infra/scripts/test-vault-token-renew.sh

#!/usr/bin/env bash
# Unit tests for the pure drift-guard functions in vault-token-renew.sh.
# Sources the script (vtr_main is guarded) and exercises the decision logic that
# decides whether ~/.vault-token is OUR periodic admin token (renew) or a foreign
# token that clobbered the file (refuse, fail loud). This is exactly the logic
# whose ABSENCE let the 2026-06-05 woodpecker-token clobber be silently renewed
# for two days. Run: bash infra/scripts/test-vault-token-renew.sh
set -uo pipefail
DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
# shellcheck source=/dev/null
source "$DIR/vault-token-renew.sh"

pass=0 fail=0
ok() {  # <description> <cmd...> — expects the command to succeed (renew-OK)
  if "${@:2}"; then pass=$((pass + 1)); else
    fail=$((fail + 1)); printf 'FAIL: %s — expected OK, got refuse\n' "$1"
  fi
}
no() {  # <description> <cmd...> — expects the command to fail (drift, refuse)
  if "${@:2}"; then
    fail=$((fail + 1)); printf 'FAIL: %s — expected DRIFT, got OK\n' "$1"
  else pass=$((pass + 1)); fi
}
eq() {  # <description> <expected> <actual>
  if [[ "$2" == "$3" ]]; then pass=$((pass + 1)); else
    fail=$((fail + 1)); printf 'FAIL: %s — expected [%s] got [%s]\n' "$1" "$2" "$3"
  fi
}

# --- vtr_drift_ok: ONLY our periodic admin token (right name AND vault-admin) renews ---
ok "our token renews"                vtr_drift_ok token-devvm-wizard "default,sops-admin,vault-admin"
ok "vault-admin anywhere in list"    vtr_drift_ok token-devvm-wizard "default,vault-admin"
ok "policy order irrelevant"         vtr_drift_ok token-devvm-wizard "vault-admin,default"
no "woodpecker clobber refused"      vtr_drift_ok kubernetes-woodpecker-default "ci,default,terraform-state"
no "oidc token (admin but wrong dn)" vtr_drift_ok oidc-vbarzin "default,sops-admin,vault-admin"
no "right name, no vault-admin"      vtr_drift_ok token-devvm-wizard "default,sops-admin"
no "empty display_name"              vtr_drift_ok "" "vault-admin"
no "empty policies"                  vtr_drift_ok token-devvm-wizard ""
no "no substring false-positive"     vtr_drift_ok token-devvm-wizard "default,vault-admin-ro"

# --- vtr_display_name / vtr_policies_csv: parse real `vault token lookup -format=json` ---
LOOKUP_OURS='{"data":{"display_name":"token-devvm-wizard","policies":["default","sops-admin","vault-admin"],"identity_policies":null}}'
LOOKUP_OIDC='{"data":{"display_name":"oidc-vbarzin","policies":["default"],"identity_policies":["sops-admin","vault-admin"]}}'
LOOKUP_WP='{"data":{"display_name":"kubernetes-woodpecker-default","policies":["ci","default","terraform-state"],"identity_policies":[]}}'
eq "dn ours"  "token-devvm-wizard" "$(vtr_display_name "$LOOKUP_OURS")"
eq "dn oidc"  "oidc-vbarzin"       "$(vtr_display_name "$LOOKUP_OIDC")"
eq "pols ours"                       "default,sops-admin,vault-admin" "$(vtr_policies_csv "$LOOKUP_OURS")"
eq "pols oidc merges token+identity" "default,sops-admin,vault-admin" "$(vtr_policies_csv "$LOOKUP_OIDC")"
eq "pols woodpecker"                 "ci,default,terraform-state"     "$(vtr_policies_csv "$LOOKUP_WP")"

# --- parse + decide end-to-end (the real lookup-JSON -> renew/refuse path) ---
ok "ours: parse+decide renews"        vtr_drift_ok "$(vtr_display_name "$LOOKUP_OURS")" "$(vtr_policies_csv "$LOOKUP_OURS")"
no "woodpecker: parse+decide refused" vtr_drift_ok "$(vtr_display_name "$LOOKUP_WP")"   "$(vtr_policies_csv "$LOOKUP_WP")"
no "oidc: parse+decide refused"       vtr_drift_ok "$(vtr_display_name "$LOOKUP_OIDC")" "$(vtr_policies_csv "$LOOKUP_OIDC")"

printf '\n%d passed, %d failed\n' "$pass" "$fail"
(( fail == 0 ))
vault-token-renew: version the devvm renewer + user units in the repo The devvm periodic Vault admin token (token-devvm-wizard, period=768h, policies default+sops-admin+vault-admin) is kept alive by a systemd user timer, but the renewer script + units lived only under ~/.local/bin and ~/.config/systemd/user — lost on a devvm rebuild. Move them into the repo as the source of truth so a rebuild can restore them. (version-only scope: behavior unchanged; no canonical-file/self-heal added.) - scripts/vault-token-renew.{sh,service,timer}: renewer + user units, refactored into pure drift-guard functions + a guarded main (behavior identical; deployed live and verified still renewing with full write access). - scripts/test-vault-token-renew.sh: unit-tests the drift guard + lookup-JSON parsing, incl. the 2026-06-05 woodpecker-clobber case (17 assertions). - docs/runbooks/vault-token-renew-devvm.md: deploy, mint/re-mint, health-check, drift recovery. - docs/architecture/secrets.md: correct the stale '~/.vault-token = OIDC token' description for devvm. [ci skip] Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> 2026-06-07 16:26:01 +00:00			`#!/usr/bin/env bash`
			`# Unit tests for the pure drift-guard functions in vault-token-renew.sh.`
			`# Sources the script (vtr_main is guarded) and exercises the decision logic that`
			`# decides whether ~/.vault-token is OUR periodic admin token (renew) or a foreign`
			`# token that clobbered the file (refuse, fail loud). This is exactly the logic`
			`# whose ABSENCE let the 2026-06-05 woodpecker-token clobber be silently renewed`
			`# for two days. Run: bash infra/scripts/test-vault-token-renew.sh`
			`set -uo pipefail`
			`DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"`
			`# shellcheck source=/dev/null`
			`source "$DIR/vault-token-renew.sh"`

			`pass=0 fail=0`
			`ok() { # <description> <cmd...> — expects the command to succeed (renew-OK)`
			`if "${@:2}"; then pass=$((pass + 1)); else`
			`fail=$((fail + 1)); printf 'FAIL: %s — expected OK, got refuse\n' "$1"`
			`fi`
			`}`
			`no() { # <description> <cmd...> — expects the command to fail (drift, refuse)`
			`if "${@:2}"; then`
			`fail=$((fail + 1)); printf 'FAIL: %s — expected DRIFT, got OK\n' "$1"`
			`else pass=$((pass + 1)); fi`
			`}`
			`eq() { # <description> <expected> <actual>`
			`if [[ "$2" == "$3" ]]; then pass=$((pass + 1)); else`
			`fail=$((fail + 1)); printf 'FAIL: %s — expected [%s] got [%s]\n' "$1" "$2" "$3"`
			`fi`
			`}`

			`# --- vtr_drift_ok: ONLY our periodic admin token (right name AND vault-admin) renews ---`
			`ok "our token renews" vtr_drift_ok token-devvm-wizard "default,sops-admin,vault-admin"`
			`ok "vault-admin anywhere in list" vtr_drift_ok token-devvm-wizard "default,vault-admin"`
			`ok "policy order irrelevant" vtr_drift_ok token-devvm-wizard "vault-admin,default"`
			`no "woodpecker clobber refused" vtr_drift_ok kubernetes-woodpecker-default "ci,default,terraform-state"`
			`no "oidc token (admin but wrong dn)" vtr_drift_ok oidc-vbarzin "default,sops-admin,vault-admin"`
			`no "right name, no vault-admin" vtr_drift_ok token-devvm-wizard "default,sops-admin"`
			`no "empty display_name" vtr_drift_ok "" "vault-admin"`
			`no "empty policies" vtr_drift_ok token-devvm-wizard ""`
			`no "no substring false-positive" vtr_drift_ok token-devvm-wizard "default,vault-admin-ro"`

			# --- vtr_display_name / vtr_policies_csv: parse real `vault token lookup -format=json` ---
			`LOOKUP_OURS='{"data":{"display_name":"token-devvm-wizard","policies":["default","sops-admin","vault-admin"],"identity_policies":null}}'`
			`LOOKUP_OIDC='{"data":{"display_name":"oidc-vbarzin","policies":["default"],"identity_policies":["sops-admin","vault-admin"]}}'`
			`LOOKUP_WP='{"data":{"display_name":"kubernetes-woodpecker-default","policies":["ci","default","terraform-state"],"identity_policies":[]}}'`
			`eq "dn ours" "token-devvm-wizard" "$(vtr_display_name "$LOOKUP_OURS")"`
			`eq "dn oidc" "oidc-vbarzin" "$(vtr_display_name "$LOOKUP_OIDC")"`
			`eq "pols ours" "default,sops-admin,vault-admin" "$(vtr_policies_csv "$LOOKUP_OURS")"`
			`eq "pols oidc merges token+identity" "default,sops-admin,vault-admin" "$(vtr_policies_csv "$LOOKUP_OIDC")"`
			`eq "pols woodpecker" "ci,default,terraform-state" "$(vtr_policies_csv "$LOOKUP_WP")"`

			`# --- parse + decide end-to-end (the real lookup-JSON -> renew/refuse path) ---`
			`ok "ours: parse+decide renews" vtr_drift_ok "$(vtr_display_name "$LOOKUP_OURS")" "$(vtr_policies_csv "$LOOKUP_OURS")"`
			`no "woodpecker: parse+decide refused" vtr_drift_ok "$(vtr_display_name "$LOOKUP_WP")" "$(vtr_policies_csv "$LOOKUP_WP")"`
			`no "oidc: parse+decide refused" vtr_drift_ok "$(vtr_display_name "$LOOKUP_OIDC")" "$(vtr_policies_csv "$LOOKUP_OIDC")"`

			`printf '\n%d passed, %d failed\n' "$pass" "$fail"`
			`(( fail == 0 ))`