[VAULT-30189] enos: verify identity and OIDC tokens (#28274)
* [VAULT-30189] enos: verify identity and OIDC tokens

Expand our baseline API and data verification by including the identity
and identity OIDC tokens secrets engines. We now create a test entity,
entity-alias, identity group, various policies, and associate them with
the entity. For the OIDC side, we now configure the OIDC issuer, create
and rotate named keys, create and associate roles with the named key,
and issue and introspect tokens.

During a second phase we also verify that those same entities,
groups, keys, roles, config, etc. all exist with the expected values.
This is useful to test durability after upgrades, migrations, etc.

This change also includes new updates our prior `auth/userpass` and `kv`
verification. We had two modules that were loosely coupled and
interdependent. This restructures those both into a singular module with
child modules and fixes the assumed values by requiring the read module
to verify against the created state.

Going forward we can continue to extend this secrets engine verification
module with additional create and read checks for new secrets engines.

Signed-off-by: Ryan Cragun <me@ryan.ec>
ryancragun authored Sep 9, 2024
1 parent 149c78f commit 3924128
Showing 36 changed files with 1,615 additions and 351 deletions.
4 changes: 2 additions & 2 deletions enos/Makefile
Expand Up @@ -2,10 +2,10 @@
default: check-fmt shellcheck

.PHONY: check-fmt
check-fmt: check-fmt-enos check-fmt-modules
check-fmt: check-fmt-enos check-fmt-modules check-shfmt

.PHONY: fmt
fmt: fmt-enos fmt-modules
fmt: fmt-enos fmt-modules shfmt

.PHONY: check-fmt-enos
check-fmt-enos:
28 changes: 16 additions & 12 deletions enos/enos-descriptions.hcl
Expand Up @@ -126,12 +126,6 @@ globals {
'await-server-removal'.
EOF

verify_read_test_data = <<-EOF
Verify that we are able to read test data we've written in prior steps. This includes:
- Auth user policies
- Kv data
EOF

verify_replication_status = <<-EOF
Verify that the default replication status is correct depending on the edition of Vault that
been deployed. When testing a Community Edition of Vault we'll ensure that replication is not
Expand Down Expand Up @@ -163,12 +157,22 @@ globals {
Vault's reported seal type matches our configuration.
EOF

verify_write_test_data = <<-EOF
Verify that vault is capable mounting engines and writing data to them. These currently include:
- Mount the auth engine
- Mount the kv engine
- Write auth user policies
- Write kv data
verify_secrets_engines_create = <<-EOF
Verify that Vault is capable mounting, configuring, and using various secrets engines and auth
methods. These currently include:
- v1/auth/userpass/*
- v1/identity/*
- v1/kv/*
- v1/sys/policy/*
EOF

verify_secrets_engines_read = <<-EOF
Verify that data that we've created previously is still valid, consistent, and duarable.
This includes:
- v1/auth/userpass/*
- v1/identity/*
- v1/kv/*
- v1/sys/policy/*
EOF

verify_ui = <<-EOF
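Review bot: The new `verify_secrets_engines_read` description misspells "durable" as `duarable`, and both new descriptions drop a word in "Vault is capable mounting", which should read `capable of mounting`. These heredocs are the user-facing text attached to the scenario steps, so the wording is worth fixing before merge. The enclosing `globals` block starts and ends outside this hunk.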
2 changes: 1 addition & 1 deletion enos/enos-dev-scenario-pr-replication.hcl
Expand Up @@ -722,7 +722,7 @@ scenario "dev_pr_replication" {
description = <<-EOF
Enable the auth userpass method and create a new user.
EOF
module = module.vault_verify_write_data
module = module.vault_verify_secrets_engines_create
depends_on = [step.get_primary_cluster_ips]


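Review bot: The step's `description` still reads "Enable the auth userpass method and create a new user." while its `module` now points at `vault_verify_secrets_engines_create`, which per the commit message also creates identity entities, groups, OIDC keys, roles and tokens. The agent scenario in this same commit uses `description = global.description.verify_secrets_engines_create` for the equivalent step; the dev replication scenario should do the same so the two stay consistent. The enclosing `step` block starts and ends outside this hunk.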
42 changes: 21 additions & 21 deletions enos/enos-modules.hcl
Expand Up @@ -281,46 +281,39 @@ module "vault_verify_dr_replication" {
vault_install_dir = var.vault_install_dir
}

module "vault_verify_raft_auto_join_voter" {
source = "./modules/vault_verify_raft_auto_join_voter"
module "vault_verify_secrets_engines_create" {
source = "./modules/verify_secrets_engines/modules/create"

vault_install_dir = var.vault_install_dir
vault_cluster_addr_port = global.ports["vault_cluster"]["port"]
vault_install_dir = var.vault_install_dir
}

module "vault_verify_secrets_engines_read" {
source = "./modules/verify_secrets_engines/modules/read"

vault_install_dir = var.vault_install_dir
}

module "vault_verify_default_lcq" {
source = "./modules/vault_verify_default_lcq"

vault_autopilot_default_max_leases = "300000"
}

module "vault_verify_replication" {
source = "./modules/vault_verify_replication"
}

module "vault_verify_read_data" {
source = "./modules/vault_verify_read_data"

vault_install_dir = var.vault_install_dir
}

module "vault_verify_performance_replication" {
source = "./modules/vault_verify_performance_replication"

vault_install_dir = var.vault_install_dir
}

module "vault_verify_version" {
source = "./modules/vault_verify_version"
module "vault_verify_raft_auto_join_voter" {
source = "./modules/vault_verify_raft_auto_join_voter"

vault_install_dir = var.vault_install_dir
vault_install_dir = var.vault_install_dir
vault_cluster_addr_port = global.ports["vault_cluster"]["port"]
}

module "vault_verify_write_data" {
source = "./modules/vault_verify_write_data"

vault_install_dir = var.vault_install_dir
module "vault_verify_replication" {
source = "./modules/vault_verify_replication"
}

module "vault_verify_ui" {
Expand All @@ -339,6 +332,12 @@ module "vault_verify_unsealed" {
vault_install_dir = var.vault_install_dir
}

module "vault_verify_version" {
source = "./modules/vault_verify_version"

vault_install_dir = var.vault_install_dir
}

module "vault_wait_for_leader" {
source = "./modules/vault_wait_for_leader"

Expand All @@ -364,3 +363,4 @@ module "vault_verify_billing_start_date" {
vault_instance_count = var.vault_instance_count
vault_cluster_addr_port = global.ports["vault_cluster"]["port"]
}

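Review bot: The final hunk (`@@ -364,3 +363,4`) appends an empty line after the closing brace of `vault_verify_billing_start_date`, leaving a trailing blank line at end of file. HCL formatters usually strip that, so the `check-fmt-enos` target touched in this commit's Makefile may start failing on this file; worth confirming by running the formatter before merge.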
83 changes: 77 additions & 6 deletions enos/enos-qualities.hcl
Expand Up @@ -72,8 +72,79 @@ quality "vault_agent_log_template" {
description = global.description.verify_agent_output
}

quality "vault_api_auth_userpass_login_write" {
description = "The v1/auth/userpass/login/<user> Vault API creates a token for a user"
}

quality "vault_api_auth_userpass_user_write" {
description = "The v1/auth/userpass/users/<user> Vault API associates a policy with a user"
}

quality "vault_api_identity_entity_read" {
description = <<-EOF
The v1/identity/entity Vault API returns an identity entity, has the correct metadata, and is
associated with the expected entity-alias, groups, and policies
EOF
}

quality "vault_api_identity_entity_write" {
description = "The v1/identity/entity Vault API creates an identity entity"
}

quality "vault_api_identity_entity_alias_write" {
description = "The v1/identity/entity-alias Vault API creates an identity entity alias"
}

quality "vault_api_identity_group_write" {
description = "The v1/identity/group/<group> Vault API creates an identity group"
}

quality "vault_api_identity_oidc_config_read" {
description = <<-EOF
The v1/identity/oidc/config Vault API returns the built-in identity secrets engine configuration
EOF
}

quality "vault_api_identity_oidc_config_write" {
description = "The v1/identity/oidc/config Vault API configures the built-in identity secrets engine"
}

quality "vault_api_identity_oidc_introspect_write" {
description = "The v1/identity/oidc/introspect Vault API creates introspect verifies the active state of a signed OIDC token"
}

quality "vault_api_identity_oidc_key_read" {
description = <<-EOF
The v1/identity/oidc/key Vault API returns the OIDC signing key and verifies the key's algorithm,
rotation_period, and verification_ttl are correct
EOF
}

quality "vault_api_identity_oidc_key_write" {
description = "The v1/identity/oidc/key Vault API creates an OIDC signing key"
}

quality "vault_api_identity_oidc_key_rotate_write" {
description = "The v1/identity/oidc/key/<name>/rotate Vault API rotates an OIDC signing key and applies a new verification TTL"
}

quality "vault_api_identity_oidc_role_read" {
description = <<-EOF
The v1/identity/oidc/role Vault API returns the OIDC role and verifies that the roles key and
ttl are corect.
EOF
}

quality "vault_api_identity_oidc_role_write" {
description = "The v1/identity/oidc/role Vault API creates an OIDC role associated with a key and clients"
}

quality "vault_api_identity_oidc_token_read" {
description = "The v1/identity/oidc/token Vault API creates an OIDC token associated with a role"
}

quality "vault_api_sys_auth_userpass_user_write" {
description = "The v1/sys/auth/userpass/users/<user> Vault API associates a policy with a user"
description = "The v1/sys/auth/userpass/users/<user> Vault API associates a superuser policy with a user"
}

quality "vault_api_sys_config_read" {
Expand Down Expand Up @@ -110,7 +181,7 @@ quality "vault_api_sys_metrics_vault_core_replication_write_undo_logs_enabled" {
}

quality "vault_api_sys_policy_write" {
description = "The v1/sys/policy Vault API writes a superuser policy"
description = "The v1/sys/policy Vault API writes a policy"
}

quality "vault_api_sys_quotas_lease_count_read_max_leases_default" {
Expand Down Expand Up @@ -435,6 +506,10 @@ quality "vault_mount_auth" {
description = "Vault mounts the auth engine"
}

quality "vault_mount_identity" {
description = "Vault mounts the identity engine"
}

quality "vault_mount_kv" {
description = "Vault mounts the kv engine"
}
Expand Down Expand Up @@ -487,10 +562,6 @@ quality "vault_seal_pkcs11" {
description = "Vault auto-unseals with the pkcs11 seal"
}

quality "vault_secrets_auth_user_policy_write" {
description = "Vault creates auth user policies with the root token"
}

quality "vault_secrets_kv_read" {
description = "Vault kv secrets engine data is readable"
}
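Review bot: The description of `vault_api_identity_oidc_introspect_write` is garbled ("creates introspect verifies the active state"); it should read `The v1/identity/oidc/introspect Vault API verifies the active state of a signed OIDC token`. The `vault_api_identity_oidc_role_read` heredoc has two further slips, `roles key` for "role's key" and `corect` for "correct". These quality descriptions are the documented contract each step claims to verify, so they should be precise.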
45 changes: 35 additions & 10 deletions enos/enos-scenario-agent.hcl
Expand Up @@ -455,20 +455,32 @@ scenario "agent" {
}
}

step "verify_write_test_data" {
description = global.description.verify_write_test_data
module = module.vault_verify_write_data
step "verify_secrets_engines_create" {
description = global.description.verify_secrets_engines_create
module = module.vault_verify_secrets_engines_create
depends_on = [step.verify_vault_unsealed]

providers = {
enos = local.enos_provider[matrix.distro]
}

verifies = [
quality.vault_secrets_auth_user_policy_write,
quality.vault_secrets_kv_write,
quality.vault_api_auth_userpass_login_write,
quality.vault_api_auth_userpass_user_write,
quality.vault_api_identity_entity_write,
quality.vault_api_identity_entity_alias_write,
quality.vault_api_identity_group_write,
quality.vault_api_identity_oidc_config_write,
quality.vault_api_identity_oidc_introspect_write,
quality.vault_api_identity_oidc_key_write,
quality.vault_api_identity_oidc_key_rotate_write,
quality.vault_api_identity_oidc_role_write,
quality.vault_api_identity_oidc_token_read,
quality.vault_api_sys_auth_userpass_user_write,
quality.vault_api_sys_policy_write,
quality.vault_mount_auth,
quality.vault_mount_kv,
quality.vault_secrets_kv_write,
]

variables {
Expand Down Expand Up @@ -523,21 +535,29 @@ scenario "agent" {
}
}

step "verify_read_test_data" {
description = global.description.verify_read_test_data
module = module.vault_verify_read_data
step "verify_secrets_engines_read" {
description = global.description.verify_secrets_engines_read
module = module.vault_verify_secrets_engines_read
depends_on = [
step.verify_write_test_data,
step.verify_secrets_engines_create,
step.verify_replication
]

providers = {
enos = local.enos_provider[matrix.distro]
}

verifies = quality.vault_secrets_kv_read
verifies = [
quality.vault_api_auth_userpass_login_write,
quality.vault_api_identity_entity_read,
quality.vault_api_identity_oidc_config_read,
quality.vault_api_identity_oidc_key_read,
quality.vault_api_identity_oidc_role_read,
quality.vault_secrets_kv_read
]

variables {
create_state = step.verify_secrets_engines_create.state
hosts = step.get_vault_cluster_ips.follower_hosts
vault_addr = step.create_vault_cluster.api_addr_localhost
vault_install_dir = global.vault_install_dir[matrix.artifact_type]
Expand Down Expand Up @@ -606,6 +626,11 @@ scenario "agent" {
value = step.create_vault_cluster.recovery_keys_hex
}

output "secrets_engines_state" {
description = "The state of configured secrets engines"
value = step.verify_secrets_engines_create.state
}

output "seal_attributes" {
description = "The Vault cluster seal attributes"
value = step.create_seal_key.attributes
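Review bot: The new `secrets_engines_state` output exposes `step.verify_secrets_engines_create.state` at scenario level, and the commit message says this phase issues OIDC tokens and creates a userpass user, so that state presumably carries live credentials for the test cluster. Before merging it is worth confirming what the state object contains and, if it does hold tokens or passwords, documenting that in the output's `description` (for example `description = "The state of configured secrets engines; may contain test credentials"`) or dropping the output if no consumer needs it, since scenario outputs end up in logs and CI artifacts. The read step's `variables` block already receives the state via `create_state`, so the top-level output is not required for the read phase. The `scenario "agent"` block starts and ends outside these hunks.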
