backport of commit 403720c (#30720)

Co-authored-by: Luis (LT) Carbonell <[email protected]>

Author: hc-github-team-secure-vault-core

enos/enos-modules.hcl

@@ -306,7 +306,6 @@ module "vault_verify_removed_node_shim" {
   vault_install_dir = var.vault_install_dir
 }
 
-
 module "vault_verify_secrets_engines_create" {
   source = "./modules/verify_secrets_engines/modules/create"
 

enos/enos-qualities.hcl

@@ -602,6 +602,11 @@ quality "vault_secrets_kv_write" {
   description = "Vault kv secrets engine data is writable"
 }
 
+
+quality "vault_secrets_ldap_write_config" {
+  description = "The Vault LDAP secrets engine is configured with the correct settings"
+}
+
 quality "vault_service_restart" {
   description = "Vault restarts with existing configuration"
 }

enos/enos-scenario-agent.hcl

@@ -6,7 +6,7 @@ scenario "agent" {
     The agent scenario verifies Vault when running in Agent mode. The build can be a local branch,
     any CRT built Vault artifact saved to the local machine, or any CRT built Vault artifact in the
     stable channel in Artifactory.
-    
+
     The scenario creates a new Vault Cluster using the candidate build and then runs the same Vault
     build in Agent mode and verifies behavior against the Vault cluster. The scenario also performs
     standard baseline verification that is not specific to the Agent mode deployment.
@@ -22,10 +22,10 @@ scenario "agent" {
       - vault_build_date*
       - vault_product_version
       - vault_revision*
-    
+
     * If you don't already know what build date and revision you should be using, see
     https://eng-handbook.hashicorp.services/internal-tools/enos/troubleshooting/#execution-error-expected-vs-got-for-vault-versioneditionrevisionbuild-date.
-  
+
     Variables required for some scenario variants:
       - artifactory_username (if using `artifact_source:artifactory` in your filter)
       - artifactory_token (if using `artifact_source:artifactory` in your filter)
@@ -502,6 +502,7 @@ scenario "agent" {
       quality.vault_mount_auth,
       quality.vault_mount_kv,
       quality.vault_secrets_kv_write,
+      quality.vault_secrets_ldap_write_config,
     ]
 
     variables {

enos/enos-scenario-autopilot.hcl

@@ -24,10 +24,10 @@ scenario "autopilot" {
       - vault_build_date*
       - vault_product_version
       - vault_revision*
-    
+
     * If you don't already know what build date and revision you should be using, see
     https://eng-handbook.hashicorp.services/internal-tools/enos/troubleshooting/#execution-error-expected-vs-got-for-vault-versioneditionrevisionbuild-date.
-  
+
     Variables required for some scenario variants:
       - artifactory_username (if using `artifact_source:artifactory` in your filter)
       - artifactory_token (if using `artifact_source:artifactory` in your filter)
@@ -370,6 +370,7 @@ scenario "autopilot" {
       quality.vault_mount_auth,
       quality.vault_mount_kv,
       quality.vault_secrets_kv_write,
+      quality.vault_secrets_ldap_write_config,
     ]
 
     variables {

enos/enos-scenario-dr-replication.hcl

@@ -27,10 +27,10 @@ scenario "dr_replication" {
       - vault_build_date*
       - vault_product_version
       - vault_revision*
-    
+
     * If you don't already know what build date and revision you should be using, see
     https://eng-handbook.hashicorp.services/internal-tools/enos/troubleshooting/#execution-error-expected-vs-got-for-vault-versioneditionrevisionbuild-date.
-  
+
     Variables required for some scenario variants:
       - artifactory_username (if using `artifact_source:artifactory` in your filter)
       - artifactory_token (if using `artifact_source:artifactory` in your filter)
@@ -702,6 +702,7 @@ scenario "dr_replication" {
       quality.vault_mount_auth,
       quality.vault_mount_kv,
       quality.vault_secrets_kv_write,
+      quality.vault_secrets_ldap_write_config,
     ]
 
     variables {

enos/enos-scenario-pr-replication.hcl

@@ -27,10 +27,10 @@ scenario "pr_replication" {
       - vault_build_date*
       - vault_product_version
       - vault_revision*
-    
+
     * If you don't already know what build date and revision you should be using, see
     https://eng-handbook.hashicorp.services/internal-tools/enos/troubleshooting/#execution-error-expected-vs-got-for-vault-versioneditionrevisionbuild-date.
-  
+
     Variables required for some scenario variants:
       - artifactory_username (if using `artifact_source:artifactory` in your filter)
       - artifactory_token (if using `artifact_source:artifactory` in your filter)
@@ -724,6 +724,7 @@ scenario "pr_replication" {
       quality.vault_mount_auth,
       quality.vault_mount_kv,
       quality.vault_secrets_kv_write,
+      quality.vault_secrets_ldap_write_config,
     ]
 
     variables {

enos/enos-scenario-proxy.hcl

@@ -22,7 +22,7 @@ scenario "proxy" {
     - vault_build_date*
     - vault_product_version
     - vault_revision*
-  
+
   * If you don't already know what build date and revision you should be using, see
   https://eng-handbook.hashicorp.services/internal-tools/enos/troubleshooting/#execution-error-expected-vs-got-for-vault-versioneditionrevisionbuild-date.
 
@@ -479,6 +479,7 @@ scenario "proxy" {
       quality.vault_mount_auth,
       quality.vault_mount_kv,
       quality.vault_secrets_kv_write,
+      quality.vault_secrets_ldap_write_config,
     ]
 
     variables {

enos/enos-scenario-seal-ha.hcl

@@ -25,10 +25,10 @@ scenario "seal_ha" {
       - vault_build_date*
       - vault_product_version
       - vault_revision*
-    
+
     * If you don't already know what build date and revision you should be using, see
     https://eng-handbook.hashicorp.services/internal-tools/enos/troubleshooting/#execution-error-expected-vs-got-for-vault-versioneditionrevisionbuild-date.
-  
+
     Variables required for some scenario variants:
       - artifactory_username (if using `artifact_source:artifactory` in your filter)
       - artifactory_token (if using `artifact_source:artifactory` in your filter)
@@ -461,6 +461,7 @@ scenario "seal_ha" {
       quality.vault_mount_auth,
       quality.vault_mount_kv,
       quality.vault_secrets_kv_write,
+      quality.vault_secrets_ldap_write_config,
     ]
 
     variables {

enos/enos-scenario-smoke.hcl

@@ -21,10 +21,10 @@ scenario "smoke" {
       - vault_build_date*
       - vault_product_version
       - vault_revision*
-    
+
     * If you don't already know what build date and revision you should be using, see
     https://eng-handbook.hashicorp.services/internal-tools/enos/troubleshooting/#execution-error-expected-vs-got-for-vault-versioneditionrevisionbuild-date.
-  
+
     Variables required for some scenario variants:
       - artifactory_username (if using `artifact_source:artifactory` in your filter)
       - artifactory_token (if using `artifact_source:artifactory` in your filter)
@@ -582,6 +582,7 @@ scenario "smoke" {
       quality.vault_mount_auth,
       quality.vault_mount_kv,
       quality.vault_secrets_kv_write,
+      quality.vault_secrets_ldap_write_config,
     ]
 
     variables {

enos/enos-scenario-upgrade.hcl

@@ -22,10 +22,10 @@ scenario "upgrade" {
       - vault_build_date*
       - vault_product_version
       - vault_revision*
-    
+
     * If you don't already know what build date and revision you should be using, see
     https://eng-handbook.hashicorp.services/internal-tools/enos/troubleshooting/#execution-error-expected-vs-got-for-vault-versioneditionrevisionbuild-date.
-  
+
     Variables required for some scenario variants:
       - artifactory_username (if using `artifact_source:artifactory` in your filter)
       - artifactory_token (if using `artifact_source:artifactory` in your filter)
@@ -420,6 +420,7 @@ scenario "upgrade" {
       quality.vault_mount_auth,
       quality.vault_mount_kv,
       quality.vault_secrets_kv_write,
+      quality.vault_secrets_ldap_write_config,
     ]
 
     variables {

enos/modules/verify_secrets_engines/modules/create/auth.tf

@@ -8,6 +8,8 @@ locals {
   user_password      = "passtestuser1" # auth/userpass/login/passtestuser1
   user_policy_name   = "reguser"       # sys/policy/reguser
 
+  auth_ldap_path = "ldap" # auth/ldap
+
   // Response data
   user_login_data = jsondecode(enos_remote_exec.auth_login_testuser.stdout)
   sys_auth_data   = jsondecode(enos_remote_exec.read_sys_auth.stdout).data
@@ -143,3 +145,86 @@ resource "enos_remote_exec" "auth_login_testuser" {
     }
   }
 }
+
+# Enable ldap auth
+resource "enos_remote_exec" "auth_enable_ldap" {
+  environment = {
+    AUTH_METHOD       = "ldap"
+    AUTH_PATH         = local.auth_ldap_path
+    VAULT_ADDR        = var.vault_addr
+    VAULT_TOKEN       = var.vault_root_token
+    VAULT_INSTALL_DIR = var.vault_install_dir
+  }
+
+  scripts = [abspath("${path.module}/../../scripts/auth-enable.sh")]
+
+  transport = {
+    ssh = {
+      host = var.leader_host.public_ip
+    }
+  }
+}
+
+# Write the initial ldap config
+# This is a one time write to the leader node.
+resource "enos_remote_exec" "auth_write_ldap_config" {
+  depends_on = [
+    enos_remote_exec.auth_enable_ldap
+  ]
+
+  environment = {
+    AUTH_PATH         = local.auth_ldap_path
+    GROUPATTR         = "memberOf"
+    GROUPDN           = "CN=Users,DC=corp,DC=example,DC=net"
+    INSECURE_TLS      = "true"
+    POLICIES          = local.auth_ldap_path
+    UPNDOMAIN         = "corp.example.net"
+    URL               = "ldaps://ldap.example.com"
+    USERATTR          = "sAMAccountName"
+    USERDN            = "CN=Users,DC=corp,DC=example,DC=net"
+    VAULT_ADDR        = var.vault_addr
+    VAULT_INSTALL_DIR = var.vault_install_dir
+    VAULT_TOKEN       = var.vault_root_token
+  }
+
+  scripts = [abspath("${path.module}/../../scripts/auth-ldap-write.sh")]
+
+  transport = {
+    ssh = {
+      host = var.leader_host.public_ip
+    }
+  }
+}
+
+# Update the ldap config on all nodes
+# This ensures that a write to the non-leader nodes will not panic.
+resource "enos_remote_exec" "auth_update_ldap_config" {
+  depends_on = [
+    enos_remote_exec.auth_enable_ldap
+  ]
+
+  for_each = var.hosts
+
+  environment = {
+    AUTH_PATH         = local.auth_ldap_path
+    GROUPATTR         = "memberOf"
+    GROUPDN           = "CN=Users,DC=corp,DC=example,DC=net"
+    INSECURE_TLS      = "true"
+    POLICIES          = local.auth_ldap_path
+    UPNDOMAIN         = "corp.example.net"
+    URL               = "ldaps://ldap2.example.com"
+    USERATTR          = "sAMAccountName"
+    USERDN            = "CN=Users,DC=corp,DC=example,DC=net"
+    VAULT_ADDR        = var.vault_addr
+    VAULT_INSTALL_DIR = var.vault_install_dir
+    VAULT_TOKEN       = var.vault_root_token
+  }
+
+  scripts = [abspath("${path.module}/../../scripts/auth-ldap-write.sh")]
+
+  transport = {
+    ssh = {
+      host = each.value.public_ip
+    }
+  }
+}

enos/modules/verify_secrets_engines/scripts/auth-ldap-write.sh

@@ -0,0 +1,36 @@
+#!/usr/bin/env bash
+# Copyright (c) HashiCorp, Inc.
+# SPDX-License-Identifier: BUSL-1.1
+
+set -e
+
+fail() {
+  echo "$1" 1>&2
+  exit 1
+}
+
+[[ -z "$AUTH_PATH" ]] && fail "AUTH_PATH env variable has not been set"
+[[ -z "$GROUPATTR" ]] && fail "GROUPATTR env variable has not been set"
+[[ -z "$GROUPDN" ]] && fail "GROUPDN env variable has not been set"
+[[ -z "$INSECURE_TLS" ]] && fail "INSECURE_TLS env variable has not been set"
+[[ -z "$UPNDOMAIN" ]] && fail "UPNDOMAIN env variable has not been set"
+[[ -z "$URL" ]] && fail "URL env variable has not been set"
+[[ -z "$USERATTR" ]] && fail "USERATTR env variable has not been set"
+[[ -z "$USERDN" ]] && fail "USERDN env variable has not been set"
+
+[[ -z "$VAULT_ADDR" ]] && fail "VAULT_ADDR env variable has not been set"
+[[ -z "$VAULT_INSTALL_DIR" ]] && fail "VAULT_INSTALL_DIR env variable has not been set"
+[[ -z "$VAULT_TOKEN" ]] && fail "VAULT_TOKEN env variable has not been set"
+
+binpath=${VAULT_INSTALL_DIR}/vault
+test -x "$binpath" || fail "unable to locate vault binary at $binpath"
+
+export VAULT_FORMAT=json
+"$binpath" write "auth/$AUTH_PATH/config" \
+    url="$URL" \
+    userdn="$USERDN" \
+    userattr="$USERATTR" \
+    groupdn="$GROUPDN" \
+    groupattr="$GROUPATTR" \
+    upndomain="$UPNDOMAIN" \
+    insecure_tls="$INSECURE_TLS"