Given a path in Vault how do I find who can access it? - hashicorp-vault

Given a policy, I can see what paths it provides access to.
However, I would like to know the opposite: given, a path I want to known which policies define access to it and which users/identities/group have these policies assigned to them?
In short, given a path who can do what with that.
How can I find that with vault command-line client or UI?


The better way is to use the HTTP API like in the following example:
REST_URL="https://VAULT-SERVER/v1"
VAULT_TOKEN="VAULT_TOKEN"
VAULT_PATH="identity"
for p in $(curl --silent --header "X-Vault-Token: $VAULT_TOKEN" --request LIST $REST_URL/sys/policies/acl | jq --raw-output .data.keys[])
do
echo ""
echo "$p"
echo ""
curl --silent --header "X-Vault-Token: $VAULT_TOKEN" --request GET $REST_URL/sys/policies/acl/$p | jq .data.policy | grep --color $VAULT_PATH
done
Result:
admin
"... # Manage identities\npath "identity/*" {\n
capabilities = ["create", "read", "update", "delete",
"list", "sudo"]\n}\n\n ..."
default
"... # Allow a token to look up its own entity by id or
name\npath "identity/entity/id/{{identity.entity.id}}" {\n
capabilities = ["read"]\n}\npath
"identity/entity/name/{{identity.entity.name}}" {\n capabilities =
["read"]\n}\n\n\n ..."
root

Related

Unable to grant secure file permissions to a pipeline via REST API

I have an Azure DevOps pipeline that publishes a secure file to the pipeline library. What I would like to do is immediately grant that file permissions to a pipeline (so that I don't have to go in and manually do so). I have been following this documentation:
https://learn.microsoft.com/en-us/rest/api/azure/devops/approvalsandchecks/pipeline-permissions/update-pipeline-permisions-for-resources
My PATCH method is as follows:
curl --location --request PATCH 'https://dev.azure.com/{myOrganization}/{myProject}/_apis/pipelines/pipelinepermissions?api-version=7.0-preview.1' \
--header 'Authorization: Basic {myAuth} ' \
--header 'Content-Type: application/json' \
--data-raw '[
{
"resource": {
"type": "secureFile",
"id": "{mySecureFileId}"
},
"pipelines": [
{
"id": {myPipelineId},
"authorized": true
}
]
}
]'
For reference, the URL to the secure file is:
https://dev.azure.com/{myOrganization}/{myProject}/_library?itemType=SecureFiles&view=SecureFileView&secureFileId={mySecureFileId}&path={secureFileName}
and the URL to my pipeline is:
https://dev.azure.com/{myOrganization}/{myProject}/_build?definitionId={myPipelineId}&_a=summary
But my response is always:
Status: 200 OK
{
"count": 0,
"value": []
}
No permissions get set. The documentation does say that a 200 response is correct, but the count being 0 means that nothing was patched. I confirmed that the resource type of secureFile is correct when I change the secureFileId or pipelineId to ones that do not exist, I get an expected 404 response.
So as far as I can tell, my syntax and IDs are all correct, but I still have not been able to successfully grant the permissions.
Any ideas?

Instead of using: Pipeline Permissions - Update Pipeline Permisions For Resources, in your scenario, you should use: Pipeline Permissions - Update Pipeline Permisions For Resource
Pipeline Permissions - Update Pipeline Permisions For Resource is used to Authorizes/Unauthorizes a list of definitions for a given resource.
So modify your API as below, it should work:
PATCH https://dev.azure.com/{organization}/{project}/_apis/pipelines/pipelinepermissions/{resourceType}/{resourceId}?api-version=7.0-preview.1
Modify your script as below:
curl --location --request PATCH 'https://dev.azure.com/{organization}/{project}/_apis/pipelines/pipelinepermissions/{resourceType}/{resourceId}?api-version=7.0-preview.1' \
--header 'Authorization: Basic {myAuth} ' \
--header 'Content-Type: application/json' \
--data-raw '[
{
"pipelines": [
{
"id": {myPipelineId},
"authorized": true
}
]
}
]'

Using new github tokens to list and create comments on pull requests

After I switched to the new Github Token format, I am not able anymore to perform a call for this github API:
https://docs.github.com/en/rest/issues/comments#list-issue-comments
My script does the following:
[[ -z "$GITHUB_REPO_SLUG" ]] && export GITHUB_REPO_SLUG="$TRAVIS_REPO_SLUG"
GITHUB_API_BASE_URL="https://api.github.com/repos/${GITHUB_REPO_SLUG}"
GITHUB_AUTH_HEADER="Authorization: token $GITHUB_TOKEN"
comment_ids=$(curl -s -H "$GITHUB_AUTH_HEADER" "$GITHUB_API_BASE_URL/issues/$pull_request_id/comments" \
| jq --arg USER "$GITHUB_USER" -r '. | map(select(.user.login==$USER)) | map(.id) | .[]')
for comment_id in $(echo $comment_ids); do
jq -n -r --arg message "$message" '{ body: $message }' \
| curl -s -H "$GITHUB_AUTH_HEADER" "$GITHUB_API_BASE_URL/issues/comments/$comment_id" -X PATCH --data #- > /dev/null
echo "Edited comment with id $comment_id of PR $pull_request_id"
done
The api call that list comments ids responds:
{
"message": "Not Found",
"documentation_url": "https://docs.github.com/rest/reference/issues#list-issue-comments"
}
This still works using tokens in the old format, but doesn't with tokens in the new format.
Is there any way to use the GHP to call that api?

The github user associated with the github token must be provided writing access to the repository.
Since this was missing API responded 404 (default behaviour set for Github APIs).

How can create a user in ArgoCD with apiKey access only?

I have a shell script in a container, that needs to access the ArgoCD API.
The script asks the API for a token, and then uses this token to restart a deployment.
JSON=$(jq -c -n --arg username "$USER_NAME" --arg password "$PASSWORD" '$ARGS.named')
TOKEN=$(curl -k $ARGOCD_SERVER/api/v1/session -d "$JSON" | jq -r ".token")
PARAMETERS="namespace=$NAMESPACE&resourceName=$RESOURCE_NAME&kind=Deployment&group=apps&version=v1"
curl -k -H "Authorization: Bearer $TOKEN" \
-d "\"restart\"" \
"$ARGOCD_SERVER/api/v1/applications/argocd/resource/actions?$PARAMETERS"
This only seems to work when I have the login option enabled in my argo-cd-cm.yaml enabled.
...
data:
admin.enabled: "false"
accounts.<service-user>: apiKey, login
accounts.<service-user>.enabled: "true"
...
As I am using OIDC for regular users, I would not like this login option to be disabled.
Is there a way to specify an apiKey for a given user in the one of the configmaps?

Yep! This was our configuration (helm values) since 2 years.. Just to confirm
However, make sure to authorize him as well using rbacConfig as below:
server:
config:
accounts.cibotuser: apiKey, login
accounts.cibotuser.enabled: "true"
rbacConfig:
policy.csv: |
p, cibotuser, applications, get, */*,allow
p, cibotuser, applications, sync, */*,allow

How do you create a project in a specific group via GitLab API?

I tried to use GitLab API to create a new project. This worked, but this is in my user space:
curl \
--header "Authorization: Bearer ${GITLAB_API_TOKEN}" \
--request POST \
"https://gitlab.com/api/v4/projects/?name=$test-proj"
But I wanted to do it under a specific group with group_id <group_id> (I blanked it here). The most sensible approach that occured to me was:
curl \
--header "Authorization: Bearer ${GITLAB_API_TOKEN}" \
--request POST \
"https://gitlab.com/api/v4/groups/<group_id>/projects/?name=test-proj
But this did not work. Are there any suggestions on how I could achieve this?
I consulted the following references
https://forum.gitlab.com/t/create-a-new-project-in-a-group-using-api/1552
https://docs.gitlab.com/ee/api/projects.html#create-project
The GitLab documentation mentions the path or namespace_id attribute (although I would actually be in search of a group_id attribute). I am not sure about path and how to specify that. I tried - without success - to retrieve the namespace_id via
curl --header "PRIVATE-TOKEN: ${GITLAB_API_TOKEN}" "https://gitlab.example.com/api/v4/namespaces"
It is well possible that I might not have the rights to do the required operation. Therefore a reference to an official (GitLab) documentation together with a test curl command that works would be very helpful to me - thank you!

For anyone looking for the direct command:
STEP 1:
Navigate as below and identify the group ID from GUI:
Admin Area -> Groups -> GroupName
STEP 2:
Construct the command with two parameters viz., name, namespace_id
curl --header "PRIVATE-TOKEN: <myprivatetoken>" -X POST "https://gitlab.com/api/v4/projects?name=myexpectedrepo&namespace_id=38"

Both users and groups are considered "namespaces" as far as the Gitlab API is concerned, so you can use either a group ID or a username in the namespace_id field. You can see this in use by getting a single namespace with either a Group ID (that you can see in the /groups API call, or from a Group's "profile" page) or a username:
# this will show the namespace details of the Group with ID 54
curl --header "PRIVATE-TOKEN: ${TOKEN}" "https://gitlab.com/api/v4/namespaces/54
# this will show the namespace details of the User with username my-username
curl --header "PRIVATE-TOKEN: ${TOKEN}" "https://gitlab.com/api/v4/namespace/my-username

If you have the appropriate access level, you can assign a git remote to your local repository that includes your group name. Then, the push event will trigger GitLab to create the remote repository.
$ mkdir project_name && cd $_
$ echo "# project_name" > README.md
$ git init; git add .; git commit -m initial
$ GITLAB_HOST="gitlab.com"
$ git remote add origin git#${GITLAB_HOST}:group_name/project_name.git
$ git push origin HEAD
Then, point your browser to ${GITLAB_HOST}/group_name/project_name
https://docs.gitlab.com/ee/user/group/#specify-who-can-add-projects-to-a-group

How can I create a field in Firestore via REST calls

Suppose the ID of my project is test-abcd and the web key is xyz. The database is in test mode.
I have a simple database structure:
users | Paris | admin : "123456"
I would like to add a field robin : "abc123" inside Paris, so the result would be
users | Paris | admin : "123456"
| | robin : "abc123"
I'm trying to do a PATCH in the link
https://firestore.googleapis.com/v1/document.name=projects/test-abcd/databases/(default)/documents/users/Paris/robin/abc123?key=xyz
but it creates a collection and a document instead of a field:
users | Paris | admin : "123456"
| |
| | robin | abc123 |
What am I doing wrong?

According to already mentioned documentation in HTTP request patch you have to add path to document in the Firestore, update mask and the key.
The field you want to add should be in request body. For example when you are using curl for the request, you have to add option --data with parameter:
--data '{"name":"","fields":{"robin":{"stringValue":"abc12345"}}}'
Funny thing is that, according to my tests, name in body, has to be included, however it does not matter what value it is :), so I left it as empty.
I suggest to use nice tool available on mentioned documentation. On the right side of the page there is "Try this API" feature that you can maximize clicking on the square icon (direct link), that is helping to create the request in 3 formats (curl, HTTP and JS). You just need to provide details and the request command will be created. You can easily test created commands there.
I have used it and curl command working on my side is:
curl --request PATCH \
'https://firestore.googleapis.com/v1/projects/my-test-project/databases/(default)/documents/users/Paris?updateMask.fieldPaths=robin&key=[YOUR_API_KEY]' \
--header 'Authorization: Bearer [YOUR_ACCESS_TOKEN]' \
--header 'Accept: application/json' \
--header 'Content-Type: application/json' \
--data '{"name":"","fields":{"robin":{"stringValue":"abc12345"}}}' \
--compressed