* [VAULT-30189] enos: verify identity and OIDC tokens Expand our baseline API and data verification by including the identity and identity OIDC tokens secrets engines. We now create a test entity, entity-alias, identity group, various policies, and associate them with the entity. For the OIDC side, we now configure the OIDC issuer, create and rotate named keys, create and associate roles with the named key, and issue and introspect tokens. During a second phase we also verify that those same entities, groups, keys, roles, config, etc. all exist with the expected values. This is useful to test durability after upgrades, migrations, etc. This change also includes new updates to our prior `auth/userpass` and `kv` verification. We had two modules that were loosely coupled and interdependent. This restructures those both into a singular module with child modules and fixes the assumed values by requiring the read module to verify against the created state. Going forward we can continue to extend this secrets engine verification module with additional create and read checks for new secrets engines. Signed-off-by: Ryan Cragun <me@ryan.ec>
#!/usr/bin/env bash
# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: BUSL-1.1
# Abort on the first unhandled command failure.
set -o errexit
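#######################################
# Print a diagnostic on stderr and abort the script.
# Arguments: the message to print; all arguments are joined with a space.
# Outputs:   the message, followed by a newline, on stderr
# Returns:   never; exits the script with status 1
#######################################
fail() {
  # printf rather than echo so a message that starts with '-' or contains
  # backslashes is emitted verbatim instead of being interpreted as options
  # or escape sequences.
  printf '%s\n' "$*" 1>&2
  exit 1
}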
# Every input arrives through the environment. Refuse to run with any of them
# missing rather than sending a half-formed request to Vault. VAULT_ADDR and
# VAULT_TOKEN are not read by this script itself; they are consumed by the
# vault CLI invoked below.
for required in PAYLOAD ASSERT_ACTIVE VAULT_ADDR VAULT_INSTALL_DIR VAULT_TOKEN; do
  [[ -n "${!required}" ]] || fail "${required} env variable has not been set"
done

# The vault CLI is expected at a fixed location under the install directory.
binpath="${VAULT_INSTALL_DIR}/vault"
[[ -x "$binpath" ]] || fail "unable to locate vault binary at $binpath"
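# The vault CLI honours VAULT_FORMAT; JSON is what the jq checks below and the
# consumers of this script expect.
export VAULT_FORMAT=json

# jq is needed both to encode the error document and to evaluate the
# introspection result, so check for it before making any request.
command -v jq > /dev/null 2>&1 || fail "jq is required but was not found in PATH"

# Introspect the token. The payload is passed on stdin ('-') and the CLI's
# stderr is merged into the captured output so an error message is available
# for reporting.
# NOTE(review): because of 2>&1, a non-fatal warning on stderr would be
# printed together with the JSON document on success — confirm consumers
# tolerate that.
if ! output=$("$binpath" write identity/oidc/introspect - <<< "$PAYLOAD" 2>&1); then
  # Consumers of this script parse stdout as JSON. Let jq build and escape the
  # error document; interpolating the raw CLI output into a printf template
  # yields invalid JSON whenever the message contains quotes, backslashes or
  # newlines.
  jq -cn --arg error "$output" '{"data":{"error":$error}}'
  # Human readable failure on stderr. The payload carries the token being
  # introspected, so it is deliberately not echoed into the logs.
  fail "failed to write payload to identity/oidc/introspect: output=$output"
fi

printf "%s\n" "$output" # Write our response output JSON to stdout

# jq -e exits 1 when the comparison evaluates to false (or null) and with a
# different non-zero status when it could not run at all, e.g. ASSERT_ACTIVE
# is not valid JSON for --argjson. Report those two cases separately so a
# tooling problem is not mistaken for a wrong token state.
jq_status=0
jq -Me --argjson ACTIVE "$ASSERT_ACTIVE" '.data.active == $ACTIVE' <<< "$output" > /dev/null 2>&1 || jq_status=$?
case "$jq_status" in
  0) ;;
  1) fail "token active state is invalid, expected .data.active='$ASSERT_ACTIVE'" ;;
  *) fail "unable to evaluate token active state with jq (exit status $jq_status), expected .data.active='$ASSERT_ACTIVE' output=$output" ;;
esac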