adding godaddy tests

Author: tvo0813

enos/modules/verify_secrets_engines/modules/read/ldap.tf

@@ -10,6 +10,8 @@ resource "enos_remote_exec" "ldap_verify_configs" {
 
   environment = {
     MOUNT             = "${var.create_state.ldap.ldap_mount}"
+    LDAP_SERVER       = "${var.create_state.ldap.host.private_ip}"
+    LDAP_PORT         = "${var.create_state.ldap.port}"
     LDAP_USERNAME     = "${var.create_state.ldap.username}"
     LDAP_ADMIN_PW     = "${var.create_state.ldap.pw}"
     VAULT_ADDR        = var.vault_addr

enos/modules/verify_secrets_engines/scripts/ldap-configs.sh

@@ -33,18 +33,29 @@ cat << EOF > ${GROUP_LDIF}
 dn: ou=users,dc=$LDAP_USERNAME,dc=com
 objectClass: organizationalUnit
 ou: users
+
+dn: ou=groups,dc=$LDAP_USERNAME,dc=com
+objectClass: organizationalUnit
+ou: groups
 EOF
 ldapadd -x -H "ldap://${LDAP_SERVER}:${LDAP_PORT}" -D "cn=admin,dc=${LDAP_USERNAME},dc=com" -w "${LDAP_ADMIN_PW}" -f ${GROUP_LDIF}
 
 echo "OpenLDAP: Creating User LDIF file and adding user to LDAP"
 USER_LDIF="user.ldif"
 cat << EOF > ${USER_LDIF}
+# User: enos
 dn: uid=$LDAP_USERNAME,ou=users,dc=$LDAP_USERNAME,dc=com
 objectClass: inetOrgPerson
-sn: user
+sn: $LDAP_USERNAME
 cn: $LDAP_USERNAME user
 uid: $LDAP_USERNAME
 userPassword: $LDAP_ADMIN_PW
+
+# Group: devs
+dn: cn=devs,ou=groups,dc=$LDAP_USERNAME,dc=com
+objectClass: groupOfNames
+cn: devs
+member: uid=$LDAP_USERNAME,ou=users,dc=$LDAP_USERNAME,dc=com
 EOF
 ldapadd -x -H "ldap://${LDAP_SERVER}:${LDAP_PORT}" -D "cn=admin,dc=${LDAP_USERNAME},dc=com" -w "${LDAP_ADMIN_PW}" -f ${USER_LDIF}
 
@@ -62,7 +73,6 @@ echo "Vault: Creating ldap auth and creating auth/ldap/config route"
   insecure_tls=true
 
 echo "Vault: Updating ldap auth and creating auth/ldap/config route"
-"$binpath" auth enable "${MOUNT}" > /dev/null 2>&1 || echo "Warning: Vault ldap auth already enabled"
 "$binpath" write "auth/${MOUNT}/config" \
   url="ldap://${LDAP_SERVER}:${LDAP_PORT}" \
   binddn="cn=admin,dc=${LDAP_USERNAME},dc=com" \
@@ -81,5 +91,17 @@ path "secret/data/*" {
   capabilities = ["read", "list"]
 }
 EOF
-"$binpath" policy write reader "${VAULT_LDAP_POLICY}"
-"$binpath" write "auth/${MOUNT}/users/${LDAP_USERNAME}" policies="reader"
+LDAP_READER_POLICY="reader-policy"
+"$binpath" policy write ${LDAP_READER_POLICY} "${VAULT_LDAP_POLICY}"
+"$binpath" write "auth/${MOUNT}/users/${LDAP_USERNAME}" policies="${LDAP_READER_POLICY}"
+
+echo "Vault: Creating Vault Policy for LDAP DEV and assigning user to policy"
+VAULT_LDAP_DEV_POLICY="ldap_dev.hcl"
+cat << EOF > ${VAULT_LDAP_DEV_POLICY}
+path "secret/data/dev/*" {
+  capabilities = ["read", "list"]
+}
+EOF
+LDAP_DEV_POLICY="dev-policy"
+"$binpath" policy write ${LDAP_DEV_POLICY} "${VAULT_LDAP_DEV_POLICY}"
+"$binpath" write "auth/${MOUNT}/groups/devs" policies="${LDAP_DEV_POLICY}"

enos/modules/verify_secrets_engines/scripts/ldap-verify-configs

@@ -10,6 +10,8 @@ fail() {
 }
 
 [[ -z "$MOUNT" ]] && fail "MOUNT env variable has not been set"
+[[ -z "$LDAP_SERVER" ]] && fail "LDAP_SERVER env variable has not been set"
+[[ -z "$LDAP_PORT" ]] && fail "LDAP_PORT env variable has not been set"
 [[ -z "$LDAP_USERNAME" ]] && fail "LDAP_USERNAME env variable has not been set"
 [[ -z "$LDAP_ADMIN_PW" ]] && fail "LDAP_ADMIN_PW env variable has not been set"
 [[ -z "$VAULT_ADDR" ]] && fail "VAULT_ADDR env variable has not been set"
@@ -21,5 +23,19 @@ test -x "$binpath" || fail "unable to locate vault binary at $binpath"
 
 export VAULT_FORMAT=json
 
-# Authenticate Using LDAP
-"$binpath" login -method=${MOUNT} username=${LDAP_USERNAME} password=${LDAP_ADMIN_PW}
+# Verifying LDAP Server Configs
+LDAP_UID=$(ldapsearch -x -LLL -H "ldap://${LDAP_SERVER}:${LDAP_PORT}" -b "dc=${LDAP_USERNAME},dc=com" -D "cn=admin,dc=${LDAP_USERNAME},dc=com" -w "${LDAP_ADMIN_PW}" "(uid=${LDAP_USERNAME})" 2>/dev/null)
+[[ -z "$LDAP_UID" ]] && fail "Could not search ldap server for uid: ${LDAP_USERNAME}"
+
+# Authenticate Using Vault LDAP login
+VAULT_LDAP_LOGIN=$("$binpath" login -method=${MOUNT} username=${LDAP_USERNAME} password=${LDAP_ADMIN_PW})
+
+# Verifying Vault LDAP Login Token
+VAULT_LDAP_TOKEN=$(echo $VAULT_LDAP_LOGIN | jq -r ".auth.client_token")
+[[ -z "$VAULT_LDAP_TOKEN" ]] && fail "Vault LDAP could not log in correctly: ${VAULT_LDAP_TOKEN}"
+
+# Verifying Vault LDAP Policies
+VAULT_POLICY_COUNT=$(echo $VAULT_LDAP_LOGIN | jq -r ".auth.policies | length")
+[[ -z "$VAULT_POLICY_COUNT" ]] && fail "Vault LDAP number of policies does not look correct: ${VAULT_POLICY_COUNT}"
+
+echo "${VAULT_LDAP_LOGIN}"