parameterstore_test.go 8.7 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298
  1. /*
  2. Licensed under the Apache License, Version 2.0 (the "License");
  3. you may not use this file except in compliance with the License.
  4. You may obtain a copy of the License at
  5. http://www.apache.org/licenses/LICENSE-2.0
  6. Unless required by applicable law or agreed to in writing, software
  7. distributed under the License is distributed on an "AS IS" BASIS,
  8. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  9. See the License for the specific language governing permissions and
  10. limitations under the License.
  11. */
  12. package parameterstore
  13. import (
  14. "context"
  15. "errors"
  16. "fmt"
  17. "strings"
  18. "testing"
  19. "github.com/aws/aws-sdk-go/aws"
  20. "github.com/aws/aws-sdk-go/service/ssm"
  21. "github.com/crossplane/crossplane-runtime/pkg/test"
  22. "github.com/google/go-cmp/cmp"
  23. metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
  24. esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
  25. fakeps "github.com/external-secrets/external-secrets/pkg/provider/aws/parameterstore/fake"
  26. )
  27. type parameterstoreTestCase struct {
  28. fakeClient *fakeps.Client
  29. apiInput *ssm.GetParameterInput
  30. apiOutput *ssm.GetParameterOutput
  31. remoteRef *esv1beta1.ExternalSecretDataRemoteRef
  32. apiErr error
  33. expectError string
  34. expectedSecret string
  35. expectedData map[string]string
  36. }
  37. type fakeRef struct {
  38. key string
  39. }
  40. func (f fakeRef) GetRemoteKey() string {
  41. return f.key
  42. }
  43. func makeValidParameterStoreTestCase() *parameterstoreTestCase {
  44. return &parameterstoreTestCase{
  45. fakeClient: &fakeps.Client{},
  46. apiInput: makeValidAPIInput(),
  47. apiOutput: makeValidAPIOutput(),
  48. remoteRef: makeValidRemoteRef(),
  49. apiErr: nil,
  50. expectError: "",
  51. expectedSecret: "",
  52. expectedData: make(map[string]string),
  53. }
  54. }
  55. func makeValidAPIInput() *ssm.GetParameterInput {
  56. return &ssm.GetParameterInput{
  57. Name: aws.String("/baz"),
  58. WithDecryption: aws.Bool(true),
  59. }
  60. }
  61. func makeValidAPIOutput() *ssm.GetParameterOutput {
  62. return &ssm.GetParameterOutput{
  63. Parameter: &ssm.Parameter{
  64. Value: aws.String("RRRRR"),
  65. },
  66. }
  67. }
  68. func makeValidRemoteRef() *esv1beta1.ExternalSecretDataRemoteRef {
  69. return &esv1beta1.ExternalSecretDataRemoteRef{
  70. Key: "/baz",
  71. }
  72. }
  73. func makeValidParameterStoreTestCaseCustom(tweaks ...func(pstc *parameterstoreTestCase)) *parameterstoreTestCase {
  74. pstc := makeValidParameterStoreTestCase()
  75. for _, fn := range tweaks {
  76. fn(pstc)
  77. }
  78. pstc.fakeClient.WithValue(pstc.apiInput, pstc.apiOutput, pstc.apiErr)
  79. return pstc
  80. }
  81. func TestPushSecret(t *testing.T) {
  82. invalidPerameters := errors.New(ssm.ErrCodeInvalidParameters)
  83. putParameterOutput := &ssm.PutParameterOutput{}
  84. type args struct {
  85. store *esv1beta1.AWSProvider
  86. client fakeps.Client
  87. }
  88. type want struct {
  89. err error
  90. }
  91. tests := map[string]struct {
  92. reason string
  93. args args
  94. want want
  95. }{
  96. "PutParameterSucceeds": {
  97. reason: "a parameter can be successfully pushed to aws parameter store",
  98. args: args{
  99. store: makeValidParameterStore().Spec.Provider.AWS,
  100. client: fakeps.Client{
  101. PutParameterWithContextFn: fakeps.NewPutParameterWithContextFn(putParameterOutput, nil),
  102. },
  103. },
  104. want: want{
  105. err: nil,
  106. },
  107. },
  108. "SetParameterFailsWhenNoNameProvided": {
  109. reason: "test push secret with no name gives error",
  110. args: args{
  111. store: makeValidParameterStore().Spec.Provider.AWS,
  112. client: fakeps.Client{
  113. PutParameterWithContextFn: fakeps.NewPutParameterWithContextFn(putParameterOutput, invalidPerameters),
  114. },
  115. },
  116. want: want{
  117. err: invalidPerameters,
  118. },
  119. },
  120. }
  121. for name, tc := range tests {
  122. t.Run(name, func(t *testing.T) {
  123. ref := fakeRef{key: "fake-key"}
  124. ps := ParameterStore{
  125. client: &tc.args.client,
  126. }
  127. err := ps.SetSecret(context.TODO(), []byte("fakeValue"), ref)
  128. if diff := cmp.Diff(tc.want.err, err, test.EquateErrors()); diff != "" {
  129. t.Errorf("\nTesting SetSecret:\nName: %v\nReason: %v\nWant error: %v\nGot error: %v", name, tc.reason, tc.want.err, diff)
  130. }
  131. })
  132. }
  133. }
  134. // test the ssm<->aws interface
  135. // make sure correct values are passed and errors are handled accordingly.
  136. func TestGetSecret(t *testing.T) {
  137. // good case: key is passed in, output is sent back
  138. setSecretString := func(pstc *parameterstoreTestCase) {
  139. pstc.apiOutput.Parameter.Value = aws.String("RRRRR")
  140. pstc.expectedSecret = "RRRRR"
  141. }
  142. // good case: extract property
  143. setExtractProperty := func(pstc *parameterstoreTestCase) {
  144. pstc.apiOutput.Parameter.Value = aws.String(`{"/shmoo": "bang"}`)
  145. pstc.expectedSecret = "bang"
  146. pstc.remoteRef.Property = "/shmoo"
  147. }
  148. // good case: extract property with `.`
  149. setExtractPropertyWithDot := func(pstc *parameterstoreTestCase) {
  150. pstc.apiOutput.Parameter.Value = aws.String(`{"/shmoo.boom": "bang"}`)
  151. pstc.expectedSecret = "bang"
  152. pstc.remoteRef.Property = "/shmoo.boom"
  153. }
  154. // bad case: missing property
  155. setMissingProperty := func(pstc *parameterstoreTestCase) {
  156. pstc.apiOutput.Parameter.Value = aws.String(`{"/shmoo": "bang"}`)
  157. pstc.remoteRef.Property = "INVALPROP"
  158. pstc.expectError = "key INVALPROP does not exist in secret"
  159. }
  160. // bad case: parameter.Value not found
  161. setParameterValueNotFound := func(pstc *parameterstoreTestCase) {
  162. pstc.apiOutput.Parameter.Value = aws.String("NONEXISTENT")
  163. pstc.apiErr = esv1beta1.NoSecretErr
  164. pstc.expectError = "Secret does not exist"
  165. }
  166. // bad case: extract property failure due to invalid json
  167. setPropertyFail := func(pstc *parameterstoreTestCase) {
  168. pstc.apiOutput.Parameter.Value = aws.String(`------`)
  169. pstc.remoteRef.Property = "INVALPROP"
  170. pstc.expectError = "key INVALPROP does not exist in secret"
  171. }
  172. // bad case: parameter.Value may be nil but binary is set
  173. setParameterValueNil := func(pstc *parameterstoreTestCase) {
  174. pstc.apiOutput.Parameter.Value = nil
  175. pstc.expectError = "parameter value is nil for key"
  176. }
  177. // base case: api output return error
  178. setAPIError := func(pstc *parameterstoreTestCase) {
  179. pstc.apiOutput = &ssm.GetParameterOutput{}
  180. pstc.apiErr = fmt.Errorf("oh no")
  181. pstc.expectError = "oh no"
  182. }
  183. successCases := []*parameterstoreTestCase{
  184. makeValidParameterStoreTestCaseCustom(setSecretString),
  185. makeValidParameterStoreTestCaseCustom(setExtractProperty),
  186. makeValidParameterStoreTestCaseCustom(setMissingProperty),
  187. makeValidParameterStoreTestCaseCustom(setPropertyFail),
  188. makeValidParameterStoreTestCaseCustom(setParameterValueNil),
  189. makeValidParameterStoreTestCaseCustom(setAPIError),
  190. makeValidParameterStoreTestCaseCustom(setExtractPropertyWithDot),
  191. makeValidParameterStoreTestCaseCustom(setParameterValueNotFound),
  192. }
  193. ps := ParameterStore{}
  194. for k, v := range successCases {
  195. ps.client = v.fakeClient
  196. out, err := ps.GetSecret(context.Background(), *v.remoteRef)
  197. if !ErrorContains(err, v.expectError) {
  198. t.Errorf("[%d] unexpected error: %s, expected: '%s'", k, err.Error(), v.expectError)
  199. }
  200. if cmp.Equal(out, v.expectedSecret) {
  201. t.Errorf("[%d] unexpected secret data: expected %#v, got %#v", k, v.expectedSecret, out)
  202. }
  203. }
  204. }
  205. func TestGetSecretMap(t *testing.T) {
  206. // good case: default version & deserialization
  207. setDeserialization := func(pstc *parameterstoreTestCase) {
  208. pstc.apiOutput.Parameter.Value = aws.String(`{"foo":"bar"}`)
  209. pstc.expectedData["foo"] = "bar"
  210. }
  211. // bad case: api error returned
  212. setAPIError := func(pstc *parameterstoreTestCase) {
  213. pstc.apiOutput.Parameter = &ssm.Parameter{}
  214. pstc.expectError = "some api err"
  215. pstc.apiErr = fmt.Errorf("some api err")
  216. }
  217. // bad case: invalid json
  218. setInvalidJSON := func(pstc *parameterstoreTestCase) {
  219. pstc.apiOutput.Parameter.Value = aws.String(`-----------------`)
  220. pstc.expectError = "unable to unmarshal secret"
  221. }
  222. successCases := []*parameterstoreTestCase{
  223. makeValidParameterStoreTestCaseCustom(setDeserialization),
  224. makeValidParameterStoreTestCaseCustom(setAPIError),
  225. makeValidParameterStoreTestCaseCustom(setInvalidJSON),
  226. }
  227. ps := ParameterStore{}
  228. for k, v := range successCases {
  229. ps.client = v.fakeClient
  230. out, err := ps.GetSecretMap(context.Background(), *v.remoteRef)
  231. if !ErrorContains(err, v.expectError) {
  232. t.Errorf("[%d] unexpected error: %s, expected: '%s'", k, err.Error(), v.expectError)
  233. }
  234. if cmp.Equal(out, v.expectedData) {
  235. t.Errorf("[%d] unexpected secret data: expected %#v, got %#v", k, v.expectedData, out)
  236. }
  237. }
  238. }
  239. func makeValidParameterStore() *esv1beta1.SecretStore {
  240. return &esv1beta1.SecretStore{
  241. ObjectMeta: metav1.ObjectMeta{
  242. Name: "aws-parameterstore",
  243. Namespace: "default",
  244. },
  245. Spec: esv1beta1.SecretStoreSpec{
  246. Provider: &esv1beta1.SecretStoreProvider{
  247. AWS: &esv1beta1.AWSProvider{
  248. Service: esv1beta1.AWSServiceParameterStore,
  249. Region: "us-east-1",
  250. },
  251. },
  252. },
  253. }
  254. }
  255. func ErrorContains(out error, want string) bool {
  256. if out == nil {
  257. return want == ""
  258. }
  259. if want == "" {
  260. return false
  261. }
  262. return strings.Contains(out.Error(), want)
  263. }