Unable to load Bitwarden Credentials in Dynamic Folder #107

vpv-snbe opened this issue Jun 13, 2024 · 17 comments

@vpv-snbe

Hi all,

Today I tried to connect RoyalTS to Bitwarden via a dynamic folder.
I created a dynamic folder with the PowerShell script and inserted the values of my self-hosted Bitwarden server.

After clicking on "Reload" in RoyalTS, I get the error message "At least one token couldn't be resolved" and following in the details:
global:OutputEncoding\r\n
CustomProperty.BitWardenCLIExecutable
CustomProperty.BitWardenServerURL
CustomProperty.APIClientID
CustomProperty.APIClientSecret
CustomProperty.AccountPassword
(
(
(

Any idea what I'm doing wrong?

@StefanKoell
Member

Can you post a screenshot of the error message and the dynamic folder configuration (with sensitive data redacted)? Also, does it actually populate the dynamic folder?

@vpv-snbe
Author

Hi StefanKoell,

I have come one step further. I still get the error message about the token, but the credentials are loaded into the dynamic folder.

However, it only works if I specify a fixed folder in line 190 of the script. As soon as the script is supposed to load several folders, it continues to run endlessly.

```powershell
foreach ($folder in $tmpFolders[0]) {
    if ($null -ne $folder.id) {
        $tF = @{ Type = "Folder"; ID = $folder.id; Name = $folder.name; Objects = [array]@(Get-VaultItems -folderId $folder.id); }
        if ($tF.Objects.Count -ne 0) { $final.Objects[0].Objects += $tF; $tF = $null }
    } else {
        # Add default folder
        $tF = @{ Type = "Folder"; ID = "nofolder"; Name = "No folder"; Objects = [array]@(Get-VaultItems -folderId null); }
        if ($tF.Objects.Count -ne 0) { $final.Objects[0].Objects += $tF; $tF = $null }
    }
}
```


@StefanKoell
Copy link
Member

I'm still not sure what the error message is or how it is presented. For scripts where tokens are replaced you may always get warnings that tokens cannot be resolved because the parser may try to identify tokens based on some $ variables in the script. These warnings can/should just be ignored.

Regarding the other issue, I'm not sure how I can help because I'm not really familiar with the Bitwarden API. Maybe someone else who has experience with Bitwarden's API can help here.

StefanKoell added the "help wanted" label Jun 14, 2024

@vpv-snbe
Author

Sorry, forgot to add the screenshot from the error message.

Bitwarden_RoyalTS_Token-Error

To the other issue:
When I run the script directly in ISE, I see that sometimes I get the entries from Bitwarden, sometimes not.
In the case where I get no credentials, the process gets stuck at different points.

@StefanKoell
Member

Thanks for the screenshot. The warning can be ignored and is actually expected for scripting languages which also use $ chars extensively. It will not really affect the token resolution.

I find it odd, that even in the ISE you get inconsistent results. Not sure what's going on. Maybe the bitwarden backend can give some insights.

@vpv-snbe
Author

Thank you for the info, I will ignore this error message.

I tried to find something in the Bitwarden backend, nothing found yet.
The import breaks on different folders, sometimes on the first or second, sometimes it works. In the last test, the script hung at folder "Firewall".
Maybe anyone has an idea where to look for this error?

Folder overview:
Bitwarden_CLI_Folders

Script with added status-logging:
Bitwarden_CLI_Skript

@StefanKoell
Member

Maybe Bitwarden support can help? Could also be an isolated issue with the specific instance/installation.

@tmsadm693

Same problem here. I tried different bw.exe versions, but with no luck.

@GrinGrin

GrinGrin commented Aug 7, 2024

Hi all,

I did not have a lot of time to work on this until recently. I was also blocked by an issue in the latest version of the Bitwarden CLI tool (bw.exe) that seems to not work anymore with an API key (it complains about a bad master password, even if correct, when unlocking the vault) 😒
I had to revert back to the older version 2023.12.1 in order to get it working again... (maybe a more recent version can work, I did not test all versions!)

Anyway, I've recently reworked the whole script to make better use of the navigation's treeview instead of having folders and subfolders at the same level.
sample_dynamicfolder

Unfortunately, right now the script is working but not ready for daily use, as it now makes calls to the vault for each folder/collection and it takes way too long, as it's not a real REST API under the hood!

For example, in my setup, with 540+ credentials/notes split between 1 personal vault, 2 organizations and 3 collections, it took a little bit more than 3 minutes to load 😣

As I also had to work on this at my day job, I'll try to use the embedded API endpoint of the CLI tool bw serve as it seems way quicker !
As the command does not run in background, I just had to figure out how to launch it in a background thread, make all calls and terminate the thread, all from the powershell script executed by RoyalTS 😥

I'll keep you informed as soon as I have a working version 🤞

@GrinGrin

GrinGrin commented Aug 8, 2024

Well ...

That was way easier than I thought to convert the script ... And it is mind-blowing!
bitwarden_cli_vs_rest

Both request the same vault on the same instance: the first uses "legacy" calls to bw.exe to get all folders/orgs/collections and their content each time, the second uses bw.exe serve to use the REST gateway.
I just had to convert all Invoke-Command -ScriptBlock to Invoke-WebRequest and adapt the property of the resulting object to access the data 😱

I'll check that the result is fully compliant with my vault content. I also spotted some encoding errors to correct.
But I think a working test script won't be too long to get.

Stay tuned ! 😜

@GrinGrin

GrinGrin commented Aug 9, 2024

Hi all !

I've pushed an update to the template on my fork of the repo.

Can you test if it works for you before I open a PR ?

Please note the following known issues:

  • I have mitigated as much as I can an issue in the part processing items in the personal vault without a folder set, in order to prevent fetching all items without a folder set from the collections you have access to. The API allows filtering on folder with an Id or "null", but specifying organizationId/collectionId is just seen as an OR and fetches everything, so I inverted the filter to items without a collection Id and then filter the result for items without a folder Id 😖
  • On very large setups (like organizations with very large collections presented to the user), fetch time can go up significantly (count in minutes). Even with REST, which is quicker, it can take long for the CLI utility to get the data back from the server!
  • In the first version of the script, I've prevented duplicates of items shared between your vault and a collection, but the current implementation reaches its limits if items are presented in multiple collections, leading to a duplicates error and aborting the loading. To keep the treeview capabilities I need to change how the final array is built and be able to search through it to find duplicates ...
    image

On instances with a small amount of objects it can work pretty well but can struggle with large organizations.
One way to mitigate that may be to take a look at some filtering options like this:
image

Based on criteria (with or without wildcards), instead of loading everything, I may be able to limit it a bit. Adding filtering on the item names can also be an option ... 🤔

Let me know what you think!
Thanks for your feedback!

Best Regards,
Nicolas.
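
The `bw serve` approach described in the three comments above (start the gateway in the background, query it over REST, stop it again), as an added example that is not GrinGrin's script and not part of the thread. Port 8087, the interactive password prompt and all variable names are assumptions; the endpoint paths are those of the CLI's Vault Management API rather than anything quoted here, and the no-folder filter is applied client-side on a single item fetch.

```powershell
# Added example. Assumes bw.exe is on PATH and already logged in; port is a placeholder.
$port = 8087
$base = "http://127.0.0.1:$port"
$masterPassword = Read-Host -Prompt 'Master password' -AsSecureString

# Loopback only: bw serve answers every local caller without authentication.
$bw = Start-Process -FilePath 'bw.exe' -PassThru -WindowStyle Hidden `
    -ArgumentList 'serve', '--hostname', '127.0.0.1', '--port', "$port"
try {
    # Poll until the listener answers; bounded so a dead CLI cannot hang the reload.
    $deadline = (Get-Date).AddSeconds(30)
    $up = $false
    while (-not $up) {
        if ($bw.HasExited) { throw 'bw serve exited before it started listening' }
        if ((Get-Date) -gt $deadline) { throw 'bw serve did not answer within 30 s' }
        try { $null = Invoke-RestMethod -Uri "$base/status" -TimeoutSec 5; $up = $true }
        catch { Start-Sleep -Milliseconds 500 }
    }

    # Unlock through the gateway; the plain-text password exists only for this call.
    $plain = [System.Net.NetworkCredential]::new('', $masterPassword).Password
    $body = @{ password = $plain } | ConvertTo-Json
    $null = Invoke-RestMethod -Method Post -Uri "$base/unlock" `
        -ContentType 'application/json' -Body $body -TimeoutSec 60

    # One request per object type instead of one CLI call per folder.
    # Every request carries a timeout so a stalled backend fails instead of hanging.
    $folders = (Invoke-RestMethod -Uri "$base/list/object/folders" -TimeoutSec 120).data.data
    $items   = (Invoke-RestMethod -Uri "$base/list/object/items" -TimeoutSec 120).data.data

    # Personal items without a folder: no collection id first, then no folder id.
    $noFolder = @($items | Where-Object { -not $_.collectionIds -and -not $_.folderId })

    # Item count per real folder (the "No Folder" entry has a null id and is skipped).
    foreach ($f in $folders | Where-Object id) {
        [pscustomobject]@{
            Folder = $f.name
            Items  = @($items | Where-Object { $_.folderId -eq $f.id }).Count
        }
    }
    [pscustomobject]@{ Folder = 'No folder'; Items = $noFolder.Count }
}
finally {
    # Always stop the gateway: while it runs, the unlocked vault is reachable locally.
    $plain = $null; $body = $null
    if (-not $bw.HasExited) { Stop-Process -Id $bw.Id -Force }
}
```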

@David4Es

Hi Nicolas,

I've been testing your code for a couple of days, and it's working flawlessly 👍 And it's really fast, way faster than code from royalapplications toolbox 🙏

Where can I find filtering options you've mentioned in your post?

Many thanks and have a nice day,
David

@David4Es

Hi Nicolas,

As part of testing your fork, I changed my Bitwarden KDF algorithm, rotated the API key and set the custom properties of the Dynamic Folder accordingly. But I was getting errors that the Bitwarden key or payload has changed (Lock the user to clear the key at crypto_service_CryptoService) when opening my Royal TS file. After a little bit of experimenting, I found out that deleting the file
%AppData%\Roaming\Bitwarden CLI\data.json did the trick.
So, maybe after changing the API Client Secret in the custom properties of the dynamic folder, it'd be advisable to delete the file %AppData%\Roaming\Bitwarden CLI\data.json, if it exists. What do you think?

Also, I'm still curious, where can I find filtering options you've mentioned in your post?

Thanks for your response and have a nice day,
David

@eiabea
Contributor

eiabea commented Dec 13, 2024

@GrinGrin thank you for your fork! I just transformed the current PowerShell script from the legacy rdfe format to the new rdfx format, which makes it much easier to compare the scripts.

I also transformed your version 2.0 and looked into it. I really like your approach and would love to add your script as a separate file like Bitwarden (PowerShell websocket).rdfx into the Bitwarden samples folder

The transform PR of the current file can be found here: #116

@n1ck-unikat

Hello, can we add the new SSH key item, by the way? With the new version (feature flag) we can store SSH keys in the new ssh-key item. It would be great if the script loaded that item as well, so we can safely put SSH keys into royalapp. Thanks

@eiabea
Contributor

eiabea commented Jan 7, 2025

@n1ck-unikat I just looked into this feature and find it quite interesting, could you please open up a new ticket for this feature request?

@n1ck-unikat

@eiabea yes, I'll make a new ticket!
