vault/enos/modules/vault_verify_version/scripts/verify-cli-version.sh

#!/usr/bin/env bash
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: BUSL-1.1

# Verify the Vault "version" includes the correct base version, build date,
# revision SHA, and edition metadata.
set -e

fail() {
  echo "$1" 1>&2
  exit 1
}

[[ -z "$VAULT_ADDR" ]] && fail "VAULT_ADDR env variable has not been set"
[[ -z "$VAULT_BUILD_DATE" ]] && fail "VAULT_BUILD_DATE env variable has not been set"
[[ -z "$VAULT_EDITION" ]] && fail "VAULT_EDITION env variable has not been set"
[[ -z "$VAULT_INSTALL_DIR" ]] && fail "VAULT_INSTALL_DIR env variable has not been set"
[[ -z "$VAULT_REVISION" ]] && fail "VAULT_REVISION env variable has not been set"
[[ -z "$VAULT_TOKEN" ]] && fail "VAULT_TOKEN env variable has not been set"
[[ -z "$VAULT_VERSION" ]] && fail "VAULT_VERSION env variable has not been set"

binpath=${VAULT_INSTALL_DIR}/vault
edition=${VAULT_EDITION}
version=${VAULT_VERSION}
sha=${VAULT_REVISION}
build_date=${VAULT_BUILD_DATE}

test -x "$binpath" || fail "unable to locate vault binary at $binpath"
version_expected="Vault v$version ($sha), built $build_date"

case "$edition" in
  *ce) ;;
  *ent) ;;
  *ent.hsm) version_expected="$version_expected (cgo)" ;;
  *ent.fips1402) version_expected="$version_expected (cgo)" ;;
  *ent.hsm.fips1402) version_expected="$version_expected (cgo)" ;;
  *) fail "Unknown Vault edition: ($edition)" ;;
esac

version_expected_nosha=$(echo "$version_expected" | awk '!($3="")' | sed 's/  / /' | sed -e 's/[[:space:]]*$//')
version_output=$("$binpath" version)

if [[ "$version_output" == "$version_expected_nosha" ]] || [[ "$version_output" == "$version_expected" ]]; then
  echo "Version verification succeeded!"
else
  msg="$(printf "\nThe Vault cluster did not match the expected version, expected:\n%s\nor\n%s\ngot:\n%s" "$version_expected" "$version_expected_nosha" "$version_output")"
  if type diff &> /dev/null; then
    # Diff exits non-zero if we have a diff, which we want, so we'll guard against failing early.
    if ! version_diff=$(diff  <(echo "$version_expected")  <(echo "$version_output") -u -L expected -L got); then
      msg="$(printf "\nThe Vault cluster did not match the expected version:\n%s" "$version_diff")"
    fi
  fi

  fail "$msg"
fi
[VAULT-2937] Verify the `/sys/version-history` in enos scenarios (#27947) When verifying the Vault version, in addition to verifying the CLI version we also check that the `/sys/version-history` contains the expected version. As part of this we also fix a bug where when doing an in-place upgrade with a Debian or Redhat package we also remove the self-managed `vault.service` systemd unit to ensure that correctly start up using the new version of Vault. Signed-off-by: Ryan Cragun <me@ryan.ec> 2024-08-02 15:26:39 -04:00			`#!/usr/bin/env bash`
			`# Copyright (c) HashiCorp, Inc.`
			`# SPDX-License-Identifier: BUSL-1.1`

			`# Verify the Vault "version" includes the correct base version, build date,`
			`# revision SHA, and edition metadata.`
			`set -e`

			`fail() {`
			`echo "$1" 1>&2`
			`exit 1`
			`}`

			`[[ -z "$VAULT_ADDR" ]] && fail "VAULT_ADDR env variable has not been set"`
			`[[ -z "$VAULT_BUILD_DATE" ]] && fail "VAULT_BUILD_DATE env variable has not been set"`
			`[[ -z "$VAULT_EDITION" ]] && fail "VAULT_EDITION env variable has not been set"`
			`[[ -z "$VAULT_INSTALL_DIR" ]] && fail "VAULT_INSTALL_DIR env variable has not been set"`
			`[[ -z "$VAULT_REVISION" ]] && fail "VAULT_REVISION env variable has not been set"`
			`[[ -z "$VAULT_TOKEN" ]] && fail "VAULT_TOKEN env variable has not been set"`
			`[[ -z "$VAULT_VERSION" ]] && fail "VAULT_VERSION env variable has not been set"`

			`binpath=${VAULT_INSTALL_DIR}/vault`
			`edition=${VAULT_EDITION}`
			`version=${VAULT_VERSION}`
			`sha=${VAULT_REVISION}`
			`build_date=${VAULT_BUILD_DATE}`

			`test -x "$binpath" \|\| fail "unable to locate vault binary at $binpath"`
			`version_expected="Vault v$version ($sha), built $build_date"`

			`case "$edition" in`
			`*ce) ;;`
			`*ent) ;;`
enos: add shfmt formatting to enos module scripts (#28142) Signed-off-by: Ryan Cragun <me@ryan.ec> 2024-08-23 15:45:30 -04:00			`*ent.hsm) version_expected="$version_expected (cgo)" ;;`
[VAULT-2937] Verify the `/sys/version-history` in enos scenarios (#27947) When verifying the Vault version, in addition to verifying the CLI version we also check that the `/sys/version-history` contains the expected version. As part of this we also fix a bug where when doing an in-place upgrade with a Debian or Redhat package we also remove the self-managed `vault.service` systemd unit to ensure that correctly start up using the new version of Vault. Signed-off-by: Ryan Cragun <me@ryan.ec> 2024-08-02 15:26:39 -04:00			`*ent.fips1402) version_expected="$version_expected (cgo)" ;;`
			`*ent.hsm.fips1402) version_expected="$version_expected (cgo)" ;;`
			`*) fail "Unknown Vault edition: ($edition)" ;;`
			`esac`

			`version_expected_nosha=$(echo "$version_expected" \| awk '!($3="")' \| sed 's/ / /' \| sed -e 's/[[:space:]]*$//')`
			`version_output=$("$binpath" version)`

			`if [[ "$version_output" == "$version_expected_nosha" ]] \|\| [[ "$version_output" == "$version_expected" ]]; then`
			`echo "Version verification succeeded!"`
			`else`
enos: renable undo logs verification (#27206) After VAULT-20259 we did not enable the undo logs verification. This reenables the check but modified to check the status of the primary and follower nodes, as they should have different values. While testing this I accidentally flubbed my version input and found the diagnostic a bit confusing to read so I updated the error message on version mismatch to be a bit easier to read. Signed-off-by: Ryan Cragun <me@ryan.ec> 2024-08-14 15:45:50 -04:00			`msg="$(printf "\nThe Vault cluster did not match the expected version, expected:\n%s\nor\n%s\ngot:\n%s" "$version_expected" "$version_expected_nosha" "$version_output")"`
			`if type diff &> /dev/null; then`
			`# Diff exits non-zero if we have a diff, which we want, so we'll guard against failing early.`
enos: add shfmt formatting to enos module scripts (#28142) Signed-off-by: Ryan Cragun <me@ryan.ec> 2024-08-23 15:45:30 -04:00			`if ! version_diff=$(diff <(echo "$version_expected") <(echo "$version_output") -u -L expected -L got); then`
enos: renable undo logs verification (#27206) After VAULT-20259 we did not enable the undo logs verification. This reenables the check but modified to check the status of the primary and follower nodes, as they should have different values. While testing this I accidentally flubbed my version input and found the diagnostic a bit confusing to read so I updated the error message on version mismatch to be a bit easier to read. Signed-off-by: Ryan Cragun <me@ryan.ec> 2024-08-14 15:45:50 -04:00			`msg="$(printf "\nThe Vault cluster did not match the expected version:\n%s" "$version_diff")"`
			`fi`
			`fi`

			`fail "$msg"`
[VAULT-2937] Verify the `/sys/version-history` in enos scenarios (#27947) When verifying the Vault version, in addition to verifying the CLI version we also check that the `/sys/version-history` contains the expected version. As part of this we also fix a bug where when doing an in-place upgrade with a Debian or Redhat package we also remove the self-managed `vault.service` systemd unit to ensure that correctly start up using the new version of Vault. Signed-off-by: Ryan Cragun <me@ryan.ec> 2024-08-02 15:26:39 -04:00			`fi`