parameterstore_test.go 14 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428
  1. /*
  2. Licensed under the Apache License, Version 2.0 (the "License");
  3. you may not use this file except in compliance with the License.
  4. You may obtain a copy of the License at
  5. http://www.apache.org/licenses/LICENSE-2.0
  6. Unless required by applicable law or agreed to in writing, software
  7. distributed under the License is distributed on an "AS IS" BASIS,
  8. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  9. See the License for the specific language governing permissions and
  10. limitations under the License.
  11. */
  12. package parameterstore
  13. import (
  14. "context"
  15. "errors"
  16. "fmt"
  17. "strings"
  18. "testing"
  19. "github.com/aws/aws-sdk-go/aws"
  20. "github.com/aws/aws-sdk-go/service/ssm"
  21. "github.com/google/go-cmp/cmp"
  22. metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
  23. esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
  24. fakeps "github.com/external-secrets/external-secrets/pkg/provider/aws/parameterstore/fake"
  25. )
  26. type parameterstoreTestCase struct {
  27. fakeClient *fakeps.Client
  28. apiInput *ssm.GetParameterInput
  29. apiOutput *ssm.GetParameterOutput
  30. remoteRef *esv1beta1.ExternalSecretDataRemoteRef
  31. apiErr error
  32. expectError string
  33. expectedSecret string
  34. expectedData map[string][]byte
  35. }
  36. type fakeRef struct {
  37. key string
  38. }
  39. func (f fakeRef) GetRemoteKey() string {
  40. return f.key
  41. }
  42. func makeValidParameterStoreTestCase() *parameterstoreTestCase {
  43. return &parameterstoreTestCase{
  44. fakeClient: &fakeps.Client{},
  45. apiInput: makeValidAPIInput(),
  46. apiOutput: makeValidAPIOutput(),
  47. remoteRef: makeValidRemoteRef(),
  48. apiErr: nil,
  49. expectError: "",
  50. expectedSecret: "",
  51. expectedData: make(map[string][]byte),
  52. }
  53. }
  54. func makeValidAPIInput() *ssm.GetParameterInput {
  55. return &ssm.GetParameterInput{
  56. Name: aws.String("/baz"),
  57. WithDecryption: aws.Bool(true),
  58. }
  59. }
  60. func makeValidAPIOutput() *ssm.GetParameterOutput {
  61. return &ssm.GetParameterOutput{
  62. Parameter: &ssm.Parameter{
  63. Value: aws.String("RRRRR"),
  64. },
  65. }
  66. }
  67. func makeValidRemoteRef() *esv1beta1.ExternalSecretDataRemoteRef {
  68. return &esv1beta1.ExternalSecretDataRemoteRef{
  69. Key: "/baz",
  70. }
  71. }
  72. func makeValidParameterStoreTestCaseCustom(tweaks ...func(pstc *parameterstoreTestCase)) *parameterstoreTestCase {
  73. pstc := makeValidParameterStoreTestCase()
  74. for _, fn := range tweaks {
  75. fn(pstc)
  76. }
  77. pstc.fakeClient.WithValue(pstc.apiInput, pstc.apiOutput, pstc.apiErr)
  78. return pstc
  79. }
  80. func TestPushSecret(t *testing.T) {
  81. invalidParameters := errors.New(ssm.ErrCodeInvalidParameters)
  82. alreadyExistsError := errors.New(ssm.ErrCodeAlreadyExistsException)
  83. fakeValue := "fakeValue"
  84. managedByESO := ssm.Tag{
  85. Key: &managedBy,
  86. Value: &externalSecrets,
  87. }
  88. putParameterOutput := &ssm.PutParameterOutput{}
  89. getParameterOutput := &ssm.GetParameterOutput{}
  90. describeParameterOutput := &ssm.DescribeParametersOutput{}
  91. validListTagsForResourceOutput := &ssm.ListTagsForResourceOutput{
  92. TagList: []*ssm.Tag{&managedByESO},
  93. }
  94. noTagsResourceOutput := &ssm.ListTagsForResourceOutput{}
  95. validGetParameterOutput := &ssm.GetParameterOutput{
  96. Parameter: &ssm.Parameter{
  97. ARN: nil,
  98. DataType: nil,
  99. LastModifiedDate: nil,
  100. Name: nil,
  101. Selector: nil,
  102. SourceResult: nil,
  103. Type: nil,
  104. Value: nil,
  105. Version: nil,
  106. },
  107. }
  108. sameGetParameterOutput := &ssm.GetParameterOutput{
  109. Parameter: &ssm.Parameter{
  110. Value: &fakeValue,
  111. },
  112. }
  113. type args struct {
  114. store *esv1beta1.AWSProvider
  115. client fakeps.Client
  116. }
  117. type want struct {
  118. err error
  119. }
  120. tests := map[string]struct {
  121. reason string
  122. args args
  123. want want
  124. }{
  125. "PutParameterSucceeds": {
  126. reason: "a parameter can be successfully pushed to aws parameter store",
  127. args: args{
  128. store: makeValidParameterStore().Spec.Provider.AWS,
  129. client: fakeps.Client{
  130. PutParameterWithContextFn: fakeps.NewPutParameterWithContextFn(putParameterOutput, nil),
  131. GetParameterWithContextFn: fakeps.NewGetParameterWithContextFn(getParameterOutput, nil),
  132. DescribeParametersWithContextFn: fakeps.NewDescribeParametersWithContextFn(describeParameterOutput, nil),
  133. ListTagsForResourceWithContextFn: fakeps.NewListTagsForResourceWithContextFn(validListTagsForResourceOutput, nil),
  134. },
  135. },
  136. want: want{
  137. err: nil,
  138. },
  139. },
  140. "SetParameterFailsWhenNoNameProvided": {
  141. reason: "test push secret with no name gives error",
  142. args: args{
  143. store: makeValidParameterStore().Spec.Provider.AWS,
  144. client: fakeps.Client{
  145. PutParameterWithContextFn: fakeps.NewPutParameterWithContextFn(putParameterOutput, nil),
  146. GetParameterWithContextFn: fakeps.NewGetParameterWithContextFn(getParameterOutput, invalidParameters),
  147. DescribeParametersWithContextFn: fakeps.NewDescribeParametersWithContextFn(describeParameterOutput, nil),
  148. ListTagsForResourceWithContextFn: fakeps.NewListTagsForResourceWithContextFn(validListTagsForResourceOutput, nil),
  149. },
  150. },
  151. want: want{
  152. err: invalidParameters,
  153. },
  154. },
  155. "SetSecretWhenAlreadyExists": {
  156. reason: "test push secret with secret that already exists gives error",
  157. args: args{
  158. store: makeValidParameterStore().Spec.Provider.AWS,
  159. client: fakeps.Client{
  160. PutParameterWithContextFn: fakeps.NewPutParameterWithContextFn(putParameterOutput, alreadyExistsError),
  161. GetParameterWithContextFn: fakeps.NewGetParameterWithContextFn(getParameterOutput, nil),
  162. DescribeParametersWithContextFn: fakeps.NewDescribeParametersWithContextFn(describeParameterOutput, nil),
  163. ListTagsForResourceWithContextFn: fakeps.NewListTagsForResourceWithContextFn(validListTagsForResourceOutput, nil),
  164. },
  165. },
  166. want: want{
  167. err: alreadyExistsError,
  168. },
  169. },
  170. "GetSecretWithValidParameters": {
  171. reason: "Get secret with valid parameters",
  172. args: args{
  173. store: makeValidParameterStore().Spec.Provider.AWS,
  174. client: fakeps.Client{
  175. PutParameterWithContextFn: fakeps.NewPutParameterWithContextFn(putParameterOutput, nil),
  176. GetParameterWithContextFn: fakeps.NewGetParameterWithContextFn(validGetParameterOutput, nil),
  177. DescribeParametersWithContextFn: fakeps.NewDescribeParametersWithContextFn(describeParameterOutput, nil),
  178. ListTagsForResourceWithContextFn: fakeps.NewListTagsForResourceWithContextFn(validListTagsForResourceOutput, nil),
  179. },
  180. },
  181. want: want{
  182. err: nil,
  183. },
  184. },
  185. "SetSecretNotManagedByESO": {
  186. reason: "SetSecret to the parameter store but tags are not managed by ESO",
  187. args: args{
  188. store: makeValidParameterStore().Spec.Provider.AWS,
  189. client: fakeps.Client{
  190. PutParameterWithContextFn: fakeps.NewPutParameterWithContextFn(putParameterOutput, nil),
  191. GetParameterWithContextFn: fakeps.NewGetParameterWithContextFn(validGetParameterOutput, nil),
  192. DescribeParametersWithContextFn: fakeps.NewDescribeParametersWithContextFn(describeParameterOutput, nil),
  193. ListTagsForResourceWithContextFn: fakeps.NewListTagsForResourceWithContextFn(noTagsResourceOutput, nil),
  194. },
  195. },
  196. want: want{
  197. err: fmt.Errorf("secret not managed by external-secrets"),
  198. },
  199. },
  200. "SetSecretGetTagsError": {
  201. reason: "SetSecret to the parameter store returns error while obtaining tags",
  202. args: args{
  203. store: makeValidParameterStore().Spec.Provider.AWS,
  204. client: fakeps.Client{
  205. PutParameterWithContextFn: fakeps.NewPutParameterWithContextFn(putParameterOutput, nil),
  206. GetParameterWithContextFn: fakeps.NewGetParameterWithContextFn(validGetParameterOutput, nil),
  207. DescribeParametersWithContextFn: fakeps.NewDescribeParametersWithContextFn(describeParameterOutput, nil),
  208. ListTagsForResourceWithContextFn: fakeps.NewListTagsForResourceWithContextFn(nil, fmt.Errorf("you shall not tag")),
  209. },
  210. },
  211. want: want{
  212. err: fmt.Errorf("you shall not tag"),
  213. },
  214. },
  215. "SetSecretContentMatches": {
  216. reason: "No ops",
  217. args: args{
  218. store: makeValidParameterStore().Spec.Provider.AWS,
  219. client: fakeps.Client{
  220. PutParameterWithContextFn: fakeps.NewPutParameterWithContextFn(putParameterOutput, nil),
  221. GetParameterWithContextFn: fakeps.NewGetParameterWithContextFn(sameGetParameterOutput, nil),
  222. DescribeParametersWithContextFn: fakeps.NewDescribeParametersWithContextFn(describeParameterOutput, nil),
  223. ListTagsForResourceWithContextFn: fakeps.NewListTagsForResourceWithContextFn(validListTagsForResourceOutput, nil),
  224. },
  225. },
  226. want: want{
  227. err: nil,
  228. },
  229. },
  230. }
  231. for name, tc := range tests {
  232. t.Run(name, func(t *testing.T) {
  233. ref := fakeRef{key: "fake-key"}
  234. ps := ParameterStore{
  235. client: &tc.args.client,
  236. }
  237. err := ps.SetSecret(context.TODO(), []byte(fakeValue), ref)
  238. // Error nil XOR tc.want.err nil
  239. if ((err == nil) || (tc.want.err == nil)) && !((err == nil) && (tc.want.err == nil)) {
  240. t.Errorf("\nTesting SetSecret:\nName: %v\nReason: %v\nWant error: %v\nGot error: %v", name, tc.reason, tc.want.err, err)
  241. }
  242. // if errors are the same type but their contents do not match
  243. if err != nil && tc.want.err != nil {
  244. if !strings.Contains(err.Error(), tc.want.err.Error()) {
  245. t.Errorf("\nTesting SetSecret:\nName: %v\nReason: %v\nWant error: %v\nGot error got nil", name, tc.reason, tc.want.err)
  246. }
  247. }
  248. })
  249. }
  250. }
  251. // test the ssm<->aws interface
  252. // make sure correct values are passed and errors are handled accordingly.
  253. func TestGetSecret(t *testing.T) {
  254. // good case: key is passed in, output is sent back
  255. setSecretString := func(pstc *parameterstoreTestCase) {
  256. pstc.apiOutput.Parameter.Value = aws.String("RRRRR")
  257. pstc.expectedSecret = "RRRRR"
  258. }
  259. // good case: extract property
  260. setExtractProperty := func(pstc *parameterstoreTestCase) {
  261. pstc.apiOutput.Parameter.Value = aws.String(`{"/shmoo": "bang"}`)
  262. pstc.expectedSecret = "bang"
  263. pstc.remoteRef.Property = "/shmoo"
  264. }
  265. // good case: extract property with `.`
  266. setExtractPropertyWithDot := func(pstc *parameterstoreTestCase) {
  267. pstc.apiOutput.Parameter.Value = aws.String(`{"/shmoo.boom": "bang"}`)
  268. pstc.expectedSecret = "bang"
  269. pstc.remoteRef.Property = "/shmoo.boom"
  270. }
  271. // bad case: missing property
  272. setMissingProperty := func(pstc *parameterstoreTestCase) {
  273. pstc.apiOutput.Parameter.Value = aws.String(`{"/shmoo": "bang"}`)
  274. pstc.remoteRef.Property = "INVALPROP"
  275. pstc.expectError = "key INVALPROP does not exist in secret"
  276. }
  277. // bad case: parameter.Value not found
  278. setParameterValueNotFound := func(pstc *parameterstoreTestCase) {
  279. pstc.apiOutput.Parameter.Value = aws.String("NONEXISTENT")
  280. pstc.apiErr = esv1beta1.NoSecretErr
  281. pstc.expectError = "Secret does not exist"
  282. }
  283. // bad case: extract property failure due to invalid json
  284. setPropertyFail := func(pstc *parameterstoreTestCase) {
  285. pstc.apiOutput.Parameter.Value = aws.String(`------`)
  286. pstc.remoteRef.Property = "INVALPROP"
  287. pstc.expectError = "key INVALPROP does not exist in secret"
  288. }
  289. // bad case: parameter.Value may be nil but binary is set
  290. setParameterValueNil := func(pstc *parameterstoreTestCase) {
  291. pstc.apiOutput.Parameter.Value = nil
  292. pstc.expectError = "parameter value is nil for key"
  293. }
  294. // base case: api output return error
  295. setAPIError := func(pstc *parameterstoreTestCase) {
  296. pstc.apiOutput = &ssm.GetParameterOutput{}
  297. pstc.apiErr = fmt.Errorf("oh no")
  298. pstc.expectError = "oh no"
  299. }
  300. successCases := []*parameterstoreTestCase{
  301. makeValidParameterStoreTestCaseCustom(setSecretString),
  302. makeValidParameterStoreTestCaseCustom(setExtractProperty),
  303. makeValidParameterStoreTestCaseCustom(setMissingProperty),
  304. makeValidParameterStoreTestCaseCustom(setPropertyFail),
  305. makeValidParameterStoreTestCaseCustom(setParameterValueNil),
  306. makeValidParameterStoreTestCaseCustom(setAPIError),
  307. makeValidParameterStoreTestCaseCustom(setExtractPropertyWithDot),
  308. makeValidParameterStoreTestCaseCustom(setParameterValueNotFound),
  309. }
  310. ps := ParameterStore{}
  311. for k, v := range successCases {
  312. ps.client = v.fakeClient
  313. out, err := ps.GetSecret(context.Background(), *v.remoteRef)
  314. if !ErrorContains(err, v.expectError) {
  315. t.Errorf("[%d] unexpected error: %s, expected: '%s'", k, err.Error(), v.expectError)
  316. }
  317. if cmp.Equal(out, v.expectedSecret) {
  318. t.Errorf("[%d] unexpected secret data: expected %#v, got %#v", k, v.expectedSecret, out)
  319. }
  320. }
  321. }
  322. func TestGetSecretMap(t *testing.T) {
  323. // good case: default version & deserialization
  324. simpleJSON := func(pstc *parameterstoreTestCase) {
  325. pstc.apiOutput.Parameter.Value = aws.String(`{"foo":"bar"}`)
  326. pstc.expectedData["foo"] = []byte("bar")
  327. }
  328. // good case: default version & complex json
  329. complexJSON := func(pstc *parameterstoreTestCase) {
  330. pstc.apiOutput.Parameter.Value = aws.String(`{"int": 42, "str": "str", "nested": {"foo":"bar"}}`)
  331. pstc.expectedData["int"] = []byte("42")
  332. pstc.expectedData["str"] = []byte("str")
  333. pstc.expectedData["nested"] = []byte(`{"foo":"bar"}`)
  334. }
  335. // bad case: api error returned
  336. setAPIError := func(pstc *parameterstoreTestCase) {
  337. pstc.apiOutput.Parameter = &ssm.Parameter{}
  338. pstc.expectError = "some api err"
  339. pstc.apiErr = fmt.Errorf("some api err")
  340. }
  341. // bad case: invalid json
  342. setInvalidJSON := func(pstc *parameterstoreTestCase) {
  343. pstc.apiOutput.Parameter.Value = aws.String(`-----------------`)
  344. pstc.expectError = "unable to unmarshal secret"
  345. }
  346. successCases := []*parameterstoreTestCase{
  347. makeValidParameterStoreTestCaseCustom(simpleJSON),
  348. makeValidParameterStoreTestCaseCustom(complexJSON),
  349. makeValidParameterStoreTestCaseCustom(setAPIError),
  350. makeValidParameterStoreTestCaseCustom(setInvalidJSON),
  351. }
  352. ps := ParameterStore{}
  353. for k, v := range successCases {
  354. ps.client = v.fakeClient
  355. out, err := ps.GetSecretMap(context.Background(), *v.remoteRef)
  356. if !ErrorContains(err, v.expectError) {
  357. t.Errorf("[%d] unexpected error: %q, expected: %q", k, err.Error(), v.expectError)
  358. }
  359. if err == nil && !cmp.Equal(out, v.expectedData) {
  360. t.Errorf("[%d] unexpected secret data: expected %#v, got %#v", k, v.expectedData, out)
  361. }
  362. }
  363. }
  364. func makeValidParameterStore() *esv1beta1.SecretStore {
  365. return &esv1beta1.SecretStore{
  366. ObjectMeta: metav1.ObjectMeta{
  367. Name: "aws-parameterstore",
  368. Namespace: "default",
  369. },
  370. Spec: esv1beta1.SecretStoreSpec{
  371. Provider: &esv1beta1.SecretStoreProvider{
  372. AWS: &esv1beta1.AWSProvider{
  373. Service: esv1beta1.AWSServiceParameterStore,
  374. Region: "us-east-1",
  375. },
  376. },
  377. },
  378. }
  379. }
  380. func ErrorContains(out error, want string) bool {
  381. if out == nil {
  382. return want == ""
  383. }
  384. if want == "" {
  385. return false
  386. }
  387. return strings.Contains(out.Error(), want)
  388. }