Bitwarden Multiple Password Prompts

[mkasberg]

Hi! I've been a happy Chezmoi user for years, thanks for building it.

I store some secrets (like ssh keys, for example) in Bitwarden, using Chezmoi's bitwarden template functions to drop the secrets into my dotfiles. And the functionality's great! The main issue I'm running into is if I don't unlock my vault for a session with export BW_SESSION=<key> before starting chezmoi, I'll have to re-enter my password several times as chezmoi apply runs (once for each bw get).

I've been working around this for a while by always making sure I set BW_SESSION on the CLI before running chezmoi (and I do have a script for doing so quickly). But I inevitably forget, and it's an annoyance that I have to remember this. It would simplify things a lot if I could enter my password at most once per chezmoi run.

I've skimmed the Chezmoi code (although I don't frequently use Go), and it seems like the reason I'm re-prompted for my password on each item is that Chezmoi just runs bw get repeatedly (and the bw CLI has no mechanism I'm aware of to persist the login, aside from the BW_SESSION ENV var). It seems like there might be a relatively simple fix (near bitwardentemplatefuncs, I think) that would first check if the vault is unlocked, and if not unlock it and remember the session key for re-use (by running something like bw unlock --raw before running other bw get commands). Is this an area where you'd be open to a PR? Or are there any other suggestions I should try? Not necessarily promising I can do a PR for this (and it might take me a while if I try), but I might be interested in trying if the approach seems reasonable.

[halostatue]

You are correct that there is a way to do this. See:

• Add a way to set environment variables in hooks #4485 (comment)
• Cannot set environment variable in read-source-state pre hook #3729 (comment)
• `apply` command custom flags #3657 (reply in thread)

Look at the implementation of the onepasswordtemplatefuncs to see how 1Password does this (this isn't something that affects me these days because the biometric solution with TouchID is so good, but it worked for years before I had biometric unlock).

The only trick is that we would want to run bw lock at the end of a chezmoi run where bw unlock was run at any time (if BW_SESSION is set before starting, never run bw lock; if not and we run bw unlock, we would want to run bw lock.)

The other alternative (as noted above) would be to use rbw as a better interface to Bitwarden.

[twpayne]

This makes sense to implement, as we already have similar functionality for 1Password.

I have some spare time at the moment, so I'll create a PR.

[twpayne]

I've implemented this in #4576. @mkasberg would you be able to test this?

[mkasberg]

Awesome! Yes, I'll test it for you - hopefully tonight, or sometime this weekend at the latest.