telday/selective-replication-test.sh

## selective-replication-test.sh
#!/usr/bin/env bash
set -ex

echo 'MyP@ssword1!!!' > admin_password

git clone git@github.com:conjurinc/appliance.git
pushd appliance
  summon --environment artifactory ./bin/build-appliance-image
popd

CONJUR_IMAGE="$(<appliance/NAME):$(<appliance/TAG)"
rm -rf appliance

mkdir policy

cat <<APP > policy/app.yaml
- !variable us-only
- !host us-based-app

- !permit
  resource: !variable us-only
  role: !host us-based-app
  privileges: [ read, execute ]
APP

cat <<-USREPLICATION > policy/permit-us-replication.yaml
- !permit
  resource: !variable us-only
  role: !group
    account: system
    id: conjur/replication-sets/us/replicated-data
  privileges: [ read, execute ]
USREPLICATION

setup(){
  docker run --rm --entrypoint "/bin/cat" $CONJUR_IMAGE /usr/share/doc/conjur/examples/seccomp.json > ./seccomp.json

  docker network create conjur
  mkdir -p seed

  docker run \
    --name conjur-leader \
    --network conjur \
    --detach \
    --restart=unless-stopped \
    --security-opt seccomp=seccomp.json \
    --volume "$PWD/seed:/seed" \
    $CONJUR_IMAGE

  docker run \
    --name conjur-follower-us \
    --network conjur \
    --detach \
    --restart=unless-stopped \
    --security-opt seccomp=seccomp.json \
    --volume "$PWD/seed:/seed" \
    $CONJUR_IMAGE

  docker exec conjur-leader evoke configure master \
    --hostname=conjur-leader \
    --accept-eula \
    --admin-password="$(<admin_password)" \
    my-org

  docker exec conjur-leader evoke replication-set list
  docker exec conjur-leader curl -k https://localhost/health | jq

  # CLI container
  docker run -it --rm \
    --network conjur \
    --volume "$PWD/cli-leader:/root" \
    cyberark/conjur-cli:5 \
    init \
    --account=my-org \
    --url=https://conjur-leader

  docker run --rm \
    --network conjur \
    --volume "$PWD/cli-leader:/root" \
    cyberark/conjur-cli:5 \
    authn login \
    --username=admin \
    --password="$(<admin_password)"

  docker run --rm \
    --network conjur \
    --volume "$PWD/cli-leader:/root" \
    --volume "$PWD/policy:/policy" \
    cyberark/conjur-cli:5 \
    policy load root /policy/app.yaml
}

create_replication_sets(){
  docker exec conjur-leader evoke replication-set create us
  docker exec conjur-leader evoke replication-set list
  docker exec conjur-leader curl -k https://localhost/health | jq

  docker run --rm \
    --network conjur \
    --volume "$PWD/cli-leader:/root" \
    --volume "$PWD/policy:/policy" \
    cyberark/conjur-cli:5 \
    policy load root /policy/permit-us-replication.yaml

  # This will list resources that will replicate
  docker exec conjur-leader bash -c $'
    chpst -u conjur psql -c "
      SELECT resource_id
      FROM resources
      WHERE is_role_allowed_to(
        \'system:group:conjur/replication-sets/us/replicated-data\',
        \'read\',
        resource_id
      );"
  '
}

create_us_replication_follower(){
  docker exec conjur-leader bash -c 'evoke seed follower --replication-set us conjur-follower-us > /seed/follower-us.tar'
  docker exec conjur-follower-us evoke unpack seed /seed/follower-us.tar
  docker exec conjur-follower-us evoke configure follower
  docker exec conjur-follower-us curl -k https://localhost/health | jq
}

init_follower_cli_container(){
  # Init follower cli container
  docker run -it --rm \
    --network conjur \
    --volume "$PWD/cli-us:/root" \
    cyberark/conjur-cli:5 \
    init \
    --account=my-org \
    --url=https://conjur-follower-us

  docker run --rm \
    --network conjur \
    --volume "$PWD/cli-us:/root" \
    cyberark/conjur-cli:5 \
    authn login \
    --username=admin \
    --password="$(<admin_password)"
}

follower_cli_exec(){
  docker run -it --rm \
    --network conjur \
    --volume "$PWD/cli-us:/root" \
    cyberark/conjur-cli:5 $1
}

set_secret_values(){
  docker run --rm \
    --network conjur \
    --volume "$PWD/cli-leader:/root" \
    cyberark/conjur-cli:5 \
    variable values add \
    us-only \
    'us-data'

  # Retrieve the secret value from follower
  follower_cli_exec 'variable value us-only'
}

setup
create_replication_sets
create_us_replication_follower
init_follower_cli_container
set_secret_values

docker exec conjur-leader evoke replication-set delete -f us

follower_cli_exec 'variable value us-only'
sleep 300
follower_cli_exec 'variable value us-only'
	#!/usr/bin/env bash
	set -ex

	echo 'MyP@ssword1!!!' > admin_password

	git clone git@github.com:conjurinc/appliance.git
	pushd appliance
	summon --environment artifactory ./bin/build-appliance-image
	popd

	CONJUR_IMAGE="$(<appliance/NAME):$(<appliance/TAG)"
	rm -rf appliance

	mkdir policy

	cat <<APP > policy/app.yaml
	- !variable us-only
	- !host us-based-app

	- !permit
	resource: !variable us-only
	role: !host us-based-app
	privileges: [ read, execute ]
	APP

	cat <<-USREPLICATION > policy/permit-us-replication.yaml
	- !permit
	resource: !variable us-only
	role: !group
	account: system
	id: conjur/replication-sets/us/replicated-data
	privileges: [ read, execute ]
	USREPLICATION

	setup(){
	docker run --rm --entrypoint "/bin/cat" $CONJUR_IMAGE /usr/share/doc/conjur/examples/seccomp.json > ./seccomp.json

	docker network create conjur
	mkdir -p seed

	docker run \
	--name conjur-leader \
	--network conjur \
	--detach \
	--restart=unless-stopped \
	--security-opt seccomp=seccomp.json \
	--volume "$PWD/seed:/seed" \
	$CONJUR_IMAGE

	docker run \
	--name conjur-follower-us \
	--network conjur \
	--detach \
	--restart=unless-stopped \
	--security-opt seccomp=seccomp.json \
	--volume "$PWD/seed:/seed" \
	$CONJUR_IMAGE

	docker exec conjur-leader evoke configure master \
	--hostname=conjur-leader \
	--accept-eula \
	--admin-password="$(<admin_password)" \
	my-org

	docker exec conjur-leader evoke replication-set list
	docker exec conjur-leader curl -k https://localhost/health \| jq

	# CLI container
	docker run -it --rm \
	--network conjur \
	--volume "$PWD/cli-leader:/root" \
	cyberark/conjur-cli:5 \
	init \
	--account=my-org \
	--url=https://conjur-leader

	docker run --rm \
	--network conjur \
	--volume "$PWD/cli-leader:/root" \
	cyberark/conjur-cli:5 \
	authn login \
	--username=admin \
	--password="$(<admin_password)"

	docker run --rm \
	--network conjur \
	--volume "$PWD/cli-leader:/root" \
	--volume "$PWD/policy:/policy" \
	cyberark/conjur-cli:5 \
	policy load root /policy/app.yaml
	}

	create_replication_sets(){
	docker exec conjur-leader evoke replication-set create us
	docker exec conjur-leader evoke replication-set list
	docker exec conjur-leader curl -k https://localhost/health \| jq

	docker run --rm \
	--network conjur \
	--volume "$PWD/cli-leader:/root" \
	--volume "$PWD/policy:/policy" \
	cyberark/conjur-cli:5 \
	policy load root /policy/permit-us-replication.yaml

	# This will list resources that will replicate
	docker exec conjur-leader bash -c $'
	chpst -u conjur psql -c "
	SELECT resource_id
	FROM resources
	WHERE is_role_allowed_to(
	\'system:group:conjur/replication-sets/us/replicated-data\',
	\'read\',
	resource_id
	);"
	'
	}

	create_us_replication_follower(){
	docker exec conjur-leader bash -c 'evoke seed follower --replication-set us conjur-follower-us > /seed/follower-us.tar'
	docker exec conjur-follower-us evoke unpack seed /seed/follower-us.tar
	docker exec conjur-follower-us evoke configure follower
	docker exec conjur-follower-us curl -k https://localhost/health \| jq
	}

	init_follower_cli_container(){
	# Init follower cli container
	docker run -it --rm \
	--network conjur \
	--volume "$PWD/cli-us:/root" \
	cyberark/conjur-cli:5 \
	init \
	--account=my-org \
	--url=https://conjur-follower-us

	docker run --rm \
	--network conjur \
	--volume "$PWD/cli-us:/root" \
	cyberark/conjur-cli:5 \
	authn login \
	--username=admin \
	--password="$(<admin_password)"
	}

	follower_cli_exec(){
	docker run -it --rm \
	--network conjur \
	--volume "$PWD/cli-us:/root" \
	cyberark/conjur-cli:5 $1
	}

	set_secret_values(){
	docker run --rm \
	--network conjur \
	--volume "$PWD/cli-leader:/root" \
	cyberark/conjur-cli:5 \
	variable values add \
	us-only \
	'us-data'

	# Retrieve the secret value from follower
	follower_cli_exec 'variable value us-only'
	}

	setup
	create_replication_sets
	create_us_replication_follower
	init_follower_cli_container
	set_secret_values

	docker exec conjur-leader evoke replication-set delete -f us

	follower_cli_exec 'variable value us-only'
	sleep 300
	follower_cli_exec 'variable value us-only'