rigelreyes · November 15, 2019 02:24 · v6 · Nov 15, 2019
diff --git a/andrea_rsa_pol.hcl b/andrea_rsa_pol.hcl
 path "db_rsa_key/*" {
  capabilities = ["read", "list"]
 }
diff --git a/andrea_rsa_pol.json b/andrea_rsa_pol.json
 {
    "policy": "path \"db_rsa_key/*\" {  capabilities = [\"read\", \"list\"]}"
 }
diff --git a/assign_pol.json b/assign_pol.json
 {
  "value": [
    "andrea_rsa",
    "cipol"
  ]
 }
diff --git a/auth_test_cli.sh b/auth_test_cli.sh
 #! /bin/bash auth_test_cli.sh

 # Set env variable
 export VAULT_ADDR=http://127.0.0.1:8200
 export VAULT_TOKEN=AddYourVaultTokenHere

 # Enable Transit db_rsa_key in root namespace
 vault secrets enable -path=db_rsa_key transit
 vault secrets list 
 vault create namespace ci
 vault namespace list

 # Enable LDAP and GitHub
 vault auth enable ldap
 vault auth enable github
 vault auth list

 # Create a new policy in db_rsa_key for Andrea
 vault policy write andrea_rsa andrea_rsa_pol.hcl
 vault policy list

 # Create policy for CI namespace
 export VAULT_NAMESPACE=ci
 vault policy write cipol ci_pol.hcl

 # Assign rsa and ci policy to Andrea on LDAP
 vault write auth/ldap/users/andrea policies=andrea_rsa,cipol
 vault read auth/ldap/users/andrea

 # Assign rsa and ci policy to Andrea on GitHub
 vault write auth/github/map/users/andrea value=andrea_rsa,cipol
 vault read auth/github/map/users/andrea
diff --git a/auth_test_curl.sh b/auth_test_curl.sh
 #! /bin/bash auth_test_curl.sh

 # Set env variable
 export VAULT_ADDR=http://127.0.0.1:8200
 export VAULT_TOKEN=AddYourVaultTokenHere

 # Enable Transit db_rsa_key in root namespace
 curl \
    --header "X-Vault-Token: $VAULT_TOKEN" \
    --request POST \
    --data @db_rsa_key.json \
    $VAULT_ADDR/v1/sys/mounts/db_rsa_key
 curl \
    --header "X-Vault-Token: $VAULT_TOKEN" \
    $VAULT_ADDR/v1/sys/mounts \
    | jq
 curl \
    --header "X-Vault-Token: $VAULT_TOKEN" \
    --request POST \
    $VAULT_ADDR/v1/sys/namespaces/ci
 curl \
    --header "X-Vault-Token: $VAULT_TOKEN" \
    -X LIST \
    $VAULT_ADDR/v1/sys/namespaces \
    | jq

 # Enable LDAP and GitHub
 curl \
    --header "X-Vault-Token: $VAULT_TOKEN" \
    --request POST \
    --data @enable_ldap.json \
    $VAULT_ADDR/v1/sys/auth/ldap
 curl \
    --header "X-Vault-Token: $VAULT_TOKEN" \
    --request POST \
    --data @enable_github.json \
    $VAULT_ADDR/v1/sys/auth/github
 curl \
    --header "X-Vault-Token: $VAULT_TOKEN" \
   $VAULT_ADDR/v1/sys/auth \
   | jq

 # Create a new policy in db_rsa_key for Andrea
 curl \
    --header "X-Vault-Token: $VAULT_TOKEN" \
    --request PUT \
    --data @andrea_rsa_pol.json \
    $VAULT_ADDR/v1/sys/policies/acl/andrea_rsa
 curl \
    -X LIST \
    --header "X-Vault-Token: $VAULT_TOKEN" \
    $VAULT_ADDR/v1/sys/policies/acl \
    | jq

 # Create policy for CI namespace
 export VAULT_NAMESPACE=ci
 curl \
    --header "X-Vault-Token: $VAULT_TOKEN" \
    --header "X-Vault-Namespace: $VAULT_NAMESPACE" \
    --request PUT \
    --data @ci_pol.json \
    $VAULT_ADDR/v1/sys/policies/acl/cipol

 # Assign rsa and ci policy to Andrea on LDAP
 curl \
    --header "X-Vault-Token: $VAULT_TOKEN" \
    --request POST \
    --data @assign_pol.json \
    $VAULT_ADDR/v1/auth/ldap/users/andrea
 curl \
    --header "X-Vault-Token: $VAULT_TOKEN" \
    $VAULT_ADDR/v1/auth/ldap/users/andrea

 # Assign rsa and ci policy to Andrea on GitHub
 curl \
    --header "X-Vault-Token: $VAULT_TOKEN" \
    --request POST \
    --data @assign_pol.json \
    $VAULT_ADDR/v1/auth/ldap/map/users/andrea
 curl \
    --header "X-Vault-Token: $VAULT_TOKEN" \
    $VAULT_ADDR/v1/auth/github/map/users/andrea
diff --git a/ci_pol.hcl b/ci_pol.hcl
 # Manage namespaces
 path "sys/namespaces/*" {
   capabilities = ["create", "read", "update", "delete", "list", "sudo"]
 }

 # Manage policies
 path "sys/policies/acl/*" {
   capabilities = ["create", "read", "update", "delete", "list", "sudo"]
 }

 # List policies
 path "sys/policies/acl" {
  capabilities = ["list"]
 }

 # Enable and manage secrets engines
 path "sys/mounts/*" {
   capabilities = ["create", "read", "update", "delete", "list"]
 }

 # List available secrets engines
 path "sys/mounts" {
  capabilities = [ "read" ]
 }
diff --git a/ci_pol.json b/ci_pol.json
 {
    "policy": "path \"sys/namespaces/*\" {   capabilities = [\"create\", \"read\", \"update\", \"delete\", \"list\", \"sudo\"]}path \"sys/policies/acl/*\" {   capabilities = [\"read\", \"update\", \"list\", \"sudo\"]}path \"sys/policies/acl\" {  capabilities = [\"list\"]}path \"sys/mounts/*\" {   capabilities = [\"create\", \"read\", \"update\", \"delete\", \"list\"]}path \"sys/mounts\" {  capabilities = [ \"read\" ]}"
 }
diff --git a/db_rsa_key.json b/db_rsa_key.json
 {
    "type": "transit"    
 }
diff --git a/enable_github.json b/enable_github.json
 {
    "type": "github",
    "description": "Login with GitHub"
 }
diff --git a/enable_ldap.json b/enable_ldap.json
 {
    "type": "github",
    "description": "Login with GitHub"
 }
	{
	"policy": "path \"db_rsa_key/*\" { capabilities = [\"read\", \"list\"]}"
	}
	#! /bin/bash auth_test_cli.sh

	# Set env variable
	export VAULT_ADDR=http://127.0.0.1:8200
	export VAULT_TOKEN=AddYourVaultTokenHere

	# Enable Transit db_rsa_key in root namespace
	vault secrets enable -path=db_rsa_key transit
	vault secrets list
	vault create namespace ci
	vault namespace list

	# Enable LDAP and GitHub
	vault auth enable ldap
	vault auth enable github
	vault auth list

	# Create a new policy in db_rsa_key for Andrea
	vault policy write andrea_rsa andrea_rsa_pol.hcl
	vault policy list

	# Create policy for CI namespace
	export VAULT_NAMESPACE=ci
	vault policy write cipol ci_pol.hcl

	# Assign rsa and ci policy to Andrea on LDAP
	vault write auth/ldap/users/andrea policies=andrea_rsa,cipol
	vault read auth/ldap/users/andrea

	# Assign rsa and ci policy to Andrea on GitHub
	vault write auth/github/map/users/andrea value=andrea_rsa,cipol
	vault read auth/github/map/users/andrea
	#! /bin/bash auth_test_curl.sh

	# Set env variable
	export VAULT_ADDR=http://127.0.0.1:8200
	export VAULT_TOKEN=AddYourVaultTokenHere

	# Enable Transit db_rsa_key in root namespace
	curl \
	--header "X-Vault-Token: $VAULT_TOKEN" \
	--request POST \
	--data @db_rsa_key.json \
	$VAULT_ADDR/v1/sys/mounts/db_rsa_key
	curl \
	--header "X-Vault-Token: $VAULT_TOKEN" \
	$VAULT_ADDR/v1/sys/mounts \
	\| jq
	curl \
	--header "X-Vault-Token: $VAULT_TOKEN" \
	--request POST \
	$VAULT_ADDR/v1/sys/namespaces/ci
	curl \
	--header "X-Vault-Token: $VAULT_TOKEN" \
	-X LIST \
	$VAULT_ADDR/v1/sys/namespaces \
	\| jq

	# Enable LDAP and GitHub
	curl \
	--header "X-Vault-Token: $VAULT_TOKEN" \
	--request POST \
	--data @enable_ldap.json \
	$VAULT_ADDR/v1/sys/auth/ldap
	curl \
	--header "X-Vault-Token: $VAULT_TOKEN" \
	--request POST \
	--data @enable_github.json \
	$VAULT_ADDR/v1/sys/auth/github
	curl \
	--header "X-Vault-Token: $VAULT_TOKEN" \
	$VAULT_ADDR/v1/sys/auth \
	\| jq

	# Create a new policy in db_rsa_key for Andrea
	curl \
	--header "X-Vault-Token: $VAULT_TOKEN" \
	--request PUT \
	--data @andrea_rsa_pol.json \
	$VAULT_ADDR/v1/sys/policies/acl/andrea_rsa
	curl \
	-X LIST \
	--header "X-Vault-Token: $VAULT_TOKEN" \
	$VAULT_ADDR/v1/sys/policies/acl \
	\| jq

	# Create policy for CI namespace
	export VAULT_NAMESPACE=ci
	curl \
	--header "X-Vault-Token: $VAULT_TOKEN" \
	--header "X-Vault-Namespace: $VAULT_NAMESPACE" \
	--request PUT \
	--data @ci_pol.json \
	$VAULT_ADDR/v1/sys/policies/acl/cipol

	# Assign rsa and ci policy to Andrea on LDAP
	curl \
	--header "X-Vault-Token: $VAULT_TOKEN" \
	--request POST \
	--data @assign_pol.json \
	$VAULT_ADDR/v1/auth/ldap/users/andrea
	curl \
	--header "X-Vault-Token: $VAULT_TOKEN" \
	$VAULT_ADDR/v1/auth/ldap/users/andrea

	# Assign rsa and ci policy to Andrea on GitHub
	curl \
	--header "X-Vault-Token: $VAULT_TOKEN" \
	--request POST \
	--data @assign_pol.json \
	$VAULT_ADDR/v1/auth/ldap/map/users/andrea
	curl \
	--header "X-Vault-Token: $VAULT_TOKEN" \
	$VAULT_ADDR/v1/auth/github/map/users/andrea
	# Manage namespaces
	path "sys/namespaces/*" {
	capabilities = ["create", "read", "update", "delete", "list", "sudo"]
	}

	# Manage policies
	path "sys/policies/acl/*" {
	capabilities = ["create", "read", "update", "delete", "list", "sudo"]
	}

	# List policies
	path "sys/policies/acl" {
	capabilities = ["list"]
	}

	# Enable and manage secrets engines
	path "sys/mounts/*" {
	capabilities = ["create", "read", "update", "delete", "list"]
	}

	# List available secrets engines
	path "sys/mounts" {
	capabilities = [ "read" ]
	}
	{
	"policy": "path \"sys/namespaces/\" { capabilities = [\"create\", \"read\", \"update\", \"delete\", \"list\", \"sudo\"]}path \"sys/policies/acl/\" { capabilities = [\"read\", \"update\", \"list\", \"sudo\"]}path \"sys/policies/acl\" { capabilities = [\"list\"]}path \"sys/mounts/*\" { capabilities = [\"create\", \"read\", \"update\", \"delete\", \"list\"]}path \"sys/mounts\" { capabilities = [ \"read\" ]}"
	}