mirror of
https://github.com/hashicorp/vault.git
synced 2025-08-06 22:57:02 +02:00
47 lines
1.3 KiB
Bash
47 lines
1.3 KiB
Bash
#!/usr/bin/env bash
|
|
# Copyright (c) HashiCorp, Inc.
|
|
# SPDX-License-Identifier: BUSL-1.1
|
|
|
|
set -e
|
|
|
|
fail() {
|
|
echo "$1" 1>&2
|
|
exit 1
|
|
}
|
|
|
|
log() {
|
|
echo "[DEBUG] $1" >&2
|
|
}
|
|
|
|
[[ -z "$VERIFY_SSH_SECRETS" ]] && fail "VERIFY_SSH_SECRETS env variable has not been set"
|
|
[[ -z "$CA_KEY_TYPE" ]] && fail "CA_KEY_TYPE env variable has not been set"
|
|
[[ -z "$VAULT_ADDR" ]] && fail "VAULT_ADDR env variable has not been set"
|
|
[[ -z "$VAULT_TOKEN" ]] && fail "VAULT_TOKEN env variable has not been set"
|
|
[[ -z "$VAULT_INSTALL_DIR" ]] && fail "VAULT_INSTALL_DIR env variable has not been set"
|
|
|
|
if [[ "$VERIFY_SSH_SECRETS" == "false" ]]; then
|
|
log "VERIFY_SSH_SECRETS is false; exiting script"
|
|
exit 0
|
|
fi
|
|
|
|
binpath=${VAULT_INSTALL_DIR}/vault
|
|
test -x "$binpath" || fail "unable to locate vault binary at $binpath"
|
|
|
|
export VAULT_FORMAT=json
|
|
|
|
# Read the SSH CA configuration from Vault
|
|
if ! ca_output=$("$binpath" read "ssh/config/ca" 2>&1); then
|
|
fail "failed to read ssh/config/ca: $ca_output"
|
|
fi
|
|
|
|
# Extract the CA public key
|
|
ca_public_key=$(jq -r '.data.public_key' <<< "$ca_output")
|
|
|
|
# Extract the first word (key type) from the public key
|
|
key_type=$(awk '{print $1}' <<< "$ca_public_key")
|
|
|
|
# Verify that the key type matches the expected key type
|
|
if [[ "$key_type" != "$CA_KEY_TYPE" ]]; then
|
|
fail "CA key type mismatch: expected $CA_KEY_TYPE, got $key_type"
|
|
fi
|