diff --git a/secrets/transit/vault-transit-rewrap-example/AppDb.cs b/secrets/transit/vault-transit-rewrap-example/AppDb.cs
deleted file mode 100644
index a51dee23..00000000
--- a/secrets/transit/vault-transit-rewrap-example/AppDb.cs
+++ /dev/null
@@ -1,20 +0,0 @@
-using System;
-using MySql.Data.MySqlClient;
-
-namespace RewrapExample
-{
- public class AppDb : IDisposable
- {
- public readonly MySqlConnection Connection;
-
- public AppDb()
- {
- Connection = new MySqlConnection("host=127.0.0.1;port=3306;user id=vault;password=vaultpw;database=my_app;");
- }
-
- public void Dispose()
- {
- Connection.Close();
- }
- }
-}
diff --git a/secrets/transit/vault-transit-rewrap-example/DBHelper.cs b/secrets/transit/vault-transit-rewrap-example/DBHelper.cs
deleted file mode 100644
index 55b5bd54..00000000
--- a/secrets/transit/vault-transit-rewrap-example/DBHelper.cs
+++ /dev/null
@@ -1,151 +0,0 @@
-using System;
-using System.Collections.Generic;
-using System.Data.Common;
-using System.Threading.Tasks;
-
-namespace RewrapExample
-{
-
- class DBHelper
- {
- public static async Task CreateTablesAsync()
- {
- using (var db = new AppDb())
- {
- await db.Connection.OpenAsync();
- using (var cmd = db.Connection.CreateCommand())
- {
- string command = "CREATE TABLE IF NOT EXISTS `user_data`(" +
- "`user_id` INT(11) NOT NULL AUTO_INCREMENT, " +
- "`user_name` VARCHAR(256) NOT NULL," +
- "`first_name` VARCHAR(256) NULL, " +
- "`last_name` VARCHAR(256) NULL, " +
- "`address` VARCHAR(256) NOT NULL, " +
- "`city` VARCHAR(256) NOT NULL," +
- "`state` VARCHAR(256) NOT NULL," +
- "`postcode` VARCHAR(256) NOT NULL," +
- "`email` VARCHAR(256) NOT NULL," +
- "`dob` VARCHAR(256) NULL," +
- "PRIMARY KEY (user_id) " +
- ") engine=InnoDB;";
- cmd.CommandText = command;
-
-
- await cmd.ExecuteNonQueryAsync();
- Console.WriteLine("Create (if not exist) user_data table");
- }
- }
- }
-
- public static async Task CreateDBAsync()
- {
- using (var db = new AppDb())
- {
- await db.Connection.OpenAsync();
- using (var cmd = db.Connection.CreateCommand())
- {
- string command = "CREATE DATABASE IF NOT EXISTS my_app";
- cmd.CommandText = command;
-
-
- await cmd.ExecuteNonQueryAsync();
- Console.WriteLine("Created (if not exist) my_app DB");
- }
- }
- }
-
- public static async Task InsertRecordAsyc(Record r)
- {
- using (var db = new AppDb())
- {
- await db.Connection.OpenAsync();
- using (var cmd = db.Connection.CreateCommand())
- {
-
- string command = "INSERT INTO `user_data` " +
- "(`user_name`, `first_name`, `last_name`, `address`, " +
- "`city`, `state`, `postcode`, `email`, `dob`) " +
- $"VALUES (\"{r.Login.Username}\", \"{r.Name.First}\", \"{r.Name.Last}\", " +
- $"\"{r.Location.Street}\", \"{r.Location.City}\", \"{r.Location.State}\", " +
- $"\"{r.Location.Postcode}\", \"{r.Email}\", \"{r.DOB}\");";
-
- cmd.CommandText = command;
-
- var rowsAffected = await cmd.ExecuteNonQueryAsync();
- //Console.WriteLine($"Created {rowsAffected} rows");
- }
- }
- }
-
- // update encrypted fields with rewrapped data
- public static async Task UpdateRecordAsyc(Record r)
- {
- using (var db = new AppDb())
- {
- await db.Connection.OpenAsync();
- using (var cmd = db.Connection.CreateCommand())
- {
-
- string command = "UPDATE `user_data` " +
- $"SET `address` = \"{r.Location.Street}\", " +
- $"`dob` = \"{r.DOB}\", " +
- $"`email` = \"{r.Email}\" " +
- $"WHERE `user_id` = {r.Id.Value}";
-
- cmd.CommandText = command;
-
- await cmd.ExecuteNonQueryAsync();
- }
- }
- }
-
- // Find records that need to be rewrapped
- public static async Task> FindRecordsToRewrap(int keyVersion)
- {
- // select fields that are encrypted
- using (var db = new AppDb())
- {
- var users = new List();
- await db.Connection.OpenAsync();
- using (var cmd = db.Connection.CreateCommand())
- {
- int count = 0;
- string command = "SELECT `user_id`, `email`,`dob`, `address` " +
- "FROM `user_data` " +
- $"WHERE `dob` NOT LIKE \"vault:v{keyVersion}:%\" " +
- $"OR `email` NOT LIKE \"vault:v{keyVersion}:%\" " +
- $"OR `address` NOT LIKE \"vault:v{keyVersion}:%\" ";
-
-
- cmd.CommandText = command;
-
- var reader = await cmd.ExecuteReaderAsync();
-
- while (reader.Read())
- {
- count++;
- var user_id = reader.GetInt32(0);
- var email = reader.GetString(1);
- var dob = reader.GetString(2);
- var address = reader.GetString(3);
-
- RewrapExample.Location addr = new Location();
- addr.Street = address;
- RewrapExample.Id id = new Id();
- id.Value = user_id.ToString();
-
- Record r = new Record
- {
- Id = id,
- DOB = dob,
- Email = email,
- Location = addr,
- };
- users.Add(r);
- }
- }
- return users;
- }
- }
- }
-}
diff --git a/secrets/transit/vault-transit-rewrap-example/Program.cs b/secrets/transit/vault-transit-rewrap-example/Program.cs
deleted file mode 100644
index 6a8c9839..00000000
--- a/secrets/transit/vault-transit-rewrap-example/Program.cs
+++ /dev/null
@@ -1,75 +0,0 @@
-using System;
-using System.Collections.Generic;
-using System.Net.Http;
-using System.Net.Http.Headers;
-using System.Threading.Tasks;
-using Newtonsoft.Json;
-
-namespace RewrapExample
-{
- class Program
- {
- static VaultClient client = null;
- static void Main(string[] args)
- {
- // Get our env vars
- string vaultUri = Environment.GetEnvironmentVariable("VAULT_ADDR");
- string token = Environment.GetEnvironmentVariable("VAULT_TOKEN");
- string transitKeyName = Environment.GetEnvironmentVariable("VAULT_TRANSIT_KEY");
- string shouldSeed = Environment.GetEnvironmentVariable("SHOULD_SEED_USERS");
- string numRecords = Environment.GetEnvironmentVariable("NUMBER_SEED_USERS");
-
- Console.WriteLine("Connecting to Vault server...");
-
- // initialize Vault client
- if (null == client)
- {
- client = new VaultClient(vaultUri, token, transitKeyName);
- }
-
- InitDBAsync().GetAwaiter().GetResult();
-
- // seed the database with random user records if necessary
- if (null != shouldSeed) {
- SeedDB(numRecords).GetAwaiter().GetResult();
- Console.WriteLine("Seeded the database...");
- }
-
- // get latest key version and rewrap if necessary
- Console.WriteLine("Moving rewrap...");
- RewrapAsync().GetAwaiter().GetResult();
- }
-
- static async Task InitDBAsync()
- {
- await DBHelper.CreateDBAsync();
- await DBHelper.CreateTablesAsync();
-
- }
-
- // Download records from the randomuser api, and encrypt some
- // fields so we can rewrap them later
- static async Task SeedDB(string numRecords)
- {
- WebHelper.ApiResults apiResults = await WebHelper.GetUserRecordsAsync(numRecords);
- var tasks = new List();
- foreach (var record in apiResults.Records) {
- ICollection encryptValues = new List();
- record.DOB = await client.EncryptValue(record.DOB);
- record.Location.Street = await client.EncryptValue(record.Location.Street);
- record.Email = await client.EncryptValue(record.Email);
- tasks.Add(DBHelper.InsertRecordAsyc(record));
- }
- await Task.WhenAll(tasks);
-
- }
- static async Task RewrapAsync() {
- int v = await client.GetLatestTransitKeyVersion();
- Console.WriteLine($"Current Key Version: {v}");
- List users = await DBHelper.FindRecordsToRewrap(v);
- Console.WriteLine($"Found {users.Count} records to rewrap.");
- await client.ReWrapRecords(users);
-
- }
- }
-}
diff --git a/secrets/transit/vault-transit-rewrap-example/README.md b/secrets/transit/vault-transit-rewrap-example/README.md
deleted file mode 100644
index e59df432..00000000
--- a/secrets/transit/vault-transit-rewrap-example/README.md
+++ /dev/null
@@ -1,47 +0,0 @@
-# Vault Transit Rewrap Record After Key Rotation Example
-
-These assets are provided to perform the tasks described in the [Transit Secret Re-wrapping](https://www.vaultproject.io/guides/encryption/transit-rewrap.html) guide.
-
----
-
-## Demo Script Guide
-
-The following files are provided as demo scripts:
-
-- `demo_setup.sh` performs [Step 1 through 3](https://www.vaultproject.io/guides/encryption/transit-rewrap.html#steps) in the guide
- * Pull and run mysql server 5.7 docker container
- * Enable transit secret engine
- * Create `my_app_key` encryption key
- * Create `rewrap_example` policy
- * Generate a token to be used by the app
-- `run-app.sh` performs [Step 4](https://www.vaultproject.io/guides/encryption/transit-rewrap.html#step4) in the guide
- * Runs the example app
- * Prints out the commends to explore the MySQL DB
-- `rewrap_example.sh` performs [Step 5](https://www.vaultproject.io/guides/encryption/transit-rewrap.html#step-5-rotate-the-encryption-keys) in the guide
- * Read the `my_app_key` details BEFORE the key rotation
- * Rotate the `my_app_key` encryption key
- * Read the `my_app_key` details AFTER the key rotation
- * Prints out the command to set the `min_decryption_version`
-- `cleanup.sh` re-set your environment
-
-
-### Demo Workflow
-
-> **NOTE:** DON'T FORGET that this demo requires [.NET Core and Docker](https://www.vaultproject.io/guides/encryption/transit-rewrap.html#prerequisites) to run the sample app.
-
-1. Run `demo_setup.sh`
-
-2. Run `run_app.sh`
- - Open another terminal
- - Copy and paste the suggested commands to explorer the `user_data` table in mysql
-
-3. Run `rewrap_example.sh` a couple of times and review the key version
-
-4. Run `run_app.sh` again
- - See the data in the `user_data` table are now rewrapped with the _latest_ encryption key version
-
-To demonstrate the minimum key version restriction feature, repeat #3 and then run the commands suggested in the output (`vault write transit/keys/my_app_key/config min_decryption_version=3`). And then, repeat #4.
-
-Finally, run `cleanup.sh` to re-set your environment so that you can repeat the demo as necessary.
-
-> **WARNING:** The `cleanup.sh` disables the transit secret engine. All encryption keys will be deleted. If you are working against a shared Vault server, you might want to ***manually*** clean up the environment instead.
diff --git a/secrets/transit/vault-transit-rewrap-example/Record.cs b/secrets/transit/vault-transit-rewrap-example/Record.cs
deleted file mode 100644
index 7af7318d..00000000
--- a/secrets/transit/vault-transit-rewrap-example/Record.cs
+++ /dev/null
@@ -1,56 +0,0 @@
-namespace RewrapExample
-{
- public class Name
- {
- public string Title { get; set; }
- public string First { get; set; }
- public string Last { get; set; }
- }
-
- public class Location
- {
- public string Street { get; set; }
- public string City { get; set; }
- public string State { get; set; }
- public string Postcode { get; set; }
- }
-
- public class Login
- {
- public string Username { get; set; }
- public string Password { get; set; }
- public string Salt { get; set; }
- public string Md5 { get; set; }
- public string Sha1 { get; set; }
- public string Sha256 { get; set; }
- }
-
- public class Id
- {
- public string Name { get; set; }
- public string Value { get; set; }
- }
-
- public class Picture
- {
- public string Large { get; set; }
- public string Medium { get; set; }
- public string Thumbnail { get; set; }
- }
-
- public class Record
- {
- public string Gender { get; set; }
- public Name Name { get; set; }
- public Location Location { get; set; }
- public string Email { get; set; }
- public Login Login { get; set; }
- public string DOB { get; set; }
- public string Registered { get; set; }
- public string Phone { get; set; }
- public string Cell { get; set; }
- public Id Id { get; set; }
- public Picture Picture { get; set; }
- public string Nationality { get; set; }
- }
-}
\ No newline at end of file
diff --git a/secrets/transit/vault-transit-rewrap-example/VaultClient.cs b/secrets/transit/vault-transit-rewrap-example/VaultClient.cs
deleted file mode 100644
index 7beb7ff5..00000000
--- a/secrets/transit/vault-transit-rewrap-example/VaultClient.cs
+++ /dev/null
@@ -1,83 +0,0 @@
-using System;
-using System.Collections.Generic;
-using System.Text;
-using System.Threading.Tasks;
-using VaultSharp;
-using VaultSharp.Backends.Authentication.Models;
-using VaultSharp.Backends.Authentication.Models.Token;
-
-
-namespace RewrapExample
-{
- class VaultClient
- {
- IVaultClient client;
- string transitKeyName;
- const string keyPath = "/transit/keys/";
-
- public VaultClient(string vaultAddr, string vaultToken, string keyName)
- {
- Uri vaultUri = new Uri(vaultAddr);
- IAuthenticationInfo tokenAuthenticationInfo = new TokenAuthenticationInfo(vaultToken);
- client = VaultClientFactory.CreateVaultClient(vaultUri, tokenAuthenticationInfo);
- transitKeyName = keyName;
- }
-
- // get latest transit key version
- public async Task GetLatestTransitKeyVersion()
- {
- int keyVersion = -1;
- var resp = await client.ReadSecretAsync(keyPath + transitKeyName);
- if (resp.Data.ContainsKey("latest_version"))
- {
- keyVersion = (int)(long)resp.Data["latest_version"];
- }
-
- return keyVersion;
- }
-
- // rewrap endpoint, possible to upload batches of records, but that is
- // not currently supported by the VaultSharp client. You can specify things like
- // alternate mount point, context for derived keys, etc. Please see the documentation:
- // https://github.com/rajanadar/VaultSharp
- public async Task ReWrapValue(string ciphertext)
- {
- var result = await client.TransitRewrapWithLatestEncryptionKeyAsync(transitKeyName, ciphertext);
- return result.Data.CipherText;
- }
-
- private string base64(string value)
- {
- byte[] bytes = Encoding.UTF8.GetBytes(value);
- return Convert.ToBase64String(bytes);
- }
-
- // encrypt data, required for seeding
- public async Task EncryptValue(string plainText)
- {
- var ciphertext = await client.TransitEncryptAsync(transitKeyName, base64(plainText));
- return ciphertext.Data.CipherText;
- }
-
- public async Task ReWrapRecords(ICollection users)
- {
- int count = 0;
- ICollection tasks = new List();
- foreach (Record user in users)
- {
- count++;
- user.Location.Street = await ReWrapValue(user.Location.Street);
- user.DOB = await ReWrapValue(user.DOB);
- user.Email = await ReWrapValue(user.Email);
-
- tasks.Add(DBHelper.UpdateRecordAsyc(user));
- if (count % 10 == 0)
- {
- Console.WriteLine($"Wrapped another 10 records: {count} so far...");
- await Task.WhenAll();
- }
- }
- await Task.WhenAll(tasks);
- }
- }
-}
\ No newline at end of file
diff --git a/secrets/transit/vault-transit-rewrap-example/WebHelper.cs b/secrets/transit/vault-transit-rewrap-example/WebHelper.cs
deleted file mode 100644
index a4c5c412..00000000
--- a/secrets/transit/vault-transit-rewrap-example/WebHelper.cs
+++ /dev/null
@@ -1,41 +0,0 @@
-using System;
-using System.Collections.Generic;
-using System.Net.Http;
-using System.Net.Http.Headers;
-using System.Threading.Tasks;
-using Newtonsoft.Json;
-
-namespace RewrapExample
-{
- class WebHelper
- {
- public static HttpClient client = new HttpClient();
-
- public class ApiResults
- {
- [JsonProperty("results")]
- public IEnumerable Records { get; set; }
- }
-
- public static async Task GetUserRecordsAsync(string numRecords)
- {
- var n = null == numRecords ? "500" : numRecords;
- string baseUrl = "https://randomuser.me";
- string query = $"/api/?results={n}&nat=us";
- //WebHelper.client.BaseAddress = new Uri(baseUrl);
- WebHelper.client.DefaultRequestHeaders.Accept.Clear();
- WebHelper.client.DefaultRequestHeaders.Accept.Add(
- new MediaTypeWithQualityHeaderValue("application/json")
- );
-
- ApiResults records = null;
- HttpResponseMessage response = await client.GetAsync(baseUrl + query);
- if (response.IsSuccessStatusCode)
- {
- string resp = await response.Content.ReadAsStringAsync();
- records = JsonConvert.DeserializeObject(resp);
- }
- return records;
- }
- }
-}
\ No newline at end of file
diff --git a/secrets/transit/vault-transit-rewrap-example/cleanup.sh b/secrets/transit/vault-transit-rewrap-example/cleanup.sh
deleted file mode 100755
index 7715acc8..00000000
--- a/secrets/transit/vault-transit-rewrap-example/cleanup.sh
+++ /dev/null
@@ -1,22 +0,0 @@
-#!/bin/bash
-
-# Disable transit secret engine
-vault secrets disable transit
-
-# Delete the app-token.txt file
-rm app-token.txt
-
-# Delete the generated /bin directory
-rm -r bin
-
-# Delete the generated /obj directory
-rm -r obj
-
-echo ""
-echo "#---------------------------------------"
-echo "# To clear data in the user_data table"
-echo "#---------------------------------------"
-echo " docker exec -it mysql-rewrap mysql -uroot -proot"
-echo " mysql> USE my_app"
-echo " mysql> DELETE FROM user_data;"
-echo ""
diff --git a/secrets/transit/vault-transit-rewrap-example/demo_setup.sh b/secrets/transit/vault-transit-rewrap-example/demo_setup.sh
deleted file mode 100755
index 591c1b48..00000000
--- a/secrets/transit/vault-transit-rewrap-example/demo_setup.sh
+++ /dev/null
@@ -1,36 +0,0 @@
-#!/bin/bash
-
-# INITIAL SETUP: RUN ONLY ONCE
-
-# --------
-# Step 1
-# --------
-# Pull the latest mysql container image
-docker pull mysql/mysql-server:5.7
-
-# Create a directory for our data (change the following line if running on Windows)
-mkdir ~/rewrap-data
-
-# Run the container. The following command creates a database named 'my_app',
-# specifies the root user password as 'root', and adds a user named vault
-docker run --name mysql-rewrap -p 3306:3306 -v ~/rewrap-data/var/lib/mysql -e MYSQL_ROOT_PASSWORD=root -e MYSQL_ROOT_HOST=% -e MYSQL_DATABASE=my_app -e MYSQL_USER=vault -e MYSQL_PASSWORD=vaultpw -d mysql/mysql-server:5.7
-
-# --------
-# Step 2
-# --------
-# VAULT_SKIP_VERIFY=true
-
-echo "Enabling transit secret engine"
-vault secrets enable transit
-
-echo "Creating an encryption key, my_app_key"
-vault write -f transit/keys/my_app_key
-
-# --------
-# Step 3
-# --------
-echo "Create rewrap example policy"
-vault policy write rewrap_example ./rewrap_example.hcl
-
-echo "Create a token for the sample app to use and save it in app-token.txt"
-vault token create -policy=rewrap_example -format=json | jq -r ".auth.client_token" > app-token.txt
diff --git a/secrets/transit/vault-transit-rewrap-example/rewrap_demo.sh b/secrets/transit/vault-transit-rewrap-example/rewrap_demo.sh
deleted file mode 100755
index 7952e2c8..00000000
--- a/secrets/transit/vault-transit-rewrap-example/rewrap_demo.sh
+++ /dev/null
@@ -1,30 +0,0 @@
-#!/bin/bash
-
-#---------------
-# Step 5
-#---------------
-echo "---------------------------"
-echo " CURRENT key information "
-echo "---------------------------"
-vault read transit/keys/my_app_key
-echo ""
-
-echo "-----------------------------"
-echo " Rotate the encryption key "
-echo "-----------------------------"
-vault write -f transit/keys/my_app_key/rotate
-echo ""
-
-echo "--------------------------------------------"
-echo " Key information AFTER the key rotation "
-echo "--------------------------------------------"
-vault read transit/keys/my_app_key
-echo ""
-
-echo "=========================================================================="
-echo " To set the min_decryption_version, run: "
-echo " vault write transit/keys/my_app_key/config min_decryption_version=3 "
-echo " & "
-echo " vault read transit/keys/my_app_key "
-echo "=========================================================================="
-echo ""
diff --git a/secrets/transit/vault-transit-rewrap-example/rewrap_example.csproj b/secrets/transit/vault-transit-rewrap-example/rewrap_example.csproj
deleted file mode 100644
index e84b23ce..00000000
--- a/secrets/transit/vault-transit-rewrap-example/rewrap_example.csproj
+++ /dev/null
@@ -1,14 +0,0 @@
-
-
-
- Exe
- netcoreapp2.0
-
-
-
-
-
-
-
-
-
diff --git a/secrets/transit/vault-transit-rewrap-example/rewrap_example.hcl b/secrets/transit/vault-transit-rewrap-example/rewrap_example.hcl
deleted file mode 100644
index 21a30cad..00000000
--- a/secrets/transit/vault-transit-rewrap-example/rewrap_example.hcl
+++ /dev/null
@@ -1,13 +0,0 @@
-path "transit/keys/my_app_key" {
- capabilities = ["read"]
-}
-
-path "transit/rewrap/my_app_key" {
- capabilities = ["update"]
-}
-
-# This last policy is needed to seed the database as part of the example.
-# It can be omitted if seeding is not required
-path "transit/encrypt/my_app_key" {
- capabilities = ["update"]
-}
diff --git a/secrets/transit/vault-transit-rewrap-example/run-app.sh b/secrets/transit/vault-transit-rewrap-example/run-app.sh
deleted file mode 100755
index a1dc8537..00000000
--- a/secrets/transit/vault-transit-rewrap-example/run-app.sh
+++ /dev/null
@@ -1,13 +0,0 @@
-#!/bin/bash
-
-VAULT_TOKEN=$(cat app-token.txt) VAULT_ADDR=$VAULT_ADDR VAULT_TRANSIT_KEY=my_app_key SHOULD_SEED_USERS=true dotnet run
-
-echo ""
-echo "#------------------------------------"
-echo "# To view the data in the MySQL DB"
-echo "#------------------------------------"
-echo " docker exec -it mysql-rewrap mysql -uroot -proot"
-echo " mysql> USE my_app"
-echo " mysql> DESC user_data;"
-echo " mysql> SELECT * FROM user_data WHERE dob LIKE \"vault:v1%\" limit 10;"
-echo ""