I hereby claim:
- I am jefferai on github.
- I am jefferai (https://keybase.io/jefferai) on keybase.
- I have a public key whose fingerprint is 0F80 1F51 8EC8 53DA FF61 1E83 6528 EFCA C6CA A3DB
To claim this, I am signing this object:
Jeff Mitchell jefferai
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| diff --git a/builtin/credential/approle/path_role.go b/builtin/credential/approle/path_role.go | |
| index 171fa8c..c2a4949 100644 | |
| --- a/builtin/credential/approle/path_role.go | |
| +++ b/builtin/credential/approle/path_role.go | |
| @@ -1452,7 +1452,7 @@ func (b *backend) handleRoleSecretIDCommon(req *logical.Request, data *framework | |
| Metadata: make(map[string]string), | |
| } | |
| - if err = strutil.ParseArbitraryKeyValues(data.Get("metadata").(string), secretIDStorage.Metadata); err != nil { | |
| + if err = strutil.ParseArbitraryKeyValues(data.Get("metadata").(string), secretIDStorage.Metadata, ","); err != nil { |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| diff --git a/builtin/credential/approle/path_role.go b/builtin/credential/approle/path_role.go | |
| index 171fa8c..c2a4949 100644 | |
| --- a/builtin/credential/approle/path_role.go | |
| +++ b/builtin/credential/approle/path_role.go | |
| @@ -1452,7 +1452,7 @@ func (b *backend) handleRoleSecretIDCommon(req *logical.Request, data *framework | |
| Metadata: make(map[string]string), | |
| } | |
| - if err = strutil.ParseArbitraryKeyValues(data.Get("metadata").(string), secretIDStorage.Metadata); err != nil { | |
| + if err = strutil.ParseArbitraryKeyValues(data.Get("metadata").(string), secretIDStorage.Metadata, ","); err != nil { |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| diff --git a/builtin/credential/approle/path_role.go b/builtin/credential/approle/path_role.go | |
| index 171fa8c..c2a4949 100644 | |
| --- a/builtin/credential/approle/path_role.go | |
| +++ b/builtin/credential/approle/path_role.go | |
| @@ -1452,7 +1452,7 @@ func (b *backend) handleRoleSecretIDCommon(req *logical.Request, data *framework | |
| Metadata: make(map[string]string), | |
| } | |
| - if err = strutil.ParseArbitraryKeyValues(data.Get("metadata").(string), secretIDStorage.Metadata); err != nil { | |
| + if err = strutil.ParseArbitraryKeyValues(data.Get("metadata").(string), secretIDStorage.Metadata, ","); err != nil { |
jefferai
/ find_destroy_consul_tokens.sh
Last active
May 12, 2018 02:51
Script to find and destroy Consul tokens created by Vault
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # Tested with jq 1.5. Should work with jq >= 1.4. | |
| # Note: this script is an example to show how tokens can be listed | |
| # and managed by jq into a removal function. You should not use this | |
| # script as-is, in particular without examining the list output to | |
| # exclude unwanted tokens from being removed. For instance, if | |
| # your management token for Vault itself (storage, or the Consul | |
| # dynamic backend) has a name that begins with "Vault", this |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| diff --git a/builtin/logical/pki/crl_util.go b/builtin/logical/pki/crl_util.go | |
| index b433e25..45624ac 100644 | |
| --- a/builtin/logical/pki/crl_util.go | |
| +++ b/builtin/logical/pki/crl_util.go | |
| @@ -18,6 +18,15 @@ type revocationInfo struct { | |
| // Revokes a cert, and tries to be smart about error recovery | |
| func revokeCert(b *backend, req *logical.Request, serial string) (*logical.Response, error) { | |
| + // As this backend is self-contained and this function does not hook into | |
| + // third parties to manage users or resources, if the mount is tainted, |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| vault mount -path=rootpki pki | |
| vault mount-tune -max-lease-ttl="175200h" rootpki | |
| vault write rootpki/root/generate/exported common_name=example.com ttl="175200h" | |
| vault write rootpki/root/generate/internal common_name=example.com ttl="175200h" | |
| vault write rootpki/intermediate/generate/exported common_name=example.com ttl="175200h" | |
| vault write rootpki/intermediate/generate/internal common_name=example.com ttl="175200h" | |
| vault mount -path=intermediatepki pki | |
| vault mount-tune -max-lease-ttl="8760h" intermediatepki |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| vault mount -path=rootpki pki | |
| vault mount-tune -max-lease-ttl="175200h" rootpki | |
| vault mount -path=intermediatepki pki | |
| vault mount-tune -max-lease-ttl="17520h" intermediatepki | |
| http POST http://127.0.0.1:8200/v1/rootpki/config/ca/generate/root/exported X-Vault-Token:$(cat ~/.vault-token) pki_address="http://vault.example.com/v1/rootpki" common_name=root.com ttl="175200h" | jq -r .data.certificate > currroot.pem | |
| openssl x509 -in currroot.pem -noout -text | |
| http POST http://127.0.0.1:8200/v1/intermediatepki/config/ca/generate/intermediate/exported X-Vault-Token:$(cat ~/.vault-token) pki_address="http://vault.example.com/v1/rootpki" | jq -r .data.csr > currcsr.pem | |
| http POST http://127.0.0.1:8200/v1/rootpki/config/ca/sign X-Vault-Token:$(cat ~/.vault-token) pki_address="http://vault.example.com/v1/intermediatepki" common_name=intermediate.com ttl="17519h" csr=@currcsr.pem | jq -r .data.certificate > currcert.pem |
jefferai
/ keybase.md
Created
September 22, 2015 19:51
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| > http http://127.0.0.1:8500/v1/catalog/register Datacenter="dc1" Node="node1" Address="10.0.0.1" Service:='{"ID": "redis1", "Service": "redis", "Tags": ["tag1"], "Address": "1.2.3.4", "Port": 1234}' | |
| HTTP/1.1 200 OK | |
| Content-Length: 4 | |
| Content-Type: application/json | |
| Date: Thu, 03 Sep 2015 11:07:22 GMT | |
| true | |
| > http http://127.0.0.1:8500/v1/catalog/register Datacenter="dc1" Node="node2" Address="10.0.0.2" Service:='{"ID": "redis2", "Service": "redis", "Tags": ["tag2"], "Address": "5.6.7.8", "Port": 5678}' | |
| HTTP/1.1 200 OK |
jefferai
/ gist:e2bebc3bb97fed521666
Last active
May 20, 2022 13:29
Example of Vault PKI (X509) backend issuing certificates to client and server, which then perform TLS mutual auth
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| package main | |
| import ( | |
| "crypto/tls" | |
| "fmt" | |
| "html" | |
| "io/ioutil" | |
| "log" | |
| "net" | |
| "net/http" |
NewerOlder