2018-07-06 01:03:25 +00:00
|
|
|
#!/usr/bin/env python
|
|
|
|
|
|
|
|
# (c) 2018, Matt Stofko <matt@mjslabs.com>
|
2018-10-19 20:34:56 +00:00
|
|
|
# GNU General Public License v3.0+ (see LICENSE or
|
|
|
|
# https://www.gnu.org/licenses/gpl-3.0.txt)
|
2018-07-06 01:03:25 +00:00
|
|
|
#
|
2018-10-19 20:34:56 +00:00
|
|
|
# This plugin can be run directly by specifying the field followed by a list of
|
|
|
|
# entries, e.g. bitwarden.py password google.com wufoo.com
|
2018-07-06 01:03:25 +00:00
|
|
|
#
|
|
|
|
from __future__ import (absolute_import, division, print_function)
|
|
|
|
__metaclass__ = type
|
|
|
|
|
2018-10-19 20:32:14 +00:00
|
|
|
import json
|
|
|
|
import os
|
|
|
|
import sys
|
|
|
|
|
|
|
|
from subprocess import Popen, PIPE, check_output
|
|
|
|
|
|
|
|
from ansible.errors import AnsibleError
|
|
|
|
from ansible.plugins.lookup import LookupBase
|
|
|
|
|
|
|
|
try:
|
|
|
|
from __main__ import display
|
|
|
|
except ImportError:
|
|
|
|
from ansible.utils.display import Display
|
|
|
|
display = Display()
|
|
|
|
|
|
|
|
|
2018-07-06 01:03:25 +00:00
|
|
|
DOCUMENTATION = """
|
|
|
|
lookup: bitwarden
|
|
|
|
author:
|
|
|
|
- Matt Stofko <matt@mjslabs.com>
|
|
|
|
requirements:
|
|
|
|
- bw (command line utility)
|
|
|
|
- BW_SESSION environment var (from `bw login` or `bw unlock`)
|
|
|
|
short_description: look up data from a bitwarden vault
|
|
|
|
description:
|
2018-10-19 20:34:56 +00:00
|
|
|
- use the bw command line utility to grab one or more items stored in a
|
|
|
|
bitwarden vault
|
2018-07-06 01:03:25 +00:00
|
|
|
options:
|
|
|
|
_terms:
|
|
|
|
description: name of item that contains the field to fetch
|
|
|
|
required: True
|
|
|
|
field:
|
|
|
|
description: field to return from bitwarden
|
|
|
|
default: 'password'
|
2019-11-18 16:05:38 +00:00
|
|
|
custom_field:
|
2018-10-19 20:32:14 +00:00
|
|
|
description: If True, look up named field in custom fields instead
|
|
|
|
of top-level dictionary.
|
2019-11-18 16:05:38 +00:00
|
|
|
sync:
|
2018-10-20 01:11:32 +00:00
|
|
|
description: If True, call `bw sync` before lookup
|
2018-07-06 01:03:25 +00:00
|
|
|
"""
|
|
|
|
|
|
|
|
EXAMPLES = """
|
|
|
|
- name: get 'username' from Bitwarden entry 'Google'
|
|
|
|
debug:
|
|
|
|
msg: "{{ lookup('bitwarden', 'Google', field='username') }}"
|
|
|
|
"""
|
|
|
|
|
|
|
|
RETURN = """
|
|
|
|
_raw:
|
|
|
|
description:
|
|
|
|
- Items from Bitwarden vault
|
|
|
|
"""
|
|
|
|
|
|
|
|
|
|
|
|
class Bitwarden(object):
|
|
|
|
|
|
|
|
def __init__(self, path):
|
|
|
|
self._cli_path = path
|
|
|
|
try:
|
2021-10-30 06:22:14 +00:00
|
|
|
check_output([self._cli_path, "--version"])
|
2018-07-06 01:03:25 +00:00
|
|
|
except OSError:
|
|
|
|
raise AnsibleError("Command not found: {0}".format(self._cli_path))
|
|
|
|
|
|
|
|
@property
|
|
|
|
def cli_path(self):
|
|
|
|
return self._cli_path
|
|
|
|
|
|
|
|
@property
|
|
|
|
def logged_in(self):
|
|
|
|
return 'BW_SESSION' in os.environ
|
|
|
|
|
|
|
|
def _run(self, args):
|
2021-10-30 06:22:14 +00:00
|
|
|
print("%s %s" % (self.cli_path, args))
|
2018-07-06 01:03:25 +00:00
|
|
|
p = Popen([self.cli_path] + args, stdin=PIPE, stdout=PIPE, stderr=PIPE)
|
|
|
|
out, err = p.communicate()
|
|
|
|
rc = p.wait()
|
|
|
|
if rc != 0:
|
2018-10-19 20:34:56 +00:00
|
|
|
display.debug("Received error when running '{0} {1}': {2}"
|
|
|
|
.format(self.cli_path, args, out))
|
2021-10-30 06:22:14 +00:00
|
|
|
if err.startswith(b"Vault is locked."):
|
2018-10-19 20:34:56 +00:00
|
|
|
raise AnsibleError("Error accessing Bitwarden vault. "
|
|
|
|
"Run 'bw unlock' to unlock the vault.")
|
2021-10-30 06:22:14 +00:00
|
|
|
elif err.startswith(b"You are not logged in."):
|
2018-10-19 20:34:56 +00:00
|
|
|
raise AnsibleError("Error accessing Bitwarden vault. "
|
|
|
|
"Run 'bw login' to login.")
|
2021-10-30 06:22:14 +00:00
|
|
|
elif err.startswith(b"Failed to decrypt."):
|
2018-10-19 20:34:56 +00:00
|
|
|
raise AnsibleError("Error accessing Bitwarden vault. "
|
|
|
|
"Make sure BW_SESSION is set properly.")
|
2021-10-30 06:22:14 +00:00
|
|
|
elif err.startswith(b"Not found."):
|
2018-10-19 20:34:56 +00:00
|
|
|
raise AnsibleError("Error accessing Bitwarden vault. "
|
|
|
|
"Specified item not found.")
|
2018-07-06 01:03:25 +00:00
|
|
|
else:
|
2018-10-19 20:34:56 +00:00
|
|
|
raise AnsibleError("Unknown failure in 'bw' command: "
|
2021-10-30 06:22:14 +00:00
|
|
|
"{0}".format(err))
|
2018-07-06 01:03:25 +00:00
|
|
|
return out.strip()
|
|
|
|
|
2018-10-20 01:11:32 +00:00
|
|
|
def sync(self):
|
|
|
|
self._run(['sync'])
|
|
|
|
|
2018-07-06 01:03:25 +00:00
|
|
|
def get_entry(self, key, field):
|
2018-10-20 01:30:56 +00:00
|
|
|
return self._run(["get", field, key]).decode('utf-8')
|
2018-07-06 01:03:25 +00:00
|
|
|
|
2018-10-19 20:32:14 +00:00
|
|
|
def get_custom_field(self, key, field):
|
|
|
|
data = json.loads(self.get_entry(key, 'item'))
|
|
|
|
return next(x for x in data['fields'] if x['name'] == field)['value']
|
|
|
|
|
2018-07-06 01:03:25 +00:00
|
|
|
|
|
|
|
class LookupModule(LookupBase):
|
|
|
|
|
|
|
|
def run(self, terms, variables=None, **kwargs):
|
|
|
|
bw = Bitwarden(path=kwargs.get('path', 'bw'))
|
|
|
|
|
|
|
|
if not bw.logged_in:
|
2018-10-19 20:34:56 +00:00
|
|
|
raise AnsibleError("Not logged into Bitwarden: please run "
|
|
|
|
"'bw login', or 'bw unlock' and set the "
|
|
|
|
"BW_SESSION environment variable first")
|
2018-07-06 01:03:25 +00:00
|
|
|
|
|
|
|
field = kwargs.get('field', 'password')
|
|
|
|
values = []
|
2018-10-20 01:11:32 +00:00
|
|
|
|
|
|
|
if kwargs.get('sync'):
|
|
|
|
bw.sync()
|
|
|
|
|
2018-07-06 01:03:25 +00:00
|
|
|
for term in terms:
|
2018-10-19 20:32:14 +00:00
|
|
|
if kwargs.get('custom_field'):
|
|
|
|
values.append(bw.get_custom_field(term, field))
|
|
|
|
else:
|
|
|
|
values.append(bw.get_entry(term, field))
|
2018-07-06 01:03:25 +00:00
|
|
|
return values
|
|
|
|
|
|
|
|
|
|
|
|
def main():
|
|
|
|
if len(sys.argv) < 3:
|
2018-10-19 20:34:56 +00:00
|
|
|
print("Usage: {0} <field> <name> [name name ...]"
|
|
|
|
.format(os.path.basename(__file__)))
|
2018-07-06 01:03:25 +00:00
|
|
|
return -1
|
|
|
|
|
|
|
|
print(LookupModule().run(sys.argv[2:], None, field=sys.argv[1]))
|
|
|
|
|
|
|
|
return 0
|
|
|
|
|
|
|
|
|
|
|
|
if __name__ == "__main__":
|
|
|
|
sys.exit(main())
|