logic855
/
helm-external-secrets
mirror of https://github.com/external-secrets/external-secrets


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395
							/*
Copyright © The ESO Authors

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    https://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package dvls

import (
	"testing"

	"github.com/stretchr/testify/assert"
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"

	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
)

const (
	testNamespace = "default"
	testServerURL = "https://dvls.example.com"
	secretName    = "dvls-secret"
	appIDKey      = "app-id"
	appSecretKey  = "app-secret"
	otherNS       = "other"
	testAppID     = "test-app-id"
	testAppSecret = "test-app-secret"
)

func TestProvider_ValidateStore(t *testing.T) {
	p := &Provider{}

	t.Run("case 1: should return no error when valid", func(t *testing.T) {
		store := &esv1.SecretStore{
			ObjectMeta: metav1.ObjectMeta{
				Name:      "dvls-store",
				Namespace: testNamespace,
			},
			Spec: esv1.SecretStoreSpec{
				Provider: &esv1.SecretStoreProvider{
					DVLS: &esv1.DVLSProvider{
						ServerURL: testServerURL,
						Auth: esv1.DVLSAuth{
							SecretRef: esv1.DVLSAuthSecretRef{
								AppID: esmeta.SecretKeySelector{
									Name: secretName,
									Key:  appIDKey,
								},
								AppSecret: esmeta.SecretKeySelector{
									Name: secretName,
									Key:  appSecretKey,
								},
							},
						},
					},
				},
			},
		}
		_, err := p.ValidateStore(store)
		assert.NoError(t, err)
	})

	t.Run("case 1b: cluster store requires namespace", func(t *testing.T) {
		store := &esv1.ClusterSecretStore{
			TypeMeta: metav1.TypeMeta{Kind: "ClusterSecretStore"},
			ObjectMeta: metav1.ObjectMeta{
				Name: "dvls-cluster-store",
			},
			Spec: esv1.SecretStoreSpec{
				Provider: &esv1.SecretStoreProvider{
					DVLS: &esv1.DVLSProvider{
						ServerURL: testServerURL,
						Auth: esv1.DVLSAuth{
							SecretRef: esv1.DVLSAuthSecretRef{
								AppID: esmeta.SecretKeySelector{
									Name: secretName,
									Key:  appIDKey,
								},
								AppSecret: esmeta.SecretKeySelector{
									Name: secretName,
									Key:  appSecretKey,
								},
							},
						},
					},
				},
			},
		}

		_, err := p.ValidateStore(store)
		assert.Error(t, err)
		assert.Contains(t, err.Error(), "cluster scope requires namespace")
	})

	t.Run("case 1c: cluster store succeeds with namespace", func(t *testing.T) {
		otherNamespace := otherNS
		store := &esv1.ClusterSecretStore{
			TypeMeta: metav1.TypeMeta{Kind: "ClusterSecretStore"},
			ObjectMeta: metav1.ObjectMeta{
				Name: "dvls-cluster-store",
			},
			Spec: esv1.SecretStoreSpec{
				Provider: &esv1.SecretStoreProvider{
					DVLS: &esv1.DVLSProvider{
						ServerURL: testServerURL,
						Auth: esv1.DVLSAuth{
							SecretRef: esv1.DVLSAuthSecretRef{
								AppID: esmeta.SecretKeySelector{
									Name:      secretName,
									Key:       appIDKey,
									Namespace: &otherNamespace,
								},
								AppSecret: esmeta.SecretKeySelector{
									Name:      secretName,
									Key:       appSecretKey,
									Namespace: &otherNamespace,
								},
							},
						},
					},
				},
			},
		}

		_, err := p.ValidateStore(store)
		assert.NoError(t, err)
	})

	t.Run("case 2: should return error when provider is nil", func(t *testing.T) {
		store := &esv1.SecretStore{
			Spec: esv1.SecretStoreSpec{
				Provider: &esv1.SecretStoreProvider{
					DVLS: nil,
				},
			},
		}
		_, err := p.ValidateStore(store)
		assert.Error(t, err)
		assert.Contains(t, err.Error(), "DVLS provider configuration is missing")
	})

	t.Run("case 2b: http URL without insecure flag should fail", func(t *testing.T) {
		store := &esv1.SecretStore{
			ObjectMeta: metav1.ObjectMeta{
				Name:      "dvls-store",
				Namespace: testNamespace,
			},
			Spec: esv1.SecretStoreSpec{
				Provider: &esv1.SecretStoreProvider{
					DVLS: &esv1.DVLSProvider{
						ServerURL: "http://dvls.example.com",
						Auth: esv1.DVLSAuth{
							SecretRef: esv1.DVLSAuthSecretRef{
								AppID: esmeta.SecretKeySelector{
									Name: secretName,
									Key:  appIDKey,
								},
								AppSecret: esmeta.SecretKeySelector{
									Name: secretName,
									Key:  appSecretKey,
								},
							},
						},
					},
				},
			},
		}
		_, err := p.ValidateStore(store)
		assert.Error(t, err)
		assert.Contains(t, err.Error(), "http URLs require 'insecure: true'")
	})

	t.Run("case 2c: http URL with insecure flag should pass", func(t *testing.T) {
		store := &esv1.SecretStore{
			ObjectMeta: metav1.ObjectMeta{
				Name:      "dvls-store",
				Namespace: testNamespace,
			},
			Spec: esv1.SecretStoreSpec{
				Provider: &esv1.SecretStoreProvider{
					DVLS: &esv1.DVLSProvider{
						ServerURL: "http://dvls.example.com",
						Insecure:  true,
						Auth: esv1.DVLSAuth{
							SecretRef: esv1.DVLSAuthSecretRef{
								AppID: esmeta.SecretKeySelector{
									Name: secretName,
									Key:  appIDKey,
								},
								AppSecret: esmeta.SecretKeySelector{
									Name: secretName,
									Key:  appSecretKey,
								},
							},
						},
					},
				},
			},
		}
		_, err := p.ValidateStore(store)
		assert.NoError(t, err)
	})

	t.Run("case 3: should return error when serverUrl is empty", func(t *testing.T) {
		store := &esv1.SecretStore{
			ObjectMeta: metav1.ObjectMeta{
				Name:      "dvls-store",
				Namespace: testNamespace,
			},
			Spec: esv1.SecretStoreSpec{
				Provider: &esv1.SecretStoreProvider{
					DVLS: &esv1.DVLSProvider{
						ServerURL: "",
						Auth: esv1.DVLSAuth{
							SecretRef: esv1.DVLSAuthSecretRef{
								AppID: esmeta.SecretKeySelector{
									Name: secretName,
									Key:  appIDKey,
								},
								AppSecret: esmeta.SecretKeySelector{
									Name: secretName,
									Key:  appSecretKey,
								},
							},
						},
					},
				},
			},
		}
		_, err := p.ValidateStore(store)
		assert.Error(t, err)
		assert.Contains(t, err.Error(), "serverUrl is required")
	})

	t.Run("case 3b: should return error when appId key is missing", func(t *testing.T) {
		store := &esv1.SecretStore{
			ObjectMeta: metav1.ObjectMeta{
				Name:      "dvls-store",
				Namespace: testNamespace,
			},
			Spec: esv1.SecretStoreSpec{
				Provider: &esv1.SecretStoreProvider{
					DVLS: &esv1.DVLSProvider{
						ServerURL: testServerURL,
						Auth: esv1.DVLSAuth{
							SecretRef: esv1.DVLSAuthSecretRef{
								AppID: esmeta.SecretKeySelector{
									Name: secretName,
									Key:  "",
								},
								AppSecret: esmeta.SecretKeySelector{
									Name: secretName,
									Key:  appSecretKey,
								},
							},
						},
					},
				},
			},
		}
		_, err := p.ValidateStore(store)
		assert.Error(t, err)
		assert.Contains(t, err.Error(), "appId secret key is required")
	})

	t.Run("case 3c: should return error when appSecret name is missing", func(t *testing.T) {
		store := &esv1.SecretStore{
			ObjectMeta: metav1.ObjectMeta{
				Name:      "dvls-store",
				Namespace: testNamespace,
			},
			Spec: esv1.SecretStoreSpec{
				Provider: &esv1.SecretStoreProvider{
					DVLS: &esv1.DVLSProvider{
						ServerURL: testServerURL,
						Auth: esv1.DVLSAuth{
							SecretRef: esv1.DVLSAuthSecretRef{
								AppID: esmeta.SecretKeySelector{
									Name: secretName,
									Key:  appIDKey,
								},
								AppSecret: esmeta.SecretKeySelector{
									Name: "",
									Key:  appSecretKey,
								},
							},
						},
					},
				},
			},
		}
		_, err := p.ValidateStore(store)
		assert.Error(t, err)
		assert.Contains(t, err.Error(), "appSecret secret name is required")
	})

	t.Run("case 4: should return error when AppID secret reference is invalid", func(t *testing.T) {
		otherNamespace := otherNS
		store := &esv1.SecretStore{
			ObjectMeta: metav1.ObjectMeta{
				Name:      "dvls-store",
				Namespace: testNamespace,
			},
			Spec: esv1.SecretStoreSpec{
				Provider: &esv1.SecretStoreProvider{
					DVLS: &esv1.DVLSProvider{
						ServerURL: testServerURL,
						Auth: esv1.DVLSAuth{
							SecretRef: esv1.DVLSAuthSecretRef{
								AppID: esmeta.SecretKeySelector{
									Name:      secretName,
									Key:       appIDKey,
									Namespace: &otherNamespace,
								},
								AppSecret: esmeta.SecretKeySelector{
									Name: secretName,
									Key:  appSecretKey,
								},
							},
						},
					},
				},
			},
		}
		_, err := p.ValidateStore(store)
		assert.Error(t, err)
		assert.Contains(t, err.Error(), "invalid appId")
	})

	t.Run("case 5: should return error when AppSecret secret reference is invalid", func(t *testing.T) {
		otherNamespace := otherNS
		store := &esv1.SecretStore{
			ObjectMeta: metav1.ObjectMeta{
				Name:      "dvls-store",
				Namespace: testNamespace,
			},
			Spec: esv1.SecretStoreSpec{
				Provider: &esv1.SecretStoreProvider{
					DVLS: &esv1.DVLSProvider{
						ServerURL: testServerURL,
						Auth: esv1.DVLSAuth{
							SecretRef: esv1.DVLSAuthSecretRef{
								AppID: esmeta.SecretKeySelector{
									Name: secretName,
									Key:  appIDKey,
								},
								AppSecret: esmeta.SecretKeySelector{
									Name:      secretName,
									Key:       appSecretKey,
									Namespace: &otherNamespace,
								},
							},
						},
					},
				},
			},
		}
		_, err := p.ValidateStore(store)
		assert.Error(t, err)
		assert.Contains(t, err.Error(), "invalid appSecret")
	})
}

func TestProvider_Capabilities(t *testing.T) {
	p := &Provider{}
	assert.Equal(t, esv1.SecretStoreReadWrite, p.Capabilities())
}

func TestNewProvider(t *testing.T) {
	p := NewProvider()
	assert.NotNil(t, p)
	_, ok := p.(*Provider)
	assert.True(t, ok)
}

func TestProviderSpec(t *testing.T) {
	spec := ProviderSpec()
	assert.NotNil(t, spec)
	assert.NotNil(t, spec.DVLS)
}

func TestMaintenanceStatus(t *testing.T) {
	status := MaintenanceStatus()
	assert.Equal(t, esv1.MaintenanceStatusMaintained, status)
}