VAULT-38191/use artifactory identity token in tests

.github/workflows/test.yml

@@ -104,8 +104,7 @@ jobs:
           } | tee -a "$GITHUB_OUTPUT"
       - run: make test-acc
         env:
-          ARTIFACTORY_USER: ${{ secrets.ARTIFACTORY_USER }}
-          ARTIFACTORY_TOKEN: ${{ secrets.ARTIFACTORY_TOKEN }}
+          ARTIFACTORY_BEARER_TOKEN: ${{ secrets.ARTIFACTORY_BEARER_TOKEN }}
           ENOS_TRANSPORT_USER: ubuntu
           ENOS_TRANSPORT_PRIVATE_KEY_PATH: ./enos-ci-ssh-key.pem
           ENOS_TRANSPORT_HOST: ${{ steps.target-host.outputs.host_ip }}

VERSION

@@ -1 +1 @@
-0.6.1
+0.6.2

enos/modules/go-acceptance-test-target/main.tf

@@ -30,6 +30,11 @@ data "aws_ami" "ubuntu" {
     values = ["hvm"]
   }
 
+  filter {
+    name   = "architecture"
+    values = ["x86_64"]
+  }
+
   owners = ["099720109477"] # Canonical
 }
 

examples/artifactory/README.md

@@ -1,8 +1,8 @@
 # artifactory
 
-This example module uses demonstrates the enos utilizing artifactory.
+This example module demonstrates enos utilizing artifactory.
 
-To used this module you'll need to provide the required credentials and
+To use this module you'll need to provide the required credentials and
 search criteria in order to search for a valid binary.
 
 For example, add the follow to a `terraform.tfvars` file:
@@ -11,6 +11,7 @@ For example, add the follow to a `terraform.tfvars` file:
 ```hcl
 artifactory_username   = "<your hashicorp email address>"
 artifactory_token      = "<your artifactory token>"
+artifactory_bearer_token = "<artifactory identity token - instead of username/ token>"
 artifactory_host       = "https://artifactory.hashicorp.engineering/artifactory"
 artifactory_repo       = "hashicorp-packagespec-buildcache-local*"
 artifactory_path       = "cache-v1/vault-enterprise/*"

internal/artifactory/aql_test.go

@@ -16,16 +16,21 @@ import (
 func EnsureArtifactoryEnvAuth(t *testing.T) (map[string]string, bool) {
 	t.Helper()
 
-	var okacc, oktoken bool
+	var okacc, oktoken, okbearertoken, okuser bool
 	vars := map[string]string{}
 
 	_, okacc = os.LookupEnv("TF_ACC")
-	vars["username"], _ = os.LookupEnv("ARTIFACTORY_USER")
-	vars["token"], oktoken = os.LookupEnv("ARTIFACTORY_TOKEN")
+	vars["username"], okuser = os.LookupEnv("ARTIFACTORY_USER")
+	if !okuser {
+		vars["token"], okbearertoken = os.LookupEnv("ARTIFACTORY_BEARER_TOKEN")
+	} else {
+		vars["token"], oktoken = os.LookupEnv("ARTIFACTORY_TOKEN")
+	}
 
-	if !okacc || !oktoken {
-		t.Logf(`skipping data "enos_artifactory_item" test because TF_ACC(%t), ARTIFACTORY_TOKEN(%t) aren't set`,
-			okacc, oktoken,
+	if !okacc || (okuser && !oktoken) || (!okuser && !okbearertoken) {
+		t.Logf(`skipping data "enos_artifactory_item" test because one or more of the following isn't set: 
+			TF_ACC(%t), ARTIFACTORY_TOKEN(%t), ARTIFACTORY_BEARER_TOKEN(%t)`,
+			okacc, oktoken, okbearertoken,
 		)
 		t.Skip()
 
@@ -38,18 +43,23 @@ func EnsureArtifactoryEnvAuth(t *testing.T) (map[string]string, bool) {
 func EnsureArtifactoryEnvVars(t *testing.T) (map[string]string, bool) {
 	t.Helper()
 
-	var okacc, oktoken, okver, okrev bool
+	var okacc, oktoken, okbearertoken, okver, okrev, okuser bool
 	vars := map[string]string{}
 
 	_, okacc = os.LookupEnv("TF_ACC")
-	vars["username"], _ = os.LookupEnv("ARTIFACTORY_USER")
-	vars["token"], oktoken = os.LookupEnv("ARTIFACTORY_TOKEN")
+	vars["username"], okuser = os.LookupEnv("ARTIFACTORY_USER")
+	if !okuser {
+		vars["token"], okbearertoken = os.LookupEnv("ARTIFACTORY_BEARER_TOKEN")
+	} else {
+		vars["token"], oktoken = os.LookupEnv("ARTIFACTORY_TOKEN")
+	}
 	vars["version"], okver = os.LookupEnv("ARTIFACTORY_PRODUCT_VERSION")
 	vars["revision"], okrev = os.LookupEnv("ARTIFACTORY_REVISION")
 
-	if !okacc || !oktoken || !okver || !okrev {
-		t.Logf(`skipping data "enos_artifactory_item" test because TF_ACC(%t), ARTIFACTORY_TOKEN(%t), ARTIFACTORY_PRODUCT_VERSION(%t), ARTIFACTORY_REVISION(%t) aren't set`,
-			okacc, oktoken, okver, okrev,
+	if !okacc || (okuser && !oktoken) || (!okuser && !okbearertoken) || !okver || !okrev {
+		t.Logf(`skipping data "enos_artifactory_item" test because one or more of the following isn't set: 
+			TF_ACC(%t), ARTIFACTORY_TOKEN(%t), ARTIFACTORY_BEARER_TOKEN(%t), ARTIFACTORY_PRODUCT_VERSION(%t), ARTIFACTORY_REVISION(%t)`,
+			okacc, oktoken, okbearertoken, okver, okrev,
 		)
 		t.Skip()
 
@@ -64,11 +74,14 @@ func TestAccSearchAQL(t *testing.T) {
 
 	vars, _ := EnsureArtifactoryEnvVars(t)
 
-	client := NewClient(
+	opts := []Opt{
 		WithHost("https://artifactory.hashicorp.engineering/artifactory"),
-		WithUsername(vars["username"]),
 		WithToken(vars["token"]),
-	)
+	}
+	if vars["username"] != "" {
+		opts = append(opts, WithUsername(vars["username"]))
+	}
+	client := NewClient(opts...)
 
 	for _, test := range []struct {
 		Name string
@@ -172,11 +185,14 @@ func TestAccSearchRawQuery(t *testing.T) {
 
 	vars, _ := EnsureArtifactoryEnvAuth(t)
 
-	client := NewClient(
+	opts := []Opt{
 		WithHost("https://artifactory.hashicorp.engineering/artifactory"),
-		WithUsername(vars["username"]),
 		WithToken(vars["token"]),
-	)
+	}
+	if vars["username"] != "" {
+		opts = append(opts, WithUsername(vars["username"]))
+	}
+	client := NewClient(opts...)
 
 	orQueryTemplate := template.Must(template.New("or").Parse(`
 items.find(

internal/kind/client.go

@@ -4,6 +4,7 @@
 package kind
 
 import (
+	"context"
 	"encoding/base64"
 	"errors"
 	"fmt"
@@ -235,7 +236,7 @@ func (c *localClient) LoadImage(req LoadImageRequest) (LoadedImageResult, error)
 
 	// saved the docker image to a tar archive
 	commandArgs := append([]string{"save", "-o", imageTar}, image)
-	if err := exec.Command("docker", commandArgs...).Run(); err != nil {
+	if err := exec.CommandContext(context.TODO(), "docker", commandArgs...).Run(); err != nil {
 		return LoadedImageResult{}, fmt.Errorf("failed to export image: [%s] to archive: [%s], due to: %w", imageName, imageTar, err)
 	}
 

internal/plugin/datasource_artifactory_item_test.go

@@ -15,12 +15,12 @@ import (
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
 )
 
-// TestAccDataSourceArtifacotoryItemProperties is an integration test that uses the
+// TestAccDataSourceArtifactoryItemProperties is an integration test that uses the
 // actual HashiCorp artifactory service to resolve items based on the search
 // criteria.
 //
 //nolint:paralleltest// because our resource handles it
-func TestAccDataSourceArtifacotoryItemProperties(t *testing.T) {
+func TestAccDataSourceArtifactoryItemProperties(t *testing.T) {
 	for name, props := range map[string]map[string]string{
 		"vault-1.18.5-1.x86_64.rpm": {
 			"commit":          "06a36557c4904c52f720bafb71866d389385f5ad",
@@ -35,11 +35,20 @@ func TestAccDataSourceArtifacotoryItemProperties(t *testing.T) {
 		t.Run(name, func(t *testing.T) {
 			state := newArtifactoryItemStateV1()
 			_, okacc := os.LookupEnv("TF_ACC")
-			username, _ := os.LookupEnv("ARTIFACTORY_USER")
-			token, oktoken := os.LookupEnv("ARTIFACTORY_TOKEN")
+			var token string
+			var okbearertoken, oktoken bool
+			username, okuser := os.LookupEnv("ARTIFACTORY_USER")
+			if !okuser {
+				token, okbearertoken = os.LookupEnv("ARTIFACTORY_BEARER_TOKEN")
+			} else {
+				token, oktoken = os.LookupEnv("ARTIFACTORY_TOKEN")
+			}
 
 			if !okacc || !oktoken {
-				t.Log(`skipping data "enos_artifactory_item" test because either TF_ACC or ARTIFACTORY_TOKEN are not set`)
+				t.Logf(`skipping data "enos_artifactory_item" test because one or more of the following isn't set: 
+					TF_ACC(%t), ARTIFACTORY_TOKEN(%t), ARTIFACTORY_BEARER_TOKEN(%t)`,
+					okacc, oktoken, okbearertoken,
+				)
 				t.Skip()
 
 				return
@@ -95,12 +104,12 @@ output "name" {
 	}
 }
 
-// TestAccDataSourceArtifacotoryItemQueryTemplate is an integration test that
+// TestAccDataSourceArtifactoryItemQueryTemplate is an integration test that
 // uses the actual HashiCorp artifactory service to resolve items based on the
 // search criteria.
 //
 //nolint:paralleltest// because our resource handles it
-func TestAccDataSourceArtifacotoryItemQueryTemplate(t *testing.T) {
+func TestAccDataSourceArtifactoryItemQueryTemplate(t *testing.T) {
 	orQueryTemplate := template.Must(template.New("or").Parse(`
 items.find(
 {
@@ -137,11 +146,20 @@ items.find(
 		t.Run(name, func(t *testing.T) {
 			state := newArtifactoryItemStateV1()
 			_, okacc := os.LookupEnv("TF_ACC")
-			username, _ := os.LookupEnv("ARTIFACTORY_USER")
-			token, oktoken := os.LookupEnv("ARTIFACTORY_TOKEN")
+			var token string
+			var okbearertoken, oktoken bool
+			username, okuser := os.LookupEnv("ARTIFACTORY_USER")
+			if !okuser {
+				token, okbearertoken = os.LookupEnv("ARTIFACTORY_BEARER_TOKEN")
+			} else {
+				token, oktoken = os.LookupEnv("ARTIFACTORY_TOKEN")
+			}
 
-			if !okacc || !oktoken {
-				t.Log(`skipping data "enos_artifactory_item" test because either TF_ACC or ARTIFACTORY_TOKEN are not set`)
+			if !okacc || (okuser && !oktoken) || (!okuser && !okbearertoken) {
+				t.Logf(`skipping data "enos_artifactory_item" test because one or more of the following isn't set: 
+					TF_ACC(%t), ARTIFACTORY_TOKEN(%t), ARTIFACTORY_BEARER_TOKEN(%t)`,
+					okacc, oktoken, okbearertoken,
+				)
 				t.Skip()
 
 				return
@@ -163,7 +181,9 @@ items.find(
 			state.QueryTemplate.Set(qbuf.String())
 
 			cfg := template.Must(template.New("enos_data_artifactory_item").Parse(`data "enos_artifactory_item" "vault" {
+  {{if .Username.Value -}}
   username = "{{ .Username.Value }}"
+  {{end -}}
   token    = "{{ .Token.Value }}"
   host     = "{{ .Host.Value }}"
   query_template = <<EOT

internal/plugin/helpers_test.go

@@ -217,7 +217,9 @@ func ensureEnosTransportEnvVars(t *testing.T) (map[string]string, bool) {
 	vars["path"], okpath = os.LookupEnv("ENOS_TRANSPORT_PRIVATE_KEY_PATH")
 
 	if !okacc || !okuser || !okhost || !okpath {
-		t.Log(`skipping because TF_ACC, ENOS_TRANSPORT_USER, ENOS_TRANSPORT_HOST, and ENOS_TRANSPORT_PRIVATE_KEY_PATH environment variables need to be set`)
+		t.Logf(`skipping because TF_ACC(%t), ENOS_TRANSPORT_USER(%t), ENOS_TRANSPORT_HOST(%t), and ENOS_TRANSPORT_PRIVATE_KEY_PATH(%t) environment variables need to be set`,
+			okacc, okuser, okhost, okpath,
+		)
 		t.Skip()
 
 		return vars, false

internal/plugin/resource_bundle_install_test.go

@@ -38,7 +38,7 @@ func TestAccResourceBundleInstall(t *testing.T) {
 
 		  {{ if .Artifactory.URL.Value -}}
 		  artifactory = {
-			{{ if .Artifactory.Username.Value }} username = "{{ .Artifactory.Username.Value }}" {{ end }}
+			username = {{ if .Artifactory.Username.Value }} "{{ .Artifactory.Username.Value }}" {{ else }} null {{ end }}
 			token    = "{{ .Artifactory.Token.Value }}"
 			url      = "{{ .Artifactory.URL.Value }}"
 			sha256   = "{{ .Artifactory.SHA256.Value }}"
@@ -161,13 +161,22 @@ func TestAccResourceBundleInstall(t *testing.T) {
 			true,
 		})
 
+		var artToken string
+		var okbearertoken, oktoken bool
 		artUser, okuser := os.LookupEnv("ARTIFACTORY_USER")
-		artToken, oktoken := os.LookupEnv("ARTIFACTORY_TOKEN")
-		if !oktoken {
-			t.Log(`skipping data bundle install from artifactory test because ARTIFACTORY_TOKEN isn't set`)
+		if !okuser {
+			artToken, okbearertoken = os.LookupEnv("ARTIFACTORY_BEARER_TOKEN")
+		} else {
+			artToken, oktoken = os.LookupEnv("ARTIFACTORY_TOKEN")
+		}
+		if (okuser && !oktoken) || (!okuser && !okbearertoken) {
+			t.Logf(`skipping data bundle install from artifactory test because ARTIFACTORY_BEARER_TOKEN(%t) or ARTIFACTORY_TOKEN(%t) isn't set`,
+				okbearertoken, oktoken,
+			)
 			t.Skip()
 		} else {
 			bundleInstallArtifactoryInstall := newBundleInstallStateV1()
+			bundleInstallArtifactoryInstall.Artifactory.Username.Set("")
 			bundleInstallArtifactoryInstall.ID.Set("realart")
 			bundleInstallArtifactoryInstall.Destination.Set("/opt/vault/bin")
 			if okuser {

internal/plugin/resource_local_kind_cluster_test.go

@@ -5,6 +5,7 @@ package plugin
 
 import (
 	"bytes"
+	"context"
 	"crypto/rand"
 	"math/big"
 	"os"
@@ -118,7 +119,7 @@ func TestClusterBuild(t *testing.T) {
 		t.Skip("Skipping test 'TestClusterBuild', because 'TF_ACC' not set")
 	}
 
-	checkDocker := exec.Command("docker", "ps")
+	checkDocker := exec.CommandContext(context.TODO(), "docker", "ps")
 	err := checkDocker.Run()
 	if err != nil {
 		t.Skip("Skipping test 'TestClusterBuild' since docker daemon not available")

internal/transport/ssh/client.go

@@ -171,7 +171,7 @@ func (c *client) Connect(ctx context.Context) error {
 
 	var err error
 
-	sshAgentConn, sshAgent, ok := c.connectSSHAgent()
+	sshAgentConn, sshAgent, ok := c.connectSSHAgent(ctx)
 	if ok {
 		c.clientConfig.Auth = append(c.clientConfig.Auth, sshAgent)
 		c.agentConn = sshAgentConn
@@ -418,10 +418,11 @@ func (c *client) newSession(ctx context.Context) (*xssh.Session, func() error, e
 	}
 }
 
-func (c *client) connectSSHAgent() (net.Conn, xssh.AuthMethod, bool) {
+func (c *client) connectSSHAgent(ctx context.Context) (net.Conn, xssh.AuthMethod, bool) {
 	var auth xssh.AuthMethod
 
-	sshAgent, err := net.Dial("unix", os.Getenv("SSH_AUTH_SOCK"))
+	dialer := net.Dialer{}
+	sshAgent, err := dialer.DialContext(ctx, "unix", os.Getenv("SSH_AUTH_SOCK"))
 	if err != nil {
 		return sshAgent, auth, false
 	}