Home Explore Help
Sign In
logic855
/
helm-external-secrets
mirror of https://github.com/external-secrets/external-secrets
1
0
Fork 0
Files Issues 0 Wiki
Tree: 34892e7e52
Branches Tags
helm-externa...
/
pkg
/
provider
/
yandex
/
lockbox
/
client
/
fakeclient.go

fakeclient.go 4.4 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136 
  1. /*
    2. 

  2. Licensed under the Apache License, Version 2.0 (the "License");
    3. 

  3. you may not use this file except in compliance with the License.
    4. 

  4. You may obtain a copy of the License at
    5. 

  5. 

  6. 	http://www.apache.org/licenses/LICENSE-2.0
    7. 

  7. 

  8. Unless required by applicable law or agreed to in writing, software
    9. 

  9. distributed under the License is distributed on an "AS IS" BASIS,
    10. 

  10. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    11. 

  11. See the License for the specific language governing permissions and
    12. 

  12. limitations under the License.
    13. 

  13. */
    14. 

  14. package client
    15. 

  15. 

  16. import (
    17. 

  17. 	"context"
    18. 

  18. 	"fmt"
    19. 

  19. 	"time"
    20. 

  20. 

  21. 	"github.com/google/go-cmp/cmp"
    22. 

  22. 	"github.com/google/go-cmp/cmp/cmpopts"
    23. 

  23. 	"github.com/google/uuid"
    24. 

  24. 	api "github.com/yandex-cloud/go-genproto/yandex/cloud/lockbox/v1"
    25. 

  25. 	"github.com/yandex-cloud/go-sdk/iamkey"
    26. 

  26. 

  27. 	"github.com/external-secrets/external-secrets/pkg/provider/yandex/common"
    28. 

  28. 	"github.com/external-secrets/external-secrets/pkg/provider/yandex/common/clock"
    29. 

  29. )
    30. 

  30. 

  31. // Fake implementation of LockboxClient.
    32. 

  32. type fakeLockboxClient struct {
    33. 

  33. 	fakeLockboxServer *FakeLockboxServer
    34. 

  34. }
    35. 

  35. 

  36. func NewFakeLockboxClient(fakeLockboxServer *FakeLockboxServer) LockboxClient {
    37. 

  37. 	return &fakeLockboxClient{fakeLockboxServer}
    38. 

  38. }
    39. 

  39. 

  40. func (c *fakeLockboxClient) GetPayloadEntries(ctx context.Context, iamToken, secretID, versionID string) ([]*api.Payload_Entry, error) {
    41. 

  41. 	return c.fakeLockboxServer.getEntries(iamToken, secretID, versionID)
    42. 

  42. }
    43. 

  43. 

  44. // Fakes Yandex Lockbox service backend.
    45. 

  45. type FakeLockboxServer struct {
    46. 

  46. 	secretMap  map[secretKey]secretValue   // secret specific data
    47. 

  47. 	versionMap map[versionKey]versionValue // version specific data
    48. 

  48. 	tokenMap   map[tokenKey]tokenValue     // token specific data
    49. 

  49. 

  50. 	tokenExpirationDuration time.Duration
    51. 

  51. 	clock                   clock.Clock
    52. 

  52. }
    53. 

  53. 

  54. type secretKey struct {
    55. 

  55. 	secretID string
    56. 

  56. }
    57. 

  57. 

  58. type secretValue struct {
    59. 

  59. 	expectedAuthorizedKey *iamkey.Key // authorized key expected to access the secret
    60. 

  60. }
    61. 

  61. 

  62. type versionKey struct {
    63. 

  63. 	secretID  string
    64. 

  64. 	versionID string
    65. 

  65. }
    66. 

  66. 

  67. type versionValue struct {
    68. 

  68. 	entries []*api.Payload_Entry
    69. 

  69. }
    70. 

  70. 

  71. type tokenKey struct {
    72. 

  72. 	token string
    73. 

  73. }
    74. 

  74. 

  75. type tokenValue struct {
    76. 

  76. 	authorizedKey *iamkey.Key
    77. 

  77. 	expiresAt     time.Time
    78. 

  78. }
    79. 

  79. 

  80. func NewFakeLockboxServer(clock clock.Clock, tokenExpirationDuration time.Duration) *FakeLockboxServer {
    81. 

  81. 	return &FakeLockboxServer{
    82. 

  82. 		secretMap:               make(map[secretKey]secretValue),
    83. 

  83. 		versionMap:              make(map[versionKey]versionValue),
    84. 

  84. 		tokenMap:                make(map[tokenKey]tokenValue),
    85. 

  85. 		tokenExpirationDuration: tokenExpirationDuration,
    86. 

  86. 		clock:                   clock,
    87. 

  87. 	}
    88. 

  88. }
    89. 

  89. 

  90. func (s *FakeLockboxServer) CreateSecret(authorizedKey *iamkey.Key, entries ...*api.Payload_Entry) (string, string) {
    91. 

  91. 	secretID := uuid.NewString()
    92. 

  92. 	versionID := uuid.NewString()
    93. 

  93. 

  94. 	s.secretMap[secretKey{secretID}] = secretValue{authorizedKey}
    95. 

  95. 	s.versionMap[versionKey{secretID, ""}] = versionValue{entries} // empty versionID corresponds to the latest version
    96. 

  96. 	s.versionMap[versionKey{secretID, versionID}] = versionValue{entries}
    97. 

  97. 

  98. 	return secretID, versionID
    99. 

  99. }
    100. 

  100. 

  101. func (s *FakeLockboxServer) AddVersion(secretID string, entries ...*api.Payload_Entry) string {
    102. 

  102. 	versionID := uuid.NewString()
    103. 

  103. 

  104. 	s.versionMap[versionKey{secretID, ""}] = versionValue{entries} // empty versionID corresponds to the latest version
    105. 

  105. 	s.versionMap[versionKey{secretID, versionID}] = versionValue{entries}
    106. 

  106. 

  107. 	return versionID
    108. 

  108. }
    109. 

  109. 

  110. func (s *FakeLockboxServer) NewIamToken(authorizedKey *iamkey.Key) *common.IamToken {
    111. 

  111. 	token := uuid.NewString()
    112. 

  112. 	expiresAt := s.clock.CurrentTime().Add(s.tokenExpirationDuration)
    113. 

  113. 	s.tokenMap[tokenKey{token}] = tokenValue{authorizedKey, expiresAt}
    114. 

  114. 	return &common.IamToken{Token: token, ExpiresAt: expiresAt}
    115. 

  115. }
    116. 

  116. 

  117. func (s *FakeLockboxServer) getEntries(iamToken, secretID, versionID string) ([]*api.Payload_Entry, error) {
    118. 

  118. 	if _, ok := s.secretMap[secretKey{secretID}]; !ok {
    119. 

  119. 		return nil, fmt.Errorf("secret not found")
    120. 

  120. 	}
    121. 

  121. 	if _, ok := s.versionMap[versionKey{secretID, versionID}]; !ok {
    122. 

  122. 		return nil, fmt.Errorf("version not found")
    123. 

  123. 	}
    124. 

  124. 	if _, ok := s.tokenMap[tokenKey{iamToken}]; !ok {
    125. 

  125. 		return nil, fmt.Errorf("unauthenticated")
    126. 

  126. 	}
    127. 

  127. 

  128. 	if s.tokenMap[tokenKey{iamToken}].expiresAt.Before(s.clock.CurrentTime()) {
    129. 

  129. 		return nil, fmt.Errorf("iam token expired")
    130. 

  130. 	}
    131. 

  131. 	if !cmp.Equal(s.tokenMap[tokenKey{iamToken}].authorizedKey, s.secretMap[secretKey{secretID}].expectedAuthorizedKey, cmpopts.IgnoreUnexported(iamkey.Key{})) {
    132. 

  132. 		return nil, fmt.Errorf("permission denied")
    133. 

  133. 	}
    134. 

  134. 

  135. 	return s.versionMap[versionKey{secretID, versionID}].entries, nil
    136. 

  136. }
    137.