Unblock credential broker warden-sign pilot
@@ -451,7 +451,7 @@ class BaoRunner:
"--",
"sh",
"-c",
'read -r BAO_TOKEN; export BAO_TOKEN; exec bao "$@"',
'read -r BAO_TOKEN; export BAO_TOKEN; export VAULT_TOKEN="$BAO_TOKEN"; exec bao "$@"',
"sh",
]
+ args
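Review bot: The wrapper string now exports the same secret under two names, `BAO_TOKEN` and `VAULT_TOKEN`, with no comment saying why, and the identical string is repeated in the hunks at `@@ -63`, `@@ -68` and `@@ -110`. If the mirror exists because `bao` also honours `VAULT_TOKEN` for Vault-CLI compatibility, record that next to the string, e.g. `# bao also reads VAULT_TOKEN (Vault CLI compatibility) — TODO confirm; mirrored so the stdin-fed token overrides any VAULT_TOKEN already set in the pod environment`, and hoist the string into one module-level constant so the four copies cannot drift. Feeding the token on stdin keeps it off argv, which is the right choice; exporting it twice means every process `bao` spawns inherits both variables, so that widening should be a deliberate decision rather than an unexplained one. The list and function containing this line start outside the hunk.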
@@ -63,7 +63,7 @@ class BaoRunner:
"--",
"sh",
"-c",
'read -r BAO_TOKEN; export BAO_TOKEN; exec bao "$@"',
'read -r BAO_TOKEN; export BAO_TOKEN; export VAULT_TOKEN="$BAO_TOKEN"; exec bao "$@"',
"sh",
]
+ args
@@ -7,6 +7,7 @@ import json
import shlex
import subprocess
import sys
import tempfile
from pathlib import Path
from typing import Any
@@ -68,7 +69,7 @@ class BaoRunner:
"--",
"sh",
"-c",
'read -r BAO_TOKEN; export BAO_TOKEN; exec bao "$@"',
'read -r BAO_TOKEN; export BAO_TOKEN; export VAULT_TOKEN="$BAO_TOKEN"; exec bao "$@"',
"sh",
]
+ args
@@ -110,7 +111,7 @@ def run_with_token(
"--",
"sh",
"-c",
'read -r BAO_TOKEN; export BAO_TOKEN; exec bao "$@"',
'read -r BAO_TOKEN; export BAO_TOKEN; export VAULT_TOKEN="$BAO_TOKEN"; exec bao "$@"',
"sh",
]
+ args
@@ -126,7 +127,7 @@ def read_token(
if dry_run or use_token_helper:
return None
if token_file:
path = Path(token_file)
path = Path(token_file).expanduser()
if not path.exists():
raise SystemExit(f"ERROR: OPENBAO_TOKEN_FILE does not exist: {path}")
lines = path.read_text(encoding="utf-8").splitlines()
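Review bot: `path.exists()` on the changed line is also true for a directory or a socket, and `read_text` on the following line then fails with a raw traceback instead of the clean `SystemExit`; use `if not path.is_file():` so the check matches the read that follows it. Because this file holds a credential, it is also worth at least warning when it is readable by other users, e.g. `if path.stat().st_mode & 0o077: print(f"WARNING: token file {path} is readable by group/others", file=sys.stderr)` — `sys` is imported in the hunk at `@@ -7`, which from the line-number offsets looks like the same module. read_token starts and ends outside the hunk.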
@@ -180,18 +181,21 @@ def issue_smoke_token(
) -> None:
openbao = grant["openbao"]
ttl = grant["ttl"]["default"]
policies = openbao["policies"]
result = runner.run(
[
"token",
"create",
f"-role={openbao['token_role']}",
f"-policy={policies[0]}",
f"-ttl={ttl}",
"-format=json",
],
quiet=True,
)
args = [
"token",
"create",
f"-role={openbao['token_role']}",
f"-ttl={ttl}",
"-format=json",
]
for policy in openbao["policies"]:
args.append(f"-policy={policy}")
result = runner.run(args, quiet=True, check=False)
if result.returncode != 0:
raise SystemExit(
f"ERROR: token create failed (rc={result.returncode}): "
f"{(result.stderr or result.stdout or '').strip()}"
)
try:
payload = json.loads(result.stdout)
auth = payload.get("auth") or payload.get("data") or {}
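Review bot: The new `args` build issues the smoke token with no `-policy` flag at all when `openbao["policies"]` is empty, and what bao then attaches to the token is decided by the role's configuration rather than by the grant; add a guard before the loop, `if not openbao["policies"]: raise SystemExit("ERROR: grant declares no openbao policies")`, so the smoke token can never be broader than the grant describes. The loop also re-reads `openbao["policies"]` although the context line above still binds `policies` to the same list — either iterate `policies` or drop that binding if nothing below the hunk uses it. The `for`/`append` pair reads more naturally as `args.extend(f"-policy={policy}" for policy in policies)`. issue_smoke_token starts outside the hunk.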
@@ -203,33 +207,49 @@ def issue_smoke_token(
) from exc
try:
with tempfile.TemporaryDirectory() as tmpdir:
key_path = Path(tmpdir) / "warden-sign-smoke_ed25519"
keygen = subprocess.run(
["ssh-keygen", "-q", "-t", "ed25519", "-N", "", "-f", str(key_path)],
capture_output=True,
text=True,
check=False,
)
if keygen.returncode != 0:
raise SystemExit(
"ERROR: could not generate smoke SSH key: "
f"{(keygen.stderr or keygen.stdout).strip()}"
)
public_key = key_path.with_suffix(key_path.suffix + ".pub").read_text(encoding="utf-8").strip()
positive = run_with_token(
kubectl=kubectl,
namespace=namespace,
release=release,
token=child_token,
args=["list", "ssh/roles"],
args=["write", "-field=signed_key", "ssh/sign/agt-role", f"public_key={public_key}"],
check=False,
)
if positive.returncode != 0:
if positive.returncode != 0 or not positive.stdout.strip():
raise SystemExit(
"ERROR: child token could not list ssh/roles with warden-sign policy"
"ERROR: child token could not sign with ssh/sign/agt-role: "
f"{(positive.stderr or positive.stdout).strip()}"
)
print("OK: child token can list ssh/roles")
print("OK: child token can sign with ssh/sign/agt-role")
negative = run_with_token(
kubectl=kubectl,
namespace=namespace,
release=release,
token=child_token,
args=["secrets", "list"],
args=["policy", "read", "warden-sign"],
check=False,
)
if negative.returncode == 0:
raise SystemExit("ERROR: child token unexpectedly listed secret engines")
print("OK: child token cannot list secret engines")
raise SystemExit("ERROR: child token unexpectedly read policy metadata")
print("OK: child token cannot read policy metadata")
finally:
runner.run(["token", "revoke-accessor", accessor], quiet=True)
runner.run(["write", "auth/token/revoke-accessor", f"accessor={accessor}"], quiet=True)
print("OK: smoke child token revoked by accessor")
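Review bot: The revocation in the `finally` block runs with `quiet=True` and its result is discarded, so a failed `auth/token/revoke-accessor` call is only noticed if `runner.run` raises on its own — and if it does, that exception replaces the `SystemExit` raised inside the `try`, hiding which smoke check actually failed. Since the child token carries real signing rights until it expires, capture the result with `check=False`, fail loudly on a non-zero return code, and print the OK line only once the revocation has succeeded. The positive check's `not positive.stdout.strip()` test is a sound addition, because `-field=signed_key` prints only the certificate. issue_smoke_token begins outside the hunk.
```python
    finally:
        revoke = runner.run(
            ["write", "auth/token/revoke-accessor", f"accessor={accessor}"],
            quiet=True,
            check=False,
        )
        if revoke.returncode != 0:
            raise SystemExit(
                f"ERROR: could not revoke smoke child token (rc={revoke.returncode}): "
                f"{(revoke.stderr or revoke.stdout or '').strip()}"
            )
        print("OK: smoke child token revoked by accessor")
```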
|
||||