
Commit c0d2f67

Merge pull request #26 from grapl-security/cm/more-details
Output the Vault image ID and version for visibility / debugging
2 parents 2f92b19 + 8b53a43 commit c0d2f67


2 files changed

+65
-21
lines changed


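--- a/hooks/environment
+++ b/hooks/environment
@@ -69,6 +69,10 @@ maybe_pull_image
 
 echo "--- :vault: Login to ${VAULT_ADDR}"
 echo "Using Docker image: ${image}"
+echo "Image ID: $(docker inspect "${image}" --format="{{ index .RepoDigests 0 }}")"
+# Don't bother with a `log_and_run` here; it would just clutter up
+# this information display
+echo "Vault Version: $(vault --version)"
 echo "VAULT_ADDR=${VAULT_ADDR}"
 echo "VAULT_NAMESPACE=${VAULT_NAMESPACE}"
 # TODO: add in the `header_value` as well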
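Review bot: `index .RepoDigests 0` on new line 72 raises a template error whenever the image carries no registry digest — a locally built image, or an image that is not yet present locally if `maybe_pull_image` only pulls under always-pull, as the test names suggest — and because the substitution sits inside `echo`'s argument list its non-zero status is masked, so the hook silently prints `Image ID: ` with docker's error on stderr. Since the point of the line is to record exactly which image performed the Vault login, a fallback to the content-addressed ID keeps it informative: `--format='{{ if .RepoDigests }}{{ index .RepoDigests 0 }}{{ else }}{{ .Id }}{{ end }}'`. Worth a one-line comment that this reports what the local daemon holds and is a debugging aid, not a verification; pinning the configured image by digest is what would make it a control. The hook's top-level code continues outside this hunk on both sides.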

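--- a/tests/environment.bats
+++ b/tests/environment.bats
@@ -37,8 +37,11 @@ teardown() {
 [ -n "${VAULT_NAMESPACE}" ]
 unset BUILDKITE_PLUGIN_VAULT_LOGIN_NAMESPACE
 
+docker_vault_cmd="run --init --rm --env=SKIP_SETCAP=true --env=VAULT_ADDR=${VAULT_ADDR} --env=VAULT_NAMESPACE=${VAULT_NAMESPACE} -- ${DEFAULT_IMAGE}:${DEFAULT_TAG}"
 stub docker \
-"run --init --rm --env=SKIP_SETCAP=true --env=VAULT_ADDR=${VAULT_ADDR} --env=VAULT_NAMESPACE=${VAULT_NAMESPACE} -- ${DEFAULT_IMAGE}:${DEFAULT_TAG} login -method=aws -token-only role=default : echo 'THIS_IS_YOUR_VAULT_TOKEN'"
+"inspect ${DEFAULT_IMAGE}:${DEFAULT_TAG} --format='{{ index .RepoDigests 0 }}' : echo 'fake image ID'" \
+"${docker_vault_cmd} --version : echo 'Vault v6.6.6 (The Secrets Manager of the Beast)'" \
+"${docker_vault_cmd} login -method=aws -token-only role=default : echo 'THIS_IS_YOUR_VAULT_TOKEN'"
 
 run "${PWD}/hooks/environment"
 assert_success
@@ -49,8 +52,11 @@ teardown() {
 @test "VAULT_ADDR is overridden in the presence of an explicitly configured address" {
 export BUILDKITE_PLUGIN_VAULT_LOGIN_ADDRESS=override.vault.mycompany.com:8200
 
+docker_vault_cmd="run --init --rm --env=SKIP_SETCAP=true --env=VAULT_ADDR=override.vault.mycompany.com:8200 --env=VAULT_NAMESPACE=${VAULT_NAMESPACE} -- ${DEFAULT_IMAGE}:${DEFAULT_TAG}"
 stub docker \
-"run --init --rm --env=SKIP_SETCAP=true --env=VAULT_ADDR=override.vault.mycompany.com:8200 --env=VAULT_NAMESPACE=${VAULT_NAMESPACE} -- ${DEFAULT_IMAGE}:${DEFAULT_TAG} login -method=aws -token-only role=default : echo 'THIS_IS_YOUR_VAULT_TOKEN'"
+"inspect ${DEFAULT_IMAGE}:${DEFAULT_TAG} --format='{{ index .RepoDigests 0 }}' : echo 'fake image ID'" \
+"${docker_vault_cmd} --version : echo 'Vault v6.6.6 (The Secrets Manager of the Beast)'" \
+"${docker_vault_cmd} login -method=aws -token-only role=default : echo 'THIS_IS_YOUR_VAULT_TOKEN'"
 
 run "${PWD}/hooks/environment"
 assert_success
@@ -72,8 +78,11 @@ teardown() {
 @test "VAULT_NAMESPACE is overridden in the presence of an explicitly configured namespace" {
 export BUILDKITE_PLUGIN_VAULT_LOGIN_NAMESPACE=override_namespace
 
+docker_vault_cmd="run --init --rm --env=SKIP_SETCAP=true --env=VAULT_ADDR=${VAULT_ADDR} --env=VAULT_NAMESPACE=override_namespace -- ${DEFAULT_IMAGE}:${DEFAULT_TAG}"
 stub docker \
-"run --init --rm --env=SKIP_SETCAP=true --env=VAULT_ADDR=${VAULT_ADDR} --env=VAULT_NAMESPACE=override_namespace -- ${DEFAULT_IMAGE}:${DEFAULT_TAG} login -method=aws -token-only role=default : echo 'THIS_IS_YOUR_VAULT_TOKEN'"
+"inspect ${DEFAULT_IMAGE}:${DEFAULT_TAG} --format='{{ index .RepoDigests 0 }}' : echo 'fake image ID'" \
+"${docker_vault_cmd} --version : echo 'Vault v6.6.6 (The Secrets Manager of the Beast)'" \
+"${docker_vault_cmd} login -method=aws -token-only role=default : echo 'THIS_IS_YOUR_VAULT_TOKEN'"
 
 run "${PWD}/hooks/environment"
 assert_success
@@ -94,8 +103,11 @@ teardown() {
 @test "The image can be overridden" {
 export BUILDKITE_PLUGIN_VAULT_LOGIN_IMAGE=mycompany/vault
 
+docker_vault_cmd="run --init --rm --env=SKIP_SETCAP=true --env=VAULT_ADDR=${VAULT_ADDR} --env=VAULT_NAMESPACE=${VAULT_NAMESPACE} -- mycompany/vault:${DEFAULT_TAG}"
 stub docker \
-"run --init --rm --env=SKIP_SETCAP=true --env=VAULT_ADDR=${VAULT_ADDR} --env=VAULT_NAMESPACE=${VAULT_NAMESPACE} -- mycompany/vault:${DEFAULT_TAG} login -method=aws -token-only role=default : echo 'THIS_IS_YOUR_VAULT_TOKEN'"
+"inspect mycompany/vault:${DEFAULT_TAG} --format='{{ index .RepoDigests 0 }}' : echo 'fake image ID'" \
+"${docker_vault_cmd} --version : echo 'Vault v6.6.6 (The Secrets Manager of the Beast)'" \
+"${docker_vault_cmd} login -method=aws -token-only role=default : echo 'THIS_IS_YOUR_VAULT_TOKEN'"
 
 run "${PWD}/hooks/environment"
 assert_success
@@ -106,8 +118,11 @@ teardown() {
 @test "The image tag can be overridden" {
 export BUILDKITE_PLUGIN_VAULT_LOGIN_TAG=v1.2.3
 
+docker_vault_cmd="run --init --rm --env=SKIP_SETCAP=true --env=VAULT_ADDR=${VAULT_ADDR} --env=VAULT_NAMESPACE=${VAULT_NAMESPACE} -- ${DEFAULT_IMAGE}:v1.2.3"
 stub docker \
-"run --init --rm --env=SKIP_SETCAP=true --env=VAULT_ADDR=${VAULT_ADDR} --env=VAULT_NAMESPACE=${VAULT_NAMESPACE} -- ${DEFAULT_IMAGE}:v1.2.3 login -method=aws -token-only role=default : echo 'THIS_IS_YOUR_VAULT_TOKEN'"
+"inspect ${DEFAULT_IMAGE}:v1.2.3 --format='{{ index .RepoDigests 0 }}' : echo 'fake image ID'" \
+"${docker_vault_cmd} --version : echo 'Vault v6.6.6 (The Secrets Manager of the Beast)'" \
+"${docker_vault_cmd} login -method=aws -token-only role=default : echo 'THIS_IS_YOUR_VAULT_TOKEN'"
 
 run "${PWD}/hooks/environment"
 assert_success
@@ -119,8 +134,11 @@ teardown() {
 export BUILDKITE_PLUGIN_VAULT_LOGIN_IMAGE=mycompany/vault
 export BUILDKITE_PLUGIN_VAULT_LOGIN_TAG=v1.2.3
 
+docker_vault_cmd="run --init --rm --env=SKIP_SETCAP=true --env=VAULT_ADDR=${VAULT_ADDR} --env=VAULT_NAMESPACE=${VAULT_NAMESPACE} -- mycompany/vault:v1.2.3"
 stub docker \
-"run --init --rm --env=SKIP_SETCAP=true --env=VAULT_ADDR=${VAULT_ADDR} --env=VAULT_NAMESPACE=${VAULT_NAMESPACE} -- mycompany/vault:v1.2.3 login -method=aws -token-only role=default : echo 'THIS_IS_YOUR_VAULT_TOKEN'"
+"inspect mycompany/vault:v1.2.3 --format='{{ index .RepoDigests 0 }}' : echo 'fake image ID'" \
+"${docker_vault_cmd} --version : echo 'Vault v6.6.6 (The Secrets Manager of the Beast)'" \
+"${docker_vault_cmd} login -method=aws -token-only role=default : echo 'THIS_IS_YOUR_VAULT_TOKEN'"
 
 run "${PWD}/hooks/environment"
 assert_success
@@ -131,8 +149,11 @@ teardown() {
 @test "A queue name with a slash is converted to the proper authentication role name" {
 export BUILDKITE_AGENT_META_DATA_QUEUE=default/testing
 
+docker_vault_cmd="run --init --rm --env=SKIP_SETCAP=true --env=VAULT_ADDR=${VAULT_ADDR} --env=VAULT_NAMESPACE=${VAULT_NAMESPACE} -- ${DEFAULT_IMAGE}:${DEFAULT_TAG}"
 stub docker \
-"run --init --rm --env=SKIP_SETCAP=true --env=VAULT_ADDR=${VAULT_ADDR} --env=VAULT_NAMESPACE=${VAULT_NAMESPACE} -- ${DEFAULT_IMAGE}:${DEFAULT_TAG} login -method=aws -token-only role=default : echo 'THIS_IS_YOUR_VAULT_TOKEN'"
+"inspect ${DEFAULT_IMAGE}:${DEFAULT_TAG} --format='{{ index .RepoDigests 0 }}' : echo 'fake image ID'" \
+"${docker_vault_cmd} --version : echo 'Vault v6.6.6 (The Secrets Manager of the Beast)'" \
+"${docker_vault_cmd} login -method=aws -token-only role=default : echo 'THIS_IS_YOUR_VAULT_TOKEN'"
 
 run "${PWD}/hooks/environment"
 assert_success
@@ -145,8 +166,11 @@ teardown() {
 export BUILDKITE_AGENT_META_DATA_QUEUE=default/testing
 export BUILDKITE_PLUGIN_VAULT_LOGIN_AUTH_ROLE=monkeypants
 
+docker_vault_cmd="run --init --rm --env=SKIP_SETCAP=true --env=VAULT_ADDR=${VAULT_ADDR} --env=VAULT_NAMESPACE=${VAULT_NAMESPACE} -- ${DEFAULT_IMAGE}:${DEFAULT_TAG}"
 stub docker \
-"run --init --rm --env=SKIP_SETCAP=true --env=VAULT_ADDR=${VAULT_ADDR} --env=VAULT_NAMESPACE=${VAULT_NAMESPACE} -- ${DEFAULT_IMAGE}:${DEFAULT_TAG} login -method=aws -token-only role=monkeypants : echo 'THIS_IS_YOUR_VAULT_TOKEN'"
+"inspect ${DEFAULT_IMAGE}:${DEFAULT_TAG} --format='{{ index .RepoDigests 0 }}' : echo 'fake image ID'" \
+"${docker_vault_cmd} --version : echo 'Vault v6.6.6 (The Secrets Manager of the Beast)'" \
+"${docker_vault_cmd} login -method=aws -token-only role=monkeypants : echo 'THIS_IS_YOUR_VAULT_TOKEN'"
 
 run "${PWD}/hooks/environment"
 assert_success
@@ -155,10 +179,14 @@ teardown() {
 }
 
 @test "Multiple login attempts work" {
+
+docker_vault_cmd="run --init --rm --env=SKIP_SETCAP=true --env=VAULT_ADDR=${VAULT_ADDR} --env=VAULT_NAMESPACE=${VAULT_NAMESPACE} -- ${DEFAULT_IMAGE}:${DEFAULT_TAG}"
 stub docker \
-"run --init --rm --env=SKIP_SETCAP=true --env=VAULT_ADDR=${VAULT_ADDR} --env=VAULT_NAMESPACE=${VAULT_NAMESPACE} -- ${DEFAULT_IMAGE}:${DEFAULT_TAG} login -method=aws -token-only role=default : exit 1" \
-"run --init --rm --env=SKIP_SETCAP=true --env=VAULT_ADDR=${VAULT_ADDR} --env=VAULT_NAMESPACE=${VAULT_NAMESPACE} -- ${DEFAULT_IMAGE}:${DEFAULT_TAG} login -method=aws -token-only role=default : exit 2" \
-"run --init --rm --env=SKIP_SETCAP=true --env=VAULT_ADDR=${VAULT_ADDR} --env=VAULT_NAMESPACE=${VAULT_NAMESPACE} -- ${DEFAULT_IMAGE}:${DEFAULT_TAG} login -method=aws -token-only role=default : echo 'THIS_IS_YOUR_VAULT_TOKEN'"
+"inspect ${DEFAULT_IMAGE}:${DEFAULT_TAG} --format='{{ index .RepoDigests 0 }}' : echo 'fake image ID'" \
+"${docker_vault_cmd} --version : echo 'Vault v6.6.6 (The Secrets Manager of the Beast)'" \
+"${docker_vault_cmd} login -method=aws -token-only role=default : exit 1" \
+"${docker_vault_cmd} login -method=aws -token-only role=default : exit 2" \
+"${docker_vault_cmd} login -method=aws -token-only role=default : echo 'THIS_IS_YOUR_VAULT_TOKEN'"
 
 run "${PWD}/hooks/environment"
 assert_success
@@ -174,10 +202,13 @@ teardown() {
 # Waiting 5 seconds during tests sucks
 export BUILDKITE_PLUGIN_VAULT_LOGIN_ATTEMPT_WAIT_SECONDS=1
 
+docker_vault_cmd="run --init --rm --env=SKIP_SETCAP=true --env=VAULT_ADDR=${VAULT_ADDR} --env=VAULT_NAMESPACE=${VAULT_NAMESPACE} -- ${DEFAULT_IMAGE}:${DEFAULT_TAG}"
 stub docker \
-"run --init --rm --env=SKIP_SETCAP=true --env=VAULT_ADDR=${VAULT_ADDR} --env=VAULT_NAMESPACE=${VAULT_NAMESPACE} -- ${DEFAULT_IMAGE}:${DEFAULT_TAG} login -method=aws -token-only role=default : exit 3" \
-"run --init --rm --env=SKIP_SETCAP=true --env=VAULT_ADDR=${VAULT_ADDR} --env=VAULT_NAMESPACE=${VAULT_NAMESPACE} -- ${DEFAULT_IMAGE}:${DEFAULT_TAG} login -method=aws -token-only role=default : exit 4" \
-"run --init --rm --env=SKIP_SETCAP=true --env=VAULT_ADDR=${VAULT_ADDR} --env=VAULT_NAMESPACE=${VAULT_NAMESPACE} -- ${DEFAULT_IMAGE}:${DEFAULT_TAG} login -method=aws -token-only role=default : exit 5"
+"inspect ${DEFAULT_IMAGE}:${DEFAULT_TAG} --format='{{ index .RepoDigests 0 }}' : echo 'fake image ID'" \
+"${docker_vault_cmd} --version : echo 'Vault v6.6.6 (The Secrets Manager of the Beast)'" \
+"${docker_vault_cmd} login -method=aws -token-only role=default : exit 3" \
+"${docker_vault_cmd} login -method=aws -token-only role=default : exit 4" \
+"${docker_vault_cmd} login -method=aws -token-only role=default : exit 5"
 
 run "${PWD}/hooks/environment"
 assert_failure
@@ -194,12 +225,15 @@ teardown() {
 export BUILDKITE_PLUGIN_VAULT_LOGIN_ATTEMPT_WAIT_SECONDS=1
 export BUILDKITE_PLUGIN_VAULT_LOGIN_ATTEMPT_COUNT=5
 
+docker_vault_cmd="run --init --rm --env=SKIP_SETCAP=true --env=VAULT_ADDR=${VAULT_ADDR} --env=VAULT_NAMESPACE=${VAULT_NAMESPACE} -- ${DEFAULT_IMAGE}:${DEFAULT_TAG}"
 stub docker \
-"run --init --rm --env=SKIP_SETCAP=true --env=VAULT_ADDR=${VAULT_ADDR} --env=VAULT_NAMESPACE=${VAULT_NAMESPACE} -- ${DEFAULT_IMAGE}:${DEFAULT_TAG} login -method=aws -token-only role=default : exit 6" \
-"run --init --rm --env=SKIP_SETCAP=true --env=VAULT_ADDR=${VAULT_ADDR} --env=VAULT_NAMESPACE=${VAULT_NAMESPACE} -- ${DEFAULT_IMAGE}:${DEFAULT_TAG} login -method=aws -token-only role=default : exit 7" \
-"run --init --rm --env=SKIP_SETCAP=true --env=VAULT_ADDR=${VAULT_ADDR} --env=VAULT_NAMESPACE=${VAULT_NAMESPACE} -- ${DEFAULT_IMAGE}:${DEFAULT_TAG} login -method=aws -token-only role=default : exit 8" \
-"run --init --rm --env=SKIP_SETCAP=true --env=VAULT_ADDR=${VAULT_ADDR} --env=VAULT_NAMESPACE=${VAULT_NAMESPACE} -- ${DEFAULT_IMAGE}:${DEFAULT_TAG} login -method=aws -token-only role=default : exit 9" \
-"run --init --rm --env=SKIP_SETCAP=true --env=VAULT_ADDR=${VAULT_ADDR} --env=VAULT_NAMESPACE=${VAULT_NAMESPACE} -- ${DEFAULT_IMAGE}:${DEFAULT_TAG} login -method=aws -token-only role=default : exit 10"
+"inspect ${DEFAULT_IMAGE}:${DEFAULT_TAG} --format='{{ index .RepoDigests 0 }}' : echo 'fake image ID'" \
+"${docker_vault_cmd} --version : echo 'Vault v6.6.6 (The Secrets Manager of the Beast)'" \
+"${docker_vault_cmd} login -method=aws -token-only role=default : exit 6" \
+"${docker_vault_cmd} login -method=aws -token-only role=default : exit 7" \
+"${docker_vault_cmd} login -method=aws -token-only role=default : exit 8" \
+"${docker_vault_cmd} login -method=aws -token-only role=default : exit 9" \
+"${docker_vault_cmd} login -method=aws -token-only role=default : exit 10"
 
 run "${PWD}/hooks/environment"
 assert_failure
@@ -218,8 +252,11 @@ teardown() {
 export BUILDKITE_PLUGIN_VAULT_LOGIN_ATTEMPT_WAIT_SECONDS=1
 export BUILDKITE_PLUGIN_VAULT_LOGIN_ATTEMPT_COUNT=1
 
+docker_vault_cmd="run --init --rm --env=SKIP_SETCAP=true --env=VAULT_ADDR=${VAULT_ADDR} --env=VAULT_NAMESPACE=${VAULT_NAMESPACE} -- ${DEFAULT_IMAGE}:${DEFAULT_TAG}"
 stub docker \
-"run --init --rm --env=SKIP_SETCAP=true --env=VAULT_ADDR=${VAULT_ADDR} --env=VAULT_NAMESPACE=${VAULT_NAMESPACE} -- ${DEFAULT_IMAGE}:${DEFAULT_TAG} login -method=aws -token-only role=default : exit 11"
+"inspect ${DEFAULT_IMAGE}:${DEFAULT_TAG} --format='{{ index .RepoDigests 0 }}' : echo 'fake image ID'" \
+"${docker_vault_cmd} --version : echo 'Vault v6.6.6 (The Secrets Manager of the Beast)'" \
+"${docker_vault_cmd} login -method=aws -token-only role=default : exit 11"
 
 run "${PWD}/hooks/environment"
 assert_failure
@@ -250,9 +287,12 @@ teardown() {
 @test "always-pull will pull an image before running" {
 export BUILDKITE_PLUGIN_VAULT_LOGIN_ALWAYS_PULL=1
 
+docker_vault_cmd="run --init --rm --env=SKIP_SETCAP=true --env=VAULT_ADDR=${VAULT_ADDR} --env=VAULT_NAMESPACE=${VAULT_NAMESPACE} -- ${DEFAULT_IMAGE}:${DEFAULT_TAG}"
 stub docker \
 "pull ${DEFAULT_IMAGE}:${DEFAULT_TAG} : echo 'pulling image'" \
-"run --init --rm --env=SKIP_SETCAP=true --env=VAULT_ADDR=${VAULT_ADDR} --env=VAULT_NAMESPACE=${VAULT_NAMESPACE} -- ${DEFAULT_IMAGE}:${DEFAULT_TAG} login -method=aws -token-only role=default : echo 'THIS_IS_YOUR_VAULT_TOKEN'"
+"inspect ${DEFAULT_IMAGE}:${DEFAULT_TAG} --format='{{ index .RepoDigests 0 }}' : echo 'fake image ID'" \
+"${docker_vault_cmd} --version : echo 'Vault v6.6.6 (The Secrets Manager of the Beast)'" \
+"${docker_vault_cmd} login -method=aws -token-only role=default : echo 'THIS_IS_YOUR_VAULT_TOKEN'"
 
 run "${PWD}/hooks/environment"
 assert_success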
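Review bot: The `docker_vault_cmd="run --init --rm …"` assignment and the `inspect`/`--version` stub lines are now pasted verbatim into all thirteen tests (new lines 40, 55, 81, 106, 121, 137, 152, 169, 183, 205, 228, 255 and 290), differing only in address, namespace or image, so the next change to the hook's docker invocation has to be applied in thirteen places and a test that is missed will only fail for that one case. A small helper next to `setup()` removes the duplication while keeping each test explicit about its overrides: `docker_vault_cmd() {` / `  printf 'run --init --rm --env=SKIP_SETCAP=true --env=VAULT_ADDR=%s --env=VAULT_NAMESPACE=%s -- %s' "$1" "$2" "$3"` / `}`, called as `docker_vault_cmd "${VAULT_ADDR}" "${VAULT_NAMESPACE}" "${DEFAULT_IMAGE}:${DEFAULT_TAG}"`; the two stub lines can come from a similar helper that takes the image reference. Since `stub` plans appear to be consumed in order, every test now also pins the hook's call sequence (inspect, then `--version`, then `login`), which deserves a comment above the first stub block so a later reordering in the hook is recognised as a deliberate contract change rather than a test bug. Each `@test` body here opens and closes outside its hunk.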
