Last active
December 4, 2021 21:04
-
-
Save prbinu/3a2e349eac5d265fd8683fcb01a84028 to your computer and use it in GitHub Desktop.
Tests for the Vault PR: https://github.com/hashicorp/vault/pull/13344
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # pre-req: start Vault server (dev) | |
| # Usage: VAULT_TOKEN=<dev-root-token> ./ssh-cert-template-test.sh | |
| vault policy write test -<<EOF | |
| path "ssh-client-signer/sign/my-role" | |
| { | |
| capabilities = ["create", "read", "update"] | |
| } | |
| EOF | |
| vault policy write team-qa -<<EOF | |
| path "ssh-client-signer/sign/my-role" | |
| { | |
| capabilities = ["create", "read", "update"] | |
| } | |
| EOF | |
| vault policy list | |
| # create two users, bob and bsmith in different path (different accessor) | |
| vault auth enable -path="userpass-test" userpass | |
| vault write auth/userpass-test/users/bob password="training" policies="test" | |
| vault auth enable -path="userpass-qa" userpass | |
| vault write auth/userpass-qa/users/bsmith password="training" policies="team-qa" | |
| vault auth list -detailed | |
| vault auth list -format=json | jq -r '.["userpass-test/"].accessor' > accessor_test.txt | |
| vault auth list -format=json | jq -r '.["userpass-qa/"].accessor' > accessor_qa.txt | |
| # setup ssh cert path and role | |
| vault secrets enable -path=ssh-client-signer ssh | |
| vault write ssh-client-signer/config/ca generate_signing_key=true | |
| # the idea is to allow users logged using different (accessor) method (e.g. jwt, userpass, ldap etc.) to use the same SSH role | |
| vault write ssh-client-signer/roles/my-role -<<EOH | |
| { | |
| "allow_user_certificates": true, | |
| "allowed_users": "{{identity.entity.aliases.$(cat accessor_qa.txt).name}},{{identity.entity.aliases.$(cat accessor_test.txt).name}},ubuntu", | |
| "allowed_extensions": "permit-pty,permit-port-forwarding", | |
| "default_extensions": [ | |
| { | |
| "permit-pty": "" | |
| } | |
| ], | |
| "key_type": "ca", | |
| "default_user": "", | |
| "allowed_users_template": true, | |
| "ttl": "30m0s" | |
| } | |
| EOH | |
| # debug statement | |
| vault read -format json ssh-client-signer/roles/my-role | |
| # make sure you have `.ssh/id_rsa.pub` in your home directory | |
| vault write ssh-client-signer/sign/my-role public_key=@$HOME/.ssh/id_rsa.pub | |
| # this will fail | |
| vault write -field=signed_key ssh-client-signer/sign/my-role \ | |
| valid_principals="my-user,ubuntu" \ | |
| public_key=@$HOME/.ssh/id_rsa.pub | ssh-keygen -L -f - | |
| # login as bob | |
| vault login -format=json -method=userpass -path=userpass-test \ | |
| username=bob password=training \ | |
| | jq -r ".auth.client_token" > bob_token.txt | |
| # this will work, but empty principals | |
| VAULT_TOKEN=$(cat bob_token.txt) vault write -field=signed_key ssh-client-signer/sign/my-role \ | |
| public_key=@$HOME/.ssh/id_rsa.pub | ssh-keygen -L -f - | |
| # this will work | |
| VAULT_TOKEN=$(cat bob_token.txt) vault write -field=signed_key ssh-client-signer/sign/my-role \ | |
| valid_principals="bob" \ | |
| public_key=@$HOME/.ssh/id_rsa.pub | ssh-keygen -L -f - | |
| # login as bsmith (different accessor) | |
| vault login -format=json -method=userpass -path=userpass-qa \ | |
| username=bsmith password=training \ | |
| | jq -r ".auth.client_token" > bsmith_token.txt | |
| # this will work! | |
| VAULT_TOKEN=$(cat bsmith_token.txt) vault write -field=signed_key ssh-client-signer/sign/my-role \ | |
| valid_principals="bsmith,ubuntu" \ | |
| public_key=@$HOME/.ssh/id_rsa.pub | ssh-keygen -L -f - |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment