This is a standalone backend plugin for use with Hashicorp Vault.
This plugin gives a toolbox to exercise various scenarios where malicious a Vault plugin can be used against the Vault server. The plugin is used to validate fixes and mitigations meant to prevent such attacks.
Please note: We take Vault's security and our users' trust very seriously. If you believe you have found a security issue in Vault, please responsibly disclose by contacting us at [email protected].
This is a Vault plugin and is meant to work with Vault. This guide assumes you have already installed Vault and have a basic understanding of how Vault works.
Otherwise, first read this guide on how to get started with Vault.
If you wish to work on this plugin, you'll first need Go installed on your machine.
If you're developing for the first time, run make bootstrap to install the
necessary tools. Bootstrap will also update repository name references if that
has not been performed ever before.
$ make bootstrapTo compile a development version of this plugin, run make or make dev.
This will put the plugin binary in the bin and $GOPATH/bin folders. dev
mode will only generate the binary for your platform and is faster:
$ make devPut the plugin binary into a location of your choice. This directory
will be specified as the plugin_directory
in the Vault config used to start the server.
# config.hcl
plugin_directory = "path/to/plugin/directory"
...Start a Vault server with this config file:
$ vault server -dev -config=path/to/config.hcl ...
...Once the server is started, register the plugin in the Vault server's plugin catalog:
$ SHA256=$(openssl dgst -sha256 $GOPATH/vault-plugin-secrets-myplugin | cut -d ' ' -f2)
$ vault plugin register \
-sha256=$SHA256 \
-command="vault-plugin-secrets-myplugin" \
secrets myplugin
...
Success! Data written to: sys/plugins/catalog/mypluginEnable the secrets engine to use this plugin:
$ vault secrets enable myplugin
...
Successfully enabled 'plugin' at 'myplugin'!To run the tests, invoke make test:
$ make testYou can also specify a TESTARGS variable to filter tests like so:
$ make test TESTARGS='-run=TestConfig'