Vault Extensions
Project Overview
This project extended the functionality of Vault to give it a quicker CLI and some automation options. Some of the features were inspired by the standard Unix password manager, pass, where the user can quickly navigate to passwords using tab autocompletion. I utilized a text prediction algorithm that allows the user to quickly navigate to secrets in Vault without having to type in the entire path to anything. I also created command shortcuts for things like new key generation and allowed the user to copy secrets to the clipboard for a set duration of time, which protects the user from accidentally pasting sensitive information elsewhere. Furthermore, this program can be given a text file list of accounts on servers and will automatically generate and re-assign passwords to those accounts in Vault.
Available Commands Within This Program
Inputting `help` will display the available commands.
`TARGET` is the end of the vault file path (webserver1.com for example).
`KEY` is the key stored in vault. This program allows you to input the key as either `account:user` or just `user`.
- `engine` -> displays all of the directories under the secrets engine you entered (sysadmin/, desktop_support/, etc.). Also used to switch between secrets engines.
- `-c TARGET KEY` -> copies the key value for a given target for 45 seconds. (`-c webserver1.com account:student` will copy the password for student on cannoli.) - In Progress
- `-c -f FILENAME` -> copies the key values for the keys within a .txt file. This is useful for changing passwords after the `put -f FILENAME` command has generated new ones and recorded them in vault.
- `TARGET KEY` -> just prints the key value to the terminal without copying.
- `list PATH` -> equivalent to `vault kv list PATH`.
- `get TARGET` -> equivalent to `vault kv get PATH`, but you can just use the end of the path instead of typing out the whole thing. It will display the full path as well as the keys.
- `prev` -> copies your previous input to the clipboard so that you can re-enter it.
- `put TARGET KEY NEW_VALUE` (or `random`) -> replaces a value for a given key/account. If the new value entered is `random`, then a random 32-byte hex number will be generated and used as the new value.
- `put -f FILENAME` -> given a list of targets and keys within a .txt file, this command will iterate through each line and assign random 32-byte hex numbers to each key value. The content of the .txt file should be formatted like so: `TARGET KEY`
- `random` -> uses the vault API to generate and print out a random 32-byte hex number. Precede this with `-c` to copy that number to the clipboard.
You can also type in all other vault commands available, just without `vault`:
For example, you can type `kv list sysadmin/`, which would be equivalent to executing `vault kv list sysadmin` outside of this program.
Auto-Complete Feature
This program contains an auto-complete feature that will fill in your input if you did not type it all the way or if it was spelled incorrectly. For example, if you wanted to copy the password for the student account on webserver1.com and you just typed in `-c cann stud`, the auto-complete feature will be able to complete the input for you and send the correct command to the vault server.
Single Command Execution With Command-Line Arguments
You can use this program with command line arguments for executing single commands. You just need to export the vault address once before using the program and run the binary with your username, password, secrets engine, and command as command line arguments:
```
$ export VAULT_ADDR=https://myserver.com
$ ./vaultplugin user password secrets_engine command
```
Example:
```
$ ./vaultplugin grant grantpassword sysadmin -c cannnoli student
```
Alternatively, you can log in to vault before using the program by executing the command:
```
$ vault login -method=userpass username=user password=pass
```
Then you can run the program with:
```
$ ./vaultplugin none none sysadmin -c cannnoli student
```
If this method is chosen, vault API calls will not work, but all CLI vault commands will still function correctly.
The program will terminate upon the completion of the command.
Copying To The Clipboard For A Set Duration
Utilizes the imported clipboard package from here.
Import this package if the binary will be recompiled.
Platforms:
- OSX
- Windows 7 or later
- Linux, Unix (requires the `xclip` or `xsel` command to be installed)
Generating Random Numbers using API
Method | Path |
---|---|
POST | /sys/tools/random(/:bytes) |
Parameters
- `bytes` `(int: 32)` - Specifies the number of bytes to return. This value can be specified either in the request body, or as a part of the URL.
- `format` `(string: "base64")` - Specifies the output encoding. Valid options are `hex` or `base64`.
Payload:
```
{
  "format": "hex"
}
```
Request:
```
$ curl \
    --header "X-Vault-Token: ..." \
    --request POST \
    --data @payload.json \
    http://127.0.0.1:8200/v1/sys/tools/random/32
```
Sample Response:
```
{
  "data": {
    "random_bytes": "dGhlIHF1aWNrIGJyb3duIGZveAo="
  }
}
```
Image source: www.hashicorp.com
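Below is an added Go example (my own code, not part of this project) of the request the `random` and `put ... random` commands need to make: it posts to `/v1/sys/tools/random/:bytes` with `{"format":"hex"}`, parses `data.random_bytes` from a response of the shape shown above, and refuses any value that does not decode to exactly the requested number of bytes. The function name `RandomHex` and the placeholder address and token in `main` are assumptions.

```go
package main

import (
	"bytes"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"net/http"
	"strings"
)

// RandomHex calls POST /v1/sys/tools/random/:bytes with {"format":"hex"} and checks the reply.
func RandomHex(c *http.Client, addr, token string, n int) (string, error) {
	body, _ := json.Marshal(map[string]string{"format": "hex"})
	endpoint := fmt.Sprintf("%s/v1/sys/tools/random/%d", strings.TrimRight(addr, "/"), n)
	req, err := http.NewRequest(http.MethodPost, endpoint, bytes.NewReader(body))
	if err != nil {
		return "", err
	}
	req.Header.Set("X-Vault-Token", token)
	resp, err := c.Do(req)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return "", fmt.Errorf("vault returned %s", resp.Status)
	}
	var out struct {
		Data struct {
			RandomBytes string `json:"random_bytes"`
		} `json:"data"`
	}
	if err := json.NewDecoder(resp.Body).Decode(&out); err != nil {
		return "", err
	}
	// Reject anything that is not exactly n bytes of hex: a truncated or
	// tampered value must never become an account password.
	if raw, err := hex.DecodeString(out.Data.RandomBytes); err != nil || len(raw) != n {
		return "", fmt.Errorf("random_bytes is not %d bytes of hex", n)
	}
	return out.Data.RandomBytes, nil
}

func main() {
	// Placeholder address and token (assumed); replace with VAULT_ADDR and a real token to run.
	fmt.Println(RandomHex(http.DefaultClient, "http://127.0.0.1:8200", "<token placeholder>", 32))
}
```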