Vault 29181 plugin testing poc with enos

.gitignore

@@ -41,6 +41,9 @@ website/build
 .vagrant/
 Vagrantfile
 
+# Configs
+*.hcl
+
 .DS_Store
 .idea
 .vscode
@@ -78,6 +81,10 @@ tmp/
 
 scripts/custom.sh
 
+# enos
+/enos/.enos/*
+/enos/enos*.vars.hcl
+
 **/.terraform/*
 .terraform.lock.hcl
 *.tfstate

Makefile

@@ -7,9 +7,69 @@ ifndef $(GOPATH)
     GOPATH=$(shell go env GOPATH)
     export GOPATH
 endif
-PLUGIN_DIR ?= $$GOPATH/vault-plugins
+PLUGIN_DIR ?= $(GOPATH)/vault-plugins
 PLUGIN_PATH ?= local-secrets-ldap
 
+# env vars
+
+#setup ldap server:
+LDAP_DOMAIN ?= example.com
+LDAP_ORG ?= example
+LDAP_ADMIN_PW ?= adminpassword
+IMAGE_TAG ?= 1.3.0
+LDAP_HOST ?= 127.0.0.1
+LDAP_PORT ?= 389
+LDIF_PATH ?= $(PWD)/bootstrap/ldif/seed.ldif
+
+#configure ldap plugin
+MAKEFILE_DIR ?= $(PWD)
+PLUGIN_SOURCE_TYPE ?= local_build
+PLUGIN_DIR_VAULT ?= /etc/vault/plugins
+LDAP_URL ?= ldap://127.0.0.1:389
+LDAP_BIND_DN ?= cn=admin,dc=example,dc=com
+LDAP_BIND_PASS ?= adminpassword
+LDAP_USER_DN ?= ou=users,dc=example,dc=com
+LDAP_SCHEMA ?= openldap
+
+#plugin endpoints tests
+ROTATION_PERIOD ?= 10
+ROTATION_WINDOW ?= 3600
+LDAP_DN ?= uid=mary.smith,ou=users,dc=example,dc=com
+LDAP_USERNAME ?= mary.smith
+LDAP_OLD_PASSWORD ?= defaultpassword
+LDIF_PATH ?= $(PWD)/enos/modules/dynamic_role_crud_api/ldif
+LDAP_BASE_DN ?= dc=example,dc=com
+LIBRARY_SET_NAME ?= staticuser bob.johnson mary.smith
+SERVICE_ACCOUNT_NAMES ?= dev-team
+
+export LDAP_DOMAIN
+export LDAP_ORG
+export LDAP_ADMIN_PW
+export IMAGE_TAG
+export LDAP_PORT
+export PLUGIN_DIR
+export PLUGIN_NAME
+export PLUGIN_PATH
+export PLUGIN_SOURCE_TYPE
+export MAKEFILE_DIR
+export PLUGIN_DIR_VAULT
+export LDAP_URL
+export LDAP_BIND_DN
+export LDAP_BIND_PASS
+export LDAP_USER_DN
+export LDAP_SCHEMA
+export LDIF_PATH
+export LDAP_HOST
+export ROTATION_PERIOD
+export ROTATION_WINDOW
+export LDAP_DN
+export LDAP_USERNAME
+export LDAP_OLD_PASSWORD
+export LDIF_PATH
+export LDAP_BASE_DN
+export LIBRARY_SET_NAME
+export SERVICE_ACCOUNT_NAMES
+
 .PHONY: default
 default: dev
 
@@ -48,8 +108,58 @@ fmtcheck:
 fmt:
 	gofumpt -l -w .
 
-configure: dev
-	./bootstrap/configure.sh \
-	$(PLUGIN_DIR) \
-	$(PLUGIN_NAME) \
-	$(PLUGIN_PATH)
+.PHONY: setup-env
+setup-env:
+	cd bootstrap && ./setup-openldap.sh
+
+.PHONY: plugin-build
+plugin-build:
+	cd enos/modules/build_local && ./scripts/plugin-build.sh
+
+.PHONY: plugin-register
+plugin-register:
+	cd enos/modules/setup_plugin && \
+	PLUGIN_BINARY_SRC="$(PLUGIN_DIR)/$(PLUGIN_NAME)" ./scripts/plugin-register.sh
+
+.PHONY: plugin-enable
+plugin-enable:
+	cd enos/modules/setup_plugin && ./scripts/plugin-enable.sh
+
+.PHONY: plugin-configure
+plugin-configure:
+	cd enos/modules/configure_plugin/ldap && ./scripts/plugin-configure.sh
+
+.PHONY: configure
+configure: plugin-build plugin-register plugin-enable plugin-configure
+
+.PHONY: teardown-env
+teardown-env:
+	cd bootstrap && ./teardown-env.sh
+
+.PHONY: manual-root-rotation-test
+manual-root-rotation-test:
+	cd enos/modules/root_rotation_manual && ./scripts/test-root-rotation-manual.sh
+
+.PHONY: periodic-root-rotation-test
+periodic-root-rotation-test:
+	cd enos/modules/root_rotation_period && ./scripts/test-root-rotation-period.sh
+
+.PHONY: scheduled-root-rotation-test
+scheduled-root-rotation-test:
+	cd enos/modules/root_rotation_schedule && ./scripts/test-root-rotation-schedule.sh
+
+.PHONY: static-role-test
+static-role-test:
+	ROLE_NAME=mary cd enos/modules/static_role_crud_api && ./scripts/static-role.sh
+
+.PHONY: dynamic-role-test
+dynamic-role-test:
+	ROLE_NAME=adam cd enos/modules/dynamic_role_crud_api && ./scripts/dynamic-role.sh
+
+.PHONY: library-test
+library-test:
+	cd enos/modules/library_crud_api && ./scripts/library.sh
+
+.PHONY: teardown-env
+teardown-env:
+	cd bootstrap && ./teardown-env.sh

bootstrap/ldif/seed.ldif

@@ -0,0 +1,41 @@
+# Define Organizational Units
+dn: ou=groups,dc=example,dc=com
+objectClass: organizationalUnit
+ou: groups
+
+dn: ou=users,dc=example,dc=com
+objectClass: organizationalUnit
+ou: users
+
+dn: cn=dev,ou=groups,dc=example,dc=com
+objectClass: groupOfUniqueNames
+cn: dev
+uniqueMember: cn=staticuser,ou=users,dc=example,dc=com
+uniqueMember: cn=bob.johnson,ou=users,dc=example,dc=com
+uniqueMember: cn=mary.smith,ou=users,dc=example,dc=com
+description: Development group
+
+# Add users for static role rotation
+dn: uid=staticuser,ou=users,dc=example,dc=com
+objectClass: inetOrgPerson
+cn: staticuser
+sn: staticuser
+uid: staticuser
+memberOf: cn=dev,ou=groups,dc=example,dc=com
+userPassword: defaultpassword
+
+dn: uid=bob.johnson,ou=users,dc=example,dc=com
+objectClass: inetOrgPerson
+cn: bob.johnson
+sn: bob.johnson
+uid: bob.johnson
+memberOf: cn=dev,ou=groups,dc=example,dc=com
+userPassword: defaultpassword
+
+dn: uid=mary.smith,ou=users,dc=example,dc=com
+objectClass: inetOrgPerson
+cn: mary.smith
+sn: mary.smith
+uid: mary.smith
+memberOf: cn=dev,ou=groups,dc=example,dc=com
+userPassword: defaultpassword

bootstrap/setup-openldap.sh

@@ -0,0 +1,66 @@
+#!/usr/bin/env bash
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: MPL-2.0
+
+set -e
+
+fail() {
+  echo "$1" 1>&2
+  exit 1
+}
+
+[[ -z "$LDAP_DOMAIN" ]] && fail "LDAP_DOMAIN env variable has not been set"
+[[ -z "$LDAP_ORG" ]] && fail "LDAP_ORG env variable has not been set"
+[[ -z "$LDAP_ADMIN_PW" ]] && fail "LDAP_ADMIN_PW env variable has not been set"
+[[ -z "$IMAGE_TAG" ]] && fail "IMAGE_TAG env variable has not been set"
+[[ -z "$LDAP_PORT" ]] && fail "LDAP_PORT env variable has not been set"
+[[ -z "$LDIF_PATH" ]] && fail "LDIF_PATH env variable has not been set"
+
+LDAP_HOSTNAME="${LDAP_HOSTNAME:-openldap}"
+
+# Determine container runtime: prefer podman if installed, allow override via CONTAINER_RUNTIME
+if [[ -n "$CONTAINER_RUNTIME" ]]; then
+  RUNTIME="$CONTAINER_RUNTIME"
+elif command -v podman >/dev/null 2>&1; then
+  RUNTIME="sudo podman"
+else
+  RUNTIME="sudo docker"
+fi
+
+echo "Using container runtime: $RUNTIME"
+
+# Pulling image
+echo "Pulling image: ${LDAP_DOCKER_NAME}"
+LDAP_DOCKER_NAME="docker.io/osixia/openldap:${IMAGE_TAG}"
+${RUNTIME} pull "${LDAP_DOCKER_NAME}"
+
+# Run OpenLDAP container
+echo "Starting OpenLDAP container..."
+${RUNTIME} run -d \
+  --name openldap \
+  --hostname "${LDAP_HOSTNAME}" \
+  -p "${LDAP_PORT}:${LDAP_PORT}" \
+  -p 1636:636 \
+  -e LDAP_ORGANISATION="${LDAP_ORG}" \
+  -e LDAP_DOMAIN="${LDAP_DOMAIN}" \
+  -e LDAP_ADMIN_PASSWORD="${LDAP_ADMIN_PW}" \
+  "${LDAP_DOCKER_NAME}"
+
+echo "OpenLDAP server is now running in container!"
+
+# Wait for the container to be up and running
+echo "Waiting for OpenLDAP to start..."
+sleep 5
+
+# Check container status
+status=$(${RUNTIME} ps --filter name=openldap --format "{{.Status}}")
+if [[ -n "$status" ]]; then
+  echo "OpenLDAP container is running. Status: $status"
+else
+  echo "OpenLDAP container is NOT running!"
+  echo "Check logs with: ${RUNTIME} logs openldap"
+  exit 1
+fi
+
+# Run ldapadd inside the container
+${RUNTIME} exec -i openldap ldapadd -x -w "${LDAP_ADMIN_PW}" -D "cn=admin,dc=${LDAP_DOMAIN//./,dc=}" -f /dev/stdin < "${LDIF_PATH}"

bootstrap/teardown-env.sh

@@ -0,0 +1,33 @@
+#!/usr/bin/env bash
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: MPL-2.0
+
+set -e
+
+fail() {
+  echo "$1" 1>&2
+  exit 1
+}
+
+[[ -z "$PLUGIN_NAME" ]] && fail "PLUGIN_NAME env variable has not been set"
+[[ -z "$PLUGIN_DIR" ]] && fail "PLUGIN_DIR env variable has not been set"
+
+MAKEFILE_DIR="${MAKEFILE_DIR:-$(pwd)}"
+PROJECT_BIN_DIR="${MAKEFILE_DIR}/bin"
+
+echo "[teardown] Stopping and removing openldap docker container if it exists..."
+docker rm -f openldap 2>/dev/null || echo "[teardown] No openldap container found."
+
+# Remove from bin directory
+if [ -f "${PROJECT_BIN_DIR}/${PLUGIN_NAME}" ]; then
+  echo "[teardown] Removing existing plugin at ${PROJECT_BIN_DIR}/${PLUGIN_NAME}"
+  rm -f "${PROJECT_BIN_DIR}/${PLUGIN_NAME}"
+fi
+
+# Remove from destination directory
+if [ -f "${PLUGIN_DIR}/${PLUGIN_NAME}" ]; then
+  echo "[teardown] Removing existing plugin at ${PLUGIN_DIR}/${PLUGIN_NAME}"
+  rm -f "${PLUGIN_DIR}/${PLUGIN_NAME}"
+fi
+
+echo "[teardown] Teardown complete."

enos/Makefile

@@ -0,0 +1,48 @@
+VAULT_VERSION=$$(cat $(CURDIR)/../version/VERSION)
+
+.PHONY: default
+default: check-fmt shellcheck
+
+.PHONY: check-fmt
+check-fmt: check-fmt-enos check-fmt-modules check-shfmt
+
+.PHONY: fmt
+fmt: fmt-enos fmt-modules shfmt
+
+.PHONY: check-fmt-enos
+check-fmt-enos:
+	enos fmt --check --diff .
+	enos fmt --check --diff ./k8s
+
+.PHONY: fmt-enos
+fmt-enos:
+	enos fmt .
+	enos fmt ./k8s
+
+.PHONY: check-fmt-modules
+check-fmt-modules:
+	terraform fmt -check -diff -recursive ./modules
+
+.PHONY: fmt-modules
+fmt-modules:
+	terraform fmt -diff -recursive ./modules
+
+.PHONY: validate-enos
+validate-enos:
+	enos scenario validate --timeout 30m0s --chdir ./k8s
+	enos scenario validate --timeout 30m0s
+
+.PHONY: lint
+lint: check-fmt check-fmt-modules check-shfmt shellcheck validate-enos
+
+.PHONY: shellcheck
+shellcheck:
+	find ./modules/ -type f -name '*.sh' | xargs shellcheck
+
+.PHONY: shfmt
+shfmt:
+	find ./modules/ -type f -name '*.sh' | xargs shfmt -l -w -i 2 -bn -ci -kp -sr
+
+.PHONY: check-shfmt
+check-shfmt:
+	find ./modules/ -type f -name '*.sh' | xargs shfmt -l -d -i 2 -bn -ci -kp -sr