diff --git a/testing/internal/e2e/tests/base_with_vault/credential_library_vault_ldap_test.go b/testing/internal/e2e/tests/base_with_vault/credential_library_vault_ldap_test.go index 1f4f6b06cd..0bd6875583 100644 --- a/testing/internal/e2e/tests/base_with_vault/credential_library_vault_ldap_test.go +++ b/testing/internal/e2e/tests/base_with_vault/credential_library_vault_ldap_test.go @@ -65,7 +65,7 @@ func TestApiVaultLdapCredentialLibrary(t *testing.T) { require.NoError(t, err) // Configure Vault for LDAP. - boundaryPolicyName, _, ldapPolicyFilePath := vault.Setup(t, "testdata/boundary-controller-policy.hcl") + boundaryPolicyName := vault.SetupForBoundaryController(t, "testdata/boundary-controller-policy.hcl") t.Cleanup(func() { output := e2e.RunCommand(context.Background(), "vault", e2e.WithArgs("policy", "delete", boundaryPolicyName), @@ -73,7 +73,7 @@ func TestApiVaultLdapCredentialLibrary(t *testing.T) { require.NoError(t, output.Err, string(output.Stderr)) }) - ldapPolicyName := vault.SetupLdap(t, c.VaultLdapPath, ldapPolicyFilePath, + ldapPolicyName := vault.SetupLdap(t, c.VaultLdapPath, c.LdapAddress, c.LdapAdminDn, c.LdapAdminPassword, c.LdapDomainDn, c.LdapUserName, c.LdapGroupName, ) @@ -235,7 +235,7 @@ func TestCliVaultLdapCredentialLibrary(t *testing.T) { require.NoError(t, err) // Configure Vault for LDAP. - boundaryPolicyName, _, ldapPolicyFilePath := vault.Setup(t, "testdata/boundary-controller-policy.hcl") + boundaryPolicyName := vault.SetupForBoundaryController(t, "testdata/boundary-controller-policy.hcl") t.Cleanup(func() { output := e2e.RunCommand(context.Background(), "vault", e2e.WithArgs("policy", "delete", boundaryPolicyName), 
@@ -243,7 +243,7 @@ func TestCliVaultLdapCredentialLibrary(t *testing.T) { require.NoError(t, output.Err, string(output.Stderr)) }) - ldapPolicyName := vault.SetupLdap(t, c.VaultLdapPath, ldapPolicyFilePath, + ldapPolicyName := vault.SetupLdap(t, c.VaultLdapPath, c.LdapAddress, c.LdapAdminDn, c.LdapAdminPassword, c.LdapDomainDn, c.LdapUserName, c.LdapGroupName, ) diff --git a/testing/internal/e2e/tests/base_with_vault/credential_store_test.go b/testing/internal/e2e/tests/base_with_vault/credential_store_test.go index d9d46d6755..50a0008e6e 100644 --- a/testing/internal/e2e/tests/base_with_vault/credential_store_test.go +++ b/testing/internal/e2e/tests/base_with_vault/credential_store_test.go @@ -55,7 +55,7 @@ func TestCliVaultCredentialStore(t *testing.T) { require.NoError(t, err) // Configure vault - boundaryPolicyName, kvPolicyFilePath, _ := vault.Setup(t, "testdata/boundary-controller-policy.hcl") + boundaryPolicyName := vault.SetupForBoundaryController(t, "testdata/boundary-controller-policy.hcl") t.Cleanup(func() { output := e2e.RunCommand(ctx, "vault", e2e.WithArgs("policy", "delete", boundaryPolicyName), 
@@ -75,13 +75,26 @@ func TestCliVaultCredentialStore(t *testing.T) { }) // Create credentials in vault - privateKeySecretName := vault.CreateKvPrivateKeyCredential(t, c.VaultSecretPath, c.TargetSshUser, c.TargetSshKeyPath, kvPolicyFilePath) - passwordSecretName, password := vault.CreateKvPasswordCredential(t, c.VaultSecretPath, c.TargetSshUser, kvPolicyFilePath) - domainSecretName, domainPassword := vault.CreateKvPasswordDomainCredential(t, c.VaultSecretPath, c.TargetSshUser, "domain.com", kvPolicyFilePath) - kvPolicyName := vault.WritePolicy(t, ctx, kvPolicyFilePath) + privateKeySecretName, privateKeyPolicyName := vault.CreateKvPrivateKeyCredential(t, c.VaultSecretPath, c.TargetSshUser, c.TargetSshKeyPath) t.Cleanup(func() { output := e2e.RunCommand(ctx, "vault", - e2e.WithArgs("policy", "delete", kvPolicyName), + e2e.WithArgs("policy", "delete", privateKeyPolicyName), + ) + require.NoError(t, output.Err, string(output.Stderr)) + }) + + passwordSecretName, passwordPolicyName, password := vault.CreateKvPasswordCredential(t, c.VaultSecretPath, c.TargetSshUser) + t.Cleanup(func() { + output := e2e.RunCommand(ctx, "vault", + e2e.WithArgs("policy", "delete", passwordPolicyName), + ) + require.NoError(t, output.Err, string(output.Stderr)) + }) + + domainSecretName, domainPolicyName, domainPassword := vault.CreateKvPasswordDomainCredential(t, c.VaultSecretPath, c.TargetSshUser, "domain.com") + t.Cleanup(func() { + output := e2e.RunCommand(ctx, "vault", + e2e.WithArgs("policy", "delete", domainPolicyName), ) require.NoError(t, output.Err, string(output.Stderr)) }) @@ -93,7 +106,9 @@ func TestCliVaultCredentialStore(t *testing.T) { "token", "create", "-no-default-policy=true", "-policy="+boundaryPolicyName, - "-policy="+kvPolicyName, + "-policy="+privateKeyPolicyName, + "-policy="+passwordPolicyName, + "-policy="+domainPolicyName, "-orphan=true", "-period=20m", "-renewable=true", 
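Review bot: The three new t.Cleanup blocks after `// Create credentials in vault` are the same six lines with only the policy name changed, and the pattern is repeated in the TestApiVaultCredentialStore hunk and in populateBoundaryDatabase in migration_test.go; a small local closure keeps one copy of the delete-and-assert logic and makes the per-credential lines read as a plain sequence. The rewrite below keeps the vault calls and the `output`/`require` handling exactly as added. Separately, the new cleanups delete only the policies, while the CreateKv* doc comments ask callers to destroy the policy and the secret; if the kv mount is disabled by the earlier cleanup (the `secrets enable` call sits outside this hunk) that covers the secrets, otherwise they remain readable in a shared Vault after the test, which is worth confirming.
```go
	// Create credentials in vault
	deletePolicyOnCleanup := func(policyName string) {
		t.Cleanup(func() {
			output := e2e.RunCommand(ctx, "vault",
				e2e.WithArgs("policy", "delete", policyName),
			)
			require.NoError(t, output.Err, string(output.Stderr))
		})
	}
	privateKeySecretName, privateKeyPolicyName := vault.CreateKvPrivateKeyCredential(t, c.VaultSecretPath, c.TargetSshUser, c.TargetSshKeyPath)
	deletePolicyOnCleanup(privateKeyPolicyName)
	passwordSecretName, passwordPolicyName, password := vault.CreateKvPasswordCredential(t, c.VaultSecretPath, c.TargetSshUser)
	deletePolicyOnCleanup(passwordPolicyName)
	domainSecretName, domainPolicyName, domainPassword := vault.CreateKvPasswordDomainCredential(t, c.VaultSecretPath, c.TargetSshUser, "domain.com")
	deletePolicyOnCleanup(domainPolicyName)
	// … unchanged: vault token create with the three -policy flags …
```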
@@ -243,7 +258,7 @@ func TestApiVaultCredentialStore(t *testing.T) { require.NoError(t, err) // Configure vault - boundaryPolicyName, kvPolicyFilePath, _ := vault.Setup(t, "testdata/boundary-controller-policy.hcl") + boundaryPolicyName := vault.SetupForBoundaryController(t, "testdata/boundary-controller-policy.hcl") output := e2e.RunCommand(ctx, "vault", e2e.WithArgs("secrets", "enable", "-path="+c.VaultSecretPath, "kv-v2"), ) 
@@ -255,11 +270,30 @@ func TestApiVaultCredentialStore(t *testing.T) { require.NoError(t, output.Err, string(output.Stderr)) }) - // Create credential in vault - privateKeySecretName := vault.CreateKvPrivateKeyCredential(t, c.VaultSecretPath, c.TargetSshUser, c.TargetSshKeyPath, kvPolicyFilePath) - passwordSecretName, password := vault.CreateKvPasswordCredential(t, c.VaultSecretPath, c.TargetSshUser, kvPolicyFilePath) - domainSecretName, domainPassword := vault.CreateKvPasswordDomainCredential(t, c.VaultSecretPath, c.TargetSshUser, "domain.com", kvPolicyFilePath) - kvPolicyName := vault.WritePolicy(t, ctx, kvPolicyFilePath) + // Create credentials in vault + privateKeySecretName, privateKeyPolicyName := vault.CreateKvPrivateKeyCredential(t, c.VaultSecretPath, c.TargetSshUser, c.TargetSshKeyPath) + t.Cleanup(func() { + output := e2e.RunCommand(ctx, "vault", + e2e.WithArgs("policy", "delete", privateKeyPolicyName), + ) + require.NoError(t, output.Err, string(output.Stderr)) + }) + + passwordSecretName, passwordPolicyName, password := vault.CreateKvPasswordCredential(t, c.VaultSecretPath, c.TargetSshUser) + t.Cleanup(func() { + output := e2e.RunCommand(ctx, "vault", + e2e.WithArgs("policy", "delete", passwordPolicyName), + ) + require.NoError(t, output.Err, string(output.Stderr)) + }) + + domainSecretName, domainPolicyName, domainPassword := vault.CreateKvPasswordDomainCredential(t, c.VaultSecretPath, c.TargetSshUser, "domain.com") + t.Cleanup(func() { + output := e2e.RunCommand(ctx, "vault", + e2e.WithArgs("policy", "delete", domainPolicyName), + ) + require.NoError(t, output.Err, string(output.Stderr)) + }) t.Log("Created Vault Credentials") // Create vault token for boundary 
@@ -268,7 +302,9 @@ func TestApiVaultCredentialStore(t *testing.T) { "token", "create", "-no-default-policy=true", "-policy="+boundaryPolicyName, - "-policy="+kvPolicyName, + "-policy="+privateKeyPolicyName, + "-policy="+passwordPolicyName, + "-policy="+domainPolicyName, "-orphan=true", "-period=20m", "-renewable=true", diff --git a/testing/internal/e2e/tests/base_with_vault/paginate_credential_library_test.go b/testing/internal/e2e/tests/base_with_vault/paginate_credential_library_test.go index 9950032509..600c07f6f7 100644 --- a/testing/internal/e2e/tests/base_with_vault/paginate_credential_library_test.go +++ b/testing/internal/e2e/tests/base_with_vault/paginate_credential_library_test.go @@ -41,7 +41,7 @@ func TestCliPaginateCredentialLibraries(t *testing.T) { require.NoError(t, err) // Configure vault - boundaryPolicyName, kvPolicyFilePath, _ := vault.Setup(t, "testdata/boundary-controller-policy.hcl") + boundaryPolicyName := vault.SetupForBoundaryController(t, "testdata/boundary-controller-policy.hcl") t.Cleanup(func() { output := e2e.RunCommand(ctx, "vault", e2e.WithArgs("policy", "delete", boundaryPolicyName), @@ -61,11 +61,10 @@ func TestCliPaginateCredentialLibraries(t *testing.T) { }) // Create credentials in vault - privateKeySecretName := vault.CreateKvPrivateKeyCredential(t, c.VaultSecretPath, c.TargetSshUser, c.TargetSshKeyPath, kvPolicyFilePath) - kvPolicyName := vault.WritePolicy(t, ctx, kvPolicyFilePath) + privateKeySecretName, privateKeyPolicyName := vault.CreateKvPrivateKeyCredential(t, c.VaultSecretPath, c.TargetSshUser, c.TargetSshKeyPath) t.Cleanup(func() { output := e2e.RunCommand(ctx, "vault", - e2e.WithArgs("policy", "delete", kvPolicyName), + e2e.WithArgs("policy", "delete", privateKeyPolicyName), ) require.NoError(t, output.Err, string(output.Stderr)) }) 
@@ -76,7 +75,7 @@ func TestCliPaginateCredentialLibraries(t *testing.T) { "token", "create", "-no-default-policy=true", "-policy="+boundaryPolicyName, - "-policy="+kvPolicyName, + "-policy="+privateKeyPolicyName, "-orphan=true", "-period=20m", "-renewable=true", @@ -194,7 +193,7 @@ func TestApiPaginateCredentialLibraries(t *testing.T) { require.NoError(t, err) // Configure vault - boundaryPolicyName, kvPolicyFilePath, _ := vault.Setup(t, "testdata/boundary-controller-policy.hcl") + boundaryPolicyName := vault.SetupForBoundaryController(t, "testdata/boundary-controller-policy.hcl") t.Cleanup(func() { output := e2e.RunCommand(ctx, "vault", e2e.WithArgs("policy", "delete", boundaryPolicyName), @@ -214,11 +213,10 @@ func TestApiPaginateCredentialLibraries(t *testing.T) { }) // Create credentials in vault - privateKeySecretName := vault.CreateKvPrivateKeyCredential(t, c.VaultSecretPath, c.TargetSshUser, c.TargetSshKeyPath, kvPolicyFilePath) - kvPolicyName := vault.WritePolicy(t, ctx, kvPolicyFilePath) + privateKeySecretName, privateKeyPolicyName := vault.CreateKvPrivateKeyCredential(t, c.VaultSecretPath, c.TargetSshUser, c.TargetSshKeyPath) t.Cleanup(func() { output := e2e.RunCommand(ctx, "vault", - e2e.WithArgs("policy", "delete", kvPolicyName), + e2e.WithArgs("policy", "delete", privateKeyPolicyName), ) require.NoError(t, output.Err, string(output.Stderr)) }) @@ -229,7 +227,7 @@ func TestApiPaginateCredentialLibraries(t *testing.T) { "token", "create", "-no-default-policy=true", "-policy="+boundaryPolicyName, - "-policy="+kvPolicyName, + "-policy="+privateKeyPolicyName, "-orphan=true", "-period=20m", "-renewable=true", diff --git a/testing/internal/e2e/tests/base_with_vault/target_tcp_vault_generic_connect_authz_token_test.go b/testing/internal/e2e/tests/base_with_vault/target_tcp_vault_generic_connect_authz_token_test.go index b285597727..77b3edf053 100644 --- a/testing/internal/e2e/tests/base_with_vault/target_tcp_vault_generic_connect_authz_token_test.go 
+++ b/testing/internal/e2e/tests/base_with_vault/target_tcp_vault_generic_connect_authz_token_test.go @@ -53,7 +53,7 @@ func TestCliTcpTargetVaultGenericConnectTargetWithAuthzToken(t *testing.T) { require.NoError(t, err) // Configure vault - boundaryPolicyName, kvPolicyFilePath, _ := vault.Setup(t, "testdata/boundary-controller-policy.hcl") + boundaryPolicyName := vault.SetupForBoundaryController(t, "testdata/boundary-controller-policy.hcl") t.Cleanup(func() { output := e2e.RunCommand(ctx, "vault", e2e.WithArgs("policy", "delete", boundaryPolicyName), @@ -73,11 +73,10 @@ func TestCliTcpTargetVaultGenericConnectTargetWithAuthzToken(t *testing.T) { }) // Create credential in vault - privateKeySecretName := vault.CreateKvPrivateKeyCredential(t, c.VaultSecretPath, c.TargetSshUser, c.TargetSshKeyPath, kvPolicyFilePath) - kvPolicyName := vault.WritePolicy(t, ctx, kvPolicyFilePath) + privateKeySecretName, privateKeyPolicyName := vault.CreateKvPrivateKeyCredential(t, c.VaultSecretPath, c.TargetSshUser, c.TargetSshKeyPath) t.Cleanup(func() { output := e2e.RunCommand(ctx, "vault", - e2e.WithArgs("policy", "delete", kvPolicyName), + e2e.WithArgs("policy", "delete", privateKeyPolicyName), ) require.NoError(t, output.Err, string(output.Stderr)) }) @@ -89,7 +88,7 @@ func TestCliTcpTargetVaultGenericConnectTargetWithAuthzToken(t *testing.T) { "token", "create", "-no-default-policy=true", fmt.Sprintf("-policy=%s", boundaryPolicyName), - fmt.Sprintf("-policy=%s", kvPolicyName), + fmt.Sprintf("-policy=%s", privateKeyPolicyName), "-orphan=true", "-period=20m", "-renewable=true", diff --git a/testing/internal/e2e/tests/base_with_vault/target_tcp_vault_generic_connect_ssh_test.go b/testing/internal/e2e/tests/base_with_vault/target_tcp_vault_generic_connect_ssh_test.go index bb4144e0f6..02e70dee2b 100644 --- a/testing/internal/e2e/tests/base_with_vault/target_tcp_vault_generic_connect_ssh_test.go 
+++ b/testing/internal/e2e/tests/base_with_vault/target_tcp_vault_generic_connect_ssh_test.go @@ -53,7 +53,7 @@ func TestCliTcpTargetVaultGenericConnectTargetWithSsh(t *testing.T) { require.NoError(t, err) // Configure vault - boundaryPolicyName, kvPolicyFilePath, _ := vault.Setup(t, "testdata/boundary-controller-policy.hcl") + boundaryPolicyName := vault.SetupForBoundaryController(t, "testdata/boundary-controller-policy.hcl") t.Cleanup(func() { output := e2e.RunCommand(ctx, "vault", e2e.WithArgs("policy", "delete", boundaryPolicyName), @@ -73,11 +73,10 @@ func TestCliTcpTargetVaultGenericConnectTargetWithSsh(t *testing.T) { }) // Create credential in vault - privateKeySecretName := vault.CreateKvPrivateKeyCredential(t, c.VaultSecretPath, c.TargetSshUser, c.TargetSshKeyPath, kvPolicyFilePath) - kvPolicyName := vault.WritePolicy(t, ctx, kvPolicyFilePath) + privateKeySecretName, privateKeyPolicyName := vault.CreateKvPrivateKeyCredential(t, c.VaultSecretPath, c.TargetSshUser, c.TargetSshKeyPath) t.Cleanup(func() { output := e2e.RunCommand(ctx, "vault", - e2e.WithArgs("policy", "delete", kvPolicyName), + e2e.WithArgs("policy", "delete", privateKeyPolicyName), ) require.NoError(t, output.Err, string(output.Stderr)) }) @@ -89,7 +88,7 @@ func TestCliTcpTargetVaultGenericConnectTargetWithSsh(t *testing.T) { "token", "create", "-no-default-policy=true", fmt.Sprintf("-policy=%s", boundaryPolicyName), - fmt.Sprintf("-policy=%s", kvPolicyName), + fmt.Sprintf("-policy=%s", privateKeyPolicyName), "-orphan=true", "-period=20m", "-renewable=true", diff --git a/testing/internal/e2e/tests/base_with_vault/target_tcp_vault_generic_connect_test.go b/testing/internal/e2e/tests/base_with_vault/target_tcp_vault_generic_connect_test.go index 13bf233398..fd813a556d 100644 --- a/testing/internal/e2e/tests/base_with_vault/target_tcp_vault_generic_connect_test.go +++ b/testing/internal/e2e/tests/base_with_vault/target_tcp_vault_generic_connect_test.go 
@@ -54,7 +54,7 @@ func TestCliTcpTargetVaultGenericConnectTarget(t *testing.T) { require.NoError(t, err) // Configure vault - boundaryPolicyName, kvPolicyFilePath, _ := vault.Setup(t, "testdata/boundary-controller-policy.hcl") + boundaryPolicyName := vault.SetupForBoundaryController(t, "testdata/boundary-controller-policy.hcl") t.Cleanup(func() { output := e2e.RunCommand(ctx, "vault", e2e.WithArgs("policy", "delete", boundaryPolicyName), @@ -74,11 +74,10 @@ func TestCliTcpTargetVaultGenericConnectTarget(t *testing.T) { }) // Create credential in vault - privateKeySecretName := vault.CreateKvPrivateKeyCredential(t, c.VaultSecretPath, c.TargetSshUser, c.TargetSshKeyPath, kvPolicyFilePath) - kvPolicyName := vault.WritePolicy(t, ctx, kvPolicyFilePath) + privateKeySecretName, privateKeyPolicyName := vault.CreateKvPrivateKeyCredential(t, c.VaultSecretPath, c.TargetSshUser, c.TargetSshKeyPath) t.Cleanup(func() { output := e2e.RunCommand(ctx, "vault", - e2e.WithArgs("policy", "delete", kvPolicyName), + e2e.WithArgs("policy", "delete", privateKeyPolicyName), ) require.NoError(t, output.Err, string(output.Stderr)) }) @@ -90,7 +89,7 @@ func TestCliTcpTargetVaultGenericConnectTarget(t *testing.T) { "token", "create", "-no-default-policy=true", fmt.Sprintf("-policy=%s", boundaryPolicyName), - fmt.Sprintf("-policy=%s", kvPolicyName), + fmt.Sprintf("-policy=%s", privateKeyPolicyName), "-orphan=true", "-period=20m", "-renewable=true", diff --git a/testing/internal/e2e/tests/base_with_worker/target_tcp_worker_connect_ssh_test.go b/testing/internal/e2e/tests/base_with_worker/target_tcp_worker_connect_ssh_test.go index 46fc656525..ed3a55c30d 100644 --- a/testing/internal/e2e/tests/base_with_worker/target_tcp_worker_connect_ssh_test.go +++ b/testing/internal/e2e/tests/base_with_worker/target_tcp_worker_connect_ssh_test.go 
@@ -49,7 +49,7 @@ func TestCliTcpTargetWorkerConnectTarget(t *testing.T) { require.NoError(t, err) // Configure vault - boundaryPolicyName, kvPolicyFilePath, _ := vault.Setup(t, "testdata/boundary-controller-policy.hcl") + boundaryPolicyName := vault.SetupForBoundaryController(t, "testdata/boundary-controller-policy.hcl") t.Cleanup(func() { output := e2e.RunCommand(ctx, "vault", e2e.WithArgs("policy", "delete", boundaryPolicyName), @@ -69,11 +69,10 @@ func TestCliTcpTargetWorkerConnectTarget(t *testing.T) { }) // Create credential in vault - privateKeySecretName := vault.CreateKvPrivateKeyCredential(t, c.VaultSecretPath, c.TargetSshUser, c.TargetSshKeyPath, kvPolicyFilePath) - kvPolicyName := vault.WritePolicy(t, ctx, kvPolicyFilePath) + privateKeySecretName, privateKeyPolicyName := vault.CreateKvPrivateKeyCredential(t, c.VaultSecretPath, c.TargetSshUser, c.TargetSshKeyPath) t.Cleanup(func() { output := e2e.RunCommand(ctx, "vault", - e2e.WithArgs("policy", "delete", kvPolicyName), + e2e.WithArgs("policy", "delete", privateKeyPolicyName), ) require.NoError(t, output.Err, string(output.Stderr)) }) @@ -85,7 +84,7 @@ func TestCliTcpTargetWorkerConnectTarget(t *testing.T) { "token", "create", "-no-default-policy=true", fmt.Sprintf("-policy=%s", boundaryPolicyName), - fmt.Sprintf("-policy=%s", kvPolicyName), + fmt.Sprintf("-policy=%s", privateKeyPolicyName), "-orphan=true", "-period=20m", "-renewable=true", diff --git a/testing/internal/e2e/tests/database/migration_test.go b/testing/internal/e2e/tests/database/migration_test.go index d7f39debb9..96ba59431e 100644 --- a/testing/internal/e2e/tests/database/migration_test.go +++ b/testing/internal/e2e/tests/database/migration_test.go 
@@ -278,22 +278,36 @@ func populateBoundaryDatabase(t testing.TB, ctx context.Context, c *config, te T require.NoError(t, err) // Create vault credentials - boundaryPolicyName, kvPolicyFilePath, _ := vault.Setup(t, "testdata/boundary-controller-policy.hcl") + boundaryPolicyName := vault.SetupForBoundaryController(t, "testdata/boundary-controller-policy.hcl") output := e2e.RunCommand(ctx, "vault", e2e.WithArgs("secrets", "enable", "-path="+c.VaultSecretPath, "kv-v2"), ) require.NoError(t, output.Err, string(output.Stderr)) - privateKeySecretName := vault.CreateKvPrivateKeyCredential(t, c.VaultSecretPath, c.TargetSshUser, c.TargetSshKeyPath, kvPolicyFilePath) - passwordSecretName, _ := vault.CreateKvPasswordCredential(t, c.VaultSecretPath, c.TargetSshUser, kvPolicyFilePath) - kvPolicyName := vault.WritePolicy(t, ctx, kvPolicyFilePath) + privateKeySecretName, privateKeyPolicyName := vault.CreateKvPrivateKeyCredential(t, c.VaultSecretPath, c.TargetSshUser, c.TargetSshKeyPath) + t.Cleanup(func() { + output := e2e.RunCommand(ctx, "vault", + e2e.WithArgs("policy", "delete", privateKeyPolicyName), + ) + require.NoError(t, output.Err, string(output.Stderr)) + }) + + passwordSecretName, passwordPolicyName, _ := vault.CreateKvPasswordCredential(t, c.VaultSecretPath, c.TargetSshUser) + t.Cleanup(func() { + output := e2e.RunCommand(ctx, "vault", + e2e.WithArgs("policy", "delete", passwordPolicyName), + ) + require.NoError(t, output.Err, string(output.Stderr)) + }) t.Log("Created Vault Credential") + output = e2e.RunCommand(ctx, "vault", e2e.WithArgs( "token", "create", "-no-default-policy=true", "-policy="+boundaryPolicyName, - "-policy="+kvPolicyName, + "-policy="+privateKeyPolicyName, + "-policy="+passwordPolicyName, "-orphan=true", "-period=20m", "-renewable=true", diff --git a/testing/internal/e2e/vault/vault.go b/testing/internal/e2e/vault/vault.go index 02c4da4502..f750225f4d 100644 --- a/testing/internal/e2e/vault/vault.go +++ b/testing/internal/e2e/vault/vault.go 
@@ -8,6 +8,7 @@ import (
 "context"
 "fmt"
 "os"
+ "path"
 "path/filepath"
 "strings"
 "testing"
@@ -24,25 +25,15 @@ type CreateTokenResponse struct {
 }
 }
 
-// Setup verifies if appropriate credentials are set and adds the boundary controller
-// policy to vault. Returns the vault address.
-func Setup(t testing.TB, boundaryControllerFilePath string) (boundaryPolicyName, kvPolicyFilePath, ldapPolicyFilePath string) {
+// SetupForBoundaryController verifies if appropriate credentials are set and
+// adds the boundary controller policy to vault. Returns the policy name.
+func SetupForBoundaryController(t testing.TB, boundaryControllerFilePath string) (boundaryPolicyName string) {
 // Set up boundary policy
 boundaryPolicyFilePath, err := filepath.Abs(boundaryControllerFilePath)
 require.NoError(t, err)
- boundaryPolicyName = WritePolicy(t, context.Background(), boundaryPolicyFilePath)
+ boundaryPolicyName = WritePolicy(t, t.Context(), boundaryPolicyFilePath)
 
- // Create kv policy
- kvPolicyFilePath = fmt.Sprintf("%s/%s", t.TempDir(), "kv-policy.hcl")
- _, err = os.Create(kvPolicyFilePath)
- require.NoError(t, err)
-
- // Create ldap policy
- ldapPolicyFilePath = fmt.Sprintf("%s/%s", t.TempDir(), "ldap-policy.hcl")
- _, err = os.Create(ldapPolicyFilePath)
- require.NoError(t, err)
-
- return boundaryPolicyName, kvPolicyFilePath, ldapPolicyFilePath
+ return boundaryPolicyName
 }
 
 // SetupLdap sets a Vault server up for LDAP against an OpenLDAP server. It
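Review bot: The new `"path"` import exists only to build filesystem locations with `path.Join`, while the file already imports `path/filepath` (used for `filepath.Abs` a few lines below in this hunk); `path` is meant for slash-separated names such as URLs, and `filepath.Join` is the OS-correct call for a location under `t.TempDir()`. Suggest dropping the import and writing `vaultLdapPolicyFilePath := filepath.Join(t.TempDir(), "ldap-policy.hcl")` in SetupLdap, with the same substitution for `policyFilePath` in the three CreateKv hunks that follow. Go's `filepath.Join` also cleans the result, so no other behaviour changes.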
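Review bot: The rewritten doc comment says SetupForBoundaryController "verifies if appropriate credentials are set", but the visible body only resolves the policy file path and calls WritePolicy; if any credential check happens it is inside WritePolicy, which is outside this hunk. Since the comment was rewritten anyway, either name where that check happens or trim the claim, e.g. `// SetupForBoundaryController writes the boundary controller policy at` / `// boundaryControllerFilePath to Vault and returns the policy name.` A reader relying on the current wording may skip their own credential check before calling it.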
@@ -52,7 +43,7 @@ func Setup(t testing.TB, boundaryControllerFilePath string) (boundaryPolicyName,
 // clean-up in place to run after a test is complete. When applicable, callers
 // should destroy the Vault LDAP policy and LDAP secrets engine this function
 // creates.
-func SetupLdap(t testing.TB, vaultLdapMountPath, vaultLdapPolicyFilePath, ldapAddr, ldapAdminDn, ldapAdminPw, ldapDn, ldapUser, ldapGroup string) string {
+func SetupLdap(t testing.TB, vaultLdapMountPath, ldapAddr, ldapAdminDn, ldapAdminPw, ldapDn, ldapUser, ldapGroup string) string {
 // Enable LDAP secrets engine.
 output := e2e.RunCommand(t.Context(), "vault",
 e2e.WithArgs("secrets", "enable", fmt.Sprintf("-path=%s", vaultLdapMountPath), "ldap"),
@@ -60,8 +51,10 @@ func SetupLdap(t testing.TB, vaultLdapMountPath, vaultLdapPolicyFilePath, ldapAd
 require.NoError(t, output.Err, string(output.Stderr))
 
 // Define and write LDAP access policy to Vault.
- f, err := os.OpenFile(vaultLdapPolicyFilePath, os.O_APPEND|os.O_WRONLY, 0o644)
+ vaultLdapPolicyFilePath := path.Join(t.TempDir(), "ldap-policy.hcl")
+ f, err := os.Create(vaultLdapPolicyFilePath)
 require.NoError(t, err)
+
 _, err = fmt.Fprintf(f, `
 path "%[1]s/static-cred/%[2]s" {
 capabilities = ["read"]
@@ -148,21 +141,27 @@ func SetupLdap(t testing.TB, vaultLdapMountPath, vaultLdapPolicyFilePath, ldapAd
 return policyName
 }
 
-// CreateKvPrivateKeyCredential creates a private key credential in vault and creates a vault policy
-// to be able to read that credential. Returns the name of the policy.
-func CreateKvPrivateKeyCredential(t testing.TB, secretPath string, user string, keyPath string, kvPolicyFilePath string) string {
+// CreateKvPrivateKeyCredential creates a private key credential in vault and
+// creates a vault policy to be able to read that credential. Returns the secret
+// and policy names. Note that this function does not put any clean-up in place
+// to run after a test is complete. When applicable, callers should destroy the
+// policy and secret this function creates.
+func CreateKvPrivateKeyCredential(t testing.TB, secretPath string, user string, keyPath string) (secretName string, policyName string) {
 secretName, err := base62.Random(16)
 require.NoError(t, err)
 
- // Update policy file
- f, err := os.OpenFile(kvPolicyFilePath, os.O_APPEND|os.O_WRONLY, 0o644)
+ policyFilePath := path.Join(t.TempDir(), fmt.Sprintf("kv-pk-%s-policy.hcl", secretName))
+ f, err := os.Create(policyFilePath)
 require.NoError(t, err)
- _, err = f.WriteString(fmt.Sprintf("path \"%s/data/%s\" { capabilities = [\"read\"] }\n",
+
+ _, err = fmt.Fprintf(f, "path \"%s/data/%s\" { capabilities = [\"read\"] }\n",
 secretPath, secretName,
- ))
+ )
 require.NoError(t, err)
 
+ policyName = WritePolicy(t, t.Context(), policyFilePath)
+
 // Create secret
 output := e2e.RunCommand(context.Background(), "vault",
 e2e.WithArgs(
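Review bot: The added `policyName = WritePolicy(t, t.Context(), policyFilePath)` uses the test context, but two lines later the unchanged `output := e2e.RunCommand(context.Background(), "vault",` in the same function still uses a background context, so the policy write is cancelled with the test while the secret write is not. Suggest `output := e2e.RunCommand(t.Context(), "vault",` here, and the same for the RunCommand calls in CreateKvPasswordCredential and CreateKvPasswordDomainCredential, which sit outside their hunks; if that removes the last use of `context` in the file, the import goes too. The rest of CreateKvPrivateKeyCredential continues past this hunk.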
@@ -175,24 +174,31 @@ func CreateKvPrivateKeyCredential(t testing.TB, secretPath string, user string,
 )
 require.NoError(t, output.Err, string(output.Stderr))
 
- return secretName
+ return secretName, policyName
 }
 
-// CreateKvPasswordCredential creates a username/password credential in vault and creates a vault
-// policy to be able to read that credential. Returns the name of the policy
-func CreateKvPasswordCredential(t testing.TB, secretPath string, user string, kvPolicyFilePath string) (secretName string, password string) {
+// CreateKvPasswordCredential creates a username/password credential in vault
+// and creates a vault policy to be able to read that credential. Returns the
+// secret and policy names as well as the password for the secret. Note that
+// this function does not put any clean-up in place to run after a test is
+// complete. When applicable, callers should destroy the policy and secret this
+// function creates.
+func CreateKvPasswordCredential(t testing.TB, secretPath string, user string) (secretName string, policyName string, password string) {
 secretName, err := base62.Random(16)
 require.NoError(t, err)
 
- // Update policy file
- f, err := os.OpenFile(kvPolicyFilePath, os.O_APPEND|os.O_WRONLY, 0o644)
+ policyFilePath := path.Join(t.TempDir(), fmt.Sprintf("kv-up-%s-policy.hcl", secretName))
+ f, err := os.Create(policyFilePath)
 require.NoError(t, err)
- _, err = f.WriteString(fmt.Sprintf("path \"%s/data/%s\" { capabilities = [\"read\"] }\n",
+
+ _, err = fmt.Fprintf(f, "path \"%s/data/%s\" { capabilities = [\"read\"] }\n",
 secretPath, secretName,
- ))
+ )
 require.NoError(t, err)
 
+ policyName = WritePolicy(t, t.Context(), policyFilePath)
+
 // Create secret
 password, err = base62.Random(16)
 require.NoError(t, err)
@@ -207,24 +213,30 @@ func CreateKvPasswordCredential(t testing.TB, secretPath string, user string, kv
 )
 require.NoError(t, output.Err, string(output.Stderr))
 
- return secretName, password
+ return secretName, policyName, password
 }
 
-// CreateKvPasswordDomainCredential creates a username/password/domain credential in vault and creates a vault
-// policy to be able to read that credential. Returns the name of the policy
-func CreateKvPasswordDomainCredential(t testing.TB, secretPath string, user string, domain string, kvPolicyFilePath string) (secretName string, password string) {
+// CreateKvPasswordDomainCredential creates a username/password/domain
+// credential in vault and creates a vault policy to be able to read that
+// credential. Returns the name of the policy. Note that this function does not
+// put any clean-up in place to run after a test is complete. When applicable,
+// callers should destroy the policy and secret this function creates.
+func CreateKvPasswordDomainCredential(t testing.TB, secretPath string, user string, domain string) (secretName string, policyName string, password string) {
 secretName, err := base62.Random(16)
 require.NoError(t, err)
 
- // Update policy file
- f, err := os.OpenFile(kvPolicyFilePath, os.O_APPEND|os.O_WRONLY, 0o644)
+ policyFilePath := path.Join(t.TempDir(), fmt.Sprintf("kv-upd-%s-policy.hcl", secretName))
+ f, err := os.Create(policyFilePath)
 require.NoError(t, err)
- _, err = f.WriteString(fmt.Sprintf("path \"%s/data/%s\" { capabilities = [\"read\"] }\n",
+
+ _, err = fmt.Fprintf(f, "path \"%s/data/%s\" { capabilities = [\"read\"] }\n",
 secretPath, secretName,
- ))
+ )
 require.NoError(t, err)
 
+ policyName = WritePolicy(t, t.Context(), policyFilePath)
+
 // Create secret
 password, err = base62.Random(16)
 require.NoError(t, err)
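Review bot: The new doc comment on CreateKvPasswordDomainCredential still says `Returns the name of the policy.` although the signature in the same hunk now returns `(secretName string, policyName string, password string)`; the rewritten comment on CreateKvPasswordCredential in the previous hunk describes the same three results correctly, so this one is the odd one out. Suggest replacing that sentence with `// credential. Returns the secret and policy names as well as the password for` / `// the secret. Note that this function does not put any clean-up in place to` and reflowing the remaining lines. The function body continues past the end of this hunk.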
@@ -240,7 +252,7 @@ func CreateKvPasswordDomainCredential(t testing.TB, secretPath string, user stri
 )
 require.NoError(t, output.Err, string(output.Stderr))
 
- return secretName, password
+ return secretName, policyName, password
 }
 
 // WritePolicy adds a policy to vault. Provide a name for the policy that you want to create as well