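#!/usr/bin/env bash
# Bring up a single Conjur Enterprise leader and a CLI container, then load a
# policy that defines two Okta authn-oidc authenticators (a UI flow and a CLI
# flow). Run from the directory that should receive ./seccomp.json and ./mfa-tmp.
set -eo pipefail
set -x

CONJUR_IMAGE=registry.tld/conjur-appliance:5.0-stable
TEMP_DIRECTORY="$PWD/mfa-tmp"

# mkdir -p creates the parent as well, so one call covers both directories.
mkdir -p -- "$TEMP_DIRECTORY/policy"

# The admin password is read back further down; keep it out of the xtrace
# output and readable only by the current user.
set +x
printf '%s\n' 'MyP@ssword1!!!' > "$TEMP_DIRECTORY/admin_password"
chmod 600 -- "$TEMP_DIRECTORY/admin_password"
set -x

# Quoted delimiter: the policy contains no shell expansions, so it is written
# verbatim. Each authenticator gets its own webservice, variables and groups;
# the two grants at the end put the single user into both "users" groups.
cat <<'POLICY' > "$TEMP_DIRECTORY/policy/app.yaml"
- !user ellis.wright@cyberark.com

- !policy
  id: conjur/authn-oidc/okta
  body:
  - !webservice
  - !webservice status
  - !variable token-ttl
  - !variable provider-uri
  - !variable client-id
  - !variable client-secret
  - !variable redirect_uri
  - !variable claim-mapping
  - !variable state
  - !variable nonce
  - !group users
  - !permit
    role: !group users
    privilege: [ read, authenticate ]
    resource: !webservice
  - !group operators
  - !permit
    role: !group operators
    privilege: [ read ]
    resource: !webservice status

- !policy
  id: conjur/authn-oidc/okta-cli
  body:
  - !webservice
  - !webservice status
  - !variable token-ttl
  - !variable provider-uri
  - !variable client-id
  - !variable client-secret
  - !variable redirect_uri
  - !variable claim-mapping
  - !variable state
  - !variable nonce
  - !group users
  - !permit
    role: !group users
    privilege: [ read, authenticate ]
    resource: !webservice
  - !group operators
  - !permit
    role: !group operators
    privilege: [ read ]
    resource: !webservice status

- !grant
  members:
  - !user ellis.wright@cyberark.com
  role: !group conjur/authn-oidc/okta/users

- !grant
  members:
  - !user ellis.wright@cyberark.com
  role: !group conjur/authn-oidc/okta-cli/users
POLICY

docker network create conjur

# Extract the seccomp profile shipped inside the appliance image and start the
# leader with it applied.
docker run --rm --entrypoint "/bin/cat" "$CONJUR_IMAGE" \
  /usr/share/doc/conjur/examples/seccomp.json > ./seccomp.json

docker run \
  --name conjur-leader \
  --detach \
  --restart=unless-stopped \
  --network conjur \
  --publish 443:443 \
  --security-opt seccomp=seccomp.json \
  --volume "$TEMP_DIRECTORY/seed:/seed" \
  "$CONJUR_IMAGE"

# The password is handed to evoke and to the CLI on argv (as before), so it is
# visible to `ps` on the host while those commands run; tracing is switched
# off around them so it at least does not land in the script's log.
set +x
admin_password=$(<"$TEMP_DIRECTORY/admin_password")
docker exec conjur-leader evoke configure master \
  --hostname=conjur-leader \
  --accept-eula \
  --admin-password="$admin_password" \
  my-org
set -x

# CLI: initialise the CLI configuration against the leader, then log in as admin.
docker run -dit --rm \
  --network conjur \
  --volume "$TEMP_DIRECTORY/cli-leader:/root" \
  --name conjur_init \
  cyberark/conjur-cli:5
# NOTE(review): `-it` requires a terminal on stdin, so this step presumably
# assumes an interactive run — confirm before wiring the script into CI.
# The piped `yes` presumably auto-answers the leader's certificate-trust prompt
# (trust on first use), which is acceptable only for a throw-away lab.
docker exec -it conjur_init bash -c 'yes "yes" | conjur init --account=my-org --url=https://conjur-leader'
docker stop conjur_init

set +x
docker run --rm \
  --network conjur \
  --volume "$TEMP_DIRECTORY/cli-leader:/root" \
  cyberark/conjur-cli:5 \
  authn login \
  --username=admin \
  --password="$admin_password"
set -x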
#######################################
# Run one conjur CLI command in a throw-away container that shares the
# logged-in CLI state and the policy directory with the host.
# Globals:   TEMP_DIRECTORY (read) - holds cli-leader/ (CLI config and login
#            state) and policy/ (policy files)
# Arguments: $1 - the whole CLI command line as one string; it is deliberately
#                 left unquoted so the shell splits it into separate arguments
#                 (values containing whitespace therefore cannot be passed)
# Outputs:   whatever the CLI writes to stdout/stderr
# Returns:   the container's exit status
#######################################
cli_exec() {
  local cli_cmd=$1
  local -a run_args=(
    --rm
    --network conjur
    --volume "$TEMP_DIRECTORY/cli-leader:/root"
    --volume "$TEMP_DIRECTORY/policy:/policy"
  )
  # shellcheck disable=SC2086 -- callers pass the complete command as one word
  docker run "${run_args[@]}" cyberark/conjur-cli:5 $cli_cmd
}
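# Load the app policy
cli_exec 'policy load root /policy/app.yaml'

# Okta application settings. CLIENT_ID / CLIENT_SECRET may be exported in the
# environment before running the script; otherwise the placeholders below are
# loaded verbatim, so fill them in (or export them) before a real run.
PROVIDER_URI="https://dev-66055106.okta.com/oauth2/default"
CLIENT_ID="${CLIENT_ID:-<id here>}"
CLIENT_SECRET="${CLIENT_SECRET:-<secret here>}"
UI_REDIRECT_URI="https://localhost/ui/authn-oidc/okta/callback"
CLI_REDIRECT_URL="http://127.0.0.1:8888/callback"

#######################################
# Populate the variables of one authn-oidc authenticator policy.
# Globals:   PROVIDER_URI, CLIENT_ID, CLIENT_SECRET (read)
# Arguments: $1 - policy id of the authenticator (e.g. conjur/authn-oidc/okta)
#            $2 - redirect URI registered with Okta for this flow
#            $3 - token TTL as an ISO-8601 duration (e.g. PT5M)
# Returns:   the status of the first failing cli_exec (set -e then stops the
#            script); 0 when every variable was loaded
#######################################
load_oidc_vars() {
  local authn_id=$1 redirect_uri=$2 token_ttl=$3
  local shell_flags=$-
  cli_exec "variable values add $authn_id/provider-uri $PROVIDER_URI"
  cli_exec "variable values add $authn_id/client-id $CLIENT_ID"
  # Keep the client secret out of the xtrace output. It is still passed on the
  # container's argv, exactly as the other variable values are; the tracing
  # state is restored to whatever it was on entry.
  set +x
  cli_exec "variable values add $authn_id/client-secret $CLIENT_SECRET"
  if [[ $shell_flags == *x* ]]; then set -x; fi
  cli_exec "variable values add $authn_id/redirect_uri $redirect_uri"
  cli_exec "variable values add $authn_id/claim-mapping email"
  cli_exec "variable values add $authn_id/token-ttl $token_ttl"
}

# Load the UI variables, then the CLI variables (same order as before: the two
# authenticators differ only in redirect URI and token TTL).
load_oidc_vars conjur/authn-oidc/okta "$UI_REDIRECT_URI" PT5M
load_oidc_vars conjur/authn-oidc/okta-cli "$CLI_REDIRECT_URL" PT1M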