test: add storage service aws test

testing/e2e_host_test.go

@@ -11,26 +11,20 @@ import (
 	"testing"
 	"time"
 
-	"github.com/aws/aws-sdk-go/aws/awserr"
 	"github.com/hashicorp/boundary-plugin-aws/internal/credential"
-	"github.com/hashicorp/boundary-plugin-aws/internal/values"
 	"github.com/hashicorp/boundary-plugin-aws/plugin/service/host"
 	"github.com/hashicorp/boundary/sdk/pbs/controller/api/resources/hostcatalogs"
 	"github.com/hashicorp/boundary/sdk/pbs/controller/api/resources/hostsets"
 	pb "github.com/hashicorp/boundary/sdk/pbs/plugin"
-	"github.com/hashicorp/go-secure-stdlib/awsutil"
 	"github.com/stretchr/testify/require"
 	"google.golang.org/protobuf/types/known/structpb"
 )
 
-const (
-	expectedIamUserCount     = 6
-	expectedEc2InstanceCount = 5
-)
+const expectedEc2InstanceCount = 5
 
 var expectedTags = []string{"foo", "bar", "baz"}
 
-func TestPlugin(t *testing.T) {
+func TestHostPlugin(t *testing.T) {
 	region := os.Getenv("AWS_REGION")
 	if region == "" {
 		t.Skip("set AWS_REGION to use this test")
@@ -195,36 +189,7 @@ func testPluginOnCreateCatalog(ctx context.Context, t *testing.T, p *host.HostPl
 	require.NotNil(response)
 	persisted := response.GetPersisted()
 	require.NotNil(persisted)
-	persistedSecrets := persisted.GetSecrets()
-	require.NotNil(persistedSecrets)
-	persistedAccessKeyId, err := values.GetStringValue(persistedSecrets, credential.ConstAccessKeyId, true)
-	require.NoError(err)
-	require.NotZero(persistedAccessKeyId)
-	if rotate {
-		require.NotEqual(accessKeyId, persistedAccessKeyId)
-	} else {
-		require.Equal(accessKeyId, persistedAccessKeyId)
-	}
-
-	persistedSecretAccessKey, err := values.GetStringValue(persistedSecrets, credential.ConstSecretAccessKey, true)
-	require.NoError(err)
-	require.NotZero(persistedSecretAccessKey)
-	if rotate {
-		require.NotEqual(secretAccessKey, persistedSecretAccessKey)
-	} else {
-		require.Equal(secretAccessKey, persistedSecretAccessKey)
-	}
-
-	persistedCredsLastRotatedTime, err := values.GetTimeValue(persistedSecrets, credential.ConstCredsLastRotatedTime)
-	require.NoError(err)
-	if rotate {
-		require.NotZero(persistedCredsLastRotatedTime)
-		requireCredentialsInvalid(t, accessKeyId, secretAccessKey)
-	} else {
-		require.Zero(persistedCredsLastRotatedTime)
-	}
-
-	return persistedAccessKeyId, persistedSecretAccessKey
+	return validatePersistedSecrets(t, persisted.GetSecrets(), accessKeyId, secretAccessKey, rotate)
 }
 
 func testPluginOnUpdateCatalog(
@@ -293,116 +258,7 @@ func testPluginOnUpdateCatalog(
 	require.NotNil(response)
 	persisted := response.GetPersisted()
 	require.NotNil(persisted)
-	persistedSecrets := persisted.GetSecrets()
-	require.NotNil(persistedSecrets)
-
-	// Complex checks based on the scenarios.
-	persistedAccessKeyId, err := values.GetStringValue(persistedSecrets, credential.ConstAccessKeyId, true)
-	require.NoError(err)
-	require.NotZero(persistedAccessKeyId)
-	persistedSecretAccessKey, err := values.GetStringValue(persistedSecrets, credential.ConstSecretAccessKey, true)
-	require.NoError(err)
-	require.NotZero(persistedSecretAccessKey)
-	persistedCredsLastRotatedTime, err := values.GetTimeValue(persistedSecrets, credential.ConstCredsLastRotatedTime)
-	require.NoError(err)
-
-	// Our test scenarios are complex due the multi-dimensional nature
-	// of criteria, so we lay them out in a switch below.
-	switch {
-	case newAccessKeyId != "" && rotated && rotate:
-		// The new access key ID was provided, we had previously rotated
-		// the credentials before, and the new credential set is to be
-		// rotated as well. In this case, the old credentials should have
-		// been deleted, and the new credentials should have been rotated,
-		// hence, should not match the new credentials initially
-		// provided. Rotation time should be non-zero and updated.
-		requireCredentialsInvalid(t, currentAccessKeyId, currentSecretAccessKey)
-		require.NotEqual(persistedAccessKeyId, newAccessKeyId)
-		require.NotEqual(persistedSecretAccessKey, newSecretAccessKey)
-		require.NotZero(persistedCredsLastRotatedTime)
-		require.True(persistedCredsLastRotatedTime.After(currentCredsLastRotatedTime))
-
-	case newAccessKeyId != "" && rotated && !rotate:
-		// The new access key ID was provided, we had previously rotated
-		// the credentials before, and the new credential is *not*
-		// rotated. In this case, the old credentials should have
-		// been deleted, But the new credentials should have not been
-		// rotated, and hence should be the same. Rotation time should be
-		// zero.
-		requireCredentialsInvalid(t, currentAccessKeyId, currentSecretAccessKey)
-		require.Equal(persistedAccessKeyId, newAccessKeyId)
-		require.Equal(persistedSecretAccessKey, newSecretAccessKey)
-		require.Zero(persistedCredsLastRotatedTime)
-
-	case newAccessKeyId != "" && !rotated && rotate:
-		// The new access key ID was provided, we *have not* previously
-		// rotated the credentials, and the new credential set is to be
-		// rotated. In this case, the old credentials should have been
-		// left alone, and the new credentials should have been rotated,
-		// hence, should not match the new credentials initially
-		// provided. Rotation time should be non-zero, but updated.
-		requireCredentialsValid(t, currentAccessKeyId, currentSecretAccessKey)
-		require.NotEqual(persistedAccessKeyId, newAccessKeyId)
-		require.NotEqual(persistedSecretAccessKey, newSecretAccessKey)
-		require.NotZero(persistedCredsLastRotatedTime)
-		require.True(persistedCredsLastRotatedTime.After(currentCredsLastRotatedTime))
-
-	case newAccessKeyId != "" && !rotated && !rotate:
-		// The new access key ID was provided, but we have not rotated
-		// the credentials previously and we still don't plan on rotating
-		// them. In this case, the old credentials should still be valid,
-		// and the persisted ones should match the new ones provided.
-		// Rotation time should be zero.
-		requireCredentialsValid(t, currentAccessKeyId, currentSecretAccessKey)
-		require.Equal(persistedAccessKeyId, newAccessKeyId)
-		require.Equal(persistedSecretAccessKey, newSecretAccessKey)
-		require.Zero(persistedCredsLastRotatedTime)
-
-	case newAccessKeyId == "" && rotated && rotate:
-		// No new credentials have been provided, but we have previously
-		// rotated and are still rotating credentials. This is a no-op.
-		// Existing credentials should still be valid and match the ones
-		// persisted to state. Rotation time should be identical since
-		// no new rotation occurred.
-		requireCredentialsValid(t, currentAccessKeyId, currentSecretAccessKey)
-		require.Equal(persistedAccessKeyId, currentAccessKeyId)
-		require.Equal(persistedSecretAccessKey, currentSecretAccessKey)
-		require.NotZero(persistedCredsLastRotatedTime)
-		require.True(currentCredsLastRotatedTime.Equal(persistedCredsLastRotatedTime))
-
-	case newAccessKeyId == "" && rotated && !rotate:
-		// No new credentials have been provided, and we have previously
-		// rotated the credentials. This is actually an error, but we
-		// don't test it here; it's covered in unit testing (see
-		// plugin_test.go).
-		require.FailNow("testing rotated-to-not-rotated scenario not implemented by this helper")
-
-	case newAccessKeyId == "" && !rotated && rotate:
-		// No new credentials have been provided, and while we did not
-		// rotate before, we want to switch to rotation. In this case,
-		// the existing persisted credentials should have been rotated,
-		// with a new non-zero timestamp.
-		requireCredentialsInvalid(t, currentAccessKeyId, currentSecretAccessKey)
-		require.NotEqual(persistedAccessKeyId, currentAccessKeyId)
-		require.NotEqual(persistedSecretAccessKey, currentSecretAccessKey)
-		require.NotZero(persistedCredsLastRotatedTime)
-
-	case newAccessKeyId == "" && !rotated && !rotate:
-		// No new credentials have been provided and we have not, nor do
-		// not, plan on rotating the credentials. This is a no-op.
-		// Existing credentials should still be valid and match the ones
-		// persisted to state. Rotation time should remain at zero.
-		requireCredentialsValid(t, currentAccessKeyId, currentSecretAccessKey)
-		require.Equal(persistedAccessKeyId, currentAccessKeyId)
-		require.Equal(persistedSecretAccessKey, currentSecretAccessKey)
-		require.Zero(persistedCredsLastRotatedTime)
-
-	default:
-		// Scenario was reached that was not covered by this function.
-		require.FailNow("unknown test scenario")
-	}
-
-	return persistedAccessKeyId, persistedSecretAccessKey
+	return validateUpdateSecrets(t, persisted.GetSecrets(), currentCredsLastRotatedTime, currentAccessKeyId, currentSecretAccessKey, newAccessKeyId, newSecretAccessKey, rotated, rotate)
 }
 
 func testPluginOnDeleteCatalog(ctx context.Context, t *testing.T, p *host.HostPlugin, region, accessKeyId, secretAccessKey string, rotated bool) {
@@ -588,53 +444,3 @@ func testPluginListHosts(ctx context.Context, t *testing.T, p *host.HostPlugin,
 	// Success
 	t.Logf("testing ListHosts: success (region=%s, tags=%v, expected/actual=(len=%d, ids=%s))", region, tags, len(actualInstances), actualInstances)
 }
-
-func requireCredentialsInvalid(t *testing.T, accessKeyId, secretAccessKey string) {
-	t.Helper()
-	require := require.New(t)
-
-	c, err := awsutil.NewCredentialsConfig(
-		awsutil.WithAccessKey(accessKeyId),
-		awsutil.WithSecretKey(secretAccessKey),
-	)
-	require.NoError(err)
-
-	// We need to wait for invalidation as while awsutil waits for
-	// credential creation, deletion of the old credentials returns
-	// immediately.
-	timeoutCtx, cancel := context.WithTimeout(context.Background(), time.Second*30)
-	defer cancel()
-waitErr:
-	for {
-		_, err = c.GetCallerIdentity()
-		if err != nil {
-			break
-		}
-
-		select {
-		case <-time.After(time.Second):
-			// pass
-
-		case <-timeoutCtx.Done():
-			break waitErr
-		}
-	}
-
-	require.NotNil(err)
-	awsErr, ok := err.(awserr.Error)
-	require.True(ok)
-	require.Equal("InvalidClientTokenId", awsErr.Code())
-}
-
-func requireCredentialsValid(t *testing.T, accessKeyId, secretAccessKey string) {
-	t.Helper()
-	require := require.New(t)
-
-	c, err := awsutil.NewCredentialsConfig(
-		awsutil.WithAccessKey(accessKeyId),
-		awsutil.WithSecretKey(secretAccessKey),
-	)
-	require.NoError(err)
-	_, err = c.GetCallerIdentity()
-	require.NoError(err)
-}