Home Explore Help
Sign In
logic855
/
helm-external-secrets
mirror of https://github.com/external-secrets/external-secrets
1
0
Fork 0
Files Issues 0 Wiki
Tree: 627817c413
Branches Tags
helm-externa...
/
pkg
/
provider
/
azure
/
keyvault
/
keyvault_test.go

keyvault_test.go 6.4 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178 
  1. /*
    2. 

  2. Licensed under the Apache License, Version 2.0 (the "License");
    3. 

  3. you may not use this file except in compliance with the License.
    4. 

  4. You may obtain a copy of the License at
    5. 

  5. 

  6.     http://www.apache.org/licenses/LICENSE-2.0
    7. 

  7. 

  8. Unless required by applicable law or agreed to in writing, software
    9. 

  9. distributed under the License is distributed on an "AS IS" BASIS,
    10. 

  10. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    11. 

  11. See the License for the specific language governing permissions and
    12. 

  12. limitations under the License.
    13. 

  13. */
    14. 

  14. 

  15. package keyvault
    16. 

  16. 

  17. import (
    18. 

  18. 	context "context"
    19. 

  19. 	"encoding/json"
    20. 

  20. 	"testing"
    21. 

  21. 

  22. 	"github.com/Azure/azure-sdk-for-go/services/keyvault/2016-10-01/keyvault"
    23. 

  23. 	tassert "github.com/stretchr/testify/assert"
    24. 

  24. 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
    25. 

  25. 	clientfake "sigs.k8s.io/controller-runtime/pkg/client/fake"
    26. 

  26. 

  27. 	esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
    28. 

  28. 	v1 "github.com/external-secrets/external-secrets/apis/meta/v1"
    29. 

  29. 	fake "github.com/external-secrets/external-secrets/pkg/provider/azure/keyvault/fake"
    30. 

  30. 	"github.com/external-secrets/external-secrets/pkg/provider/schema"
    31. 

  31. )
    32. 

  32. 

  33. func newAzure() (Azure, *fake.AzureMock) {
    34. 

  34. 	azureMock := &fake.AzureMock{}
    35. 

  35. 	testAzure := Azure{
    36. 

  36. 		baseClient: azureMock,
    37. 

  37. 		vaultURL:   "https://local.vault/",
    38. 

  38. 	}
    39. 

  39. 	return testAzure, azureMock
    40. 

  40. }
    41. 

  41. 

  42. func TestNewClientNoCreds(t *testing.T) {
    43. 

  43. 	namespace := "internal"
    44. 

  44. 	vaultURL := "https://local.vault.url"
    45. 

  45. 	tenantID := "1234"
    46. 

  46. 	store := esv1alpha1.SecretStore{
    47. 

  47. 		ObjectMeta: metav1.ObjectMeta{
    48. 

  48. 			Namespace: namespace,
    49. 

  49. 		},
    50. 

  50. 		Spec: esv1alpha1.SecretStoreSpec{Provider: &esv1alpha1.SecretStoreProvider{AzureKV: &esv1alpha1.AzureKVProvider{
    51. 

  51. 			VaultURL: &vaultURL,
    52. 

  52. 			TenantID: &tenantID,
    53. 

  53. 		}}},
    54. 

  54. 	}
    55. 

  55. 	provider, err := schema.GetProvider(&store)
    56. 

  56. 	tassert.Nil(t, err, "the return err should be nil")
    57. 

  57. 	k8sClient := clientfake.NewClientBuilder().Build()
    58. 

  58. 	secretClient, err := provider.NewClient(context.Background(), &store, k8sClient, namespace)
    59. 

  59. 	tassert.EqualError(t, err, "missing clientID/clientSecret in store config")
    60. 

  60. 	tassert.Nil(t, secretClient)
    61. 

  61. 

  62. 	store.Spec.Provider.AzureKV.AuthSecretRef = &esv1alpha1.AzureKVAuth{}
    63. 

  63. 	secretClient, err = provider.NewClient(context.Background(), &store, k8sClient, namespace)
    64. 

  64. 	tassert.EqualError(t, err, "missing accessKeyID/secretAccessKey in store config")
    65. 

  65. 	tassert.Nil(t, secretClient)
    66. 

  66. 

  67. 	store.Spec.Provider.AzureKV.AuthSecretRef.ClientID = &v1.SecretKeySelector{Name: "user"}
    68. 

  68. 	secretClient, err = provider.NewClient(context.Background(), &store, k8sClient, namespace)
    69. 

  69. 	tassert.EqualError(t, err, "missing accessKeyID/secretAccessKey in store config")
    70. 

  70. 	tassert.Nil(t, secretClient)
    71. 

  71. 

  72. 	store.Spec.Provider.AzureKV.AuthSecretRef.ClientSecret = &v1.SecretKeySelector{Name: "password"}
    73. 

  73. 	secretClient, err = provider.NewClient(context.Background(), &store, k8sClient, namespace)
    74. 

  74. 	tassert.EqualError(t, err, "could not find secret internal/user: secrets \"user\" not found")
    75. 

  75. 	tassert.Nil(t, secretClient)
    76. 

  76. }
    77. 

  77. 

  78. const (
    79. 

  79. 	jwkPubRSA = `{"kid":"ex","kty":"RSA","key_ops":["sign","verify","wrapKey","unwrapKey","encrypt","decrypt"],"n":"p2VQo8qCfWAZmdWBVaYuYb-a-tWWm78K6Sr9poCvNcmv8rUPSLACxitQWR8gZaSH1DklVkqz-Ed8Cdlf8lkDg4Ex5tkB64jRdC1Uvn4CDpOH6cp-N2s8hTFLqy9_YaDmyQS7HiqthOi9oVjil1VMeWfaAbClGtFt6UnKD0Vb_DvLoWYQSqlhgBArFJi966b4E1pOq5Ad02K8pHBDThlIIx7unibLehhDU6q3DCwNH_OOLx6bgNtmvGYJDd1cywpkLQ3YzNCUPWnfMBJRP3iQP_WI21uP6cvo0DqBPBM4wvVzHbCT0vnIflwkbgEWkq1FprqAitZlop9KjLqzjp9vyQ","e":"AQAB"}`
    80. 

  80. 	jwkPubEC  = `{"kid":"https://example.vault.azure.net/keys/ec-p-521/e3d0e9c179b54988860c69c6ae172c65","kty":"EC","key_ops":["sign","verify"],"crv":"P-521","x":"AedOAtb7H7Oz1C_cPKI_R4CN_eai5nteY6KFW07FOoaqgQfVCSkQDK22fCOiMT_28c8LZYJRsiIFz_IIbQUW7bXj","y":"AOnchHnmBphIWXvanmMAmcCDkaED6ycW8GsAl9fQ43BMVZTqcTkJYn6vGnhn7MObizmkNSmgZYTwG-vZkIg03HHs"}`
    81. 

  81. )
    82. 

  82. 

  83. func TestGetKey(t *testing.T) {
    84. 

  84. 	testAzure, azureMock := newAzure()
    85. 

  85. 	ctx := context.Background()
    86. 

  86. 

  87. 	tbl := []struct {
    88. 

  88. 		name   string
    89. 

  89. 		kvName string
    90. 

  90. 		jwk    *keyvault.JSONWebKey
    91. 

  91. 		out    string
    92. 

  92. 	}{
    93. 

  93. 		{
    94. 

  94. 			name:   "test public rsa key",
    95. 

  95. 			kvName: "my-rsa",
    96. 

  96. 			jwk:    newKVJWK([]byte(jwkPubRSA)),
    97. 

  97. 			out:    jwkPubRSA,
    98. 

  98. 		},
    99. 

  99. 		{
    100. 

  100. 			name:   "test public ec key",
    101. 

  101. 			kvName: "my-ec",
    102. 

  102. 			jwk:    newKVJWK([]byte(jwkPubEC)),
    103. 

  103. 			out:    jwkPubEC,
    104. 

  104. 		},
    105. 

  105. 	}
    106. 

  106. 

  107. 	for _, row := range tbl {
    108. 

  108. 		t.Run(row.name, func(t *testing.T) {
    109. 

  109. 			azureMock.AddKey(testAzure.vaultURL, row.kvName, row.jwk, true)
    110. 

  110. 			azureMock.ExpectsGetKey(ctx, testAzure.vaultURL, row.kvName, "")
    111. 

  111. 

  112. 			rf := esv1alpha1.ExternalSecretDataRemoteRef{
    113. 

  113. 				Key: "key/" + row.kvName,
    114. 

  114. 			}
    115. 

  115. 			secret, err := testAzure.GetSecret(ctx, rf)
    116. 

  116. 			azureMock.AssertExpectations(t)
    117. 

  117. 			tassert.Nil(t, err, "the return err should be nil")
    118. 

  118. 			tassert.Equal(t, []byte(row.out), secret)
    119. 

  119. 		})
    120. 

  120. 	}
    121. 

  121. }
    122. 

  122. 

  123. func TestGetSecretWithVersion(t *testing.T) {
    124. 

  124. 	testAzure, azureMock := newAzure()
    125. 

  125. 	ctx := context.Background()
    126. 

  126. 	version := "v1"
    127. 

  127. 

  128. 	rf := esv1alpha1.ExternalSecretDataRemoteRef{
    129. 

  129. 		Key:     "testName",
    130. 

  130. 		Version: version,
    131. 

  131. 	}
    132. 

  132. 	azureMock.AddSecretWithVersion(testAzure.vaultURL, "testName", version, "My Secret", true)
    133. 

  133. 	azureMock.ExpectsGetSecret(ctx, testAzure.vaultURL, "testName", version)
    134. 

  134. 

  135. 	secret, err := testAzure.GetSecret(ctx, rf)
    136. 

  136. 	azureMock.AssertExpectations(t)
    137. 

  137. 	tassert.Nil(t, err, "the return err should be nil")
    138. 

  138. 	tassert.Equal(t, []byte("My Secret"), secret)
    139. 

  139. }
    140. 

  140. 

  141. func TestGetSecretWithoutVersion(t *testing.T) {
    142. 

  142. 	testAzure, azureMock := newAzure()
    143. 

  143. 	ctx := context.Background()
    144. 

  144. 

  145. 	rf := esv1alpha1.ExternalSecretDataRemoteRef{
    146. 

  146. 		Key: "testName",
    147. 

  147. 	}
    148. 

  148. 	azureMock.AddSecret(testAzure.vaultURL, "testName", "My Secret", true)
    149. 

  149. 	azureMock.ExpectsGetSecret(ctx, testAzure.vaultURL, "testName", "")
    150. 

  150. 

  151. 	secret, err := testAzure.GetSecret(ctx, rf)
    152. 

  152. 	azureMock.AssertExpectations(t)
    153. 

  153. 	tassert.Nil(t, err, "the return err should be nil")
    154. 

  154. 	tassert.Equal(t, []byte("My Secret"), secret)
    155. 

  155. }
    156. 

  156. 

  157. func TestGetSecretMap(t *testing.T) {
    158. 

  158. 	testAzure, azureMock := newAzure()
    159. 

  159. 	ctx := context.Background()
    160. 

  160. 	rf := esv1alpha1.ExternalSecretDataRemoteRef{
    161. 

  161. 		Key: "testName",
    162. 

  162. 	}
    163. 

  163. 	azureMock.AddSecret(testAzure.vaultURL, "testName", "{\"username\": \"user1\", \"pass\": \"123\"}", true)
    164. 

  164. 	azureMock.ExpectsGetSecret(ctx, testAzure.vaultURL, "testName", "")
    165. 

  165. 	secretMap, err := testAzure.GetSecretMap(ctx, rf)
    166. 

  166. 	azureMock.AssertExpectations(t)
    167. 

  167. 	tassert.Nil(t, err, "the return err should be nil")
    168. 

  168. 	tassert.Equal(t, secretMap, map[string][]byte{"username": []byte("user1"), "pass": []byte("123")})
    169. 

  169. }
    170. 

  170. 

  171. func newKVJWK(b []byte) *keyvault.JSONWebKey {
    172. 

  172. 	var key keyvault.JSONWebKey
    173. 

  173. 	err := json.Unmarshal(b, &key)
    174. 

  174. 	if err != nil {
    175. 

  175. 		panic(err)
    176. 

  176. 	}
    177. 

  177. 	return &key
    178. 

  178. }
    179.