@@ -9,6 +9,20 @@ fail() {
99 exit 1
1010}
1111
12+ # Function to perform root rotation
13+ rotate_root () {
14+ " $binpath " write -f " ${MOUNT} /rotate-root" 2>&1
15+ }
16+
17+ # Function to get userPassword from LDAP
18+ get_ldap_password () {
19+ local user_dn=" $1 "
20+ ldapsearch -x -LLL -H " ldap://${LDAP_SERVER} :${LDAP_PORT} " \
21+ -b " ${user_dn} " \
22+ -D " cn=admin,dc=${LDAP_USERNAME} ,dc=com" \
23+ -w " ${LDAP_ADMIN_PW} " userPassword 2> /dev/null | grep " userPassword::" | awk ' {print $2}'
24+ }
25+
1226[[ -z " $MOUNT " ]] && fail " MOUNT env variable has not been set"
1327[[ -z " $LDAP_SERVER " ]] && fail " LDAP_SERVER env variable has not been set"
1428[[ -z " $LDAP_PORT " ]] && fail " LDAP_PORT env variable has not been set"
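Review bot: get_ldap_password (L11-L17) hides every ldapsearch failure behind `2> /dev/null`, so a rejected bind, an unreachable server and a missing userPassword attribute all come back as an empty string, and the callers' `fail "... Could not retrieve password ..."` cannot say which one happened; let stderr through, or capture it into the failure message. The bind password also travels on the command line via `-w "${LDAP_ADMIN_PW}"`, where it is visible to `ps` — the existing lookup at L30 does the same, but for a new helper `-y <password-file>` (a mktemp file removed by a trap) is the safer form. A header comment should record what the function returns: the `userPassword::` line selected by grep carries a base64-encoded value, so callers receive the encoded form, which is enough for the equality checks they do but is not the cleartext password. Finally, rotate_root's `2>&1` folds Vault's error text into stdout, which every caller then sends to /dev/null, so a failed rotation loses its reason; drop the redirect there and let the caller decide what to silence.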
@@ -22,6 +36,8 @@ binpath=${VAULT_INSTALL_DIR}/vault
2236test -x " $binpath " || fail " unable to locate vault binary at $binpath "
2337
2438export VAULT_FORMAT=json
39+ AUDIT_LOG=" ${VAULT_AUDIT_LOG:-/ var/ log/ vault/ vault_audit.log} "
40+ ROLE_NAME=" dynamic-role"
2541
2642# Verifying LDAP Server Configs
2743LDAP_UID=$( ldapsearch -x -LLL -H " ldap://${LDAP_SERVER} :${LDAP_PORT} " -b " dc=${LDAP_USERNAME} ,dc=com" -D " cn=admin,dc=${LDAP_USERNAME} ,dc=com" -w " ${LDAP_ADMIN_PW} " " (uid=${LDAP_USERNAME} )" 2> /dev/null)
@@ -40,19 +56,124 @@ VAULT_POLICY_COUNT=$(echo "$VAULT_LDAP_LOGIN" | jq -r ".auth.policies | length")
4056
4157echo " ${VAULT_LDAP_LOGIN} "
4258
43- # Attempting to rotate root with root token--should pass.
44- if " $binpath " write -f " ${MOUNT} /rotate-root" > /dev/null 2>&1 ; then
45- echo " SUCCESS:rotate-root write passed (permissions OK)"
46- else
59+ # Test1: Attempting to rotate root with root token--should pass
60+ test_root_rotation_permissions () {
61+ if rotate_root > /dev/null; then
62+ echo " SUCCESS: rotate-root succeeded"
63+ else
4764 fail " Error: rotate-root write failed even though token had permissions"
48- fi
49-
50- # Attempting to rotate root with LDAP token--should fail as the policy does not allow it.
65+ fi
66+ }
5167
52- ROOT_ROTATE=$( VAULT_TOKEN=" $VAULT_LDAP_TOKEN " " $binpath " write -f " ${MOUNT} /rotate-root" 2>&1 || true)
68+ # Test2: Checking if last_bind_password_rotation field is present
69+ test_rotation_field_presence () {
70+ if " $binpath " read " ${MOUNT} /config" | jq -e ' .data.last_bind_password_rotation' > /dev/null; then
71+ echo " Rotation success: last_bind_password_rotation field is present"
72+ else
73+ fail " Field is NOT present"
74+ fi
75+ }
5376
54- if echo " $ROOT_ROTATE " | grep -qi " permission denied" ; then
77+ # Test3: Attempting to rotate root with LDAP token--should fail as the policy does not allow it
78+ test_ldap_token_permissions () {
79+ if ! VAULT_TOKEN=" $VAULT_LDAP_TOKEN " " $binpath " write -f " ${MOUNT} /rotate-root" > /dev/null 2>&1 ; then
5580 echo " SUCCESS: Vault correctly denied root rotation for LDAP token as policy does not allow."
56- else
81+ else
5782 fail " ERROR: LDAP token does not have permission to rotate, still rotation succeeded"
58- fi
83+ fi
84+ }
85+
86+ # Test4: Rotation with Invalid Config
87+ test_invalid_config_rotation () {
88+ echo " Test 4: Rotation with Invalid Config"
89+
90+ # Get password before attempting rotation with invalid config
91+ PASSWORD_BEFORE=$( get_ldap_password " cn=admin,dc=${LDAP_USERNAME} ,dc=com" )
92+
93+ if [[ -z " $PASSWORD_BEFORE " ]]; then
94+ fail " ERROR: Could not retrieve password before rotation attempt"
95+ fi
96+
97+ # Attempt to configure with invalid credentials
98+ " $binpath " write " ${MOUNT} /config" \
99+ binddn=" cn=invalid,dc=invalid,dc=com" \
100+ bindpass=" wrongpassword" > /dev/null 2>&1 || true
101+
102+ # Try to rotate with invalid config: should fail
103+ if ! rotate_root > /dev/null 2>&1 ; then
104+ echo " SUCCESS: Rotation correctly failed with invalid configuration"
105+ else
106+ fail " ERROR: Rotation should have failed with invalid configuration"
107+ fi
108+
109+ # Restore valid config first
110+ " $binpath " write " ${MOUNT} /config" \
111+ binddn=" cn=admin,dc=${LDAP_USERNAME} ,dc=com" \
112+ bindpass=" ${LDAP_ADMIN_PW} "
113+
114+ # Get password after failed rotation attempt
115+ PASSWORD_AFTER=$( get_ldap_password " cn=admin,dc=${LDAP_USERNAME} ,dc=com" )
116+
117+ if [[ -z " $PASSWORD_AFTER " ]]; then
118+ fail " ERROR: Could not retrieve password after rotation attempt"
119+ fi
120+
121+ # Verify password remains unchanged
122+ if [[ " $PASSWORD_BEFORE " == " $PASSWORD_AFTER " ]]; then
123+ echo " SUCCESS: User password remains unchanged after failed rotation with invalid config"
124+ else
125+ fail " ERROR: User password was modified despite rotation failure"
126+ fi
127+
128+ # Verify credentials work for LDAP required operations by testing dynamic credential generation
129+ if " $binpath " read " ${MOUNT} /creds/${ROLE_NAME} " > /dev/null 2>&1 ; then
130+ echo " SUCCESS: LDAP operations work correctly after restoring valid config"
131+ else
132+ fail " ERROR: LDAP operations failed after restoring valid config"
133+ fi
134+ }
135+
136+ # Test5: Rotate root twice and check if password changed
137+ test_password_change_verification () {
138+ echo " Performing first root rotation"
139+ rotate_root > /dev/null
140+
141+ # Get password after first rotation, this will return the userPassword of the binddn.
142+ echo " Getting password after first rotation"
143+ FIRST_ROTATED_PASSWORD=$( get_ldap_password " cn=admin,dc=${LDAP_USERNAME} ,dc=com" )
144+
145+ if [[ -z " $FIRST_ROTATED_PASSWORD " ]]; then
146+ fail " ERROR: Could not retrieve password after first rotation from LDAP"
147+ fi
148+ echo " First rotated password retrieved"
149+
150+ # Second rotation
151+ echo " Performing second root rotation"
152+ rotate_root > /dev/null
153+
154+ # Get password after second rotation
155+ echo " Getting password after second rotation"
156+ SECOND_ROTATED_PASSWORD=$( get_ldap_password " cn=admin,dc=${LDAP_USERNAME} ,dc=com" )
157+
158+ if [[ -z " $SECOND_ROTATED_PASSWORD " ]]; then
159+ fail " ERROR: Could not retrieve password after second rotation from LDAP"
160+ fi
161+
162+ # Compare passwords to ensure Userpassword is different after rotation
163+ if [[ " $FIRST_ROTATED_PASSWORD " == " $SECOND_ROTATED_PASSWORD " ]]; then
164+ fail " ERROR: Second rotation did not change the password! First and second rotated passwords are the same."
165+ fi
166+
167+ # Check audit logs for rotation and generation events
168+ echo " Checking audit logs for rotation and credential generation events"
169+ sudo grep -E " rotate-root" " $AUDIT_LOG " > /dev/null 2>&1 && echo " Audit log updated"
170+
171+ }
172+ # Running all tests
173+ test_root_rotation_permissions
174+ test_rotation_field_presence
175+ test_ldap_token_permissions
176+ test_invalid_config_rotation
177+ test_password_change_verification
178+
179+ echo " All rotation tests passed successfully!"
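Review bot: test_invalid_config_rotation restores the Vault config at L97-L99 with `bindpass="${LDAP_ADMIN_PW}"`, but test_root_rotation_permissions has already rotated the root credential by then (L160 runs before L163), and Test5 itself asserts that a rotation changes the directory password of cn=admin — so the restore appears to write a stale password into Vault, and the ldapsearch binds inside get_ldap_password (called at L78, L102, L130, L143) presumably also use that stale value; unless the directory still accepts the old bind, the creds read at L116 and the password lookups would fail for the wrong reason. Either run test_invalid_config_rotation before any rotation and read the directory through a separate, non-rotated reader DN, or have the tests track the current password rather than the original environment value. The Test5 audit-log check at L156 is `sudo grep … && echo "Audit log updated"` with no failure branch, so a missing audit entry is silently accepted; append `|| fail "ERROR: no rotate-root entry found in $AUDIT_LOG"`. PASSWORD_BEFORE, PASSWORD_AFTER, FIRST_ROTATED_PASSWORD and SECOND_ROTATED_PASSWORD are globals assigned inside functions; declare them `local` and split the declaration from the `$(get_ldap_password …)` assignment so a failing lookup is not masked.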