keyvault_test.go 72 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950951952953954955956957958959960961962963964965966967968969970971972973974975976977978979980981982983984985986987988989990991992993994995996997998999100010011002100310041005100610071008100910101011101210131014101510161017101810191020102110221023102410251026102710281029103010311032103310341035103610371038103910401041104210431044104510461047104810491050105110521053105410551056105710581059106010611062106310641065106610671068106910701071107210731074107510761077107810791080108110821083108410851086108710881089109010911092109310941095109610971098109911001101110211031104110511061107110811091110111111121113111411151116111711181119112011211122112311241125112611271128112911301131113211331134113511361137113811391140114111421143114411451146114711481149115011511152115311541155115611571158115911601161116211631164116511661167116811691170117111721173117411751176117711781179118011811182118311841185118611871188118911901191119211931194119511961197119811991200120112021203120412051206120712081209121012111212121312141215121612171218121912201221122212231224122512261227122812291230123112321233123412351236123712381239124012411242124312441245124612471248124912501251125212531254125512561257125812591260126112621263126412651266126712681269127012711272127312741275127612771278127912801281128212831284128512861287128812891290129112921293129412951296129712981299130013011302130313041305130613071308130913101311131213131314131513161317131813191320132113221323132413251326132713281329133013311332133313341335133613371338133913401341134213431344134513461347134813491350135113521353135413551356135713581359136013611362136313641365136613671368136913701371137213731374137513761377137813791380138113821383138413851386138713881389139013911392139313941395139613971398139914001401140214031404140514061407140814091410141114121413141414151416141714181419142014211422142314241425142614271428142914301431143214331434143514361437143814391440144114421443144414451446144714481449145014511452145314541455145614571458145914601461146214631464146514661467146814691470147114721473147414751476147714781479148014811482148314841485148614871488148914901491149214931494149514961497149814991500150115021503150415051506150715081509151015111512151315141515151615171518151915201521152215231524152515261527152815291530153115321533153415351536153715381539154015411542154315441545154615471548154915501551155215531554155515561557155815591560156115621563156415651566156715681569157015711572157315741575157615771578
  1. /*
  2. Licensed under the Apache License, Version 2.0 (the "License");
  3. you may not use this file except in compliance with the License.
  4. You may obtain a copy of the License at
  5. http://www.apache.org/licenses/LICENSE-2.0
  6. Unless required by applicable law or agreed to in writing, software
  7. distributed under the License is distributed on an "AS IS" BASIS,
  8. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  9. See the License for the specific language governing permissions and
  10. limitations under the License.
  11. */
  12. package keyvault
  13. import (
  14. "context"
  15. "encoding/base64"
  16. "encoding/json"
  17. "errors"
  18. "fmt"
  19. "reflect"
  20. "testing"
  21. "github.com/Azure/azure-sdk-for-go/services/keyvault/2016-10-01/keyvault"
  22. "github.com/Azure/go-autorest/autorest"
  23. "k8s.io/utils/pointer"
  24. esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
  25. v1 "github.com/external-secrets/external-secrets/apis/meta/v1"
  26. fake "github.com/external-secrets/external-secrets/pkg/provider/azure/keyvault/fake"
  27. utils "github.com/external-secrets/external-secrets/pkg/utils"
  28. )
  29. type secretManagerTestCase struct {
  30. mockClient *fake.AzureMockClient
  31. secretName string
  32. secretVersion string
  33. serviceURL string
  34. ref *esv1beta1.ExternalSecretDataRemoteRef
  35. refFind *esv1beta1.ExternalSecretFind
  36. apiErr error
  37. setErr error
  38. deleteErr error
  39. pushRef esv1beta1.PushRemoteRef
  40. secretOutput keyvault.SecretBundle
  41. setSecretOutput keyvault.SecretBundle
  42. keyOutput keyvault.KeyBundle
  43. createKeyOutput keyvault.KeyBundle
  44. certOutput keyvault.CertificateBundle
  45. importOutput keyvault.CertificateBundle
  46. listOutput keyvault.SecretListResultIterator
  47. deleteKeyOutput keyvault.DeletedKeyBundle
  48. deleteCertificateOutput keyvault.DeletedCertificateBundle
  49. deleteSecretOutput keyvault.DeletedSecretBundle
  50. expectError string
  51. setValue []byte
  52. expectedSecret string
  53. // for testing secretmap
  54. expectedData map[string][]byte
  55. }
  56. func makeValidSecretManagerTestCase() *secretManagerTestCase {
  57. secretString := "Hello World!"
  58. smtc := secretManagerTestCase{
  59. mockClient: &fake.AzureMockClient{},
  60. secretName: "MySecret",
  61. secretVersion: "",
  62. ref: makeValidRef(),
  63. refFind: makeValidFind(),
  64. secretOutput: keyvault.SecretBundle{Value: &secretString},
  65. serviceURL: "",
  66. apiErr: nil,
  67. expectError: "",
  68. expectedSecret: secretString,
  69. expectedData: map[string][]byte{},
  70. }
  71. smtc.mockClient.WithValue(smtc.serviceURL, smtc.secretName, smtc.secretVersion, smtc.secretOutput, smtc.apiErr)
  72. return &smtc
  73. }
  74. func makeValidSecretManagerTestCaseCustom(tweaks ...func(smtc *secretManagerTestCase)) *secretManagerTestCase {
  75. smtc := makeValidSecretManagerTestCase()
  76. for _, fn := range tweaks {
  77. fn(smtc)
  78. }
  79. smtc.mockClient.WithValue(smtc.serviceURL, smtc.secretName, smtc.secretVersion, smtc.secretOutput, smtc.apiErr)
  80. smtc.mockClient.WithKey(smtc.serviceURL, smtc.secretName, smtc.secretVersion, smtc.keyOutput, smtc.apiErr)
  81. smtc.mockClient.WithCertificate(smtc.serviceURL, smtc.secretName, smtc.secretVersion, smtc.certOutput, smtc.apiErr)
  82. smtc.mockClient.WithList(smtc.serviceURL, smtc.listOutput, smtc.apiErr)
  83. smtc.mockClient.WithImportCertificate(smtc.importOutput, smtc.setErr)
  84. smtc.mockClient.WithImportKey(smtc.createKeyOutput, smtc.setErr)
  85. smtc.mockClient.WithSetSecret(smtc.setSecretOutput, smtc.setErr)
  86. smtc.mockClient.WithDeleteCertificate(smtc.deleteCertificateOutput, smtc.deleteErr)
  87. smtc.mockClient.WithDeleteKey(smtc.deleteKeyOutput, smtc.deleteErr)
  88. smtc.mockClient.WithDeleteSecret(smtc.deleteSecretOutput, smtc.deleteErr)
  89. return smtc
  90. }
  91. const (
  92. jwkPubRSA = `{"kid":"ex","kty":"RSA","key_ops":["sign","verify","wrapKey","unwrapKey","encrypt","decrypt"],"n":"p2VQo8qCfWAZmdWBVaYuYb-a-tWWm78K6Sr9poCvNcmv8rUPSLACxitQWR8gZaSH1DklVkqz-Ed8Cdlf8lkDg4Ex5tkB64jRdC1Uvn4CDpOH6cp-N2s8hTFLqy9_YaDmyQS7HiqthOi9oVjil1VMeWfaAbClGtFt6UnKD0Vb_DvLoWYQSqlhgBArFJi966b4E1pOq5Ad02K8pHBDThlIIx7unibLehhDU6q3DCwNH_OOLx6bgNtmvGYJDd1cywpkLQ3YzNCUPWnfMBJRP3iQP_WI21uP6cvo0DqBPBM4wvVzHbCT0vnIflwkbgEWkq1FprqAitZlop9KjLqzjp9vyQ","e":"AQAB"}`
  93. jwkPubEC = `{"kid":"https://example.vault.azure.net/keys/ec-p-521/e3d0e9c179b54988860c69c6ae172c65","kty":"EC","key_ops":["sign","verify"],"crv":"P-521","x":"AedOAtb7H7Oz1C_cPKI_R4CN_eai5nteY6KFW07FOoaqgQfVCSkQDK22fCOiMT_28c8LZYJRsiIFz_IIbQUW7bXj","y":"AOnchHnmBphIWXvanmMAmcCDkaED6ycW8GsAl9fQ43BMVZTqcTkJYn6vGnhn7MObizmkNSmgZYTwG-vZkIg03HHs"}`
  94. jsonTestString = `{"Name": "External", "LastName": "Secret", "Address": { "Street": "Myroad st.", "CP": "J4K4T4" } }`
  95. jsonSingleTestString = `{"Name": "External", "LastName": "Secret" }`
  96. jsonTagTestString = `{"tagname":"tagvalue","tagname2":"tagvalue2"}`
  97. keyName = "key/keyname"
  98. certName = "cert/certname"
  99. secretString = "changedvalue"
  100. unexpectedError = "[%d] unexpected error: %s, expected: '%s'"
  101. unexpectedSecretData = "[%d] unexpected secret data: expected %#v, got %#v"
  102. errorNoTag = "tag something does not exist"
  103. errNotManaged = "not managed by external-secrets"
  104. errNoPermission = "No Permissions"
  105. errAPI = "unexpected api error"
  106. something = "something"
  107. tagname = "tagname"
  108. tagname2 = "tagname2"
  109. tagvalue = "tagvalue"
  110. tagvalue2 = "tagvalue2"
  111. secretName = "example-1"
  112. testsecret = "test-secret"
  113. fakeURL = "noop"
  114. foo = "foo"
  115. bar = "bar"
  116. errStore = "Azure.ValidateStore() error = %v, wantErr %v"
  117. )
  118. func getTagMap() map[string]*string {
  119. tag1 := "tagname"
  120. tag2 := "tagname2"
  121. value1 := "tagvalue"
  122. value2 := "tagvalue2"
  123. tagMap := make(map[string]*string)
  124. tagMap[tag1] = &value1
  125. tagMap[tag2] = &value2
  126. return tagMap
  127. }
  128. func newKVJWK(b []byte) *keyvault.JSONWebKey {
  129. var key keyvault.JSONWebKey
  130. err := json.Unmarshal(b, &key)
  131. if err != nil {
  132. panic(err)
  133. }
  134. return &key
  135. }
  136. type fakeRef struct {
  137. key string
  138. }
  139. func (f fakeRef) GetRemoteKey() string {
  140. return f.key
  141. }
  142. func TestAzureKeyVaultDeleteSecret(t *testing.T) {
  143. unsupportedType := func(smtc *secretManagerTestCase) {
  144. smtc.pushRef = fakeRef{
  145. key: "yadayada/foo",
  146. }
  147. smtc.expectError = "secret type 'yadayada' is not supported"
  148. }
  149. secretSuccess := func(smtc *secretManagerTestCase) {
  150. smtc.pushRef = fakeRef{
  151. key: secretName,
  152. }
  153. smtc.secretOutput = keyvault.SecretBundle{
  154. Tags: map[string]*string{
  155. "managed-by": pointer.String("external-secrets"),
  156. },
  157. Value: pointer.String("foo"),
  158. }
  159. smtc.deleteSecretOutput = keyvault.DeletedSecretBundle{}
  160. }
  161. secretNotFound := func(smtc *secretManagerTestCase) {
  162. smtc.pushRef = fakeRef{
  163. key: secretName,
  164. }
  165. smtc.apiErr = autorest.DetailedError{StatusCode: 404, Method: "GET", Message: "Not Found"}
  166. smtc.deleteErr = autorest.DetailedError{StatusCode: 404, Method: "DELETE", Message: "Not Found"}
  167. }
  168. secretNotManaged := func(smtc *secretManagerTestCase) {
  169. smtc.pushRef = fakeRef{
  170. key: secretName,
  171. }
  172. smtc.secretOutput = keyvault.SecretBundle{
  173. Value: pointer.String("foo"),
  174. }
  175. smtc.expectError = errNotManaged
  176. smtc.deleteErr = autorest.DetailedError{StatusCode: 500, Method: "DELETE", Message: "Shouldnt happen"}
  177. }
  178. secretUnexpectedError := func(smtc *secretManagerTestCase) {
  179. smtc.pushRef = fakeRef{
  180. key: secretName,
  181. }
  182. smtc.expectError = "boom"
  183. smtc.apiErr = fmt.Errorf("boom")
  184. }
  185. secretNoDeletePermissions := func(smtc *secretManagerTestCase) {
  186. smtc.pushRef = fakeRef{
  187. key: secretName,
  188. }
  189. smtc.secretOutput = keyvault.SecretBundle{
  190. Tags: map[string]*string{
  191. "managed-by": pointer.String("external-secrets"),
  192. },
  193. Value: pointer.String("foo"),
  194. }
  195. smtc.expectError = errNoPermission
  196. smtc.deleteErr = autorest.DetailedError{StatusCode: 403, Method: "DELETE", Message: errNoPermission}
  197. }
  198. secretNoGetPermissions := func(smtc *secretManagerTestCase) {
  199. smtc.pushRef = fakeRef{
  200. key: secretName,
  201. }
  202. smtc.expectError = errNoPermission
  203. smtc.apiErr = autorest.DetailedError{StatusCode: 403, Method: "GET", Message: errNoPermission}
  204. }
  205. certificateSuccess := func(smtc *secretManagerTestCase) {
  206. smtc.pushRef = fakeRef{
  207. key: certName,
  208. }
  209. smtc.certOutput = keyvault.CertificateBundle{
  210. Tags: map[string]*string{
  211. "managed-by": pointer.String("external-secrets"),
  212. },
  213. }
  214. smtc.deleteCertificateOutput = keyvault.DeletedCertificateBundle{}
  215. }
  216. certNotFound := func(smtc *secretManagerTestCase) {
  217. smtc.pushRef = fakeRef{
  218. key: certName,
  219. }
  220. smtc.apiErr = autorest.DetailedError{StatusCode: 404, Method: "GET", Message: "Certificate Not Found"}
  221. smtc.deleteErr = autorest.DetailedError{StatusCode: 404, Method: "DELETE", Message: "Not Found"}
  222. }
  223. certNotManaged := func(smtc *secretManagerTestCase) {
  224. smtc.pushRef = fakeRef{
  225. key: certName,
  226. }
  227. smtc.certOutput = keyvault.CertificateBundle{}
  228. smtc.expectError = errNotManaged
  229. smtc.deleteErr = autorest.DetailedError{StatusCode: 500, Method: "DELETE", Message: "Shouldnt happen"}
  230. }
  231. certUnexpectedError := func(smtc *secretManagerTestCase) {
  232. smtc.pushRef = fakeRef{
  233. key: certName,
  234. }
  235. smtc.expectError = "crash"
  236. smtc.apiErr = fmt.Errorf("crash")
  237. }
  238. certNoDeletePermissions := func(smtc *secretManagerTestCase) {
  239. smtc.pushRef = fakeRef{
  240. key: certName,
  241. }
  242. smtc.certOutput = keyvault.CertificateBundle{
  243. Tags: map[string]*string{
  244. "managed-by": pointer.String("external-secrets"),
  245. },
  246. }
  247. smtc.expectError = "No certificate delete Permissions"
  248. smtc.deleteErr = autorest.DetailedError{StatusCode: 403, Method: "DELETE", Message: "No certificate delete Permissions"}
  249. }
  250. certNoGetPermissions := func(smtc *secretManagerTestCase) {
  251. smtc.pushRef = fakeRef{
  252. key: certName,
  253. }
  254. smtc.expectError = "No certificate get Permissions"
  255. smtc.apiErr = autorest.DetailedError{StatusCode: 403, Method: "GET", Message: "No certificate get Permissions"}
  256. }
  257. keySuccess := func(smtc *secretManagerTestCase) {
  258. smtc.pushRef = fakeRef{
  259. key: keyName,
  260. }
  261. smtc.keyOutput = keyvault.KeyBundle{
  262. Tags: map[string]*string{
  263. "managed-by": pointer.String("external-secrets"),
  264. },
  265. }
  266. smtc.deleteKeyOutput = keyvault.DeletedKeyBundle{}
  267. }
  268. keyNotFound := func(smtc *secretManagerTestCase) {
  269. smtc.pushRef = fakeRef{
  270. key: keyName,
  271. }
  272. smtc.apiErr = autorest.DetailedError{StatusCode: 404, Method: "GET", Message: "Not Found"}
  273. smtc.deleteErr = autorest.DetailedError{StatusCode: 404, Method: "DELETE", Message: "Not Found"}
  274. }
  275. keyNotManaged := func(smtc *secretManagerTestCase) {
  276. smtc.pushRef = fakeRef{
  277. key: keyName,
  278. }
  279. smtc.keyOutput = keyvault.KeyBundle{}
  280. smtc.expectError = errNotManaged
  281. smtc.deleteErr = autorest.DetailedError{StatusCode: 500, Method: "DELETE", Message: "Shouldnt happen"}
  282. }
  283. keyUnexpectedError := func(smtc *secretManagerTestCase) {
  284. smtc.pushRef = fakeRef{
  285. key: keyName,
  286. }
  287. smtc.expectError = "tls timeout"
  288. smtc.apiErr = fmt.Errorf("tls timeout")
  289. }
  290. keyNoDeletePermissions := func(smtc *secretManagerTestCase) {
  291. smtc.pushRef = fakeRef{
  292. key: keyName,
  293. }
  294. smtc.keyOutput = keyvault.KeyBundle{
  295. Tags: map[string]*string{
  296. "managed-by": pointer.String("external-secrets"),
  297. },
  298. }
  299. smtc.expectError = errNoPermission
  300. smtc.deleteErr = autorest.DetailedError{StatusCode: 403, Method: "DELETE", Message: errNoPermission}
  301. }
  302. keyNoGetPermissions := func(smtc *secretManagerTestCase) {
  303. smtc.pushRef = fakeRef{
  304. key: keyName,
  305. }
  306. smtc.expectError = errNoPermission
  307. smtc.apiErr = autorest.DetailedError{StatusCode: 403, Method: "GET", Message: errNoPermission}
  308. }
  309. successCases := []*secretManagerTestCase{
  310. makeValidSecretManagerTestCaseCustom(unsupportedType),
  311. makeValidSecretManagerTestCaseCustom(secretSuccess),
  312. makeValidSecretManagerTestCaseCustom(secretNotFound),
  313. makeValidSecretManagerTestCaseCustom(secretNotManaged),
  314. makeValidSecretManagerTestCaseCustom(secretUnexpectedError),
  315. makeValidSecretManagerTestCaseCustom(secretNoDeletePermissions),
  316. makeValidSecretManagerTestCaseCustom(secretNoGetPermissions),
  317. makeValidSecretManagerTestCaseCustom(certificateSuccess),
  318. makeValidSecretManagerTestCaseCustom(certNotFound),
  319. makeValidSecretManagerTestCaseCustom(certNotManaged),
  320. makeValidSecretManagerTestCaseCustom(certUnexpectedError),
  321. makeValidSecretManagerTestCaseCustom(certNoDeletePermissions),
  322. makeValidSecretManagerTestCaseCustom(certNoGetPermissions),
  323. makeValidSecretManagerTestCaseCustom(keySuccess),
  324. makeValidSecretManagerTestCaseCustom(keyNotFound),
  325. makeValidSecretManagerTestCaseCustom(keyNotManaged),
  326. makeValidSecretManagerTestCaseCustom(keyUnexpectedError),
  327. makeValidSecretManagerTestCaseCustom(keyNoDeletePermissions),
  328. makeValidSecretManagerTestCaseCustom(keyNoGetPermissions),
  329. }
  330. sm := Azure{
  331. provider: &esv1beta1.AzureKVProvider{VaultURL: pointer.String(fakeURL)},
  332. }
  333. for k, v := range successCases {
  334. sm.baseClient = v.mockClient
  335. err := sm.DeleteSecret(context.Background(), v.pushRef)
  336. if !utils.ErrorContains(err, v.expectError) {
  337. if err == nil {
  338. t.Errorf("[%d] unexpected error: <nil>, expected: '%s'", k, v.expectError)
  339. } else {
  340. t.Errorf("[%d] unexpected error: '%s', expected: '%s'", k, err.Error(), v.expectError)
  341. }
  342. }
  343. }
  344. }
  345. func TestAzureKeyVaultPushSecret(t *testing.T) {
  346. p12Cert, _ := base64.StdEncoding.DecodeString("MIIQaQIBAzCCEC8GCSqGSIb3DQEHAaCCECAEghAcMIIQGDCCBk8GCSqGSIb3DQEHBqCCBkAwggY8AgEAMIIGNQYJKoZIhvcNAQcBMBwGCiqGSIb3DQEMAQYwDgQIoJ3l+zBtWI8CAggAgIIGCBqkhjPsUaowPQrDumYb2OySFN7Jt91IbIeCt1W3Lk99ueJbZ4+xNUiOD+ZDLLJJI/EDtq+0b+TgWHjx92q/IEUj2woQV2rg1W8EW815MmstyD0YRnw7KvoEKBH+CsWiR/JcC/IVoiV1od0dWFfWGSBtWY5xLiaBWUX6xV8zcBVz1fkB+pHOofkStW2up6G2sQos1WwIptAvz6VpS16xLUmZ1whZZvPhqz1GPfexJSavBWEe7YcoxVd/q8LLGQmQCfV7zXwyUX3WnHATkesYPMSTDPuRWXMOrJRjy2zinQP5XweNY2DeZ2bRV6y3v8eQlQNmKBXteNj5H5lJFkOD7BA6xwYlzj3KGB37Qf7kl6R46liT2tlYp/T9eX1ejC0GqICOroPrAy1J5/r9Jlst/39K20omD7M7DGbnqhEWNUeXoXpT6m/UiXLA+0ns5TBZqt4gwC8n8qgjYVvuxvn5tY3gERzkCa6PYzxBfasjM47hHEbsQ1gQORan7OQqTBjbwjeFC4ObMc4u48qxi/cyzMsPgbgE9pQoz2eF5BC6qcJr5mxL/0RWK+Zpn0or9tK4vqf2czLKrWsMcl5sfShSELXY3+jAsUscMbo0LfRgTwsVZGPgOC1cKJlGky734WFj2l9dHVxiRInz6yuWobIT/fmlvPUhjEXNPc0p7vrPvU3/susH+zilbSrp0rY9Y8t70ixGsHPbSHTk8MapukoFnKy2RxcYZQ4cLLMRBo0BA+ugAO7/pa2qGYawzl+U6ydmBftSxTs2gm4SjDnKWoe67r0Q1FHQEWd6rCA40dzAEiCmClCSqzggDKJYnxqub3sqh3Z2Ap9EEZdWBb/Qxryw5h5H3HAOblwudftsyaXsNPf6nDrknANHZyuwkWuh5XYSkKfG8mz6B8+l5A217nYWn0P4i1+WYgnyojJ+m/ZnaNy1+pWXHy1IugoRkfZaVp3NDmwgjK+dnu6rL3/XhJbXlrOk3UEYImX1yMzIWDv/urdWr3bR/cfwM3XwVUy55QUayLIzxRWfWOLuZ8+ZKw8cJ5YGNUa9AgQ3Fs6Lfp7Qn11SdG4adCEJl6DhsugwZokfy6JqBAv0ywbZ94LKvRc1ItM/crfy/5Io1+GsinnF7lsybsZJFGB6tVNWzgZh92dluzUKIRppMG1ZhUmq/4yaJgZsXYDkAxuPWQ2iSpldijmeuBnr/Oct1BpTwM5ogUS3WCHyZajfS/vIGTzz/q8+VnR9W57hvBKulSCS7G06QsFOvr6yOexb9bJJtgsu1sGjqXqyw0SKbFU9AMRunRVezp/r1LwJ+O/8O4ZCB40o3kSJM4tFvj80zVIz8VoWME7JjwAt04v+o9evavxt6p5yaSpH6pzHbvP6cT6YnJqQbYA9J/sDyLt5caq3/OeiJe4tb1pXmJ6dtwFxFygobKnGZjHsL+yRHrIPvNaqztGRzTu5gwEddMZ38nE0IGOhPVnE6WQC1admI/KUUdVOOATD6kJxSwGYGxpsWXX0KOcy9vb3ykeafmHoJU2S64KpxClH8BfOn7Bn4ypab7rNHs76FmqZYmTV9rjHdCgMqI62pB0TKK925q/RQuX+Rn/8J4mMOOjbDQwlndYbljWq0b9tbcTHpZntnmN/KZbydggrKwb0A9PonIGxqoPs+/MrJtCmlgjhjjHE8N3a10apN/NmN/B4TlfBAr47a/2eelTX642kU2DJ2f00mEeDvwY1lkRCjx+80EiY7nUj9cFfPptNdyQbiVDthkS0rXSbyobDgt53g7KU6/UvTdaRWK5Ks9Q5NZ9c44RaHJ/Y7ukWFrsZDCpcQ2v3gn0A9mQPoZGvziMd1Mh7pOJNR2jrpmodGA9j6MMVuYFKu0GbheEhf++UrDOti40GXcPO+o1NAbTClXeIhDEl81cE1rrK+pPvZEB9m/FV7Osp8NmHQDY+z2rPKa5luO6g77/HM9fJrEGBv19ByQcOFuvOQi0RICUp5sIJD+GO3TBGO7WANpUZvB2cezkBbTa/sVAINTXSD007tOo4WfJTBrQbXAbpQ+04B/2yolFvtbYL4rOcMIIJwQYJKoZIhvcNAQcBoIIJsgSCCa4wggmqMIIJpgYLKoZIhvcNAQwKAQKgggluMIIJajAcBgoqhkiG9w0BDAEDMA4ECM7kJUu/1hDPAgIIAASCCUgs+wJaAYsjcSK7oETqGlVmKzCLwkqvstEYmYlJDihNrj0MWHQqmMP/sfdrnqIHVrLnl3vWRN0CBEtzPZGIM5BqYW1puS8mHXowz+8epz6TLRDpiKM2M29+BfAmTkZwlppfuKpu2MoXgd3LLspAQT10pLjoP66OSj+PfUpCbU82+YjjK7PSxog5OrYmuf4Tfohl8bWcFj6mIiaUYiVuF7mRLq3oUY5mE61EjMGp118JKVCG/8sS4MRZ69ulowDZEdrPOCvXzG+gK3bjeMW4aboIaIZ7UxoUy/AYQNdcYjAiUIRWrZx3s7UMa90R7ZvpWRYEEenko95WEUezaing2vVdImMphmjOIpP0Fkm+WTIQHoznE2+ppET1MtIwLyB0PjLptjFtK5orXNqplFWsN6+X5B6ATG0KCwKcsX7fmrkbDpO3B/suVAGk4SdQsV4xrlHhUneUl4hiZ6v2M9MIC+ZMRuGxmuej7znRxV6IRuVVIOqWuwGVVOQpGC4sCOc2Ej0WQeHQCxVK4EWlGL7JE9ux4Ds//40LC2mUihJXiG01ZI/v6eez1GrPeoOeTtHU7+5N7eU4f00S0XSVQGOhUwlp1E9c7DkSPA4lJ7MfTYUFLeP4R+ITpXXbdco65mwH2WFWPbTAKG1rabHj2D5DvHEoBZEsgcD4klhPnZIEBh6gFg67MZB9XNiofSiLzeSKDgfyeTG1MCctUWTa+vy1mrue4rREuRQMC4h0NMyPJ4LlVYutFfEncH2iGmB8t4CVM5CzZ0hXqDxHEgddU02ix/aIzizXqWgpPN0vkHp/Hv+/wyRvjwuiljmE8otRRFMinoIigmLKQKueJQpLWAZAvBjmCZdKTG8sjJAeo0ufOJQdi/EuCmDWR3YkXKi/RX7ub6cnc9hFb+zDGiplLPTyYqOnEPVut8fdA0kmUuAkelLpSbJcv6h3/tS/IJzH2vMCz26J152UaY6Zh0AqD1hl+wA5q5qgDER0jeFY11KypNfEgYxNhr/BcvuNYvN1/1T/wuvEIviMYhJPaSXXbtqpBzIjpkvxOzm9LeC9wqRM1Gq1HrSHwUUeRl8AeMpsRmcmRRy222ZM7p6b0T90l/AKcPLmNxQVYTy5+DeWMC/YaBFHPVMiakKEmPZjeR3Vbb63EJ5DCoAN3xh6NmpANXmXAl7z6ID0hVjNV/Ji8Y+tuJczh0IyMQncDBRw76cdup9QIk2D/pKcj9M7ul2Jx2xwBqntJbvFQqjhIhaSzLKMQtaC+qgcL/C/ANFey8IN5zUUver9RdYyEnRNf4OPl/mq7kUs8znnu5wGGOyxHuvHMFUtJfuII3P7YDSltK2QP1uhefhMfEvNYL9QqosN3740nQ8TCPvZFzzoBC8Psn6OvNXnWipz3WCZ+5u+fOXzawpNKvPHWz/D4O4dmMu9/DpxKb8UOLv/+YFEkqkGNDhS91dgyI672JqC4TQ9ijmNwtdgQt+OtOmllUO3cRP5I4nxCLjAJ5bBYmFV7kSdfWJEjkeCUGMKmwP88sXxeAV0D7qGFG0kdNgMow7WE8AI+lKo8bgBpmR8LQlD0Zt/LBlgGk1uOXolXTNaEGXUMj7h3zS46C3qR/UraHTq+vaNrLqY3qYJaVXdvhhShVDEhH6jLFFYJYCBtWCnhZ3lKkFJnIY+n+25lEQNMwR4sNOLxmUP+kzkt6qSjTRj+u1gK4NptkhFck7lFigAlHozlzg1mnKPvXcD2w3B+Qt6smAQb31rxD6P/byFVEjMFFH1LHNaSrmJNt2/Hmlgd1+2lmVieHF0OnptCDt/MxGjlZYD9/MHBDvWC6LgyGAGL3hub/C/wX5ngOYNq7SZJ1xPsonppKsWD/ixwlzXKu0MQS05CjMqnJCUW7YWl8F+2c2WcAnKA8MN4oONJbv29afj35I/mInT20PptaUH3vJg1VrbU4gWyJWw2/ap63Y2mTMwF2MRuuvIZQTlSwAXHaSZT1weqNX37NFVQLEx1GIiMSBXu+ogZEZWuKwlzB2F2OQ4DuhWgxmTA8Fh0md/IG0sc96wBb3E1Jj80UOeIMIsOO3nCA5Wa5+btUaVueIqGHM9L3IGn2jk/PdidEW5Anp7aT8f8korjBKNF/qc7Hk0V0QDvzxXbuHIE2neoZVemgPteu4tFFI5N/wtXAp3BBQi1ozdqWaBBT/fbYiWesp6fe83f6KNaVXTnjGUnkv4ougvZDi99e+plpSFgjMv180/kfyC57PfX/KLbuK6M6nmVykZSzBdxGqe7V2JUR32dYNRZeiNI6PZO2HumyM7/h8adcP2yw9NseW9D4M2wihsY/ozcU/N+Fv+/WDMd+p7Ekl7oN/PERRZcL5bpjq+Oh7cv5mIH443K/tUni1wVrs8Njft/VQfubU2HY0UcFuX0IHc8/yp9NhqFgdMVTLQWTW9RRkl/9XleMco7qqEdhJCK8dHFBAwsK6SB6aUtY4rpopltVKbgnmAmCwkMcg9Q3Bx9DFJ0SVgqQdrNnJ0koJE9BWG96SreVBW+BOCqYED9sZI7DBFc/Hnb3pDwmqV2gr4gl+bzzHfOQwADVDIe6OcT0b3t4iOVhpd6G1LT/df4IdZLxcXi5PPbpwvjFmo8jJpT8DKya0KjW3E25Q6+qQQ9vZzc4d31yUog30tGJun1HHg1A+3KSo67awfgxG7er/viMe+Nx1dLPVlj+wi3X1JJvZlBXJ4yhfaSnzOa5u1ZxAGTz1OuHYkz7USuyJlf5qYV/oCyyypwaQ5DUpzcISgQGdOe4HVA6gTMLHWbX05MCHdfBFRa64c92/nxA0OS4m8xruRgsZwxwLDtG2IHXxcA/Tfam0Rqd5+UfWWyxLSHF3/u5gpLARwPsH59Tb28MhFmVFsELOHt1VoTntQU0qJ4ZljyUwP7Y3u0TmGhj0bEv3s7eqntKUz7zpGnLyxbu1tef4EJvFMYLBNIkkB3bb68i2HCXkoLJRyRH6VT3j9ahea/acgt5U8WASlMH41jURGFdCBWHdk+aIkyqDrJ9KtZFT6h88vUWt9iiAgJInLTL+tJ2j3dMHVvT0WkcAt8w6uXLYT7AGAbKjetqwLiU6JEXfCdZfUVQG50ztLwcfuTlzCO4d9vhkiuy/NIpH9NoONGwCYSfYyx+ycxZjMnLSsJcgys2aANdLGpLnQhy3WY8QxJTAjBgkqhkiG9w0BCRUxFgQUilZxcWgYWs3WodyrZQAAsliFtB4wMTAhMAkGBSsOAwIaBQAEFLCnG3FfSE655zJaBGibla7sAnVEBAguHlNaj8V3VQICCAA=")
  347. goodKey, _ := base64.StdEncoding.DecodeString("LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JSUpRZ0lCQURBTkJna3Foa2lHOXcwQkFRRUZBQVNDQ1N3d2dna29BZ0VBQW9JQ0FRQ1pITzRvNkpteU9aZGYKQXQ3RFdqR2tHdzdENVVIU1BHZXQyTjg2cnBGWXcrZThnL3dSeDBnZDBzRk9pelBBREdjcnpmdWE5Z3ZFcDRWcwpXb2FHbmN3UXhqdnMrZ1orWmQ2UkVPNHRLNzRURmYxaWZibmowUHE2OENlQlFpaG8xbDNwM2UwQy8yemVJMjNiCnZWRHZlMm13VXE5aDY4UTFFUmdWMU1LaWJHU1Naak5DQzdkRGFQWmpKazViMFlWVFdxREViemREVnh2ZVVMNVIKcUZnL0RKQTMzVnE2VFQzQ2U5RjBIcEorb3graSs4cUxmWU5qZExSUDZlbEtLTU5naVhhNTFvdnQ5MjF4UkVGdgpYRXYvTUtqWTlhNkppNndIRSs0NmdvbFY4V2puK2xMRkRKVHh6WEFEN2p2NzVzaHY0WEczdFlaQ2J4cTMzZ2JtCm96c0VQZ3lTRGtCMm5zc0tIUEFhSVNPaWpjNDhiSXhwbDVocFJPWUZFblJDWnhablhQNjdLZVF1VWZXQkpoVWcKYWltc0JRK3p6cFB6ZjVUbjRnVExkWll2NU41V1V2djJJdUF5Qktha0ZhR1ZYTzFpZ2FDeVQvUTNBcEE2ZGx4Sgo1VW44SzY4dS9KSGFmWWZ5engwVnVoZk5zbmtiWkxWSEZsR2Rxd3JrU0tCWSs1eS9WWlpkeC9hSHNWWndVN3ZECmNlaGxlWlFNNGV2cm5tMUY3dk5xSHBUK3BHSnpNVWVUNGZMVFpabTBra1Y3ZXl5RGRMMDFEWXRXQk1TM2NEb1EKdU5vWElBMCtDeFZPOHcxcC9wbXF2UFQ3cmpad2pwYkVMUkp3MWs4R3ozU2FKb2VqaFBzWC9xNzNGWWdBc09PRApwTXJuK3ZpU2U0ZnJmR0VmZlEvYXJUVE5qK1BUb3dJREFRQUJBb0lDQUM3ek1CUmJQc1huNHdLL1hvK0ltTEE1Cm04MTEvemo0VE5LQ0xmRlFsa0VoMFcxOUMwNW9UVFRYNjI2cVFMUWpHWC9WS2RIYW9NRXNuVDBjaFNQQ1AxRGwKZUhxeU1FdVI4UzJLZzM1V2EzSnV5OFBueVppUi9GQldVOGJQQXBVakpxa1A1QjJITlZyb2drZGZSZklwWmI4cgptNXZyTDc4Vi9zeXk4UHZkUVBtalhSUmpnMDZvWU9VR1dnRE52cFJRdGZ1R0h1d0hTZ1JodmZwTUpNTXdsd2lLClY4Zkk1NmM3VUg3SzRTRHo1RCtWOWdYUDl2b0lUMEl4OTlkRnFLTnhnM1o0MDIrazcycE1BOFNpQ0t1M3dBN0gKUnozbUZsb1ZRbmV1ajI1TEdHQUo0bGVLQkNJaFhMZlgxWXpvdDQyWEU4ZkJZZW45SjdRNTRPUFlLY0NqUmpjSgp1M2NkamtIbmFWVFc1dDdLTDFuYVAxRmF0S0ZxSjY1V1Y0c3pxWDhPVkpzbWhLalNsNUhqTk1VeERuaFUraWRTCmsxaGNaa00zOWd2RGR1ekRHeHF0L2hHMWNJS3VtamxZb01WNDV4VWFoVHdhTjZnamlrTUxNdFgrb2c0MVAxU3cKa09hZTZ4enJFQmU1eXhqSnVDWFJzK2FFOXZhTmpIWmpnSTNKREJ0enNjeCtvRFZBMXoxWVBpR2t1NXBNYmxYUQpFMWlRQnlJOVRjeHMrazN0NWdIQ0d3Z2lOcXVnOVZJaXY1cTQ2R2VGRVdnQS8wZ2hEZ0hIRnNRSDJ4VEpGU2d6ClluTkRVNlZtQ1RYZEQ0QU5jS085Z0loQzdxYk9iazlUeS9zZkZIQjBrYUdCVjFFZGZ3a0R4LytYdXRacHNUN3IKdkl6SUVDd2JPTEUzZCtLb1grUUJBb0lCQVFESG9SVU42U1VmQ3I4Z2FsOFM3UDhscU1kZnhsQVNRcWRqOHY2WAp3V1o1MFJKVE9TRmxqN3dlb2FnTStDT3pEUHpoU3pMbE4vcVdnK2h1RFJGcXBWb08xTmlrZVdvZEVwajFyZG5qCmlLeFlEVUJKNjFCMk5GT3R6Qm9CZUgyOFpDR3dRUW93clZSNUh5dUlqOTRhTzBiRlNUWEJTdWx2d3NQeDZhR2cKaTV2Q0VITHB6ODZKV1BzcjYwSmxVSDk2Z2U3NXJNZEFuRTJ1UE5JVlRnR2grMHpOenZ2a21yZHRYRVR4QXpFZwo5d0RaNVFZTUNYTGVjV0RxaWtmQUpoaUFJTjdVWEtvajN0b1ZMMzh6Sm95WmNWT3ZLaVRIQXY1MCtyNGhVTzhiCjJmL1J2VllKMngybnJuSVR4L0s2Y2N3UUttb1dFNmJRdmg4SXJGTEI3aWN2cVJzUEFvSUJBUURFV1VGemRyRHgKN2w4VGg2bVV5ZlBIWWtOUU0vdDBqM3l3RDROQ2JuSlEvZGd2OGNqMVhGWTNkOWptdWZreGtrQ01WVC8rcVNrOQp1cm1JVVJDeGo5ZDJZcUtMYXZVcUVFWCtNVStIZ0VDOW4yTHluN0xXdVNyK2dFWVdkNllXUVNSVXpoS0xaN2RUCnliTnhmcnNtczNFSVJEZTkwcFV4ZGJ0eWpJSTlZd1NaRDdMUHVOQmc1cWNaTW1xWG9vSnQxdnJld1JINncwam8KM1pxTWMrVGFtNGxYc0xmU0pqTlAzd2IzZEE0ZDFvWWFIb29WWTVyK0dER1F5YnVKYllQZSt6d01NTkJhZ2dTVQpCL3J5NlBldVBTWVJnby9kTlR2TERDamJjbytXdFpncjRJaWxCVmpCbmwycEhzakVHYjZDV2Q2bXZCdlk3SWM5ClM3cXJLUGQrWE00dEFvSUJBR08wRkN2cWNkdmJKakl1Ym1XcGNKV0NnbkZYUHM2Zjg3Sjd2cVJVdDdYSHNmdFcKNFZNMFFxU1o0TEQ1amZyelZhbkFRUjh5b2psaWtFZkd4eGdZbGE0cXFEa2RXdDVDVjVyOHhZSmExSmoxcFZKRgo4TjNZcktKMCtkZ2FNZEpSd0hHalNrK2RnajhzVGpYYWhQZGMrNisxTE4vcFprV25aTzRCM2ZPdFJwSGFYVXBoCnU2bmxneTBnUnYwTEEyQlFYT2JlWUhYb212T1c5T1luRzdHbkxXanRJK205VERlV2llaEZ5OWZIQmVuTjlRTTIKQk9VTWczY2dzVTFLdVpuazBPWUhrZ0p3WDBPTmdWNHV0ckk4WTZ0c3hRbVFlVDQ3clpJK05lNFhKeW0rQXFiUgpoVEltY2x0bTFkaEExY2FOS0liMk1hNjRCZy95NFRKeW02ZTJNZ2tDZ2dFQkFKTGt5NmljVllqSjh1dGpoU1ZCCmFWWHpWN1M3RHhhRytwdWxIMmdseFBSKzFLd1owV1J1N2ptVk9mcHppOURnUDlZOU9TRkdZUXBEbGVZNzc2ZEgKbThSL3ltZFBYNWRXa1dhNGNXMUlNQ2N0QlJQTEVqcStVVUlScVYzSnFjSGdmbFBMeitmbmNpb0hMbTVzaDR0TwpsL085Ulk2SDZ3SVR1R2JjWTl1VkpxMTBKeXhzY2NqdEJubzlVNjJaOE1aSUhXdGxPaFJHNFZjRjQwZk10Snd2CjNMSjBEVEgxVGxJazRzdGlVZVZVeHdMbmNocktaL3hORVZmbTlKeStCL2hjTVBKVjJxcTd0cjBnczBmanJ0ajEKK25NRElLbzMxMEh6R09ZRWNSUXBTMjBZRUdLVSsyL3ZFTmNqcHNPL0Z0M2lha2FIV0xZVFRxSTI4N0oxZGFOZAp2d2tDZ2dFQUNqWTJIc0ErSlQvWlU1Q0k1NlFRNmlMTkdJeFNUYkxUMGJNbGNWTDJraGFFNTRMVGtld0I5enFTCk5xNVFacUhxbGk2anZiKzM4Q1FPUWxPWmd6clVtZlhIemNWQ1FwMUk1RjRmSGkyWUVVa3FJL2dWdlVGMUxCNUUKZE1KR1FZa3Jick83Qjc0eE50RUV3Mmh3UFUwcTRmby92eFZXV0pFdTNoMGpSL0llMDA3UGtPZ0p1K1R5ZWZBNwpQVkM4OFlQbmsyZ3ArUFpRdDljanhOL0V4enRweDZ4cUJzT0MvQWZIYU5BdFA0azM5MVc5NjN3eHVwbUE5SkdiCk4yM0NCRmVIZDJmTUViTWJuWDk1Q1NYNjNJVWNaNVRhZTdwQS9OZ094YkdzaGRSMHdFZldTMGNyT1VTdGt6aE0KT3lCekNZSk53d3Bld3cyOFpIMGgybHh6VVRHWStRPT0KLS0tLS1FTkQgUFJJVkFURSBLRVktLS0tLQo=")
  348. goodSecret := "old"
  349. typeNotSupported := func(smtc *secretManagerTestCase) {
  350. smtc.pushRef = fakeRef{
  351. key: "badtype/secret",
  352. }
  353. smtc.expectError = "secret type badtype not supported"
  354. }
  355. secretSuccess := func(smtc *secretManagerTestCase) {
  356. smtc.setValue = []byte("secret")
  357. smtc.pushRef = fakeRef{
  358. key: secretName,
  359. }
  360. smtc.secretOutput = keyvault.SecretBundle{
  361. Tags: map[string]*string{
  362. "managed-by": pointer.String("external-secrets"),
  363. },
  364. Value: &goodSecret,
  365. }
  366. }
  367. secretNoChange := func(smtc *secretManagerTestCase) {
  368. smtc.setValue = []byte(goodSecret)
  369. smtc.pushRef = fakeRef{
  370. key: secretName,
  371. }
  372. smtc.secretOutput = keyvault.SecretBundle{
  373. Tags: map[string]*string{
  374. "managed-by": pointer.String("external-secrets"),
  375. },
  376. Value: &goodSecret,
  377. }
  378. }
  379. secretWrongTags := func(smtc *secretManagerTestCase) {
  380. smtc.setValue = []byte(goodSecret)
  381. smtc.pushRef = fakeRef{
  382. key: secretName,
  383. }
  384. smtc.secretOutput = keyvault.SecretBundle{
  385. Tags: map[string]*string{
  386. "managed-by": pointer.String("nope"),
  387. },
  388. Value: &goodSecret,
  389. }
  390. smtc.expectError = errNotManaged
  391. }
  392. secretNoTags := func(smtc *secretManagerTestCase) {
  393. smtc.setValue = []byte(goodSecret)
  394. smtc.pushRef = fakeRef{
  395. key: secretName,
  396. }
  397. smtc.secretOutput = keyvault.SecretBundle{
  398. Tags: map[string]*string{},
  399. Value: &goodSecret,
  400. }
  401. smtc.expectError = errNotManaged
  402. }
  403. secretNotFound := func(smtc *secretManagerTestCase) {
  404. smtc.setValue = []byte(goodSecret)
  405. smtc.pushRef = fakeRef{
  406. key: secretName,
  407. }
  408. smtc.apiErr = autorest.DetailedError{StatusCode: 404, Method: "GET", Message: "Not Found"}
  409. }
  410. failedGetSecret := func(smtc *secretManagerTestCase) {
  411. smtc.setValue = []byte(goodSecret)
  412. smtc.pushRef = fakeRef{
  413. key: secretName,
  414. }
  415. smtc.apiErr = autorest.DetailedError{StatusCode: 403, Method: "GET", Message: "Forbidden"}
  416. smtc.expectError = errAPI
  417. }
  418. failedNotParseableError := func(smtc *secretManagerTestCase) {
  419. smtc.setValue = []byte(goodSecret)
  420. smtc.pushRef = fakeRef{
  421. key: secretName,
  422. }
  423. smtc.apiErr = fmt.Errorf("crash")
  424. smtc.expectError = "crash"
  425. }
  426. failedSetSecret := func(smtc *secretManagerTestCase) {
  427. smtc.setValue = []byte(goodSecret)
  428. smtc.pushRef = fakeRef{
  429. key: secretName,
  430. }
  431. smtc.apiErr = autorest.DetailedError{StatusCode: 404, Method: "GET", Message: "Not Found"}
  432. smtc.setErr = autorest.DetailedError{StatusCode: 403, Method: "POST", Message: "Forbidden"}
  433. smtc.expectError = "could not set secret example-1: #POST: Forbidden: StatusCode=403"
  434. }
  435. keySuccess := func(smtc *secretManagerTestCase) {
  436. smtc.setValue = goodKey
  437. smtc.pushRef = fakeRef{
  438. key: keyName,
  439. }
  440. smtc.keyOutput = keyvault.KeyBundle{
  441. Tags: map[string]*string{
  442. "managed-by": pointer.String(managerLabel),
  443. },
  444. Key: &keyvault.JSONWebKey{},
  445. }
  446. }
  447. symmetricKeySuccess := func(smtc *secretManagerTestCase) {
  448. smtc.setValue = []byte("secret")
  449. smtc.pushRef = fakeRef{
  450. key: keyName,
  451. }
  452. smtc.keyOutput = keyvault.KeyBundle{
  453. Tags: map[string]*string{
  454. "managed-by": pointer.String(managerLabel),
  455. },
  456. Key: &keyvault.JSONWebKey{},
  457. }
  458. }
  459. RSAKeySuccess := func(smtc *secretManagerTestCase) {
  460. smtc.setValue, _ = base64.StdEncoding.DecodeString("LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlKS1FJQkFBS0NBZ0VBdmIxYjM2YlpyaFNFYm5YWGtRL1pjR3VLY05HMDBGa2U1SkVOaWU4UzFHTG1uK1N0CndmdittVFRUN2xyVkdpVkplV3ZhQnRkMUVLRll0aWdlVlhJQjA0MllzeHRmMlM5WkNzNlUxaFZDWFZQc3BobEUKOUVyOHNHa0Ewa1lKdmxWejR2eFA2NTNzNjFGYTBpclRvUGlJTFZwMU1jdGRxVnB0VnJFV1JadzQ2NEF4MzhNNgpCMjFvN2NaUmlZN3VGZTA4UEllbEd3VGc0cHJRdEg2VXVuK09BV3MrNFNDTU5xT2xDRkNzSDBLK0NZZUMyZmpXClplaURsbjBTUDdkZ3puMmJsbk9VQzZ0Z3VtQ3grdW1ISVdmV1hzUDVQR0hoWFBwYlpGbDA4ZktaelNqbytCOWkKVzVsbWhrRE1HM0dsU0JPMmEvcEtjck1uTFVWbE15OVdWLy9LUmw3ZWFtdmJ5dWFzSnZHbVJ4L3d1NXlpYVhwSwprZG4xL0E2VFhBRnVvbU4xb3NvaGVyMjR2MHZ0YzBGZmxJM3h4WVpVTXIwazhLV0VlM1Nhdk83NkdrZTJhbEppCnVtZ20wTmhtK2pqNmlXajl1V1ZzV215MmFDMHc0aTRDS1d2YU56K0NDek5kWk8vcFpPTmlmTzVSSUZpZ2RzTVgKUHgvWU5nSkVKdmEyUVZ2MU9kcWZTdW1CMS8zRldFYmg5V2tFYXRGOElJRDI5TS9qVktiRm9BaktYeVZhUTI5eQpOOFRWR3Axc2pzOW5sSWdjN0JRUFhBZTVPQUExdnc5SWV4N09QZjhPZENBbDluQzlEaDdaK3MyV2lOVlRxb2dwCk1VbE1GUWxGVXpMWGVCUmp0ay9rL3lWT20yWkhBT2RuR1k4bSthRWlTV0ExYXhpa0RYMG9HWjhjbHFzQ0F3RUEKQVFLQ0FnRUFwZDZBRG9pQ0M1aU1IVFNQZXBUc2RVYk9BOHFQMHdQVjZlS1VmMXlzalZiWVhqYy9Yekc0Wko2MgpGc3o1TnA0YUdUZWJwaGQ4azBrNWtDU0tRQkFtWUphTVF5ZFBKMElwQ1RXSEQ1QU9NQ0JKNVBwNk9VWEVtVU55CklHQng3QjR2N09LOXl6Q0lDVDlac2hrV1lNWmo1YUlLaWJsSzY5M05iOWZuckhyaGw1NjkrdXRrTTFJR1JMYjIKV05iR2RBeXNlQTNzM0Mzcm1xM1VmYldhdDE4QytXS1QyYUxtY0cybXZCb3FIam51Zjg0aktnSkxDMU8wbFQ1SgpVY0l4c3RKRHpjYkVTVjlNZENKTDlSbHB0RjVlSFFJZFJCZ2ROM2IxcGtnOTM3VkJsd1NJaFVDS2I2RXU2M2FCCitBdmxmWmtlQkU4Ti9pOTN0Qy9TUkdqQmhyUnFVcEVOOVYrOHBJczVxTE5keC9RanF4TEpMMUtwMXQ0L0hVTkEKOVVTZVNrVDZTZ09OZ1NnQktCemFCYzUyTXRoWWYrZDk2YTJkN0N0dCt1amJBT0JKTkdKMytGenJoc3pzUTMzWQpkalBWTGQxSzBQSHZ0WDNrSWRKbFNWSmYxS3d5bDVKVm1Cck1wb2ZDQ2dsNnhyR0puYVJPb1A3bDZNb1BFZ21hClNRWWFIQVIvVGIzM2lBeTNLdlBuUkNMQlM2MEJCYitIcVd3c0RhczM0Uk9WUE05bUI2ZldkTUo0TG5kZmVpZm0KTGZ3Sy9GMXpRdFRaczNpYUYyMGEvY0EvdjRENWJCUldYSEQvTDA3Mks5TGxoMGNRRFVZY1V1ZUdwRWUycEZHRApxa1pCL08wSXNBOXAyTnNCekdvRWl1eHJwd0JBaXpiOUdCcU9DZUlGS1hKeU5heGU3YUVDZ2dFQkFOeG9zQ2cyCngwTWQzajRtWVhvWVpMMVBOUklwNlpuN2VLbThzK0tIRFdMUTlXWmtFbUwyODNXNzJFd2dDbmc2VjdsUHVYVlEKVTJXR0xjNDNvUU95U3JlNEZXbnZhTVhnWk42Wis2T0wvQ1J2VHZSbFhVNXJlYVNCT2tyZUJYK1g2dFo2Q1dORgpLWjkxTERvVVR5TlJVTTFUL3lwbS85SlE4MTJ1VUxnYUlQZGl5cCtPYmRoZWdBUE5CS0lxR3Nva0tKRlpjRDNyCjRwSVdHT0U3RVJrbU14MnFZMk54VGtuUGxOVUJzR01jS25qeTdycER5WmpDR0U3eldoRE5XRGdMUkJOc1liaHIKa0p4ZlNVVlBOb2RLaE8xVHQ3bDJRMnplcWxlV05pcktRbWdMY3JJRU9MRUdYcEY3U250eEx3N1pvYWlQU0FWWApQMTVqNXNkZlUzV1ZOdzhDZ2dFQkFOeGcyOGw5TllHUmwwU1JCZFJEakJhV21IK0pWYWdpdG0zNnorcnB1MWdZClZ4dFJ0N0FGTzF1QVphTys1aWd1d0JKcFhSUWJXVmZUcWppaTM1bUV2UENkZjhPcTZBQVlzeXg5WXVmUUdOUnEKZG1VNlcvdWhCMnVURDBrL0dQdjVFb2hBTlRjQmkyS1ROS2p0S1Z2bHFtbWZ4Tis5YTl4NjVEdWRHWUFRNGplNwpGaHZJSlU5WFA5VnRUc0ZGL1dqbE54enJNQURqSzNJekRvQTMwaU1XQXZkeTFjUDgxUzJzeGtwa0ZoL1QrNVVFCjYwZkNOSGFFemtQWWhKUmxYaUZtWXpqc3AyWjZpUERyMllHd1FWbURoMFFGeFVqZnoxdk1ONFdnVlVVeDlmNnUKR3QxeDdHblZFSGhzQ0VjQlFCUkhFbzJRcXY0VDVXbmNTNUVTN2hqK1JxVUNnZ0VBRDVUVEJ6VEFKMjJBSFpLbgpCM09jQTRvSzdXckxHZGllTWhtbCtkaWtTSjBQREJyODljUVJkL3c4a1QwZW9GczNnbUV4Y2lxb2lwL09zeXBaCmxxSlBCK2ZhazYrYUQ0c0tkbllhUlBpTGJhUDB4L0EyaFdteG9zQ0Q5M0Qwb0kyRHkzKzdGQ3A2Zzh4THdSdFkKY04yNXdab3ppckxYV08zaUZuaFJPb0tXWEFhKzNrSzZYelpuQkYzRSt4WFE2UU5mWHM4YzBUUFF3NVVPVXpYUwp3cDFodGJJcTdvZS9DaGJEcGI5RjBldlcwTkFUc2xWQ2Rpc2FmdEpUUnFiTm1zQ3BJbHBpR2lCNGk2VnN6NXFHCjkwOThVQzYvNlR1RURyazYvNUFkNmk1OFBWQzUzZjNRYUN0VUdpTEdKQzNmTHNTUjJoR3UvTG1yUUNmOTA1QlkKblJKY1h3S0NBUUVBbjJkQUV5SUtEY3B0akI4S0JGdEhmUjg0OXljeldnYWh4ak5oS1I0ZmNMMUtaR3hiWFdxcgpZS2dpM0tvOGVGdzRlaGpVUnJMeGtPRjlnckhzNG5KczUrNUVlQmVxOEVidGN3VFBBYlkzLzQxeVRnNUVjbUlyCnA5Z2Jlbk8xY3F6YWhzdEtzcHJmWTFIdkNURmlkU0pPZlZBZmEyYnNHZkthRzdTcXVVTjlIYXFwZHpieUpjMksKVXFwYUNOckRUWmhlb1FCTkhKYzAyY21zZDNubytZLzJYVjRtMlRpTVNobHE1R3c0eEpUa3FRbUIxY25YZ05MWApENlFSWWZWZ2ZQQStYUEp3czJOMm9pMDJpdVFlb016T2pwbE45a1JOREsxT2k4MUpZRitlKzdTYm9nbkJZMXZHCktoU2FlQ0dqWkFkMG1BbElaYmVtZlVmbk1PeHNaSStvTVFLQ0FRQmdETzBkTEt2Z3k0OFFwNzdzU3FkeGRRdTEKb2pqYm9rMGY4VVo5ZDJZWWl1WHMwb0k2WFQ4cmpESmJYUGZSUmFVUU1JYWRrL1VZOWxRdHZRRThHbW9aR2ozbgpXYTVXWGVkcUR3YUR4aHpmVnZQUzFMVm1VdkhsbllPWVBVT0JPc1ZUaU4yWXk1L0Y5WEpxMWRlVW0xVnVOZCs1ClVuK3d0YWVHVGR5K1pyQjF2RUFRT3M3R1REVFI2MjgwV1BPZ1JsenVRejhkYllYR29iajJrd3N1empCa0EvSjAKc2dkeEF0dExBWmIzQlVSQ2NmenkrdHJCd0Y3S1ZYek5EQnhmcit3MklRR0hINXR5NmNvcExTVDNXb2Y4WVRuTQpMdHBCVDNZTmgwTm5hS25HTlRGc3pZRldIRlJqSjRZU1BrcW85TkdWa0tiblZyOTllMDFjLys1VjBYY00KLS0tLS1FTkQgUlNBIFBSSVZBVEUgS0VZLS0tLS0K")
  461. smtc.pushRef = fakeRef{
  462. key: keyName,
  463. }
  464. smtc.keyOutput = keyvault.KeyBundle{
  465. Tags: map[string]*string{
  466. "managed-by": pointer.String(managerLabel),
  467. },
  468. Key: &keyvault.JSONWebKey{},
  469. }
  470. }
  471. ECKeySuccess := func(smtc *secretManagerTestCase) {
  472. smtc.setValue, _ = base64.StdEncoding.DecodeString("LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1JR2tBZ0VCQkRBWTk0L0NYOGo4UDNBakZXUkZYR0pWMFNWT1ErU1ZpV01nd0VFdy9rV2ZXcHF1OGtidllVTnAKVTQyN1Fubk5NV3VnQndZRks0RUVBQ0toWkFOaUFBU1FyOXAvcytDWHpFY2RUZ2t0aVFhTkxuVzJnNmQ1QkF4cQpBQXNaQms2UW11WngrZTZMUUdra080Uit0SVVaZCtWTGJlV3pLeEl3dk9xSVA3bkp0QldtTjZ4N3JsMjJibnhNCm5QWVQyNy9wSXM1RTk1L2dPV2RhOGMyUStHQTd5RTQ9Ci0tLS0tRU5EIEVDIFBSSVZBVEUgS0VZLS0tLS0K")
  473. smtc.pushRef = fakeRef{
  474. key: keyName,
  475. }
  476. smtc.keyOutput = keyvault.KeyBundle{
  477. Tags: map[string]*string{
  478. "managed-by": pointer.String(managerLabel),
  479. },
  480. Key: &keyvault.JSONWebKey{},
  481. }
  482. }
  483. invalidKey := func(smtc *secretManagerTestCase) {
  484. smtc.setValue, _ = base64.StdEncoding.DecodeString("LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUZhekNDQTFPZ0F3SUJBZ0lVUHZKZ21wcTBKUWVRNkJuL0hmVTcvUDhRTFlFd0RRWUpLb1pJaHZjTkFRRUwKQlFBd1JURUxNQWtHQTFVRUJoTUNRVlV4RXpBUkJnTlZCQWdNQ2xOdmJXVXRVM1JoZEdVeElUQWZCZ05WQkFvTQpHRWx1ZEdWeWJtVjBJRmRwWkdkcGRITWdVSFI1SUV4MFpEQWVGdzB5TWpBMk1UY3lNREEwTWpSYUZ3MHlNekEyCk1UY3lNREEwTWpSYU1FVXhDekFKQmdOVkJBWVRBa0ZWTVJNd0VRWURWUVFJREFwVGIyMWxMVk4wWVhSbE1TRXcKSHdZRFZRUUtEQmhKYm5SbGNtNWxkQ0JYYVdSbmFYUnpJRkIwZVNCTWRHUXdnZ0lpTUEwR0NTcUdTSWIzRFFFQgpBUVVBQTRJQ0R3QXdnZ0lLQW9JQ0FRRGlEditEVENBL0xaZjZiNnlVYnliQUxlSUViOHh0aHd1dnRFZk5aZ1dOClN3ZWNMZXY0QXF1N3lSUWRidlQ1cnRKOGs3TnJ0TUE0RDNVN1BQamkwOXVpdjFnSGRockY0VlloTjhiRFllc1UKaEpxZXZSVFBVQ0hRek9xMmNhT3ViRnBUN3JxN3lsMVFTQTFlbkptMUQxNnc0UnlJcEtTLzhvVDNQaGtXM1YydwpkWmFjblZSV1RXZE5MTy9iVWdseDd1YzJMS0wwd2pIMzNSbkZiWUUrTTdiZFVDUXlsSXFwcDM2ZWNvL0Y1Ym1xCjdRdzJ2VkRENENGY0g5aUp4N1FDYjc4Skp5WWlMNzRycjJNVXVzMzR5RlhpMUk5RDR0ajdtQTM2VmNHRk9OZUsKdEtLMnlOYWNrWm1VeTlLQUdGWnIxU2c0ODZTcWw2Y2VpTlAvVGpsb3dQaDNMOTFHOEUxaGJSM3dDS2J6MUR1bQpmaEZOSUdNZmNERkNRcXpEUlU4OEpuUlcyYnF2bGpGanFla0NkcncyeHcrOWp1K1NieXkxeVlrN3ZSM015ZHovCmJ1YUY1S29YUlVzUzhxOHIwSEg1TVAzR3ZYVVY3eXU4bE5kUUtzMXhnVVpmL2JYM0ZjS2xjazhNU3ZZbjNMQWoKbDNRNHMwMXZQY1JnaUMyTUZmajlzV0pueW16YVhYUk1qNFpaY0RuVHlFUmhOcHpXSmNMelh3bFcydTVKdkpVTQpRVEdxUlpXYkErMHF5Y0dBOENBTHRRTXc2ZU5sLzI0Mlo5ZnZ0U0JPc3VkWTdEWTFXckFTWTNhbVV1WWU4RjFBCjhNMlg2N0xBc1lGNkY5YW9JNk00S2dVSXdHYm81OGFVTU1qdzJibGkzdHZIaVNSSjduejFXU1VGOHZnZThIYkEKcFFJREFRQUJvMU13VVRBZEJnTlZIUTRFRmdRVWd0Y0xTUXpaUkRmQkFsSWh5b2pJTHNLYXBwc3dId1lEVlIwagpCQmd3Rm9BVWd0Y0xTUXpaUkRmQkFsSWh5b2pJTHNLYXBwc3dEd1lEVlIwVEFRSC9CQVV3QXdFQi96QU5CZ2txCmhraUc5dzBCQVFzRkFBT0NBZ0VBcy96OWNOT1ZSUzZFMmJVZm9GZS9lQW5OZlJjTmNaaW05VkdCWUFtRjc0MDgKSVEvVjhDK3g3cEloR1NGZ2VFNncxS1BRVXF0Z3dldUxFK0psOVhEYlAvMUdhcmgvN0xDWTVBUXk5eEdTVTNkcAp5VWs3SWE2a0wxRENkS3M0dXdGZ24wVjE1SytSM01Ud2FsemhVb1NVS2tDYVVSeU4vNTZXYk9OanhzRUhUbFhnClBBTEVYKzZVNDMzdktkYnNZdTJXZ2hXSmNwMytSZkI2MU90VmdvYTJYaThhL2pSbFpKVUJ1ZURESGEwVTE0L2EKaFRKcVdQWElROFlTY1BCbndsTzFyRjJkaEtMU0hiczZBd3d6VEVHUE5SUVpGRXF4YTJlb3VvV0NWUmxHTGVueQpMcWxnb1FSQ1pGRTdNNnBJazE5b0ZwV2tTSmNXYjFRMjJRWE03SFdKNjNtM2VBRjBUNThXcE45UzBsYXFNbnZCClZxNVpueUs1YVNDNjV3MGp1YzJteWM2K1RyUmNQSmM0UHJCY3VSZ0gvS1M1bkQvVFlKSStOSVBjU0NVZ2VKWFgKR003THNZanVuY1pCQmJkbFByRXJJN3pkYVNGdVJJbWYrSmh3T2p4OThSZjg3WkQ3d05pRmtzd1ZQYWZFQzFXQQoxc3ZMZDI0Nk0vR3I0RFVDK2Y2MUx4eFNKUkRWMDNySmdsZnY2cWlrL3hjaVlKU2lDdkZzR0hqYzBJaEtyTXBNCnFKRW03dWQxK3VTM3NHWTR6SkVUMUhleEJudjJ4RVlESjZhbGErV3FsNDdZTllSNm4yNlAvUWpNYjdSSGE1ZWMKUEhPMW5HaTY5L1U1dmVMRVlmZmtIV01qSTlKa1dhQzFiREcrMDl0clpSdXNUQWJCZHhqbWxzZ3o0UUFDeFd3PQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==")
  485. smtc.pushRef = fakeRef{
  486. key: keyName,
  487. }
  488. smtc.keyOutput = keyvault.KeyBundle{
  489. Tags: map[string]*string{
  490. "managed-by": pointer.String(managerLabel),
  491. },
  492. Key: &keyvault.JSONWebKey{},
  493. }
  494. smtc.expectError = "could not load private key keyname: key type CERTIFICATE is not supported"
  495. }
  496. noTags := func(smtc *secretManagerTestCase) {
  497. smtc.setValue = goodKey
  498. smtc.pushRef = fakeRef{
  499. key: keyName,
  500. }
  501. smtc.keyOutput = keyvault.KeyBundle{
  502. Tags: map[string]*string{},
  503. Key: &keyvault.JSONWebKey{},
  504. }
  505. smtc.expectError = errNotManaged
  506. }
  507. wrongTags := func(smtc *secretManagerTestCase) {
  508. smtc.setValue = goodKey
  509. smtc.pushRef = fakeRef{
  510. key: keyName,
  511. }
  512. smtc.keyOutput = keyvault.KeyBundle{
  513. Tags: map[string]*string{
  514. "managed-by": pointer.String("internal-secrets"),
  515. },
  516. Key: &keyvault.JSONWebKey{},
  517. }
  518. smtc.expectError = errNotManaged
  519. }
  520. errorGetKey := func(smtc *secretManagerTestCase) {
  521. smtc.setValue = goodKey
  522. smtc.pushRef = fakeRef{
  523. key: keyName,
  524. }
  525. smtc.apiErr = autorest.DetailedError{StatusCode: 403, Method: "GET", Message: "Forbidden"}
  526. smtc.expectError = errAPI
  527. }
  528. keyNotFound := func(smtc *secretManagerTestCase) {
  529. smtc.setValue = goodKey
  530. smtc.pushRef = fakeRef{
  531. key: keyName,
  532. }
  533. smtc.apiErr = autorest.DetailedError{StatusCode: 404, Method: "GET", Message: "Not Found"}
  534. smtc.expectError = ""
  535. }
  536. importKeyFailed := func(smtc *secretManagerTestCase) {
  537. smtc.setValue = goodKey
  538. smtc.pushRef = fakeRef{
  539. key: keyName,
  540. }
  541. smtc.apiErr = autorest.DetailedError{StatusCode: 404, Method: "GET", Message: "Not Found"}
  542. smtc.setErr = autorest.DetailedError{StatusCode: 403, Method: "POST", Message: "Forbidden"}
  543. smtc.expectError = "could not import key keyname: #POST: Forbidden: StatusCode=403"
  544. }
  545. certP12Success := func(smtc *secretManagerTestCase) {
  546. smtc.setValue = p12Cert
  547. smtc.pushRef = fakeRef{
  548. key: certName,
  549. }
  550. smtc.certOutput = keyvault.CertificateBundle{
  551. X509Thumbprint: pointer.String("123"),
  552. Tags: map[string]*string{
  553. "managed-by": pointer.String("external-secrets"),
  554. },
  555. }
  556. }
  557. certPEMSuccess := func(smtc *secretManagerTestCase) {
  558. pemCert, _ := base64.StdEncoding.DecodeString("LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUZwekNDQTQrZ0F3SUJBZ0lVTUhhVDZtZG8vd2Urbit0NFB2R0JZaUdDSXE0d0RRWUpLb1pJaHZjTkFRRUwKQlFBd1l6RUxNQWtHQTFVRUJoTUNRVlV4RXpBUkJnTlZCQWdNQ2xOdmJXVXRVM1JoZEdVeElUQWZCZ05WQkFvTQpHRWx1ZEdWeWJtVjBJRmRwWkdkcGRITWdVSFI1SUV4MFpERWNNQm9HQTFVRUF3d1RZVzV2ZEdobGNpMW1iMjh0ClltRnlMbU52YlRBZUZ3MHlNakEyTURreE56UTFNelphRncweU16QTJNRGt4TnpRMU16WmFNR014Q3pBSkJnTlYKQkFZVEFrRlZNUk13RVFZRFZRUUlEQXBUYjIxbExWTjBZWFJsTVNFd0h3WURWUVFLREJoSmJuUmxjbTVsZENCWAphV1JuYVhSeklGQjBlU0JNZEdReEhEQWFCZ05WQkFNTUUyRnViM1JvWlhJdFptOXZMV0poY2k1amIyMHdnZ0lpCk1BMEdDU3FHU0liM0RRRUJBUVVBQTRJQ0R3QXdnZ0lLQW9JQ0FRQ1pITzRvNkpteU9aZGZBdDdEV2pHa0d3N0QKNVVIU1BHZXQyTjg2cnBGWXcrZThnL3dSeDBnZDBzRk9pelBBREdjcnpmdWE5Z3ZFcDRWc1dvYUduY3dReGp2cworZ1orWmQ2UkVPNHRLNzRURmYxaWZibmowUHE2OENlQlFpaG8xbDNwM2UwQy8yemVJMjNidlZEdmUybXdVcTloCjY4UTFFUmdWMU1LaWJHU1Naak5DQzdkRGFQWmpKazViMFlWVFdxREViemREVnh2ZVVMNVJxRmcvREpBMzNWcTYKVFQzQ2U5RjBIcEorb3graSs4cUxmWU5qZExSUDZlbEtLTU5naVhhNTFvdnQ5MjF4UkVGdlhFdi9NS2pZOWE2SgppNndIRSs0NmdvbFY4V2puK2xMRkRKVHh6WEFEN2p2NzVzaHY0WEczdFlaQ2J4cTMzZ2Jtb3pzRVBneVNEa0IyCm5zc0tIUEFhSVNPaWpjNDhiSXhwbDVocFJPWUZFblJDWnhablhQNjdLZVF1VWZXQkpoVWdhaW1zQlErenpwUHoKZjVUbjRnVExkWll2NU41V1V2djJJdUF5Qktha0ZhR1ZYTzFpZ2FDeVQvUTNBcEE2ZGx4SjVVbjhLNjh1L0pIYQpmWWZ5engwVnVoZk5zbmtiWkxWSEZsR2Rxd3JrU0tCWSs1eS9WWlpkeC9hSHNWWndVN3ZEY2VobGVaUU00ZXZyCm5tMUY3dk5xSHBUK3BHSnpNVWVUNGZMVFpabTBra1Y3ZXl5RGRMMDFEWXRXQk1TM2NEb1F1Tm9YSUEwK0N4Vk8KOHcxcC9wbXF2UFQ3cmpad2pwYkVMUkp3MWs4R3ozU2FKb2VqaFBzWC9xNzNGWWdBc09PRHBNcm4rdmlTZTRmcgpmR0VmZlEvYXJUVE5qK1BUb3dJREFRQUJvMU13VVRBZEJnTlZIUTRFRmdRVWJPQk14azJ5UkNkR1N4eEZGMzBUCkZORFhHS3N3SHdZRFZSMGpCQmd3Rm9BVWJPQk14azJ5UkNkR1N4eEZGMzBURk5EWEdLc3dEd1lEVlIwVEFRSC8KQkFVd0F3RUIvekFOQmdrcWhraUc5dzBCQVFzRkFBT0NBZ0VBQXdudUtxOThOQ2hUMlUzU2RSNEFVem1MTjFCVwowNHIwMTA3TjlKdW9LbzJycjhoZ21mRmd0MDgrdFNDYzR5ajZSNStyY1hudXpqeEZLaWJVYnFncFpvd0pSSGEyCjF0NUJicEwxeWcybGZyZnhIb3YvRjh0VnNTbUE4d3loNlVpV1J3RTlrdlBXUm5LblR1a3Y1enpzcVNsTlNpbG0KNDl6UTdTV05sK0lBRnkvc3dacnRKUTEwVlQ5czRuUGVHM29XUU1vdE9QUCtsbFNpeW5LTFpxUTRnU0tSaTNmZQpQTGlXcHQ5WGZYb0dVQ0VqN3E1cGhibExQZ2RLVUNyaEdQMW4yalltWHNjV0xNeWtBbmEyMGNobHJxVlluQ2E4CkpVcDRMZnRGRHA4OVlUb1hPRkhuRm1uTkN2Y0lyRGZGeURmaGw0VU1GcEswT1VLcVRUeFdhSzl1cU9JcGFySXMKS1l3c3ArZkxlV0xiUTZrR2Ztbk81aURSZCtvT2hyTllvb1RaVks5ZlFSNXJEMmU0QitlYTByelFGWEFBVWpKNQpPWGFieGJEclErT01landjNEhxcXN4enRKZ0QyYVAyZUsyL0w1UFdQdWcwRSsxZzhBQlpmVmJvaC9NM01IZ2J6ClBnYVRxZ3V6R0Zka0czRVh1K09oR2JVMC8rNzdWTW5aaTJJUVpuL2F3R1VhN1grTVAwQkR2alZZNWtWcE1aMWgKYzJDbERqZ3hOc0xHdGlrTzRjV2I1c1FSUjJHWU0zZE1rNTBWUWN0SjVScXNSczZwT0NYRFhFM1JlVlFqNGhOQgplV3ZhRFdRMktteU9haTU1ZGJEcmxKK251ODNPbUNwNTlSelA1azU4WmFEWG5sQzM4VXdUdDBxMUQ3K3pGMHRzCjFHOTMydUVCSFdZSHVPQT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=")
  559. smtc.setValue = pemCert
  560. smtc.pushRef = fakeRef{
  561. key: certName,
  562. }
  563. smtc.certOutput = keyvault.CertificateBundle{
  564. X509Thumbprint: pointer.String("123"),
  565. Tags: map[string]*string{
  566. "managed-by": pointer.String("external-secrets"),
  567. },
  568. }
  569. }
  570. certDERSuccess := func(smtc *secretManagerTestCase) {
  571. derCert, _ := base64.StdEncoding.DecodeString("MIIFpzCCA4+gAwIBAgIUMHaT6mdo/we+n+t4PvGBYiGCIq4wDQYJKoZIhvcNAQELBQAwYzELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEcMBoGA1UEAwwTYW5vdGhlci1mb28tYmFyLmNvbTAeFw0yMjA2MDkxNzQ1MzZaFw0yMzA2MDkxNzQ1MzZaMGMxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQxHDAaBgNVBAMME2Fub3RoZXItZm9vLWJhci5jb20wggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCZHO4o6JmyOZdfAt7DWjGkGw7D5UHSPGet2N86rpFYw+e8g/wRx0gd0sFOizPADGcrzfua9gvEp4VsWoaGncwQxjvs+gZ+Zd6REO4tK74TFf1ifbnj0Pq68CeBQiho1l3p3e0C/2zeI23bvVDve2mwUq9h68Q1ERgV1MKibGSSZjNCC7dDaPZjJk5b0YVTWqDEbzdDVxveUL5RqFg/DJA33Vq6TT3Ce9F0HpJ+ox+i+8qLfYNjdLRP6elKKMNgiXa51ovt921xREFvXEv/MKjY9a6Ji6wHE+46golV8Wjn+lLFDJTxzXAD7jv75shv4XG3tYZCbxq33gbmozsEPgySDkB2nssKHPAaISOijc48bIxpl5hpROYFEnRCZxZnXP67KeQuUfWBJhUgaimsBQ+zzpPzf5Tn4gTLdZYv5N5WUvv2IuAyBKakFaGVXO1igaCyT/Q3ApA6dlxJ5Un8K68u/JHafYfyzx0VuhfNsnkbZLVHFlGdqwrkSKBY+5y/VZZdx/aHsVZwU7vDcehleZQM4evrnm1F7vNqHpT+pGJzMUeT4fLTZZm0kkV7eyyDdL01DYtWBMS3cDoQuNoXIA0+CxVO8w1p/pmqvPT7rjZwjpbELRJw1k8Gz3SaJoejhPsX/q73FYgAsOODpMrn+viSe4frfGEffQ/arTTNj+PTowIDAQABo1MwUTAdBgNVHQ4EFgQUbOBMxk2yRCdGSxxFF30TFNDXGKswHwYDVR0jBBgwFoAUbOBMxk2yRCdGSxxFF30TFNDXGKswDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAgEAAwnuKq98NChT2U3SdR4AUzmLN1BW04r0107N9JuoKo2rr8hgmfFgt08+tSCc4yj6R5+rcXnuzjxFKibUbqgpZowJRHa21t5BbpL1yg2lfrfxHov/F8tVsSmA8wyh6UiWRwE9kvPWRnKnTukv5zzsqSlNSilm49zQ7SWNl+IAFy/swZrtJQ10VT9s4nPeG3oWQMotOPP+llSiynKLZqQ4gSKRi3fePLiWpt9XfXoGUCEj7q5phblLPgdKUCrhGP1n2jYmXscWLMykAna20chlrqVYnCa8JUp4LftFDp89YToXOFHnFmnNCvcIrDfFyDfhl4UMFpK0OUKqTTxWaK9uqOIparIsKYwsp+fLeWLbQ6kGfmnO5iDRd+oOhrNYooTZVK9fQR5rD2e4B+ea0rzQFXAAUjJ5OXabxbDrQ+OMejwc4HqqsxztJgD2aP2eK2/L5PWPug0E+1g8ABZfVboh/M3MHgbzPgaTqguzGFdkG3EXu+OhGbU0/+77VMnZi2IQZn/awGUa7X+MP0BDvjVY5kVpMZ1hc2ClDjgxNsLGtikO4cWb5sQRR2GYM3dMk50VQctJ5RqsRs6pOCXDXE3ReVQj4hNBeWvaDWQ2KmyOai55dbDrlJ+nu83OmCp59RzP5k58ZaDXnlC38UwTt0q1D7+zF0ts1G932uEBHWYHuOA=")
  572. smtc.setValue = derCert
  573. smtc.pushRef = fakeRef{
  574. key: certName,
  575. }
  576. smtc.certOutput = keyvault.CertificateBundle{
  577. X509Thumbprint: pointer.String("123"),
  578. Tags: map[string]*string{
  579. "managed-by": pointer.String("external-secrets"),
  580. },
  581. }
  582. }
  583. certImportCertificateError := func(smtc *secretManagerTestCase) {
  584. smtc.setErr = errors.New("error")
  585. smtc.setValue = p12Cert
  586. smtc.pushRef = fakeRef{
  587. key: certName,
  588. }
  589. smtc.certOutput = keyvault.CertificateBundle{
  590. X509Thumbprint: pointer.String("123"),
  591. Tags: map[string]*string{
  592. "managed-by": pointer.String("external-secrets"),
  593. },
  594. }
  595. smtc.expectError = "could not import certificate certname: error"
  596. }
  597. certFingerprintMatches := func(smtc *secretManagerTestCase) {
  598. smtc.setErr = errors.New("error")
  599. cert, _ := base64.StdEncoding.DecodeString("MIIFpzCCA4+gAwIBAgIUMHaT6mdo/we+n+t4PvGBYiGCIq4wDQYJKoZIhvcNAQELBQAwYzELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEcMBoGA1UEAwwTYW5vdGhlci1mb28tYmFyLmNvbTAeFw0yMjA2MDkxNzQ1MzZaFw0yMzA2MDkxNzQ1MzZaMGMxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQxHDAaBgNVBAMME2Fub3RoZXItZm9vLWJhci5jb20wggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCZHO4o6JmyOZdfAt7DWjGkGw7D5UHSPGet2N86rpFYw+e8g/wRx0gd0sFOizPADGcrzfua9gvEp4VsWoaGncwQxjvs+gZ+Zd6REO4tK74TFf1ifbnj0Pq68CeBQiho1l3p3e0C/2zeI23bvVDve2mwUq9h68Q1ERgV1MKibGSSZjNCC7dDaPZjJk5b0YVTWqDEbzdDVxveUL5RqFg/DJA33Vq6TT3Ce9F0HpJ+ox+i+8qLfYNjdLRP6elKKMNgiXa51ovt921xREFvXEv/MKjY9a6Ji6wHE+46golV8Wjn+lLFDJTxzXAD7jv75shv4XG3tYZCbxq33gbmozsEPgySDkB2nssKHPAaISOijc48bIxpl5hpROYFEnRCZxZnXP67KeQuUfWBJhUgaimsBQ+zzpPzf5Tn4gTLdZYv5N5WUvv2IuAyBKakFaGVXO1igaCyT/Q3ApA6dlxJ5Un8K68u/JHafYfyzx0VuhfNsnkbZLVHFlGdqwrkSKBY+5y/VZZdx/aHsVZwU7vDcehleZQM4evrnm1F7vNqHpT+pGJzMUeT4fLTZZm0kkV7eyyDdL01DYtWBMS3cDoQuNoXIA0+CxVO8w1p/pmqvPT7rjZwjpbELRJw1k8Gz3SaJoejhPsX/q73FYgAsOODpMrn+viSe4frfGEffQ/arTTNj+PTowIDAQABo1MwUTAdBgNVHQ4EFgQUbOBMxk2yRCdGSxxFF30TFNDXGKswHwYDVR0jBBgwFoAUbOBMxk2yRCdGSxxFF30TFNDXGKswDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAgEAAwnuKq98NChT2U3SdR4AUzmLN1BW04r0107N9JuoKo2rr8hgmfFgt08+tSCc4yj6R5+rcXnuzjxFKibUbqgpZowJRHa21t5BbpL1yg2lfrfxHov/F8tVsSmA8wyh6UiWRwE9kvPWRnKnTukv5zzsqSlNSilm49zQ7SWNl+IAFy/swZrtJQ10VT9s4nPeG3oWQMotOPP+llSiynKLZqQ4gSKRi3fePLiWpt9XfXoGUCEj7q5phblLPgdKUCrhGP1n2jYmXscWLMykAna20chlrqVYnCa8JUp4LftFDp89YToXOFHnFmnNCvcIrDfFyDfhl4UMFpK0OUKqTTxWaK9uqOIparIsKYwsp+fLeWLbQ6kGfmnO5iDRd+oOhrNYooTZVK9fQR5rD2e4B+ea0rzQFXAAUjJ5OXabxbDrQ+OMejwc4HqqsxztJgD2aP2eK2/L5PWPug0E+1g8ABZfVboh/M3MHgbzPgaTqguzGFdkG3EXu+OhGbU0/+77VMnZi2IQZn/awGUa7X+MP0BDvjVY5kVpMZ1hc2ClDjgxNsLGtikO4cWb5sQRR2GYM3dMk50VQctJ5RqsRs6pOCXDXE3ReVQj4hNBeWvaDWQ2KmyOai55dbDrlJ+nu83OmCp59RzP5k58ZaDXnlC38UwTt0q1D7+zF0ts1G932uEBHWYHuOA=")
  600. smtc.setValue = p12Cert
  601. smtc.pushRef = fakeRef{
  602. key: certName,
  603. }
  604. smtc.certOutput = keyvault.CertificateBundle{
  605. Cer: &cert,
  606. Tags: map[string]*string{
  607. "managed-by": pointer.String("external-secrets"),
  608. },
  609. }
  610. }
  611. certNotManagedByES := func(smtc *secretManagerTestCase) {
  612. smtc.setValue = p12Cert
  613. smtc.pushRef = fakeRef{
  614. key: certName,
  615. }
  616. smtc.certOutput = keyvault.CertificateBundle{
  617. X509Thumbprint: pointer.String("123"),
  618. Tags: map[string]*string{
  619. "managed-by": pointer.String("foobar"),
  620. },
  621. }
  622. smtc.expectError = "certificate certname: not managed by external-secrets"
  623. }
  624. certNoManagerTags := func(smtc *secretManagerTestCase) {
  625. smtc.setValue = p12Cert
  626. smtc.pushRef = fakeRef{
  627. key: certName,
  628. }
  629. smtc.certOutput = keyvault.CertificateBundle{
  630. X509Thumbprint: pointer.String("123"),
  631. }
  632. smtc.expectError = "certificate certname: not managed by external-secrets"
  633. }
  634. certNotACertificate := func(smtc *secretManagerTestCase) {
  635. smtc.setValue = []byte("foobar")
  636. smtc.pushRef = fakeRef{
  637. key: certName,
  638. }
  639. smtc.certOutput = keyvault.CertificateBundle{
  640. X509Thumbprint: pointer.String("123"),
  641. }
  642. smtc.expectError = "value from secret is not a valid certificate: x509: malformed certificate"
  643. }
  644. certNoPermissions := func(smtc *secretManagerTestCase) {
  645. smtc.apiErr = autorest.DetailedError{
  646. StatusCode: 403,
  647. Method: "GET",
  648. Message: "Insufficient Permissions",
  649. }
  650. smtc.setValue = p12Cert
  651. smtc.pushRef = fakeRef{
  652. key: certName,
  653. }
  654. smtc.certOutput = keyvault.CertificateBundle{
  655. X509Thumbprint: pointer.String("123"),
  656. }
  657. smtc.expectError = errAPI
  658. }
  659. successCases := []*secretManagerTestCase{
  660. makeValidSecretManagerTestCaseCustom(certP12Success),
  661. makeValidSecretManagerTestCaseCustom(certPEMSuccess),
  662. makeValidSecretManagerTestCaseCustom(certDERSuccess),
  663. makeValidSecretManagerTestCaseCustom(certImportCertificateError),
  664. makeValidSecretManagerTestCaseCustom(certFingerprintMatches),
  665. makeValidSecretManagerTestCaseCustom(certNotManagedByES),
  666. makeValidSecretManagerTestCaseCustom(certNoManagerTags),
  667. makeValidSecretManagerTestCaseCustom(certNotACertificate),
  668. makeValidSecretManagerTestCaseCustom(certNoPermissions),
  669. makeValidSecretManagerTestCaseCustom(keySuccess),
  670. makeValidSecretManagerTestCaseCustom(symmetricKeySuccess),
  671. makeValidSecretManagerTestCaseCustom(RSAKeySuccess),
  672. makeValidSecretManagerTestCaseCustom(ECKeySuccess),
  673. makeValidSecretManagerTestCaseCustom(invalidKey),
  674. makeValidSecretManagerTestCaseCustom(errorGetKey),
  675. makeValidSecretManagerTestCaseCustom(keyNotFound),
  676. makeValidSecretManagerTestCaseCustom(importKeyFailed),
  677. makeValidSecretManagerTestCaseCustom(noTags),
  678. makeValidSecretManagerTestCaseCustom(wrongTags),
  679. makeValidSecretManagerTestCaseCustom(secretSuccess),
  680. makeValidSecretManagerTestCaseCustom(secretNoChange),
  681. makeValidSecretManagerTestCaseCustom(secretWrongTags),
  682. makeValidSecretManagerTestCaseCustom(secretNoTags),
  683. makeValidSecretManagerTestCaseCustom(secretNotFound),
  684. makeValidSecretManagerTestCaseCustom(failedGetSecret),
  685. makeValidSecretManagerTestCaseCustom(failedNotParseableError),
  686. makeValidSecretManagerTestCaseCustom(failedSetSecret),
  687. makeValidSecretManagerTestCaseCustom(typeNotSupported),
  688. }
  689. sm := Azure{
  690. provider: &esv1beta1.AzureKVProvider{VaultURL: pointer.String(fakeURL)},
  691. }
  692. for k, v := range successCases {
  693. sm.baseClient = v.mockClient
  694. err := sm.PushSecret(context.Background(), v.setValue, v.pushRef)
  695. if !utils.ErrorContains(err, v.expectError) {
  696. if err == nil {
  697. t.Errorf("[%d] unexpected error: <nil>, expected: '%s'", k, v.expectError)
  698. } else {
  699. t.Errorf("[%d] unexpected error: %s, expected: '%s'", k, err.Error(), v.expectError)
  700. }
  701. }
  702. }
  703. }
  704. // test the sm<->azurekv interface
  705. // make sure correct values are passed and errors are handled accordingly.
  706. func TestAzureKeyVaultSecretManagerGetSecret(t *testing.T) {
  707. secretString := "changedvalue"
  708. secretCertificate := "certificate_value"
  709. tagMap := getTagMap()
  710. // good case
  711. setSecretString := func(smtc *secretManagerTestCase) {
  712. smtc.expectedSecret = secretString
  713. smtc.secretOutput = keyvault.SecretBundle{
  714. Value: &secretString,
  715. }
  716. }
  717. // good case
  718. secretNotFound := func(smtc *secretManagerTestCase) {
  719. smtc.expectedSecret = ""
  720. smtc.apiErr = autorest.DetailedError{StatusCode: 404}
  721. smtc.expectError = esv1beta1.NoSecretError{}.Error()
  722. }
  723. certNotFound := func(smtc *secretManagerTestCase) {
  724. smtc.expectedSecret = ""
  725. smtc.secretName = certName
  726. smtc.apiErr = autorest.DetailedError{StatusCode: 404}
  727. smtc.expectError = esv1beta1.NoSecretError{}.Error()
  728. }
  729. keyNotFound := func(smtc *secretManagerTestCase) {
  730. smtc.expectedSecret = ""
  731. smtc.secretName = keyName
  732. smtc.apiErr = autorest.DetailedError{StatusCode: 404}
  733. smtc.expectError = esv1beta1.NoSecretError{}.Error()
  734. }
  735. setSecretStringWithVersion := func(smtc *secretManagerTestCase) {
  736. smtc.expectedSecret = secretString
  737. smtc.secretOutput = keyvault.SecretBundle{
  738. Value: &secretString,
  739. }
  740. smtc.ref.Version = "v1"
  741. smtc.secretVersion = smtc.ref.Version
  742. }
  743. setSecretWithProperty := func(smtc *secretManagerTestCase) {
  744. jsonString := jsonTestString
  745. smtc.expectedSecret = "External"
  746. smtc.secretOutput = keyvault.SecretBundle{
  747. Value: &jsonString,
  748. }
  749. smtc.ref.Property = "Name"
  750. }
  751. badSecretWithProperty := func(smtc *secretManagerTestCase) {
  752. jsonString := jsonTestString
  753. smtc.expectedSecret = ""
  754. smtc.secretOutput = keyvault.SecretBundle{
  755. Value: &jsonString,
  756. }
  757. smtc.ref.Property = "Age"
  758. smtc.expectError = fmt.Sprintf("property %s does not exist in key %s", smtc.ref.Property, smtc.ref.Key)
  759. smtc.apiErr = errors.New(smtc.expectError)
  760. }
  761. // // good case: key set
  762. setPubRSAKey := func(smtc *secretManagerTestCase) {
  763. smtc.secretName = keyName
  764. smtc.expectedSecret = jwkPubRSA
  765. smtc.keyOutput = keyvault.KeyBundle{
  766. Key: newKVJWK([]byte(jwkPubRSA)),
  767. }
  768. smtc.ref.Key = smtc.secretName
  769. }
  770. // // good case: key set
  771. setPubECKey := func(smtc *secretManagerTestCase) {
  772. smtc.secretName = keyName
  773. smtc.expectedSecret = jwkPubEC
  774. smtc.keyOutput = keyvault.KeyBundle{
  775. Key: newKVJWK([]byte(jwkPubEC)),
  776. }
  777. smtc.ref.Key = smtc.secretName
  778. }
  779. // // good case: key set
  780. setCertificate := func(smtc *secretManagerTestCase) {
  781. byteArrString := []byte(secretCertificate)
  782. smtc.secretName = certName
  783. smtc.expectedSecret = secretCertificate
  784. smtc.certOutput = keyvault.CertificateBundle{
  785. Cer: &byteArrString,
  786. }
  787. smtc.ref.Key = smtc.secretName
  788. }
  789. badSecretType := func(smtc *secretManagerTestCase) {
  790. smtc.secretName = "name"
  791. smtc.expectedSecret = ""
  792. smtc.expectError = fmt.Sprintf("unknown Azure Keyvault object Type for %s", smtc.secretName)
  793. smtc.ref.Key = fmt.Sprintf("example/%s", smtc.secretName)
  794. }
  795. setSecretWithTag := func(smtc *secretManagerTestCase) {
  796. smtc.ref.MetadataPolicy = esv1beta1.ExternalSecretMetadataPolicyFetch
  797. smtc.ref.Property = tagname
  798. smtc.secretOutput = keyvault.SecretBundle{
  799. Value: &secretString, Tags: tagMap,
  800. }
  801. smtc.expectedSecret = tagvalue
  802. }
  803. badSecretWithTag := func(smtc *secretManagerTestCase) {
  804. smtc.ref.MetadataPolicy = esv1beta1.ExternalSecretMetadataPolicyFetch
  805. smtc.ref.Property = something
  806. smtc.expectedSecret = ""
  807. smtc.expectError = errorNoTag
  808. smtc.apiErr = errors.New(smtc.expectError)
  809. }
  810. setSecretWithNoSpecificTag := func(smtc *secretManagerTestCase) {
  811. smtc.ref.MetadataPolicy = esv1beta1.ExternalSecretMetadataPolicyFetch
  812. smtc.secretOutput = keyvault.SecretBundle{
  813. Value: &secretString, Tags: tagMap,
  814. }
  815. smtc.expectedSecret = jsonTagTestString
  816. }
  817. setSecretWithNoTags := func(smtc *secretManagerTestCase) {
  818. smtc.ref.MetadataPolicy = esv1beta1.ExternalSecretMetadataPolicyFetch
  819. smtc.secretOutput = keyvault.SecretBundle{}
  820. smtc.expectedSecret = "{}"
  821. }
  822. setCertWithTag := func(smtc *secretManagerTestCase) {
  823. byteArrString := []byte(secretCertificate)
  824. smtc.secretName = certName
  825. smtc.certOutput = keyvault.CertificateBundle{
  826. Cer: &byteArrString, Tags: tagMap,
  827. }
  828. smtc.ref.MetadataPolicy = esv1beta1.ExternalSecretMetadataPolicyFetch
  829. smtc.ref.Property = tagname
  830. smtc.expectedSecret = tagvalue
  831. smtc.ref.Key = smtc.secretName
  832. }
  833. badCertWithTag := func(smtc *secretManagerTestCase) {
  834. byteArrString := []byte(secretCertificate)
  835. smtc.secretName = certName
  836. smtc.ref.Key = smtc.secretName
  837. smtc.certOutput = keyvault.CertificateBundle{
  838. Cer: &byteArrString,
  839. }
  840. smtc.ref.MetadataPolicy = esv1beta1.ExternalSecretMetadataPolicyFetch
  841. smtc.ref.Property = something
  842. smtc.expectedSecret = ""
  843. smtc.expectError = errorNoTag
  844. smtc.apiErr = errors.New(smtc.expectError)
  845. }
  846. setCertWithNoSpecificTag := func(smtc *secretManagerTestCase) {
  847. byteArrString := []byte(secretCertificate)
  848. smtc.secretName = certName
  849. smtc.ref.Key = smtc.secretName
  850. smtc.certOutput = keyvault.CertificateBundle{
  851. Cer: &byteArrString, Tags: tagMap,
  852. }
  853. smtc.ref.MetadataPolicy = esv1beta1.ExternalSecretMetadataPolicyFetch
  854. smtc.expectedSecret = jsonTagTestString
  855. }
  856. setCertWithNoTags := func(smtc *secretManagerTestCase) {
  857. byteArrString := []byte(secretCertificate)
  858. smtc.secretName = certName
  859. smtc.ref.Key = smtc.secretName
  860. smtc.certOutput = keyvault.CertificateBundle{
  861. Cer: &byteArrString,
  862. }
  863. smtc.ref.MetadataPolicy = esv1beta1.ExternalSecretMetadataPolicyFetch
  864. smtc.expectedSecret = "{}"
  865. }
  866. setKeyWithTag := func(smtc *secretManagerTestCase) {
  867. smtc.secretName = keyName
  868. smtc.keyOutput = keyvault.KeyBundle{
  869. Key: newKVJWK([]byte(jwkPubRSA)), Tags: tagMap,
  870. }
  871. smtc.ref.MetadataPolicy = esv1beta1.ExternalSecretMetadataPolicyFetch
  872. smtc.ref.Property = tagname
  873. smtc.expectedSecret = tagvalue
  874. smtc.ref.Key = smtc.secretName
  875. }
  876. badKeyWithTag := func(smtc *secretManagerTestCase) {
  877. smtc.secretName = keyName
  878. smtc.ref.Key = smtc.secretName
  879. smtc.keyOutput = keyvault.KeyBundle{
  880. Key: newKVJWK([]byte(jwkPubRSA)), Tags: tagMap,
  881. }
  882. smtc.ref.MetadataPolicy = esv1beta1.ExternalSecretMetadataPolicyFetch
  883. smtc.ref.Property = something
  884. smtc.expectedSecret = ""
  885. smtc.expectError = errorNoTag
  886. smtc.apiErr = errors.New(smtc.expectError)
  887. }
  888. setKeyWithNoSpecificTag := func(smtc *secretManagerTestCase) {
  889. smtc.secretName = keyName
  890. smtc.ref.Key = smtc.secretName
  891. smtc.keyOutput = keyvault.KeyBundle{
  892. Key: newKVJWK([]byte(jwkPubRSA)), Tags: tagMap,
  893. }
  894. smtc.ref.MetadataPolicy = esv1beta1.ExternalSecretMetadataPolicyFetch
  895. smtc.expectedSecret = jsonTagTestString
  896. }
  897. setKeyWithNoTags := func(smtc *secretManagerTestCase) {
  898. smtc.secretName = keyName
  899. smtc.ref.Key = smtc.secretName
  900. smtc.keyOutput = keyvault.KeyBundle{
  901. Key: newKVJWK([]byte(jwkPubRSA)),
  902. }
  903. smtc.ref.MetadataPolicy = esv1beta1.ExternalSecretMetadataPolicyFetch
  904. smtc.expectedSecret = "{}"
  905. }
  906. badPropertyTag := func(smtc *secretManagerTestCase) {
  907. smtc.ref.Property = tagname
  908. smtc.expectedSecret = ""
  909. smtc.expectError = "property tagname does not exist in key test-secret"
  910. smtc.apiErr = errors.New(smtc.expectError)
  911. }
  912. fetchSingleTag := func(smtc *secretManagerTestCase) {
  913. jsonString := jsonTestString
  914. smtc.expectedSecret = bar
  915. smtc.ref.MetadataPolicy = esv1beta1.ExternalSecretMetadataPolicyFetch
  916. secretTags := map[string]*string{}
  917. tagValue := bar
  918. secretTags[foo] = &tagValue
  919. smtc.secretOutput = keyvault.SecretBundle{
  920. Value: &jsonString,
  921. Tags: secretTags,
  922. }
  923. smtc.ref.Property = foo
  924. }
  925. fetchJSONTag := func(smtc *secretManagerTestCase) {
  926. jsonString := jsonTestString
  927. smtc.ref.MetadataPolicy = esv1beta1.ExternalSecretMetadataPolicyFetch
  928. secretTags := map[string]*string{}
  929. tagValue := "{\"key\":\"value\"}"
  930. secretTags[foo] = &tagValue
  931. smtc.secretOutput = keyvault.SecretBundle{
  932. Value: &jsonString,
  933. Tags: secretTags,
  934. }
  935. smtc.ref.Property = foo
  936. smtc.expectedSecret = tagValue
  937. }
  938. fetchDottedJSONTag := func(smtc *secretManagerTestCase) {
  939. jsonString := jsonTestString
  940. smtc.ref.MetadataPolicy = esv1beta1.ExternalSecretMetadataPolicyFetch
  941. secretTags := map[string]*string{}
  942. tagValue := "{\"key\":\"value\"}"
  943. secretTags[foo] = &tagValue
  944. smtc.secretOutput = keyvault.SecretBundle{
  945. Value: &jsonString,
  946. Tags: secretTags,
  947. }
  948. smtc.ref.Property = "foo.key"
  949. smtc.expectedSecret = "value"
  950. }
  951. fetchNestedJSONTag := func(smtc *secretManagerTestCase) {
  952. jsonString := jsonTestString
  953. smtc.ref.MetadataPolicy = esv1beta1.ExternalSecretMetadataPolicyFetch
  954. secretTags := map[string]*string{}
  955. tagValue := "{\"key\":\"value\", \"nested\": {\"foo\":\"bar\"}}"
  956. secretTags["foo"] = &tagValue
  957. smtc.secretOutput = keyvault.SecretBundle{
  958. Value: &jsonString,
  959. Tags: secretTags,
  960. }
  961. smtc.ref.Property = "foo.nested"
  962. smtc.expectedSecret = "{\"foo\":\"bar\"}"
  963. }
  964. fetchNestedDottedJSONTag := func(smtc *secretManagerTestCase) {
  965. jsonString := jsonTestString
  966. smtc.ref.MetadataPolicy = esv1beta1.ExternalSecretMetadataPolicyFetch
  967. secretTags := map[string]*string{}
  968. tagValue := "{\"key\":\"value\", \"nested\": {\"foo\":\"bar\"}}"
  969. secretTags[foo] = &tagValue
  970. smtc.secretOutput = keyvault.SecretBundle{
  971. Value: &jsonString,
  972. Tags: secretTags,
  973. }
  974. smtc.ref.Property = "foo.nested.foo"
  975. smtc.expectedSecret = bar
  976. }
  977. fetchDottedKeyJSONTag := func(smtc *secretManagerTestCase) {
  978. jsonString := jsonTestString
  979. smtc.ref.MetadataPolicy = esv1beta1.ExternalSecretMetadataPolicyFetch
  980. secretTags := map[string]*string{}
  981. tagValue := "{\"foo.json\":\"bar\"}"
  982. secretTags[foo] = &tagValue
  983. smtc.secretOutput = keyvault.SecretBundle{
  984. Value: &jsonString,
  985. Tags: secretTags,
  986. }
  987. smtc.ref.Property = "foo.foo.json"
  988. smtc.expectedSecret = bar
  989. }
  990. fetchDottedSecretJSONTag := func(smtc *secretManagerTestCase) {
  991. jsonString := "{\"foo.json\":\"bar\"}"
  992. smtc.secretOutput = keyvault.SecretBundle{
  993. Value: &jsonString,
  994. }
  995. smtc.ref.Property = "foo.json"
  996. smtc.expectedSecret = bar
  997. }
  998. successCases := []*secretManagerTestCase{
  999. makeValidSecretManagerTestCase(),
  1000. makeValidSecretManagerTestCaseCustom(setSecretString),
  1001. makeValidSecretManagerTestCaseCustom(setSecretStringWithVersion),
  1002. makeValidSecretManagerTestCaseCustom(setSecretWithProperty),
  1003. makeValidSecretManagerTestCaseCustom(badSecretWithProperty),
  1004. makeValidSecretManagerTestCaseCustom(setPubRSAKey),
  1005. makeValidSecretManagerTestCaseCustom(setPubECKey),
  1006. makeValidSecretManagerTestCaseCustom(secretNotFound),
  1007. makeValidSecretManagerTestCaseCustom(certNotFound),
  1008. makeValidSecretManagerTestCaseCustom(keyNotFound),
  1009. makeValidSecretManagerTestCaseCustom(setCertificate),
  1010. makeValidSecretManagerTestCaseCustom(badSecretType),
  1011. makeValidSecretManagerTestCaseCustom(setSecretWithTag),
  1012. makeValidSecretManagerTestCaseCustom(badSecretWithTag),
  1013. makeValidSecretManagerTestCaseCustom(setSecretWithNoSpecificTag),
  1014. makeValidSecretManagerTestCaseCustom(setSecretWithNoTags),
  1015. makeValidSecretManagerTestCaseCustom(setCertWithTag),
  1016. makeValidSecretManagerTestCaseCustom(badCertWithTag),
  1017. makeValidSecretManagerTestCaseCustom(setCertWithNoSpecificTag),
  1018. makeValidSecretManagerTestCaseCustom(setCertWithNoTags),
  1019. makeValidSecretManagerTestCaseCustom(setKeyWithTag),
  1020. makeValidSecretManagerTestCaseCustom(badKeyWithTag),
  1021. makeValidSecretManagerTestCaseCustom(setKeyWithNoSpecificTag),
  1022. makeValidSecretManagerTestCaseCustom(setKeyWithNoTags),
  1023. makeValidSecretManagerTestCaseCustom(badPropertyTag),
  1024. makeValidSecretManagerTestCaseCustom(fetchSingleTag),
  1025. makeValidSecretManagerTestCaseCustom(fetchJSONTag),
  1026. makeValidSecretManagerTestCaseCustom(fetchDottedJSONTag),
  1027. makeValidSecretManagerTestCaseCustom(fetchNestedJSONTag),
  1028. makeValidSecretManagerTestCaseCustom(fetchNestedDottedJSONTag),
  1029. makeValidSecretManagerTestCaseCustom(fetchDottedKeyJSONTag),
  1030. makeValidSecretManagerTestCaseCustom(fetchDottedSecretJSONTag),
  1031. }
  1032. sm := Azure{
  1033. provider: &esv1beta1.AzureKVProvider{VaultURL: pointer.String(fakeURL)},
  1034. }
  1035. for k, v := range successCases {
  1036. sm.baseClient = v.mockClient
  1037. out, err := sm.GetSecret(context.Background(), *v.ref)
  1038. if !utils.ErrorContains(err, v.expectError) {
  1039. t.Errorf("[%d] unexpected error: %s, expected: '%s'", k, err.Error(), v.expectError)
  1040. }
  1041. if string(out) != v.expectedSecret {
  1042. t.Errorf("[%d] unexpected secret: expected %s, got %s", k, v.expectedSecret, string(out))
  1043. }
  1044. }
  1045. }
  1046. func TestAzureKeyVaultSecretManagerGetSecretMap(t *testing.T) {
  1047. secretString := "changedvalue"
  1048. secretCertificate := "certificate_value"
  1049. tagMap := getTagMap()
  1050. badSecretString := func(smtc *secretManagerTestCase) {
  1051. smtc.expectedSecret = secretString
  1052. smtc.secretOutput = keyvault.SecretBundle{
  1053. Value: &secretString,
  1054. }
  1055. smtc.expectError = "error unmarshalling json data: invalid character 'c' looking for beginning of value"
  1056. }
  1057. setSecretJSON := func(smtc *secretManagerTestCase) {
  1058. jsonString := jsonSingleTestString
  1059. smtc.secretOutput = keyvault.SecretBundle{
  1060. Value: &jsonString,
  1061. }
  1062. smtc.expectedData["Name"] = []byte("External")
  1063. smtc.expectedData["LastName"] = []byte("Secret")
  1064. }
  1065. setSecretJSONWithProperty := func(smtc *secretManagerTestCase) {
  1066. jsonString := jsonTestString
  1067. smtc.secretOutput = keyvault.SecretBundle{
  1068. Value: &jsonString,
  1069. }
  1070. smtc.ref.Property = "Address"
  1071. smtc.expectedData["Street"] = []byte("Myroad st.")
  1072. smtc.expectedData["CP"] = []byte("J4K4T4")
  1073. }
  1074. badSecretWithProperty := func(smtc *secretManagerTestCase) {
  1075. jsonString := jsonTestString
  1076. smtc.expectedSecret = ""
  1077. smtc.secretOutput = keyvault.SecretBundle{
  1078. Value: &jsonString,
  1079. }
  1080. smtc.ref.Property = "Age"
  1081. smtc.expectError = fmt.Sprintf("property %s does not exist in key %s", smtc.ref.Property, smtc.ref.Key)
  1082. smtc.apiErr = errors.New(smtc.expectError)
  1083. }
  1084. badPubRSAKey := func(smtc *secretManagerTestCase) {
  1085. smtc.secretName = keyName
  1086. smtc.expectedSecret = jwkPubRSA
  1087. smtc.keyOutput = keyvault.KeyBundle{
  1088. Key: newKVJWK([]byte(jwkPubRSA)),
  1089. }
  1090. smtc.ref.Key = smtc.secretName
  1091. smtc.expectError = "cannot get use dataFrom to get key secret"
  1092. }
  1093. badCertificate := func(smtc *secretManagerTestCase) {
  1094. byteArrString := []byte(secretCertificate)
  1095. smtc.secretName = certName
  1096. smtc.expectedSecret = secretCertificate
  1097. smtc.certOutput = keyvault.CertificateBundle{
  1098. Cer: &byteArrString,
  1099. }
  1100. smtc.ref.Key = smtc.secretName
  1101. smtc.expectError = "cannot get use dataFrom to get certificate secret"
  1102. }
  1103. badSecretType := func(smtc *secretManagerTestCase) {
  1104. smtc.secretName = "name"
  1105. smtc.expectedSecret = ""
  1106. smtc.expectError = fmt.Sprintf("unknown Azure Keyvault object Type for %s", smtc.secretName)
  1107. smtc.ref.Key = fmt.Sprintf("example/%s", smtc.secretName)
  1108. }
  1109. setSecretTags := func(smtc *secretManagerTestCase) {
  1110. smtc.ref.MetadataPolicy = esv1beta1.ExternalSecretMetadataPolicyFetch
  1111. smtc.secretOutput = keyvault.SecretBundle{
  1112. Tags: tagMap,
  1113. }
  1114. smtc.expectedData[testsecret+"_"+tagname] = []byte(tagvalue)
  1115. smtc.expectedData[testsecret+"_"+tagname2] = []byte(tagvalue2)
  1116. }
  1117. setSecretWithJSONTag := func(smtc *secretManagerTestCase) {
  1118. tagJSONMap := make(map[string]*string)
  1119. tagJSONData := `{"keyname":"keyvalue","x":"y"}`
  1120. tagJSONMap["json"] = &tagJSONData
  1121. smtc.ref.MetadataPolicy = esv1beta1.ExternalSecretMetadataPolicyFetch
  1122. smtc.secretOutput = keyvault.SecretBundle{
  1123. Value: &secretString, Tags: tagJSONMap,
  1124. }
  1125. smtc.expectedData[testsecret+"_json_keyname"] = []byte("keyvalue")
  1126. smtc.expectedData[testsecret+"_json_x"] = []byte("y")
  1127. }
  1128. setSecretWithNoTags := func(smtc *secretManagerTestCase) {
  1129. smtc.ref.MetadataPolicy = esv1beta1.ExternalSecretMetadataPolicyFetch
  1130. tagMapTestEmpty := make(map[string]*string)
  1131. smtc.secretOutput = keyvault.SecretBundle{
  1132. Tags: tagMapTestEmpty,
  1133. }
  1134. smtc.expectedSecret = ""
  1135. }
  1136. nestedJSONNoProperty := func(smtc *secretManagerTestCase) {
  1137. jsonString := jsonTestString
  1138. smtc.expectedSecret = ""
  1139. smtc.secretOutput = keyvault.SecretBundle{
  1140. Value: &jsonString,
  1141. }
  1142. smtc.ref.Property = ""
  1143. smtc.expectedData["Name"] = []byte("External")
  1144. smtc.expectedData["LastName"] = []byte("Secret")
  1145. smtc.expectedData["Address"] = []byte(`{ "Street": "Myroad st.", "CP": "J4K4T4" }`)
  1146. }
  1147. setNestedJSONTag := func(smtc *secretManagerTestCase) {
  1148. secretTags := map[string]*string{}
  1149. tagValue := `{"foo":"bar","nested.tag":{"foo":"bar"}}`
  1150. bug := "1137"
  1151. secretTags["dev"] = &tagValue
  1152. secretTags["bug"] = &bug
  1153. smtc.ref.MetadataPolicy = esv1beta1.ExternalSecretMetadataPolicyFetch
  1154. smtc.secretOutput = keyvault.SecretBundle{
  1155. Tags: secretTags,
  1156. }
  1157. smtc.ref.Property = "dev"
  1158. smtc.expectedData[testsecret+"_dev"] = []byte(tagValue)
  1159. }
  1160. successCases := []*secretManagerTestCase{
  1161. makeValidSecretManagerTestCaseCustom(badSecretString),
  1162. makeValidSecretManagerTestCaseCustom(setSecretJSON),
  1163. makeValidSecretManagerTestCaseCustom(setSecretJSONWithProperty),
  1164. makeValidSecretManagerTestCaseCustom(badSecretWithProperty),
  1165. makeValidSecretManagerTestCaseCustom(badPubRSAKey),
  1166. makeValidSecretManagerTestCaseCustom(badCertificate),
  1167. makeValidSecretManagerTestCaseCustom(badSecretType),
  1168. makeValidSecretManagerTestCaseCustom(setSecretTags),
  1169. makeValidSecretManagerTestCaseCustom(setSecretWithJSONTag),
  1170. makeValidSecretManagerTestCaseCustom(setSecretWithNoTags),
  1171. makeValidSecretManagerTestCaseCustom(nestedJSONNoProperty),
  1172. makeValidSecretManagerTestCaseCustom(setNestedJSONTag),
  1173. }
  1174. sm := Azure{
  1175. provider: &esv1beta1.AzureKVProvider{VaultURL: pointer.String(fakeURL)},
  1176. }
  1177. for k, v := range successCases {
  1178. sm.baseClient = v.mockClient
  1179. out, err := sm.GetSecretMap(context.Background(), *v.ref)
  1180. if !utils.ErrorContains(err, v.expectError) {
  1181. t.Errorf("[%d] unexpected error: %s, expected: '%s'", k, err.Error(), v.expectError)
  1182. }
  1183. if err == nil && !reflect.DeepEqual(out, v.expectedData) {
  1184. t.Errorf("[%d] unexpected secret data: expected %#v, got %#v", k, v.expectedData, out)
  1185. }
  1186. }
  1187. }
  1188. func TestAzureKeyVaultSecretManagerGetAllSecrets(t *testing.T) {
  1189. secretString := secretString
  1190. secretName := secretName
  1191. wrongName := "not-valid"
  1192. environment := "dev"
  1193. author := "seb"
  1194. enabled := true
  1195. getNextPage := func(ctx context.Context, list keyvault.SecretListResult) (result keyvault.SecretListResult, err error) {
  1196. return keyvault.SecretListResult{
  1197. Value: nil,
  1198. NextLink: nil,
  1199. }, nil
  1200. }
  1201. setOneSecretByName := func(smtc *secretManagerTestCase) {
  1202. enabledAtt := keyvault.SecretAttributes{
  1203. Enabled: &enabled,
  1204. }
  1205. secretItem := keyvault.SecretItem{
  1206. ID: &secretName,
  1207. Attributes: &enabledAtt,
  1208. }
  1209. secretList := make([]keyvault.SecretItem, 0)
  1210. secretList = append(secretList, secretItem)
  1211. list := keyvault.SecretListResult{
  1212. Value: &secretList,
  1213. }
  1214. resultPage := keyvault.NewSecretListResultPage(list, getNextPage)
  1215. smtc.listOutput = keyvault.NewSecretListResultIterator(resultPage)
  1216. smtc.expectedSecret = secretString
  1217. smtc.secretOutput = keyvault.SecretBundle{
  1218. Value: &secretString,
  1219. }
  1220. smtc.expectedData[secretName] = []byte(secretString)
  1221. }
  1222. setTwoSecretsByName := func(smtc *secretManagerTestCase) {
  1223. enabledAtt := keyvault.SecretAttributes{
  1224. Enabled: &enabled,
  1225. }
  1226. secretItemOne := keyvault.SecretItem{
  1227. ID: &secretName,
  1228. Attributes: &enabledAtt,
  1229. }
  1230. secretItemTwo := keyvault.SecretItem{
  1231. ID: &wrongName,
  1232. Attributes: &enabledAtt,
  1233. }
  1234. secretList := make([]keyvault.SecretItem, 1)
  1235. secretList = append(secretList, secretItemOne, secretItemTwo)
  1236. list := keyvault.SecretListResult{
  1237. Value: &secretList,
  1238. }
  1239. resultPage := keyvault.NewSecretListResultPage(list, getNextPage)
  1240. smtc.listOutput = keyvault.NewSecretListResultIterator(resultPage)
  1241. smtc.expectedSecret = secretString
  1242. smtc.secretOutput = keyvault.SecretBundle{
  1243. Value: &secretString,
  1244. }
  1245. smtc.expectedData[secretName] = []byte(secretString)
  1246. }
  1247. setOneSecretByTag := func(smtc *secretManagerTestCase) {
  1248. enabledAtt := keyvault.SecretAttributes{
  1249. Enabled: &enabled,
  1250. }
  1251. secretItem := keyvault.SecretItem{
  1252. ID: &secretName,
  1253. Attributes: &enabledAtt,
  1254. Tags: map[string]*string{"environment": &environment},
  1255. }
  1256. secretList := make([]keyvault.SecretItem, 0)
  1257. secretList = append(secretList, secretItem)
  1258. list := keyvault.SecretListResult{
  1259. Value: &secretList,
  1260. }
  1261. resultPage := keyvault.NewSecretListResultPage(list, getNextPage)
  1262. smtc.listOutput = keyvault.NewSecretListResultIterator(resultPage)
  1263. smtc.expectedSecret = secretString
  1264. smtc.secretOutput = keyvault.SecretBundle{
  1265. Value: &secretString,
  1266. }
  1267. smtc.refFind.Tags = map[string]string{"environment": environment}
  1268. smtc.expectedData[secretName] = []byte(secretString)
  1269. }
  1270. setTwoSecretsByTag := func(smtc *secretManagerTestCase) {
  1271. enabled := true
  1272. enabledAtt := keyvault.SecretAttributes{
  1273. Enabled: &enabled,
  1274. }
  1275. secretItem := keyvault.SecretItem{
  1276. ID: &secretName,
  1277. Attributes: &enabledAtt,
  1278. Tags: map[string]*string{"environment": &environment, "author": &author},
  1279. }
  1280. secretList := make([]keyvault.SecretItem, 0)
  1281. secretList = append(secretList, secretItem)
  1282. list := keyvault.SecretListResult{
  1283. Value: &secretList,
  1284. }
  1285. resultPage := keyvault.NewSecretListResultPage(list, getNextPage)
  1286. smtc.listOutput = keyvault.NewSecretListResultIterator(resultPage)
  1287. smtc.expectedSecret = secretString
  1288. smtc.secretOutput = keyvault.SecretBundle{
  1289. Value: &secretString,
  1290. }
  1291. smtc.refFind.Tags = map[string]string{"environment": environment, "author": author}
  1292. smtc.expectedData[secretName] = []byte(secretString)
  1293. }
  1294. successCases := []*secretManagerTestCase{
  1295. makeValidSecretManagerTestCaseCustom(setOneSecretByName),
  1296. makeValidSecretManagerTestCaseCustom(setTwoSecretsByName),
  1297. makeValidSecretManagerTestCaseCustom(setOneSecretByTag),
  1298. makeValidSecretManagerTestCaseCustom(setTwoSecretsByTag),
  1299. }
  1300. sm := Azure{
  1301. provider: &esv1beta1.AzureKVProvider{VaultURL: pointer.String(fakeURL)},
  1302. }
  1303. for k, v := range successCases {
  1304. sm.baseClient = v.mockClient
  1305. out, err := sm.GetAllSecrets(context.Background(), *v.refFind)
  1306. if !utils.ErrorContains(err, v.expectError) {
  1307. t.Errorf(unexpectedError, k, err.Error(), v.expectError)
  1308. }
  1309. if err == nil && !reflect.DeepEqual(out, v.expectedData) {
  1310. t.Errorf(unexpectedSecretData, k, v.expectedData, out)
  1311. }
  1312. }
  1313. }
  1314. func makeValidRef() *esv1beta1.ExternalSecretDataRemoteRef {
  1315. return &esv1beta1.ExternalSecretDataRemoteRef{
  1316. Key: "test-secret",
  1317. Version: "default",
  1318. Property: "",
  1319. }
  1320. }
  1321. func makeValidFind() *esv1beta1.ExternalSecretFind {
  1322. return &esv1beta1.ExternalSecretFind{
  1323. Name: &esv1beta1.FindName{
  1324. RegExp: "^example",
  1325. },
  1326. Tags: map[string]string{},
  1327. }
  1328. }
  1329. func TestValidateStore(t *testing.T) {
  1330. type args struct {
  1331. store *esv1beta1.SecretStore
  1332. }
  1333. tests := []struct {
  1334. name string
  1335. args args
  1336. wantErr bool
  1337. }{
  1338. {
  1339. name: "storeIsNil",
  1340. wantErr: true,
  1341. },
  1342. {
  1343. name: "specIsNil",
  1344. wantErr: true,
  1345. args: args{
  1346. store: &esv1beta1.SecretStore{},
  1347. },
  1348. },
  1349. {
  1350. name: "providerIsNil",
  1351. wantErr: true,
  1352. args: args{
  1353. store: &esv1beta1.SecretStore{
  1354. Spec: esv1beta1.SecretStoreSpec{},
  1355. },
  1356. },
  1357. },
  1358. {
  1359. name: "azureKVIsNil",
  1360. wantErr: true,
  1361. args: args{
  1362. store: &esv1beta1.SecretStore{
  1363. Spec: esv1beta1.SecretStoreSpec{
  1364. Provider: &esv1beta1.SecretStoreProvider{},
  1365. },
  1366. },
  1367. },
  1368. },
  1369. {
  1370. name: "empty auth",
  1371. wantErr: false,
  1372. args: args{
  1373. store: &esv1beta1.SecretStore{
  1374. Spec: esv1beta1.SecretStoreSpec{
  1375. Provider: &esv1beta1.SecretStoreProvider{
  1376. AzureKV: &esv1beta1.AzureKVProvider{},
  1377. },
  1378. },
  1379. },
  1380. },
  1381. },
  1382. {
  1383. name: "empty client id",
  1384. wantErr: false,
  1385. args: args{
  1386. store: &esv1beta1.SecretStore{
  1387. Spec: esv1beta1.SecretStoreSpec{
  1388. Provider: &esv1beta1.SecretStoreProvider{
  1389. AzureKV: &esv1beta1.AzureKVProvider{
  1390. AuthSecretRef: &esv1beta1.AzureKVAuth{},
  1391. },
  1392. },
  1393. },
  1394. },
  1395. },
  1396. },
  1397. {
  1398. name: "invalid client id",
  1399. wantErr: true,
  1400. args: args{
  1401. store: &esv1beta1.SecretStore{
  1402. Spec: esv1beta1.SecretStoreSpec{
  1403. Provider: &esv1beta1.SecretStoreProvider{
  1404. AzureKV: &esv1beta1.AzureKVProvider{
  1405. AuthSecretRef: &esv1beta1.AzureKVAuth{
  1406. ClientID: &v1.SecretKeySelector{
  1407. Namespace: pointer.String("invalid"),
  1408. },
  1409. },
  1410. },
  1411. },
  1412. },
  1413. },
  1414. },
  1415. },
  1416. {
  1417. name: "invalid client secret",
  1418. wantErr: true,
  1419. args: args{
  1420. store: &esv1beta1.SecretStore{
  1421. Spec: esv1beta1.SecretStoreSpec{
  1422. Provider: &esv1beta1.SecretStoreProvider{
  1423. AzureKV: &esv1beta1.AzureKVProvider{
  1424. AuthSecretRef: &esv1beta1.AzureKVAuth{
  1425. ClientSecret: &v1.SecretKeySelector{
  1426. Namespace: pointer.String("invalid"),
  1427. },
  1428. },
  1429. },
  1430. },
  1431. },
  1432. },
  1433. },
  1434. },
  1435. }
  1436. for _, tt := range tests {
  1437. t.Run(tt.name, func(t *testing.T) {
  1438. a := &Azure{}
  1439. if tt.name == "storeIsNil" {
  1440. if err := a.ValidateStore(nil); (err != nil) != tt.wantErr {
  1441. t.Errorf(errStore, err, tt.wantErr)
  1442. }
  1443. } else if err := a.ValidateStore(tt.args.store); (err != nil) != tt.wantErr {
  1444. t.Errorf(errStore, err, tt.wantErr)
  1445. }
  1446. })
  1447. }
  1448. }