-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathbwpwd
More file actions
executable file
·214 lines (179 loc) · 8.03 KB
/
bwpwd
File metadata and controls
executable file
·214 lines (179 loc) · 8.03 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
#!/usr/bin/env bash
# bwpwd - programatically fetch passwords, secure notes, ssh keys from Bitwarden vault. Can be called from other scripts - see call_bwpwd for usage
# ──────────────────────────────────────────────────────
# Author: Don Ferris
# Created: [22-10-2025]
# Current Revision: v1.3
# ──────────────────────────────────────────────────────
# Revision History
# ----------------
# v1.3 — 2025-10-24 — Removed -n switch; now accept the item name as a positional argument (bwpwd "item name"). Kept robust session-handling for already-logged-in cases and safe token extraction.
# v1.2 — 2025-10-24 — Removed debug output, clarified -n usage (now supports -n or positional arg), improved session handling for already-logged-in cases.
# v1.1 — 2025-10-22 — Added ability to call script, passing "-n [vault item name]" at the command line. Vault item name doesn't have to be precise; script will prompt, offering multiple choice menus.
# v1.0 — 2025-10-21 — Initial script. Tested, working, supports MFA. (Only tested with TOTP 2FA using Authy code generator.)
########
# --- Configuration ---
BW_EMAIL="bitwarden@donnybahama.com"
BW_PASSWORD_FILE="$HOME/.bwpwd"
SESSION_FILE="/tmp/bw_session.key"
# ASSUMPTION: Standard Bitwarden Cloud Server.
BW_SERVER_URL="https://vault.bitwarden.com"
# -----------------------------------------------
# --- Setup and Initialization ---
# -----------------------------------------------
# Check for master password file
if [ ! -f "$BW_PASSWORD_FILE" ]; then
echo "ERROR: Bitwarden password file not found at $BW_PASSWORD_FILE" >&2
exit 1
fi
# Ensure the CLI is configured for the correct server.
bw config server "$BW_SERVER_URL" > /dev/null 2>&1 || true
# Check for 'jq' utility (required for parsing JSON output)
if ! command -v jq &> /dev/null; then
echo "ERROR: The 'jq' utility is required for script functionality. Please install it." >&2
exit 1
fi
# -----------------------------------------------
# --- Positional argument handling (no -n switch) ---
# -----------------------------------------------
ITEM_NAME=""
INVOKED_WITH_ARG=0
if [ -n "$1" ]; then
ITEM_NAME="$1"
INVOKED_WITH_ARG=1
fi
# -----------------------------------------------
# --- Functions (Login/Unlock Logic) ---
# -----------------------------------------------
perform_login_or_unlock() {
local return_code
local raw_output
local SESSION_KEY
# First attempt: try an unlock (works if already logged in)
raw_output=$(bw unlock --passwordfile "$BW_PASSWORD_FILE" --raw 2>&1)
return_code=$?
if [ $return_code -ne 0 ]; then
# If unlock failed, try a fresh login (interactive TOTP)
echo -n "2FA Required: Enter your 6-digit authenticator code: " >&2
read -r BW_2FA_CODE
raw_output=$(bw login "$BW_EMAIL" --passwordfile "$BW_PASSWORD_FILE" --method totp --code "$BW_2FA_CODE" --raw 2>&1)
return_code=$?
# If login failed but said "already logged in", try unlock again.
if [ $return_code -ne 0 ]; then
if printf '%s\n' "$raw_output" | grep -qi 'already logged in'; then
raw_output=$(bw unlock --passwordfile "$BW_PASSWORD_FILE" --raw 2>&1)
return_code=$?
fi
fi
fi
# Safe extraction of a plausible session token:
SESSION_KEY=$(printf '%s\n' "$raw_output" \
| tr -cs 'A-Za-z0-9_+/=-' '\n' \
| awk 'length($0) >= 32 { print; exit }')
if [ -n "$SESSION_KEY" ] && [ $return_code -eq 0 ]; then
export BW_SESSION="$SESSION_KEY"
# Save session to file with restrictive permissions
umask 177
printf '%s' "$SESSION_KEY" > "$SESSION_FILE"
chmod 600 "$SESSION_FILE" 2>/dev/null || true
return 0
else
echo "ERROR: Bitwarden command failed to produce a valid session key (exit $return_code)." >&2
echo "Raw output was:" >&2
echo "$raw_output" >&2
return 1
fi
}
# -----------------------------------------------
# --- Main Script Logic ---
# -----------------------------------------------
# --- 1. Check for Existing Valid Session Key ---
if [ -f "$SESSION_FILE" ]; then
export BW_SESSION=$(cat "$SESSION_FILE")
# Validate the session by calling a harmless non-interactive command (sync).
if bw sync --session "$BW_SESSION" >/dev/null 2>&1; then
:
else
unset BW_SESSION
rm -f "$SESSION_FILE"
fi
fi
# --- 2. Login if no valid session key was found ---
if [ -z "$BW_SESSION" ]; then
perform_login_or_unlock || exit 1
fi
# --- 3. Retrieve PASSWORD (Accepts positional arg or prompt) ---
if [ -n "$BW_SESSION" ]; then
if [ -z "$ITEM_NAME" ]; then
echo -n "Enter the vault item name to retrieve (or search term for a Password): " >&2
read -r ITEM_NAME
fi
if [ -z "$ITEM_NAME" ]; then
echo "ERROR: No item name provided. Exiting." >&2
exit 1
fi
# Force sync to prevent stale data issues
if ! bw sync --session "$BW_SESSION" >/dev/null 2>&1; then
echo "ERROR: Failed to synchronize Bitwarden vault. Cannot retrieve password." >&2
exit 1
fi
# We use bw list items to handle single/multiple results gracefully
SEARCH_RESULTS_JSON=$(bw list items --search "$ITEM_NAME" --session "$BW_SESSION")
ITEM_COUNT=$(echo "$SEARCH_RESULTS_JSON" | jq 'length')
if [ "$ITEM_COUNT" -eq 0 ]; then
echo "ERROR: No results found for '$ITEM_NAME'." >&2
exit 1
fi
# --- Single Result Path (Prints only content to STDOUT) ---
if [ "$ITEM_COUNT" -eq 1 ]; then
VAULT_PASSWORD=$(echo "$SEARCH_RESULTS_JSON" | jq -r '.[0].login.password')
if [ -n "$VAULT_PASSWORD" ] && [ "$VAULT_PASSWORD" != "null" ]; then
echo "$VAULT_PASSWORD"
else
echo "ERROR: Item found but has no stored password (or unexpected format)." >&2
exit 1
fi
# --- Multiple Results Path (Interactive/Non-Interactive Failure) ---
else
if [ $INVOKED_WITH_ARG -eq 1 ]; then
# If positional arg was provided non-interactively, we can't select
echo "ERROR: Multiple items found for '$ITEM_NAME'. Cannot select non-interactively. Please use a more specific search term." >&2
echo "Found items:" >&2
echo "$SEARCH_RESULTS_JSON" | jq -r '.[] | .name' >&2
exit 1
fi
# Interactive selection
ITEM_LIST=$(echo "$SEARCH_RESULTS_JSON" | jq -r '.[] | .name + "|" + (.login.username // "N/A") + "|" + .id')
COUNTER=1
declare -a IDS
echo "------------------------------------------------------------------" >&2
echo " # | Name | Username" >&2
echo "------------------------------------------------------------------" >&2
while IFS='|' read -r NAME USERNAME ID; do
echo "$COUNTER | $NAME | $USERNAME" >&2
IDS+=("$ID")
COUNTER=$((COUNTER + 1))
done <<< "$ITEM_LIST"
echo "------------------------------------------------------------------" >&2
while true; do
echo -n "Enter the number of the item you want to retrieve (1-$ITEM_COUNT): " >&2
read -r SELECTION
if [[ "$SELECTION" =~ ^[0-9]+$ ]] && [ "$SELECTION" -ge 1 ] && [ "$SELECTION" -le "$ITEM_COUNT" ]; then
break
else
echo "Invalid selection. Please enter a number between 1 and $ITEM_COUNT." >&2
fi
done
SELECTED_ID="${IDS[$SELECTION-1]}"
VAULT_PASSWORD=$(bw get password "$SELECTED_ID" --session "$BW_SESSION")
if [ -n "$VAULT_PASSWORD" ]; then
echo "$VAULT_PASSWORD"
else
echo "ERROR: Failed to retrieve password using the selected ID." >&2
exit 1
fi
fi
else
echo "FATAL ERROR: BW_SESSION is not set after all login attempts. Cannot proceed." >&2
exit 1
fi