Created
December 19, 2015 13:30
-
-
Save daveadams/c791415d860fd0c1623f to your computer and use it in GitHub Desktop.
ACL policy and tests for Hashicorp Vault
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| echo -n "Starting vault... " | |
| vault server -dev &> vault-server.log & | |
| vault_pid=$! | |
| echo OK | |
| shutdown() { trap "" EXIT; echo -n 'Shutting down... '; kill -9 $vault_pid; echo OK; exit $1; } | |
| trap "shutdown 0" EXIT | |
| trap "echo; echo 'Got interrupt signal!'; shutdown 255" INT | |
| trap "echo; echo 'ERROR!'; shutdown 1" ERR | |
| export VAULT_ADDR=http://127.0.0.1:8200 | |
| export VAULT_TOKEN= | |
| echo -n "Waiting for vault to initialize... " | |
| sleep 2 | |
| echo OK | |
| echo | |
| echo "Setting up backend:" | |
| vault auth-enable userpass | |
| echo | |
| echo "Generating secrets:" | |
| vault write secret/A secret=testing | |
| vault write secret/A/B secret=testing | |
| vault write secret/A/B/C secret=testing | |
| vault write secret/A/B/C/D secret=testing | |
| echo | |
| echo "Generating policies:" | |
| vault policy-write policy0 - <<EOF | |
| path "secret/A" { policy = "write" } | |
| path "secret/A/*" { policy = "write" } | |
| EOF | |
| vault policy-write policy1 - <<EOF | |
| path "secret/A/B" { policy = "write" } | |
| path "secret/A/B/*" { policy = "write" } | |
| EOF | |
| vault policy-write policy2 - <<EOF | |
| path "secret/A" { policy = "read" } | |
| path "secret/A/B" { policy = "read" } | |
| path "secret/A/B/C" { policy = "write" } | |
| EOF | |
| vault policy-write policy3 - <<EOF | |
| path "secret/A/B/C/D" { policy = "write" } | |
| EOF | |
| echo | |
| echo "Creating users:" | |
| vault write auth/userpass/users/user0 \ | |
| password=password0 \ | |
| policies=policy0 | |
| vault write auth/userpass/users/user1 \ | |
| password=password1 \ | |
| policies=policy1 | |
| vault write auth/userpass/users/user2 \ | |
| password=password2 \ | |
| policies=policy2 | |
| vault write auth/userpass/users/user3 \ | |
| password=password3 \ | |
| policies=policy3 | |
| reset() { pass_count=0; fail_count=0; } | |
| pass() { echo pass; pass_count=$(( $pass_count + 1 )); } | |
| fail() { echo FAIL; fail_count=$(( $fail_count + 1 )); } | |
| assert() { | |
| echo -n "Testing '$1'... " | |
| eval "$2" &>/dev/null && pass || fail | |
| } | |
| assert_not() { | |
| echo -n "Testing '$1'... " | |
| eval "$2" &>/dev/null && fail || pass | |
| } | |
| report() { | |
| total_pass_count=$(( $total_pass_count + $pass_count )) | |
| total_test_count=$(( $total_test_count + $pass_count + $fail_count )) | |
| echo "$pass_count/$(( $pass_count + $fail_count )) tests passed" | |
| } | |
| common_tests() { | |
| assert_not "$1 cannot write secret/other" \ | |
| "vault write secret/other secret=$1" | |
| assert_not "$1 cannot read secret/other" \ | |
| "vault read secret/other" | |
| assert_not "$1 cannot create new users" \ | |
| "vault write auth/userpass/users/user10 password=xyz policies=policy0" | |
| assert_not "$1 cannot create new policies" \ | |
| "vault policy-write hacker - <<< 'path \"auth/*\" { policy = \"write\" }'" | |
| } | |
| echo | |
| echo "Testing user0 access:" | |
| echo | |
| reset | |
| vault auth -method=userpass username=user0 password=password0 | |
| echo | |
| for key in A A/B A/B/C A/B/C/D | |
| do | |
| assert "user0 can read secret/$key" "vault read secret/$key" | |
| done | |
| for key in A A/B A/Q A/B/C A/B/Z A/B/C/D A/B/C/W A/B/C/D/Y | |
| do | |
| assert "user0 can write secret/$key" "vault write secret/$key secret=user0" | |
| done | |
| common_tests user0 | |
| echo | |
| report | |
| echo | |
| echo "Testing user1 access:" | |
| echo | |
| reset | |
| vault auth -method=userpass username=user1 password=password1 | |
| echo | |
| for key in A/B A/B/C A/B/C/D | |
| do | |
| assert "user1 can read secret/$key" "vault read secret/$key" | |
| done | |
| for key in A/B A/B/C A/B/Z A/B/C/D A/B/C/W A/B/C/D/Y | |
| do | |
| assert "user1 can write secret/$key" "vault write secret/$key secret=user1" | |
| done | |
| assert_not "user1 cannot write secret/A" \ | |
| "vault write secret/A secret=user1" | |
| common_tests user1 | |
| echo | |
| report | |
| echo | |
| echo "Testing user2 access:" | |
| echo | |
| reset | |
| vault auth -method=userpass username=user2 password=password2 | |
| echo | |
| for key in A A/B A/B/C | |
| do | |
| assert "user2 can read secret/$key" "vault read secret/$key" | |
| done | |
| assert_not "user2 cannot read secret/A/B/C/D" "vault read secret/A/B/C/D" | |
| assert "user2 can write secret/A/B/C" "vault write secret/A/B/C secret=user2" | |
| for key in A A/Q A/B A/B/Z A/B/C/D A/B/C/W A/B/C/D/Y | |
| do | |
| assert_not "user2 cannot write secret/$key" "vault write secret/$key secret=user2" | |
| done | |
| common_tests user2 | |
| echo | |
| report | |
| echo | |
| echo "Testing user3 access:" | |
| echo | |
| reset | |
| vault auth -method=userpass username=user3 password=password3 | |
| echo | |
| for key in A A/B A/B/C | |
| do | |
| assert_not "user3 cannot read secret/$key" "vault read secret/$key" | |
| done | |
| assert "user3 can read secret/A/B/C/D" "vault read secret/A/B/C/D" | |
| assert "user3 can write secret/A/B/C/D" "vault write secret/A/B/C/D secret=user3" | |
| for key in A A/Q A/B A/B/Z A/B/C A/B/C/W A/B/C/D/Y | |
| do | |
| assert_not "user3 cannot write secret/$key" "vault write secret/$key secret=user3" | |
| done | |
| common_tests user3 | |
| echo | |
| report | |
| echo | |
| echo "$total_pass_count/$total_test_count tests passed overall" | |
| (( $total_test_count == $total_pass_count )) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Starting vault... OK | |
| Waiting for vault to initialize... OK | |
| Setting up backend: | |
| Successfully enabled 'userpass' at 'userpass'! | |
| Generating secrets: | |
| Success! Data written to: secret/A | |
| Success! Data written to: secret/A/B | |
| Success! Data written to: secret/A/B/C | |
| Success! Data written to: secret/A/B/C/D | |
| Generating policies: | |
| Policy 'policy0' written. | |
| Policy 'policy1' written. | |
| Policy 'policy2' written. | |
| Policy 'policy3' written. | |
| Creating users: | |
| Success! Data written to: auth/userpass/users/user0 | |
| Success! Data written to: auth/userpass/users/user1 | |
| Success! Data written to: auth/userpass/users/user2 | |
| Success! Data written to: auth/userpass/users/user3 | |
| Testing user0 access: | |
| Successfully authenticated! | |
| token: f5210db3-94d6-f2e0-7f79-136b52ae910e | |
| token_duration: 2592000 | |
| token_policies: [policy0, default] | |
| Testing 'user0 can read secret/A'... pass | |
| Testing 'user0 can read secret/A/B'... pass | |
| Testing 'user0 can read secret/A/B/C'... pass | |
| Testing 'user0 can read secret/A/B/C/D'... pass | |
| Testing 'user0 can write secret/A'... pass | |
| Testing 'user0 can write secret/A/B'... pass | |
| Testing 'user0 can write secret/A/Q'... pass | |
| Testing 'user0 can write secret/A/B/C'... pass | |
| Testing 'user0 can write secret/A/B/Z'... pass | |
| Testing 'user0 can write secret/A/B/C/D'... pass | |
| Testing 'user0 can write secret/A/B/C/W'... pass | |
| Testing 'user0 can write secret/A/B/C/D/Y'... pass | |
| Testing 'user0 cannot write secret/other'... pass | |
| Testing 'user0 cannot read secret/other'... pass | |
| Testing 'user0 cannot create new users'... pass | |
| Testing 'user0 cannot create new policies'... pass | |
| 16/16 tests passed | |
| Testing user1 access: | |
| Successfully authenticated! | |
| token: 15c94cbb-2112-39fc-0094-32a54d05b887 | |
| token_duration: 2592000 | |
| token_policies: [policy1, default] | |
| Testing 'user1 can read secret/A/B'... pass | |
| Testing 'user1 can read secret/A/B/C'... pass | |
| Testing 'user1 can read secret/A/B/C/D'... pass | |
| Testing 'user1 can write secret/A/B'... pass | |
| Testing 'user1 can write secret/A/B/C'... pass | |
| Testing 'user1 can write secret/A/B/Z'... pass | |
| Testing 'user1 can write secret/A/B/C/D'... pass | |
| Testing 'user1 can write secret/A/B/C/W'... pass | |
| Testing 'user1 can write secret/A/B/C/D/Y'... pass | |
| Testing 'user1 cannot write secret/A'... pass | |
| Testing 'user1 cannot write secret/other'... pass | |
| Testing 'user1 cannot read secret/other'... pass | |
| Testing 'user1 cannot create new users'... pass | |
| Testing 'user1 cannot create new policies'... pass | |
| 14/14 tests passed | |
| Testing user2 access: | |
| Successfully authenticated! | |
| token: d0267328-709a-7f0c-5dc0-3a39df234a7a | |
| token_duration: 2592000 | |
| token_policies: [policy2, default] | |
| Testing 'user2 can read secret/A'... pass | |
| Testing 'user2 can read secret/A/B'... pass | |
| Testing 'user2 can read secret/A/B/C'... pass | |
| Testing 'user2 cannot read secret/A/B/C/D'... pass | |
| Testing 'user2 can write secret/A/B/C'... pass | |
| Testing 'user2 cannot write secret/A'... pass | |
| Testing 'user2 cannot write secret/A/Q'... pass | |
| Testing 'user2 cannot write secret/A/B'... pass | |
| Testing 'user2 cannot write secret/A/B/Z'... pass | |
| Testing 'user2 cannot write secret/A/B/C/D'... pass | |
| Testing 'user2 cannot write secret/A/B/C/W'... pass | |
| Testing 'user2 cannot write secret/A/B/C/D/Y'... pass | |
| Testing 'user2 cannot write secret/other'... pass | |
| Testing 'user2 cannot read secret/other'... pass | |
| Testing 'user2 cannot create new users'... pass | |
| Testing 'user2 cannot create new policies'... pass | |
| 16/16 tests passed | |
| Testing user3 access: | |
| Successfully authenticated! | |
| token: b4aa6845-ed10-b595-ac17-2885a4eabb8c | |
| token_duration: 2592000 | |
| token_policies: [policy3, default] | |
| Testing 'user3 cannot read secret/A'... pass | |
| Testing 'user3 cannot read secret/A/B'... pass | |
| Testing 'user3 cannot read secret/A/B/C'... pass | |
| Testing 'user3 can read secret/A/B/C/D'... pass | |
| Testing 'user3 can write secret/A/B/C/D'... pass | |
| Testing 'user3 cannot write secret/A'... pass | |
| Testing 'user3 cannot write secret/A/Q'... pass | |
| Testing 'user3 cannot write secret/A/B'... pass | |
| Testing 'user3 cannot write secret/A/B/Z'... pass | |
| Testing 'user3 cannot write secret/A/B/C'... pass | |
| Testing 'user3 cannot write secret/A/B/C/W'... pass | |
| Testing 'user3 cannot write secret/A/B/C/D/Y'... pass | |
| Testing 'user3 cannot write secret/other'... pass | |
| Testing 'user3 cannot read secret/other'... pass | |
| Testing 'user3 cannot create new users'... pass | |
| Testing 'user3 cannot create new policies'... pass | |
| 16/16 tests passed | |
| 62/62 tests passed overall | |
| Shutting down... OK |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment