Merge remote-tracking branch 'remotes/from/ce/main'

Author: hc-github-team-secure-vault-core

.github/workflows/test-run-enos-scenario-matrix.yml

@@ -203,6 +203,10 @@ jobs:
       - uses: ./.github/actions/set-up-go
         with:
           github-token: ${{ steps.secrets.outputs.github-token }}
+      - name: Install LDAP client tools
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y ldap-utils
       - uses: ./.github/actions/install-tools
       - uses: hashicorp/setup-terraform@5e8dbf3c6d9deaf4193ca7a8fb23f2ac83bb6c85 # v4.0.0
         with:

enos/enos-samples-ce-build.hcl

@@ -24,7 +24,6 @@ sample "build_ce_linux_amd64_deb" {
     }
   }
 
-
   subset "proxy" {
     matrix {
       arch            = ["amd64"]
@@ -69,7 +68,6 @@ sample "build_ce_linux_arm64_deb" {
     }
   }
 
-
   subset "proxy" {
     matrix {
       arch            = ["arm64"]
@@ -114,7 +112,6 @@ sample "build_ce_linux_arm64_rpm" {
     }
   }
 
-
   subset "proxy" {
     matrix {
       arch            = ["arm64"]
@@ -159,7 +156,6 @@ sample "build_ce_linux_amd64_rpm" {
     }
   }
 
-
   subset "proxy" {
     matrix {
       arch            = ["amd64"]
@@ -210,7 +206,6 @@ sample "build_ce_linux_amd64_zip" {
     }
   }
 
-
   subset "proxy" {
     matrix {
       arch            = ["amd64"]
@@ -255,7 +250,6 @@ sample "build_ce_linux_arm64_zip" {
     }
   }
 
-
   subset "proxy" {
     matrix {
       arch            = ["arm64"]

enos/enos-samples-ce-release.hcl

@@ -24,7 +24,6 @@ sample "release_ce_linux_amd64_deb" {
     }
   }
 
-
   subset "proxy" {
     matrix {
       arch            = ["amd64"]
@@ -69,7 +68,6 @@ sample "release_ce_linux_arm64_deb" {
     }
   }
 
-
   subset "proxy" {
     matrix {
       arch            = ["arm64"]
@@ -114,7 +112,6 @@ sample "release_ce_linux_arm64_rpm" {
     }
   }
 
-
   subset "proxy" {
     matrix {
       arch            = ["arm64"]
@@ -159,7 +156,6 @@ sample "release_ce_linux_amd64_rpm" {
     }
   }
 
-
   subset "proxy" {
     matrix {
       arch            = ["amd64"]
@@ -204,7 +200,6 @@ sample "release_ce_linux_amd64_zip" {
     }
   }
 
-
   subset "proxy" {
     matrix {
       arch            = ["amd64"]
@@ -249,7 +244,6 @@ sample "release_ce_linux_arm64_zip" {
     }
   }
 
-
   subset "proxy" {
     matrix {
       arch            = ["arm64"]

enos/enos-scenario-plugin.hcl

@@ -6,6 +6,9 @@ scenario "plugin" {
     The plugin scenario deploys a Vault cluster with external integration services and runs comprehensive
     plugin blackbox tests. This scenario validates plugin functionality including:
 
+    - LDAP secrets engine: Static/dynamic roles, password policies, rotation, rollback scenarios
+    - Future plugins: Database, SSH, PKI, and other secrets engines
+
     The scenario creates dedicated external services (LDAP, databases, etc.) using containers and
     configures them with test data required for comprehensive plugin testing.
 
@@ -92,7 +95,12 @@ scenario "plugin" {
       ubuntu = provider.enos.ubuntu
     }
     manage_service = matrix.artifact_type == "bundle"
-    test_names     = ["TestAlwaysPass"]
+    test_names = {
+      ldap = ["TestLDAPSecretsEngineComprehensive"]
+      // database = ["TestDatabaseSecretsEngineComprehensive"] // Future
+      // ssh      = ["TestSSHSecretsEngineComprehensive"]      // Future
+      // pki      = ["TestPKISecretsEngineComprehensive"]      // Future
+    }
   }
 
   step "build_vault" {
@@ -477,8 +485,8 @@ scenario "plugin" {
       leader_host            = step.get_vault_cluster_ips.leader_host
       leader_public_ip       = step.get_vault_cluster_ips.leader_public_ip
       vault_root_token       = step.create_vault_cluster.root_token
-      test_names             = local.test_names
-      test_package           = "./vault/external_tests/blackbox/plugin"
+      test_names             = local.test_names["ldap"] // Update this to select different plugin tests based on scenario configuration
+      test_package           = "./vault/external_tests/blackbox/ldap"
       integration_host_state = step.set_up_plugin_services.state
       vault_edition          = matrix.edition
     }

enos/modules/vault_run_blackbox_test/main.tf

@@ -52,10 +52,14 @@ locals {
   domain_dn = try(local.ldap_config.domain, "") != "" ? join(",", [for part in split(".", local.ldap_config.domain) : "dc=${part}"]) : ""
 
   # Set up LDAP environment variables when LDAP integration is available
+  # LDAP_SERVER uses private_ip for Vault operations (runs on Vault leader host)
+  # LDAP_SERVER_PUBLIC uses public_ip for test setup operations (runs from GitHub runner)
   ldap_environment = try(local.ldap_config.domain, "") != "" ? {
-    LDAP_SERVER    = "ldap://${local.ldap_config.host.private_ip}:${local.ldap_config.port}"
-    LDAP_BIND_DN   = "cn=admin,${local.domain_dn}"
-    LDAP_BIND_PASS = local.ldap_config.admin_pw
+    LDAP_SERVER        = local.ldap_config.host.private_ip
+    LDAP_SERVER_PUBLIC = local.ldap_config.host.public_ip
+    LDAP_PORT          = tostring(local.ldap_config.port)
+    LDAP_BIND_DN       = "cn=admin,${local.domain_dn}"
+    LDAP_BIND_PASS     = local.ldap_config.admin_pw
   } : {}
 }
 

enos/modules/vault_run_blackbox_test/plugin.tf

@@ -15,6 +15,7 @@ variable "plugin_config" {
   }
 }
 
+
 # Local variables for plugin environment setup
 locals {
   plugin_environment = var.plugin_config.enabled ? {

sdk/helper/testcluster/blackbox/session.go

@@ -10,6 +10,7 @@ import (
 	"os"
 	"path"
 	"testing"
+	"time"
 
 	"github.com/hashicorp/vault/api"
 	"github.com/stretchr/testify/require"
@@ -37,6 +38,7 @@ func New(t *testing.T) *Session {
 
 	config := api.DefaultConfig()
 	config.Address = addr
+	config.Timeout = 120 * time.Second // Increase timeout for LDAP operations that verify service accounts
 
 	privClient, err := api.NewClient(config)
 	require.NoError(t, err)

sdk/helper/testcluster/blackbox/session_util.go

@@ -12,18 +12,24 @@ import (
 
 // Eventually retries the function 'fn' until it returns nil or timeout occurs.
 func (s *Session) Eventually(fn func() error) {
+	s.EventuallyWithTimeout(fn, 5*time.Second)
+}
+
+// EventuallyWithTimeout retries the function 'fn' until it returns nil or timeout occurs.
+// Use this for operations that may take longer than the default 5 seconds.
+func (s *Session) EventuallyWithTimeout(fn func() error, timeout time.Duration) {
 	s.t.Helper()
 
-	timeout := time.After(5 * time.Second)
+	timeoutChan := time.After(timeout)
 	ticker := time.NewTicker(200 * time.Millisecond)
 	defer ticker.Stop()
 
 	var lastErr error
 
 	for {
 		select {
-		case <-timeout:
-			s.t.Fatalf("Eventually failed after 5s. Last error: %v", lastErr)
+		case <-timeoutChan:
+			s.t.Fatalf("Eventually failed after %v. Last error: %v", timeout, lastErr)
 		case <-ticker.C:
 			lastErr = fn()
 			if lastErr == nil {