Vault snap testing

vault-tests.md

Smoke tests for the vault snap

(based on https://www.vaultproject.io/intro/index.html)

First, build and install the vault snap:

1. git clone https://github.com/elopio/vault
2. cd vault
3. git checkout snapcraft
4. sudo apt install snapcraft
5. snapcraft
6. sudo snap install vault*.snap

Print the help:

$ vault
$ vault -help
$ vault help
usage: vault [-version] [-help] <command> [args]
[...]

Print the version:

$ vault version
$ vault -version
Vault v0.6.2-dev

Start the Dev Server:

$ vault server -dev
==> WARNING: Dev mode is enabled!
[...]
export VAULT_ADDR='http://127.0.0.1:8200'
[...]
Unseal Key: [...]
Root Token: [...]
[...]
==> Vault server started! Log data will stream in below:
[...]

Take note of the VAULT_ADDR value, the Unseal Key and Root Token.

Open another terminal and set the server address:

$ export VAULT_ADDR='http://127.0.0.1:8200'

Check the server status:

$ vault status
Sealed: false
Key Shares: 1
Key Threshold: 1
Unseal Progress: 0

High-Availability Enabled: false

Write a secret:

$ vault write secret/hello value=world
Success! Data written to: secret/hello

Read a secret:

$ vault read secret/hello
Key             	Value
---             	-----
refresh_interval	720h0m0s
value           	world

Delete a secret:

$ vault delete secret/hello
Success! Deleted 'secret/hello' if it existed.

Mount a backend:

$ vault mount generic
Successfully mounted 'generic' at 'generic'!

Inspect mounts:

$ vault mounts
Path        Type       Default TTL  Max TTL  Description
cubbyhole/  cubbyhole  n/a          n/a      per-token private secret storage
generic/    generic    system       system   
secret/     generic    system       system   generic secret storage
sys/        system     n/a          n/a      system endpoints used for control, policy and debugging

Unmount a backend:

$ vault unmount generic/
Successfully unmounted 'generic/'!

The next steps require an the $ACCESS_KEY_ID and $SECRET_ACCESS_KEY from an AWS account.

Mount the AWS backend:

$ vault mount aws
Successfully mounted 'aws' at 'aws'!

Configure the backend:

$ vault write aws/config/root\ 
  access_key=$ACCESS_KEY_ID \
  secret_key=$SECRET_ACCESS_KEY
Success! Data written to: aws/config/root

Create a role:

$ cat > ~/snap/vault/policy.json <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1426528957000",
      "Effect": "Allow",
      "Action": [
        "ec2:*"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
EOF
$ vault write aws/roles/deploy policy=@~/snap/vault/policy.json
Success! Data written to: aws/roles/deploy

Generate a secret:

$ vault read aws/creds/deploy
Key            	Value
---            	-----
lease_id       	aws/creds/deploy/[...]
lease_duration 	720h0m0s
lease_renewable	true
access_key     	[...]
secret_key      [...]
security_token 	<nil>

Take note of the lease_id.

Revoke a secret:

$ vault revoke aws/creds/deploy/$LEASE_ID
Success! Revoked the secret with ID 'aws/creds/deploy/[...]', if it existed.

Print the path help:

$ vault path-help aws
[...]

Create a token:

$ vault token-create
Key            	Value
---            	-----
token          	[...]
token_accessor  [...]
token_duration 	0
token_renewable	true
token_policies 	[root]

Take note of the token value.

Revoke a token:

$ vault token-revoke $TOKEN
Success! Token revoked if it existed.

Authenticate with a token: (using the Root Token that was printed when the dev server started)

$ vault auth $ROOT_TOKEN
Successfully authenticated! You are now logged in.
token: [...]
token_duration: 0
token_policies: [root]

The next step requires a GitHub account that's part of an ORGANIZATION and has a $PERSONAL_ACCESS_TOKEN with the user scope.

Authenticate with GitHub:

$ vault auth-enable github
Successfully enabled 'github' at 'github'!

$ vault write auth/github/config organization=$ORGANIZATION
Success! Data written to: auth/github/config

$ vault auth -method=github token=$PERSONAL_ACCESS_TOKEN
Successfully authenticated! You are now logged in.
The token below is already saved in the session. You do not
need to "vault auth" again with the token.
token: [...]
token_duration: 2592000
token_policies: [default]

Disable an authentication backend:

$ vault auth $ROOT_TOKEN
[...]
$ vault auth-disable github
Disabled auth provider at path 'github'!

Write a policy:

$ cat > ~/snap/vault/acl.hcl <<EOF
path "secret/*" {
  policy = "write"
}

path "secret/foo" {
  policy = "read"
}

path "auth/token/lookup-self" {
  policy = "read"
}
EOF

$ vault policy-write secret ~/snap/vault/acl.hcl
Policy 'secret' written.

Print policies:

$ vault policies
[...]
$ vault policies secret
[...]

Create a token for the policy:

$ vault token-create -policy="secret"
Key            	Value
---            	-----
token          	[...]
token_accessor 	[...]
token_duration 	720h0m0s
token_renewable	true
token_policies 	[default secret]

Take note of the token.

Authenticate:

$ vault auth $TOKEN
Successfully authenticated! You are now logged in.
token: [...]
token_duration: 2591912
token_policies: [default, secret]

Write to an allowed path:

$ vault write secret/bar value=yes
Success! Data written to: secret/bar

Try to write to a denied path:

$ vault write secret/foo value=yes
Error writing data to secret/foo: Error making API request.

URL: PUT http://127.0.0.1:8200/v1/secret/foo
Code: 403. Errors:

* permission denied

https://github.com/hashicorp/vault/blob/master/command/server/test-fixtures/config.hcl

https://www.amon.cx/blog/managing-all-secrets-with-vault/

https://www.vaultproject.io/docs/secrets/aws/