Home Explore Help
Sign In
logic855
/
helm-external-secrets
mirror of https://github.com/external-secrets/external-secrets
1
0
Fork 0
Files Issues 0 Wiki
Tree: b389570c81
Branches Tags
helm-externa...
/
pkg
/
provider
/
webhook
/
webhook_test.go

webhook_test.go 11 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406 
  1. /*
    2. 

  2. Licensed under the Apache License, Version 2.0 (the "License");
    3. 

  3. you may not use this file except in compliance with the License.
    4. 

  4. You may obtain a copy of the License at
    5. 

  5. 

  6. 	http://www.apache.org/licenses/LICENSE-2.0
    7. 

  7. 

  8. Unless required by applicable law or agreed to in writing, software
    9. 

  9. distributed under the License is distributed on an "AS IS" BASIS,
    10. 

  10. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    11. 

  11. See the License for the specific language governing permissions and
    12. 

  12. limitations under the License.
    13. 

  13. */
    14. 

  14. package webhook
    15. 

  15. 

  16. import (
    17. 

  17. 	"bytes"
    18. 

  18. 	"context"
    19. 

  19. 	"errors"
    20. 

  20. 	"io"
    21. 

  21. 	"net/http"
    22. 

  22. 	"net/http/httptest"
    23. 

  23. 	"strings"
    24. 

  24. 	"testing"
    25. 

  25. 	"time"
    26. 

  26. 

  27. 	"gopkg.in/yaml.v3"
    28. 

  28. 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
    29. 

  29. 

  30. 	esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
    31. 

  31. )
    32. 

  32. 

  33. type testCase struct {
    34. 

  34. 	Case string `json:"case,omitempty"`
    35. 

  35. 	Args args   `json:"args"`
    36. 

  36. 	Want want   `json:"want"`
    37. 

  37. }
    38. 

  38. 

  39. type args struct {
    40. 

  40. 	URL        string `json:"url,omitempty"`
    41. 

  41. 	Body       string `json:"body,omitempty"`
    42. 

  42. 	Timeout    string `json:"timeout,omitempty"`
    43. 

  43. 	Key        string `json:"key,omitempty"`
    44. 

  44. 	Property   string `json:"property,omitempty"`
    45. 

  45. 	Version    string `json:"version,omitempty"`
    46. 

  46. 	JSONPath   string `json:"jsonpath,omitempty"`
    47. 

  47. 	Response   string `json:"response,omitempty"`
    48. 

  48. 	StatusCode int    `json:"statuscode,omitempty"`
    49. 

  49. }
    50. 

  50. 

  51. type want struct {
    52. 

  52. 	Path      string            `json:"path,omitempty"`
    53. 

  53. 	Err       string            `json:"err,omitempty"`
    54. 

  54. 	Result    string            `json:"result,omitempty"`
    55. 

  55. 	ResultMap map[string]string `json:"resultmap,omitempty"`
    56. 

  56. }
    57. 

  57. 

  58. var testCases = `
    59. 

  59. case: error url
    60. 

  60. args:
    61. 

  61.   url: /api/getsecret?id={{ .unclosed.template
    62. 

  62. want:
    63. 

  63.   err: failed to parse url
    64. 

  64. ---
    65. 

  65. case: error body
    66. 

  66. args:
    67. 

  67.   url: /api/getsecret?id={{ .remoteRef.key }}&version={{ .remoteRef.version }}
    68. 

  68.   body: Body error {{ .unclosed.template
    69. 

  69. want:
    70. 

  70.   err: failed to parse body
    71. 

  71. ---
    72. 

  72. case: error connection
    73. 

  73. args:
    74. 

  74.   url: 1/api/getsecret?id={{ .remoteRef.key }}&version={{ .remoteRef.version }}
    75. 

  75. want:
    76. 

  76.   err: failed to call endpoint
    77. 

  77. ---
    78. 

  78. case: error no secret err
    79. 

  79. args:
    80. 

  80.   url: /api/getsecret?id={{ .remoteRef.key }}&version={{ .remoteRef.version }}
    81. 

  81.   key: testkey
    82. 

  82.   version: 1
    83. 

  83.   statuscode: 404
    84. 

  84.   response: not found
    85. 

  85. want:
    86. 

  86.   path: /api/getsecret?id=testkey&version=1
    87. 

  87.   err: ` + esv1beta1.NoSecretErr.Error() + `
    88. 

  88. ---
    89. 

  89. case: error server error
    90. 

  90. args:
    91. 

  91.   url: /api/getsecret?id={{ .remoteRef.key }}&version={{ .remoteRef.version }}
    92. 

  92.   key: testkey
    93. 

  93.   version: 1
    94. 

  94.   statuscode: 500
    95. 

  95.   response: server error
    96. 

  96. want:
    97. 

  97.   path: /api/getsecret?id=testkey&version=1
    98. 

  98.   err: endpoint gave error 500
    99. 

  99. ---
    100. 

  100. case: error bad json
    101. 

  101. args:
    102. 

  102.   url: /api/getsecret?id={{ .remoteRef.key }}&version={{ .remoteRef.version }}
    103. 

  103.   key: testkey
    104. 

  104.   version: 1
    105. 

  105.   jsonpath: $.result.thesecret
    106. 

  106.   response: '{"result":{"thesecret":"secret-value"}'
    107. 

  107. want:
    108. 

  108.   path: /api/getsecret?id=testkey&version=1
    109. 

  109.   err: failed to parse response json
    110. 

  110. ---
    111. 

  111. case: error bad jsonpath
    112. 

  112. args:
    113. 

  113.   url: /api/getsecret?id={{ .remoteRef.key }}&version={{ .remoteRef.version }}
    114. 

  114.   key: testkey
    115. 

  115.   version: 1
    116. 

  116.   jsonpath: $.result.thesecret
    117. 

  117.   response: '{"result":{"nosecret":"secret-value"}}'
    118. 

  118. want:
    119. 

  119.   path: /api/getsecret?id=testkey&version=1
    120. 

  120.   err: failed to get response path
    121. 

  121. ---
    122. 

  122. case: error bad json data
    123. 

  123. args:
    124. 

  124.   url: /api/getsecret?id={{ .remoteRef.key }}&version={{ .remoteRef.version }}
    125. 

  125.   key: testkey
    126. 

  126.   version: 1
    127. 

  127.   jsonpath: $.result.thesecret
    128. 

  128.   response: '{"result":{"thesecret":{"one":"secret-value"}}}'
    129. 

  129. want:
    130. 

  130.   path: /api/getsecret?id=testkey&version=1
    131. 

  131.   err: failed to get response (wrong type
    132. 

  132. ---
    133. 

  133. case: error timeout
    134. 

  134. args:
    135. 

  135.   url: /api/getsecret?id={{ .remoteRef.key }}&version={{ .remoteRef.version }}
    136. 

  136.   key: testkey
    137. 

  137.   version: 1
    138. 

  138.   response: secret-value
    139. 

  139.   timeout: 0.01ms
    140. 

  140. want:
    141. 

  141.   path: /api/getsecret?id=testkey&version=1
    142. 

  142.   err: context deadline exceeded
    143. 

  143. ---
    144. 

  144. case: good plaintext
    145. 

  145. args:
    146. 

  146.   url: /api/getsecret?id={{ .remoteRef.key }}&version={{ .remoteRef.version }}
    147. 

  147.   key: testkey
    148. 

  148.   version: 1
    149. 

  149.   response: secret-value
    150. 

  150. want:
    151. 

  151.   path: /api/getsecret?id=testkey&version=1
    152. 

  152.   err: ''
    153. 

  153.   result: secret-value
    154. 

  154. ---
    155. 

  155. case: good json
    156. 

  156. args:
    157. 

  157.   url: /api/getsecret?id={{ .remoteRef.key }}&version={{ .remoteRef.version }}
    158. 

  158.   key: testkey
    159. 

  159.   version: 1
    160. 

  160.   jsonpath: $.result.thesecret
    161. 

  161.   response: '{"result":{"thesecret":"secret-value"}}'
    162. 

  162. want:
    163. 

  163.   path: /api/getsecret?id=testkey&version=1
    164. 

  164.   err: ''
    165. 

  165.   result: secret-value
    166. 

  166. ---
    167. 

  167. case: good json map
    168. 

  168. args:
    169. 

  169.   url: /api/getsecret?id={{ .remoteRef.key }}&version={{ .remoteRef.version }}
    170. 

  170.   key: testkey
    171. 

  171.   version: 1
    172. 

  172.   jsonpath: $.result
    173. 

  173.   response: '{"result":{"thesecret":"secret-value","alsosecret":"another-value"}}'
    174. 

  174. want:
    175. 

  175.   path: /api/getsecret?id=testkey&version=1
    176. 

  176.   err: ''
    177. 

  177.   resultmap:
    178. 

  178.     thesecret: secret-value
    179. 

  179.     alsosecret: another-value
    180. 

  180. ---
    181. 

  181. case: good json map string
    182. 

  182. args:
    183. 

  183.   url: /api/getsecret?id={{ .remoteRef.key }}&version={{ .remoteRef.version }}
    184. 

  184.   key: testkey
    185. 

  185.   version: 1
    186. 

  186.   response: '{"thesecret":"secret-value","alsosecret":"another-value"}'
    187. 

  187. want:
    188. 

  188.   path: /api/getsecret?id=testkey&version=1
    189. 

  189.   err: ''
    190. 

  190.   resultmap:
    191. 

  191.     thesecret: secret-value
    192. 

  192.     alsosecret: another-value
    193. 

  193. ---
    194. 

  194. case: error json map string
    195. 

  195. args:
    196. 

  196.   url: /api/getsecret?id={{ .remoteRef.key }}&version={{ .remoteRef.version }}
    197. 

  197.   key: testkey
    198. 

  198.   version: 1
    199. 

  199.   response: 'some simple string'
    200. 

  200. want:
    201. 

  201.   path: /api/getsecret?id=testkey&version=1
    202. 

  202.   err: failed to get response (wrong type
    203. 

  203.   resultmap:
    204. 

  204.     thesecret: secret-value
    205. 

  205.     alsosecret: another-value
    206. 

  206. ---
    207. 

  207. case: error json map
    208. 

  208. args:
    209. 

  209.   url: /api/getsecret?id={{ .remoteRef.key }}&version={{ .remoteRef.version }}
    210. 

  210.   key: testkey
    211. 

  211.   version: 1
    212. 

  212.   jsonpath: $.result.thesecret
    213. 

  213.   response: '{"result":{"thesecret":"secret-value","alsosecret":"another-value"}}'
    214. 

  214. want:
    215. 

  215.   path: /api/getsecret?id=testkey&version=1
    216. 

  216.   err: failed to get response (wrong type
    217. 

  217.   resultmap:
    218. 

  218.     thesecret: secret-value
    219. 

  219.     alsosecret: another-value
    220. 

  220. ---
    221. 

  221. case: good json with good templated jsonpath
    222. 

  222. args:
    223. 

  223.   url: /api/getsecret?id={{ .remoteRef.key }}&version={{ .remoteRef.version }}
    224. 

  224.   key: testkey
    225. 

  225.   property: thesecret
    226. 

  226.   version: 1
    227. 

  227.   jsonpath: $.result.{{ .remoteRef.property }}
    228. 

  228.   response: '{"result":{"thesecret":"secret-value"}}'
    229. 

  229. want:
    230. 

  230.   path: /api/getsecret?id=testkey&version=1
    231. 

  231.   err: ''
    232. 

  232.   result: secret-value
    233. 

  233. ---
    234. 

  234. case: good json with jsonpath filter
    235. 

  235. args:
    236. 

  236.   url: /api/getsecret?id={{ .remoteRef.key }}&version={{ .remoteRef.version }}
    237. 

  237.   key: testkey
    238. 

  238.   version: 1
    239. 

  239.   jsonpath: $.secrets[?@.name=="thesecret"].value
    240. 

  240.   response: '{"secrets": [{"name": "thesecret", "value": "secret-value"}, {"name": "alsosecret", "value": "another-value"}]}'
    241. 

  241. want:
    242. 

  242.   path: /api/getsecret?id=testkey&version=1
    243. 

  243.   err: ''
    244. 

  244.   result: secret-value
    245. 

  245. ---
    246. 

  246. case: good json with bad templated jsonpath
    247. 

  247. args:
    248. 

  248.   url: /api/getsecret?id={{ .remoteRef.key }}&version={{ .remoteRef.version }}
    249. 

  249.   key: testkey
    250. 

  250.   property: thesecret
    251. 

  251.   version: 1
    252. 

  252.   jsonpath: $.result.{{ .remoteRef.property }
    253. 

  253.   response: '{"result":{"thesecret":"secret-value"}}'
    254. 

  254. want:
    255. 

  255.   path: /api/getsecret?id=testkey&version=1
    256. 

  256.   err: 'template: webhooktemplate:1: unexpected "}" in operand'
    257. 

  257. ---
    258. 

  258. case: error with jsonpath filter empty results
    259. 

  259. args:
    260. 

  260.   url: /api/getsecret?id={{ .remoteRef.key }}&version={{ .remoteRef.version }}
    261. 

  261.   key: testkey
    262. 

  262.   version: 1
    263. 

  263.   jsonpath: $.secrets[?@.name=="thebadsecret"].value
    264. 

  264.   response: '{"secrets": [{"name": "thesecret", "value": "secret-value"}, {"name": "alsosecret", "value": "another-value"}]}'
    265. 

  265. want:
    266. 

  266.   path: /api/getsecret?id=testkey&version=1
    267. 

  267.   err: "filter worked but didn't get any result"
    268. 

  268. `
    269. 

  269. 

  270. func TestWebhookGetSecret(t *testing.T) {
    271. 

  271. 	ydec := yaml.NewDecoder(bytes.NewReader([]byte(testCases)))
    272. 

  272. 	for {
    273. 

  273. 		var tc testCase
    274. 

  274. 		if err := ydec.Decode(&tc); err != nil {
    275. 

  275. 			if !errors.Is(err, io.EOF) {
    276. 

  276. 				t.Errorf("testcase decode error %v", err)
    277. 

  277. 			}
    278. 

  278. 			break
    279. 

  279. 		}
    280. 

  280. 		runTestCase(tc, t)
    281. 

  281. 	}
    282. 

  282. }
    283. 

  283. 

  284. func testCaseServer(tc testCase, t *testing.T) *httptest.Server {
    285. 

  285. 	// Start a new server for every test case because the server wants to check the expected api path
    286. 

  286. 	return httptest.NewServer(http.HandlerFunc(func(rw http.ResponseWriter, req *http.Request) {
    287. 

  287. 		if tc.Want.Path != "" && req.URL.String() != tc.Want.Path {
    288. 

  288. 			t.Errorf("%s: unexpected api path: %s, expected %s", tc.Case, req.URL.String(), tc.Want.Path)
    289. 

  289. 		}
    290. 

  290. 		if tc.Args.StatusCode != 0 {
    291. 

  291. 			rw.WriteHeader(tc.Args.StatusCode)
    292. 

  292. 		}
    293. 

  293. 		rw.Write([]byte(tc.Args.Response))
    294. 

  294. 	}))
    295. 

  295. }
    296. 

  296. 

  297. func parseTimeout(timeout string) (*metav1.Duration, error) {
    298. 

  298. 	if timeout == "" {
    299. 

  299. 		return nil, nil
    300. 

  300. 	}
    301. 

  301. 	dur, err := time.ParseDuration(timeout)
    302. 

  302. 	if err != nil {
    303. 

  303. 		return nil, err
    304. 

  304. 	}
    305. 

  305. 	return &metav1.Duration{Duration: dur}, nil
    306. 

  306. }
    307. 

  307. 

  308. func runTestCase(tc testCase, t *testing.T) {
    309. 

  309. 	ts := testCaseServer(tc, t)
    310. 

  310. 	defer ts.Close()
    311. 

  311. 

  312. 	testStore := makeClusterSecretStore(ts.URL, tc.Args)
    313. 

  313. 	var err error
    314. 

  314. 	timeout, err := parseTimeout(tc.Args.Timeout)
    315. 

  315. 	if err != nil {
    316. 

  316. 		t.Errorf("%s: error parsing timeout '%s': %s", tc.Case, tc.Args.Timeout, err.Error())
    317. 

  317. 		return
    318. 

  318. 	}
    319. 

  319. 	testStore.Spec.Provider.Webhook.Timeout = timeout
    320. 

  320. 	testProv := &Provider{}
    321. 

  321. 	client, err := testProv.NewClient(context.Background(), testStore, nil, "testnamespace")
    322. 

  322. 	if err != nil {
    323. 

  323. 		t.Errorf("%s: error creating client: %s", tc.Case, err.Error())
    324. 

  324. 		return
    325. 

  325. 	}
    326. 

  326. 

  327. 	if tc.Want.ResultMap != nil {
    328. 

  328. 		testGetSecretMap(tc, t, client)
    329. 

  329. 	} else {
    330. 

  330. 		testGetSecret(tc, t, client)
    331. 

  331. 	}
    332. 

  332. }
    333. 

  333. 

  334. func testGetSecretMap(tc testCase, t *testing.T, client esv1beta1.SecretsClient) {
    335. 

  335. 	testRef := esv1beta1.ExternalSecretDataRemoteRef{
    336. 

  336. 		Key:     tc.Args.Key,
    337. 

  337. 		Version: tc.Args.Version,
    338. 

  338. 	}
    339. 

  339. 	secretmap, err := client.GetSecretMap(context.Background(), testRef)
    340. 

  340. 	errStr := ""
    341. 

  341. 	if err != nil {
    342. 

  342. 		errStr = err.Error()
    343. 

  343. 	}
    344. 

  344. 	if (tc.Want.Err == "") != (errStr == "") || !strings.Contains(errStr, tc.Want.Err) {
    345. 

  345. 		t.Errorf("%s: unexpected error: '%s' (expected '%s')", tc.Case, errStr, tc.Want.Err)
    346. 

  346. 	}
    347. 

  347. 	if err == nil {
    348. 

  348. 		for wantkey, wantval := range tc.Want.ResultMap {
    349. 

  349. 			gotval, ok := secretmap[wantkey]
    350. 

  350. 			if !ok {
    351. 

  351. 				t.Errorf("%s: unexpected response: wanted key '%s' not found", tc.Case, wantkey)
    352. 

  352. 			} else if string(gotval) != wantval {
    353. 

  353. 				t.Errorf("%s: unexpected response: key '%s' = '%s' (expected '%s')", tc.Case, wantkey, wantval, gotval)
    354. 

  354. 			}
    355. 

  355. 		}
    356. 

  356. 	}
    357. 

  357. }
    358. 

  358. 

  359. func testGetSecret(tc testCase, t *testing.T, client esv1beta1.SecretsClient) {
    360. 

  360. 	testRef := esv1beta1.ExternalSecretDataRemoteRef{
    361. 

  361. 		Key:      tc.Args.Key,
    362. 

  362. 		Property: tc.Args.Property,
    363. 

  363. 		Version:  tc.Args.Version,
    364. 

  364. 	}
    365. 

  365. 	ctx, cancel := context.WithTimeout(context.Background(), time.Second)
    366. 

  366. 	defer cancel()
    367. 

  367. 	secret, err := client.GetSecret(ctx, testRef)
    368. 

  368. 	errStr := ""
    369. 

  369. 	if err != nil {
    370. 

  370. 		errStr = err.Error()
    371. 

  371. 	}
    372. 

  372. 	if !strings.Contains(errStr, tc.Want.Err) {
    373. 

  373. 		t.Errorf("%s: unexpected error: '%s' (expected '%s')", tc.Case, errStr, tc.Want.Err)
    374. 

  374. 	}
    375. 

  375. 	if err == nil && string(secret) != tc.Want.Result {
    376. 

  376. 		t.Errorf("%s: unexpected response: '%s' (expected '%s')", tc.Case, secret, tc.Want.Result)
    377. 

  377. 	}
    378. 

  378. }
    379. 

  379. 

  380. func makeClusterSecretStore(url string, args args) *esv1beta1.ClusterSecretStore {
    381. 

  381. 	store := &esv1beta1.ClusterSecretStore{
    382. 

  382. 		TypeMeta: metav1.TypeMeta{
    383. 

  383. 			Kind: "ClusterSecretStore",
    384. 

  384. 		},
    385. 

  385. 		ObjectMeta: metav1.ObjectMeta{
    386. 

  386. 			Name:      "wehbook-store",
    387. 

  387. 			Namespace: "default",
    388. 

  388. 		},
    389. 

  389. 		Spec: esv1beta1.SecretStoreSpec{
    390. 

  390. 			Provider: &esv1beta1.SecretStoreProvider{
    391. 

  391. 				Webhook: &esv1beta1.WebhookProvider{
    392. 

  392. 					URL:  url + args.URL,
    393. 

  393. 					Body: args.Body,
    394. 

  394. 					Headers: map[string]string{
    395. 

  395. 						"Content-Type": "application.json",
    396. 

  396. 						"X-SecretKey":  "{{ .remoteRef.key }}",
    397. 

  397. 					},
    398. 

  398. 					Result: esv1beta1.WebhookResult{
    399. 

  399. 						JSONPath: args.JSONPath,
    400. 

  400. 					},
    401. 

  401. 				},
    402. 

  402. 			},
    403. 

  403. 		},
    404. 

  404. 	}
    405. 

  405. 	return store
    406. 

  406. }
    407.