From 296f751d085f9553a2d355ec9edb3a9179969331 Mon Sep 17 00:00:00 2001
From: Niels de Vos
Date: Tue, 23 Mar 2021 08:56:35 +0100
Subject: [PATCH] e2e: verify (non)existence of keys for VaultTokensKMS

Key existence and removal is only checked for the VaultKMS provider. It should also be done for the VaultTokensKMS provider.

Signed-off-by: Niels de Vos
---
 e2e/rbd_helper.go | 12 ++++++++----
 e2e/utils.go      | 19 +++++++++++++++----
 2 files changed, 23 insertions(+), 8 deletions(-)

diff --git a/e2e/rbd_helper.go b/e2e/rbd_helper.go
index 09c5fc7e7..675689c0b 100644
--- a/e2e/rbd_helper.go
+++ b/e2e/rbd_helper.go
@@ -225,6 +225,10 @@ func validateImageOwner(pvcPath string, f *framework.Framework) error {
 	return deletePVCAndValidatePV(f.ClientSet, pvc, deployTimeout)
 }
 
+func kmsIsVault(kms string) bool {
+	return kms == "vault"
+}
+
 func validateEncryptedPVCAndAppBinding(pvcPath, appPath, kms string, f *framework.Framework) error {
 	pvc, app, err := createPVCAndAppBinding(pvcPath, appPath, f, deployTimeout)
 	if err != nil {
@@ -252,9 +256,9 @@ func validateEncryptedPVCAndAppBinding(pvcPath, appPath, kms string, f *framewor
 		return fmt.Errorf("%v not equal to crypt", mountType)
 	}
 
-	if kms == "vault" {
+	if kmsIsVault(kms) || kms == "vaulttokens" {
 		// check new passphrase created
-		_, stdErr := readVaultSecret(imageData.csiVolumeHandle, f)
+		_, stdErr := readVaultSecret(imageData.csiVolumeHandle, kmsIsVault(kms), f)
 		if stdErr != "" {
 			return fmt.Errorf("failed to read passphrase from vault: %s", stdErr)
 		}
@@ -265,9 +269,9 @@ func validateEncryptedPVCAndAppBinding(pvcPath, appPath, kms string, f *framewor
 		return err
 	}
 
-	if kms == "vault" {
+	if kmsIsVault(kms) || kms == "vaulttokens" {
 		// check new passphrase created
-		stdOut, _ := readVaultSecret(imageData.csiVolumeHandle, f)
+		stdOut, _ := readVaultSecret(imageData.csiVolumeHandle, kmsIsVault(kms), f)
 		if stdOut != "" {
 			return fmt.Errorf("passphrase found in vault while should be deleted: %s", stdOut)
 		}
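Review bot: The condition `kmsIsVault(kms) || kms == "vaulttokens"` is now repeated verbatim at both Vault checks in validateEncryptedPVCAndAppBinding, and only one half of it was moved into a helper, so the next Vault-backed provider has to be added in two places. A second helper beside kmsIsVault, e.g. `func kmsIsVaultBacked(kms string) bool { return kmsIsVault(kms) || kms == "vaulttokens" }`, would keep both sites in step and give the "vaulttokens" literal a single home. The positive check here also only fails on non-empty stderr; discarding stdOut means a read that exits cleanly with no data would still pass, so `stdOut, stdErr := readVaultSecret(...)` followed by `if stdErr != "" || stdOut == "" {` pins that a passphrase really exists. The enclosing function begins and ends outside this hunk.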
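Review bot: The post-deletion check `stdOut, _ := readVaultSecret(...)` followed by `if stdOut != ""` passes vacuously whenever the read fails for an unrelated reason — Vault unreachable, login rejected, wrong backend path — because stdOut is empty in every failure mode, so the test cannot tell "passphrase destroyed" from "could not look". That matters most for the VaultTokensKMS path this commit adds: a mismatch between the path built in readVaultSecret and where the provider actually writes would make the removal test green without checking anything. Keeping stderr and requiring it to indicate a missing key (for `vault kv get` that appears to be a "No value found" message; confirm against the CLI version in the test image) would make the negative assertion meaningful. The context comment `// check new passphrase created` above this block is stale on the new side and should read `// check that the passphrase was removed when the PVC was deleted`. The enclosing function begins and ends outside this hunk.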
diff --git a/e2e/utils.go b/e2e/utils.go
index fa8b1d335..9b658d20c 100644
--- a/e2e/utils.go
+++ b/e2e/utils.go
@@ -25,8 +25,13 @@ import (
 
 /* #nosec:G101, values not credententials, just a reference to the location.*/
 const (
-	defaultNs     = "default"
-	vaultSecretNs = "/secret/ceph-csi/"
+	defaultNs = "default"
+
+	// vaultBackendPath is the default VAULT_BACKEND_PATH for secrets
+	vaultBackendPath = "secret/"
+	// vaultPassphrasePath is an advanced configuration option, only
+	// available for the VaultKMS (not VaultTokensKMS) provider.
+	vaultPassphrasePath = "ceph-csi/"
 
 	rookToolBoxPodLabel = "app=rook-ceph-tools"
 	rbdmountOptions     = "mountOptions"
@@ -207,9 +212,15 @@ func getMountType(appName, appNamespace, mountPath string, f *framework.Framewor
 // * issue get request for particular key
 // resulting in stdOut (first entry in tuple) - output that contains the key
 // or stdErr (second entry in tuple) - error getting the key.
-func readVaultSecret(key string, f *framework.Framework) (string, string) {
+func readVaultSecret(key string, usePassphrasePath bool, f *framework.Framework) (string, string) {
+	extraPath := vaultPassphrasePath
+	if !usePassphrasePath {
+		extraPath = ""
+	}
+
 	loginCmd := fmt.Sprintf("vault login -address=%s sample_root_token_id > /dev/null", vaultAddr)
-	readSecret := fmt.Sprintf("vault kv get -address=%s -field=data %s%s", vaultAddr, vaultSecretNs, key)
+	readSecret := fmt.Sprintf("vault kv get -address=%s -field=data %s%s%s",
+		vaultAddr, vaultBackendPath, extraPath, key)
 	cmd := fmt.Sprintf("%s && %s", loginCmd, readSecret)
 	opt := metav1.ListOptions{
 		LabelSelector: "app=vault",
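Review bot: The doc comment above readVaultSecret (the three `//` context lines at the top of this hunk) still describes the two-argument form and says nothing about the new `usePassphrasePath` parameter, which is the whole point of the change. Add a line such as `// usePassphrasePath selects the VaultKMS layout (secret/ceph-csi/<key>); VaultTokensKMS keys live directly under secret/<key>.` A bare boolean at the call sites, `readVaultSecret(handle, kmsIsVault(kms), f)`, is also hard to read; passing the provider name, or the extra path segment itself, would be self-describing. Separately, `key` is still interpolated unquoted into the shell string assembled in `cmd` and run inside the vault pod; it is a CSI volume handle in this test and so not attacker-controlled, but quoting it (`'%s'` in the format) costs nothing and removes the assumption. readVaultSecret's body continues past the end of this hunk.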