Demonstrating the Enterprise MFA workflow
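#!/bin/bash
# Demonstrates Vault Enterprise step-up MFA (PingID) on a KV path: a user
# whose entity is bound to a policy carrying mfa_methods is denied a read
# of that path unless an MFA code accompanies the request.
#
## Tools required
# brew install jq
# Vault Enterprise binary in the PATH
## Vault Server Command (separate terminal)
# VAULT_LICENSE=<vault license> vault server -dev -dev-root-token-id=root
set -euo pipefail

export VAULT_ADDR=http://127.0.0.1:8200
export VAULT_TOKEN=root

readonly MFA_NAME=my_mfa
readonly POLICY_NAME=mfa-policy
# Placeholder: replace with the base64-encoded PingID settings file.
readonly PINGID_SETTINGS_FILE="<base64 settings file>"

# Print a message to stderr and abort.
die() {
  printf 'error: %s\n' "$*" >&2
  exit 1
}

# Abort if a jq lookup produced nothing or the literal "null".
require_value() {
  local label=$1 value=$2
  [[ -n "$value" && "$value" != null ]] || die "could not determine $label"
}

# Set up userpass
vault auth enable userpass
vault write auth/userpass/users/testuser password="password"
USERPASS_ACCESSOR=$(vault auth list -format=json | jq -r '.["userpass/"].accessor')
require_value "userpass accessor" "$USERPASS_ACCESSOR"

# Create MFA key
vault write "sys/mfa/method/pingid/$MFA_NAME" \
  mount_accessor="$USERPASS_ACCESSOR" \
  settings_file_base64="$PINGID_SETTINGS_FILE"

# Write some data
vault kv put secret/foo abc=123

# Create policy: the read capability only applies when MFA_NAME is satisfied.
vault policy write "$POLICY_NAME" - <<EOF
path "secret/data/foo" {
  capabilities = ["read"]
  mfa_methods = ["$MFA_NAME"]
}
EOF

# Generate an identity
ENTITY_ID=$(vault write -f -format=json identity/entity policies="$POLICY_NAME" | jq -r .data.id)
require_value "entity id" "$ENTITY_ID"

# Attach entity to user
vault write identity/entity-alias \
  name=testuser \
  canonical_id="$ENTITY_ID" \
  mount_accessor="$USERPASS_ACCESSOR"

# Generate a token for logging in. -no-store keeps the user token out of the
# token helper (~/.vault-token) so it does not replace the operator's token.
USER_TOKEN=$(vault login -no-store -format=json -method=userpass username=testuser password=password \
  | jq -r .auth.client_token)
require_value "user token" "$USER_TOKEN"
# The token itself is deliberately not printed; it is a bearer credential.
echo "Obtained a userpass token for testuser (not printed)"

# Do not pass mfa to mfa protected path. Wrapped in if so the expected
# failure does not trip set -e.
if VAULT_TOKEN="$USER_TOKEN" vault kv get secret/foo; then
  echo "warning: read without MFA unexpectedly succeeded" >&2
else
  echo "read without MFA was denied (expected)"
fi

# Generic read command because `vault kv` does not seem to support the mfa code
echo "VAULT_TOKEN=<user token> vault read -format=json secret/data/foo | jq .data.data"
VAULT_TOKEN="$USER_TOKEN" vault read -format=json secret/data/foo | jq .data.data # Should succeed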
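#!/bin/bash
# Demonstrates Vault Enterprise step-up MFA (TOTP) on a KV path: a user
# whose entity is bound to a policy carrying mfa_methods is denied a read
# of that path unless a valid TOTP code accompanies the request.
#
## Tools required
# brew install oath-tools qrencode jq
# Vault Enterprise binary in the PATH
## Vault Server Command (separate terminal)
# VAULT_LICENSE=<vault license> vault server -dev -dev-root-token-id=root
set -euo pipefail

export VAULT_ADDR=http://127.0.0.1:8200
export VAULT_TOKEN=root

readonly TOTP_NAME=my_totp
readonly TOTP_DIGITS=6
readonly TOTP_ALGORITHM=SHA256
readonly TOTP_PERIOD=30
readonly TOTP_ISSUER=Vault

# Print a message to stderr and abort.
die() {
  printf 'error: %s\n' "$*" >&2
  exit 1
}

# Abort if a jq lookup produced nothing or the literal "null".
require_value() {
  local label=$1 value=$2
  [[ -n "$value" && "$value" != null ]] || die "could not determine $label"
}

# Set up userpass
vault auth enable userpass
vault write auth/userpass/users/test_user password="password"
USERPASS_ACCESSOR=$(vault auth list -format=json | jq -r '.["userpass/"].accessor')
require_value "userpass accessor" "$USERPASS_ACCESSOR"

# Create MFA key
vault write "sys/mfa/method/totp/$TOTP_NAME" \
  issuer="$TOTP_ISSUER" \
  algorithm="$TOTP_ALGORITHM" \
  digits="$TOTP_DIGITS" \
  period="$TOTP_PERIOD"

# Write some data
vault kv put secret/foo abc=123

# Create policy: the read capability only applies when TOTP_NAME is satisfied.
vault policy write totp-policy - <<EOF
path "secret/data/foo" {
  capabilities = ["read"]
  mfa_methods = ["$TOTP_NAME"]
}
EOF

# Generate an identity
ENTITY_ID=$(vault write -f -format=json identity/entity policies=totp-policy | jq -r .data.id)
require_value "entity id" "$ENTITY_ID"

# Attach entity to user
vault write identity/entity-alias \
  name=test_user \
  canonical_id="$ENTITY_ID" \
  mount_accessor="$USERPASS_ACCESSOR"

# Attach MFA to entity. The returned otpauth URL carries the TOTP seed.
MFA_CONFIG=$(vault write -f -format=json "sys/mfa/method/totp/$TOTP_NAME/admin-generate" entity_id="$ENTITY_ID")
MFA_URL_RAW=$(jq -r .data.url <<< "$MFA_CONFIG")
require_value "otpauth url" "$MFA_URL_RAW"
# Pull the secret by name rather than by field position, so a change in
# query-parameter order does not silently yield the wrong value.
secret_re='[?&]secret=([^&]+)'
[[ "$MFA_URL_RAW" =~ $secret_re ]] || die "otpauth url has no secret parameter"
MFA_SECRET=${BASH_REMATCH[1]}

# Display QR code, cannot use URL returned since Google Authenticator seems to require the secret
# to be the first parameter
MFA_URL="otpauth://totp/$TOTP_ISSUER:$ENTITY_ID?secret=$MFA_SECRET&issuer=$TOTP_ISSUER&algorithm=$TOTP_ALGORITHM&digits=$TOTP_DIGITS&period=$TOTP_PERIOD"
qrencode -t ansiutf8 <<< "$MFA_URL"

# Generate a token for logging in. -no-store keeps the user token out of the
# token helper (~/.vault-token) so it does not replace the operator's token.
USER_TOKEN=$(vault login -no-store -format=json -method=userpass username=test_user password=password \
  | jq -r .auth.client_token)
require_value "user token" "$USER_TOKEN"

# Generate TOTP code from the same seed the entity was enrolled with.
MFA_CODE=$(oathtool --totp="$TOTP_ALGORITHM" --time-step-size="$TOTP_PERIOD" --base32 "$MFA_SECRET")

# Do not pass mfa to mfa protected path. Wrapped in if so the expected
# failure does not trip set -e.
if VAULT_TOKEN="$USER_TOKEN" vault kv get secret/foo; then
  echo "warning: read without MFA unexpectedly succeeded" >&2
else
  echo "read without MFA was denied (expected)"
fi

# Generic read command because `vault kv` does not seem to support the mfa code
VAULT_TOKEN="$USER_TOKEN" vault read -mfa "$TOTP_NAME:$MFA_CODE" -format=json secret/data/foo | jq .data.data # Should succeed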