Bitwarden provider #1515

Closed
sHaggYcaT opened this issue Sep 4, 2022 · 5 comments

@sHaggYcaT

Copy of Bitwarden provider #1309 and external-secrets/kubernetes-external-secrets#675

It's an open-source and self-hosted security manager. The previous issues were closed because of incompatibility:

> Hi @jdomag! We can only support providers that have HTTP APIs / gRPC, and it would be better if they had a Go SDK as well. Is that the case for Bitwarden?
> If not, I'd rather close this issue until it is compatible. We are not going to install a CLI to handle communications with a given provider. This was the same approach for the 1Password provider - we only started considering it when a Go SDK became available.

Actually, Bitwarden has an HTTP API (a standard/Swagger REST API):

@gusfcarvalho
Member

gusfcarvalho commented Sep 4, 2022

Hey @sHaggYcaT! Do you have any examples you can reference that use this API for getting the sensitive information? AFAIK (and from the documentation link you've just sent), there was no public method to return sensitive information.

There is even a notice on the documentation page forwarding you to use the CLI:

> For management of Vault items, use the [CLI](https://bitwarden.com/help/cli/). Access to Vault items relies on Vault decryption, which must be done with a Master Password.

@sHaggYcaT
Author

OK. Then, I think, it doesn't work this way.

@folliehiyuki

https://bitwarden.com/help/vault-management-api has API endpoints to manage secret items. Note that they are exposed via the `bw serve` command (they are not endpoints of the Bitwarden server) and don't have any authentication or encryption mechanism (already handled via the `bw serve` middleman), so they shouldn't be served publicly.

This has quite a lot of limitations and security issues, but I think it's worth looking into.
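
The constraint in the comment above (`bw serve` has no authentication, so it must not be reachable off-host) can be enforced on the client side. This is an added example, not code from the thread or from external-secrets: the function names, the `/object/item/{id}` path, the response envelope and the sample URLs are assumptions based on the linked Vault Management API page.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net"
	"net/http"
	"net/url"
)

// CheckLoopback accepts only http URLs whose host is a literal loopback IP;
// names like "localhost" are rejected because resolution can be repointed.
func CheckLoopback(raw string) (*url.URL, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, err
	}
	ip := net.ParseIP(u.Hostname())
	if u.Scheme != "http" || ip == nil || !ip.IsLoopback() {
		return nil, fmt.Errorf("refusing non-loopback bw serve endpoint %q", raw)
	}
	return u, nil
}

// FetchItem reads one vault item from a local bw serve listener.
// Assumed API shape: GET /object/item/{id} -> {"success":bool,"data":{...}}.
func FetchItem(base, id string) (json.RawMessage, error) {
	u, err := CheckLoopback(base)
	if err != nil {
		return nil, err
	}
	// Never follow redirects: a redirect could point off the loopback interface.
	c := &http.Client{CheckRedirect: func(*http.Request, []*http.Request) error { return http.ErrUseLastResponse }}
	resp, err := c.Get(u.Scheme + "://" + u.Host + "/object/item/" + url.PathEscape(id))
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	var r struct {
		Success bool            `json:"success"`
		Data    json.RawMessage `json:"data"`
	}
	if err := json.NewDecoder(resp.Body).Decode(&r); err != nil || !r.Success {
		return nil, fmt.Errorf("bw serve: status %d, success=%v, err=%v", resp.StatusCode, r.Success, err)
	}
	return r.Data, nil
}

func main() { fmt.Println(CheckLoopback("http://0.0.0.0:8087")) } // constructed URL: rejected
```

The guard only covers the client's configuration; the listener itself still has to be bound to loopback and kept out of any Service or port mapping.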

@WoozyMasta

https://pkg.go.dev/github.com/cozy/cozy-stack/web/bitwarden

> Package bitwarden exposes an API compatible with the Bitwarden Open-Source apps.

@adalinesimonian

> https://pkg.go.dev/github.com/cozy/cozy-stack/web/bitwarden
>
> Package bitwarden exposes an API compatible with the Bitwarden Open-Source apps.

From what I can tell, that Go client package is being used precisely for the same purpose in the Cozy stack — as a vault backend for application secrets. Correct me if I'm wrong. It also seems to be actively maintained.

@gusfcarvalho, now that this package is available, could Bitwarden be re-considered as a provider in external-secrets?
