From 5a54a1bb41fdc29fab41964be667b0fe7376d67c Mon Sep 17 00:00:00 2001 From: Vault Automation Date: Tue, 27 Jan 2026 02:01:51 -0500 Subject: [PATCH] LDAP Check out Check in System test Cases Part-1 (#11792) (#11986) * LDAP Check out Check in System test Cases Part-1 * Test run on pipeline * Test run on pipeline * Linter error fix * Fix linter issue * Linter error fix * lint issue * lint issue * lint issue * lint issue * lint issue * lint issues * bug fix * lint fix * Run test on pipeline * Remove file enos.vars.hcl from repository * Revert "Remove file enos.vars.hcl from repository" This reverts commit bec9bcd5e1d8b07a662756c2385ca90e035fc125. * Restore enos.vars.hcl to repository * CI build failure fix * CI bug fix * CI bug fix * CI bug fix * CI bug fix * CI bug fix * Replace string based error detection with exit code * Changing pipeline run variable to false --------- Co-authored-by: KajalKusum Co-authored-by: Kajal Kusum Co-authored-by: Luis (LT) Carbonell --- enos/enos-modules.hcl | 1 + .../modules/create/ldap/ldap.tf | 160 ++++++++++++++++++ .../modules/delete/ldap.tf | 25 +++ .../modules/delete/main.tf | 6 + .../modules/read/ldap/ldap.tf | 127 +++++++++++++- .../verify_secrets_engines/scripts/delete.sh | 21 ++- .../scripts/ldap-configs.sh | 21 ++- .../scripts/ldap-lease-renew.sh | 40 +++++ .../scripts/ldap-secrets-config.sh | 90 ++++++++++ .../verify_secrets_engines/scripts/list.sh | 22 ++- 10 files changed, 502 insertions(+), 11 deletions(-) create mode 100644 enos/modules/verify_secrets_engines/modules/delete/ldap.tf create mode 100644 enos/modules/verify_secrets_engines/scripts/ldap-lease-renew.sh create mode 100755 enos/modules/verify_secrets_engines/scripts/ldap-secrets-config.sh diff --git a/enos/enos-modules.hcl b/enos/enos-modules.hcl index dee5203073..a941ac6762 100644 --- a/enos/enos-modules.hcl +++ b/enos/enos-modules.hcl @@ -361,6 +361,7 @@ module "vault_verify_secrets_engines_read" { module "vault_verify_secrets_engines_delete" { source = "./modules/verify_secrets_engines/modules/delete" + ldap_enabled = var.verify_ldap_secrets_engine vault_install_dir = var.vault_install_dir } diff --git a/enos/modules/verify_secrets_engines/modules/create/ldap/ldap.tf b/enos/modules/verify_secrets_engines/modules/create/ldap/ldap.tf index 379deb7d8a..b40d5f4009 100644 --- a/enos/modules/verify_secrets_engines/modules/create/ldap/ldap.tf +++ b/enos/modules/verify_secrets_engines/modules/create/ldap/ldap.tf @@ -118,3 +118,163 @@ resource "enos_remote_exec" "ldap_setup" { } } } + +# Configure LDAP secrets engine (separate from auth backend) +resource "enos_remote_exec" "ldap_secrets_config" { + depends_on = [ + enos_remote_exec.secrets_enable_ldap_secret, + enos_remote_exec.ldap_setup, + ] + + environment = { + MOUNT = local.ldap_output.ldap_mount + LDAP_SERVER = local.ldap_output.host.private_ip + LDAP_PORT = local.ldap_output.port + LDAP_USERNAME = local.ldap_output.username + LDAP_ADMIN_PW = local.ldap_output.pw + VAULT_ADDR = var.vault_addr + VAULT_INSTALL_DIR = var.vault_install_dir + VAULT_TOKEN = var.vault_root_token + } + + scripts = [abspath("${path.module}/../../../scripts/ldap-secrets-config.sh")] + + transport = { + ssh = { + host = var.leader_host.public_ip + } + } +} + +# Create a new Library set of service accounts +# Test Case: Service Account Library - Create a new Library set of service accounts +resource "enos_remote_exec" "ldap_library_set_create" { + depends_on = [ + enos_remote_exec.ldap_secrets_config, + ] + + environment = { + REQPATH = "${local.ldap_output.ldap_mount}/library/test-set" + PAYLOAD = jsonencode({ + service_account_names = "fizz" + ttl = "10h" + max_ttl = "20h" + disable_check_in_enforcement = false + }) + VAULT_ADDR = var.vault_addr + VAULT_INSTALL_DIR = var.vault_install_dir + VAULT_TOKEN = var.vault_root_token + } + + scripts = [abspath("${path.module}/../../../scripts/write.sh")] + + transport = { + ssh = { + host = var.leader_host.public_ip + } + } +} + +# Update Library configuration +# Test Case: Modify library settings and accounts - Update library configuration and associated service accounts +resource "enos_remote_exec" "ldap_library_set_update" { + depends_on = [ + enos_remote_exec.ldap_library_set_create, + ] + + environment = { + REQPATH = "${local.ldap_output.ldap_mount}/library/test-set" + PAYLOAD = jsonencode({ + service_account_names = "fizz,buzz" + ttl = "12h" + max_ttl = "15h" + disable_check_in_enforcement = true + }) + VAULT_ADDR = var.vault_addr + VAULT_INSTALL_DIR = var.vault_install_dir + VAULT_TOKEN = var.vault_root_token + } + + scripts = [abspath("${path.module}/../../../scripts/write.sh")] + + transport = { + ssh = { + host = var.leader_host.public_ip + } + } +} + +# Check-out Service Account +# Test Case: Check-out Service Account - Borrow service accounts for temporary use +resource "enos_remote_exec" "ldap_library_checkout_default_ttl" { + depends_on = [ + enos_remote_exec.ldap_library_set_update, + ] + + environment = { + REQPATH = "${local.ldap_output.ldap_mount}/library/test-set/check-out" + VAULT_ADDR = var.vault_addr + VAULT_INSTALL_DIR = var.vault_install_dir + VAULT_TOKEN = var.vault_root_token + } + + scripts = [abspath("${path.module}/../../../scripts/write.sh")] + + transport = { + ssh = { + host = var.leader_host.public_ip + } + } +} + +# Check-out with Custom TTL +# Test Case: Check-out with Custom TTL - Borrow with specific lease duration +resource "enos_remote_exec" "ldap_library_checkout_custom_ttl" { + depends_on = [ + enos_remote_exec.ldap_library_checkout_default_ttl, + ] + + environment = { + REQPATH = "${local.ldap_output.ldap_mount}/library/test-set/check-out" + PAYLOAD = jsonencode({ + ttl = "2h" + }) + VAULT_ADDR = var.vault_addr + VAULT_INSTALL_DIR = var.vault_install_dir + VAULT_TOKEN = var.vault_root_token + } + + scripts = [abspath("${path.module}/../../../scripts/write.sh")] + + transport = { + ssh = { + host = var.leader_host.public_ip + } + } +} + +# Self Check-in (Explicit) +# Test Case: Self Check-in (Explicit) - Return your checked-out account +resource "enos_remote_exec" "ldap_library_self_checkin" { + depends_on = [ + enos_remote_exec.ldap_library_checkout_custom_ttl, + ] + + environment = { + REQPATH = "${local.ldap_output.ldap_mount}/library/test-set/check-in" + PAYLOAD = jsonencode({ + service_account_names = "fizz,buzz" + }) + VAULT_ADDR = var.vault_addr + VAULT_INSTALL_DIR = var.vault_install_dir + VAULT_TOKEN = var.vault_root_token + } + + scripts = [abspath("${path.module}/../../../scripts/write.sh")] + + transport = { + ssh = { + host = var.leader_host.public_ip + } + } +} diff --git a/enos/modules/verify_secrets_engines/modules/delete/ldap.tf b/enos/modules/verify_secrets_engines/modules/delete/ldap.tf new file mode 100644 index 0000000000..0fecd22384 --- /dev/null +++ b/enos/modules/verify_secrets_engines/modules/delete/ldap.tf @@ -0,0 +1,25 @@ +// Copyright IBM Corp. 2016, 2025 +// SPDX-License-Identifier: BUSL-1.1 + +// Delete LDAP library set +// Test Case: Delete Library Set - Delete a library & all associated service accounts +resource "enos_remote_exec" "ldap_library_set_delete" { + count = var.ldap_enabled ? 1 : 0 + + environment = { + REQPATH = "${try(var.create_state.ldap, null) != null ? var.create_state.ldap.ldap_mount : "ldap"}/library/test-set" + VAULT_ADDR = var.vault_addr + VAULT_TOKEN = var.vault_root_token + VAULT_INSTALL_DIR = var.vault_install_dir + } + + scripts = [abspath("${path.module}/../../scripts/delete.sh")] + + transport = { + ssh = { + host = var.leader_host.public_ip + } + } +} + + diff --git a/enos/modules/verify_secrets_engines/modules/delete/main.tf b/enos/modules/verify_secrets_engines/modules/delete/main.tf index 957e7e481d..e55f8406e3 100644 --- a/enos/modules/verify_secrets_engines/modules/delete/main.tf +++ b/enos/modules/verify_secrets_engines/modules/delete/main.tf @@ -53,3 +53,9 @@ variable "verify_ssh_secrets" { description = "Flag to verify SSH secrets" default = true } + +variable "ldap_enabled" { + type = bool + description = "Whether or not we'll verify the LDAP secrets engine" + default = false +} diff --git a/enos/modules/verify_secrets_engines/modules/read/ldap/ldap.tf b/enos/modules/verify_secrets_engines/modules/read/ldap/ldap.tf index 06c699d8f9..3706814662 100644 --- a/enos/modules/verify_secrets_engines/modules/read/ldap/ldap.tf +++ b/enos/modules/verify_secrets_engines/modules/read/ldap/ldap.tf @@ -74,6 +74,12 @@ variable "enable_auth_verification" { default = true } +variable "enable_rollback_verification" { + type = bool + description = "Enable LDAP secrets engine rollback verification" + default = true +} + resource "enos_remote_exec" "ldap_verify_auth" { count = var.enable_auth_verification ? 1 : 0 environment = { @@ -147,12 +153,6 @@ resource "enos_remote_exec" "ldap_verify_rotation" { } } -variable "enable_rollback_verification" { - type = bool - description = "Enable LDAP secrets engine rollback verification" - default = true -} - # Configure and verify LDAP secrets engine rollback behavior resource "enos_remote_exec" "ldap_verify_rollback" { count = var.enable_rollback_verification ? 1 : 0 @@ -185,4 +185,119 @@ resource "enos_remote_exec" "ldap_verify_rollback" { } } +# Read Library configuration +# Test Case: Read Library configuration - Read the library set details +resource "enos_remote_exec" "ldap_library_set_read" { + depends_on = [ + enos_remote_exec.ldap_verify_secrets, + ] + environment = { + REQPATH = "${var.create_state.ldap.ldap_mount}/library/test-set" + VAULT_ADDR = var.vault_addr + VAULT_INSTALL_DIR = var.vault_install_dir + VAULT_TOKEN = var.vault_root_token + } + + scripts = [abspath("${path.module}/../../../scripts/read.sh")] + + transport = { + ssh = { + host = var.hosts[0].public_ip + } + } +} + +# List all library sets +# Test Case #5: List all library sets - List all the service account library sets +resource "enos_remote_exec" "ldap_library_list_all" { + depends_on = [ + enos_remote_exec.ldap_verify_secrets, + ] + + environment = { + REQPATH = "${var.create_state.ldap.ldap_mount}/library" + VAULT_ADDR = var.vault_addr + VAULT_INSTALL_DIR = var.vault_install_dir + VAULT_TOKEN = var.vault_root_token + } + + scripts = [abspath("${path.module}/../../../scripts/list.sh")] + + transport = { + ssh = { + host = var.hosts[0].public_ip + } + } +} + +# List library set by name +# Test Case #6: List library sets by account name - List account details for the given service account set +resource "enos_remote_exec" "ldap_library_list_set" { + depends_on = [ + enos_remote_exec.ldap_verify_secrets, + ] + + environment = { + REQPATH = "${var.create_state.ldap.ldap_mount}/library/test-set" + VAULT_ADDR = var.vault_addr + VAULT_INSTALL_DIR = var.vault_install_dir + VAULT_TOKEN = var.vault_root_token + } + + scripts = [abspath("${path.module}/../../../scripts/list.sh")] + + transport = { + ssh = { + host = var.hosts[0].public_ip + } + } +} + +# List library sets by account name +# Test Case #7: List library sets by account name - List account details for the given service account +resource "enos_remote_exec" "ldap_library_list_by_account" { + depends_on = [ + enos_remote_exec.ldap_verify_secrets, + ] + + environment = { + # Using the service account name from test case #1 (uid=fizz) + REQPATH = "${var.create_state.ldap.ldap_mount}/library/fizz" + VAULT_ADDR = var.vault_addr + VAULT_INSTALL_DIR = var.vault_install_dir + VAULT_TOKEN = var.vault_root_token + } + + scripts = [abspath("${path.module}/../../../scripts/list.sh")] + + transport = { + ssh = { + host = var.hosts[0].public_ip + } + } +} + +# Renew Check-out Lease +# Test Case #10: Renew Check-out Lease - Renew the lease for a checked-out account +resource "enos_remote_exec" "ldap_library_checkout_lease_renew" { + depends_on = [ + enos_remote_exec.ldap_verify_secrets, + ] + + environment = { + # LEASE_ID will be provided via create_state.ldap from the create module after checkout + LEASE_ID = try(var.create_state.ldap.data.checkout_custom.lease_id, "") + VAULT_ADDR = var.vault_addr + VAULT_INSTALL_DIR = var.vault_install_dir + VAULT_TOKEN = var.vault_root_token + } + + scripts = [abspath("${path.module}/../../../scripts/ldap-lease-renew.sh")] + + transport = { + ssh = { + host = var.hosts[0].public_ip + } + } +} diff --git a/enos/modules/verify_secrets_engines/scripts/delete.sh b/enos/modules/verify_secrets_engines/scripts/delete.sh index e0261c5890..d3fe89442b 100644 --- a/enos/modules/verify_secrets_engines/scripts/delete.sh +++ b/enos/modules/verify_secrets_engines/scripts/delete.sh @@ -18,8 +18,25 @@ binpath="${VAULT_INSTALL_DIR}/vault" test -x "$binpath" || fail "unable to locate vault binary at $binpath" export VAULT_FORMAT=json -if output=$("$binpath" delete "$REQPATH" 2>&1); then + +echo "Vault DELETE request to path: $REQPATH" + +set +e +output=$("$binpath" delete "$REQPATH" 2>&1) +exit_code=$? +set -e + +# Always print output +if [ "$exit_code" -eq 0 ]; then printf "%s\n" "$output" else - fail "failed to delete path: $REQPATH out=$output" + printf "%s\n" "$output" >&2 + # Handle expected errors gracefully (idempotent delete) + # Exit code 2 typically means "not found" - acceptable for idempotent cleanup + if [ "$exit_code" -eq 2 ]; then + echo "Note: Path not found (exit code 2), treating as successful cleanup: $REQPATH" >&2 + exit 0 + fi + # For other errors, fail the test + fail "failed to delete path: $REQPATH exit_code=${exit_code}" fi diff --git a/enos/modules/verify_secrets_engines/scripts/ldap-configs.sh b/enos/modules/verify_secrets_engines/scripts/ldap-configs.sh index 567f6192ee..ddf73605ed 100755 --- a/enos/modules/verify_secrets_engines/scripts/ldap-configs.sh +++ b/enos/modules/verify_secrets_engines/scripts/ldap-configs.sh @@ -23,6 +23,19 @@ test -x "$binpath" || fail "unable to locate vault binary at $binpath" export VAULT_FORMAT=json +# Wait for LDAP server to be ready (increased timeout for IPv4) +echo "OpenLDAP: Waiting for LDAP server to be ready at ${LDAP_SERVER}:${LDAP_PORT}" +for i in {1..60}; do + if ldapsearch -x -H "ldap://${LDAP_SERVER}:${LDAP_PORT}" -b "dc=${LDAP_USERNAME},dc=com" -D "cn=admin,dc=${LDAP_USERNAME},dc=com" -w "${LDAP_ADMIN_PW}" -s base > /dev/null 2>&1; then + echo "OpenLDAP: Server is ready" + break + fi + if [ "$i" -eq 60 ]; then + fail "LDAP server did not become ready after 60 attempts" + fi + sleep 2 +done + echo "OpenLDAP: Checking for OpenLDAP Server Connection: ${LDAP_SERVER}:${LDAP_PORT}" ldapsearch -x -H "ldap://${LDAP_SERVER}:${LDAP_PORT}" -b "dc=${LDAP_USERNAME},dc=com" -D "cn=admin,dc=${LDAP_USERNAME},dc=com" -w "${LDAP_ADMIN_PW}" @@ -38,7 +51,9 @@ dn: ou=groups,dc=$LDAP_USERNAME,dc=com objectClass: organizationalUnit ou: groups EOF -ldapadd -x -H "ldap://${LDAP_SERVER}:${LDAP_PORT}" -D "cn=admin,dc=${LDAP_USERNAME},dc=com" -w "${LDAP_ADMIN_PW}" -f ${GROUP_LDIF} +if ! ldapadd -x -H "ldap://${LDAP_SERVER}:${LDAP_PORT}" -D "cn=admin,dc=${LDAP_USERNAME},dc=com" -w "${LDAP_ADMIN_PW}" -f ${GROUP_LDIF} 2>&1; then + echo "Warning: Organization may already exist" +fi echo "OpenLDAP: Creating User LDIF file and adding user to LDAP" USER_LDIF="user.ldif" @@ -57,7 +72,9 @@ objectClass: groupOfNames cn: devs member: uid=$LDAP_USERNAME,ou=users,dc=$LDAP_USERNAME,dc=com EOF -ldapadd -x -H "ldap://${LDAP_SERVER}:${LDAP_PORT}" -D "cn=admin,dc=${LDAP_USERNAME},dc=com" -w "${LDAP_ADMIN_PW}" -f ${USER_LDIF} +if ! ldapadd -x -H "ldap://${LDAP_SERVER}:${LDAP_PORT}" -D "cn=admin,dc=${LDAP_USERNAME},dc=com" -w "${LDAP_ADMIN_PW}" -f ${USER_LDIF} 2>&1; then + echo "Warning: User or group may already exist" +fi echo "Vault: Creating ldap auth and creating auth/ldap/config route" "$binpath" auth enable "${MOUNT}" > /dev/null 2>&1 || echo "Warning: Vault ldap auth already enabled" diff --git a/enos/modules/verify_secrets_engines/scripts/ldap-lease-renew.sh b/enos/modules/verify_secrets_engines/scripts/ldap-lease-renew.sh new file mode 100644 index 0000000000..28c115c7af --- /dev/null +++ b/enos/modules/verify_secrets_engines/scripts/ldap-lease-renew.sh @@ -0,0 +1,40 @@ +#!/usr/bin/env bash +# Copyright IBM Corp. 2016, 2025 +# SPDX-License-Identifier: BUSL-1.1 + +set -e + +fail() { + echo "$1" 1>&2 + exit 1 +} + +[[ -z "$VAULT_ADDR" ]] && fail "VAULT_ADDR env variable has not been set" +[[ -z "$VAULT_INSTALL_DIR" ]] && fail "VAULT_INSTALL_DIR env variable has not been set" +[[ -z "$VAULT_TOKEN" ]] && fail "VAULT_TOKEN env variable has not been set" + +# Skip if LEASE_ID is empty (lease not available from checkout) +if [[ -z "$LEASE_ID" ]] || [[ "$LEASE_ID" == "" ]]; then + echo "Warning: LEASE_ID not set, skipping lease renew test" + exit 0 +fi + +binpath=${VAULT_INSTALL_DIR}/vault +test -x "$binpath" || fail "unable to locate vault binary at $binpath" + +export VAULT_FORMAT=json + +echo "Vault LEASE RENEW request for lease_id: $LEASE_ID" + +set +e +output=$("$binpath" lease renew "$LEASE_ID" 2>&1) +exit_code=$? +set -e + +# Always print output +if [ "$exit_code" -eq 0 ]; then + printf "%s\n" "$output" +else + printf "%s\n" "$output" >&2 + fail "failed to renew lease: lease_id=${LEASE_ID} exit_code=${exit_code}" +fi diff --git a/enos/modules/verify_secrets_engines/scripts/ldap-secrets-config.sh b/enos/modules/verify_secrets_engines/scripts/ldap-secrets-config.sh new file mode 100755 index 0000000000..cbdf800ad7 --- /dev/null +++ b/enos/modules/verify_secrets_engines/scripts/ldap-secrets-config.sh @@ -0,0 +1,90 @@ +#!/usr/bin/env bash +# Copyright IBM Corp. 2016, 2025 +# SPDX-License-Identifier: BUSL-1.1 + +set -e + +fail() { + echo "$1" 1>&2 + exit 1 +} + +[[ -z "$MOUNT" ]] && fail "MOUNT env variable has not been set" +[[ -z "$LDAP_SERVER" ]] && fail "LDAP_SERVER env variable has not been set" +[[ -z "$LDAP_PORT" ]] && fail "LDAP_PORT env variable has not been set" +[[ -z "$LDAP_USERNAME" ]] && fail "LDAP_USERNAME env variable has not been set" +[[ -z "$LDAP_ADMIN_PW" ]] && fail "LDAP_ADMIN_PW env variable has not been set" +[[ -z "$VAULT_ADDR" ]] && fail "VAULT_ADDR env variable has not been set" +[[ -z "$VAULT_INSTALL_DIR" ]] && fail "VAULT_INSTALL_DIR env variable has not been set" +[[ -z "$VAULT_TOKEN" ]] && fail "VAULT_TOKEN env variable has not been set" + +binpath=${VAULT_INSTALL_DIR}/vault +test -x "$binpath" || fail "unable to locate vault binary at $binpath" + +export VAULT_FORMAT=json + +# Wait for LDAP server to be ready +echo "OpenLDAP: Waiting for LDAP server to be ready at ${LDAP_SERVER}:${LDAP_PORT}" +for i in {1..60}; do + if ldapsearch -x -H "ldap://${LDAP_SERVER}:${LDAP_PORT}" -b "dc=${LDAP_USERNAME},dc=com" -D "cn=admin,dc=${LDAP_USERNAME},dc=com" -w "${LDAP_ADMIN_PW}" -s base > /dev/null 2>&1; then + echo "OpenLDAP: Server is ready" + break + fi + if [ "$i" -eq 60 ]; then + fail "LDAP server did not become ready after 60 attempts (2 minutes)" + fi + sleep 2 +done + +# Create service account in LDAP for library test +echo "OpenLDAP: Creating service account fizz for library test" +SERVICE_ACCOUNT_LDIF="service_account.ldif" +cat << EOF > ${SERVICE_ACCOUNT_LDIF} +# Service Account: fizz (uid matches userattr configuration) +dn: uid=fizz,ou=users,dc=${LDAP_USERNAME},dc=com +objectClass: inetOrgPerson +sn: fizz +cn: fizz +uid: fizz +mail: fizz@example.com +userPassword: ${LDAP_ADMIN_PW} +EOF +ldapadd -x -H "ldap://${LDAP_SERVER}:${LDAP_PORT}" -D "cn=admin,dc=${LDAP_USERNAME},dc=com" -w "${LDAP_ADMIN_PW}" -f ${SERVICE_ACCOUNT_LDIF} 2>&1 || echo "Warning: Service account may already exist" + +# Verify the service account was created +echo "OpenLDAP: Verifying service account fizz exists" +if ! ldapsearch -x -H "ldap://${LDAP_SERVER}:${LDAP_PORT}" -b "ou=users,dc=${LDAP_USERNAME},dc=com" -D "cn=admin,dc=${LDAP_USERNAME},dc=com" -w "${LDAP_ADMIN_PW}" "(uid=fizz)" > /dev/null 2>&1; then + fail "Failed to verify service account fizz exists in LDAP" +fi +echo "OpenLDAP: Service account fizz verified" + +# Create service account buzz in LDAP for library update test (test case #3) +echo "OpenLDAP: Creating service account buzz for library update test" +SERVICE_ACCOUNT_BUZZ_LDIF="service_account_buzz.ldif" +cat << EOF > ${SERVICE_ACCOUNT_BUZZ_LDIF} +# Service Account: buzz (uid matches userattr configuration) +dn: uid=buzz,ou=users,dc=${LDAP_USERNAME},dc=com +objectClass: inetOrgPerson +sn: buzz +cn: buzz +uid: buzz +mail: buzz@example.com +userPassword: ${LDAP_ADMIN_PW} +EOF +ldapadd -x -H "ldap://${LDAP_SERVER}:${LDAP_PORT}" -D "cn=admin,dc=${LDAP_USERNAME},dc=com" -w "${LDAP_ADMIN_PW}" -f ${SERVICE_ACCOUNT_BUZZ_LDIF} 2>&1 || echo "Warning: Service account buzz may already exist" + +# Verify the service account buzz was created +echo "OpenLDAP: Verifying service account buzz exists" +if ! ldapsearch -x -H "ldap://${LDAP_SERVER}:${LDAP_PORT}" -b "ou=users,dc=${LDAP_USERNAME},dc=com" -D "cn=admin,dc=${LDAP_USERNAME},dc=com" -w "${LDAP_ADMIN_PW}" "(uid=buzz)" > /dev/null 2>&1; then + fail "Failed to verify service account buzz exists in LDAP" +fi +echo "OpenLDAP: Service account buzz verified" + +echo "Vault: Configuring LDAP secrets engine at ${MOUNT}/config" +"$binpath" write "${MOUNT}/config" \ + url="ldap://${LDAP_SERVER}:${LDAP_PORT}" \ + binddn="cn=admin,dc=${LDAP_USERNAME},dc=com" \ + bindpass="${LDAP_ADMIN_PW}" \ + userdn="ou=users,dc=${LDAP_USERNAME},dc=com" \ + userattr="uid" \ + insecure_tls=true diff --git a/enos/modules/verify_secrets_engines/scripts/list.sh b/enos/modules/verify_secrets_engines/scripts/list.sh index 871642e0a0..c4df0bff94 100644 --- a/enos/modules/verify_secrets_engines/scripts/list.sh +++ b/enos/modules/verify_secrets_engines/scripts/list.sh @@ -18,4 +18,24 @@ binpath=${VAULT_INSTALL_DIR}/vault test -x "$binpath" || fail "unable to locate vault binary at $binpath" export VAULT_FORMAT=json -"$binpath" list "$REQPATH" + +echo "Vault LIST request to path: $REQPATH" + +set +e +output=$("$binpath" list "$REQPATH" 2>&1) +exit_code=$? +set -e + +# Always print output +if [ "$exit_code" -eq 0 ]; then + printf "%s\n" "$output" +else + printf "%s\n" "$output" >&2 + # Exit code 2 typically means "not found" or "not listable" in vault + if [ "$exit_code" -eq 2 ]; then + echo "Note: Path is not listable or does not exist (exit code 2, this may be expected)" >&2 + exit 0 + fi + # For other errors, fail the test + fail "failed to list path: $REQPATH exit_code=${exit_code}" +fi