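#!/usr/bin/env bash
#
# Stand up a single Conjur Enterprise leader in Docker, initialise a CLI
# container against it, and prepare an Okta OIDC authenticator policy.
#
# Assumptions (not checked here): docker is on PATH and usable by the current
# user, $PWD is writable, and host port 443 is free.
#
# `set -x` is kept for the command trace, but it is switched off around every
# command that carries the admin password, otherwise the trace prints the
# expanded secret to stderr (and to any log that captures it).
set -euo pipefail
set -x

readonly CONJUR_IMAGE=registry.tld/conjur-appliance:5.0-stable
readonly TEMP_DIRECTORY="$PWD/mfa-tmp"

mkdir -p -- "$TEMP_DIRECTORY" "$TEMP_DIRECTORY/policy"

# The admin password stays on disk for the rest of the bootstrap, so create
# the file owner-only; the chmod covers a file left over from an earlier run.
set +x
(
  umask 077
  printf '%s\n' 'MyP@ssword1!!!' > "$TEMP_DIRECTORY/admin_password"
)
chmod 600 -- "$TEMP_DIRECTORY/admin_password"
set -x

# Policy: one human user plus two authn-oidc authenticators (UI and CLI),
# each with its own variables, a `users` group allowed to authenticate and an
# `operators` group allowed to read the status webservice. The delimiter is
# quoted so nothing inside the policy is subject to shell expansion.
cat <<'POLICY' > "$TEMP_DIRECTORY/policy/app.yaml"
- !user ellis.wright@cyberark.com

- !policy
  id: conjur/authn-oidc/okta
  body:
    - !webservice
    - !webservice status
    - !variable token-ttl
    - !variable provider-uri
    - !variable client-id
    - !variable client-secret
    - !variable redirect_uri
    - !variable claim-mapping
    - !variable state
    - !variable nonce
    - !group users
    - !permit
      role: !group users
      privilege: [ read, authenticate ]
      resource: !webservice
    - !group operators
    - !permit
      role: !group operators
      privilege: [ read ]
      resource: !webservice status

- !policy
  id: conjur/authn-oidc/okta-cli
  body:
    - !webservice
    - !webservice status
    - !variable token-ttl
    - !variable provider-uri
    - !variable client-id
    - !variable client-secret
    - !variable redirect_uri
    - !variable claim-mapping
    - !variable state
    - !variable nonce
    - !group users
    - !permit
      role: !group users
      privilege: [ read, authenticate ]
      resource: !webservice
    - !group operators
    - !permit
      role: !group operators
      privilege: [ read ]
      resource: !webservice status

- !grant
  members:
    - !user ellis.wright@cyberark.com
  role: !group conjur/authn-oidc/okta/users

- !grant
  members:
    - !user ellis.wright@cyberark.com
  role: !group conjur/authn-oidc/okta-cli/users
POLICY

docker network create conjur

# The appliance image ships its own seccomp profile; copy it out so the
# leader container can be started with it. The path given to --security-opt
# is relative to the docker CLI's working directory, i.e. $PWD here.
docker run --rm --entrypoint /bin/cat "$CONJUR_IMAGE" \
  /usr/share/doc/conjur/examples/seccomp.json > ./seccomp.json
docker run \
  --name conjur-leader \
  --detach \
  --restart=unless-stopped \
  --network conjur \
  --publish 443:443 \
  --security-opt seccomp=seccomp.json \
  --volume "$TEMP_DIRECTORY/seed:/seed" \
  "$CONJUR_IMAGE"

# Trace off: the expanded --admin-password argument must not be echoed.
# The password is still visible in the host's process list for the lifetime
# of this docker exec; evoke offers no stdin alternative that is used here.
set +x
docker exec conjur-leader evoke configure master \
  --hostname=conjur-leader \
  --accept-eula \
  --admin-password="$(<"$TEMP_DIRECTORY/admin_password")" \
  my-org
set -x

# CLI: run a throw-away container once so that `conjur init` writes its
# configuration and the leader's certificate into the mounted home directory;
# every later CLI call mounts the same directory and reuses that state.
# NOTE(review): `-t` allocates a TTY, so this line fails when the script is
# run without one (e.g. from CI); drop `-t` if that matters — confirm.
docker run -dit --rm \
  --network conjur \
  --volume "$TEMP_DIRECTORY/cli-leader:/root" \
  --name conjur_init \
  cyberark/conjur-cli:5
docker exec -it conjur_init bash -c 'yes "yes" | conjur init --account=my-org --url=https://conjur-leader'
docker stop conjur_init

# Trace off for the same reason as above: --password would be echoed.
set +x
docker run --rm \
  --network conjur \
  --volume "$TEMP_DIRECTORY/cli-leader:/root" \
  cyberark/conjur-cli:5 \
  authn login \
  --username=admin \
  --password="$(<"$TEMP_DIRECTORY/admin_password")"
set -x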
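#######################################
# Run one conjur CLI command in a throw-away container that shares the
# initialised CLI home directory (configuration, certificate, session) and
# the directory holding the policy files.
# Globals:   TEMP_DIRECTORY (read)
# Arguments: $1 - the whole CLI command line as ONE string; it is split on
#                 whitespace into separate arguments, as the callers in this
#                 file expect (e.g. 'policy load root /policy/app.yaml').
# Outputs:   whatever the CLI prints
# Returns:   the exit status of `docker run`
#######################################
cli_exec() {
  local -a cli_args
  # Split $1 on whitespace the way the old unquoted expansion did, but via
  # `read` so that an argument containing glob characters (a client secret
  # with '*' or '?', say) is never expanded against files in $PWD.
  read -r -a cli_args <<< "$1"
  # Every argument, secrets included, is still visible in the host process
  # list for the lifetime of the container; the callers accept that.
  docker run --rm \
    --network conjur \
    --volume "$TEMP_DIRECTORY/cli-leader:/root" \
    --volume "$TEMP_DIRECTORY/policy:/policy" \
    cyberark/conjur-cli:5 "${cli_args[@]}"
}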
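# Load the app policy
cli_exec 'policy load root /policy/app.yaml'

# Okta application settings. CLIENT_ID and CLIENT_SECRET are placeholders
# that must be edited before running; they are checked below so the literal
# placeholder text is never stored in Conjur.
readonly PROVIDER_URI="https://dev-66055106.okta.com/oauth2/default"
readonly CLIENT_ID="<id here>"
readonly CLIENT_SECRET="<secret here>"
readonly UI_REDIRECT_URI="https://localhost/ui/authn-oidc/okta/callback"
readonly CLI_REDIRECT_URL="http://127.0.0.1:8888/callback"

for placeholder_var in CLIENT_ID CLIENT_SECRET; do
  if [[ "${!placeholder_var}" == '<'*'here>' ]]; then
    printf 'error: %s still holds its placeholder value; edit the script first\n' \
      "$placeholder_var" >&2
    exit 1
  fi
done

#######################################
# Populate one authn-oidc authenticator's variables.
# Globals:   PROVIDER_URI, CLIENT_ID, CLIENT_SECRET (read)
# Arguments: $1 - authenticator policy id (e.g. conjur/authn-oidc/okta)
#            $2 - redirect URI registered with Okta for that client
#            $3 - token TTL as an ISO-8601 duration (e.g. PT5M)
# Returns:   non-zero (and, under set -e, exits) if any cli_exec fails
# Note: cli_exec splits its argument on whitespace, so a value containing
#       spaces cannot be passed through this helper.
#######################################
load_oidc_variables() {
  local -r authn=$1 redirect=$2 ttl=$3
  cli_exec "variable values add $authn/provider-uri $PROVIDER_URI"
  cli_exec "variable values add $authn/client-id $CLIENT_ID"
  # Trace off: the script runs with set -x and the expanded command line
  # would otherwise print the client secret.
  set +x
  cli_exec "variable values add $authn/client-secret $CLIENT_SECRET"
  set -x
  cli_exec "variable values add $authn/redirect_uri $redirect"
  cli_exec "variable values add $authn/claim-mapping email"
  cli_exec "variable values add $authn/token-ttl $ttl"
}

# Load the UI variables
load_oidc_variables conjur/authn-oidc/okta "$UI_REDIRECT_URI" PT5M
# Load the CLI variables
load_oidc_variables conjur/authn-oidc/okta-cli "$CLI_REDIRECT_URL" PT1M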