vault

mirrors/vault

Fork 0

mirror of https://github.com/hashicorp/vault.git synced 2025-09-04 21:41:09 +02:00

Commit Graph

Author	SHA1	Message	Date
Tin Vo	ac3bb7b2d4	VAULT-32188: Enos test for PKI certificates (#29007 ) * updating pki test * updating pki test * updating pki test * updating pki script * resolving conflicts * adding pki cert verifications * resolving conflicts * updating test * removing comments * addressing bash formatting * updating test * adding description * fixing lint error * fixing lint error * fixing lint issue * removing unneeded scenario * resolving conflicts * debugging pipeline error * fixing pipeline tests' * fixing pipeline tests' * testing smoke test * fixing pipeline error * debugging pipeline error * debugging pipeline error * debugging pipeline error * debugging agent test ci failure * fixing ci errors * uncomment token * updating script * updating hosts * fixing lint * fixing lint * fixing lint * adding revoked certificate * undo kv.tf change * updating cert issuing * updating issuing certs to include issuer * updating pki cert verification * addressing comments * fixing lint * fixing lint * fixing lint * fixing lint * updating verify_secrets_engine_read module * fixing lint * fixing lint * fixing lint * debugging lint * testing pipeline * adding verify variables for autopilot * adding pki read variable for autopilot * updating vault engine read variables * addressing comments * fixing lint * update test for enterprise * update pki tests to adapt to enterprise	2025-01-23 11:30:20 -08:00
Ryan Cragun	3b31b3e939	VAULT-32206: verify audit log and systemd journal secret integrity (#28932 ) Verify vault secret integrity in unauthenticated I/O streams (audit log, STDOUT/STDERR via the systemd journal) by scanning the text with Vault Radar. We search for both known and unknown secrets by using an index of KVV2 values and also by radar's built-in heuristics for credentials, secrets, and keys. The verification has been added to many scenarios where a slight time increase is allowed, as we now have to install Vault Radar and scan the text. In practice this adds less than 10 seconds to the overall duration of a scenario. In the in-place upgrade scenario we explicitly exclude this verification when upgrading from a version that we know will fail the check. We also make the verification opt-in so as to not require a Vault Radar license to run Enos scenarios, though it will always be enabled in CI. As part of this we also update our enos workflow to utilize secret values from our self-hosted Vault when executing in the vault-enterprise repo context. Signed-off-by: Ryan Cragun <me@ryan.ec>	2024-11-22 11:14:01 -07:00
Ryan Cragun	392412829b	[VAULT-30189] enos: verify identity and OIDC tokens (#28274 ) * [VAULT-30189] enos: verify identity and OIDC tokens Expand our baseline API and data verification by including the identity and identity OIDC tokens secrets engines. We now create a test entity, entity-alias, identity group, various policies, and associate them with the entity. For the OIDC side, we now configure the OIDC issuer, create and rotate named keys, create and associate roles with the named key, and issue and introspect tokens. During a second phase we also verify that the those some entities, groups, keys, roles, config, etc all exist with the expected values. This is useful to test durability after upgrades, migrations, etc. This change also includes new updates our prior `auth/userpass` and `kv` verification. We had two modules that were loosely coupled and interdependent. This restructures those both into a singular module with child modules and fixes the assumed values by requiring the read module to verify against the created state. Going forward we can continue to extend this secrets engine verification module with additional create and read checks for new secrets engines. Signed-off-by: Ryan Cragun <me@ryan.ec>	2024-09-09 14:29:11 -06:00

Author

SHA1

Message

Date

Tin Vo

ac3bb7b2d4

VAULT-32188: Enos test for PKI certificates (#29007 )

* updating pki test

* updating pki test

* updating pki test

* updating pki script

* resolving conflicts

* adding pki cert verifications

* resolving conflicts

* updating test

* removing comments

* addressing bash formatting

* updating test

* adding description

* fixing lint error

* fixing lint error

* fixing lint issue

* removing unneeded scenario

* resolving conflicts

* debugging pipeline error

* fixing pipeline tests'

* fixing pipeline tests'

* testing smoke test

* fixing pipeline error

* debugging pipeline error

* debugging pipeline error

* debugging pipeline error

* debugging agent test ci failure

* fixing ci errors

* uncomment token

* updating script

* updating hosts

* fixing lint

* fixing lint

* fixing lint

* adding revoked certificate

* undo kv.tf change

* updating cert issuing

* updating issuing certs to include issuer

* updating pki cert verification

* addressing comments

* fixing lint

* fixing lint

* fixing lint

* fixing lint

* updating verify_secrets_engine_read module

* fixing lint

* fixing lint

* fixing lint

* debugging lint

* testing pipeline

* adding verify variables for autopilot

* adding pki read variable for autopilot

* updating vault engine read variables

* addressing comments

* fixing lint

* update test for enterprise

* update pki tests to adapt to enterprise

2025-01-23 11:30:20 -08:00

Ryan Cragun

3b31b3e939

VAULT-32206: verify audit log and systemd journal secret integrity (#28932 )

Verify vault secret integrity in unauthenticated I/O streams (audit log, STDOUT/STDERR via the systemd journal) by scanning the text with Vault Radar. We search for both known and unknown secrets by using an index of KVV2 values and also by radar's built-in heuristics for credentials, secrets, and keys.

The verification has been added to many scenarios where a slight time increase is allowed, as we now have to install Vault Radar and scan the text. In practice this adds less than 10 seconds to the overall duration of a scenario.

In the in-place upgrade scenario we explicitly exclude this verification when upgrading from a version that we know will fail the check. We also make the verification opt-in so as to not require a Vault Radar license to run Enos scenarios, though it will always be enabled in CI.

As part of this we also update our enos workflow to utilize secret values from our self-hosted Vault when executing in the vault-enterprise repo context.

Signed-off-by: Ryan Cragun <me@ryan.ec>

2024-11-22 11:14:01 -07:00

Ryan Cragun

392412829b

[VAULT-30189] enos: verify identity and OIDC tokens (#28274 )

* [VAULT-30189] enos: verify identity and OIDC tokens

Expand our baseline API and data verification by including the identity
and identity OIDC tokens secrets engines. We now create a test entity,
entity-alias, identity group, various policies, and associate them with
the entity. For the OIDC side, we now configure the OIDC issuer, create
and rotate named keys, create and associate roles with the named key,
and issue and introspect tokens.

During a second phase we also verify that the those some entities,
groups, keys, roles, config, etc all exist with the expected values.
This is useful to test durability after upgrades, migrations, etc.

This change also includes new updates our prior `auth/userpass` and `kv`
verification. We had two modules that were loosely coupled and
interdependent. This restructures those both into a singular module with
child modules and fixes the assumed values by requiring the read module
to verify against the created state.

Going forward we can continue to extend this secrets engine verification
module with additional create and read checks for new secrets engines.

Signed-off-by: Ryan Cragun <me@ryan.ec>

2024-09-09 14:29:11 -06:00

3 Commits