Home Explore Help
Sign In
logic855
/
helm-external-secrets
mirror of https://github.com/external-secrets/external-secrets
1
0
Fork 0
Files Issues 0 Wiki
Tree: 0ac2a33d62
Branches Tags
helm-externa...
/
runtime
/
template
/
v2
/
template_test.go

template_test.go 48 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950951952953954955956957958959960961962963964965966967968969970971972973974975976977978979980981982983984985986987988989990991992993994995996997998999100010011002100310041005100610071008100910101011101210131014101510161017101810191020102110221023102410251026102710281029103010311032103310341035103610371038103910401041104210431044104510461047104810491050105110521053105410551056105710581059106010611062106310641065106610671068106910701071107210731074107510761077107810791080108110821083108410851086108710881089109010911092109310941095109610971098109911001101110211031104110511061107110811091110111111121113111411151116111711181119112011211122112311241125112611271128112911301131113211331134113511361137113811391140114111421143114411451146114711481149115011511152115311541155115611571158115911601161116211631164116511661167116811691170117111721173117411751176117711781179118011811182118311841185118611871188118911901191119211931194119511961197119811991200120112021203120412051206120712081209121012111212121312141215121612171218121912201221122212231224122512261227122812291230123112321233123412351236123712381239124012411242124312441245124612471248124912501251125212531254125512561257125812591260126112621263126412651266126712681269127012711272127312741275127612771278127912801281128212831284128512861287128812891290129112921293129412951296129712981299130013011302130313041305130613071308130913101311131213131314131513161317131813191320132113221323132413251326132713281329133013311332133313341335 
  1. /*
    2. 

  2. Copyright © 2025 ESO Maintainer Team
    3. 

  3. 

  4. Licensed under the Apache License, Version 2.0 (the "License");
    5. 

  5. you may not use this file except in compliance with the License.
    6. 

  6. You may obtain a copy of the License at
    7. 

  7. 

  8.     https://www.apache.org/licenses/LICENSE-2.0
    9. 

  9. 

  10. Unless required by applicable law or agreed to in writing, software
    11. 

  11. distributed under the License is distributed on an "AS IS" BASIS,
    12. 

  12. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    13. 

  13. See the License for the specific language governing permissions and
    14. 

  14. limitations under the License.
    15. 

  15. */
    16. 

  16. 

  17. package template
    18. 

  18. 

  19. import (
    20. 

  20. 	"crypto/rand"
    21. 

  21. 	"crypto/rsa"
    22. 

  22. 	"crypto/x509"
    23. 

  23. 	"encoding/pem"
    24. 

  24. 	"os"
    25. 

  25. 	"strings"
    26. 

  26. 	"testing"
    27. 

  27. 

  28. 	"github.com/google/go-cmp/cmp"
    29. 

  29. 	"github.com/stretchr/testify/assert"
    30. 

  30. 	"github.com/stretchr/testify/require"
    31. 

  31. 	corev1 "k8s.io/api/core/v1"
    32. 

  32. 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
    33. 

  33. 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
    34. 

  34. 

  35. 	esapi "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
    36. 

  36. )
    37. 

  37. 

  38. const (
    39. 

  39. 	pkcs12ContentNoPass   = `MIIJYQIBAzCCCScGCSqGSIb3DQEHAaCCCRgEggkUMIIJEDCCA8cGCSqGSIb3DQEHBqCCA7gwggO0AgEAMIIDrQYJKoZIhvcNAQcBMBwGCiqGSIb3DQEMAQYwDgQInZmyWpNTPS4CAggAgIIDgPzZTmogBRiLP0NJZEUghZ3Oh1aqHJJ32HKgXUpD5BJ/5AvpUL9FC7m6a3GD++P1On/35J9N50bDjfBJjJrl2zpA143bzltPQBOK30cBJjNsCeN2Dq1dcsvJZfEy20z75NduXjMF6/qs4BbE+1E6nYFYVNHUybFnaQwSx7+2/2OMbXbcFpt4bv3HTw0YLw2pZeW/4/4A9d+tC9UdVQTTyNbI8l9nf1aeaaPsw1keVLmHurmTihfwh469FvjgwiHUP/P3ZCn1tOpWDR8ck0j+ru6imVP2hn+Kvk6svllmYqo3A5DnDRoF/Cl9R0DAPyS0lw7BeGskgTm7B79mzVitTbzRnIUP+sGJjc1AVghnitfcX4ffv8gq5xWaKGucO/IZXbPBoe7tMhKZmsirKzD4RBhC3nMyrwaHJB6PqUwxMQGMLbuHe7GlWhJAyFlcOTt5dgNl+axIkWdisoKNinYYeOuxudqyX6yPfsyaRCV5MEez3Wu+59MENGlGDRWbw61QuwsZkr1bAT2SJrQ/zHn5aGAluQZ1csJhKQ34iy1Ml9K9F4Zh3/2OWPs0u6+JCb1PC1vChBkguqcqQtEcikRwR9dNF9cdMB1T1Xk5GqlmOPaigkYzGWLgtl8cV5/Zl0m2j77mX9x4HVCTercAABGf9JcCLzSCo04c5OwIYtWUXBkux5n2VI2ZIuS1KF+r6JNyL3lg/D8LColzDUP/6tQCBVVgMar3iLblM17wPMTDMR5Bn+NvenwJj6FWaGGMtdjygtN+oSHpNDbVygfGQy+jEgUtK7yw0uh/WKBMWVw1E6iNuhb8HIyCFtQon8sDkuZ81czOpR3Ta1SWUWrZD+pjpL2Z4y8Nc2wt9pVPvLFOTn+GDFVqGpde3kovh3GfJjYCG/HI5rXZyziflDOoSy0SyG6aVCG4ZqW2LTymoVN/kxf+skqAweX1vxvvJniiv8HgYfEASFUWear4uT641d1YwcEIawNv4n+GKBilK/7ODl2QL86svwqIcbyiJrneyU2tHymKzGcU2VxmSgf8EnjqGuIEo7WXOpk0oUMcvYrM73cgzZ3BchUDIN0KWSDI+vDcVY82dbI39KM6dtOJFAx3kEdms/gdSqZtmHUIeArGp+8caCCAK/W+4wTOvtisK+6MtzdMz6P93N78N4Vo6cs3dkj6t/6tgNog5SCfwlOEyUpmMIIFQQYJKoZIhvcNAQcBoIIFMgSCBS4wggUqMIIFJgYLKoZIhvcNAQwKAQKgggTuMIIE6jAcBgoqhkiG9w0BDAEDMA4ECHVnarQ94cqlAgIIAASCBMgUvEVKsUcqEvYJEJ9JixgB0W3uhSi/Espt931a/mwx5Ja2K7vjlttaOct3Zc8umVrP5C322tmHz9QDVPj3Bln8CGfofC/8Nb6+SDeofmYaQYReOZpZGksEBs4P3yURl8wQpIkG31Oyf3urDTJdplfDrzu6XpEpIf7RicIR+Zh4Q1+F75XwPo52/yNs8q/kVV8H97gSRqQ2GixIdyNu+JLtNjdwAERHy4DeQjwgiMCdL+xMfN+WJyIvkLZDoy9bacXeG4IcQM+n84272C6j1a0BPaOm0K5A7I0H1zpXOJiWfn3MrT4LHDudrQoIWUOvcJjWaIM/KyghotDN50THKN9qCEE9SmtfWXGGFaJmyxbUDFizBIAsFshNtMs/47PoInTSNwzxNvUUQ3ap93iquGZ9EaZAMY2HQHW/QJIQ70IbtcHU28Bus/hrMcV0X9D1p4UeHuk37W7aCrL6hS+ac9pmzwmcDBwZUliyInxRmqCCerjg2ojAM9SVg8FrpQUErP+BOaoCBwQqLLiz9BM+3tUQc/8MyaBHq+c2dUoPfvipDIQXYiq66CkjmPHxPFEL1l9d9oBFoIGkt6SIHDjWnTPc5q5SvJ9tz8Dp1k/1HQSA8OUS6j+XySYuGe8xTvN/oUpVRswef2Qd/kxZlc1FJ4lVAXvbW7C7772l14BJv/WULcFH4Sn83rlL3YwHr4vJMf6wLahn7oQPI0VFSQiiOOb/+gkiTrwO3Gz+HXOkUwaKnW85PeoIt3/q1u0CRl64mUjqCegi7RMY9Q9tRMlD5yx0RsH7mc4b6Eg/3IwGu8VQmZCO5W2unCpfzzyrOx7OaGGaW4RJ2Mx7bJ8uV9HU8MbbNntmc9oxebPdDnBmbt8p8t4ZZxC+zcqcXi3TxACXmwnasogQEi0d0ttXkB5cnDCG00Y8WPdNIWfJdIQh8Hj16LAMYWUacz/J0kLP99ENQntZibVw/Q3zZtHSF5tmsYp7o1HglBpRwLTcd026YTrxB+VCEiUYy4hH6a38oEEpY7wTIiRmEBQPIRM0HUOqVh4z6TNzRx6iIhrQEvg06B8U6iVPqy8FGDkhf3P55Ed95/Rw6uSdlMTHng+Q4aG00k4qKdKOyv55IXPcvEzAeVNBuesknaS8x7Eb/I5mHSoZU3RYAEFGbehUkvkhNr3Xq7/W/400AKiliravJq8j/qKIZ9hAVUWOps09F/4peYfLXM1AhxWWGa5QqvwFkClM+uRyqIRGJwl2Z7asl4sWVXbwtb+Axio+mYGdzxIki5iwJvRCwKapoZplndXKTrn2nYBuhxW2+fRHa8WYdsm/wn0K+jYMlZhquVjNXyL70/Sym6DkzCtJvveQs2CfcEWQuedjRSGFVFT2jV/s5F8L2TV7nQNVj6dEJSNM5JCdZ//OpiMHMCbPNeSxY9koGplUqFhP54F1WU9x+8xiFjEp8WKxQYKHUtj+ace0lLF4CDGXhFR/0k7Icarpax3hYnvagd2OpZyRJdavKBSs5U7/NPuO6sNhZ2NpzsOiul9Iu8bu3UHCECNKkwN4wF4alTlG9sAAbS4ns4wb9XTajG+OPYoDQZmuJfc71McN6m8KBHEnXU8r4epdR7xREe/w+h2MwtPhLvbxwO592tUxJTAjBgkqhkiG9w0BCRUxFgQUOEXV6IFYGpCSHi0MPHz4b3W0KOQwMTAhMAkGBSsOAwIaBQAEFAjyBCA+mr+5UkKuQ1jGw90ASfbVBAjbvqJJZikDPgICCAA=`
    40. 

  40. 	pkcs12ContentWithPass = `MIIJYQIBAzCCCScGCSqGSIb3DQEHAaCCCRgEggkUMIIJEDCCA8cGCSqGSIb3DQEHBqCCA7gwggO0AgEAMIIDrQYJKoZIhvcNAQcBMBwGCiqGSIb3DQEMAQYwDgQI2eZRJ7Ar+JQCAggAgIIDgFTbOtkFPjqxAoYRHoq1SbyXKf/NRbBA5AqxQlv9aFVT4VcxUSrMGaSWifX2UjsVWQzn134yoLLbdJ0jTorVD+EuBUmtb3xXbBwLqtFZxwcWodYA5WhPQdDcQo0cD3o1vrsXPQARQR6ISSFnhFjPYdH9cO2LqUKV5pjFhIs2/1VPDS2eY7SWZN52DK3QknSj23S3ZW2s4TFEj/5C4ssbO7cWNWBjjaORnd17FMNgVtcRw8ITmLdGBOpFUwP8wIdiLGrXiyjfMLns74nztRelV30/v0DPlz0pZtOPygi/dy0qpbil3wtOFrtQBLEdvLNmt9ikQgGs3pJBS68eMJLu3jAU6rCIKycq0+E0eMXeHcseyMwgguTj2h4t+E4S7nU11lViBFqkSBKxE28+9fNlPvCsZ4WhQZ6TAW3E/jDy/ZSqmak5V7/khMlRPvtrxz71ivksH0iipPdJJkGi7SDEvETySBETiqIslUmsF0ZYeHR5wIBkB5V8zmi8RRZtpvDGbzuQ22V6sNk2mTDh+BRus7gNCoSGWYXWqNNp1PnznuYCJp9T+0mObcAijE7IQuhpYMeQPF+MUIlG5lmpNouzuygTf++xrKIjzP36DcthnMPeD/8LYWfzkuAeRodjl7Z1G6XLvBD5h+Xlq23WPjMcXUiiWYXxTREAQ1EWUf4A9twGcxHJ5AatbvQY3QUoS4a7LNuy17lF7G+O1SFDtGeHZXHHecaVpuAtqZEYeUpqy6ZzMJXtXE1JNl/UR9TtTordb1V5Pf45JTYKLI+SwxVQbRiTgfhulNc+E3tV1AEELZt4CKmh1OFJoJRtyREMfdVuP4rx7ywIoMYuWw8CRqJ3qSmdwz2kmL2pfJNn6vDfN6rNa+sXWErOJ7naSAKQH2CJfnkCOFxkKfwjbOcNRbnGKah8NyWu6xqlv7Y4xEJYqmPahGHmrSfdAt3mpc5zD74DvetLIczcadKaLH7mp6h98xHayvXh0UE7ERHeskfSPrLxL9A3V1RZXDOtcZFWSKHzokuXMDF9OnrcMYDzYgtzof4ReY2t1ldGF7phYINhDlUNyhzyjwyWQbdkxr/+FtWq8Sbm7o2zMTby48c25gnqD9U8RTAO+bY3oV3dQ4bpAOzWdzVmFjESUFx0xVwbTSJGXdkH4YmD5He+xwxTa0Je0HE5+ui5dbP1gxUY+pCGLOhGMIIFQQYJKoZIhvcNAQcBoIIFMgSCBS4wggUqMIIFJgYLKoZIhvcNAQwKAQKgggTuMIIE6jAcBgoqhkiG9w0BDAEDMA4ECGYAccNFWW6kAgIIAASCBMgbXw69iyx73RGWS3FYeuvF5L1VWXQGrDLdUGwa3SdovXxmP1pKBAb82UuiydXDpKSVCmefeEQTs6ucEFRmXrDIldNanqUwbydy3GSJ+4iNsVQHbFgNppH4e90L7BlLcZ3MzSrVEwxWVMHq+XLqTKf3X3QyrmA3mmF96+Nd+icpDIktd+/h2BHnSXHNP0QfVH27H4DwbMDijttXY0JB+8qP9m25Wn4zkmOPEUhrY4Ptv2I08eHFAuNI0jWUwfRhC4FDbUdwFb0aZjA3Te6uYTsu2zAlmg9HuqsD/Ef/wkBEKZLBkjiXa/niFVrwELXhWZDPBAuo+/1UbzXglsW4QDU4LbUutcs6DLag1vLe40a2LO1ODQm7Zw0bxLkb3f/ry6ZFYvO78XmHo4c/oQf4KPUtM2bLz5q7uOxAx07vHYaU2BVt3NjgiIO5VVKjw0075GdgFxwPvYncv1fsC5jSIkX43GuzEtoBTpJKDYb2nhKbN9XWixwGOhUBTK3WYBhn+uaMJs4l3EgkDtK9tsUs5VQQHawj0WrGS1mQhaBfcyZzv4wSn0d3JUO2CN0e9EReJcQvsEnwUvohilOvjDHHhTq8Kp4XU4jbq7TAKqxs3TOmdoskRykn9oKUPExJVhJQonFT3ietV5BHrnN/QoDCSeOR80ZxvWHrQDz3Hm1ygiHd8LYmN4IjiD8b28ZrCALifWxh0WmIYtLZrUjMZavPh+caWH9IG32fTxV9b1bgJD8vWqscj9jCjeMJvkKQo8PFg1kMAxt1u+bIyktTq42O9qxwGrdqEMeBzXxDJMMaRIH3m9LNZ/P5Nk4/hMURhCZJtRtNfOVTK+Q6kKgsdK2EHcuEnp/qBefZjve+xmitbF1W7C4+B7b2JNBacdIm1nE56DwglT/IUk65JrNFP3rf4c5ic76LCQrvyfLiKCGaqcihM9siLVFPYdrnr8TlGbCFnGbpBqMQA5MtZQaDUug50PJtdxlgfwWH4qliimgchCaZbSTcgN5YTguSe16uUSusHD+r6XdtI0939uDILXJjQMczhIKNw8w0Tn4Z3/g2KlB6cwbtaglnnO4a/USh0cPC1a581byNqeFoMi+mAhqfKkwdDuti4GX7OrhkUOkiRjEUXdcckpmmIsyamH/g1dq3CNFXFNIgRRrzIDo4Opr3Ip2VE/4BDQoo/+Rybzxh8bsHgCEujQf8urGxjGyd2ulHoXzHWhz7pPPuY5UN6dC9WZmOQDVous/1nhYThoLVVc61Rk6d83+Ac7iRg4bY5q/73J4HvPMmrTOOOqqn3wc9Pe5ibEy4tFaYnim4p1ZRm8YcwosZmuFPdsP6G5l5qt6uOyr2+qNpXIBkDpG7I6Ls10O7L3PQAX9zRGfcz6Ds0KtuDrLpaVvhuXpewsBwpo1lmhv9bAa4ppBuWznmKigX+vYojSxd/eCRAtMs+Lx6ppZsYNVhbdEIGKXSGwG98sSTZkoLHBMkUW7S8jpeSCHZWEFBUOPJQzAr5cW1w+RAs33cGUygZ5XEEx4DeW8MnO4lCuP+VDOwu3TAKhzAD+qCyXbLEzWiyL5fq3XL+YJtoAc8Mra9lK6jDqzq4u+PLNoYY+kWTBhCyRZ+PfzcXLry8pxuP5E6VtRgfYcxJTAjBgkqhkiG9w0BCRUxFgQUOEXV6IFYGpCSHi0MPHz4b3W0KOQwMTAhMAkGBSsOAwIaBQAEFBa+SV9FU2UObo+nYKdyt/kZVw6FBAgey4GonFtJ2gICCAA=`
    41. 

  41. 	pkcs12Cert            = `-----BEGIN CERTIFICATE-----
    42. 

  42. MIIDHTCCAgWgAwIBAgIRAKC4yxy9QGocND+6avTf7BgwDQYJKoZIhvcNAQELBQAw
    43. 

  43. EjEQMA4GA1UEChMHQWNtZSBDbzAeFw0yMTAzMjAyMDA4MDhaFw0yMTAzMjAyMDM4
    44. 

  44. MDhaMBIxEDAOBgNVBAoTB0FjbWUgQ28wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
    45. 

  45. ggEKAoIBAQC3o6/JdZEqNbqNRkopHhJtJG5c4qS5d0tQ/kZYpfD/v/izAYum4Nzj
    46. 

  46. aG15owr92/11W0pxPUliRLti3y6iScTs+ofm2D7p4UXj/Fnho/2xoWSOoWAodgvW
    47. 

  47. Y8jh8A0LQALZiV/9QsrJdXZdS47DYZLsQ3z9yFC/CdXkg1l7AQ3fIVGKdrQBr9kE
    48. 

  48. 1gEDqnKfRxXI8DEQKXr+CKPUwCAytegmy0SHp53zNAvY+kopHytzmJpXLoEhxq4e
    49. 

  49. ugHe52vXHdh/HJ9VjNp0xOH1waAgAGxHlltCW0PVd5AJ0SXROBS/a3V9sZCbCrJa
    50. 

  50. YOOonQSEswveSv6PcG9AHvpNPot2Xs6hAgMBAAGjbjBsMA4GA1UdDwEB/wQEAwIC
    51. 

  51. pDATBgNVHSUEDDAKBggrBgEFBQcDATAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQW
    52. 

  52. BBR00805mrpoonp95RmC3B6oLl+cGTAVBgNVHREEDjAMggpnb29ibGUuY29tMA0G
    53. 

  53. CSqGSIb3DQEBCwUAA4IBAQAipc1b6JrEDayPjpz5GM5krcI8dCWVd8re0a9bGjjN
    54. 

  54. ioWGlu/eTr5El0ffwCNZ2WLmL9rewfHf/bMvYz3ioFZJ2OTxfazqYXNggQz6cMfa
    55. 

  55. lbedDCdt5XLVX2TyerGvFram+9Uyvk3l0uM7rZnwAmdirG4Tv94QRaD3q4xTj/c0
    56. 

  56. mv+AggtK0aRFb9o47z/BypLdk5mhbf3Mmr88C8XBzEnfdYyf4JpTlZrYLBmDCu5d
    57. 

  57. 9RLLsjXxhag8xqMtd1uLUM8XOTGzVWacw8iGY+CTtBKqyA+AE6/bDwZvEwVtsKtC
    58. 

  58. QJ85ioEpy00NioqcF0WyMZH80uMsPycfpnl5uF7RkW8u
    59. 

  59. -----END CERTIFICATE-----
    60. 

  60. `
    61. 

  61. 	pkcs12Key = `-----BEGIN PRIVATE KEY-----
    62. 

  62. MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC3o6/JdZEqNbqN
    63. 

  63. RkopHhJtJG5c4qS5d0tQ/kZYpfD/v/izAYum4NzjaG15owr92/11W0pxPUliRLti
    64. 

  64. 3y6iScTs+ofm2D7p4UXj/Fnho/2xoWSOoWAodgvWY8jh8A0LQALZiV/9QsrJdXZd
    65. 

  65. S47DYZLsQ3z9yFC/CdXkg1l7AQ3fIVGKdrQBr9kE1gEDqnKfRxXI8DEQKXr+CKPU
    66. 

  66. wCAytegmy0SHp53zNAvY+kopHytzmJpXLoEhxq4eugHe52vXHdh/HJ9VjNp0xOH1
    67. 

  67. waAgAGxHlltCW0PVd5AJ0SXROBS/a3V9sZCbCrJaYOOonQSEswveSv6PcG9AHvpN
    68. 

  68. Pot2Xs6hAgMBAAECggEACTGPrmVNZDCWa1Y2hkJ0J7SoNcw+9O4M/jwMp4l/PD6P
    69. 

  69. I98S78LYLCZhPLK17SmjUcnFO1AXKW1JeFS2D/fjfP256guvcqQNjLFoioxcOhVb
    70. 

  70. ZGyd1Mi8JPqP5wfOj16gBeYDwTkjz9wqldcfiZaL9XoXetkZecbzR2JwC2FtIVuC
    71. 

  71. 0njTjMNYpaBKnoLb8OTR0EQz7lYEo2MkQiWryz8wseONnFmdfh18p+p10YgCbuCH
    72. 

  72. qesrWfDLLxaxZelNtDhDngg9LoCLmarYy7BgShacmUEgJTZ/x3xFC75thK3ln0OY
    73. 

  73. +ktTgvVotYYaZi7qAjQiEsTvkTAPg5RMpQLd2UIWsQKBgQDCBp+1vURbwGzmTNUg
    74. 

  74. HMipD6WDFdLc9DCacx6+ZqsEPTMWQbCpVZrDKiY0Rjt5F+xOCyMr00J5RDJXRC0G
    75. 

  75. +L7NcJdywOFutT7vB+cmETg7l/6PHweNYBnE66706eTL/KVYZMi4tEinarPWhHmL
    76. 

  76. jasfdLANtpDjdWkRt299TkPRbQKBgQDyS8Rr7KZdv04Csqkf+ASmiJpT5R6Y72kc
    77. 

  77. 3XYpKETyB2FyPZkuh/zInMut9SkkSI9O/jA3zf956jj6sF1DHvp7T8KkIp5OAQeD
    78. 

  78. J9AF65m2MnZfHFUeJ6ZQsggwMWqrD0ycIWP7YWtiBHH+D1wGkjYrssq+bvG/yNpA
    79. 

  79. LtqdKq9lhQKBgQCZA2hIhy61vRckuEsLvCdzTGeW7UsR/XGnHEqOlaEhArKbRsrv
    80. 

  80. gBdA+qiOaSTV5svw8E+YbE7sG6AnuhhYeyreEYEeeoZOLJmpIG5mUwYp2UBj1nC6
    81. 

  81. SaOI7OVZOGu7g09SWokBQQxbG4cgEfFY4Sym7fs5lVTGTP3Dfwppo6NQMQKBgQCo
    82. 

  82. J5NDP3Lafwk58BpV+H/pv8YzUUDh7M2rXbtCpxLqUdr8OOnVlEUISWFF8m5CIyVq
    83. 

  83. MhjuscWLK9Wtjba7/YTjDaDM3sW05xv6lyfU5ATCoNTr/zLHgcb4HAZ4w+L+otiN
    84. 

  84. RtMnxB2NYf5mzuwUF2cG/secUEzwyAlIH/xStSwTLQKBgQCRvqF+rqxnegoOgwVW
    85. 

  85. qrWPv06wXD8dW2FlPpY5GXqA0l6erSK3YsQQToRmbem9ibPD7bd5P4gNbWfxwK4C
    86. 

  86. Wt+1Rcb8OrDhDJbYz85bXBnPecKp4EN0b9SHO0/dsCqn2w30emc+9T/4m1ZDkpBd
    87. 

  87. BixHvI/EJ8YK3ta5WdJWKC6hnA==
    88. 

  88. -----END PRIVATE KEY-----
    89. 

  89. `
    90. 

  90. 	jwkPubRSA     = `{"kid":"ex","kty":"RSA","key_ops":["sign","verify","wrapKey","unwrapKey","encrypt","decrypt"],"n":"p2VQo8qCfWAZmdWBVaYuYb-a-tWWm78K6Sr9poCvNcmv8rUPSLACxitQWR8gZaSH1DklVkqz-Ed8Cdlf8lkDg4Ex5tkB64jRdC1Uvn4CDpOH6cp-N2s8hTFLqy9_YaDmyQS7HiqthOi9oVjil1VMeWfaAbClGtFt6UnKD0Vb_DvLoWYQSqlhgBArFJi966b4E1pOq5Ad02K8pHBDThlIIx7unibLehhDU6q3DCwNH_OOLx6bgNtmvGYJDd1cywpkLQ3YzNCUPWnfMBJRP3iQP_WI21uP6cvo0DqBPBM4wvVzHbCT0vnIflwkbgEWkq1FprqAitZlop9KjLqzjp9vyQ","e":"AQAB"}`
    91. 

  91. 	jwkPubRSAPKIX = `-----BEGIN PUBLIC KEY-----
    92. 

  92. MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAp2VQo8qCfWAZmdWBVaYu
    93. 

  93. Yb+a+tWWm78K6Sr9poCvNcmv8rUPSLACxitQWR8gZaSH1DklVkqz+Ed8Cdlf8lkD
    94. 

  94. g4Ex5tkB64jRdC1Uvn4CDpOH6cp+N2s8hTFLqy9/YaDmyQS7HiqthOi9oVjil1VM
    95. 

  95. eWfaAbClGtFt6UnKD0Vb/DvLoWYQSqlhgBArFJi966b4E1pOq5Ad02K8pHBDThlI
    96. 

  96. Ix7unibLehhDU6q3DCwNH/OOLx6bgNtmvGYJDd1cywpkLQ3YzNCUPWnfMBJRP3iQ
    97. 

  97. P/WI21uP6cvo0DqBPBM4wvVzHbCT0vnIflwkbgEWkq1FprqAitZlop9KjLqzjp9v
    98. 

  98. yQIDAQAB
    99. 

  99. -----END PUBLIC KEY-----
    100. 

  100. `
    101. 

  101. 	jwkPrivRSA      = `{"kty" : "RSA","kid" : "cc34c0a0-bd5a-4a3c-a50d-a2a7db7643df","use" : "sig","n"   : "pjdss8ZaDfEH6K6U7GeW2nxDqR4IP049fk1fK0lndimbMMVBdPv_hSpm8T8EtBDxrUdi1OHZfMhUixGaut-3nQ4GG9nM249oxhCtxqqNvEXrmQRGqczyLxuh-fKn9Fg--hS9UpazHpfVAFnB5aCfXoNhPuI8oByyFKMKaOVgHNqP5NBEqabiLftZD3W_lsFCPGuzr4Vp0YS7zS2hDYScC2oOMu4rGU1LcMZf39p3153Cq7bS2Xh6Y-vw5pwzFYZdjQxDn8x8BG3fJ6j8TGLXQsbKH1218_HcUJRvMwdpbUQG5nvA2GXVqLqdwp054Lzk9_B_f1lVrmOKuHjTNHq48w","e"   : "AQAB","d"   : "ksDmucdMJXkFGZxiomNHnroOZxe8AmDLDGO1vhs-POa5PZM7mtUPonxwjVmthmpbZzla-kg55OFfO7YcXhg-Hm2OWTKwm73_rLh3JavaHjvBqsVKuorX3V3RYkSro6HyYIzFJ1Ek7sLxbjDRcDOj4ievSX0oN9l-JZhaDYlPlci5uJsoqro_YrE0PRRWVhtGynd-_aWgQv1YzkfZuMD-hJtDi1Im2humOWxA4eZrFs9eG-whXcOvaSwO4sSGbS99ecQZHM2TcdXeAs1PvjVgQ_dKnZlGN3lTWoWfQP55Z7Tgt8Nf1q4ZAKd-NlMe-7iqCFfsnFwXjSiaOa2CRGZn-Q","p"   : "4A5nU4ahEww7B65yuzmGeCUUi8ikWzv1C81pSyUKvKzu8CX41hp9J6oRaLGesKImYiuVQK47FhZ--wwfpRwHvSxtNU9qXb8ewo-BvadyO1eVrIk4tNV543QlSe7pQAoJGkxCia5rfznAE3InKF4JvIlchyqs0RQ8wx7lULqwnn0","q"   : "ven83GM6SfrmO-TBHbjTk6JhP_3CMsIvmSdo4KrbQNvp4vHO3w1_0zJ3URkmkYGhz2tgPlfd7v1l2I6QkIh4Bumdj6FyFZEBpxjE4MpfdNVcNINvVj87cLyTRmIcaGxmfylY7QErP8GFA-k4UoH_eQmGKGK44TRzYj5hZYGWIC8","dp"  : "lmmU_AG5SGxBhJqb8wxfNXDPJjf__i92BgJT2Vp4pskBbr5PGoyV0HbfUQVMnw977RONEurkR6O6gxZUeCclGt4kQlGZ-m0_XSWx13v9t9DIbheAtgVJ2mQyVDvK4m7aRYlEceFh0PsX8vYDS5o1txgPwb3oXkPTtrmbAGMUBpE","dq"  : "mxRTU3QDyR2EnCv0Nl0TCF90oliJGAHR9HJmBe__EjuCBbwHfcT8OG3hWOv8vpzokQPRl5cQt3NckzX3fs6xlJN4Ai2Hh2zduKFVQ2p-AF2p6Yfahscjtq-GY9cB85NxLy2IXCC0PF--Sq9LOrTE9QV988SJy_yUrAjcZ5MmECk","qi"  : "ldHXIrEmMZVaNwGzDF9WG8sHj2mOZmQpw9yrjLK9hAsmsNr5LTyqWAqJIYZSwPTYWhY4nu2O0EY9G9uYiqewXfCKw_UngrJt8Xwfq1Zruz0YY869zPN4GiE9-9rzdZB33RBw8kIOquY3MK74FMwCihYx_LiU2YTHkaoJ3ncvtvg"}`
    102. 

  102. 	jwkPrivRSAPKCS8 = `-----BEGIN PRIVATE KEY-----
    103. 

  103. MIIEwAIBADANBgkqhkiG9w0BAQEFAASCBKowggSmAgEAAoIBAQCmN2yzxloN8Qfo
    104. 

  104. rpTsZ5bafEOpHgg/Tj1+TV8rSWd2KZswxUF0+/+FKmbxPwS0EPGtR2LU4dl8yFSL
    105. 

  105. EZq637edDgYb2czbj2jGEK3Gqo28ReuZBEapzPIvG6H58qf0WD76FL1SlrMel9UA
    106. 

  106. WcHloJ9eg2E+4jygHLIUowpo5WAc2o/k0ESppuIt+1kPdb+WwUI8a7OvhWnRhLvN
    107. 

  107. LaENhJwLag4y7isZTUtwxl/f2nfXncKrttLZeHpj6/DmnDMVhl2NDEOfzHwEbd8n
    108. 

  108. qPxMYtdCxsofXbXz8dxQlG8zB2ltRAbme8DYZdWoup3CnTngvOT38H9/WVWuY4q4
    109. 

  109. eNM0erjzAgMBAAECggEBAJLA5rnHTCV5BRmcYqJjR566DmcXvAJgywxjtb4bPjzm
    110. 

  110. uT2TO5rVD6J8cI1ZrYZqW2c5WvpIOeThXzu2HF4YPh5tjlkysJu9/6y4dyWr2h47
    111. 

  111. warFSrqK191d0WJEq6Oh8mCMxSdRJO7C8W4w0XAzo+Inr0l9KDfZfiWYWg2JT5XI
    112. 

  112. ubibKKq6P2KxND0UVlYbRsp3fv2loEL9WM5H2bjA/oSbQ4tSJtobpjlsQOHmaxbP
    113. 

  113. XhvsIV3Dr2ksDuLEhm0vfXnEGRzNk3HV3gLNT741YEP3Sp2ZRjd5U1qFn0D+eWe0
    114. 

  114. 4LfDX9auGQCnfjZTHvu4qghX7JxcF40omjmtgkRmZ/kCgYEA4A5nU4ahEww7B65y
    115. 

  115. uzmGeCUUi8ikWzv1C81pSyUKvKzu8CX41hp9J6oRaLGesKImYiuVQK47FhZ++wwf
    116. 

  116. pRwHvSxtNU9qXb8ewo+BvadyO1eVrIk4tNV543QlSe7pQAoJGkxCia5rfznAE3In
    117. 

  117. KF4JvIlchyqs0RQ8wx7lULqwnn0CgYEAven83GM6SfrmO+TBHbjTk6JhP/3CMsIv
    118. 

  118. mSdo4KrbQNvp4vHO3w1/0zJ3URkmkYGhz2tgPlfd7v1l2I6QkIh4Bumdj6FyFZEB
    119. 

  119. pxjE4MpfdNVcNINvVj87cLyTRmIcaGxmfylY7QErP8GFA+k4UoH/eQmGKGK44TRz
    120. 

  120. Yj5hZYGWIC8CgYEAlmmU/AG5SGxBhJqb8wxfNXDPJjf//i92BgJT2Vp4pskBbr5P
    121. 

  121. GoyV0HbfUQVMnw977RONEurkR6O6gxZUeCclGt4kQlGZ+m0/XSWx13v9t9DIbheA
    122. 

  122. tgVJ2mQyVDvK4m7aRYlEceFh0PsX8vYDS5o1txgPwb3oXkPTtrmbAGMUBpECgYEA
    123. 

  123. mxRTU3QDyR2EnCv0Nl0TCF90oliJGAHR9HJmBe//EjuCBbwHfcT8OG3hWOv8vpzo
    124. 

  124. kQPRl5cQt3NckzX3fs6xlJN4Ai2Hh2zduKFVQ2p+AF2p6Yfahscjtq+GY9cB85Nx
    125. 

  125. Ly2IXCC0PF++Sq9LOrTE9QV988SJy/yUrAjcZ5MmECkCgYEAldHXIrEmMZVaNwGz
    126. 

  126. DF9WG8sHj2mOZmQpw9yrjLK9hAsmsNr5LTyqWAqJIYZSwPTYWhY4nu2O0EY9G9uY
    127. 

  127. iqewXfCKw/UngrJt8Xwfq1Zruz0YY869zPN4GiE9+9rzdZB33RBw8kIOquY3MK74
    128. 

  128. FMwCihYx/LiU2YTHkaoJ3ncvtvg=
    129. 

  129. -----END PRIVATE KEY-----
    130. 

  130. `
    131. 

  131. 	jwkPubEC     = `{"kid":"https://kv-test-mj.vault.azure.net/keys/ec-p-521/e3d0e9c179b54988860c69c6ae172c65","kty":"EC","key_ops":["sign","verify"],"crv":"P-521","x":"AedOAtb7H7Oz1C_cPKI_R4CN_eai5nteY6KFW07FOoaqgQfVCSkQDK22fCOiMT_28c8LZYJRsiIFz_IIbQUW7bXj","y":"AOnchHnmBphIWXvanmMAmcCDkaED6ycW8GsAl9fQ43BMVZTqcTkJYn6vGnhn7MObizmkNSmgZYTwG-vZkIg03HHs"}`
    132. 

  132. 	jwkPubECPKIX = `-----BEGIN PUBLIC KEY-----
    133. 

  133. MIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQB504C1vsfs7PUL9w8oj9HgI395qLm
    134. 

  134. e15jooVbTsU6hqqBB9UJKRAMrbZ8I6IxP/bxzwtlglGyIgXP8ghtBRbtteMA6dyE
    135. 

  135. eeYGmEhZe9qeYwCZwIORoQPrJxbwawCX19DjcExVlOpxOQlifq8aeGfsw5uLOaQ1
    136. 

  136. KaBlhPAb69mQiDTccew=
    137. 

  137. -----END PUBLIC KEY-----
    138. 

  138. `
    139. 

  139. 	jwkPrivEC      = `{"kty": "EC","kid": "rie3pHe8u8gjSa0IaJfqk7_iEfHeYfDYx-Bqi7vQc0s","crv": "P-256","x": "fDjg3Nq4jPf8IOZ0277aPVal_8iXySnzLUJAZghUzZM","y": "d863PeyBOK_Q4duiSmWwgIRzi1RPlFZTR-vACMlPg-Q","d": "jJs5xsoHUetdMabtt8H2KyX5T92nGul1chFeMT5hlr0"}`
    140. 

  140. 	jwkPrivECPKCS8 = `-----BEGIN PRIVATE KEY-----
    141. 

  141. MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgjJs5xsoHUetdMabt
    142. 

  142. t8H2KyX5T92nGul1chFeMT5hlr2hRANCAAR8OODc2riM9/wg5nTbvto9VqX/yJfJ
    143. 

  143. KfMtQkBmCFTNk3fOtz3sgTiv0OHbokplsICEc4tUT5RWU0frwAjJT4Pk
    144. 

  144. -----END PRIVATE KEY-----
    145. 

  145. `
    146. 

  146. 	rsaDecryptPKRSAPKCS8 = `-----BEGIN PRIVATE KEY-----
    147. 

  147. MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQChzs1R+jA3Goqi
    148. 

  148. ropPzF4Ehpbi6VklbeZWP+RoU3rJshONJO6w9tPhbp0YIXrPSM9P5a9xaaNxDR9e
    149. 

  149. u84O05+vq3C4P9I0jb5GSjiuznrmsprFWGaGdd4Vr7Fir1oqfeVc+znQFUCvkq7B
    150. 

  150. EWobOonl6ktQ2OHBK0bEzXB7qY7P4ETI6owDUL+pkAwHzdnwk4sXMDKBLT3WZVRn
    151. 

  151. xPppIJ4VAEph1fJOCIIskxVBh8cAT4QRxsdu8oB7cAuYJLBBKiS/GGIA7vh9sQrb
    152. 

  152. +0BAgLqvy+kiQeQhYgF/Y/uVwkgAphFzSjSjoSFQ50nNE2VJA5J6o7QZ413DlIWr
    153. 

  153. VJKNZJDbAgMBAAECggEAemklU5te1pExyJka8fu+NNZNWCUI2BQoaZ+0gGiHQAeE
    154. 

  154. WwdRvHc/HBC+r/7EFgUTMXKmI7qzd1diIB0caoMXD6M3h2xg7nk9NZf5AeYbfGQq
    155. 

  155. SpnyFk8dUHK2U94s7HCKEKnOtukdIrZplo5CI49Ju7JggC1TvPuscj6pliRUclYY
    156. 

  156. Pc6pTVaG+bludDR8YkQ1mGi04wMQHpnisegRpMSjt9uZc1jKM7SSaHggu4/vuewo
    157. 

  157. CFdra50/MjidIOXd5T5iVYY28J+gR8oCCKySTogNJ3JpNMNAW4FHfime5B+uS0IA
    158. 

  158. YI/N8yjT/BPgRt4lQpR+6zi3fpguWNIM71xye1/R4QKBgQDNZNGFOntbFM2NTPYu
    159. 

  159. 4APRVu4a0gM+JEA/ozuxTigkgaj6dNeJvaNTxcKG0MmGxQLEcvgCDaWIoM6Qrj1K
    160. 

  160. YVwdiv1MddRDdSHQjGjNM6n7jNfYVQ2gP+1wDwTMN+eyAW8KoZByaQimmjyBj/Ps
    161. 

  161. C8VWPxyrw/UeHqzTazyEIZ2fHQKBgQDJrM2/xx7F63C6GaW+5gMeColxkdYb29Aw
    162. 

  162. R3xb2rn5lVPLW0BORQQuepZuaI+ZLTb4Op7V4yAC/S9femFXpgkZa56aacwy1jxb
    163. 

  163. R9WO0CWP3QCUCcIBF/4lbJDZ6gQLr51oahXhhjbgGMrlguC/j4R9n3i58EaeukeE
    164. 

  164. +Hsu/hMWVwKBgETsWALFJS/jQzbvZI1GTwGoki4d20i3EXhJZnaRK5dUi0fAfbOT
    165. 

  165. F4O9ERH8biPzaIJTsjW+LpYyoB6c2aRkF20yft1xjNE2NSquc1yowZnQIX5OzEvC
    166. 

  166. KAM6hvmgqPdq08BVhwtdg7GkgDlZ/Rhwur++XfilwVNiJ8yqZ5xPS31hAoGBALnu
    167. 

  167. hB5MMPXd86bPoHyYSMV4h3DaOGCkzpLERUXWKOGOp5tzfJzsikdjo68U3VcmVWiT
    168. 

  168. ev7MkCXRUMyg4n/RRtBV5PqNkcJIu4qYdq5c/lRdN3xEZsVlXl0Yc49EbghsFx49
    169. 

  169. uACdIZiHov/oItbZNRgwXzhl6mXKbceM4tzXR7evAoGBALug2beVoVAl2nAB2RkQ
    170. 

  170. Jy3viDKO+C6Z82gsS5x9Wif9cJTppIarZC+t7w33f4WHJiYT1VDxse08dohC5Nn7
    171. 

  171. 7WWKdtLMSyUaXE46s37Kl5tkTkROj3wBzSIzwLYAwsthcpQVubwDAMsig8EUAdr/
    172. 

  172. 0IwaauEPX9lBYMZDMYuSAR5n
    173. 

  173. -----END PRIVATE KEY-----
    174. 

  174. `
    175. 

  175. 	rsaDecryptDataPKCS8Base64 = `hAZJktRFdzSkGxxiiSE46T271veCgwvC0GrY+AwDYA/KeuFZFdPgZsJ74awu1WR6x4BrbMLTXNpQw4UqChdbaM7VoKUCkPTcCU1jsveqYNisM2MNF98QjNjvp+9jXHfAsClLA5AvJxe3GjfWIi18E4PieFpATn/BTrmoklx4rSkWmfifZol7Wcny0D2fhrj/JOdxEIqowUB/tNwYzNd+lXgm55wea+G3YnD3Fr4ARaCCaQMUcdW9Kgx7mmZGZE3xDAhs8WMfpe9xVZ17Ca7Sw2r1JKS0o0fYiZNHUmCXVsP9O+//+0sfEtETiVUF0jItrwlK4GL8+bVcXQ9N2TW7+g==`
    176. 

  176. 	rsaDecryptPKRSAPKCS1      = `-----BEGIN RSA PRIVATE KEY-----
    177. 

  177. MIICXAIBAAKBgQC8ronsBTX6GD5YhoE/v76+ZkWX0gODzAD+aCYIyTs4PiWruxlV
    178. 

  178. SOtjwq2gRgUexE5Hsz8cxhFz5Db8qFXBsA+GgXjByQuVbBw04SCKHgc0zhbcWonV
    179. 

  179. 3Rk03pjVB1HfuxcDRja8JZontfMAJyPNJovPu3rIi8npSC+T5g7Fq9UCbQIDAQAB
    180. 

  180. AoGAAo2+MiKT63GejmYro6g9taf+syJVh9gf/1F7ikzm70jwC5X5rszQ2sXMwcmQ
    181. 

  181. 0izH/nJvnT0VCWOCVwMUPg3a9+odoMNFyg2u3XCLBNr3vlgG3xeCTdjzaMnY61ct
    182. 

  182. xU4JgpIuiAlwCqhNfKuHxeesM/cvh9eC11ELXh27gLsNCEECQQDng5klIGPLHfiN
    183. 

  183. 3wam6wxLnqHPuhXAyrOAKA1qBlZGKI6n6iBYpfN+Y70gt10f3SBlFfkSyF7uZsUy
    184. 

  184. maofmjARAkEA0KM6Rj+p2CRMFMh4NpON4RKaQIYNGMTpe/akYBOx6wcZy0saON9l
    185. 

  185. eHS3nq77TDT+mA3uDbu+6VD8j8eEcXUInQJAYJkfQEd4fBrAR+nj66etVKwW1gbN
    186. 

  186. 5shtBy8vEasdOl7XzyY4YuSzaWwSUOFRYOcyChuV9olWWuDUrR1Cx7bdEQJBALzY
    187. 

  187. gg7D4UA62oKVUfpUZL+szuJIc+JPmecSwIYWTZymuLpCKGICEx6Mxwdi6yN3dFq9
    188. 

  188. gRP9NDiLjY+20DLB9CECQB5IqCvT396rjJn3g6sRXHX5qApJwInofLByafcjGd34
    189. 

  189. ejJKh20FmJegJhkImmNTokNbQZbYiLAP07Ykx9A8jLg=
    190. 

  190. -----END RSA PRIVATE KEY-----
    191. 

  191. 

  192. `
    193. 

  193. 	rsaDecryptDataPKCS1Base64 = `Xd9Jij8+hTqM7ii1nnKbKZy7pHhn3BJwxrENwIlvf0iRysVKn7gmAaD6UV4EpNwYOHvLbo6yLWBme6msVAhIV9KOp22jDe9j837C48rcUiF93Jb7+plabbwTQt4iqi1EKxEfVvKi4tLsLBRhu0v583oQAfCf5aLwF3Vb5bPgGeY=`
    194. 

  194. 	rsaDecryptPubKeyRSAPKCS1  = `-----BEGIN PUBLIC KEY-----
    195. 

  195. MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC8ronsBTX6GD5YhoE/v76+ZkWX
    196. 

  196. 0gODzAD+aCYIyTs4PiWruxlVSOtjwq2gRgUexE5Hsz8cxhFz5Db8qFXBsA+GgXjB
    197. 

  197. yQuVbBw04SCKHgc0zhbcWonV3Rk03pjVB1HfuxcDRja8JZontfMAJyPNJovPu3rI
    198. 

  198. i8npSC+T5g7Fq9UCbQIDAQAB
    199. 

  199. -----END PUBLIC KEY-----
    200. 

  200. 

  201. `
    202. 

  202. )
    203. 

  203. 

  204. func rsaEncryptOAEP(t testing.TB, publicKeyPEM []byte, hash, plaintext string) []byte {
    205. 

  205. 	t.Helper()
    206. 

  206. 	block, _ := pem.Decode(publicKeyPEM)
    207. 

  207. 	if block == nil || block.Type != "PUBLIC KEY" {
    208. 

  208. 		t.Fatalf("failed to decode PEM block containing public key")
    209. 

  209. 	}
    210. 

  210. 

  211. 	pub, err := x509.ParsePKIXPublicKey(block.Bytes)
    212. 

  212. 	if err != nil {
    213. 

  213. 		t.Fatalf("failed to parse DER encoded public key: %v", err)
    214. 

  214. 	}
    215. 

  215. 

  216. 	rsaPub, ok := pub.(*rsa.PublicKey)
    217. 

  217. 	if !ok {
    218. 

  218. 		t.Fatalf("not RSA public key")
    219. 

  219. 	}
    220. 

  220. 	ciphertext, err := rsa.EncryptOAEP(getHash(hash), rand.Reader, rsaPub, []byte(plaintext), nil)
    221. 

  221. 	require.NoError(t, err)
    222. 

  222. 	return ciphertext
    223. 

  223. }
    224. 

  224. 

  225. func TestExecute(t *testing.T) {
    226. 

  226. 	tbl := []struct {
    227. 

  227. 		name                string
    228. 

  228. 		tpl                 map[string][]byte
    229. 

  229. 		labelsTpl           map[string][]byte
    230. 

  230. 		annotationsTpl      map[string][]byte
    231. 

  231. 		stringDataTpl       map[string][]byte
    232. 

  232. 		data                map[string][]byte
    233. 

  233. 		expectedData        map[string][]byte
    234. 

  234. 		expectedStringData  map[string]string
    235. 

  235. 		expectedLabels      map[string]string
    236. 

  236. 		expectedAnnotations map[string]string
    237. 

  237. 		leftDelimiter       string
    238. 

  238. 		rightDelimiter      string
    239. 

  239. 		expErr              string
    240. 

  240. 		expLblErr           string
    241. 

  241. 		expAnnoErr          string
    242. 

  242. 		expStrErr           string
    243. 

  243. 	}{
    244. 

  244. 		{
    245. 

  245. 			name:           "test empty",
    246. 

  246. 			tpl:            nil,
    247. 

  247. 			labelsTpl:      nil,
    248. 

  248. 			annotationsTpl: nil,
    249. 

  249. 			data:           nil,
    250. 

  250. 		},
    251. 

  251. 		{
    252. 

  252. 			name: "b64dec func",
    253. 

  253. 			tpl: map[string][]byte{
    254. 

  254. 				"foo": []byte("{{ .secret | b64dec }}"),
    255. 

  255. 			},
    256. 

  256. 			data: map[string][]byte{
    257. 

  257. 				"secret": []byte("MTIzNA=="),
    258. 

  258. 			},
    259. 

  259. 			expectedData: map[string][]byte{
    260. 

  260. 				"foo": []byte("1234"),
    261. 

  261. 			},
    262. 

  262. 		},
    263. 

  263. 		{
    264. 

  264. 			name: "fromJson func",
    265. 

  265. 			tpl: map[string][]byte{
    266. 

  266. 				"foo": []byte("{{ $var := .secret | fromJson }}{{ $var.foo }}"),
    267. 

  267. 			},
    268. 

  268. 			data: map[string][]byte{
    269. 

  269. 				"secret": []byte(`{"foo": "bar"}`),
    270. 

  270. 			},
    271. 

  271. 			expectedData: map[string][]byte{
    272. 

  272. 				"foo": []byte("bar"),
    273. 

  273. 			},
    274. 

  274. 		},
    275. 

  275. 		{
    276. 

  276. 			name: "from & toJson func",
    277. 

  277. 			tpl: map[string][]byte{
    278. 

  278. 				"foo": []byte("{{ $var := .secret | fromJson }}{{ $var.foo | toJson }}"),
    279. 

  279. 			},
    280. 

  280. 			data: map[string][]byte{
    281. 

  281. 				"secret": []byte(`{"foo": {"baz":"bang"}}`),
    282. 

  282. 			},
    283. 

  283. 			expectedData: map[string][]byte{
    284. 

  284. 				"foo": []byte(`{"baz":"bang"}`),
    285. 

  285. 			},
    286. 

  286. 		},
    287. 

  287. 		{
    288. 

  288. 			name: "fromJson & toYaml func",
    289. 

  289. 			tpl: map[string][]byte{
    290. 

  290. 				"foo": []byte("{{ $var := .secret | fromJson | toYaml }}{{ $var }}"),
    291. 

  291. 			},
    292. 

  292. 			data: map[string][]byte{
    293. 

  293. 				"secret": []byte(`{"foo": "bar"}`),
    294. 

  294. 			},
    295. 

  295. 			expectedData: map[string][]byte{
    296. 

  296. 				"foo": []byte(`foo: bar`),
    297. 

  297. 			},
    298. 

  298. 		},
    299. 

  299. 		{
    300. 

  300. 			name: "fromYaml & toJson func",
    301. 

  301. 			tpl: map[string][]byte{
    302. 

  302. 				"foo": []byte("{{ $var := .secret | fromYaml | toJson }}{{ $var }}"),
    303. 

  303. 			},
    304. 

  304. 			data: map[string][]byte{
    305. 

  305. 				"secret": []byte(`foo: bar`),
    306. 

  306. 			},
    307. 

  307. 			expectedData: map[string][]byte{
    308. 

  308. 				"foo": []byte(`{"foo":"bar"}`),
    309. 

  309. 			},
    310. 

  310. 		},
    311. 

  311. 		{
    312. 

  312. 			name: "use sprig functions",
    313. 

  313. 			tpl: map[string][]byte{
    314. 

  314. 				"foo": []byte(`{{ .path | ext }}`),
    315. 

  315. 			},
    316. 

  316. 			data: map[string][]byte{
    317. 

  317. 				"path": []byte(`foo/bar/baz.exe`),
    318. 

  318. 			},
    319. 

  319. 			expectedData: map[string][]byte{
    320. 

  320. 				"foo": []byte(`.exe`),
    321. 

  321. 			},
    322. 

  322. 		},
    323. 

  323. 		{
    324. 

  324. 			name: "use replace function",
    325. 

  325. 			tpl: map[string][]byte{
    326. 

  326. 				"foo": []byte(`{{ .conn | replace "postgres://" "db+postgresql://"}}`),
    327. 

  327. 			},
    328. 

  328. 			data: map[string][]byte{
    329. 

  329. 				"conn": []byte(`postgres://user:pass@db.host:5432/dbname`),
    330. 

  330. 			},
    331. 

  331. 			expectedData: map[string][]byte{
    332. 

  332. 				"foo": []byte(`db+postgresql://user:pass@db.host:5432/dbname`),
    333. 

  333. 			},
    334. 

  334. 		},
    335. 

  335. 		{
    336. 

  336. 			name: "use upper function",
    337. 

  337. 			tpl: map[string][]byte{
    338. 

  338. 				"foo": []byte(`{{ .value | upper }}`),
    339. 

  339. 			},
    340. 

  340. 			data: map[string][]byte{
    341. 

  341. 				"value": []byte(`username`),
    342. 

  342. 			},
    343. 

  343. 			expectedData: map[string][]byte{
    344. 

  344. 				"foo": []byte(`USERNAME`),
    345. 

  345. 			},
    346. 

  346. 		},
    347. 

  347. 		{
    348. 

  348. 			name: "multiline template",
    349. 

  349. 			tpl: map[string][]byte{
    350. 

  350. 				"cfg": []byte(`
    351. 

  351. 		datasources:
    352. 

  352. 		- name: Graphite
    353. 

  353. 			type: graphite
    354. 

  354. 			access: proxy
    355. 

  355. 			url: http://localhost:8080
    356. 

  356. 			password: "{{ .password }}"
    357. 

  357. 			user: "{{ .user }}"`),
    358. 

  358. 			},
    359. 

  359. 			data: map[string][]byte{
    360. 

  360. 				"user":     []byte(`foobert`),
    361. 

  361. 				"password": []byte("harharhar"),
    362. 

  362. 			},
    363. 

  363. 			expectedData: map[string][]byte{
    364. 

  364. 				"cfg": []byte(`
    365. 

  365. 		datasources:
    366. 

  366. 		- name: Graphite
    367. 

  367. 			type: graphite
    368. 

  368. 			access: proxy
    369. 

  369. 			url: http://localhost:8080
    370. 

  370. 			password: "harharhar"
    371. 

  371. 			user: "foobert"`),
    372. 

  372. 			},
    373. 

  373. 		},
    374. 

  374. 		{
    375. 

  375. 			name: "base64 pipeline",
    376. 

  376. 			tpl: map[string][]byte{
    377. 

  377. 				"foo": []byte(`{{ "123412341234" | b64enc | b64dec }}`),
    378. 

  378. 			},
    379. 

  379. 			data: map[string][]byte{},
    380. 

  380. 			expectedData: map[string][]byte{
    381. 

  381. 				"foo": []byte("123412341234"),
    382. 

  382. 			},
    383. 

  383. 		},
    384. 

  384. 		{
    385. 

  385. 			name: "base64 pkcs12 extract",
    386. 

  386. 			tpl: map[string][]byte{
    387. 

  387. 				"key":  []byte(`{{ .secret | b64dec | pkcs12key }}`),
    388. 

  388. 				"cert": []byte(`{{ .secret | b64dec | pkcs12cert }}`),
    389. 

  389. 			},
    390. 

  390. 			data: map[string][]byte{
    391. 

  391. 				"secret": []byte(pkcs12ContentNoPass),
    392. 

  392. 			},
    393. 

  393. 			expectedData: map[string][]byte{
    394. 

  394. 				"key":  []byte(pkcs12Key),
    395. 

  395. 				"cert": []byte(pkcs12Cert),
    396. 

  396. 			},
    397. 

  397. 		},
    398. 

  398. 		{
    399. 

  399. 			name: "base64 pkcs12 extract with password",
    400. 

  400. 			tpl: map[string][]byte{
    401. 

  401. 				"key":  []byte(`{{ .secret | b64dec | pkcs12keyPass "123456" }}`),
    402. 

  402. 				"cert": []byte(`{{ .secret | b64dec | pkcs12certPass "123456" }}`),
    403. 

  403. 			},
    404. 

  404. 			data: map[string][]byte{
    405. 

  405. 				"secret": []byte(pkcs12ContentWithPass),
    406. 

  406. 			},
    407. 

  407. 			expectedData: map[string][]byte{
    408. 

  408. 				"key":  []byte(pkcs12Key),
    409. 

  409. 				"cert": []byte(pkcs12Cert),
    410. 

  410. 			},
    411. 

  411. 		},
    412. 

  412. 		{
    413. 

  413. 			name: "base64 decode error",
    414. 

  414. 			tpl: map[string][]byte{
    415. 

  415. 				"key": []byte(`{{ .example | b64dec }}`),
    416. 

  416. 			},
    417. 

  417. 			data: map[string][]byte{
    418. 

  418. 				"example": []byte("iam_no_base64"),
    419. 

  419. 			},
    420. 

  420. 			expErr: "", // silent error
    421. 

  421. 		},
    422. 

  422. 		{
    423. 

  423. 			name: "pkcs12 key wrong password",
    424. 

  424. 			tpl: map[string][]byte{
    425. 

  425. 				"key": []byte(`{{ .secret | b64dec | pkcs12keyPass "wrong" }}`),
    426. 

  426. 			},
    427. 

  427. 			data: map[string][]byte{
    428. 

  428. 				"secret": []byte(pkcs12ContentWithPass),
    429. 

  429. 			},
    430. 

  430. 			expErr: "unable to decode pkcs12",
    431. 

  431. 		},
    432. 

  432. 		{
    433. 

  433. 			name: "pkcs12 cert wrong password",
    434. 

  434. 			tpl: map[string][]byte{
    435. 

  435. 				"cert": []byte(`{{ .secret | b64dec | pkcs12certPass "wrong" }}`),
    436. 

  436. 			},
    437. 

  437. 			data: map[string][]byte{
    438. 

  438. 				"secret": []byte(pkcs12ContentWithPass),
    439. 

  439. 			},
    440. 

  440. 			expErr: "unable to decode pkcs12",
    441. 

  441. 		},
    442. 

  442. 		{
    443. 

  443. 			name: "fromJson error",
    444. 

  444. 			tpl: map[string][]byte{
    445. 

  445. 				"key": []byte(`{{ "{ # no json # }" | fromJson }}`),
    446. 

  446. 			},
    447. 

  447. 			data:   map[string][]byte{},
    448. 

  448. 			expErr: "", // silent error
    449. 

  449. 		},
    450. 

  450. 		{
    451. 

  451. 			name: "template syntax error",
    452. 

  452. 			tpl: map[string][]byte{
    453. 

  453. 				"key": []byte(`{{ #xx }}`),
    454. 

  454. 			},
    455. 

  455. 			data:   map[string][]byte{},
    456. 

  456. 			expErr: "unable to parse template",
    457. 

  457. 		},
    458. 

  458. 		{
    459. 

  459. 			name: "unknown key error",
    460. 

  460. 			tpl: map[string][]byte{
    461. 

  461. 				"key": []byte(`{{ .unknown }}`),
    462. 

  462. 			},
    463. 

  463. 			data:   map[string][]byte{},
    464. 

  464. 			expErr: "unable to execute template at key key",
    465. 

  465. 		},
    466. 

  466. 		{
    467. 

  467. 			name: "jwk rsa pub pem",
    468. 

  468. 			tpl: map[string][]byte{
    469. 

  469. 				"fn": []byte(`{{ .secret | jwkPublicKeyPem }}`),
    470. 

  470. 			},
    471. 

  471. 			data: map[string][]byte{
    472. 

  472. 				"secret": []byte(jwkPubRSA),
    473. 

  473. 			},
    474. 

  474. 			expectedData: map[string][]byte{
    475. 

  475. 				"fn": []byte(jwkPubRSAPKIX),
    476. 

  476. 			},
    477. 

  477. 		},
    478. 

  478. 		{
    479. 

  479. 			name: "jwk rsa priv pem",
    480. 

  480. 			tpl: map[string][]byte{
    481. 

  481. 				"fn": []byte(`{{ .secret | jwkPrivateKeyPem }}`),
    482. 

  482. 			},
    483. 

  483. 			data: map[string][]byte{
    484. 

  484. 				"secret": []byte(jwkPrivRSA),
    485. 

  485. 			},
    486. 

  486. 			expectedData: map[string][]byte{
    487. 

  487. 				"fn": []byte(jwkPrivRSAPKCS8),
    488. 

  488. 			},
    489. 

  489. 		},
    490. 

  490. 		{
    491. 

  491. 			name: "jwk ecdsa pub pem",
    492. 

  492. 			tpl: map[string][]byte{
    493. 

  493. 				"fn": []byte(`{{ .secret | jwkPublicKeyPem }}`),
    494. 

  494. 			},
    495. 

  495. 			data: map[string][]byte{
    496. 

  496. 				"secret": []byte(jwkPubEC),
    497. 

  497. 			},
    498. 

  498. 			expectedData: map[string][]byte{
    499. 

  499. 				"fn": []byte(jwkPubECPKIX),
    500. 

  500. 			},
    501. 

  501. 		},
    502. 

  502. 		{
    503. 

  503. 			name: "jwk ecdsa priv pem",
    504. 

  504. 			tpl: map[string][]byte{
    505. 

  505. 				"fn": []byte(`{{ .secret | jwkPrivateKeyPem }}`),
    506. 

  506. 			},
    507. 

  507. 			data: map[string][]byte{
    508. 

  508. 				"secret": []byte(jwkPrivEC),
    509. 

  509. 			},
    510. 

  510. 			expectedData: map[string][]byte{
    511. 

  511. 				"fn": []byte(jwkPrivECPKCS8),
    512. 

  512. 			},
    513. 

  513. 		},
    514. 

  514. 		{
    515. 

  515. 			name: "filter pem certificate",
    516. 

  516. 			tpl: map[string][]byte{
    517. 

  517. 				"fn": []byte(`{{ .secret | filterPEM "CERTIFICATE" }}`),
    518. 

  518. 			},
    519. 

  519. 			data: map[string][]byte{
    520. 

  520. 				"secret": []byte(jwkPrivRSAPKCS8 + pkcs12Cert),
    521. 

  521. 			},
    522. 

  522. 			expectedData: map[string][]byte{
    523. 

  523. 				"fn": []byte(pkcs12Cert),
    524. 

  524. 			},
    525. 

  525. 		},
    526. 

  526. 		{
    527. 

  527. 			name: "labels",
    528. 

  528. 			tpl: map[string][]byte{
    529. 

  529. 				"foo": []byte("{{ .secret | b64dec }}"),
    530. 

  530. 			},
    531. 

  531. 			labelsTpl: map[string][]byte{
    532. 

  532. 				"bar": []byte("{{ .env | b64dec }}"),
    533. 

  533. 			},
    534. 

  534. 			data: map[string][]byte{
    535. 

  535. 				"secret": []byte("MTIzNA=="),
    536. 

  536. 				"env":    []byte("ZGV2"),
    537. 

  537. 			},
    538. 

  538. 			expectedData: map[string][]byte{
    539. 

  539. 				"foo": []byte("1234"),
    540. 

  540. 			},
    541. 

  541. 			expectedLabels: map[string]string{
    542. 

  542. 				"bar": "dev",
    543. 

  543. 			},
    544. 

  544. 		},
    545. 

  545. 		{
    546. 

  546. 			name: "annotations",
    547. 

  547. 			tpl: map[string][]byte{
    548. 

  548. 				"foo": []byte("{{ .secret | b64dec }}"),
    549. 

  549. 			},
    550. 

  550. 			annotationsTpl: map[string][]byte{
    551. 

  551. 				"bar": []byte("{{ .env | b64dec }}"),
    552. 

  552. 			},
    553. 

  553. 			data: map[string][]byte{
    554. 

  554. 				"secret": []byte("MTIzNA=="),
    555. 

  555. 				"env":    []byte("ZGV2"),
    556. 

  556. 			},
    557. 

  557. 			expectedData: map[string][]byte{
    558. 

  558. 				"foo": []byte("1234"),
    559. 

  559. 			},
    560. 

  560. 			expectedAnnotations: map[string]string{
    561. 

  561. 				"bar": "dev",
    562. 

  562. 			},
    563. 

  563. 		},
    564. 

  564. 		{
    565. 

  565. 			name: "stringData",
    566. 

  566. 			stringDataTpl: map[string][]byte{
    567. 

  567. 				"foo": []byte("{{ .secret | b64dec }}"),
    568. 

  568. 			},
    569. 

  569. 			data: map[string][]byte{
    570. 

  570. 				"secret": []byte("MTIzNA=="),
    571. 

  571. 				"env":    []byte("ZGV2"),
    572. 

  572. 			},
    573. 

  573. 			expectedStringData: map[string]string{
    574. 

  574. 				"foo": "1234",
    575. 

  575. 			},
    576. 

  576. 		},
    577. 

  577. 		{
    578. 

  578. 			name: "NonStandardDelimiters",
    579. 

  579. 			stringDataTpl: map[string][]byte{
    580. 

  580. 				"foo": []byte("<< .secret | b64dec >>"),
    581. 

  581. 			},
    582. 

  582. 			leftDelimiter:  "<<",
    583. 

  583. 			rightDelimiter: ">>",
    584. 

  584. 			data: map[string][]byte{
    585. 

  585. 				"secret": []byte("MTIzNA=="),
    586. 

  586. 				"env":    []byte("ZGV2"),
    587. 

  587. 			},
    588. 

  588. 			expectedStringData: map[string]string{
    589. 

  589. 				"foo": "1234",
    590. 

  590. 			},
    591. 

  591. 		},
    592. 

  592. 		{
    593. 

  593. 			name: "rsa decrypt rsa-oaep sha1 pkcs8 data base64",
    594. 

  594. 			tpl: map[string][]byte{
    595. 

  595. 				"data_decrypted": []byte(`{{ .private_key | rsaDecrypt "RSA-OAEP" "SHA1" (.data_crypted_base64 | b64dec) }}`),
    596. 

  596. 			},
    597. 

  597. 			data: map[string][]byte{
    598. 

  598. 				"private_key":         []byte(rsaDecryptPKRSAPKCS8),
    599. 

  599. 				"data_crypted_base64": []byte(rsaDecryptDataPKCS8Base64),
    600. 

  600. 			},
    601. 

  601. 			expectedData: map[string][]byte{
    602. 

  602. 				"data_decrypted": []byte("a1b2c3d4"),
    603. 

  603. 			},
    604. 

  604. 		},
    605. 

  605. 		{
    606. 

  606. 			name: "rsa decrypt rsa-oaep sha256 pkcs1 data base64",
    607. 

  607. 			tpl: map[string][]byte{
    608. 

  608. 				"data_decrypted": []byte(`{{ .private_key | rsaDecrypt "RSA-OAEP" "SHA256" (.data_crypted_base64 | b64dec) }}`),
    609. 

  609. 			},
    610. 

  610. 			data: map[string][]byte{
    611. 

  611. 				"private_key":         []byte(rsaDecryptPKRSAPKCS1),
    612. 

  612. 				"data_crypted_base64": []byte(rsaDecryptDataPKCS1Base64),
    613. 

  613. 			},
    614. 

  614. 			expectedData: map[string][]byte{
    615. 

  615. 				"data_decrypted": []byte("hellopkcs1sha256"),
    616. 

  616. 			},
    617. 

  617. 		},
    618. 

  618. 		{
    619. 

  619. 			name: "rsa decrypt rsa-oaep sha256 pkcs1 data bin",
    620. 

  620. 			tpl: map[string][]byte{
    621. 

  621. 				"data_decrypted": []byte(`{{ .private_key | rsaDecrypt "RSA-OAEP" "SHA256" .data_crypted_bin }}`),
    622. 

  622. 			},
    623. 

  623. 			data: map[string][]byte{
    624. 

  624. 				"private_key":      []byte(rsaDecryptPKRSAPKCS1),
    625. 

  625. 				"data_crypted_bin": rsaEncryptOAEP(t, []byte(rsaDecryptPubKeyRSAPKCS1), "SHA256", "hellopkcs1sha256"),
    626. 

  626. 			},
    627. 

  627. 			expectedData: map[string][]byte{
    628. 

  628. 				"data_decrypted": []byte("hellopkcs1sha256"),
    629. 

  629. 			},
    630. 

  630. 		},
    631. 

  631. 	}
    632. 

  632. 

  633. 	for _, tt := range tbl {
    634. 

  634. 		t.Run(tt.name, func(t *testing.T) {
    635. 

  635. 			sec := &corev1.Secret{
    636. 

  636. 				Data:       make(map[string][]byte),
    637. 

  637. 				StringData: make(map[string]string),
    638. 

  638. 				ObjectMeta: v1.ObjectMeta{Labels: make(map[string]string), Annotations: make(map[string]string)},
    639. 

  639. 			}
    640. 

  640. 			oldLeftDelim := leftDelim
    641. 

  641. 			oldRightDelim := rightDelim
    642. 

  642. 			if tt.leftDelimiter != "" {
    643. 

  643. 				leftDelim = tt.leftDelimiter
    644. 

  644. 			}
    645. 

  645. 			if tt.rightDelimiter != "" {
    646. 

  646. 				rightDelim = tt.rightDelimiter
    647. 

  647. 			}
    648. 

  648. 			defer func() {
    649. 

  649. 				leftDelim = oldLeftDelim
    650. 

  650. 				rightDelim = oldRightDelim
    651. 

  651. 			}()
    652. 

  652. 			err := Execute(tt.tpl, tt.data, esapi.TemplateScopeValues, esapi.TemplateTargetData, sec)
    653. 

  653. 			if !ErrorContains(err, tt.expErr) {
    654. 

  654. 				t.Errorf("unexpected error: %s, expected: %s", err, tt.expErr)
    655. 

  655. 			}
    656. 

  656. 			err = Execute(tt.labelsTpl, tt.data, esapi.TemplateScopeValues, esapi.TemplateTargetLabels, sec)
    657. 

  657. 			if !ErrorContains(err, tt.expLblErr) {
    658. 

  658. 				t.Errorf("unexpected error: %s, expected: %s", err, tt.expErr)
    659. 

  659. 			}
    660. 

  660. 			err = Execute(tt.annotationsTpl, tt.data, esapi.TemplateScopeValues, esapi.TemplateTargetAnnotations, sec)
    661. 

  661. 			if !ErrorContains(err, tt.expAnnoErr) {
    662. 

  662. 				t.Errorf("unexpected error: %s, expected: %s", err, tt.expErr)
    663. 

  663. 			}
    664. 

  664. 			if tt.expectedData != nil {
    665. 

  665. 				assert.EqualValues(t, tt.expectedData, sec.Data)
    666. 

  666. 			}
    667. 

  667. 			if tt.expectedLabels != nil {
    668. 

  668. 				assert.EqualValues(t, tt.expectedLabels, sec.ObjectMeta.Labels)
    669. 

  669. 			}
    670. 

  670. 			if tt.expectedAnnotations != nil {
    671. 

  671. 				assert.EqualValues(t, tt.expectedAnnotations, sec.ObjectMeta.Annotations)
    672. 

  672. 			}
    673. 

  673. 		})
    674. 

  674. 	}
    675. 

  675. }
    676. 

  676. 

  677. func TestScopeValuesWithSecretFieldsNil(t *testing.T) {
    678. 

  678. 	tbl := []struct {
    679. 

  679. 		name               string
    680. 

  680. 		tpl                map[string][]byte
    681. 

  681. 		target             string
    682. 

  682. 		data               map[string][]byte
    683. 

  683. 		expectedData       map[string][]byte
    684. 

  684. 		expectedStringData map[string]string
    685. 

  685. 		expErr             string
    686. 

  686. 	}{
    687. 

  687. 		{
    688. 

  688. 			name:   "test empty",
    689. 

  689. 			tpl:    map[string][]byte{},
    690. 

  690. 			target: esapi.TemplateTargetData,
    691. 

  691. 			data:   nil,
    692. 

  692. 		},
    693. 

  693. 		{
    694. 

  694. 			name:   "test byte",
    695. 

  695. 			tpl:    map[string][]byte{"foo": []byte("bar")},
    696. 

  696. 			target: esapi.TemplateTargetData,
    697. 

  697. 			data: map[string][]byte{
    698. 

  698. 				"key":   []byte("foo"),
    699. 

  699. 				"value": []byte("bar"),
    700. 

  700. 			},
    701. 

  701. 			expectedData: map[string][]byte{
    702. 

  702. 				"foo": []byte("bar"),
    703. 

  703. 			},
    704. 

  704. 		},
    705. 

  705. 		{
    706. 

  706. 			name:   "test Annotations",
    707. 

  707. 			tpl:    map[string][]byte{"foo": []byte("bar")},
    708. 

  708. 			target: esapi.TemplateTargetAnnotations,
    709. 

  709. 			data: map[string][]byte{
    710. 

  710. 				"key":   []byte("foo"),
    711. 

  711. 				"value": []byte("bar"),
    712. 

  712. 			},
    713. 

  713. 			expectedStringData: map[string]string{
    714. 

  714. 				"foo": "bar",
    715. 

  715. 			},
    716. 

  716. 		},
    717. 

  717. 		{
    718. 

  718. 			name:   "test Labels",
    719. 

  719. 			tpl:    map[string][]byte{"foo": []byte("bar")},
    720. 

  720. 			target: esapi.TemplateTargetLabels,
    721. 

  721. 			data: map[string][]byte{
    722. 

  722. 				"key":   []byte("foo"),
    723. 

  723. 				"value": []byte("bar"),
    724. 

  724. 			},
    725. 

  725. 			expectedStringData: map[string]string{
    726. 

  726. 				"foo": "bar",
    727. 

  727. 			},
    728. 

  728. 		},
    729. 

  729. 	}
    730. 

  730. 	for i := range tbl {
    731. 

  731. 		row := tbl[i]
    732. 

  732. 		t.Run(row.name, func(t *testing.T) {
    733. 

  733. 			sec := &corev1.Secret{}
    734. 

  734. 			err := Execute(row.tpl, row.data, esapi.TemplateScopeValues, row.target, sec)
    735. 

  735. 			if !ErrorContains(err, row.expErr) {
    736. 

  736. 				t.Errorf("unexpected error: %s, expected: %s", err, row.expErr)
    737. 

  737. 			}
    738. 

  738. 			switch row.target {
    739. 

  739. 			case esapi.TemplateTargetData:
    740. 

  740. 				if row.expectedData != nil {
    741. 

  741. 					assert.EqualValues(t, row.expectedData, sec.Data)
    742. 

  742. 				}
    743. 

  743. 			case esapi.TemplateTargetLabels:
    744. 

  744. 				if row.expectedStringData != nil {
    745. 

  745. 					assert.EqualValues(t, row.expectedStringData, sec.Labels)
    746. 

  746. 				}
    747. 

  747. 			case esapi.TemplateTargetAnnotations:
    748. 

  748. 				if row.expectedStringData != nil {
    749. 

  749. 					assert.EqualValues(t, row.expectedStringData, sec.Annotations)
    750. 

  750. 				}
    751. 

  751. 			}
    752. 

  752. 		})
    753. 

  753. 	}
    754. 

  754. }
    755. 

  755. 

  756. func TestExecuteInvalidTemplateScope(t *testing.T) {
    757. 

  757. 	sec := &corev1.Secret{}
    758. 

  758. 	err := Execute(map[string][]byte{"foo": []byte("bar")}, nil, "invalid", esapi.TemplateTargetData, sec)
    759. 

  759. 	require.Error(t, err)
    760. 

  760. 	assert.ErrorContains(t, err, "expected 'Values' or 'KeysAndValues'")
    761. 

  761. }
    762. 

  762. 

  763. func TestScopeKeysAndValues(t *testing.T) {
    764. 

  764. 	tbl := []struct {
    765. 

  765. 		name               string
    766. 

  766. 		tpl                map[string][]byte
    767. 

  767. 		target             string
    768. 

  768. 		data               map[string][]byte
    769. 

  769. 		expectedData       map[string][]byte
    770. 

  770. 		expectedStringData map[string]string
    771. 

  771. 		expErr             string
    772. 

  772. 	}{
    773. 

  773. 		{
    774. 

  774. 			name:   "test empty",
    775. 

  775. 			tpl:    map[string][]byte{"literal": []byte("")},
    776. 

  776. 			target: "Data",
    777. 

  777. 			data:   nil,
    778. 

  778. 		},
    779. 

  779. 		{
    780. 

  780. 			name:   "test base64",
    781. 

  781. 			tpl:    map[string][]byte{"literal": []byte("{{ .key }}: {{ .value }}")},
    782. 

  782. 			target: esapi.TemplateTargetData,
    783. 

  783. 			data: map[string][]byte{
    784. 

  784. 				"key":   []byte("foo"),
    785. 

  785. 				"value": []byte("bar"),
    786. 

  786. 			},
    787. 

  787. 			expectedData: map[string][]byte{
    788. 

  788. 				"foo": []byte("bar"),
    789. 

  789. 			},
    790. 

  790. 		},
    791. 

  791. 		{
    792. 

  792. 			name:   "test Annotations",
    793. 

  793. 			tpl:    map[string][]byte{"literal": []byte("{{ .key }}: {{ .value }}")},
    794. 

  794. 			target: esapi.TemplateTargetAnnotations,
    795. 

  795. 			data: map[string][]byte{
    796. 

  796. 				"key":   []byte("foo"),
    797. 

  797. 				"value": []byte("bar"),
    798. 

  798. 			},
    799. 

  799. 			expectedStringData: map[string]string{
    800. 

  800. 				"foo": "bar",
    801. 

  801. 			},
    802. 

  802. 		},
    803. 

  803. 		{
    804. 

  804. 			name:   "test Labels",
    805. 

  805. 			tpl:    map[string][]byte{"literal": []byte("{{ .key }}: {{ .value }}")},
    806. 

  806. 			target: esapi.TemplateTargetLabels,
    807. 

  807. 			data: map[string][]byte{
    808. 

  808. 				"key":   []byte("foo"),
    809. 

  809. 				"value": []byte("bar"),
    810. 

  810. 			},
    811. 

  811. 			expectedStringData: map[string]string{
    812. 

  812. 				"foo": "bar",
    813. 

  813. 			},
    814. 

  814. 		},
    815. 

  815. 	}
    816. 

  816. 	for i := range tbl {
    817. 

  817. 		row := tbl[i]
    818. 

  818. 		t.Run(row.name, func(t *testing.T) {
    819. 

  819. 			sec := &corev1.Secret{
    820. 

  820. 				Data:       make(map[string][]byte),
    821. 

  821. 				StringData: make(map[string]string),
    822. 

  822. 				ObjectMeta: v1.ObjectMeta{Labels: make(map[string]string), Annotations: make(map[string]string)},
    823. 

  823. 			}
    824. 

  824. 			err := Execute(row.tpl, row.data, esapi.TemplateScopeKeysAndValues, row.target, sec)
    825. 

  825. 			if !ErrorContains(err, row.expErr) {
    826. 

  826. 				t.Errorf("unexpected error: %s, expected: %s", err, row.expErr)
    827. 

  827. 			}
    828. 

  828. 			switch row.target {
    829. 

  829. 			case esapi.TemplateTargetData:
    830. 

  830. 				if row.expectedData != nil {
    831. 

  831. 					assert.EqualValues(t, row.expectedData, sec.Data)
    832. 

  832. 				}
    833. 

  833. 			case esapi.TemplateTargetLabels:
    834. 

  834. 				if row.expectedStringData != nil {
    835. 

  835. 					assert.EqualValues(t, row.expectedStringData, sec.Labels)
    836. 

  836. 				}
    837. 

  837. 			case esapi.TemplateTargetAnnotations:
    838. 

  838. 				if row.expectedStringData != nil {
    839. 

  839. 					assert.EqualValues(t, row.expectedStringData, sec.Annotations)
    840. 

  840. 				}
    841. 

  841. 			}
    842. 

  842. 		})
    843. 

  843. 	}
    844. 

  844. }
    845. 

  845. func TestComplexYAMLFieldsWithSpec(t *testing.T) {
    846. 

  846. 	// These tests verify that the template engine can handle complex YAML values
    847. 

  847. 	// for spec fields. Since ConfigMap doesn't have a spec field in its typed definition,
    848. 

  848. 	// we test by inspecting what would be set in an unstructured representation.
    849. 

  849. 

  850. 	type testCase struct {
    851. 

  851. 		name   string
    852. 

  852. 		tpl    map[string][]byte
    853. 

  853. 		target string
    854. 

  854. 		scope  esapi.TemplateScope
    855. 

  855. 		data   map[string][]byte
    856. 

  856. 		verify func(t *testing.T, obj *corev1.Secret)
    857. 

  857. 		expErr string
    858. 

  858. 	}
    859. 

  859. 

  860. 	tests := []testCase{
    861. 

  861. 		{
    862. 

  862. 			name:   "data target with simple string in Secret",
    863. 

  863. 			target: "data",
    864. 

  864. 			scope:  esapi.TemplateScopeValues,
    865. 

  865. 			tpl: map[string][]byte{
    866. 

  866. 				"simple": []byte("{{ .value }}"),
    867. 

  867. 			},
    868. 

  868. 			data: map[string][]byte{
    869. 

  869. 				"value": []byte("test-value"),
    870. 

  870. 			},
    871. 

  871. 			verify: func(t *testing.T, obj *corev1.Secret) {
    872. 

  872. 				assert.Equal(t, []byte("test-value"), obj.Data["simple"])
    873. 

  873. 			},
    874. 

  874. 		},
    875. 

  875. 		{
    876. 

  876. 			name:   "data target with multiple keys",
    877. 

  877. 			target: "data",
    878. 

  878. 			scope:  esapi.TemplateScopeValues,
    879. 

  879. 			tpl: map[string][]byte{
    880. 

  880. 				"username": []byte("{{ .user }}"),
    881. 

  881. 				"password": []byte("{{ .pass }}"),
    882. 

  882. 			},
    883. 

  883. 			data: map[string][]byte{
    884. 

  884. 				"user": []byte("admin"),
    885. 

  885. 				"pass": []byte("secret123"),
    886. 

  886. 			},
    887. 

  887. 			verify: func(t *testing.T, obj *corev1.Secret) {
    888. 

  888. 				assert.Equal(t, []byte("admin"), obj.Data["username"])
    889. 

  889. 				assert.Equal(t, []byte("secret123"), obj.Data["password"])
    890. 

  890. 			},
    891. 

  891. 		},
    892. 

  892. 		{
    893. 

  893. 			name:   "labels target with templated values",
    894. 

  894. 			target: "labels",
    895. 

  895. 			scope:  esapi.TemplateScopeValues,
    896. 

  896. 			tpl: map[string][]byte{
    897. 

  897. 				"app":     []byte("{{ .app }}"),
    898. 

  898. 				"version": []byte("{{ .version }}"),
    899. 

  899. 			},
    900. 

  900. 			data: map[string][]byte{
    901. 

  901. 				"app":     []byte("my-app"),
    902. 

  902. 				"version": []byte("1.0.0"),
    903. 

  903. 			},
    904. 

  904. 			verify: func(t *testing.T, obj *corev1.Secret) {
    905. 

  905. 				assert.Equal(t, "my-app", obj.Labels["app"])
    906. 

  906. 				assert.Equal(t, "1.0.0", obj.Labels["version"])
    907. 

  907. 			},
    908. 

  908. 		},
    909. 

  909. 		{
    910. 

  910. 			name:   "annotations target with templated values",
    911. 

  911. 			target: "annotations",
    912. 

  912. 			scope:  esapi.TemplateScopeValues,
    913. 

  913. 			tpl: map[string][]byte{
    914. 

  914. 				"description": []byte("{{ .desc }}"),
    915. 

  915. 				"owner":       []byte("{{ .owner }}"),
    916. 

  916. 			},
    917. 

  917. 			data: map[string][]byte{
    918. 

  918. 				"desc":  []byte("Test secret"),
    919. 

  919. 				"owner": []byte("team-platform"),
    920. 

  920. 			},
    921. 

  921. 			verify: func(t *testing.T, obj *corev1.Secret) {
    922. 

  922. 				assert.Equal(t, "Test secret", obj.Annotations["description"])
    923. 

  923. 				assert.Equal(t, "team-platform", obj.Annotations["owner"])
    924. 

  924. 			},
    925. 

  925. 		},
    926. 

  926. 	}
    927. 

  927. 

  928. 	for _, tt := range tests {
    929. 

  929. 		t.Run(tt.name, func(t *testing.T) {
    930. 

  930. 			obj := &corev1.Secret{
    931. 

  931. 				ObjectMeta: v1.ObjectMeta{
    932. 

  932. 					Name:        "test-secret",
    933. 

  933. 					Namespace:   "default",
    934. 

  934. 					Labels:      make(map[string]string),
    935. 

  935. 					Annotations: make(map[string]string),
    936. 

  936. 				},
    937. 

  937. 				Data: make(map[string][]byte),
    938. 

  938. 			}
    939. 

  939. 

  940. 			err := Execute(tt.tpl, tt.data, tt.scope, tt.target, obj)
    941. 

  941. 

  942. 			if tt.expErr != "" {
    943. 

  943. 				require.Error(t, err)
    944. 

  944. 				assert.Contains(t, err.Error(), tt.expErr)
    945. 

  945. 				return
    946. 

  946. 			}
    947. 

  947. 

  948. 			require.NoError(t, err)
    949. 

  949. 			if tt.verify != nil {
    950. 

  950. 				tt.verify(t, obj)
    951. 

  951. 			}
    952. 

  952. 		})
    953. 

  953. 	}
    954. 

  954. }
    955. 

  955. 

  956. func TestTryParseYAML(t *testing.T) {
    957. 

  957. 	tests := []struct {
    958. 

  958. 		name     string
    959. 

  959. 		input    any
    960. 

  960. 		expected any
    961. 

  961. 	}{
    962. 

  962. 		{
    963. 

  963. 			name:     "parse YAML object",
    964. 

  964. 			input:    "key: value\nfoo: bar",
    965. 

  965. 			expected: map[string]any{"key": "value", "foo": "bar"},
    966. 

  966. 		},
    967. 

  967. 		{
    968. 

  968. 			name:     "parse YAML array",
    969. 

  969. 			input:    "- item1\n- item2\n- item3",
    970. 

  970. 			expected: []any{"item1", "item2", "item3"},
    971. 

  971. 		},
    972. 

  972. 		{
    973. 

  973. 			name:     "parse YAML number",
    974. 

  974. 			input:    "42",
    975. 

  975. 			expected: int64(42),
    976. 

  976. 		},
    977. 

  977. 		{
    978. 

  978. 			name:     "parse YAML boolean true",
    979. 

  979. 			input:    "true",
    980. 

  980. 			expected: true,
    981. 

  981. 		},
    982. 

  982. 		{
    983. 

  983. 			name:     "parse YAML boolean false",
    984. 

  984. 			input:    "false",
    985. 

  985. 			expected: false,
    986. 

  986. 		},
    987. 

  987. 		{
    988. 

  988. 			name:     "parse YAML float",
    989. 

  989. 			input:    "3.14",
    990. 

  990. 			expected: 3.14,
    991. 

  991. 		},
    992. 

  992. 		{
    993. 

  993. 			name:     "parse complex YAML",
    994. 

  994. 			input:    "database:\n  host: localhost\n  port: 5432\n  enabled: true",
    995. 

  995. 			expected: map[string]any{"database": map[string]any{"host": "localhost", "port": int64(5432), "enabled": true}},
    996. 

  996. 		},
    997. 

  997. 		{
    998. 

  998. 			name:     "plain string returns as-is",
    999. 

  999. 			input:    "just a string",
    1000. 

  1000. 			expected: "just a string",
    1001. 

  1001. 		},
    1002. 

  1002. 		{
    1003. 

  1003. 			name:     "invalid YAML returns original",
    1004. 

  1004. 			input:    "invalid: : yaml:",
    1005. 

  1005. 			expected: "invalid: : yaml:",
    1006. 

  1006. 		},
    1007. 

  1007. 		{
    1008. 

  1008. 			name:     "non-string input returns as-is",
    1009. 

  1009. 			input:    123,
    1010. 

  1010. 			expected: 123,
    1011. 

  1011. 		},
    1012. 

  1012. 		{
    1013. 

  1013. 			name:     "byte slice returns as-is",
    1014. 

  1014. 			input:    []byte("test"),
    1015. 

  1015. 			expected: []byte("test"),
    1016. 

  1016. 		},
    1017. 

  1017. 		{
    1018. 

  1018. 			name:     "null/empty string",
    1019. 

  1019. 			input:    "",
    1020. 

  1020. 			expected: nil,
    1021. 

  1021. 		},
    1022. 

  1022. 	}
    1023. 

  1023. 

  1024. 	for _, tt := range tests {
    1025. 

  1025. 		t.Run(tt.name, func(t *testing.T) {
    1026. 

  1026. 			result := tryParseYAML(tt.input)
    1027. 

  1027. 			assert.Equal(t, tt.expected, result)
    1028. 

  1028. 		})
    1029. 

  1029. 	}
    1030. 

  1030. }
    1031. 

  1031. 

  1032. func ErrorContains(out error, want string) bool {
    1033. 

  1033. 	if out == nil {
    1034. 

  1034. 		return want == ""
    1035. 

  1035. 	}
    1036. 

  1036. 	if want == "" {
    1037. 

  1037. 		return false
    1038. 

  1038. 	}
    1039. 

  1039. 	return strings.Contains(out.Error(), want)
    1040. 

  1040. }
    1041. 

  1041. 

  1042. func TestPkcs12certPass(t *testing.T) {
    1043. 

  1043. 	const (
    1044. 

  1044. 		leafCertPath         = "_testdata/foo.crt"
    1045. 

  1045. 		intermediateCertPath = "_testdata/intermediate-ca.crt"
    1046. 

  1046. 		rootCertPath         = "_testdata/root-ca.crt"
    1047. 

  1047. 		disjunctCertPath     = "_testdata/disjunct-root-ca.crt"
    1048. 

  1048. 	)
    1049. 

  1049. 	type args struct {
    1050. 

  1050. 		pass     string
    1051. 

  1051. 		filename string
    1052. 

  1052. 	}
    1053. 

  1053. 	type testCase struct {
    1054. 

  1054. 		name    string
    1055. 

  1055. 		args    args
    1056. 

  1056. 		want    []string
    1057. 

  1057. 		wantErr bool
    1058. 

  1058. 	}
    1059. 

  1059. 	tests := []testCase{
    1060. 

  1060. 		{
    1061. 

  1061. 			// this case expects the whole chain to be stored
    1062. 

  1062. 			// in a single bag.
    1063. 

  1063. 			// bag(1): leaf/root/intermediate cert
    1064. 

  1064. 			// bag(2): private key
    1065. 

  1065. 			name: "read file without password",
    1066. 

  1066. 			args: args{
    1067. 

  1067. 				pass:     "",
    1068. 

  1068. 				filename: "_testdata/foo-nopass.pfx",
    1069. 

  1069. 			},
    1070. 

  1070. 			want: []string{
    1071. 

  1071. 				// this order is important
    1072. 

  1072. 				leafCertPath,
    1073. 

  1073. 				intermediateCertPath,
    1074. 

  1074. 				rootCertPath,
    1075. 

  1075. 			},
    1076. 

  1076. 		},
    1077. 

  1077. 		{
    1078. 

  1078. 			// same as above but with password
    1079. 

  1079. 			name: "read file with password",
    1080. 

  1080. 			args: args{
    1081. 

  1081. 				pass:     "1234",
    1082. 

  1082. 				filename: "_testdata/foo-withpass-1234.pfx",
    1083. 

  1083. 			},
    1084. 

  1084. 			want: []string{
    1085. 

  1085. 				// this order is important
    1086. 

  1086. 				leafCertPath,
    1087. 

  1087. 				intermediateCertPath,
    1088. 

  1088. 				rootCertPath,
    1089. 

  1089. 			},
    1090. 

  1090. 		},
    1091. 

  1091. 		{
    1092. 

  1092. 			// cert chain may be stored in different bags
    1093. 

  1093. 			// this test case uses a pfx that has the following structure:
    1094. 

  1094. 			// bag(1): leaf certificate
    1095. 

  1095. 			// bag(2): root + intermediate cert
    1096. 

  1096. 			// bag(3): private key
    1097. 

  1097. 			name: "read multibag cert chain",
    1098. 

  1098. 			args: args{
    1099. 

  1099. 				pass:     "",
    1100. 

  1100. 				filename: "_testdata/foo-multibag-nopass.pfx",
    1101. 

  1101. 			},
    1102. 

  1102. 			want: []string{
    1103. 

  1103. 				// this order is important
    1104. 

  1104. 				leafCertPath,
    1105. 

  1105. 				intermediateCertPath,
    1106. 

  1106. 				rootCertPath,
    1107. 

  1107. 			},
    1108. 

  1108. 		},
    1109. 

  1109. 		{
    1110. 

  1110. 			// cert chain may contain a disjunct cert
    1111. 

  1111. 			// bag(1): leaf/root/intermediate/disjunct
    1112. 

  1112. 			// bag(2): private key
    1113. 

  1113. 			name: "read disjunct cert chain",
    1114. 

  1114. 			args: args{
    1115. 

  1115. 				pass:     "",
    1116. 

  1116. 				filename: "_testdata/foo-disjunct-nopass.pfx",
    1117. 

  1117. 			},
    1118. 

  1118. 			want: []string{
    1119. 

  1119. 				// this order is important
    1120. 

  1120. 				leafCertPath,
    1121. 

  1121. 				rootCertPath,
    1122. 

  1122. 				intermediateCertPath,
    1123. 

  1123. 				disjunctCertPath,
    1124. 

  1124. 			},
    1125. 

  1125. 		},
    1126. 

  1126. 		{
    1127. 

  1127. 			name: "read file wrong password",
    1128. 

  1128. 			args: args{
    1129. 

  1129. 				pass:     "wrongpass",
    1130. 

  1130. 				filename: "_testdata/foo-withpass-1234.pfx",
    1131. 

  1131. 			},
    1132. 

  1132. 			wantErr: true,
    1133. 

  1133. 		},
    1134. 

  1134. 	}
    1135. 

  1135. 

  1136. 	testFunc := func(t *testing.T, tc testCase) {
    1137. 

  1137. 		archive, err := os.ReadFile(tc.args.filename)
    1138. 

  1138. 		if err != nil {
    1139. 

  1139. 			t.Error(err)
    1140. 

  1140. 		}
    1141. 

  1141. 		var expOut []byte
    1142. 

  1142. 		for _, w := range tc.want {
    1143. 

  1143. 			c, err := os.ReadFile(w)
    1144. 

  1144. 			if err != nil {
    1145. 

  1145. 				t.Error(err)
    1146. 

  1146. 			}
    1147. 

  1147. 			expOut = append(expOut, c...)
    1148. 

  1148. 		}
    1149. 

  1149. 		got, err := pkcs12certPass(tc.args.pass, string(archive))
    1150. 

  1150. 		if (err != nil) != tc.wantErr {
    1151. 

  1151. 			t.Errorf("pkcs12certPass() error = %v, wantErr %v", err, tc.wantErr)
    1152. 

  1152. 			return
    1153. 

  1153. 		}
    1154. 

  1154. 		if diff := cmp.Diff(string(expOut), got); diff != "" {
    1155. 

  1155. 			t.Errorf("pkcs12certPass() = diff:\n%s", diff)
    1156. 

  1156. 		}
    1157. 

  1157. 	}
    1158. 

  1158. 

  1159. 	for _, tt := range tests {
    1160. 

  1160. 		t.Run(tt.name, func(t *testing.T) {
    1161. 

  1161. 			testFunc(t, tt)
    1162. 

  1162. 		})
    1163. 

  1163. 	}
    1164. 

  1164. }
    1165. 

  1165. 

  1166. func TestConfigMapDataNotBase64Encoded(t *testing.T) {
    1167. 

  1167. 	configMap := &corev1.ConfigMap{
    1168. 

  1168. 		ObjectMeta: v1.ObjectMeta{
    1169. 

  1169. 			Name:      "test-cm",
    1170. 

  1170. 			Namespace: "default",
    1171. 

  1171. 		},
    1172. 

  1172. 	}
    1173. 

  1173. 

  1174. 	data := map[string][]byte{
    1175. 

  1175. 		"host":     []byte("localhost"),
    1176. 

  1176. 		"port":     []byte("5432"),
    1177. 

  1177. 		"database": []byte("mydb"),
    1178. 

  1178. 	}
    1179. 

  1179. 

  1180. 	tplMap := map[string][]byte{
    1181. 

  1181. 		"host":     []byte("{{ .host }}"),
    1182. 

  1182. 		"port":     []byte("{{ .port }}"),
    1183. 

  1183. 		"database": []byte("{{ .database }}"),
    1184. 

  1184. 	}
    1185. 

  1185. 

  1186. 	err := Execute(tplMap, data, esapi.TemplateScopeValues, "Data", configMap)
    1187. 

  1187. 	require.NoError(t, err)
    1188. 

  1188. 

  1189. 	assert.Equal(t, "localhost", configMap.Data["host"], "host should be plain text, not base64")
    1190. 

  1190. 	assert.Equal(t, "5432", configMap.Data["port"], "port should be plain text, not base64")
    1191. 

  1191. 	assert.Equal(t, "mydb", configMap.Data["database"], "database should be plain text, not base64")
    1192. 

  1192. }
    1193. 

  1193. 

  1194. func TestNestedPathTargeting(t *testing.T) {
    1195. 

  1195. 	tests := []struct {
    1196. 

  1196. 		name     string
    1197. 

  1197. 		target   string
    1198. 

  1198. 		scope    esapi.TemplateScope
    1199. 

  1199. 		tpl      map[string][]byte
    1200. 

  1200. 		data     map[string][]byte
    1201. 

  1201. 		verify   func(t *testing.T, obj map[string]interface{})
    1202. 

  1202. 		wantErr  bool
    1203. 

  1203. 		errorMsg string
    1204. 

  1204. 	}{
    1205. 

  1205. 		{
    1206. 

  1206. 			name:   "nested path spec.slack with template variables",
    1207. 

  1207. 			target: "spec.slack",
    1208. 

  1208. 			scope:  esapi.TemplateScopeKeysAndValues,
    1209. 

  1209. 			tpl: map[string][]byte{
    1210. 

  1210. 				"slack-config": []byte(`
    1211. 

  1211. api_url: {{ .url }}
    1212. 

  1212. webhook_url: {{ .webhook }}
    1213. 

  1213. `),
    1214. 

  1214. 			},
    1215. 

  1215. 			data: map[string][]byte{
    1216. 

  1216. 				"url":     []byte("https://hooks.slack.com/services/XXX"),
    1217. 

  1217. 				"webhook": []byte("https://hooks.slack.com/services/YYY"),
    1218. 

  1218. 			},
    1219. 

  1219. 			verify: func(t *testing.T, obj map[string]interface{}) {
    1220. 

  1220. 				specMap := obj["spec"].(map[string]interface{})
    1221. 

  1221. 				slackMap := specMap["slack"].(map[string]interface{})
    1222. 

  1222. 

  1223. 				// Should NOT have spec.slack.api_url.url (the bug with template variables)
    1224. 

  1224. 				apiURL := slackMap["api_url"]
    1225. 

  1225. 				assert.Equal(t, "https://hooks.slack.com/services/XXX", apiURL, "api_url should be string, not nested map")
    1226. 

  1226. 

  1227. 				webhookURL := slackMap["webhook_url"]
    1228. 

  1228. 				assert.Equal(t, "https://hooks.slack.com/services/YYY", webhookURL, "webhook_url should be string, not nested map")
    1229. 

  1229. 

  1230. 				// Verify the fix: should NOT have duplicate 'slack' in the path
    1231. 

  1231. 				_, hasDuplicateSlack := slackMap["slack"]
    1232. 

  1232. 				assert.False(t, hasDuplicateSlack, "should not have spec.slack.slack (the bug)")
    1233. 

  1233. 			},
    1234. 

  1234. 		},
    1235. 

  1235. 		{
    1236. 

  1236. 			name:   "nested path merge behavior - preserves existing fields",
    1237. 

  1237. 			target: "spec.slack",
    1238. 

  1238. 			scope:  esapi.TemplateScopeKeysAndValues,
    1239. 

  1239. 			tpl: map[string][]byte{
    1240. 

  1240. 				"slack-config": []byte(`
    1241. 

  1241. api_url: {{ .url }}
    1242. 

  1242. `),
    1243. 

  1243. 			},
    1244. 

  1244. 			data: map[string][]byte{
    1245. 

  1245. 				"url": []byte("https://hooks.slack.com/services/NEW"),
    1246. 

  1246. 			},
    1247. 

  1247. 			verify: func(t *testing.T, obj map[string]interface{}) {
    1248. 

  1248. 				specMap := obj["spec"].(map[string]interface{})
    1249. 

  1249. 				slackMap := specMap["slack"].(map[string]interface{})
    1250. 

  1250. 

  1251. 				// Should have the new field from template
    1252. 

  1252. 				assert.Equal(t, "https://hooks.slack.com/services/NEW", slackMap["api_url"], "api_url should be set from template")
    1253. 

  1253. 

  1254. 				// Should PRESERVE existing fields that were not in the template
    1255. 

  1255. 				assert.Equal(t, "general", slackMap["channel"], "existing channel field should be preserved")
    1256. 

  1256. 				assert.Equal(t, "test-value", slackMap["other_field"], "existing other_field should be preserved")
    1257. 

  1257. 			},
    1258. 

  1258. 		},
    1259. 

  1259. 		{
    1260. 

  1260. 			name:   "nested path overwrite field - updates existing value",
    1261. 

  1261. 			target: "spec.slack",
    1262. 

  1262. 			scope:  esapi.TemplateScopeKeysAndValues,
    1263. 

  1263. 			tpl: map[string][]byte{
    1264. 

  1264. 				"slack-config": []byte(`
    1265. 

  1265. channel: {{ .new_channel }}
    1266. 

  1266. `),
    1267. 

  1267. 			},
    1268. 

  1268. 			data: map[string][]byte{
    1269. 

  1269. 				"new_channel": []byte("alerts"),
    1270. 

  1270. 			},
    1271. 

  1271. 			verify: func(t *testing.T, obj map[string]interface{}) {
    1272. 

  1272. 				specMap := obj["spec"].(map[string]interface{})
    1273. 

  1273. 				slackMap := specMap["slack"].(map[string]interface{})
    1274. 

  1274. 

  1275. 				// Should update the existing field
    1276. 

  1276. 				assert.Equal(t, "alerts", slackMap["channel"], "channel should be updated")
    1277. 

  1277. 

  1278. 				// Should still preserve other existing fields
    1279. 

  1279. 				assert.Equal(t, "https://hooks.slack.com/existing", slackMap["api_url"], "existing api_url should be preserved")
    1280. 

  1280. 				assert.Equal(t, "test-value", slackMap["other_field"], "existing other_field should be preserved")
    1281. 

  1281. 			},
    1282. 

  1282. 		},
    1283. 

  1283. 	}
    1284. 

  1284. 

  1285. 	for _, tt := range tests {
    1286. 

  1286. 		t.Run(tt.name, func(t *testing.T) {
    1287. 

  1287. 			// Use an unstructured object to test generic target behavior
    1288. 

  1288. 			obj := &unstructured.Unstructured{
    1289. 

  1289. 				Object: map[string]interface{}{
    1290. 

  1290. 					"apiVersion": "example.com/v1",
    1291. 

  1291. 					"kind":       "TestResource",
    1292. 

  1292. 					"metadata": map[string]interface{}{
    1293. 

  1293. 						"name":      "test-resource",
    1294. 

  1294. 						"namespace": "default",
    1295. 

  1295. 					},
    1296. 

  1296. 				},
    1297. 

  1297. 			}
    1298. 

  1298. 

  1299. 			// For merge behavior tests, pre-populate the object with existing content
    1300. 

  1300. 			if strings.Contains(tt.name, "merge behavior") {
    1301. 

  1301. 				obj.Object["spec"] = map[string]interface{}{
    1302. 

  1302. 					"slack": map[string]interface{}{
    1303. 

  1303. 						"channel":     "general",
    1304. 

  1304. 						"other_field": "test-value",
    1305. 

  1305. 					},
    1306. 

  1306. 				}
    1307. 

  1307. 			}
    1308. 

  1308. 

  1309. 			// For overwrite field test, pre-populate with different initial values
    1310. 

  1310. 			if strings.Contains(tt.name, "overwrite field") {
    1311. 

  1311. 				obj.Object["spec"] = map[string]interface{}{
    1312. 

  1312. 					"slack": map[string]interface{}{
    1313. 

  1313. 						"channel":     "general",
    1314. 

  1314. 						"api_url":     "https://hooks.slack.com/existing",
    1315. 

  1315. 						"other_field": "test-value",
    1316. 

  1316. 					},
    1317. 

  1317. 				}
    1318. 

  1318. 			}
    1319. 

  1319. 

  1320. 			err := Execute(tt.tpl, tt.data, tt.scope, tt.target, obj)
    1321. 

  1321. 

  1322. 			if tt.wantErr {
    1323. 

  1323. 				require.Error(t, err)
    1324. 

  1324. 				if tt.errorMsg != "" {
    1325. 

  1325. 					assert.Contains(t, err.Error(), tt.errorMsg)
    1326. 

  1326. 				}
    1327. 

  1327. 			} else {
    1328. 

  1328. 				require.NoError(t, err)
    1329. 

  1329. 				if tt.verify != nil {
    1330. 

  1330. 					tt.verify(t, obj.Object)
    1331. 

  1331. 				}
    1332. 

  1332. 			}
    1333. 

  1333. 		})
    1334. 

  1334. 	}
    1335. 

  1335. }
    1336.