zalary · April 3, 2020 17:42
diff --git a/combined_control_group_policies.sh b/combined_control_group_policies.sh
 #!/bin/bash

 set -aex

 pkill -9 vault || true
 sleep 2s

 tee /tmp/config.hcl <<EOF
 storage "inmem" {}
 listener "tcp" {
    address = "127.0.0.1:8200"
    tls_disable = "true"
 }
 api_addr = "http://127.0.0.1:8200"
 pid_file = "/tmp/vault.pid"
 EOF


 vault server -config /tmp/config.hcl > /tmp/config.log 2>&1 &
 while ! nc -w 1 localhost 8200 </dev/null; do sleep 1; done

 # export VAULT_ADDR='http://127.0.0.1:8200'
 initResponse=$(vault operator init -format=json -key-shares 1 -key-threshold 1)
 unsealKey=$(echo $initResponse | jq -r '.unseal_keys_b64[0]')
 rootToken=$(echo $initResponse| jq -r '.root_token')

 vault operator unseal $unsealKey
 sleep 3s
 vault login $rootToken

 vault policy write admin-reader -<<EOF
 path "sys/policies/acl/admin-reader" {
    capabilities = [ "read" ]
 }
 path "kv/secret" {
    capabilities = [ "update", "list", "read", "delete" ]
    control_group = {
        factor "authorizer" {
            identity {
                approvals= 1
                group_names= [ "approver" ]
            }
        }
    }
 }
 EOF

 vault policy write admin-writer -<<EOF
 path "kv/secret" {
    capabilities = [ "create", "update", "list" ]
 }
 path "sys/policies/acl/admin-writer" {
    capabilities = [ "read" ]
 }
 EOF

 vault policy write approvers-policy -<<EOF
 # To approve the request
 path "sys/control-group/authorize" {
    capabilities = ["create", "update"]
 }

 # To check control group request status
 path "sys/control-group/request" {
    capabilities = ["create", "update"]
 }
 EOF

 ####### marker #######

 # Write sentinel policy to prevent people auto approving their request
 vault write sys/policies/egp/cgroup enforcement_level=hard-mandatory paths="kv/*" policy=- << EOF

 import "controlgroup"

 # https://www.vaultproject.io/docs/enterprise/sentinel/properties.html#control-group-properties

 control_group = func() {
    for controlgroup.authorizations as authz {
        if authz.entity.id == identity.entity.id {
            return false
        }
    }   
    return true
 }

 main = rule {
    control_group()
 }
 EOF

 vault auth enable userpass
 userpassAccessor=$(vault auth list -format=json | jq -r '.["userpass/"].accessor')

 vault write auth/userpass/users/reader password="reader" policies="admin-reader"
 readerToken=$(vault write -format json auth/userpass/login/reader password=reader | jq -r '.auth.client_token')

 vault write auth/userpass/users/writer password="writer" policies="admin-writer"
 writerToken=$(vault write -format json auth/userpass/login/writer password=writer | jq -r '.auth.client_token')

 vault write auth/userpass/users/everything password="everything" policies="admin-writer, admin-reader, approver"
 everythingToken=$(vault write -format json auth/userpass/login/everything password=everything | jq -r '.auth.client_token')

 vault write auth/userpass/users/approver password="approver"
 approverEntityID=$(vault write -format=json identity/entity name="approver" \ policies="default"  | jq -r ".data.id")
 vault write identity/entity-alias name="approver" canonical_id=$approverEntityID  mount_accessor=$userpassAccessor
 vault write identity/group name="approver" policies="approvers-policy" member_entity_ids=$approverEntityID
 approverToken=$(vault write -format json auth/userpass/login/approver password=approver| jq -r '.auth.client_token')

 vault secrets enable kv
 VAULT_TOKEN=$everythingToken vault kv put kv/secret surprise="corona is a really bad virus"

 wrappedResponse=$(VAULT_TOKEN=$everythingToken vault kv get -format json kv/secret)
 wrappingAccessor=$(echo -n $wrappedResponse | jq -r '.wrap_info.accessor')
 wrappingToken=$(echo -n $wrappedResponse | jq -r '.wrap_info.token')

 VAULT_TOKEN=$approverToken vault write sys/control-group/authorize accessor=$wrappingAccessor

 VAULT_TOKEN=$everythingToken vault unwrap $wrappingToken
	#!/bin/bash

	set -aex

	pkill -9 vault \|\| true
	sleep 2s

	tee /tmp/config.hcl <<EOF
	storage "inmem" {}
	listener "tcp" {
	address = "127.0.0.1:8200"
	tls_disable = "true"
	}
	api_addr = "http://127.0.0.1:8200"
	pid_file = "/tmp/vault.pid"
	EOF


	vault server -config /tmp/config.hcl > /tmp/config.log 2>&1 &
	while ! nc -w 1 localhost 8200 </dev/null; do sleep 1; done

	# export VAULT_ADDR='http://127.0.0.1:8200'
	initResponse=$(vault operator init -format=json -key-shares 1 -key-threshold 1)
	unsealKey=$(echo $initResponse \| jq -r '.unseal_keys_b64[0]')
	rootToken=$(echo $initResponse\| jq -r '.root_token')

	vault operator unseal $unsealKey
	sleep 3s
	vault login $rootToken

	vault policy write admin-reader -<<EOF
	path "sys/policies/acl/admin-reader" {
	capabilities = [ "read" ]
	}
	path "kv/secret" {
	capabilities = [ "update", "list", "read", "delete" ]
	control_group = {
	factor "authorizer" {
	identity {
	approvals= 1
	group_names= [ "approver" ]
	}
	}
	}
	}
	EOF

	vault policy write admin-writer -<<EOF
	path "kv/secret" {
	capabilities = [ "create", "update", "list" ]
	}
	path "sys/policies/acl/admin-writer" {
	capabilities = [ "read" ]
	}
	EOF

	vault policy write approvers-policy -<<EOF
	# To approve the request
	path "sys/control-group/authorize" {
	capabilities = ["create", "update"]
	}

	# To check control group request status
	path "sys/control-group/request" {
	capabilities = ["create", "update"]
	}
	EOF

	####### marker #######

	# Write sentinel policy to prevent people auto approving their request
	vault write sys/policies/egp/cgroup enforcement_level=hard-mandatory paths="kv/*" policy=- << EOF

	import "controlgroup"

	# https://www.vaultproject.io/docs/enterprise/sentinel/properties.html#control-group-properties

	control_group = func() {
	for controlgroup.authorizations as authz {
	if authz.entity.id == identity.entity.id {
	return false
	}
	}
	return true
	}

	main = rule {
	control_group()
	}
	EOF

	vault auth enable userpass
	userpassAccessor=$(vault auth list -format=json \| jq -r '.["userpass/"].accessor')

	vault write auth/userpass/users/reader password="reader" policies="admin-reader"
	readerToken=$(vault write -format json auth/userpass/login/reader password=reader \| jq -r '.auth.client_token')

	vault write auth/userpass/users/writer password="writer" policies="admin-writer"
	writerToken=$(vault write -format json auth/userpass/login/writer password=writer \| jq -r '.auth.client_token')

	vault write auth/userpass/users/everything password="everything" policies="admin-writer, admin-reader, approver"
	everythingToken=$(vault write -format json auth/userpass/login/everything password=everything \| jq -r '.auth.client_token')

	vault write auth/userpass/users/approver password="approver"
	approverEntityID=$(vault write -format=json identity/entity name="approver" \ policies="default" \| jq -r ".data.id")
	vault write identity/entity-alias name="approver" canonical_id=$approverEntityID mount_accessor=$userpassAccessor
	vault write identity/group name="approver" policies="approvers-policy" member_entity_ids=$approverEntityID
	approverToken=$(vault write -format json auth/userpass/login/approver password=approver\| jq -r '.auth.client_token')

	vault secrets enable kv
	VAULT_TOKEN=$everythingToken vault kv put kv/secret surprise="corona is a really bad virus"

	wrappedResponse=$(VAULT_TOKEN=$everythingToken vault kv get -format json kv/secret)
	wrappingAccessor=$(echo -n $wrappedResponse \| jq -r '.wrap_info.accessor')
	wrappingToken=$(echo -n $wrappedResponse \| jq -r '.wrap_info.token')

	VAULT_TOKEN=$approverToken vault write sys/control-group/authorize accessor=$wrappingAccessor

	VAULT_TOKEN=$everythingToken vault unwrap $wrappingToken