[VAULT-30189] enos: verify identity and OIDC tokens (#28274)

* [VAULT-30189] enos: verify identity and OIDC tokens

Expand our baseline API and data verification by including the identity
and identity OIDC tokens secrets engines. We now create a test entity,
entity-alias, identity group, various policies, and associate them with
the entity. For the OIDC side, we now configure the OIDC issuer, create
and rotate named keys, create and associate roles with the named key,
and issue and introspect tokens.

During a second phase we also verify that the those some entities,
groups, keys, roles, config, etc all exist with the expected values.
This is useful to test durability after upgrades, migrations, etc.

This change also includes new updates our prior `auth/userpass` and `kv`
verification. We had two modules that were loosely coupled and
interdependent. This restructures those both into a singular module with
child modules and fixes the assumed values by requiring the read module
to verify against the created state.

Going forward we can continue to extend this secrets engine verification
module with additional create and read checks for new secrets engines.

Signed-off-by: Ryan Cragun <[email protected]>

enos/Makefile

@@ -2,10 +2,10 @@
 default: check-fmt shellcheck
 
 .PHONY: check-fmt
-check-fmt: check-fmt-enos check-fmt-modules
+check-fmt: check-fmt-enos check-fmt-modules check-shfmt
 
 .PHONY: fmt
-fmt: fmt-enos fmt-modules
+fmt: fmt-enos fmt-modules shfmt
 
 .PHONY: check-fmt-enos
 check-fmt-enos:

enos/enos-descriptions.hcl

@@ -126,12 +126,6 @@ globals {
       'await-server-removal'.
     EOF
 
-    verify_read_test_data = <<-EOF
-      Verify that we are able to read test data we've written in prior steps. This includes:
-        - Auth user policies
-        - Kv data
-    EOF
-
     verify_replication_status = <<-EOF
       Verify that the default replication status is correct depending on the edition of Vault that
       been deployed. When testing a Community Edition of Vault we'll ensure that replication is not
@@ -163,12 +157,22 @@ globals {
       Vault's reported seal type matches our configuration.
     EOF
 
-    verify_write_test_data = <<-EOF
-      Verify that vault is capable mounting engines and writing data to them. These currently include:
-        - Mount the auth engine
-        - Mount the kv engine
-        - Write auth user policies
-        - Write kv data
+    verify_secrets_engines_create = <<-EOF
+      Verify that Vault is capable mounting, configuring, and using various secrets engines and auth
+      methods. These currently include:
+        - v1/auth/userpass/*
+        - v1/identity/*
+        - v1/kv/*
+        - v1/sys/policy/*
+    EOF
+
+    verify_secrets_engines_read = <<-EOF
+      Verify that data that we've created previously is still valid, consistent, and duarable.
+      This includes:
+        - v1/auth/userpass/*
+        - v1/identity/*
+        - v1/kv/*
+        - v1/sys/policy/*
     EOF
 
     verify_ui = <<-EOF

enos/enos-dev-scenario-pr-replication.hcl

@@ -722,7 +722,7 @@ scenario "dev_pr_replication" {
     description = <<-EOF
       Enable the auth userpass method and create a new user.
     EOF
-    module      = module.vault_verify_write_data
+    module      = module.vault_verify_secrets_engines_create
     depends_on  = [step.get_primary_cluster_ips]
 
 

enos/enos-modules.hcl

@@ -281,46 +281,39 @@ module "vault_verify_dr_replication" {
   vault_install_dir = var.vault_install_dir
 }
 
-module "vault_verify_raft_auto_join_voter" {
-  source = "./modules/vault_verify_raft_auto_join_voter"
+module "vault_verify_secrets_engines_create" {
+  source = "./modules/verify_secrets_engines/modules/create"
 
-  vault_install_dir       = var.vault_install_dir
-  vault_cluster_addr_port = global.ports["vault_cluster"]["port"]
+  vault_install_dir = var.vault_install_dir
 }
 
+module "vault_verify_secrets_engines_read" {
+  source = "./modules/verify_secrets_engines/modules/read"
+
+  vault_install_dir = var.vault_install_dir
+}
 
 module "vault_verify_default_lcq" {
   source = "./modules/vault_verify_default_lcq"
 
   vault_autopilot_default_max_leases = "300000"
 }
 
-module "vault_verify_replication" {
-  source = "./modules/vault_verify_replication"
-}
-
-module "vault_verify_read_data" {
-  source = "./modules/vault_verify_read_data"
-
-  vault_install_dir = var.vault_install_dir
-}
-
 module "vault_verify_performance_replication" {
   source = "./modules/vault_verify_performance_replication"
 
   vault_install_dir = var.vault_install_dir
 }
 
-module "vault_verify_version" {
-  source = "./modules/vault_verify_version"
+module "vault_verify_raft_auto_join_voter" {
+  source = "./modules/vault_verify_raft_auto_join_voter"
 
-  vault_install_dir = var.vault_install_dir
+  vault_install_dir       = var.vault_install_dir
+  vault_cluster_addr_port = global.ports["vault_cluster"]["port"]
 }
 
-module "vault_verify_write_data" {
-  source = "./modules/vault_verify_write_data"
-
-  vault_install_dir = var.vault_install_dir
+module "vault_verify_replication" {
+  source = "./modules/vault_verify_replication"
 }
 
 module "vault_verify_ui" {
@@ -339,6 +332,12 @@ module "vault_verify_unsealed" {
   vault_install_dir = var.vault_install_dir
 }
 
+module "vault_verify_version" {
+  source = "./modules/vault_verify_version"
+
+  vault_install_dir = var.vault_install_dir
+}
+
 module "vault_wait_for_leader" {
   source = "./modules/vault_wait_for_leader"
 
@@ -364,3 +363,4 @@ module "vault_verify_billing_start_date" {
   vault_instance_count    = var.vault_instance_count
   vault_cluster_addr_port = global.ports["vault_cluster"]["port"]
 }
+

enos/enos-qualities.hcl

@@ -72,8 +72,79 @@ quality "vault_agent_log_template" {
   description = global.description.verify_agent_output
 }
 
+quality "vault_api_auth_userpass_login_write" {
+  description = "The v1/auth/userpass/login/<user> Vault API creates a token for a user"
+}
+
+quality "vault_api_auth_userpass_user_write" {
+  description = "The v1/auth/userpass/users/<user> Vault API associates a policy with a user"
+}
+
+quality "vault_api_identity_entity_read" {
+  description = <<-EOF
+    The v1/identity/entity Vault API returns an identity entity, has the correct metadata, and is
+    associated with the expected entity-alias, groups, and policies
+  EOF
+}
+
+quality "vault_api_identity_entity_write" {
+  description = "The v1/identity/entity Vault API creates an identity entity"
+}
+
+quality "vault_api_identity_entity_alias_write" {
+  description = "The v1/identity/entity-alias Vault API creates an identity entity alias"
+}
+
+quality "vault_api_identity_group_write" {
+  description = "The v1/identity/group/<group> Vault API creates an identity group"
+}
+
+quality "vault_api_identity_oidc_config_read" {
+  description = <<-EOF
+    The v1/identity/oidc/config Vault API returns the built-in identity secrets engine configuration
+  EOF
+}
+
+quality "vault_api_identity_oidc_config_write" {
+  description = "The v1/identity/oidc/config Vault API configures the built-in identity secrets engine"
+}
+
+quality "vault_api_identity_oidc_introspect_write" {
+  description = "The v1/identity/oidc/introspect Vault API creates introspect verifies the active state of a signed OIDC token"
+}
+
+quality "vault_api_identity_oidc_key_read" {
+  description = <<-EOF
+    The v1/identity/oidc/key Vault API returns the OIDC signing key and verifies the key's algorithm,
+    rotation_period, and verification_ttl are correct
+  EOF
+}
+
+quality "vault_api_identity_oidc_key_write" {
+  description = "The v1/identity/oidc/key Vault API creates an OIDC signing key"
+}
+
+quality "vault_api_identity_oidc_key_rotate_write" {
+  description = "The v1/identity/oidc/key/<name>/rotate Vault API rotates an OIDC signing key and applies a new verification TTL"
+}
+
+quality "vault_api_identity_oidc_role_read" {
+  description = <<-EOF
+    The v1/identity/oidc/role Vault API returns the OIDC role and verifies that the roles key and
+    ttl are corect.
+  EOF
+}
+
+quality "vault_api_identity_oidc_role_write" {
+  description = "The v1/identity/oidc/role Vault API creates an OIDC role associated with a key and clients"
+}
+
+quality "vault_api_identity_oidc_token_read" {
+  description = "The v1/identity/oidc/token Vault API creates an OIDC token associated with a role"
+}
+
 quality "vault_api_sys_auth_userpass_user_write" {
-  description = "The v1/sys/auth/userpass/users/<user> Vault API associates a policy with a user"
+  description = "The v1/sys/auth/userpass/users/<user> Vault API associates a superuser policy with a user"
 }
 
 quality "vault_api_sys_config_read" {
@@ -110,7 +181,7 @@ quality "vault_api_sys_metrics_vault_core_replication_write_undo_logs_enabled" {
 }
 
 quality "vault_api_sys_policy_write" {
-  description = "The v1/sys/policy Vault API writes a superuser policy"
+  description = "The v1/sys/policy Vault API writes a policy"
 }
 
 quality "vault_api_sys_quotas_lease_count_read_max_leases_default" {
@@ -435,6 +506,10 @@ quality "vault_mount_auth" {
   description = "Vault mounts the auth engine"
 }
 
+quality "vault_mount_identity" {
+  description = "Vault mounts the identity engine"
+}
+
 quality "vault_mount_kv" {
   description = "Vault mounts the kv engine"
 }
@@ -487,10 +562,6 @@ quality "vault_seal_pkcs11" {
   description = "Vault auto-unseals with the pkcs11 seal"
 }
 
-quality "vault_secrets_auth_user_policy_write" {
-  description = "Vault creates auth user policies with the root token"
-}
-
 quality "vault_secrets_kv_read" {
   description = "Vault kv secrets engine data is readable"
 }

enos/enos-scenario-agent.hcl

@@ -455,20 +455,32 @@ scenario "agent" {
     }
   }
 
-  step "verify_write_test_data" {
-    description = global.description.verify_write_test_data
-    module      = module.vault_verify_write_data
+  step "verify_secrets_engines_create" {
+    description = global.description.verify_secrets_engines_create
+    module      = module.vault_verify_secrets_engines_create
     depends_on  = [step.verify_vault_unsealed]
 
     providers = {
       enos = local.enos_provider[matrix.distro]
     }
 
     verifies = [
-      quality.vault_secrets_auth_user_policy_write,
-      quality.vault_secrets_kv_write,
+      quality.vault_api_auth_userpass_login_write,
+      quality.vault_api_auth_userpass_user_write,
+      quality.vault_api_identity_entity_write,
+      quality.vault_api_identity_entity_alias_write,
+      quality.vault_api_identity_group_write,
+      quality.vault_api_identity_oidc_config_write,
+      quality.vault_api_identity_oidc_introspect_write,
+      quality.vault_api_identity_oidc_key_write,
+      quality.vault_api_identity_oidc_key_rotate_write,
+      quality.vault_api_identity_oidc_role_write,
+      quality.vault_api_identity_oidc_token_read,
+      quality.vault_api_sys_auth_userpass_user_write,
+      quality.vault_api_sys_policy_write,
       quality.vault_mount_auth,
       quality.vault_mount_kv,
+      quality.vault_secrets_kv_write,
     ]
 
     variables {
@@ -523,21 +535,29 @@ scenario "agent" {
     }
   }
 
-  step "verify_read_test_data" {
-    description = global.description.verify_read_test_data
-    module      = module.vault_verify_read_data
+  step "verify_secrets_engines_read" {
+    description = global.description.verify_secrets_engines_read
+    module      = module.vault_verify_secrets_engines_read
     depends_on = [
-      step.verify_write_test_data,
+      step.verify_secrets_engines_create,
       step.verify_replication
     ]
 
     providers = {
       enos = local.enos_provider[matrix.distro]
     }
 
-    verifies = quality.vault_secrets_kv_read
+    verifies = [
+      quality.vault_api_auth_userpass_login_write,
+      quality.vault_api_identity_entity_read,
+      quality.vault_api_identity_oidc_config_read,
+      quality.vault_api_identity_oidc_key_read,
+      quality.vault_api_identity_oidc_role_read,
+      quality.vault_secrets_kv_read
+    ]
 
     variables {
+      create_state      = step.verify_secrets_engines_create.state
       hosts             = step.get_vault_cluster_ips.follower_hosts
       vault_addr        = step.create_vault_cluster.api_addr_localhost
       vault_install_dir = global.vault_install_dir[matrix.artifact_type]
@@ -606,6 +626,11 @@ scenario "agent" {
     value       = step.create_vault_cluster.recovery_keys_hex
   }
 
+  output "secrets_engines_state" {
+    description = "The state of configured secrets engines"
+    value       = step.verify_secrets_engines_create.state
+  }
+
   output "seal_attributes" {
     description = "The Vault cluster seal attributes"
     value       = step.create_seal_key.attributes