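#!/usr/bin/env bash
#
# Vault demo walkthrough: policies, userpass auth, KV v1/v2 secrets,
# consul-template rendering, and a two-tier PKI (root + intermediate CA).
#
# Usage:    run against a dev-mode server started with
#             VAULT_UI=true vault server -dev -dev-root-token-id="root"
#           with VAULT_ADDR pointing at it.
# Requires: vault, jq; consul-template and openssl for the rendering steps.
#
# SECURITY: this is DEMO material only. Dev mode means in-memory storage,
# auto-unseal and a fixed root token; every credential below is hard-coded
# and visible in `ps` and shell history. Never reuse any of it outside a
# throwaway environment. The root token is only appropriate for the initial
# bootstrap of a real cluster, and should be revoked once admin auth exists.
#
# NOTE: `set -e` is deliberately NOT enabled. Several steps are expected to
# be denied by policy (marked "EXPECTED: denied" below) and the script must
# keep going so the denials can be observed. Critical steps check their own
# exit status instead.
set -u -o pipefail

# Directory for public CA material (certificates and the intermediate CSR).
# No private keys are written: the "internal" generate endpoints used below
# keep the key inside Vault and never return it, so the original attempt to
# save `.data.private_key` only produced files containing the string "null".
CERT_DIR=${CERT_DIR:-/tmp/certs}

for tool in vault jq; do
  command -v "$tool" >/dev/null 2>&1 \
    || { printf 'missing required tool: %s\n' "$tool" >&2; exit 1; }
done

#######################################
# Log in via userpass and export the token so the vault CLI and
# consul-template (which reads VAULT_TOKEN) act as the same identity.
# Whether consul-template also falls back to ~/.vault-token depends on its
# version; exporting the token makes this unambiguous.
# Arguments: $1 - username, $2 - password
# Returns:   non-zero if the login fails
#######################################
login_userpass() {
  local token
  token=$(vault login -field=token -method=userpass \
    username="$1" password="$2") || return
  export VAULT_TOKEN=$token
}

#######################################
# Switch back to the dev-mode root token (demo only, see header).
# Returns: non-zero if the login fails
#######################################
login_root() {
  vault login root || return
  export VAULT_TOKEN=root
}

login_root || exit 1

## Administrative policy 'vault-admin': everything, including sudo-protected
## system paths.
vault policy write vault-admin - <<'EOF'
path "*" {
  capabilities = ["create", "read", "update", "delete", "list", "sudo"]
}
EOF

## Normal-user policy 'user'. Vault is default-deny, so any path not listed
## (e.g. kv1-super-secret/*) is refused. KV v2 data lives under
## "<mount>/data/<key>", hence "kv2/data/secret".
vault policy write user - <<'EOF'
path "sys/mounts" {
  capabilities = ["list", "read"]
}
path "secret/*" {
  capabilities = ["list", "read"]
}
path "kv1/mysecret" {
  capabilities = ["create", "read", "update", "delete", "list"]
}
path "kv1-very-secret/*" {
  capabilities = ["list", "read"]
}
path "kv2/data/secret" {
  capabilities = ["list", "read"]
}
EOF

## Seed demo secrets (still root). Values are throwaway demo data.
vault secrets enable -version=1 -path=kv1 kv
vault kv put kv1/mysecret username=bart password=simpson

vault secrets enable -version=1 -path=kv1-very-secret kv
vault kv put kv1-very-secret/mysecret admin_user=root admin_password=P@55w3rd

vault secrets enable -version=1 -path=kv1-super-secret kv
vault kv put kv1-super-secret/sensitive key=value password=35616164316lasfdasfasdfasdfasdfasf

vault secrets enable -version=2 -path=kv2 kv
vault kv put kv2/secret username=admin password=qwertyasdf
vault kv put kv2/othersecrets username=root password=QWERTYUIOSDFGHJ

## Enable userpass and create one admin and one normal user, bound to the
## policies created above.
vault auth enable userpass
vault write auth/userpass/users/vault password=vault policies=vault-admin
vault write auth/userpass/users/test password=test policies=user

## Act as the normal user for the next steps.
login_userpass test test || exit 1

## Reads as normal user.
vault kv get kv1/mysecret
vault kv get kv1-very-secret/mysecret
vault kv get kv1-super-secret/sensitive   # EXPECTED: denied (no policy path)

## Writes to the versioned mount as normal user.
vault kv put kv2/secret username=moe password=syzslak                  # EXPECTED: denied (read/list only)
vault kv put kv2/othersecrets admin_user=root admin_password=passw3rD  # EXPECTED: denied (no policy path)

## Reads from the versioned mount as normal user.
vault kv get kv2/secret
vault kv get kv2/othersecrets             # EXPECTED: denied (no policy path)

## consul-template: render a fake config from kv1/mysecret to stdout.
## Quoted heredoc delimiter keeps `$secret` literal for the template engine.
cat <<'EOF' > file.tpl
this is my fake config file
[config]{{ with $secret := secret "kv1/mysecret" }}
username={{$secret.Data.username}}
password={{$secret.Data.password}}{{ end }}
EOF

if command -v consul-template >/dev/null 2>&1; then
  consul-template -log-level=err -template=file.tpl -once -dry
else
  printf 'consul-template not installed; skipping template render\n' >&2
fi

## PKI: root CA and intermediate CA, both with keys kept inside Vault.
login_root || exit 1
mkdir -p -- "$CERT_DIR"

## Root CA. The JSON is captured first and then queried with jq; the original
## `tee >(jq ...)` form raced, because bash does not wait for process
## substitutions and the next step reads the files immediately.
vault secrets enable -path=vault-ca-root -max-lease-ttl=87600h pki
root_json=$(vault write -format=json vault-ca-root/root/generate/internal \
  common_name="vault-ca-root" ttl=87600h) || exit 1
printf '%s\n' "$root_json"
jq -r .data.certificate <<<"$root_json" > "$CERT_DIR/ca.pem"
jq -r .data.issuing_ca  <<<"$root_json" > "$CERT_DIR/issuing_ca.pem"

## Intermediate CA: generate a CSR (key stays in Vault).
vault secrets enable -path=vault-ca-intermediate pki
vault secrets tune -max-lease-ttl=87600h vault-ca-intermediate
csr_json=$(vault write -format=json vault-ca-intermediate/intermediate/generate/internal \
  common_name="vault-ca-intermediate" ttl=43800h) || exit 1
printf '%s\n' "$csr_json"
jq -r .data.csr <<<"$csr_json" > "$CERT_DIR/vault-ca-intermediate.csr"

## Sign the CSR with the root CA and install the signed certificate.
## (The original wrote the signed cert over the file it had just used for the
## intermediate "private key"; the names here keep CSR and cert distinct.)
signed_json=$(vault write -format=json vault-ca-root/root/sign-intermediate \
  csr=@"$CERT_DIR/vault-ca-intermediate.csr" \
  common_name="vault-ca-intermediate" ttl=43800h) || exit 1
printf '%s\n' "$signed_json"
jq -r .data.certificate <<<"$signed_json" > "$CERT_DIR/vault-ca-intermediate.pem"
jq -r .data.issuing_ca  <<<"$signed_json" > "$CERT_DIR/vault-ca-intermediate_issuing_ca.pem"
vault write vault-ca-intermediate/intermediate/set-signed \
  certificate=@"$CERT_DIR/vault-ca-intermediate.pem"

## Issuing role. allow_any_name=true lets callers request ANY common name;
## acceptable for a demo, but a real role should pin allowed_domains.
## max_ttl=1m keeps the demo leaf certs short-lived.
vault write vault-ca-intermediate/roles/example-dot-com allow_any_name=true max_ttl="1m"

## Issue a leaf certificate directly.
vault write vault-ca-intermediate/issue/example-dot-com common_name=foo.example.com

## Render a certificate + private key via consul-template.
cat <<'EOF' > cert.tpl
{{ with secret "vault-ca-intermediate/issue/example-dot-com" "common_name=foo.example.com" }}
{{ .Data.certificate }}
{{ .Data.private_key }}
{{ end }}
EOF

if command -v consul-template >/dev/null 2>&1; then
  consul-template -log-level=err -template=cert.tpl -once -dry
  ## file.crt will contain the leaf PRIVATE KEY; consul-template chooses the
  ## output mode itself, so tighten permissions afterwards for anything
  ## beyond a demo (or set perms in a consul-template config file).
  consul-template -log-level=err -template=cert.tpl:file.crt -once
  if command -v openssl >/dev/null 2>&1; then
    openssl x509 -in file.crt -text -noout
  fi
else
  printf 'consul-template not installed; skipping certificate render\n' >&2
fi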