logic855
/
helm-external-secrets
mirror of https://github.com/external-secrets/external-secrets


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950951952953954955956957958959960961962963964965966967968969970971972973974975976977978979980981982983984985986987988989990991992993994995996997998999100010011002100310041005100610071008100910101011101210131014101510161017101810191020102110221023102410251026102710281029103010311032103310341035103610371038103910401041104210431044104510461047104810491050105110521053105410551056105710581059106010611062106310641065106610671068106910701071107210731074107510761077107810791080108110821083108410851086108710881089109010911092109310941095109610971098109911001101110211031104110511061107110811091110111111121113111411151116111711181119112011211122112311241125112611271128112911301131113211331134113511361137113811391140114111421143114411451146114711481149115011511152115311541155115611571158115911601161116211631164116511661167116811691170117111721173117411751176117711781179118011811182118311841185118611871188118911901191119211931194119511961197119811991200120112021203120412051206120712081209121012111212121312141215121612171218121912201221122212231224122512261227122812291230123112321233123412351236123712381239124012411242124312441245124612471248124912501251125212531254125512561257125812591260126112621263126412651266126712681269127012711272127312741275127612771278127912801281128212831284128512861287128812891290129112921293129412951296129712981299130013011302130313041305130613071308130913101311131213131314131513161317131813191320132113221323132413251326132713281329133013311332133313341335133613371338133913401341134213431344134513461347134813491350135113521353135413551356135713581359136013611362136313641365136613671368136913701371137213731374137513761377137813791380138113821383138413851386138713881389139013911392139313941395139613971398139914001401140214031404140514061407140814091410141114121413141414151416
							/*
Copyright © 2025 ESO Maintainer Team

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    https://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package kubernetes

import (
	"context"
	"errors"
	"reflect"
	"strings"
	"testing"

	"github.com/google/go-cmp/cmp"
	"github.com/stretchr/testify/assert"
	v1 "k8s.io/api/core/v1"
	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
	apierrors "k8s.io/apimachinery/pkg/api/errors"
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
	"k8s.io/apimachinery/pkg/runtime/schema"

	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
	"github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
	testingfake "github.com/external-secrets/external-secrets/pkg/provider/testing/fake"
)

const (
	errSomethingWentWrong = "Something went wrong"
)

type fakeClient struct {
	t                   *testing.T
	secretMap           map[string]*v1.Secret
	expectedListOptions metav1.ListOptions
	err                 error
}

func (fk *fakeClient) Get(_ context.Context, name string, _ metav1.GetOptions) (*v1.Secret, error) {
	if fk.err != nil {
		return nil, fk.err
	}

	secret, ok := fk.secretMap[name]

	if !ok {
		return nil, apierrors.NewNotFound(schema.GroupResource{Group: "", Resource: "Secret"}, "secret")
	}
	// return inmutable to simulate external system and avoid accidental side effects
	sCopy := secret.DeepCopy()
	// update operation requires to relate names
	sCopy.Name = name
	return sCopy, nil
}

func (fk *fakeClient) List(_ context.Context, opts metav1.ListOptions) (*v1.SecretList, error) {
	assert.Equal(fk.t, fk.expectedListOptions, opts)
	list := &v1.SecretList{}
	for _, v := range fk.secretMap {
		list.Items = append(list.Items, *v)
	}
	return list, nil
}

func (fk *fakeClient) Delete(_ context.Context, name string, _ metav1.DeleteOptions) error {
	if fk.err != nil {
		return fk.err
	}

	_, ok := fk.secretMap[name]

	if !ok {
		return apierrors.NewNotFound(schema.GroupResource{Group: "", Resource: "Secret"}, "secret")
	}
	delete(fk.secretMap, name)
	return nil
}

func (fk *fakeClient) Create(_ context.Context, secret *v1.Secret, _ metav1.CreateOptions) (*v1.Secret, error) {
	s := &v1.Secret{
		Data:       secret.Data,
		ObjectMeta: secret.ObjectMeta,
		Type:       secret.Type,
	}
	fk.secretMap[secret.Name] = s
	return s, nil
}

func (fk *fakeClient) Update(_ context.Context, secret *v1.Secret, _ metav1.UpdateOptions) (*v1.Secret, error) {
	s, ok := fk.secretMap[secret.Name]
	if !ok {
		return nil, errors.New("error while updating secret")
	}
	s.ObjectMeta = secret.ObjectMeta
	s.Data = secret.Data
	return s, nil
}

var binaryTestData = []byte{0x00, 0xff, 0x00, 0xff, 0xac, 0xab, 0x28, 0x21}

func TestGetSecret(t *testing.T) {
	tests := []struct {
		desc      string
		secrets   map[string]*v1.Secret
		clientErr error
		ref       esv1.ExternalSecretDataRemoteRef
		want      []byte
		wantErr   string
	}{
		{
			desc: "secret data with correct property",
			secrets: map[string]*v1.Secret{
				"mysec": {
					Data: map[string][]byte{
						"token": []byte(`foobar`),
					},
				},
			},
			ref: esv1.ExternalSecretDataRemoteRef{
				Key:      "mysec",
				Property: "token",
			},
			want: []byte(`foobar`),
		},
		{
			desc: "secret data with multi level property",
			secrets: map[string]*v1.Secret{
				"mysec": {
					Data: map[string][]byte{
						"foo": []byte(`{"huga":{"bar":"val"}}`),
					},
				},
			},
			ref: esv1.ExternalSecretDataRemoteRef{
				Key:      "mysec",
				Property: "foo.huga.bar",
			},
			want: []byte(`val`),
		},
		{
			desc: "secret data with property containing .",
			secrets: map[string]*v1.Secret{
				"mysec": {
					Data: map[string][]byte{
						"foo.png": []byte(`correct`),
						"foo":     []byte(`{"png":"wrong"}`),
					},
				},
			},
			ref: esv1.ExternalSecretDataRemoteRef{
				Key:      "mysec",
				Property: "foo.png",
			},
			want: []byte(`correct`),
		},
		{
			desc: "secret data contains html characters",
			secrets: map[string]*v1.Secret{
				"mysec": {
					Data: map[string][]byte{
						"html": []byte(`<foobar>`),
					},
				},
			},
			ref: esv1.ExternalSecretDataRemoteRef{
				Key: "mysec",
			},
			want: []byte(`{"html":"<foobar>"}`),
		},
		{
			desc: "secret metadata contains html characters",
			secrets: map[string]*v1.Secret{
				"mysec": {
					ObjectMeta: metav1.ObjectMeta{
						Annotations: map[string]string{"date": "today"},
						Labels:      map[string]string{"dev": "<seb>"},
					},
				},
			},
			ref: esv1.ExternalSecretDataRemoteRef{
				MetadataPolicy: esv1.ExternalSecretMetadataPolicyFetch,
				Key:            "mysec",
			},
			want: []byte(`{"annotations":{"date":"today"},"labels":{"dev":"<seb>"}}`),
		},
		{
			desc: "secret data contains binary",
			secrets: map[string]*v1.Secret{
				"mysec": {
					Data: map[string][]byte{
						"bindata": binaryTestData,
					},
				},
			},
			ref: esv1.ExternalSecretDataRemoteRef{
				Key:      "mysec",
				Property: "bindata",
			},
			want: binaryTestData,
		},
		{
			desc: "secret data without property",
			secrets: map[string]*v1.Secret{
				"mysec": {
					Data: map[string][]byte{
						"token": []byte(`foobar`),
					},
				},
			},
			ref: esv1.ExternalSecretDataRemoteRef{
				Key: "mysec",
			},
			want: []byte(`{"token":"foobar"}`),
		},
		{
			desc: "secret metadata without property",
			secrets: map[string]*v1.Secret{
				"mysec": {
					ObjectMeta: metav1.ObjectMeta{
						Annotations: map[string]string{"date": "today"},
						Labels:      map[string]string{"dev": "seb"},
					},
				},
			},
			ref: esv1.ExternalSecretDataRemoteRef{
				MetadataPolicy: esv1.ExternalSecretMetadataPolicyFetch,
				Key:            "mysec",
			},
			want: []byte(`{"annotations":{"date":"today"},"labels":{"dev":"seb"}}`),
		},
		{
			desc: "secret metadata with single level property",
			secrets: map[string]*v1.Secret{
				"mysec": {
					ObjectMeta: metav1.ObjectMeta{
						Annotations: map[string]string{"date": "today"},
						Labels:      map[string]string{"dev": "seb"},
					},
				},
			},
			ref: esv1.ExternalSecretDataRemoteRef{
				MetadataPolicy: esv1.ExternalSecretMetadataPolicyFetch,
				Key:            "mysec",
				Property:       "labels",
			},
			want: []byte(`{"dev":"seb"}`),
		},
		{
			desc: "secret metadata with multiple level property",
			secrets: map[string]*v1.Secret{
				"mysec": {
					ObjectMeta: metav1.ObjectMeta{
						Annotations: map[string]string{"date": "today"},
						Labels:      map[string]string{"dev": "seb"},
					},
				},
			},
			ref: esv1.ExternalSecretDataRemoteRef{
				MetadataPolicy: esv1.ExternalSecretMetadataPolicyFetch,
				Key:            "mysec",
				Property:       "labels.dev",
			},
			want: []byte(`seb`),
		},
		{
			desc:      "secret is not found",
			clientErr: apierrors.NewNotFound(schema.GroupResource{Group: "", Resource: "Secret"}, "secret"),
			ref: esv1.ExternalSecretDataRemoteRef{
				Key:      "mysec",
				Property: "token",
			},
			wantErr: `Secret "secret" not found`,
		},
		{
			desc: "secret data with wrong property",
			secrets: map[string]*v1.Secret{
				"mysec": {
					Data: map[string][]byte{
						"token": []byte(`foobar`),
					},
				},
			},
			ref: esv1.ExternalSecretDataRemoteRef{
				Key:      "mysec",
				Property: "not-the-token",
			},
			wantErr: "property not-the-token does not exist in data of secret",
		},
		{
			desc: "secret metadata with wrong property",
			secrets: map[string]*v1.Secret{
				"mysec": {
					ObjectMeta: metav1.ObjectMeta{
						Annotations: map[string]string{"date": "today"},
						Labels:      map[string]string{"dev": "seb"},
					},
				},
			},
			ref: esv1.ExternalSecretDataRemoteRef{
				MetadataPolicy: esv1.ExternalSecretMetadataPolicyFetch,
				Key:            "mysec",
				Property:       "foo",
			},
			wantErr: "property foo does not exist in metadata of secret",
		},
	}
	for _, tt := range tests {
		t.Run(tt.desc, func(t *testing.T) {
			p := &Client{
				userSecretClient: &fakeClient{t: t, secretMap: tt.secrets, err: tt.clientErr},
				namespace:        "default",
			}
			got, err := p.GetSecret(context.Background(), tt.ref)
			if err != nil {
				if tt.wantErr == "" {
					t.Fatalf("failed to call GetSecret: %v", err)
				}

				if !strings.Contains(err.Error(), tt.wantErr) {
					t.Fatalf("received an unexpected error: %q should have contained %q", err.Error(), tt.wantErr)
				}

				return
			}

			if tt.wantErr != "" {
				t.Fatalf("expected to receive an error but got nil")
			}

			if !reflect.DeepEqual(got, tt.want) {
				t.Fatalf("received an unexpected secret: got: %s, want %s", got, tt.want)
			}
		})
	}
}

func TestGetSecretMap(t *testing.T) {
	type fields struct {
		Client       KClient
		ReviewClient RClient
		Namespace    string
	}
	tests := []struct {
		name   string
		fields fields
		ref    esv1.ExternalSecretDataRemoteRef

		want    map[string][]byte
		wantErr bool
	}{
		{
			name: "successful case metadata without property",
			fields: fields{
				Client: &fakeClient{
					t: t,
					secretMap: map[string]*v1.Secret{
						"mysec": {
							ObjectMeta: metav1.ObjectMeta{
								Annotations: map[string]string{"date": "today"},
								Labels:      map[string]string{"dev": "seb"},
							},
						},
					},
				},
				Namespace: "default",
			},
			ref: esv1.ExternalSecretDataRemoteRef{
				MetadataPolicy: esv1.ExternalSecretMetadataPolicyFetch,
				Key:            "mysec",
			},
			want: map[string][]byte{"annotations": []byte("{\"date\":\"today\"}"), "labels": []byte("{\"dev\":\"seb\"}")},
		},
		{
			name: "successful case metadata with single property",
			fields: fields{
				Client: &fakeClient{
					t: t,
					secretMap: map[string]*v1.Secret{
						"mysec": {
							ObjectMeta: metav1.ObjectMeta{
								Annotations: map[string]string{"date": "today"},
								Labels:      map[string]string{"dev": "seb"},
							},
						},
					},
				},
				Namespace: "default",
			},
			ref: esv1.ExternalSecretDataRemoteRef{
				MetadataPolicy: esv1.ExternalSecretMetadataPolicyFetch,
				Key:            "mysec",
				Property:       "labels",
			},
			want: map[string][]byte{"dev": []byte("\"seb\"")},
		},
		{
			name: "error case metadata with wrong property",
			fields: fields{
				Client: &fakeClient{
					t: t,
					secretMap: map[string]*v1.Secret{
						"mysec": {
							ObjectMeta: metav1.ObjectMeta{
								Annotations: map[string]string{"date": "today"},
								Labels:      map[string]string{"dev": "seb"},
							},
						},
					},
				},
				Namespace: "default",
			},
			ref: esv1.ExternalSecretDataRemoteRef{
				MetadataPolicy: esv1.ExternalSecretMetadataPolicyFetch,
				Key:            "mysec",
				Property:       "foo",
			},
			wantErr: true,
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			p := &Client{
				userSecretClient: tt.fields.Client,
				userReviewClient: tt.fields.ReviewClient,
				namespace:        tt.fields.Namespace,
			}
			got, err := p.GetSecretMap(context.Background(), tt.ref)
			if (err != nil) != tt.wantErr {
				t.Errorf("ProviderKubernetes.GetSecretMap() error = %v, wantErr %v", err, tt.wantErr)
				return
			}
			if !reflect.DeepEqual(got, tt.want) {
				t.Errorf("ProviderKubernetes.GetSecretMap() = %v, want %v", got, tt.want)
			}
		})
	}
}

func TestGetAllSecrets(t *testing.T) {
	type fields struct {
		Client       KClient
		ReviewClient RClient
		Namespace    string
	}
	type args struct {
		ctx context.Context
		ref esv1.ExternalSecretFind
	}
	tests := []struct {
		name    string
		fields  fields
		args    args
		want    map[string][]byte
		wantErr bool
	}{
		{
			name: "use regex",
			fields: fields{
				Client: &fakeClient{
					t: t,
					secretMap: map[string]*v1.Secret{
						"mysec": {
							ObjectMeta: metav1.ObjectMeta{
								Name: "mysec",
							},
							Data: map[string][]byte{
								"token": []byte(`foo`),
							},
						},
						"other": {
							ObjectMeta: metav1.ObjectMeta{
								Name: "other",
							},
							Data: map[string][]byte{
								"token": []byte(`bar`),
							},
						},
					},
				},
			},
			args: args{
				ref: esv1.ExternalSecretFind{
					Name: &esv1.FindName{
						RegExp: "other",
					},
				},
			},
			want: map[string][]byte{
				"other": []byte(`{"token":"bar"}`),
			},
		},
		{
			name: "use tags/labels",
			fields: fields{
				Client: &fakeClient{
					t: t,
					expectedListOptions: metav1.ListOptions{
						LabelSelector: "app=foobar",
					},
					secretMap: map[string]*v1.Secret{
						"mysec": {
							ObjectMeta: metav1.ObjectMeta{
								Name: "mysec",
							},
							Data: map[string][]byte{
								"token": []byte(`foo`),
							},
						},
						"other": {
							ObjectMeta: metav1.ObjectMeta{
								Name: "other",
							},
							Data: map[string][]byte{
								"token": []byte(`bar`),
							},
						},
					},
				},
			},
			args: args{
				ref: esv1.ExternalSecretFind{
					Tags: map[string]string{
						"app": "foobar",
					},
				},
			},
			want: map[string][]byte{
				"mysec": []byte(`{"token":"foo"}`),
				"other": []byte(`{"token":"bar"}`),
			},
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			p := &Client{
				userSecretClient: tt.fields.Client,
				userReviewClient: tt.fields.ReviewClient,
				namespace:        tt.fields.Namespace,
			}
			got, err := p.GetAllSecrets(tt.args.ctx, tt.args.ref)
			if (err != nil) != tt.wantErr {
				t.Errorf("ProviderKubernetes.GetAllSecrets() error = %v, wantErr %v", err, tt.wantErr)
				return
			}
			if !reflect.DeepEqual(got, tt.want) {
				t.Errorf("ProviderKubernetes.GetAllSecrets() = %v, want %v", got, tt.want)
			}
		})
	}
}

func TestDeleteSecret(t *testing.T) {
	type fields struct {
		Client KClient
	}
	tests := []struct {
		name   string
		fields fields
		ref    esv1.PushSecretRemoteRef

		wantSecretMap map[string]*v1.Secret
		wantErr       bool
	}{
		{
			name: "refuse to delete without property",
			fields: fields{
				Client: &fakeClient{
					t: t,
					secretMap: map[string]*v1.Secret{
						"mysec": {
							Data: map[string][]byte{
								"token": []byte(`foobar`),
							},
						},
					},
				},
			},
			ref: v1alpha1.PushSecretRemoteRef{
				RemoteKey: "mysec",
			},
			wantErr: true,
			wantSecretMap: map[string]*v1.Secret{
				"mysec": {
					Data: map[string][]byte{
						"token": []byte(`foobar`),
					},
				},
			},
		},
		{
			name: "gracefully ignore not found secret",
			fields: fields{
				Client: &fakeClient{
					t:         t,
					secretMap: map[string]*v1.Secret{},
				},
			},
			ref: v1alpha1.PushSecretRemoteRef{
				RemoteKey: "mysec",
				Property:  "token",
			},
			wantErr:       false,
			wantSecretMap: map[string]*v1.Secret{},
		},
		{
			name: "gracefully ignore not found property",
			fields: fields{
				Client: &fakeClient{
					t: t,
					secretMap: map[string]*v1.Secret{
						"mysec": {
							Data: map[string][]byte{
								"token": []byte(`foobar`),
							},
						},
					},
				},
			},
			ref: v1alpha1.PushSecretRemoteRef{
				RemoteKey: "mysec",
				Property:  "secret",
			},
			wantErr: false,
			wantSecretMap: map[string]*v1.Secret{
				"mysec": {
					Data: map[string][]byte{
						"token": []byte(`foobar`),
					},
				},
			},
		},
		{
			name: "unexpected lookup error",
			fields: fields{
				Client: &fakeClient{
					t: t,
					secretMap: map[string]*v1.Secret{
						"mysec": {
							Data: map[string][]byte{
								"token": []byte(`foobar`),
							},
						},
					},
					err: errors.New(errSomethingWentWrong),
				},
			},
			ref: v1alpha1.PushSecretRemoteRef{
				RemoteKey: "mysec",
			},
			wantErr: true,
			wantSecretMap: map[string]*v1.Secret{
				"mysec": {
					Data: map[string][]byte{
						"token": []byte(`foobar`),
					},
				},
			},
		},
		{
			name: "delete whole secret if only property should be removed",
			fields: fields{
				Client: &fakeClient{
					t: t,
					secretMap: map[string]*v1.Secret{
						"mysec": {
							Data: map[string][]byte{
								"token": []byte(`foobar`),
							},
						},
					},
				},
			},
			ref: v1alpha1.PushSecretRemoteRef{
				RemoteKey: "mysec",
				Property:  "token",
			},
			wantErr:       false,
			wantSecretMap: map[string]*v1.Secret{},
		},
		{
			name: "multiple properties, just remove that one",
			fields: fields{
				Client: &fakeClient{
					t: t,
					secretMap: map[string]*v1.Secret{
						"mysec": {
							Data: map[string][]byte{
								"token":  []byte(`foo`),
								"secret": []byte(`bar`),
							},
						},
					},
				},
			},
			ref: v1alpha1.PushSecretRemoteRef{
				RemoteKey: "mysec",
				Property:  "token",
			},
			wantErr: false,
			wantSecretMap: map[string]*v1.Secret{
				"mysec": {
					ObjectMeta: metav1.ObjectMeta{
						Name: "mysec",
					},
					Data: map[string][]byte{
						"secret": []byte(`bar`),
					},
				},
			},
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			p := &Client{
				userSecretClient: tt.fields.Client,
			}
			err := p.DeleteSecret(context.Background(), tt.ref)
			if (err != nil) != tt.wantErr {
				t.Errorf("ProviderKubernetes.DeleteSecret() error = %v, wantErr %v", err, tt.wantErr)
				return
			}

			fClient := tt.fields.Client.(*fakeClient)
			if diff := cmp.Diff(tt.wantSecretMap, fClient.secretMap); diff != "" {
				t.Errorf("Unexpected resulting secrets map:  -want, +got :\n%s\n", diff)
			}
		})
	}
}

func TestPushSecret(t *testing.T) {
	secretKey := "secret-key"
	type fields struct {
		Client KClient
	}
	tests := []struct {
		name   string
		fields fields
		data   testingfake.PushSecretData
		secret *v1.Secret

		wantSecretMap map[string]*v1.Secret
		wantErr       bool
	}{
		{
			name: "refuse to work without property if secret key is provided",
			fields: fields{
				Client: &fakeClient{
					t: t,
					secretMap: map[string]*v1.Secret{
						"mysec": {
							Data: map[string][]byte{
								"token": []byte(`foo`),
							},
						},
					},
				},
			},
			data: testingfake.PushSecretData{
				SecretKey: secretKey,
				RemoteKey: "mysec",
			},
			secret: &v1.Secret{
				Data: map[string][]byte{secretKey: []byte("bar")},
			},
			wantErr: true,
			wantSecretMap: map[string]*v1.Secret{
				"mysec": {
					Data: map[string][]byte{
						"token": []byte(`foo`),
					},
				},
			},
		},
		{
			name: "push the whole secret if neither remote property or secretKey is defined but keep existing keys",
			fields: fields{
				Client: &fakeClient{
					t: t,
					secretMap: map[string]*v1.Secret{
						"mysec": {
							Data: map[string][]byte{
								"token": []byte(`foo`),
							},
						},
					},
				},
			},
			data: testingfake.PushSecretData{
				RemoteKey: "mysec",
			},
			secret: &v1.Secret{
				Data: map[string][]byte{"token2": []byte("foo")},
			},
			wantSecretMap: map[string]*v1.Secret{
				"mysec": {
					ObjectMeta: metav1.ObjectMeta{
						Name:        "mysec",
						Labels:      map[string]string{},
						Annotations: map[string]string{},
					},
					Data: map[string][]byte{
						"token":  []byte(`foo`),
						"token2": []byte(`foo`),
					},
				},
			},
		},
		{
			name: "push the whole secret while secret exists into a single property",
			fields: fields{
				Client: &fakeClient{
					t: t,
					secretMap: map[string]*v1.Secret{
						"mysec": {
							Data: map[string][]byte{
								"token": []byte(`foo`),
							},
						},
					},
				},
			},
			data: testingfake.PushSecretData{
				RemoteKey: "mysec",
				Property:  "token",
			},
			secret: &v1.Secret{
				Data: map[string][]byte{"foo": []byte("bar")},
			},
			wantSecretMap: map[string]*v1.Secret{
				"mysec": {
					ObjectMeta: metav1.ObjectMeta{
						Name:        "mysec",
						Labels:      map[string]string{},
						Annotations: map[string]string{},
					},
					Data: map[string][]byte{
						"token": []byte(`{"foo":"bar"}`),
					},
				},
			},
		},
		{
			name: "push the whole secret while secret exists but new property is defined should update the secret and keep existing key",
			fields: fields{
				Client: &fakeClient{
					t: t,
					secretMap: map[string]*v1.Secret{
						"mysec": {
							Data: map[string][]byte{
								"token": []byte(`foo`),
							},
						},
					},
				},
			},
			data: testingfake.PushSecretData{
				RemoteKey: "mysec",
				Property:  "token2",
			},
			secret: &v1.Secret{
				Data: map[string][]byte{"foo": []byte("bar")},
			},
			wantSecretMap: map[string]*v1.Secret{
				"mysec": {
					ObjectMeta: metav1.ObjectMeta{
						Name:        "mysec",
						Labels:      map[string]string{},
						Annotations: map[string]string{},
					},
					Data: map[string][]byte{
						"token":  []byte(`foo`),
						"token2": []byte(`{"foo":"bar"}`),
					},
				},
			},
		},
		{
			name: "push the whole secret as json if remote property is defined but secret key is not given",
			fields: fields{
				Client: &fakeClient{
					t:         t,
					secretMap: map[string]*v1.Secret{},
				},
			},
			data: testingfake.PushSecretData{
				RemoteKey: "mysec",
				Property:  "marshaled",
			},
			secret: &v1.Secret{
				Data: map[string][]byte{
					"token":  []byte("foo"),
					"token2": []byte("2"),
				},
			},
			wantSecretMap: map[string]*v1.Secret{
				"mysec": {
					ObjectMeta: metav1.ObjectMeta{
						Name:        "mysec",
						Labels:      map[string]string{},
						Annotations: map[string]string{},
					},
					Data: map[string][]byte{
						"marshaled": []byte(`{"token":"foo","token2":"2"}`),
					},
					Type: "Opaque",
				},
			},
		},
		{
			name: "add missing property to existing secret",
			fields: fields{
				Client: &fakeClient{
					t: t,
					secretMap: map[string]*v1.Secret{
						"mysec": {
							Data: map[string][]byte{
								"token": []byte(`foo`),
							},
						},
					},
				},
			},
			secret: &v1.Secret{
				Data: map[string][]byte{secretKey: []byte("bar")},
			},
			data: testingfake.PushSecretData{
				SecretKey: secretKey,
				RemoteKey: "mysec",
				Property:  "secret",
			},
			wantErr: false,
			wantSecretMap: map[string]*v1.Secret{
				"mysec": {
					ObjectMeta: metav1.ObjectMeta{
						Name:        "mysec",
						Labels:      map[string]string{},
						Annotations: map[string]string{},
					},
					Data: map[string][]byte{
						"token":  []byte(`foo`),
						"secret": []byte(`bar`),
					},
				},
			},
		},
		{
			name: "replace existing property in existing secret",
			fields: fields{
				Client: &fakeClient{
					t: t,
					secretMap: map[string]*v1.Secret{
						"mysec": {
							Data: map[string][]byte{
								"token": []byte(`foo`),
							},
						},
					},
				},
			},
			secret: &v1.Secret{
				Data: map[string][]byte{secretKey: []byte("bar")},
			},
			data: testingfake.PushSecretData{
				SecretKey: secretKey,
				RemoteKey: "mysec",
				Property:  "token",
			},
			wantErr: false,
			wantSecretMap: map[string]*v1.Secret{
				"mysec": {
					ObjectMeta: metav1.ObjectMeta{
						Name:        "mysec",
						Labels:      map[string]string{},
						Annotations: map[string]string{},
					},
					Data: map[string][]byte{
						"token": []byte(`bar`),
					},
				},
			},
		},
		{
			name: "replace existing property in existing secret with targetMergePolicy set to Ignore",
			fields: fields{
				Client: &fakeClient{
					t: t,
					secretMap: map[string]*v1.Secret{
						"mysec": {
							Data: map[string][]byte{
								"token": []byte(`foo`),
							},
						},
					},
				},
			},
			secret: &v1.Secret{
				ObjectMeta: metav1.ObjectMeta{
					Name: "mysec",
					// these should be ignored as the targetMergePolicy is set to Ignore
					Labels:      map[string]string{"dev": "seb"},
					Annotations: map[string]string{"date": "today"},
				},
				Data: map[string][]byte{secretKey: []byte("bar")},
			},
			data: testingfake.PushSecretData{
				SecretKey: secretKey,
				RemoteKey: "mysec",
				Property:  "token",
				Metadata: &apiextensionsv1.JSON{
					Raw: []byte(`{"apiVersion":"kubernetes.external-secrets.io/v1alpha1", "kind": "PushSecretMetadata", spec: {"targetMergePolicy": "Ignore"}}`),
				},
			},
			wantErr: false,
			wantSecretMap: map[string]*v1.Secret{
				"mysec": {
					ObjectMeta: metav1.ObjectMeta{
						Name:        "mysec",
						Labels:      map[string]string{},
						Annotations: map[string]string{},
					},
					Data: map[string][]byte{
						"token": []byte(`bar`),
					},
				},
			},
		},
		{
			name: "replace existing property in existing secret with targetMergePolicy set to Replace",
			fields: fields{
				Client: &fakeClient{
					t: t,
					secretMap: map[string]*v1.Secret{
						"mysec": {
							ObjectMeta: metav1.ObjectMeta{
								Name: "mysec",
								Labels: map[string]string{
									"already": "existing",
								},
								Annotations: map[string]string{
									"already": "existing",
								},
							},
							Data: map[string][]byte{
								"token": []byte(`foo`),
							},
						},
					},
				},
			},
			secret: &v1.Secret{
				ObjectMeta: metav1.ObjectMeta{
					Name: "mysec",
					// these should replace existing metadata as the targetMergePolicy is set to Replace
					Labels:      map[string]string{"dev": "seb"},
					Annotations: map[string]string{"date": "today"},
				},
				Data: map[string][]byte{secretKey: []byte("bar")},
			},
			data: testingfake.PushSecretData{
				SecretKey: secretKey,
				RemoteKey: "mysec",
				Property:  "token",
				Metadata: &apiextensionsv1.JSON{
					Raw: []byte(`{"apiVersion":"kubernetes.external-secrets.io/v1alpha1", "kind": "PushSecretMetadata", spec: {"targetMergePolicy": "Replace"}}`),
				},
			},
			wantErr: false,
			wantSecretMap: map[string]*v1.Secret{
				"mysec": {
					ObjectMeta: metav1.ObjectMeta{
						Name: "mysec",
						Labels: map[string]string{
							"dev": "seb",
						},
						Annotations: map[string]string{
							"date": "today",
						},
					},
					Data: map[string][]byte{
						"token": []byte(`bar`),
					},
				},
			},
		},
		{
			name: "create new secret, merging existing metadata",
			fields: fields{
				Client: &fakeClient{
					t: t,
					secretMap: map[string]*v1.Secret{
						"yoursec": {
							Data: map[string][]byte{
								"token": []byte(`foo`),
							},
						},
					},
				},
			},
			secret: &v1.Secret{
				ObjectMeta: metav1.ObjectMeta{
					Annotations: map[string]string{
						"this-annotation": "should be present on the targey secret",
					},
				},
				Data: map[string][]byte{secretKey: []byte("bar")},
			},
			data: testingfake.PushSecretData{
				SecretKey: secretKey,
				RemoteKey: "mysec",
				Property:  "secret",
				Metadata: &apiextensionsv1.JSON{
					Raw: []byte(`{"apiVersion":"kubernetes.external-secrets.io/v1alpha1", "kind": "PushSecretMetadata", spec: {"annotations": {"date": "today"}, "labels": {"dev": "seb"}}}`),
				},
			},
			wantErr: false,
			wantSecretMap: map[string]*v1.Secret{
				"yoursec": {
					Data: map[string][]byte{
						"token": []byte(`foo`),
					},
				},
				"mysec": {
					ObjectMeta: metav1.ObjectMeta{
						Name: "mysec",
						Annotations: map[string]string{
							"date":            "today",
							"this-annotation": "should be present on the targey secret",
						},
						Labels: map[string]string{"dev": "seb"},
					},
					Data: map[string][]byte{
						"secret": []byte(`bar`),
					},
					Type: v1.SecretTypeOpaque,
				},
			},
		},
		{
			name: "create new secret with metadata from secret metadata and remoteRef.metadata",
			fields: fields{
				Client: &fakeClient{
					t: t,
					secretMap: map[string]*v1.Secret{
						"yoursec": {
							Data: map[string][]byte{
								"token": []byte(`foo`),
							},
						},
					},
				},
			},
			secret: &v1.Secret{
				ObjectMeta: metav1.ObjectMeta{
					Annotations: map[string]string{"date": "today"},
					Labels:      map[string]string{"dev": "seb"},
				},
				Data: map[string][]byte{secretKey: []byte("bar")},
			},
			data: testingfake.PushSecretData{
				SecretKey: secretKey,
				RemoteKey: "mysec",
				Property:  "secret",
				Metadata: &apiextensionsv1.JSON{
					Raw: []byte(`{"apiVersion":"kubernetes.external-secrets.io/v1alpha1", "kind": "PushSecretMetadata", spec: { "sourceMergePolicy": "Replace", "annotations": {"another-field": "from-remote-ref"}, "labels": {"other-label": "from-remote-ref"}}}`),
				},
			},
			wantErr: false,
			wantSecretMap: map[string]*v1.Secret{
				"yoursec": {
					Data: map[string][]byte{
						"token": []byte(`foo`),
					},
				},
				"mysec": {
					ObjectMeta: metav1.ObjectMeta{
						Name: "mysec",
						Annotations: map[string]string{
							"another-field": "from-remote-ref",
						},
						Labels: map[string]string{
							"other-label": "from-remote-ref",
						},
					},
					Data: map[string][]byte{
						"secret": []byte(`bar`),
					},
					Type: v1.SecretTypeOpaque,
				},
			},
		},
		{
			name: "invalid secret metadata structure results in error",
			fields: fields{
				Client: &fakeClient{
					t: t,
					secretMap: map[string]*v1.Secret{
						"yoursec": {
							Data: map[string][]byte{
								"token": []byte(`foo`),
							},
						},
					},
				},
			},
			secret: &v1.Secret{
				Data: map[string][]byte{secretKey: []byte("bar")},
			},
			data: testingfake.PushSecretData{
				SecretKey: secretKey,
				RemoteKey: "mysec",
				Property:  "secret",
				Metadata: &apiextensionsv1.JSON{
					Raw: []byte(`{}`),
				},
			},
			wantErr: true,
			wantSecretMap: map[string]*v1.Secret{
				"yoursec": {
					Data: map[string][]byte{
						"token": []byte(`foo`),
					},
				},
			},
		},
		{
			name: "non-json secret metadata results in error",
			fields: fields{
				Client: &fakeClient{
					t: t,
					secretMap: map[string]*v1.Secret{
						"yoursec": {
							Data: map[string][]byte{
								"token": []byte(`foo`),
							},
						},
					},
				},
			},
			secret: &v1.Secret{
				Data: map[string][]byte{secretKey: []byte("bar")},
			},
			data: testingfake.PushSecretData{
				SecretKey: secretKey,
				RemoteKey: "mysec",
				Property:  "secret",
				Metadata: &apiextensionsv1.JSON{
					Raw: []byte(`--- not json ---`),
				},
			},
			wantErr: true,
			wantSecretMap: map[string]*v1.Secret{
				"yoursec": {
					Data: map[string][]byte{
						"token": []byte(`foo`),
					},
				},
			},
		},
		{
			name: "create new secret with whole secret",
			fields: fields{
				Client: &fakeClient{
					t: t,
					secretMap: map[string]*v1.Secret{
						"yoursec": {
							Data: map[string][]byte{
								"token": []byte(`foo`),
							},
						},
					},
				},
			},
			secret: &v1.Secret{
				Data: map[string][]byte{
					"foo": []byte("bar"),
					"baz": []byte("bang"),
				},
			},
			data: testingfake.PushSecretData{
				RemoteKey: "mysec",
			},
			wantErr: false,
			wantSecretMap: map[string]*v1.Secret{
				"yoursec": {
					Data: map[string][]byte{
						"token": []byte(`foo`),
					},
				},
				"mysec": {
					ObjectMeta: metav1.ObjectMeta{
						Name:        "mysec",
						Labels:      map[string]string{},
						Annotations: map[string]string{},
					},
					Data: map[string][]byte{
						"foo": []byte("bar"),
						"baz": []byte("bang"),
					},
					Type: v1.SecretTypeOpaque,
				},
			},
		},
		{
			name: "create new dockerconfigjson secret",
			fields: fields{
				Client: &fakeClient{
					t: t,
					secretMap: map[string]*v1.Secret{
						"yoursec": {
							Data: map[string][]byte{
								"token": []byte(`foo`),
							},
						},
					},
				},
			},
			secret: &v1.Secret{
				Type: v1.SecretTypeDockerConfigJson,
				Data: map[string][]byte{secretKey: []byte(`{"auths": {"myregistry.localhost": {"username": "{{ .username }}", "password": "{{ .password }}"}}}`)},
			},
			data: testingfake.PushSecretData{
				SecretKey: secretKey,
				RemoteKey: "mysec",
				Property:  "config.json",
			},
			wantErr: false,
			wantSecretMap: map[string]*v1.Secret{
				"yoursec": {
					Data: map[string][]byte{
						"token": []byte(`foo`),
					},
				},
				"mysec": {
					ObjectMeta: metav1.ObjectMeta{
						Name:        "mysec",
						Labels:      map[string]string{},
						Annotations: map[string]string{},
					},
					Data: map[string][]byte{
						"config.json": []byte(`{"auths": {"myregistry.localhost": {"username": "{{ .username }}", "password": "{{ .password }}"}}}`),
					},
					Type: v1.SecretTypeDockerConfigJson,
				},
			},
		},
		{
			name: "create new secret with remote namespace",
			fields: fields{
				Client: &fakeClient{
					t:         t,
					secretMap: map[string]*v1.Secret{},
				},
			},
			secret: &v1.Secret{
				ObjectMeta: metav1.ObjectMeta{
					Name:      "mysec",
					Namespace: "source-namespace",
				},
				Data: map[string][]byte{secretKey: []byte("bar")},
			},
			data: testingfake.PushSecretData{
				SecretKey: secretKey,
				RemoteKey: "mysec",
				Property:  "secret",
				Metadata: &apiextensionsv1.JSON{
					Raw: []byte(`{"apiVersion":"kubernetes.external-secrets.io/v1alpha1", "kind": "PushSecretMetadata", "spec": {"remoteNamespace": "target-namespace"}}`),
				},
			},
			wantErr: false,
			wantSecretMap: map[string]*v1.Secret{
				"mysec": {
					ObjectMeta: metav1.ObjectMeta{
						Name:        "mysec",
						Namespace:   "target-namespace",
						Labels:      map[string]string{},
						Annotations: map[string]string{},
					},
					Data: map[string][]byte{
						"secret": []byte(`bar`),
					},
					Type: v1.SecretTypeOpaque,
				},
			},
		},
	}
	for _, tt := range tests {
		t.Run(tt.name, func(t *testing.T) {
			p := &Client{
				userSecretClient: tt.fields.Client,
				store:            &esv1.KubernetesProvider{},
			}
			err := p.PushSecret(context.Background(), tt.secret, tt.data)
			if (err != nil) != tt.wantErr {
				t.Errorf("ProviderKubernetes error = %v, wantErr %v", err, tt.wantErr)
				return
			}

			fClient := tt.fields.Client.(*fakeClient)
			if diff := cmp.Diff(tt.wantSecretMap, fClient.secretMap); diff != "" {
				t.Errorf("Unexpected resulting secrets map:  -want, +got :\n%s\n", diff)
			}
		})
	}
}