Skip to content

Instantly share code, notes, and snippets.

Avatar

Jeff Mitchell jefferai

View GitHub Profile
View -
diff --git a/builtin/credential/approle/path_role.go b/builtin/credential/approle/path_role.go
index 171fa8c..c2a4949 100644
--- a/builtin/credential/approle/path_role.go
+++ b/builtin/credential/approle/path_role.go
@@ -1452,7 +1452,7 @@ func (b *backend) handleRoleSecretIDCommon(req *logical.Request, data *framework
Metadata: make(map[string]string),
}
- if err = strutil.ParseArbitraryKeyValues(data.Get("metadata").(string), secretIDStorage.Metadata); err != nil {
+ if err = strutil.ParseArbitraryKeyValues(data.Get("metadata").(string), secretIDStorage.Metadata, ","); err != nil {
View -
diff --git a/builtin/credential/approle/path_role.go b/builtin/credential/approle/path_role.go
index 171fa8c..c2a4949 100644
--- a/builtin/credential/approle/path_role.go
+++ b/builtin/credential/approle/path_role.go
@@ -1452,7 +1452,7 @@ func (b *backend) handleRoleSecretIDCommon(req *logical.Request, data *framework
Metadata: make(map[string]string),
}
- if err = strutil.ParseArbitraryKeyValues(data.Get("metadata").(string), secretIDStorage.Metadata); err != nil {
+ if err = strutil.ParseArbitraryKeyValues(data.Get("metadata").(string), secretIDStorage.Metadata, ","); err != nil {
View -
diff --git a/builtin/credential/approle/path_role.go b/builtin/credential/approle/path_role.go
index 171fa8c..c2a4949 100644
--- a/builtin/credential/approle/path_role.go
+++ b/builtin/credential/approle/path_role.go
@@ -1452,7 +1452,7 @@ func (b *backend) handleRoleSecretIDCommon(req *logical.Request, data *framework
Metadata: make(map[string]string),
}
- if err = strutil.ParseArbitraryKeyValues(data.Get("metadata").(string), secretIDStorage.Metadata); err != nil {
+ if err = strutil.ParseArbitraryKeyValues(data.Get("metadata").(string), secretIDStorage.Metadata, ","); err != nil {
@jefferai
jefferai / find_destroy_consul_tokens.sh
Last active May 12, 2018
Script to find and destroy Consul tokens created by Vault
View find_destroy_consul_tokens.sh
#!/bin/bash
# Tested with jq 1.5. Should work with jq >= 1.4.
# Note: this script is an example to show how tokens can be listed
# and managed by jq into a removal function. You should not use this
# script as-is, in particular without examining the list output to
# exclude unwanted tokens from being removed. For instance, if
# your management token for Vault itself (storage, or the Consul
# dynamic backend) has a name that begins with "Vault", this
View -
diff --git a/builtin/logical/pki/crl_util.go b/builtin/logical/pki/crl_util.go
index b433e25..45624ac 100644
--- a/builtin/logical/pki/crl_util.go
+++ b/builtin/logical/pki/crl_util.go
@@ -18,6 +18,15 @@ type revocationInfo struct {
// Revokes a cert, and tries to be smart about error recovery
func revokeCert(b *backend, req *logical.Request, serial string) (*logical.Response, error) {
+ // As this backend is self-contained and this function does not hook into
+ // third parties to manage users or resources, if the mount is tainted,
@jefferai
jefferai / pkitest.sh
Created Jan 20, 2016
PKI test script
View pkitest.sh
#!/bin/bash
vault mount -path=rootpki pki
vault mount-tune -max-lease-ttl="175200h" rootpki
vault write rootpki/root/generate/exported common_name=example.com ttl="175200h"
vault write rootpki/root/generate/internal common_name=example.com ttl="175200h"
vault write rootpki/intermediate/generate/exported common_name=example.com ttl="175200h"
vault write rootpki/intermediate/generate/internal common_name=example.com ttl="175200h"
vault mount -path=intermediatepki pki
vault mount-tune -max-lease-ttl="8760h" intermediatepki
@jefferai
jefferai / gist:a9b02179da554475b859
Created Oct 7, 2015
Example of new PKI capabilities
View gist:a9b02179da554475b859
#!/bin/bash
vault mount -path=rootpki pki
vault mount-tune -max-lease-ttl="175200h" rootpki
vault mount -path=intermediatepki pki
vault mount-tune -max-lease-ttl="17520h" intermediatepki
http POST http://127.0.0.1:8200/v1/rootpki/config/ca/generate/root/exported X-Vault-Token:$(cat ~/.vault-token) pki_address="http://vault.example.com/v1/rootpki" common_name=root.com ttl="175200h" | jq -r .data.certificate > currroot.pem
openssl x509 -in currroot.pem -noout -text
http POST http://127.0.0.1:8200/v1/intermediatepki/config/ca/generate/intermediate/exported X-Vault-Token:$(cat ~/.vault-token) pki_address="http://vault.example.com/v1/rootpki" | jq -r .data.csr > currcsr.pem
http POST http://127.0.0.1:8200/v1/rootpki/config/ca/sign X-Vault-Token:$(cat ~/.vault-token) pki_address="http://vault.example.com/v1/intermediatepki" common_name=intermediate.com ttl="17519h" csr=@currcsr.pem | jq -r .data.certificate > currcert.pem
View keybase.md

Keybase proof

I hereby claim:

  • I am jefferai on github.
  • I am jefferai (https://keybase.io/jefferai) on keybase.
  • I have a public key whose fingerprint is 0F80 1F51 8EC8 53DA FF61 1E83 6528 EFCA C6CA A3DB

To claim this, I am signing this object:

View gist:7461cce52179b22dae5e
> http http://127.0.0.1:8500/v1/catalog/register Datacenter="dc1" Node="node1" Address="10.0.0.1" Service:='{"ID": "redis1", "Service": "redis", "Tags": ["tag1"], "Address": "1.2.3.4", "Port": 1234}'
HTTP/1.1 200 OK
Content-Length: 4
Content-Type: application/json
Date: Thu, 03 Sep 2015 11:07:22 GMT
true
> http http://127.0.0.1:8500/v1/catalog/register Datacenter="dc1" Node="node2" Address="10.0.0.2" Service:='{"ID": "redis2", "Service": "redis", "Tags": ["tag2"], "Address": "5.6.7.8", "Port": 5678}'
HTTP/1.1 200 OK
@jefferai
jefferai / gist:e2bebc3bb97fed521666
Last active Mar 30, 2019
Example of Vault PKI (X509) backend issuing certificates to client and server, which then perform TLS mutual auth
View gist:e2bebc3bb97fed521666
package main
import (
"crypto/tls"
"fmt"
"html"
"io/ioutil"
"log"
"net"
"net/http"
You can’t perform that action at this time.