Home Explore Help
Sign In
logic855
/
helm-external-secrets
mirror of https://github.com/external-secrets/external-secrets
1
0
Fork 0
Files Issues 0 Wiki
Tree: 0a02f73142
Branches Tags
helm-externa...
/
pkg
/
template
/
v2
/
template_test.go

template_test.go 30 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738 
  1. /*
    2. 

  2. Licensed under the Apache License, Version 2.0 (the "License");
    3. 

  3. you may not use this file except in compliance with the License.
    4. 

  4. You may obtain a copy of the License at
    5. 

  5. 

  6. 	http://www.apache.org/licenses/LICENSE-2.0
    7. 

  7. 

  8. Unless required by applicable law or agreed to in writing, software
    9. 

  9. distributed under the License is distributed on an "AS IS" BASIS,
    10. 

  10. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    11. 

  11. See the License for the specific language governing permissions and
    12. 

  12. limitations under the License.
    13. 

  13. */
    14. 

  14. package template
    15. 

  15. 

  16. import (
    17. 

  17. 	"os"
    18. 

  18. 	"strings"
    19. 

  19. 	"testing"
    20. 

  20. 

  21. 	"github.com/google/go-cmp/cmp"
    22. 

  22. 	"github.com/stretchr/testify/assert"
    23. 

  23. 	"github.com/stretchr/testify/require"
    24. 

  24. 	corev1 "k8s.io/api/core/v1"
    25. 

  25. 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
    26. 

  26. 

  27. 	esapi "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
    28. 

  28. )
    29. 

  29. 

  30. const (
    31. 

  31. 	pkcs12ContentNoPass   = `MIIJYQIBAzCCCScGCSqGSIb3DQEHAaCCCRgEggkUMIIJEDCCA8cGCSqGSIb3DQEHBqCCA7gwggO0AgEAMIIDrQYJKoZIhvcNAQcBMBwGCiqGSIb3DQEMAQYwDgQInZmyWpNTPS4CAggAgIIDgPzZTmogBRiLP0NJZEUghZ3Oh1aqHJJ32HKgXUpD5BJ/5AvpUL9FC7m6a3GD++P1On/35J9N50bDjfBJjJrl2zpA143bzltPQBOK30cBJjNsCeN2Dq1dcsvJZfEy20z75NduXjMF6/qs4BbE+1E6nYFYVNHUybFnaQwSx7+2/2OMbXbcFpt4bv3HTw0YLw2pZeW/4/4A9d+tC9UdVQTTyNbI8l9nf1aeaaPsw1keVLmHurmTihfwh469FvjgwiHUP/P3ZCn1tOpWDR8ck0j+ru6imVP2hn+Kvk6svllmYqo3A5DnDRoF/Cl9R0DAPyS0lw7BeGskgTm7B79mzVitTbzRnIUP+sGJjc1AVghnitfcX4ffv8gq5xWaKGucO/IZXbPBoe7tMhKZmsirKzD4RBhC3nMyrwaHJB6PqUwxMQGMLbuHe7GlWhJAyFlcOTt5dgNl+axIkWdisoKNinYYeOuxudqyX6yPfsyaRCV5MEez3Wu+59MENGlGDRWbw61QuwsZkr1bAT2SJrQ/zHn5aGAluQZ1csJhKQ34iy1Ml9K9F4Zh3/2OWPs0u6+JCb1PC1vChBkguqcqQtEcikRwR9dNF9cdMB1T1Xk5GqlmOPaigkYzGWLgtl8cV5/Zl0m2j77mX9x4HVCTercAABGf9JcCLzSCo04c5OwIYtWUXBkux5n2VI2ZIuS1KF+r6JNyL3lg/D8LColzDUP/6tQCBVVgMar3iLblM17wPMTDMR5Bn+NvenwJj6FWaGGMtdjygtN+oSHpNDbVygfGQy+jEgUtK7yw0uh/WKBMWVw1E6iNuhb8HIyCFtQon8sDkuZ81czOpR3Ta1SWUWrZD+pjpL2Z4y8Nc2wt9pVPvLFOTn+GDFVqGpde3kovh3GfJjYCG/HI5rXZyziflDOoSy0SyG6aVCG4ZqW2LTymoVN/kxf+skqAweX1vxvvJniiv8HgYfEASFUWear4uT641d1YwcEIawNv4n+GKBilK/7ODl2QL86svwqIcbyiJrneyU2tHymKzGcU2VxmSgf8EnjqGuIEo7WXOpk0oUMcvYrM73cgzZ3BchUDIN0KWSDI+vDcVY82dbI39KM6dtOJFAx3kEdms/gdSqZtmHUIeArGp+8caCCAK/W+4wTOvtisK+6MtzdMz6P93N78N4Vo6cs3dkj6t/6tgNog5SCfwlOEyUpmMIIFQQYJKoZIhvcNAQcBoIIFMgSCBS4wggUqMIIFJgYLKoZIhvcNAQwKAQKgggTuMIIE6jAcBgoqhkiG9w0BDAEDMA4ECHVnarQ94cqlAgIIAASCBMgUvEVKsUcqEvYJEJ9JixgB0W3uhSi/Espt931a/mwx5Ja2K7vjlttaOct3Zc8umVrP5C322tmHz9QDVPj3Bln8CGfofC/8Nb6+SDeofmYaQYReOZpZGksEBs4P3yURl8wQpIkG31Oyf3urDTJdplfDrzu6XpEpIf7RicIR+Zh4Q1+F75XwPo52/yNs8q/kVV8H97gSRqQ2GixIdyNu+JLtNjdwAERHy4DeQjwgiMCdL+xMfN+WJyIvkLZDoy9bacXeG4IcQM+n84272C6j1a0BPaOm0K5A7I0H1zpXOJiWfn3MrT4LHDudrQoIWUOvcJjWaIM/KyghotDN50THKN9qCEE9SmtfWXGGFaJmyxbUDFizBIAsFshNtMs/47PoInTSNwzxNvUUQ3ap93iquGZ9EaZAMY2HQHW/QJIQ70IbtcHU28Bus/hrMcV0X9D1p4UeHuk37W7aCrL6hS+ac9pmzwmcDBwZUliyInxRmqCCerjg2ojAM9SVg8FrpQUErP+BOaoCBwQqLLiz9BM+3tUQc/8MyaBHq+c2dUoPfvipDIQXYiq66CkjmPHxPFEL1l9d9oBFoIGkt6SIHDjWnTPc5q5SvJ9tz8Dp1k/1HQSA8OUS6j+XySYuGe8xTvN/oUpVRswef2Qd/kxZlc1FJ4lVAXvbW7C7772l14BJv/WULcFH4Sn83rlL3YwHr4vJMf6wLahn7oQPI0VFSQiiOOb/+gkiTrwO3Gz+HXOkUwaKnW85PeoIt3/q1u0CRl64mUjqCegi7RMY9Q9tRMlD5yx0RsH7mc4b6Eg/3IwGu8VQmZCO5W2unCpfzzyrOx7OaGGaW4RJ2Mx7bJ8uV9HU8MbbNntmc9oxebPdDnBmbt8p8t4ZZxC+zcqcXi3TxACXmwnasogQEi0d0ttXkB5cnDCG00Y8WPdNIWfJdIQh8Hj16LAMYWUacz/J0kLP99ENQntZibVw/Q3zZtHSF5tmsYp7o1HglBpRwLTcd026YTrxB+VCEiUYy4hH6a38oEEpY7wTIiRmEBQPIRM0HUOqVh4z6TNzRx6iIhrQEvg06B8U6iVPqy8FGDkhf3P55Ed95/Rw6uSdlMTHng+Q4aG00k4qKdKOyv55IXPcvEzAeVNBuesknaS8x7Eb/I5mHSoZU3RYAEFGbehUkvkhNr3Xq7/W/400AKiliravJq8j/qKIZ9hAVUWOps09F/4peYfLXM1AhxWWGa5QqvwFkClM+uRyqIRGJwl2Z7asl4sWVXbwtb+Axio+mYGdzxIki5iwJvRCwKapoZplndXKTrn2nYBuhxW2+fRHa8WYdsm/wn0K+jYMlZhquVjNXyL70/Sym6DkzCtJvveQs2CfcEWQuedjRSGFVFT2jV/s5F8L2TV7nQNVj6dEJSNM5JCdZ//OpiMHMCbPNeSxY9koGplUqFhP54F1WU9x+8xiFjEp8WKxQYKHUtj+ace0lLF4CDGXhFR/0k7Icarpax3hYnvagd2OpZyRJdavKBSs5U7/NPuO6sNhZ2NpzsOiul9Iu8bu3UHCECNKkwN4wF4alTlG9sAAbS4ns4wb9XTajG+OPYoDQZmuJfc71McN6m8KBHEnXU8r4epdR7xREe/w+h2MwtPhLvbxwO592tUxJTAjBgkqhkiG9w0BCRUxFgQUOEXV6IFYGpCSHi0MPHz4b3W0KOQwMTAhMAkGBSsOAwIaBQAEFAjyBCA+mr+5UkKuQ1jGw90ASfbVBAjbvqJJZikDPgICCAA=`
    32. 

  32. 	pkcs12ContentWithPass = `MIIJYQIBAzCCCScGCSqGSIb3DQEHAaCCCRgEggkUMIIJEDCCA8cGCSqGSIb3DQEHBqCCA7gwggO0AgEAMIIDrQYJKoZIhvcNAQcBMBwGCiqGSIb3DQEMAQYwDgQI2eZRJ7Ar+JQCAggAgIIDgFTbOtkFPjqxAoYRHoq1SbyXKf/NRbBA5AqxQlv9aFVT4VcxUSrMGaSWifX2UjsVWQzn134yoLLbdJ0jTorVD+EuBUmtb3xXbBwLqtFZxwcWodYA5WhPQdDcQo0cD3o1vrsXPQARQR6ISSFnhFjPYdH9cO2LqUKV5pjFhIs2/1VPDS2eY7SWZN52DK3QknSj23S3ZW2s4TFEj/5C4ssbO7cWNWBjjaORnd17FMNgVtcRw8ITmLdGBOpFUwP8wIdiLGrXiyjfMLns74nztRelV30/v0DPlz0pZtOPygi/dy0qpbil3wtOFrtQBLEdvLNmt9ikQgGs3pJBS68eMJLu3jAU6rCIKycq0+E0eMXeHcseyMwgguTj2h4t+E4S7nU11lViBFqkSBKxE28+9fNlPvCsZ4WhQZ6TAW3E/jDy/ZSqmak5V7/khMlRPvtrxz71ivksH0iipPdJJkGi7SDEvETySBETiqIslUmsF0ZYeHR5wIBkB5V8zmi8RRZtpvDGbzuQ22V6sNk2mTDh+BRus7gNCoSGWYXWqNNp1PnznuYCJp9T+0mObcAijE7IQuhpYMeQPF+MUIlG5lmpNouzuygTf++xrKIjzP36DcthnMPeD/8LYWfzkuAeRodjl7Z1G6XLvBD5h+Xlq23WPjMcXUiiWYXxTREAQ1EWUf4A9twGcxHJ5AatbvQY3QUoS4a7LNuy17lF7G+O1SFDtGeHZXHHecaVpuAtqZEYeUpqy6ZzMJXtXE1JNl/UR9TtTordb1V5Pf45JTYKLI+SwxVQbRiTgfhulNc+E3tV1AEELZt4CKmh1OFJoJRtyREMfdVuP4rx7ywIoMYuWw8CRqJ3qSmdwz2kmL2pfJNn6vDfN6rNa+sXWErOJ7naSAKQH2CJfnkCOFxkKfwjbOcNRbnGKah8NyWu6xqlv7Y4xEJYqmPahGHmrSfdAt3mpc5zD74DvetLIczcadKaLH7mp6h98xHayvXh0UE7ERHeskfSPrLxL9A3V1RZXDOtcZFWSKHzokuXMDF9OnrcMYDzYgtzof4ReY2t1ldGF7phYINhDlUNyhzyjwyWQbdkxr/+FtWq8Sbm7o2zMTby48c25gnqD9U8RTAO+bY3oV3dQ4bpAOzWdzVmFjESUFx0xVwbTSJGXdkH4YmD5He+xwxTa0Je0HE5+ui5dbP1gxUY+pCGLOhGMIIFQQYJKoZIhvcNAQcBoIIFMgSCBS4wggUqMIIFJgYLKoZIhvcNAQwKAQKgggTuMIIE6jAcBgoqhkiG9w0BDAEDMA4ECGYAccNFWW6kAgIIAASCBMgbXw69iyx73RGWS3FYeuvF5L1VWXQGrDLdUGwa3SdovXxmP1pKBAb82UuiydXDpKSVCmefeEQTs6ucEFRmXrDIldNanqUwbydy3GSJ+4iNsVQHbFgNppH4e90L7BlLcZ3MzSrVEwxWVMHq+XLqTKf3X3QyrmA3mmF96+Nd+icpDIktd+/h2BHnSXHNP0QfVH27H4DwbMDijttXY0JB+8qP9m25Wn4zkmOPEUhrY4Ptv2I08eHFAuNI0jWUwfRhC4FDbUdwFb0aZjA3Te6uYTsu2zAlmg9HuqsD/Ef/wkBEKZLBkjiXa/niFVrwELXhWZDPBAuo+/1UbzXglsW4QDU4LbUutcs6DLag1vLe40a2LO1ODQm7Zw0bxLkb3f/ry6ZFYvO78XmHo4c/oQf4KPUtM2bLz5q7uOxAx07vHYaU2BVt3NjgiIO5VVKjw0075GdgFxwPvYncv1fsC5jSIkX43GuzEtoBTpJKDYb2nhKbN9XWixwGOhUBTK3WYBhn+uaMJs4l3EgkDtK9tsUs5VQQHawj0WrGS1mQhaBfcyZzv4wSn0d3JUO2CN0e9EReJcQvsEnwUvohilOvjDHHhTq8Kp4XU4jbq7TAKqxs3TOmdoskRykn9oKUPExJVhJQonFT3ietV5BHrnN/QoDCSeOR80ZxvWHrQDz3Hm1ygiHd8LYmN4IjiD8b28ZrCALifWxh0WmIYtLZrUjMZavPh+caWH9IG32fTxV9b1bgJD8vWqscj9jCjeMJvkKQo8PFg1kMAxt1u+bIyktTq42O9qxwGrdqEMeBzXxDJMMaRIH3m9LNZ/P5Nk4/hMURhCZJtRtNfOVTK+Q6kKgsdK2EHcuEnp/qBefZjve+xmitbF1W7C4+B7b2JNBacdIm1nE56DwglT/IUk65JrNFP3rf4c5ic76LCQrvyfLiKCGaqcihM9siLVFPYdrnr8TlGbCFnGbpBqMQA5MtZQaDUug50PJtdxlgfwWH4qliimgchCaZbSTcgN5YTguSe16uUSusHD+r6XdtI0939uDILXJjQMczhIKNw8w0Tn4Z3/g2KlB6cwbtaglnnO4a/USh0cPC1a581byNqeFoMi+mAhqfKkwdDuti4GX7OrhkUOkiRjEUXdcckpmmIsyamH/g1dq3CNFXFNIgRRrzIDo4Opr3Ip2VE/4BDQoo/+Rybzxh8bsHgCEujQf8urGxjGyd2ulHoXzHWhz7pPPuY5UN6dC9WZmOQDVous/1nhYThoLVVc61Rk6d83+Ac7iRg4bY5q/73J4HvPMmrTOOOqqn3wc9Pe5ibEy4tFaYnim4p1ZRm8YcwosZmuFPdsP6G5l5qt6uOyr2+qNpXIBkDpG7I6Ls10O7L3PQAX9zRGfcz6Ds0KtuDrLpaVvhuXpewsBwpo1lmhv9bAa4ppBuWznmKigX+vYojSxd/eCRAtMs+Lx6ppZsYNVhbdEIGKXSGwG98sSTZkoLHBMkUW7S8jpeSCHZWEFBUOPJQzAr5cW1w+RAs33cGUygZ5XEEx4DeW8MnO4lCuP+VDOwu3TAKhzAD+qCyXbLEzWiyL5fq3XL+YJtoAc8Mra9lK6jDqzq4u+PLNoYY+kWTBhCyRZ+PfzcXLry8pxuP5E6VtRgfYcxJTAjBgkqhkiG9w0BCRUxFgQUOEXV6IFYGpCSHi0MPHz4b3W0KOQwMTAhMAkGBSsOAwIaBQAEFBa+SV9FU2UObo+nYKdyt/kZVw6FBAgey4GonFtJ2gICCAA=`
    33. 

  33. 	pkcs12Cert            = `-----BEGIN CERTIFICATE-----
    34. 

  34. MIIDHTCCAgWgAwIBAgIRAKC4yxy9QGocND+6avTf7BgwDQYJKoZIhvcNAQELBQAw
    35. 

  35. EjEQMA4GA1UEChMHQWNtZSBDbzAeFw0yMTAzMjAyMDA4MDhaFw0yMTAzMjAyMDM4
    36. 

  36. MDhaMBIxEDAOBgNVBAoTB0FjbWUgQ28wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
    37. 

  37. ggEKAoIBAQC3o6/JdZEqNbqNRkopHhJtJG5c4qS5d0tQ/kZYpfD/v/izAYum4Nzj
    38. 

  38. aG15owr92/11W0pxPUliRLti3y6iScTs+ofm2D7p4UXj/Fnho/2xoWSOoWAodgvW
    39. 

  39. Y8jh8A0LQALZiV/9QsrJdXZdS47DYZLsQ3z9yFC/CdXkg1l7AQ3fIVGKdrQBr9kE
    40. 

  40. 1gEDqnKfRxXI8DEQKXr+CKPUwCAytegmy0SHp53zNAvY+kopHytzmJpXLoEhxq4e
    41. 

  41. ugHe52vXHdh/HJ9VjNp0xOH1waAgAGxHlltCW0PVd5AJ0SXROBS/a3V9sZCbCrJa
    42. 

  42. YOOonQSEswveSv6PcG9AHvpNPot2Xs6hAgMBAAGjbjBsMA4GA1UdDwEB/wQEAwIC
    43. 

  43. pDATBgNVHSUEDDAKBggrBgEFBQcDATAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQW
    44. 

  44. BBR00805mrpoonp95RmC3B6oLl+cGTAVBgNVHREEDjAMggpnb29ibGUuY29tMA0G
    45. 

  45. CSqGSIb3DQEBCwUAA4IBAQAipc1b6JrEDayPjpz5GM5krcI8dCWVd8re0a9bGjjN
    46. 

  46. ioWGlu/eTr5El0ffwCNZ2WLmL9rewfHf/bMvYz3ioFZJ2OTxfazqYXNggQz6cMfa
    47. 

  47. lbedDCdt5XLVX2TyerGvFram+9Uyvk3l0uM7rZnwAmdirG4Tv94QRaD3q4xTj/c0
    48. 

  48. mv+AggtK0aRFb9o47z/BypLdk5mhbf3Mmr88C8XBzEnfdYyf4JpTlZrYLBmDCu5d
    49. 

  49. 9RLLsjXxhag8xqMtd1uLUM8XOTGzVWacw8iGY+CTtBKqyA+AE6/bDwZvEwVtsKtC
    50. 

  50. QJ85ioEpy00NioqcF0WyMZH80uMsPycfpnl5uF7RkW8u
    51. 

  51. -----END CERTIFICATE-----
    52. 

  52. `
    53. 

  53. 	pkcs12Key = `-----BEGIN PRIVATE KEY-----
    54. 

  54. MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC3o6/JdZEqNbqN
    55. 

  55. RkopHhJtJG5c4qS5d0tQ/kZYpfD/v/izAYum4NzjaG15owr92/11W0pxPUliRLti
    56. 

  56. 3y6iScTs+ofm2D7p4UXj/Fnho/2xoWSOoWAodgvWY8jh8A0LQALZiV/9QsrJdXZd
    57. 

  57. S47DYZLsQ3z9yFC/CdXkg1l7AQ3fIVGKdrQBr9kE1gEDqnKfRxXI8DEQKXr+CKPU
    58. 

  58. wCAytegmy0SHp53zNAvY+kopHytzmJpXLoEhxq4eugHe52vXHdh/HJ9VjNp0xOH1
    59. 

  59. waAgAGxHlltCW0PVd5AJ0SXROBS/a3V9sZCbCrJaYOOonQSEswveSv6PcG9AHvpN
    60. 

  60. Pot2Xs6hAgMBAAECggEACTGPrmVNZDCWa1Y2hkJ0J7SoNcw+9O4M/jwMp4l/PD6P
    61. 

  61. I98S78LYLCZhPLK17SmjUcnFO1AXKW1JeFS2D/fjfP256guvcqQNjLFoioxcOhVb
    62. 

  62. ZGyd1Mi8JPqP5wfOj16gBeYDwTkjz9wqldcfiZaL9XoXetkZecbzR2JwC2FtIVuC
    63. 

  63. 0njTjMNYpaBKnoLb8OTR0EQz7lYEo2MkQiWryz8wseONnFmdfh18p+p10YgCbuCH
    64. 

  64. qesrWfDLLxaxZelNtDhDngg9LoCLmarYy7BgShacmUEgJTZ/x3xFC75thK3ln0OY
    65. 

  65. +ktTgvVotYYaZi7qAjQiEsTvkTAPg5RMpQLd2UIWsQKBgQDCBp+1vURbwGzmTNUg
    66. 

  66. HMipD6WDFdLc9DCacx6+ZqsEPTMWQbCpVZrDKiY0Rjt5F+xOCyMr00J5RDJXRC0G
    67. 

  67. +L7NcJdywOFutT7vB+cmETg7l/6PHweNYBnE66706eTL/KVYZMi4tEinarPWhHmL
    68. 

  68. jasfdLANtpDjdWkRt299TkPRbQKBgQDyS8Rr7KZdv04Csqkf+ASmiJpT5R6Y72kc
    69. 

  69. 3XYpKETyB2FyPZkuh/zInMut9SkkSI9O/jA3zf956jj6sF1DHvp7T8KkIp5OAQeD
    70. 

  70. J9AF65m2MnZfHFUeJ6ZQsggwMWqrD0ycIWP7YWtiBHH+D1wGkjYrssq+bvG/yNpA
    71. 

  71. LtqdKq9lhQKBgQCZA2hIhy61vRckuEsLvCdzTGeW7UsR/XGnHEqOlaEhArKbRsrv
    72. 

  72. gBdA+qiOaSTV5svw8E+YbE7sG6AnuhhYeyreEYEeeoZOLJmpIG5mUwYp2UBj1nC6
    73. 

  73. SaOI7OVZOGu7g09SWokBQQxbG4cgEfFY4Sym7fs5lVTGTP3Dfwppo6NQMQKBgQCo
    74. 

  74. J5NDP3Lafwk58BpV+H/pv8YzUUDh7M2rXbtCpxLqUdr8OOnVlEUISWFF8m5CIyVq
    75. 

  75. MhjuscWLK9Wtjba7/YTjDaDM3sW05xv6lyfU5ATCoNTr/zLHgcb4HAZ4w+L+otiN
    76. 

  76. RtMnxB2NYf5mzuwUF2cG/secUEzwyAlIH/xStSwTLQKBgQCRvqF+rqxnegoOgwVW
    77. 

  77. qrWPv06wXD8dW2FlPpY5GXqA0l6erSK3YsQQToRmbem9ibPD7bd5P4gNbWfxwK4C
    78. 

  78. Wt+1Rcb8OrDhDJbYz85bXBnPecKp4EN0b9SHO0/dsCqn2w30emc+9T/4m1ZDkpBd
    79. 

  79. BixHvI/EJ8YK3ta5WdJWKC6hnA==
    80. 

  80. -----END PRIVATE KEY-----
    81. 

  81. `
    82. 

  82. 	jwkPubRSA     = `{"kid":"ex","kty":"RSA","key_ops":["sign","verify","wrapKey","unwrapKey","encrypt","decrypt"],"n":"p2VQo8qCfWAZmdWBVaYuYb-a-tWWm78K6Sr9poCvNcmv8rUPSLACxitQWR8gZaSH1DklVkqz-Ed8Cdlf8lkDg4Ex5tkB64jRdC1Uvn4CDpOH6cp-N2s8hTFLqy9_YaDmyQS7HiqthOi9oVjil1VMeWfaAbClGtFt6UnKD0Vb_DvLoWYQSqlhgBArFJi966b4E1pOq5Ad02K8pHBDThlIIx7unibLehhDU6q3DCwNH_OOLx6bgNtmvGYJDd1cywpkLQ3YzNCUPWnfMBJRP3iQP_WI21uP6cvo0DqBPBM4wvVzHbCT0vnIflwkbgEWkq1FprqAitZlop9KjLqzjp9vyQ","e":"AQAB"}`
    83. 

  83. 	jwkPubRSAPKIX = `-----BEGIN PUBLIC KEY-----
    84. 

  84. MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAp2VQo8qCfWAZmdWBVaYu
    85. 

  85. Yb+a+tWWm78K6Sr9poCvNcmv8rUPSLACxitQWR8gZaSH1DklVkqz+Ed8Cdlf8lkD
    86. 

  86. g4Ex5tkB64jRdC1Uvn4CDpOH6cp+N2s8hTFLqy9/YaDmyQS7HiqthOi9oVjil1VM
    87. 

  87. eWfaAbClGtFt6UnKD0Vb/DvLoWYQSqlhgBArFJi966b4E1pOq5Ad02K8pHBDThlI
    88. 

  88. Ix7unibLehhDU6q3DCwNH/OOLx6bgNtmvGYJDd1cywpkLQ3YzNCUPWnfMBJRP3iQ
    89. 

  89. P/WI21uP6cvo0DqBPBM4wvVzHbCT0vnIflwkbgEWkq1FprqAitZlop9KjLqzjp9v
    90. 

  90. yQIDAQAB
    91. 

  91. -----END PUBLIC KEY-----
    92. 

  92. `
    93. 

  93. 	jwkPrivRSA      = `{"kty" : "RSA","kid" : "cc34c0a0-bd5a-4a3c-a50d-a2a7db7643df","use" : "sig","n"   : "pjdss8ZaDfEH6K6U7GeW2nxDqR4IP049fk1fK0lndimbMMVBdPv_hSpm8T8EtBDxrUdi1OHZfMhUixGaut-3nQ4GG9nM249oxhCtxqqNvEXrmQRGqczyLxuh-fKn9Fg--hS9UpazHpfVAFnB5aCfXoNhPuI8oByyFKMKaOVgHNqP5NBEqabiLftZD3W_lsFCPGuzr4Vp0YS7zS2hDYScC2oOMu4rGU1LcMZf39p3153Cq7bS2Xh6Y-vw5pwzFYZdjQxDn8x8BG3fJ6j8TGLXQsbKH1218_HcUJRvMwdpbUQG5nvA2GXVqLqdwp054Lzk9_B_f1lVrmOKuHjTNHq48w","e"   : "AQAB","d"   : "ksDmucdMJXkFGZxiomNHnroOZxe8AmDLDGO1vhs-POa5PZM7mtUPonxwjVmthmpbZzla-kg55OFfO7YcXhg-Hm2OWTKwm73_rLh3JavaHjvBqsVKuorX3V3RYkSro6HyYIzFJ1Ek7sLxbjDRcDOj4ievSX0oN9l-JZhaDYlPlci5uJsoqro_YrE0PRRWVhtGynd-_aWgQv1YzkfZuMD-hJtDi1Im2humOWxA4eZrFs9eG-whXcOvaSwO4sSGbS99ecQZHM2TcdXeAs1PvjVgQ_dKnZlGN3lTWoWfQP55Z7Tgt8Nf1q4ZAKd-NlMe-7iqCFfsnFwXjSiaOa2CRGZn-Q","p"   : "4A5nU4ahEww7B65yuzmGeCUUi8ikWzv1C81pSyUKvKzu8CX41hp9J6oRaLGesKImYiuVQK47FhZ--wwfpRwHvSxtNU9qXb8ewo-BvadyO1eVrIk4tNV543QlSe7pQAoJGkxCia5rfznAE3InKF4JvIlchyqs0RQ8wx7lULqwnn0","q"   : "ven83GM6SfrmO-TBHbjTk6JhP_3CMsIvmSdo4KrbQNvp4vHO3w1_0zJ3URkmkYGhz2tgPlfd7v1l2I6QkIh4Bumdj6FyFZEBpxjE4MpfdNVcNINvVj87cLyTRmIcaGxmfylY7QErP8GFA-k4UoH_eQmGKGK44TRzYj5hZYGWIC8","dp"  : "lmmU_AG5SGxBhJqb8wxfNXDPJjf__i92BgJT2Vp4pskBbr5PGoyV0HbfUQVMnw977RONEurkR6O6gxZUeCclGt4kQlGZ-m0_XSWx13v9t9DIbheAtgVJ2mQyVDvK4m7aRYlEceFh0PsX8vYDS5o1txgPwb3oXkPTtrmbAGMUBpE","dq"  : "mxRTU3QDyR2EnCv0Nl0TCF90oliJGAHR9HJmBe__EjuCBbwHfcT8OG3hWOv8vpzokQPRl5cQt3NckzX3fs6xlJN4Ai2Hh2zduKFVQ2p-AF2p6Yfahscjtq-GY9cB85NxLy2IXCC0PF--Sq9LOrTE9QV988SJy_yUrAjcZ5MmECk","qi"  : "ldHXIrEmMZVaNwGzDF9WG8sHj2mOZmQpw9yrjLK9hAsmsNr5LTyqWAqJIYZSwPTYWhY4nu2O0EY9G9uYiqewXfCKw_UngrJt8Xwfq1Zruz0YY869zPN4GiE9-9rzdZB33RBw8kIOquY3MK74FMwCihYx_LiU2YTHkaoJ3ncvtvg"}`
    94. 

  94. 	jwkPrivRSAPKCS8 = `-----BEGIN PRIVATE KEY-----
    95. 

  95. MIIEwAIBADANBgkqhkiG9w0BAQEFAASCBKowggSmAgEAAoIBAQCmN2yzxloN8Qfo
    96. 

  96. rpTsZ5bafEOpHgg/Tj1+TV8rSWd2KZswxUF0+/+FKmbxPwS0EPGtR2LU4dl8yFSL
    97. 

  97. EZq637edDgYb2czbj2jGEK3Gqo28ReuZBEapzPIvG6H58qf0WD76FL1SlrMel9UA
    98. 

  98. WcHloJ9eg2E+4jygHLIUowpo5WAc2o/k0ESppuIt+1kPdb+WwUI8a7OvhWnRhLvN
    99. 

  99. LaENhJwLag4y7isZTUtwxl/f2nfXncKrttLZeHpj6/DmnDMVhl2NDEOfzHwEbd8n
    100. 

  100. qPxMYtdCxsofXbXz8dxQlG8zB2ltRAbme8DYZdWoup3CnTngvOT38H9/WVWuY4q4
    101. 

  101. eNM0erjzAgMBAAECggEBAJLA5rnHTCV5BRmcYqJjR566DmcXvAJgywxjtb4bPjzm
    102. 

  102. uT2TO5rVD6J8cI1ZrYZqW2c5WvpIOeThXzu2HF4YPh5tjlkysJu9/6y4dyWr2h47
    103. 

  103. warFSrqK191d0WJEq6Oh8mCMxSdRJO7C8W4w0XAzo+Inr0l9KDfZfiWYWg2JT5XI
    104. 

  104. ubibKKq6P2KxND0UVlYbRsp3fv2loEL9WM5H2bjA/oSbQ4tSJtobpjlsQOHmaxbP
    105. 

  105. XhvsIV3Dr2ksDuLEhm0vfXnEGRzNk3HV3gLNT741YEP3Sp2ZRjd5U1qFn0D+eWe0
    106. 

  106. 4LfDX9auGQCnfjZTHvu4qghX7JxcF40omjmtgkRmZ/kCgYEA4A5nU4ahEww7B65y
    107. 

  107. uzmGeCUUi8ikWzv1C81pSyUKvKzu8CX41hp9J6oRaLGesKImYiuVQK47FhZ++wwf
    108. 

  108. pRwHvSxtNU9qXb8ewo+BvadyO1eVrIk4tNV543QlSe7pQAoJGkxCia5rfznAE3In
    109. 

  109. KF4JvIlchyqs0RQ8wx7lULqwnn0CgYEAven83GM6SfrmO+TBHbjTk6JhP/3CMsIv
    110. 

  110. mSdo4KrbQNvp4vHO3w1/0zJ3URkmkYGhz2tgPlfd7v1l2I6QkIh4Bumdj6FyFZEB
    111. 

  111. pxjE4MpfdNVcNINvVj87cLyTRmIcaGxmfylY7QErP8GFA+k4UoH/eQmGKGK44TRz
    112. 

  112. Yj5hZYGWIC8CgYEAlmmU/AG5SGxBhJqb8wxfNXDPJjf//i92BgJT2Vp4pskBbr5P
    113. 

  113. GoyV0HbfUQVMnw977RONEurkR6O6gxZUeCclGt4kQlGZ+m0/XSWx13v9t9DIbheA
    114. 

  114. tgVJ2mQyVDvK4m7aRYlEceFh0PsX8vYDS5o1txgPwb3oXkPTtrmbAGMUBpECgYEA
    115. 

  115. mxRTU3QDyR2EnCv0Nl0TCF90oliJGAHR9HJmBe//EjuCBbwHfcT8OG3hWOv8vpzo
    116. 

  116. kQPRl5cQt3NckzX3fs6xlJN4Ai2Hh2zduKFVQ2p+AF2p6Yfahscjtq+GY9cB85Nx
    117. 

  117. Ly2IXCC0PF++Sq9LOrTE9QV988SJy/yUrAjcZ5MmECkCgYEAldHXIrEmMZVaNwGz
    118. 

  118. DF9WG8sHj2mOZmQpw9yrjLK9hAsmsNr5LTyqWAqJIYZSwPTYWhY4nu2O0EY9G9uY
    119. 

  119. iqewXfCKw/UngrJt8Xwfq1Zruz0YY869zPN4GiE9+9rzdZB33RBw8kIOquY3MK74
    120. 

  120. FMwCihYx/LiU2YTHkaoJ3ncvtvg=
    121. 

  121. -----END PRIVATE KEY-----
    122. 

  122. `
    123. 

  123. 	jwkPubEC     = `{"kid":"https://kv-test-mj.vault.azure.net/keys/ec-p-521/e3d0e9c179b54988860c69c6ae172c65","kty":"EC","key_ops":["sign","verify"],"crv":"P-521","x":"AedOAtb7H7Oz1C_cPKI_R4CN_eai5nteY6KFW07FOoaqgQfVCSkQDK22fCOiMT_28c8LZYJRsiIFz_IIbQUW7bXj","y":"AOnchHnmBphIWXvanmMAmcCDkaED6ycW8GsAl9fQ43BMVZTqcTkJYn6vGnhn7MObizmkNSmgZYTwG-vZkIg03HHs"}`
    124. 

  124. 	jwkPubECPKIX = `-----BEGIN PUBLIC KEY-----
    125. 

  125. MIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQB504C1vsfs7PUL9w8oj9HgI395qLm
    126. 

  126. e15jooVbTsU6hqqBB9UJKRAMrbZ8I6IxP/bxzwtlglGyIgXP8ghtBRbtteMA6dyE
    127. 

  127. eeYGmEhZe9qeYwCZwIORoQPrJxbwawCX19DjcExVlOpxOQlifq8aeGfsw5uLOaQ1
    128. 

  128. KaBlhPAb69mQiDTccew=
    129. 

  129. -----END PUBLIC KEY-----
    130. 

  130. `
    131. 

  131. 	jwkPrivEC      = `{"kty": "EC","kid": "rie3pHe8u8gjSa0IaJfqk7_iEfHeYfDYx-Bqi7vQc0s","crv": "P-256","x": "fDjg3Nq4jPf8IOZ0277aPVal_8iXySnzLUJAZghUzZM","y": "d863PeyBOK_Q4duiSmWwgIRzi1RPlFZTR-vACMlPg-Q","d": "jJs5xsoHUetdMabtt8H2KyX5T92nGul1chFeMT5hlr0"}`
    132. 

  132. 	jwkPrivECPKCS8 = `-----BEGIN PRIVATE KEY-----
    133. 

  133. MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgjJs5xsoHUetdMabt
    134. 

  134. t8H2KyX5T92nGul1chFeMT5hlr2hRANCAAR8OODc2riM9/wg5nTbvto9VqX/yJfJ
    135. 

  135. KfMtQkBmCFTNk3fOtz3sgTiv0OHbokplsICEc4tUT5RWU0frwAjJT4Pk
    136. 

  136. -----END PRIVATE KEY-----
    137. 

  137. `
    138. 

  138. )
    139. 

  139. 

  140. func TestExecute(t *testing.T) {
    141. 

  141. 	tbl := []struct {
    142. 

  142. 		name                string
    143. 

  143. 		tpl                 map[string][]byte
    144. 

  144. 		labelsTpl           map[string][]byte
    145. 

  145. 		annotationsTpl      map[string][]byte
    146. 

  146. 		stringDataTpl       map[string][]byte
    147. 

  147. 		data                map[string][]byte
    148. 

  148. 		expectedData        map[string][]byte
    149. 

  149. 		expectedStringData  map[string]string
    150. 

  150. 		expectedLabels      map[string]string
    151. 

  151. 		expectedAnnotations map[string]string
    152. 

  152. 		expErr              string
    153. 

  153. 		expLblErr           string
    154. 

  154. 		expAnnoErr          string
    155. 

  155. 		expStrErr           string
    156. 

  156. 	}{
    157. 

  157. 		{
    158. 

  158. 			name:           "test empty",
    159. 

  159. 			tpl:            nil,
    160. 

  160. 			labelsTpl:      nil,
    161. 

  161. 			annotationsTpl: nil,
    162. 

  162. 			data:           nil,
    163. 

  163. 		},
    164. 

  164. 		{
    165. 

  165. 			name: "b64dec func",
    166. 

  166. 			tpl: map[string][]byte{
    167. 

  167. 				"foo": []byte("{{ .secret | b64dec }}"),
    168. 

  168. 			},
    169. 

  169. 			data: map[string][]byte{
    170. 

  170. 				"secret": []byte("MTIzNA=="),
    171. 

  171. 			},
    172. 

  172. 			expectedData: map[string][]byte{
    173. 

  173. 				"foo": []byte("1234"),
    174. 

  174. 			},
    175. 

  175. 		},
    176. 

  176. 		{
    177. 

  177. 			name: "fromJson func",
    178. 

  178. 			tpl: map[string][]byte{
    179. 

  179. 				"foo": []byte("{{ $var := .secret | fromJson }}{{ $var.foo }}"),
    180. 

  180. 			},
    181. 

  181. 			data: map[string][]byte{
    182. 

  182. 				"secret": []byte(`{"foo": "bar"}`),
    183. 

  183. 			},
    184. 

  184. 			expectedData: map[string][]byte{
    185. 

  185. 				"foo": []byte("bar"),
    186. 

  186. 			},
    187. 

  187. 		},
    188. 

  188. 		{
    189. 

  189. 			name: "from & toJson func",
    190. 

  190. 			tpl: map[string][]byte{
    191. 

  191. 				"foo": []byte("{{ $var := .secret | fromJson }}{{ $var.foo | toJson }}"),
    192. 

  192. 			},
    193. 

  193. 			data: map[string][]byte{
    194. 

  194. 				"secret": []byte(`{"foo": {"baz":"bang"}}`),
    195. 

  195. 			},
    196. 

  196. 			expectedData: map[string][]byte{
    197. 

  197. 				"foo": []byte(`{"baz":"bang"}`),
    198. 

  198. 			},
    199. 

  199. 		},
    200. 

  200. 		{
    201. 

  201. 			name: "fromJson & toYaml func",
    202. 

  202. 			tpl: map[string][]byte{
    203. 

  203. 				"foo": []byte("{{ $var := .secret | fromJson | toYaml }}{{ $var }}"),
    204. 

  204. 			},
    205. 

  205. 			data: map[string][]byte{
    206. 

  206. 				"secret": []byte(`{"foo": "bar"}`),
    207. 

  207. 			},
    208. 

  208. 			expectedData: map[string][]byte{
    209. 

  209. 				"foo": []byte(`foo: bar`),
    210. 

  210. 			},
    211. 

  211. 		},
    212. 

  212. 		{
    213. 

  213. 			name: "fromYaml & toJson func",
    214. 

  214. 			tpl: map[string][]byte{
    215. 

  215. 				"foo": []byte("{{ $var := .secret | fromYaml | toJson }}{{ $var }}"),
    216. 

  216. 			},
    217. 

  217. 			data: map[string][]byte{
    218. 

  218. 				"secret": []byte(`foo: bar`),
    219. 

  219. 			},
    220. 

  220. 			expectedData: map[string][]byte{
    221. 

  221. 				"foo": []byte(`{"foo":"bar"}`),
    222. 

  222. 			},
    223. 

  223. 		},
    224. 

  224. 		{
    225. 

  225. 			name: "use sprig functions",
    226. 

  226. 			tpl: map[string][]byte{
    227. 

  227. 				"foo": []byte(`{{ .path | ext }}`),
    228. 

  228. 			},
    229. 

  229. 			data: map[string][]byte{
    230. 

  230. 				"path": []byte(`foo/bar/baz.exe`),
    231. 

  231. 			},
    232. 

  232. 			expectedData: map[string][]byte{
    233. 

  233. 				"foo": []byte(`.exe`),
    234. 

  234. 			},
    235. 

  235. 		},
    236. 

  236. 		{
    237. 

  237. 			name: "use replace function",
    238. 

  238. 			tpl: map[string][]byte{
    239. 

  239. 				"foo": []byte(`{{ .conn | replace "postgres://" "db+postgresql://"}}`),
    240. 

  240. 			},
    241. 

  241. 			data: map[string][]byte{
    242. 

  242. 				"conn": []byte(`postgres://user:pass@db.host:5432/dbname`),
    243. 

  243. 			},
    244. 

  244. 			expectedData: map[string][]byte{
    245. 

  245. 				"foo": []byte(`db+postgresql://user:pass@db.host:5432/dbname`),
    246. 

  246. 			},
    247. 

  247. 		},
    248. 

  248. 		{
    249. 

  249. 			name: "use upper function",
    250. 

  250. 			tpl: map[string][]byte{
    251. 

  251. 				"foo": []byte(`{{ .value | upper }}`),
    252. 

  252. 			},
    253. 

  253. 			data: map[string][]byte{
    254. 

  254. 				"value": []byte(`username`),
    255. 

  255. 			},
    256. 

  256. 			expectedData: map[string][]byte{
    257. 

  257. 				"foo": []byte(`USERNAME`),
    258. 

  258. 			},
    259. 

  259. 		},
    260. 

  260. 		{
    261. 

  261. 			name: "multiline template",
    262. 

  262. 			tpl: map[string][]byte{
    263. 

  263. 				"cfg": []byte(`
    264. 

  264. 		datasources:
    265. 

  265. 		- name: Graphite
    266. 

  266. 			type: graphite
    267. 

  267. 			access: proxy
    268. 

  268. 			url: http://localhost:8080
    269. 

  269. 			password: "{{ .password }}"
    270. 

  270. 			user: "{{ .user }}"`),
    271. 

  271. 			},
    272. 

  272. 			data: map[string][]byte{
    273. 

  273. 				"user":     []byte(`foobert`),
    274. 

  274. 				"password": []byte("harharhar"),
    275. 

  275. 			},
    276. 

  276. 			expectedData: map[string][]byte{
    277. 

  277. 				"cfg": []byte(`
    278. 

  278. 		datasources:
    279. 

  279. 		- name: Graphite
    280. 

  280. 			type: graphite
    281. 

  281. 			access: proxy
    282. 

  282. 			url: http://localhost:8080
    283. 

  283. 			password: "harharhar"
    284. 

  284. 			user: "foobert"`),
    285. 

  285. 			},
    286. 

  286. 		},
    287. 

  287. 		{
    288. 

  288. 			name: "base64 pipeline",
    289. 

  289. 			tpl: map[string][]byte{
    290. 

  290. 				"foo": []byte(`{{ "123412341234" | b64enc | b64dec }}`),
    291. 

  291. 			},
    292. 

  292. 			data: map[string][]byte{},
    293. 

  293. 			expectedData: map[string][]byte{
    294. 

  294. 				"foo": []byte("123412341234"),
    295. 

  295. 			},
    296. 

  296. 		},
    297. 

  297. 		{
    298. 

  298. 			name: "base64 pkcs12 extract",
    299. 

  299. 			tpl: map[string][]byte{
    300. 

  300. 				"key":  []byte(`{{ .secret | b64dec | pkcs12key }}`),
    301. 

  301. 				"cert": []byte(`{{ .secret | b64dec | pkcs12cert }}`),
    302. 

  302. 			},
    303. 

  303. 			data: map[string][]byte{
    304. 

  304. 				"secret": []byte(pkcs12ContentNoPass),
    305. 

  305. 			},
    306. 

  306. 			expectedData: map[string][]byte{
    307. 

  307. 				"key":  []byte(pkcs12Key),
    308. 

  308. 				"cert": []byte(pkcs12Cert),
    309. 

  309. 			},
    310. 

  310. 		},
    311. 

  311. 		{
    312. 

  312. 			name: "base64 pkcs12 extract with password",
    313. 

  313. 			tpl: map[string][]byte{
    314. 

  314. 				"key":  []byte(`{{ .secret | b64dec | pkcs12keyPass "123456" }}`),
    315. 

  315. 				"cert": []byte(`{{ .secret | b64dec | pkcs12certPass "123456" }}`),
    316. 

  316. 			},
    317. 

  317. 			data: map[string][]byte{
    318. 

  318. 				"secret": []byte(pkcs12ContentWithPass),
    319. 

  319. 			},
    320. 

  320. 			expectedData: map[string][]byte{
    321. 

  321. 				"key":  []byte(pkcs12Key),
    322. 

  322. 				"cert": []byte(pkcs12Cert),
    323. 

  323. 			},
    324. 

  324. 		},
    325. 

  325. 		{
    326. 

  326. 			name: "base64 decode error",
    327. 

  327. 			tpl: map[string][]byte{
    328. 

  328. 				"key": []byte(`{{ .example | b64dec }}`),
    329. 

  329. 			},
    330. 

  330. 			data: map[string][]byte{
    331. 

  331. 				"example": []byte("iam_no_base64"),
    332. 

  332. 			},
    333. 

  333. 			expErr: "", // silent error
    334. 

  334. 		},
    335. 

  335. 		{
    336. 

  336. 			name: "pkcs12 key wrong password",
    337. 

  337. 			tpl: map[string][]byte{
    338. 

  338. 				"key": []byte(`{{ .secret | b64dec | pkcs12keyPass "wrong" }}`),
    339. 

  339. 			},
    340. 

  340. 			data: map[string][]byte{
    341. 

  341. 				"secret": []byte(pkcs12ContentWithPass),
    342. 

  342. 			},
    343. 

  343. 			expErr: "unable to decode pkcs12",
    344. 

  344. 		},
    345. 

  345. 		{
    346. 

  346. 			name: "pkcs12 cert wrong password",
    347. 

  347. 			tpl: map[string][]byte{
    348. 

  348. 				"cert": []byte(`{{ .secret | b64dec | pkcs12certPass "wrong" }}`),
    349. 

  349. 			},
    350. 

  350. 			data: map[string][]byte{
    351. 

  351. 				"secret": []byte(pkcs12ContentWithPass),
    352. 

  352. 			},
    353. 

  353. 			expErr: "unable to decode pkcs12",
    354. 

  354. 		},
    355. 

  355. 		{
    356. 

  356. 			name: "fromJson error",
    357. 

  357. 			tpl: map[string][]byte{
    358. 

  358. 				"key": []byte(`{{ "{ # no json # }" | fromJson }}`),
    359. 

  359. 			},
    360. 

  360. 			data:   map[string][]byte{},
    361. 

  361. 			expErr: "", // silent error
    362. 

  362. 		},
    363. 

  363. 		{
    364. 

  364. 			name: "template syntax error",
    365. 

  365. 			tpl: map[string][]byte{
    366. 

  366. 				"key": []byte(`{{ #xx }}`),
    367. 

  367. 			},
    368. 

  368. 			data:   map[string][]byte{},
    369. 

  369. 			expErr: "unable to parse template",
    370. 

  370. 		},
    371. 

  371. 		{
    372. 

  372. 			name: "jwk rsa pub pem",
    373. 

  373. 			tpl: map[string][]byte{
    374. 

  374. 				"fn": []byte(`{{ .secret | jwkPublicKeyPem }}`),
    375. 

  375. 			},
    376. 

  376. 			data: map[string][]byte{
    377. 

  377. 				"secret": []byte(jwkPubRSA),
    378. 

  378. 			},
    379. 

  379. 			expectedData: map[string][]byte{
    380. 

  380. 				"fn": []byte(jwkPubRSAPKIX),
    381. 

  381. 			},
    382. 

  382. 		},
    383. 

  383. 		{
    384. 

  384. 			name: "jwk rsa priv pem",
    385. 

  385. 			tpl: map[string][]byte{
    386. 

  386. 				"fn": []byte(`{{ .secret | jwkPrivateKeyPem }}`),
    387. 

  387. 			},
    388. 

  388. 			data: map[string][]byte{
    389. 

  389. 				"secret": []byte(jwkPrivRSA),
    390. 

  390. 			},
    391. 

  391. 			expectedData: map[string][]byte{
    392. 

  392. 				"fn": []byte(jwkPrivRSAPKCS8),
    393. 

  393. 			},
    394. 

  394. 		},
    395. 

  395. 		{
    396. 

  396. 			name: "jwk ecdsa pub pem",
    397. 

  397. 			tpl: map[string][]byte{
    398. 

  398. 				"fn": []byte(`{{ .secret | jwkPublicKeyPem }}`),
    399. 

  399. 			},
    400. 

  400. 			data: map[string][]byte{
    401. 

  401. 				"secret": []byte(jwkPubEC),
    402. 

  402. 			},
    403. 

  403. 			expectedData: map[string][]byte{
    404. 

  404. 				"fn": []byte(jwkPubECPKIX),
    405. 

  405. 			},
    406. 

  406. 		},
    407. 

  407. 		{
    408. 

  408. 			name: "jwk ecdsa priv pem",
    409. 

  409. 			tpl: map[string][]byte{
    410. 

  410. 				"fn": []byte(`{{ .secret | jwkPrivateKeyPem }}`),
    411. 

  411. 			},
    412. 

  412. 			data: map[string][]byte{
    413. 

  413. 				"secret": []byte(jwkPrivEC),
    414. 

  414. 			},
    415. 

  415. 			expectedData: map[string][]byte{
    416. 

  416. 				"fn": []byte(jwkPrivECPKCS8),
    417. 

  417. 			},
    418. 

  418. 		},
    419. 

  419. 		{
    420. 

  420. 			name: "filter pem certificate",
    421. 

  421. 			tpl: map[string][]byte{
    422. 

  422. 				"fn": []byte(`{{ .secret | filterPEM "CERTIFICATE" }}`),
    423. 

  423. 			},
    424. 

  424. 			data: map[string][]byte{
    425. 

  425. 				"secret": []byte(jwkPrivRSAPKCS8 + pkcs12Cert),
    426. 

  426. 			},
    427. 

  427. 			expectedData: map[string][]byte{
    428. 

  428. 				"fn": []byte(pkcs12Cert),
    429. 

  429. 			},
    430. 

  430. 		},
    431. 

  431. 		{
    432. 

  432. 			name: "labels",
    433. 

  433. 			tpl: map[string][]byte{
    434. 

  434. 				"foo": []byte("{{ .secret | b64dec }}"),
    435. 

  435. 			},
    436. 

  436. 			labelsTpl: map[string][]byte{
    437. 

  437. 				"bar": []byte("{{ .env | b64dec }}"),
    438. 

  438. 			},
    439. 

  439. 			data: map[string][]byte{
    440. 

  440. 				"secret": []byte("MTIzNA=="),
    441. 

  441. 				"env":    []byte("ZGV2"),
    442. 

  442. 			},
    443. 

  443. 			expectedData: map[string][]byte{
    444. 

  444. 				"foo": []byte("1234"),
    445. 

  445. 			},
    446. 

  446. 			expectedLabels: map[string]string{
    447. 

  447. 				"bar": "dev",
    448. 

  448. 			},
    449. 

  449. 		},
    450. 

  450. 		{
    451. 

  451. 			name: "annotations",
    452. 

  452. 			tpl: map[string][]byte{
    453. 

  453. 				"foo": []byte("{{ .secret | b64dec }}"),
    454. 

  454. 			},
    455. 

  455. 			annotationsTpl: map[string][]byte{
    456. 

  456. 				"bar": []byte("{{ .env | b64dec }}"),
    457. 

  457. 			},
    458. 

  458. 			data: map[string][]byte{
    459. 

  459. 				"secret": []byte("MTIzNA=="),
    460. 

  460. 				"env":    []byte("ZGV2"),
    461. 

  461. 			},
    462. 

  462. 			expectedData: map[string][]byte{
    463. 

  463. 				"foo": []byte("1234"),
    464. 

  464. 			},
    465. 

  465. 			expectedAnnotations: map[string]string{
    466. 

  466. 				"bar": "dev",
    467. 

  467. 			},
    468. 

  468. 		},
    469. 

  469. 		{
    470. 

  470. 			name: "stringData",
    471. 

  471. 			stringDataTpl: map[string][]byte{
    472. 

  472. 				"foo": []byte("{{ .secret | b64dec }}"),
    473. 

  473. 			},
    474. 

  474. 			data: map[string][]byte{
    475. 

  475. 				"secret": []byte("MTIzNA=="),
    476. 

  476. 				"env":    []byte("ZGV2"),
    477. 

  477. 			},
    478. 

  478. 			expectedStringData: map[string]string{
    479. 

  479. 				"foo": "1234",
    480. 

  480. 			},
    481. 

  481. 		},
    482. 

  482. 	}
    483. 

  483. 

  484. 	for i := range tbl {
    485. 

  485. 		row := tbl[i]
    486. 

  486. 		t.Run(row.name, func(t *testing.T) {
    487. 

  487. 			sec := &corev1.Secret{
    488. 

  488. 				Data:       make(map[string][]byte),
    489. 

  489. 				StringData: make(map[string]string),
    490. 

  490. 				ObjectMeta: v1.ObjectMeta{Labels: make(map[string]string), Annotations: make(map[string]string)},
    491. 

  491. 			}
    492. 

  492. 			err := Execute(row.tpl, row.data, esapi.TemplateScopeValues, esapi.TemplateTargetData, sec)
    493. 

  493. 			if !ErrorContains(err, row.expErr) {
    494. 

  494. 				t.Errorf("unexpected error: %s, expected: %s", err, row.expErr)
    495. 

  495. 			}
    496. 

  496. 			err = Execute(row.labelsTpl, row.data, esapi.TemplateScopeValues, esapi.TemplateTargetLabels, sec)
    497. 

  497. 			if !ErrorContains(err, row.expLblErr) {
    498. 

  498. 				t.Errorf("unexpected error: %s, expected: %s", err, row.expErr)
    499. 

  499. 			}
    500. 

  500. 			err = Execute(row.annotationsTpl, row.data, esapi.TemplateScopeValues, esapi.TemplateTargetAnnotations, sec)
    501. 

  501. 			if !ErrorContains(err, row.expAnnoErr) {
    502. 

  502. 				t.Errorf("unexpected error: %s, expected: %s", err, row.expErr)
    503. 

  503. 			}
    504. 

  504. 			if row.expectedData != nil {
    505. 

  505. 				assert.EqualValues(t, row.expectedData, sec.Data)
    506. 

  506. 			}
    507. 

  507. 			if row.expectedLabels != nil {
    508. 

  508. 				assert.EqualValues(t, row.expectedLabels, sec.ObjectMeta.Labels)
    509. 

  509. 			}
    510. 

  510. 			if row.expectedAnnotations != nil {
    511. 

  511. 				assert.EqualValues(t, row.expectedAnnotations, sec.ObjectMeta.Annotations)
    512. 

  512. 			}
    513. 

  513. 		})
    514. 

  514. 	}
    515. 

  515. }
    516. 

  516. 

  517. func TestExecuteInvalidTemplateScope(t *testing.T) {
    518. 

  518. 	sec := &corev1.Secret{}
    519. 

  519. 	err := Execute(map[string][]byte{"foo": []byte("bar")}, nil, "invalid", esapi.TemplateTargetData, sec)
    520. 

  520. 	require.Error(t, err)
    521. 

  521. 	assert.ErrorContains(t, err, "expected 'Values' or 'KeysAndValues'")
    522. 

  522. }
    523. 

  523. 

  524. func TestScopeKeysAndValues(t *testing.T) {
    525. 

  525. 	tbl := []struct {
    526. 

  526. 		name               string
    527. 

  527. 		tpl                map[string][]byte
    528. 

  528. 		target             esapi.TemplateTarget
    529. 

  529. 		data               map[string][]byte
    530. 

  530. 		expectedData       map[string][]byte
    531. 

  531. 		expectedStringData map[string]string
    532. 

  532. 		expErr             string
    533. 

  533. 	}{
    534. 

  534. 		{
    535. 

  535. 			name:   "test empty",
    536. 

  536. 			tpl:    map[string][]byte{"literal": []byte("")},
    537. 

  537. 			target: "Data",
    538. 

  538. 			data:   nil,
    539. 

  539. 		},
    540. 

  540. 		{
    541. 

  541. 			name:   "test base64",
    542. 

  542. 			tpl:    map[string][]byte{"literal": []byte("{{ .key }}: {{ .value }}")},
    543. 

  543. 			target: esapi.TemplateTargetData,
    544. 

  544. 			data: map[string][]byte{
    545. 

  545. 				"key":   []byte("foo"),
    546. 

  546. 				"value": []byte("bar"),
    547. 

  547. 			},
    548. 

  548. 			expectedData: map[string][]byte{
    549. 

  549. 				"foo": []byte("bar"),
    550. 

  550. 			},
    551. 

  551. 		},
    552. 

  552. 		{
    553. 

  553. 			name:   "test Annotations",
    554. 

  554. 			tpl:    map[string][]byte{"literal": []byte("{{ .key }}: {{ .value }}")},
    555. 

  555. 			target: esapi.TemplateTargetAnnotations,
    556. 

  556. 			data: map[string][]byte{
    557. 

  557. 				"key":   []byte("foo"),
    558. 

  558. 				"value": []byte("bar"),
    559. 

  559. 			},
    560. 

  560. 			expectedStringData: map[string]string{
    561. 

  561. 				"foo": "bar",
    562. 

  562. 			},
    563. 

  563. 		},
    564. 

  564. 		{
    565. 

  565. 			name:   "test Labels",
    566. 

  566. 			tpl:    map[string][]byte{"literal": []byte("{{ .key }}: {{ .value }}")},
    567. 

  567. 			target: esapi.TemplateTargetLabels,
    568. 

  568. 			data: map[string][]byte{
    569. 

  569. 				"key":   []byte("foo"),
    570. 

  570. 				"value": []byte("bar"),
    571. 

  571. 			},
    572. 

  572. 			expectedStringData: map[string]string{
    573. 

  573. 				"foo": "bar",
    574. 

  574. 			},
    575. 

  575. 		},
    576. 

  576. 	}
    577. 

  577. 	for i := range tbl {
    578. 

  578. 		row := tbl[i]
    579. 

  579. 		t.Run(row.name, func(t *testing.T) {
    580. 

  580. 			sec := &corev1.Secret{
    581. 

  581. 				Data:       make(map[string][]byte),
    582. 

  582. 				StringData: make(map[string]string),
    583. 

  583. 				ObjectMeta: v1.ObjectMeta{Labels: make(map[string]string), Annotations: make(map[string]string)},
    584. 

  584. 			}
    585. 

  585. 			err := Execute(row.tpl, row.data, esapi.TemplateScopeKeysAndValues, row.target, sec)
    586. 

  586. 			if !ErrorContains(err, row.expErr) {
    587. 

  587. 				t.Errorf("unexpected error: %s, expected: %s", err, row.expErr)
    588. 

  588. 			}
    589. 

  589. 			switch row.target {
    590. 

  590. 			case esapi.TemplateTargetData:
    591. 

  591. 				if row.expectedData != nil {
    592. 

  592. 					assert.EqualValues(t, row.expectedData, sec.Data)
    593. 

  593. 				}
    594. 

  594. 			case esapi.TemplateTargetLabels:
    595. 

  595. 				if row.expectedStringData != nil {
    596. 

  596. 					assert.EqualValues(t, row.expectedStringData, sec.Labels)
    597. 

  597. 				}
    598. 

  598. 			case esapi.TemplateTargetAnnotations:
    599. 

  599. 				if row.expectedStringData != nil {
    600. 

  600. 					assert.EqualValues(t, row.expectedStringData, sec.Annotations)
    601. 

  601. 				}
    602. 

  602. 			}
    603. 

  603. 		})
    604. 

  604. 	}
    605. 

  605. }
    606. 

  606. func ErrorContains(out error, want string) bool {
    607. 

  607. 	if out == nil {
    608. 

  608. 		return want == ""
    609. 

  609. 	}
    610. 

  610. 	if want == "" {
    611. 

  611. 		return false
    612. 

  612. 	}
    613. 

  613. 	return strings.Contains(out.Error(), want)
    614. 

  614. }
    615. 

  615. 

  616. func TestPkcs12certPass(t *testing.T) {
    617. 

  617. 	const (
    618. 

  618. 		leafCertPath         = "_testdata/foo.crt"
    619. 

  619. 		intermediateCertPath = "_testdata/intermediate-ca.crt"
    620. 

  620. 		rootCertPath         = "_testdata/root-ca.crt"
    621. 

  621. 		disjunctCertPath     = "_testdata/disjunct-root-ca.crt"
    622. 

  622. 	)
    623. 

  623. 	type args struct {
    624. 

  624. 		pass     string
    625. 

  625. 		filename string
    626. 

  626. 	}
    627. 

  627. 	type testCase struct {
    628. 

  628. 		name    string
    629. 

  629. 		args    args
    630. 

  630. 		want    []string
    631. 

  631. 		wantErr bool
    632. 

  632. 	}
    633. 

  633. 	tests := []testCase{
    634. 

  634. 		{
    635. 

  635. 			// this case expects the whole chain to be stored
    636. 

  636. 			// in a single bag.
    637. 

  637. 			// bag(1): leaf/root/intermediate cert
    638. 

  638. 			// bag(2): private key
    639. 

  639. 			name: "read file without password",
    640. 

  640. 			args: args{
    641. 

  641. 				pass:     "",
    642. 

  642. 				filename: "_testdata/foo-nopass.pfx",
    643. 

  643. 			},
    644. 

  644. 			want: []string{
    645. 

  645. 				// this order is important
    646. 

  646. 				leafCertPath,
    647. 

  647. 				intermediateCertPath,
    648. 

  648. 				rootCertPath,
    649. 

  649. 			},
    650. 

  650. 		},
    651. 

  651. 		{
    652. 

  652. 			// same as above but with password
    653. 

  653. 			name: "read file with password",
    654. 

  654. 			args: args{
    655. 

  655. 				pass:     "1234",
    656. 

  656. 				filename: "_testdata/foo-withpass-1234.pfx",
    657. 

  657. 			},
    658. 

  658. 			want: []string{
    659. 

  659. 				// this order is important
    660. 

  660. 				leafCertPath,
    661. 

  661. 				intermediateCertPath,
    662. 

  662. 				rootCertPath,
    663. 

  663. 			},
    664. 

  664. 		},
    665. 

  665. 		{
    666. 

  666. 			// cert chain may be stored in different bags
    667. 

  667. 			// this test case uses a pfx that has the following structure:
    668. 

  668. 			// bag(1): leaf certificate
    669. 

  669. 			// bag(2): root + intermediate cert
    670. 

  670. 			// bag(3): private key
    671. 

  671. 			name: "read multibag cert chain",
    672. 

  672. 			args: args{
    673. 

  673. 				pass:     "",
    674. 

  674. 				filename: "_testdata/foo-multibag-nopass.pfx",
    675. 

  675. 			},
    676. 

  676. 			want: []string{
    677. 

  677. 				// this order is important
    678. 

  678. 				leafCertPath,
    679. 

  679. 				intermediateCertPath,
    680. 

  680. 				rootCertPath,
    681. 

  681. 			},
    682. 

  682. 		},
    683. 

  683. 		{
    684. 

  684. 			// cert chain may contain a disjunct cert
    685. 

  685. 			// bag(1): leaf/root/intermediate/disjunct
    686. 

  686. 			// bag(2): private key
    687. 

  687. 			name: "read disjunct cert chain",
    688. 

  688. 			args: args{
    689. 

  689. 				pass:     "",
    690. 

  690. 				filename: "_testdata/foo-disjunct-nopass.pfx",
    691. 

  691. 			},
    692. 

  692. 			want: []string{
    693. 

  693. 				// this order is important
    694. 

  694. 				leafCertPath,
    695. 

  695. 				rootCertPath,
    696. 

  696. 				intermediateCertPath,
    697. 

  697. 				disjunctCertPath,
    698. 

  698. 			},
    699. 

  699. 		},
    700. 

  700. 		{
    701. 

  701. 			name: "read file wrong password",
    702. 

  702. 			args: args{
    703. 

  703. 				pass:     "wrongpass",
    704. 

  704. 				filename: "_testdata/foo-withpass-1234.pfx",
    705. 

  705. 			},
    706. 

  706. 			wantErr: true,
    707. 

  707. 		},
    708. 

  708. 	}
    709. 

  709. 

  710. 	testFunc := func(t *testing.T, tc testCase) {
    711. 

  711. 		archive, err := os.ReadFile(tc.args.filename)
    712. 

  712. 		if err != nil {
    713. 

  713. 			t.Error(err)
    714. 

  714. 		}
    715. 

  715. 		var expOut []byte
    716. 

  716. 		for _, w := range tc.want {
    717. 

  717. 			c, err := os.ReadFile(w)
    718. 

  718. 			if err != nil {
    719. 

  719. 				t.Error(err)
    720. 

  720. 			}
    721. 

  721. 			expOut = append(expOut, c...)
    722. 

  722. 		}
    723. 

  723. 		got, err := pkcs12certPass(tc.args.pass, string(archive))
    724. 

  724. 		if (err != nil) != tc.wantErr {
    725. 

  725. 			t.Errorf("pkcs12certPass() error = %v, wantErr %v", err, tc.wantErr)
    726. 

  726. 			return
    727. 

  727. 		}
    728. 

  728. 		if diff := cmp.Diff(string(expOut), got); diff != "" {
    729. 

  729. 			t.Errorf("pkcs12certPass() = diff:\n%s", diff)
    730. 

  730. 		}
    731. 

  731. 	}
    732. 

  732. 

  733. 	for _, tt := range tests {
    734. 

  734. 		t.Run(tt.name, func(t *testing.T) {
    735. 

  735. 			testFunc(t, tt)
    736. 

  736. 		})
    737. 

  737. 	}
    738. 

  738. }
    739.