bitwarden · tangowithfoxtrot · Aug 16, 2024 · Feb 20, 2024 · Feb 21, 2024 · Feb 21, 2024
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/crates/bws/Cargo.toml b/crates/bws/Cargo.toml
@@ -15,6 +15,7 @@ repository.workspace = true
 license-file.workspace = true
 
 [dependencies]
+atty = "0.2.14"
 bat = { version = "0.24.0", features = [
     "regex-onig",
 ], default-features = false }
@@ -44,6 +45,8 @@ tokio = { version = "1.36.0", features = ["rt-multi-thread", "macros"] }
 toml = "0.8.10"
 uuid = { version = "^1.7.0", features = ["serde"] }
 
+which = "6.0.0"
+
 [dev-dependencies]
 tempfile = "3.10.0"
 

@@ -1,5 +1,6 @@
-use std::{path::PathBuf, process, str::FromStr};
+use std::{io::Read, path::PathBuf, process, str::FromStr};
 
+use atty::Stream;
 use bitwarden::{
     auth::{login::AccessTokenLoginRequest, AccessToken},
     client::client_settings::ClientSettings,
@@ -27,6 +28,7 @@
 use config::ProfileKey;
 use render::{serialize_response, Output};
 use uuid::Uuid;
+use which::which;
 
 #[derive(Parser, Debug)]
 #[command(name = "bws", version, about = "Bitwarden Secrets CLI", long_about = None)]
@@ -84,6 +86,20 @@
         #[command(subcommand)]
         cmd: SecretCommand,
     },
+    #[command(long_about = "Run a command with secrets injected")]
+    Run {
+        #[arg(help = "The command to run")]
+        command: Vec<String>,
+        #[arg(long, help = "The shell to use")]
+        shell: Option<String>,
+        #[arg(
+            long,
+            help = "Don't inherit environment variables from the current shell"
+        )]
+        no_inherit_env: bool,
+        #[arg(long, help = "The ID of the project to use")]
+        project_id: Option<Uuid>,
+    },
     #[command(long_about = "Create a single item (deprecated)", hide(true))]
     Create {
         #[command(subcommand)]
@@ -222,6 +238,15 @@
     Secret { secret_ids: Vec<Uuid> },
 }
 
+#[derive(Subcommand, Debug)]
+enum RunCommand {
+    Command {
+        command: Vec<String>,
+        project_id: Option<Uuid>,
+        shell: Option<String>,
+    },
+}
+
 #[tokio::main(flavor = "current_thread")]
 async fn main() -> Result<()> {
     env_logger::Builder::from_env(env_logger::Env::default().default_filter_or("info")).init();
@@ -603,6 +628,107 @@
             }
         }
 
+        Commands::Run {
+            command,
+            shell,
+            no_inherit_env,
+            project_id,
+        } => {
+            let shell = match std::env::consts::OS {
+                os if os == "linux" || os == "macos" || os.contains("bsd") => {
+                    shell.unwrap_or_else(|| "sh".to_string())
+                }
+                "windows" => shell.unwrap_or_else(|| "powershell".to_string()),
+                _ => unreachable!(),
+            };
+
+            if which(&shell).is_err() {
+                eprintln!("Error: shell '{}' not found", shell);
+                std::process::exit(1);
+            }
+
+            let user_command = if command.is_empty() {
+                if atty::is(Stream::Stdin) {
+                    eprintln!("{}", Cli::command().render_help().ansi());
+                    std::process::exit(1);
+                }
+
+                let mut buffer = String::new();
+                std::io::stdin().read_to_string(&mut buffer)?;
+                buffer
+            } else {
+                command.join(" ")
+            };
+
+            if user_command.is_empty() {
+                let mut cmd = Cli::command();
+                eprintln!("{}", cmd.render_help().ansi());
+                std::process::exit(1);
+            }
+
+            let res = if let Some(project_id) = project_id {
+                client
+                    .secrets()
+                    .list_by_project(&SecretIdentifiersByProjectRequest { project_id })
+                    .await?
+            } else {
+                client
+                    .secrets()
+                    .list(&SecretIdentifiersRequest { organization_id })
+                    .await?
+            };
+
+            let secret_ids = res.data.into_iter().map(|e| e.id).collect();
+            let secrets = client
+                .secrets()
+                .get_by_ids(SecretsGetRequest { ids: secret_ids })
+                .await?
+                .data;
+
+            let environment = secrets
+                .iter()
+                .map(|s| (s.key.clone(), s.value.clone()))
+                .collect::<std::collections::HashMap<String, String>>();
+
+            let valid_key_regex = regex::Regex::new("^[a-zA-Z_][a-zA-Z0-9_]*$").unwrap();
+
+            for key in environment.keys() {
+                if !valid_key_regex.is_match(key) {
+                    eprintln!(
+                        "Warning: secret '{}' does not have a POSIX-compliant name",
+                        key
+                    );
+                }
+            }
+
+            let mut command = process::Command::new(shell);
+            command
+                .arg("-c")
+                .arg(&user_command)
+                .stdout(process::Stdio::inherit())
+                .stderr(process::Stdio::inherit());
+
+            if no_inherit_env {
+                let path = std::env::var("PATH").unwrap_or_else(|_| "/bin:/usr/bin".to_string());
+                command.env_clear();
+                command.env("PATH", path); // PATH is always necessary
+                command.envs(&environment);
+            } else {
+                command.envs(&environment);
+            }
+
+            let mut child = command.spawn().expect("failed to execute process");
+
+            let exit_status = child.wait().expect("process failed to execute");
+            let exit_code = exit_status.code().unwrap_or(1);
+
+            let _ = child.wait();
+
+            if exit_code != 0 {
+                process::exit(exit_code);
+            }
+        }
+
         Commands::Config { .. } | Commands::Completions { .. } => {
             unreachable!()
         }