Merge 3924128 into backport/vault-30189/briefly-neutral-joey

hashicorp · Sep 9, 2024 · 258d0bf · 258d0bf
2 parents e0d368c + 3924128
commit 258d0bf
Show file tree

Hide file tree

Showing 36 changed files with 1,615 additions and 351 deletions.
diff --git a/enos/Makefile b/enos/Makefile
@@ -2,10 +2,10 @@
 default: check-fmt shellcheck
 
 .PHONY: check-fmt
-check-fmt: check-fmt-enos check-fmt-modules
+check-fmt: check-fmt-enos check-fmt-modules check-shfmt
 
 .PHONY: fmt
-fmt: fmt-enos fmt-modules
+fmt: fmt-enos fmt-modules shfmt
 
 .PHONY: check-fmt-enos
 check-fmt-enos:

diff --git a/enos/enos-descriptions.hcl b/enos/enos-descriptions.hcl
@@ -126,12 +126,6 @@ globals {
       'await-server-removal'.
     EOF
 
-    verify_read_test_data = <<-EOF
-      Verify that we are able to read test data we've written in prior steps. This includes:
-        - Auth user policies
-        - Kv data
-    EOF
-
     verify_replication_status = <<-EOF
       Verify that the default replication status is correct depending on the edition of Vault that
       been deployed. When testing a Community Edition of Vault we'll ensure that replication is not
@@ -163,12 +157,22 @@ globals {
       Vault's reported seal type matches our configuration.
     EOF
 
-    verify_write_test_data = <<-EOF
-      Verify that vault is capable mounting engines and writing data to them. These currently include:
-        - Mount the auth engine
-        - Mount the kv engine
-        - Write auth user policies
-        - Write kv data
+    verify_secrets_engines_create = <<-EOF
+      Verify that Vault is capable mounting, configuring, and using various secrets engines and auth
+      methods. These currently include:
+        - v1/auth/userpass/*
+        - v1/identity/*
+        - v1/kv/*
+        - v1/sys/policy/*
+    EOF
+
+    verify_secrets_engines_read = <<-EOF
+      Verify that data that we've created previously is still valid, consistent, and duarable.
+      This includes:
+        - v1/auth/userpass/*
+        - v1/identity/*
+        - v1/kv/*
+        - v1/sys/policy/*
     EOF
 
     verify_ui = <<-EOF

diff --git a/enos/enos-dev-scenario-pr-replication.hcl b/enos/enos-dev-scenario-pr-replication.hcl
@@ -722,7 +722,7 @@ scenario "dev_pr_replication" {
     description = <<-EOF
       Enable the auth userpass method and create a new user.
     EOF
-    module      = module.vault_verify_write_data
+    module      = module.vault_verify_secrets_engines_create
     depends_on  = [step.get_primary_cluster_ips]
 
 

diff --git a/enos/enos-modules.hcl b/enos/enos-modules.hcl
@@ -281,46 +281,39 @@ module "vault_verify_dr_replication" {
   vault_install_dir = var.vault_install_dir
 }
 
-module "vault_verify_raft_auto_join_voter" {
-  source = "./modules/vault_verify_raft_auto_join_voter"
+module "vault_verify_secrets_engines_create" {
+  source = "./modules/verify_secrets_engines/modules/create"
 
-  vault_install_dir       = var.vault_install_dir
-  vault_cluster_addr_port = global.ports["vault_cluster"]["port"]
+  vault_install_dir = var.vault_install_dir
 }
 
+module "vault_verify_secrets_engines_read" {
+  source = "./modules/verify_secrets_engines/modules/read"
+
+  vault_install_dir = var.vault_install_dir
+}
 
 module "vault_verify_default_lcq" {
   source = "./modules/vault_verify_default_lcq"
 
   vault_autopilot_default_max_leases = "300000"
 }
 
-module "vault_verify_replication" {
-  source = "./modules/vault_verify_replication"
-}
-
-module "vault_verify_read_data" {
-  source = "./modules/vault_verify_read_data"
-
-  vault_install_dir = var.vault_install_dir
-}
-
 module "vault_verify_performance_replication" {
   source = "./modules/vault_verify_performance_replication"
 
   vault_install_dir = var.vault_install_dir
 }
 
-module "vault_verify_version" {
-  source = "./modules/vault_verify_version"
+module "vault_verify_raft_auto_join_voter" {
+  source = "./modules/vault_verify_raft_auto_join_voter"
 
-  vault_install_dir = var.vault_install_dir
+  vault_install_dir       = var.vault_install_dir
+  vault_cluster_addr_port = global.ports["vault_cluster"]["port"]
 }
 
-module "vault_verify_write_data" {
-  source = "./modules/vault_verify_write_data"
-
-  vault_install_dir = var.vault_install_dir
+module "vault_verify_replication" {
+  source = "./modules/vault_verify_replication"
 }
 
 module "vault_verify_ui" {
@@ -339,6 +332,12 @@ module "vault_verify_unsealed" {
   vault_install_dir = var.vault_install_dir
 }
 
+module "vault_verify_version" {
+  source = "./modules/vault_verify_version"
+
+  vault_install_dir = var.vault_install_dir
+}
+
 module "vault_wait_for_leader" {
   source = "./modules/vault_wait_for_leader"
 
@@ -364,3 +363,4 @@ module "vault_verify_billing_start_date" {
   vault_instance_count    = var.vault_instance_count
   vault_cluster_addr_port = global.ports["vault_cluster"]["port"]
 }
+
diff --git a/enos/enos-qualities.hcl b/enos/enos-qualities.hcl
@@ -72,8 +72,79 @@ quality "vault_agent_log_template" {
   description = global.description.verify_agent_output
 }
 
+quality "vault_api_auth_userpass_login_write" {
+  description = "The v1/auth/userpass/login/<user> Vault API creates a token for a user"
+}
+
+quality "vault_api_auth_userpass_user_write" {
+  description = "The v1/auth/userpass/users/<user> Vault API associates a policy with a user"
+}
+
+quality "vault_api_identity_entity_read" {
+  description = <<-EOF
+    The v1/identity/entity Vault API returns an identity entity, has the correct metadata, and is
+    associated with the expected entity-alias, groups, and policies
+  EOF
+}
+
+quality "vault_api_identity_entity_write" {
+  description = "The v1/identity/entity Vault API creates an identity entity"
+}
+
+quality "vault_api_identity_entity_alias_write" {
+  description = "The v1/identity/entity-alias Vault API creates an identity entity alias"
+}
+
+quality "vault_api_identity_group_write" {
+  description = "The v1/identity/group/<group> Vault API creates an identity group"
+}
+
+quality "vault_api_identity_oidc_config_read" {
+  description = <<-EOF
+    The v1/identity/oidc/config Vault API returns the built-in identity secrets engine configuration
+  EOF
+}
+
+quality "vault_api_identity_oidc_config_write" {
+  description = "The v1/identity/oidc/config Vault API configures the built-in identity secrets engine"
+}
+
+quality "vault_api_identity_oidc_introspect_write" {
+  description = "The v1/identity/oidc/introspect Vault API creates introspect verifies the active state of a signed OIDC token"
+}
+
+quality "vault_api_identity_oidc_key_read" {
+  description = <<-EOF
+    The v1/identity/oidc/key Vault API returns the OIDC signing key and verifies the key's algorithm,
+    rotation_period, and verification_ttl are correct
+  EOF
+}
+
+quality "vault_api_identity_oidc_key_write" {
+  description = "The v1/identity/oidc/key Vault API creates an OIDC signing key"
+}
+
+quality "vault_api_identity_oidc_key_rotate_write" {
+  description = "The v1/identity/oidc/key/<name>/rotate Vault API rotates an OIDC signing key and applies a new verification TTL"
+}
+
+quality "vault_api_identity_oidc_role_read" {
+  description = <<-EOF
+    The v1/identity/oidc/role Vault API returns the OIDC role and verifies that the roles key and
+    ttl are corect.
+  EOF
+}
+
+quality "vault_api_identity_oidc_role_write" {
+  description = "The v1/identity/oidc/role Vault API creates an OIDC role associated with a key and clients"
+}
+
+quality "vault_api_identity_oidc_token_read" {
+  description = "The v1/identity/oidc/token Vault API creates an OIDC token associated with a role"
+}
+
 quality "vault_api_sys_auth_userpass_user_write" {
-  description = "The v1/sys/auth/userpass/users/<user> Vault API associates a policy with a user"
+  description = "The v1/sys/auth/userpass/users/<user> Vault API associates a superuser policy with a user"
 }
 
 quality "vault_api_sys_config_read" {
@@ -110,7 +181,7 @@ quality "vault_api_sys_metrics_vault_core_replication_write_undo_logs_enabled" {
 }
 
 quality "vault_api_sys_policy_write" {
-  description = "The v1/sys/policy Vault API writes a superuser policy"
+  description = "The v1/sys/policy Vault API writes a policy"
 }
 
 quality "vault_api_sys_quotas_lease_count_read_max_leases_default" {
@@ -435,6 +506,10 @@ quality "vault_mount_auth" {
   description = "Vault mounts the auth engine"
 }
 
+quality "vault_mount_identity" {
+  description = "Vault mounts the identity engine"
+}
+
 quality "vault_mount_kv" {
   description = "Vault mounts the kv engine"
 }
@@ -487,10 +562,6 @@ quality "vault_seal_pkcs11" {
   description = "Vault auto-unseals with the pkcs11 seal"
 }
 
-quality "vault_secrets_auth_user_policy_write" {
-  description = "Vault creates auth user policies with the root token"
-}
-
 quality "vault_secrets_kv_read" {
   description = "Vault kv secrets engine data is readable"
 }

diff --git a/enos/enos-scenario-agent.hcl b/enos/enos-scenario-agent.hcl
@@ -455,20 +455,32 @@ scenario "agent" {
     }
   }
 
-  step "verify_write_test_data" {
-    description = global.description.verify_write_test_data
-    module      = module.vault_verify_write_data
+  step "verify_secrets_engines_create" {
+    description = global.description.verify_secrets_engines_create
+    module      = module.vault_verify_secrets_engines_create
     depends_on  = [step.verify_vault_unsealed]
 
     providers = {
       enos = local.enos_provider[matrix.distro]
     }
 
     verifies = [
-      quality.vault_secrets_auth_user_policy_write,
-      quality.vault_secrets_kv_write,
+      quality.vault_api_auth_userpass_login_write,
+      quality.vault_api_auth_userpass_user_write,
+      quality.vault_api_identity_entity_write,
+      quality.vault_api_identity_entity_alias_write,
+      quality.vault_api_identity_group_write,
+      quality.vault_api_identity_oidc_config_write,
+      quality.vault_api_identity_oidc_introspect_write,
+      quality.vault_api_identity_oidc_key_write,
+      quality.vault_api_identity_oidc_key_rotate_write,
+      quality.vault_api_identity_oidc_role_write,
+      quality.vault_api_identity_oidc_token_read,
+      quality.vault_api_sys_auth_userpass_user_write,
+      quality.vault_api_sys_policy_write,
       quality.vault_mount_auth,
       quality.vault_mount_kv,
+      quality.vault_secrets_kv_write,
     ]
 
     variables {
@@ -523,21 +535,29 @@ scenario "agent" {
     }
   }
 
-  step "verify_read_test_data" {
-    description = global.description.verify_read_test_data
-    module      = module.vault_verify_read_data
+  step "verify_secrets_engines_read" {
+    description = global.description.verify_secrets_engines_read
+    module      = module.vault_verify_secrets_engines_read
     depends_on = [
-      step.verify_write_test_data,
+      step.verify_secrets_engines_create,
       step.verify_replication
     ]
 
     providers = {
       enos = local.enos_provider[matrix.distro]
     }
 
-    verifies = quality.vault_secrets_kv_read
+    verifies = [
+      quality.vault_api_auth_userpass_login_write,
+      quality.vault_api_identity_entity_read,
+      quality.vault_api_identity_oidc_config_read,
+      quality.vault_api_identity_oidc_key_read,
+      quality.vault_api_identity_oidc_role_read,
+      quality.vault_secrets_kv_read
+    ]
 
     variables {
+      create_state      = step.verify_secrets_engines_create.state
       hosts             = step.get_vault_cluster_ips.follower_hosts
       vault_addr        = step.create_vault_cluster.api_addr_localhost
       vault_install_dir = global.vault_install_dir[matrix.artifact_type]
@@ -606,6 +626,11 @@ scenario "agent" {
     value       = step.create_vault_cluster.recovery_keys_hex
   }
 
+  output "secrets_engines_state" {
+    description = "The state of configured secrets engines"
+    value       = step.verify_secrets_engines_create.state
+  }
+
   output "seal_attributes" {
     description = "The Vault cluster seal attributes"
     value       = step.create_seal_key.attributes