ansible-collections/community.general
1
0
Fork 0
mirror of https://github.com/ansible-collections/community.general.git synced 2025-06-27 10:40:22 -07:00
Code Issues Projects Releases Packages Wiki Activity Actions 8

Remove hashi_vault plugin, add redirect. (#1566)

Browse source
This commit is contained in:
Felix Fontein 2021-01-04 10:55:14 +01:00 committed by GitHub
parent d12951b9c7
commit ddaad1e650
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
31 changed files with 16 additions and 1332 deletions
Download patch file Download diff file Expand all files Collapse all files

7
tests/integration/targets/lookup_hashi_vault/aliases
View file

@ -1,7 +0,0 @@
shippable/posix/group2
destructive
needs/target/setup_openssl
needs/file/tests/utils/constraints.txt
skip/aix
skip/python2.6 # lookups are controller only, and we no longer support Python 2.6 on the controller
skip/macos # FIXME seems to be always unstable

5
tests/integration/targets/lookup_hashi_vault/lookup_hashi_vault/defaults/main.yml
View file

@ -1,5 +0,0 @@
---
vault_gen_path: 'gen/testproject'
vault_kv1_path: 'kv1/testproject'
vault_kv2_path: 'kv2/data/testproject'
vault_kv2_multi_path: 'kv2/data/testmulti'

27
tests/integration/targets/lookup_hashi_vault/lookup_hashi_vault/files/jwt_private.pem
View file

@ -1,27 +0,0 @@
-----BEGIN RSA PRIVATE KEY-----
MIIEogIBAAKCAQEAnzyis1ZjfNB0bBgKFMSvvkTtwlvBsaJq7S5wA+kzeVOVpVWw
kWdVha4s38XM/pa/yr47av7+z3VTmvDRyAHcaT92whREFpLv9cj5lTeJSibyr/Mr
m/YtjCZVWgaOYIhwrXwKLqPr/11inWsAkfIytvHWTxZYEcXLgAXFuUuaS3uF9gEi
NQwzGTU1v0FqkqTBr4B8nW3HCN47XUu0t8Y0e+lf4s4OxQawWD79J9/5d3Ry0vbV
3Am1FtGJiJvOwRsIfVChDpYStTcHTCMqtvWbV6L11BWkpzGXSW4Hv43qa+GSYOD2
QU68Mb59oSk2OB+BtOLpJofmbGEGgvmwyCI9MwIDAQABAoIBACiARq2wkltjtcjs
kFvZ7w1JAORHbEufEO1Eu27zOIlqbgyAcAl7q+/1bip4Z/x1IVES84/yTaM8p0go
amMhvgry/mS8vNi1BN2SAZEnb/7xSxbflb70bX9RHLJqKnp5GZe2jexw+wyXlwaM
+bclUCrh9e1ltH7IvUrRrQnFJfh+is1fRon9Co9Li0GwoN0x0byrrngU8Ak3Y6D9
D8GjQA4Elm94ST3izJv8iCOLSDBmzsPsXfcCUZfmTfZ5DbUDMbMxRnSo3nQeoKGC
0Lj9FkWcfmLcpGlSXTO+Ww1L7EGq+PT3NtRae1FZPwjddQ1/4V905kyQFLamAA5Y
lSpE2wkCgYEAy1OPLQcZt4NQnQzPz2SBJqQN2P5u3vXl+zNVKP8w4eBv0vWuJJF+
hkGNnSxXQrTkvDOIUddSKOzHHgSg4nY6K02ecyT0PPm/UZvtRpWrnBjcEVtHEJNp
bU9pLD5iZ0J9sbzPU/LxPmuAP2Bs8JmTn6aFRspFrP7W0s1Nmk2jsm0CgYEAyH0X
+jpoqxj4efZfkUrg5GbSEhf+dZglf0tTOA5bVg8IYwtmNk/pniLG/zI7c+GlTc9B
BwfMr59EzBq/eFMI7+LgXaVUsM/sS4Ry+yeK6SJx/otIMWtDfqxsLD8CPMCRvecC
2Pip4uSgrl0MOebl9XKp57GoaUWRWRHqwV4Y6h8CgYAZhI4mh4qZtnhKjY4TKDjx
QYufXSdLAi9v3FxmvchDwOgn4L+PRVdMwDNms2bsL0m5uPn104EzM6w1vzz1zwKz
5pTpPI0OjgWN13Tq8+PKvm/4Ga2MjgOgPWQkslulO/oMcXbPwWC3hcRdr9tcQtn9
Imf9n2spL/6EDFId+Hp/7QKBgAqlWdiXsWckdE1Fn91/NGHsc8syKvjjk1onDcw0
NvVi5vcba9oGdElJX3e9mxqUKMrw7msJJv1MX8LWyMQC5L6YNYHDfbPF1q5L4i8j
8mRex97UVokJQRRA452V2vCO6S5ETgpnad36de3MUxHgCOX3qL382Qx9/THVmbma
3YfRAoGAUxL/Eu5yvMK8SAt/dJK6FedngcM3JEFNplmtLYVLWhkIlNRGDwkg3I5K
y18Ae9n7dHVueyslrb6weq7dTkYDi3iOYRW8HRkIQh06wEdbxt0shTzAJvvCQfrB
jg/3747WSsf/zBTcHihTRBdAv6OmdhV4/dD5YBfLAkLrd+mX7iE=
-----END RSA PRIVATE KEY-----

9
tests/integration/targets/lookup_hashi_vault/lookup_hashi_vault/files/jwt_public.pem
View file

@ -1,9 +0,0 @@
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnzyis1ZjfNB0bBgKFMSv
vkTtwlvBsaJq7S5wA+kzeVOVpVWwkWdVha4s38XM/pa/yr47av7+z3VTmvDRyAHc
aT92whREFpLv9cj5lTeJSibyr/Mrm/YtjCZVWgaOYIhwrXwKLqPr/11inWsAkfIy
tvHWTxZYEcXLgAXFuUuaS3uF9gEiNQwzGTU1v0FqkqTBr4B8nW3HCN47XUu0t8Y0
e+lf4s4OxQawWD79J9/5d3Ry0vbV3Am1FtGJiJvOwRsIfVChDpYStTcHTCMqtvWb
V6L11BWkpzGXSW4Hv43qa+GSYOD2QU68Mb59oSk2OB+BtOLpJofmbGEGgvmwyCI9
MwIDAQAB
-----END PUBLIC KEY-----

1
tests/integration/targets/lookup_hashi_vault/lookup_hashi_vault/files/token.jwt
View file

@ -1 +0,0 @@
eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJ0ZXN0Iiwic3ViIjoiaGFzaGlfdmF1bHRAdGVzdC5hbnNpYmxlLmNvbSIsIm5iZiI6MTYwNDgzNTEwMCwiZXhwIjozMjQ5OTA1MTM1OX0.NEWQR_Eicw8Fa9gU9HPY2M9Rp1czNTUKrICwKe7l1edaZNtgxhMGdyqnBsPrHL_dw1ZIwdvwVAioi8bEyIDEWICls0lzHwM169rrea3WEFrB5CP17A6DkvYL0cnOnGutbwUrXInPCRUfvRogIKEI-w8X-ris9LX2FBPKhXX1K3U0D8uYi5_9t8YWywTe0NkYvY-nTzMugK1MXMoBJ3fCksweJiDp6BOo3v9OU03MLgwgri2UdsqVb7WSk4XvWG-lmbiiSAWVf9BI3mecVDUHpYxbEqjv1HDG_wdX8zy1ZlAFbjp3kIpMlDVK1Q5nu_VPDzQrEvPdTnOzU36LE4UF-w

1
tests/integration/targets/lookup_hashi_vault/lookup_hashi_vault/files/token_invalid.jwt
View file

@ -1 +0,0 @@
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiIxMjM0IiwidXNlcl9jbGFpbSI6InVzZXJfY2xhaW0iLCJuYmYiOjE2MDQ4MzUxMDAsImV4cCI6MzI0OTkwNTEzNTl9.etc2WSH7kR3fHFlVt4wlBYFKNn7Z4DQcRVXUK4gGF-Q

2
tests/integration/targets/lookup_hashi_vault/lookup_hashi_vault/meta/main.yml
View file

@ -1,2 +0,0 @@
dependencies:
- setup_pkg_mgr

19
tests/integration/targets/lookup_hashi_vault/lookup_hashi_vault/tasks/approle_secret_id_less_setup.yml
View file

@ -1,19 +0,0 @@
- name: 'Create an approle policy'
shell: "echo '{{ policy }}' | {{ vault_cmd }} policy write approle-policy-2 -"
vars:
policy: |
path "auth/approle/login" {
capabilities = [ "create", "read" ]
}
- name: 'Enable the AppRole auth method'
command: '{{ vault_cmd }} auth enable approle'
register: enable_approle
failed_when: "enable_approle.rc!=0 and 'path is already in use' not in enable_approle.stderr"
- name: 'Create a named role without secret id'
command: '{{ vault_cmd }} write auth/approle/role/test-role-2 policies="test-policy,approle-policy-2" bind_secret_id=false secret_id_bound_cidrs="0.0.0.0/0"'
- name: 'Fetch the RoleID of the AppRole'
command: '{{ vault_cmd }} read -field=role_id auth/approle/role/test-role-2/role-id'
register: role_id_cmd_2

44
tests/integration/targets/lookup_hashi_vault/lookup_hashi_vault/tasks/approle_secret_id_less_test.yml
View file

@ -1,44 +0,0 @@
- vars:
role_id: '{{ role_id_cmd_2.stdout }}'
block:
- name: 'Fetch secrets using "hashi_vault" lookup'
set_fact:
secret1: "{{ lookup('community.general.hashi_vault', conn_params ~ 'secret=' ~ vault_kv2_path ~ '/secret1 auth_method=approle role_id=' ~ role_id) }}"
secret2: "{{ lookup('community.general.hashi_vault', conn_params ~ 'secret=' ~ vault_kv2_path ~ '/secret2 auth_method=approle role_id=' ~ role_id) }}"
- name: 'Check secret values'
fail:
msg: 'unexpected secret values'
when: secret1['value'] != 'foo1' or secret2['value'] != 'foo2'
- name: 'Failure expected when erroneous credentials are used'
vars:
secret_wrong_cred: "{{ lookup('community.general.hashi_vault', conn_params ~ 'secret=' ~ vault_kv2_path ~ '/secret2 auth_method=approle role_id=foobar') }}"
debug:
msg: 'Failure is expected ({{ secret_wrong_cred }})'
register: test_wrong_cred
ignore_errors: true
- name: 'Failure expected when unauthorized secret is read'
vars:
secret_unauthorized: "{{ lookup('community.general.hashi_vault', conn_params ~ 'secret=' ~ vault_kv2_path ~ '/secret3 auth_method=approle role_id=' ~ role_id) }}"
debug:
msg: 'Failure is expected ({{ secret_unauthorized }})'
register: test_unauthorized
ignore_errors: true
- name: 'Failure expected when inexistent secret is read'
vars:
secret_inexistent: "{{ lookup('community.general.hashi_vault', conn_params ~ 'secret=' ~ vault_kv2_path ~ '/non_existent_secret4 auth_method=approle role_id=' ~ role_id) }}"
debug:
msg: 'Failure is expected ({{ secret_inexistent }})'
register: test_inexistent
ignore_errors: true
- name: 'Check expected failures'
assert:
msg: "an expected failure didn't occur"
that:
- test_wrong_cred is failed
- test_unauthorized is failed
- test_inexistent is failed

21
tests/integration/targets/lookup_hashi_vault/lookup_hashi_vault/tasks/approle_setup.yml
View file

@ -1,21 +0,0 @@
- name: 'Create an approle policy'
command:
cmd: '{{ vault_cmd }} policy write approle-policy -'
stdin: |
path "auth/approle/login" {
capabilities = [ "create", "read" ]
}
- name: 'Enable the AppRole auth method'
command: '{{ vault_cmd }} auth enable approle'
- name: 'Create a named role'
command: '{{ vault_cmd }} write auth/approle/role/test-role policies="test-policy,approle-policy"'
- name: 'Fetch the RoleID of the AppRole'
command: '{{ vault_cmd }} read -field=role_id auth/approle/role/test-role/role-id'
register: role_id_cmd
- name: 'Get a SecretID issued against the AppRole'
command: '{{ vault_cmd }} write -field=secret_id -f auth/approle/role/test-role/secret-id'
register: secret_id_cmd

45
tests/integration/targets/lookup_hashi_vault/lookup_hashi_vault/tasks/approle_test.yml
View file

@ -1,45 +0,0 @@
- vars:
role_id: '{{ role_id_cmd.stdout }}'
secret_id: '{{ secret_id_cmd.stdout }}'
block:
- name: 'Fetch secrets using "hashi_vault" lookup'
set_fact:
secret1: "{{ lookup('community.general.hashi_vault', conn_params ~ 'secret=' ~ vault_kv2_path ~ '/secret1 auth_method=approle secret_id=' ~ secret_id ~ ' role_id=' ~ role_id) }}"
secret2: "{{ lookup('community.general.hashi_vault', conn_params ~ 'secret=' ~ vault_kv2_path ~ '/secret2 auth_method=approle secret_id=' ~ secret_id ~ ' role_id=' ~ role_id) }}"
- name: 'Check secret values'
fail:
msg: 'unexpected secret values'
when: secret1['value'] != 'foo1' or secret2['value'] != 'foo2'
- name: 'Failure expected when erroneous credentials are used'
vars:
secret_wrong_cred: "{{ lookup('community.general.hashi_vault', conn_params ~ 'secret=' ~ vault_kv2_path ~ '/secret2 auth_method=approle secret_id=toto role_id=' ~ role_id) }}"
debug:
msg: 'Failure is expected ({{ secret_wrong_cred }})'
register: test_wrong_cred
ignore_errors: true
- name: 'Failure expected when unauthorized secret is read'
vars:
secret_unauthorized: "{{ lookup('community.general.hashi_vault', conn_params ~ 'secret=' ~ vault_kv2_path ~ '/secret3 auth_method=approle secret_id=' ~ secret_id ~ ' role_id=' ~ role_id) }}"
debug:
msg: 'Failure is expected ({{ secret_unauthorized }})'
register: test_unauthorized
ignore_errors: true
- name: 'Failure expected when inexistent secret is read'
vars:
secret_inexistent: "{{ lookup('community.general.hashi_vault', conn_params ~ 'secret=' ~ vault_kv2_path ~ '/non_existent_secret4 auth_method=approle secret_id=' ~ secret_id ~ ' role_id=' ~ role_id) }}"
debug:
msg: 'Failure is expected ({{ secret_inexistent }})'
register: test_inexistent
ignore_errors: true
- name: 'Check expected failures'
assert:
msg: "an expected failure didn't occur"
that:
- test_wrong_cred is failed
- test_unauthorized is failed
- test_inexistent is failed

18
tests/integration/targets/lookup_hashi_vault/lookup_hashi_vault/tasks/jwt_setup.yml
View file

@ -1,18 +0,0 @@
- name: 'Enable the JWT auth method'
command: '{{ vault_cmd }} auth enable jwt'
- name: 'Configure the JWT auth method'
command: '{{ vault_cmd }} write auth/jwt/config jwt_validation_pubkeys={{ jwt_public_key | quote }}'
vars:
jwt_public_key: '{{ lookup("file", "jwt_public.pem") }}'
- name: 'Create a named role'
command:
cmd: '{{ vault_cmd }} write auth/jwt/role/test-role -'
stdin: |
{
"role_type": "jwt",
"policies": "test-policy",
"user_claim": "sub",
"bound_audiences": "test"
}

46
tests/integration/targets/lookup_hashi_vault/lookup_hashi_vault/tasks/jwt_test.yml
View file

@ -1,46 +0,0 @@
- vars:
role_id: test-role
jwt: '{{ lookup("file", "token.jwt") }}'
jwt_invalid: '{{ lookup("file", "token_invalid.jwt") }}'
block:
- name: 'Fetch secrets using "hashi_vault" lookup'
set_fact:
secret1: "{{ lookup('community.general.hashi_vault', conn_params ~ 'secret=' ~ vault_kv2_path ~ '/secret1 auth_method=jwt jwt=' ~ jwt ~ ' role_id=' ~ role_id) }}"
secret2: "{{ lookup('community.general.hashi_vault', conn_params ~ 'secret=' ~ vault_kv2_path ~ '/secret2 auth_method=jwt jwt=' ~ jwt ~ ' role_id=' ~ role_id) }}"
- name: 'Check secret values'
fail:
msg: 'unexpected secret values'
when: secret1['value'] != 'foo1' or secret2['value'] != 'foo2'
- name: 'Failure expected when erroneous credentials are used'
vars:
secret_wrong_cred: "{{ lookup('community.general.hashi_vault', conn_params ~ 'secret=' ~ vault_kv2_path ~ '/secret2 auth_method=jwt jwt=' ~ jwt_invalid ~ ' role_id=' ~ role_id) }}"
debug:
msg: 'Failure is expected ({{ secret_wrong_cred }})'
register: test_wrong_cred
ignore_errors: true
- name: 'Failure expected when unauthorized secret is read'
vars:
secret_unauthorized: "{{ lookup('community.general.hashi_vault', conn_params ~ 'secret=' ~ vault_kv2_path ~ '/secret3 auth_method=jwt jwt=' ~ jwt ~ ' role_id=' ~ role_id) }}"
debug:
msg: 'Failure is expected ({{ secret_unauthorized }})'
register: test_unauthorized
ignore_errors: true
- name: 'Failure expected when non-existent secret is read'
vars:
secret_inexistent: "{{ lookup('community.general.hashi_vault', conn_params ~ 'secret=' ~ vault_kv2_path ~ '/non_existent_secret4 auth_method=jwt jwt=' ~ jwt ~ ' role_id=' ~ role_id) }}"
debug:
msg: 'Failure is expected ({{ secret_inexistent }})'
register: test_inexistent
ignore_errors: true
- name: 'Check expected failures'
assert:
msg: "an expected failure didn't occur"
that:
- test_wrong_cred is failed
- test_unauthorized is failed
- test_inexistent is failed

188
tests/integration/targets/lookup_hashi_vault/lookup_hashi_vault/tasks/main.yml
View file

@ -1,188 +0,0 @@
---
####################################################################
# WARNING: These are designed specifically for Ansible tests #
# and should not be used as examples of how to write Ansible roles #
####################################################################
- name: Install Hashi Vault on controlled node and test
vars:
vault_version: '0.11.0'
vault_uri: 'https://ansible-ci-files.s3.amazonaws.com/test/integration/targets/lookup_hashi_vault/vault_{{ vault_version }}_{{ ansible_system | lower }}_{{ vault_arch }}.zip'
vault_cmd: '{{ local_temp_dir }}/vault'
block:
- name: Create a local temporary directory
tempfile:
state: directory
register: tempfile_result
- set_fact:
local_temp_dir: '{{ tempfile_result.path }}'
- when: pyopenssl_version.stdout is version('0.15', '>=')
block:
- name: Generate privatekey
community.crypto.openssl_privatekey:
path: '{{ local_temp_dir }}/privatekey.pem'
- name: Generate CSR
community.crypto.openssl_csr:
path: '{{ local_temp_dir }}/csr.csr'
privatekey_path: '{{ local_temp_dir }}/privatekey.pem'
subject:
commonName: localhost
- name: Generate selfsigned certificate
community.crypto.openssl_certificate:
path: '{{ local_temp_dir }}/cert.pem'
csr_path: '{{ local_temp_dir }}/csr.csr'
privatekey_path: '{{ local_temp_dir }}/privatekey.pem'
provider: selfsigned
selfsigned_digest: sha256
register: selfsigned_certificate
- name: 'Install unzip'
package:
name: unzip
when: ansible_distribution != "MacOSX" # unzip already installed
- assert:
# Linux: x86_64, FreeBSD: amd64
that: ansible_architecture in ['i386', 'x86_64', 'amd64']
- set_fact:
vault_arch: '386'
when: ansible_architecture == 'i386'
- set_fact:
vault_arch: amd64
when: ansible_architecture in ['x86_64', 'amd64']
- name: 'Download vault binary'
unarchive:
src: '{{ vault_uri }}'
dest: '{{ local_temp_dir }}'
remote_src: true
- environment:
# used by vault command
VAULT_DEV_ROOT_TOKEN_ID: '47542cbc-6bf8-4fba-8eda-02e0a0d29a0a'
block:
- name: 'Create configuration file'
template:
src: vault_config.hcl.j2
dest: '{{ local_temp_dir }}/vault_config.hcl'
- name: 'Start vault service'
environment:
VAULT_ADDR: 'http://localhost:8200'
block:
- name: 'Start vault server (dev mode enabled)'
shell: 'nohup {{ vault_cmd }} server -dev -config {{ local_temp_dir }}/vault_config.hcl </dev/null >/dev/null 2>&1 &'
- name: 'Create generic secrets engine'
command: '{{ vault_cmd }} secrets enable -path=gen generic'
- name: 'Create KV v1 secrets engine'
command: '{{ vault_cmd }} secrets enable -path=kv1 -version=1 kv'
- name: 'Create KV v2 secrets engine'
command: '{{ vault_cmd }} secrets enable -path=kv2 -version=2 kv'
- name: 'Create a test policy'
command:
cmd: '{{ vault_cmd }} policy write test-policy -'
stdin: |
path "{{ vault_gen_path }}/secret1" {
capabilities = ["read"]
}
path "{{ vault_gen_path }}/secret2" {
capabilities = ["read", "update"]
}
path "{{ vault_gen_path }}/secret3" {
capabilities = ["deny"]
}
path "{{ vault_kv1_path }}/secret1" {
capabilities = ["read"]
}
path "{{ vault_kv1_path }}/secret2" {
capabilities = ["read", "update"]
}
path "{{ vault_kv1_path }}/secret3" {
capabilities = ["deny"]
}
path "{{ vault_kv2_path }}/secret1" {
capabilities = ["read"]
}
path "{{ vault_kv2_path }}/secret2" {
capabilities = ["read", "update"]
}
path "{{ vault_kv2_path }}/secret3" {
capabilities = ["deny"]
}
path "{{ vault_kv2_multi_path }}/secrets" {
capabilities = ["read"]
}
path "{{ vault_kv2_path }}/secret4" {
capabilities = ["read", "update"]
}
- name: 'Create generic secrets'
command: '{{ vault_cmd }} write {{ vault_gen_path }}/secret{{ item }} value=foo{{ item }}'
loop: [1, 2, 3]
- name: 'Create KV v1 secrets'
command: '{{ vault_cmd }} kv put {{ vault_kv1_path }}/secret{{ item }} value=foo{{ item }}'
loop: [1, 2, 3]
- name: 'Create KV v2 secrets'
command: '{{ vault_cmd }} kv put {{ vault_kv2_path | regex_replace("/data") }}/secret{{ item }} value=foo{{ item }}'
loop: [1, 2, 3, 4]
- name: 'Update KV v2 secret4 with new value to create version'
command: '{{ vault_cmd }} kv put {{ vault_kv2_path | regex_replace("/data") }}/secret4 value=foo5'
- name: 'Create multiple KV v2 secrets under one path'
command: '{{ vault_cmd }} kv put {{ vault_kv2_multi_path | regex_replace("/data") }}/secrets value1=foo1 value2=foo2 value3=foo3'
- name: setup approle auth
import_tasks: approle_setup.yml
when: ansible_distribution != 'RedHat' or ansible_distribution_major_version is version('7', '>')
- name: setup approle secret_id_less auth
import_tasks: approle_secret_id_less_setup.yml
when: ansible_distribution != 'RedHat' or ansible_distribution_major_version is version('7', '>')
- name: setup token auth
import_tasks: token_setup.yml
- name: setup jwt auth
import_tasks: jwt_setup.yml
when: ansible_distribution != 'RedHat' or ansible_distribution_major_version is version('7', '>')
- import_tasks: tests.yml
vars:
auth_type: approle
when: ansible_distribution != 'RedHat' or ansible_distribution_major_version is version('7', '>')
- import_tasks: tests.yml
vars:
auth_type: approle_secret_id_less
when: ansible_distribution != 'RedHat' or ansible_distribution_major_version is version('7', '>')
- import_tasks: tests.yml
vars:
auth_type: token
- import_tasks: tests.yml
vars:
auth_type: jwt
when: ansible_distribution != 'RedHat' or ansible_distribution_major_version is version('7', '>')
always:
- name: 'Kill vault process'
shell: "kill $(cat {{ local_temp_dir }}/vault.pid)"
ignore_errors: true
always:
- name: 'Delete temp dir'
file:
path: '{{ local_temp_dir }}'
state: absent

76
tests/integration/targets/lookup_hashi_vault/lookup_hashi_vault/tasks/tests.yml
View file

@ -1,76 +0,0 @@
- name: 'test {{ auth_type }} auth without SSL (lookup parameters)'
include_tasks: '{{ auth_type }}_test.yml'
vars:
conn_params: 'url=http://localhost:8200 '
- name: 'test {{ auth_type }} auth without SSL (environment variable)'
include_tasks: '{{ auth_type }}_test.yml'
args:
apply:
vars:
conn_params: ''
environment:
VAULT_ADDR: 'http://localhost:8200'
- when: pyopenssl_version.stdout is version('0.15', '>=')
block:
- name: 'test {{ auth_type }} auth with certs (validation enabled, lookup parameters)'
include_tasks: '{{ auth_type }}_test.yml'
vars:
conn_params: 'url=https://localhost:8201 ca_cert={{ local_temp_dir }}/cert.pem validate_certs=True '
- name: 'test {{ auth_type }} auth with certs (validation enabled, environment variables)'
include_tasks: '{{ auth_type }}_test.yml'
args:
apply:
vars:
conn_params: ''
environment:
VAULT_ADDR: 'https://localhost:8201'
VAULT_CACERT: '{{ local_temp_dir }}/cert.pem'
- name: 'test {{ auth_type }} auth with certs (validation disabled, lookup parameters)'
include_tasks: '{{ auth_type }}_test.yml'
vars:
conn_params: 'url=https://localhost:8201 validate_certs=False '
- name: 'test {{ auth_type }} auth with certs (validation using env VAR, lookup parameters)'
include_tasks: '{{ auth_type }}_test.yml'
args:
apply:
vars:
conn_params: ''
environment:
VAULT_ADDR: 'https://localhost:8201'
VAULT_SKIP_VERIFY: 1
- name: 'test {{ auth_type }} auth with certs (validation using env VAR (True), lookup parameters)'
include_tasks: '{{ auth_type }}_test.yml'
args:
apply:
vars:
conn_params: ''
environment:
VAULT_ADDR: 'https://localhost:8201'
VAULT_SKIP_VERIFY: True
- name: 'test {{ auth_type }} auth with certs (validation using env VAR (y), lookup parameters)'
include_tasks: '{{ auth_type }}_test.yml'
args:
apply:
vars:
conn_params: ''
environment:
VAULT_ADDR: 'https://localhost:8201'
VAULT_SKIP_VERIFY: y
- name: 'test {{ auth_type }} auth with certs (precedence of validate_certs over env VAR, lookup parameters)'
include_tasks: '{{ auth_type }}_test.yml'
args:
apply:
vars:
conn_params: 'validate_certs=False '
environment:
VAULT_ADDR: 'https://localhost:8201'
VAULT_SKIP_VERIFY: False

3
tests/integration/targets/lookup_hashi_vault/lookup_hashi_vault/tasks/token_setup.yml
View file

@ -1,3 +0,0 @@
- name: 'Create a test credentials (token)'
command: '{{ vault_cmd }} token create -policy test-policy -field token'
register: user_token_cmd

88
tests/integration/targets/lookup_hashi_vault/lookup_hashi_vault/tasks/token_test.yml
View file

@ -1,88 +0,0 @@
- vars:
user_token: '{{ user_token_cmd.stdout }}'
block:
- name: 'Fetch secrets using "hashi_vault" lookup'
set_fact:
gen_secret1: "{{ lookup('community.general.hashi_vault', conn_params ~ 'secret=' ~ vault_gen_path ~ '/secret1 auth_method=token token=' ~ user_token) }}"
gen_secret2: "{{ lookup('community.general.hashi_vault', conn_params ~ 'secret=' ~ vault_gen_path ~ '/secret2 token=' ~ user_token) }}"
kv1_secret1: "{{ lookup('community.general.hashi_vault', conn_params ~ 'secret=' ~ vault_kv1_path ~ '/secret1 auth_method=token token=' ~ user_token) }}"
kv1_secret2: "{{ lookup('community.general.hashi_vault', conn_params ~ 'secret=' ~ vault_kv1_path ~ '/secret2 token=' ~ user_token) }}"
kv2_secret1: "{{ lookup('community.general.hashi_vault', conn_params ~ 'secret=' ~ vault_kv2_path ~ '/secret1 auth_method=token token=' ~ user_token) }}"
kv2_secret2: "{{ lookup('community.general.hashi_vault', conn_params ~ 'secret=' ~ vault_kv2_path ~ '/secret2 token=' ~ user_token) }}"
kv2_secret4: "{{ lookup('community.general.hashi_vault', conn_params ~ 'secret=' ~ vault_kv2_path ~ '/secret4?version=2 token=' ~ user_token) }}"
kv2_secret2_as_raw: "{{ lookup('community.general.hashi_vault', vault_kv2_path ~ '/secret2 ' ~ conn_params, auth_method='token', token=user_token, return_format='raw') }}"
kv2_secrets_as_dict: "{{ lookup('community.general.hashi_vault', vault_kv2_multi_path ~ '/secrets ' ~ conn_params, auth_method='token', token=user_token) }}"
kv2_secrets_as_values: "{{ query('community.general.hashi_vault', vault_kv2_multi_path ~ '/secrets ' ~ conn_params, auth_method='token', token=user_token, return_format='values') }}"
- name: 'Check secret generic values'
fail:
msg: 'unexpected secret values'
when: gen_secret1['value'] != 'foo1' or gen_secret2['value'] != 'foo2'
- name: 'Check secret kv1 values'
fail:
msg: 'unexpected secret values'
when: kv1_secret1['value'] != 'foo1' or kv1_secret2['value'] != 'foo2'
- name: 'Check secret kv2 values'
fail:
msg: 'unexpected secret values'
when: kv2_secret1['value'] != 'foo1' or kv2_secret2['value'] != 'foo2' or kv2_secret4['value'] != 'foo5'
- name: 'Check kv2 secret raw return value'
fail:
msg:
when: >-
'data' not in kv2_secret2_as_raw
or 'data' not in kv2_secret2_as_raw['data']
or 'metadata' not in kv2_secret2_as_raw['data']
- name: "Check multiple secrets as dict"
fail:
msg: 'Return value was not dict or items do not match.'
when: (kv2_secrets_as_dict | type_debug != 'dict') or (kv2_secrets_as_dict['value{{ item }}'] != 'foo{{ item }}')
loop: [1, 2, 3]
- name: "Check multiple secrets as values"
fail:
msg: 'Return value was not list or items do not match.'
when: (kv2_secrets_as_values | type_debug != 'list') or ('foo{{ item }}' not in kv2_secrets_as_values)
loop: [1, 2, 3]
- name: "Check multiple secrets as dict"
fail:
msg: 'Return value was not dict or items do not match.'
when: (kv2_secrets_as_dict | type_debug != 'dict') or (kv2_secrets_as_dict['value{{ item }}'] != 'foo{{ item }}')
loop: [1, 2, 3]
- name: 'Failure expected when erroneous credentials are used'
vars:
secret_wrong_cred: "{{ lookup('community.general.hashi_vault', conn_params ~ 'secret=' ~ vault_kv2_path ~ '/secret2 auth_method=token token=wrong_token') }}"
debug:
msg: 'Failure is expected ({{ secret_wrong_cred }})'
register: test_wrong_cred
ignore_errors: true
- name: 'Failure expected when unauthorized secret is read'
vars:
secret_unauthorized: "{{ lookup('community.general.hashi_vault', conn_params ~ 'secret=' ~ vault_kv2_path ~ '/secret3 token=' ~ user_token) }}"
debug:
msg: 'Failure is expected ({{ secret_unauthorized }})'
register: test_unauthorized
ignore_errors: true
- name: 'Failure expected when inexistent secret is read'
vars:
secret_inexistent: "{{ lookup('community.general.hashi_vault', conn_params ~ 'secret=' ~ vault_kv2_path ~ '/non_existent_secret4 token=' ~ user_token) }}"
debug:
msg: 'Failure is expected ({{ secret_inexistent }})'
register: test_inexistent
ignore_errors: true
- name: 'Check expected failures'
assert:
msg: "an expected failure didn't occur"
that:
- test_wrong_cred is failed
- test_unauthorized is failed
- test_inexistent is failed

10
tests/integration/targets/lookup_hashi_vault/lookup_hashi_vault/templates/vault_config.hcl.j2
View file

@ -1,10 +0,0 @@
# {{ ansible_managed }}
pid_file = "{{ local_temp_dir }}/vault.pid"
{% if pyopenssl_version.stdout is version('0.15', '>=') %}
listener "tcp" {
tls_key_file = "{{ local_temp_dir }}/privatekey.pem"
tls_cert_file = "{{ local_temp_dir }}/cert.pem"
tls_disable = false
address = "localhost:8201"
}
{% endif %}

19
tests/integration/targets/lookup_hashi_vault/playbooks/install_dependencies.yml
View file

@ -1,19 +0,0 @@
- hosts: localhost
tasks:
- name: Install openssl
import_role:
name: setup_openssl
- name: "RedHat <= 7, select last version compatible with request 2.6.0 (this version doesn't support approle or jwt auth)"
set_fact:
hvac_package: 'hvac==0.2.5'
when: ansible_distribution == 'RedHat' and ansible_distribution_major_version is version('7', '<=')
- name: 'CentOS < 7, select last version compatible with Python 2.6'
set_fact:
hvac_package: 'hvac==0.5.0'
when: ansible_distribution == 'CentOS' and ansible_distribution_major_version is version('7', '<')
- name: 'Install hvac Python package'
pip:
name: "{{ hvac_package|default('hvac') }}"

9
tests/integration/targets/lookup_hashi_vault/playbooks/test_lookup_hashi_vault.yml
View file

@ -1,9 +0,0 @@
- hosts: localhost
tasks:
- name: register pyOpenSSL version
command: "{{ ansible_python.executable }} -c 'import OpenSSL; print(OpenSSL.__version__)'"
register: pyopenssl_version
- name: Test lookup hashi_vault
import_role:
name: lookup_hashi_vault/lookup_hashi_vault

23
tests/integration/targets/lookup_hashi_vault/runme.sh
View file

@ -1,23 +0,0 @@
#!/usr/bin/env bash
set -eux
# First install pyOpenSSL, then test lookup in a second playbook in order to
# workaround this error which occurs on OS X 10.11 only:
#
# TASK [lookup_hashi_vault : test token auth with certs (validation enabled, lookup parameters)] ***
# included: lookup_hashi_vault/tasks/token_test.yml for testhost
#
# TASK [lookup_hashi_vault : Fetch secrets using "hashi_vault" lookup] ***
# From cffi callback <function _verify_callback at 0x106f995f0>:
# Traceback (most recent call last):
# File "/usr/local/lib/python2.7/site-packages/OpenSSL/SSL.py", line 309, in wrapper
# _lib.X509_up_ref(x509)
# AttributeError: 'module' object has no attribute 'X509_up_ref'
# fatal: [testhost]: FAILED! => { "msg": "An unhandled exception occurred while running the lookup plugin 'hashi_vault'. Error was a <class 'requests.exceptions.SSLError'>, original message: HTTPSConnectionPool(host='localhost', port=8201): Max retries exceeded with url: /v1/auth/token/lookup-self (Caused by SSLError(SSLError(\"bad handshake: Error([('SSL routines', 'ssl3_get_server_certificate', 'certificate verify failed')],)\",),))"}
ANSIBLE_ROLES_PATH=../ \
ansible-playbook playbooks/install_dependencies.yml -v "$@"
ANSIBLE_ROLES_PATH=../ \
ansible-playbook playbooks/test_lookup_hashi_vault.yml -v "$@"