Home Explore Help
Sign In
logic855
/
helm-external-secrets
mirror of https://github.com/external-secrets/external-secrets
1
0
Fork 0
Files Issues 0 Wiki
Tree: 8c5b10124e
Branches Tags
helm-externa...
/
pkg
/
provider
/
gcp
/
secretmanager
/
workload_identity_test.go

workload_identity_test.go 14 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497 
  1. /*
    2. 

  2. Licensed under the Apache License, Version 2.0 (the "License");
    3. 

  3. you may not use this file except in compliance with the License.
    4. 

  4. You may obtain a copy of the License at
    5. 

  5. 

  6. 	http://www.apache.org/licenses/LICENSE-2.0
    7. 

  7. 

  8. Unless required by applicable law or agreed to in writing, software
    9. 

  9. distributed under the License is distributed on an "AS IS" BASIS,
    10. 

  10. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    11. 

  11. See the License for the specific language governing permissions and
    12. 

  12. limitations under the License.
    13. 

  13. */
    14. 

  14. 

  15. package secretmanager
    16. 

  16. 

  17. import (
    18. 

  18. 	"context"
    19. 

  19. 	"encoding/json"
    20. 

  20. 	"errors"
    21. 

  21. 	"fmt"
    22. 

  22. 	"io"
    23. 

  23. 	"net/http"
    24. 

  24. 	"net/http/httptest"
    25. 

  25. 	"testing"
    26. 

  26. 

  27. 	"cloud.google.com/go/iam/credentials/apiv1/credentialspb"
    28. 

  28. 	"github.com/googleapis/gax-go/v2"
    29. 

  29. 	"github.com/stretchr/testify/assert"
    30. 

  30. 	"golang.org/x/oauth2"
    31. 

  31. 	authv1 "k8s.io/api/authentication/v1"
    32. 

  32. 	v1 "k8s.io/api/core/v1"
    33. 

  33. 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
    34. 

  34. 	k8sv1 "k8s.io/client-go/kubernetes/typed/core/v1"
    35. 

  35. 	"sigs.k8s.io/controller-runtime/pkg/client"
    36. 

  36. 	clientfake "sigs.k8s.io/controller-runtime/pkg/client/fake"
    37. 

  37. 

  38. 	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
    39. 

  39. 	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
    40. 

  40. )
    41. 

  41. 

  42. type workloadIdentityTest struct {
    43. 

  43. 	name           string
    44. 

  44. 	expTS          bool
    45. 

  45. 	expToken       *oauth2.Token
    46. 

  46. 	expErr         string
    47. 

  47. 	genAccessToken func(context.Context, *credentialspb.GenerateAccessTokenRequest, ...gax.CallOption) (*credentialspb.GenerateAccessTokenResponse, error)
    48. 

  48. 	genIDBindToken func(ctx context.Context, client *http.Client, k8sToken, idPool, idProvider string) (*oauth2.Token, error)
    49. 

  49. 	genSAToken     func(c context.Context, s1 []string, s2, s3 string) (*authv1.TokenRequest, error)
    50. 

  50. 	instMetadata   map[string]string
    51. 

  51. 	store          esv1.GenericStore
    52. 

  52. 	kubeObjects    []client.Object
    53. 

  53. }
    54. 

  54. 

  55. func TestWorkloadIdentity(t *testing.T) {
    56. 

  56. 	clusterSANamespace := "foobar"
    57. 

  57. 	tbl := []*workloadIdentityTest{
    58. 

  58. 		composeTestcase(
    59. 

  59. 			defaultTestCase("should skip when no workload identity is configured: TokenSource and error must be nil"),
    60. 

  60. 			withStore(&esv1.SecretStore{
    61. 

  61. 				Spec: esv1.SecretStoreSpec{
    62. 

  62. 					Provider: &esv1.SecretStoreProvider{
    63. 

  63. 						GCPSM: &esv1.GCPSMProvider{},
    64. 

  64. 					},
    65. 

  65. 				},
    66. 

  66. 			}),
    67. 

  67. 		),
    68. 

  68. 		composeTestcase(
    69. 

  69. 			defaultTestCase("return access token from GenerateAccessTokenRequest with SecretStore"),
    70. 

  70. 			withStore(defaultStore()),
    71. 

  71. 			expTokenSource(),
    72. 

  72. 			expectToken(defaultGenAccessToken),
    73. 

  73. 		),
    74. 

  74. 		composeTestcase(
    75. 

  75. 			defaultTestCase("return idBindToken when no annotation is set with SecretStore"),
    76. 

  76. 			expTokenSource(),
    77. 

  77. 			expectToken(defaultIDBindToken),
    78. 

  78. 			withStore(defaultStore()),
    79. 

  79. 			withK8sResources([]client.Object{
    80. 

  80. 				&v1.ServiceAccount{
    81. 

  81. 					ObjectMeta: metav1.ObjectMeta{
    82. 

  82. 						Name:        "example",
    83. 

  83. 						Namespace:   "default",
    84. 

  84. 						Annotations: map[string]string{},
    85. 

  85. 					},
    86. 

  86. 				},
    87. 

  87. 			}),
    88. 

  88. 		),
    89. 

  89. 		composeTestcase(
    90. 

  90. 			defaultTestCase("ClusterSecretStore: referent auth / service account without namespace"),
    91. 

  91. 			expTokenSource(),
    92. 

  92. 			withStore(
    93. 

  93. 				composeStore(defaultClusterStore()),
    94. 

  94. 			),
    95. 

  95. 			withK8sResources([]client.Object{
    96. 

  96. 				&v1.ServiceAccount{
    97. 

  97. 					ObjectMeta: metav1.ObjectMeta{
    98. 

  98. 						Name:        "example",
    99. 

  99. 						Namespace:   "default",
    100. 

  100. 						Annotations: map[string]string{},
    101. 

  101. 					},
    102. 

  102. 				},
    103. 

  103. 			}),
    104. 

  104. 		),
    105. 

  105. 		composeTestcase(
    106. 

  106. 			defaultTestCase("ClusterSecretStore: invalid service account"),
    107. 

  107. 			expErr("foobar"),
    108. 

  108. 			withStore(
    109. 

  109. 				composeStore(defaultClusterStore()),
    110. 

  110. 			),
    111. 

  111. 			withK8sResources([]client.Object{
    112. 

  112. 				&v1.ServiceAccount{
    113. 

  113. 					ObjectMeta: metav1.ObjectMeta{
    114. 

  114. 						Name:        "does not exist",
    115. 

  115. 						Namespace:   "default",
    116. 

  116. 						Annotations: map[string]string{},
    117. 

  117. 					},
    118. 

  118. 				},
    119. 

  119. 			}),
    120. 

  120. 		),
    121. 

  121. 		composeTestcase(
    122. 

  122. 			defaultTestCase("return access token from GenerateAccessTokenRequest with ClusterSecretStore"),
    123. 

  123. 			expTokenSource(),
    124. 

  124. 			expectToken(defaultGenAccessToken),
    125. 

  125. 			withStore(
    126. 

  126. 				composeStore(defaultClusterStore(), withSANamespace(clusterSANamespace)),
    127. 

  127. 			),
    128. 

  128. 			withK8sResources([]client.Object{
    129. 

  129. 				&v1.ServiceAccount{
    130. 

  130. 					ObjectMeta: metav1.ObjectMeta{
    131. 

  131. 						Name:      "example",
    132. 

  132. 						Namespace: clusterSANamespace,
    133. 

  133. 						Annotations: map[string]string{
    134. 

  134. 							gcpSAAnnotation: "example",
    135. 

  135. 						},
    136. 

  136. 					},
    137. 

  137. 				},
    138. 

  138. 			}),
    139. 

  139. 		),
    140. 

  140. 		composeTestcase(
    141. 

  141. 			defaultTestCase("lookup cluster id from instance metadata"),
    142. 

  142. 			expTokenSource(),
    143. 

  143. 			expectToken(defaultGenAccessToken),
    144. 

  144. 			withStore(
    145. 

  145. 				composeStore(defaultStore(), withClusterID("", "", "")),
    146. 

  146. 			),
    147. 

  147. 			withInstMetadata(map[string]string{
    148. 

  148. 				"project-id":       "1234",
    149. 

  149. 				"cluster-location": "example",
    150. 

  150. 				"cluster-name":     "foobar",
    151. 

  151. 			}),
    152. 

  152. 		),
    153. 

  153. 	}
    154. 

  154. 

  155. 	for _, row := range tbl {
    156. 

  156. 		t.Run(row.name, func(t *testing.T) {
    157. 

  157. 			fakeIam := &fakeIAMClient{generateAccessTokenFunc: row.genAccessToken}
    158. 

  158. 			fakeMeta := &fakeMetadataClient{metadata: row.instMetadata}
    159. 

  159. 			fakeIDBGen := &fakeIDBindTokenGen{generateFunc: row.genIDBindToken}
    160. 

  160. 			fakeSATG := &fakeSATokenGen{GenerateFunc: row.genSAToken}
    161. 

  161. 			w := &workloadIdentity{
    162. 

  162. 				iamClient:            fakeIam,
    163. 

  163. 				metadataClient:       fakeMeta,
    164. 

  164. 				idBindTokenGenerator: fakeIDBGen,
    165. 

  165. 				saTokenGenerator:     fakeSATG,
    166. 

  166. 			}
    167. 

  167. 			cb := clientfake.NewClientBuilder()
    168. 

  168. 			cb.WithObjects(row.kubeObjects...)
    169. 

  169. 			client := cb.Build()
    170. 

  170. 			isCluster := row.store.GetTypeMeta().Kind == esv1.ClusterSecretStoreKind
    171. 

  171. 			ts, err := w.TokenSource(context.Background(), row.store.GetSpec().Provider.GCPSM.Auth, isCluster, client, "default")
    172. 

  172. 			// assert err
    173. 

  173. 			if row.expErr == "" {
    174. 

  174. 				assert.NoError(t, err)
    175. 

  175. 			} else {
    176. 

  176. 				assert.Error(t, err, row.expErr)
    177. 

  177. 			}
    178. 

  178. 			// assert ts
    179. 

  179. 			if row.expTS {
    180. 

  180. 				assert.NotNil(t, ts)
    181. 

  181. 				if row.expToken != nil {
    182. 

  182. 					tk, err := ts.Token()
    183. 

  183. 					assert.NoError(t, err)
    184. 

  184. 					assert.EqualValues(t, tk, row.expToken)
    185. 

  185. 				}
    186. 

  186. 			} else {
    187. 

  187. 				assert.Nil(t, ts)
    188. 

  188. 			}
    189. 

  189. 		})
    190. 

  190. 	}
    191. 

  191. }
    192. 

  192. 

  193. func TestClusterProjectID(t *testing.T) {
    194. 

  194. 	clusterID, err := clusterProjectID(defaultStore().GetSpec())
    195. 

  195. 	assert.Nil(t, err)
    196. 

  196. 	assert.Equal(t, clusterID, "1234")
    197. 

  197. 	externalClusterID, err := clusterProjectID(defaultExternalStore().GetSpec())
    198. 

  198. 	assert.Nil(t, err)
    199. 

  199. 	assert.Equal(t, externalClusterID, "5678")
    200. 

  200. }
    201. 

  201. 

  202. func TestSATokenGen(t *testing.T) {
    203. 

  203. 	corev1 := &fakeK8sV1{}
    204. 

  204. 	g := &k8sSATokenGenerator{
    205. 

  205. 		corev1: corev1,
    206. 

  206. 	}
    207. 

  207. 	token, err := g.Generate(context.Background(), []string{"my-fake-audience"}, "bar", "default")
    208. 

  208. 	assert.Nil(t, err)
    209. 

  209. 	assert.Equal(t, token.Status.Token, defaultSAToken)
    210. 

  210. 	assert.Equal(t, token.Spec.Audiences[0], "my-fake-audience")
    211. 

  211. }
    212. 

  212. 

  213. func TestIDBTokenGen(t *testing.T) {
    214. 

  214. 	srv := httptest.NewServer(http.HandlerFunc(func(rw http.ResponseWriter, r *http.Request) {
    215. 

  215. 		payload := make(map[string]string)
    216. 

  216. 		rb, err := io.ReadAll(r.Body)
    217. 

  217. 		assert.Nil(t, err)
    218. 

  218. 		err = json.Unmarshal(rb, &payload)
    219. 

  219. 		assert.Nil(t, err)
    220. 

  220. 		assert.Equal(t, payload["audience"], "identitynamespace:some-idpool:some-id-provider")
    221. 

  221. 

  222. 		bt, err := json.Marshal(&oauth2.Token{
    223. 

  223. 			AccessToken: "12345",
    224. 

  224. 		})
    225. 

  225. 		assert.Nil(t, err)
    226. 

  226. 		rw.WriteHeader(http.StatusOK)
    227. 

  227. 		rw.Write(bt)
    228. 

  228. 	}))
    229. 

  229. 	defer srv.Close()
    230. 

  230. 	gen := &gcpIDBindTokenGenerator{
    231. 

  231. 		targetURL: srv.URL,
    232. 

  232. 	}
    233. 

  233. 	token, err := gen.Generate(context.Background(), http.DefaultClient, "some-token", "some-idpool", "some-id-provider")
    234. 

  234. 	assert.Nil(t, err)
    235. 

  235. 	assert.Equal(t, token.AccessToken, "12345")
    236. 

  236. }
    237. 

  237. 

  238. type testCaseMutator func(tc *workloadIdentityTest)
    239. 

  239. 

  240. func composeTestcase(tc *workloadIdentityTest, mutators ...testCaseMutator) *workloadIdentityTest {
    241. 

  241. 	for _, m := range mutators {
    242. 

  242. 		m(tc)
    243. 

  243. 	}
    244. 

  244. 	return tc
    245. 

  245. }
    246. 

  246. 

  247. func withStore(store esv1.GenericStore) testCaseMutator {
    248. 

  248. 	return func(tc *workloadIdentityTest) {
    249. 

  249. 		tc.store = store
    250. 

  250. 	}
    251. 

  251. }
    252. 

  252. 

  253. func expTokenSource() testCaseMutator {
    254. 

  254. 	return func(tc *workloadIdentityTest) {
    255. 

  255. 		tc.expTS = true
    256. 

  256. 	}
    257. 

  257. }
    258. 

  258. 

  259. func expectToken(token string) testCaseMutator {
    260. 

  260. 	return func(tc *workloadIdentityTest) {
    261. 

  261. 		tc.expToken = &oauth2.Token{
    262. 

  262. 			AccessToken: token,
    263. 

  263. 		}
    264. 

  264. 	}
    265. 

  265. }
    266. 

  266. 

  267. func expErr(err string) testCaseMutator {
    268. 

  268. 	return func(tc *workloadIdentityTest) {
    269. 

  269. 		tc.expErr = err
    270. 

  270. 	}
    271. 

  271. }
    272. 

  272. 

  273. func withK8sResources(objs []client.Object) testCaseMutator {
    274. 

  274. 	return func(tc *workloadIdentityTest) {
    275. 

  275. 		tc.kubeObjects = objs
    276. 

  276. 	}
    277. 

  277. }
    278. 

  278. 

  279. func withInstMetadata(metadata map[string]string) testCaseMutator {
    280. 

  280. 	return func(tc *workloadIdentityTest) {
    281. 

  281. 		tc.instMetadata = metadata
    282. 

  282. 	}
    283. 

  283. }
    284. 

  284. 

  285. var (
    286. 

  286. 	defaultGenAccessToken = "default-gen-access-token"
    287. 

  287. 	defaultIDBindToken    = "default-id-bind-token"
    288. 

  288. 	defaultSAToken        = "default-k8s-sa-token"
    289. 

  289. )
    290. 

  290. 

  291. func defaultTestCase(name string) *workloadIdentityTest {
    292. 

  292. 	return &workloadIdentityTest{
    293. 

  293. 		name: name,
    294. 

  294. 		genAccessToken: func(c context.Context, gatr *credentialspb.GenerateAccessTokenRequest, co ...gax.CallOption) (*credentialspb.GenerateAccessTokenResponse, error) {
    295. 

  295. 			return &credentialspb.GenerateAccessTokenResponse{
    296. 

  296. 				AccessToken: defaultGenAccessToken,
    297. 

  297. 			}, nil
    298. 

  298. 		},
    299. 

  299. 		genIDBindToken: func(ctx context.Context, client *http.Client, k8sToken, idPool, idProvider string) (*oauth2.Token, error) {
    300. 

  300. 			return &oauth2.Token{
    301. 

  301. 				AccessToken: defaultIDBindToken,
    302. 

  302. 			}, nil
    303. 

  303. 		},
    304. 

  304. 		genSAToken: func(c context.Context, s1 []string, s2, s3 string) (*authv1.TokenRequest, error) {
    305. 

  305. 			return &authv1.TokenRequest{
    306. 

  306. 				Status: authv1.TokenRequestStatus{
    307. 

  307. 					Token: defaultSAToken,
    308. 

  308. 				},
    309. 

  309. 			}, nil
    310. 

  310. 		},
    311. 

  311. 		instMetadata: map[string]string{
    312. 

  312. 			"project-id": "1234",
    313. 

  313. 		},
    314. 

  314. 		kubeObjects: []client.Object{
    315. 

  315. 			&v1.ServiceAccount{
    316. 

  316. 				ObjectMeta: metav1.ObjectMeta{
    317. 

  317. 					Name:      "example",
    318. 

  318. 					Namespace: "default",
    319. 

  319. 					Annotations: map[string]string{
    320. 

  320. 						gcpSAAnnotation: "example",
    321. 

  321. 					},
    322. 

  322. 				},
    323. 

  323. 			},
    324. 

  324. 		},
    325. 

  325. 	}
    326. 

  326. }
    327. 

  327. 

  328. func defaultStore() *esv1.SecretStore {
    329. 

  329. 	return &esv1.SecretStore{
    330. 

  330. 		ObjectMeta: metav1.ObjectMeta{
    331. 

  331. 			Name:      "foobar",
    332. 

  332. 			Namespace: "default",
    333. 

  333. 		},
    334. 

  334. 		Spec: defaultStoreSpec(),
    335. 

  335. 	}
    336. 

  336. }
    337. 

  337. 

  338. func defaultExternalStore() *esv1.SecretStore {
    339. 

  339. 	return &esv1.SecretStore{
    340. 

  340. 		ObjectMeta: metav1.ObjectMeta{
    341. 

  341. 			Name:      "foobar",
    342. 

  342. 			Namespace: "default",
    343. 

  343. 		},
    344. 

  344. 		Spec: defaultExternalStoreSpec(),
    345. 

  345. 	}
    346. 

  346. }
    347. 

  347. 

  348. func defaultClusterStore() *esv1.ClusterSecretStore {
    349. 

  349. 	return &esv1.ClusterSecretStore{
    350. 

  350. 		TypeMeta: metav1.TypeMeta{
    351. 

  351. 			Kind: esv1.ClusterSecretStoreKind,
    352. 

  352. 		},
    353. 

  353. 		ObjectMeta: metav1.ObjectMeta{
    354. 

  354. 			Name: "foobar",
    355. 

  355. 		},
    356. 

  356. 		Spec: defaultStoreSpec(),
    357. 

  357. 	}
    358. 

  358. }
    359. 

  359. 

  360. func defaultStoreSpec() esv1.SecretStoreSpec {
    361. 

  361. 	return esv1.SecretStoreSpec{
    362. 

  362. 		Provider: &esv1.SecretStoreProvider{
    363. 

  363. 			GCPSM: &esv1.GCPSMProvider{
    364. 

  364. 				Auth: esv1.GCPSMAuth{
    365. 

  365. 					WorkloadIdentity: &esv1.GCPWorkloadIdentity{
    366. 

  366. 						ServiceAccountRef: esmeta.ServiceAccountSelector{
    367. 

  367. 							Name: "example",
    368. 

  368. 						},
    369. 

  369. 						ClusterLocation: "example",
    370. 

  370. 						ClusterName:     "foobar",
    371. 

  371. 					},
    372. 

  372. 				},
    373. 

  373. 				ProjectID: "1234",
    374. 

  374. 			},
    375. 

  375. 		},
    376. 

  376. 	}
    377. 

  377. }
    378. 

  378. 

  379. func defaultExternalStoreSpec() esv1.SecretStoreSpec {
    380. 

  380. 	return esv1.SecretStoreSpec{
    381. 

  381. 		Provider: &esv1.SecretStoreProvider{
    382. 

  382. 			GCPSM: &esv1.GCPSMProvider{
    383. 

  383. 				Auth: esv1.GCPSMAuth{
    384. 

  384. 					WorkloadIdentity: &esv1.GCPWorkloadIdentity{
    385. 

  385. 						ServiceAccountRef: esmeta.ServiceAccountSelector{
    386. 

  386. 							Name: "example",
    387. 

  387. 						},
    388. 

  388. 						ClusterLocation:  "example",
    389. 

  389. 						ClusterName:      "foobar",
    390. 

  390. 						ClusterProjectID: "5678",
    391. 

  391. 					},
    392. 

  392. 				},
    393. 

  393. 				ProjectID: "1234",
    394. 

  394. 			},
    395. 

  395. 		},
    396. 

  396. 	}
    397. 

  397. }
    398. 

  398. 

  399. type storeMutator func(spc esv1.GenericStore)
    400. 

  400. 

  401. func composeStore(store esv1.GenericStore, mutators ...storeMutator) esv1.GenericStore {
    402. 

  402. 	for _, m := range mutators {
    403. 

  403. 		m(store)
    404. 

  404. 	}
    405. 

  405. 	return store
    406. 

  406. }
    407. 

  407. 

  408. func withClusterID(project, location, name string) storeMutator {
    409. 

  409. 	return func(store esv1.GenericStore) {
    410. 

  410. 		spc := store.GetSpec()
    411. 

  411. 		spc.Provider.GCPSM.Auth.WorkloadIdentity.ClusterProjectID = project
    412. 

  412. 		spc.Provider.GCPSM.Auth.WorkloadIdentity.ClusterLocation = location
    413. 

  413. 		spc.Provider.GCPSM.Auth.WorkloadIdentity.ClusterName = name
    414. 

  414. 	}
    415. 

  415. }
    416. 

  416. 

  417. func withSANamespace(namespace string) storeMutator {
    418. 

  418. 	return func(store esv1.GenericStore) {
    419. 

  419. 		spc := store.GetSpec()
    420. 

  420. 		spc.Provider.GCPSM.Auth.WorkloadIdentity.ServiceAccountRef.Namespace = &namespace
    421. 

  421. 	}
    422. 

  422. }
    423. 

  423. 

  424. // fake IDBindToken Generator.
    425. 

  425. type fakeIDBindTokenGen struct {
    426. 

  426. 	generateFunc func(ctx context.Context, client *http.Client, k8sToken, idPool, idProvider string) (*oauth2.Token, error)
    427. 

  427. }
    428. 

  428. 

  429. func (g *fakeIDBindTokenGen) Generate(ctx context.Context, client *http.Client, k8sToken, idPool, idProvider string) (*oauth2.Token, error) {
    430. 

  430. 	return g.generateFunc(ctx, client, k8sToken, idPool, idProvider)
    431. 

  431. }
    432. 

  432. 

  433. // fake IAM Client.
    434. 

  434. type fakeIAMClient struct {
    435. 

  435. 	generateAccessTokenFunc func(context.Context, *credentialspb.GenerateAccessTokenRequest, ...gax.CallOption) (*credentialspb.GenerateAccessTokenResponse, error)
    436. 

  436. }
    437. 

  437. 

  438. func (f *fakeIAMClient) GenerateAccessToken(ctx context.Context, req *credentialspb.GenerateAccessTokenRequest, opts ...gax.CallOption) (*credentialspb.GenerateAccessTokenResponse, error) {
    439. 

  439. 	return f.generateAccessTokenFunc(ctx, req, opts...)
    440. 

  440. }
    441. 

  441. 

  442. func (f *fakeIAMClient) Close() error {
    443. 

  443. 	return nil
    444. 

  444. }
    445. 

  445. 

  446. // fake Metadata Client.
    447. 

  447. type fakeMetadataClient struct {
    448. 

  448. 	metadata map[string]string
    449. 

  449. }
    450. 

  450. 

  451. func (f *fakeMetadataClient) InstanceAttributeValueWithContext(ctx context.Context, attr string) (string, error) {
    452. 

  452. 	if val, ok := f.metadata[attr]; ok {
    453. 

  453. 		return val, nil
    454. 

  454. 	}
    455. 

  455. 	return "", fmt.Errorf("attr %s not found", attr)
    456. 

  456. }
    457. 

  457. 

  458. func (f *fakeMetadataClient) ProjectIDWithContext(ctx context.Context) (string, error) {
    459. 

  459. 	if val, ok := f.metadata["project-id"]; ok {
    460. 

  460. 		return val, nil
    461. 

  461. 	}
    462. 

  462. 	return "", errors.New("attr project-id not found")
    463. 

  463. }
    464. 

  464. 

  465. // fake SA Token Generator.
    466. 

  466. type fakeSATokenGen struct {
    467. 

  467. 	GenerateFunc func(context.Context, []string, string, string) (*authv1.TokenRequest, error)
    468. 

  468. }
    469. 

  469. 

  470. func (f *fakeSATokenGen) Generate(ctx context.Context, idPool []string, namespace, name string) (*authv1.TokenRequest, error) {
    471. 

  471. 	return f.GenerateFunc(ctx, idPool, namespace, name)
    472. 

  472. }
    473. 

  473. 

  474. // fake k8s client for creating tokens.
    475. 

  475. type fakeK8sV1 struct {
    476. 

  476. 	k8sv1.CoreV1Interface
    477. 

  477. }
    478. 

  478. 

  479. func (m *fakeK8sV1) ServiceAccounts(_ string) k8sv1.ServiceAccountInterface {
    480. 

  480. 	return &fakeK8sV1SA{v1mock: m}
    481. 

  481. }
    482. 

  482. 

  483. // Mock the K8s service account client.
    484. 

  484. type fakeK8sV1SA struct {
    485. 

  485. 	k8sv1.ServiceAccountInterface
    486. 

  486. 	v1mock *fakeK8sV1
    487. 

  487. }
    488. 

  488. 

  489. func (ma *fakeK8sV1SA) CreateToken(
    490. 

  490. 	_ context.Context,
    491. 

  491. 	_ string,
    492. 

  492. 	tokenRequest *authv1.TokenRequest,
    493. 

  493. 	_ metav1.CreateOptions,
    494. 

  494. ) (*authv1.TokenRequest, error) {
    495. 

  495. 	tokenRequest.Status.Token = defaultSAToken
    496. 

  496. 	return tokenRequest, nil
    497. 

  497. }
    498.