mirror of
https://github.com/hashicorp/vault.git
synced 2025-08-27 09:31:10 +02:00
3b31b3e939
Verify vault secret integrity in unauthenticated I/O streams (audit log, STDOUT/STDERR via the systemd journal) by scanning the text with Vault Radar. We search for both known and unknown secrets by using an index of KVV2 values and also by radar's built-in heuristics for credentials, secrets, and keys. The verification has been added to many scenarios where a slight time increase is allowed, as we now have to install Vault Radar and scan the text. In practice this adds less than 10 seconds to the overall duration of a scenario. In the in-place upgrade scenario we explicitly exclude this verification when upgrading from a version that we know will fail the check. We also make the verification opt-in so as to not require a Vault Radar license to run Enos scenarios, though it will always be enabled in CI. As part of this we also update our enos workflow to utilize secret values from our self-hosted Vault when executing in the vault-enterprise repo context. Signed-off-by: Ryan Cragun <me@ryan.ec>
83 lines
2.1 KiB
Bash
83 lines
2.1 KiB
Bash
#!/usr/bin/env bash
|
|
# Copyright (c) HashiCorp, Inc.
|
|
# SPDX-License-Identifier: BUSL-1.1
|
|
|
|
set -e
|
|
|
|
fail() {
|
|
echo "$1" 1>&2
|
|
exit 1
|
|
}
|
|
|
|
[[ -z "$AES_LABEL" ]] && fail "AES_LABEL env variable has not been set"
|
|
[[ -z "$HMAC_LABEL" ]] && fail "HMAC_LABEL env variable has not been set"
|
|
[[ -z "$PIN" ]] && fail "PIN env variable has not been set"
|
|
[[ -z "$SO_PIN" ]] && fail "SO_PIN env variable has not been set"
|
|
[[ -z "$TOKEN_LABEL" ]] && fail "TOKEN_LABEL env variable has not been set"
|
|
[[ -z "$TOKEN_DIR" ]] && fail "TOKEN_DIR env variable has not been set"
|
|
|
|
if ! type softhsm2-util &> /dev/null; then
|
|
fail "unable to locate softhsm2-util in PATH. Have you installed softhsm?"
|
|
fi
|
|
|
|
if ! type pkcs11-tool &> /dev/null; then
|
|
fail "unable to locate pkcs11-tool in PATH. Have you installed opensc?"
|
|
fi
|
|
|
|
# Create an HSM slot and return the slot number in decimal value.
|
|
create_slot() {
|
|
sudo softhsm2-util --init-token --free --so-pin="$SO_PIN" --pin="$PIN" --label="$TOKEN_LABEL" | grep -oE '[0-9]+$'
|
|
}
|
|
|
|
# Find the location of our softhsm shared object.
|
|
find_softhsm_so() {
|
|
sudo find /usr -type f -name libsofthsm2.so -print -quit
|
|
}
|
|
|
|
# Create key a key in the slot. Args: module, key label, id number, key type
|
|
keygen() {
|
|
sudo pkcs11-tool --keygen --usage-sign --private --sensitive --usage-wrap \
|
|
--module "$1" \
|
|
-p "$PIN" \
|
|
--token-label "$TOKEN_LABEL" \
|
|
--label "$2" \
|
|
--id "$3" \
|
|
--key-type "$4"
|
|
}
|
|
|
|
# Create our softhsm slot and keys
|
|
main() {
|
|
local slot
|
|
if ! slot=$(create_slot); then
|
|
fail "failed to create softhsm token slot"
|
|
fi
|
|
|
|
local so
|
|
if ! so=$(find_softhsm_so); then
|
|
fail "unable to locate libsofthsm2.so shared object"
|
|
fi
|
|
|
|
if ! keygen "$so" "$AES_LABEL" 1 'AES:32' 1>&2; then
|
|
fail "failed to create AES key"
|
|
fi
|
|
|
|
if ! keygen "$so" "$HMAC_LABEL" 2 'GENERIC:32' 1>&2; then
|
|
fail "failed to create HMAC key"
|
|
fi
|
|
|
|
# Return our seal configuration attributes as JSON
|
|
cat << EOF
|
|
{
|
|
"lib": "${so}",
|
|
"slot": "${slot}",
|
|
"pin": "${PIN}",
|
|
"key_label": "${AES_LABEL}",
|
|
"hmac_key_label": "${HMAC_LABEL}",
|
|
"generate_key": "false"
|
|
}
|
|
EOF
|
|
exit 0
|
|
}
|
|
|
|
main
|