royalapplications / toolbox

This repository contains various automation scripts for Royal TS (for Windows) and Royal TSX (for macOS). Also included are dynamic folder samples. This collection consists of scripts by the Royal Apps team or contributions from our great user-base!
https://www.royalapps.com
MIT License

Unable to load Bitwarden Credentials in Dynamic Folder #107

Open vpv-snbe opened 3 months ago

vpv-snbe commented 3 months ago

Hi all,

Today I tried to connect RoyalTS to Bitwarden via a dynamic folder. I created a dynamic folder with the PowerShell script and inserted the values of my self-hosted Bitwarden server.

After clicking on "Reload" in RoyalTS, I get the error message "At least one token couldn't be resolved" and the following in the details: global:OutputEncoding\r\n CustomProperty.BitWardenCLIExecutable CustomProperty.BitWardenServerURL CustomProperty.APIClientID CustomProperty.APIClientSecret CustomProperty.AccountPassword ( ( (

Any idea what I'm doing wrong?

StefanKoell commented 3 months ago

Can you post a screenshot of the error message and the dynamic folder configuration (with sensitive data redacted)? Also, does it actually populate the dynamic folder?

vpv-snbe commented 3 months ago

Hi StefanKoell,

I have come one step further. I still get the error message about the token, but the credentials are loaded into the dynamic folder.

However, it only works if I specify a fixed folder in line 190 of the script. As soon as the script is supposed to load several folders, it continues to run endlessly.

```powershell
foreach ($folder in $tmpFolders[0]) {
  if ($null -ne $folder.id) {
    $tF = @{ Type = "Folder"; ID = $folder.id; Name = $folder.name; Objects = [array]@(Get-VaultItems -folderId $folder.id); }
    if ($tF.Objects.Count -ne 0) { $final.Objects[0].Objects += $tF; $tF = $null }
  } else {
    # Add default folder
    $tF = @{ Type = "Folder"; ID = "nofolder"; Name = "No folder"; Objects = [array]@(Get-VaultItems -folderId null); }
    if ($tF.Objects.Count -ne 0) { $final.Objects[0].Objects += $tF; $tF = $null }
  }
}
```


StefanKoell commented 3 months ago

I'm still not sure what the error message is or how it is presented. For scripts where tokens are replaced you may always get warnings that tokens cannot be resolved because the parser may try to identify tokens based on some $ variables in the script. These warnings can/should just be ignored.

Regarding the other issue, I'm not sure how I can help because I'm not really familiar with the Bitwarden API. Maybe someone else who has experience with Bitwarden's API can help here.

vpv-snbe commented 3 months ago

Sorry, forgot to add the screenshot from the error message.

Bitwarden_RoyalTS_Token-Error

To the other issue: When I run the script directly in ISE I see that sometimes I get the entries from Bitwarden, sometimes not. In the cases where I get no credentials, the process gets stuck at different points.

StefanKoell commented 3 months ago

Thanks for the screenshot. The warning can be ignored and is actually expected for scripting languages which also use $ chars extensively. It will not really affect the token resolution.

I find it odd, that even in the ISE you get inconsistent results. Not sure what's going on. Maybe the bitwarden backend can give some insights.

vpv-snbe commented 3 months ago

Thank you for the info, I will ignore this error message.

I am trying to find something in the Bitwarden backend, nothing found yet. The import breaks on different folders, sometimes on the first or second, sometimes it works. In the last test, the script hung at the folder "Firewall". Maybe anyone has an idea where to look for this error?

Folder overview: Bitwarden_CLI_Folders

Script with added status-logging: Bitwarden_CLI_Skript

StefanKoell commented 3 months ago

Maybe Bitwarden support can help? Could also be an isolated issue with the specific instance/installation.

tmsadm693 commented 1 month ago

Same problem here - I tried different bw.exe versions but with no luck

GrinGrin commented 1 month ago

Hi all,

I did not have a lot of time to work on this until recently. I was also blocked by an issue in the latest version of the Bitwarden CLI tool (bw.exe), which seems to not work anymore with an API key (it complains about a bad master password, even if correct, when unlocking the vault) 😒 I had to revert back to the older version 2023.12.1 in order to get it working again... (maybe a more recent version can work, I did not test all versions!)

Anyway, I've recently reworked the whole script to make better use of the navigation's treeview instead of having folders and subfolders at the same level. sample_dynamicfolder

Unfortunately, right now the script is working but not ready for daily use, as it now makes calls to the vault for each folder/collection and it takes way too long, as it's not a real REST API under the hood!

For example in my setup, with 540+ credentials/notes split between 1 personal vault, 2 organizations and 3 collections, it took a little bit more than 3 minutes to load 😣

As I also had to work on this at my day job, I'll try to use the embedded API endpoint of the CLI tool (bw serve), as it seems way quicker! As the command does not run in the background, I just had to figure out how to launch it in a background thread, make all calls and terminate the thread, all from the PowerShell script executed by RoyalTS 😥

I'll keep you informed as soon as I have a working version 🤞

GrinGrin commented 1 month ago

Well ...

That was way easier than I thought to convert the script ... And it is mind blowing! bitwarden_cli_vs_rest

Both request the same vault on the same instance: the first uses "legacy" calls to bw.exe to get every folder/org/collection and their content each time, the second uses bw.exe serve to use the REST gateway. I just had to convert all Invoke-Command -ScriptBlock calls to Invoke-WebRequest and adapt the property of the resulting object to access the data 😱

I'll check that the result is fully compliant with my vault content. I also spotted some encoding errors to correct. But I think a working test script won't take too long to get.

Stay tuned ! 😜
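
The `bw serve` pattern described in this comment, sketched as an added example (it is not GrinGrin's script or the toolbox template): start the gateway bound to loopback, give every call a timeout so a stalled request fails instead of hanging the reload, and always lock and stop the gateway afterwards. Assumptions: `bw.exe` is on the PATH and already logged in, port 8087 is free, and `$env:BW_PASSWORD` is a hypothetical variable holding the master password.

```powershell
# Added example. $bwExe, $port and $env:BW_PASSWORD are assumptions, not from the thread.
$bwExe = 'bw.exe'
$port  = 8087
$base  = "http://127.0.0.1:$port"

function Invoke-BwApi {
    param([string]$Path, [string]$Method = 'Get', $Body)
    # TimeoutSec makes a stalled call throw instead of blocking the dynamic folder forever.
    $p = @{ Uri = "$base$Path"; Method = $Method; TimeoutSec = 30 }
    if ($null -ne $Body) { $p.Body = ($Body | ConvertTo-Json); $p.ContentType = 'application/json' }
    Invoke-RestMethod @p
}

# Loopback only: the gateway answers without per-request authentication once unlocked.
$bw = Start-Process -FilePath $bwExe -PassThru -WindowStyle Hidden `
        -ArgumentList 'serve', '--hostname', '127.0.0.1', '--port', $port
try {
    # Bounded wait (about 10 seconds) for the gateway to come up.
    $ready = $false
    foreach ($i in 1..20) {
        try { $null = Invoke-BwApi '/status'; $ready = $true; break }
        catch { Start-Sleep -Milliseconds 500 }
    }
    if (-not $ready) { throw 'bw serve did not start in time' }

    $null = Invoke-BwApi '/unlock' -Method Post -Body @{ password = $env:BW_PASSWORD }

    $folders = (Invoke-BwApi '/list/object/folders').data.data
    $objects = foreach ($folder in $folders) {
        # The "No Folder" entry has a null id; the API expects folderid=null for it.
        $id = if ($null -ne $folder.id) { $folder.id } else { 'null' }
        $items = @((Invoke-BwApi "/list/object/items?folderid=$id").data.data | Where-Object { $_.login })
        if ($items.Count -ne 0) {
            @{ Type = 'Folder'; ID = $id; Name = $folder.name
               Objects = @($items | ForEach-Object {
                   @{ Type = 'Credential'; ID = $_.id; Name = $_.name
                      Username = $_.login.username; Password = $_.login.password } }) }
        }
    }
    # JSON tree for the dynamic folder; it contains secrets, so do not log it.
    @{ Objects = @($objects) } | ConvertTo-Json -Depth 6
}
finally {
    # Runs on success and on error: lock the vault, then stop the gateway process.
    try { $null = Invoke-BwApi '/lock' -Method Post } catch { }
    if (-not $bw.HasExited) { Stop-Process -Id $bw.Id -Force }
}
```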

GrinGrin commented 1 month ago

Hi all!

I've pushed an update to the template on my fork of the repo.

Can you test if it works for you before I open a PR?

Please note the following known issues:

On instances with a small amount of objects it can work pretty well but can struggle with large organizations. One way to mitigate that may be to take a look at some filtering options like this: image

Based on criteria (with or without wildcards), instead of loading everything, I may be able to limit a bit. Adding filtering on the item names can also be an option ... 🤔

Let me know what you think! Thanks for your feedback!

Best Regards, Nicolas.