["TEST_SECRET1"] = "existing_value"
+        
+        # Call with override=False, shouldn't change existing value
+        env_load_all(override=False)
+        assert os.environ["TEST_SECRET1"] == "existing_value"
+        
+        # Call with override=True, should change existing value
+        env_load_all(override=True)
+        assert os.environ["TEST_SECRET1"] == "test_value1"
+    
+    def test_env_load_missing_organization_id(self, mock_env_vars):
+        """Test env_load behavior when organization_id is missing"""
+        # Remove organization ID from environment
+        if "ORGANIZATION_ID" in os.environ:
+            del os.environ["ORGANIZATION_ID"]
+        
+        # Should not raise exception, just return without doing anything
+        env_load(project_id="project1")
+        
+        # Verify no environment variables were set
+        assert "TEST_SECRET1" not in os.environ
+        assert "TEST_SECRET2" not in os.environ
+    
+    def test_env_load_all_missing_organization_id(self, mock_env_vars):
+        """Test env_load_all behavior when organization_id is missing"""
+        # Remove organization ID from environment
+        if "ORGANIZATION_ID" in os.environ:
+            del os.environ["ORGANIZATION_ID"]
+        
+        # Should not raise exception, just return without doing anything
+        env_load_all()
+        
+        # Verify no environment variables were set
+        assert "TEST_SECRET1" not in os.environ
+        assert "TEST_SECRET2" not in os.environ

toru_vault-0.3.0/tests/test_vault_encryption.py

@@ -0,0 +1,124 @@
+import pytest
+import os
+from unittest.mock import patch, MagicMock
+
+from toru_vault.in_memory import (
+    _encrypt_secret,
+    _decrypt_secret,
+    _encrypt_secrets,
+    _decrypt_secrets,
+    create_secrets_dict
+)
+
+class TestEncryption:
+    """Tests for encryption/decryption implementation"""
+    
+    def test_single_secret_encryption_decryption(self):
+        """Test individual secret encryption and decryption"""
+        secret_value = "super-sensitive-value"
+        
+        # Encrypt the secret
+        encrypted = _encrypt_secret(secret_value)
+        assert encrypted is not None
+        assert ":" in encrypted  # Should contain salt and encrypted data
+        
+        # Should not be the same as original
+        assert encrypted != secret_value
+        
+        # Decrypt the secret
+        decrypted = _decrypt_secret(encrypted)
+        assert decrypted == secret_value
+
+    def test_multiple_secrets_encryption_decryption(self):
+        """Test encryption and decryption of multiple secrets"""
+        secrets = {
+            "API_KEY": "secret-api-key",
+            "PASSWORD": "secret-password",
+            "TOKEN": "secret-token"
+        }
+        
+        # Encrypt dictionary of secrets
+        encrypted_secrets = _encrypt_secrets(secrets)
+        assert encrypted_secrets is not None
+        
+        # Ensure each value is encrypted
+        for key, value in encrypted_secrets.items():
+            assert ":" in value  # Should contain salt and encrypted data
+            assert value != secrets[key]  # Should not match original value
+        
+        # Decrypt all secrets
+        decrypted_secrets = _decrypt_secrets(encrypted_secrets)
+        assert decrypted_secrets is not None
+        
+        # Ensure decrypted values match original
+        for key, value in secrets.items():
+            assert decrypted_secrets[key] == value
+
+    def test_decryption_in_memory(self):
+        """Test decryption in non-keyring mode"""
+        # Create test secrets
+        test_secrets = {
+            "API_KEY": "test-api-key",
+            "DB_PASSWORD": "test-db-password" 
+        }
+        
+        # Create secret keys set
+        secret_keys = set(test_secrets.keys())
+        
+        # Create LazySecretsDict with in-memory decryption
+        secrets_dict = create_secrets_dict(
+            secret_keys,
+            "test_org_id",
+            "test_project_id",
+            test_secrets,  # Direct use of secrets
+            False         # No keyring
+        )
+        
+        # Access each secret and verify correct values
+        for key, expected_value in test_secrets.items():
+            assert secrets_dict[key] == expected_value
+
+    @patch("keyring.get_password")
+    @patch("keyring.set_password")
+    def test_decryption_with_keyring(self, mock_set_password, mock_get_password):
+        """Test decryption with keyring enabled"""
+        # Create test secrets
+        test_secrets = {
+            "API_KEY": "test-api-key",
+            "DB_PASSWORD": "test-db-password" 
+        }
+        
+        # Mock keyring to return encrypted values
+        def mock_get_side_effect(service_name, key):
+            # Return encrypted version of the test secret
+            if key in test_secrets:
+                return _encrypt_secret(test_secrets[key])
+            return None
+            
+        mock_get_password.side_effect = mock_get_side_effect
+        
+        # Create secret keys set
+        secret_keys = set(test_secrets.keys())
+        organization_id = "test_org_id"
+        project_id = "test_project_id"
+        
+        # Create LazySecretsDict with keyring decryption
+        secrets_dict = create_secrets_dict(
+            secret_keys,
+            organization_id,
+            project_id,
+            test_secrets,  # Used to initialize keyring
+            True           # Use keyring
+        )
+        
+        # Verify secrets were encrypted and stored in keyring
+        assert mock_set_password.call_count == len(test_secrets)
+        
+        # Access each secret and verify decryption
+        for key, expected_value in test_secrets.items():
+            # Value should be decrypted from keyring when accessed
+            assert secrets_dict[key] == expected_value
+            
+
+    
+

toru_vault-0.3.0/tests/test_vault_jit.py

@@ -0,0 +1,79 @@
+import pytest
+import os
+from unittest.mock import patch, MagicMock
+
+class TestVaultDecryption:
+    """Test encryption/decryption with vault API functions"""
+    
+    def test_get_in_memory(self, mock_initialize_client, mock_env_vars):
+        """Test retrieval with get() using in-memory mode"""
+        from toru_vault import vault
+        
+        # Get secrets with in-memory storage (no keyring)
+        secrets = vault.get("project1", use_keyring=False)
+        
+        # Verify we got the expected keys
+        assert "TEST_SECRET1" in secrets
+        assert "TEST_SECRET2" in secrets
+        
+        # Access secrets and verify values 
+        assert secrets["TEST_SECRET1"] == "test_value1"
+        assert secrets["TEST_SECRET2"] == "test_value2"
+        
+
+    
+    @patch("keyring.get_password")
+    @patch("keyring.set_password")
+    def test_get_with_keyring(self, mock_set, mock_get, mock_initialize_client, mock_env_vars):
+        """Test decryption with get() using keyring"""
+        from toru_vault import vault
+        from toru_vault.in_memory import _encrypt_secret, _decrypt_secret
+        
+        # Setup keyring mock to simulate stored encrypted values
+        def mock_get_side_effect(service_name, key):
+            if key == "TEST_SECRET1":
+                return _encrypt_secret("test_value1")
+            elif key == "TEST_SECRET2":
+                return _encrypt_secret("test_value2")
+            return None
+            
+        mock_get.side_effect = mock_get_side_effect
+        
+        # Get secrets using keyring
+        secrets = vault.get("project1", use_keyring=True)
+        
+        # Access both secrets sequentially to test individual decryption
+        value1 = secrets["TEST_SECRET1"]
+        assert value1 == "test_value1"
+        
+        value2 = secrets["TEST_SECRET2"]
+        assert value2 == "test_value2"
+        
+        # Verify we called get_password at least twice, plus once for org_id lookup
+        # Expected number: 2 secret lookups + 1 for ORGANIZATION_ID
+        assert mock_get.call_count >= 3
+        
+    # Tests for env_load and env_load_all removed as they already exist in TestEnvLoad
+            
+    def test_get_all(self, mock_initialize_client, mock_env_vars):
+        """Test decryption with get_all()"""
+        with patch("toru_vault.vault.get") as mock_get:
+            from toru_vault import vault
+            
+            # Setup mock get to return test secrets
+            mock_get.return_value = {
+                "TEST_SECRET1": "test_value1",
+                "TEST_SECRET2": "test_value2"
+            }
+            
+            # Call get_all
+            all_secrets = vault.get_all(use_keyring=False)
+            
+            # Verify get was called for the project
+            mock_get.assert_called_once_with("project1", use_keyring=False)
+            
+            # Verify expected secrets are in result
+            assert "TEST_SECRET1" in all_secrets
+            assert all_secrets["TEST_SECRET1"] == "test_value1"
+            assert "TEST_SECRET2" in all_secrets
+            assert all_secrets["TEST_SECRET2"] == "test_value2"

{toru_vault-0.1.4 → toru_vault-0.3.0}/toru_vault/__init__.py

@@ -2,4 +2,5 @@
 # Import functions from the core module
 from .vault import env_load, env_load_all, get, get_all
 
+__version__ = "0.2.0"
 __all__ = ["env_load", "env_load_all", "get", "get_all"]

{toru_vault-0.1.4 → toru_vault-0.3.0}/toru_vault/__main__.py

@@ -7,9 +7,32 @@ import os
 import sys
 import getpass
 
-from .vault import (_initialize_client, set_to_keyring, _get_from_keyring_or_env,
-                   _KEYRING_BWS_TOKEN_KEY, _KEYRING_ORG_ID_KEY, _KEYRING_STATE_FILE_KEY, 
-                   _KEYRING_AVAILABLE)
+from .vault import (_initialize_client, _get_from_keyring_or_env,
+                   _KEYRING_SERVICE_NAME, _KEYRING_BWS_TOKEN_KEY, _KEYRING_ORG_ID_KEY, 
+                   _KEYRING_STATE_FILE_KEY, _KEYRING_AVAILABLE)
+
+
+def _set_to_keyring(key, value):
+    """
+    Set a value to keyring
+    
+    Args:
+        key (str): Key in keyring
+        value (str): Value to store
+    
+    Returns:
+        bool: True if successful, False otherwise
+    """
+    if not _KEYRING_AVAILABLE:
+        return False
+    
+    try:
+        import keyring
+        keyring.set_password(_KEYRING_SERVICE_NAME, key, value)
+        return True
+    except Exception as e:
+        print(f"Failed to set {key} to keyring: {e}")
+        return False
 
 
 def list_projects(organization_id=None):
@@ -103,21 +126,21 @@ def init_vault():
     # Store in keyring
     if _KEYRING_AVAILABLE:
         if existing_token != token or not existing_token:
-            if set_to_keyring(_KEYRING_BWS_TOKEN_KEY, token):
+            if _set_to_keyring(_KEYRING_BWS_TOKEN_KEY, token):
                 print("BWS_TOKEN stored in keyring")
             else:
                 print("Failed to store BWS_TOKEN in keyring")
                 return False
         
         if existing_org_id != org_id or not existing_org_id:
-            if set_to_keyring(_KEYRING_ORG_ID_KEY, org_id):
+            if _set_to_keyring(_KEYRING_ORG_ID_KEY, org_id):
                 print("ORGANIZATION_ID stored in keyring")
             else:
                 print("Failed to store ORGANIZATION_ID in keyring")
                 return False
         
         if existing_state_file != state_file or not existing_state_file:
-            if set_to_keyring(_KEYRING_STATE_FILE_KEY, state_file):
+            if _set_to_keyring(_KEYRING_STATE_FILE_KEY, state_file):
                 print("STATE_FILE stored in keyring")
             else:
                 print("Failed to store STATE_FILE in keyring")