Home Explore Help
Sign In
logic855
/
helm-external-secrets
mirror of https://github.com/external-secrets/external-secrets
1
0
Fork 0
Files Issues 0 Wiki
Tree: 3245e656af
Branches Tags
helm-externa...
/
pkg
/
provider
/
webhook
/
webhook_test.go

webhook_test.go 19 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706 
  1. /*
    2. 

  2. Copyright © 2025 ESO Maintainer Team
    3. 

  3. 

  4. Licensed under the Apache License, Version 2.0 (the "License");
    5. 

  5. you may not use this file except in compliance with the License.
    6. 

  6. You may obtain a copy of the License at
    7. 

  7. 

  8.     https://www.apache.org/licenses/LICENSE-2.0
    9. 

  9. 

  10. Unless required by applicable law or agreed to in writing, software
    11. 

  11. distributed under the License is distributed on an "AS IS" BASIS,
    12. 

  12. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    13. 

  13. See the License for the specific language governing permissions and
    14. 

  14. limitations under the License.
    15. 

  15. */
    16. 

  16. 

  17. package webhook
    18. 

  18. 

  19. import (
    20. 

  20. 	"bytes"
    21. 

  21. 	"context"
    22. 

  22. 	"errors"
    23. 

  23. 	"io"
    24. 

  24. 	"net/http"
    25. 

  25. 	"net/http/httptest"
    26. 

  26. 	"strings"
    27. 

  27. 	"testing"
    28. 

  28. 	"time"
    29. 

  29. 

  30. 	"gopkg.in/yaml.v3"
    31. 

  31. 	corev1 "k8s.io/api/core/v1"
    32. 

  32. 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
    33. 

  33. 

  34. 	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
    35. 

  35. 	"github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
    36. 

  36. )
    37. 

  37. 

  38. type testCase struct {
    39. 

  39. 	Case string `json:"case,omitempty"`
    40. 

  40. 	Args args   `json:"args"`
    41. 

  41. 	Want want   `json:"want"`
    42. 

  42. }
    43. 

  43. 

  44. type secret struct {
    45. 

  45. 	Name string            `json:"name"`
    46. 

  46. 	Data map[string]string `json:"data"`
    47. 

  47. }
    48. 

  48. 

  49. type args struct {
    50. 

  50. 	URL        string `json:"url,omitempty"`
    51. 

  51. 	Body       string `json:"body,omitempty"`
    52. 

  52. 	Timeout    string `json:"timeout,omitempty"`
    53. 

  53. 	Key        string `json:"key,omitempty"`
    54. 

  54. 	SecretKey  string `json:"secretkey,omitempty"`
    55. 

  55. 	Property   string `json:"property,omitempty"`
    56. 

  56. 	Version    string `json:"version,omitempty"`
    57. 

  57. 	JSONPath   string `json:"jsonpath,omitempty"`
    58. 

  58. 	Response   string `json:"response,omitempty"`
    59. 

  59. 	StatusCode int    `json:"statuscode,omitempty"`
    60. 

  60. 	PushSecret bool   `json:"pushsecret,omitempty"`
    61. 

  61. 	Secret     secret `json:"secret,omitempty"`
    62. 

  62. }
    63. 

  63. 

  64. type want struct {
    65. 

  65. 	Path      string            `json:"path,omitempty"`
    66. 

  66. 	Body      *string           `json:"body,omitempty"`
    67. 

  67. 	Err       string            `json:"err,omitempty"`
    68. 

  68. 	Result    string            `json:"result,omitempty"`
    69. 

  69. 	ResultMap map[string]string `json:"resultmap,omitempty"`
    70. 

  70. }
    71. 

  71. 

  72. var testCases = `
    73. 

  73. case: error url
    74. 

  74. args:
    75. 

  75.   url: /api/getsecret?id={{ .unclosed.template
    76. 

  76. want:
    77. 

  77.   err: failed to parse url
    78. 

  78. ---
    79. 

  79. case: error body
    80. 

  80. args:
    81. 

  81.   url: /api/getsecret?id={{ .remoteRef.key }}&version={{ .remoteRef.version }}
    82. 

  82.   body: Body error {{ .unclosed.template
    83. 

  83. want:
    84. 

  84.   err: failed to parse body
    85. 

  85. ---
    86. 

  86. case: error connection
    87. 

  87. args:
    88. 

  88.   url: 1/api/getsecret?id={{ .remoteRef.key }}&version={{ .remoteRef.version }}
    89. 

  89. want:
    90. 

  90.   err: failed to call endpoint
    91. 

  91. ---
    92. 

  92. case: error no secret err
    93. 

  93. args:
    94. 

  94.   url: /api/getsecret?id={{ .remoteRef.key }}&version={{ .remoteRef.version }}
    95. 

  95.   key: testkey
    96. 

  96.   version: 1
    97. 

  97.   statuscode: 404
    98. 

  98.   response: not found
    99. 

  99. want:
    100. 

  100.   path: /api/getsecret?id=testkey&version=1
    101. 

  101.   err: ` + esv1.NoSecretErr.Error() + `
    102. 

  102. ---
    103. 

  103. case: error server error
    104. 

  104. args:
    105. 

  105.   url: /api/getsecret?id={{ .remoteRef.key }}&version={{ .remoteRef.version }}
    106. 

  106.   key: testkey
    107. 

  107.   version: 1
    108. 

  108.   statuscode: 500
    109. 

  109.   response: server error
    110. 

  110. want:
    111. 

  111.   path: /api/getsecret?id=testkey&version=1
    112. 

  112.   err: endpoint gave error 500
    113. 

  113. ---
    114. 

  114. case: error bad json
    115. 

  115. args:
    116. 

  116.   url: /api/getsecret?id={{ .remoteRef.key }}&version={{ .remoteRef.version }}
    117. 

  117.   key: testkey
    118. 

  118.   version: 1
    119. 

  119.   jsonpath: $.result.thesecret
    120. 

  120.   response: '{"result":{"thesecret":"secret-value"}'
    121. 

  121. want:
    122. 

  122.   path: /api/getsecret?id=testkey&version=1
    123. 

  123.   err: failed to parse response json
    124. 

  124. ---
    125. 

  125. case: error bad jsonpath
    126. 

  126. args:
    127. 

  127.   url: /api/getsecret?id={{ .remoteRef.key }}&version={{ .remoteRef.version }}
    128. 

  128.   key: testkey
    129. 

  129.   version: 1
    130. 

  130.   jsonpath: $.result.thesecret
    131. 

  131.   response: '{"result":{"nosecret":"secret-value"}}'
    132. 

  132. want:
    133. 

  133.   path: /api/getsecret?id=testkey&version=1
    134. 

  134.   err: failed to get response path
    135. 

  135. ---
    136. 

  136. case: pull data out of map
    137. 

  137. args:
    138. 

  138.   url: /api/getsecret?id={{ .remoteRef.key }}&version={{ .remoteRef.version }}
    139. 

  139.   key: testkey
    140. 

  140.   version: 1
    141. 

  141.   jsonpath: $.result.thesecret
    142. 

  142.   response: '{"result":{"thesecret":{"one":"secret-value"}}}'
    143. 

  143. want:
    144. 

  144.   path: /api/getsecret?id=testkey&version=1
    145. 

  145.   err: ''
    146. 

  146.   result: '{"one":"secret-value"}'
    147. 

  147. ---
    148. 

  148. case: error timeout
    149. 

  149. args:
    150. 

  150.   url: /api/getsecret?id={{ .remoteRef.key }}&version={{ .remoteRef.version }}
    151. 

  151.   key: testkey
    152. 

  152.   version: 1
    153. 

  153.   response: secret-value
    154. 

  154.   timeout: 0.01ms
    155. 

  155. want:
    156. 

  156.   path: /api/getsecret?id=testkey&version=1
    157. 

  157.   err: context deadline exceeded
    158. 

  158. ---
    159. 

  159. case: good plaintext
    160. 

  160. args:
    161. 

  161.   url: /api/getsecret?id={{ .remoteRef.key }}&version={{ .remoteRef.version }}
    162. 

  162.   key: testkey
    163. 

  163.   version: 1
    164. 

  164.   response: secret-value
    165. 

  165. want:
    166. 

  166.   path: /api/getsecret?id=testkey&version=1
    167. 

  167.   err: ''
    168. 

  168.   result: secret-value
    169. 

  169. ---
    170. 

  170. case: good json
    171. 

  171. args:
    172. 

  172.   url: /api/getsecret?id={{ .remoteRef.key }}&version={{ .remoteRef.version }}
    173. 

  173.   key: testkey
    174. 

  174.   version: 1
    175. 

  175.   jsonpath: $.result.thesecret
    176. 

  176.   response: '{"result":{"thesecret":"secret-value"}}'
    177. 

  177. want:
    178. 

  178.   path: /api/getsecret?id=testkey&version=1
    179. 

  179.   err: ''
    180. 

  180.   result: secret-value
    181. 

  181. ---
    182. 

  182. case: good json map
    183. 

  183. args:
    184. 

  184.   url: /api/getsecret?id={{ .remoteRef.key }}&version={{ .remoteRef.version }}
    185. 

  185.   key: testkey
    186. 

  186.   version: 1
    187. 

  187.   jsonpath: $.result
    188. 

  188.   response: '{"result":{"thesecret":"secret-value","alsosecret":"another-value"}}'
    189. 

  189. want:
    190. 

  190.   path: /api/getsecret?id=testkey&version=1
    191. 

  191.   err: ''
    192. 

  192.   resultmap:
    193. 

  193.     thesecret: secret-value
    194. 

  194.     alsosecret: another-value
    195. 

  195. ---
    196. 

  196. case: templated jsonpath good json map
    197. 

  197. args:
    198. 

  198.   url: /api/getsecret?id={{ .remoteRef.key }}&version={{ .remoteRef.version }}
    199. 

  199.   key: testkey
    200. 

  200.   version: 1
    201. 

  201.   jsonpath: $.{{printf "result" }}
    202. 

  202.   response: '{"result":{"thesecret":"secret-value","alsosecret":"another-value"}}'
    203. 

  203. want:
    204. 

  204.   path: /api/getsecret?id=testkey&version=1
    205. 

  205.   err: ''
    206. 

  206.   resultmap:
    207. 

  207.     thesecret: secret-value
    208. 

  208.     alsosecret: another-value
    209. 

  209. ---
    210. 

  210. case: templated jsonpath invalid template
    211. 

  211. args:
    212. 

  212.   url: /api/getsecret?id={{ .remoteRef.key }}&version={{ .remoteRef.version }}
    213. 

  213.   key: testkey
    214. 

  214.   version: 1
    215. 

  215.   jsonpath: $.{{printf 'result' }}
    216. 

  216.   response: '{"result":{"thesecret":"secret-value","alsosecret":"another-value"}}'
    217. 

  217. want:
    218. 

  218.   path: /api/getsecret?id=testkey&version=1
    219. 

  219.   err: "cannot get templated json path"
    220. 

  220.   resultmap:
    221. 

  221.     thesecret: secret-value
    222. 

  222.     alsosecret: another-value
    223. 

  223. ---
    224. 

  224. case: good json map string
    225. 

  225. args:
    226. 

  226.   url: /api/getsecret?id={{ .remoteRef.key }}&version={{ .remoteRef.version }}
    227. 

  227.   key: testkey
    228. 

  228.   version: 1
    229. 

  229.   response: '{"thesecret":"secret-value","alsosecret":"another-value"}'
    230. 

  230. want:
    231. 

  231.   path: /api/getsecret?id=testkey&version=1
    232. 

  232.   err: ''
    233. 

  233.   resultmap:
    234. 

  234.     thesecret: secret-value
    235. 

  235.     alsosecret: another-value
    236. 

  236. ---
    237. 

  237. case: error json map string
    238. 

  238. args:
    239. 

  239.   url: /api/getsecret?id={{ .remoteRef.key }}&version={{ .remoteRef.version }}
    240. 

  240.   key: testkey
    241. 

  241.   version: 1
    242. 

  242.   response: 'some simple string'
    243. 

  243. want:
    244. 

  244.   path: /api/getsecret?id=testkey&version=1
    245. 

  245.   err: "failed to parse response json: invalid character"
    246. 

  246.   resultmap: {}
    247. 

  247. ---
    248. 

  248. case: error json map
    249. 

  249. args:
    250. 

  250.   url: /api/getsecret?id={{ .remoteRef.key }}&version={{ .remoteRef.version }}
    251. 

  251.   key: testkey
    252. 

  252.   version: 1
    253. 

  253.   jsonpath: $.result.thesecret
    254. 

  254.   response: '{"result":{"thesecret":"secret-value","alsosecret":"another-value"}}'
    255. 

  255. want:
    256. 

  256.   path: /api/getsecret?id=testkey&version=1
    257. 

  257.   err: "failed to parse response json from jsonpath"
    258. 

  258.   resultmap: {}
    259. 

  259. ---
    260. 

  260. case: good json with good templated jsonpath
    261. 

  261. args:
    262. 

  262.   url: /api/getsecret?id={{ .remoteRef.key }}&version={{ .remoteRef.version }}
    263. 

  263.   key: testkey
    264. 

  264.   property: thesecret
    265. 

  265.   version: 1
    266. 

  266.   jsonpath: $.result.{{ .remoteRef.property }}
    267. 

  267.   response: '{"result":{"thesecret":"secret-value"}}'
    268. 

  268. want:
    269. 

  269.   path: /api/getsecret?id=testkey&version=1
    270. 

  270.   err: ''
    271. 

  271.   result: secret-value
    272. 

  272. ---
    273. 

  273. case: good json with jsonpath filter
    274. 

  274. args:
    275. 

  275.   url: /api/getsecret?id={{ .remoteRef.key }}&version={{ .remoteRef.version }}
    276. 

  276.   key: testkey
    277. 

  277.   version: 1
    278. 

  278.   jsonpath: $.secrets[?@.name=="thesecret"].value
    279. 

  279.   response: '{"secrets": [{"name": "thesecret", "value": "secret-value"}, {"name": "alsosecret", "value": "another-value"}]}'
    280. 

  280. want:
    281. 

  281.   path: /api/getsecret?id=testkey&version=1
    282. 

  282.   err: ''
    283. 

  283.   result: secret-value
    284. 

  284. ---
    285. 

  285. case: good json with bad templated jsonpath
    286. 

  286. args:
    287. 

  287.   url: /api/getsecret?id={{ .remoteRef.key }}&version={{ .remoteRef.version }}
    288. 

  288.   key: testkey
    289. 

  289.   property: thesecret
    290. 

  290.   version: 1
    291. 

  291.   jsonpath: $.result.{{ .remoteRef.property }
    292. 

  292.   response: '{"result":{"thesecret":"secret-value"}}'
    293. 

  293. want:
    294. 

  294.   path: /api/getsecret?id=testkey&version=1
    295. 

  295.   err: 'template: webhooktemplate:1: unexpected "}" in operand'
    296. 

  296. ---
    297. 

  297. case: error with jsonpath filter empty results
    298. 

  298. args:
    299. 

  299.   url: /api/getsecret?id={{ .remoteRef.key }}&version={{ .remoteRef.version }}
    300. 

  300.   key: testkey
    301. 

  301.   version: 1
    302. 

  302.   jsonpath: $.secrets[?@.name=="thebadsecret"].value
    303. 

  303.   response: '{"secrets": [{"name": "thesecret", "value": "secret-value"}, {"name": "alsosecret", "value": "another-value"}]}'
    304. 

  304. want:
    305. 

  305.   path: /api/getsecret?id=testkey&version=1
    306. 

  306.   err: "filter worked but didn't get any result"
    307. 

  307. ---
    308. 

  308. case: success with jsonpath filter and result array
    309. 

  309. args:
    310. 

  310.   url: /api/getsecret?id={{ .remoteRef.key }}&version={{ .remoteRef.version }}
    311. 

  311.   key: testkey
    312. 

  312.   version: 1
    313. 

  313.   jsonpath: $..name
    314. 

  314.   response: '{"secrets": [{"name": "thesecret", "value": "secret-value"}, {"name": "alsosecret", "value": "another-value"}]}'
    315. 

  315. want:
    316. 

  316.   path: /api/getsecret?id=testkey&version=1
    317. 

  317.   err: ''
    318. 

  318.   result: 'thesecret'
    319. 

  319. ---
    320. 

  320. case: success with jsonpath filter and result array of ints
    321. 

  321. args:
    322. 

  322.   url: /api/getsecret?id={{ .remoteRef.key }}&version={{ .remoteRef.version }}
    323. 

  323.   key: testkey
    324. 

  324.   version: 1
    325. 

  325.   jsonpath: $..name
    326. 

  326.   response: '{"secrets": [{"name": 123, "value": "secret-value"}, {"name": 456, "value": "another-value"}]}'
    327. 

  327. want:
    328. 

  328.   path: /api/getsecret?id=testkey&version=1
    329. 

  329.   err: ''
    330. 

  330.   result: 123
    331. 

  331. ---
    332. 

  332. case: support backslash
    333. 

  333. args:
    334. 

  334.   url: /api/getsecret?id={{ .remoteRef.key }}&version={{ .remoteRef.version }}
    335. 

  335.   key: testkey
    336. 

  336.   version: 1
    337. 

  337.   jsonpath: $.refresh_token
    338. 

  338.   response: '{"access_token":"REDACTED","refresh_token":"RE\/DACTED=="}'
    339. 

  339. want:
    340. 

  340.   path: /api/getsecret?id=testkey&version=1
    341. 

  341.   err: ''
    342. 

  342.   result: "RE/DACTED=="
    343. 

  343. ---
    344. 

  344. case: good json with mixed fields and jsonpath filter
    345. 

  345. args:
    346. 

  346.   url: /api/getsecret?id={{ .remoteRef.key }}&version={{ .remoteRef.version }}
    347. 

  347.   key: testkey
    348. 

  348.   version: 1
    349. 

  349.   jsonpath: $.result.thesecret
    350. 

  350.   response: '{"result":{"thesecret":"secret-value","alsosecret":"another-value", "id": 1234, "weight": 1.5}}'
    351. 

  351. want:
    352. 

  352.   path: /api/getsecret?id=testkey&version=1
    353. 

  353.   err: ''
    354. 

  354.   result: secret-value
    355. 

  355. ---
    356. 

  356. case: good json with mixed fields to map
    357. 

  357. args:
    358. 

  358.   url: /api/getsecret?id={{ .remoteRef.key }}&version={{ .remoteRef.version }}
    359. 

  359.   key: testkey
    360. 

  360.   version: 1
    361. 

  361.   jsonpath: $.result
    362. 

  362.   response: '{"result":{"thesecret":"secret-value","alsosecret":"another-value", "id": 1234, "weight": 1.5}}'
    363. 

  363. want:
    364. 

  364.   path: /api/getsecret?id=testkey&version=1
    365. 

  365.   err: ''
    366. 

  366.   resultmap:
    367. 

  367.     thesecret: secret-value
    368. 

  368.     alsosecret: another-value
    369. 

  369.     id: 1234
    370. 

  370.     weight: 1.5
    371. 

  371. ---
    372. 

  372. case: only url encoding for url templates
    373. 

  373. args:
    374. 

  374.   url: /api/getsecrets?folder={{ .remoteRef.key }}
    375. 

  375.   body: '{"folder": "{{ .remoteRef.key }}"}'
    376. 

  376.   key: /myapp/secrets
    377. 

  377. want:
    378. 

  378.   path: /api/getsecrets?folder=%2Fmyapp%2Fsecrets
    379. 

  379.   body: '{"folder": "/myapp/secrets"}'
    380. 

  380. ---
    381. 

  381. case: namespace template in headers
    382. 

  382. args:
    383. 

  383.   url: /api/getsecret?id={{ .remoteRef.key }}
    384. 

  384.   key: testkey
    385. 

  385.   response: secret-value
    386. 

  386. want:
    387. 

  387.   path: /api/getsecret?id=testkey
    388. 

  388.   err: ''
    389. 

  389.   result: secret-value
    390. 

  390. ---
    391. 

  391. case: namespace template in url
    392. 

  392. args:
    393. 

  393.   url: /api/getsecret?id={{ .remoteRef.key }}&namespace={{ .remoteRef.namespace }}
    394. 

  394.   key: testkey
    395. 

  395.   response: secret-value
    396. 

  396. want:
    397. 

  397.   path: /api/getsecret?id=testkey&namespace=testnamespace
    398. 

  398.   err: ''
    399. 

  399.   result: secret-value
    400. 

  400. `
    401. 

  401. 

  402. func TestWebhookGetSecret(t *testing.T) {
    403. 

  403. 	ydec := yaml.NewDecoder(bytes.NewReader([]byte(testCases)))
    404. 

  404. 	for {
    405. 

  405. 		var tc testCase
    406. 

  406. 		if err := ydec.Decode(&tc); err != nil {
    407. 

  407. 			if !errors.Is(err, io.EOF) {
    408. 

  408. 				t.Errorf("testcase decode error %v", err)
    409. 

  409. 			}
    410. 

  410. 			break
    411. 

  411. 		}
    412. 

  412. 		runTestCase(tc, t)
    413. 

  413. 	}
    414. 

  414. }
    415. 

  415. 

  416. var testCasesPushSecret = `
    417. 

  417. ---
    418. 

  418. case: secret key not found
    419. 

  419. args:
    420. 

  420.   url: /api/pushsecret?id={{ .remoteRef.remoteKey }}&secret={{ .remoteRef.secretKey }}
    421. 

  421.   key: testkey
    422. 

  422.   secretkey: not-found
    423. 

  423.   pushsecret: true
    424. 

  424.   secret:
    425. 

  425.     name: test-secret
    426. 

  426.     data:
    427. 

  427.       secretkey: value
    428. 

  428. want:
    429. 

  429.   path: /api/pushsecret?id=testkey&secret=not-found
    430. 

  430.   err: 'failed to find secret key in secret with key: not-found'
    431. 

  431. ---
    432. 

  432. case: default body good json
    433. 

  433. args:
    434. 

  434.   url: /api/pushsecret?id={{ .remoteRef.remoteKey }}&secret={{ .remoteRef.secretKey }}
    435. 

  435.   key: testkey
    436. 

  436.   secretkey: secretkey
    437. 

  437.   pushsecret: true
    438. 

  438.   secret:
    439. 

  439.     name: test-secret
    440. 

  440.     data:
    441. 

  441.       secretkey: value
    442. 

  442. want:
    443. 

  443.   path: /api/pushsecret?id=testkey&secret=secretkey
    444. 

  444.   body: 'value'
    445. 

  445.   err: ''
    446. 

  446. ---
    447. 

  447. case: good json
    448. 

  448. args:
    449. 

  449.   url: /api/pushsecret?id={{ .remoteRef.remoteKey }}&secret={{ .remoteRef.secretKey }}
    450. 

  450.   key: testkey
    451. 

  451.   body: 'pre {{ .remoteRef.remoteKey }} {{ .remoteRef.testkey }} post'
    452. 

  452.   secretkey: secretkey
    453. 

  453.   pushsecret: true
    454. 

  454.   secret:
    455. 

  455.     name: test-secret
    456. 

  456.     data:
    457. 

  457.       secretkey: value
    458. 

  458. want:
    459. 

  459.   path: /api/pushsecret?id=testkey&secret=secretkey
    460. 

  460.   body: 'pre testkey value post'
    461. 

  461.   err: ''
    462. 

  462. ---
    463. 

  463. case: empty body
    464. 

  464. args:
    465. 

  465.   url: /api/pushsecret?id={{ .remoteRef.remoteKey }}
    466. 

  466.   key: testkey
    467. 

  467.   body: '{{ "" }}'
    468. 

  468.   pushsecret: true
    469. 

  469.   secret:
    470. 

  470.     name: test-secret
    471. 

  471.     data:
    472. 

  472.       secretkey: value
    473. 

  473. want:
    474. 

  474.   path: /api/pushsecret?id=testkey
    475. 

  475.   body: ''
    476. 

  476.   err: ''
    477. 

  477. ---
    478. 

  478. case: default body pushing without secret key
    479. 

  479. args:
    480. 

  480.   url: /api/pushsecret?id={{ .remoteRef.remoteKey }}
    481. 

  481.   key: testkey
    482. 

  482.   pushsecret: true
    483. 

  483.   secret:
    484. 

  484.     name: test-secret
    485. 

  485.     data:
    486. 

  486.       secretkey: value
    487. 

  487. want:
    488. 

  488.   path: /api/pushsecret?id=testkey
    489. 

  489.   body: '{"secretkey":"value"}'
    490. 

  490.   err: ''
    491. 

  491. ---
    492. 

  492. case: pushing without secret key
    493. 

  493. args:
    494. 

  494.   url: /api/pushsecret?id={{ .remoteRef.remoteKey }}
    495. 

  495.   key: testkey
    496. 

  496.   body: 'pre {{ .remoteRef.remoteKey }} {{ index (.remoteRef.testkey | fromJson) "secretkey" }} post'
    497. 

  497.   pushsecret: true
    498. 

  498.   secret:
    499. 

  499.     name: test-secret
    500. 

  500.     data:
    501. 

  501.       secretkey: value
    502. 

  502. want:
    503. 

  503.   path: /api/pushsecret?id=testkey
    504. 

  504.   body: 'pre testkey value post'
    505. 

  505.   err: ''
    506. 

  506. ---
    507. 

  507. case: pushing without secret key with dynamic resolution
    508. 

  508. args:
    509. 

  509.   url: /api/pushsecret?id={{ .remoteRef.remoteKey }}
    510. 

  510.   key: testkey
    511. 

  511.   body: 'pre {{ .remoteRef.remoteKey }} {{ index (index .remoteRef .remoteRef.remoteKey | fromJson) "secretkey" }} post'
    512. 

  512.   pushsecret: true
    513. 

  513.   secret:
    514. 

  514.     name: test-secret
    515. 

  515.     data:
    516. 

  516.       secretkey: value
    517. 

  517. want:
    518. 

  518.   path: /api/pushsecret?id=testkey
    519. 

  519.   body: 'pre testkey value post'
    520. 

  520.   err: ''
    521. 

  521. `
    522. 

  522. 

  523. func TestWebhookPushSecret(t *testing.T) {
    524. 

  524. 	ydec := yaml.NewDecoder(bytes.NewReader([]byte(testCasesPushSecret)))
    525. 

  525. 	for {
    526. 

  526. 		var tc testCase
    527. 

  527. 		if err := ydec.Decode(&tc); err != nil {
    528. 

  528. 			if !errors.Is(err, io.EOF) {
    529. 

  529. 				t.Errorf("testcase decode error %v", err)
    530. 

  530. 			}
    531. 

  531. 			break
    532. 

  532. 		}
    533. 

  533. 		runTestCase(tc, t)
    534. 

  534. 	}
    535. 

  535. }
    536. 

  536. 

  537. func testCaseServer(tc testCase, t *testing.T) *httptest.Server {
    538. 

  538. 	// Start a new server for every test case because the server wants to check the expected api path
    539. 

  539. 	return httptest.NewServer(http.HandlerFunc(func(rw http.ResponseWriter, req *http.Request) {
    540. 

  540. 		if tc.Want.Path != "" && req.URL.String() != tc.Want.Path {
    541. 

  541. 			t.Errorf("%s: unexpected api path: %s, expected %s", tc.Case, req.URL.String(), tc.Want.Path)
    542. 

  542. 		}
    543. 

  543. 		if tc.Want.Body != nil {
    544. 

  544. 			b, _ := io.ReadAll(req.Body)
    545. 

  545. 			if tc.Want.Body != nil && string(b) != *tc.Want.Body {
    546. 

  546. 				t.Errorf("%s: unexpected body: %s, expected %s", tc.Case, string(b), *tc.Want.Body)
    547. 

  547. 			}
    548. 

  548. 		}
    549. 

  549. 		if tc.Args.StatusCode != 0 {
    550. 

  550. 			rw.WriteHeader(tc.Args.StatusCode)
    551. 

  551. 		}
    552. 

  552. 		rw.Write([]byte(tc.Args.Response))
    553. 

  553. 	}))
    554. 

  554. }
    555. 

  555. 

  556. func parseTimeout(timeout string) (*metav1.Duration, error) {
    557. 

  557. 	if timeout == "" {
    558. 

  558. 		return nil, nil
    559. 

  559. 	}
    560. 

  560. 	dur, err := time.ParseDuration(timeout)
    561. 

  561. 	if err != nil {
    562. 

  562. 		return nil, err
    563. 

  563. 	}
    564. 

  564. 	return &metav1.Duration{Duration: dur}, nil
    565. 

  565. }
    566. 

  566. 

  567. func runTestCase(tc testCase, t *testing.T) {
    568. 

  568. 	t.Run(tc.Case, func(t *testing.T) {
    569. 

  569. 		ts := testCaseServer(tc, t)
    570. 

  570. 		defer ts.Close()
    571. 

  571. 

  572. 		testStore := makeClusterSecretStore(ts.URL, tc.Args)
    573. 

  573. 		var err error
    574. 

  574. 		timeout, err := parseTimeout(tc.Args.Timeout)
    575. 

  575. 		if err != nil {
    576. 

  576. 			t.Errorf("%s: error parsing timeout '%s': %s", tc.Case, tc.Args.Timeout, err.Error())
    577. 

  577. 			return
    578. 

  578. 		}
    579. 

  579. 		testStore.Spec.Provider.Webhook.Timeout = timeout
    580. 

  580. 		testProv := &Provider{}
    581. 

  581. 		client, err := testProv.NewClient(context.Background(), testStore, nil, "testnamespace")
    582. 

  582. 		if err != nil {
    583. 

  583. 			t.Errorf("%s: error creating client: %s", tc.Case, err.Error())
    584. 

  584. 			return
    585. 

  585. 		}
    586. 

  586. 

  587. 		if tc.Want.ResultMap != nil && !tc.Args.PushSecret {
    588. 

  588. 			testGetSecretMap(tc, t, client)
    589. 

  589. 		} else if !tc.Args.PushSecret {
    590. 

  590. 			testGetSecret(tc, t, client)
    591. 

  591. 		} else {
    592. 

  592. 			testPushSecret(tc, t, client)
    593. 

  593. 		}
    594. 

  594. 	})
    595. 

  595. }
    596. 

  596. 

  597. func testGetSecretMap(tc testCase, t *testing.T, client esv1.SecretsClient) {
    598. 

  598. 	testRef := esv1.ExternalSecretDataRemoteRef{
    599. 

  599. 		Key:     tc.Args.Key,
    600. 

  600. 		Version: tc.Args.Version,
    601. 

  601. 	}
    602. 

  602. 	secretmap, err := client.GetSecretMap(context.Background(), testRef)
    603. 

  603. 	errStr := ""
    604. 

  604. 	if err != nil {
    605. 

  605. 		errStr = err.Error()
    606. 

  606. 	}
    607. 

  607. 	if (tc.Want.Err == "") != (errStr == "") || !strings.Contains(errStr, tc.Want.Err) {
    608. 

  608. 		t.Errorf("%s: unexpected error: '%s' (expected '%s')", tc.Case, errStr, tc.Want.Err)
    609. 

  609. 	}
    610. 

  610. 	if err == nil {
    611. 

  611. 		for wantkey, wantval := range tc.Want.ResultMap {
    612. 

  612. 			gotval, ok := secretmap[wantkey]
    613. 

  613. 			if !ok {
    614. 

  614. 				t.Errorf("%s: unexpected response: wanted key '%s' not found", tc.Case, wantkey)
    615. 

  615. 			} else if string(gotval) != wantval {
    616. 

  616. 				t.Errorf("%s: unexpected response: key '%s' = '%s' (expected '%s')", tc.Case, wantkey, wantval, gotval)
    617. 

  617. 			}
    618. 

  618. 		}
    619. 

  619. 	}
    620. 

  620. }
    621. 

  621. 

  622. func testGetSecret(tc testCase, t *testing.T, client esv1.SecretsClient) {
    623. 

  623. 	testRef := esv1.ExternalSecretDataRemoteRef{
    624. 

  624. 		Key:      tc.Args.Key,
    625. 

  625. 		Property: tc.Args.Property,
    626. 

  626. 		Version:  tc.Args.Version,
    627. 

  627. 	}
    628. 

  628. 	ctx, cancel := context.WithTimeout(context.Background(), time.Second)
    629. 

  629. 	defer cancel()
    630. 

  630. 	secret, err := client.GetSecret(ctx, testRef)
    631. 

  631. 	errStr := ""
    632. 

  632. 	if err != nil {
    633. 

  633. 		errStr = err.Error()
    634. 

  634. 	}
    635. 

  635. 	if !strings.Contains(errStr, tc.Want.Err) {
    636. 

  636. 		t.Errorf("%s: unexpected error: '%s' (expected '%s')", tc.Case, errStr, tc.Want.Err)
    637. 

  637. 	}
    638. 

  638. 	if err == nil && string(secret) != tc.Want.Result {
    639. 

  639. 		t.Errorf("%s: unexpected response: '%s' (expected '%s')", tc.Case, secret, tc.Want.Result)
    640. 

  640. 	}
    641. 

  641. }
    642. 

  642. 

  643. func testPushSecret(tc testCase, t *testing.T, client esv1.SecretsClient) {
    644. 

  644. 	testRef := v1alpha1.PushSecretData{
    645. 

  645. 		Match: v1alpha1.PushSecretMatch{
    646. 

  646. 			SecretKey: tc.Args.SecretKey,
    647. 

  647. 			RemoteRef: v1alpha1.PushSecretRemoteRef{
    648. 

  648. 				RemoteKey: tc.Args.Key,
    649. 

  649. 			},
    650. 

  650. 		},
    651. 

  651. 	}
    652. 

  652. 

  653. 	data := map[string][]byte{}
    654. 

  654. 	for k, v := range tc.Args.Secret.Data {
    655. 

  655. 		data[k] = []byte(v)
    656. 

  656. 	}
    657. 

  657. 	sec := &corev1.Secret{
    658. 

  658. 		ObjectMeta: metav1.ObjectMeta{
    659. 

  659. 			Name: tc.Args.Secret.Name,
    660. 

  660. 		},
    661. 

  661. 		Data: data,
    662. 

  662. 	}
    663. 

  663. 	ctx, cancel := context.WithTimeout(context.Background(), time.Second)
    664. 

  664. 	defer cancel()
    665. 

  665. 	err := client.PushSecret(ctx, sec, testRef)
    666. 

  666. 	errStr := ""
    667. 

  667. 	if err != nil {
    668. 

  668. 		errStr = err.Error()
    669. 

  669. 	}
    670. 

  670. 	if tc.Want.Err == "" && errStr != "" {
    671. 

  671. 		t.Errorf("%s: unexpected error: '%s' (expected '%s')", tc.Case, errStr, tc.Want.Err)
    672. 

  672. 	}
    673. 

  673. 

  674. 	if !strings.Contains(errStr, tc.Want.Err) {
    675. 

  675. 		t.Errorf("%s: unexpected error: '%s' (expected '%s')", tc.Case, errStr, tc.Want.Err)
    676. 

  676. 	}
    677. 

  677. }
    678. 

  678. 

  679. func makeClusterSecretStore(url string, args args) *esv1.ClusterSecretStore {
    680. 

  680. 	store := &esv1.ClusterSecretStore{
    681. 

  681. 		TypeMeta: metav1.TypeMeta{
    682. 

  682. 			Kind: "ClusterSecretStore",
    683. 

  683. 		},
    684. 

  684. 		ObjectMeta: metav1.ObjectMeta{
    685. 

  685. 			Name:      "wehbook-store",
    686. 

  686. 			Namespace: "default",
    687. 

  687. 		},
    688. 

  688. 		Spec: esv1.SecretStoreSpec{
    689. 

  689. 			Provider: &esv1.SecretStoreProvider{
    690. 

  690. 				Webhook: &esv1.WebhookProvider{
    691. 

  691. 					URL:  url + args.URL,
    692. 

  692. 					Body: args.Body,
    693. 

  693. 					Headers: map[string]string{
    694. 

  694. 						"Content-Type":           "application.json",
    695. 

  695. 						"X-SecretKey":            "{{ .remoteRef.key }}",
    696. 

  696. 						"X-Kubernetes-Namespace": "{{ .remoteRef.namespace }}",
    697. 

  697. 					},
    698. 

  698. 					Result: esv1.WebhookResult{
    699. 

  699. 						JSONPath: args.JSONPath,
    700. 

  700. 					},
    701. 

  701. 				},
    702. 

  702. 			},
    703. 

  703. 		},
    704. 

  704. 	}
    705. 

  705. 	return store
    706. 

  706. }
    707.