use a boostrap token, then switch

G-Research · Oct 2, 2024 · 66b5536 · 66b5536
1 parent a37ec0a
commit 66b5536
Show file tree

Hide file tree

Showing 6 changed files with 68 additions and 23 deletions.
diff --git a/app/lib/clients/vault.rb b/app/lib/clients/vault.rb
@@ -1,29 +1,28 @@
 module Clients
   class Vault
-    class << self
-      private
+      class_attribute :token
 
-      def client
-        ::Vault::Client.new(
-          address: vault_address,
-          token: vault_token
-        )
-      end
+      class << self
+        private
 
-      def vault_address
-        Rails.configuration.astral[:vault_addr]
-      end
+        def client
+          ::Vault::Client.new(
+            address: address,
+            token: token
+          )
+        end
 
-      def vault_token
-        Rails.configuration.astral[:vault_token]
-      end
+        def address
+          Rails.configuration.astral[:vault_addr]
+        end
 
-      def enable_engine(mount, type)
-        client.sys.mount(mount, type, "#{type} secrets engine")
-      end
+        def enable_engine(mount, type)
+          client.sys.mount(mount, type, "#{type} secrets engine")
+        end
     end
   end
 
   require_relative "vault/key_value"
   require_relative "vault/certificate"
+  require_relative "vault/policy"
 end
diff --git a/app/lib/clients/vault/certificate.rb b/app/lib/clients/vault/certificate.rb
@@ -64,8 +64,8 @@ def configure_root_ca
         File.write("tmp/#{root_ca_mount}.crt", root_cert)
 
         client.logical.write("#{root_ca_mount}/config/cluster",
-                            path: "#{vault_address}/v1/#{root_ca_mount}",
-                            aia_path: "#{vault_address}/v1/#{root_ca_mount}")
+                            path: "#{address}/v1/#{root_ca_mount}",
+                            aia_path: "#{address}/v1/#{root_ca_mount}")
 
         client.logical.write("#{root_ca_mount}/config/urls",
                             issuing_certificates: "{{cluster_aia_path}}/issuer/{{issuer_id}}/der",
@@ -100,8 +100,8 @@ def sign_cert
       def configure_ca
         # Configure the intermediate CA
         client.logical.write("#{intermediate_ca_mount}/config/cluster",
-                             path: "#{vault_address}/v1/#{intermediate_ca_mount}",
-                             aia_path: "#{vault_address}/v1/#{intermediate_ca_mount}")
+                             path: "#{address}/v1/#{intermediate_ca_mount}",
+                             aia_path: "#{address}/v1/#{intermediate_ca_mount}")
 
         # Configure the role for issuing certs
         issuer_ref = client.logical.read("#{intermediate_ca_mount}/config/issuers").data[:default]

diff --git a/app/lib/clients/vault/key_value.rb b/app/lib/clients/vault/key_value.rb
@@ -6,7 +6,6 @@ def kv_read(path)
       end
 
       def kv_write(path, data)
-        configure_kv
         client.logical.write("#{kv_mount}/data/#{path}", data: data)
       end
 

diff --git a/app/lib/clients/vault/policy.rb b/app/lib/clients/vault/policy.rb
@@ -0,0 +1,37 @@
+module Clients
+  class Vault
+    class << self
+      def rotate_token
+        create_astral_policy
+        token = create_astral_token
+        Clients::Vault.token = token
+      end
+
+      private
+
+      def create_astral_policy
+        policy = <<-HCL
+        path "#{intermediate_ca_mount}/roles/astral" {
+          capabilities = ["read", "list"]
+        }
+        path "#{intermediate_ca_mount}/issue/astral" {
+          capabilities = ["create", "update"]
+        }
+        path "#{kv_mount}/data/*" {
+          capabilities = ["create", "read", "update", "delete", "list"]
+        }
+        HCL
+
+        client.sys.put_policy("astral_policy", policy)
+      end
+
+      def create_astral_token
+        token = client.auth_token.create(
+          policies: [ "astral_policy" ],
+          ttl: "24h"
+        )
+        token.auth.client_token
+      end
+    end
+  end
+end
diff --git a/config/application.rb b/config/application.rb
@@ -33,8 +33,11 @@ class Application < Rails::Application
     config.astral = config_for :astral
 
     config.after_initialize do
+      # bootstrap with provided token, then rotate
+      Clients::Vault.token = Rails.configuration.astral[:vault_token]
       Clients::Vault.configure_kv
       Clients::Vault.configure_pki
+      Clients::Vault.rotate_token
     end
   end
 end
diff --git a/test/lib/clients/vault_test.rb b/test/lib/clients/vault_test.rb
@@ -6,11 +6,14 @@ class VaultTest < ActiveSupport::TestCase
 
   setup do
     @client = Clients::Vault
+    @token = Clients::Vault.token
+    Clients::Vault.token = vault_token
     @root_ca_mount = SecureRandom.hex(4)
     @intermediate_ca_mount = SecureRandom.hex(4)
   end
 
   teardown do
+    Clients::Vault.token = @token
     vault_client.sys.unmount(root_ca_mount)
     vault_client.sys.unmount(intermediate_ca_mount)
   end
@@ -53,11 +56,15 @@ class VaultTest < ActiveSupport::TestCase
   def vault_client
     ::Vault::Client.new(
           address: vault_addr,
-          token: Rails.configuration.astral[:vault_token]
+          token: vault_token
     )
   end
 
   def vault_addr
     Rails.configuration.astral[:vault_addr]
   end
+
+  def vault_token
+    Rails.configuration.astral[:vault_token]
+  end
 end
-Original file line number
+Diff line change
@@ Expand Up / @@ -6,7 +6,6 @@ def kv_read(path) @@
           end
           def kv_write(path, data)
-            configure_kv
             client.logical.write("#{kv_mount}/data/#{path}", data: data)
           end
@@ Expand Down @@