Merge pull request #26 from masinger/develop

Release v0.0.1

.github/dependabot.yml

@@ -0,0 +1,11 @@
+# To get started with Dependabot version updates, you'll need to specify which
+# package ecosystems to update and where the package manifests are located.
+# Please see the documentation for all configuration options:
+# https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
+
+version: 2
+updates:
+  - package-ecosystem: "gomod"
+    directory: "/"
+    schedule:
+      interval: "daily"

.github/workflows/release.yml

@@ -0,0 +1,84 @@
+name: Release
+
+on:
+  push:
+    tags: [ "v*" ]
+
+jobs:
+  build:
+
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v3
+
+      - name: Set up Go
+        uses: actions/setup-go@v3
+        with:
+          go-version: 1.20.0
+
+      - name: Build
+        run: make build
+
+      - name: Create release
+        uses: actions/create-release@v1
+        id: create_release
+        with:
+          draft: false
+          prerelease: false
+          release_name: ${{ github.ref_name }}
+          tag_name: ${{ github.ref }}
+          body: |
+            Refer to this version's entry within the [CHANGELOG.md](CHANGELOG.md) for further release information.
+        env:
+          GITHUB_TOKEN: ${{ github.token }}
+
+      - name: Upload Linux x64 artifact
+        uses: actions/upload-release-asset@v1
+        env:
+          GITHUB_TOKEN: ${{ github.token }}
+        with:
+          upload_url: ${{ steps.create_release.outputs.upload_url }}
+          asset_path: ./bin/incredible-linux-amd64
+          asset_name: incredible-linux-amd64
+          asset_content_type: application/x-elf
+
+      - name: Upload Linux arm64 artifact
+        uses: actions/upload-release-asset@v1
+        env:
+          GITHUB_TOKEN: ${{ github.token }}
+        with:
+          upload_url: ${{ steps.create_release.outputs.upload_url }}
+          asset_path: ./bin/incredible-linux-arm64
+          asset_name: incredible-linux-arm64
+          asset_content_type: application/x-elf
+
+      - name: Upload Windows x64 artifact
+        uses: actions/upload-release-asset@v1
+        env:
+          GITHUB_TOKEN: ${{ github.token }}
+        with:
+          upload_url: ${{ steps.create_release.outputs.upload_url }}
+          asset_path: ./bin/incredible-windows-amd64.exe
+          asset_name: incredible-windows-amd64.exe
+          asset_content_type: application/x-msdownload
+
+      - name: Upload MacOS amd64 artifact
+        uses: actions/upload-release-asset@v1
+        env:
+          GITHUB_TOKEN: ${{ github.token }}
+        with:
+          upload_url: ${{ steps.create_release.outputs.upload_url }}
+          asset_path: ./bin/incredible-darwin-amd64
+          asset_name: incredible-darwin-amd64
+          asset_content_type: application/octet-stream
+
+      - name: Upload MacOS arm64 artifact
+        uses: actions/upload-release-asset@v1
+        env:
+          GITHUB_TOKEN: ${{ github.token }}
+        with:
+          upload_url: ${{ steps.create_release.outputs.upload_url }}
+          asset_path: ./bin/incredible-darwin-arm64
+          asset_name: incredible-darwin-arm64
+          asset_content_type: application/octet-steam

.gitignore

@@ -4,3 +4,6 @@
 
 # Example
 example/
+
+# Output
+bin/

CHANGELOG.md

@@ -0,0 +1,41 @@
+# Changelog
+
+All notable changes to this project will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## [Unreleased]
+
+###  Added
+### Fixed
+### Changed
+### Removed
+
+<!-- Unreleased Template
+###  Added
+### Fixed
+### Changed
+### Removed
+--->
+
+<!-- Version Template
+## vMAJOR.MINOR.PATCH
+**Date**: YYYY-MM-DD
+
+General description
+
+COPY FROM UNRELEASED
+--->
+
+## v0.0.1
+**Date**: 2023-06-13
+
+This is the initial release of `incredible`.
+
+###  Added
+1. JSON-Schema describing the mapping file (`incredible.yml`)
+2. Initial CLI implementation
+3. Support for 
+   1. Bitwarden
+   2. Azure Key Vault

README.md

@@ -0,0 +1,163 @@
+# Incredible [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](LICENSE)
+Incredible is a CLI tool that loads secrets (passwords, tokens, files) from secure sources and maps them to usable environment variables.
+
+The goal of this tool is to avoid
+- having to add sensitive values into your Bash profile
+- permanently storing confidential files on the system
+- manually copying secrets from your password manager into your bash
+
+Just configure your desired environment variables (see ["The solution"](#the-solution)) and run your program with
+
+```shell
+incredible <MY_PROGRAM>
+```
+and it will be able to access them.
+
+## Supported sources
+
+| Source                                                                  | Requirements                                              | Value Support | File Support | Help                     |
+|-------------------------------------------------------------------------|-----------------------------------------------------------|---------------|--------------|--------------------------|
+| [Bitwarden](https://bitwarden.com)                                      | [Bitwarden Cli](https://bitwarden.com/help/cli/)          | ✅             | ✅            | [Help](#bitwarden)       |
+| [Azure Key Vault](https://azure.microsoft.com/en-us/products/key-vault) | [Azure Cli](https://learn.microsoft.com/en-us/cli/azure/) | ✅             | ❌            | [Help](#azure-key-vault) |
+
+
+## How does it work?
+`incredible` can best be understood as an interfaces to various credential/password/secret managers.
+
+### The problem
+
+Without `incredible`, one could easily come up with a script that automatically fetches a value from a password manager and exposes it using an environment variable, which can then be consumed by another tool or script. 
+
+You know - something like this:
+````shell
+export MY_CLIENT_SECRET=$(generic-password-manager get secret super-secret-oidc-secret)
+````
+This scripted solution should do the job just fine.
+Starting from that approach, a variety of problems and questions arise when it comes to working with multiple secrets, environments, team members and secret providers.
+
+For example:
+- How can I set multiple secrets, If my environment needs them? 
+- What if one of them required secrets is a file?
+- How do I clean up my environment after the variables and files are no longer needed?
+- How can I switch between contexts requiring the same variables set to different values?
+
+### The solution
+`incredible` tries to simplify working with secrets as much as possible by providing a unified configuration file.
+This configuration file specifies the required environment variables and where they can be obtained from. 
+Once a program is started with `incredible <MY_EXEC>`, `incredible` will fetch all required values and cleans them up once your program exits.
+
+The configuration file (usually named `incredible.yml`) looks like this:
+
+````yaml
+assets: # List of all assets to be loaded
+  - src: # The src property tells incredible, where the secret's value can be obtained from
+      azureKeyVaultSecret: {} # set this, when loading from an Azure Key Value
+      bitwarden: {} # set this, when loading from a Bitwarden vault
+    mappings:
+      - env: 
+          name: TARGET_VARIABLE # the name of the environment variable, that should hold the obtained secret
+````
+
+The JSON schema at https://raw.githubusercontent.com/masinger/incredible/main/schema.json can be used to enable code completion and validation (if supported by your editor).
+
+See [Sources](#sources) for more information on how to configure the `src` property.
+
+
+### Feature list
+- Fetch secret values from various providers (as listed in "[Supported sources](#supported-sources)")
+- Fetch files from various providers, storing them in temporary files
+- Removal of created temporary files, once incredible exits
+- Usage of context specific environment variables (the `incredible.yml` within the current or the first ancestor directory will be used)
+
+## Sources
+
+### Bitwarden
+
+#### Requirements
+
+- [Bitwarden Cli](https://bitwarden.com/help/cli/) must be installed
+
+#### General
+
+The Bitwarden source requires the identifier of the Bitwarden entry to be used.
+The id can be obtained using the Bitwarden cli or by clicking on the entry (within the web
+vault - https://vault.bitwarden.com) and inspecting the browser URL once the detail dialog opens.
+
+#### Secret value from password
+
+The following shows the minimal configuration required in order to read the password stored in entry `123-test-id` and
+map it to the environment variable named `MY_SECRET_PW`.
+
+```yaml
+assets:
+  - src:
+      bitwarden:
+        entry: 123-test-id # entry id
+        field: password # optional, default: "password" 
+    mappings:
+      - env:
+          name: MY_SECRET_PW
+```
+
+#### Secret value from password
+
+If we set the property `field` to `"username"`, the entry's username will be used instead.
+
+````yaml
+assets:
+  - src:
+      bitwarden:
+        entry: 123-test-id # entry id
+        field: username
+    mappings:
+      - env:
+          name: MY_SECRET_USER
+````
+
+#### Secret file from attachment
+In order to load a secret file from a Bitwarden entry's attachment, the name of the attachment must be provided using the `attachment` property.
+The environment variable `MY_SECRET_FILE_PATH` will then hold the filepath to the loaded file.
+
+````yaml
+assets:
+  - src: 
+      bitwarden: 
+        entry: 12345-12345-12345-abcd-12345 # Entry id
+        attachment: my-attachment.txt # file name as shown in Bitwarden
+    mappings:
+      - env: 
+          name: MY_SECRET_FILE_PATH
+````
+
+### Azure Key Vault
+
+#### Requirements
+
+- [Azure Cli](https://learn.microsoft.com/en-us/cli/azure/) must be installed
+
+#### Obtaining a value from a Azure Key Vault secret
+Sourcing values from an Azure Key Vault Secret requires the secrets unique identifier,
+which can be obtained by running
+
+````shell
+az keyvault secrete show --vault-name <NAME_OF_YOUR_KEYVAULT> --name <NAME_OF_YOUR_SECRET>
+````
+
+> **Warning**
+> The returned entry id statically refers to the current secret's version.
+> In order to always use the current version, omit the last path segment.
+
+The following mapping will load the newest value of an Azure Key Vault secret and store it within the environment variable `MY_SECRET_VALUE`:
+````yaml
+assets:
+  - src: 
+      azureKeyVaultSecret:
+        # Key Vault Secret's id (the lat version path segment is omitted, in order to always use the newest value)
+        itemId: https://MY_TEST_KEYVAULT.vault.azure.net/secrets/MY_TEST_ENTRY
+    mappings:
+      - env: 
+          name: MY_SECRET_VALUE
+````
+
+
+

SECURITY.txt

@@ -0,0 +1,21 @@
+-----BEGIN PGP SIGNED MESSAGE-----
+Hash: SHA256
+
+Contact: mailto:marcel.singer@live.de
+Expires: 2024-06-10T10:00:00.000Z
+Encryption: https://keys.openpgp.org/vks/v1/by-fingerprint/78BBD1E6DE5E7F332D7E2562662DA03FFA9DD870
+Preferred-Languages: en, de
+-----BEGIN PGP SIGNATURE-----
+
+iQGzBAEBCAAdFiEEeLvR5t5efzMtfiViZi2gP/qd2HAFAmSEjpgACgkQZi2gP/qd
+2HBEwwv/fKIF9ArYpGrpTU5voEDeUputjMoJQl9zX2qXLWeMjWJdSYocHhRQ7skd
+tjL4jkI2hz5oEEc/6Ccoszy1c3xw4OTa7A7oHGHi77gxkplj6q3LYPrAjIArHtbq
+AywNbytd3KOigPbcXq8oiOAqwCklzjJ73dMLgILwRwtowduJnoBYZZz+2LKMORdN
+oEVFZ3WzPFnf6uuoVUbNd/D2APWxoDlINP1eS3TjAy/SKvCudirutozsgf4sCqTJ
+YOH3et/60YGU3JafjF8cXpFyx+aL3PSFWC3tdrloScgej5P/W6ZT5JuNcZrmzHeV
+SopyCWsjpHMZbi+/dTBS48eV1nKzd6kXIiGXW30AWqP6Wp+h4e64Oz3zOhtsMZgI
+qI5c5UvsqU5J0YGzMWxSDfSnfdNt/81knoJsBz4RCWV2cVk6VM6hMPIOOg9YOhv6
+afYArzv0L7cDsbsDkopImFyoQfQTWZ3pHwEGXSlYdEpuuDj3KU9ShiF2oAY0Dc5Y
+HW50rMEs
+=8nhK
+-----END PGP SIGNATURE-----