logic855
/
helm-external-secrets
cermin dari https://github.com/external-secrets/external-secrets


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304
							/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package kubernetes

import (
	"context"
	"errors"
	"fmt"
	"reflect"
	"strings"
	"testing"

	authv1 "k8s.io/api/authorization/v1"
	corev1 "k8s.io/api/core/v1"
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
	fclient "sigs.k8s.io/controller-runtime/pkg/client/fake"

	esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
	v1 "github.com/external-secrets/external-secrets/apis/meta/v1"
)

const (
	errTestFetchCredentialsSecret = "test could not fetch Credentials secret failed"
	errTestAuthValue              = "test failed key didn't match expected value"
)

type fakeClient struct {
	secretMap map[string]corev1.Secret
}

func (fk fakeClient) Get(ctx context.Context, name string, opts metav1.GetOptions) (*corev1.Secret, error) {
	secret, ok := fk.secretMap[name]

	if !ok {
		return nil, errors.New("Something went wrong")
	}
	return &secret, nil
}

type fakeReviewClient struct {
	authReview *authv1.SelfSubjectAccessReview
}

func (fk fakeReviewClient) Create(ctx context.Context, SelfSubjectAccessReview *authv1.SelfSubjectAccessReview, opts metav1.CreateOptions) (*authv1.SelfSubjectAccessReview, error) {
	if fk.authReview == nil {
		return nil, errors.New("Something went wrong")
	}
	return fk.authReview, nil
}

func TestKubernetesSecretManagerGetSecret(t *testing.T) {
	expected := make(map[string][]byte)
	value := "bar"
	expected["foo"] = []byte(value)
	mysecret := corev1.Secret{Data: expected}
	mysecretmap := make(map[string]corev1.Secret)
	mysecretmap["Key"] = mysecret

	fk := fakeClient{secretMap: mysecretmap}
	kp := ProviderKubernetes{Client: fk}

	ref := esv1beta1.ExternalSecretDataRemoteRef{Key: "Key", Property: "foo"}
	ctx := context.Background()

	output, _ := kp.GetSecret(ctx, ref)

	if string(output) != value {
		t.Error("missing match value of the secret")
	}

	ref = esv1beta1.ExternalSecretDataRemoteRef{Key: "Key2", Property: "foo"}
	_, err := kp.GetSecret(ctx, ref)

	if err.Error() != "Something went wrong" {
		t.Error("test failed")
	}

	ref = esv1beta1.ExternalSecretDataRemoteRef{Key: "Key", Property: "foo2"}
	_, err = kp.GetSecret(ctx, ref)
	expectedError := fmt.Sprintf("property %s does not exist in key %s", ref.Property, ref.Key)
	if err.Error() != expectedError {
		t.Error("test not existing property failed")
	}

	kp = ProviderKubernetes{Client: nil}
	_, err = kp.GetSecret(ctx, ref)

	if err.Error() != errUninitalizedKubernetesProvider {
		t.Error("test nil Client failed")
	}

	ref = esv1beta1.ExternalSecretDataRemoteRef{Key: "Key", Property: ""}
	_, err = kp.GetSecret(ctx, ref)

	if err.Error() != "property field not found on extrenal secrets" {
		t.Error("test nil Property failed")
	}
}

func TestKubernetesSecretManagerGetSecretMap(t *testing.T) {
	expected := make(map[string][]byte)
	value := "bar"
	expected["foo"] = []byte(value)
	expected["foo2"] = []byte(value)
	mysecret := corev1.Secret{Data: expected}
	mysecretmap := make(map[string]corev1.Secret)
	mysecretmap["Key"] = mysecret

	fk := fakeClient{secretMap: mysecretmap}
	kp := ProviderKubernetes{Client: fk}

	ref := esv1beta1.ExternalSecretDataRemoteRef{Key: "Key", Property: ""}
	ctx := context.Background()

	output, err := kp.GetSecretMap(ctx, ref)

	if err != nil {
		t.Error("test failed")
	}
	if !reflect.DeepEqual(output, expected) {
		t.Error("Objects are not equal")
	}
}

func TestKubernetesSecretManagerSetAuth(t *testing.T) {
	secretName := "good-name"
	CABundle := "CABundle"
	kp := esv1beta1.KubernetesProvider{Server: esv1beta1.KubernetesServer{}}

	fs := &corev1.Secret{
		ObjectMeta: metav1.ObjectMeta{Name: secretName},
		Data:       make(map[string][]byte),
	}
	fs.Data["cert"] = []byte("secret-cert")
	fs.Data["ca"] = []byte("secret-ca")
	fs.Data["bearerToken"] = []byte("bearerToken")

	fs2 := &corev1.Secret{
		ObjectMeta: metav1.ObjectMeta{Name: "secret-for-the-key"},
		Data:       make(map[string][]byte),
	}
	fs2.Data["key"] = []byte("secret-key")

	fk := fclient.NewClientBuilder().WithObjects(fs, fs2).Build()
	bc := BaseClient{fk, &kp, "", "", nil, nil, nil, nil}

	ctx := context.Background()

	err := bc.setAuth(ctx)

	if err.Error() != "no Certificate Authority provided" {
		fmt.Println(err.Error())
		t.Error("test no Certificate Authority provided failed")
	}

	kp.Server.CAProvider = &esv1beta1.CAProvider{
		Type:      esv1beta1.CAProviderTypeConfigMap,
		Name:      fs.ObjectMeta.Name,
		Namespace: &fs.ObjectMeta.Namespace,
		Key:       "ca",
	}

	bc.setAuth(ctx)

	if string(bc.CA) != "secret-ca" {
		t.Error("failed to set CA provider")
	}

	kp.Server.CABundle = []byte(CABundle)

	err = bc.setAuth(ctx)

	if err.Error() != "no credentials provided" {
		fmt.Println(err.Error())
		t.Error("test kubernetes credentials not empty failed")
	}

	if string(bc.CA) != CABundle {
		t.Error("failed to set CA provider")
	}

	kp = esv1beta1.KubernetesProvider{
		Auth: esv1beta1.KubernetesAuth{
			Cert: &esv1beta1.CertAuth{
				ClientCert: v1.SecretKeySelector{
					Name: "fake-name",
				},
			},
		},
	}
	kp.Server.CABundle = []byte(CABundle)

	err = bc.setAuth(ctx)

	if err.Error() != "could not fetch Credentials secret: secrets \"fake-name\" not found" {
		fmt.Println(err.Error())
		t.Error(errTestFetchCredentialsSecret)
	}

	kp.Auth.Cert.ClientCert.Name = fs.ObjectMeta.Name

	err = bc.setAuth(ctx)

	if err.Error() != fmt.Errorf(errMissingCredentials, "cert").Error() {
		fmt.Println(err.Error())
		t.Error(errTestFetchCredentialsSecret)
	}

	kp.Auth.Cert.ClientCert.Key = "cert"
	kp.Auth.Cert.ClientKey.Name = "secret-for-the-key"

	err = bc.setAuth(ctx)

	if err.Error() != fmt.Errorf(errMissingCredentials, "key").Error() {
		fmt.Println(err.Error())
		t.Error(errTestFetchCredentialsSecret)
	}
	kp.Auth.Cert.ClientKey.Key = "key"

	bc.setAuth(ctx)

	kp.Auth.Token = &esv1beta1.TokenAuth{BearerToken: v1.SecretKeySelector{Name: secretName}}

	err = bc.setAuth(ctx)

	if err.Error() != fmt.Errorf(errMissingCredentials, "bearerToken").Error() {
		fmt.Println(err.Error())
		t.Error(errTestFetchCredentialsSecret)
	}

	kp.Auth.Token = &esv1beta1.TokenAuth{BearerToken: v1.SecretKeySelector{Name: secretName, Key: "bearerToken"}}

	err = bc.setAuth(ctx)

	if err != nil {
		fmt.Println(err.Error())
		t.Error(errTestFetchCredentialsSecret)
	}
	if string(bc.CA) != CABundle {
		t.Error(errTestAuthValue)
	}
	if string(bc.Certificate) != "secret-cert" {
		t.Error(errTestAuthValue)
	}
	if string(bc.Key) != "secret-key" {
		t.Errorf(errTestAuthValue)
	}
	if string(bc.BearerToken) != "bearerToken" {
		t.Error(errTestAuthValue)
	}
}

func ErrorContains(out error, want string) bool {
	if out == nil {
		return want == ""
	}
	if want == "" {
		return false
	}
	return strings.Contains(out.Error(), want)
}

func TestValidate(t *testing.T) {
	authReview := authv1.SelfSubjectAccessReview{
		Status: authv1.SubjectAccessReviewStatus{
			Allowed: true,
		},
	}
	fakeClient := fakeReviewClient{authReview: &authReview}
	k := ProviderKubernetes{ReviewClient: fakeClient}
	err := k.Validate()
	if err != nil {
		t.Errorf("Test Failed! %v", err)
	}
	authReview = authv1.SelfSubjectAccessReview{
		Status: authv1.SubjectAccessReviewStatus{
			Allowed: false,
		},
	}
	fakeClient = fakeReviewClient{authReview: &authReview}
	k = ProviderKubernetes{ReviewClient: fakeClient}
	err = k.Validate()
	if err.Error() != "client is not allowed to get secrets" {
		t.Errorf("Test Failed! Wanted client is not allowed to get secrets got: %v", err)
	}

	fakeClient = fakeReviewClient{}
	k = ProviderKubernetes{ReviewClient: fakeClient}
	err = k.Validate()
	if err.Error() != "could not verify if client is valid: Something went wrong" {
		t.Errorf("Test Failed! Wanted could not verify if client is valid: Something went wrong got: %v", err)
	}
}