Home Explore Help
Sign In
logic855
/
helm-external-secrets
mirror of https://github.com/external-secrets/external-secrets
1
0
Fork 0
Files Issues 0 Wiki
Tree: e324c5f9ee
Branches Tags
helm-externa...
/
pkg
/
provider
/
yandex
/
lockbox
/
client
/
fakeclient.go

fakeclient.go 6.4 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188 
  1. /*
    2. 

  2. Licensed under the Apache License, Version 2.0 (the "License");
    3. 

  3. you may not use this file except in compliance with the License.
    4. 

  4. You may obtain a copy of the License at
    5. 

  5. 

  6. 	http://www.apache.org/licenses/LICENSE-2.0
    7. 

  7. 

  8. Unless required by applicable law or agreed to in writing, software
    9. 

  9. distributed under the License is distributed on an "AS IS" BASIS,
    10. 

  10. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    11. 

  11. See the License for the specific language governing permissions and
    12. 

  12. limitations under the License.
    13. 

  13. */
    14. 

  14. 

  15. package client
    16. 

  16. 

  17. import (
    18. 

  18. 	"context"
    19. 

  19. 	"errors"
    20. 

  20. 	"time"
    21. 

  21. 

  22. 	"github.com/go-logr/logr"
    23. 

  23. 

  24. 	"github.com/google/go-cmp/cmp"
    25. 

  25. 	"github.com/google/go-cmp/cmp/cmpopts"
    26. 

  26. 	"github.com/google/uuid"
    27. 

  27. 	api "github.com/yandex-cloud/go-genproto/yandex/cloud/lockbox/v1"
    28. 

  28. 	"github.com/yandex-cloud/go-sdk/iamkey"
    29. 

  29. 

  30. 	"github.com/external-secrets/external-secrets/pkg/provider/yandex/common"
    31. 

  31. 	"github.com/external-secrets/external-secrets/pkg/provider/yandex/common/clock"
    32. 

  32. )
    33. 

  33. 

  34. // Fake implementation of LockboxClient.
    35. 

  35. type fakeLockboxClient struct {
    36. 

  36. 	fakeLockboxServer *FakeLockboxServer
    37. 

  37. }
    38. 

  38. 

  39. func NewFakeLockboxClient(fakeLockboxServer *FakeLockboxServer) LockboxClient {
    40. 

  40. 	return &fakeLockboxClient{fakeLockboxServer}
    41. 

  41. }
    42. 

  42. 

  43. func (c *fakeLockboxClient) GetPayloadEntries(_ context.Context, iamToken, secretID, versionID string) ([]*api.Payload_Entry, error) {
    44. 

  44. 	return c.fakeLockboxServer.getEntries(iamToken, secretID, versionID)
    45. 

  45. }
    46. 

  46. 

  47. func (c *fakeLockboxClient) GetExPayload(_ context.Context, iamToken, folderID, name, versionID string) (map[string][]byte, error) {
    48. 

  48. 	return c.fakeLockboxServer.getExPayload(iamToken, folderID, name, versionID)
    49. 

  49. }
    50. 

  50. 

  51. // Fakes Yandex Lockbox service backend.
    52. 

  52. type FakeLockboxServer struct {
    53. 

  53. 	secretMap        map[secretKey]secretValue               // secret specific data
    54. 

  54. 	versionMap       map[versionKey]versionValue             // version specific data
    55. 

  55. 	tokenMap         map[tokenKey]tokenValue                 // token specific data
    56. 

  56. 	folderAndNameMap map[folderAndNameKey]folderAndNameValue // folderAndName specific data
    57. 

  57. 

  58. 	tokenExpirationDuration time.Duration
    59. 

  59. 	clock                   clock.Clock
    60. 

  60. 	logger                  logr.Logger
    61. 

  61. }
    62. 

  62. 

  63. type secretKey struct {
    64. 

  64. 	secretID string
    65. 

  65. }
    66. 

  66. 

  67. type secretValue struct {
    68. 

  68. 	expectedAuthorizedKey *iamkey.Key // authorized key expected to access the secret
    69. 

  69. }
    70. 

  70. 

  71. type versionKey struct {
    72. 

  72. 	secretID  string
    73. 

  73. 	versionID string
    74. 

  74. }
    75. 

  75. 

  76. type versionValue struct {
    77. 

  77. 	entries []*api.Payload_Entry
    78. 

  78. }
    79. 

  79. 

  80. type folderAndNameKey struct {
    81. 

  81. 	folderID string
    82. 

  82. 	name     string
    83. 

  83. }
    84. 

  84. 

  85. type folderAndNameValue struct {
    86. 

  86. 	secretID string
    87. 

  87. }
    88. 

  88. 

  89. type tokenKey struct {
    90. 

  90. 	token string
    91. 

  91. }
    92. 

  92. 

  93. type tokenValue struct {
    94. 

  94. 	authorizedKey *iamkey.Key
    95. 

  95. 	expiresAt     time.Time
    96. 

  96. }
    97. 

  97. 

  98. func NewFakeLockboxServer(clock clock.Clock, tokenExpirationDuration time.Duration) *FakeLockboxServer {
    99. 

  99. 	return &FakeLockboxServer{
    100. 

  100. 		secretMap:               make(map[secretKey]secretValue),
    101. 

  101. 		versionMap:              make(map[versionKey]versionValue),
    102. 

  102. 		tokenMap:                make(map[tokenKey]tokenValue),
    103. 

  103. 		folderAndNameMap:        make(map[folderAndNameKey]folderAndNameValue),
    104. 

  104. 		tokenExpirationDuration: tokenExpirationDuration,
    105. 

  105. 		clock:                   clock,
    106. 

  106. 	}
    107. 

  107. }
    108. 

  108. 

  109. func (s *FakeLockboxServer) CreateSecret(authorizedKey *iamkey.Key, folderID, name string, entries ...*api.Payload_Entry) (string, string) {
    110. 

  110. 	secretID := uuid.NewString()
    111. 

  111. 	versionID := uuid.NewString()
    112. 

  112. 

  113. 	s.secretMap[secretKey{secretID}] = secretValue{authorizedKey}
    114. 

  114. 	s.versionMap[versionKey{secretID, ""}] = versionValue{entries} // empty versionID corresponds to the latest version
    115. 

  115. 	s.versionMap[versionKey{secretID, versionID}] = versionValue{entries}
    116. 

  116. 

  117. 	if _, exists := s.folderAndNameMap[folderAndNameKey{folderID, name}]; exists {
    118. 

  118. 		s.logger.Error(nil, "On the fake server, you cannot add two certificates with the same name in the same folder")
    119. 

  119. 	}
    120. 

  120. 	s.folderAndNameMap[folderAndNameKey{folderID, name}] = folderAndNameValue{secretID}
    121. 

  121. 

  122. 	return secretID, versionID
    123. 

  123. }
    124. 

  124. 

  125. func (s *FakeLockboxServer) AddVersion(secretID string, entries ...*api.Payload_Entry) string {
    126. 

  126. 	versionID := uuid.NewString()
    127. 

  127. 

  128. 	s.versionMap[versionKey{secretID, ""}] = versionValue{entries} // empty versionID corresponds to the latest version
    129. 

  129. 	s.versionMap[versionKey{secretID, versionID}] = versionValue{entries}
    130. 

  130. 

  131. 	return versionID
    132. 

  132. }
    133. 

  133. 

  134. func (s *FakeLockboxServer) NewIamToken(authorizedKey *iamkey.Key) *common.IamToken {
    135. 

  135. 	token := uuid.NewString()
    136. 

  136. 	expiresAt := s.clock.CurrentTime().Add(s.tokenExpirationDuration)
    137. 

  137. 	s.tokenMap[tokenKey{token}] = tokenValue{authorizedKey, expiresAt}
    138. 

  138. 	return &common.IamToken{Token: token, ExpiresAt: expiresAt}
    139. 

  139. }
    140. 

  140. 

  141. func (s *FakeLockboxServer) getEntries(iamToken, secretID, versionID string) ([]*api.Payload_Entry, error) {
    142. 

  142. 	if _, ok := s.secretMap[secretKey{secretID}]; !ok {
    143. 

  143. 		return nil, errors.New("secret not found")
    144. 

  144. 	}
    145. 

  145. 	if _, ok := s.versionMap[versionKey{secretID, versionID}]; !ok {
    146. 

  146. 		return nil, errors.New("version not found")
    147. 

  147. 	}
    148. 

  148. 	if _, ok := s.tokenMap[tokenKey{iamToken}]; !ok {
    149. 

  149. 		return nil, errors.New("unauthenticated")
    150. 

  150. 	}
    151. 

  151. 

  152. 	if s.tokenMap[tokenKey{iamToken}].expiresAt.Before(s.clock.CurrentTime()) {
    153. 

  153. 		return nil, errors.New("iam token expired")
    154. 

  154. 	}
    155. 

  155. 	if !cmp.Equal(s.tokenMap[tokenKey{iamToken}].authorizedKey, s.secretMap[secretKey{secretID}].expectedAuthorizedKey, cmpopts.IgnoreUnexported(iamkey.Key{})) {
    156. 

  156. 		return nil, errors.New("permission denied")
    157. 

  157. 	}
    158. 

  158. 

  159. 	return s.versionMap[versionKey{secretID, versionID}].entries, nil
    160. 

  160. }
    161. 

  161. 

  162. func (s *FakeLockboxServer) getExPayload(iamToken, folderID, name, versionID string) (map[string][]byte, error) {
    163. 

  163. 	if _, ok := s.folderAndNameMap[folderAndNameKey{folderID, name}]; !ok {
    164. 

  164. 		return nil, errors.New("secret not found")
    165. 

  165. 	}
    166. 

  166. 	secretID := s.folderAndNameMap[folderAndNameKey{folderID, name}].secretID
    167. 

  167. 	if _, ok := s.versionMap[versionKey{secretID, versionID}]; !ok {
    168. 

  168. 		return nil, errors.New("version not found")
    169. 

  169. 	}
    170. 

  170. 

  171. 	if s.tokenMap[tokenKey{iamToken}].expiresAt.Before(s.clock.CurrentTime()) {
    172. 

  172. 		return nil, errors.New("iam token expired")
    173. 

  173. 	}
    174. 

  174. 	if !cmp.Equal(s.tokenMap[tokenKey{iamToken}].authorizedKey, s.secretMap[secretKey{secretID}].expectedAuthorizedKey, cmpopts.IgnoreUnexported(iamkey.Key{})) {
    175. 

  175. 		return nil, errors.New("permission denied")
    176. 

  176. 	}
    177. 

  177. 	entries := s.versionMap[versionKey{secretID, versionID}].entries
    178. 

  178. 	out := make(map[string][]byte, len(entries))
    179. 

  179. 	for _, e := range entries {
    180. 

  180. 		switch e.Value.(type) {
    181. 

  181. 		case *api.Payload_Entry_TextValue:
    182. 

  182. 			out[e.Key] = []byte(e.GetTextValue())
    183. 

  183. 		case *api.Payload_Entry_BinaryValue:
    184. 

  184. 			out[e.Key] = e.GetBinaryValue()
    185. 

  185. 		}
    186. 

  186. 	}
    187. 

  187. 	return out, nil
    188. 

  188. }
    189.