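#!/bin/bash
# Dev-only harness: brings up two local Vault clusters backed by a local Consul,
# wires them up as replication primary/secondary and exercises generate-root and
# token usage across active/standby nodes. Everything runs from ./dev.
#
# -a exports every assignment into the environment of each child process and
# -x traces every command to stderr, so the unseal keys and root tokens created
# later in this script end up in the trace output and in every child's
# environment. That is tolerable for a throwaway local setup only; drop -x (or
# send stderr somewhere safe) before reusing this anywhere else.
# -o pipefail makes the `vault ... | jq ...` extractions below fail loudly
# instead of silently yielding empty values when the vault call fails.
set -aex -o pipefail
cd dev || exit 1
# Hard-kill any leftover vault processes from a previous run; no-op if none.
pkill -9 vault || true
sleep 5s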
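# Run the vault CLI against cluster 1's node on 127.0.0.1:8211.
# Arguments: passed through to vault unchanged (quoted so arguments containing
#            spaces are not re-split).
vault11() {
  VAULT_ADDR=http://127.0.0.1:8211 vault "$@"
}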
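# Run the vault CLI against a node on 127.0.0.1:8212 (no config for this port
# is written by this script; the helper is kept for parity with the others).
# Arguments: passed through to vault unchanged.
vault12() {
  VAULT_ADDR=http://127.0.0.1:8212 vault "$@"
}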
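# Run the vault CLI against cluster 2's first node on 127.0.0.1:8221.
# Arguments: passed through to vault unchanged.
vault21() {
  VAULT_ADDR=http://127.0.0.1:8221 vault "$@"
}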
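# Run the vault CLI against cluster 2's second node on 127.0.0.1:8224
# (the port used by config/consul22.hcl).
# Arguments: passed through to vault unchanged.
vault22() {
  VAULT_ADDR=http://127.0.0.1:8224 vault "$@"
}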
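# Identical to vault11: vault CLI against 127.0.0.1:8211. Not used below.
# Arguments: passed through to vault unchanged.
vault11n() {
  VAULT_ADDR=http://127.0.0.1:8211 vault "$@"
}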
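# Identical to vault12: vault CLI against 127.0.0.1:8212. Not used below.
# Arguments: passed through to vault unchanged.
vault12n() {
  VAULT_ADDR=http://127.0.0.1:8212 vault "$@"
}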
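# Identical to vault21: vault CLI against 127.0.0.1:8221. Not used below.
# Arguments: passed through to vault unchanged.
vault21n() {
  VAULT_ADDR=http://127.0.0.1:8221 vault "$@"
}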
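# Identical to vault22: vault CLI against 127.0.0.1:8224. Not used below.
# Arguments: passed through to vault unchanged.
vault22n() {
  VAULT_ADDR=http://127.0.0.1:8224 vault "$@"
}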
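# Plugin directory baked into every config. Defaults to the author's local
# checkout; set PLUGIN_DIR to run this harness from another machine.
plugin_dir=${PLUGIN_DIR:-/Users/vishal/go/src/github.com/hashicorp/vault/plugin-dir}

#######################################
# Write one dev Vault server config (Consul storage, plaintext TCP listener).
# The three configs written below differ only in the Consul KV path and the
# local port, so they are generated from a single template.
# Globals:   plugin_dir (read)
# Arguments: $1 - output file
#            $2 - Consul KV path prefix for the cluster ("vault1"/"vault2")
#            $3 - local port used for both the TCP listener and api_addr
# Outputs:   overwrites $1
#######################################
write_vault_config() {
  local out=$1 kv_path=$2 port=$3
  # token = "test" (Consul ACL token) and tls_disable = true are dev-only
  # settings: the listener is plaintext HTTP on loopback.
  cat > "$out" <<EOF
storage "consul" {
path = "$kv_path"
address = "127.0.0.1:8500"
scheme = "http"
token = "test"
}
listener "tcp" {
address = "127.0.0.1:$port"
tls_disable = true
}
plugin_directory = "$plugin_dir"
disable_mlock = "true"
api_addr = "http://127.0.0.1:$port"
default_lease_ttl = "300h"
max_lease_ttl = "500h"
EOF
}

# Cluster 1 is a single node (8211). Cluster 2 has two nodes (8221, 8224)
# that share the "vault2" Consul path and therefore form one cluster.
write_vault_config config/consul11.hcl vault1 8211
write_vault_config config/consul21.hcl vault2 8221
write_vault_config config/consul22.hcl vault2 8224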
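# --- first boot: initialise both clusters, seed identity data on cluster 1,
# then stop both servers so the replication run below starts clean ---

# Unseal keys and root tokens are persisted to plain files in the working
# directory for the later steps; make sure nothing created from here on is
# readable by other users (this also covers the trace-level log files).
umask 077
rm -f /tmp/consul11.log /tmp/consul12.log /tmp/consul21.log
# Each node logs to the file matching its config (vault11 -> consul11.log);
# the original redirect to consul12.log did not match the file removed above.
vault11 server -config config/consul11.hcl -log-level trace > /tmp/consul11.log 2>&1 &
vault21 server -config config/consul21.hcl -log-level trace > /tmp/consul21.log 2>&1 &
sleep 5s

# A single key share with threshold 1 keeps the harness simple; it is a
# dev-only choice, not something to copy into a real deployment.
initResult=$(vault11 operator init -format json -key-shares 1 -key-threshold 1)
unsealKey1=$(jq -r '.unseal_keys_b64[0]' <<<"$initResult")
rootToken1=$(jq -r '.root_token' <<<"$initResult")
printf '%s' "$unsealKey1" > unsealKey1
printf '%s' "$rootToken1" > rootToken1
# Passing the key as an argument exposes it in `ps` and in the -x trace;
# `vault operator unseal -` reads it from stdin instead if that matters.
vault11 operator unseal "$(cat unsealKey1)"
sleep 5s
vault11 login "$(cat rootToken1)"

initResult=$(vault21 operator init -format json -key-shares 1 -key-threshold 1)
unsealKey2=$(jq -r '.unseal_keys_b64[0]' <<<"$initResult")
rootToken2=$(jq -r '.root_token' <<<"$initResult")
printf '%s' "$unsealKey2" > unsealKey2
printf '%s' "$rootToken2" > rootToken2
vault21 operator unseal "$(cat unsealKey2)"

# Seed cluster 1 with a userpass user and an identity entity + alias so the
# replicated data has something to verify against later.
vault11 auth enable userpass
accessor=$(vault11 auth list -format json | jq -r '.["userpass/"].accessor')
vault11 write auth/userpass/users/vishal password=nayak
# The first login creates the entity that the alias below is attached to.
vault11 write auth/userpass/login/vishal password=nayak
# Takes the first listed entity id: assumes this login is the only entity on
# the freshly initialised cluster.
entityID=$(vault11 list -format json identity/entity/id | jq -r '.[0]')
vault11 write identity/entity-alias canonical_id="$entityID" mount_accessor="$accessor" name=Vishal
sleep 5s
# Graceful stop (SIGTERM) this time, unlike the -9 at startup.
pkill vault
sleep 5s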
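# --- second boot: unseal from the saved keys, make cluster 1 the replication
# primary and cluster 2 its secondary, then mint a fresh root token on the
# secondary via generate-root ---
rm -f /tmp/consul11.log /tmp/consul12.log /tmp/consul21.log
# Log file names follow the config names (vault11 -> consul11.log).
vault11 server -config config/consul11.hcl -log-level trace > /tmp/consul11.log 2>&1 &
vault21 server -config config/consul21.hcl -log-level trace > /tmp/consul21.log 2>&1 &
sleep 5s
vault11 operator unseal "$(cat unsealKey1)"
vault21 operator unseal "$(cat unsealKey2)"

vault11 write -f sys/replication/primary/enable
# The secondary activation token is a wrapping token; it is handed to the
# secondary on the command line below and so also appears in the -x trace.
secondaryToken=$(vault11 write -field wrapping_token sys/replication/primary/secondary-token id=asdf)
VAULT_TOKEN=$(cat rootToken2) vault21 write sys/replication/secondary/enable token="$secondaryToken"
sleep 10s

# generate-root on the secondary is driven with cluster 1's unseal key, and
# cluster 2's standby is unsealed with that same key later in the script:
# after replication is enabled the secondary appears to be on the primary's
# keyring, so a new root token for it is produced here.
grResult=$(vault21 operator generate-root -format json -init)
grNonce=$(jq -r '.nonce' <<<"$grResult")
grOTP=$(jq -r '.otp' <<<"$grResult")
# As with unseal, the key on argv is visible in `ps` and the -x trace.
grResult=$(vault21 operator generate-root -nonce "$grNonce" -format json "$unsealKey1")
eToken=$(jq -r '.encoded_token' <<<"$grResult")
# NOTE(review): the next line stores the decode output as the bare token even
# though -format json is requested; the later `vault21 login "$(cat rootToken2)"`
# relies on that — confirm against the vault version in use.
rootToken2=$(vault21 operator generate-root -format json -decode "$eToken" -otp "$grOTP")
printf '%s' "$rootToken2" > rootToken2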
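# --- verification: the new root token and userpass-issued tokens must be
# usable on the secondary's active node (vault21) and on a freshly started
# standby of the same cluster (vault22) ---
# Note: every `vault login` stores the token through the CLI token helper
# (~/.vault-token by default), so each call overwrites the previously saved one.

# Check if the root token can be used by the secondary's active node
vault21 login "$(cat rootToken2)"

vault22 server -config config/consul22.hcl -log-level trace > /tmp/consul22.log 2>&1 &
sleep 5s
# The standby is unsealed with cluster 1's key, not unsealKey2: once replication
# is enabled the secondary cluster appears to use the primary's keyring.
vault22 operator unseal "$(cat unsealKey1)"
sleep 5s
vault22 status
# Check if the root token can be used by the secondary's standby node
vault22 login "$(cat rootToken2)"

# Create a token from the standby and use it on both active and standby
token=$(vault22 write -format json auth/userpass/login/vishal password=nayak | jq -r '.auth.client_token')
vault22 login "$token"
vault21 login "$token"
# Create a token from the leader and use it on both active and standby
token=$(vault21 write -format json auth/userpass/login/vishal password=nayak | jq -r '.auth.client_token')
vault22 login "$token"
vault21 login "$token"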