mirrors/vault
1
0
Fork 0
mirror of https://github.com/hashicorp/vault.git synced 2025-08-22 07:01:09 +02:00
Code Issues Projects Releases Wiki Activity
vault/enos/modules/install_packages/scripts/install-packages.sh
Ryan Cragun 3b31b3e939
VAULT-32206: verify audit log and systemd journal secret integrity (#28932) 
Verify vault secret integrity in unauthenticated I/O streams (audit log, STDOUT/STDERR via the systemd journal) by scanning the text with Vault Radar. We search for both known and unknown secrets by using an index of KVV2 values and also by radar's built-in heuristics for credentials, secrets, and keys.

The verification has been added to many scenarios where a slight time increase is allowed, as we now have to install Vault Radar and scan the text. In practice this adds less than 10 seconds to the overall duration of a scenario.

In the in-place upgrade scenario we explicitly exclude this verification when upgrading from a version that we know will fail the check. We also make the verification opt-in so as to not require a Vault Radar license to run Enos scenarios, though it will always be enabled in CI.

As part of this we also update our enos workflow to utilize secret values from our self-hosted Vault when executing in the vault-enterprise repo context.

Signed-off-by: Ryan Cragun <me@ryan.ec>
2024-11-22 11:14:01 -07:00

106 lines
3.0 KiB
Bash
Raw Permalink Blame History

#!/usr/bin/env bash
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: BUSL-1.1
set -e
fail() {
echo "$1" 1>&2
exit 1
}
[[ -z "${RETRY_INTERVAL}" ]] && fail "RETRY_INTERVAL env variable has not been set"
[[ -z "${TIMEOUT_SECONDS}" ]] && fail "TIMEOUT_SECONDS env variable has not been set"
[[ -z "${PACKAGES}" ]] && fail "PACKAGES env variable has not been set"
[[ -z "${PACKAGE_MANAGER}" ]] && fail "PACKAGE_MANAGER env variable has not been set"
# Install packages based on the provided packages and package manager. We assume that the repositories
# have already been synchronized by the repo setup that is a prerequisite for this script.
install_packages() {
if [[ "${PACKAGES}" = "__skip" ]]; then
return 0
fi
set -x
echo "Installing Dependencies: ${PACKAGES}"
# Use the default package manager of the current Linux distro to install packages
case $PACKAGE_MANAGER in
apt)
for package in ${PACKAGES}; do
if dpkg -s "${package}"; then
echo "Skipping installation of ${package} because it is already installed"
continue
else
echo "Installing ${package}"
local output
if ! output=$(sudo apt install -y "${package}" 2>&1); then
echo "Failed to install ${package}: ${output}" 1>&2
return 1
fi
fi
done
;;
dnf)
for package in ${PACKAGES}; do
if rpm -q "${package}"; then
echo "Skipping installation of ${package} because it is already installed"
continue
else
echo "Installing ${package}"
local output
if ! output=$(sudo dnf -y install "${package}" 2>&1); then
echo "Failed to install ${package}: ${output}" 1>&2
return 1
fi
fi
done
;;
yum)
for package in ${PACKAGES}; do
if rpm -q "${package}"; then
echo "Skipping installation of ${package} because it is already installed"
continue
else
echo "Installing ${package}"
local output
if ! output=$(sudo yum -y install "${package}" 2>&1); then
echo "Failed to install ${package}: ${output}" 1>&2
return 1
fi
fi
done
;;
zypper)
for package in ${PACKAGES}; do
if rpm -q "${package}"; then
echo "Skipping installation of ${package} because it is already installed"
continue
else
echo "Installing ${package}"
local output
if ! output=$(sudo zypper --non-interactive install -y -l --force-resolution "${package}" 2>&1); then
echo "Failed to install ${package}: ${output}" 1>&2
return 1
fi
fi
done
;;
*)
fail "No matching package manager provided."
;;
esac
}
begin_time=$(date +%s)
end_time=$((begin_time + TIMEOUT_SECONDS))
while [[ "$(date +%s)" -lt "${end_time}" ]]; do
if install_packages; then
exit 0
fi
sleep "${RETRY_INTERVAL}"
done
fail "Timed out waiting for packages to install"
Reference in New Issue View Git Blame Copy Permalink