Passbolt integration

> did you find a solution?

Sort of. I wrote a Dynamic Folders script in Python using passbolt-python-api that works well enough but the entire process leaves a lot to be desired. That’s not any fault of Royal TS, though. The way Passbolt works is somewhat complicated, with all of the client-side key management and encryption handled by the browser plugin. My script has to mimic that in every way and it’s a lot more complicated than I’d like.

  • Each user needs to have Gpg4win installed with Kleopatra running and holding a copy of their Passbolt private key, which is exported from the browser plugin via the Keys inspector.
  • Each user needs to have a “Passbolt Credentials” object in their application document containing their Passbolt private key fingerprint (as the username) and passphrase (as the password).
  • Users share a single Royal TS document that contains the dynamic folder object with a custom property for the Server URL set to our internal Passbolt server and the document Credentials set to the “Passbolt Credentials” object from the application document.
  • The actual script lives in a virtualenv next to the shared document and contains a custom PassboltProAPI class that I wrote, which inherits the PassboltAPI class from passbolt-python-api and adds some functions for exporting the folder hierarchy with resources exported as Dynamic Credentials.
  • The dynamic folder object contains a few stubs of code in the Dynamic Folder Script and Dynamic Credential Script to call my PassboltProAPI class and dump the output (a Python dict) to the JSON data format expected by Royal TS.

Overall it works but it’s not great. I have many thoughts on its current state:

  • This requires a lot more setup than the browser plugin, complicating new user adoption and user PC migrations.
  • The user’s private key remains unlocked while the script is running and sensitive data are transmitted in plain-text between the Python script and Royal TS, albeit for a short time.
  • I’d like to eliminate Gpg4win and store the private key and passphrase in Royal TS. Not sure how to pass the private key as a byte array from Royal TS to the Python script or how to use the key directly with python-gnupg.
  • Haven’t figured out a good way to perform MFA since it was introduced in Passbolt. Without a good solution for MFA, no one is actually using this aside from my own testing.
  • I think Royal’s new TOTP generation feature should work for MFA but I need to look into it further. This feature was just added two weeks ago with version 7.03.50102.

If there’s interest, I’ll see if I can get permission to open source it and post it to my GitHub. Although I doubt that’s going to happen until I can solve the MFA problem, since that’s holding us back from actually using this internally.
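To make the folder-hierarchy-to-rJSON step concrete, here is an added example of my own (not the poster's PassboltProAPI class, nor code from passbolt-python-api or Royal TS). It assumes Passbolt-style flat records keyed by `folder_parent_id`, Royal TS rJSON `Folder`/`DynamicCredential` objects with `Type`, `Name` and `ID`, and a Dynamic Credential Script response of `Username`/`Password`; the sample records are constructed inline and the decrypt step is stubbed.

```python
import json

# Constructed sample records shaped like Passbolt folder/resource objects
# (assumption: only id, name, username and parent-folder id are needed here).
SAMPLE_FOLDERS = [
    {"id": "f-root", "name": "Infrastructure", "folder_parent_id": None},
    {"id": "f-db", "name": "Databases", "folder_parent_id": "f-root"},
]
SAMPLE_RESOURCES = [
    {"id": "r-1", "name": "pg-primary", "username": "dba", "folder_parent_id": "f-db"},
    {"id": "r-2", "name": "bastion", "username": "ops", "folder_parent_id": "f-root"},
    {"id": "r-3", "name": "orphan", "username": "x", "folder_parent_id": None},
]


def build_dynamic_folder(folders, resources):
    """Dynamic Folder Script stage: nest Folder objects and emit one
    DynamicCredential per resource. Only IDs and names are emitted; the
    password never enters this payload, it is fetched per credential later."""
    child_folders, child_resources = {}, {}
    for f in folders:
        child_folders.setdefault(f["folder_parent_id"], []).append(f)
    for r in resources:
        child_resources.setdefault(r["folder_parent_id"], []).append(r)

    def objects_under(parent_id):
        objs = [{"Type": "Folder", "Name": f["name"], "Objects": objects_under(f["id"])}
                for f in child_folders.get(parent_id, [])]
        objs += [{"Type": "DynamicCredential", "ID": r["id"], "Name": r["name"]}
                 for r in child_resources.get(parent_id, [])]
        return objs

    # Folders/resources with no parent (None) sit at the top level.
    return {"Objects": objects_under(None)}


def to_rjson(folders, resources):
    """Serialize to the JSON string Royal TS reads from stdout."""
    return json.dumps(build_dynamic_folder(folders, resources))


def resolve_dynamic_credential(resource_id, resources, decrypt_secret):
    """Dynamic Credential Script stage: Royal TS hands back one ID; return
    only that resource's secret. `decrypt_secret` stands in for the GPG
    decryption of the Passbolt secret (assumption, stubbed by the caller)."""
    match = next((r for r in resources if r["id"] == resource_id), None)
    if match is None:
        raise KeyError(f"unknown resource id {resource_id!r}")
    return {"Username": match["username"], "Password": decrypt_secret(resource_id)}
```

Splitting the work this way keeps secrets out of the shared folder listing, so only the single credential being used is decrypted and passed to Royal TS.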