helm-external-secrets/pkg/provider/kubernetes/kubernetes_test.go

/*
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package kubernetes

import (
	"context"
	"errors"
	"fmt"
	"reflect"
	"strings"
	"testing"

	corev1 "k8s.io/api/core/v1"
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
	fclient "sigs.k8s.io/controller-runtime/pkg/client/fake"

	esv1alpha1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
)

type fakeClient struct {
	secretMap map[string]corev1.Secret
}

func (fk fakeClient) Get(ctx context.Context, name string, opts metav1.GetOptions) (*corev1.Secret, error) {
	secret, ok := fk.secretMap[name]

	if !ok {
		return nil, errors.New("Something went wrong")
	}
	return &secret, nil
}

func (fk fakeClient) Create(ctx context.Context, name string, opts metav1.GetOptions) (*corev1.Secret, error) {
	return nil, nil
}

func TestKubernetesSecretManagerGetSecret(t *testing.T) {
	expected := make(map[string][]byte)
	value := "bar"
	expected["foo"] = []byte(value)
	mysecret := corev1.Secret{Data: expected}
	mysecretmap := make(map[string]corev1.Secret)
	mysecretmap["Key"] = mysecret

	fk := fakeClient{secretMap: mysecretmap}
	kp := ProviderKubernetes{Client: fk}

	ref := esv1alpha1.ExternalSecretDataRemoteRef{Key: "Key", Property: "foo"}
	ctx := context.Background()

	output, _ := kp.GetSecret(ctx, ref)

	if string(output) != value {
		t.Error("missing match value of the secret")
	}

	ref = esv1alpha1.ExternalSecretDataRemoteRef{Key: "Key2", Property: "foo"}
	_, err := kp.GetSecret(ctx, ref)

	if err.Error() != "Something went wrong" {
		t.Error("test failed")
	}

	ref = esv1alpha1.ExternalSecretDataRemoteRef{Key: "Key", Property: "foo2"}
	_, err = kp.GetSecret(ctx, ref)
	expectedError := fmt.Sprintf("property %s does not exist in key %s", ref.Property, ref.Key)
	if err.Error() != expectedError {
		t.Error("test not existing property failed")
	}

	kp = ProviderKubernetes{Client: nil}
	_, err = kp.GetSecret(ctx, ref)

	if err.Error() != errUninitalizedKubernetesProvider {
		t.Error("test nil Client failed")
	}

	ref = esv1alpha1.ExternalSecretDataRemoteRef{Key: "Key", Property: ""}
	_, err = kp.GetSecret(ctx, ref)

	if err.Error() != "property field not found on extrenal secrets" {
		t.Error("test nil Property failed")
	}
}

func TestKubernetesSecretManagerGetSecretMap(t *testing.T) {
	expected := make(map[string][]byte)
	value := "bar"
	expected["foo"] = []byte(value)
	expected["foo2"] = []byte(value)
	mysecret := corev1.Secret{Data: expected}
	mysecretmap := make(map[string]corev1.Secret)
	mysecretmap["Key"] = mysecret

	fk := fakeClient{secretMap: mysecretmap}
	kp := ProviderKubernetes{Client: fk}

	ref := esv1alpha1.ExternalSecretDataRemoteRef{Key: "Key", Property: ""}
	ctx := context.Background()

	output, err := kp.GetSecretMap(ctx, ref)

	if err != nil {
		t.Error("test failed")
	}
	if !reflect.DeepEqual(output, expected) {
		t.Error("Objects are not equal")
	}
}

func TestKubernetesSecretManagerSetAuth(t *testing.T) {
	kp := esv1alpha1.KubernetesProvider{}
	fs := &corev1.Secret{}
	secretName := "good-name"
	fs.ObjectMeta.Name = secretName
	secretValue := make(map[string][]byte)
	secretValue["cert"] = []byte("secret-cert")
	secretValue["ca"] = []byte("secret-ca")
	secretValue["bearerToken"] = []byte("bearerToken")

	fs2 := &corev1.Secret{}
	fs2.ObjectMeta.Name = "secret-for-the-key"
	secretValue2 := make(map[string][]byte)
	secretValue2["key"] = []byte("secret-key")

	fs.Data = secretValue
	fs2.Data = secretValue2
	fk := fclient.NewClientBuilder().WithObjects(fs, fs2).Build()
	bc := BaseClient{fk, &kp, "", "", "", "", nil, nil, nil, nil}

	ctx := context.Background()

	err := bc.setAuth(ctx)

	if err.Error() != "kubernetes credentials are empty" {
		t.Error("test kubernetes credentials not empty failed")
	}

	kp = esv1alpha1.KubernetesProvider{
		Auth: esv1alpha1.KubernetesAuth{
			SecretRef: esv1alpha1.KubernetesSecretRef{
				Certificate: esmeta.SecretKeySelector{
					Name: "fake-name",
				},
			},
		},
	}

	err = bc.setAuth(ctx)

	if err.Error() != "could not fetch Credentials secret: secrets \"fake-name\" not found" {
		fmt.Println(err.Error())
		t.Error("test could not fetch Credentials secret failed")
	}
	kp.Auth.SecretRef.Certificate.Name = secretName

	err = bc.setAuth(ctx)

	if err.Error() != "missing Credentials: cert" {
		fmt.Println(err.Error())
		t.Error("test could not fetch Credentials secret failed")
	}

	kp.Auth.SecretRef.Certificate.Key = "cert"
	kp.Auth.SecretRef.Key.Name = "secret-for-the-key"

	err = bc.setAuth(ctx)

	if err.Error() != "missing Credentials: key" {
		fmt.Println(err.Error())
		t.Error("test could not fetch Credentials secret failed")
	}

	kp.Auth.SecretRef.Key.Key = "key"
	kp.Auth.SecretRef.CA.Name = secretName

	err = bc.setAuth(ctx)

	if err.Error() != "missing Credentials: ca" {
		fmt.Println(err.Error())
		t.Error("test could not fetch Credentials secret failed")
	}
	kp.Auth.SecretRef.CA.Key = "ca"
	kp.Auth.SecretRef.BearerToken.Name = secretName

	err = bc.setAuth(ctx)

	if err.Error() != "missing Credentials: bearerToken" {
		fmt.Println(err.Error())
		t.Error("test could not fetch Credentials secret failed")
	}

	kp.Auth.SecretRef.BearerToken.Key = "bearerToken"

	err = bc.setAuth(ctx)

	if err != nil {
		fmt.Println(err.Error())
		t.Error("test could not fetch Credentials secret failed")
	}
}

func ErrorContains(out error, want string) bool {
	if out == nil {
		return want == ""
	}
	if want == "" {
		return false
	}
	return strings.Contains(out.Error(), want)
}