{"id":14008493,"url":"https://github.com/mulbc/vaultPass","last_synced_at":"2025-07-24T03:32:54.446Z","repository":{"id":45911635,"uuid":"162138315","full_name":"mulbc/vaultPass","owner":"mulbc","description":"A Chrome extension to leverage Hashicorp Vault as Credential Storage for teams","archived":false,"fork":true,"pushed_at":"2024-06-03T07:51:48.000Z","size":306,"stargazers_count":94,"open_issues_count":5,"forks_count":38,"subscribers_count":7,"default_branch":"master","last_synced_at":"2024-08-10T11:03:41.842Z","etag":null,"topics":["browser-extension","credential-manager","password-manager","vault"],"latest_commit_sha":null,"homepage":"","language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":"Dmitry1987/vault-chrome-extension","license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/mulbc.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2018-12-17T13:54:42.000Z","updated_at":"2024-07-25T04:39:02.000Z","dependencies_parsed_at":"2023-02-09T19:30:26.184Z","dependency_job_id":null,"html_url":"https://github.com/mulbc/vaultPass","commit_stats":null,"previous_names":[],"tags_count":9,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mulbc%2FvaultPass","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mulbc%2FvaultPass/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mulbc%2FvaultPass/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mulbc%2FvaultPass/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/mulbc","download_url":"https://codeload.github.com/mulbc/vaultPass/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":227410704,"owners_count":17774787,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["browser-extension","credential-manager","password-manager","vault"],"created_at":"2024-08-10T11:01:44.087Z","updated_at":"2024-11-30T19:31:10.542Z","avatar_url":"https://github.com/mulbc.png","language":"JavaScript","funding_links":[],"categories":["JavaScript"],"sub_categories":[],"readme":"# vaultPass\n\nA Browser extension to leverage Hashicorp Vault as Credential Storage for teams\n\nA project started on a Hackathon @ ironSource by [Dimitry1987](https://github.com/Dmitry1987) and continued by [Chris Blum](https://github.com/zeichenanonym)\n\n**Get it:**\\\n\u0026nbsp;\u0026nbsp; [Chrome Store](https://chrome.google.com/webstore/detail/vaultpass/kbndeonibamcpiibocdhlagccdlmefco)\\\n\u0026nbsp;\u0026nbsp; [Firefox AMO](https://addons.mozilla.org/en-GB/firefox/addon/vaultpass/)\n\n## Current features\n\n1. Connect to Vault and get Token\n2. Get list of potential credentials in Popup\n3. Select credentials from popup and have them filled into the website\n4. Copy username \u0026 password to the clipboard\n\n### Token grabber\n\nThe token grabber feature allows this plugin to effectively use any Vault authentication method, including ones that don't use a username-password (such as OIDC or GitHub). In order to use this feature, log into Vault via your preferred authentication method, and press the **Get token from Vault** button in Options, **while on the Vault browser window**. All login-related fields of the plugin can be left empty, even the Vault URL.\n\n## Requirements\n\n1. Vault needs to be prepared to use this extension.\n   Usernames and passwords we wish to retrieve from Vault need to be defined in a KV store.\n   Version 1 and 2 of the KV store are supported - only differences are the Vault policies you will have to write.\n\n2. By default, secrets should be created using the following path template:\n   `/secret/vaultPass/[someOrg]/[url]` where:\n\n   - `someOrg` will be some organisational level in your company to separate access levels\n     - You can activate and deactivate these \"folders\" in options\n   - `url` is a RegEx used to match the website's URL that the credentials are for\n     - Be aware that \\*, ?, ., \\\\, ^, $ (and potentially others...) have a special meaning when in a regular expression hence might not trigger the behaviour that you might expect. Check your regular expression using an online tools like regex101.com if in doubt.\n\nExamples:\n`/secret/vaultPass/marketing/github.com` to define credentials for any URLs that contains `github.com`\n`/secret/vaultPass/accounting/api.*.github.com(.au){0,1}` to define credentials for any URLs that contains `api` followed by anything then ends with `github.com` or `gitlab.com.au`\n\n3. Each secret should have _at least_ one `username` key and one `password` key with the respective information.\n\nExample:\n\n```\n{\n  \"username\": \"john.smith@internet.com\",\n  \"password\": \"mySecretPassword\"\n}\n```\n\n4. However, if you have more than one valid set of credentials for the same website, you can define multiple pairs of username/password combinations. Just add them with an additional suffix ensuring that each username has a corresponding password.\n\nExample:\n\n```\n{\n  \"username\": \"myusername\",\n  \"password\": \"mypassword\",\n  \"username.2\": \"other username\",\n  \"password.2\": \"other password\",\n  \"username for test\": \"test username\",\n  \"password for test\": \"test password\"\n}\n```\n\n5. Get a Token via the options page of this extension\n\n**_NOTE:_** You can now store your credentials in any KV store within your Vault instance, not just `/secret/vaultPass`\nJust specify your custom secrets' path in the Options page of the extension.\n\n## Example policies\n\nThere are two short docs to get your started with access policies:\n\n- [KV version 1](docs/access_policies_v1.md)\n- [KV version 2](docs/access_policies_v2.md)\n\nIf you just installed Vault - you probably have Version 2.\n\n## TODO\n\n- Create application specific Token instead of using the user-token\n- Write (new) credentials to Vault\n  - Out of scope --\u003e Do this directly in Vault for now\n\n## Notes\n\nTested with Vault 1.0.x\n\n## Contribute\n\n### Pre-Commit Hook\n\nIf you contribute, please install the [pre-commit Hook](https://pre-commit.com/).\nIf you have no idea what I am talking about - it's as easy as this:\n\n```bash\npip install pre-commit\npre-commit install\n```\n\nThis will install the hook and will run [checks](.pre-commit-config.yaml) before you commit changes.\n\n### Setup development Vault instance\n\nAfterwards you can set up a development Vault instance using the `./start_dev_environment.sh` script. The script will use docker (also works with podman) to start a local Vault in dev mode and configure a user `mitchellh` with password `foo` for the userpass module. There is a default VaultPass secret for `google.com`.\n\nYou can also reach the Vault Web UI via http://localhost:8200/ui and login with the `myroot` token.\n\nNEW: This will now also spin up an openLDAP test server based on https://github.com/rroemhild/docker-test-openldap and configure Vault to use it.\n\nWhen you run the script, the output should look like this:\n\n```bash\n$ ./start_dev_environment.sh\n9c2b08a15a299bfea63287c6bb5a8a9c6a41a761ff8f79372423a0488e69e2fb\ne59529399f56c8fc0c17c8e1bb52ebf00a6092533cf0f3d3c63de8bcf43a2273\nSuccess! You are now authenticated. The token information displayed below\nis already stored in the token helper. You do NOT need to run \"vault login\"\nagain. Future Vault requests will automatically use this token.\n\nKey                  Value\n---                  -----\ntoken                myroot\ntoken_accessor       z3Xe85dqSit2jEuA6VbsoF08\ntoken_duration       ∞\ntoken_renewable      false\ntoken_policies       [\"root\"]\nidentity_policies    []\npolicies             [\"root\"]\nKey              Value\n---              -----\ncreated_time     2022-05-25T15:00:13.317169405Z\ndeletion_time    n/a\ndestroyed        false\nversion          1\nKey              Value\n---              -----\ncreated_time     2022-05-25T15:00:13.349194927Z\ndeletion_time    n/a\ndestroyed        false\nversion          1\nSuccess! Enabled userpass auth method at: userpass/\nSuccess! Data written to: auth/userpass/users/mitchellh\nSuccess! Data written to: sys/policy/default\nSuccess! Enabled ldap auth method at: ldap/\nSuccess! Data written to: auth/ldap/config\nSuccess! Data written to: auth/ldap/groups/admin_staff\n```\n\nAfterwards you can login to this Vault instance with the VaultPass extension like this:\n![VaultPass dev login](docs/VaultPassDevLogin.png 'VaultPass dev login')\n\nUse `foo` as the password for the `mitchellh` user.\n\nThis user has access to the secrets in the `Admin` folder and no access to the secrets in the `Denied` folder. This is defined in the [dev_default.hcl](dev_default.hcl) file and applied by the [start_dev_environment.sh](start_dev_environment.sh) script.\n\nYou can now also login as any \"Futurama\" user from https://github.com/rroemhild/docker-test-openldap.\nUsers from the \"admin_staff\" group are configured to get the \"admin\" profile.\nYou can test it like this:\n\n```bash\n$ docker exec -it --env 'VAULT_ADDR=http://127.0.0.1:8200' dev-vault sh -c 'vault login -method=ldap username=hermes'\nPassword (will be hidden):\nSuccess! You are now authenticated. The token information displayed below\nis already stored in the token helper. You do NOT need to run \"vault login\"\nagain. Future Vault requests will automatically use this token.\n\nKey                    Value\n---                    -----\ntoken                  s.TNZp1LHcq9M20SALGIahcEx4\ntoken_accessor         MLdc6OSfP9sKgiTQ5pZx8LJ0\ntoken_duration         768h\ntoken_renewable        true\ntoken_policies         [\"admin\" \"default\"]\nidentity_policies      []\npolicies               [\"admin\" \"default\"]\ntoken_meta_username    hermes\n```\n\nAs you can see, we logged in as \"hermes\" who is member of the \"admin_staff\" group and we get the default and admin policy applied. If we try the same as fry, we only get the default policy applied:\n\n```bash\n$ docker exec -it --env 'VAULT_ADDR=http://127.0.0.1:8200' dev-vault sh -c 'vault login -method=ldap username=fry'\nPassword (will be hidden):\nSuccess! You are now authenticated. The token information displayed below\nis already stored in the token helper. You do NOT need to run \"vault login\"\nagain. Future Vault requests will automatically use this token.\n\nKey                    Value\n---                    -----\ntoken                  s.XaSJRNGW6Iy4aSpLFN50szQT\ntoken_accessor         3hSyjqyEr00XHT0tdwQiPHKZ\ntoken_duration         768h\ntoken_renewable        true\ntoken_policies         [\"admin\" \"default\"]\nidentity_policies      []\npolicies               [\"admin\" \"default\"]\ntoken_meta_username    fry\n```\n\nNOTE: Username and Password are the same for all users supplied via ldap ;)\n\nTo stop and delete this Vault instance run this command:\n\n```bash\ndocker pod rm -f vaultpass-dev\n```\n\nAfterwards it can be recreated with the [start_dev_environment.sh](start_dev_environment.sh) script.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmulbc%2FvaultPass","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmulbc%2FvaultPass","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmulbc%2FvaultPass/lists"}