Home Explore Help
Sign In
logic855
/
helm-external-secrets
mirror of https://github.com/external-secrets/external-secrets
1
0
Fork 0
Files Issues 0 Wiki
Tree: 53cc579ee8
Branches Tags
helm-externa...
/
pkg
/
provider
/
aws
/
secretsmanager
/
secretsmanager_test.go

secretsmanager_test.go 20 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732 
  1. /*
    2. 

  2. Licensed under the Apache License, Version 2.0 (the "License");
    3. 

  3. you may not use this file except in compliance with the License.
    4. 

  4. You may obtain a copy of the License at
    5. 

  5. 

  6.     http://www.apache.org/licenses/LICENSE-2.0
    7. 

  7. 

  8. Unless required by applicable law or agreed to in writing, software
    9. 

  9. distributed under the License is distributed on an "AS IS" BASIS,
    10. 

  10. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    11. 

  11. See the License for the specific language governing permissions and
    12. 

  12. limitations under the License.
    13. 

  13. */
    14. 

  14. package secretsmanager
    15. 

  15. 

  16. import (
    17. 

  17. 	"context"
    18. 

  18. 	"fmt"
    19. 

  19. 	"os"
    20. 

  20. 	"strings"
    21. 

  21. 	"testing"
    22. 

  22. 	"time"
    23. 

  23. 

  24. 	"github.com/aws/aws-sdk-go/aws"
    25. 

  25. 	"github.com/aws/aws-sdk-go/aws/credentials/stscreds"
    26. 

  26. 	"github.com/aws/aws-sdk-go/aws/session"
    27. 

  27. 	awssm "github.com/aws/aws-sdk-go/service/secretsmanager"
    28. 

  28. 	"github.com/aws/aws-sdk-go/service/sts"
    29. 

  29. 	"github.com/google/go-cmp/cmp"
    30. 

  30. 	"github.com/stretchr/testify/assert"
    31. 

  31. 	v1 "k8s.io/api/core/v1"
    32. 

  32. 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
    33. 

  33. 	clientfake "sigs.k8s.io/controller-runtime/pkg/client/fake"
    34. 

  34. 

  35. 	esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
    36. 

  36. 	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
    37. 

  37. 	awsprovider "github.com/external-secrets/external-secrets/pkg/provider/aws"
    38. 

  38. 	fakesm "github.com/external-secrets/external-secrets/pkg/provider/aws/secretsmanager/fake"
    39. 

  39. )
    40. 

  40. 

  41. func TestConstructor(t *testing.T) {
    42. 

  42. 	rows := []ConstructorRow{
    43. 

  43. 		{
    44. 

  44. 			name:      "nil store",
    45. 

  45. 			expectErr: "found nil store",
    46. 

  46. 			store:     nil,
    47. 

  47. 		},
    48. 

  48. 		{
    49. 

  49. 			name:      "not store spec",
    50. 

  50. 			expectErr: "storeSpec is missing provider",
    51. 

  51. 			store:     &esv1alpha1.SecretStore{},
    52. 

  52. 		},
    53. 

  53. 		{
    54. 

  54. 			name:      "store spec has no provider",
    55. 

  55. 			expectErr: "storeSpec is missing provider",
    56. 

  56. 			store: &esv1alpha1.SecretStore{
    57. 

  57. 				Spec: esv1alpha1.SecretStoreSpec{},
    58. 

  58. 			},
    59. 

  59. 		},
    60. 

  60. 		{
    61. 

  61. 			name:      "spec has no awssm field",
    62. 

  62. 			expectErr: "Missing AWSSM field",
    63. 

  63. 			store: &esv1alpha1.SecretStore{
    64. 

  64. 				Spec: esv1alpha1.SecretStoreSpec{
    65. 

  65. 					Provider: &esv1alpha1.SecretStoreProvider{},
    66. 

  66. 				},
    67. 

  67. 			},
    68. 

  68. 		},
    69. 

  69. 		{
    70. 

  70. 			name: "configure aws using environment variables",
    71. 

  71. 			store: &esv1alpha1.SecretStore{
    72. 

  72. 				Spec: esv1alpha1.SecretStoreSpec{
    73. 

  73. 					Provider: &esv1alpha1.SecretStoreProvider{
    74. 

  74. 						AWSSM: &esv1alpha1.AWSSMProvider{},
    75. 

  75. 					},
    76. 

  76. 				},
    77. 

  77. 			},
    78. 

  78. 			env: map[string]string{
    79. 

  79. 				"AWS_ACCESS_KEY_ID":     "1111",
    80. 

  80. 				"AWS_SECRET_ACCESS_KEY": "2222",
    81. 

  81. 			},
    82. 

  82. 			expectProvider:    true,
    83. 

  83. 			expectedKeyID:     "1111",
    84. 

  84. 			expectedSecretKey: "2222",
    85. 

  85. 		},
    86. 

  86. 		{
    87. 

  87. 			name: "configure aws using environment variables + assume role",
    88. 

  88. 			stsProvider: func(*session.Session) stscreds.AssumeRoler {
    89. 

  89. 				return &fakesm.AssumeRoler{
    90. 

  90. 					AssumeRoleFunc: func(input *sts.AssumeRoleInput) (*sts.AssumeRoleOutput, error) {
    91. 

  91. 						assert.Equal(t, *input.RoleArn, "foo-bar-baz")
    92. 

  92. 						return &sts.AssumeRoleOutput{
    93. 

  93. 							AssumedRoleUser: &sts.AssumedRoleUser{
    94. 

  94. 								Arn:           aws.String("1123132"),
    95. 

  95. 								AssumedRoleId: aws.String("xxxxx"),
    96. 

  96. 							},
    97. 

  97. 							Credentials: &sts.Credentials{
    98. 

  98. 								AccessKeyId:     aws.String("3333"),
    99. 

  99. 								SecretAccessKey: aws.String("4444"),
    100. 

  100. 								Expiration:      aws.Time(time.Now().Add(time.Hour)),
    101. 

  101. 								SessionToken:    aws.String("6666"),
    102. 

  102. 							},
    103. 

  103. 						}, nil
    104. 

  104. 					},
    105. 

  105. 				}
    106. 

  106. 			},
    107. 

  107. 			store: &esv1alpha1.SecretStore{
    108. 

  108. 				Spec: esv1alpha1.SecretStoreSpec{
    109. 

  109. 					Provider: &esv1alpha1.SecretStoreProvider{
    110. 

  110. 						AWSSM: &esv1alpha1.AWSSMProvider{
    111. 

  111. 							Role: "foo-bar-baz",
    112. 

  112. 						},
    113. 

  113. 					},
    114. 

  114. 				},
    115. 

  115. 			},
    116. 

  116. 			env: map[string]string{
    117. 

  117. 				"AWS_ACCESS_KEY_ID":     "1111",
    118. 

  118. 				"AWS_SECRET_ACCESS_KEY": "2222",
    119. 

  119. 			},
    120. 

  120. 			expectProvider:    true,
    121. 

  121. 			expectedKeyID:     "3333",
    122. 

  122. 			expectedSecretKey: "4444",
    123. 

  123. 		},
    124. 

  124. 		{
    125. 

  125. 			name:      "error out when secret with credentials does not exist",
    126. 

  126. 			namespace: "foo",
    127. 

  127. 			store: &esv1alpha1.SecretStore{
    128. 

  128. 				Spec: esv1alpha1.SecretStoreSpec{
    129. 

  129. 					Provider: &esv1alpha1.SecretStoreProvider{
    130. 

  130. 						AWSSM: &esv1alpha1.AWSSMProvider{
    131. 

  131. 							Auth: &esv1alpha1.AWSSMAuth{
    132. 

  132. 								SecretRef: esv1alpha1.AWSSMAuthSecretRef{
    133. 

  133. 									AccessKeyID: esmeta.SecretKeySelector{
    134. 

  134. 										Name: "othersecret",
    135. 

  135. 										Key:  "one",
    136. 

  136. 									},
    137. 

  137. 									SecretAccessKey: esmeta.SecretKeySelector{
    138. 

  138. 										Name: "othersecret",
    139. 

  139. 										Key:  "two",
    140. 

  140. 									},
    141. 

  141. 								},
    142. 

  142. 							},
    143. 

  143. 						},
    144. 

  144. 					},
    145. 

  145. 				},
    146. 

  146. 			},
    147. 

  147. 			expectErr: `secrets "othersecret" not found`,
    148. 

  148. 		},
    149. 

  149. 		{
    150. 

  150. 			name:      "use credentials from secret to configure aws",
    151. 

  151. 			namespace: "foo",
    152. 

  152. 			store: &esv1alpha1.SecretStore{
    153. 

  153. 				Spec: esv1alpha1.SecretStoreSpec{
    154. 

  154. 					Provider: &esv1alpha1.SecretStoreProvider{
    155. 

  155. 						AWSSM: &esv1alpha1.AWSSMProvider{
    156. 

  156. 							Auth: &esv1alpha1.AWSSMAuth{
    157. 

  157. 								SecretRef: esv1alpha1.AWSSMAuthSecretRef{
    158. 

  158. 									AccessKeyID: esmeta.SecretKeySelector{
    159. 

  159. 										Name: "onesecret",
    160. 

  160. 										// Namespace is not set
    161. 

  161. 										Key: "one",
    162. 

  162. 									},
    163. 

  163. 									SecretAccessKey: esmeta.SecretKeySelector{
    164. 

  164. 										Name: "onesecret",
    165. 

  165. 										// Namespace is not set
    166. 

  166. 										Key: "two",
    167. 

  167. 									},
    168. 

  168. 								},
    169. 

  169. 							},
    170. 

  170. 						},
    171. 

  171. 					},
    172. 

  172. 				},
    173. 

  173. 			},
    174. 

  174. 			secrets: []v1.Secret{
    175. 

  175. 				{
    176. 

  176. 					ObjectMeta: metav1.ObjectMeta{
    177. 

  177. 						Name:      "onesecret",
    178. 

  178. 						Namespace: "foo",
    179. 

  179. 					},
    180. 

  180. 					Data: map[string][]byte{
    181. 

  181. 						"one": []byte("1111"),
    182. 

  182. 						"two": []byte("2222"),
    183. 

  183. 					},
    184. 

  184. 				},
    185. 

  185. 			},
    186. 

  186. 			expectProvider:    true,
    187. 

  187. 			expectedKeyID:     "1111",
    188. 

  188. 			expectedSecretKey: "2222",
    189. 

  189. 		},
    190. 

  190. 		{
    191. 

  191. 			name:      "error out when secret key does not exist",
    192. 

  192. 			namespace: "foo",
    193. 

  193. 			store: &esv1alpha1.SecretStore{
    194. 

  194. 				Spec: esv1alpha1.SecretStoreSpec{
    195. 

  195. 					Provider: &esv1alpha1.SecretStoreProvider{
    196. 

  196. 						AWSSM: &esv1alpha1.AWSSMProvider{
    197. 

  197. 							Auth: &esv1alpha1.AWSSMAuth{
    198. 

  198. 								SecretRef: esv1alpha1.AWSSMAuthSecretRef{
    199. 

  199. 									AccessKeyID: esmeta.SecretKeySelector{
    200. 

  200. 										Name: "brokensecret",
    201. 

  201. 										Key:  "one",
    202. 

  202. 									},
    203. 

  203. 									SecretAccessKey: esmeta.SecretKeySelector{
    204. 

  204. 										Name: "brokensecret",
    205. 

  205. 										Key:  "two",
    206. 

  206. 									},
    207. 

  207. 								},
    208. 

  208. 							},
    209. 

  209. 						},
    210. 

  210. 					},
    211. 

  211. 				},
    212. 

  212. 			},
    213. 

  213. 			secrets: []v1.Secret{
    214. 

  214. 				{
    215. 

  215. 					ObjectMeta: metav1.ObjectMeta{
    216. 

  216. 						Name:      "brokensecret",
    217. 

  217. 						Namespace: "foo",
    218. 

  218. 					},
    219. 

  219. 					Data: map[string][]byte{},
    220. 

  220. 				},
    221. 

  221. 			},
    222. 

  222. 			expectErr: "missing SecretAccessKey",
    223. 

  223. 		},
    224. 

  224. 		{
    225. 

  225. 			name:      "should not be able to access secrets from different namespace",
    226. 

  226. 			namespace: "foo",
    227. 

  227. 			store: &esv1alpha1.SecretStore{
    228. 

  228. 				Spec: esv1alpha1.SecretStoreSpec{
    229. 

  229. 					Provider: &esv1alpha1.SecretStoreProvider{
    230. 

  230. 						AWSSM: &esv1alpha1.AWSSMProvider{
    231. 

  231. 							Auth: &esv1alpha1.AWSSMAuth{
    232. 

  232. 								SecretRef: esv1alpha1.AWSSMAuthSecretRef{
    233. 

  233. 									AccessKeyID: esmeta.SecretKeySelector{
    234. 

  234. 										Name:      "onesecret",
    235. 

  235. 										Namespace: aws.String("evil"), // this should not be possible!
    236. 

  236. 										Key:       "one",
    237. 

  237. 									},
    238. 

  238. 									SecretAccessKey: esmeta.SecretKeySelector{
    239. 

  239. 										Name:      "onesecret",
    240. 

  240. 										Namespace: aws.String("evil"),
    241. 

  241. 										Key:       "two",
    242. 

  242. 									},
    243. 

  243. 								},
    244. 

  244. 							},
    245. 

  245. 						},
    246. 

  246. 					},
    247. 

  247. 				},
    248. 

  248. 			},
    249. 

  249. 			secrets: []v1.Secret{
    250. 

  250. 				{
    251. 

  251. 					ObjectMeta: metav1.ObjectMeta{
    252. 

  252. 						Name:      "onesecret",
    253. 

  253. 						Namespace: "evil",
    254. 

  254. 					},
    255. 

  255. 					Data: map[string][]byte{
    256. 

  256. 						"one": []byte("1111"),
    257. 

  257. 						"two": []byte("2222"),
    258. 

  258. 					},
    259. 

  259. 				},
    260. 

  260. 			},
    261. 

  261. 			expectErr: `secrets "onesecret" not found`,
    262. 

  262. 		},
    263. 

  263. 		{
    264. 

  264. 			name:      "ClusterStore should use credentials from a specific namespace",
    265. 

  265. 			namespace: "es-namespace",
    266. 

  266. 			store: &esv1alpha1.ClusterSecretStore{
    267. 

  267. 				TypeMeta: metav1.TypeMeta{
    268. 

  268. 					APIVersion: esv1alpha1.ClusterSecretStoreKindAPIVersion,
    269. 

  269. 					Kind:       esv1alpha1.ClusterSecretStoreKind,
    270. 

  270. 				},
    271. 

  271. 				Spec: esv1alpha1.SecretStoreSpec{
    272. 

  272. 					Provider: &esv1alpha1.SecretStoreProvider{
    273. 

  273. 						AWSSM: &esv1alpha1.AWSSMProvider{
    274. 

  274. 							Auth: &esv1alpha1.AWSSMAuth{
    275. 

  275. 								SecretRef: esv1alpha1.AWSSMAuthSecretRef{
    276. 

  276. 									AccessKeyID: esmeta.SecretKeySelector{
    277. 

  277. 										Name:      "onesecret",
    278. 

  278. 										Namespace: aws.String("platform-team-ns"),
    279. 

  279. 										Key:       "one",
    280. 

  280. 									},
    281. 

  281. 									SecretAccessKey: esmeta.SecretKeySelector{
    282. 

  282. 										Name:      "onesecret",
    283. 

  283. 										Namespace: aws.String("platform-team-ns"),
    284. 

  284. 										Key:       "two",
    285. 

  285. 									},
    286. 

  286. 								},
    287. 

  287. 							},
    288. 

  288. 						},
    289. 

  289. 					},
    290. 

  290. 				},
    291. 

  291. 			},
    292. 

  292. 			secrets: []v1.Secret{
    293. 

  293. 				{
    294. 

  294. 					ObjectMeta: metav1.ObjectMeta{
    295. 

  295. 						Name:      "onesecret",
    296. 

  296. 						Namespace: "platform-team-ns",
    297. 

  297. 					},
    298. 

  298. 					Data: map[string][]byte{
    299. 

  299. 						"one": []byte("1111"),
    300. 

  300. 						"two": []byte("2222"),
    301. 

  301. 					},
    302. 

  302. 				},
    303. 

  303. 			},
    304. 

  304. 			expectProvider:    true,
    305. 

  305. 			expectedKeyID:     "1111",
    306. 

  306. 			expectedSecretKey: "2222",
    307. 

  307. 		},
    308. 

  308. 		{
    309. 

  309. 			name:      "namespace is mandatory when using ClusterStore with SecretKeySelector",
    310. 

  310. 			namespace: "es-namespace",
    311. 

  311. 			store: &esv1alpha1.ClusterSecretStore{
    312. 

  312. 				TypeMeta: metav1.TypeMeta{
    313. 

  313. 					APIVersion: esv1alpha1.ClusterSecretStoreKindAPIVersion,
    314. 

  314. 					Kind:       esv1alpha1.ClusterSecretStoreKind,
    315. 

  315. 				},
    316. 

  316. 				Spec: esv1alpha1.SecretStoreSpec{
    317. 

  317. 					Provider: &esv1alpha1.SecretStoreProvider{
    318. 

  318. 						AWSSM: &esv1alpha1.AWSSMProvider{
    319. 

  319. 							Auth: &esv1alpha1.AWSSMAuth{
    320. 

  320. 								SecretRef: esv1alpha1.AWSSMAuthSecretRef{
    321. 

  321. 									AccessKeyID: esmeta.SecretKeySelector{
    322. 

  322. 										Name: "onesecret",
    323. 

  323. 										Key:  "one",
    324. 

  324. 									},
    325. 

  325. 									SecretAccessKey: esmeta.SecretKeySelector{
    326. 

  326. 										Name: "onesecret",
    327. 

  327. 										Key:  "two",
    328. 

  328. 									},
    329. 

  329. 								},
    330. 

  330. 							},
    331. 

  331. 						},
    332. 

  332. 					},
    333. 

  333. 				},
    334. 

  334. 			},
    335. 

  335. 			expectErr: "invalid ClusterSecretStore: missing AWSSM AccessKeyID Namespace",
    336. 

  336. 		},
    337. 

  337. 	}
    338. 

  338. 	for i := range rows {
    339. 

  339. 		row := rows[i]
    340. 

  340. 		t.Run(row.name, func(t *testing.T) {
    341. 

  341. 			testRow(t, row)
    342. 

  342. 		})
    343. 

  343. 	}
    344. 

  344. }
    345. 

  345. 

  346. type ConstructorRow struct {
    347. 

  347. 	name              string
    348. 

  348. 	store             esv1alpha1.GenericStore
    349. 

  349. 	secrets           []v1.Secret
    350. 

  350. 	namespace         string
    351. 

  351. 	stsProvider       awsprovider.STSProvider
    352. 

  352. 	expectProvider    bool
    353. 

  353. 	expectErr         string
    354. 

  354. 	expectedKeyID     string
    355. 

  355. 	expectedSecretKey string
    356. 

  356. 	env               map[string]string
    357. 

  357. }
    358. 

  358. 

  359. func testRow(t *testing.T, row ConstructorRow) {
    360. 

  360. 	kc := clientfake.NewClientBuilder().Build()
    361. 

  361. 	for i := range row.secrets {
    362. 

  362. 		err := kc.Create(context.Background(), &row.secrets[i])
    363. 

  363. 		assert.Nil(t, err)
    364. 

  364. 	}
    365. 

  365. 	for k, v := range row.env {
    366. 

  366. 		os.Setenv(k, v)
    367. 

  367. 	}
    368. 

  368. 	defer func() {
    369. 

  369. 		for k := range row.env {
    370. 

  370. 			os.Unsetenv(k)
    371. 

  371. 		}
    372. 

  372. 	}()
    373. 

  373. 	sm := SecretsManager{
    374. 

  374. 		stsProvider: row.stsProvider,
    375. 

  375. 	}
    376. 

  376. 	newsm, err := sm.New(context.Background(), row.store, kc, row.namespace)
    377. 

  377. 	if !ErrorContains(err, row.expectErr) {
    378. 

  378. 		t.Errorf("expected error %s but found %s", row.expectErr, err.Error())
    379. 

  379. 	}
    380. 

  380. 	// pass test on expected error
    381. 

  381. 	if err != nil {
    382. 

  382. 		return
    383. 

  383. 	}
    384. 

  384. 	if row.expectProvider && newsm == nil {
    385. 

  385. 		t.Errorf("expected provider object, found nil")
    386. 

  386. 		return
    387. 

  387. 	}
    388. 

  388. 	creds, _ := newsm.(*SecretsManager).session.Config.Credentials.Get()
    389. 

  389. 	assert.Equal(t, creds.AccessKeyID, row.expectedKeyID)
    390. 

  390. 	assert.Equal(t, creds.SecretAccessKey, row.expectedSecretKey)
    391. 

  391. }
    392. 

  392. 

  393. func TestSMEnvCredentials(t *testing.T) {
    394. 

  394. 	k8sClient := clientfake.NewClientBuilder().Build()
    395. 

  395. 	sm := &SecretsManager{}
    396. 

  396. 	os.Setenv("AWS_SECRET_ACCESS_KEY", "1111")
    397. 

  397. 	os.Setenv("AWS_ACCESS_KEY_ID", "2222")
    398. 

  398. 	defer os.Unsetenv("AWS_SECRET_ACCESS_KEY")
    399. 

  399. 	defer os.Unsetenv("AWS_ACCESS_KEY_ID")
    400. 

  400. 	smi, err := sm.New(context.Background(), &esv1alpha1.SecretStore{
    401. 

  401. 		Spec: esv1alpha1.SecretStoreSpec{
    402. 

  402. 			Provider: &esv1alpha1.SecretStoreProvider{
    403. 

  403. 				// defaults
    404. 

  404. 				AWSSM: &esv1alpha1.AWSSMProvider{},
    405. 

  405. 			},
    406. 

  406. 		},
    407. 

  407. 	}, k8sClient, "example-ns")
    408. 

  408. 	assert.Nil(t, err)
    409. 

  409. 	assert.NotNil(t, smi)
    410. 

  410. 

  411. 	creds, err := sm.session.Config.Credentials.Get()
    412. 

  412. 	assert.Nil(t, err)
    413. 

  413. 	assert.Equal(t, creds.AccessKeyID, "2222")
    414. 

  414. 	assert.Equal(t, creds.SecretAccessKey, "1111")
    415. 

  415. }
    416. 

  416. 

  417. func TestSMAssumeRole(t *testing.T) {
    418. 

  418. 	k8sClient := clientfake.NewClientBuilder().Build()
    419. 

  419. 	sts := &fakesm.AssumeRoler{
    420. 

  420. 		AssumeRoleFunc: func(input *sts.AssumeRoleInput) (*sts.AssumeRoleOutput, error) {
    421. 

  421. 			// make sure the correct role is passed in
    422. 

  422. 			assert.Equal(t, *input.RoleArn, "my-awesome-role")
    423. 

  423. 			return &sts.AssumeRoleOutput{
    424. 

  424. 				AssumedRoleUser: &sts.AssumedRoleUser{
    425. 

  425. 					Arn:           aws.String("1123132"),
    426. 

  426. 					AssumedRoleId: aws.String("xxxxx"),
    427. 

  427. 				},
    428. 

  428. 				Credentials: &sts.Credentials{
    429. 

  429. 					AccessKeyId:     aws.String("3333"),
    430. 

  430. 					SecretAccessKey: aws.String("4444"),
    431. 

  431. 					Expiration:      aws.Time(time.Now().Add(time.Hour)),
    432. 

  432. 					SessionToken:    aws.String("6666"),
    433. 

  433. 				},
    434. 

  434. 			}, nil
    435. 

  435. 		},
    436. 

  436. 	}
    437. 

  437. 	sm := &SecretsManager{
    438. 

  438. 		stsProvider: func(se *session.Session) stscreds.AssumeRoler {
    439. 

  439. 			// check if the correct temporary credentials were used
    440. 

  440. 			creds, err := se.Config.Credentials.Get()
    441. 

  441. 			assert.Nil(t, err)
    442. 

  442. 			assert.Equal(t, creds.AccessKeyID, "2222")
    443. 

  443. 			assert.Equal(t, creds.SecretAccessKey, "1111")
    444. 

  444. 			return sts
    445. 

  445. 		},
    446. 

  446. 	}
    447. 

  447. 	os.Setenv("AWS_SECRET_ACCESS_KEY", "1111")
    448. 

  448. 	os.Setenv("AWS_ACCESS_KEY_ID", "2222")
    449. 

  449. 	defer os.Unsetenv("AWS_SECRET_ACCESS_KEY")
    450. 

  450. 	defer os.Unsetenv("AWS_ACCESS_KEY_ID")
    451. 

  451. 	smi, err := sm.New(context.Background(), &esv1alpha1.SecretStore{
    452. 

  452. 		Spec: esv1alpha1.SecretStoreSpec{
    453. 

  453. 			Provider: &esv1alpha1.SecretStoreProvider{
    454. 

  454. 				// do assume role!
    455. 

  455. 				AWSSM: &esv1alpha1.AWSSMProvider{
    456. 

  456. 					Role: "my-awesome-role",
    457. 

  457. 				},
    458. 

  458. 			},
    459. 

  459. 		},
    460. 

  460. 	}, k8sClient, "example-ns")
    461. 

  461. 	assert.Nil(t, err)
    462. 

  462. 	assert.NotNil(t, smi)
    463. 

  463. 

  464. 	creds, err := sm.session.Config.Credentials.Get()
    465. 

  465. 	assert.Nil(t, err)
    466. 

  466. 	assert.Equal(t, creds.AccessKeyID, "3333")
    467. 

  467. 	assert.Equal(t, creds.SecretAccessKey, "4444")
    468. 

  468. }
    469. 

  469. 

  470. // test the sm<->aws interface
    471. 

  471. // make sure correct values are passed and errors are handled accordingly.
    472. 

  472. func TestGetSecret(t *testing.T) {
    473. 

  473. 	fake := &fakesm.Client{}
    474. 

  474. 	p := &SecretsManager{
    475. 

  475. 		client: fake,
    476. 

  476. 	}
    477. 

  477. 	for i, row := range []struct {
    478. 

  478. 		apiInput       *awssm.GetSecretValueInput
    479. 

  479. 		apiOutput      *awssm.GetSecretValueOutput
    480. 

  480. 		rr             esv1alpha1.ExternalSecretDataRemoteRef
    481. 

  481. 		apiErr         error
    482. 

  482. 		expectError    string
    483. 

  483. 		expectedSecret string
    484. 

  484. 	}{
    485. 

  485. 		{
    486. 

  486. 			// good case: default version is set
    487. 

  487. 			// key is passed in, output is sent back
    488. 

  488. 			apiInput: &awssm.GetSecretValueInput{
    489. 

  489. 				SecretId:     aws.String("/baz"),
    490. 

  490. 				VersionStage: aws.String("AWSCURRENT"),
    491. 

  491. 			},
    492. 

  492. 			rr: esv1alpha1.ExternalSecretDataRemoteRef{
    493. 

  493. 				Key: "/baz",
    494. 

  494. 			},
    495. 

  495. 			apiOutput: &awssm.GetSecretValueOutput{
    496. 

  496. 				SecretString: aws.String("RRRRR"),
    497. 

  497. 			},
    498. 

  498. 			apiErr:         nil,
    499. 

  499. 			expectError:    "",
    500. 

  500. 			expectedSecret: "RRRRR",
    501. 

  501. 		},
    502. 

  502. 		{
    503. 

  503. 			// good case: extract property
    504. 

  504. 			apiInput: &awssm.GetSecretValueInput{
    505. 

  505. 				SecretId:     aws.String("/baz"),
    506. 

  506. 				VersionStage: aws.String("AWSCURRENT"),
    507. 

  507. 			},
    508. 

  508. 			rr: esv1alpha1.ExternalSecretDataRemoteRef{
    509. 

  509. 				Key:      "/baz",
    510. 

  510. 				Property: "/shmoo",
    511. 

  511. 			},
    512. 

  512. 			apiOutput: &awssm.GetSecretValueOutput{
    513. 

  513. 				SecretString: aws.String(`{"/shmoo": "bang"}`),
    514. 

  514. 			},
    515. 

  515. 			apiErr:         nil,
    516. 

  516. 			expectError:    "",
    517. 

  517. 			expectedSecret: "bang",
    518. 

  518. 		},
    519. 

  519. 		{
    520. 

  520. 			// bad case: missing property
    521. 

  521. 			apiInput: &awssm.GetSecretValueInput{
    522. 

  522. 				SecretId:     aws.String("/baz"),
    523. 

  523. 				VersionStage: aws.String("AWSCURRENT"),
    524. 

  524. 			},
    525. 

  525. 			rr: esv1alpha1.ExternalSecretDataRemoteRef{
    526. 

  526. 				Key:      "/baz",
    527. 

  527. 				Property: "INVALPROP",
    528. 

  528. 			},
    529. 

  529. 			apiOutput: &awssm.GetSecretValueOutput{
    530. 

  530. 				SecretString: aws.String(`{"/shmoo": "bang"}`),
    531. 

  531. 			},
    532. 

  532. 			apiErr:         nil,
    533. 

  533. 			expectError:    "key INVALPROP does not exist in secret",
    534. 

  534. 			expectedSecret: "",
    535. 

  535. 		},
    536. 

  536. 		{
    537. 

  537. 			// bad case: extract property failure due to invalid json
    538. 

  538. 			apiInput: &awssm.GetSecretValueInput{
    539. 

  539. 				SecretId:     aws.String("/baz"),
    540. 

  540. 				VersionStage: aws.String("AWSCURRENT"),
    541. 

  541. 			},
    542. 

  542. 			rr: esv1alpha1.ExternalSecretDataRemoteRef{
    543. 

  543. 				Key:      "/baz",
    544. 

  544. 				Property: "INVALPROP",
    545. 

  545. 			},
    546. 

  546. 			apiOutput: &awssm.GetSecretValueOutput{
    547. 

  547. 				SecretString: aws.String(`------`),
    548. 

  548. 			},
    549. 

  549. 			apiErr:         nil,
    550. 

  550. 			expectError:    "key INVALPROP does not exist in secret",
    551. 

  551. 			expectedSecret: "",
    552. 

  552. 		},
    553. 

  553. 		{
    554. 

  554. 			// case: ssm.SecretString may be nil but binary is set
    555. 

  555. 			apiInput: &awssm.GetSecretValueInput{
    556. 

  556. 				SecretId:     aws.String("/baz"),
    557. 

  557. 				VersionStage: aws.String("AWSCURRENT"),
    558. 

  558. 			},
    559. 

  559. 			rr: esv1alpha1.ExternalSecretDataRemoteRef{
    560. 

  560. 				Key: "/baz",
    561. 

  561. 			},
    562. 

  562. 			apiOutput: &awssm.GetSecretValueOutput{
    563. 

  563. 				SecretString: nil,
    564. 

  564. 				SecretBinary: []byte("yesplease"),
    565. 

  565. 			},
    566. 

  566. 			apiErr:         nil,
    567. 

  567. 			expectError:    "",
    568. 

  568. 			expectedSecret: "yesplease",
    569. 

  569. 		},
    570. 

  570. 		{
    571. 

  571. 			// case: both .SecretString and .SecretBinary is nil
    572. 

  572. 			apiInput: &awssm.GetSecretValueInput{
    573. 

  573. 				SecretId:     aws.String("/baz"),
    574. 

  574. 				VersionStage: aws.String("AWSCURRENT"),
    575. 

  575. 			},
    576. 

  576. 			rr: esv1alpha1.ExternalSecretDataRemoteRef{
    577. 

  577. 				Key: "/baz",
    578. 

  578. 			},
    579. 

  579. 			apiOutput: &awssm.GetSecretValueOutput{
    580. 

  580. 				SecretString: nil,
    581. 

  581. 				SecretBinary: nil,
    582. 

  582. 			},
    583. 

  583. 			apiErr:         nil,
    584. 

  584. 			expectError:    "no secret string nor binary for key",
    585. 

  585. 			expectedSecret: "",
    586. 

  586. 		},
    587. 

  587. 		{
    588. 

  588. 			// case: secretOut.SecretBinary JSON parsing
    589. 

  589. 			apiInput: &awssm.GetSecretValueInput{
    590. 

  590. 				SecretId:     aws.String("/baz"),
    591. 

  591. 				VersionStage: aws.String("AWSCURRENT"),
    592. 

  592. 			},
    593. 

  593. 			rr: esv1alpha1.ExternalSecretDataRemoteRef{
    594. 

  594. 				Key:      "/baz",
    595. 

  595. 				Property: "foobar.baz",
    596. 

  596. 			},
    597. 

  597. 			apiOutput: &awssm.GetSecretValueOutput{
    598. 

  598. 				SecretString: nil,
    599. 

  599. 				SecretBinary: []byte(`{"foobar":{"baz":"nestedval"}}`),
    600. 

  600. 			},
    601. 

  601. 			apiErr:         nil,
    602. 

  602. 			expectError:    "",
    603. 

  603. 			expectedSecret: "nestedval",
    604. 

  604. 		},
    605. 

  605. 		{
    606. 

  606. 			// should pass version
    607. 

  607. 			apiInput: &awssm.GetSecretValueInput{
    608. 

  608. 				SecretId:     aws.String("/foo/bar"),
    609. 

  609. 				VersionStage: aws.String("1234"),
    610. 

  610. 			},
    611. 

  611. 			rr: esv1alpha1.ExternalSecretDataRemoteRef{
    612. 

  612. 				Key:     "/foo/bar",
    613. 

  613. 				Version: "1234",
    614. 

  614. 			},
    615. 

  615. 			apiOutput: &awssm.GetSecretValueOutput{
    616. 

  616. 				SecretString: aws.String("FOOBA!"),
    617. 

  617. 			},
    618. 

  618. 			apiErr:         nil,
    619. 

  619. 			expectError:    "",
    620. 

  620. 			expectedSecret: "FOOBA!",
    621. 

  621. 		},
    622. 

  622. 		{
    623. 

  623. 			// should return err
    624. 

  624. 			apiInput: &awssm.GetSecretValueInput{
    625. 

  625. 				SecretId:     aws.String("/foo/bar"),
    626. 

  626. 				VersionStage: aws.String("AWSCURRENT"),
    627. 

  627. 			},
    628. 

  628. 			rr: esv1alpha1.ExternalSecretDataRemoteRef{
    629. 

  629. 				Key: "/foo/bar",
    630. 

  630. 			},
    631. 

  631. 			apiOutput:   &awssm.GetSecretValueOutput{},
    632. 

  632. 			apiErr:      fmt.Errorf("oh no"),
    633. 

  633. 			expectError: "oh no",
    634. 

  634. 		},
    635. 

  635. 	} {
    636. 

  636. 		fake.WithValue(row.apiInput, row.apiOutput, row.apiErr)
    637. 

  637. 		out, err := p.GetSecret(context.Background(), row.rr)
    638. 

  638. 		if !ErrorContains(err, row.expectError) {
    639. 

  639. 			t.Errorf("[%d] unexpected error: %s, expected: '%s'", i, err.Error(), row.expectError)
    640. 

  640. 		}
    641. 

  641. 		if string(out) != row.expectedSecret {
    642. 

  642. 			t.Errorf("[%d] unexpected secret: expected %s, got %s", i, row.expectedSecret, string(out))
    643. 

  643. 		}
    644. 

  644. 	}
    645. 

  645. }
    646. 

  646. 

  647. func TestGetSecretMap(t *testing.T) {
    648. 

  648. 	fake := &fakesm.Client{}
    649. 

  649. 	p := &SecretsManager{
    650. 

  650. 		client: fake,
    651. 

  651. 	}
    652. 

  652. 	for i, row := range []struct {
    653. 

  653. 		apiInput     *awssm.GetSecretValueInput
    654. 

  654. 		apiOutput    *awssm.GetSecretValueOutput
    655. 

  655. 		rr           esv1alpha1.ExternalSecretDataRemoteRef
    656. 

  656. 		expectedData map[string]string
    657. 

  657. 		apiErr       error
    658. 

  658. 		expectError  string
    659. 

  659. 	}{
    660. 

  660. 		{
    661. 

  661. 			// good case: default version & deserialization
    662. 

  662. 			apiInput: &awssm.GetSecretValueInput{
    663. 

  663. 				SecretId:     aws.String("/baz"),
    664. 

  664. 				VersionStage: aws.String("AWSCURRENT"),
    665. 

  665. 			},
    666. 

  666. 			apiOutput: &awssm.GetSecretValueOutput{
    667. 

  667. 				SecretString: aws.String(`{"foo":"bar"}`),
    668. 

  668. 			},
    669. 

  669. 			rr: esv1alpha1.ExternalSecretDataRemoteRef{
    670. 

  670. 				Key: "/baz",
    671. 

  671. 			},
    672. 

  672. 			expectedData: map[string]string{
    673. 

  673. 				"foo": "bar",
    674. 

  674. 			},
    675. 

  675. 			apiErr:      nil,
    676. 

  676. 			expectError: "",
    677. 

  677. 		},
    678. 

  678. 		{
    679. 

  679. 			// bad case: api error returned
    680. 

  680. 			apiInput: &awssm.GetSecretValueInput{
    681. 

  681. 				SecretId:     aws.String("/baz"),
    682. 

  682. 				VersionStage: aws.String("AWSCURRENT"),
    683. 

  683. 			},
    684. 

  684. 			apiOutput: &awssm.GetSecretValueOutput{
    685. 

  685. 				SecretString: aws.String(`{"foo":"bar"}`),
    686. 

  686. 			},
    687. 

  687. 			rr: esv1alpha1.ExternalSecretDataRemoteRef{
    688. 

  688. 				Key: "/baz",
    689. 

  689. 			},
    690. 

  690. 			expectedData: map[string]string{
    691. 

  691. 				"foo": "bar",
    692. 

  692. 			},
    693. 

  693. 			apiErr:      fmt.Errorf("some api err"),
    694. 

  694. 			expectError: "some api err",
    695. 

  695. 		},
    696. 

  696. 		{
    697. 

  697. 			// bad case: invalid json
    698. 

  698. 			apiInput: &awssm.GetSecretValueInput{
    699. 

  699. 				SecretId:     aws.String("/baz"),
    700. 

  700. 				VersionStage: aws.String("AWSCURRENT"),
    701. 

  701. 			},
    702. 

  702. 			apiOutput: &awssm.GetSecretValueOutput{
    703. 

  703. 				SecretString: aws.String(`-----------------`),
    704. 

  704. 			},
    705. 

  705. 			rr: esv1alpha1.ExternalSecretDataRemoteRef{
    706. 

  706. 				Key: "/baz",
    707. 

  707. 			},
    708. 

  708. 			expectedData: map[string]string{},
    709. 

  709. 			apiErr:       nil,
    710. 

  710. 			expectError:  "unable to unmarshal secret",
    711. 

  711. 		},
    712. 

  712. 	} {
    713. 

  713. 		fake.WithValue(row.apiInput, row.apiOutput, row.apiErr)
    714. 

  714. 		out, err := p.GetSecretMap(context.Background(), row.rr)
    715. 

  715. 		if !ErrorContains(err, row.expectError) {
    716. 

  716. 			t.Errorf("[%d] unexpected error: %s, expected: '%s'", i, err.Error(), row.expectError)
    717. 

  717. 		}
    718. 

  718. 		if cmp.Equal(out, row.expectedData) {
    719. 

  719. 			t.Errorf("[%d] unexpected secret data: expected %#v, got %#v", i, row.expectedData, out)
    720. 

  720. 		}
    721. 

  721. 	}
    722. 

  722. }
    723. 

  723. 

  724. func ErrorContains(out error, want string) bool {
    725. 

  725. 	if out == nil {
    726. 

  726. 		return want == ""
    727. 

  727. 	}
    728. 

  728. 	if want == "" {
    729. 

  729. 		return false
    730. 

  730. 	}
    731. 

  731. 	return strings.Contains(out.Error(), want)
    732. 

  732. }
    733.