/// <summary> /// Start The Scenario /// </summary> /// <returns></returns> public async Task Run() { // Create the mounts and policies and store in Vault await CreateBackendMounts(); await CreatePolicies(); // Mount the Secret Engine _secretEngine = (KV2SecretEngine)_masterVaultAgent.ConnectToSecretBackend(EnumSecretBackendTypes.KeyValueV2, _beKV2Name, _beKV2Name); // Mount the Authentication Engine, so roles can login _appRoleAuthEngine = (AppRoleAuthEngine)_masterVaultAgent.ConnectAuthenticationBackend(EnumBackendTypes.A_AppRole, _AppBEName, _AppBEName); // Create the roles - assigning policies to the roles roleMother = await CreateRole("roleMother", _policyHouse_Full.Name); roleFather = await CreateRole("roleFather", _policyHouse_Full.Name); roleTeenager = await CreateRole("roleTeenager", _policyTeenagerBedroom_Full.Name, _policyKitchenRefrigerator_Write.Name, _policyHouseOnly_Read.Name, _policyKitchen_Write.Name); roleToddler = await CreateRole("roleToddler", _policyToddlerBedroom_Full.Name); // Create Login SIDS for each role _sidMother = await _appRoleAuthEngine.CreateSecretID(roleMother.Name); _sidFather = await _appRoleAuthEngine.CreateSecretID(roleFather.Name); _sidTeenager = await _appRoleAuthEngine.CreateSecretID(roleTeenager.Name); _sidToddler = await _appRoleAuthEngine.CreateSecretID(roleToddler.Name); // Set the Mother role to have full access. KV2Secret a = new KV2Secret(HOUSE.HOUSE_PATH); await SaveSecret(_secretEngine, a); // It's important to note: Up to now we have been using the Master token to create objects, secret stores, policies and the initial House Secret. From here forward each // user will login and perform the actions under their user ID. await Perform_MotherTasks(); await Perform_TeenTasks(); }
/// <summary> /// We will walk thru the following sequence: /// - Create a new Vault authentication backend for App Roles /// - Create a set of policies that roles will use to restrict access /// - Create a set of roles that will be used to provide tokens to "applications" /// - Create tokens against those roles. /// - Test the access of those tokens to confirm they have the necessary permissions. /// </summary> /// <returns></returns> public async Task Run() { try { // Create the backends if they do not exist. await CreateBackendMounts(); // Create all the necessary policies. await CreatePoliciesController(); // Create the roles and assign the policies. roleMaster = await CreateRole("roleMaster", _polRoleMaster.Name); role1 = await CreateRole("role1", _polRole1.Name); role2 = await CreateRole("role2", _polRole2.Name); // roleAppA = await CreateRole("roleAppA", _polCommon.Name, _polSharedDB.Name); // roleAppB = await CreateRole("roleAppB", _polCommon.Name, _polSharedDB.Name); roleAppA = await CreateRole("roleAppA", _polRoleAppA.Name, _polSharedDB.Name); roleAppB = await CreateRole("roleAppB", _polRoleAppB.Name, _polSharedDB.Name, _polSharedEmail.Name); // Create Secret ID's for each of the Application Roles _SIDRoleMaster = await _appRoleAuthEngine.CreateSecretID(roleMaster.Name); _SIDRole1 = await _appRoleAuthEngine.CreateSecretID(role1.Name); _SIDRole2 = await _appRoleAuthEngine.CreateSecretID(role2.Name); _SIDRoleAppA = await _appRoleAuthEngine.CreateSecretID(roleAppA.Name); _SIDRoleAppB = await _appRoleAuthEngine.CreateSecretID(roleAppB.Name); // Main testing logic begins here. // For this sequence of steps we need to create a new instance of the Vault as we will be connecting via the new token. We connect to the requested backend. /* * VaultAgentAPI A_VaultAgentAPI = new VaultAgentAPI("SecretRole A",_vaultAgent.IP,_vaultAgent.Port); * AppRoleAuthEngine A_appRoleAuthEngine = (AppRoleAuthEngine) A_VaultAgentAPI.ConnectAuthenticationBackend(EnumBackendTypes.A_AppRole, _beAuthName, _beAuthName); * KV2SecretEngine A_KV2SecretEngine = * (KV2SecretEngine) A_VaultAgentAPI.ConnectToSecretBackend (EnumSecretBackendTypes.KeyValueV2, "Test KV2 Secrets", _beKV2Name); */ await PerformRoleMasterTasks(); // Role1 can create any secret/subsecret on the path1/ and appdata/ paths await PerformRole1Tasks(); // Perform RoleAppA tasks await PerformRoleATasks(); // Perform RoleAppB tasks await PerformRoleBTasks(); // Role2 can only read anything found within path1/ await PerformRole2Tasks(); return; // List current roles. Create role if does not exist. Read the role. List the roles again. /* * List<string> appRoles = await AppRole_ListRoles(); * if (!appRoles.Contains(_AppRoleName)) { * await AppRole_Create(); * } * * await ReadRole(); * * appRoles = await AppRole_ListRoles(); * * // Now get a role ID * string roleID = await _appRoleAuthEngine.ReadRoleID(_AppRoleName); * * // Now delete the app role. * bool rc = await _appRoleAuthEngine.DeleteRole(_AppRoleName); */ } catch (Exception e) { Console.WriteLine("Error: {0}", e.Message); } }
public async Task TestTemplatedPolicies() { string appBE = _uniqueKeys.GetKey("appTE"); string kv2BE = _uniqueKeys.GetKey("kv2TE"); // 1A - Setup backends needed for testing. // We need to setup a KV2 Secrets engine and also an AppRole Backend. // Create an Authentication method of App Role. - This only needs to be done when the Auth method is created. AuthMethod am = new AuthMethod(appBE, EnumAuthMethods.AppRole); await _vaultSystemBackend.AuthEnable(am); // Create a KV2 Secret Mount if it does not exist. VaultSystemBackend vaultSystemBackend = new VaultSystemBackend(_vaultAgentAPI.TokenID, _vaultAgentAPI); await vaultSystemBackend.SysMountCreate(kv2BE, "ClientTest KeyValue 2 Secrets", EnumSecretBackendTypes.KeyValueV2); // 1B. Now we can connect to the backends. VaultAgentAPI vault = await VaultServerRef.ConnectVault("PolicyBECapa"); //new VaultAgentAPI("capability", _vaultAgentAPI.IP, _vaultAgentAPI.Port, _vaultAgentAPI.TokenID); AppRoleAuthEngine authEngine = (AppRoleAuthEngine)vault.ConnectAuthenticationBackend(EnumBackendTypes.A_AppRole, appBE, appBE); KV2SecretEngine secretEngine = (KV2SecretEngine)vault.ConnectToSecretBackend(EnumSecretBackendTypes.KeyValueV2, "KV2 Secrets", kv2BE); IdentitySecretEngine idEngine = (IdentitySecretEngine)_vaultAgentAPI.ConnectToSecretBackend(EnumSecretBackendTypes.Identity); // 1C - Write out some values. TestContext.WriteLine("App Role Auth Backend: {0}", authEngine.Name); TestContext.WriteLine("KV2 Secret Backend: {0}", secretEngine.Name); // 2. Setup the policy to provide the permissions to test against. VaultPolicyContainer policyContainer = new VaultPolicyContainer("capa"); // 3. Now create an App Role & Secret ID. The app role in this case has no policies - it will get them from the Entity. string roleName = _uniqueKeys.GetKey("role"); AppRole appRole = new AppRole(roleName); appRole = await authEngine.SaveRoleAndReturnRoleObject(appRole); AppRoleSecret secretID = await authEngine.CreateSecretID(appRole.Name); // 4. Create an Entity and Entity Alias. // 4A. Get Authentication backend accessor. Dictionary <string, AuthMethod> authMethods = await vaultSystemBackend.AuthListAll(); AuthMethod authMethod = authMethods[authEngine.Name + "/"]; Assert.IsNotNull(authMethod, "B10: Expected to find the authentication backend. But did not."); string mountAccessor = authMethod.Accessor; // 4B. Create an entity for the app role. string name = _uniqueKeys.GetKey("EAR"); Entity entity = new Entity(roleName); entity.Policies.Add(policyContainer.Name); // 4C. Now save entity entity = await idEngine.SaveEntity(entity); Assert.IsNotNull(entity, "B20: Expected to receive an Entity object"); // 4D. Write out some values TestContext.WriteLine("Entity Name: {0}", entity.Name); TestContext.WriteLine("Entity ID: {0}", entity.Id); // 5. Create an alias that ties the Entity we just created to the AppRole in the authentication backend. Guid roleID = new Guid(appRole.RoleID); Guid aliasGuid = await idEngine.SaveAlias(entity.Id, mountAccessor, appRole.RoleID); Assert.AreNotEqual(aliasGuid.ToString(), Guid.Empty.ToString()); // 5B. Re-read the entity - it should now contain the alias. Entity fullEntity = await idEngine.ReadEntity(entity.Id); Assert.AreEqual(1, fullEntity.Aliases.Count, "B30: Expected the full entity to now contain the alias ID."); // 6. Now define the policy and save to Vault. policyContainer.PolicyPaths.Clear(); string appPath1 = "app/{{identity.entity.aliases." + mountAccessor + ".name}}/*"; VaultPolicyPathItem vppi1 = new VaultPolicyPathItem(kv2BE, "data/" + appPath1); VaultPolicyPathItem vppi2 = new VaultPolicyPathItem(kv2BE, "data/app/appA/subItem/*"); VaultPolicyPathItem vppi3 = new VaultPolicyPathItem(kv2BE, "data/shared/common/*"); VaultPolicyPathItem vppi4 = new VaultPolicyPathItem(kv2BE, "data/shared/info/*"); vppi1.FullControl = true; vppi2.FullControl = true; vppi3.CRUDAllowed = true; vppi4.ReadAllowed = true; policyContainer.AddPolicyPathObject(vppi1); policyContainer.AddPolicyPathObject(vppi2); policyContainer.AddPolicyPathObject(vppi3); policyContainer.AddPolicyPathObject(vppi4); await _vaultSystemBackend.SysPoliciesACLCreate(policyContainer); // 7. Now we can login to get a token.. Validate the entity policy has been set on token. Token token = await authEngine.Login(appRole.RoleID, secretID.ID); Assert.IsNotNull("B40: A valid token was not received."); CollectionAssert.Contains(token.IdentityPolicies, policyContainer.Name, "B100: Did not find the policy that should have been applied from the entity."); // 8. Now we can finally test the capabilities of that token. List <string> paths = new List <string>(); string pathBase = kv2BE + "/data/app/" + fullEntity.Aliases[0].Name + "/config"; string metaBase = kv2BE + "/metadata/app" + fullEntity.Aliases[0].Name + "/config"; string path1 = pathBase; string path2 = pathBase + "/subItem"; string path3 = kv2BE + "/data/shared/common/testEntry"; paths.Add(path1); paths.Add(path2); paths.Add(path3); Dictionary <string, List <string> > permissions; permissions = await _vaultSystemBackend.GetTokenCapabilityOnPaths(token.ID, paths); // 9. Validate the permission results. Assert.AreEqual(3, permissions.Count, "B130: Expected to receive 3 permission objects back."); Assert.AreEqual(6, permissions[path1].Count, "B140: Expected the item: " + path1 + " to contain 6 permissions."); Assert.AreEqual(6, permissions[path2].Count, "B150: Expected the item: " + path2 + " to contain 6 permissions."); Assert.AreEqual(4, permissions[path3].Count, "B160: Expected the item: " + path3 + " to contain 3 permissions."); CollectionAssert.Contains(permissions[path3], "create", "B170: Expected the permission to be create for path: " + path3); CollectionAssert.Contains(permissions[path3], "read", "B171: Expected the permission to be read for path: " + path3); CollectionAssert.Contains(permissions[path3], "update", "B172: Expected the permission to be update for path: " + path3); CollectionAssert.Contains(permissions[path3], "delete", "B173: Expected the permission to be read for path: " + path3); // 10. Try to create a secret at path 1 string secName1 = _uniqueKeys.GetKey("sec1"); KV2Secret secret1 = new KV2Secret("config", "app/" + fullEntity.Aliases[0].Name); secret1.Attributes.Add("version", "v12.2"); Assert.True(await secretEngine.SaveSecret(secret1, KV2EnumSecretSaveOptions.AlwaysAllow), "B200: Save of secret did not work. Check permissions."); // 11. Create and delete a secret at path3. KV2Secret secret2 = new KV2Secret("options", "shared/common/testEntry"); secret2.Attributes.Add("color", "blue"); secret2.Attributes.Add("size", "Large"); Assert.True(await secretEngine.SaveSecret(secret2, KV2EnumSecretSaveOptions.AlwaysAllow), "B210: Save of secret2 failed."); // Now delete it. Assert.True(await secretEngine.DeleteSecretVersion(secret2)); }
public async Task TestCapabilitiesFunctionality() { string appBE = _uniqueKeys.GetKey("appBE"); string kv2BE = _uniqueKeys.GetKey("kv2BE"); // 1 - Setup backends needed for testing. // We need to setup a KV2 Secrets engine and also an AppRole Backend. // Create an Authentication method of App Role. - This only needs to be done when the Auth method is created. AuthMethod am = new AuthMethod(appBE, EnumAuthMethods.AppRole); await _vaultSystemBackend.AuthEnable(am); // Create a KV2 Secret Mount if it does not exist. await _vaultSystemBackend.SysMountCreate(kv2BE, "ClientTest KeyValue 2 Secrets", EnumSecretBackendTypes.KeyValueV2); // Now we create secret backend VaultAgentAPI vault = await VaultServerRef.ConnectVault("PolicyBeCapa2"); AppRoleAuthEngine authEngine = (AppRoleAuthEngine)vault.ConnectAuthenticationBackend(EnumBackendTypes.A_AppRole, appBE, appBE); KV2SecretEngine secretEngine = (KV2SecretEngine)vault.ConnectToSecretBackend(EnumSecretBackendTypes.KeyValueV2, "KV2 Secrets", kv2BE); // 2. Setup the policy to provide the permissions to test against. VaultPolicyContainer policyContainer = new VaultPolicyContainer("capa"); VaultPolicyPathItem vppi1 = new VaultPolicyPathItem(kv2BE, "data/app/appA/*"); VaultPolicyPathItem vppi2 = new VaultPolicyPathItem(kv2BE + "data/app/appA/subItem/*"); VaultPolicyPathItem vppi3 = new VaultPolicyPathItem(kv2BE + "metadata/app/appA/*"); VaultPolicyPathItem vppi4 = new VaultPolicyPathItem(kv2BE + "data/shared/*"); vppi1.FullControl = true; vppi2.FullControl = true; vppi3.ReadAllowed = true; vppi4.ReadAllowed = true; policyContainer.AddPolicyPathObject(vppi1); policyContainer.AddPolicyPathObject(vppi2); policyContainer.AddPolicyPathObject(vppi3); policyContainer.AddPolicyPathObject(vppi4); await _vaultSystemBackend.SysPoliciesACLCreate(policyContainer); // 3. Now create an App Role & Secret ID string roleName = _uniqueKeys.GetKey("role"); AppRole appRole = new AppRole(roleName); appRole.Policies.Add(policyContainer.Name); appRole = await authEngine.SaveRoleAndReturnRoleObject(appRole); AppRoleSecret secretID = await authEngine.CreateSecretID(appRole.Name); // 4. Now we can create a token against that Token token = await authEngine.Login(appRole.RoleID, secretID.ID); // 5. Now we can finally test the capabilities of that token. List <string> paths = new List <string>(); string path1 = kv2BE + "/data/app/appA/subItem"; string path2 = kv2BE + "/data/app/appB/subItem"; string path3 = kv2BE + "/noaccess/app/appA"; string path4 = kv2BE + "/data/noaccess/app/appA/subItem"; paths.Add(path1); paths.Add(path2); paths.Add(path3); paths.Add(path4); Dictionary <string, List <string> > permissions; permissions = await _vaultSystemBackend.GetTokenCapabilityOnPaths(token.ID, paths); // 6. Validate the results. Assert.AreEqual(4, permissions.Count, "A10: Expected to receive 4 permission objects back."); Assert.AreEqual(6, permissions[path1].Count, "A20: Expected the item: " + path1 + " to contain 6 permissions."); Assert.AreEqual(1, permissions[path2].Count, "A30: Expected the item: " + path2 + " to contain 1 deny permission."); CollectionAssert.Contains(permissions[path2], "deny", "A35: Expected the permission to be deny for path: " + path2); Assert.AreEqual(1, permissions[path3].Count, "A40: Expected the item: " + path3 + " to contain 1 deny permission."); CollectionAssert.Contains(permissions[path3], "deny", "A35: Expected the permission to be deny for path: " + path3); Assert.AreEqual(1, permissions[path4].Count, "A40: Expected the item: " + path4 + " to contain 1 deny permission."); CollectionAssert.Contains(permissions[path4], "deny", "A35: Expected the permission to be deny for path: " + path4); }