diff --git a/Dockerfile b/Dockerfile index 02bf639..d182bdb 100644 --- a/Dockerfile +++ b/Dockerfile @@ -9,6 +9,7 @@ # -e VAULT_ADDR="$VAULT_ADDR" \ # -e GOSTINT_DBAUTH_TOKEN="$token" \ # -e GOSTINT_ROLEID="$roleid" \ +# -e GOSTINT_ROLENAME="gostint-role" \ # -e GOSTINT_DBURL="dbhost:27017" # gostint # diff --git a/jobqueues/jobqueues.go b/jobqueues/jobqueues.go index 64b888c..0f5d620 100644 --- a/jobqueues/jobqueues.go +++ b/jobqueues/jobqueues.go @@ -51,13 +51,18 @@ const gostintGID = 2001 var debug = Debug("jobqueues") +type AppRole struct { + ID string + Name string +} + type PulledImage struct { When time.Time } type JobQueues struct { Db *mgo.Database - AppRoleID string + AppRole *AppRole NodeUUID string PulledImages map[string]PulledImage } @@ -109,9 +114,9 @@ func (job *Job) String() string { } // Init Initialises the job queues loop -func Init(db *mgo.Database, appRoleID string, nodeUUID string) { +func Init(db *mgo.Database, appRole *AppRole, nodeUUID string) { jobQueues.Db = db - jobQueues.AppRoleID = appRoleID + jobQueues.AppRole = appRole jobQueues.PulledImages = make(map[string]PulledImage) jobQueues.NodeUUID = nodeUUID // start go routine to loop on the queues collection for new work @@ -246,7 +251,7 @@ func (job *Job) runRequest() { return } - token, vclient, err := approle.Authenticate(jobQueues.AppRoleID, job.WrapSecretID) + token, vclient, err := approle.Authenticate(jobQueues.AppRole.ID, job.WrapSecretID) if err != nil { job.UpdateJob(bson.M{ "status": "notauthorised", @@ -268,9 +273,12 @@ func (job *Job) runRequest() { }() // Decrypt the payload and merge into jobRequest - resp, err := vclient.Logical().Write("transit/decrypt/gostint", map[string]interface{}{ - "ciphertext": job.Payload, - }) + resp, err := vclient.Logical().Write( + fmt.Sprintf("transit/decrypt/%s", jobQueues.AppRole.Name), + map[string]interface{}{ + "ciphertext": job.Payload, + }, + ) if err != nil { job.UpdateJob(bson.M{ "status": "failed", 
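Review bot: `AppRole` is a new exported type with no doc comment, and neither `ID` nor `Name` says what it holds. Suggest `// AppRole identifies the Vault AppRole a gostint node authenticates with; ID is its role_id and Name is the role name, which this package also uses as the transit key name.` above the struct, since the later hunks pass `ID` to approle.Authenticate and build the `transit/decrypt/` path from `Name`.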
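Review bot: `Init` stores `appRole` without checking it, and the `@@ -246` hunk dereferences `jobQueues.AppRole.ID` inside `runRequest`, so a nil pointer (or an empty ID) surfaces as a panic in the queue goroutine on the first job rather than as a configuration error at startup. A guard at the top of Init such as `if appRole == nil || appRole.ID == "" || appRole.Name == "" { panic("jobqueues.Init: AppRole with non-empty ID and Name required") }` — or whatever fatal-logging this package already uses, which the hunk doesn't show — keeps the failure at setup time. The doc comment on Init should also state that the pointer is retained for the lifetime of the queue loop.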
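Review bot: The decrypt path is now `fmt.Sprintf("transit/decrypt/%s", jobQueues.AppRole.Name)`, so when `GOSTINT_ROLENAME` is unset the request goes to `transit/decrypt/` instead of the previous `transit/decrypt/gostint`; an existing deployment that does not add the new variable will mark every job `failed` with a Vault error rather than reporting the missing setting. Validate `Name` in Init or default it where main.go reads the environment. As the value is fixed per deployment, `"transit/decrypt/"+jobQueues.AppRole.Name` does the same job without needing `fmt`, which this hunk does not show being imported in jobqueues.go. runRequest starts and ends outside the hunk.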
diff --git a/main.go b/main.go index 822b9b8..66b1eb9 100644 --- a/main.go +++ b/main.go @@ -205,13 +205,17 @@ func main() { // init ping and clean nodeUUID := pingclean.Init(gostintDb) - appRoleID = os.Getenv("GOSTINT_ROLEID") + appRole := jobqueues.AppRole{ + ID: os.Getenv("GOSTINT_ROLEID"), + Name: os.Getenv("GOSTINT_ROLENAME"), + } + // appRoleID = os.Getenv("GOSTINT_ROLEID") // Create RESTful routes router := Routes() // Start job queues - jobqueues.Init(gostintDb, appRoleID, nodeUUID) + jobqueues.Init(gostintDb, &appRole, nodeUUID) // TODO: make non TLS an option from command line parameters // log.Fatal(http.ListenAndServe(":3232", router)) diff --git a/scripts/init_vault.sh b/scripts/init_vault.sh index 738b70f..641a606 100755 --- a/scripts/init_vault.sh +++ b/scripts/init_vault.sh @@ -2,6 +2,8 @@ VAULTVER=0.11.0 +GOSTINT_ROLENAME="gostint-role" + # Install and start Vault server in dev mode wget -qO /tmp/vault.zip https://releases.hashicorp.com/vault/${VAULTVER}/vault_${VAULTVER}_linux_amd64.zip && \ ( cd /usr/local/bin && unzip /tmp/vault.zip ) @@ -58,7 +60,7 @@ echo '=== Enable transit plugin ===============================' vault secrets enable transit echo '=== Create gostint instance transit keyring ==============' -vault write -f transit/keys/gostint +vault write -f transit/keys/$GOSTINT_ROLENAME # Enable Vault AppRole echo '=== enable AppRole auth =================================' 
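Review bot: `appRole` is filled from `os.Getenv` with no check that either variable is set, and the commented-out `// appRoleID = os.Getenv("GOSTINT_ROLEID")` is dead code that should go (together with the package-level `appRoleID`, if nothing else still reads it — not visible here). Because jobqueues now derives the transit key path from `Name`, an unset `GOSTINT_ROLENAME` silently changes which Vault path the node uses; fail fast with `if appRole.ID == "" || appRole.Name == "" { log.Fatal("GOSTINT_ROLEID and GOSTINT_ROLENAME must be set") }` before `jobqueues.Init` (the file appears to already use log.Fatal, judging by the commented ListenAndServe line). main's body continues outside the hunk.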
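Review bot: `GOSTINT_ROLENAME="gostint-role"` unconditionally overwrites any value the operator exported, even though the Dockerfile comment and main.go treat the variable as configuration. `GOSTINT_ROLENAME="${GOSTINT_ROLENAME:-gostint-role}"` keeps the default while honouring an override, so the role, transit key and policy this script creates match whatever the daemon is later started with.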
@@ -84,12 +86,12 @@ echo '=== Create policy to access transit decrypt gostint for gostint-role ===== curl -s \ --request POST \ --header 'X-Vault-Token: root' \ - --data '{"policy": "path \"transit/decrypt/gostint\" {\n capabilities = [\"update\"]\n}"}' \ + --data '{"policy": "path \"transit/decrypt/'$GOSTINT_ROLENAME'\" {\n capabilities = [\"update\"]\n}"}' \ ${VAULT_ADDR}/v1/sys/policy/gostint-approle-transit-decrypt-gostint # Create named role for gostint echo '=== Create approle role for gostint ======================' -vault write auth/approle/role/gostint-role \ +vault write auth/approle/role/$GOSTINT_ROLENAME \ secret_id_ttl=24h \ secret_id_num_uses=10000 \ token_num_uses=10 \ @@ -98,5 +100,5 @@ vault write auth/approle/role/gostint-role \ policies="gostint-approle-secret-v1,gostint-approle-kv-v2,gostint-approle-transit-decrypt-gostint" # Get RoleID for gostint -export GOSTINT_ROLEID=`vault read -format=yaml -field=data auth/approle/role/gostint-role/role-id | awk '{print $2;}'` -echo "export GOSTINT_ROLEID=$GOSTINT_ROLEID" | tee -a .bashrc +export GOSTINT_ROLEID=`vault read -format=yaml -field=data auth/approle/role/$GOSTINT_ROLENAME/role-id | awk '{print $2;}'` +echo -e "export GOSTINT_ROLEID=$GOSTINT_ROLEID\nexport GOSTINT_ROLENAME=$GOSTINT_ROLENAME" | tee -a .bashrc diff --git a/tests/bats/0100_job1_busybox.sh b/tests/bats/0100_job1_busybox.sh index 2f89538..a8cbf88 100755 --- a/tests/bats/0100_job1_busybox.sh +++ b/tests/bats/0100_job1_busybox.sh @@ -7,7 +7,7 @@ echo "$TOKEN" > $BATS_TMPDIR/token # Get secretId for the approle - WRAPSECRETID=$(vault write -wrap-ttl=144h -f auth/approle/role/gostint-role/secret-id -format=json | jq .wrap_info.token -r) + WRAPSECRETID=$(vault write -wrap-ttl=144h -f auth/approle/role/$GOSTINT_ROLENAME/secret-id -format=json | jq .wrap_info.token -r) echo "WRAPSECRETID: $WRAPSECRETID" >&2 # echo "$WRAPSECRETID" > $BATS_TMPDIR/wrapsecretid 
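Review bot: The role name is spliced into the policy JSON by closing the single-quoted string (`'$GOSTINT_ROLENAME'`), so it is neither shell-quoted nor JSON-escaped; with the literal assigned at the top of the script that is harmless, but once the name is configurable a value containing `"`, `\` or whitespace silently alters the policy document, i.e. the path Vault grants `update` on. Building the body with `jq -n --arg r "$GOSTINT_ROLENAME" '{policy: ("path \"transit/decrypt/" + $r + "\" {\n capabilities = [\"update\"]\n}")}'` (jq is already used by the bats scripts) keeps it well-formed, and `vault write auth/approle/role/"$GOSTINT_ROLENAME"` should be quoted for the same reason.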
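Review bot: `echo -e` is a bashism whose output depends on the shell and its `xpg_echo` setting (under a plain `sh` the `-e` can be printed literally), and the hunk does not show the script's shebang. `printf 'export GOSTINT_ROLEID=%s\nexport GOSTINT_ROLENAME=%s\n' "$GOSTINT_ROLEID" "$GOSTINT_ROLENAME" | tee -a .bashrc` is portable and keeps both values as single arguments.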
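Review bot: The test now depends on `$GOSTINT_ROLENAME` being exported, but unlike init_vault.sh it sets no default, so when the variable is absent the command becomes `vault write ... auth/approle/role//secret-id` and the `@@ -18` hunk likewise targets `transit/encrypt/`; the failure then reads as a Vault error rather than a missing setting. A line near the top of each script, `: "${GOSTINT_ROLENAME:?GOSTINT_ROLENAME must be set}"` (or `GOSTINT_ROLENAME="${GOSTINT_ROLENAME:-gostint-role}"` to mirror init_vault.sh), makes the dependency explicit. The same applies to the matching hunks in 0110, 0120, 0130, 0140, 0150, 0160, 0170 and 0180.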
@@ -18,7 +18,7 @@ # encrypt job payload using vault transit secret engine B64=$(base64 < ../job1.json) - E=$(vault write transit/encrypt/gostint plaintext="$B64" -format=json | jq .data.ciphertext -r) + E=$(vault write transit/encrypt/$GOSTINT_ROLENAME plaintext="$B64" -format=json | jq .data.ciphertext -r) echo "E: $E" # Put encrypted payload in a cubbyhole of an ephemeral token diff --git a/tests/bats/0110_job2_ansible_ping.sh b/tests/bats/0110_job2_ansible_ping.sh index 048b805..80b5a0b 100755 --- a/tests/bats/0110_job2_ansible_ping.sh +++ b/tests/bats/0110_job2_ansible_ping.sh @@ -7,7 +7,7 @@ echo "$TOKEN" > $BATS_TMPDIR/token # Get secretId for the approle - WRAPSECRETID=$(vault write -wrap-ttl=144h -f auth/approle/role/gostint-role/secret-id -format=json | jq .wrap_info.token -r) + WRAPSECRETID=$(vault write -wrap-ttl=144h -f auth/approle/role/$GOSTINT_ROLENAME/secret-id -format=json | jq .wrap_info.token -r) echo "WRAPSECRETID: $WRAPSECRETID" >&2 # echo "$WRAPSECRETID" > $BATS_TMPDIR/wrapsecretid @@ -17,7 +17,7 @@ # encrypt job payload using vault transit secret engine B64=$(base64 < ../job2_ansible.json) - E=$(vault write transit/encrypt/gostint plaintext="$B64" -format=json | jq .data.ciphertext -r) + E=$(vault write transit/encrypt/$GOSTINT_ROLENAME plaintext="$B64" -format=json | jq .data.ciphertext -r) echo "E: $E" # Put encrypted payload in a cubbyhole of an ephemeral token diff --git a/tests/bats/0120_job3_shell_secrets.sh b/tests/bats/0120_job3_shell_secrets.sh index bab457d..e117e90 100755 --- a/tests/bats/0120_job3_shell_secrets.sh +++ b/tests/bats/0120_job3_shell_secrets.sh 
@@ -7,7 +7,7 @@ echo "$TOKEN" > $BATS_TMPDIR/token # Get secretId for the approle - WRAPSECRETID=$(vault write -wrap-ttl=144h -f auth/approle/role/gostint-role/secret-id -format=json | jq .wrap_info.token -r) + WRAPSECRETID=$(vault write -wrap-ttl=144h -f auth/approle/role/$GOSTINT_ROLENAME/secret-id -format=json | jq .wrap_info.token -r) echo "WRAPSECRETID: $WRAPSECRETID" >&2 # cat ../job3_shell_content.json | jq ".wrap_secret_id=\"$WRAPSECRETID\"" > $BATS_TMPDIR/job.json @@ -16,7 +16,7 @@ # encrypt job payload using vault transit secret engine B64=$(base64 < ../job3_shell_content.json) - E=$(vault write transit/encrypt/gostint plaintext="$B64" -format=json | jq .data.ciphertext -r) + E=$(vault write transit/encrypt/$GOSTINT_ROLENAME plaintext="$B64" -format=json | jq .data.ciphertext -r) echo "E: $E" # Put encrypted payload in a cubbyhole of an ephemeral token diff --git a/tests/bats/0130_job4_long_sleep_kill.sh b/tests/bats/0130_job4_long_sleep_kill.sh index dd199fe..eb1c98a 100755 --- a/tests/bats/0130_job4_long_sleep_kill.sh +++ b/tests/bats/0130_job4_long_sleep_kill.sh @@ -7,7 +7,7 @@ echo "$TOKEN" > $BATS_TMPDIR/token # Get secretId for the approle - WRAPSECRETID=$(vault write -wrap-ttl=144h -f auth/approle/role/gostint-role/secret-id -format=json | jq .wrap_info.token -r) + WRAPSECRETID=$(vault write -wrap-ttl=144h -f auth/approle/role/$GOSTINT_ROLENAME/secret-id -format=json | jq .wrap_info.token -r) echo "WRAPSECRETID: $WRAPSECRETID" >&2 # cat ../job4_sleep.json | jq ".wrap_secret_id=\"$WRAPSECRETID\"" > $BATS_TMPDIR/job.json @@ -16,7 +16,7 @@ # encrypt job payload using vault transit secret engine B64=$(base64 < ../job4_sleep.json) - E=$(vault write transit/encrypt/gostint plaintext="$B64" -format=json | jq .data.ciphertext -r) + E=$(vault write transit/encrypt/$GOSTINT_ROLENAME plaintext="$B64" -format=json | jq .data.ciphertext -r) echo "E: $E" # Put encrypted payload in a cubbyhole of an ephemeral token 
diff --git a/tests/bats/0140_job5_terraform_hello.sh b/tests/bats/0140_job5_terraform_hello.sh index 79831fb..d188b06 100755 --- a/tests/bats/0140_job5_terraform_hello.sh +++ b/tests/bats/0140_job5_terraform_hello.sh @@ -13,7 +13,7 @@ echo "$TOKEN" > $BATS_TMPDIR/token # Get secretId for the approle - WRAPSECRETID=$(vault write -wrap-ttl=144h -f auth/approle/role/gostint-role/secret-id -format=json | jq .wrap_info.token -r) + WRAPSECRETID=$(vault write -wrap-ttl=144h -f auth/approle/role/$GOSTINT_ROLENAME/secret-id -format=json | jq .wrap_info.token -r) echo "WRAPSECRETID: $WRAPSECRETID" >&2 # cat ../job5_terraform.json | jq ".wrap_secret_id=\"$WRAPSECRETID\"" > $BATS_TMPDIR/job.json @@ -22,7 +22,7 @@ # encrypt job payload using vault transit secret engine B64=$(base64 < ../job5_terraform.json) - E=$(vault write transit/encrypt/gostint plaintext="$B64" -format=json | jq .data.ciphertext -r) + E=$(vault write transit/encrypt/$GOSTINT_ROLENAME plaintext="$B64" -format=json | jq .data.ciphertext -r) echo "E: $E" # Put encrypted payload in a cubbyhole of an ephemeral token diff --git a/tests/bats/0150_job6_ansible_play.sh b/tests/bats/0150_job6_ansible_play.sh index cf08664..f65d111 100755 --- a/tests/bats/0150_job6_ansible_play.sh +++ b/tests/bats/0150_job6_ansible_play.sh @@ -11,7 +11,7 @@ echo "$TOKEN" > $BATS_TMPDIR/token # Get secretId for the approle - WRAPSECRETID=$(vault write -wrap-ttl=144h -f auth/approle/role/gostint-role/secret-id -format=json | jq .wrap_info.token -r) + WRAPSECRETID=$(vault write -wrap-ttl=144h -f auth/approle/role/$GOSTINT_ROLENAME/secret-id -format=json | jq .wrap_info.token -r) echo "WRAPSECRETID: $WRAPSECRETID" >&2 # cat ../job6_ansible_play.json | jq ".wrap_secret_id=\"$WRAPSECRETID\"" > $BATS_TMPDIR/job.json 
@@ -20,7 +20,7 @@ # encrypt job payload using vault transit secret engine B64=$(base64 < ../job6_ansible_play.json) - E=$(vault write transit/encrypt/gostint plaintext="$B64" -format=json | jq .data.ciphertext -r) + E=$(vault write transit/encrypt/$GOSTINT_ROLENAME plaintext="$B64" -format=json | jq .data.ciphertext -r) echo "E: $E" # Put encrypted payload in a cubbyhole of an ephemeral token diff --git a/tests/bats/0160_job7_powershell.sh b/tests/bats/0160_job7_powershell.sh index 3cf68c9..c7d3eae 100755 --- a/tests/bats/0160_job7_powershell.sh +++ b/tests/bats/0160_job7_powershell.sh @@ -7,7 +7,7 @@ echo "$TOKEN" > $BATS_TMPDIR/token # Get secretId for the approle - WRAPSECRETID=$(vault write -wrap-ttl=144h -f auth/approle/role/gostint-role/secret-id -format=json | jq .wrap_info.token -r) + WRAPSECRETID=$(vault write -wrap-ttl=144h -f auth/approle/role/$GOSTINT_ROLENAME/secret-id -format=json | jq .wrap_info.token -r) echo "WRAPSECRETID: $WRAPSECRETID" >&2 # cat ../job7_powershell.json | jq ".wrap_secret_id=\"$WRAPSECRETID\"" > $BATS_TMPDIR/job.json @@ -16,7 +16,7 @@ # encrypt job payload using vault transit secret engine B64=$(base64 < ../job7_powershell.json) - E=$(vault write transit/encrypt/gostint plaintext="$B64" -format=json | jq .data.ciphertext -r) + E=$(vault write transit/encrypt/$GOSTINT_ROLENAME plaintext="$B64" -format=json | jq .data.ciphertext -r) echo "E: $E" # Put encrypted payload in a cubbyhole of an ephemeral token diff --git a/tests/bats/0170_job8_kubectl.sh b/tests/bats/0170_job8_kubectl.sh index 8dbca8a..2e715ba 100755 --- a/tests/bats/0170_job8_kubectl.sh +++ b/tests/bats/0170_job8_kubectl.sh 
@@ -7,7 +7,7 @@ echo "$TOKEN" > $BATS_TMPDIR/token # Get secretId for the approle - WRAPSECRETID=$(vault write -wrap-ttl=144h -f auth/approle/role/gostint-role/secret-id -format=json | jq .wrap_info.token -r) + WRAPSECRETID=$(vault write -wrap-ttl=144h -f auth/approle/role/$GOSTINT_ROLENAME/secret-id -format=json | jq .wrap_info.token -r) echo "WRAPSECRETID: $WRAPSECRETID" >&2 # cat ../job8_kubectl.json | jq ".wrap_secret_id=\"$WRAPSECRETID\"" > $BATS_TMPDIR/job.json @@ -16,7 +16,7 @@ # encrypt job payload using vault transit secret engine B64=$(base64 < ../job8_kubectl.json) - E=$(vault write transit/encrypt/gostint plaintext="$B64" -format=json | jq .data.ciphertext -r) + E=$(vault write transit/encrypt/$GOSTINT_ROLENAME plaintext="$B64" -format=json | jq .data.ciphertext -r) echo "E: $E" # Put encrypted payload in a cubbyhole of an ephemeral token diff --git a/tests/bats/0180_job9_kubectl_helm.sh b/tests/bats/0180_job9_kubectl_helm.sh index 2f7c4ae..2eeaad0 100755 --- a/tests/bats/0180_job9_kubectl_helm.sh +++ b/tests/bats/0180_job9_kubectl_helm.sh @@ -7,7 +7,7 @@ echo "$TOKEN" > $BATS_TMPDIR/token # Get secretId for the approle - WRAPSECRETID=$(vault write -wrap-ttl=144h -f auth/approle/role/gostint-role/secret-id -format=json | jq .wrap_info.token -r) + WRAPSECRETID=$(vault write -wrap-ttl=144h -f auth/approle/role/$GOSTINT_ROLENAME/secret-id -format=json | jq .wrap_info.token -r) echo "WRAPSECRETID: $WRAPSECRETID" >&2 # cat ../job9_kubectl_helm.json | jq ".wrap_secret_id=\"$WRAPSECRETID\"" > $BATS_TMPDIR/job.json @@ -16,7 +16,7 @@ # encrypt job payload using vault transit secret engine B64=$(base64 < ../job9_kubectl_helm.json) - E=$(vault write transit/encrypt/gostint plaintext="$B64" -format=json | jq .data.ciphertext -r) + E=$(vault write transit/encrypt/$GOSTINT_ROLENAME plaintext="$B64" -format=json | jq .data.ciphertext -r) echo "E: $E" # Put encrypted payload in a cubbyhole of an ephemeral token