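#!/bin/bash
# Stand up a throw-away, in-memory Vault server and wire up a control-group
# demo: reads of kv/secret need one approval from a member of the "approver"
# identity group, and a Sentinel EGP stops a requester from approving their own
# request. Control groups and Sentinel are Vault Enterprise features.
#
# Requirements: vault, jq, nc on PATH.
# Env: VAULT_ADDR is optional and defaults to the listener configured below.
#
# The server is left running in the background when the script exits; storage
# is "inmem", so nothing survives a restart.
set -euo pipefail
# `set -x` is intentionally not used: the trace would write the unseal key,
# the root token and every user token to stderr. `set -a` is not needed
# either — tokens are passed per command via VAULT_TOKEN=... below.

die() { printf '%s\n' "$*" >&2; exit 1; }

for tool in vault jq nc; do
  command -v "$tool" >/dev/null || die "required tool not found: $tool"
done

# Replace any Vault left over from a previous run (kills every "vault" process
# of this user, not just one started by this script).
pkill -9 vault || true
sleep 2s

# Per-run scratch directory rather than fixed, predictable names in /tmp.
workdir=$(mktemp -d) || die "mktemp failed"
readonly workdir
printf 'vault config/log/pid directory: %s\n' "$workdir"

cat >"$workdir/config.hcl" <<EOF
storage "inmem" {}
listener "tcp" {
address = "127.0.0.1:8200"
tls_disable = "true"
}
api_addr = "http://127.0.0.1:8200"
pid_file = "$workdir/vault.pid"
EOF

vault server -config "$workdir/config.hcl" >"$workdir/config.log" 2>&1 &

# The listener is plain HTTP; without this the CLI defaults to https://127.0.0.1:8200.
export VAULT_ADDR="${VAULT_ADDR:-http://127.0.0.1:8200}"

# Wait for the listener, but give up with the server log instead of looping forever.
ready=0
for (( attempt = 0; attempt < 30; attempt++ )); do
  if nc -w 1 localhost 8200 </dev/null; then
    ready=1
    break
  fi
  sleep 1
done
(( ready )) || { cat "$workdir/config.log" >&2; die "vault did not start listening on 127.0.0.1:8200"; }

# Single key share so the demo can unseal with one key.
initResponse=$(vault operator init -format=json -key-shares 1 -key-threshold 1)
unsealKey=$(jq -r '.unseal_keys_b64[0]' <<<"$initResponse")
rootToken=$(jq -r '.root_token' <<<"$initResponse")
vault operator unseal "$unsealKey"
sleep 3s
# Persists the root token to ~/.vault-token so the setup below (and any
# interactive use afterwards) runs as root.
vault login "$rootToken"

# Reader: may read kv/secret only after one approval from the "approver" group.
vault policy write admin-reader - <<'EOF'
path "sys/policies/acl/admin-reader" {
capabilities = [ "read" ]
}
path "kv/secret" {
capabilities = [ "update", "list", "read", "delete" ]
control_group = {
factor "authorizer" {
identity {
approvals= 1
group_names= [ "approver" ]
}
}
}
}
EOF

# Writer: may create/update kv/secret without approval.
vault policy write admin-writer - <<'EOF'
path "kv/secret" {
capabilities = [ "create", "update", "list" ]
}
path "sys/policies/acl/admin-writer" {
capabilities = [ "read" ]
}
EOF

# Approvers: may authorize control-group requests and query their status.
vault policy write approvers-policy - <<'EOF'
# To approve the request
path "sys/control-group/authorize" {
capabilities = ["create", "update"]
}
# To check control group request status
path "sys/control-group/request" {
capabilities = ["create", "update"]
}
EOF

####### marker #######
# Sentinel EGP on kv/*: an authorization from the requesting entity itself does
# not count, so nobody can approve their own request.
vault write sys/policies/egp/cgroup enforcement_level=hard-mandatory paths="kv/*" policy=- <<'EOF'
import "controlgroup"
# https://www.vaultproject.io/docs/enterprise/sentinel/properties.html#control-group-properties
control_group = func() {
for controlgroup.authorizations as authz {
if authz.entity.id == identity.entity.id {
return false
}
}
return true
}
main = rule {
control_group()
}
EOF

vault auth enable userpass
userpassAccessor=$(vault auth list -format=json | jq -r '.["userpass/"].accessor')

# Demo users; passwords equal the usernames on purpose (local, ephemeral server).
vault write auth/userpass/users/reader password="reader" policies="admin-reader"
readerToken=$(vault write -format json auth/userpass/login/reader password=reader | jq -r '.auth.client_token')
vault write auth/userpass/users/writer password="writer" policies="admin-writer"
writerToken=$(vault write -format json auth/userpass/login/writer password=writer | jq -r '.auth.client_token')
# NOTE(review): no policy named "approver" is written by this script (the group
# policy is "approvers-policy"), and this user is not a member of the "approver"
# group, so its reads of kv/secret still go through the control group — confirm
# that is the intended demo flow.
vault write auth/userpass/users/everything password="everything" policies="admin-writer, admin-reader, approver"
everythingToken=$(vault write -format json auth/userpass/login/everything password=everything | jq -r '.auth.client_token')

# The approver gets an identity entity, an alias onto the userpass mount, and
# membership of the "approver" group that the control group factor names.
vault write auth/userpass/users/approver password="approver"
approverEntityID=$(vault write -format=json identity/entity name="approver" policies="default" | jq -r '.data.id')
vault write identity/entity-alias name="approver" canonical_id="$approverEntityID" mount_accessor="$userpassAccessor"
vault write identity/group name="approver" policies="approvers-policy" member_entity_ids="$approverEntityID"
approverToken=$(vault write -format json auth/userpass/login/approver password=approver | jq -r '.auth.client_token')

vault secrets enable kv
VAULT_TOKEN="$everythingToken" vault kv put kv/secret surprise="corona is a really bad virus"

# The read is intercepted by the control group: the response is a wrapped
# request, not the secret. The approver authorizes it by accessor, then the
# original requester unwraps the token to obtain the secret.
wrappedResponse=$(VAULT_TOKEN="$everythingToken" vault kv get -format json kv/secret)
wrappingAccessor=$(jq -r '.wrap_info.accessor' <<<"$wrappedResponse")
wrappingToken=$(jq -r '.wrap_info.token' <<<"$wrappedResponse")
VAULT_TOKEN="$approverToken" vault write sys/control-group/authorize accessor="$wrappingAccessor"
VAULT_TOKEN="$everythingToken" vault unwrap "$wrappingToken"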