Add resolve_credentials() for standalone credential resolution

alberefe · alberefe · commit a91b6fb5b89b · 2026-03-08T15:43:58.000+01:00
Add a framework-agnostic resolve_credentials() function that fetches
and extracts credentials from Bitwarden or HashiCorp Vault in a single
call. This allows any caller (BackendCommand, KingArthur, scripts) to
resolve secrets without depending on Perceval's CLI layer.

- Add resolve_credentials() with field extraction helpers
- Add SecretsManagerFactory for lazy manager instantiation
- Export resolve_credentials and HashicorpVaultError from package
- Add tests for all credential resolution paths
- Document usage in README

Signed-off-by: Alberto Ferrer Sánchez &lt;alberefe@gmail.com&gt;
diff --git a/README.md b/README.md
@@ -259,6 +259,89 @@ Field Descriptions
 
 The module uses the [hvac](https://hvac.readthedocs.io/) Python library to interact with HashiCorp Vault.
 
+### `resolve_credentials()` — Unified credential resolution
+
+The `resolve_credentials()` function provides a high-level interface to
+fetch and extract credentials from any supported secrets manager in a single
+call. It handles manager instantiation, authentication, secret retrieval,
+field extraction, and cleanup automatically.
+
+This function is designed to work independently of any CLI framework, making
+it usable from Perceval's `BackendCommand`, KingArthur, or any custom script.
+
+#### Example
+
+```python
+from grimoirelab_toolkit.credential_manager import resolve_credentials
+
+# Bitwarden example
+credentials = resolve_credentials(
+    manager_type='bitwarden',
+    manager_config={
+        'client_id': 'your-client-id',
+        'client_secret': 'your-client-secret',
+        'master_password': 'your-master-password',
+    },
+    item_name='GitHub',
+    field_names=['api_token', 'user'],
+)
+# credentials = {'api_token': 'ghp_...', 'user': 'myuser'}
+
+# HashiCorp example
+credentials = resolve_credentials(
+    manager_type='hashicorp',
+    manager_config={
+        'vault_url': 'https://vault.example.com',
+        'token': 'hvs.your-token',
+    },
+    item_name='secret/my-service',
+    field_names=['api_token'],
+)
+```
+
+#### Parameters
+
+- `manager_type` (`str`) — `"bitwarden"` or `"hashicorp"`
+- `manager_config` (`dict`) — Manager-specific authentication credentials (see below)
+- `item_name` (`str`) — Name/path of the secret item in the vault
+- `field_names` (`list[str]`) — List of field names to look up in the vault. Field names must match the names used when storing the secret.
+
+#### Manager config by provider
+
+- **Bitwarden**: `client_id`, `client_secret`, `master_password`
+- **HashiCorp**: `vault_url`, `token`, `certificate` (optional)
+
+#### Return value
+
+A `dict[str, str]` mapping field names to resolved string values.
+Only fields that were found are included in the result. Missing fields
+produce a warning log and are omitted (partial results are valid).
+
+#### Field extraction behavior
+
+Each manager returns secrets in a different format. `resolve_credentials()`
+normalizes the extraction:
+
+- **Bitwarden**: Checks `item['login']` dict first (for username, password),
+  then searches the `item['fields']` array (for custom fields like API tokens).
+- **HashiCorp**: Reads from `secret['data']['data'][field_name]`.
+
+#### Error handling
+
+- Unsupported `manager_type` raises `ValueError`
+- Empty `item_name` raises `ValueError`
+- Secret item not found raises `CredentialNotFoundError`
+- Individual missing fields are skipped with a warning (no error)
+- For Bitwarden, `logout()` is always called in a `finally` block
+
+### Optional dependencies (lazy imports)
+
+The secrets manager providers use lazy imports, so you only need to install
+the dependencies for the provider you actually use:
+
+- **Bitwarden**: requires `bw` CLI on `PATH` (no Python package needed)
+- **HashiCorp**: requires `hvac` (`poetry install --with hashicorp-manager`)
+
 ## License
 
 Licensed under GNU General Public License (GPL), version 3 or later.
diff --git a/grimoirelab_toolkit/credential_manager/__init__.py b/grimoirelab_toolkit/credential_manager/__init__.py
@@ -15,16 +15,16 @@
 # You should have received a copy of the GNU General Public License
 # along with this program. If not, see <http://www.gnu.org/licenses/>.
 #
-# Author:
-#     Alberto Ferrer Sánchez (alberefe@gmail.com)
-#
+
 
 from .bw_manager import BitwardenManager
+from .credential_manager import resolve_credentials
 from .exceptions import (
     CredentialManagerError,
     InvalidCredentialsError,
     CredentialNotFoundError,
     BitwardenCLIError,
+    HashicorpVaultError,
 )
 
 __all__ = [
@@ -33,4 +33,6 @@
     "InvalidCredentialsError",
     "CredentialNotFoundError",
     "BitwardenCLIError",
+    "HashicorpVaultError",
+    "resolve_credentials",
 ]
diff --git a/grimoirelab_toolkit/credential_manager/bw_manager.py b/grimoirelab_toolkit/credential_manager/bw_manager.py
@@ -14,9 +14,8 @@
 # You should have received a copy of the GNU General Public License
 # along with this program. If not, see <http://www.gnu.org/licenses/>.
 #
-# Author:
-#       Alberto Ferrer Sánchez (alberefe@gmail.com)
-#
+
+
 import json
 import subprocess
 import logging
diff --git a/grimoirelab_toolkit/credential_manager/credential_manager.py b/grimoirelab_toolkit/credential_manager/credential_manager.py
@@ -0,0 +1,148 @@
+#
+#
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+
+
+import logging
+
+from .secrets_manager_factory import SecretsManagerFactory
+
+logger = logging.getLogger(__name__)
+
+SUPPORTED_MANAGERS = ("bitwarden", "hashicorp")
+
+
+def _extract_bitwarden_field(item, field_name):
+    """Extract a field value from a Bitwarden item.
+
+    Searches in the 'login' dict first, then in the 'fields' array.
+
+    :param dict item: The Bitwarden item dictionary
+    :param str field_name: The name of the field to extract
+
+    :returns: The field value or None if not found
+    :rtype: str or None
+    """
+    # Check login fields first (username, password, etc.)
+    login_data = item.get('login', {})
+    if login_data and field_name in login_data:
+        return login_data[field_name]
+
+    # Check custom fields array
+    for field in item.get('fields', []):
+        if field.get('name') == field_name:
+            return field.get('value')
+
+    return None
+
+
+def _extract_hashicorp_field(secret, field_name):
+    """Extract a field value from a HashiCorp Vault secret.
+
+    Reads from secret['data']['data'][field_name].
+
+    :param dict secret: The HashiCorp Vault secret dictionary
+    :param str field_name: The name of the field to extract
+
+    :returns: The field value or None if not found
+    :rtype: str or None
+    """
+    secret_data = secret.get('data', {}).get('data', {})
+    return secret_data.get(field_name)
+
+
+def resolve_credentials(
+    manager_type: str,
+    manager_config: dict,
+    item_name: str,
+    field_names: list[str],
+) -> dict[str, str]:
+    """Resolve credentials from a secrets manager.
+
+    Fetches a secret item from the specified secrets manager and extracts
+    the requested fields. Field names in the vault must match the parameter
+    names expected by Perceval (e.g. 'api_token', 'user', 'password').
+
+    :param str manager_type: The secrets manager to use
+        ('bitwarden' or 'hashicorp')
+    :param dict manager_config: Manager-specific authentication config.
+        Bitwarden: {'client_id', 'client_secret', 'master_password'}
+        HashiCorp: {'vault_url', 'token', 'certificate'}
+    :param str item_name: Name/path of the secret item in the vault
+    :param list field_names: List of field names to look up in the vault.
+        Example: ['api_token', 'user', 'password']
+
+    :returns: Dict mapping field names to resolved string values.
+        Only fields that were found are included.
+    :rtype: dict[str, str]
+
+    :raises ValueError: If manager_type is unsupported or item_name is empty
+    :raises CredentialNotFoundError: If the secret item is not found
+    :raises CredentialManagerError: If manager authentication fails
+    """
+    if manager_type not in SUPPORTED_MANAGERS:
+        raise ValueError(
+            f"Unsupported secrets manager: '{manager_type}'. "
+            f"Supported: {', '.join(SUPPORTED_MANAGERS)}"
+        )
+
+    if not item_name:
+        raise ValueError("item_name must be non-empty")
+
+    if not field_names:
+        return {}
+
+    result = {}
+
+    if manager_type == 'bitwarden':
+        manager = SecretsManagerFactory.get_bitwarden_manager(
+            manager_config['client_id'],
+            manager_config['client_secret'],
+            manager_config['master_password'],
+        )
+        manager.login()
+        try:
+            item = manager.get_secret(item_name)
+            for field_name in field_names:
+                value = _extract_bitwarden_field(item, field_name)
+                if value is None:
+                    logger.warning(
+                        "Field '%s' not found in Bitwarden item '%s'",
+                        field_name, item_name,
+                    )
+                    continue
+                result[field_name] = value
+        finally:
+            manager.logout()
+
+    elif manager_type == 'hashicorp':
+        manager = SecretsManagerFactory.get_hashicorp_manager(
+            manager_config['vault_url'],
+            manager_config['token'],
+            manager_config.get('certificate'),
+        )
+        secret = manager.get_secret(item_name)
+        for field_name in field_names:
+            value = _extract_hashicorp_field(secret, field_name)
+            if value is None:
+                logger.warning(
+                    "Field '%s' not found in HashiCorp secret '%s'",
+                    field_name, item_name,
+                )
+                continue
+            result[field_name] = value
+
+    return result
diff --git a/grimoirelab_toolkit/credential_manager/exceptions.py b/grimoirelab_toolkit/credential_manager/exceptions.py
@@ -15,9 +15,7 @@
 # You should have received a copy of the GNU General Public License
 # along with this program. If not, see <http://www.gnu.org/licenses/>.
 #
-# Author:
-#     Alberto Ferrer Sánchez (alberefe@gmail.com)
-#
+
 
 """Custom exceptions for the credential manager module."""
 
diff --git a/grimoirelab_toolkit/credential_manager/secrets_manager_factory.py b/grimoirelab_toolkit/credential_manager/secrets_manager_factory.py
@@ -0,0 +1,92 @@
+#
+#
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+
+
+import logging
+
+from .exceptions import HashicorpVaultError
+
+logger = logging.getLogger(__name__)
+
+
+class SecretsManagerFactory:
+    """Factory for creating secrets manager instances.
+
+    This class defines static methods to create instances of different
+    secrets manager implementations. The workflow is:
+
+    bw_manager = SecretsManagerFactory.get_bitwarden_manager(client_id, client_secret, master_password)
+    hc_manager = SecretsManagerFactory.get_hashicorp_manager(vault_url, token, certificate)
+
+    Each factory method handles the instantiation of the appropriate
+    manager class with the required credentials and configuration,
+    providing a centralized way to create secrets manager objects.
+
+    The factory validates required parameters before creating instances
+    and raises appropriate exceptions if credentials are missing or invalid.
+    """
+
+    @staticmethod
+    def get_bitwarden_manager(client_id: str, client_secret: str, master_password: str):
+        """Create a BitwardenManager instance.
+
+        Creates and returns a new BitwardenManager instance using the
+        provided API credentials and master password.
+
+        :param str client_id: Bitwarden API client ID
+        :param str client_secret: Bitwarden API client secret
+        :param str master_password: Master password for unlocking the vault
+
+        :returns: A new BitwardenManager instance
+        :rtype: BitwardenManager
+
+        :raises BitwardenCLIError: If Bitwarden CLI is not found in PATH
+        """
+        from .bw_manager import BitwardenManager
+
+        logger.debug("Creating new Bitwarden manager")
+
+        return BitwardenManager(client_id, client_secret, master_password)
+
+    @staticmethod
+    def get_hashicorp_manager(
+        vault_url: str, token: str, certificate: str | bool = None
+    ):
+        """Create a HashicorpManager instance.
+
+        Creates and returns a new HashicorpManager instance using the
+        provided Vault URL, authentication token, and certificate settings.
+
+        :param str vault_url: The URL of the HashiCorp Vault
+        :param str token: The access token for authentication
+        :param Union[str, bool, None] certificate: TLS verification setting. Either a boolean to indicate whether TLS
+            verification should be performed, a string pointing at the CA bundle to use for
+            verification
+
+        :returns: A new HashicorpManager instance
+        :rtype: HashicorpManager
+
+        :raises HashicorpVaultError: If required credentials cannot be obtained
+        """
+        from .hc_manager import HashicorpManager
+
+        logger.debug("Creating new Hashicorp manager")
+
+        if not all([vault_url, token]):
+            raise HashicorpVaultError("HashiCorp Vault requires vault_url and token")
+
+        return HashicorpManager(vault_url, token, certificate)
diff --git a/releases/unreleased/standalone-credential-resolution.yaml b/releases/unreleased/standalone-credential-resolution.yaml
@@ -0,0 +1,7 @@
+title: 'Add standalone credential resolution function'
+category: added
+author: Alberto Ferrer Sánchez <alberefe@gmail.com>
+issue:
+notes: >
+    Add resolve_credentials() function that allows resolving credentials
+    from configuration without requiring the full GrimoireLab framework.
diff --git a/tests/test_resolve_credentials.py b/tests/test_resolve_credentials.py

Original file line number	Diff line number	Diff line change
`@@ -15,9 +15,7 @@`
`15`	`15`	`# You should have received a copy of the GNU General Public License`
`16`	`16`	`# along with this program. If not, see <http://www.gnu.org/licenses/>.`
`17`	`17`	`#`
`18`		`-# Author:`
`19`		`-# Alberto Ferrer Sánchez (alberefe@gmail.com)`
`20`		`-#`
	`18`	`+`
`21`	`19`
`22`	`20`	`"""Custom exceptions for the credential manager module."""`
`23`	`21`