#!/usr/bin/env bash
#
# vault-debug-policy.sh
#
# Admin-Tool für eine temporäre Debug-Policy in HashiCorp Vault.
#
# Features:
#   - assign <certname> : hängt die Debug-Policy an ein Cert-Mapping
#   - remove <certname> : entfernt die Debug-Policy von einem Cert-Mapping
#   - list              : zeigt alle Cert-Mappings, die die Debug-Policy aktuell haben
#
# Voraussetzung:
#   - Root/Admin-Token muss aktiv sein (VAULT_TOKEN gesetzt).
#   - Vault CLI installiert & VAULT_ADDR gesetzt.
#   - Debug-Policy existiert bereits (siehe unten).
#
# ------------------------------------------------------------------------
# 🛠️ Debug-Policy anlegen (einmalig mit Root ausführen):
#
# 1. Datei debug-policy.hcl erstellen:
# ---------------------------------
#   path "auth/token/lookup-self" {
#     capabilities = ["read"]
#   }
#
#   path "auth/token/renew-self" {
#     capabilities = ["update"]
#   }
#
# 2. Policy ins Vault laden:
# ------------------------
#   vault policy write debug-policy debug-policy.hcl
#
# Danach kannst du mit diesem Skript die Policy temporär anhängen/entfernen.
# ------------------------------------------------------------------------

DEBUG_POLICY="debug-policy" # generischer Name für alle User
|
|
|
|
# Funktion: Usage anzeigen
|
|
usage() {
|
|
echo "Usage: $0 {assign <certname>|remove <certname>|list}"
|
|
exit 1
|
|
}
|
|
|
|
# Funktion: Assign Policy zu Cert-Mapping
|
|
assign_policy() {
|
|
local certname="$1"
|
|
if [[ -z "$certname" ]]; then
|
|
usage
|
|
fi
|
|
|
|
echo "[INFO] Adding debug policy '$DEBUG_POLICY' to cert '$certname' ..."
|
|
# Alte Policies auslesen
|
|
local current_policies
|
|
current_policies=$(vault read -field=policies "auth/cert/certs/$certname")
|
|
|
|
# Neue Policy-Liste bauen
|
|
local new_policies="${current_policies},${DEBUG_POLICY}"
|
|
|
|
# Cert-Mapping updaten
|
|
vault write "auth/cert/certs/$certname" \
|
|
policies="$new_policies"
|
|
|
|
echo "[OK] Cert '$certname' hat jetzt Policies: $new_policies"
|
|
}
|
|
|
|
# Funktion: Remove Policy von Cert-Mapping
|
|
remove_policy() {
|
|
local certname="$1"
|
|
if [[ -z "$certname" ]]; then
|
|
usage
|
|
fi
|
|
|
|
echo "[INFO] Removing debug policy '$DEBUG_POLICY' from cert '$certname' ..."
|
|
# Alte Policies auslesen
|
|
local current_policies
|
|
current_policies=$(vault read -field=policies "auth/cert/certs/$certname")
|
|
|
|
# Debug-Policy herausfiltern
|
|
local new_policies
|
|
new_policies=$(echo "$current_policies" | tr ',' '\n' | grep -v "^${DEBUG_POLICY}$" | paste -sd "," -)
|
|
|
|
vault write "auth/cert/certs/$certname" \
|
|
policies="$new_policies"
|
|
|
|
echo "[OK] Cert '$certname' hat jetzt Policies: $new_policies"
|
|
}
|
|
|
|
# Funktion: Liste aller Certs mit Debug-Policy
|
|
list_with_policy() {
|
|
echo "[INFO] Cert-Mappings mit Debug-Policy '$DEBUG_POLICY':"
|
|
for cert in $(vault list -format=json auth/cert/certs | jq -r '.[]'); do
|
|
policies=$(vault read -field=policies "auth/cert/certs/$cert")
|
|
if echo "$policies" | grep -q "$DEBUG_POLICY"; then
|
|
echo " - $cert ($policies)"
|
|
fi
|
|
done
|
|
}
|
|
|
|
# Main
|
|
case "$1" in
|
|
assign) assign_policy "$2" ;;
|
|
remove) remove_policy "$2" ;;
|
|
list) list_with_policy ;;
|
|
*) usage ;;
|
|
esac
|
|
|