Demonstrating the Enterprise MFA workflow

mfa-ping.sh

#!/bin/bash

## Tools required
# brew install jq
# Vault Enterprise binary in the PATH

## Vault Server Command (separate terminal)
# VAULT_LICENSE=<vault license> vault server -dev -dev-root-token-id=root

export VAULT_ADDR=http://127.0.0.1:8200
export VAULT_TOKEN=root

MFA_NAME=my_mfa
POLICY_NAME=mfa-policy
PINGID_SETTINGS_FILE="<base64 settings file>"

# Set up userpass
vault auth enable userpass
vault write auth/userpass/users/testuser password="password"
USERPASS_ACCESSOR=$(vault auth list -format=json | jq -r '.["userpass/"].accessor')

# Create MFA key
vault write sys/mfa/method/pingid/$MFA_NAME mount_accessor=$USERPASS_ACCESSOR settings_file_base64="$PINGID_SETTINGS_FILE"

# Write some data
vault kv put secret/foo abc=123

# Create policy
POLICY="path \"secret/data/foo\" {
  capabilities = [\"read\"]
  mfa_methods  = [\"$MFA_NAME\"]
}
"
vault policy write $POLICY_NAME - <<< $POLICY

# Generate an identity
ENTITY_ID=$(vault write -f -format=json identity/entity policies=$POLICY_NAME | jq -r .data.id)

# Attach entity to user
vault write identity/entity-alias name=testuser canonical_id=$ENTITY_ID mount_accessor=$USERPASS_ACCESSOR

# Generate a token for logging in
USER_TOKEN=$(vault login -format=json -method=userpass username=testuser password=password | \
    jq -r .auth.client_token)
echo $USER_TOKEN

# Do not pass mfa to mfa protected path
VAULT_TOKEN=$USER_TOKEN vault kv get secret/foo # Should fail

# Generic read command because `vault kv` does not seem to support the mfa code
echo "VAULT_TOKEN=$USER_TOKEN vault read -format=json secret/data/foo | jq .data.data"
VAULT_TOKEN=$USER_TOKEN vault read -format=json secret/data/foo | jq .data.data # Should succeed

mfa-totp.sh

#!/bin/bash

## Tools required
# brew install oath-tools qrencode jq
# Vault Enterprise binary in the PATH

## Vault Server Command (separate terminal)
# VAULT_LICENSE=<vault license> vault server -dev -dev-root-token-id=root

export VAULT_ADDR=http://127.0.0.1:8200
export VAULT_TOKEN=root

TOTP_NAME=my_totp
TOTP_DIGITS=6
TOTP_ALGORITHM=SHA256
TOTP_PERIOD=30
TOTP_ISSUER=Vault

# Set up userpass
vault auth enable userpass
vault write auth/userpass/users/test_user password="password"
USERPASS_ACCESSOR=$(vault auth list -format=json | jq -r '.["userpass/"].accessor')

# Create MFA key
vault write sys/mfa/method/totp/$TOTP_NAME issuer=$TOTP_ISSUER algorithm=$TOTP_ALGORITHM digits=$TOTP_DIGITS period=$TOTP_PERIOD

# Write some data
vault kv put secret/foo abc=123

# Create policy
POLICY="path \"secret/data/foo\" {
  capabilities = [\"read\"]
  mfa_methods  = [\"$TOTP_NAME\"]
}
"
vault policy write totp-policy - <<< $POLICY

# Generate an identity
ENTITY_ID=$(vault write -f -format=json identity/entity policies=totp-policy | jq -r .data.id)

# Attach entity to user
vault write identity/entity-alias name=test_user canonical_id=$ENTITY_ID mount_accessor=$USERPASS_ACCESSOR

# Attached MFA to Entity
MFA_CONFIG=$(vault write -f -format=json sys/mfa/method/totp/$TOTP_NAME/admin-generate entity_id=$ENTITY_ID)
MFA_SECRET=$(jq -r .data.url <<< $MFA_CONFIG | \
    cut -d'=' -f6)

# Display QR code, cannot use URL returned since Google Authenticator seems to require the secret
# to be the first parameter
MFA_URL="otpauth://totp/$TOTP_ISSUER:$ENTITY_ID?secret=$MFA_SECRET&issuer=$TOTP_ISSUER&algorithm=$TOTP_ALGORITHM&digits=$TOTP_DIGITS&period=$TOTP_PERIOD"
qrencode -t ansiutf8 <<< $MFA_URL

# Generate a token for logging in
USER_TOKEN=$(vault login -format=json -method=userpass username=test_user password=password | \
    jq -r .auth.client_token)

# Generate TOTP code
MFA_CODE=$(oathtool --totp=$TOTP_ALGORITHM --time-step-size=$TOTP_PERIOD --base32 $MFA_SECRET)

# Do not pass mfa to mfa protected path
VAULT_TOKEN=$USER_TOKEN vault kv get secret/foo # Should fail

# Generic read command because `vault kv` does not seem to support the mfa code
VAULT_TOKEN=$USER_TOKEN vault read -mfa $TOTP_NAME:$MFA_CODE -format=json secret/data/foo | jq .data.data # Should succeed