From e0dfa263fea7868eca06288fd1de72e080d32df3 Mon Sep 17 00:00:00 2001
From: Robert Eckert
Date: Tue, 12 Dec 2023 10:59:17 -0800
Subject: [PATCH] Enable enterprise Vault upgrades
- Adds a new variable `use_internal_repos`
- Allows a user to pull vault binaries from Hashicorp's website.
- Default is to use hashicorp repos. This maintains old behavior.
- Fixes enterprise license file configuration
- A bug where the path was defined without license_content would fail.
- Changes default installed version to 1.8.5 from 1.6.1
- Add new tests for license file functionality and external binaries.
---
.kitchen.yml | 23 ++++++++++++-
attributes/default.rb | 4 ++-
libraries/vault_installation.rb | 5 +++
libraries/vault_installation_binary.rb | 24 ++++++++++---
recipes/default.rb | 21 +++++++++++-
.../default/inspec/default_spec.rb | 2 +-
.../test_license/inspec/default_spec.rb | 34 +++++++++++++++++++
.../inspec/default_spec.rb | 34 +++++++++++++++++++
.../inspec/default_spec.rb | 34 +++++++++++++++++++
.../inspec/default_spec.rb | 2 +-
10 files changed, 173 insertions(+), 10 deletions(-)
create mode 100644 test/integration/test_license/inspec/default_spec.rb
create mode 100644 test/integration/test_license_external_ent/inspec/default_spec.rb
create mode 100644 test/integration/test_license_internal_ent/inspec/default_spec.rb
diff --git a/.kitchen.yml b/.kitchen.yml
index 6ec72370..eff7f8b1 100644
--- a/.kitchen.yml
+++ b/.kitchen.yml
@@ -32,6 +32,27 @@ suites:
 <<: *default-provisioner
 attributes:
 hashicorp-vault:
- version: 1.8.4
 config:
 unauthenticated_metrics_access: true
+ - name: test_license
+ provisioner:
+ <<: *default-provisioner
+ attributes:
+ hashicorp-vault:
+ license_content: <%= ENV['VAULT_LICENSE'] %>
+ - name: test_license_external_ent
+ provisioner:
+ <<: *default-provisioner
+ attributes:
+ hashicorp-vault:
+ enterprise: true
+ license_content: <%= ENV['VAULT_LICENSE'] %>
+ - name: test_license_internal_ent
+ provisioner:
+ <<: *default-provisioner
+ attributes:
+ hashicorp-vault:
+ archive_url_root: "cdn.aws.robloxlabs.com"
+ enterprise: true
+ use_internal_repos: true
+ license_content: <%= ENV['VAULT_LICENSE'] %>
diff --git a/attributes/default.rb b/attributes/default.rb
index 01bc0b89..aef745b0 100644
--- a/attributes/default.rb
+++ b/attributes/default.rb
@@ -12,13 +12,15 @@ default['hashicorp-vault']['service_user'] = 'vault'
 default['hashicorp-vault']['service_group'] = 'vault'
-default['hashicorp-vault']['version'] = '1.6.1'
+default['hashicorp-vault']['version'] = '1.8.5'
 default['hashicorp-vault']['archive_url_root'] = 'releases.hashicorp.com'
 default['hashicorp-vault']['enterprise'] = false
+default['hashicorp-vault']['use_internal_repos'] = false
 default['hashicorp-vault']['config']['path'] = '/etc/vault/vault.json'
+default['hashicorp-vault']['config']['license_path'] = '/etc/vault/vault_license.hclic'
 default['hashicorp-vault']['config']['address'] = '127.0.0.1:8200'
 default['hashicorp-vault']['config']['log_level'] = 'info'
 default['hashicorp-vault']['config']['tls_cert_file'] = '/etc/vault/ssl/certs/vault.crt'
diff --git a/libraries/vault_installation.rb b/libraries/vault_installation.rb
index 104b741e..cafec2cd 100644
--- a/libraries/vault_installation.rb
+++ b/libraries/vault_installation.rb
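Review bot: The new `test_license_internal_ent` suite hard-codes `archive_url_root: "cdn.aws.robloxlabs.com"`, an organisation-internal host, so the suite cannot converge for anyone outside that network and will fail or need manual skipping in any shared CI matrix. Sourcing the host from the environment the way `license_content` already does, for example `archive_url_root: <%= ENV['VAULT_ARCHIVE_URL_ROOT'] %>` (name chosen here, adjust to taste), and leaving the suite out when that variable is unset would keep the public suites runnable. Dropping `version: 1.8.4` from the `test_unauthenticated_metrics` suite is consistent with the attribute default moving to 1.8.5 in the next hunk and its spec expecting `/opt/vault/1.8.5/vault`.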
@@ -37,6 +37,11 @@ class VaultInstallation < Chef::Resource
 # @return [boolean]
 attribute(:enterprise, equal_to: [true, false])
+ # @!attribute use_internal_repos
+ # Install using internal repos or not
+ # @return [boolean]
+ attribute(:use_internal_repos, equal_to: [true, false])
+
 def vault_program
 @program ||= provider_for_action(:vault_program).vault_program
 end
diff --git a/libraries/vault_installation_binary.rb b/libraries/vault_installation_binary.rb
index f3073518..f264eda6 100644
--- a/libraries/vault_installation_binary.rb
+++ b/libraries/vault_installation_binary.rb
@@ -33,7 +33,13 @@ def self.default_inversion_options(node, new_resource)
 archive_basename = binary_basename(node, new_resource)
 super.merge(
 version: new_resource.version,
- archive_url: format(default_archive_url, archive_url_root: node['hashicorp-vault']['archive_url_root'], version: new_resource.version, basename: archive_basename),
+ archive_url: format(
+ default_archive_url,
+ archive_url_root: node['hashicorp-vault']['archive_url_root'],
+ version: new_resource.version,
+ ent_terminal: new_resource.enterprise ? !new_resource.use_internal_repos ? "%%2bent": "" : "",
+ basename: archive_basename
+ ),
 archive_basename: archive_basename,
 archive_checksum: binary_checksum(node, new_resource),
 extract_to: '/opt/vault'
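Review bot: `attribute(:use_internal_repos, equal_to: [true, false])` declares no default, so a `vault_installation` resource declared without it carries `nil`; the binary provider reads the value as `!new_resource.use_internal_repos` and `if resource.use_internal_repos`, so `nil` is silently treated as `false`. Making that explicit with `attribute(:use_internal_repos, equal_to: [true, false], default: false)` keeps the library usable outside the recipe, which is the only place the value is currently set. The YARD line `# Install using internal repos or not` would also be clearer as `# When true, use the internal repository naming (vault-enterprise, +prem) instead of the public +ent release naming`, since that is what the provider actually switches on.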
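Review bot: The `ent_terminal:` line is a nested ternary, `new_resource.enterprise ? !new_resource.use_internal_repos ? "%%2bent": "" : ""`, that needs a second read to see that both false branches yield the empty string; `ent_terminal: new_resource.enterprise && !new_resource.use_internal_repos ? '%%2bent' : ''` says the same thing in one pass. The same enterprise/use_internal_repos decision is repeated in `binary_basename` in the next hunk, so a small predicate such as `def self.public_enterprise?(resource) = resource.enterprise && !resource.use_internal_repos` used by both would keep the URL path and the basename from drifting apart. Whether `binary_checksum` (outside the hunk) has entries for the new `+ent` basenames is not visible here; if it returns `nil` for them the archive would presumably be fetched without integrity verification, so that table should be checked as part of this change.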
@@ -82,13 +88,21 @@ def vault_program
 end
 def self.default_archive_url
- "https://%{archive_url_root}/vault/%{version}/%{basename}" # rubocop:disable Style/StringLiterals
+ "https://%{archive_url_root}/vault/%{version}%{ent_terminal}/%{basename}" # rubocop:disable Style/StringLiterals
 end
 def self.binary_basename(node, resource)
- filename = resource.enterprise ? 'vault-enterprise' : 'vault'
- # %2b is +, and %% is required because of call to format()
- version = resource.enterprise ? "#{resource.version}%%2bprem" : resource.version
+ filename = 'vault'
+ version = resource.version
+ if resource.enterprise
+ if resource.use_internal_repos
+ filename = 'vault-enterprise'
+ # %2b is +, and %% is required because of call to format()
+ version = "#{resource.version}%%2bprem"
+ else
+ version = "#{resource.version}%%2bent"
+ end
+ end
 case node['kernel']['machine']
 when 'x86_64', 'amd64' then [filename, version, node['os'], 'amd64'].join('_')
diff --git a/recipes/default.rb b/recipes/default.rb
index 33ab5e14..5dddc012 100644
--- a/recipes/default.rb
+++ b/recipes/default.rb
@@ -14,6 +14,7 @@ node['hashicorp-vault']['installation'].each_pair { |k, v| r.send(k, v) }
 end
 r.send('enterprise', node['hashicorp-vault']['enterprise'])
+ r.send('use_internal_repos', node['hashicorp-vault']['use_internal_repos'])
 end
 config = vault_config node['hashicorp-vault']['config']['path'] do |r|
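Review bot: With `enterprise` true and the new attribute default `use_internal_repos: false`, `binary_basename` now produces `vault_<version>%%2bent_…` where the removed lines produced `vault-enterprise_<version>%%2bprem_…`, so existing enterprise users who pick up this cookbook version without setting `use_internal_repos: true` silently change both the archive name and, via `ent_terminal`, the download path; the commit message's "maintains old behavior" holds only for the non-enterprise path. That deserves a changelog or README entry, and a comment above `if resource.enterprise` such as `# Public HashiCorp releases are named vault_<ver>+ent; the internal mirror keeps the older vault-enterprise_<ver>+prem layout`. The `# %2b is +, and %% is required because of call to format()` comment now sits only in the `+prem` branch although the `+ent` branch relies on the same encoding; it belongs above the `if`. `binary_basename` continues past the end of the hunk.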
@@ -21,11 +22,29 @@ group node['hashicorp-vault']['service_group']
 if node['hashicorp-vault']['config']
- node['hashicorp-vault']['config'].each_pair { |k, v| r.send(k, v) }
+ node['hashicorp-vault']['config'].each_pair do |k, v|
+ if k == "license_path" and !node['hashicorp-vault']['license_content']
+ next
+ end
+ r.send(k, v)
+ end
 end
+ notifies :reload, "vault_service[#{node['hashicorp-vault']['service_name']}]", :delayed
 end
+if node['hashicorp-vault']['license_content']
+ file node['hashicorp-vault']['config']['license_path'] do
+ content node['hashicorp-vault']['license_content']
+ owner node['hashicorp-vault']['service_user']
+ group node['hashicorp-vault']['service_group']
+ sensitive true
+ notifies :reload, "vault_service[#{node['hashicorp-vault']['service_name']}]", :delayed
+ end
+else
+ node.default['hashicorp-vault']['config'].delete('license_path')
+end
+
 vault_service node['hashicorp-vault']['service_name'] do |r|
 user node['hashicorp-vault']['service_user']
 group node['hashicorp-vault']['service_group']
diff --git a/test/integration/default/inspec/default_spec.rb b/test/integration/default/inspec/default_spec.rb
index c7fd8b74..f731b14b 100644
--- a/test/integration/default/inspec/default_spec.rb
+++ b/test/integration/default/inspec/default_spec.rb
@@ -1,4 +1,4 @@
-describe file('/opt/vault/1.6.1/vault') do
+describe file('/opt/vault/1.8.5/vault') do
 it { should be_file }
 it { should be_executable }
 end
diff --git a/test/integration/test_license/inspec/default_spec.rb b/test/integration/test_license/inspec/default_spec.rb
new file mode 100644
index 00000000..bd333035
--- /dev/null
+++ b/test/integration/test_license/inspec/default_spec.rb
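Review bot: The `file` resource that writes the license sets `owner`, `group` and `sensitive true` but no `mode`, so the license is created with whatever the process umask yields (typically 0644, readable by every local user) while the neighbouring `vault.json` is held to 0640 by the new specs; add `mode '0640'` next to `group`. Two smaller points in the same hunk: `if k == "license_path" and !node['hashicorp-vault']['license_content']` uses `and` inside a boolean test and can be `next if k == 'license_path' && !node['hashicorp-vault']['license_content']`, and the `else` branch that deletes `license_path` from `node.default` runs after the `vault_config` block above has already skipped the key, so it looks redundant unless something later in the run reads the node attribute — a one-line comment stating which consumer needs it would settle that. `license_content` is also read from an ordinary node attribute, and node attributes are persisted with the node object whenever the node is saved, so callers should be told to supply it from a secrets source rather than role or environment JSON.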
@@ -0,0 +1,34 @@
+describe file('/opt/vault/1.8.5/vault') do
+ it { should be_file }
+ it { should be_executable }
+end
+
+describe group('vault') do
+ it { should exist }
+end
+
+describe user('vault') do
+ it { should exist }
+end
+
+describe file('/etc/vault/vault.json') do
+ its('mode') { should eq 0640 }
+ it { should be_file }
+ it { should be_owned_by 'vault' }
+ it { should be_grouped_into 'vault' }
+ its('content') { should match /.*log_level.*/ }
+ its('content') { should match /.*license_path.*/}
+end
+
+describe file('/etc/vault/vault_license.hclic') do
+ it {should exist}
+ it {should be_file}
+ it { should be_owned_by 'vault' }
+ it { should be_grouped_into 'vault' }
+end
+
+describe service('vault') do
+ it { should be_installed }
+ it { should be_enabled }
+ it { should be_running }
+end
diff --git a/test/integration/test_license_external_ent/inspec/default_spec.rb b/test/integration/test_license_external_ent/inspec/default_spec.rb
new file mode 100644
index 00000000..bd333035
--- /dev/null
+++ b/test/integration/test_license_external_ent/inspec/default_spec.rb
@@ -0,0 +1,34 @@
+describe file('/opt/vault/1.8.5/vault') do
+ it { should be_file }
+ it { should be_executable }
+end
+
+describe group('vault') do
+ it { should exist }
+end
+
+describe user('vault') do
+ it { should exist }
+end
+
+describe file('/etc/vault/vault.json') do
+ its('mode') { should eq 0640 }
+ it { should be_file }
+ it { should be_owned_by 'vault' }
+ it { should be_grouped_into 'vault' }
+ its('content') { should match /.*log_level.*/ }
+ its('content') { should match /.*license_path.*/}
+end
+
+describe file('/etc/vault/vault_license.hclic') do
+ it {should exist}
+ it {should be_file}
+ it { should be_owned_by 'vault' }
+ it { should be_grouped_into 'vault' }
+end
+
+describe service('vault') do
+ it { should be_installed }
+ it { should be_enabled }
+ it { should be_running }
+end
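Review bot: The three new specs (`test_license` and `test_license_external_ent` here, `test_license_internal_ent` in the next file) are byte-identical — all three carry blob `bd333035` — so none of them checks the property that distinguishes its suite: whether the binary at `/opt/vault/1.8.5/vault` is the enterprise build and which archive layout it came from. Adding `describe command('/opt/vault/1.8.5/vault version') do its('stdout') { should match(/\+ent/) } end` to the two enterprise suites, and the negated match in `test_license`, would make a wrong `ent_terminal` or basename visible instead of passing as long as some binary was extracted. The `vault_license.hclic` block asserts owner and group but not permissions; `its('mode') { should eq 0640 }` would mirror the `vault.json` check above it and catch the recipe writing the license without a `mode`. Spacing in `it {should exist}` and `it {should be_file}` also differs from the rest of the file; `it { should exist }` matches the surrounding lines.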
diff --git a/test/integration/test_license_internal_ent/inspec/default_spec.rb b/test/integration/test_license_internal_ent/inspec/default_spec.rb
new file mode 100644
index 00000000..bd333035
--- /dev/null
+++ b/test/integration/test_license_internal_ent/inspec/default_spec.rb
@@ -0,0 +1,34 @@
+describe file('/opt/vault/1.8.5/vault') do
+ it { should be_file }
+ it { should be_executable }
+end
+
+describe group('vault') do
+ it { should exist }
+end
+
+describe user('vault') do
+ it { should exist }
+end
+
+describe file('/etc/vault/vault.json') do
+ its('mode') { should eq 0640 }
+ it { should be_file }
+ it { should be_owned_by 'vault' }
+ it { should be_grouped_into 'vault' }
+ its('content') { should match /.*log_level.*/ }
+ its('content') { should match /.*license_path.*/}
+end
+
+describe file('/etc/vault/vault_license.hclic') do
+ it {should exist}
+ it {should be_file}
+ it { should be_owned_by 'vault' }
+ it { should be_grouped_into 'vault' }
+end
+
+describe service('vault') do
+ it { should be_installed }
+ it { should be_enabled }
+ it { should be_running }
+end
diff --git a/test/integration/test_unauthenticated_metrics/inspec/default_spec.rb b/test/integration/test_unauthenticated_metrics/inspec/default_spec.rb
index 4477bb66..17ff431e 100644
--- a/test/integration/test_unauthenticated_metrics/inspec/default_spec.rb
+++ b/test/integration/test_unauthenticated_metrics/inspec/default_spec.rb
@@ -1,4 +1,4 @@
-describe file('/opt/vault/1.8.4/vault') do
+describe file('/opt/vault/1.8.5/vault') do
 it { should be_file }
 it { should be_executable }
 end