Diffstat (limited to 'test/integration/targets/incidental_lookup_hashi_vault/lookup_hashi_vault')
8 files changed, 331 insertions, 0 deletions
diff --git a/test/integration/targets/incidental_lookup_hashi_vault/lookup_hashi_vault/defaults/main.yml b/test/integration/targets/incidental_lookup_hashi_vault/lookup_hashi_vault/defaults/main.yml new file mode 100644 index 0000000000..f1f6dd981d --- /dev/null +++ b/test/integration/targets/incidental_lookup_hashi_vault/lookup_hashi_vault/defaults/main.yml @@ -0,0 +1,4 @@ +--- +vault_gen_path: 'gen/testproject' +vault_kv1_path: 'kv1/testproject' +vault_kv2_path: 'kv2/data/testproject' diff --git a/test/integration/targets/incidental_lookup_hashi_vault/lookup_hashi_vault/tasks/approle_setup.yml b/test/integration/targets/incidental_lookup_hashi_vault/lookup_hashi_vault/tasks/approle_setup.yml new file mode 100644 index 0000000000..63307728a3 --- /dev/null +++ b/test/integration/targets/incidental_lookup_hashi_vault/lookup_hashi_vault/tasks/approle_setup.yml @@ -0,0 +1,21 @@ +- name: 'Create an approle policy' + shell: "echo '{{ policy }}' | {{ vault_cmd }} policy write approle-policy -" + vars: + policy: | + path "auth/approle/login" { + capabilities = [ "create", "read" ] + } + +- name: 'Enable the AppRole auth method' + command: '{{ vault_cmd }} auth enable approle' + +- name: 'Create a named role' + command: '{{ vault_cmd }} write auth/approle/role/test-role policies="test-policy,approle-policy"' + +- name: 'Fetch the RoleID of the AppRole' + command: '{{ vault_cmd }} read -field=role_id auth/approle/role/test-role/role-id' + register: role_id_cmd + +- name: 'Get a SecretID issued against the AppRole' + command: '{{ vault_cmd }} write -field=secret_id -f auth/approle/role/test-role/secret-id' + register: secret_id_cmd diff --git a/test/integration/targets/incidental_lookup_hashi_vault/lookup_hashi_vault/tasks/approle_test.yml b/test/integration/targets/incidental_lookup_hashi_vault/lookup_hashi_vault/tasks/approle_test.yml new file mode 100644 index 0000000000..44eb5ed18d --- /dev/null 
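Review bot: The SecretID fetched by the last task ('Get a SecretID issued against the AppRole') is registered as `secret_id_cmd` with no `no_log: true`, so the credential is printed in task output and reaches every callback and log plugin at normal verbosity; the RoleID task has the same exposure. Even against a throwaway dev-mode Vault this is the pattern that gets copied into real playbooks, so add `no_log: true` to both `command` tasks. The policy write pipes `echo '{{ policy }}'` through `shell`; the policy text is static here, but a templated value containing a single quote would break out of the quoting, so `command` with `stdin: '{{ policy }}'` is the safer shape if this is ever parameterised.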
+++ b/test/integration/targets/incidental_lookup_hashi_vault/lookup_hashi_vault/tasks/approle_test.yml 
@@ -0,0 +1,45 @@ +- vars: + role_id: '{{ role_id_cmd.stdout }}' + secret_id: '{{ secret_id_cmd.stdout }}' + block: + - name: 'Fetch secrets using "hashi_vault" lookup' + set_fact: + secret1: "{{ lookup('hashi_vault', conn_params ~ 'secret=' ~ vault_kv2_path ~ '/secret1 auth_method=approle secret_id=' ~ secret_id ~ ' role_id=' ~ role_id) }}" + secret2: "{{ lookup('hashi_vault', conn_params ~ 'secret=' ~ vault_kv2_path ~ '/secret2 auth_method=approle secret_id=' ~ secret_id ~ ' role_id=' ~ role_id) }}" + + - name: 'Check secret values' + fail: + msg: 'unexpected secret values' + when: secret1['value'] != 'foo1' or secret2['value'] != 'foo2' + + - name: 'Failure expected when erroneous credentials are used' + vars: + secret_wrong_cred: "{{ lookup('hashi_vault', conn_params ~ 'secret=' ~ vault_kv2_path ~ '/secret2 auth_method=approle secret_id=toto role_id=' ~ role_id) }}" + debug: + msg: 'Failure is expected ({{ secret_wrong_cred }})' + register: test_wrong_cred + ignore_errors: true + + - name: 'Failure expected when unauthorized secret is read' + vars: + secret_unauthorized: "{{ lookup('hashi_vault', conn_params ~ 'secret=' ~ vault_kv2_path ~ '/secret3 auth_method=approle secret_id=' ~ secret_id ~ ' role_id=' ~ role_id) }}" + debug: + msg: 'Failure is expected ({{ secret_unauthorized }})' + register: test_unauthorized + ignore_errors: true + + - name: 'Failure expected when inexistent secret is read' + vars: + secret_inexistent: "{{ lookup('hashi_vault', conn_params ~ 'secret=' ~ vault_kv2_path ~ '/secret4 auth_method=approle secret_id=' ~ secret_id ~ ' role_id=' ~ role_id) }}" + debug: + msg: 'Failure is expected ({{ secret_inexistent }})' + register: test_inexistent + ignore_errors: true + + - name: 'Check expected failures' + assert: + msg: "an expected failure didn't occur" + that: + - test_wrong_cred is failed + - test_unauthorized is failed + - test_inexistent is failed 
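Review bot: The 'Failure expected when inexistent secret is read' case on `secret4` does not exercise a missing-secret path: the test-policy written in main.yml grants the role `read` only on secret1 and secret2 (with an explicit deny on secret3), so a read of `{{ vault_kv2_path }}/secret4` is refused by policy before Vault consults the KV store and is indistinguishable from the unauthorized case. `test_inexistent is failed` therefore passes for the wrong reason. To test a genuinely nonexistent secret, grant `read` on `{{ vault_kv2_path }}/secret4` in the policy and leave it unwritten, or at least assert on the error text so the two outcomes can be told apart; the exact message the lookup surfaces is not visible here and should be confirmed against the plugin.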
diff --git a/test/integration/targets/incidental_lookup_hashi_vault/lookup_hashi_vault/tasks/main.yml b/test/integration/targets/incidental_lookup_hashi_vault/lookup_hashi_vault/tasks/main.yml new file mode 100644 index 0000000000..42fd0907f3 --- /dev/null +++ b/test/integration/targets/incidental_lookup_hashi_vault/lookup_hashi_vault/tasks/main.yml 
@@ -0,0 +1,155 @@ +--- +- name: Install Hashi Vault on controlled node and test + + vars: + vault_version: '0.11.0' + vault_uri: 'https://ansible-ci-files.s3.amazonaws.com/test/integration/targets/lookup_hashi_vault/vault_{{ vault_version }}_{{ ansible_system | lower }}_{{ vault_arch }}.zip' + vault_cmd: '{{ local_temp_dir }}/vault' + + block: + - name: Create a local temporary directory + tempfile: + state: directory + register: tempfile_result + + - set_fact: + local_temp_dir: '{{ tempfile_result.path }}' + + - when: pyopenssl_version.stdout is version('0.15', '>=') + block: + - name: Generate privatekey + openssl_privatekey: + path: '{{ local_temp_dir }}/privatekey.pem' + + - name: Generate CSR + openssl_csr: + path: '{{ local_temp_dir }}/csr.csr' + privatekey_path: '{{ local_temp_dir }}/privatekey.pem' + subject: + commonName: localhost + + - name: Generate selfsigned certificate + openssl_certificate: + path: '{{ local_temp_dir }}/cert.pem' + csr_path: '{{ local_temp_dir }}/csr.csr' + privatekey_path: '{{ local_temp_dir }}/privatekey.pem' + provider: selfsigned + selfsigned_digest: sha256 + register: selfsigned_certificate + + - name: 'Install unzip' + package: + name: unzip + when: ansible_distribution != "MacOSX" # unzip already installed + + - assert: + # Linux: x86_64, FreeBSD: amd64 + that: ansible_architecture in ['i386', 'x86_64', 'amd64'] + - set_fact: + vault_arch: '386' + when: ansible_architecture == 'i386' + - set_fact: + vault_arch: amd64 + when: ansible_architecture in ['x86_64', 'amd64'] + + - name: 'Download vault binary' + unarchive: + src: '{{ vault_uri }}' + dest: '{{ local_temp_dir }}' + remote_src: true + + - environment: + # used by vault command + VAULT_DEV_ROOT_TOKEN_ID: '47542cbc-6bf8-4fba-8eda-02e0a0d29a0a' + block: + - name: 'Create configuration file' + template: + src: vault_config.hcl.j2 + dest: '{{ local_temp_dir }}/vault_config.hcl' + + - name: 'Start vault service' + environment: + VAULT_ADDR: 'http://localhost:8200' + block: + 
- name: 'Start vault server (dev mode enabled)' + shell: 'nohup {{ vault_cmd }} server -dev -config {{ local_temp_dir }}/vault_config.hcl </dev/null >/dev/null 2>&1 &' + + - name: 'Create generic secrets engine' + command: '{{ vault_cmd }} secrets enable -path=gen generic' + + - name: 'Create KV v1 secrets engine' + command: '{{ vault_cmd }} secrets enable -path=kv1 -version=1 kv' + + - name: 'Create KV v2 secrets engine' + command: '{{ vault_cmd }} secrets enable -path=kv2 -version=2 kv' + + - name: 'Create a test policy' + shell: "echo '{{ policy }}' | {{ vault_cmd }} policy write test-policy -" + vars: + policy: | + path "{{ vault_gen_path }}/secret1" { + capabilities = ["read"] + } + path "{{ vault_gen_path }}/secret2" { + capabilities = ["read", "update"] + } + path "{{ vault_gen_path }}/secret3" { + capabilities = ["deny"] + } + path "{{ vault_kv1_path }}/secret1" { + capabilities = ["read"] + } + path "{{ vault_kv1_path }}/secret2" { + capabilities = ["read", "update"] + } + path "{{ vault_kv1_path }}/secret3" { + capabilities = ["deny"] + } + path "{{ vault_kv2_path }}/secret1" { + capabilities = ["read"] + } + path "{{ vault_kv2_path }}/secret2" { + capabilities = ["read", "update"] + } + path "{{ vault_kv2_path }}/secret3" { + capabilities = ["deny"] + } + + - name: 'Create generic secrets' + command: '{{ vault_cmd }} write {{ vault_gen_path }}/secret{{ item }} value=foo{{ item }}' + loop: [1, 2, 3] + + - name: 'Create KV v1 secrets' + command: '{{ vault_cmd }} kv put {{ vault_kv1_path }}/secret{{ item }} value=foo{{ item }}' + loop: [1, 2, 3] + + - name: 'Create KV v2 secrets' + command: '{{ vault_cmd }} kv put {{ vault_kv2_path | regex_replace("/data") }}/secret{{ item }} value=foo{{ item }}' + loop: [1, 2, 3] + + - name: setup approle auth + import_tasks: approle_setup.yml + when: ansible_distribution != 'RedHat' or ansible_distribution_major_version is version('7', '>') + + - name: setup token auth + import_tasks: token_setup.yml + + - import_tasks: 
tests.yml + vars: + auth_type: approle + when: ansible_distribution != 'RedHat' or ansible_distribution_major_version is version('7', '>') + + - import_tasks: tests.yml + vars: + auth_type: token + + always: + - name: 'Kill vault process' + shell: "kill $(cat {{ local_temp_dir }}/vault.pid)" + ignore_errors: true + + always: + - name: 'Delete temp dir' + file: + path: '{{ local_temp_dir }}' + state: absent diff --git a/test/integration/targets/incidental_lookup_hashi_vault/lookup_hashi_vault/tasks/tests.yml b/test/integration/targets/incidental_lookup_hashi_vault/lookup_hashi_vault/tasks/tests.yml new file mode 100644 index 0000000000..198f587a77 --- /dev/null +++ b/test/integration/targets/incidental_lookup_hashi_vault/lookup_hashi_vault/tasks/tests.yml @@ -0,0 +1,35 @@ +- name: 'test {{ auth_type }} auth without SSL (lookup parameters)' + include_tasks: '{{ auth_type }}_test.yml' + vars: + conn_params: 'url=http://localhost:8200 ' + +- name: 'test {{ auth_type }} auth without SSL (environment variable)' + include_tasks: '{{ auth_type }}_test.yml' + args: + apply: + vars: + conn_params: '' + environment: + VAULT_ADDR: 'http://localhost:8200' + +- when: pyopenssl_version.stdout is version('0.15', '>=') + block: + - name: 'test {{ auth_type }} auth with certs (validation enabled, lookup parameters)' + include_tasks: '{{ auth_type }}_test.yml' + vars: + conn_params: 'url=https://localhost:8201 ca_cert={{ local_temp_dir }}/cert.pem validate_certs=True ' + + - name: 'test {{ auth_type }} auth with certs (validation enabled, environment variables)' + include_tasks: '{{ auth_type }}_test.yml' + args: + apply: + vars: + conn_params: '' + environment: + VAULT_ADDR: 'https://localhost:8201' + VAULT_CACERT: '{{ local_temp_dir }}/cert.pem' + + - name: 'test {{ auth_type }} auth with certs (validation disabled, lookup parameters)' + include_tasks: '{{ auth_type }}_test.yml' + vars: + conn_params: 'url=https://localhost:8201 validate_certs=False ' 
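Review bot: The vault binary is fetched and unpacked by `unarchive` with `remote_src: true` straight from the S3 URL with no integrity check, so the whole test trusts whatever that bucket serves at the moment; download it with `get_url` and a pinned `checksum:` first, then unarchive the local file. Separately, 'Start vault server' backgrounds the process with nohup and the very next task runs `secrets enable` with nothing waiting for the listener, which is an intermittent failure waiting to happen; a `wait_for` on port 8200 (and 8201 when the TLS listener is configured) closes that gap. The fixed root token in `VAULT_DEV_ROOT_TOKEN_ID` is tolerable only because the server is dev-mode, bound to localhost and killed in `always`; a comment saying so would stop it being mistaken for something reusable.

```yaml
- name: 'Download vault binary'
  get_url:
    url: '{{ vault_uri }}'
    dest: '{{ local_temp_dir }}/vault.zip'
    # Pin the artifact; take the digest from the vendor's published SHA256SUMS for this version.
    checksum: 'sha256:<expected digest of vault_{{ vault_version }} zip>'

- name: 'Unpack vault binary'
  unarchive:
    src: '{{ local_temp_dir }}/vault.zip'
    dest: '{{ local_temp_dir }}'
    remote_src: true

# … unchanged: configuration file, VAULT_DEV_ROOT_TOKEN_ID environment, server start …

- name: 'Wait for vault listener'
  wait_for:
    host: localhost
    port: 8200
    timeout: 30
```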
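Review bot: There is no negative TLS case: every HTTPS test either supplies the CA (`ca_cert=` or `VAULT_CACERT`) or sets `validate_certs=False`, so a regression that silently stops verifying the server certificate would pass this suite. Add a case inside the pyopenssl block that runs the lookup with `conn_params: 'url=https://localhost:8201 validate_certs=True '` and no CA and asserts it fails, since the listener serves a self-signed certificate that is not in the system trust store. This needs a small dedicated task with `ignore_errors: true` and an `is failed` assert rather than the `{{ auth_type }}_test.yml` include, which only covers the success path for the connection.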
diff --git a/test/integration/targets/incidental_lookup_hashi_vault/lookup_hashi_vault/tasks/token_setup.yml b/test/integration/targets/incidental_lookup_hashi_vault/lookup_hashi_vault/tasks/token_setup.yml new file mode 100644 index 0000000000..d5ce280346 --- /dev/null +++ b/test/integration/targets/incidental_lookup_hashi_vault/lookup_hashi_vault/tasks/token_setup.yml @@ -0,0 +1,3 @@ +- name: 'Create a test credentials (token)' + command: '{{ vault_cmd }} token create -policy test-policy -field token' + register: user_token_cmd diff --git a/test/integration/targets/incidental_lookup_hashi_vault/lookup_hashi_vault/tasks/token_test.yml b/test/integration/targets/incidental_lookup_hashi_vault/lookup_hashi_vault/tasks/token_test.yml new file mode 100644 index 0000000000..20c1af791e --- /dev/null +++ b/test/integration/targets/incidental_lookup_hashi_vault/lookup_hashi_vault/tasks/token_test.yml 
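Review bot: `token create ... -field token` prints the token on stdout and the task registers it into `user_token_cmd` without `no_log: true`, so the credential lands in task output and logs; add `no_log: true` to the task. The token is also minted without a `-ttl`, so it stays valid as long as the dev server runs; a short `-ttl` bounds the exposure if the `always` cleanup in main.yml does not get to kill the process.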
@@ -0,0 +1,58 @@ +- vars: + user_token: '{{ user_token_cmd.stdout }}' + block: + - name: 'Fetch secrets using "hashi_vault" lookup' + set_fact: + gen_secret1: "{{ lookup('hashi_vault', conn_params ~ 'secret=' ~ vault_gen_path ~ '/secret1 auth_method=token token=' ~ user_token) }}" + gen_secret2: "{{ lookup('hashi_vault', conn_params ~ 'secret=' ~ vault_gen_path ~ '/secret2 token=' ~ user_token) }}" + kv1_secret1: "{{ lookup('hashi_vault', conn_params ~ 'secret=' ~ vault_kv1_path ~ '/secret1 auth_method=token token=' ~ user_token) }}" + kv1_secret2: "{{ lookup('hashi_vault', conn_params ~ 'secret=' ~ vault_kv1_path ~ '/secret2 token=' ~ user_token) }}" + kv2_secret1: "{{ lookup('hashi_vault', conn_params ~ 'secret=' ~ vault_kv2_path ~ '/secret1 auth_method=token token=' ~ user_token) }}" + kv2_secret2: "{{ lookup('hashi_vault', conn_params ~ 'secret=' ~ vault_kv2_path ~ '/secret2 token=' ~ user_token) }}" + + - name: 'Check secret generic values' + fail: + msg: 'unexpected secret values' + when: gen_secret1['value'] != 'foo1' or gen_secret2['value'] != 'foo2' + + - name: 'Check secret kv1 values' + fail: + msg: 'unexpected secret values' + when: kv1_secret1['value'] != 'foo1' or kv1_secret2['value'] != 'foo2' + + - name: 'Check secret kv2 values' + fail: + msg: 'unexpected secret values' + when: kv2_secret1['value'] != 'foo1' or kv2_secret2['value'] != 'foo2' + + - name: 'Failure expected when erroneous credentials are used' + vars: + secret_wrong_cred: "{{ lookup('hashi_vault', conn_params ~ 'secret=' ~ vault_kv2_path ~ '/secret2 auth_method=token token=wrong_token') }}" + debug: + msg: 'Failure is expected ({{ secret_wrong_cred }})' + register: test_wrong_cred + ignore_errors: true + + - name: 'Failure expected when unauthorized secret is read' + vars: + secret_unauthorized: "{{ lookup('hashi_vault', conn_params ~ 'secret=' ~ vault_kv2_path ~ '/secret3 token=' ~ user_token) }}" + debug: + msg: 'Failure is expected ({{ secret_unauthorized }})' + register: 
test_unauthorized + ignore_errors: true + + - name: 'Failure expected when inexistent secret is read' + vars: + secret_inexistent: "{{ lookup('hashi_vault', conn_params ~ 'secret=' ~ vault_kv2_path ~ '/secret4 token=' ~ user_token) }}" + debug: + msg: 'Failure is expected ({{ secret_inexistent }})' + register: test_inexistent + ignore_errors: true + + - name: 'Check expected failures' + assert: + msg: "an expected failure didn't occur" + that: + - test_wrong_cred is failed + - test_unauthorized is failed + - test_inexistent is failed diff --git a/test/integration/targets/incidental_lookup_hashi_vault/lookup_hashi_vault/templates/vault_config.hcl.j2 b/test/integration/targets/incidental_lookup_hashi_vault/lookup_hashi_vault/templates/vault_config.hcl.j2 new file mode 100644 index 0000000000..effc90ba90 --- /dev/null +++ b/test/integration/targets/incidental_lookup_hashi_vault/lookup_hashi_vault/templates/vault_config.hcl.j2 @@ -0,0 +1,10 @@ +# {{ ansible_managed }} +pid_file = "{{ local_temp_dir }}/vault.pid" +{% if pyopenssl_version.stdout is version('0.15', '>=') %} +listener "tcp" { + tls_key_file = "{{ local_temp_dir }}/privatekey.pem" + tls_cert_file = "{{ local_temp_dir }}/cert.pem" + tls_disable = false + address = "localhost:8201" +} +{% endif %} |
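Review bot: The three expected-failure checks in 'Check expected failures' only assert `is failed`, so any error at all — a connection refusal, a bug in parsing `conn_params`, an expired token — satisfies them, and a lookup that failed on every call would pass all three. Keep the `is failed` checks but add the reason to each, e.g. `- "'permission denied' in test_unauthorized.msg"`; the exact text the lookup surfaces is not visible in this hunk and must be confirmed against the plugin. As a point of style, the 'Check secret ... values' tasks use `fail:` with `when:` while the final check uses `assert:`; using `assert` with a `that:` list throughout reads more consistently and reports which comparison broke.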