Trang chủ Khám phá Trợ giúp
Đăng nhập
logic855
/
helm-external-secrets
mirror of https://github.com/external-secrets/external-secrets
1
0
Fork 0
Các tập tin Các vấn đề 0 Wiki
Tree: 47cc50a9ed
Branches Tags
helm-externa...
/
pkg
/
provider
/
azure
/
keyvault
/
keyvault_auth_test.go

keyvault_auth_test.go 14 KB
Lịch sử Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465 
  1. /*
    2. 

  2. Licensed under the Apache License, Version 2.0 (the "License");
    3. 

  3. you may not use this file except in compliance with the License.
    4. 

  4. You may obtain a copy of the License at
    5. 

  5. 

  6.     http://www.apache.org/licenses/LICENSE-2.0
    7. 

  7. 

  8. Unless required by applicable law or agreed to in writing, software
    9. 

  9. distributed under the License is distributed on an "AS IS" BASIS,
    10. 

  10. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    11. 

  11. See the License for the specific language governing permissions and
    12. 

  12. limitations under the License.
    13. 

  13. */
    14. 

  14. 

  15. package keyvault
    16. 

  16. 

  17. import (
    18. 

  18. 	"context"
    19. 

  19. 	"net/http"
    20. 

  20. 	"os"
    21. 

  21. 	"strings"
    22. 

  22. 	"testing"
    23. 

  23. 

  24. 	"github.com/Azure/go-autorest/autorest"
    25. 

  25. 	"github.com/Azure/go-autorest/autorest/adal"
    26. 

  26. 	tassert "github.com/stretchr/testify/assert"
    27. 

  27. 	corev1 "k8s.io/api/core/v1"
    28. 

  28. 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
    29. 

  29. 	pointer "k8s.io/utils/ptr"
    30. 

  30. 	"sigs.k8s.io/controller-runtime/pkg/client"
    31. 

  31. 	clientfake "sigs.k8s.io/controller-runtime/pkg/client/fake"
    32. 

  32. 

  33. 	esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
    34. 

  34. 	v1 "github.com/external-secrets/external-secrets/apis/meta/v1"
    35. 

  35. 	utilfake "github.com/external-secrets/external-secrets/pkg/provider/util/fake"
    36. 

  36. )
    37. 

  37. 

  38. var vaultURL = "https://local.vault.url"
    39. 

  39. 

  40. func TestNewClientManagedIdentityNoNeedForCredentials(t *testing.T) {
    41. 

  41. 	namespace := "internal"
    42. 

  42. 	identityID := "1234"
    43. 

  43. 	authType := esv1beta1.AzureManagedIdentity
    44. 

  44. 	store := esv1beta1.SecretStore{
    45. 

  45. 		ObjectMeta: metav1.ObjectMeta{
    46. 

  46. 			Namespace: namespace,
    47. 

  47. 		},
    48. 

  48. 		Spec: esv1beta1.SecretStoreSpec{Provider: &esv1beta1.SecretStoreProvider{AzureKV: &esv1beta1.AzureKVProvider{
    49. 

  49. 			AuthType:   &authType,
    50. 

  50. 			IdentityID: &identityID,
    51. 

  51. 			VaultURL:   &vaultURL,
    52. 

  52. 		}}},
    53. 

  53. 	}
    54. 

  54. 	k8sClient := clientfake.NewClientBuilder().Build()
    55. 

  55. 	az := &Azure{
    56. 

  56. 		crClient:  k8sClient,
    57. 

  57. 		namespace: namespace,
    58. 

  58. 		provider:  store.Spec.Provider.AzureKV,
    59. 

  59. 		store:     &store,
    60. 

  60. 	}
    61. 

  61. 	authorizer, err := az.authorizerForManagedIdentity()
    62. 

  62. 	if err != nil {
    63. 

  63. 		// On non Azure environment, MSI auth not available, so this error should be returned
    64. 

  64. 		tassert.EqualError(t, err, "failed to get oauth token from MSI: MSI not available")
    65. 

  65. 	} else {
    66. 

  66. 		// On Azure (where GitHub Actions are running) a secretClient is returned, as only an Authorizer is configured, but no token is requested for MI
    67. 

  67. 		tassert.NotNil(t, authorizer)
    68. 

  68. 	}
    69. 

  69. }
    70. 

  70. 

  71. func TestGetAuthorizorForWorkloadIdentity(t *testing.T) {
    72. 

  72. 	const (
    73. 

  73. 		tenantID      = "my-tenant-id"
    74. 

  74. 		clientID      = "my-client-id"
    75. 

  75. 		azAccessToken = "my-access-token"
    76. 

  76. 		saToken       = "FAKETOKEN"
    77. 

  77. 		saName        = "az-wi"
    78. 

  78. 		namespace     = "default"
    79. 

  79. 		secretName    = "mi-spec"
    80. 

  80. 	)
    81. 

  81. 

  82. 	// create a temporary file to imitate
    83. 

  83. 	// azure workload identity webhook
    84. 

  84. 	// see AZURE_FEDERATED_TOKEN_FILE
    85. 

  85. 	tf, err := os.CreateTemp("", "")
    86. 

  86. 	tassert.Nil(t, err)
    87. 

  87. 	defer os.RemoveAll(tf.Name())
    88. 

  88. 	_, err = tf.WriteString(saToken)
    89. 

  89. 	tassert.Nil(t, err)
    90. 

  90. 	tokenFile := tf.Name()
    91. 

  91. 

  92. 	authType := esv1beta1.AzureWorkloadIdentity
    93. 

  93. 

  94. 	defaultProvider := &esv1beta1.AzureKVProvider{
    95. 

  95. 		VaultURL: &vaultURL,
    96. 

  96. 		AuthType: &authType,
    97. 

  97. 		ServiceAccountRef: &v1.ServiceAccountSelector{
    98. 

  98. 			Name: saName,
    99. 

  99. 		},
    100. 

  100. 	}
    101. 

  101. 

  102. 	type testCase struct {
    103. 

  103. 		name       string
    104. 

  104. 		provider   *esv1beta1.AzureKVProvider
    105. 

  105. 		k8sObjects []client.Object
    106. 

  106. 		prep       func(*testing.T)
    107. 

  107. 		expErr     string
    108. 

  108. 	}
    109. 

  109. 

  110. 	for _, row := range []testCase{
    111. 

  111. 		{
    112. 

  112. 			name:     "missing service account",
    113. 

  113. 			provider: defaultProvider,
    114. 

  114. 			expErr:   "serviceaccounts \"" + saName + "\" not found",
    115. 

  115. 		},
    116. 

  116. 		{
    117. 

  117. 			name:     "missing webhook env vars",
    118. 

  118. 			provider: &esv1beta1.AzureKVProvider{},
    119. 

  119. 			expErr:   "missing environment variables. AZURE_CLIENT_ID, AZURE_TENANT_ID and AZURE_FEDERATED_TOKEN_FILE must be set",
    120. 

  120. 		},
    121. 

  121. 		{
    122. 

  122. 			name:     "missing workload identity token file",
    123. 

  123. 			provider: &esv1beta1.AzureKVProvider{},
    124. 

  124. 			prep: func(t *testing.T) {
    125. 

  125. 				t.Setenv("AZURE_CLIENT_ID", clientID)
    126. 

  126. 				t.Setenv("AZURE_TENANT_ID", tenantID)
    127. 

  127. 				t.Setenv("AZURE_FEDERATED_TOKEN_FILE", "invalid file")
    128. 

  128. 			},
    129. 

  129. 			expErr: "unable to read token file invalid file: open invalid file: no such file or directory",
    130. 

  130. 		},
    131. 

  131. 		{
    132. 

  132. 			name:     "correct workload identity",
    133. 

  133. 			provider: &esv1beta1.AzureKVProvider{},
    134. 

  134. 			prep: func(t *testing.T) {
    135. 

  135. 				t.Setenv("AZURE_CLIENT_ID", clientID)
    136. 

  136. 				t.Setenv("AZURE_TENANT_ID", tenantID)
    137. 

  137. 				t.Setenv("AZURE_FEDERATED_TOKEN_FILE", tokenFile)
    138. 

  138. 			},
    139. 

  139. 		},
    140. 

  140. 		{
    141. 

  141. 			name:     "missing sa annotations, tenantID, and clientId/tenantId AuthSecretRef",
    142. 

  142. 			provider: defaultProvider,
    143. 

  143. 			k8sObjects: []client.Object{
    144. 

  144. 				&corev1.ServiceAccount{
    145. 

  145. 					ObjectMeta: metav1.ObjectMeta{
    146. 

  146. 						Name:        saName,
    147. 

  147. 						Namespace:   namespace,
    148. 

  148. 						Annotations: map[string]string{},
    149. 

  149. 					},
    150. 

  150. 				},
    151. 

  151. 			},
    152. 

  152. 			expErr: "missing clientID: either serviceAccountRef or service account annotation 'azure.workload.identity/client-id' is missing",
    153. 

  153. 		},
    154. 

  154. 		{
    155. 

  155. 			name: "duplicated clientId",
    156. 

  156. 			provider: &esv1beta1.AzureKVProvider{
    157. 

  157. 				VaultURL: &vaultURL,
    158. 

  158. 				AuthType: &authType,
    159. 

  159. 				TenantID: pointer.To(tenantID),
    160. 

  160. 				ServiceAccountRef: &v1.ServiceAccountSelector{
    161. 

  161. 					Name: saName,
    162. 

  162. 				},
    163. 

  163. 				AuthSecretRef: &esv1beta1.AzureKVAuth{
    164. 

  164. 					ClientID: &v1.SecretKeySelector{Name: secretName, Namespace: pointer.To(namespace), Key: clientID},
    165. 

  165. 					TenantID: &v1.SecretKeySelector{Name: secretName, Namespace: pointer.To(namespace), Key: tenantID},
    166. 

  166. 				},
    167. 

  167. 			},
    168. 

  168. 			k8sObjects: []client.Object{
    169. 

  169. 				&corev1.ServiceAccount{
    170. 

  170. 					ObjectMeta: metav1.ObjectMeta{
    171. 

  171. 						Name:      saName,
    172. 

  172. 						Namespace: namespace,
    173. 

  173. 						Annotations: map[string]string{
    174. 

  174. 							AnnotationClientID: clientID,
    175. 

  175. 							AnnotationTenantID: tenantID,
    176. 

  176. 						},
    177. 

  177. 					},
    178. 

  178. 				},
    179. 

  179. 				&corev1.Secret{
    180. 

  180. 					ObjectMeta: metav1.ObjectMeta{
    181. 

  181. 						Name:      secretName,
    182. 

  182. 						Namespace: namespace,
    183. 

  183. 					},
    184. 

  184. 					Data: map[string][]byte{
    185. 

  185. 						clientID: []byte("clientid"),
    186. 

  186. 						tenantID: []byte("tenantid"),
    187. 

  187. 					},
    188. 

  188. 				},
    189. 

  189. 			},
    190. 

  190. 			expErr: "multiple clientID found. Check secretRef and serviceAccountRef",
    191. 

  191. 		},
    192. 

  192. 		{
    193. 

  193. 			name: "duplicated tenantId",
    194. 

  194. 			provider: &esv1beta1.AzureKVProvider{
    195. 

  195. 				VaultURL: &vaultURL,
    196. 

  196. 				AuthType: &authType,
    197. 

  197. 				TenantID: pointer.To(tenantID),
    198. 

  198. 				ServiceAccountRef: &v1.ServiceAccountSelector{
    199. 

  199. 					Name: saName,
    200. 

  200. 				},
    201. 

  201. 			},
    202. 

  202. 			k8sObjects: []client.Object{
    203. 

  203. 				&corev1.ServiceAccount{
    204. 

  204. 					ObjectMeta: metav1.ObjectMeta{
    205. 

  205. 						Name:      saName,
    206. 

  206. 						Namespace: namespace,
    207. 

  207. 						Annotations: map[string]string{
    208. 

  208. 							AnnotationClientID: clientID,
    209. 

  209. 							AnnotationTenantID: tenantID,
    210. 

  210. 						},
    211. 

  211. 					},
    212. 

  212. 				},
    213. 

  213. 			},
    214. 

  214. 			expErr: "multiple tenantID found. Check secretRef, 'spec.provider.azurekv.tenantId', and serviceAccountRef",
    215. 

  215. 		},
    216. 

  216. 		{
    217. 

  217. 			name:     "successful case #1: ClientID, TenantID from ServiceAccountRef",
    218. 

  218. 			provider: defaultProvider,
    219. 

  219. 			k8sObjects: []client.Object{
    220. 

  220. 				&corev1.ServiceAccount{
    221. 

  221. 					ObjectMeta: metav1.ObjectMeta{
    222. 

  222. 						Name:      saName,
    223. 

  223. 						Namespace: namespace,
    224. 

  224. 						Annotations: map[string]string{
    225. 

  225. 							AnnotationClientID: clientID,
    226. 

  226. 							AnnotationTenantID: tenantID,
    227. 

  227. 						},
    228. 

  228. 					},
    229. 

  229. 				},
    230. 

  230. 			},
    231. 

  231. 		},
    232. 

  232. 		{
    233. 

  233. 			name: "successful case #2: ClientID, TenantID from AuthSecretRef",
    234. 

  234. 			provider: &esv1beta1.AzureKVProvider{
    235. 

  235. 				VaultURL: &vaultURL,
    236. 

  236. 				AuthType: &authType,
    237. 

  237. 				ServiceAccountRef: &v1.ServiceAccountSelector{
    238. 

  238. 					Name: saName,
    239. 

  239. 				},
    240. 

  240. 				AuthSecretRef: &esv1beta1.AzureKVAuth{
    241. 

  241. 					ClientID: &v1.SecretKeySelector{Name: secretName, Namespace: pointer.To(namespace), Key: clientID},
    242. 

  242. 					TenantID: &v1.SecretKeySelector{Name: secretName, Namespace: pointer.To(namespace), Key: tenantID},
    243. 

  243. 				},
    244. 

  244. 			},
    245. 

  245. 			k8sObjects: []client.Object{
    246. 

  246. 				&corev1.ServiceAccount{
    247. 

  247. 					ObjectMeta: metav1.ObjectMeta{
    248. 

  248. 						Name:        saName,
    249. 

  249. 						Namespace:   namespace,
    250. 

  250. 						Annotations: map[string]string{},
    251. 

  251. 					},
    252. 

  252. 				},
    253. 

  253. 				&corev1.Secret{
    254. 

  254. 					ObjectMeta: metav1.ObjectMeta{
    255. 

  255. 						Name:      secretName,
    256. 

  256. 						Namespace: namespace,
    257. 

  257. 					},
    258. 

  258. 					Data: map[string][]byte{
    259. 

  259. 						clientID: []byte("clientid"),
    260. 

  260. 						tenantID: []byte("tenantid"),
    261. 

  261. 					},
    262. 

  262. 				},
    263. 

  263. 			},
    264. 

  264. 		},
    265. 

  265. 		{
    266. 

  266. 			name: "successful case #3: ClientID from AuthSecretRef, TenantID from provider",
    267. 

  267. 			provider: &esv1beta1.AzureKVProvider{
    268. 

  268. 				VaultURL: &vaultURL,
    269. 

  269. 				AuthType: &authType,
    270. 

  270. 				TenantID: pointer.To(tenantID),
    271. 

  271. 				ServiceAccountRef: &v1.ServiceAccountSelector{
    272. 

  272. 					Name: saName,
    273. 

  273. 				},
    274. 

  274. 				AuthSecretRef: &esv1beta1.AzureKVAuth{
    275. 

  275. 					ClientID: &v1.SecretKeySelector{Name: secretName, Namespace: pointer.To(namespace), Key: clientID},
    276. 

  276. 				},
    277. 

  277. 			},
    278. 

  278. 			k8sObjects: []client.Object{
    279. 

  279. 				&corev1.ServiceAccount{
    280. 

  280. 					ObjectMeta: metav1.ObjectMeta{
    281. 

  281. 						Name:        saName,
    282. 

  282. 						Namespace:   namespace,
    283. 

  283. 						Annotations: map[string]string{},
    284. 

  284. 					},
    285. 

  285. 				},
    286. 

  286. 				&corev1.Secret{
    287. 

  287. 					ObjectMeta: metav1.ObjectMeta{
    288. 

  288. 						Name:      secretName,
    289. 

  289. 						Namespace: namespace,
    290. 

  290. 					},
    291. 

  291. 					Data: map[string][]byte{
    292. 

  292. 						clientID: []byte("clientid"),
    293. 

  293. 					},
    294. 

  294. 				},
    295. 

  295. 			},
    296. 

  296. 		},
    297. 

  297. 	} {
    298. 

  298. 		t.Run(row.name, func(t *testing.T) {
    299. 

  299. 			store := esv1beta1.SecretStore{
    300. 

  300. 				Spec: esv1beta1.SecretStoreSpec{Provider: &esv1beta1.SecretStoreProvider{
    301. 

  301. 					AzureKV: row.provider,
    302. 

  302. 				}},
    303. 

  303. 			}
    304. 

  304. 			k8sClient := clientfake.NewClientBuilder().
    305. 

  305. 				WithObjects(row.k8sObjects...).
    306. 

  306. 				Build()
    307. 

  307. 			az := &Azure{
    308. 

  308. 				store:      &store,
    309. 

  309. 				namespace:  namespace,
    310. 

  310. 				crClient:   k8sClient,
    311. 

  311. 				kubeClient: utilfake.NewCreateTokenMock().WithToken(saToken),
    312. 

  312. 				provider:   store.Spec.Provider.AzureKV,
    313. 

  313. 			}
    314. 

  314. 			tokenProvider := func(ctx context.Context, token, clientID, tenantID, aadEndpoint, kvResource string) (adal.OAuthTokenProvider, error) {
    315. 

  315. 				tassert.Equal(t, token, saToken)
    316. 

  316. 				tassert.Equal(t, clientID, clientID)
    317. 

  317. 				tassert.Equal(t, tenantID, tenantID)
    318. 

  318. 				return &tokenProvider{accessToken: azAccessToken}, nil
    319. 

  319. 			}
    320. 

  320. 			if row.prep != nil {
    321. 

  321. 				row.prep(t)
    322. 

  322. 			}
    323. 

  323. 			authorizer, err := az.authorizerForWorkloadIdentity(context.Background(), tokenProvider)
    324. 

  324. 			if row.expErr == "" {
    325. 

  325. 				tassert.NotNil(t, authorizer)
    326. 

  326. 				tassert.Equal(t, getTokenFromAuthorizer(t, authorizer), azAccessToken)
    327. 

  327. 			} else {
    328. 

  328. 				tassert.EqualError(t, err, row.expErr)
    329. 

  329. 			}
    330. 

  330. 		})
    331. 

  331. 	}
    332. 

  332. }
    333. 

  333. 

  334. func TestAuth(t *testing.T) {
    335. 

  335. 	defaultStore := esv1beta1.SecretStore{
    336. 

  336. 		ObjectMeta: metav1.ObjectMeta{
    337. 

  337. 			Namespace: "default",
    338. 

  338. 		},
    339. 

  339. 		Spec: esv1beta1.SecretStoreSpec{
    340. 

  340. 			Provider: &esv1beta1.SecretStoreProvider{},
    341. 

  341. 		},
    342. 

  342. 	}
    343. 

  343. 	authType := esv1beta1.AzureServicePrincipal
    344. 

  344. 

  345. 	type testCase struct {
    346. 

  346. 		name     string
    347. 

  347. 		provider *esv1beta1.AzureKVProvider
    348. 

  348. 		store    esv1beta1.GenericStore
    349. 

  349. 		objects  []client.Object
    350. 

  350. 		expErr   string
    351. 

  351. 	}
    352. 

  352. 	for _, row := range []testCase{
    353. 

  353. 		{
    354. 

  354. 			name:   "bad config",
    355. 

  355. 			expErr: "missing secretRef in provider config",
    356. 

  356. 			store:  &defaultStore,
    357. 

  357. 			provider: &esv1beta1.AzureKVProvider{
    358. 

  358. 				AuthType: &authType,
    359. 

  359. 				VaultURL: &vaultURL,
    360. 

  360. 				TenantID: pointer.To("mytenant"),
    361. 

  361. 			},
    362. 

  362. 		},
    363. 

  363. 		{
    364. 

  364. 			name:   "bad config",
    365. 

  365. 			expErr: "missing accessKeyID/secretAccessKey in store config",
    366. 

  366. 			store:  &defaultStore,
    367. 

  367. 			provider: &esv1beta1.AzureKVProvider{
    368. 

  368. 				AuthType:      &authType,
    369. 

  369. 				VaultURL:      &vaultURL,
    370. 

  370. 				TenantID:      pointer.To("mytenant"),
    371. 

  371. 				AuthSecretRef: &esv1beta1.AzureKVAuth{},
    372. 

  372. 			},
    373. 

  373. 		},
    374. 

  374. 		{
    375. 

  375. 			name:   "bad config: missing secret",
    376. 

  376. 			expErr: "cannot get Kubernetes secret \"password\": secrets \"password\" not found",
    377. 

  377. 			store:  &defaultStore,
    378. 

  378. 			provider: &esv1beta1.AzureKVProvider{
    379. 

  379. 				AuthType: &authType,
    380. 

  380. 				VaultURL: &vaultURL,
    381. 

  381. 				TenantID: pointer.To("mytenant"),
    382. 

  382. 				AuthSecretRef: &esv1beta1.AzureKVAuth{
    383. 

  383. 					ClientSecret: &v1.SecretKeySelector{Name: "password"},
    384. 

  384. 					ClientID:     &v1.SecretKeySelector{Name: "password"},
    385. 

  385. 				},
    386. 

  386. 			},
    387. 

  387. 		},
    388. 

  388. 		{
    389. 

  389. 			name:   "cluster secret store",
    390. 

  390. 			expErr: "cannot get Kubernetes secret \"password\": secrets \"password\" not found",
    391. 

  391. 			store: &esv1beta1.ClusterSecretStore{
    392. 

  392. 				TypeMeta: metav1.TypeMeta{
    393. 

  393. 					Kind: esv1beta1.ClusterSecretStoreKind,
    394. 

  394. 				},
    395. 

  395. 				Spec: esv1beta1.SecretStoreSpec{Provider: &esv1beta1.SecretStoreProvider{}},
    396. 

  396. 			},
    397. 

  397. 			provider: &esv1beta1.AzureKVProvider{
    398. 

  398. 				AuthType: &authType,
    399. 

  399. 				VaultURL: &vaultURL,
    400. 

  400. 				TenantID: pointer.To("mytenant"),
    401. 

  401. 				AuthSecretRef: &esv1beta1.AzureKVAuth{
    402. 

  402. 					ClientSecret: &v1.SecretKeySelector{Name: "password", Namespace: pointer.To("foo")},
    403. 

  403. 					ClientID:     &v1.SecretKeySelector{Name: "password", Namespace: pointer.To("foo")},
    404. 

  404. 				},
    405. 

  405. 			},
    406. 

  406. 		},
    407. 

  407. 		{
    408. 

  408. 			name: "correct cluster secret store",
    409. 

  409. 			objects: []client.Object{&corev1.Secret{
    410. 

  410. 				ObjectMeta: metav1.ObjectMeta{
    411. 

  411. 					Name:      "password",
    412. 

  412. 					Namespace: "foo",
    413. 

  413. 				},
    414. 

  414. 				Data: map[string][]byte{
    415. 

  415. 					"id":     []byte("foo"),
    416. 

  416. 					"secret": []byte("bar"),
    417. 

  417. 				},
    418. 

  418. 			}},
    419. 

  419. 			store: &esv1beta1.ClusterSecretStore{
    420. 

  420. 				TypeMeta: metav1.TypeMeta{
    421. 

  421. 					Kind: esv1beta1.ClusterSecretStoreKind,
    422. 

  422. 				},
    423. 

  423. 				Spec: esv1beta1.SecretStoreSpec{Provider: &esv1beta1.SecretStoreProvider{}},
    424. 

  424. 			},
    425. 

  425. 			provider: &esv1beta1.AzureKVProvider{
    426. 

  426. 				AuthType: &authType,
    427. 

  427. 				VaultURL: &vaultURL,
    428. 

  428. 				TenantID: pointer.To("mytenant"),
    429. 

  429. 				AuthSecretRef: &esv1beta1.AzureKVAuth{
    430. 

  430. 					ClientSecret: &v1.SecretKeySelector{Name: "password", Namespace: pointer.To("foo"), Key: "secret"},
    431. 

  431. 					ClientID:     &v1.SecretKeySelector{Name: "password", Namespace: pointer.To("foo"), Key: "id"},
    432. 

  432. 				},
    433. 

  433. 			},
    434. 

  434. 		},
    435. 

  435. 	} {
    436. 

  436. 		t.Run(row.name, func(t *testing.T) {
    437. 

  437. 			k8sClient := clientfake.NewClientBuilder().WithObjects(row.objects...).Build()
    438. 

  438. 			spec := row.store.GetSpec()
    439. 

  439. 			spec.Provider.AzureKV = row.provider
    440. 

  440. 			az := &Azure{
    441. 

  441. 				crClient:  k8sClient,
    442. 

  442. 				namespace: "default",
    443. 

  443. 				provider:  spec.Provider.AzureKV,
    444. 

  444. 				store:     row.store,
    445. 

  445. 			}
    446. 

  446. 			authorizer, err := az.authorizerForServicePrincipal(context.Background())
    447. 

  447. 			if row.expErr == "" {
    448. 

  448. 				tassert.Nil(t, err)
    449. 

  449. 				tassert.NotNil(t, authorizer)
    450. 

  450. 			} else {
    451. 

  451. 				tassert.EqualError(t, err, row.expErr)
    452. 

  452. 			}
    453. 

  453. 		})
    454. 

  454. 	}
    455. 

  455. }
    456. 

  456. 

  457. func getTokenFromAuthorizer(t *testing.T, authorizer autorest.Authorizer) string {
    458. 

  458. 	rq, _ := http.NewRequest("POST", "http://example.com", http.NoBody)
    459. 

  459. 	_, err := authorizer.WithAuthorization()(
    460. 

  460. 		autorest.PreparerFunc(func(r *http.Request) (*http.Request, error) {
    461. 

  461. 			return rq, nil
    462. 

  462. 		})).Prepare(rq)
    463. 

  463. 	tassert.Nil(t, err)
    464. 

  464. 	return strings.TrimPrefix(rq.Header.Get("Authorization"), "Bearer ")
    465. 

  465. }
    466.