Picture

Jeff Ploughman · Jeff Ploughman · commit bc1d72eed310 · 2018-06-07T11:31:23.000-04:00
diff --git a/.gitignore b/.gitignore
@@ -2,5 +2,7 @@
 **/releases
 **/*.crt
 **/*.pem
+**/test
+**/test/*
 **/config.sh
 **/build.sh
diff --git a/DELEGATED.md b/DELEGATED.md
@@ -8,6 +8,10 @@ I have built 2 Vault plugins - [the trustee plugin](https://github.com/immutabil
 
 There are a handful of ways the Trustee plugin can be used effectively in conjunction with the JWT-Auth plugin. I will start with a very simple use case: 
 
+![Delegated Authentication](./doc/delegated.png?raw=true "Delegated Authentication Flow")
+
+It must be pointed out: **the Web Service above can use a completely separate Vault for the Trustee plugin than it uses for authentication (JWT-Auth plugin).** This is because the Trustee's address is all the JWT-Auth plugin needs to **trust** to validate the JWT.
+
 ## Governance by Proxy
 
 Imagine that you have an identity in Active Directory: You have a user ID and you are the member of a handful of Active Directory groups. One of these groups is `pay-master-group`. Your membership in this group means that you are allowed to cut checks from a bank account (`123412341234`) that holds millions of dollars.
diff --git a/doc/delegated.png b/doc/delegated.png
diff --git a/test/jwt-auth.bats b/test/jwt-auth.bats
@@ -4,27 +4,27 @@ setup() {
   if [ ! -f jwtRS256.key ]; then
     ssh-keygen -t rsa -b 4096 -P "" -f jwtRS256.key
     openssl rsa -in jwtRS256.key -pubout -outform PEM -out jwtRS256.key.pub
-    echo {\"sub\":\"goober\",\"groups\": [\"test\"]} | jwt -key jwtRS256.key -alg RS256 -sign - > jwt.json
+    echo {\"sub\":\"goober\",\"group\": [\"test\"]} | jwt -key jwtRS256.key -alg RS256 -sign - > jwt.json
   fi
 }
 
 @test "test configure jwt-auth" {
-  run vault write auth/jwt-auth/config jwt_signer=@jwtRS256.key.pub ttl=60m max_ttl=300m
+  run vault write auth/test/jwt/config jwt_signer=@jwtRS256.key.pub trustee_list="0xF7353BEd87798F6fB95493D2b5D6025761a66f51" ttl=60m max_ttl=300m
     [ "$status" -eq 0 ]
 }
 
 @test "test map policies to role" {
   run vault policy write test test.hcl
     [ "$status" -eq 0 ]
-  run vault write auth/jwt-auth/map/claims/test value=test
+  run vault write auth/test/jwt/map/claims/test value=test
     [ "$status" -eq 0 ]
-  run vault write auth/jwt-auth/map/users/goober value=goober
+  run vault write auth/test/jwt/map/users/goober value=goober
     [ "$status" -eq 0 ]
 }
 
 
 @test "test auth as goober" {
-  results=$(vault write -format=json auth/jwt-auth/login token=@jwt.json | jq .auth)
+  results=$(vault write -format=json auth/test/jwt/login token=@jwt.json | jq .auth)
   username=$(echo $results | jq .metadata.username | tr -d '"')
     [ "$username" == "goober" ]
 }
