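---
# Integration tests for the hashi_vault lookup using token authentication.
# Variables expected from the including play/role (not defined in this file):
#   conn_params     - connection terms for the lookup; presumably ends with a
#                     trailing space, since it is concatenated with 'secret='
#   vault_gen_path, vault_kv1_path, vault_kv2_path
#                   - Vault paths (generic, KV v1, KV v2) holding the fixtures
#   user_token_cmd  - registered result whose stdout is the Vault token to use
- vars:
    user_token: '{{ user_token_cmd.stdout }}'
  block:
    # The secret1 lookups pass auth_method=token explicitly; the secret2 lookups
    # omit it and rely on the lookup's default auth method, so both forms are
    # exercised. no_log is deliberately not set: the facts hold fixture values
    # ('foo1'/'foo2') checked below, and the output is wanted for debugging.
    # Verbose runs may print these facts, so this pattern is only acceptable
    # for test fixtures, not for real secrets.
    - name: 'Fetch secrets using "hashi_vault" lookup'
      set_fact:
        gen_secret1: "{{ lookup('hashi_vault', conn_params ~ 'secret=' ~ vault_gen_path ~ '/secret1 auth_method=token token=' ~ user_token) }}"
        gen_secret2: "{{ lookup('hashi_vault', conn_params ~ 'secret=' ~ vault_gen_path ~ '/secret2 token=' ~ user_token) }}"
        kv1_secret1: "{{ lookup('hashi_vault', conn_params ~ 'secret=' ~ vault_kv1_path ~ '/secret1 auth_method=token token=' ~ user_token) }}"
        kv1_secret2: "{{ lookup('hashi_vault', conn_params ~ 'secret=' ~ vault_kv1_path ~ '/secret2 token=' ~ user_token) }}"
        kv2_secret1: "{{ lookup('hashi_vault', conn_params ~ 'secret=' ~ vault_kv2_path ~ '/secret1 auth_method=token token=' ~ user_token) }}"
        kv2_secret2: "{{ lookup('hashi_vault', conn_params ~ 'secret=' ~ vault_kv2_path ~ '/secret2 token=' ~ user_token) }}"

    # Each backend's two fixtures must come back with the expected 'value' field.
    - name: 'Check secret generic values'
      fail:
        msg: 'unexpected secret values'
      when: gen_secret1['value'] != 'foo1' or gen_secret2['value'] != 'foo2'

    - name: 'Check secret kv1 values'
      fail:
        msg: 'unexpected secret values'
      when: kv1_secret1['value'] != 'foo1' or kv1_secret2['value'] != 'foo2'

    - name: 'Check secret kv2 values'
      fail:
        msg: 'unexpected secret values'
      when: kv2_secret1['value'] != 'foo1' or kv2_secret2['value'] != 'foo2'

    # Negative tests. The lookup in `vars` is evaluated lazily when `msg` is
    # templated, so a rejected lookup surfaces as a failed task; ignore_errors
    # keeps the play running and the registered result is asserted at the end.
    # A bogus token must be rejected by Vault.
    - name: 'Failure expected when erroneous credentials are used'
      vars:
        secret_wrong_cred: "{{ lookup('hashi_vault', conn_params ~ 'secret=' ~ vault_kv2_path ~ '/secret2 auth_method=token token=wrong_token') }}"
      debug:
        msg: 'Failure is expected ({{ secret_wrong_cred }})'
      register: test_wrong_cred
      ignore_errors: true

    # A valid token must still be denied a path its policy does not grant
    # (secret3 is presumably outside the test policy — defined elsewhere).
    - name: 'Failure expected when unauthorized secret is read'
      vars:
        secret_unauthorized: "{{ lookup('hashi_vault', conn_params ~ 'secret=' ~ vault_kv2_path ~ '/secret3 token=' ~ user_token) }}"
      debug:
        msg: 'Failure is expected ({{ secret_unauthorized }})'
      register: test_unauthorized
      ignore_errors: true

    # Reading a path that does not exist must also fail rather than return empty.
    - name: 'Failure expected when inexistent secret is read'
      vars:
        secret_inexistent: "{{ lookup('hashi_vault', conn_params ~ 'secret=' ~ vault_kv2_path ~ '/secret4 token=' ~ user_token) }}"
      debug:
        msg: 'Failure is expected ({{ secret_inexistent }})'
      register: test_inexistent
      ignore_errors: true

    # All three negative cases must have failed; a lookup that silently
    # succeeded here would mean credentials or policy were not enforced.
    - name: 'Check expected failures'
      assert:
        msg: "an expected failure didn't occur"
        that:
          - test_wrong_cred is failed
          - test_unauthorized is failed
          - test_inexistent is failed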