twpayne / chezmoi

Manage your dotfiles across multiple diverse machines, securely.
https://www.chezmoi.io/
MIT License

Bitwarden Session One-liner not valid anymore #2953

Closed jeankhawand closed 1 year ago

jeankhawand commented 1 year ago

Describe the bug

Use the Bitwarden Session One-liner to automate login and unlock, and then rely on the chezmoi runtime to handle filling secrets via `.tmpl` files.

To reproduce

  1. I have `run_onchange_before_install-bw-cli.sh`, which installs the bw CLI and then executes `export BW_SESSION=$(bw {login,unlock} --raw)`
  2. I get the error `Email address is invalid`
  3. chezmoi exits with `error calling bitwarden: /path/to/bitwarden/bin/bw get item cf_api_key: exit status 1`

Expected behavior

It should proceed with filling the template files.

Output of command with the --verbose flag

```
Email address is invalid.
chezmoi: template: dot_zshrc.tmpl:19:4: executing " dot_zshrc.tmpl" at <bitwarden "item" "cf_api_key">: error calling bitwarden: /path/to/bitwarden/bin/bw get item cf_api_key: exit status 1
```

Output of chezmoi doctor

```console
$ chezmoi doctor
RESULT   CHECK               MESSAGE
ok       version             v2.33.3, commit fe6010e8b2518ddabfcd5f58236763b4f2e90ff8, built at 2023-04-21T20:41:23Z, built by goreleaser
ok       latest-version      v2.33.3
ok       os-arch             linux/arm64 (Ubuntu 22.04 LTS (Jammy Jellyfish))
ok       uname               Linux ubuntu-linux-22-04-desktop 5.15.0-70-generic #77-Ubuntu SMP Tue Mar 21 15:58:51 UTC 2023 aarch64 aarch64 aarch64 GNU/Linux
ok       go-version          go1.20.3 (gc)
ok       executable          /snap/chezmoi/663/chezmoi
ok       upgrade-method      snap-refresh
ok       config-file         ~/.config/chezmoi/chezmoi.toml, last modified 2023-04-23T20:49:47+02:00
ok       source-dir          ~/.local/share/chezmoi is a git working tree (clean)
warning  suspicious-entries  ~/.local/share/chezmoi/home/.chezmoiexternal.tmpl
ok       working-tree        ~/.local/share/chezmoi is a git working tree (clean)
ok       dest-dir            ~ is a directory
ok       umask               002
ok       cd-command          found /bin/bash
ok       cd-args             /bin/bash
info     diff-command        not set
ok       edit-command        found /usr/bin/vi
ok       edit-args           /usr/bin/vi
ok       git-command         found /usr/bin/git, version 2.34.1
ok       merge-command       found /usr/bin/vimdiff
ok       shell-command       found /bin/bash
ok       shell-args          /bin/bash
info     age-command         age not found in $PATH
ok       gpg-command         found /usr/bin/gpg, version 2.2.27
info     pinentry-command    not set
info     1password-command   op not found in $PATH
ok       bitwarden-command   found ~/.nvm/versions/node/v18.16.0/bin/bw, version 2023.3.0
info     dashlane-command    dcli not found in $PATH
info     gopass-command      gopass not found in $PATH
info     keepassxc-command   keepassxc-cli not found in $PATH
info     keepassxc-db        not set
info     keeper-command      keeper not found in $PATH
info     lastpass-command    lpass not found in $PATH
info     pass-command        pass not found in $PATH
info     passhole-command    ph not found in $PATH
info     rbw-command         rbw not found in $PATH
info     vault-command       vault not found in $PATH
info     secret-command      not set
```

Additional context

Update doc

⚠️ Since this approach is no longer valid, it prevents chezmoi from completing init. Instead, the user should have Bitwarden installed, logged in and unlocked before proceeding with `chezmoi init`: https://github.com/twpayne/chezmoi/blob/899338d4069cc4102cf7d18f658db222d8b64508/assets/chezmoi.io/docs/user-guide/password-managers/bitwarden.md?plain=1#L21-L27

halostatue commented 1 year ago

The current one-liner tip is slightly confusing, as it means that you want to use either `export BW_SESSION=$(bw login --raw)` or `export BW_SESSION=$(bw unlock --raw)` depending on whether you have previously logged into Bitwarden. A change to say something like the text below would likely be less confusing.

!!! tip "Bitwarden Session One-liner"

    Set `BW_SESSION` automatically with:

    ```console
    $ export BW_SESSION=$(bw login --raw) # OR
    $ export BW_SESSION=$(bw unlock --raw)
    ```


When you run `bw {login,unlock}` it’s trying to login with the email `unlock`, which isn’t valid.

Regardless, the approach of using `run_onchange_before_install-bw-cli.sh` cannot work as shell scripts are always run as subprocesses and they cannot affect the chezmoi operating environment. That is, the `export BW_SESSION` line in your script *will not carry* back into chezmoi or any other scripts. `export BW_SESSION` must be called *prior* to running `chezmoi`.

Alternatively, you could consider using [rbw](https://github.com/doy/rbw) which doesn’t have the same restrictions on session management. It would require changing from `bitwarden*` functions to `rbw*` functions for data retrieval (and there are differences between the functions).

Further thinking:

In *theory*, `pkg/cmd/bitwardentemplatefuncs.go` could be updated to have a `bitwardenGetOrRefreshSessionToken` approach similar to that found for 1Password in `pkg/cmd/onepasswordtemplatefuncs.go` (`onepasswordGetOrRefreshSessionToken`), but there would probably be other changes required to fully support those features. Based *solely* on reading the [Bitwarden documentation](https://bitwarden.com/help/cli/#log-in-to-multiple-accounts), chezmoi would need to:

1. Know the default value for `$BITWARDENCLI_APPDATA_DIR` and check for the existence of `data.json`. More likely, we would need to read it and know the presence of certain keys to know that the account is logged in.
2. If the account is known to be logged in, then execute `bw unlock --raw` like `onepasswordGetOrRefreshSessionToken`.
3. If we wanted to support multiple accounts, the various Bitwarden functions would need to be extended to support a parameter that *translates* back into an appropriate `$BITWARDENCLI_APPDATA_DIR` value. This would either be further configuration in `chezmoi.toml` so that you can use shorthand values, or would need to be actual directories.

This would be something that someone who uses Bitwarden would need to develop (that is, not me), and preferably someone who has access to multiple Bitwarden accounts.

**Similar** approaches would need to be taken for `rbw*` support of multiple accounts, but since earlier this year it supports running multiple instances of the rbw daemon for different profiles (see doy/rbw#93 for the feature PR) with `RBW_PROFILE`. Again, someone who uses Bitwarden and rbw would need to develop this feature further.
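Added example, written for this page and not code from chezmoi or from either commenter: a Go sketch of the `bitwardenGetOrRefreshSessionToken` flow outlined in steps 1 and 2 above, together with the way a `bitwarden "item" ...` template call would hand the resulting token to `bw`. It also shows why the reporter's script could never work: the token only ever flows from chezmoi *down* into `bw` subprocesses via the child environment, never back up. Assumptions (all hypothetical, not chezmoi behaviour): the per-OS default locations used when `$BITWARDENCLI_APPDATA_DIR` is unset, the existence of `data.json` as a stand-in for "logged in" (the thread notes a real implementation would inspect its keys), and the injectable `exec` hook used so the logic can be exercised without a real `bw` binary.

```go
package main

import (
	"fmt"
	"os"
	"os/exec"
	"path/filepath"
	"runtime"
	"strings"
)

// bitwardenAppDataDir returns where bw keeps data.json. $BITWARDENCLI_APPDATA_DIR wins;
// the per-OS fallbacks are an ASSUMPTION about Bitwarden CLI defaults, not chezmoi code.
func bitwardenAppDataDir(getenv func(string) string) (string, error) {
	if dir := getenv("BITWARDENCLI_APPDATA_DIR"); dir != "" {
		return dir, nil
	}
	home, err := os.UserHomeDir()
	if err != nil {
		return "", err
	}
	if runtime.GOOS == "darwin" {
		return filepath.Join(home, "Library", "Application Support", "Bitwarden CLI"), nil
	}
	return filepath.Join(home, ".config", "Bitwarden CLI"), nil
}

// bitwarden caches one session token per chezmoi run. exec is injectable so the
// flow can be tested without a real bw binary (hypothetical helper, not chezmoi's).
type bitwarden struct {
	getenv func(string) string
	exec   func(token string, args ...string) ([]byte, error)
	token  string
}

// getOrRefreshSessionToken follows the flow proposed in the thread: reuse a
// BW_SESSION the user exported, refuse to unlock unless data.json indicates a
// logged-in account, otherwise run `bw unlock --raw` once and cache the result.
func (b *bitwarden) getOrRefreshSessionToken() (string, error) {
	if b.token != "" {
		return b.token, nil
	}
	if tok := b.getenv("BW_SESSION"); tok != "" {
		b.token = tok
		return tok, nil
	}
	dir, err := bitwardenAppDataDir(b.getenv)
	if err != nil {
		return "", err
	}
	// Presence of data.json is only a coarse "logged in" check (see the thread).
	if _, err := os.Stat(filepath.Join(dir, "data.json")); err != nil {
		return "", fmt.Errorf("bitwarden: no data.json in %s; run `bw login` first", dir)
	}
	out, err := b.exec("", "unlock", "--raw")
	if err != nil {
		return "", fmt.Errorf("bitwarden: bw unlock --raw: %w", err)
	}
	tok := strings.TrimSpace(string(out))
	if tok == "" {
		return "", fmt.Errorf("bitwarden: bw unlock --raw returned an empty session token")
	}
	b.token = tok
	return tok, nil
}

// getItem is what a `bitwarden "item" "name"` template call would resolve to.
func (b *bitwarden) getItem(name string) ([]byte, error) {
	tok, err := b.getOrRefreshSessionToken()
	if err != nil {
		return nil, err
	}
	return b.exec(tok, "get", "item", name)
}

// realExec runs the bw binary. The token goes into the child's environment only, never
// onto argv (visible in the process list); stdin stays attached so bw can prompt.
func realExec(bwCommand string) func(string, ...string) ([]byte, error) {
	return func(token string, args ...string) ([]byte, error) {
		cmd := exec.Command(bwCommand, args...)
		cmd.Stdin, cmd.Stderr = os.Stdin, os.Stderr
		cmd.Env = os.Environ()
		if token != "" {
			cmd.Env = append(cmd.Env, "BW_SESSION="+token)
		}
		return cmd.Output()
	}
}

func main() {
	bw := &bitwarden{getenv: os.Getenv, exec: realExec("bw")}
	item, err := bw.getItem("cf_api_key") // item name taken from the issue report
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Printf("fetched %d bytes of item JSON\n", len(item))
}
```

Two design points worth noting: the token is never placed on the `bw` command line, so it does not show up in `ps` output or shell history, and the cache lives only in the process, so a `run_` script that `export`s its own `BW_SESSION` still cannot feed it back into chezmoi, which is exactly the limitation halostatue describes.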