Home Explore Help
Sign In
logic855
/
helm-external-secrets
mirror of https://github.com/external-secrets/external-secrets
1
0
Fork 0
Files Issues 0 Wiki
Tree: 07d93ab9db
Branches Tags
helm-externa...
/
pkg
/
provider
/
webhook
/
webhook_test.go

webhook_test.go 18 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683 
  1. /*
    2. 

  2. Licensed under the Apache License, Version 2.0 (the "License");
    3. 

  3. you may not use this file except in compliance with the License.
    4. 

  4. You may obtain a copy of the License at
    5. 

  5. 

  6. 	http://www.apache.org/licenses/LICENSE-2.0
    7. 

  7. 

  8. Unless required by applicable law or agreed to in writing, software
    9. 

  9. distributed under the License is distributed on an "AS IS" BASIS,
    10. 

  10. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    11. 

  11. See the License for the specific language governing permissions and
    12. 

  12. limitations under the License.
    13. 

  13. */
    14. 

  14. 

  15. package webhook
    16. 

  16. 

  17. import (
    18. 

  18. 	"bytes"
    19. 

  19. 	"context"
    20. 

  20. 	"errors"
    21. 

  21. 	"io"
    22. 

  22. 	"net/http"
    23. 

  23. 	"net/http/httptest"
    24. 

  24. 	"strings"
    25. 

  25. 	"testing"
    26. 

  26. 	"time"
    27. 

  27. 

  28. 	"gopkg.in/yaml.v3"
    29. 

  29. 	corev1 "k8s.io/api/core/v1"
    30. 

  30. 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
    31. 

  31. 

  32. 	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
    33. 

  33. 	"github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
    34. 

  34. )
    35. 

  35. 

  36. type testCase struct {
    37. 

  37. 	Case string `json:"case,omitempty"`
    38. 

  38. 	Args args   `json:"args"`
    39. 

  39. 	Want want   `json:"want"`
    40. 

  40. }
    41. 

  41. 

  42. type secret struct {
    43. 

  43. 	Name string            `json:"name"`
    44. 

  44. 	Data map[string]string `json:"data"`
    45. 

  45. }
    46. 

  46. 

  47. type args struct {
    48. 

  48. 	URL        string `json:"url,omitempty"`
    49. 

  49. 	Body       string `json:"body,omitempty"`
    50. 

  50. 	Timeout    string `json:"timeout,omitempty"`
    51. 

  51. 	Key        string `json:"key,omitempty"`
    52. 

  52. 	SecretKey  string `json:"secretkey,omitempty"`
    53. 

  53. 	Property   string `json:"property,omitempty"`
    54. 

  54. 	Version    string `json:"version,omitempty"`
    55. 

  55. 	JSONPath   string `json:"jsonpath,omitempty"`
    56. 

  56. 	Response   string `json:"response,omitempty"`
    57. 

  57. 	StatusCode int    `json:"statuscode,omitempty"`
    58. 

  58. 	PushSecret bool   `json:"pushsecret,omitempty"`
    59. 

  59. 	Secret     secret `json:"secret,omitempty"`
    60. 

  60. }
    61. 

  61. 

  62. type want struct {
    63. 

  63. 	Path      string            `json:"path,omitempty"`
    64. 

  64. 	Body      *string           `json:"body,omitempty"`
    65. 

  65. 	Err       string            `json:"err,omitempty"`
    66. 

  66. 	Result    string            `json:"result,omitempty"`
    67. 

  67. 	ResultMap map[string]string `json:"resultmap,omitempty"`
    68. 

  68. }
    69. 

  69. 

  70. var testCases = `
    71. 

  71. case: error url
    72. 

  72. args:
    73. 

  73.   url: /api/getsecret?id={{ .unclosed.template
    74. 

  74. want:
    75. 

  75.   err: failed to parse url
    76. 

  76. ---
    77. 

  77. case: error body
    78. 

  78. args:
    79. 

  79.   url: /api/getsecret?id={{ .remoteRef.key }}&version={{ .remoteRef.version }}
    80. 

  80.   body: Body error {{ .unclosed.template
    81. 

  81. want:
    82. 

  82.   err: failed to parse body
    83. 

  83. ---
    84. 

  84. case: error connection
    85. 

  85. args:
    86. 

  86.   url: 1/api/getsecret?id={{ .remoteRef.key }}&version={{ .remoteRef.version }}
    87. 

  87. want:
    88. 

  88.   err: failed to call endpoint
    89. 

  89. ---
    90. 

  90. case: error no secret err
    91. 

  91. args:
    92. 

  92.   url: /api/getsecret?id={{ .remoteRef.key }}&version={{ .remoteRef.version }}
    93. 

  93.   key: testkey
    94. 

  94.   version: 1
    95. 

  95.   statuscode: 404
    96. 

  96.   response: not found
    97. 

  97. want:
    98. 

  98.   path: /api/getsecret?id=testkey&version=1
    99. 

  99.   err: ` + esv1.NoSecretErr.Error() + `
    100. 

  100. ---
    101. 

  101. case: error server error
    102. 

  102. args:
    103. 

  103.   url: /api/getsecret?id={{ .remoteRef.key }}&version={{ .remoteRef.version }}
    104. 

  104.   key: testkey
    105. 

  105.   version: 1
    106. 

  106.   statuscode: 500
    107. 

  107.   response: server error
    108. 

  108. want:
    109. 

  109.   path: /api/getsecret?id=testkey&version=1
    110. 

  110.   err: endpoint gave error 500
    111. 

  111. ---
    112. 

  112. case: error bad json
    113. 

  113. args:
    114. 

  114.   url: /api/getsecret?id={{ .remoteRef.key }}&version={{ .remoteRef.version }}
    115. 

  115.   key: testkey
    116. 

  116.   version: 1
    117. 

  117.   jsonpath: $.result.thesecret
    118. 

  118.   response: '{"result":{"thesecret":"secret-value"}'
    119. 

  119. want:
    120. 

  120.   path: /api/getsecret?id=testkey&version=1
    121. 

  121.   err: failed to parse response json
    122. 

  122. ---
    123. 

  123. case: error bad jsonpath
    124. 

  124. args:
    125. 

  125.   url: /api/getsecret?id={{ .remoteRef.key }}&version={{ .remoteRef.version }}
    126. 

  126.   key: testkey
    127. 

  127.   version: 1
    128. 

  128.   jsonpath: $.result.thesecret
    129. 

  129.   response: '{"result":{"nosecret":"secret-value"}}'
    130. 

  130. want:
    131. 

  131.   path: /api/getsecret?id=testkey&version=1
    132. 

  132.   err: failed to get response path
    133. 

  133. ---
    134. 

  134. case: pull data out of map
    135. 

  135. args:
    136. 

  136.   url: /api/getsecret?id={{ .remoteRef.key }}&version={{ .remoteRef.version }}
    137. 

  137.   key: testkey
    138. 

  138.   version: 1
    139. 

  139.   jsonpath: $.result.thesecret
    140. 

  140.   response: '{"result":{"thesecret":{"one":"secret-value"}}}'
    141. 

  141. want:
    142. 

  142.   path: /api/getsecret?id=testkey&version=1
    143. 

  143.   err: ''
    144. 

  144.   result: '{"one":"secret-value"}'
    145. 

  145. ---
    146. 

  146. case: error timeout
    147. 

  147. args:
    148. 

  148.   url: /api/getsecret?id={{ .remoteRef.key }}&version={{ .remoteRef.version }}
    149. 

  149.   key: testkey
    150. 

  150.   version: 1
    151. 

  151.   response: secret-value
    152. 

  152.   timeout: 0.01ms
    153. 

  153. want:
    154. 

  154.   path: /api/getsecret?id=testkey&version=1
    155. 

  155.   err: context deadline exceeded
    156. 

  156. ---
    157. 

  157. case: good plaintext
    158. 

  158. args:
    159. 

  159.   url: /api/getsecret?id={{ .remoteRef.key }}&version={{ .remoteRef.version }}
    160. 

  160.   key: testkey
    161. 

  161.   version: 1
    162. 

  162.   response: secret-value
    163. 

  163. want:
    164. 

  164.   path: /api/getsecret?id=testkey&version=1
    165. 

  165.   err: ''
    166. 

  166.   result: secret-value
    167. 

  167. ---
    168. 

  168. case: good json
    169. 

  169. args:
    170. 

  170.   url: /api/getsecret?id={{ .remoteRef.key }}&version={{ .remoteRef.version }}
    171. 

  171.   key: testkey
    172. 

  172.   version: 1
    173. 

  173.   jsonpath: $.result.thesecret
    174. 

  174.   response: '{"result":{"thesecret":"secret-value"}}'
    175. 

  175. want:
    176. 

  176.   path: /api/getsecret?id=testkey&version=1
    177. 

  177.   err: ''
    178. 

  178.   result: secret-value
    179. 

  179. ---
    180. 

  180. case: good json map
    181. 

  181. args:
    182. 

  182.   url: /api/getsecret?id={{ .remoteRef.key }}&version={{ .remoteRef.version }}
    183. 

  183.   key: testkey
    184. 

  184.   version: 1
    185. 

  185.   jsonpath: $.result
    186. 

  186.   response: '{"result":{"thesecret":"secret-value","alsosecret":"another-value"}}'
    187. 

  187. want:
    188. 

  188.   path: /api/getsecret?id=testkey&version=1
    189. 

  189.   err: ''
    190. 

  190.   resultmap:
    191. 

  191.     thesecret: secret-value
    192. 

  192.     alsosecret: another-value
    193. 

  193. ---
    194. 

  194. case: templated jsonpath good json map
    195. 

  195. args:
    196. 

  196.   url: /api/getsecret?id={{ .remoteRef.key }}&version={{ .remoteRef.version }}
    197. 

  197.   key: testkey
    198. 

  198.   version: 1
    199. 

  199.   jsonpath: $.{{printf "result" }}
    200. 

  200.   response: '{"result":{"thesecret":"secret-value","alsosecret":"another-value"}}'
    201. 

  201. want:
    202. 

  202.   path: /api/getsecret?id=testkey&version=1
    203. 

  203.   err: ''
    204. 

  204.   resultmap:
    205. 

  205.     thesecret: secret-value
    206. 

  206.     alsosecret: another-value
    207. 

  207. ---
    208. 

  208. case: templated jsonpath invalid template
    209. 

  209. args:
    210. 

  210.   url: /api/getsecret?id={{ .remoteRef.key }}&version={{ .remoteRef.version }}
    211. 

  211.   key: testkey
    212. 

  212.   version: 1
    213. 

  213.   jsonpath: $.{{printf 'result' }}
    214. 

  214.   response: '{"result":{"thesecret":"secret-value","alsosecret":"another-value"}}'
    215. 

  215. want:
    216. 

  216.   path: /api/getsecret?id=testkey&version=1
    217. 

  217.   err: "cannot get templated json path"
    218. 

  218.   resultmap:
    219. 

  219.     thesecret: secret-value
    220. 

  220.     alsosecret: another-value
    221. 

  221. ---
    222. 

  222. case: good json map string
    223. 

  223. args:
    224. 

  224.   url: /api/getsecret?id={{ .remoteRef.key }}&version={{ .remoteRef.version }}
    225. 

  225.   key: testkey
    226. 

  226.   version: 1
    227. 

  227.   response: '{"thesecret":"secret-value","alsosecret":"another-value"}'
    228. 

  228. want:
    229. 

  229.   path: /api/getsecret?id=testkey&version=1
    230. 

  230.   err: ''
    231. 

  231.   resultmap:
    232. 

  232.     thesecret: secret-value
    233. 

  233.     alsosecret: another-value
    234. 

  234. ---
    235. 

  235. case: error json map string
    236. 

  236. args:
    237. 

  237.   url: /api/getsecret?id={{ .remoteRef.key }}&version={{ .remoteRef.version }}
    238. 

  238.   key: testkey
    239. 

  239.   version: 1
    240. 

  240.   response: 'some simple string'
    241. 

  241. want:
    242. 

  242.   path: /api/getsecret?id=testkey&version=1
    243. 

  243.   err: "failed to parse response json: invalid character"
    244. 

  244.   resultmap: {}
    245. 

  245. ---
    246. 

  246. case: error json map
    247. 

  247. args:
    248. 

  248.   url: /api/getsecret?id={{ .remoteRef.key }}&version={{ .remoteRef.version }}
    249. 

  249.   key: testkey
    250. 

  250.   version: 1
    251. 

  251.   jsonpath: $.result.thesecret
    252. 

  252.   response: '{"result":{"thesecret":"secret-value","alsosecret":"another-value"}}'
    253. 

  253. want:
    254. 

  254.   path: /api/getsecret?id=testkey&version=1
    255. 

  255.   err: "failed to parse response json from jsonpath"
    256. 

  256.   resultmap: {}
    257. 

  257. ---
    258. 

  258. case: good json with good templated jsonpath
    259. 

  259. args:
    260. 

  260.   url: /api/getsecret?id={{ .remoteRef.key }}&version={{ .remoteRef.version }}
    261. 

  261.   key: testkey
    262. 

  262.   property: thesecret
    263. 

  263.   version: 1
    264. 

  264.   jsonpath: $.result.{{ .remoteRef.property }}
    265. 

  265.   response: '{"result":{"thesecret":"secret-value"}}'
    266. 

  266. want:
    267. 

  267.   path: /api/getsecret?id=testkey&version=1
    268. 

  268.   err: ''
    269. 

  269.   result: secret-value
    270. 

  270. ---
    271. 

  271. case: good json with jsonpath filter
    272. 

  272. args:
    273. 

  273.   url: /api/getsecret?id={{ .remoteRef.key }}&version={{ .remoteRef.version }}
    274. 

  274.   key: testkey
    275. 

  275.   version: 1
    276. 

  276.   jsonpath: $.secrets[?@.name=="thesecret"].value
    277. 

  277.   response: '{"secrets": [{"name": "thesecret", "value": "secret-value"}, {"name": "alsosecret", "value": "another-value"}]}'
    278. 

  278. want:
    279. 

  279.   path: /api/getsecret?id=testkey&version=1
    280. 

  280.   err: ''
    281. 

  281.   result: secret-value
    282. 

  282. ---
    283. 

  283. case: good json with bad templated jsonpath
    284. 

  284. args:
    285. 

  285.   url: /api/getsecret?id={{ .remoteRef.key }}&version={{ .remoteRef.version }}
    286. 

  286.   key: testkey
    287. 

  287.   property: thesecret
    288. 

  288.   version: 1
    289. 

  289.   jsonpath: $.result.{{ .remoteRef.property }
    290. 

  290.   response: '{"result":{"thesecret":"secret-value"}}'
    291. 

  291. want:
    292. 

  292.   path: /api/getsecret?id=testkey&version=1
    293. 

  293.   err: 'template: webhooktemplate:1: unexpected "}" in operand'
    294. 

  294. ---
    295. 

  295. case: error with jsonpath filter empty results
    296. 

  296. args:
    297. 

  297.   url: /api/getsecret?id={{ .remoteRef.key }}&version={{ .remoteRef.version }}
    298. 

  298.   key: testkey
    299. 

  299.   version: 1
    300. 

  300.   jsonpath: $.secrets[?@.name=="thebadsecret"].value
    301. 

  301.   response: '{"secrets": [{"name": "thesecret", "value": "secret-value"}, {"name": "alsosecret", "value": "another-value"}]}'
    302. 

  302. want:
    303. 

  303.   path: /api/getsecret?id=testkey&version=1
    304. 

  304.   err: "filter worked but didn't get any result"
    305. 

  305. ---
    306. 

  306. case: success with jsonpath filter and result array
    307. 

  307. args:
    308. 

  308.   url: /api/getsecret?id={{ .remoteRef.key }}&version={{ .remoteRef.version }}
    309. 

  309.   key: testkey
    310. 

  310.   version: 1
    311. 

  311.   jsonpath: $..name
    312. 

  312.   response: '{"secrets": [{"name": "thesecret", "value": "secret-value"}, {"name": "alsosecret", "value": "another-value"}]}'
    313. 

  313. want:
    314. 

  314.   path: /api/getsecret?id=testkey&version=1
    315. 

  315.   err: ''
    316. 

  316.   result: 'thesecret'
    317. 

  317. ---
    318. 

  318. case: success with jsonpath filter and result array of ints
    319. 

  319. args:
    320. 

  320.   url: /api/getsecret?id={{ .remoteRef.key }}&version={{ .remoteRef.version }}
    321. 

  321.   key: testkey
    322. 

  322.   version: 1
    323. 

  323.   jsonpath: $..name
    324. 

  324.   response: '{"secrets": [{"name": 123, "value": "secret-value"}, {"name": 456, "value": "another-value"}]}'
    325. 

  325. want:
    326. 

  326.   path: /api/getsecret?id=testkey&version=1
    327. 

  327.   err: ''
    328. 

  328.   result: 123
    329. 

  329. ---
    330. 

  330. case: support backslash
    331. 

  331. args:
    332. 

  332.   url: /api/getsecret?id={{ .remoteRef.key }}&version={{ .remoteRef.version }}
    333. 

  333.   key: testkey
    334. 

  334.   version: 1
    335. 

  335.   jsonpath: $.refresh_token
    336. 

  336.   response: '{"access_token":"REDACTED","refresh_token":"RE\/DACTED=="}'
    337. 

  337. want:
    338. 

  338.   path: /api/getsecret?id=testkey&version=1
    339. 

  339.   err: ''
    340. 

  340.   result: "RE/DACTED=="
    341. 

  341. ---
    342. 

  342. case: good json with mixed fields and jsonpath filter
    343. 

  343. args:
    344. 

  344.   url: /api/getsecret?id={{ .remoteRef.key }}&version={{ .remoteRef.version }}
    345. 

  345.   key: testkey
    346. 

  346.   version: 1
    347. 

  347.   jsonpath: $.result.thesecret
    348. 

  348.   response: '{"result":{"thesecret":"secret-value","alsosecret":"another-value", "id": 1234, "weight": 1.5}}'
    349. 

  349. want:
    350. 

  350.   path: /api/getsecret?id=testkey&version=1
    351. 

  351.   err: ''
    352. 

  352.   result: secret-value
    353. 

  353. ---
    354. 

  354. case: good json with mixed fields to map
    355. 

  355. args:
    356. 

  356.   url: /api/getsecret?id={{ .remoteRef.key }}&version={{ .remoteRef.version }}
    357. 

  357.   key: testkey
    358. 

  358.   version: 1
    359. 

  359.   jsonpath: $.result
    360. 

  360.   response: '{"result":{"thesecret":"secret-value","alsosecret":"another-value", "id": 1234, "weight": 1.5}}'
    361. 

  361. want:
    362. 

  362.   path: /api/getsecret?id=testkey&version=1
    363. 

  363.   err: ''
    364. 

  364.   resultmap:
    365. 

  365.     thesecret: secret-value
    366. 

  366.     alsosecret: another-value
    367. 

  367.     id: 1234
    368. 

  368.     weight: 1.5
    369. 

  369. ---
    370. 

  370. case: only url encoding for url templates
    371. 

  371. args:
    372. 

  372.   url: /api/getsecrets?folder={{ .remoteRef.key }}
    373. 

  373.   body: '{"folder": "{{ .remoteRef.key }}"}'
    374. 

  374.   key: /myapp/secrets
    375. 

  375. want:
    376. 

  376.   path: /api/getsecrets?folder=%2Fmyapp%2Fsecrets
    377. 

  377.   body: '{"folder": "/myapp/secrets"}'
    378. 

  378. `
    379. 

  379. 

  380. func TestWebhookGetSecret(t *testing.T) {
    381. 

  381. 	ydec := yaml.NewDecoder(bytes.NewReader([]byte(testCases)))
    382. 

  382. 	for {
    383. 

  383. 		var tc testCase
    384. 

  384. 		if err := ydec.Decode(&tc); err != nil {
    385. 

  385. 			if !errors.Is(err, io.EOF) {
    386. 

  386. 				t.Errorf("testcase decode error %v", err)
    387. 

  387. 			}
    388. 

  388. 			break
    389. 

  389. 		}
    390. 

  390. 		runTestCase(tc, t)
    391. 

  391. 	}
    392. 

  392. }
    393. 

  393. 

  394. var testCasesPushSecret = `
    395. 

  395. ---
    396. 

  396. case: secret key not found
    397. 

  397. args:
    398. 

  398.   url: /api/pushsecret?id={{ .remoteRef.remoteKey }}&secret={{ .remoteRef.secretKey }}
    399. 

  399.   key: testkey
    400. 

  400.   secretkey: not-found
    401. 

  401.   pushsecret: true
    402. 

  402.   secret:
    403. 

  403.     name: test-secret
    404. 

  404.     data:
    405. 

  405.       secretkey: value
    406. 

  406. want:
    407. 

  407.   path: /api/pushsecret?id=testkey&secret=not-found
    408. 

  408.   err: 'failed to find secret key in secret with key: not-found'
    409. 

  409. ---
    410. 

  410. case: default body good json
    411. 

  411. args:
    412. 

  412.   url: /api/pushsecret?id={{ .remoteRef.remoteKey }}&secret={{ .remoteRef.secretKey }}
    413. 

  413.   key: testkey
    414. 

  414.   secretkey: secretkey
    415. 

  415.   pushsecret: true
    416. 

  416.   secret:
    417. 

  417.     name: test-secret
    418. 

  418.     data:
    419. 

  419.       secretkey: value
    420. 

  420. want:
    421. 

  421.   path: /api/pushsecret?id=testkey&secret=secretkey
    422. 

  422.   body: 'value'
    423. 

  423.   err: ''
    424. 

  424. ---
    425. 

  425. case: good json
    426. 

  426. args:
    427. 

  427.   url: /api/pushsecret?id={{ .remoteRef.remoteKey }}&secret={{ .remoteRef.secretKey }}
    428. 

  428.   key: testkey
    429. 

  429.   body: 'pre {{ .remoteRef.remoteKey }} {{ .remoteRef.testkey }} post'
    430. 

  430.   secretkey: secretkey
    431. 

  431.   pushsecret: true
    432. 

  432.   secret:
    433. 

  433.     name: test-secret
    434. 

  434.     data:
    435. 

  435.       secretkey: value
    436. 

  436. want:
    437. 

  437.   path: /api/pushsecret?id=testkey&secret=secretkey
    438. 

  438.   body: 'pre testkey value post'
    439. 

  439.   err: ''
    440. 

  440. ---
    441. 

  441. case: empty body
    442. 

  442. args:
    443. 

  443.   url: /api/pushsecret?id={{ .remoteRef.remoteKey }}
    444. 

  444.   key: testkey
    445. 

  445.   body: '{{ "" }}'
    446. 

  446.   pushsecret: true
    447. 

  447.   secret:
    448. 

  448.     name: test-secret
    449. 

  449.     data:
    450. 

  450.       secretkey: value
    451. 

  451. want:
    452. 

  452.   path: /api/pushsecret?id=testkey
    453. 

  453.   body: ''
    454. 

  454.   err: ''
    455. 

  455. ---
    456. 

  456. case: default body pushing without secret key
    457. 

  457. args:
    458. 

  458.   url: /api/pushsecret?id={{ .remoteRef.remoteKey }}
    459. 

  459.   key: testkey
    460. 

  460.   pushsecret: true
    461. 

  461.   secret:
    462. 

  462.     name: test-secret
    463. 

  463.     data:
    464. 

  464.       secretkey: value
    465. 

  465. want:
    466. 

  466.   path: /api/pushsecret?id=testkey
    467. 

  467.   body: '{"secretkey":"value"}'
    468. 

  468.   err: ''
    469. 

  469. ---
    470. 

  470. case: pushing without secret key
    471. 

  471. args:
    472. 

  472.   url: /api/pushsecret?id={{ .remoteRef.remoteKey }}
    473. 

  473.   key: testkey
    474. 

  474.   body: 'pre {{ .remoteRef.remoteKey }} {{ index (.remoteRef.testkey | fromJson) "secretkey" }} post'
    475. 

  475.   pushsecret: true
    476. 

  476.   secret:
    477. 

  477.     name: test-secret
    478. 

  478.     data:
    479. 

  479.       secretkey: value
    480. 

  480. want:
    481. 

  481.   path: /api/pushsecret?id=testkey
    482. 

  482.   body: 'pre testkey value post'
    483. 

  483.   err: ''
    484. 

  484. ---
    485. 

  485. case: pushing without secret key with dynamic resolution
    486. 

  486. args:
    487. 

  487.   url: /api/pushsecret?id={{ .remoteRef.remoteKey }}
    488. 

  488.   key: testkey
    489. 

  489.   body: 'pre {{ .remoteRef.remoteKey }} {{ index (index .remoteRef .remoteRef.remoteKey | fromJson) "secretkey" }} post'
    490. 

  490.   pushsecret: true
    491. 

  491.   secret:
    492. 

  492.     name: test-secret
    493. 

  493.     data:
    494. 

  494.       secretkey: value
    495. 

  495. want:
    496. 

  496.   path: /api/pushsecret?id=testkey
    497. 

  497.   body: 'pre testkey value post'
    498. 

  498.   err: ''
    499. 

  499. `
    500. 

  500. 

  501. func TestWebhookPushSecret(t *testing.T) {
    502. 

  502. 	ydec := yaml.NewDecoder(bytes.NewReader([]byte(testCasesPushSecret)))
    503. 

  503. 	for {
    504. 

  504. 		var tc testCase
    505. 

  505. 		if err := ydec.Decode(&tc); err != nil {
    506. 

  506. 			if !errors.Is(err, io.EOF) {
    507. 

  507. 				t.Errorf("testcase decode error %v", err)
    508. 

  508. 			}
    509. 

  509. 			break
    510. 

  510. 		}
    511. 

  511. 		runTestCase(tc, t)
    512. 

  512. 	}
    513. 

  513. }
    514. 

  514. 

  515. func testCaseServer(tc testCase, t *testing.T) *httptest.Server {
    516. 

  516. 	// Start a new server for every test case because the server wants to check the expected api path
    517. 

  517. 	return httptest.NewServer(http.HandlerFunc(func(rw http.ResponseWriter, req *http.Request) {
    518. 

  518. 		if tc.Want.Path != "" && req.URL.String() != tc.Want.Path {
    519. 

  519. 			t.Errorf("%s: unexpected api path: %s, expected %s", tc.Case, req.URL.String(), tc.Want.Path)
    520. 

  520. 		}
    521. 

  521. 		if tc.Want.Body != nil {
    522. 

  522. 			b, _ := io.ReadAll(req.Body)
    523. 

  523. 			if tc.Want.Body != nil && string(b) != *tc.Want.Body {
    524. 

  524. 				t.Errorf("%s: unexpected body: %s, expected %s", tc.Case, string(b), *tc.Want.Body)
    525. 

  525. 			}
    526. 

  526. 		}
    527. 

  527. 		if tc.Args.StatusCode != 0 {
    528. 

  528. 			rw.WriteHeader(tc.Args.StatusCode)
    529. 

  529. 		}
    530. 

  530. 		rw.Write([]byte(tc.Args.Response))
    531. 

  531. 	}))
    532. 

  532. }
    533. 

  533. 

  534. func parseTimeout(timeout string) (*metav1.Duration, error) {
    535. 

  535. 	if timeout == "" {
    536. 

  536. 		return nil, nil
    537. 

  537. 	}
    538. 

  538. 	dur, err := time.ParseDuration(timeout)
    539. 

  539. 	if err != nil {
    540. 

  540. 		return nil, err
    541. 

  541. 	}
    542. 

  542. 	return &metav1.Duration{Duration: dur}, nil
    543. 

  543. }
    544. 

  544. 

  545. func runTestCase(tc testCase, t *testing.T) {
    546. 

  546. 	t.Run(tc.Case, func(t *testing.T) {
    547. 

  547. 		ts := testCaseServer(tc, t)
    548. 

  548. 		defer ts.Close()
    549. 

  549. 

  550. 		testStore := makeClusterSecretStore(ts.URL, tc.Args)
    551. 

  551. 		var err error
    552. 

  552. 		timeout, err := parseTimeout(tc.Args.Timeout)
    553. 

  553. 		if err != nil {
    554. 

  554. 			t.Errorf("%s: error parsing timeout '%s': %s", tc.Case, tc.Args.Timeout, err.Error())
    555. 

  555. 			return
    556. 

  556. 		}
    557. 

  557. 		testStore.Spec.Provider.Webhook.Timeout = timeout
    558. 

  558. 		testProv := &Provider{}
    559. 

  559. 		client, err := testProv.NewClient(context.Background(), testStore, nil, "testnamespace")
    560. 

  560. 		if err != nil {
    561. 

  561. 			t.Errorf("%s: error creating client: %s", tc.Case, err.Error())
    562. 

  562. 			return
    563. 

  563. 		}
    564. 

  564. 

  565. 		if tc.Want.ResultMap != nil && !tc.Args.PushSecret {
    566. 

  566. 			testGetSecretMap(tc, t, client)
    567. 

  567. 		} else if !tc.Args.PushSecret {
    568. 

  568. 			testGetSecret(tc, t, client)
    569. 

  569. 		} else {
    570. 

  570. 			testPushSecret(tc, t, client)
    571. 

  571. 		}
    572. 

  572. 	})
    573. 

  573. }
    574. 

  574. 

  575. func testGetSecretMap(tc testCase, t *testing.T, client esv1.SecretsClient) {
    576. 

  576. 	testRef := esv1.ExternalSecretDataRemoteRef{
    577. 

  577. 		Key:     tc.Args.Key,
    578. 

  578. 		Version: tc.Args.Version,
    579. 

  579. 	}
    580. 

  580. 	secretmap, err := client.GetSecretMap(context.Background(), testRef)
    581. 

  581. 	errStr := ""
    582. 

  582. 	if err != nil {
    583. 

  583. 		errStr = err.Error()
    584. 

  584. 	}
    585. 

  585. 	if (tc.Want.Err == "") != (errStr == "") || !strings.Contains(errStr, tc.Want.Err) {
    586. 

  586. 		t.Errorf("%s: unexpected error: '%s' (expected '%s')", tc.Case, errStr, tc.Want.Err)
    587. 

  587. 	}
    588. 

  588. 	if err == nil {
    589. 

  589. 		for wantkey, wantval := range tc.Want.ResultMap {
    590. 

  590. 			gotval, ok := secretmap[wantkey]
    591. 

  591. 			if !ok {
    592. 

  592. 				t.Errorf("%s: unexpected response: wanted key '%s' not found", tc.Case, wantkey)
    593. 

  593. 			} else if string(gotval) != wantval {
    594. 

  594. 				t.Errorf("%s: unexpected response: key '%s' = '%s' (expected '%s')", tc.Case, wantkey, wantval, gotval)
    595. 

  595. 			}
    596. 

  596. 		}
    597. 

  597. 	}
    598. 

  598. }
    599. 

  599. 

  600. func testGetSecret(tc testCase, t *testing.T, client esv1.SecretsClient) {
    601. 

  601. 	testRef := esv1.ExternalSecretDataRemoteRef{
    602. 

  602. 		Key:      tc.Args.Key,
    603. 

  603. 		Property: tc.Args.Property,
    604. 

  604. 		Version:  tc.Args.Version,
    605. 

  605. 	}
    606. 

  606. 	ctx, cancel := context.WithTimeout(context.Background(), time.Second)
    607. 

  607. 	defer cancel()
    608. 

  608. 	secret, err := client.GetSecret(ctx, testRef)
    609. 

  609. 	errStr := ""
    610. 

  610. 	if err != nil {
    611. 

  611. 		errStr = err.Error()
    612. 

  612. 	}
    613. 

  613. 	if !strings.Contains(errStr, tc.Want.Err) {
    614. 

  614. 		t.Errorf("%s: unexpected error: '%s' (expected '%s')", tc.Case, errStr, tc.Want.Err)
    615. 

  615. 	}
    616. 

  616. 	if err == nil && string(secret) != tc.Want.Result {
    617. 

  617. 		t.Errorf("%s: unexpected response: '%s' (expected '%s')", tc.Case, secret, tc.Want.Result)
    618. 

  618. 	}
    619. 

  619. }
    620. 

  620. 

  621. func testPushSecret(tc testCase, t *testing.T, client esv1.SecretsClient) {
    622. 

  622. 	testRef := v1alpha1.PushSecretData{
    623. 

  623. 		Match: v1alpha1.PushSecretMatch{
    624. 

  624. 			SecretKey: tc.Args.SecretKey,
    625. 

  625. 			RemoteRef: v1alpha1.PushSecretRemoteRef{
    626. 

  626. 				RemoteKey: tc.Args.Key,
    627. 

  627. 			},
    628. 

  628. 		},
    629. 

  629. 	}
    630. 

  630. 

  631. 	data := map[string][]byte{}
    632. 

  632. 	for k, v := range tc.Args.Secret.Data {
    633. 

  633. 		data[k] = []byte(v)
    634. 

  634. 	}
    635. 

  635. 	sec := &corev1.Secret{
    636. 

  636. 		ObjectMeta: metav1.ObjectMeta{
    637. 

  637. 			Name: tc.Args.Secret.Name,
    638. 

  638. 		},
    639. 

  639. 		Data: data,
    640. 

  640. 	}
    641. 

  641. 	ctx, cancel := context.WithTimeout(context.Background(), time.Second)
    642. 

  642. 	defer cancel()
    643. 

  643. 	err := client.PushSecret(ctx, sec, testRef)
    644. 

  644. 	errStr := ""
    645. 

  645. 	if err != nil {
    646. 

  646. 		errStr = err.Error()
    647. 

  647. 	}
    648. 

  648. 	if tc.Want.Err == "" && errStr != "" {
    649. 

  649. 		t.Errorf("%s: unexpected error: '%s' (expected '%s')", tc.Case, errStr, tc.Want.Err)
    650. 

  650. 	}
    651. 

  651. 

  652. 	if !strings.Contains(errStr, tc.Want.Err) {
    653. 

  653. 		t.Errorf("%s: unexpected error: '%s' (expected '%s')", tc.Case, errStr, tc.Want.Err)
    654. 

  654. 	}
    655. 

  655. }
    656. 

  656. 

  657. func makeClusterSecretStore(url string, args args) *esv1.ClusterSecretStore {
    658. 

  658. 	store := &esv1.ClusterSecretStore{
    659. 

  659. 		TypeMeta: metav1.TypeMeta{
    660. 

  660. 			Kind: "ClusterSecretStore",
    661. 

  661. 		},
    662. 

  662. 		ObjectMeta: metav1.ObjectMeta{
    663. 

  663. 			Name:      "wehbook-store",
    664. 

  664. 			Namespace: "default",
    665. 

  665. 		},
    666. 

  666. 		Spec: esv1.SecretStoreSpec{
    667. 

  667. 			Provider: &esv1.SecretStoreProvider{
    668. 

  668. 				Webhook: &esv1.WebhookProvider{
    669. 

  669. 					URL:  url + args.URL,
    670. 

  670. 					Body: args.Body,
    671. 

  671. 					Headers: map[string]string{
    672. 

  672. 						"Content-Type": "application.json",
    673. 

  673. 						"X-SecretKey":  "{{ .remoteRef.key }}",
    674. 

  674. 					},
    675. 

  675. 					Result: esv1.WebhookResult{
    676. 

  676. 						JSONPath: args.JSONPath,
    677. 

  677. 					},
    678. 

  678. 				},
    679. 

  679. 			},
    680. 

  680. 		},
    681. 

  681. 	}
    682. 

  682. 	return store
    683. 

  683. }
    684.