Home Explore Help
Sign In
logic855
/
helm-external-secrets
mirror of https://github.com/external-secrets/external-secrets
1
0
Fork 0
Files Issues 0 Wiki
Tree: 413d1f9c07
Branches Tags
helm-externa...
/
providers
/
v1
/
infisical
/
api
/
api_test.go

api_test.go 8.5 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315 
  1. /*
    2. 

  2. Copyright © 2025 ESO Maintainer Team
    3. 

  3. 

  4. Licensed under the Apache License, Version 2.0 (the "License");
    5. 

  5. you may not use this file except in compliance with the License.
    6. 

  6. You may obtain a copy of the License at
    7. 

  7. 

  8.     https://www.apache.org/licenses/LICENSE-2.0
    9. 

  9. 

  10. Unless required by applicable law or agreed to in writing, software
    11. 

  11. distributed under the License is distributed on an "AS IS" BASIS,
    12. 

  12. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    13. 

  13. See the License for the specific language governing permissions and
    14. 

  14. limitations under the License.
    15. 

  15. */
    16. 

  16. 

  17. package api
    18. 

  18. 

  19. import (
    20. 

  20. 	"errors"
    21. 

  21. 	"fmt"
    22. 

  22. 	"regexp"
    23. 

  23. 	"strconv"
    24. 

  24. 	"testing"
    25. 

  25. 

  26. 	infisical "github.com/infisical/go-sdk"
    27. 

  27. 	"github.com/stretchr/testify/assert"
    28. 

  28. )
    29. 

  29. 

  30. func parseInfisicalAPIError(err error, t *testing.T) (int, string, error) {
    31. 

  31. 	var apiErr *infisical.APIError
    32. 

  32. 	assert.True(t, errors.As(err, &apiErr))
    33. 

  33. 

  34. 	// Regex to extract status-code
    35. 

  35. 	statusRegex := regexp.MustCompile(`\[status-code=(\d+)\]`)
    36. 

  36. 	statusMatch := statusRegex.FindStringSubmatch(apiErr.Error())
    37. 

  37. 

  38. 	// Regex to extract message (handles quoted content)
    39. 

  39. 	messageRegex := regexp.MustCompile(`\[message="([^"]*)"\]`)
    40. 

  40. 	messageMatch := messageRegex.FindStringSubmatch(apiErr.Error())
    41. 

  41. 

  42. 	if len(statusMatch) < 2 {
    43. 

  43. 		return 0, "", fmt.Errorf("status-code not found in error string")
    44. 

  44. 	}
    45. 

  45. 

  46. 	if len(messageMatch) < 2 {
    47. 

  47. 		return 0, "", fmt.Errorf("message not found in error string")
    48. 

  48. 	}
    49. 

  49. 

  50. 	statusCode, err := strconv.Atoi(statusMatch[1])
    51. 

  51. 	if err != nil {
    52. 

  52. 		return 0, "", fmt.Errorf("invalid status code: %w", err)
    53. 

  53. 	}
    54. 

  54. 

  55. 	return statusCode, messageMatch[1], nil
    56. 

  56. }
    57. 

  57. 

  58. const errNoAccessToken = "sdk client is not authenticated, cannot revoke access token"
    59. 

  59. 

  60. const (
    61. 

  61. 	fakeClientID        = "client-id"
    62. 

  62. 	fakeClientSecret    = "client-secret"
    63. 

  63. 	fakeToken           = "token"
    64. 

  64. 	fakeProjectSlug     = "first-project"
    65. 

  65. 	fakeEnvironmentSlug = "dev"
    66. 

  66. )
    67. 

  67. 

  68. func TestSetTokenViaMachineIdentity(t *testing.T) {
    69. 

  69. 	t.Run("Success", func(t *testing.T) {
    70. 

  70. 		apiClient, closeFunc := NewMockClient(200, MachineIdentityDetailsResponse{
    71. 

  71. 			AccessToken:       "foobar",
    72. 

  72. 			ExpiresIn:         2592000,
    73. 

  73. 			AccessTokenMaxTTL: 2592000,
    74. 

  74. 			TokenType:         "Bearer",
    75. 

  75. 		})
    76. 

  76. 		defer closeFunc()
    77. 

  77. 

  78. 		_, err := apiClient.Auth().UniversalAuthLogin(fakeClientID, fakeClientSecret)
    79. 

  79. 

  80. 		assert.NoError(t, err)
    81. 

  81. 		assert.Equal(t, apiClient.Auth().GetAccessToken(), "foobar")
    82. 

  82. 	})
    83. 

  83. 

  84. 	t.Run("SetTokenViaMachineIdentity: Error when non-200 response received", func(t *testing.T) {
    85. 

  85. 		apiClient, closeFunc := NewMockClient(401, InfisicalAPIErrorResponse{
    86. 

  86. 			StatusCode: 401,
    87. 

  87. 			Message:    "Unauthorized",
    88. 

  88. 		})
    89. 

  89. 		defer closeFunc()
    90. 

  90. 

  91. 		_, err := apiClient.Auth().UniversalAuthLogin(fakeClientID, fakeClientSecret)
    92. 

  92. 		assert.Error(t, err)
    93. 

  93. 

  94. 		apiErrorStatusCode, apiErrorMessage, err := parseInfisicalAPIError(err, t)
    95. 

  95. 		if err != nil {
    96. 

  96. 			t.Fatalf("Error parsing infisical API error: %v", err)
    97. 

  97. 		}
    98. 

  98. 

  99. 		assert.Equal(t, 401, apiErrorStatusCode)
    100. 

  100. 		assert.Equal(t, "Unauthorized", apiErrorMessage)
    101. 

  101. 	})
    102. 

  102. }
    103. 

  103. 

  104. func TestRevokeAccessToken(t *testing.T) {
    105. 

  105. 	t.Run("Success", func(t *testing.T) {
    106. 

  106. 		apiClient, closeFunc := NewMockClient(200, RevokeMachineIdentityAccessTokenResponse{
    107. 

  107. 			Message: "Success",
    108. 

  108. 		})
    109. 

  109. 		defer closeFunc()
    110. 

  110. 

  111. 		apiClient.Auth().SetAccessToken(fakeToken)
    112. 

  112. 

  113. 		err := apiClient.Auth().RevokeAccessToken()
    114. 

  114. 

  115. 		assert.NoError(t, err)
    116. 

  116. 		// Verify that the access token was unset.
    117. 

  117. 		assert.Equal(t, apiClient.Auth().GetAccessToken(), "")
    118. 

  118. 	})
    119. 

  119. 

  120. 	t.Run("RevokeAccessToken: Error when non-200 response received", func(t *testing.T) {
    121. 

  121. 		apiClient, closeFunc := NewMockClient(401, InfisicalAPIErrorResponse{
    122. 

  122. 			StatusCode: 401,
    123. 

  123. 			Message:    "Unauthorized",
    124. 

  124. 		})
    125. 

  125. 		defer closeFunc()
    126. 

  126. 

  127. 		apiClient.Auth().SetAccessToken(fakeToken)
    128. 

  128. 

  129. 		err := apiClient.Auth().RevokeAccessToken()
    130. 

  130. 		assert.Error(t, err)
    131. 

  131. 

  132. 		apiErrorStatusCode, apiErrorMessage, err := parseInfisicalAPIError(err, t)
    133. 

  133. 		if err != nil {
    134. 

  134. 			t.Fatalf("Error parsing infisical API error: %v", err)
    135. 

  135. 		}
    136. 

  136. 		assert.Equal(t, 401, apiErrorStatusCode)
    137. 

  137. 		assert.Equal(t, "Unauthorized", apiErrorMessage)
    138. 

  138. 	})
    139. 

  139. 

  140. 	t.Run("Error when no access token is set", func(t *testing.T) {
    141. 

  141. 		apiClient, closeFunc := NewMockClient(401, nil)
    142. 

  142. 		defer closeFunc()
    143. 

  143. 

  144. 		err := apiClient.Auth().RevokeAccessToken()
    145. 

  145. 

  146. 		assert.EqualError(t, err, errNoAccessToken)
    147. 

  147. 	})
    148. 

  148. }
    149. 

  149. 

  150. func TestGetSecretsV3(t *testing.T) {
    151. 

  151. 	t.Run("Works with secrets", func(t *testing.T) {
    152. 

  152. 		secrets := []SecretsV3{
    153. 

  153. 			{SecretKey: "foo", SecretValue: "bar"},
    154. 

  154. 		}
    155. 

  155. 

  156. 		apiClient, closeFunc := NewMockClient(200, GetSecretsV3Response{
    157. 

  157. 			Secrets: secrets,
    158. 

  158. 		})
    159. 

  159. 

  160. 		var sdkFormattedSecrets []infisical.Secret
    161. 

  161. 

  162. 		for _, secret := range secrets {
    163. 

  163. 			sdkFormattedSecrets = append(sdkFormattedSecrets, infisical.Secret{
    164. 

  164. 				SecretKey:   secret.SecretKey,
    165. 

  165. 				SecretValue: secret.SecretValue,
    166. 

  166. 			})
    167. 

  167. 		}
    168. 

  168. 

  169. 		defer closeFunc()
    170. 

  170. 

  171. 		sdkSecrets, err := apiClient.Secrets().List(infisical.ListSecretsOptions{
    172. 

  172. 			ProjectSlug: fakeProjectSlug,
    173. 

  173. 			Environment: fakeEnvironmentSlug,
    174. 

  174. 			SecretPath:  "/",
    175. 

  175. 			Recursive:   true,
    176. 

  176. 		})
    177. 

  177. 		assert.NoError(t, err)
    178. 

  178. 		assert.Equal(t, sdkSecrets, sdkFormattedSecrets)
    179. 

  179. 	})
    180. 

  180. 

  181. 	t.Run("Works with imported secrets", func(t *testing.T) {
    182. 

  182. 		secrets := []SecretsV3{
    183. 

  183. 			{SecretKey: "foo", SecretValue: "bar"},
    184. 

  184. 		}
    185. 

  185. 

  186. 		apiClient, closeFunc := NewMockClient(200, GetSecretsV3Response{
    187. 

  187. 			ImportedSecrets: []ImportedSecretV3{{
    188. 

  188. 				Secrets: secrets,
    189. 

  189. 			}},
    190. 

  190. 		})
    191. 

  191. 		defer closeFunc()
    192. 

  192. 

  193. 		var sdkFormattedSecrets []infisical.Secret
    194. 

  194. 

  195. 		for _, secret := range secrets {
    196. 

  196. 			sdkFormattedSecrets = append(sdkFormattedSecrets, infisical.Secret{
    197. 

  197. 				SecretKey:   secret.SecretKey,
    198. 

  198. 				SecretValue: secret.SecretValue,
    199. 

  199. 			})
    200. 

  200. 		}
    201. 

  201. 

  202. 		sdkSecrets, err := apiClient.Secrets().List(infisical.ListSecretsOptions{
    203. 

  203. 			ProjectSlug:    fakeProjectSlug,
    204. 

  204. 			Environment:    fakeEnvironmentSlug,
    205. 

  205. 			IncludeImports: true,
    206. 

  206. 			SecretPath:     "/",
    207. 

  207. 			Recursive:      true,
    208. 

  208. 		})
    209. 

  209. 		assert.NoError(t, err)
    210. 

  210. 		assert.Equal(t, sdkSecrets, sdkFormattedSecrets)
    211. 

  211. 	})
    212. 

  212. 

  213. 	t.Run("GetSecretsV3: Error when non-200 response received", func(t *testing.T) {
    214. 

  214. 		apiClient, closeFunc := NewMockClient(401, InfisicalAPIErrorResponse{
    215. 

  215. 			StatusCode: 401,
    216. 

  216. 			Message:    "Unauthorized",
    217. 

  217. 		})
    218. 

  218. 		defer closeFunc()
    219. 

  219. 

  220. 		_, err := apiClient.Secrets().List(infisical.ListSecretsOptions{
    221. 

  221. 			ProjectSlug: fakeProjectSlug,
    222. 

  222. 			Environment: fakeEnvironmentSlug,
    223. 

  223. 			SecretPath:  "/",
    224. 

  224. 			Recursive:   true,
    225. 

  225. 		})
    226. 

  226. 		assert.Error(t, err)
    227. 

  227. 

  228. 		apiErrorStatusCode, apiErrorMessage, err := parseInfisicalAPIError(err, t)
    229. 

  229. 		if err != nil {
    230. 

  230. 			t.Fatalf("Error parsing infisical API error: %v", err)
    231. 

  231. 		}
    232. 

  232. 

  233. 		assert.Equal(t, 401, apiErrorStatusCode)
    234. 

  234. 		assert.Equal(t, "Unauthorized", apiErrorMessage)
    235. 

  235. 	})
    236. 

  236. }
    237. 

  237. func TestGetSecretByKeyV3(t *testing.T) {
    238. 

  238. 	t.Run("Works", func(t *testing.T) {
    239. 

  239. 		secret := SecretsV3{
    240. 

  240. 			SecretKey:   "foo",
    241. 

  241. 			SecretValue: "bar",
    242. 

  242. 		}
    243. 

  243. 

  244. 		sdkFormattedSecret := infisical.Secret{
    245. 

  245. 			SecretKey:   secret.SecretKey,
    246. 

  246. 			SecretValue: secret.SecretValue,
    247. 

  247. 		}
    248. 

  248. 

  249. 		apiClient, closeFunc := NewMockClient(200, GetSecretByKeyV3Response{
    250. 

  250. 			Secret: secret,
    251. 

  251. 		})
    252. 

  252. 		defer closeFunc()
    253. 

  253. 

  254. 		sdkSecret, err := apiClient.Secrets().Retrieve(infisical.RetrieveSecretOptions{
    255. 

  255. 			ProjectSlug:    fakeProjectSlug,
    256. 

  256. 			Environment:    fakeEnvironmentSlug,
    257. 

  257. 			SecretPath:     "/",
    258. 

  258. 			IncludeImports: true,
    259. 

  259. 			SecretKey:      "foo",
    260. 

  260. 		})
    261. 

  261. 		assert.NoError(t, err)
    262. 

  262. 		assert.Equal(t, sdkSecret, sdkFormattedSecret)
    263. 

  263. 	})
    264. 

  264. 

  265. 	t.Run("Error when secret is not found", func(t *testing.T) {
    266. 

  266. 		apiClient, closeFunc := NewMockClient(404, InfisicalAPIErrorResponse{
    267. 

  267. 			StatusCode: 404,
    268. 

  268. 			Message:    "Not Found",
    269. 

  269. 		})
    270. 

  270. 		defer closeFunc()
    271. 

  271. 

  272. 		_, err := apiClient.Secrets().Retrieve(infisical.RetrieveSecretOptions{
    273. 

  273. 			ProjectSlug:    fakeProjectSlug,
    274. 

  274. 			Environment:    fakeEnvironmentSlug,
    275. 

  275. 			SecretPath:     "/",
    276. 

  276. 			IncludeImports: true,
    277. 

  277. 			SecretKey:      "foo",
    278. 

  278. 		})
    279. 

  279. 		assert.Error(t, err)
    280. 

  280. 

  281. 		apiErrorStatusCode, apiErrorMessage, err := parseInfisicalAPIError(err, t)
    282. 

  282. 		if err != nil {
    283. 

  283. 			t.Fatalf("Error parsing infisical API error: %v", err)
    284. 

  284. 		}
    285. 

  285. 

  286. 		assert.Equal(t, 404, apiErrorStatusCode)
    287. 

  287. 		assert.Equal(t, "Not Found", apiErrorMessage)
    288. 

  288. 	})
    289. 

  289. 

  290. 	// Test case where the request is unauthorized
    291. 

  291. 	t.Run("ErrorHandlingUnauthorized", func(t *testing.T) {
    292. 

  292. 		apiClient, closeFunc := NewMockClient(401, InfisicalAPIErrorResponse{
    293. 

  293. 			StatusCode: 401,
    294. 

  294. 			Message:    "Unauthorized",
    295. 

  295. 		})
    296. 

  296. 		defer closeFunc()
    297. 

  297. 

  298. 		_, err := apiClient.Secrets().Retrieve(infisical.RetrieveSecretOptions{
    299. 

  299. 			ProjectSlug:    fakeProjectSlug,
    300. 

  300. 			Environment:    fakeEnvironmentSlug,
    301. 

  301. 			SecretPath:     "/",
    302. 

  302. 			IncludeImports: true,
    303. 

  303. 			SecretKey:      "foo",
    304. 

  304. 		})
    305. 

  305. 		assert.Error(t, err)
    306. 

  306. 

  307. 		apiErrorStatusCode, apiErrorMessage, err := parseInfisicalAPIError(err, t)
    308. 

  308. 		if err != nil {
    309. 

  309. 			t.Fatalf("Error parsing infisical API error: %v", err)
    310. 

  310. 		}
    311. 

  311. 

  312. 		assert.Equal(t, 401, apiErrorStatusCode)
    313. 

  313. 		assert.Equal(t, "Unauthorized", apiErrorMessage)
    314. 

  314. 	})
    315. 

  315. }
    316.