@WhatsARanjit
Created February 23, 2021 19:38
Cross-NS entity Vault test
# Setup namespaces
$ export VAULT_ADDR=http://127.0.0.1:8200
$ vault namespace create foo
Key Value
--- -----
id zI8gb
path foo/
$ vault namespace create bar
Key Value
--- -----
id izkrE
path bar/
# Setup auth
$ vault auth enable -namespace=foo userpass
Success! Enabled userpass auth method at: userpass/
$ vault auth enable -namespace=bar userpass
Success! Enabled userpass auth method at: userpass/
# Setup users in each namespace
$ vault write \
-namespace=foo \
auth/userpass/users/foo_user \
password=Password1! \
policies=foo
Success! Data written to: auth/userpass/users/foo_user
$ vault write \
-namespace=bar \
auth/userpass/users/bar_user \
password=Password1! \
policies=bar
Success! Data written to: auth/userpass/users/bar_user
# Create secrets in each namespace
$ vault secrets enable -namespace=foo kv
Success! Enabled the kv secrets engine at: kv/
$ vault kv put -namespace=foo kv/test value=foo
Success! Data written to: kv/test
$ vault secrets enable -namespace=bar kv
Success! Enabled the kv secrets engine at: kv/
$ vault kv put -namespace=bar kv/test value=bar
Success! Data written to: kv/test
# Create KV policy in each
$ vault policy write -namespace=foo foo - << EOF
path "kv/test" {
capabilities = ["read", "update", "list"]
}
EOF
Success! Uploaded policy: foo
$ vault policy write -namespace=bar bar - << EOF
path "kv/test" {
capabilities = ["read", "update", "list"]
}
EOF
Success! Uploaded policy: bar
# Client count baseline
$ vault-auditor parse /tmp/audit
Distinct Entities: 0
Non-Entity Tokens: 1
Total Clients: 1
Total files processed: 1
Date range: 2021-02-23T18:10:23Z - 2021-02-23T18:25:12Z
# Log into foo namespace and get KV
$ vault login \
-namespace=foo \
-method=userpass \
username=foo_user \
password=Password1!
Success! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.
Key Value
--- -----
token s.rvOhQ41PV5yhLe05WhqYge3g.zI8gb
token_accessor bMzrT645hR8nnzBNzkXpJjXN.zI8gb
token_duration 768h
token_renewable true
token_policies ["default" "foo"]
identity_policies []
policies ["default" "foo"]
token_meta_username foo_user
$ VAULT_TOKEN=s.rvOhQ41PV5yhLe05WhqYge3g.zI8gb \
vault kv get \
-namespace=foo \
kv/test
==== Data ====
Key Value
--- -----
value foo
# Client check-in
$ vault-auditor parse /tmp/audit
Distinct Entities: 1
Non-Entity Tokens: 1
Total Clients: 2
Total files processed: 1
Date range: 2021-02-23T18:10:23Z - 2021-02-23T18:30:25Z
###-> 1 new entity
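The client counts above come from running vault-auditor over the file audit device's output. The example below is an added one, not part of this gist or of vault-auditor: it reproduces the same bookkeeping (distinct entities, non-entity tokens, total clients, date range) over constructed audit lines laid out like Vault's JSON file audit device, and additionally breaks entities down by the namespace the request was made in. The sample lines, the entity ids and the accessor strings are constructed; the counting rules are my reading of vault-auditor's output columns, not its code.

```python
import json
from typing import Dict, Iterable, List, Set

# Constructed sample audit lines (NOT real log data). The field layout follows
# Vault's JSON file audit device: one object per line, "type" is "request" or
# "response", "auth.entity_id" is empty for tokens with no entity (the root
# token here), and "auth.accessor" is HMAC'd by the device but deterministically,
# so the same accessor string still identifies the same token.
SAMPLE_AUDIT_LINES: List[str] = [
    json.dumps({"time": "2021-02-23T18:10:23Z", "type": "request",
                "auth": {"accessor": "hmac-sha256:root-acc", "entity_id": "",
                         "display_name": "root", "token_type": "service"},
                "request": {"operation": "update", "path": "sys/namespaces/foo",
                            "namespace": {"id": "root", "path": ""}}}),
    # response entry for the same request: skipped, or every client counts twice
    json.dumps({"time": "2021-02-23T18:10:23Z", "type": "response",
                "auth": {"accessor": "hmac-sha256:root-acc", "entity_id": ""},
                "request": {"operation": "update", "path": "sys/namespaces/foo",
                            "namespace": {"id": "root", "path": ""}}}),
    # foo_user reads kv/test twice in foo/: one entity, counted once
    json.dumps({"time": "2021-02-23T18:28:41Z", "type": "request",
                "auth": {"accessor": "hmac-sha256:foo-acc",
                         "entity_id": "0d562dbf-c57f-2d55-ccfd-3dfb52b0fc64",
                         "display_name": "userpass-foo_user", "token_type": "service"},
                "request": {"operation": "read", "path": "kv/test",
                            "namespace": {"id": "zI8gb", "path": "foo/"}}}),
    json.dumps({"time": "2021-02-23T18:30:25Z", "type": "request",
                "auth": {"accessor": "hmac-sha256:foo-acc",
                         "entity_id": "0d562dbf-c57f-2d55-ccfd-3dfb52b0fc64",
                         "display_name": "userpass-foo_user", "token_type": "service"},
                "request": {"operation": "read", "path": "kv/test",
                            "namespace": {"id": "zI8gb", "path": "foo/"}}}),
    # bar_user reads kv/test in bar/: a second, separate entity
    json.dumps({"time": "2021-02-23T18:35:02Z", "type": "request",
                "auth": {"accessor": "hmac-sha256:bar-acc",
                         "entity_id": "17bd8cd1-9c07-84e0-03f9-027635663e79",
                         "display_name": "userpass-bar_user", "token_type": "service"},
                "request": {"operation": "read", "path": "kv/test",
                            "namespace": {"id": "izkrE", "path": "bar/"}}}),
    # a live audit file is often cut mid-line at the tail; must not crash on it
    "this line is truncated junk",
]


def count_clients(lines: Iterable[str]) -> Dict[str, object]:
    """Count clients the way vault-auditor's summary presents them (assumed
    rules): one client per distinct entity id, plus one per distinct accessor
    of tokens that carry no entity. Only "request" entries are counted."""
    entities: Set[str] = set()
    non_entity_tokens: Set[str] = set()
    entities_by_ns: Dict[str, Set[str]] = {}
    times: List[str] = []
    unparseable = 0
    for raw in lines:
        try:
            entry = json.loads(raw)
        except ValueError:          # json.JSONDecodeError is a ValueError
            unparseable += 1
            continue
        if entry.get("type") != "request":
            continue
        auth = entry.get("auth") or {}
        request = entry.get("request") or {}
        ns_path = (request.get("namespace") or {}).get("path", "")
        entity_id = auth.get("entity_id") or ""
        if entity_id:
            entities.add(entity_id)
            entities_by_ns.setdefault(ns_path, set()).add(entity_id)
        elif auth.get("accessor"):
            non_entity_tokens.add(auth["accessor"])
        if entry.get("time"):
            times.append(entry["time"])  # RFC 3339 strings sort lexically
    return {
        "distinct_entities": len(entities),
        "non_entity_tokens": len(non_entity_tokens),
        "total_clients": len(entities) + len(non_entity_tokens),
        "entities_by_namespace": {ns: len(ids) for ns, ids in sorted(entities_by_ns.items())},
        "date_range": (min(times), max(times)) if times else None,
        "unparseable_lines": unparseable,
    }


def count_file(path: str) -> Dict[str, object]:
    """Same counting over a real audit file such as /tmp/audit."""
    with open(path, encoding="utf-8") as fh:
        return count_clients(fh)


if __name__ == "__main__":
    print(json.dumps(count_clients(SAMPLE_AUDIT_LINES), indent=2))
```

Counting the per-namespace breakdown is what makes the gist's experiment checkable from the log alone: each userpass login in a child namespace should add exactly one entity under that namespace's path, and a root-namespace token used with `X-Vault-Namespace` shows up under the child path without adding an entity.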
# Log into bar namespace and get KV
$ vault login \
-namespace=bar \
-method=userpass \
username=bar_user \
password=Password1!
Success! You are now authenticated. The token information displayed below
is already stored in the token helper. You do NOT need to run "vault login"
again. Future Vault requests will automatically use this token.
Key Value
--- -----
token s.NWr83zTjiHDiBvwiyTajnrYW.izkrE
token_accessor NjpLEKlu7lRgZEsqr0zz2OcI.izkrE
token_duration 768h
token_renewable true
token_policies ["bar" "default"]
identity_policies []
policies ["bar" "default"]
token_meta_username bar_user
$ VAULT_TOKEN=s.NWr83zTjiHDiBvwiyTajnrYW.izkrE \
vault kv get \
-namespace=bar \
kv/test
==== Data ====
Key Value
--- -----
value bar
###-> 1 new entity
## Attempt to use bar token in foo namespace
$ VAULT_TOKEN=s.NWr83zTjiHDiBvwiyTajnrYW.izkrE \
vault kv get \
-namespace=foo \
kv/test
Error making API request.
URL: GET http://127.0.0.1:8200/v1/sys/internal/ui/mounts/kv/test
Code: 403. Errors:
* preflight capability check returned 403, please ensure client's policies grant access to path "kv/test/"
## Lookup entity IDs for foo_user and bar_user
$ export FOO_ID=$(curl -s \
-H "X-Vault-Token: root" \
-H "X-Vault-Namespace: foo" \
-X LIST \
http://127.0.0.1:8200/v1/identity/entity/id \
| jq -r '.data.keys[0]')
$ echo $FOO_ID
0d562dbf-c57f-2d55-ccfd-3dfb52b0fc64
$ export BAR_ID=$(curl -s \
-H "X-Vault-Token: root" \
-H "X-Vault-Namespace: bar" \
-X LIST \
http://127.0.0.1:8200/v1/identity/entity/id \
| jq -r '.data.keys[0]')
$ echo $BAR_ID
17bd8cd1-9c07-84e0-03f9-027635663e79
# Merge foo_user entity into bar_user entity
$ curl -s \
-H "X-Vault-Token: root" \
-H "X-Vault-Namespace: bar" \
-X POST \
-d "{\"to_entity_id\": \"$BAR_ID\", \"from_entity_ids\": \"$FOO_ID\"}" \
http://127.0.0.1:8200/v1/identity/entity/merge
{"errors":["entity id to merge from does not belong to this namespace"]}
##-> FAIL: Can't do it!