bitwarden plugin! (#148)

- initial version of Bitwarden Secrets Manager plugin, along with docs
- Along the way made some small adjustments to the 1password plugin to match. notably that the access token will now be injected (using the type system) by default
- updated 1pass docs
- adjusted how plugin URLs are extracted from package json to respect a directory path

---------

Co-authored-by: Phil Miller <[email protected]>

Author: theoephraim

.changeset/grumpy-poems-change.md

@@ -0,0 +1,8 @@
+---
+"@dmno/1password-plugin": patch
+"@dmno/bitwarden-plugin": patch
+"@dmno/configraph": patch
+"dmno": patch
+---
+
+bitwarden plugin, 1password plugin tweaks, core cleanup

example-repo/.dmno/config.mts

@@ -1,22 +1,21 @@
 import { DmnoBaseTypes, defineDmnoService, configPath, NodeEnvType, switchBy, inject } from 'dmno';
 import { OnePasswordDmnoPlugin, OnePasswordTypes } from '@dmno/1password-plugin';
+import { BitwardenSecretsManagerDmnoPlugin, BitwardenSecretsManagerTypes } from '@dmno/bitwarden-plugin';
 import { EncryptedVaultDmnoPlugin, EncryptedVaultTypes } from '@dmno/encrypted-vault-plugin';
 
 
 
 const OnePassSecretsProd = new OnePasswordDmnoPlugin('1pass/prod', {
-  token: inject(),
+  // token: configPath('..', 'OP_TOKEN_PROD'),
   envItemLink: 'https://start.1password.com/open/i?a=I3GUA2KU6BD3FBHA47QNBIVEV4&v=ut2dftalm3ugmxc6klavms6tfq&i=n4wmgfq77mydg5lebtroa3ykvm&h=dmnoinc.1password.com',
   fallbackToCliBasedAuth: true,
 });
 const OnePassSecretsDev = new OnePasswordDmnoPlugin('1pass', {
-  token: inject(),
   envItemLink: 'https://start.1password.com/open/i?a=I3GUA2KU6BD3FBHA47QNBIVEV4&v=ut2dftalm3ugmxc6klavms6tfq&i=4u4klfhpldobgdxrcjwb2bqsta&h=dmnoinc.1password.com',
   fallbackToCliBasedAuth: true,
-  // token: InjectPluginInputByType,
-  // token: 'asdf',
 });
 
+const BitwardenPlugin = new BitwardenSecretsManagerDmnoPlugin('bitwarden');
 
 const EncryptedVaultSecrets = new EncryptedVaultDmnoPlugin('vault/prod', { name: 'prod', key: inject() });
 // const NonProdVault = new EncryptedVaultDmnoPlugin('vault/dev', {
@@ -67,6 +66,14 @@ export default defineDmnoService({
       value: OnePassSecretsDev.itemByReference("op://dev test/example/username"),
     },
 
+    BWS_TOKEN: {
+      extends: BitwardenSecretsManagerTypes.machineAccountAccessToken,
+    },
+    BWS_ITEM: {
+      value: BitwardenPlugin.secretById('df2246f1-7889-4d1b-a18e-b219001ee3b3'),
+    },
+
+
     SOME_API_KEY: {
       value: switchBy('DMNO_ENV', {
         _default: OnePassSecretsDev.item(),

example-repo/package.json

@@ -10,6 +10,7 @@
   },
   "devDependencies": {
     "@dmno/1password-plugin": "link:../packages/plugins/1password",
+    "@dmno/bitwarden-plugin": "link:../packages/plugins/bitwarden",
     "dmno": "link:../packages/core",
     "@dmno/encrypted-vault-plugin": "link:../packages/plugins/encrypted-vault"
   }

example-repo/pnpm-lock.yaml

@@ -23,10 +23,12 @@ export type PluginPackageMetadata = {
 
 const debug = Debug('configraph:plugins');
 
-
-function cleanGitUrl(repoUrl: string) {
+function cleanGitUrl(repoUrl: string, directoryPath?: string) {
   if (!repoUrl) return;
-  return repoUrl.replace(/^git\+/, '').replace(/\.git$/, '');
+  let url = repoUrl.replace(/^git\+/, '').replace(/\.git$/, '');
+  // TODO: check if this works for non public github repos
+  if (directoryPath) url += `/tree/main/${directoryPath}`;
+  return url;
 }
 
 export abstract class ConfigraphPlugin<
@@ -58,7 +60,7 @@ EntityClass extends ConfigraphEntity = ConfigraphEntity,
       PluginClass.packageMetadata = {
         name: opts.packageJson.name,
         version: opts.packageJson.version,
-        repositoryUrl: cleanGitUrl(opts.packageJson.repository?.url),
+        repositoryUrl: cleanGitUrl(opts.packageJson.repository?.url, opts.packageJson.repository?.directory),
         websiteUrl: opts.packageJson.homepage,
       };
     }

packages/configraph/src/plugin.ts

@@ -8,6 +8,7 @@ import {
 
 import { tryCatch } from '@dmno/ts-lib';
 
+import Debug from 'debug';
 import { findDmnoServices } from '../../config-loader/find-services';
 import { DmnoCommand } from '../lib/dmno-command';
 
@@ -22,6 +23,8 @@ import { CliExitError } from '../lib/cli-error';
 import { detectJsPackageManager } from '../../lib/detect-package-manager';
 import { pathExists } from '../../lib/fs-utils';
 
+const debug = Debug('dmno:init');
+
 const program = new DmnoCommand('init')
   .summary('Sets up dmno')
   .description('Sets up dmno in your repo, and can help add to new packages within your monorepo - safe to run multiple times')
@@ -60,7 +63,7 @@ program.action(async (opts: {
   // console.log('');
 
   const rootPackage = workspaceInfo.workspacePackages[0];
-  console.log(workspaceInfo.workspacePackages);
+  debug(workspaceInfo.workspacePackages);
 
   if (!workspaceInfo.autoSelectedPackage) {
     throw new Error('unable to detect which package you are in... whats happening?');

packages/core/src/cli/commands/init.command.ts

@@ -156,18 +156,24 @@ export default defineConfig({
         }, {
           label: 'Plugins',
           badge: 'New',
-          items: [{
-            label: 'Overview',
-            link: '/docs/plugins/overview/',
-          },
-          {
-            label: 'Encrypted Vaults',
-            link: '/docs/plugins/encrypted-vault/',
-          },
-          {
-            label: '1Password',
-            link: '/docs/plugins/1password/',
-          }],
+          items: [
+            {
+              label: 'Overview',
+              link: '/docs/plugins/overview/',
+            },
+            {
+              label: 'Encrypted Vaults',
+              link: '/docs/plugins/encrypted-vault/',
+            },
+            {
+              label: '1Password',
+              link: '/docs/plugins/1password/',
+            },
+            {
+              label: 'Bitwarden',
+              link: '/docs/plugins/bitwarden/',
+            },
+          ],
         }, {
           label: 'Integrations',
           badge: 'New',

packages/docs-site/astro.config.ts

@@ -17,12 +17,16 @@ Install the package in the service(s) that will use config from 1Password.
 
 -----
 
-After installation, you'll need to initialize the plugin in your dmno config and wire it up to the config path that will hold your 1Password service account token. It's ok if you have not created this service account yet - we'll do that in the next section.
+After installation, you'll need to initialize the plugin in your dmno config and add a service 1password service account token into your config schema. You can explicitly wire the plugin up to the service account token if using multiple tokens at once, or it will be injected by default. It's ok if you have not created this service account yet - we'll do that in the next section.
 
 ```diff lang="ts" title='.dmno/config.mts'
 +import { OnePasswordDmnoPlugin, OnePasswordTypes } from '@dmno/1password-plugin';
 
-+const OnePassBackend = new OnePasswordDmnoPlugin('1pass', {
+// token will be injected using types by default
++const onePassSecrets = new OnePasswordDmnoPlugin('1pass');
+
+// or you can wire up the path explicitly
++const onePassSecrets2 = new OnePasswordDmnoPlugin('1passWithExplicitPath', {
 +  token: configPath('..', 'OP_TOKEN'),
 +});
 
@@ -49,7 +53,7 @@ In a monorepo, you are likely managing secrets for multiple services. If you wil
 import { OnePasswordDmnoPlugin } from '@dmno/1password-plugin';
 
 // 💉 inject the already initialized plugin instead of re-initializing it
-const OnePassBackend = OnePasswordDmnoPlugin.injectInstance('1pass');
+const onePassSecrets = OnePasswordDmnoPlugin.injectInstance('1pass');
 ```
 
 
@@ -94,7 +98,7 @@ During local development, you may find it convenient to skip the service account
 <Steps>
 1. **Opt-in while initializing the plugin**
     ```diff lang="ts" title='.dmno/config.mts'
-    const OnePassBackend = new OnePasswordDmnoPlugin('1pass/dev', {
+    const onePassSecrets = new OnePasswordDmnoPlugin('1pass/dev', {
       token: configPath('..', 'OP_TOKEN'),
     +  fallbackToCliBasedAuth: true,
     });
@@ -149,7 +153,7 @@ Managing lots of individual 1Password items and connecting them to your config c
 Your dmno config should end up looking like this:
 
 ```diff lang="ts" title=".dmno/config.mts"
-const OnePassBackend = new OnePasswordDmnoPlugin('1pass/prod', {
+const onePassSecrets = new OnePasswordDmnoPlugin('1pass/prod', {
   token: configPath('..', 'OP_TOKEN'),
 +  envItemLink: 'https://start.1password.com/open/i?a=I3GUA2KU6BD3FBHA47QNBIVEV4&v=ut2dftalm3ugmxc6klavms6tfq&i=n4wmgfq77mydg5lebtroa3ykvm&h=dmnoinc.1password.com',
 });
@@ -161,7 +165,7 @@ export default defineDmnoService({
     },
 +    SOME_API_KEY: {
 +      sensitive: true,
-+      value: OnePassBackend.item(),
++      value: onePassSecrets.item(),
 +    }
   },
 });
@@ -189,11 +193,11 @@ export default defineDmnoService({
       sensitive: true,
       value: switchBy('APP_ENV', {
         // uses the default key of "SOME_API_SECRET"
-        _default: OnePassBackendDev.item(),
+        _default: onePassSecretsDev.item(),
         // uses overridden key
-        staging: OnePassBackendDev.item('SOME_API_SECRET_STAGING'),
+        staging: onePassSecretsDev.item('SOME_API_SECRET_STAGING'),
         // uses the default key but looking in a different 1pass item
-        staging: OnePassBackendProduction.item(),
+        staging: onePassSecretsProduction.item(),
       }),
     },
   },
@@ -209,18 +213,18 @@ export default defineDmnoService({
   schema: {
     // using item private link
     ITEM_WITH_LINK: {
-      value: OnePassBackend.itemByLink(
+      value: onePassSecrets.itemByLink(
         'https://start.1password.com/open/i?a=I3GUA2KU6BD3FBHA47QNBIVEV4&v=ut2dftalm3ugmxc6klavms6tfq&i=n4wmgfq77mydg5lebtroa3ykvm&h=dmnoinc.1password.com',
         'somefieldid',
       ),
     },
     // using UUIDs
     ITEM_WITH_IDS: {
-      value: OnePassBackend.itemById('vaultUuid', 'itemUuid', 'somefieldid'),
+      value: onePassSecrets.itemById('vaultUuid', 'itemUuid', 'somefieldid'),
     },
     // using item reference url
     ITEM_WITH_REFERENCE: {
-      value: OnePassBackend.itemByReference('op://vaultname/itemname/path'),
+      value: onePassSecrets.itemByReference('op://vaultname/itemname/path'),
     },
   },
 });

packages/docs-site/src/content/docs/docs/plugins/1password.mdx

@@ -0,0 +1,144 @@
+---
+title: Bitwarden plugin
+description: DMNO's Bitwarden plugin allows you to securely access your secrets stored in Bitwarden Secrets Manager.
+npmPackage: "@dmno/bitwarden-plugin"
+---
+
+import { Steps, Icon } from '@astrojs/starlight/components';
+import TabbedCode from '@/components/TabbedCode.astro';
+
+This DMNO plugin allows you to securely access your secrets stored in [Bitwarden Secrets Manager](https://bitwarden.com/products/secrets-manager/). Please note that this plugin is **not compatible with Bitwarden's Password Manager product**. Authentication with Bitwarden uses [Machine Account Access Tokens](https://bitwarden.com/help/access-tokens/).
+
+## Installation & setup
+
+Install the package in the service(s) that will use secrets from Bitwarden.
+
+<TabbedCode packageName="@dmno/bitwarden-plugin" />
+
+-----
+
+After installation, you'll need to initialize the plugin in your `config.mts` and add a config item to hold your machine account access token. You can explicitly wire the plugin up to the service account token if using multiple tokens at once, or it will be injected by default based on the `BitwardenSecretsManagerTypes.machineAccountAccessToken` type. It's ok if you have not created the machine account or access token - we'll do that in the next section.
+
+```diff lang="ts" title='.dmno/config.mts'
++import { BitwardenSecretsManagerDmnoPlugin, BitwardenSecretsManagerTypes } from '@dmno/bitwarden-plugin';
+
+// by default, access token will be injected using types
++const bitwardenPlugin = new BitwardenSecretsManagerDmnoPlugin('bitwarden');
+
+// or you can explicitly wire it up by path
++const bitwardenPlugin2 = new BitwardenSecretsManagerDmnoPlugin('bitwarden', {
++  accessToken: configPath('..', 'BWS_TOKEN')
++});
+
+export default defineDmnoService({
+  schema: {
++    BWS_TOKEN: {
++      extends: BitwardenSecretsManagerTypes.machineAccountAccessToken,
++      // NOTE - the type itself is already marked as sensitive 🔐
++    },
+  },
+});
+```
+
+:::tip[Plugin instance IDs]
+You must give each plugin instance a unique id so we can refer to it in other services and the [`dmno` CLI](/docs/reference/cli/plugin/).
+
+In this case we used `bitwarden`, but you can imagine splitting vaults and access, and having multiple plugin instances - for example `bitwarden/prod` for highly sensitive production secrets and `bitwarden/dev` for everything else.
+:::
+
+### Injecting the plugin in monorepo services
+In a monorepo, you are likely managing secrets for multiple services. If you will be using the same service account(s) to access those secrets, you can initialize a plugin instance once in your root service as seen above, and then inject it in child services. Note we must use that same id we set during initialization.
+
+```typescript title='apps/some-service/.dmno/config.mts'
+import { BitwardenSecretsManagerDmnoPlugin } from '@dmno/bitwarden-plugin';
+
+// 💉 inject the already initialized plugin instead of re-initializing it
+const bitwardenPlugin = BitwardenSecretsManagerDmnoPlugin.injectInstance('bitwarden');
+```
+
+
+------------
+
+## Setup Project & Secrets
+
+If you are already using Bitwarden Secrets Manager, you likely already have existing [projects](https://bitwarden.com/help/projects/) that contain [secrets](https://bitwarden.com/help/secrets/). If so, now would be a good time to review how they are all organized. If not, you should create at least one project, as each secret can have a parent project it belongs to, and access can be granted to projects rather than managing each secret individually.
+
+:::tip[Use projects to segment access]
+You should use multiple projects to segment your secrets following the [Principle of Least Privilege](https://en.wikipedia.org/wiki/Principle_of_least_privilege). This means at minimum, you should have one project for ultra-sensitive production secrets, and another for everything else. How much more you want to break things up is up to you and will depend on your security requirements.
+
+It is technically possible to create secrets without using projects and/or to assign permissions at the individual secret level, but we do not recommend it.
+:::
+
+## Setup Machine Account & Access Tokens
+
+Machine accounts can be granted access to projects, and each machine account can have multiple access tokens with optional expiration. How you want to manage this is up to you, but a sensible approach could be:
+
+- Production machine account has access to all projects
+  - single access token is used at a time
+- Staging/CI machine account has access to all projects except ultra-sensitive prod secrets
+  - each environment/CI/external tool could have a unique access token
+- Dev machine account has access to secrets needed for local dev
+  - each developer could have a unique access token
+
+Expiring tokens are more secure, but require the overhead of rolling those tokens, which must be done manually. Not wanting to cause an outage, you may want to roll them manually without the pressure of a potentially forgotten expiry date. To roll without downtime, create a new token, redeploy, and then decommission the previous token.
+
+### 
+
+
+Machine account access tokens now serve as your _secret-zero_ - which grants access to the rest of your sensitive config stored in Bitwarden. It must be set locally and in deployed environments, but it is sensitive so we must pass in the value as an _override_ rather than storing it within the config. Locally, this usually means storing it in your [`.env.local` file](/docs/guides/env-files/) and on a deployed environment you'll usually set it within some kind of UI, wherever you would normally pass in environment variables.
+
+```diff title=".dmno/.env.local"
++BWS_TOKEN=0.abc123...
+```
+
+Note that the config path of `BWS_TOKEN` is arbitrary and you can see how it was wired up from your config schema to the plugin input in the example above.
+
+------
+
+## Add items to your schema
+
+With the plugin initialized and access wired up, now we must update our config schema to connect specific config values to data stored in Bitwarden secrets.
+
+Items are wired up using the secret UUIDs found in the Bitwarden UI. For example:
+
+```ts
+export default defineDmnoService({
+  schema: {
+    ITEM_WITH_ID: {
+      value: bitwardenPlugin.secretById('abc123-secretuuid-xyz789'),
+    },
+    // example showing a switchBy and multiple plugin instances
+    SWITCHED_ITEM: {
+      value: switchBy('MY_ENV_FLAG', {
+        _default: 'not-sensitive',
+        staging: bitwardenDevSecrets.secretById('0123...'),
+        production: bitwardenProdSecrets.secretById('789...'),
+      }),
+    },
+  },
+});
+```
+
+## Caching
+In order to avoid rate limits and keep dev server restarts extremely fast, we heavily cache data fetched from external sources. After updating secrets in Bitwarden, if the item has been cached, you'll need to clear the cache to see it take effect.
+
+- Use the [`dmno clear-cache` command](/docs/reference/cli/clear-cache/) to clear the cache once
+- The [`dmno resolve`](/docs/reference/cli/resolve/) and [`dmno run`](/docs/reference/cli/run/) commands have cache related flags:
+  - `--skip-cache` - skips caching logic altogether
+  - `--clear-cache` - clears the cache once before continuing as normal
+
+:::tip[Active config iteration]
+While you are actively working on the config itself, `dmno resolve -w --skip-cache` will combine watch mode with skipping cache logic.
+
+Once you are satisfied, clear the cache once more and you are good to go.
+:::
+
+
+## Self-hosted
+In case you are self-hosting Bitwarden Secrets Manager, the `BitwardenSecretsManagerDmnoPlugin` also takes additional inputs for `apiServerUrl` and `identityServerUrl`. The values for this can be found in the Bitwarden UI under `Machine Accounts` > `Config`. See the [Bitwarden docs](https://bitwarden.com/help/machine-accounts/#configuration-information) for more details.
+
+```typescript
+const bitwardenPlugin = new BitwardenSecretsManagerDmnoPlugin('bitwarden', {
+  apiServerUrl: 'https://vault.bitwarden.com/api', // default value
+  identityServerUrl: 'https://vault.bitwarden.com/identity', // default value
+});