diff --git a/.gitignore b/.gitignore
index ad2e049..f9ba2eb 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,4 @@
 .docker-export
 results
+*.enc
+.env
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 9a14298..8064890 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -5,6 +5,11 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+## [1.2.0](https://hub.docker.com/r/mastermindzh/bw-export/tags)
+
+- Added support for apikey authorization
+ - Skips 2 factor authentication
+
 ## [1.1.1]
 Cleaned up the export.sh script from extraneous documentation and a useless empty echo.
diff --git a/Dockerfile b/Dockerfile
index a2dd100..4127b7b 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -2,11 +2,11 @@ FROM node:lts-slim
 # install openssl
 RUN apt-get update && \
- apt-get install -y --no-install-recommends openssl && \
+ apt-get install -y --no-install-recommends openssl expect && \
 rm -rf /var/cache/apk/*
 # install bitwarden-cli
-RUN npm install -g @bitwarden/cli@2023.2.0
+RUN npm install -g @bitwarden/cli
 # add the export script
 RUN mkdir -p /opt/bw-export
diff --git a/README.md b/README.md
index 5594112..225e7f0 100644
--- a/README.md
+++ b/README.md
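Review bot: In the Dockerfile hunk, `RUN npm install -g @bitwarden/cli` drops the exact version pin, so each rebuild installs whatever release is current on the registry into an image that handles the master password and the decrypted vault export. Keep a pinned version and bump it deliberately when a newer CLI is needed for apikey login, e.g. `RUN npm install -g @bitwarden/cli@<tested-version>` (placeholder), so a published image can be reproduced and audited. Separately, the unchanged cleanup line `rm -rf /var/cache/apk/*` is an Alpine path; on this apt-based image the package lists remain in the layer, and `rm -rf /var/lib/apt/lists/*` is presumably what was intended.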
@@ -41,14 +41,17 @@ To decrypt that simply run OpenSSL with the same params in export mode:
 You can tweak a lot of the internal workings of bw-export with simple environmental variables. The list below outlines most of them:
-| Variable | Default value | Description |
-| ------------------- | ---------------------------------------- | -------------------------------------------------------------- |
-| BW_ACCOUNT | `bitwarden_vault_test@mastermindzh.tech` | Bitwarden email address |
-| BW_PASS | `VGhpc0lzQVZhdWx0UGFzc3dvcmQK` | Bitwarden password |
-| BW_FILENAME_PREFIX | `bitwarden_vault_export_` | Prefix to use for generated files ($prefix$timestamp.enc) |
-| BW_TIMESTAMP | `Y-%m-%d %H:%M:%S` | Timestamp to use for generated files |
-| BW_EXPORT_FOLDER | `export` | Folder to put export files in |
-| BW_FOLDER_STRUCTURE | `Y/%m` | Date/timestamp to generate folders |
-| BW_PASSWORD_ENCODE | `base64` | "plain", or "base64", depending on whether you encoded BW_PASS |
-| BW_OPENSSL_OPTIONS | `aes-256-cbc -pbkdf2 -iter 100000` | Options passed to openssl's "enc" command |
-| BW_ENCRYPTION_PASS | `$BW_PASS` (same value as BW_PASS) | Password to encrypt the json file |
+| Variable | Default value | Description |
+| ------------------- | ----------------------------------------- | --------------------------------------------------------------------- |
+| BW_ACCOUNT | `bitwarden_vault_test@mastermindzh.tech` | Bitwarden email address |
+| BW_PASS | `VGhpc0lzQVZhdWx0UGFzc3dvcmQK` | Bitwarden password |
+| BW_FILENAME_PREFIX | `bitwarden_vault_export_` | Prefix to use for generated files ($prefix$timestamp.enc) |
+| BW_TIMESTAMP | `Y-%m-%d %H:%M:%S` | Timestamp to use for generated files |
+| BW_EXPORT_FOLDER | `export` | Folder to put export files in |
+| BW_FOLDER_STRUCTURE | `Y/%m` | Date/timestamp to generate folders |
+| BW_PASSWORD_ENCODE | `base64` | "plain", or "base64", depending on whether you encoded BW_PASS |
+| BW_OPENSSL_OPTIONS | `aes-256-cbc -pbkdf2 -iter 100000` | Options passed to openssl's "enc" command |
+| BW_ENCRYPTION_PASS | `$BW_PASS` (same value as BW_PASS) | Password to encrypt the json file |
+| BW_AUTH_METHOD | password | Whether to login with a password or apikey (apikey required for 2fa) |
+| BW_CLIENT_ID | user.cc433b96-4767-432f-85a5-b11100d4faa6 | Bitwarden client id |
+| BW_APIKEY | OG1LS3RSVzdXVWRZN25UWEgwdkdOUVMzV0QzVTZr | Bitwarden api key |
diff --git a/export.sh b/export.sh
index cabbde0..3e8ba3a 100644
--- a/export.sh
+++ b/export.sh
@@ -9,8 +9,13 @@ bw_logout() {
 }
 # environment variables
-BW_ACCOUNT=${BW_ACCOUNT:-"bitwarden_vault_test@mastermindzh.tech"}
-BW_PASS=${BW_PASS:-"VGhpc0lzQVZhdWx0UGFzc3dvcmQK"}
+# BW_AUTH_METHOD=${BW_AUTH_METHOD:-"password"}
+BW_AUTH_METHOD=${BW_AUTH_METHOD:-"apikey"}
+BW_CLIENT_ID=${BW_CLIENT_ID:-"fake_client_id"}
+BW_APIKEY=${BW_APIKEY:-"fake_apikey"}
+
+BW_ACCOUNT=${BW_ACCOUNT:-"fake_account"}
+BW_PASS=${BW_PASS:-"fake_password"}
 BW_FILENAME_PREFIX=${BW_FILENAME_PREFIX:-"bitwarden_vault_export_"}
 BW_TIMESTAMP=${BW_TIMESTAMP:-"+%Y-%m-%d %H:%M:%S"}
 BW_EXPORT_FOLDER=${BW_EXPORT_FOLDER:-"/export"}
@@ -23,6 +28,7 @@ BW_ENCRYPTION_PASS=${BW_ENCRYPTION_PASS:-"$BW_PASS"}
 BW_INTERNAL_TIMESTAMP=$(date "$BW_TIMESTAMP")
 BW_INTERNAL_PASSWORD="$BW_PASS"
 BW_INTERNAL_ENCRYPTION_PASS="$BW_ENCRYPTION_PASS"
+BW_INTERNAL_API_KEY="$BW_APIKEY"
 BW_INTERNAL_FOLDER_STRUCTURE="$BW_EXPORT_FOLDER"
 BW_ENC_OUTPUT_FILE="$BW_FILENAME_PREFIX$BW_INTERNAL_TIMESTAMP.enc"
 if [ -n "$BW_FOLDER_STRUCTURE" ]; then
@@ -39,6 +45,7 @@ case $BW_PASSWORD_ENCODE in
 "base64")
 BW_INTERNAL_PASSWORD=$(echo "$BW_INTERNAL_PASSWORD" | base64 -d)
 BW_INTERNAL_ENCRYPTION_PASS=$(echo "$BW_INTERNAL_ENCRYPTION_PASS" | base64 -d)
+ BW_INTERNAL_API_KEY=$(echo "$BW_INTERNAL_API_KEY" | base64 -d)
 ;;
 "none" | "plain")
 echo "using un-encoded password."
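Review bot: In the first export.sh hunk the default is now `BW_AUTH_METHOD=${BW_AUTH_METHOD:-"apikey"}`, with the `password` default left commented out above it, while the README table in this commit documents `password` as the default. An existing setup that only provides BW_ACCOUNT and BW_PASS would therefore take the apikey branch with the placeholder `fake_client_id`/`fake_apikey` values. Restore `BW_AUTH_METHOD=${BW_AUTH_METHOD:-"password"}` and delete the commented line; consider failing early on unset credentials with `: "${BW_PASS:?BW_PASS must be set}"` instead of falling back to placeholder strings.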
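Review bot: In the `"base64")` branch, `BW_INTERNAL_API_KEY=$(echo "$BW_INTERNAL_API_KEY" | base64 -d)` makes BW_PASSWORD_ENCODE apply to the API key as well, but the README row for that variable still mentions only BW_PASS. With `base64` documented as the default, a client secret supplied as issued is decoded into garbage or an empty string, and nothing visible here checks the result before it is used for login. I would add a comment such as `# BW_APIKEY follows BW_PASSWORD_ENCODE, same as BW_PASS`, update the README row, and stop when decoding fails: `BW_INTERNAL_API_KEY=$(printf '%s' "$BW_INTERNAL_API_KEY" | base64 -d) || exit 1`. The `case` statement starts and ends outside this hunk.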
@@ -51,7 +58,31 @@ case $BW_PASSWORD_ENCODE in
 esac
 #login
-BW_SESSION=$(bw login "$BW_ACCOUNT" "$BW_INTERNAL_PASSWORD" --raw)
+case $BW_AUTH_METHOD in
+
+"password")
+ BW_SESSION=$(bw login "$BW_ACCOUNT" "$BW_INTERNAL_PASSWORD" --raw)
+ ;;
+"apikey")
+
+ export BW_CLIENT_ID=$BW_CLIENT_ID
+ export BW_INTERNAL_API_KEY=$BW_INTERNAL_API_KEY
+ expect >/dev/null <<'EOF'
+ spawn bw login --apikey
+ expect "client_id:"
+ send "$env(BW_CLIENT_ID)\n"
+ expect "client_secret:"
+ send "$env(BW_INTERNAL_API_KEY)\n"
+ expect eof
+EOF
+
+ BW_SESSION=$(bw unlock --raw "$BW_INTERNAL_PASSWORD")
+ ;;
+*)
+ echo "unrecognized authorization method."
+ exit 1
+ ;;
+esac
 # commands
 echo "Exporting to \"$BW_ENC_OUTPUT_FILE\""
@@ -59,6 +90,9 @@ bw --raw --session "$BW_SESSION" export --format json | openssl enc $BW_OPENSSL_
 bw_logout
 # make sure none of these are available later
+unset BW_CLIENT_ID
+unset BW_APIKEY
+unset BW_INTERNAL_API_KEY
 unset BW_SESSION
 unset BW_ACCOUNT
 unset BW_PASS
diff --git a/package.json b/package.json
index 18736b7..07e1273 100644
--- a/package.json
+++ b/package.json
@@ -1,10 +1,12 @@
 {
 "name": "bw-export",
- "version": "1.1.1",
+ "version": "1.2.0",
 "description": "bw-export is a simple bash script that exports a raw, encrypted JSON copy of your Bitwarden vault.",
 "main": "export.sh",
 "scripts": {
- "docker-build": "docker build -t bw-export .",
+ "start": "export $(cat .env | xargs) && bash export.sh",
+ "build": "docker build -t bw-export .",
+ "test": "docker run -v \"$PWD\":/export bw-export:latest",
 "publish": "bash docker-publish.sh"
 },
 "repository": {
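Review bot: The `expect` block in the `"apikey")` branch throws away all output with `>/dev/null` and never looks at how `bw login --apikey` ended, so a rejected key, or a prompt that never shows up before expect's timeout, passes silently and the script carries on to `bw unlock`. It also requires exporting the decoded secret, which every later child process then inherits. The Bitwarden CLI reads `BW_CLIENTID` and `BW_CLIENTSECRET` for API-key logins, so the block can be replaced by `BW_CLIENTID="$BW_CLIENT_ID" BW_CLIENTSECRET="$BW_INTERNAL_API_KEY" bw login --apikey >/dev/null || exit 1`, which limits the secret to that one command and removes the need for the `expect` package. After either branch, `[ -n "$BW_SESSION" ] || exit 1` would keep a failed login from reaching the export step.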
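Review bot: The new `start` script's `export $(cat .env | xargs)` word-splits the file contents, so any value with a space, which includes the documented formats for BW_TIMESTAMP and BW_OPENSSL_OPTIONS, is cut at the first space and the rest is passed to `export` as a separate name. `"start": "set -a && . ./.env && set +a && bash export.sh"` keeps such values intact as long as they are quoted in `.env`; since this sources the file as shell, `.env` should stay readable and writable only by its owner. The `test` script runs the image with the built-in placeholder credentials, so it will presumably fail at login rather than exercise an export.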