Use minimal Vault permissions in integration test

.github/workflows/lint-and-test.yaml

@@ -83,5 +83,6 @@ jobs:
           VALIDATE_PYTHON_ISORT: false
           VALIDATE_PYTHON_MYPY: false
           VALIDATE_PYTHON_PYLINT: false
+          VALIDATE_SHELL_SHFMT: false
           DEFAULT_BRANCH: main
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.sops.yaml

@@ -0,0 +1,4 @@
+---
+
+creation_rules:
+  - pgp: 17E608319C69AE121E3D2DA4B8D8531495B2E77C

integration/.local.sops.env

@@ -0,0 +1,11 @@
+HV4GHA_ACCOUNT=andreaso
+HV4GHA_APP_ID=368468
+HV4GHA_APP_KEY_B64=ENC[AES256_GCM,data:Zv+R5qE1gAx5bIpvAwStJCQcnPpl/RrfQKLjlo3I2EqtNrk+mMTXRIcCFKHyubzhrfpcm8TgYM/XQeom710Oy+RzyJICfrGREG3vL6WbDEbNmvai2InQAaub2XHLI/RNcUqHTKN+4YH7OlawFnjcCyB2/JsraKvKKO+DXw9GYU4Liy/gnhJQsG4FTSoX2Yp/Bn4lp/bWUYdruMTPvlwqtbPd2Vnu81MaPLcnzDcW8oj+rvUYfkZzTOMzb+Hm0yaofS3zJu3OkVMX6L5KXbG/a9vSdjZ9W1m6u69cgtZ7El8fURRnxVeKawCzNykvQhknYEcuvSJ9+fC+D40S57t3I71b8CRzlhVd/1CYqbzj6AjWIq7ME7U0CC6IudB22x2EA4l4Vz5/YVt1UvgM6BlvF5F/rjtsN02MBvJVCN3DrbKthZ9g0Oa16z58Zv73Po1tbxpcEsvhjnHds6Uu1X+ex3NlOYD2StQqEMt3QSLiAGq6Sri8g5JaiFoMFJQYqwMrmVckvL4HvZNBvFWqd/0cpi0JSJPBO8W3Jg/rOjiONpHwEPxTPf/eayAaS28xjbk0tT2ZUjSnZLhnYyH23DiP5sOrfrv/f3vfEODhGZyOklDhPV1eEExfPRa4iuuj8CnEBJUyZM90LX0FfMPsHtvA0EAKI7Km8lq8CU7a94ZeWYPbZSkNHWnOZm2OT+vFrDuKCPR2n1r414KUWLad+ohKPgGRNGILVqebPhjfQFyBA61l1+n38cVWJTW4kpEOft5RTZqmiZwTwvDPHTXLEVn8rwMzSRtvjK4uWVPqepF4WdKYyCMMfPSCcTu50hCV1R4y5HBe3Erupo9cuUQ7ziZE7INEGYhSUZggliR8cGjRZwU9aqN39te4H2Xov6+3I8ZO+GVJi9AWlvRoK6yi2LhNh2lTSdPdKagS0E4dwvTzVOCNgmGxfKhbVNwnUM7XcJalX14TD7uoBdFU8lC5cUSHo5fOiytbr0FFL8k4rYj9V/FVU+gc4nf8aOU5MO5pwf+abJTaRgSlIMFEwtzRNzuJuqIt7bcbqssn/fvqO4fyaAmFMRLuvpgZ+0iu63vCx4KyLFzQWOUGgVJSTIIRybybrBrInEsHBxfpE42H3uLC7tFEb5/o1wSJDz5r02C6BJ2kQSfjSvI5p2uuxZ+JjsPFFzrzFAz64Yh3gSAOemcKD5oKdVxnOOuJ1BZxqwM8MelWLbdyMTSI1waEcvQ5qIqzqM4R7UAHNH4JF1Yqs7Too7zIiw+6Tmh8cOTYSx0sfowJFoavSQMM555TCPwJFmYAjzcQPallcucRaVvZt7jFVlMNCUfJZrgMr3KjTWw+Tm4b3CToUIRsaOLrnuI/ICxDZcob6qe/yQWnAB4n7fnhgNg38VY/8O0DvmPVK6woPJPn0VlCfKXb/jKcmLOMyw7hvHtUoCBjcopo/BYVNINmrcPFMdHUfLbW0cT2hVX0Qyi/DqwFGPqGaKZ/85/W+aKu3hwOOYRNfqG2tlyRwOnGAbkelUTQUGpVIC3bM9wWuoOTiKjTOpEhwNc4pacRfJxnjoGti1E3FJroSuJjapjOJDjB21h+Eu/BGlRmfHhpzvP1ExwSBWlId9bDjjHhXFpa+PSvVPKGb5vcEy3psOUkKHddiMoph9QgywNH8GZsOwMUtSCoM3oEI2CHQvhbfILPEK8ttBAmJnGvbL1rTtQfJQSuSykGzLwWR9y4CJ0tG+1gwOh/Imn3OBYnpR7pA2Rkg8JPqFMeGzygcYeGEMMlF6pQBfQC1sipnoo8sKVufEVvBtzZZol7AwN6n9WBtBjCETzC0b7c3PzeprzGreII48cnEjhNweBC52bb/OvFEIm9QoKM09oWeHgq1Eaphe5motZJLkhBZ45z7F45cviWkVqsWpgSfR9CVlCTBcwdQENASTPjCxIGhD/pjhtxngUUGIAgAFdywEjCuLQ1xDiPs5uY8ttA0tuiZ0z8CL2zLVJy9nOQ2WBlU8G5eqqaT+XP76ejbujif9yUTo2AZc7wLY060aLqT2KdhfHcY2pNUL0nhTR4WBNBhJO3/BlCcb/zsB5BZhKLPC/5vu1tQzTAHg6ko2jmeO4ghZOglKbqthu4h0YYUbKg0NBGn1lxpymC7+uyjSg0onqN6znXj8UViutSRNOxJ1hc4aChRrCZr9IVsgSyr9UEIzBejOq1kglz7OMBPftlMQgZFDUQSOQQliF3iKxpjO/Gvw4cDWu4m2z0BsiMN87Xd5NWfCNHNbPv/68Cn4CmuRYB9CSkEK+ulImtHy4+dTuAcEknlvg0jveJF+vyKSGimKEEqAic8/rQpabqnT2CLvxY4BfTqU5ko+WIqq8G3WTHorffH9SZrwqRACOGUcDGQExSeJlKcPgYDlRvLjOuYG6jdaVBGu5u2Z8d0OIb+A4silJY678smWoJIUdmh8lxpR9IY1wqm1Vvv49rA3rezT9z3+LKHEfJ06ZeGEYmfTTG7biFfLyFJPotcIzui8L8R8zFT2fegh2QjY2h4Cl4sJGgqhuvxthZiYW65//zKQVsCK9hODl2BfwT8kjhdCSDlCQPIs89obNnbgtCwDx8JgWySrPonvaojoCMNzGuoRYkmXtR9JaE4D0PILT+uIpinuWqtJ4jaTLlxqRMr4Zcthmk4ChMAcJ+fUxFFKhDEOTPV0LSzIWPC0xQa9Eik3KsOfx+6TGaOM7SMU2j0aRhFgtfDA9wNf+x9NBNyFsFc3BhddvxsfPRc61LQvqqTqME/AL6O3Us64YI78U134JLONPmi5A+PejxuD5VDjKT2TTgbAZtjqFulHZDJoofyW/BSZx+FqQPGHa2Eb0owPci4rSZS5tsObcaOeX8oUjahAfx5PO+NmXVVQvNH1Un7QQtHjEL0/s/6CEcl/wQlrkeHa5nIZxXEiNL+2uVmy+NcTdJ8VsUoGDRm0n5z5gex/IPWJWHDy1SUZQvbWPV0nhelcUNpbGJ5g==,iv:0uFoJJhU04sqSdp6U8bX4Rq9+tfeA7uGpTbVsat7kos=,tag:ekXPW+tdJifc7K+3JxUYwg==,type:str]
+HV4GHA_TEST_REPO=hv4gha
+sops_encrypted_regex=^HV4GHA_APP_KEY_B64$
+sops_lastmodified=2024-05-18T10:16:42Z
+sops_mac=ENC[AES256_GCM,data:Lhoodi/FawomUOsCPWfesbAK6X3k/XNUfi05yp8oza8yNuXrRzNEGW1rHrHHj55/o/ZTNHdtDKaGpVDiCGsvJENnianGghADXvH3lRnDf7ly9YhYSwqEN2AES66ontwHxQvH+2Sbk09uRnGtXOygMiZ1BY+XRYKU/Zd2J6nWCt0=,iv:5Kow4prwKrqCgsgmhV3SI8CxR/yXh2ocEVCguydTdzQ=,tag:mhQ5xlJr8Iw04DYT+jYkFw==,type:str]
+sops_pgp__list_0__map_created_at=2024-05-18T10:05:25Z
+sops_pgp__list_0__map_enc=-----BEGIN PGP MESSAGE-----\n\nwV4D2VOvz+iLZv8SAQdARf9i6HtOiBdf+ugeHQ6YV3QKka/fQipO8ovZGY5AQQUw\nlyJ6ZB/W9EuPFTh1LwHZgqPhhC8Gy8c3A5Q5ysS1F1mNBYtRDJYGXPUa6m+f2+dE\n0lEBSlcdwsryiXgb0lrIgwDXoT1tmVf45vzUIzeLvnCleajycNZyHPprLLdkt52E\n1W2VdBFnr87wrcIErdEVyQbL25m/s3y5QvK9HASgMA/hT8k=\n=n7p3\n-----END PGP MESSAGE-----
+sops_pgp__list_0__map_fp=17E608319C69AE121E3D2DA4B8D8531495B2E77C
+sops_version=3.8.1

integration/docker-compose.yaml

@@ -1,6 +1,5 @@
 ---
 
-version: "3.8"
 services:
   testrun-py310-constrained:
     cap_drop:
@@ -18,7 +17,8 @@ services:
     environment:
       HV4GHA_KEYNAME: test-310-constrained
       HV4GHA_VAULT_ADDR: http://vault-server:8200
-      HV4GHA_VAULT_TOKEN: BatteryStaple
+      HVGHA_VAULT_IMPORT_TOKEN: CorrectHorseImportKey
+      HVGHA_VAULT_SIGN_TOKEN: CorrectHorseSignJWT
     env_file: .env
     command: [import, issue, issue-scoped]
     depends_on:
@@ -39,7 +39,8 @@ services:
     environment:
       HV4GHA_KEYNAME: test-310-unconstrained
       HV4GHA_VAULT_ADDR: http://vault-server:8200
-      HV4GHA_VAULT_TOKEN: BatteryStaple
+      HVGHA_VAULT_IMPORT_TOKEN: CorrectHorseImportKey
+      HVGHA_VAULT_SIGN_TOKEN: CorrectHorseSignJWT
     env_file: .env
     command: [import, issue, issue-scoped]
     depends_on:
@@ -61,7 +62,8 @@ services:
     environment:
       HV4GHA_KEYNAME: test-311-constrained
       HV4GHA_VAULT_ADDR: http://vault-server:8200
-      HV4GHA_VAULT_TOKEN: BatteryStaple
+      HVGHA_VAULT_IMPORT_TOKEN: CorrectHorseImportKey
+      HVGHA_VAULT_SIGN_TOKEN: CorrectHorseSignJWT
     env_file: .env
     command: [import, issue, issue-scoped]
     depends_on:
@@ -82,7 +84,8 @@ services:
     environment:
       HV4GHA_KEYNAME: test-311-unconstrained
       HV4GHA_VAULT_ADDR: http://vault-server:8200
-      HV4GHA_VAULT_TOKEN: BatteryStaple
+      HVGHA_VAULT_IMPORT_TOKEN: CorrectHorseImportKey
+      HVGHA_VAULT_SIGN_TOKEN: CorrectHorseSignJWT
     env_file: .env
     command: [import, issue, issue-scoped]
     depends_on:
@@ -104,7 +107,8 @@ services:
     environment:
       HV4GHA_KEYNAME: test-312-constrained
       HV4GHA_VAULT_ADDR: http://vault-server:8200
-      HV4GHA_VAULT_TOKEN: BatteryStaple
+      HVGHA_VAULT_IMPORT_TOKEN: CorrectHorseImportKey
+      HVGHA_VAULT_SIGN_TOKEN: CorrectHorseSignJWT
     env_file: .env
     command: [import, issue, issue-scoped]
     depends_on:
@@ -125,7 +129,8 @@ services:
     environment:
       HV4GHA_KEYNAME: test-312-unconstrained
       HV4GHA_VAULT_ADDR: http://vault-server:8200
-      HV4GHA_VAULT_TOKEN: BatteryStaple
+      HVGHA_VAULT_IMPORT_TOKEN: CorrectHorseImportKey
+      HVGHA_VAULT_SIGN_TOKEN: CorrectHorseSignJWT
     env_file: .env
     command: [import, issue, issue-scoped]
     depends_on:
@@ -134,10 +139,13 @@ services:
   vault-setup:
     image: hashicorp/vault
     environment:
+      HVGHA_VAULT_IMPORT_TOKEN: CorrectHorseImportKey
+      HVGHA_VAULT_SIGN_TOKEN: CorrectHorseSignJWT
       VAULT_TOKEN: BatteryStaple
       VAULT_ADDR: http://vault-server:8200
-    entrypoint: /bin/vault
-    command: [secrets, enable, transit]
+    volumes:
+      - ./setup:/mnt/setup
+    entrypoint: /mnt/setup
     depends_on:
       vault-server:
         condition: service_healthy

integration/setup

@@ -0,0 +1,34 @@
+#!/bin/ash
+set -o errexit
+set -o nounset
+set -o noglob
+set -o pipefail
+
+# Required env variables
+: "$VAULT_ADDR"
+: "$VAULT_TOKEN"
+: "$HVGHA_VAULT_IMPORT_TOKEN"
+: "$HVGHA_VAULT_SIGN_TOKEN"
+
+vault secrets enable transit
+
+cat <<EOF |
+path "transit/wrapping_key" {
+  capabilities = ["read"]
+}
+
+path "transit/keys/+/import" {
+  capabilities = ["update"]
+}
+EOF
+vault policy write import-key -
+
+cat <<EOF |
+path "transit/sign/+" {
+  capabilities = ["update"]
+}
+EOF
+vault policy write sign-token -
+
+vault token create -no-default-policy -policy=import-key -id="$HVGHA_VAULT_IMPORT_TOKEN" -field=token
+vault token create -no-default-policy -policy=sign-token -id="$HVGHA_VAULT_SIGN_TOKEN" -field=token

integration/testrun.py

@@ -28,7 +28,7 @@ def key_import() -> None:
         pem_key=b64decode(os.environ["HV4GHA_APP_KEY_B64"]),
         key_name=os.environ["HV4GHA_KEYNAME"],
         vault_addr=os.environ["HV4GHA_VAULT_ADDR"],
-        vault_token=os.environ["HV4GHA_VAULT_TOKEN"],
+        vault_token=os.environ["HVGHA_VAULT_IMPORT_TOKEN"],
     )
 
 
@@ -38,7 +38,7 @@ def issue() -> None:
     issue_access_token(
         key_name=os.environ["HV4GHA_KEYNAME"],
         vault_addr=os.environ["HV4GHA_VAULT_ADDR"],
-        vault_token=os.environ["HV4GHA_VAULT_TOKEN"],
+        vault_token=os.environ["HVGHA_VAULT_SIGN_TOKEN"],
         app_id=os.environ["HV4GHA_APP_ID"],
         account=os.environ["HV4GHA_ACCOUNT"],
     )
@@ -52,7 +52,7 @@ def issue_scoped() -> None:
     access_token: TokenResponse = issue_access_token(
         key_name=os.environ["HV4GHA_KEYNAME"],
         vault_addr=os.environ["HV4GHA_VAULT_ADDR"],
-        vault_token=os.environ["HV4GHA_VAULT_TOKEN"],
+        vault_token=os.environ["HVGHA_VAULT_SIGN_TOKEN"],
         app_id=os.environ["HV4GHA_APP_ID"],
         account=os.environ["HV4GHA_ACCOUNT"],
         permissions=req_perms,