Home Explore Help
Sign In
logic855
/
helm-external-secrets
mirror of https://github.com/external-secrets/external-secrets
1
0
Fork 0
Files Issues 0 Wiki
Tree: 6ec15bded7
Branches Tags
helm-externa...
/
pkg
/
provider
/
webhook
/
webhook_test.go

webhook_test.go 19 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704 
  1. /*
    2. 

  2. Licensed under the Apache License, Version 2.0 (the "License");
    3. 

  3. you may not use this file except in compliance with the License.
    4. 

  4. You may obtain a copy of the License at
    5. 

  5. 

  6. 	http://www.apache.org/licenses/LICENSE-2.0
    7. 

  7. 

  8. Unless required by applicable law or agreed to in writing, software
    9. 

  9. distributed under the License is distributed on an "AS IS" BASIS,
    10. 

  10. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    11. 

  11. See the License for the specific language governing permissions and
    12. 

  12. limitations under the License.
    13. 

  13. */
    14. 

  14. 

  15. package webhook
    16. 

  16. 

  17. import (
    18. 

  18. 	"bytes"
    19. 

  19. 	"context"
    20. 

  20. 	"errors"
    21. 

  21. 	"io"
    22. 

  22. 	"net/http"
    23. 

  23. 	"net/http/httptest"
    24. 

  24. 	"strings"
    25. 

  25. 	"testing"
    26. 

  26. 	"time"
    27. 

  27. 

  28. 	"gopkg.in/yaml.v3"
    29. 

  29. 	corev1 "k8s.io/api/core/v1"
    30. 

  30. 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
    31. 

  31. 

  32. 	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
    33. 

  33. 	"github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
    34. 

  34. )
    35. 

  35. 

  36. type testCase struct {
    37. 

  37. 	Case string `json:"case,omitempty"`
    38. 

  38. 	Args args   `json:"args"`
    39. 

  39. 	Want want   `json:"want"`
    40. 

  40. }
    41. 

  41. 

  42. type secret struct {
    43. 

  43. 	Name string            `json:"name"`
    44. 

  44. 	Data map[string]string `json:"data"`
    45. 

  45. }
    46. 

  46. 

  47. type args struct {
    48. 

  48. 	URL        string `json:"url,omitempty"`
    49. 

  49. 	Body       string `json:"body,omitempty"`
    50. 

  50. 	Timeout    string `json:"timeout,omitempty"`
    51. 

  51. 	Key        string `json:"key,omitempty"`
    52. 

  52. 	SecretKey  string `json:"secretkey,omitempty"`
    53. 

  53. 	Property   string `json:"property,omitempty"`
    54. 

  54. 	Version    string `json:"version,omitempty"`
    55. 

  55. 	JSONPath   string `json:"jsonpath,omitempty"`
    56. 

  56. 	Response   string `json:"response,omitempty"`
    57. 

  57. 	StatusCode int    `json:"statuscode,omitempty"`
    58. 

  58. 	PushSecret bool   `json:"pushsecret,omitempty"`
    59. 

  59. 	Secret     secret `json:"secret,omitempty"`
    60. 

  60. }
    61. 

  61. 

  62. type want struct {
    63. 

  63. 	Path      string            `json:"path,omitempty"`
    64. 

  64. 	Body      *string           `json:"body,omitempty"`
    65. 

  65. 	Err       string            `json:"err,omitempty"`
    66. 

  66. 	Result    string            `json:"result,omitempty"`
    67. 

  67. 	ResultMap map[string]string `json:"resultmap,omitempty"`
    68. 

  68. }
    69. 

  69. 

  70. var testCases = `
    71. 

  71. case: error url
    72. 

  72. args:
    73. 

  73.   url: /api/getsecret?id={{ .unclosed.template
    74. 

  74. want:
    75. 

  75.   err: failed to parse url
    76. 

  76. ---
    77. 

  77. case: error body
    78. 

  78. args:
    79. 

  79.   url: /api/getsecret?id={{ .remoteRef.key }}&version={{ .remoteRef.version }}
    80. 

  80.   body: Body error {{ .unclosed.template
    81. 

  81. want:
    82. 

  82.   err: failed to parse body
    83. 

  83. ---
    84. 

  84. case: error connection
    85. 

  85. args:
    86. 

  86.   url: 1/api/getsecret?id={{ .remoteRef.key }}&version={{ .remoteRef.version }}
    87. 

  87. want:
    88. 

  88.   err: failed to call endpoint
    89. 

  89. ---
    90. 

  90. case: error no secret err
    91. 

  91. args:
    92. 

  92.   url: /api/getsecret?id={{ .remoteRef.key }}&version={{ .remoteRef.version }}
    93. 

  93.   key: testkey
    94. 

  94.   version: 1
    95. 

  95.   statuscode: 404
    96. 

  96.   response: not found
    97. 

  97. want:
    98. 

  98.   path: /api/getsecret?id=testkey&version=1
    99. 

  99.   err: ` + esv1.NoSecretErr.Error() + `
    100. 

  100. ---
    101. 

  101. case: error server error
    102. 

  102. args:
    103. 

  103.   url: /api/getsecret?id={{ .remoteRef.key }}&version={{ .remoteRef.version }}
    104. 

  104.   key: testkey
    105. 

  105.   version: 1
    106. 

  106.   statuscode: 500
    107. 

  107.   response: server error
    108. 

  108. want:
    109. 

  109.   path: /api/getsecret?id=testkey&version=1
    110. 

  110.   err: endpoint gave error 500
    111. 

  111. ---
    112. 

  112. case: error bad json
    113. 

  113. args:
    114. 

  114.   url: /api/getsecret?id={{ .remoteRef.key }}&version={{ .remoteRef.version }}
    115. 

  115.   key: testkey
    116. 

  116.   version: 1
    117. 

  117.   jsonpath: $.result.thesecret
    118. 

  118.   response: '{"result":{"thesecret":"secret-value"}'
    119. 

  119. want:
    120. 

  120.   path: /api/getsecret?id=testkey&version=1
    121. 

  121.   err: failed to parse response json
    122. 

  122. ---
    123. 

  123. case: error bad jsonpath
    124. 

  124. args:
    125. 

  125.   url: /api/getsecret?id={{ .remoteRef.key }}&version={{ .remoteRef.version }}
    126. 

  126.   key: testkey
    127. 

  127.   version: 1
    128. 

  128.   jsonpath: $.result.thesecret
    129. 

  129.   response: '{"result":{"nosecret":"secret-value"}}'
    130. 

  130. want:
    131. 

  131.   path: /api/getsecret?id=testkey&version=1
    132. 

  132.   err: failed to get response path
    133. 

  133. ---
    134. 

  134. case: pull data out of map
    135. 

  135. args:
    136. 

  136.   url: /api/getsecret?id={{ .remoteRef.key }}&version={{ .remoteRef.version }}
    137. 

  137.   key: testkey
    138. 

  138.   version: 1
    139. 

  139.   jsonpath: $.result.thesecret
    140. 

  140.   response: '{"result":{"thesecret":{"one":"secret-value"}}}'
    141. 

  141. want:
    142. 

  142.   path: /api/getsecret?id=testkey&version=1
    143. 

  143.   err: ''
    144. 

  144.   result: '{"one":"secret-value"}'
    145. 

  145. ---
    146. 

  146. case: error timeout
    147. 

  147. args:
    148. 

  148.   url: /api/getsecret?id={{ .remoteRef.key }}&version={{ .remoteRef.version }}
    149. 

  149.   key: testkey
    150. 

  150.   version: 1
    151. 

  151.   response: secret-value
    152. 

  152.   timeout: 0.01ms
    153. 

  153. want:
    154. 

  154.   path: /api/getsecret?id=testkey&version=1
    155. 

  155.   err: context deadline exceeded
    156. 

  156. ---
    157. 

  157. case: good plaintext
    158. 

  158. args:
    159. 

  159.   url: /api/getsecret?id={{ .remoteRef.key }}&version={{ .remoteRef.version }}
    160. 

  160.   key: testkey
    161. 

  161.   version: 1
    162. 

  162.   response: secret-value
    163. 

  163. want:
    164. 

  164.   path: /api/getsecret?id=testkey&version=1
    165. 

  165.   err: ''
    166. 

  166.   result: secret-value
    167. 

  167. ---
    168. 

  168. case: good json
    169. 

  169. args:
    170. 

  170.   url: /api/getsecret?id={{ .remoteRef.key }}&version={{ .remoteRef.version }}
    171. 

  171.   key: testkey
    172. 

  172.   version: 1
    173. 

  173.   jsonpath: $.result.thesecret
    174. 

  174.   response: '{"result":{"thesecret":"secret-value"}}'
    175. 

  175. want:
    176. 

  176.   path: /api/getsecret?id=testkey&version=1
    177. 

  177.   err: ''
    178. 

  178.   result: secret-value
    179. 

  179. ---
    180. 

  180. case: good json map
    181. 

  181. args:
    182. 

  182.   url: /api/getsecret?id={{ .remoteRef.key }}&version={{ .remoteRef.version }}
    183. 

  183.   key: testkey
    184. 

  184.   version: 1
    185. 

  185.   jsonpath: $.result
    186. 

  186.   response: '{"result":{"thesecret":"secret-value","alsosecret":"another-value"}}'
    187. 

  187. want:
    188. 

  188.   path: /api/getsecret?id=testkey&version=1
    189. 

  189.   err: ''
    190. 

  190.   resultmap:
    191. 

  191.     thesecret: secret-value
    192. 

  192.     alsosecret: another-value
    193. 

  193. ---
    194. 

  194. case: templated jsonpath good json map
    195. 

  195. args:
    196. 

  196.   url: /api/getsecret?id={{ .remoteRef.key }}&version={{ .remoteRef.version }}
    197. 

  197.   key: testkey
    198. 

  198.   version: 1
    199. 

  199.   jsonpath: $.{{printf "result" }}
    200. 

  200.   response: '{"result":{"thesecret":"secret-value","alsosecret":"another-value"}}'
    201. 

  201. want:
    202. 

  202.   path: /api/getsecret?id=testkey&version=1
    203. 

  203.   err: ''
    204. 

  204.   resultmap:
    205. 

  205.     thesecret: secret-value
    206. 

  206.     alsosecret: another-value
    207. 

  207. ---
    208. 

  208. case: templated jsonpath invalid template
    209. 

  209. args:
    210. 

  210.   url: /api/getsecret?id={{ .remoteRef.key }}&version={{ .remoteRef.version }}
    211. 

  211.   key: testkey
    212. 

  212.   version: 1
    213. 

  213.   jsonpath: $.{{printf 'result' }}
    214. 

  214.   response: '{"result":{"thesecret":"secret-value","alsosecret":"another-value"}}'
    215. 

  215. want:
    216. 

  216.   path: /api/getsecret?id=testkey&version=1
    217. 

  217.   err: "cannot get templated json path"
    218. 

  218.   resultmap:
    219. 

  219.     thesecret: secret-value
    220. 

  220.     alsosecret: another-value
    221. 

  221. ---
    222. 

  222. case: good json map string
    223. 

  223. args:
    224. 

  224.   url: /api/getsecret?id={{ .remoteRef.key }}&version={{ .remoteRef.version }}
    225. 

  225.   key: testkey
    226. 

  226.   version: 1
    227. 

  227.   response: '{"thesecret":"secret-value","alsosecret":"another-value"}'
    228. 

  228. want:
    229. 

  229.   path: /api/getsecret?id=testkey&version=1
    230. 

  230.   err: ''
    231. 

  231.   resultmap:
    232. 

  232.     thesecret: secret-value
    233. 

  233.     alsosecret: another-value
    234. 

  234. ---
    235. 

  235. case: error json map string
    236. 

  236. args:
    237. 

  237.   url: /api/getsecret?id={{ .remoteRef.key }}&version={{ .remoteRef.version }}
    238. 

  238.   key: testkey
    239. 

  239.   version: 1
    240. 

  240.   response: 'some simple string'
    241. 

  241. want:
    242. 

  242.   path: /api/getsecret?id=testkey&version=1
    243. 

  243.   err: "failed to parse response json: invalid character"
    244. 

  244.   resultmap: {}
    245. 

  245. ---
    246. 

  246. case: error json map
    247. 

  247. args:
    248. 

  248.   url: /api/getsecret?id={{ .remoteRef.key }}&version={{ .remoteRef.version }}
    249. 

  249.   key: testkey
    250. 

  250.   version: 1
    251. 

  251.   jsonpath: $.result.thesecret
    252. 

  252.   response: '{"result":{"thesecret":"secret-value","alsosecret":"another-value"}}'
    253. 

  253. want:
    254. 

  254.   path: /api/getsecret?id=testkey&version=1
    255. 

  255.   err: "failed to parse response json from jsonpath"
    256. 

  256.   resultmap: {}
    257. 

  257. ---
    258. 

  258. case: good json with good templated jsonpath
    259. 

  259. args:
    260. 

  260.   url: /api/getsecret?id={{ .remoteRef.key }}&version={{ .remoteRef.version }}
    261. 

  261.   key: testkey
    262. 

  262.   property: thesecret
    263. 

  263.   version: 1
    264. 

  264.   jsonpath: $.result.{{ .remoteRef.property }}
    265. 

  265.   response: '{"result":{"thesecret":"secret-value"}}'
    266. 

  266. want:
    267. 

  267.   path: /api/getsecret?id=testkey&version=1
    268. 

  268.   err: ''
    269. 

  269.   result: secret-value
    270. 

  270. ---
    271. 

  271. case: good json with jsonpath filter
    272. 

  272. args:
    273. 

  273.   url: /api/getsecret?id={{ .remoteRef.key }}&version={{ .remoteRef.version }}
    274. 

  274.   key: testkey
    275. 

  275.   version: 1
    276. 

  276.   jsonpath: $.secrets[?@.name=="thesecret"].value
    277. 

  277.   response: '{"secrets": [{"name": "thesecret", "value": "secret-value"}, {"name": "alsosecret", "value": "another-value"}]}'
    278. 

  278. want:
    279. 

  279.   path: /api/getsecret?id=testkey&version=1
    280. 

  280.   err: ''
    281. 

  281.   result: secret-value
    282. 

  282. ---
    283. 

  283. case: good json with bad templated jsonpath
    284. 

  284. args:
    285. 

  285.   url: /api/getsecret?id={{ .remoteRef.key }}&version={{ .remoteRef.version }}
    286. 

  286.   key: testkey
    287. 

  287.   property: thesecret
    288. 

  288.   version: 1
    289. 

  289.   jsonpath: $.result.{{ .remoteRef.property }
    290. 

  290.   response: '{"result":{"thesecret":"secret-value"}}'
    291. 

  291. want:
    292. 

  292.   path: /api/getsecret?id=testkey&version=1
    293. 

  293.   err: 'template: webhooktemplate:1: unexpected "}" in operand'
    294. 

  294. ---
    295. 

  295. case: error with jsonpath filter empty results
    296. 

  296. args:
    297. 

  297.   url: /api/getsecret?id={{ .remoteRef.key }}&version={{ .remoteRef.version }}
    298. 

  298.   key: testkey
    299. 

  299.   version: 1
    300. 

  300.   jsonpath: $.secrets[?@.name=="thebadsecret"].value
    301. 

  301.   response: '{"secrets": [{"name": "thesecret", "value": "secret-value"}, {"name": "alsosecret", "value": "another-value"}]}'
    302. 

  302. want:
    303. 

  303.   path: /api/getsecret?id=testkey&version=1
    304. 

  304.   err: "filter worked but didn't get any result"
    305. 

  305. ---
    306. 

  306. case: success with jsonpath filter and result array
    307. 

  307. args:
    308. 

  308.   url: /api/getsecret?id={{ .remoteRef.key }}&version={{ .remoteRef.version }}
    309. 

  309.   key: testkey
    310. 

  310.   version: 1
    311. 

  311.   jsonpath: $..name
    312. 

  312.   response: '{"secrets": [{"name": "thesecret", "value": "secret-value"}, {"name": "alsosecret", "value": "another-value"}]}'
    313. 

  313. want:
    314. 

  314.   path: /api/getsecret?id=testkey&version=1
    315. 

  315.   err: ''
    316. 

  316.   result: 'thesecret'
    317. 

  317. ---
    318. 

  318. case: success with jsonpath filter and result array of ints
    319. 

  319. args:
    320. 

  320.   url: /api/getsecret?id={{ .remoteRef.key }}&version={{ .remoteRef.version }}
    321. 

  321.   key: testkey
    322. 

  322.   version: 1
    323. 

  323.   jsonpath: $..name
    324. 

  324.   response: '{"secrets": [{"name": 123, "value": "secret-value"}, {"name": 456, "value": "another-value"}]}'
    325. 

  325. want:
    326. 

  326.   path: /api/getsecret?id=testkey&version=1
    327. 

  327.   err: ''
    328. 

  328.   result: 123
    329. 

  329. ---
    330. 

  330. case: support backslash
    331. 

  331. args:
    332. 

  332.   url: /api/getsecret?id={{ .remoteRef.key }}&version={{ .remoteRef.version }}
    333. 

  333.   key: testkey
    334. 

  334.   version: 1
    335. 

  335.   jsonpath: $.refresh_token
    336. 

  336.   response: '{"access_token":"REDACTED","refresh_token":"RE\/DACTED=="}'
    337. 

  337. want:
    338. 

  338.   path: /api/getsecret?id=testkey&version=1
    339. 

  339.   err: ''
    340. 

  340.   result: "RE/DACTED=="
    341. 

  341. ---
    342. 

  342. case: good json with mixed fields and jsonpath filter
    343. 

  343. args:
    344. 

  344.   url: /api/getsecret?id={{ .remoteRef.key }}&version={{ .remoteRef.version }}
    345. 

  345.   key: testkey
    346. 

  346.   version: 1
    347. 

  347.   jsonpath: $.result.thesecret
    348. 

  348.   response: '{"result":{"thesecret":"secret-value","alsosecret":"another-value", "id": 1234, "weight": 1.5}}'
    349. 

  349. want:
    350. 

  350.   path: /api/getsecret?id=testkey&version=1
    351. 

  351.   err: ''
    352. 

  352.   result: secret-value
    353. 

  353. ---
    354. 

  354. case: good json with mixed fields to map
    355. 

  355. args:
    356. 

  356.   url: /api/getsecret?id={{ .remoteRef.key }}&version={{ .remoteRef.version }}
    357. 

  357.   key: testkey
    358. 

  358.   version: 1
    359. 

  359.   jsonpath: $.result
    360. 

  360.   response: '{"result":{"thesecret":"secret-value","alsosecret":"another-value", "id": 1234, "weight": 1.5}}'
    361. 

  361. want:
    362. 

  362.   path: /api/getsecret?id=testkey&version=1
    363. 

  363.   err: ''
    364. 

  364.   resultmap:
    365. 

  365.     thesecret: secret-value
    366. 

  366.     alsosecret: another-value
    367. 

  367.     id: 1234
    368. 

  368.     weight: 1.5
    369. 

  369. ---
    370. 

  370. case: only url encoding for url templates
    371. 

  371. args:
    372. 

  372.   url: /api/getsecrets?folder={{ .remoteRef.key }}
    373. 

  373.   body: '{"folder": "{{ .remoteRef.key }}"}'
    374. 

  374.   key: /myapp/secrets
    375. 

  375. want:
    376. 

  376.   path: /api/getsecrets?folder=%2Fmyapp%2Fsecrets
    377. 

  377.   body: '{"folder": "/myapp/secrets"}'
    378. 

  378. ---
    379. 

  379. case: namespace template in headers
    380. 

  380. args:
    381. 

  381.   url: /api/getsecret?id={{ .remoteRef.key }}
    382. 

  382.   key: testkey
    383. 

  383.   response: secret-value
    384. 

  384. want:
    385. 

  385.   path: /api/getsecret?id=testkey
    386. 

  386.   err: ''
    387. 

  387.   result: secret-value
    388. 

  388. ---
    389. 

  389. case: namespace template in url
    390. 

  390. args:
    391. 

  391.   url: /api/getsecret?id={{ .remoteRef.key }}&namespace={{ .remoteRef.namespace }}
    392. 

  392.   key: testkey
    393. 

  393.   response: secret-value
    394. 

  394. want:
    395. 

  395.   path: /api/getsecret?id=testkey&namespace=testnamespace
    396. 

  396.   err: ''
    397. 

  397.   result: secret-value
    398. 

  398. `
    399. 

  399. 

  400. func TestWebhookGetSecret(t *testing.T) {
    401. 

  401. 	ydec := yaml.NewDecoder(bytes.NewReader([]byte(testCases)))
    402. 

  402. 	for {
    403. 

  403. 		var tc testCase
    404. 

  404. 		if err := ydec.Decode(&tc); err != nil {
    405. 

  405. 			if !errors.Is(err, io.EOF) {
    406. 

  406. 				t.Errorf("testcase decode error %v", err)
    407. 

  407. 			}
    408. 

  408. 			break
    409. 

  409. 		}
    410. 

  410. 		runTestCase(tc, t)
    411. 

  411. 	}
    412. 

  412. }
    413. 

  413. 

  414. var testCasesPushSecret = `
    415. 

  415. ---
    416. 

  416. case: secret key not found
    417. 

  417. args:
    418. 

  418.   url: /api/pushsecret?id={{ .remoteRef.remoteKey }}&secret={{ .remoteRef.secretKey }}
    419. 

  419.   key: testkey
    420. 

  420.   secretkey: not-found
    421. 

  421.   pushsecret: true
    422. 

  422.   secret:
    423. 

  423.     name: test-secret
    424. 

  424.     data:
    425. 

  425.       secretkey: value
    426. 

  426. want:
    427. 

  427.   path: /api/pushsecret?id=testkey&secret=not-found
    428. 

  428.   err: 'failed to find secret key in secret with key: not-found'
    429. 

  429. ---
    430. 

  430. case: default body good json
    431. 

  431. args:
    432. 

  432.   url: /api/pushsecret?id={{ .remoteRef.remoteKey }}&secret={{ .remoteRef.secretKey }}
    433. 

  433.   key: testkey
    434. 

  434.   secretkey: secretkey
    435. 

  435.   pushsecret: true
    436. 

  436.   secret:
    437. 

  437.     name: test-secret
    438. 

  438.     data:
    439. 

  439.       secretkey: value
    440. 

  440. want:
    441. 

  441.   path: /api/pushsecret?id=testkey&secret=secretkey
    442. 

  442.   body: 'value'
    443. 

  443.   err: ''
    444. 

  444. ---
    445. 

  445. case: good json
    446. 

  446. args:
    447. 

  447.   url: /api/pushsecret?id={{ .remoteRef.remoteKey }}&secret={{ .remoteRef.secretKey }}
    448. 

  448.   key: testkey
    449. 

  449.   body: 'pre {{ .remoteRef.remoteKey }} {{ .remoteRef.testkey }} post'
    450. 

  450.   secretkey: secretkey
    451. 

  451.   pushsecret: true
    452. 

  452.   secret:
    453. 

  453.     name: test-secret
    454. 

  454.     data:
    455. 

  455.       secretkey: value
    456. 

  456. want:
    457. 

  457.   path: /api/pushsecret?id=testkey&secret=secretkey
    458. 

  458.   body: 'pre testkey value post'
    459. 

  459.   err: ''
    460. 

  460. ---
    461. 

  461. case: empty body
    462. 

  462. args:
    463. 

  463.   url: /api/pushsecret?id={{ .remoteRef.remoteKey }}
    464. 

  464.   key: testkey
    465. 

  465.   body: '{{ "" }}'
    466. 

  466.   pushsecret: true
    467. 

  467.   secret:
    468. 

  468.     name: test-secret
    469. 

  469.     data:
    470. 

  470.       secretkey: value
    471. 

  471. want:
    472. 

  472.   path: /api/pushsecret?id=testkey
    473. 

  473.   body: ''
    474. 

  474.   err: ''
    475. 

  475. ---
    476. 

  476. case: default body pushing without secret key
    477. 

  477. args:
    478. 

  478.   url: /api/pushsecret?id={{ .remoteRef.remoteKey }}
    479. 

  479.   key: testkey
    480. 

  480.   pushsecret: true
    481. 

  481.   secret:
    482. 

  482.     name: test-secret
    483. 

  483.     data:
    484. 

  484.       secretkey: value
    485. 

  485. want:
    486. 

  486.   path: /api/pushsecret?id=testkey
    487. 

  487.   body: '{"secretkey":"value"}'
    488. 

  488.   err: ''
    489. 

  489. ---
    490. 

  490. case: pushing without secret key
    491. 

  491. args:
    492. 

  492.   url: /api/pushsecret?id={{ .remoteRef.remoteKey }}
    493. 

  493.   key: testkey
    494. 

  494.   body: 'pre {{ .remoteRef.remoteKey }} {{ index (.remoteRef.testkey | fromJson) "secretkey" }} post'
    495. 

  495.   pushsecret: true
    496. 

  496.   secret:
    497. 

  497.     name: test-secret
    498. 

  498.     data:
    499. 

  499.       secretkey: value
    500. 

  500. want:
    501. 

  501.   path: /api/pushsecret?id=testkey
    502. 

  502.   body: 'pre testkey value post'
    503. 

  503.   err: ''
    504. 

  504. ---
    505. 

  505. case: pushing without secret key with dynamic resolution
    506. 

  506. args:
    507. 

  507.   url: /api/pushsecret?id={{ .remoteRef.remoteKey }}
    508. 

  508.   key: testkey
    509. 

  509.   body: 'pre {{ .remoteRef.remoteKey }} {{ index (index .remoteRef .remoteRef.remoteKey | fromJson) "secretkey" }} post'
    510. 

  510.   pushsecret: true
    511. 

  511.   secret:
    512. 

  512.     name: test-secret
    513. 

  513.     data:
    514. 

  514.       secretkey: value
    515. 

  515. want:
    516. 

  516.   path: /api/pushsecret?id=testkey
    517. 

  517.   body: 'pre testkey value post'
    518. 

  518.   err: ''
    519. 

  519. `
    520. 

  520. 

  521. func TestWebhookPushSecret(t *testing.T) {
    522. 

  522. 	ydec := yaml.NewDecoder(bytes.NewReader([]byte(testCasesPushSecret)))
    523. 

  523. 	for {
    524. 

  524. 		var tc testCase
    525. 

  525. 		if err := ydec.Decode(&tc); err != nil {
    526. 

  526. 			if !errors.Is(err, io.EOF) {
    527. 

  527. 				t.Errorf("testcase decode error %v", err)
    528. 

  528. 			}
    529. 

  529. 			break
    530. 

  530. 		}
    531. 

  531. 		runTestCase(tc, t)
    532. 

  532. 	}
    533. 

  533. }
    534. 

  534. 

  535. func testCaseServer(tc testCase, t *testing.T) *httptest.Server {
    536. 

  536. 	// Start a new server for every test case because the server wants to check the expected api path
    537. 

  537. 	return httptest.NewServer(http.HandlerFunc(func(rw http.ResponseWriter, req *http.Request) {
    538. 

  538. 		if tc.Want.Path != "" && req.URL.String() != tc.Want.Path {
    539. 

  539. 			t.Errorf("%s: unexpected api path: %s, expected %s", tc.Case, req.URL.String(), tc.Want.Path)
    540. 

  540. 		}
    541. 

  541. 		if tc.Want.Body != nil {
    542. 

  542. 			b, _ := io.ReadAll(req.Body)
    543. 

  543. 			if tc.Want.Body != nil && string(b) != *tc.Want.Body {
    544. 

  544. 				t.Errorf("%s: unexpected body: %s, expected %s", tc.Case, string(b), *tc.Want.Body)
    545. 

  545. 			}
    546. 

  546. 		}
    547. 

  547. 		if tc.Args.StatusCode != 0 {
    548. 

  548. 			rw.WriteHeader(tc.Args.StatusCode)
    549. 

  549. 		}
    550. 

  550. 		rw.Write([]byte(tc.Args.Response))
    551. 

  551. 	}))
    552. 

  552. }
    553. 

  553. 

  554. func parseTimeout(timeout string) (*metav1.Duration, error) {
    555. 

  555. 	if timeout == "" {
    556. 

  556. 		return nil, nil
    557. 

  557. 	}
    558. 

  558. 	dur, err := time.ParseDuration(timeout)
    559. 

  559. 	if err != nil {
    560. 

  560. 		return nil, err
    561. 

  561. 	}
    562. 

  562. 	return &metav1.Duration{Duration: dur}, nil
    563. 

  563. }
    564. 

  564. 

  565. func runTestCase(tc testCase, t *testing.T) {
    566. 

  566. 	t.Run(tc.Case, func(t *testing.T) {
    567. 

  567. 		ts := testCaseServer(tc, t)
    568. 

  568. 		defer ts.Close()
    569. 

  569. 

  570. 		testStore := makeClusterSecretStore(ts.URL, tc.Args)
    571. 

  571. 		var err error
    572. 

  572. 		timeout, err := parseTimeout(tc.Args.Timeout)
    573. 

  573. 		if err != nil {
    574. 

  574. 			t.Errorf("%s: error parsing timeout '%s': %s", tc.Case, tc.Args.Timeout, err.Error())
    575. 

  575. 			return
    576. 

  576. 		}
    577. 

  577. 		testStore.Spec.Provider.Webhook.Timeout = timeout
    578. 

  578. 		testProv := &Provider{}
    579. 

  579. 		client, err := testProv.NewClient(context.Background(), testStore, nil, "testnamespace")
    580. 

  580. 		if err != nil {
    581. 

  581. 			t.Errorf("%s: error creating client: %s", tc.Case, err.Error())
    582. 

  582. 			return
    583. 

  583. 		}
    584. 

  584. 

  585. 		if tc.Want.ResultMap != nil && !tc.Args.PushSecret {
    586. 

  586. 			testGetSecretMap(tc, t, client)
    587. 

  587. 		} else if !tc.Args.PushSecret {
    588. 

  588. 			testGetSecret(tc, t, client)
    589. 

  589. 		} else {
    590. 

  590. 			testPushSecret(tc, t, client)
    591. 

  591. 		}
    592. 

  592. 	})
    593. 

  593. }
    594. 

  594. 

  595. func testGetSecretMap(tc testCase, t *testing.T, client esv1.SecretsClient) {
    596. 

  596. 	testRef := esv1.ExternalSecretDataRemoteRef{
    597. 

  597. 		Key:     tc.Args.Key,
    598. 

  598. 		Version: tc.Args.Version,
    599. 

  599. 	}
    600. 

  600. 	secretmap, err := client.GetSecretMap(context.Background(), testRef)
    601. 

  601. 	errStr := ""
    602. 

  602. 	if err != nil {
    603. 

  603. 		errStr = err.Error()
    604. 

  604. 	}
    605. 

  605. 	if (tc.Want.Err == "") != (errStr == "") || !strings.Contains(errStr, tc.Want.Err) {
    606. 

  606. 		t.Errorf("%s: unexpected error: '%s' (expected '%s')", tc.Case, errStr, tc.Want.Err)
    607. 

  607. 	}
    608. 

  608. 	if err == nil {
    609. 

  609. 		for wantkey, wantval := range tc.Want.ResultMap {
    610. 

  610. 			gotval, ok := secretmap[wantkey]
    611. 

  611. 			if !ok {
    612. 

  612. 				t.Errorf("%s: unexpected response: wanted key '%s' not found", tc.Case, wantkey)
    613. 

  613. 			} else if string(gotval) != wantval {
    614. 

  614. 				t.Errorf("%s: unexpected response: key '%s' = '%s' (expected '%s')", tc.Case, wantkey, wantval, gotval)
    615. 

  615. 			}
    616. 

  616. 		}
    617. 

  617. 	}
    618. 

  618. }
    619. 

  619. 

  620. func testGetSecret(tc testCase, t *testing.T, client esv1.SecretsClient) {
    621. 

  621. 	testRef := esv1.ExternalSecretDataRemoteRef{
    622. 

  622. 		Key:      tc.Args.Key,
    623. 

  623. 		Property: tc.Args.Property,
    624. 

  624. 		Version:  tc.Args.Version,
    625. 

  625. 	}
    626. 

  626. 	ctx, cancel := context.WithTimeout(context.Background(), time.Second)
    627. 

  627. 	defer cancel()
    628. 

  628. 	secret, err := client.GetSecret(ctx, testRef)
    629. 

  629. 	errStr := ""
    630. 

  630. 	if err != nil {
    631. 

  631. 		errStr = err.Error()
    632. 

  632. 	}
    633. 

  633. 	if !strings.Contains(errStr, tc.Want.Err) {
    634. 

  634. 		t.Errorf("%s: unexpected error: '%s' (expected '%s')", tc.Case, errStr, tc.Want.Err)
    635. 

  635. 	}
    636. 

  636. 	if err == nil && string(secret) != tc.Want.Result {
    637. 

  637. 		t.Errorf("%s: unexpected response: '%s' (expected '%s')", tc.Case, secret, tc.Want.Result)
    638. 

  638. 	}
    639. 

  639. }
    640. 

  640. 

  641. func testPushSecret(tc testCase, t *testing.T, client esv1.SecretsClient) {
    642. 

  642. 	testRef := v1alpha1.PushSecretData{
    643. 

  643. 		Match: v1alpha1.PushSecretMatch{
    644. 

  644. 			SecretKey: tc.Args.SecretKey,
    645. 

  645. 			RemoteRef: v1alpha1.PushSecretRemoteRef{
    646. 

  646. 				RemoteKey: tc.Args.Key,
    647. 

  647. 			},
    648. 

  648. 		},
    649. 

  649. 	}
    650. 

  650. 

  651. 	data := map[string][]byte{}
    652. 

  652. 	for k, v := range tc.Args.Secret.Data {
    653. 

  653. 		data[k] = []byte(v)
    654. 

  654. 	}
    655. 

  655. 	sec := &corev1.Secret{
    656. 

  656. 		ObjectMeta: metav1.ObjectMeta{
    657. 

  657. 			Name: tc.Args.Secret.Name,
    658. 

  658. 		},
    659. 

  659. 		Data: data,
    660. 

  660. 	}
    661. 

  661. 	ctx, cancel := context.WithTimeout(context.Background(), time.Second)
    662. 

  662. 	defer cancel()
    663. 

  663. 	err := client.PushSecret(ctx, sec, testRef)
    664. 

  664. 	errStr := ""
    665. 

  665. 	if err != nil {
    666. 

  666. 		errStr = err.Error()
    667. 

  667. 	}
    668. 

  668. 	if tc.Want.Err == "" && errStr != "" {
    669. 

  669. 		t.Errorf("%s: unexpected error: '%s' (expected '%s')", tc.Case, errStr, tc.Want.Err)
    670. 

  670. 	}
    671. 

  671. 

  672. 	if !strings.Contains(errStr, tc.Want.Err) {
    673. 

  673. 		t.Errorf("%s: unexpected error: '%s' (expected '%s')", tc.Case, errStr, tc.Want.Err)
    674. 

  674. 	}
    675. 

  675. }
    676. 

  676. 

  677. func makeClusterSecretStore(url string, args args) *esv1.ClusterSecretStore {
    678. 

  678. 	store := &esv1.ClusterSecretStore{
    679. 

  679. 		TypeMeta: metav1.TypeMeta{
    680. 

  680. 			Kind: "ClusterSecretStore",
    681. 

  681. 		},
    682. 

  682. 		ObjectMeta: metav1.ObjectMeta{
    683. 

  683. 			Name:      "wehbook-store",
    684. 

  684. 			Namespace: "default",
    685. 

  685. 		},
    686. 

  686. 		Spec: esv1.SecretStoreSpec{
    687. 

  687. 			Provider: &esv1.SecretStoreProvider{
    688. 

  688. 				Webhook: &esv1.WebhookProvider{
    689. 

  689. 					URL:  url + args.URL,
    690. 

  690. 					Body: args.Body,
    691. 

  691. 					Headers: map[string]string{
    692. 

  692. 						"Content-Type":           "application.json",
    693. 

  693. 						"X-SecretKey":            "{{ .remoteRef.key }}",
    694. 

  694. 						"X-Kubernetes-Namespace": "{{ .remoteRef.namespace }}",
    695. 

  695. 					},
    696. 

  696. 					Result: esv1.WebhookResult{
    697. 

  697. 						JSONPath: args.JSONPath,
    698. 

  698. 					},
    699. 

  699. 				},
    700. 

  700. 			},
    701. 

  701. 		},
    702. 

  702. 	}
    703. 

  703. 	return store
    704. 

  704. }
    705.