bitwarden · tangowithfoxtrot · Aug 16, 2024 · Feb 20, 2024 · Feb 21, 2024 · Feb 21, 2024
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/crates/bws/Cargo.toml b/crates/bws/Cargo.toml
@@ -15,6 +15,7 @@ repository.workspace = true
 license-file.workspace = true
 
 [dependencies]
+atty = "0.2.14"
 bat = { version = "0.24.0", features = [
     "regex-onig",
 ], default-features = false }
@@ -43,6 +44,7 @@ thiserror = "1.0.57"
 tokio = { version = "1.36.0", features = ["rt-multi-thread", "macros"] }
 toml = "0.8.10"
 uuid = { version = "1.7.0", features = ["serde"] }
+which = "6.0.0"
 
 [build-dependencies]
 bitwarden-cli = { workspace = true }
@@ -51,6 +53,8 @@ clap_complete = "4.5.2"
 clap_mangen = "0.2.20"
 uuid = { version = "1.7.0" }
 
+which = "6.0.0"
+
 [dev-dependencies]
 tempfile = "3.10.0"
 

@@ -89,6 +89,20 @@
         #[command(subcommand)]
         cmd: SecretCommand,
     },
+    #[command(long_about = "Run a command with secrets injected")]
+    Run {
+        #[arg(help = "The command to run")]
+        command: Vec<String>,
+        #[arg(long, help = "The shell to use")]
+        shell: Option<String>,
+        #[arg(
+            long,
+            help = "Don't inherit environment variables from the current shell"
+        )]
+        no_inherit_env: bool,
+        #[arg(long, help = "The ID of the project to use")]
+        project_id: Option<Uuid>,
+    },
     #[command(long_about = "Create a single item (deprecated)", hide(true))]
     Create {
         #[command(subcommand)]
@@ -226,3 +240,12 @@
     Project { project_ids: Vec<Uuid> },
     Secret { secret_ids: Vec<Uuid> },
 }
+
+#[derive(Subcommand, Debug)]
+pub(crate) enum RunCommand {
+    Command {
+        command: Vec<String>,
+        project_id: Option<Uuid>,
+        shell: Option<String>,
+    },
+}
@@ -1,5 +1,6 @@
-use std::{path::PathBuf, process, str::FromStr};
+use std::{io::Read, path::PathBuf, process, str::FromStr};
 
+use atty::Stream;
 use bitwarden::{
     auth::{login::AccessTokenLoginRequest, AccessToken},
     client::client_settings::ClientSettings,
@@ -25,6 +26,10 @@
 mod config;
 mod render;
 mod state;
+mod util;
+
+use util::is_valid_posix_name;
+use which::which;
 
 use crate::{cli::*, render::serialize_response};
 
@@ -404,6 +409,102 @@
             }
         }
 
+        Commands::Run {
+            command,
+            shell,
+            no_inherit_env,
+            project_id,
+        } => {
+            let shell = match std::env::consts::OS {
+                "windows" => shell.unwrap_or_else(|| "powershell".to_string()),
+                _ => shell.unwrap_or_else(|| "sh".to_string()),
+            };
+
+            if which(&shell).is_err() {
+                eprintln!("Error: shell '{}' not found", shell);
+                std::process::exit(1);
+            }
+
+            let user_command = if command.is_empty() {
+                if atty::is(Stream::Stdin) {
+                    eprintln!("{}", Cli::command().render_help().ansi());
+                    std::process::exit(1);
+                }
+
+                let mut buffer = String::new();
+                std::io::stdin().read_to_string(&mut buffer)?;
+                buffer
+            } else {
+                command.join(" ")
+            };
+
+            if user_command.is_empty() {
+                let mut cmd = Cli::command();
+                eprintln!("{}", cmd.render_help().ansi());
+                std::process::exit(1);
+            }
+
+            let res = if let Some(project_id) = project_id {
+                client
+                    .secrets()
+                    .list_by_project(&SecretIdentifiersByProjectRequest { project_id })
+                    .await?
+            } else {
+                client
+                    .secrets()
+                    .list(&SecretIdentifiersRequest { organization_id })
+                    .await?
+            };
+
+            let secret_ids = res.data.into_iter().map(|e| e.id).collect();
+            let secrets = client
+                .secrets()
+                .get_by_ids(SecretsGetRequest { ids: secret_ids })
+                .await?
+                .data;
+
+            let environment = secrets
+                .into_iter()
+                .map(|s| (s.key, s.value))
+                .collect::<std::collections::HashMap<String, String>>();
+
+            for key in environment.keys() {
+                if !is_valid_posix_name(key) {
+                    eprintln!(
+                        "Warning: secret '{}' does not have a POSIX-compliant name",
+                        key
+                    );
+                }
+            }
+
+            let mut command = process::Command::new(shell);
+            command
+                .arg("-c")
+                .arg(&user_command)
+                .stdout(process::Stdio::inherit())
+                .stderr(process::Stdio::inherit());
+
+            if no_inherit_env {
+                let path = std::env::var("PATH").unwrap_or_else(|_| "/bin:/usr/bin".to_string());
+                command.env_clear();
+                command.env("PATH", path); // PATH is always necessary
+                command.envs(&environment);
+            } else {
+                command.envs(&environment);
+            }
+
+            let mut child = command.spawn().expect("failed to execute process");
+
+            let exit_status = child.wait().expect("process failed to execute");
+            let exit_code = exit_status.code().unwrap_or(1);
+
+            let _ = child.wait();
+
+            if exit_code != 0 {
+                process::exit(exit_code);
+            }
+        }
+
         Commands::Config { .. } | Commands::Completions { .. } => {
             unreachable!()
         }

@@ -1,3 +1,4 @@
+use crate::util::is_valid_posix_name;
 use bitwarden::secrets_manager::{projects::ProjectResponse, secrets::SecretResponse};
 use bitwarden_cli::Color;
 use chrono::{DateTime, Utc};
@@ -27,15 +28,12 @@
             pretty_print("yaml", &text, color);
         }
         Output::Env => {
-            let valid_key_regex =
-                regex::Regex::new("^[a-zA-Z_][a-zA-Z0-9_]*$").expect("regex is valid");
-
             let mut commented_out = false;
             let mut text: Vec<String> = data
                 .get_values()
                 .into_iter()
                 .map(|row| {
-                    if valid_key_regex.is_match(&row[1]) {
+                    if is_valid_posix_name(&row[1]) {
                         format!("{}=\"{}\"", row[1], row[2])
                     } else {
                         commented_out = true;

@@ -0,0 +1,10 @@
+use regex::Regex;
+
+const VALID_POSIX_NAME_REGEX: &str = "^[a-zA-Z_][a-zA-Z0-9_]*$";
+
+pub(crate) fn is_valid_posix_name(input_text: &str) -> bool {
+    match Regex::new(VALID_POSIX_NAME_REGEX) {
+        Ok(r) => r.is_match(input_text),
+        Err(_) => false,
+    }
+}