
Passbolt integration

We use Passbolt for storing passwords in our team and currently we have to manually update credentials between Passbolt and Royal TS whenever they're added or changed. It would be nice to hook into our existing Passbolt system for selecting "existing credentials" on items in Royal TS.


Passbolt API Documentation



Hi Greg,


thanks for the feedback. Because it's quite challenging for us to familiarize ourselves with every possible product out there, we created a powerful and easy-to-use interface to integrate such products in Royal TS - assuming you have some scripting experience.


Most of these integrations (dynamic folder scripts) are community driven and created/maintained by our users who are actually using these products in production. You can find samples for existing scripts here:

https://www.royalapps.com/go/dynamicfolder-samples


For more information about dynamic folders, see:

https://www.royalapps.com/go/help-ts-win-v6-ref-dynamic-folder

https://www.royalapps.com/go/rjson-documentation


You're welcome to submit your script(s) by submitting PRs to that repository.


If you have any questions, let us know.


Regards,
Stefan

Hi,


did you find a solution?


Does royalts work with passbolt now, or is there a chance to connect passbolt and royal ts?


Best regards,

Katharina Primetshofer

> did you find a solution?


Sort of. I wrote a Dynamic Folders script in Python using passbolt-python-api that works well enough but the entire process leaves a lot to be desired. That's not any fault of Royal TS, though. The way Passbolt works is somewhat complicated, with all of the client-side key management and encryption handled by the browser plugin. My script has to mimic that in every way and it's a lot more complicated than I'd like.

  • Each user needs to have Gpg4win installed with Kleopatra running and holding a copy of their Passbolt private key, which is exported from the browser plugin via the Keys inspector.
  • Each user needs to have a "Passbolt Credentials" object in their application document containing their Passbolt private key fingerprint (as the username) and passphrase (as the password).
  • Users share a single Royal TS document that contains the dynamic folder object with a custom property for the Server URL set to our internal Passbolt server and the document Credentials set to the "Passbolt Credentials" object from the application document.
  • The actual script lives in a virtualenv next to the shared document and contains a custom PassboltProAPI class that I wrote, which inherits the PassboltAPI class from passbolt-python-api and adds some functions for exporting the folder hierarchy with resources exported as Dynamic Credentials.
  • The dynamic folder object contains a few stubs of code in the Dynamic Folder Script and Dynamic Credential Script to call my PassboltProAPI class and dump the output (a Python dict) to the JSON data format expected by Royal TS.
Overall it works but it's not great. I have many thoughts on its current state:
  • This requires a lot more setup than the browser plugin, complicating new user adoption and user PC migrations.
  • The user's private key remains unlocked while the script is running and sensitive data are transmitted in plain text between the Python script and Royal TS, albeit for a short time.
  • I'd like to eliminate Gpg4win and store the private key and passphrase in Royal TS. Not sure how to pass the private key as a byte[] array from Royal TS to the Python script or how to use the key directly with python-gnupg.
  • Haven't figured out a good way to perform MFA since it was introduced in Passbolt. Without a good solution for MFA, no one is actually using this aside from my own testing.
  • I think Royal's new TOTP generation feature should work for MFA but I need to look into it further. This feature was just added two weeks ago with version 7.03.50102.
If there's interest, I'll see if I can get permission to open source it and post it to my GitHub. Although I doubt that's going to happen until I can solve the MFA problem, since that's holding us back from actually using this internally.
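The split Greg describes (folder hierarchy exported with resources as Dynamic Credentials, secrets resolved only on demand) as an added example; this is not his script and not passbolt-python-api code. The folder and resource records are constructed to resemble Passbolt's folder_parent_id listings, the rJSON keys (Objects, Type, Name, ID, Username, Password) are assumed from the rJSON documentation linked above and should be checked against it, and decrypt_secret is a stand-in for the PGP decryption step.

```python
import json

# Constructed sample records shaped like Passbolt folder/resource listings.
# They carry metadata only; the encrypted secret is never part of these lists.
FOLDERS = [
    {"id": "f-root", "name": "Infrastructure", "folder_parent_id": None},
    {"id": "f-db", "name": "Databases", "folder_parent_id": "f-root"},
]
RESOURCES = [
    {"id": "r-1", "name": "pg-primary", "username": "postgres", "folder_parent_id": "f-db"},
    {"id": "r-2", "name": "bastion", "username": "ops", "folder_parent_id": "f-root"},
    {"id": "r-3", "name": "unfiled-switch", "username": "admin", "folder_parent_id": None},
]


def build_folder_tree(folders, resources):
    """rJSON for the Dynamic Folder Script (assumed key names).

    Nesting is rebuilt from folder_parent_id; every resource becomes a
    DynamicCredential placeholder, so no password is emitted at folder-load
    time and nothing secret sits in the Royal TS document or on stdout.
    """
    node_for = {f["id"]: {"Type": "Folder", "Name": f["name"], "Objects": []}
                for f in folders}
    root = {"Objects": []}
    for f in folders:
        node_for.get(f["folder_parent_id"], root)["Objects"].append(node_for[f["id"]])
    for r in resources:
        node_for.get(r["folder_parent_id"], root)["Objects"].append({
            "Type": "DynamicCredential",
            "Name": r["name"],
            "ID": r["id"],  # Royal TS hands this back to the credential script
        })
    return root


def dynamic_credential_response(resource_id, decrypt_secret):
    """rJSON for the Dynamic Credential Script: one secret, decrypted on demand.

    decrypt_secret(resource_id) is a stand-in for fetching that resource's
    encrypted secret from Passbolt and decrypting it with the user's OpenPGP key.
    """
    resource = next(r for r in RESOURCES if r["id"] == resource_id)
    return {"Username": resource["username"], "Password": decrypt_secret(resource_id)}


def contains_secret(obj, secret):
    """Sanity check: a folder-script payload must never carry a password."""
    return secret in json.dumps(obj)


if __name__ == "__main__":
    print(json.dumps(build_folder_tree(FOLDERS, RESOURCES), indent=2))
```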
