Home Explore Help
Sign In
logic855
/
helm-external-secrets
mirror of https://github.com/external-secrets/external-secrets
1
0
Fork 0
Files Issues 0 Wiki
Browse Source

Added Fingerprint validation for Oracle Provider

Signed-off-by: Gustavo Carvalho <gustavo.carvalho@container-solutions.com>
Signed-off-by: William Young <will.young@engineerbetter.com>
Signed-off-by: Marcin Kubica <marcin.kubica@engineerbetter.com>
Gustavo Carvalho 4 years ago
parent
c395dc15bf
commit
b3bfd97252
2 changed files with 75 additions and 32 deletions
Split View Show Diff Stats
  1. 20 6
      pkg/provider/oracle/oracle.go
  2. 55 26
      pkg/provider/oracle/oracle_test.go

+ 20 - 6
pkg/provider/oracle/oracle.go
View File 

@@ -255,20 +255,34 @@ func (vms *VaultManagementService) ValidateStore(store esv1beta1.GenericStore) e
 
 	if tenant == "" {
 
 		return fmt.Errorf("tenant cannot be empty")
 
 	}
 
+	privateKey := oracleSpec.Auth.SecretRef.PrivateKey
 
 
-	privateKeyName := oracleSpec.Auth.SecretRef.PrivateKey.Name
 
-	if privateKeyName == "" {
 
+	if privateKey.Name == "" {
 
 		return fmt.Errorf("privateKey.name cannot be empty")
 
 	}
 
 
-	accessToken := oracleSpec.Auth.SecretRef.PrivateKey
 
-	err := utils.ValidateSecretSelector(store, accessToken)
 
+	if privateKey.Key == "" {
 
+		return fmt.Errorf("privateKey.key cannot be empty")
 
+	}
 
+
 
+	err := utils.ValidateSecretSelector(store, privateKey)
 
 	if err != nil {
 
 		return err
 
 	}
 
 
-	if oracleSpec.Auth.SecretRef.PrivateKey.Key == "" {
 
-		return fmt.Errorf("privateKey.key cannot be empty")
 
+	fingerprint := oracleSpec.Auth.SecretRef.Fingerprint
 
+
 
+	if fingerprint.Name == "" {
 
+		return fmt.Errorf("fingerprint.name cannot be empty")
 
+	}
 
+
 
+	if fingerprint.Key == "" {
 
+		return fmt.Errorf("fingerprint.key cannot be empty")
 
+	}
 
+
 
+	err = utils.ValidateSecretSelector(store, fingerprint)
 
+	if err != nil {
 
+		return err
 
 	}
 
 
 	return nil

+ 55 - 26
pkg/provider/oracle/oracle_test.go
View File 

@@ -198,7 +198,35 @@ func makeSecretStore(vault, region string, fn ...storeModifier) *esv1beta1.Secre
 
 	}
 
 	return store
 
 }
 
-
 
+func withSecretAuth(user, tenancy string) storeModifier {
 
+	return func(store *esv1beta1.SecretStore) *esv1beta1.SecretStore {
 
+		store.Spec.Provider.Oracle.Auth = &esv1beta1.OracleAuth{
 
+			User:    user,
 
+			Tenancy: tenancy,
 
+		}
 
+		return store
 
+	}
 
+}
 
+func withPrivateKey(name, key string, namespace *string) storeModifier {
 
+	return func(store *esv1beta1.SecretStore) *esv1beta1.SecretStore {
 
+		store.Spec.Provider.Oracle.Auth.SecretRef.PrivateKey = v1.SecretKeySelector{
 
+			Name:      name,
 
+			Key:       key,
 
+			Namespace: namespace,
 
+		}
 
+		return store
 
+	}
 
+}
 
+func withFingerprint(name, key string, namespace *string) storeModifier {
 
+	return func(store *esv1beta1.SecretStore) *esv1beta1.SecretStore {
 
+		store.Spec.Provider.Oracle.Auth.SecretRef.Fingerprint = v1.SecretKeySelector{
 
+			Name:      name,
 
+			Key:       key,
 
+			Namespace: namespace,
 
+		}
 
+		return store
 
+	}
 
+}
 
 func TestValidateStoreNoVault(t *testing.T) {
 
 	p := VaultManagementService{}
 
 	store := makeSecretStore("", "some-region")
 
@@ -210,7 +238,7 @@ func TestValidateStoreNoVault(t *testing.T) {
 
 
 func TestValidateStoreNoRegion(t *testing.T) {
 
 	p := VaultManagementService{}
 
-	store := makeSecretStore("some-OICD", "")
 
+	store := makeSecretStore("some-OCID", "")
 
 
 	err := p.ValidateStore(store)
 
 	if err == nil {
 
@@ -220,26 +248,16 @@ func TestValidateStoreNoRegion(t *testing.T) {
 
 
 func TestValidateStoreSuccess(t *testing.T) {
 
 	p := VaultManagementService{}
 
-	store := makeSecretStore("some-OICD", "some-region")
 
+	store := makeSecretStore("some-OCID", "some-region")
 
 	err := p.ValidateStore(store)
 
 	if err != nil {
 
 		t.Errorf("want nil got err")
 
 	}
 
 }
 
 
-func withSecretAuth(user, tenancy string) storeModifier {
 
-	return func(store *esv1beta1.SecretStore) *esv1beta1.SecretStore {
 
-		store.Spec.Provider.Oracle.Auth = &esv1beta1.OracleAuth{
 
-			User:    user,
 
-			Tenancy: tenancy,
 
-		}
 
-		return store
 
-	}
 
-}
 
-
 
 func TestSecretAuthNoUser(t *testing.T) {
 
 	p := VaultManagementService{}
 
-	store := makeSecretStore("some-OICD", "some-region", withSecretAuth("", "a-tenant"))
 
+	store := makeSecretStore("some-OCID", "some-region", withSecretAuth("", "a-tenant"))
 
 	err := p.ValidateStore(store)
 
 	if err == nil {
 
 		t.Errorf("want err got nil")
 
@@ -248,7 +266,7 @@ func TestSecretAuthNoUser(t *testing.T) {
 
 
 func TestSecretAuthNoTenancy(t *testing.T) {
 
 	p := VaultManagementService{}
 
-	store := makeSecretStore("some-OICD", "some-region", withSecretAuth("user", ""))
 
+	store := makeSecretStore("some-OCID", "some-region", withSecretAuth("user-OCID", ""))
 
 	err := p.ValidateStore(store)
 
 	if err == nil {
 
 		t.Errorf("want err got nil")
 
@@ -257,33 +275,44 @@ func TestSecretAuthNoTenancy(t *testing.T) {
 
 
 func TestSecretAuthNoPrivateKey(t *testing.T) {
 
 	p := VaultManagementService{}
 
-	store := makeSecretStore("some-OICD", "some-region", withSecretAuth("user", "a-tenant"), withPrivateKey("", "key", nil))
 
+	store := makeSecretStore("vault-OCID", "some-region", withSecretAuth("user-OCID", "a-tenant"), withPrivateKey("", "key", nil))
 
 	err := p.ValidateStore(store)
 
 	if err == nil {
 
 		t.Errorf("want err got nil")
 
 	}
 
 
 	namespace := "my-namespace"
 
-	store = makeSecretStore("some-OICD", "some-region", withSecretAuth("user", "a-tenant"), withPrivateKey("bob", "key", &namespace))
 
+	store = makeSecretStore("vault-OCID", "some-region", withSecretAuth("user-OCID", "a-tenant"), withPrivateKey("bob", "key", &namespace))
 
 	err = p.ValidateStore(store)
 
 	if err == nil {
 
 		t.Errorf("want err got nil")
 
 	}
 
 
-	store = makeSecretStore("some-OICD", "some-region", withSecretAuth("user", "a-tenant"), withPrivateKey("bob", "", nil))
 
+	store = makeSecretStore("vault-OCID", "some-region", withSecretAuth("user-OCID", "a-tenant"), withPrivateKey("bob", "", nil))
 
 	err = p.ValidateStore(store)
 
 	if err == nil {
 
 		t.Errorf("want err got nil")
 
 	}
 
 }
 
 
-func withPrivateKey(name, key string, namespace *string) storeModifier {
 
-	return func(store *esv1beta1.SecretStore) *esv1beta1.SecretStore {
 
-		store.Spec.Provider.Oracle.Auth.SecretRef.PrivateKey = v1.SecretKeySelector{
 
-			Name:      name,
 
-			Key:       key,
 
-			Namespace: namespace,
 
-		}
 
-		return store
 
+func TestSecretAuthNoFingerprint(t *testing.T) {
 
+	p := VaultManagementService{}
 
+	store := makeSecretStore("vault-OCID", "some-region", withSecretAuth("user-OCID", "a-tenant"), withPrivateKey("bob", "key", nil), withFingerprint("", "key", nil))
 
+	err := p.ValidateStore(store)
 
+	if err == nil {
 
+		t.Errorf("want err got nil")
 
+	}
 
+
 
+	namespace := "my-namespace"
 
+	store = makeSecretStore("vault-OCID", "some-region", withSecretAuth("user-OCID", "a-tenant"), withPrivateKey("bob", "key", nil), withFingerprint("kelly", "key", &namespace))
 
+	err = p.ValidateStore(store)
 
+	if err == nil {
 
+		t.Errorf("want err got nil")
 
+	}
 
+
 
+	store = makeSecretStore("vault-OCID", "some-region", withSecretAuth("user-OCID", "a-tenant"), withPrivateKey("bob", "key", nil), withFingerprint("kelly", "", nil))
 
+	err = p.ValidateStore(store)
 
+	if err == nil {
 
+		t.Errorf("want err got nil")
 
 	}
 
 }