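# Exercises the community.hashi_vault.hashi_vault lookup with JWT auth against
# a single auth mount path. Expected from the caller (not defined here):
# this_path, default_path, conn_params, vault_kv2_path, auth_type.
- name: "Test block"
  vars:
    role_id: test-role
    # Both tokens are read from disk with the `file` lookup; the invalid one
    # drives the wrong-credentials case below.
    jwt: '{{ lookup("file", "token.jwt") }}'
    jwt_invalid: '{{ lookup("file", "token_invalid.jwt") }}'
    is_default_path: "{{ this_path == default_path }}"
    # Lookup term prefix: the connection params, plus an explicit mount_point
    # only when the non-default auth mount is under test.
    common: "{{ conn_params ~ ('' if is_default_path else 'mount_point=' ~ this_path ~ ' ') }}"
  block:
    - name: 'Fetch secrets using "hashi_vault" lookup'
      set_fact:
        secret1: "{{ lookup('community.hashi_vault.hashi_vault', common ~ 'secret=' ~ vault_kv2_path ~ '/secret1 auth_method=jwt jwt=' ~ jwt ~ ' role_id=' ~ role_id) }}"
        secret2: "{{ lookup('community.hashi_vault.hashi_vault', common ~ 'secret=' ~ vault_kv2_path ~ '/secret2 auth_method=jwt jwt=' ~ jwt ~ ' role_id=' ~ role_id) }}"

    - name: 'Check secret values'
      fail:
        msg: 'unexpected secret values'
      when: secret1['value'] != 'foo1' or secret2['value'] != 'foo2'

    # The purpose of this test is to catch the plugin accepting mount_point but
    # not passing it into hvac. The policy of the default mount denies access
    # to secret5, so we expect failure when the mount is the default one and
    # success when it is the alternate one.
    # The lookup lives in task vars and is evaluated when `msg` is rendered, so
    # a lookup error fails this task and is captured by `register`. Unlike the
    # other tasks, this one passes the auth options as keyword arguments rather
    # than inside the term string.
    - name: 'Check auth mount differing secret value'
      vars:
        secret5: "{{ lookup('community.hashi_vault.hashi_vault', common ~ 'secret=' ~ vault_kv2_path ~ '/secret5', auth_method='jwt', jwt=jwt, role_id=role_id) }}"
      debug:
        msg:
          - "Checking secret5 with {{ auth_type }} auth via mount path '{{ this_path }}'"
          # Prints the fetched value; acceptable only because it is fixture data.
          - "{{ secret5 }}"
      register: secret5_status
      ignore_errors: true

    - name: 'Check secret5 access matches the auth mount path'
      assert:
        fail_msg: "A token from mount path '{{ this_path }}' had incorrect access to secret5"
        that: >-
          (is_default_path and (secret5_status is failed))
          or (not is_default_path and (secret5_status is not failed))

    # Negative cases: each lookup below is expected to fail; the task result is
    # registered so the final assert can check that it did.
    - name: 'Failure expected when erroneous credentials are used'
      vars:
        secret_wrong_cred: "{{ lookup('community.hashi_vault.hashi_vault', common ~ 'secret=' ~ vault_kv2_path ~ '/secret2 auth_method=jwt jwt=' ~ jwt_invalid ~ ' role_id=' ~ role_id) }}"
      debug:
        msg: 'Failure is expected ({{ secret_wrong_cred }})'
      register: test_wrong_cred
      ignore_errors: true

    - name: 'Failure expected when unauthorized secret is read'
      vars:
        secret_unauthorized: "{{ lookup('community.hashi_vault.hashi_vault', common ~ 'secret=' ~ vault_kv2_path ~ '/secret3 auth_method=jwt jwt=' ~ jwt ~ ' role_id=' ~ role_id) }}"
      debug:
        msg: 'Failure is expected ({{ secret_unauthorized }})'
      register: test_unauthorized
      ignore_errors: true

    - name: 'Failure expected when non-existent secret is read'
      vars:
        secret_inexistent: "{{ lookup('community.hashi_vault.hashi_vault', common ~ 'secret=' ~ vault_kv2_path ~ '/non_existent_secret4 auth_method=jwt jwt=' ~ jwt ~ ' role_id=' ~ role_id) }}"
      debug:
        msg: 'Failure is expected ({{ secret_inexistent }})'
      register: test_inexistent
      ignore_errors: true

    - name: 'Check expected failures'
      assert:
        msg: "an expected failure didn't occur"
        that:
          - test_wrong_cred is failed
          - test_unauthorized is failed
          - test_inexistent is failed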