BitwardenWrapper.psm1

enum BitwardenMfaMethod {
    Authenticator   = 0
    Email           = 1
    Yubikey         = 2
}

enum BitwardenItemType {
    Undefined       = 0
    Login           = 1
    SecureNote      = 2
    Card            = 3
    Identity        = 4
}

enum BitwardenUriMatchType {
    Domain          = 0
    Host            = 1
    StartsWith      = 2
    Exact           = 3
    Regex           = 4
    Never           = 5
}

enum BitwardenFieldType {
    Text            = 0
    Hidden          = 1
    Boolean         = 2
}

enum BitwardenOrganizationUserType {
    Owner           = 0
    Admin           = 1
    User            = 2
    Manager         = 3
}

enum BitwardenOrganizationUserStatus {
    Invited         = 0
    Accepted        = 1
    Confirmed       = 2
}

$ModuleCacheFolder = Join-Path '~' '.config' 'BitwardenWrapper'
if ( -not( Test-Path -Path $ModuleCacheFolder ) ) {
    New-Item -Path $ModuleCacheFolder -ItemType Directory -ErrorAction Stop > $null
}

if ( -not $env:BITWARDENCLI_APPDATA_DIR ) {

    # tell bitwarden where to store data
    $env:BITWARDENCLI_APPDATA_DIR = Join-Path ( $ModuleCacheFolder | Resolve-Path | Convert-Path ) 'appdata'

}

# file indication that bitwarden is unlocked
# allows sharing lock status across sessions
$UnlockedFile = Join-Path $env:BITWARDENCLI_APPDATA_DIR '.unlocked'

# file storing session key
$SessionXmlPath = Join-Path $env:BITWARDENCLI_APPDATA_DIR 'session.xml'
if ( -not( Test-Path Env:\BW_SESSION ) -and ( Test-Path $SessionXmlPath -PathType Leaf ) ) {
    $env:BW_SESSION = (Import-Clixml -Path $SessionXmlPath).GetNetworkCredential().Password
}

# if a bw application exists in the Cache folder we'll use
# that, otherwise use the version that matches this module
$BitwardenCLI = Get-Command (Join-Path $ModuleCacheFolder 'bw') -CommandType Application -ErrorAction SilentlyContinue
if ( -not $BitwardenCLI ) {

    $Platform = 'Unsupported'
    if ( $IsMacOS   ) { $Platform = 'MacOS'   }
    if ( $IsLinux   ) { $Platform = 'Linux'   }
    if ( $IsWindows ) { $Platform = 'Windows' }
    if ( $Platform -eq 'Unsupported' ) {
        Write-Error "You appear to be using an unsupported platform. Please manually install a bw-cli binary into $ModuleCacheFolder." -ErrorAction Stop
    }

    $ModuleVersion = (Import-PowerShellDataFile -Path (Join-Path $PSScriptRoot 'BitwardenWrapper.psd1')).ModuleVersion

    $DefaultPath = Join-Path $ModuleCacheFolder ( 'bw' + ('','.exe')[$IsWindows] )
    $TargetPath  = Join-Path $ModuleCacheFolder ( 'bw-v' + $ModuleVersion + ('','.exe')[$IsWindows] )

    if ( Test-Path -Path $TargetPath ) {

        $BitwardenCLI = Get-Command $TargetPath -CommandType Application -ErrorAction Stop

    } else {

        Write-Warning "Downloading Bitwarden CLI v$ModuleVersion..."

        $DownloadUri = "https://github.com/bitwarden/clients/releases/download/cli-v{0}/bw-{1}-{0}.zip" -f $ModuleVersion, $Platform.ToLower()
        $DownloadPath = Join-Path $ModuleCacheFolder 'bw-cli.zip'
    
        Invoke-WebRequest -UseBasicParsing -Uri $DownloadUri -OutFile $DownloadPath

        Expand-Archive -Path $DownloadPath -DestinationPath $ModuleCacheFolder -Force
        Remove-Item -Path $DownloadPath -Force -Confirm:$false -ErrorAction SilentlyContinue
        Get-Item -Path $DefaultPath | Move-Item -Destination $TargetPath
        if ( $Platform -ne 'Windows' ) {
            chmod +x $TargetPath
        }
    
        $BitwardenCLI = Get-Command $TargetPath -CommandType Application -ErrorAction Stop

    }

}

New-Alias -Name 'bw-cli' -Value $BitwardenCLI.Path

function bw {
    <#
    .SYNOPSIS
    The Bitwarden command-line interface (CLI) is a powerful, fully-featured tool for accessing and managing your Vault.
    .DESCRIPTION
    The Bitwarden command-line interface (CLI) is a powerful, fully-featured tool for accessing and managing your Vault.
    Most features that you find in other Bitwarden client applications (Desktop, Browser Extension, etc.) are available
    from the CLI. The Bitwarden CLI is self-documented. From the command line, learn about the available commands using:
    bw --help
    #>

    process {

        [System.Collections.Generic.List[string]]$ArgumentsList = $args

        # run bw and capture result
        if ( $_ ) {
            [string[]] $Result = $_ | & $Script:BitwardenCLI @ArgumentsList
        } else {
            [string[]] $Result = & $Script:BitwardenCLI @ArgumentsList
        }

        # remove the .unlocked file if the command is lock
        # unlocked file just used to allow easy detection of
        # lock status for prompt decoration and auto locking
        # scripts
        if ( $ArgumentsList.IndexOf('lock') -ge 0 ) {
            Remove-Item $Script:UnlockedFile -ErrorAction SilentlyContinue
        }
        
        # if --raw is specified we just return the result
        # without doing any post processing
        if ( $ArgumentsList.IndexOf('--raw') -ge 0 ) { return $Result }
        
        # try to parse the result as JSON
        try {
        
            [object[]]$JsonResult = $Result | ConvertFrom-Json -Depth 99 -ErrorAction SilentlyContinue
            
        } catch {
        
            Write-Verbose 'JSON Parse Message:'
            Write-Verbose $_.Exception.Message
        
        }

        # if parsing is successful we do some post processing
        if ( $JsonResult ) {

            Write-Verbose 'Processing JSON output...'

            $JsonResult.ForEach({

                if ( $_.type ) {
                
                    if ( $_.object -eq 'item' ) {
                        
                        [BitwardenItemType]$_.type = [int]$_.type
                    
                    } elseif ( $_.object -eq 'org-member' ) {
                        
                        [BitwardenOrganizationUserType]$_.type = [int]$_.type
                        [BitwardenOrganizationUserStatus]$_.status = [int]$_.status

                    }

                }

                if ( $_.login ) {

                    if ( $null -ne $_.login.password ) {

                        $_.login.password = ConvertTo-SecureString -String $_.login.password -AsPlainText -Force

                    } else {

                        $_.login.password = [System.Security.SecureString]::new()

                    }

                    $_.login | Add-Member -MemberType NoteProperty -Name credential -Value ([pscredential]::new( $_.login.username, $_.login.password ))

                    $_.login.uris.ForEach({ [BitwardenUriMatchType]$_.match = [int]$_.match })
                
                }

                if ( $_.passwordHistory ) {

                    $_.passwordHistory.ForEach({
            
                        $_.password = ConvertTo-SecureString -String $_.password -AsPlainText -Force
                        
                    })

                }

                if ( $_.identity.ssn ) {

                    $_.identity.ssn = ConvertTo-SecureString -String $_.identity.ssn -AsPlainText -Force
                    
                }

                if ( $_.fields ) {

                    $_.fields.ForEach({

                        [BitwardenFieldType]$_.type = [int]$_.type

                        if ( $_.type -eq [BitwardenFieldType]::Hidden ) {

                            $_.value = ConvertTo-SecureString -String $_.value -AsPlainText -Force

                        }
                    
                    })

                }

                if ( $_.status ) {
                    if ( $_.status -eq 'unlocked' ) {
                        New-Item $Script:UnlockedFile -Force > $null
                    } else {
                        Remove-Item $Script:UnlockedFile -ErrorAction SilentlyContinue
                    }
                }

                $_

            })

        }
        
        else {

            Write-Verbose 'Processing text output...'

            # look for session key
            if ( $Result -and $Result[-1] -like '*--session*' ) {

                Write-Verbose 'Found session key, unlocking...'

                New-Item $Script:UnlockedFile -Force > $null

                $env:BW_SESSION = $Result[-1].Trim().Split(' ')[-1]

                # export session key into cache
                [pscredential]::new( 'SessionKey', ( $env:BW_SESSION | ConvertTo-SecureString -AsPlainText -Force) ) | Export-Clixml -Path $Script:SessionXmlPath

                $Result[0]

            } else {

                $Result

            }

        }

    }

}

if ( $IsWindows ) {
    New-Alias -Name 'bw.exe' -Value 'bw'
}


# Scriptblock for Test-BWAutoComplete and the argument completer
$AutoCompleteScript = {
    param( $WordToComplete, $CommandAst, $CursorPosition )

    # Instantiate the AutoComplete configuration
    $AutoCompleteJson = '{"Version":"2024.3.1","Switches":[{"Name":"--pretty","Values":null},{"Name":"--raw","Values":null},{"Name":"--response","Values":null},{"Name":"--cleanexit","Values":null},{"Name":"--quiet","Values":null},{"Name":"--nointeraction","Values":null},{"Name":"--session","Values":[""]},{"Name":"--version","Values":null},{"Name":"--help","Values":null}],"Commands":[{"Name":"login","Switches":[{"Name":"--method","Values":[0,1,3]},{"Name":"--code","Values":[""]},{"Name":"--sso","Values":null},{"Name":"--apikey","Values":null},{"Name":"--passwordenv","Values":[""]},{"Name":"--passwordfile","Values":[""]},{"Name":"--check","Values":null},{"Name":"--help","Values":null}],"Params":[{"Name":"email","Values":[""]},{"Name":"password","Values":[""]}]},{"Name":"logout","Switches":[{"Name":"--help","Values":null}],"Params":[]},{"Name":"lock","Switches":[{"Name":"--help","Values":null}],"Params":[]},{"Name":"unlock","Switches":[{"Name":"--check","Values":null},{"Name":"--passwordenv","Values":[""]},{"Name":"--passwordfile","Values":[""]},{"Name":"--help","Values":null}],"Params":[{"Name":"password","Values":[""]}]},{"Name":"sync","Switches":[{"Name":"--force","Values":null},{"Name":"--last","Values":null},{"Name":"--help","Values":null}],"Params":[]},{"Name":"generate","Switches":[{"Name":"--uppercase","Values":null},{"Name":"--lowercase","Values":null},{"Name":"--number","Values":null},{"Name":"--special","Values":null},{"Name":"--passphrase","Values":null},{"Name":"--length","Values":[""]},{"Name":"--words","Values":[""]},{"Name":"--minNumber","Values":[""]},{"Name":"--minSpecial","Values":[""]},{"Name":"--separator","Values":[""]},{"Name":"--capitalize","Values":null},{"Name":"--includeNumber","Values":null},{"Name":"--ambiguous","Values":null},{"Name":"--help","Values":null}],"Params":[]},{"Name":"encode","Switches":[{"Name":"--help","Values":null}],"Params":[]},{"Name":"config","Switches":[{"Name":"--api","Values":[""]},{"Name":"--identity","Values":[""]},{"Name":"--icons","Values":[""]},{"Name":"--notifications","Values":[""]},{"Name":"--events","Values":[""]},{"Name":"--help","Values":null}],"Params":[{"Name":"setting","Values":[""]},{"Name":"value","Values":[""]}]},{"Name":"update","Switches":[{"Name":"--help","Values":null}],"Params":[]},{"Name":"completion","Switches":[{"Name":"--shell","Values":"zsh"},{"Name":"--help","Values":null}],"Params":[]},{"Name":"status","Switches":[{"Name":"--help","Values":null}],"Params":[]},{"Name":"serve","Switches":[{"Name":"--hostname","Values":[""]},{"Name":"--port","Values":[""]},{"Name":"--help","Values":null}],"Params":[]},{"Name":"list","Switches":[{"Name":"--search","Values":[""]},{"Name":"--url","Values":[""]},{"Name":"--folderid","Values":[""]},{"Name":"--collectionid","Values":[""]},{"Name":"--organizationid","Values":[""]},{"Name":"--trash","Values":null},{"Name":"--help","Values":null}],"Params":[{"Name":"object","Values":["items","folders","collections","org-collections","org-members","organizations"]}]},{"Name":"get","Switches":[{"Name":"--itemid","Values":[""]},{"Name":"--output","Values":[""]},{"Name":"--organizationid","Values":[""]},{"Name":"--help","Values":null}],"Params":[{"Name":"object","Values":["item","username","password","uri","totp","notes","exposed","attachment","folder","collection","org-collection","organization","template","fingerprint","send"]},{"Name":"id","Values":[""]}]},{"Name":"create","Switches":[{"Name":"--file","Values":[""]},{"Name":"--itemid","Values":[""]},{"Name":"--organizationid","Values":[""]},{"Name":"--help","Values":null}],"Params":[{"Name":"object","Values":["item","attachment","folder","org-collection"]},{"Name":"encodedJson","Values":[""]}]},{"Name":"edit","Switches":[{"Name":"--organizationid","Values":[""]},{"Name":"--help","Values":null}],"Params":[{"Name":"object","Values":["item","item-collections","folder","org-collection"]},{"Name":"id","Values":[""]},{"Name":"encodedJson","Values":[""]}]},{"Name":"delete","Switches":[{"Name":"--itemid","Values":[""]},{"Name":"--organizationid","Values":[""]},{"Name":"--permanent","Values":null},{"Name":"--help","Values":null}],"Params":[{"Name":"object","Values":["item","attachment","folder","org-collection"]},{"Name":"id","Values":[""]}]},{"Name":"restore","Switches":[{"Name":"--help","Values":null}],"Params":[{"Name":"object","Values":["item"]},{"Name":"id","Values":[""]}]},{"Name":"move","Switches":[{"Name":"--help","Values":null}],"Params":[{"Name":"id","Values":[""]},{"Name":"organizationId","Values":[""]},{"Name":"encodedJson","Values":[""]}]},{"Name":"confirm","Switches":[{"Name":"--organizationid","Values":[""]},{"Name":"--help","Values":null}],"Params":[{"Name":"object","Values":["org-member"]},{"Name":"id","Values":[""]}]},{"Name":"import","Switches":[{"Name":"--formats","Values":null},{"Name":"--organizationid","Values":[""]},{"Name":"--help","Values":null}],"Params":[{"Name":"format","Values":[""]},{"Name":"input","Values":[""]}]},{"Name":"export","Switches":[{"Name":"--output","Values":[""]},{"Name":"--format","Values":["csv","json"]},{"Name":"--password","Values":[""]},{"Name":"--organizationid","Values":[""]},{"Name":"--help","Values":null}],"Params":[]},{"Name":"share","Switches":[{"Name":"--help","Values":null}],"Params":[{"Name":"id","Values":[""]},{"Name":"organizationId","Values":[""]},{"Name":"encodedJson","Values":[""]}]},{"Name":"send","Switches":[{"Name":"--file","Values":null},{"Name":"--deleteInDays","Values":[""]},{"Name":"--maxAccessCount","Values":[""]},{"Name":"--hidden","Values":null},{"Name":"--name","Values":[""]},{"Name":"--notes","Values":[""]},{"Name":"--fullObject","Values":null},{"Name":"--help","Values":null}],"Params":[{"Name":"command","Values":[""]},{"Name":"data","Values":[""]}]},{"Name":"receive","Switches":[{"Name":"--password","Values":[""]},{"Name":"--passwordenv","Values":[""]},{"Name":"--passwordfile","Values":[""]},{"Name":"--obj","Values":null},{"Name":"--output","Values":[""]},{"Name":"--help","Values":null}],"Params":[{"Name":"url","Values":[""]}]},{"Name":"help","Switches":[{"Name":"--pretty","Values":null},{"Name":"--raw","Values":null},{"Name":"--response","Values":null},{"Name":"--cleanexit","Values":null},{"Name":"--quiet","Values":null},{"Name":"--nointeraction","Values":null},{"Name":"--session","Values":[""]},{"Name":"--version","Values":null},{"Name":"--help","Values":null}],"Params":[]}]}'
    $AutoCompleteConfiguration = $AutoCompleteJson | ConvertFrom-Json -Depth 99

    # trim off the command name and the $WordToComplete
    $ArgumentsList = $CommandAst -replace '^bw(?:\.exe)?\s+' -replace "\s*$WordToComplete$"

    # split the $ArgumentsList into an array
    [string[]] $ArgumentsArray = Invoke-Expression "&{`$args} $ArgumentsList"

    # filter for returned values
    $MatchFilter = { $_ -notin $ArgumentsArray -and $_ -like "$WordToComplete*" }

    # check for the current command, returns first command that appears in the
    # $ArgumentsArray ignoring parameters any other strings
    $CurrentCommand = $AutoCompleteConfiguration.Commands | Where-Object { $ArgumentsArray -contains $_.Name }
    $CurrentSwitch = $null

    # if there are elements in the ArgumentsArray get the current switch argument
    # if it requires a value be provided
    if ( $ArgumentsArray.Count -ne 0 ) {
        
        if ( $CurrentCommand ) {
            $CurrentSwitch = $CurrentCommand.Switches | Where-Object { $_.Name -eq $ArgumentsArray[-1] -and $null -ne $_.Values } | Select-Object -First 1
        } else {
            $CurrentSwitch = $AutoCompleteConfiguration.Switches | Where-Object { $_.Name -eq $ArgumentsArray[-1] -and $null -ne $_.Values } | Select-Object -First 1
        }

        # if the last argument is a switch with a completer then we do that
        if ( $CurrentSwitch ) {
            if ( $CurrentSwitch.Values ) {
                return $CurrentSwitch.Values |
                    Where-Object $MatchFilter
            }
            return $WordToComplete
        }

    }

    # if the $ArgumentsArray is empty OR there is no $CurrentCommand then we
    # output all of the commands and common parameters that match the last
    # $WordToComplete
    if ( $ArgumentsArray.Count -eq 0 -or -not $CurrentCommand ) {

        return $AutoCompleteConfiguration.Commands.Name + $AutoCompleteConfiguration.Switches.Name |
            Where-Object $MatchFilter

    }

    # if the last complete argument is the command name and there are params for this
    # command then we want to force parameter configuration
    [string[]] $NonSwitchParamsAfterCommand = $ArgumentsArray | Select-Object -Skip ( $ArgumentsArray.IndexOf($CurrentCommand.Name) + 1 ) | Where-Object { $_ -notlike '--*' }
    if ( $WordToComplete -notlike '-*' -and $NonSwitchParamsAfterCommand.Count -lt $CurrentCommand.Params.Count ) {
        $CurrentParam = $CurrentCommand.Params | Select-Object -Skip $NonSwitchParamsAfterCommand.Count -First 1
        if ( $CurrentParam.Values ) {
            return $CurrentParam.Values |
                Where-Object $MatchFilter
        }
        return $WordToComplete
    }

    # if we get here then all we have left is switches for the current command
    return $CurrentCommand.Switches.Name |
        Where-Object $MatchFilter

}

Register-ArgumentCompleter -CommandName bw -ScriptBlock $AutoCompleteScript
Register-ArgumentCompleter -CommandName bw-cli -ScriptBlock $AutoCompleteScript

# testing script, not exported by default
New-Item -Path Function:\Test-BWAutoComplete -Value $AutoCompleteScript

function Get-BWCredential {
    
    param(

        [Parameter( Position = 1)]
        [Alias( 'UserName', 'Email' )]
        [string]
        $Search,

        [string]
        $Url,

        [ValidateSet( 'Choose', 'Error' )]
        [string]
        $MultipleAction = 'Error'

    )
    
    [System.Collections.Generic.List[string]]$SearchParams = 'list', 'items'

    if ( $Search ) {
        $SearchParams.Add( '--search' )
        $SearchParams.Add( $Search )
    }

    if ( $Url ) {
        $SearchParams.Add( '--url' )
        $SearchParams.Add( $Url )
    }

    [object[]]$Result = bw @SearchParams | Where-Object { $_.login.credential }

    if ( $Result.Count -eq 0 ) {
        Write-Error 'No results returned'
        return
    }

    if ( $Result.Count -gt 1 -and $MultipleAction -eq 'Error' ) {
        Write-Error 'Multiple entries returned'
        return
    }
    
    $Result | Select-BWCredential

}

function Select-BWCredential {
    <#
    .SYNOPSIS
    Select a credential from those returned from the Bitwarden CLI
     
    .DESCRIPTION
    Select a credential from those returned from the Bitwarden CLI
    #>

    param(

        [Parameter( Mandatory = $true, ValueFromPipeline = $true )]
        [pscustomobject[]]
        $BitwardenItems

    )

    begin {

        $ChooserProperties = @(
            @{ Name = ' '     ; Expression = { '{0,3})' -f $Result.IndexOf($_)            } }
            @{ Name = 'Name'     ; Expression = { $_.name                                    } }
            @{ Name = 'UserName' ; Expression = { $_.login.username                          } }
            @{ Name = 'Uri'      ; Expression = { $_.login.uris.uri | Select-Object -First 1 } }
        )

        [System.Collections.ArrayList]$Result = @()

    }

    process {

        $BitwardenItems.Where({ $_.login }) | ForEach-Object { $Result.Add($_) > $null }

    }

    end {

        if ( $Result.Count -eq 0 ) {
            Write-Error 'No results returned'
            return
        }
        
        if ( $Result.Count -gt 1 ) {
    
            $Result | Select-Object $ChooserProperties | Format-Table | Out-Host
            
            $Selection = ( Read-Host 'Selection' ) -as [int]
    
        }
        else {

            $Selection = 0
        
        }
    
        if ( $null -eq $Result[$Selection] ) { return }

        $Credential = $Result[$Selection].login.credential

        if ( -not [string]::IsNullOrEmpty( $Result[$Selection].login.totp ) ) {
            $Credential | Add-Member -MemberType ScriptProperty -Name TOTP -Value ([scriptblock]::Create("bw get totp $($Result[$Selection].id) --raw"))
        }
    
        return $Result[$Selection].login.credential

    }

}