use approle name in vault paths.

goethite · Sep 7, 2018 · c110ffd · c110ffd
1 parent a4316d1
commit c110ffd
Show file tree

Hide file tree

Showing 13 changed files with 47 additions and 32 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -9,6 +9,7 @@
 #     -e VAULT_ADDR="$VAULT_ADDR" \
 #     -e GOSTINT_DBAUTH_TOKEN="$token" \
 #     -e GOSTINT_ROLEID="$roleid" \
+#     -e GOSTINT_ROLENAME="gostint-role" \
 #     -e GOSTINT_DBURL="dbhost:27017"
 #     gostint
 #

diff --git a/jobqueues/jobqueues.go b/jobqueues/jobqueues.go
@@ -51,13 +51,18 @@ const gostintGID = 2001
 
 var debug = Debug("jobqueues")
 
+type AppRole struct {
+	ID   string
+	Name string
+}
+
 type PulledImage struct {
 	When time.Time
 }
 
 type JobQueues struct {
 	Db           *mgo.Database
-	AppRoleID    string
+	AppRole      *AppRole
 	NodeUUID     string
 	PulledImages map[string]PulledImage
 }
@@ -109,9 +114,9 @@ func (job *Job) String() string {
 }
 
 // Init Initialises the job queues loop
-func Init(db *mgo.Database, appRoleID string, nodeUUID string) {
+func Init(db *mgo.Database, appRole *AppRole, nodeUUID string) {
 	jobQueues.Db = db
-	jobQueues.AppRoleID = appRoleID
+	jobQueues.AppRole = appRole
 	jobQueues.PulledImages = make(map[string]PulledImage)
 	jobQueues.NodeUUID = nodeUUID
 	// start go routine to loop on the queues collection for new work
@@ -246,7 +251,7 @@ func (job *Job) runRequest() {
 		return
 	}
 
-	token, vclient, err := approle.Authenticate(jobQueues.AppRoleID, job.WrapSecretID)
+	token, vclient, err := approle.Authenticate(jobQueues.AppRole.ID, job.WrapSecretID)
 	if err != nil {
 		job.UpdateJob(bson.M{
 			"status": "notauthorised",
@@ -268,9 +273,12 @@ func (job *Job) runRequest() {
 	}()
 
 	// Decrypt the payload and merge into jobRequest
-	resp, err := vclient.Logical().Write("transit/decrypt/gostint", map[string]interface{}{
-		"ciphertext": job.Payload,
-	})
+	resp, err := vclient.Logical().Write(
+		fmt.Sprintf("transit/decrypt/%s", jobQueues.AppRole.Name),
+		map[string]interface{}{
+			"ciphertext": job.Payload,
+		},
+	)
 	if err != nil {
 		job.UpdateJob(bson.M{
 			"status": "failed",

diff --git a/main.go b/main.go
@@ -205,13 +205,17 @@ func main() {
 	// init ping and clean
 	nodeUUID := pingclean.Init(gostintDb)
 
-	appRoleID = os.Getenv("GOSTINT_ROLEID")
+	appRole := jobqueues.AppRole{
+		ID:   os.Getenv("GOSTINT_ROLEID"),
+		Name: os.Getenv("GOSTINT_ROLENAME"),
+	}
+	// appRoleID = os.Getenv("GOSTINT_ROLEID")
 
 	// Create RESTful routes
 	router := Routes()
 
 	// Start job queues
-	jobqueues.Init(gostintDb, appRoleID, nodeUUID)
+	jobqueues.Init(gostintDb, &appRole, nodeUUID)
 
 	// TODO: make non TLS an option from command line parameters
 	// log.Fatal(http.ListenAndServe(":3232", router))

diff --git a/scripts/init_vault.sh b/scripts/init_vault.sh
@@ -2,6 +2,8 @@
 
 VAULTVER=0.11.0
 
+GOSTINT_ROLENAME="gostint-role"
+
 # Install and start Vault server in dev mode
 wget -qO /tmp/vault.zip https://releases.hashicorp.com/vault/${VAULTVER}/vault_${VAULTVER}_linux_amd64.zip && \
    ( cd /usr/local/bin && unzip /tmp/vault.zip )
@@ -58,7 +60,7 @@ echo '=== Enable transit plugin ==============================='
 vault secrets enable transit
 
 echo '=== Create gostint instance transit keyring =============='
-vault write -f transit/keys/gostint
+vault write -f transit/keys/$GOSTINT_ROLENAME
 
 # Enable Vault AppRole
 echo '=== enable AppRole auth ================================='
@@ -84,12 +86,12 @@ echo '=== Create policy to access transit decrypt gostint for gostint-role =====
 curl -s \
   --request POST \
   --header 'X-Vault-Token: root' \
-  --data '{"policy": "path \"transit/decrypt/gostint\" {\n  capabilities = [\"update\"]\n}"}' \
+  --data '{"policy": "path \"transit/decrypt/'$GOSTINT_ROLENAME'\" {\n  capabilities = [\"update\"]\n}"}' \
   ${VAULT_ADDR}/v1/sys/policy/gostint-approle-transit-decrypt-gostint
 
 # Create named role for gostint
 echo '=== Create approle role for gostint ======================'
-vault write auth/approle/role/gostint-role \
+vault write auth/approle/role/$GOSTINT_ROLENAME \
   secret_id_ttl=24h \
   secret_id_num_uses=10000 \
   token_num_uses=10 \
@@ -98,5 +100,5 @@ vault write auth/approle/role/gostint-role \
   policies="gostint-approle-secret-v1,gostint-approle-kv-v2,gostint-approle-transit-decrypt-gostint"
 
 # Get RoleID for gostint
-export GOSTINT_ROLEID=`vault read -format=yaml -field=data auth/approle/role/gostint-role/role-id | awk '{print $2;}'`
-echo "export GOSTINT_ROLEID=$GOSTINT_ROLEID" | tee -a .bashrc
+export GOSTINT_ROLEID=`vault read -format=yaml -field=data auth/approle/role/$GOSTINT_ROLENAME/role-id | awk '{print $2;}'`
+echo -e "export GOSTINT_ROLEID=$GOSTINT_ROLEID\nexport GOSTINT_ROLENAME=$GOSTINT_ROLENAME" | tee -a .bashrc
diff --git a/tests/bats/0100_job1_busybox.sh b/tests/bats/0100_job1_busybox.sh
@@ -7,7 +7,7 @@
   echo "$TOKEN" > $BATS_TMPDIR/token
 
   # Get secretId for the approle
-  WRAPSECRETID=$(vault write -wrap-ttl=144h -f auth/approle/role/gostint-role/secret-id -format=json | jq .wrap_info.token -r)
+  WRAPSECRETID=$(vault write -wrap-ttl=144h -f auth/approle/role/$GOSTINT_ROLENAME/secret-id -format=json | jq .wrap_info.token -r)
   echo "WRAPSECRETID: $WRAPSECRETID" >&2
   # echo "$WRAPSECRETID" > $BATS_TMPDIR/wrapsecretid
 
@@ -18,7 +18,7 @@
 
   # encrypt job payload using vault transit secret engine
   B64=$(base64 < ../job1.json)
-  E=$(vault write transit/encrypt/gostint plaintext="$B64" -format=json | jq .data.ciphertext -r)
+  E=$(vault write transit/encrypt/$GOSTINT_ROLENAME plaintext="$B64" -format=json | jq .data.ciphertext -r)
   echo "E: $E"
 
   # Put encrypted payload in a cubbyhole of an ephemeral token

diff --git a/tests/bats/0110_job2_ansible_ping.sh b/tests/bats/0110_job2_ansible_ping.sh
@@ -7,7 +7,7 @@
   echo "$TOKEN" > $BATS_TMPDIR/token
 
   # Get secretId for the approle
-  WRAPSECRETID=$(vault write -wrap-ttl=144h -f auth/approle/role/gostint-role/secret-id -format=json | jq .wrap_info.token -r)
+  WRAPSECRETID=$(vault write -wrap-ttl=144h -f auth/approle/role/$GOSTINT_ROLENAME/secret-id -format=json | jq .wrap_info.token -r)
   echo "WRAPSECRETID: $WRAPSECRETID" >&2
   # echo "$WRAPSECRETID" > $BATS_TMPDIR/wrapsecretid
 
@@ -17,7 +17,7 @@
 
   # encrypt job payload using vault transit secret engine
   B64=$(base64 < ../job2_ansible.json)
-  E=$(vault write transit/encrypt/gostint plaintext="$B64" -format=json | jq .data.ciphertext -r)
+  E=$(vault write transit/encrypt/$GOSTINT_ROLENAME plaintext="$B64" -format=json | jq .data.ciphertext -r)
   echo "E: $E"
 
   # Put encrypted payload in a cubbyhole of an ephemeral token

diff --git a/tests/bats/0120_job3_shell_secrets.sh b/tests/bats/0120_job3_shell_secrets.sh
@@ -7,7 +7,7 @@
   echo "$TOKEN" > $BATS_TMPDIR/token
 
   # Get secretId for the approle
-  WRAPSECRETID=$(vault write -wrap-ttl=144h -f auth/approle/role/gostint-role/secret-id -format=json | jq .wrap_info.token -r)
+  WRAPSECRETID=$(vault write -wrap-ttl=144h -f auth/approle/role/$GOSTINT_ROLENAME/secret-id -format=json | jq .wrap_info.token -r)
   echo "WRAPSECRETID: $WRAPSECRETID" >&2
 
   # cat ../job3_shell_content.json | jq ".wrap_secret_id=\"$WRAPSECRETID\"" > $BATS_TMPDIR/job.json
@@ -16,7 +16,7 @@
 
   # encrypt job payload using vault transit secret engine
   B64=$(base64 < ../job3_shell_content.json)
-  E=$(vault write transit/encrypt/gostint plaintext="$B64" -format=json | jq .data.ciphertext -r)
+  E=$(vault write transit/encrypt/$GOSTINT_ROLENAME plaintext="$B64" -format=json | jq .data.ciphertext -r)
   echo "E: $E"
 
   # Put encrypted payload in a cubbyhole of an ephemeral token

diff --git a/tests/bats/0130_job4_long_sleep_kill.sh b/tests/bats/0130_job4_long_sleep_kill.sh
@@ -7,7 +7,7 @@
   echo "$TOKEN" > $BATS_TMPDIR/token
 
   # Get secretId for the approle
-  WRAPSECRETID=$(vault write -wrap-ttl=144h -f auth/approle/role/gostint-role/secret-id -format=json | jq .wrap_info.token -r)
+  WRAPSECRETID=$(vault write -wrap-ttl=144h -f auth/approle/role/$GOSTINT_ROLENAME/secret-id -format=json | jq .wrap_info.token -r)
   echo "WRAPSECRETID: $WRAPSECRETID" >&2
 
   # cat ../job4_sleep.json | jq ".wrap_secret_id=\"$WRAPSECRETID\"" > $BATS_TMPDIR/job.json
@@ -16,7 +16,7 @@
 
   # encrypt job payload using vault transit secret engine
   B64=$(base64 < ../job4_sleep.json)
-  E=$(vault write transit/encrypt/gostint plaintext="$B64" -format=json | jq .data.ciphertext -r)
+  E=$(vault write transit/encrypt/$GOSTINT_ROLENAME plaintext="$B64" -format=json | jq .data.ciphertext -r)
   echo "E: $E"
 
   # Put encrypted payload in a cubbyhole of an ephemeral token

diff --git a/tests/bats/0140_job5_terraform_hello.sh b/tests/bats/0140_job5_terraform_hello.sh
@@ -13,7 +13,7 @@
   echo "$TOKEN" > $BATS_TMPDIR/token
 
   # Get secretId for the approle
-  WRAPSECRETID=$(vault write -wrap-ttl=144h -f auth/approle/role/gostint-role/secret-id -format=json | jq .wrap_info.token -r)
+  WRAPSECRETID=$(vault write -wrap-ttl=144h -f auth/approle/role/$GOSTINT_ROLENAME/secret-id -format=json | jq .wrap_info.token -r)
   echo "WRAPSECRETID: $WRAPSECRETID" >&2
 
   # cat ../job5_terraform.json | jq ".wrap_secret_id=\"$WRAPSECRETID\"" > $BATS_TMPDIR/job.json
@@ -22,7 +22,7 @@
 
   # encrypt job payload using vault transit secret engine
   B64=$(base64 < ../job5_terraform.json)
-  E=$(vault write transit/encrypt/gostint plaintext="$B64" -format=json | jq .data.ciphertext -r)
+  E=$(vault write transit/encrypt/$GOSTINT_ROLENAME plaintext="$B64" -format=json | jq .data.ciphertext -r)
   echo "E: $E"
 
   # Put encrypted payload in a cubbyhole of an ephemeral token

diff --git a/tests/bats/0150_job6_ansible_play.sh b/tests/bats/0150_job6_ansible_play.sh
@@ -11,7 +11,7 @@
   echo "$TOKEN" > $BATS_TMPDIR/token
 
   # Get secretId for the approle
-  WRAPSECRETID=$(vault write -wrap-ttl=144h -f auth/approle/role/gostint-role/secret-id -format=json | jq .wrap_info.token -r)
+  WRAPSECRETID=$(vault write -wrap-ttl=144h -f auth/approle/role/$GOSTINT_ROLENAME/secret-id -format=json | jq .wrap_info.token -r)
   echo "WRAPSECRETID: $WRAPSECRETID" >&2
 
   # cat ../job6_ansible_play.json | jq ".wrap_secret_id=\"$WRAPSECRETID\"" > $BATS_TMPDIR/job.json
@@ -20,7 +20,7 @@
 
   # encrypt job payload using vault transit secret engine
   B64=$(base64 < ../job6_ansible_play.json)
-  E=$(vault write transit/encrypt/gostint plaintext="$B64" -format=json | jq .data.ciphertext -r)
+  E=$(vault write transit/encrypt/$GOSTINT_ROLENAME plaintext="$B64" -format=json | jq .data.ciphertext -r)
   echo "E: $E"
 
   # Put encrypted payload in a cubbyhole of an ephemeral token

diff --git a/tests/bats/0160_job7_powershell.sh b/tests/bats/0160_job7_powershell.sh
@@ -7,7 +7,7 @@
   echo "$TOKEN" > $BATS_TMPDIR/token
 
   # Get secretId for the approle
-  WRAPSECRETID=$(vault write -wrap-ttl=144h -f auth/approle/role/gostint-role/secret-id -format=json | jq .wrap_info.token -r)
+  WRAPSECRETID=$(vault write -wrap-ttl=144h -f auth/approle/role/$GOSTINT_ROLENAME/secret-id -format=json | jq .wrap_info.token -r)
   echo "WRAPSECRETID: $WRAPSECRETID" >&2
 
   # cat ../job7_powershell.json | jq ".wrap_secret_id=\"$WRAPSECRETID\"" > $BATS_TMPDIR/job.json
@@ -16,7 +16,7 @@
 
   # encrypt job payload using vault transit secret engine
   B64=$(base64 < ../job7_powershell.json)
-  E=$(vault write transit/encrypt/gostint plaintext="$B64" -format=json | jq .data.ciphertext -r)
+  E=$(vault write transit/encrypt/$GOSTINT_ROLENAME plaintext="$B64" -format=json | jq .data.ciphertext -r)
   echo "E: $E"
 
   # Put encrypted payload in a cubbyhole of an ephemeral token

diff --git a/tests/bats/0170_job8_kubectl.sh b/tests/bats/0170_job8_kubectl.sh
@@ -7,7 +7,7 @@
   echo "$TOKEN" > $BATS_TMPDIR/token
 
   # Get secretId for the approle
-  WRAPSECRETID=$(vault write -wrap-ttl=144h -f auth/approle/role/gostint-role/secret-id -format=json | jq .wrap_info.token -r)
+  WRAPSECRETID=$(vault write -wrap-ttl=144h -f auth/approle/role/$GOSTINT_ROLENAME/secret-id -format=json | jq .wrap_info.token -r)
   echo "WRAPSECRETID: $WRAPSECRETID" >&2
 
   # cat ../job8_kubectl.json | jq ".wrap_secret_id=\"$WRAPSECRETID\"" > $BATS_TMPDIR/job.json
@@ -16,7 +16,7 @@
 
   # encrypt job payload using vault transit secret engine
   B64=$(base64 < ../job8_kubectl.json)
-  E=$(vault write transit/encrypt/gostint plaintext="$B64" -format=json | jq .data.ciphertext -r)
+  E=$(vault write transit/encrypt/$GOSTINT_ROLENAME plaintext="$B64" -format=json | jq .data.ciphertext -r)
   echo "E: $E"
 
   # Put encrypted payload in a cubbyhole of an ephemeral token

diff --git a/tests/bats/0180_job9_kubectl_helm.sh b/tests/bats/0180_job9_kubectl_helm.sh
@@ -7,7 +7,7 @@
   echo "$TOKEN" > $BATS_TMPDIR/token
 
   # Get secretId for the approle
-  WRAPSECRETID=$(vault write -wrap-ttl=144h -f auth/approle/role/gostint-role/secret-id -format=json | jq .wrap_info.token -r)
+  WRAPSECRETID=$(vault write -wrap-ttl=144h -f auth/approle/role/$GOSTINT_ROLENAME/secret-id -format=json | jq .wrap_info.token -r)
   echo "WRAPSECRETID: $WRAPSECRETID" >&2
 
   # cat ../job9_kubectl_helm.json | jq ".wrap_secret_id=\"$WRAPSECRETID\"" > $BATS_TMPDIR/job.json
@@ -16,7 +16,7 @@
 
   # encrypt job payload using vault transit secret engine
   B64=$(base64 < ../job9_kubectl_helm.json)
-  E=$(vault write transit/encrypt/gostint plaintext="$B64" -format=json | jq .data.ciphertext -r)
+  E=$(vault write transit/encrypt/$GOSTINT_ROLENAME plaintext="$B64" -format=json | jq .data.ciphertext -r)
   echo "E: $E"
 
   # Put encrypted payload in a cubbyhole of an ephemeral token