From 9ca75998fa4f445601eff3881399b9f0b460b37d Mon Sep 17 00:00:00 2001
From: Alex Hung
Date: Fri, 2 Aug 2024 10:43:24 -0700
Subject: [PATCH] Add OpenBao to acceptance test GitHub workflow
---
 .github/workflows/acceptance-tests.yml | 45 ++++++++++++++++++++++----
 .gitignore | 1 +
 Makefile | 40 ++++++++++++-----------
 README.md | 6 ++++
 4 files changed, 67 insertions(+), 25 deletions(-)
diff --git a/.github/workflows/acceptance-tests.yml b/.github/workflows/acceptance-tests.yml
index 5a85402..a72a47c 100644
--- a/.github/workflows/acceptance-tests.yml
+++ b/.github/workflows/acceptance-tests.yml
@@ -10,12 +10,19 @@ on:
 name: Vault Acceptance Tests
 jobs:
- acceptance-tests:
+ acceptance-tests-matrix:
+ name: ${{ matrix.cli }}
 runs-on: ubuntu-latest
 continue-on-error: false
 environment: development
+ strategy:
+ fail-fast: true
+ matrix:
+ cli: [vault, bao]
 outputs:
 artifactory_version: ${{ steps.run_artifactory_container.outputs.version }}
+ openbao_version: ${{ steps.get_bao_cli_version.outputs.version }}
+ vault_version: ${{ steps.get_vault_cli_version.outputs.version }}
 steps:
 - name: Checkout
 uses: actions/checkout@v4
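Review bot: The `outputs:` map now belongs to a matrix job, and nothing near it records which leg fills which key. `vault_version` and `openbao_version` are each produced by a single leg (their steps are gated on `matrix.cli` in the next hunk), while `artifactory_version` is written by both legs, so the value seen downstream is whichever leg reported last. A comment above `outputs:` such as `# one key per matrix leg; artifactory_version is written by both legs, last one wins` would keep a later edit from reusing a key name across legs. The `steps:` list continues outside the hunk.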
@@ -33,6 +40,26 @@ jobs:
 install-only: true
 - name: Install Vault binary
 uses: eLco/setup-vault@v1
+ if: ${{ matrix.cli == 'vault' }}
+ - name: Get Vault CLI version
+ id: get_vault_cli_version
+ if: ${{ matrix.cli == 'vault' }}
+ run: |
+ VAULT_VERSION=$(vault version | cut -d ' ' -f 2)
+ echo $VAULT_VERSION
+ echo "version=$VAULT_VERSION" >> "$GITHUB_OUTPUT"
+ - name: Install OpenBoa binary
+ if: ${{ matrix.cli == 'bao' }}
+ run: |
+ curl -o ${{ runner.temp }}/bao_2.0.0_linux_amd64.deb https://github.com/openbao/openbao/releases/download/v2.0.0/bao_2.0.0_linux_amd64.deb
+ sudo dpkg -i ${{ runner.temp }}/bao_2.0.0_linux_amd64.deb
+ - name: Get OpenBao CLI version
+ id: get_bao_cli_version
+ if: ${{ matrix.cli == 'bao' }}
+ run: |
+ BAO_VERSION=$(bao version | cut -d ' ' -f 2)
+ echo $BAO_VERSION
+ echo "version=$BAO_VERSION" >> "$GITHUB_OUTPUT"
 - name: Run Vault Dev server
 run: |
 docker run --cap-add=IPC_LOCK -e 'VAULT_LOCAL_CONFIG={"storage": {"file": {"path": "/vault/file"}}}' -d --name=dev-vault -p 8200:8200 hashicorp/vault server
@@ -88,8 +115,12 @@ jobs:
 --header "cookie: ACCESSTOKEN=${ACCESSTOKEN}; REFRESHTOKEN=${REFRESHTOKEN}")
 echo "::add-mask::$JFROG_ACCESS_TOKEN"
 echo "JFROG_ACCESS_TOKEN=$JFROG_ACCESS_TOKEN" >> "$GITHUB_ENV"
- - name: Execute acceptance tests
- run: make acceptance
+ - name: Execute all tests
+ run: make alltests
+ - name: Setup plugin with Vault server
+ run: |
+ make build
+ VAULT_CLI=${{ matrix.cli }} make setup
 - name: Clean up Docker container
 if: always() && ${{ steps.run_artifactory_container.outcome == 'success' }}
 run: docker stop artifactory
@@ -116,7 +147,7 @@ jobs:
 update-changelog:
 runs-on: ubuntu-latest
- needs: acceptance-tests
+ needs: acceptance-tests-matrix
 if: github.event_name == 'pull_request' && needs.acceptance-tests.result == 'success'
 permissions:
 contents: write
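Review bot: The `Install OpenBoa binary` step installs a downloaded `.deb` as root with no integrity check, and its `curl -o` call has neither `--fail` nor `--location`. Release asset URLs on GitHub normally answer with a redirect, so as written curl may save the redirect response instead of the package, and an HTTP error body would be handed to `dpkg -i` the same way. Pin the SHA-256 of the asset next to the version and verify it before installing; the digest in the sketch below is a placeholder to fill in from the release. The step name also misspells OpenBao.

```yaml
      # … unchanged: Install Vault binary, Get Vault CLI version …
      - name: Install OpenBao binary
        if: ${{ matrix.cli == 'bao' }}
        env:
          BAO_DEB: bao_2.0.0_linux_amd64.deb
          # placeholder, not a real digest: fill in from the v2.0.0 release
          BAO_DEB_SHA256: "<SHA256_OF_BAO_2.0.0_DEB>"
        run: |
          curl --fail --silent --show-error --location \
            --output "$RUNNER_TEMP/$BAO_DEB" \
            "https://github.com/openbao/openbao/releases/download/v2.0.0/$BAO_DEB"
          echo "$BAO_DEB_SHA256  $RUNNER_TEMP/$BAO_DEB" | sha256sum --check --strict
          sudo dpkg -i "$RUNNER_TEMP/$BAO_DEB"
      # … unchanged: Get OpenBao CLI version, Run Vault Dev server …
```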
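Review bot: In the `bao` leg the new `Setup plugin with Vault server` step only swaps the CLI: as far as the visible steps show, the server is still the `hashicorp/vault` container that `Run Vault Dev server` starts unconditionally, so the plugin is exercised against Vault with an OpenBao client rather than against an OpenBao server. If server compatibility is the goal, the container step needs a matrix-dependent image; if client compatibility is enough, say so in the step name. Passing the value as `env:` with `VAULT_CLI: ${{ matrix.cli }}` rather than interpolating it into the script also keeps the `run:` body free of expressions, which matters once a matrix value stops being a literal.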
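Review bot: The `if:` on `update-changelog` still reads `needs.acceptance-tests.result`, but the job it depends on is now `acceptance-tests-matrix`, so the lookup most likely resolves to an empty value and the job is skipped on every pull request. Change the condition to `if: github.event_name == 'pull_request' && needs.acceptance-tests-matrix.result == 'success'`. The job body continues outside the hunk.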
@@ -127,10 +158,12 @@ jobs:
 ref: ${{ github.event.pull_request.head.ref }}
 - name: Update CHANGELOG and push commit
 env:
- ARTIFACTORY_VERSION: ${{ needs.acceptance-tests.outputs.artifactory_version }}
+ ARTIFACTORY_VERSION: ${{ needs.acceptance-tests-matrix.outputs.artifactory_version }}
+ OPENBAO_VERSION: ${{ needs.acceptance-tests-matrix.outputs.openbao_version }}
+ VAULT_VERSION: ${{ needs.acceptance-tests-matrix.outputs.vault_version }}
 run: |
 echo "Adding Artifactory version to CHANGELOG.md"
- sed -i -E "0,/(##\s.+\..+\..+\s\(.+\)).*/ s/(##\s.+\..+\..+\s\(.+\)).*/\1. Tested on Artifactory $ARTIFACTORY_VERSION/" CHANGELOG.md
+ sed -i -E "0,/(##\s.+\..+\..+\s\(.+\)).*/ s/(##\s.+\..+\..+\s\(.+\)).*/\1. Tested on Artifactory $ARTIFACTORY_VERSION with Vault $VAULT_VERSION and OpenBao $OPENBAO_VERSION/" CHANGELOG.md
 head -10 CHANGELOG.md
 git add CHANGELOG.md
 export REGEX="Changes to be committed*"
diff --git a/.gitignore b/.gitignore
index 2e2af4f..a79617b 100644
--- a/.gitignore
+++ b/.gitignore
@@ -3,5 +3,6 @@
 /vendor
 .DS_Store
+bin/
 dist/
 /coverage.*
\ No newline at end of file
diff --git a/Makefile b/Makefile
index 0466c29..f25184f 100644
--- a/Makefile
+++ b/Makefile
@@ -15,6 +15,8 @@ PLUGIN_FILE := artifactory-secrets-plugin
 PLUGIN_NAME ?= artifactory
 PLUGIN_VAULT_PATH ?= artifactory
+VAULT_CLI?=vault
+
 ARTIFACTORY_ENV := ./vault/artifactory.env
 ARTIFACTORY_SCOPE ?= applied-permissions/groups:readers
 export JFROG_URL ?= http://localhost:8082
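Review bot: `$VAULT_VERSION` and `$OPENBAO_VERSION` go straight into the sed replacement, and from there into a commit pushed to the PR branch, with no check that they are set or well-formed. Each value is parsed from CLI output in another job, so an empty or unexpected string ends up in CHANGELOG.md, and a value containing `/` or `&` also changes what the sed expression does. Fail early before the sed line, for example `: "${ARTIFACTORY_VERSION:?}" "${VAULT_VERSION:?}" "${OPENBAO_VERSION:?}"`. The `run:` script continues outside the hunk.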
@@ -34,23 +36,23 @@ release:
 goreleaser release --clean --snapshot --parallelism 2
 start:
- vault server -dev -dev-root-token-id=root -dev-plugin-dir=$(PLUGIN_DIR) -log-level=DEBUG
+ ${VAULT_CLI} server -dev -dev-root-token-id=root -dev-plugin-dir=$(PLUGIN_DIR) -log-level=DEBUG
 disable:
- vault secrets disable $(PLUGIN_VAULT_PATH)
+ ${VAULT_CLI} secrets disable $(PLUGIN_VAULT_PATH)
 enable:
- vault secrets enable -path=$(PLUGIN_VAULT_PATH) -plugin-version=$(NEXT_VERSION) $(PLUGIN_NAME)
+ ${VAULT_CLI} secrets enable -path=$(PLUGIN_VAULT_PATH) -plugin-version=$(NEXT_VERSION) $(PLUGIN_NAME)
 register:
- vault plugin register -sha256=$$(sha256sum $(PLUGIN_DIR)/$(PLUGIN_FILE) | cut -d " " -f 1) -command=$(PLUGIN_FILE) -version=$(NEXT_VERSION) secret $(PLUGIN_NAME)
- vault plugin info -version=$(NEXT_VERSION) secret $(PLUGIN_NAME)
+ ${VAULT_CLI} plugin register -sha256=$$(sha256sum $(PLUGIN_DIR)/$(PLUGIN_FILE) | cut -d " " -f 1) -command=$(PLUGIN_FILE) -version=$(NEXT_VERSION) secret $(PLUGIN_NAME)
+ ${VAULT_CLI} plugin info -version=$(NEXT_VERSION) secret $(PLUGIN_NAME)
 deregister:
- vault plugin deregister -version=$(NEXT_VERSION) secret $(PLUGIN_NAME)
+ ${VAULT_CLI} plugin deregister -version=$(NEXT_VERSION) secret $(PLUGIN_NAME)
 upgrade: build register
- vault plugin reload -plugin=$(PLUGIN_NAME)
+ ${VAULT_CLI} plugin reload -plugin=$(PLUGIN_NAME)
 test:
 go test -v -count=1 ./...
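Review bot: The recipes spell the new variable `${VAULT_CLI}` while every other reference on the same lines uses the `$(NAME)` form, and the declaration `VAULT_CLI?=vault` in the earlier Makefile hunk drops the spaces that the neighbouring `?=` assignments have. Both spellings work in make, but the mix makes the variable read like a shell expansion; write `$(VAULT_CLI)` in the recipes and `VAULT_CLI ?= vault` in the declaration. The same spelling recurs in the `admin`, `usertoken` and `testrole` recipes of the next hunk.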
@@ -74,21 +76,21 @@ fmt:
 setup: disable register enable
 admin:
- vault write $(PLUGIN_VAULT_PATH)/config/admin url=$(JFROG_URL) access_token=$(JFROG_ACCESS_TOKEN)
- vault read $(PLUGIN_VAULT_PATH)/config/admin
- vault write -f $(PLUGIN_VAULT_PATH)/config/rotate
- vault read $(PLUGIN_VAULT_PATH)/config/admin
+ ${VAULT_CLI} write $(PLUGIN_VAULT_PATH)/config/admin url=$(JFROG_URL) access_token=$(JFROG_ACCESS_TOKEN)
+ ${VAULT_CLI} read $(PLUGIN_VAULT_PATH)/config/admin
+ ${VAULT_CLI} write -f $(PLUGIN_VAULT_PATH)/config/rotate
+ ${VAULT_CLI} read $(PLUGIN_VAULT_PATH)/config/admin
 usertoken:
- vault write $(PLUGIN_VAULT_PATH)/config/admin url=$(JFROG_URL) access_token=$(JFROG_ACCESS_TOKEN)
- vault write $(PLUGIN_VAULT_PATH)/config/user_token default_description="Vault Test"
- vault read $(PLUGIN_VAULT_PATH)/config/user_token
- vault read $(PLUGIN_VAULT_PATH)/user_token/test refreshable=true include_reference_token=true use_expiring_tokens=true
+ ${VAULT_CLI} write $(PLUGIN_VAULT_PATH)/config/admin url=$(JFROG_URL) access_token=$(JFROG_ACCESS_TOKEN)
+ ${VAULT_CLI} write $(PLUGIN_VAULT_PATH)/config/user_token default_description="Vault Test"
+ ${VAULT_CLI} read $(PLUGIN_VAULT_PATH)/config/user_token
+ ${VAULT_CLI} read $(PLUGIN_VAULT_PATH)/user_token/test refreshable=true include_reference_token=true use_expiring_tokens=true
 testrole:
- vault write $(PLUGIN_VAULT_PATH)/roles/test scope="$(ARTIFACTORY_SCOPE)" max_ttl=3h default_ttl=2h
- vault read $(PLUGIN_VAULT_PATH)/roles/test
- vault read $(PLUGIN_VAULT_PATH)/token/test
+ ${VAULT_CLI} write $(PLUGIN_VAULT_PATH)/roles/test scope="$(ARTIFACTORY_SCOPE)" max_ttl=3h default_ttl=2h
+ ${VAULT_CLI} read $(PLUGIN_VAULT_PATH)/roles/test
+ ${VAULT_CLI} read $(PLUGIN_VAULT_PATH)/token/test
 artifactory: $(ARTIFACTORY_ENV)
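Review bot: The `admin` and `usertoken` recipes still expand `$(JFROG_ACCESS_TOKEN)` into the command line, so make echoes the token when it prints the recipe and the value sits in the CLI's argument list while it runs. The commit rewrites exactly these lines, which makes this a cheap moment to fix it: prefix them with `@`, e.g. `@${VAULT_CLI} write $(PLUGIN_VAULT_PATH)/config/admin url=$(JFROG_URL) access_token=$(JFROG_ACCESS_TOKEN)`, so the expanded line is not printed. Keeping the token out of the argument list as well would mean passing it on stdin or from a file; whether both CLIs accept that in the same form should be confirmed first.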
@@ -99,4 +101,4 @@ stop_artifactory:
 source $(ARTIFACTORY_ENV) && docker stop $$ARTIFACTORY_CONTAINER_ID
 rm -f $(ARTIFACTORY_ENV)
-.PHONY: build clean fmt start disable enable register deregister upgrade test acceptance setup admin testrole artifactory stop_artifactory
+.PHONY: build clean fmt start disable enable register deregister upgrade test acceptance setup admin testrole artifactory stop_artifactory
diff --git a/README.md b/README.md
index 0b91343..e880a06 100644
--- a/README.md
+++ b/README.md
@@ -717,6 +717,12 @@ brew tap hashicorp/tap
 brew install hashicorp/tap/vault
 ```
+#### Test with OpenBao binary
+
+* You can follow the [Installing OpenBao](https://openbao.org/docs/install/) instructions.
+* Export env var `VAULT_CLI=`, e.g. `export VAULT_CLI=/usr/local/bin/bao`
+* Run makefile as usual `make setup` or `VAULT_CLI=/usr/local/bin/bao make setup`
+
 #### Start Vault dev server
 ```sh