Home Explore Help
Sign In
logic855
/
helm-external-secrets
mirror of https://github.com/external-secrets/external-secrets
1
0
Fork 0
Files Issues 0 Wiki
Tree: 6862c9c637
Branches Tags
helm-externa...
/
pkg
/
provider
/
webhook
/
webhook_test.go

webhook_test.go 10 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372 
  1. /*
    2. 

  2. Licensed under the Apache License, Version 2.0 (the "License");
    3. 

  3. you may not use this file except in compliance with the License.
    4. 

  4. You may obtain a copy of the License at
    5. 

  5. 

  6. 	http://www.apache.org/licenses/LICENSE-2.0
    7. 

  7. 

  8. Unless required by applicable law or agreed to in writing, software
    9. 

  9. distributed under the License is distributed on an "AS IS" BASIS,
    10. 

  10. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    11. 

  11. See the License for the specific language governing permissions and
    12. 

  12. limitations under the License.
    13. 

  13. */
    14. 

  14. package webhook
    15. 

  15. 

  16. import (
    17. 

  17. 	"bytes"
    18. 

  18. 	"context"
    19. 

  19. 	"errors"
    20. 

  20. 	"io"
    21. 

  21. 	"net/http"
    22. 

  22. 	"net/http/httptest"
    23. 

  23. 	"strings"
    24. 

  24. 	"testing"
    25. 

  25. 	"time"
    26. 

  26. 

  27. 	"gopkg.in/yaml.v3"
    28. 

  28. 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
    29. 

  29. 

  30. 	esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
    31. 

  31. )
    32. 

  32. 

  33. type testCase struct {
    34. 

  34. 	Case string `json:"case,omitempty"`
    35. 

  35. 	Args args   `json:"args"`
    36. 

  36. 	Want want   `json:"want"`
    37. 

  37. }
    38. 

  38. 

  39. type args struct {
    40. 

  40. 	URL        string `json:"url,omitempty"`
    41. 

  41. 	Body       string `json:"body,omitempty"`
    42. 

  42. 	Timeout    string `json:"timeout,omitempty"`
    43. 

  43. 	Key        string `json:"key,omitempty"`
    44. 

  44. 	Property   string `json:"property,omitempty"`
    45. 

  45. 	Version    string `json:"version,omitempty"`
    46. 

  46. 	JSONPath   string `json:"jsonpath,omitempty"`
    47. 

  47. 	Response   string `json:"response,omitempty"`
    48. 

  48. 	StatusCode int    `json:"statuscode,omitempty"`
    49. 

  49. }
    50. 

  50. 

  51. type want struct {
    52. 

  52. 	Path      string            `json:"path,omitempty"`
    53. 

  53. 	Err       string            `json:"err,omitempty"`
    54. 

  54. 	Result    string            `json:"result,omitempty"`
    55. 

  55. 	ResultMap map[string]string `json:"resultmap,omitempty"`
    56. 

  56. }
    57. 

  57. 

  58. var testCases = `
    59. 

  59. case: error url
    60. 

  60. args:
    61. 

  61.   url: /api/getsecret?id={{ .unclosed.template
    62. 

  62. want:
    63. 

  63.   err: failed to parse url
    64. 

  64. ---
    65. 

  65. case: error body
    66. 

  66. args:
    67. 

  67.   url: /api/getsecret?id={{ .remoteRef.key }}&version={{ .remoteRef.version }}
    68. 

  68.   body: Body error {{ .unclosed.template
    69. 

  69. want:
    70. 

  70.   err: failed to parse body
    71. 

  71. ---
    72. 

  72. case: error connection
    73. 

  73. args:
    74. 

  74.   url: 1/api/getsecret?id={{ .remoteRef.key }}&version={{ .remoteRef.version }}
    75. 

  75. want:
    76. 

  76.   err: failed to call endpoint
    77. 

  77. ---
    78. 

  78. case: error not found
    79. 

  79. args:
    80. 

  80.   url: /api/getsecret?id={{ .remoteRef.key }}&version={{ .remoteRef.version }}
    81. 

  81.   key: testkey
    82. 

  82.   version: 1
    83. 

  83.   statuscode: 404
    84. 

  84.   response: not found
    85. 

  85. want:
    86. 

  86.   path: /api/getsecret?id=testkey&version=1
    87. 

  87.   err: endpoint gave error 404
    88. 

  88. ---
    89. 

  89. case: error bad json
    90. 

  90. args:
    91. 

  91.   url: /api/getsecret?id={{ .remoteRef.key }}&version={{ .remoteRef.version }}
    92. 

  92.   key: testkey
    93. 

  93.   version: 1
    94. 

  94.   jsonpath: $.result.thesecret
    95. 

  95.   response: '{"result":{"thesecret":"secret-value"}'
    96. 

  96. want:
    97. 

  97.   path: /api/getsecret?id=testkey&version=1
    98. 

  98.   err: failed to parse response json
    99. 

  99. ---
    100. 

  100. case: error bad jsonpath
    101. 

  101. args:
    102. 

  102.   url: /api/getsecret?id={{ .remoteRef.key }}&version={{ .remoteRef.version }}
    103. 

  103.   key: testkey
    104. 

  104.   version: 1
    105. 

  105.   jsonpath: $.result.thesecret
    106. 

  106.   response: '{"result":{"nosecret":"secret-value"}}'
    107. 

  107. want:
    108. 

  108.   path: /api/getsecret?id=testkey&version=1
    109. 

  109.   err: failed to get response path
    110. 

  110. ---
    111. 

  111. case: error bad json data
    112. 

  112. args:
    113. 

  113.   url: /api/getsecret?id={{ .remoteRef.key }}&version={{ .remoteRef.version }}
    114. 

  114.   key: testkey
    115. 

  115.   version: 1
    116. 

  116.   jsonpath: $.result.thesecret
    117. 

  117.   response: '{"result":{"thesecret":{"one":"secret-value"}}}'
    118. 

  118. want:
    119. 

  119.   path: /api/getsecret?id=testkey&version=1
    120. 

  120.   err: failed to get response (wrong type
    121. 

  121. ---
    122. 

  122. case: error timeout
    123. 

  123. args:
    124. 

  124.   url: /api/getsecret?id={{ .remoteRef.key }}&version={{ .remoteRef.version }}
    125. 

  125.   key: testkey
    126. 

  126.   version: 1
    127. 

  127.   response: secret-value
    128. 

  128.   timeout: 0.01ms
    129. 

  129. want:
    130. 

  130.   path: /api/getsecret?id=testkey&version=1
    131. 

  131.   err: context deadline exceeded
    132. 

  132. ---
    133. 

  133. case: good plaintext
    134. 

  134. args:
    135. 

  135.   url: /api/getsecret?id={{ .remoteRef.key }}&version={{ .remoteRef.version }}
    136. 

  136.   key: testkey
    137. 

  137.   version: 1
    138. 

  138.   response: secret-value
    139. 

  139. want:
    140. 

  140.   path: /api/getsecret?id=testkey&version=1
    141. 

  141.   err: ''
    142. 

  142.   result: secret-value
    143. 

  143. ---
    144. 

  144. case: good json
    145. 

  145. args:
    146. 

  146.   url: /api/getsecret?id={{ .remoteRef.key }}&version={{ .remoteRef.version }}
    147. 

  147.   key: testkey
    148. 

  148.   version: 1
    149. 

  149.   jsonpath: $.result.thesecret
    150. 

  150.   response: '{"result":{"thesecret":"secret-value"}}'
    151. 

  151. want:
    152. 

  152.   path: /api/getsecret?id=testkey&version=1
    153. 

  153.   err: ''
    154. 

  154.   result: secret-value
    155. 

  155. ---
    156. 

  156. case: good json map
    157. 

  157. args:
    158. 

  158.   url: /api/getsecret?id={{ .remoteRef.key }}&version={{ .remoteRef.version }}
    159. 

  159.   key: testkey
    160. 

  160.   version: 1
    161. 

  161.   jsonpath: $.result
    162. 

  162.   response: '{"result":{"thesecret":"secret-value","alsosecret":"another-value"}}'
    163. 

  163. want:
    164. 

  164.   path: /api/getsecret?id=testkey&version=1
    165. 

  165.   err: ''
    166. 

  166.   resultmap:
    167. 

  167.     thesecret: secret-value
    168. 

  168.     alsosecret: another-value
    169. 

  169. ---
    170. 

  170. case: good json map string
    171. 

  171. args:
    172. 

  172.   url: /api/getsecret?id={{ .remoteRef.key }}&version={{ .remoteRef.version }}
    173. 

  173.   key: testkey
    174. 

  174.   version: 1
    175. 

  175.   response: '{"thesecret":"secret-value","alsosecret":"another-value"}'
    176. 

  176. want:
    177. 

  177.   path: /api/getsecret?id=testkey&version=1
    178. 

  178.   err: ''
    179. 

  179.   resultmap:
    180. 

  180.     thesecret: secret-value
    181. 

  181.     alsosecret: another-value
    182. 

  182. ---
    183. 

  183. case: error json map string
    184. 

  184. args:
    185. 

  185.   url: /api/getsecret?id={{ .remoteRef.key }}&version={{ .remoteRef.version }}
    186. 

  186.   key: testkey
    187. 

  187.   version: 1
    188. 

  188.   response: 'some simple string'
    189. 

  189. want:
    190. 

  190.   path: /api/getsecret?id=testkey&version=1
    191. 

  191.   err: failed to get response (wrong type
    192. 

  192.   resultmap:
    193. 

  193.     thesecret: secret-value
    194. 

  194.     alsosecret: another-value
    195. 

  195. ---
    196. 

  196. case: error json map
    197. 

  197. args:
    198. 

  198.   url: /api/getsecret?id={{ .remoteRef.key }}&version={{ .remoteRef.version }}
    199. 

  199.   key: testkey
    200. 

  200.   version: 1
    201. 

  201.   jsonpath: $.result.thesecret
    202. 

  202.   response: '{"result":{"thesecret":"secret-value","alsosecret":"another-value"}}'
    203. 

  203. want:
    204. 

  204.   path: /api/getsecret?id=testkey&version=1
    205. 

  205.   err: failed to get response (wrong type
    206. 

  206.   resultmap:
    207. 

  207.     thesecret: secret-value
    208. 

  208.     alsosecret: another-value
    209. 

  209. ---
    210. 

  210. case: good json with good templated jsonpath
    211. 

  211. args:
    212. 

  212.   url: /api/getsecret?id={{ .remoteRef.key }}&version={{ .remoteRef.version }}
    213. 

  213.   key: testkey
    214. 

  214.   property: thesecret
    215. 

  215.   version: 1
    216. 

  216.   jsonpath: $.result.{{ .remoteRef.property }}
    217. 

  217.   response: '{"result":{"thesecret":"secret-value"}}'
    218. 

  218. want:
    219. 

  219.   path: /api/getsecret?id=testkey&version=1
    220. 

  220.   err: ''
    221. 

  221.   result: secret-value
    222. 

  222. ---
    223. 

  223. case: good json with bad temlated jsonpath
    224. 

  224. args:
    225. 

  225.   url: /api/getsecret?id={{ .remoteRef.key }}&version={{ .remoteRef.version }}
    226. 

  226.   key: testkey
    227. 

  227.   property: thesecret
    228. 

  228.   version: 1
    229. 

  229.   jsonpath: $.result.{{ .remoteRef.property }
    230. 

  230.   response: '{"result":{"thesecret":"secret-value"}}'
    231. 

  231. want:
    232. 

  232.   path: /api/getsecret?id=testkey&version=1
    233. 

  233.   err: 'template: webhooktemplate:1: unexpected "}" in operand'
    234. 

  234. `
    235. 

  235. 

  236. func TestWebhookGetSecret(t *testing.T) {
    237. 

  237. 	ydec := yaml.NewDecoder(bytes.NewReader([]byte(testCases)))
    238. 

  238. 	for {
    239. 

  239. 		var tc testCase
    240. 

  240. 		if err := ydec.Decode(&tc); err != nil {
    241. 

  241. 			if !errors.Is(err, io.EOF) {
    242. 

  242. 				t.Errorf("testcase decode error %v", err)
    243. 

  243. 			}
    244. 

  244. 			break
    245. 

  245. 		}
    246. 

  246. 		runTestCase(tc, t)
    247. 

  247. 	}
    248. 

  248. }
    249. 

  249. 

  250. func testCaseServer(tc testCase, t *testing.T) *httptest.Server {
    251. 

  251. 	// Start a new server for every test case because the server wants to check the expected api path
    252. 

  252. 	return httptest.NewServer(http.HandlerFunc(func(rw http.ResponseWriter, req *http.Request) {
    253. 

  253. 		if tc.Want.Path != "" && req.URL.String() != tc.Want.Path {
    254. 

  254. 			t.Errorf("%s: unexpected api path: %s, expected %s", tc.Case, req.URL.String(), tc.Want.Path)
    255. 

  255. 		}
    256. 

  256. 		if tc.Args.StatusCode != 0 {
    257. 

  257. 			rw.WriteHeader(tc.Args.StatusCode)
    258. 

  258. 		}
    259. 

  259. 		rw.Write([]byte(tc.Args.Response))
    260. 

  260. 	}))
    261. 

  261. }
    262. 

  262. 

  263. func parseTimeout(timeout string) (*metav1.Duration, error) {
    264. 

  264. 	if timeout == "" {
    265. 

  265. 		return nil, nil
    266. 

  266. 	}
    267. 

  267. 	dur, err := time.ParseDuration(timeout)
    268. 

  268. 	if err != nil {
    269. 

  269. 		return nil, err
    270. 

  270. 	}
    271. 

  271. 	return &metav1.Duration{Duration: dur}, nil
    272. 

  272. }
    273. 

  273. 

  274. func runTestCase(tc testCase, t *testing.T) {
    275. 

  275. 	ts := testCaseServer(tc, t)
    276. 

  276. 	defer ts.Close()
    277. 

  277. 

  278. 	testStore := makeClusterSecretStore(ts.URL, tc.Args)
    279. 

  279. 	var err error
    280. 

  280. 	timeout, err := parseTimeout(tc.Args.Timeout)
    281. 

  281. 	if err != nil {
    282. 

  282. 		t.Errorf("%s: error parsing timeout '%s': %s", tc.Case, tc.Args.Timeout, err.Error())
    283. 

  283. 		return
    284. 

  284. 	}
    285. 

  285. 	testStore.Spec.Provider.Webhook.Timeout = timeout
    286. 

  286. 	testProv := &Provider{}
    287. 

  287. 	client, err := testProv.NewClient(context.Background(), testStore, nil, "testnamespace")
    288. 

  288. 	if err != nil {
    289. 

  289. 		t.Errorf("%s: error creating client: %s", tc.Case, err.Error())
    290. 

  290. 		return
    291. 

  291. 	}
    292. 

  292. 

  293. 	if tc.Want.ResultMap != nil {
    294. 

  294. 		testGetSecretMap(tc, t, client)
    295. 

  295. 	} else {
    296. 

  296. 		testGetSecret(tc, t, client)
    297. 

  297. 	}
    298. 

  298. }
    299. 

  299. 

  300. func testGetSecretMap(tc testCase, t *testing.T, client esv1beta1.SecretsClient) {
    301. 

  301. 	testRef := esv1beta1.ExternalSecretDataRemoteRef{
    302. 

  302. 		Key:     tc.Args.Key,
    303. 

  303. 		Version: tc.Args.Version,
    304. 

  304. 	}
    305. 

  305. 	secretmap, err := client.GetSecretMap(context.Background(), testRef)
    306. 

  306. 	errStr := ""
    307. 

  307. 	if err != nil {
    308. 

  308. 		errStr = err.Error()
    309. 

  309. 	}
    310. 

  310. 	if (tc.Want.Err == "") != (errStr == "") || !strings.Contains(errStr, tc.Want.Err) {
    311. 

  311. 		t.Errorf("%s: unexpected error: '%s' (expected '%s')", tc.Case, errStr, tc.Want.Err)
    312. 

  312. 	}
    313. 

  313. 	if err == nil {
    314. 

  314. 		for wantkey, wantval := range tc.Want.ResultMap {
    315. 

  315. 			gotval, ok := secretmap[wantkey]
    316. 

  316. 			if !ok {
    317. 

  317. 				t.Errorf("%s: unexpected response: wanted key '%s' not found", tc.Case, wantkey)
    318. 

  318. 			} else if string(gotval) != wantval {
    319. 

  319. 				t.Errorf("%s: unexpected response: key '%s' = '%s' (expected '%s')", tc.Case, wantkey, wantval, gotval)
    320. 

  320. 			}
    321. 

  321. 		}
    322. 

  322. 	}
    323. 

  323. }
    324. 

  324. 

  325. func testGetSecret(tc testCase, t *testing.T, client esv1beta1.SecretsClient) {
    326. 

  326. 	testRef := esv1beta1.ExternalSecretDataRemoteRef{
    327. 

  327. 		Key:      tc.Args.Key,
    328. 

  328. 		Property: tc.Args.Property,
    329. 

  329. 		Version:  tc.Args.Version,
    330. 

  330. 	}
    331. 

  331. 	ctx, cancel := context.WithTimeout(context.Background(), time.Second)
    332. 

  332. 	defer cancel()
    333. 

  333. 	secret, err := client.GetSecret(ctx, testRef)
    334. 

  334. 	errStr := ""
    335. 

  335. 	if err != nil {
    336. 

  336. 		errStr = err.Error()
    337. 

  337. 	}
    338. 

  338. 	if !strings.Contains(errStr, tc.Want.Err) {
    339. 

  339. 		t.Errorf("%s: unexpected error: '%s' (expected '%s')", tc.Case, errStr, tc.Want.Err)
    340. 

  340. 	}
    341. 

  341. 	if err == nil && string(secret) != tc.Want.Result {
    342. 

  342. 		t.Errorf("%s: unexpected response: '%s' (expected '%s')", tc.Case, secret, tc.Want.Result)
    343. 

  343. 	}
    344. 

  344. }
    345. 

  345. 

  346. func makeClusterSecretStore(url string, args args) *esv1beta1.ClusterSecretStore {
    347. 

  347. 	store := &esv1beta1.ClusterSecretStore{
    348. 

  348. 		TypeMeta: metav1.TypeMeta{
    349. 

  349. 			Kind: "ClusterSecretStore",
    350. 

  350. 		},
    351. 

  351. 		ObjectMeta: metav1.ObjectMeta{
    352. 

  352. 			Name:      "wehbook-store",
    353. 

  353. 			Namespace: "default",
    354. 

  354. 		},
    355. 

  355. 		Spec: esv1beta1.SecretStoreSpec{
    356. 

  356. 			Provider: &esv1beta1.SecretStoreProvider{
    357. 

  357. 				Webhook: &esv1beta1.WebhookProvider{
    358. 

  358. 					URL:  url + args.URL,
    359. 

  359. 					Body: args.Body,
    360. 

  360. 					Headers: map[string]string{
    361. 

  361. 						"Content-Type": "application.json",
    362. 

  362. 						"X-SecretKey":  "{{ .remoteRef.key }}",
    363. 

  363. 					},
    364. 

  364. 					Result: esv1beta1.WebhookResult{
    365. 

  365. 						JSONPath: args.JSONPath,
    366. 

  366. 					},
    367. 

  367. 				},
    368. 

  368. 			},
    369. 

  369. 		},
    370. 

  370. 	}
    371. 

  371. 	return store
    372. 

  372. }
    373.