From d51c9d74857aca3c2f172609297266968bc7f809 Mon Sep 17 00:00:00 2001 From: Elizabeth Alexander Hunt Date: Mon, 12 May 2025 09:40:12 -0700 Subject: The big refactor TM --- worker/secret/bitwarden.ts | 153 +++++++++++++++++++++++++++++++++++++++++++++ worker/secret/ivault.ts | 24 +++++++ worker/secret/mod.ts | 2 + 3 files changed, 179 insertions(+) create mode 100644 worker/secret/bitwarden.ts create mode 100644 worker/secret/ivault.ts create mode 100644 worker/secret/mod.ts (limited to 'worker/secret') diff --git a/worker/secret/bitwarden.ts b/worker/secret/bitwarden.ts new file mode 100644 index 0000000..0172a1b --- /dev/null +++ b/worker/secret/bitwarden.ts @@ -0,0 +1,153 @@ +import { + Either, + getRequiredEnvVars, + getStdout, + type IEither, + type ITraceable, + type LogMetricTraceSupplier, + Metric, + TraceUtil, +} from "@emprespresso/pengueno"; +import type { IVault, SecretItem } from "./mod.ts"; + +type TClient = ITraceable; +type TKey = string; +type TItemId = string; +export class Bitwarden implements IVault { + constructor(private readonly config: BitwardenConfig) {} + + public unlock(client: TClient) { + return client.move(this.config) + .bimap(TraceUtil.withMetricTrace(Bitwarden.loginMetric)) + .flatMap((tConfig) => + tConfig.move(`bw config server ${tConfig.get().server}`).map(getStdout) + ) + .map(async (tEitherWithConfig) => { + const eitherWithConfig = await tEitherWithConfig.get(); + tEitherWithConfig.trace.trace("logging in~ ^.^"); + return eitherWithConfig.flatMapAsync((_) => + tEitherWithConfig.move("bw login --apikey --quiet").map(getStdout) + .get() + ); + }) + .peek(async (tEitherWithAuthd) => { + const eitherWithAuthd = await tEitherWithAuthd.get(); + return tEitherWithAuthd.trace.trace( + eitherWithAuthd.fold((err, _val) => + Bitwarden.loginMetric[err ? "failure" : "success"] + ), + ); + }) + .map(async (tEitherWithAuthd) => { + const eitherWithAuthd = await tEitherWithAuthd.get(); + tEitherWithAuthd.trace.trace("unlocking the secret vault~ (◕ᴗ◕✿)"); + return eitherWithAuthd.flatMapAsync((_) => + tEitherWithAuthd.move("bw unlock --passwordenv BW_PASSWORD --raw") + .map(getStdout) + .get() + ); + }) + .peek(async (tEitherWithSession) => { + const eitherWithAuthd = await tEitherWithSession.get(); + return tEitherWithSession.trace.trace( + eitherWithAuthd.fold((err, _val) => + Bitwarden.unlockVaultMetric[err ? "failure" : "success"] + ), + ); + }) + .get(); + } + + public fetchSecret( + client: TClient, + key: string, + item: string, + ): Promise> { + return client.move(key) + .bimap(TraceUtil.withMetricTrace(Bitwarden.fetchSecretMetric)) + .peek((tSession) => + tSession.trace.trace(`looking for your secret ${item} (⑅˘꒳˘)`) + ) + .flatMap((tSession) => + tSession.move("bw list items").map((listCmd) => + getStdout(listCmd, { env: { BW_SESSION: tSession.get() } }) + ) + ) + .map( + TraceUtil.promiseify((tEitherItemsJson) => + tEitherItemsJson.get() + .flatMap((itemsJson): IEither> => + Either.fromFailable(() => JSON.parse(itemsJson)) + ) + .flatMap((itemsList): IEither => { + const secret = itemsList.find(({ name }) => name === item); + if (!secret) { + return Either.left( + new Error(`couldn't find the item ${item} (。•́︿•̀。)`), + ); + } + return Either.right(secret); + }) + ), + ) + .peek(async (tEitherWithSecret) => { + const eitherWithSecret = await tEitherWithSecret.get(); + return tEitherWithSecret.trace.trace( + eitherWithSecret.fold((err, _val) => + Bitwarden.fetchSecretMetric[err ? "failure" : "success"] + ), + ); + }) + .get(); + } + + public lock(client: TClient, key: TKey) { + return client.move(key) + .bimap(TraceUtil.withMetricTrace(Bitwarden.lockVaultMetric)) + .peek((tSession) => + tSession.trace.trace(`taking care of locking the vault :3`) + ) + .flatMap((tSession) => + tSession.move("bw lock").map((lockCmd) => + getStdout(lockCmd, { env: { BW_SESSION: tSession.get() } }) + ) + ) + .peek(async (tEitherWithLocked) => { + const eitherWithLocked = await tEitherWithLocked.get(); + return eitherWithLocked.fold((err, _val) => { + tEitherWithLocked.trace.trace( + Bitwarden.lockVaultMetric[err ? "failure" : "success"], + ); + if (err) return; + tEitherWithLocked.trace.trace( + "all locked up and secure now~ (。•̀ᴗ-)✧", + ); + }); + }) + .get(); + } + + public static getConfigFromEnvironment(): IEither { + return getRequiredEnvVars([ + "BW_SERVER", + "BW_CLIENTSECRET", + "BW_CLIENTID", + "BW_PASSWORD", + ]).mapRight(({ BW_SERVER, BW_CLIENTSECRET, BW_CLIENTID }) => ({ + clientId: BW_CLIENTID, + secret: BW_CLIENTSECRET, + server: BW_SERVER, + })); + } + + private static loginMetric = Metric.fromName("Bitwarden.login"); + private static unlockVaultMetric = Metric.fromName("Bitwarden.unlockVault"); + private static fetchSecretMetric = Metric.fromName("Bitwarden.fetchSecret"); + private static lockVaultMetric = Metric.fromName("Bitwarden.lock"); +} + +export interface BitwardenConfig { + server: string; + secret: string; + clientId: string; +} diff --git a/worker/secret/ivault.ts b/worker/secret/ivault.ts new file mode 100644 index 0000000..e101e56 --- /dev/null +++ b/worker/secret/ivault.ts @@ -0,0 +1,24 @@ +import type { IEither } from "@emprespresso/pengueno"; + +export interface LoginItem { + login: { + username: string; + password: string; + }; +} + +export interface SecureNote { + notes: string; +} + +export type SecretItem = LoginItem | SecureNote; +export interface IVault { + unlock: (client: TClient) => Promise>; + lock: (client: TClient, key: TKey) => Promise>; + + fetchSecret: ( + client: TClient, + key: TKey, + item: TItemId, + ) => Promise>; +} diff --git a/worker/secret/mod.ts b/worker/secret/mod.ts new file mode 100644 index 0000000..70a1ea9 --- /dev/null +++ b/worker/secret/mod.ts @@ -0,0 +1,2 @@ +export * from "./ivault.ts"; +export * from "./bitwarden.ts"; -- cgit v1.2.3-70-g09d2