Home Explore Help
Sign In
logic855
/
helm-external-secrets
mirror of https://github.com/external-secrets/external-secrets
1
0
Fork 0
Files Issues 0 Wiki
Tree: fcb2564a2f
Branches Tags
helm-externa...
/
pkg
/
template
/
v2
/
template_test.go

template_test.go 39 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950951952953954955956957958959960961962963964965966967968969970971972973974975976977 
  1. /*
    2. 

  2. Copyright © 2025 ESO Maintainer Team
    3. 

  3. 

  4. Licensed under the Apache License, Version 2.0 (the "License");
    5. 

  5. you may not use this file except in compliance with the License.
    6. 

  6. You may obtain a copy of the License at
    7. 

  7. 

  8.     https://www.apache.org/licenses/LICENSE-2.0
    9. 

  9. 

  10. Unless required by applicable law or agreed to in writing, software
    11. 

  11. distributed under the License is distributed on an "AS IS" BASIS,
    12. 

  12. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    13. 

  13. See the License for the specific language governing permissions and
    14. 

  14. limitations under the License.
    15. 

  15. */
    16. 

  16. 

  17. package template
    18. 

  18. 

  19. import (
    20. 

  20. 	"crypto/rand"
    21. 

  21. 	"crypto/rsa"
    22. 

  22. 	"crypto/x509"
    23. 

  23. 	"encoding/pem"
    24. 

  24. 	"os"
    25. 

  25. 	"strings"
    26. 

  26. 	"testing"
    27. 

  27. 

  28. 	"github.com/google/go-cmp/cmp"
    29. 

  29. 	"github.com/stretchr/testify/assert"
    30. 

  30. 	"github.com/stretchr/testify/require"
    31. 

  31. 	corev1 "k8s.io/api/core/v1"
    32. 

  32. 	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
    33. 

  33. 

  34. 	esapi "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
    35. 

  35. )
    36. 

  36. 

  37. const (
    38. 

  38. 	pkcs12ContentNoPass   = `MIIJYQIBAzCCCScGCSqGSIb3DQEHAaCCCRgEggkUMIIJEDCCA8cGCSqGSIb3DQEHBqCCA7gwggO0AgEAMIIDrQYJKoZIhvcNAQcBMBwGCiqGSIb3DQEMAQYwDgQInZmyWpNTPS4CAggAgIIDgPzZTmogBRiLP0NJZEUghZ3Oh1aqHJJ32HKgXUpD5BJ/5AvpUL9FC7m6a3GD++P1On/35J9N50bDjfBJjJrl2zpA143bzltPQBOK30cBJjNsCeN2Dq1dcsvJZfEy20z75NduXjMF6/qs4BbE+1E6nYFYVNHUybFnaQwSx7+2/2OMbXbcFpt4bv3HTw0YLw2pZeW/4/4A9d+tC9UdVQTTyNbI8l9nf1aeaaPsw1keVLmHurmTihfwh469FvjgwiHUP/P3ZCn1tOpWDR8ck0j+ru6imVP2hn+Kvk6svllmYqo3A5DnDRoF/Cl9R0DAPyS0lw7BeGskgTm7B79mzVitTbzRnIUP+sGJjc1AVghnitfcX4ffv8gq5xWaKGucO/IZXbPBoe7tMhKZmsirKzD4RBhC3nMyrwaHJB6PqUwxMQGMLbuHe7GlWhJAyFlcOTt5dgNl+axIkWdisoKNinYYeOuxudqyX6yPfsyaRCV5MEez3Wu+59MENGlGDRWbw61QuwsZkr1bAT2SJrQ/zHn5aGAluQZ1csJhKQ34iy1Ml9K9F4Zh3/2OWPs0u6+JCb1PC1vChBkguqcqQtEcikRwR9dNF9cdMB1T1Xk5GqlmOPaigkYzGWLgtl8cV5/Zl0m2j77mX9x4HVCTercAABGf9JcCLzSCo04c5OwIYtWUXBkux5n2VI2ZIuS1KF+r6JNyL3lg/D8LColzDUP/6tQCBVVgMar3iLblM17wPMTDMR5Bn+NvenwJj6FWaGGMtdjygtN+oSHpNDbVygfGQy+jEgUtK7yw0uh/WKBMWVw1E6iNuhb8HIyCFtQon8sDkuZ81czOpR3Ta1SWUWrZD+pjpL2Z4y8Nc2wt9pVPvLFOTn+GDFVqGpde3kovh3GfJjYCG/HI5rXZyziflDOoSy0SyG6aVCG4ZqW2LTymoVN/kxf+skqAweX1vxvvJniiv8HgYfEASFUWear4uT641d1YwcEIawNv4n+GKBilK/7ODl2QL86svwqIcbyiJrneyU2tHymKzGcU2VxmSgf8EnjqGuIEo7WXOpk0oUMcvYrM73cgzZ3BchUDIN0KWSDI+vDcVY82dbI39KM6dtOJFAx3kEdms/gdSqZtmHUIeArGp+8caCCAK/W+4wTOvtisK+6MtzdMz6P93N78N4Vo6cs3dkj6t/6tgNog5SCfwlOEyUpmMIIFQQYJKoZIhvcNAQcBoIIFMgSCBS4wggUqMIIFJgYLKoZIhvcNAQwKAQKgggTuMIIE6jAcBgoqhkiG9w0BDAEDMA4ECHVnarQ94cqlAgIIAASCBMgUvEVKsUcqEvYJEJ9JixgB0W3uhSi/Espt931a/mwx5Ja2K7vjlttaOct3Zc8umVrP5C322tmHz9QDVPj3Bln8CGfofC/8Nb6+SDeofmYaQYReOZpZGksEBs4P3yURl8wQpIkG31Oyf3urDTJdplfDrzu6XpEpIf7RicIR+Zh4Q1+F75XwPo52/yNs8q/kVV8H97gSRqQ2GixIdyNu+JLtNjdwAERHy4DeQjwgiMCdL+xMfN+WJyIvkLZDoy9bacXeG4IcQM+n84272C6j1a0BPaOm0K5A7I0H1zpXOJiWfn3MrT4LHDudrQoIWUOvcJjWaIM/KyghotDN50THKN9qCEE9SmtfWXGGFaJmyxbUDFizBIAsFshNtMs/47PoInTSNwzxNvUUQ3ap93iquGZ9EaZAMY2HQHW/QJIQ70IbtcHU28Bus/hrMcV0X9D1p4UeHuk37W7aCrL6hS+ac9pmzwmcDBwZUliyInxRmqCCerjg2ojAM9SVg8FrpQUErP+BOaoCBwQqLLiz9BM+3tUQc/8MyaBHq+c2dUoPfvipDIQXYiq66CkjmPHxPFEL1l9d9oBFoIGkt6SIHDjWnTPc5q5SvJ9tz8Dp1k/1HQSA8OUS6j+XySYuGe8xTvN/oUpVRswef2Qd/kxZlc1FJ4lVAXvbW7C7772l14BJv/WULcFH4Sn83rlL3YwHr4vJMf6wLahn7oQPI0VFSQiiOOb/+gkiTrwO3Gz+HXOkUwaKnW85PeoIt3/q1u0CRl64mUjqCegi7RMY9Q9tRMlD5yx0RsH7mc4b6Eg/3IwGu8VQmZCO5W2unCpfzzyrOx7OaGGaW4RJ2Mx7bJ8uV9HU8MbbNntmc9oxebPdDnBmbt8p8t4ZZxC+zcqcXi3TxACXmwnasogQEi0d0ttXkB5cnDCG00Y8WPdNIWfJdIQh8Hj16LAMYWUacz/J0kLP99ENQntZibVw/Q3zZtHSF5tmsYp7o1HglBpRwLTcd026YTrxB+VCEiUYy4hH6a38oEEpY7wTIiRmEBQPIRM0HUOqVh4z6TNzRx6iIhrQEvg06B8U6iVPqy8FGDkhf3P55Ed95/Rw6uSdlMTHng+Q4aG00k4qKdKOyv55IXPcvEzAeVNBuesknaS8x7Eb/I5mHSoZU3RYAEFGbehUkvkhNr3Xq7/W/400AKiliravJq8j/qKIZ9hAVUWOps09F/4peYfLXM1AhxWWGa5QqvwFkClM+uRyqIRGJwl2Z7asl4sWVXbwtb+Axio+mYGdzxIki5iwJvRCwKapoZplndXKTrn2nYBuhxW2+fRHa8WYdsm/wn0K+jYMlZhquVjNXyL70/Sym6DkzCtJvveQs2CfcEWQuedjRSGFVFT2jV/s5F8L2TV7nQNVj6dEJSNM5JCdZ//OpiMHMCbPNeSxY9koGplUqFhP54F1WU9x+8xiFjEp8WKxQYKHUtj+ace0lLF4CDGXhFR/0k7Icarpax3hYnvagd2OpZyRJdavKBSs5U7/NPuO6sNhZ2NpzsOiul9Iu8bu3UHCECNKkwN4wF4alTlG9sAAbS4ns4wb9XTajG+OPYoDQZmuJfc71McN6m8KBHEnXU8r4epdR7xREe/w+h2MwtPhLvbxwO592tUxJTAjBgkqhkiG9w0BCRUxFgQUOEXV6IFYGpCSHi0MPHz4b3W0KOQwMTAhMAkGBSsOAwIaBQAEFAjyBCA+mr+5UkKuQ1jGw90ASfbVBAjbvqJJZikDPgICCAA=`
    39. 

  39. 	pkcs12ContentWithPass = `MIIJYQIBAzCCCScGCSqGSIb3DQEHAaCCCRgEggkUMIIJEDCCA8cGCSqGSIb3DQEHBqCCA7gwggO0AgEAMIIDrQYJKoZIhvcNAQcBMBwGCiqGSIb3DQEMAQYwDgQI2eZRJ7Ar+JQCAggAgIIDgFTbOtkFPjqxAoYRHoq1SbyXKf/NRbBA5AqxQlv9aFVT4VcxUSrMGaSWifX2UjsVWQzn134yoLLbdJ0jTorVD+EuBUmtb3xXbBwLqtFZxwcWodYA5WhPQdDcQo0cD3o1vrsXPQARQR6ISSFnhFjPYdH9cO2LqUKV5pjFhIs2/1VPDS2eY7SWZN52DK3QknSj23S3ZW2s4TFEj/5C4ssbO7cWNWBjjaORnd17FMNgVtcRw8ITmLdGBOpFUwP8wIdiLGrXiyjfMLns74nztRelV30/v0DPlz0pZtOPygi/dy0qpbil3wtOFrtQBLEdvLNmt9ikQgGs3pJBS68eMJLu3jAU6rCIKycq0+E0eMXeHcseyMwgguTj2h4t+E4S7nU11lViBFqkSBKxE28+9fNlPvCsZ4WhQZ6TAW3E/jDy/ZSqmak5V7/khMlRPvtrxz71ivksH0iipPdJJkGi7SDEvETySBETiqIslUmsF0ZYeHR5wIBkB5V8zmi8RRZtpvDGbzuQ22V6sNk2mTDh+BRus7gNCoSGWYXWqNNp1PnznuYCJp9T+0mObcAijE7IQuhpYMeQPF+MUIlG5lmpNouzuygTf++xrKIjzP36DcthnMPeD/8LYWfzkuAeRodjl7Z1G6XLvBD5h+Xlq23WPjMcXUiiWYXxTREAQ1EWUf4A9twGcxHJ5AatbvQY3QUoS4a7LNuy17lF7G+O1SFDtGeHZXHHecaVpuAtqZEYeUpqy6ZzMJXtXE1JNl/UR9TtTordb1V5Pf45JTYKLI+SwxVQbRiTgfhulNc+E3tV1AEELZt4CKmh1OFJoJRtyREMfdVuP4rx7ywIoMYuWw8CRqJ3qSmdwz2kmL2pfJNn6vDfN6rNa+sXWErOJ7naSAKQH2CJfnkCOFxkKfwjbOcNRbnGKah8NyWu6xqlv7Y4xEJYqmPahGHmrSfdAt3mpc5zD74DvetLIczcadKaLH7mp6h98xHayvXh0UE7ERHeskfSPrLxL9A3V1RZXDOtcZFWSKHzokuXMDF9OnrcMYDzYgtzof4ReY2t1ldGF7phYINhDlUNyhzyjwyWQbdkxr/+FtWq8Sbm7o2zMTby48c25gnqD9U8RTAO+bY3oV3dQ4bpAOzWdzVmFjESUFx0xVwbTSJGXdkH4YmD5He+xwxTa0Je0HE5+ui5dbP1gxUY+pCGLOhGMIIFQQYJKoZIhvcNAQcBoIIFMgSCBS4wggUqMIIFJgYLKoZIhvcNAQwKAQKgggTuMIIE6jAcBgoqhkiG9w0BDAEDMA4ECGYAccNFWW6kAgIIAASCBMgbXw69iyx73RGWS3FYeuvF5L1VWXQGrDLdUGwa3SdovXxmP1pKBAb82UuiydXDpKSVCmefeEQTs6ucEFRmXrDIldNanqUwbydy3GSJ+4iNsVQHbFgNppH4e90L7BlLcZ3MzSrVEwxWVMHq+XLqTKf3X3QyrmA3mmF96+Nd+icpDIktd+/h2BHnSXHNP0QfVH27H4DwbMDijttXY0JB+8qP9m25Wn4zkmOPEUhrY4Ptv2I08eHFAuNI0jWUwfRhC4FDbUdwFb0aZjA3Te6uYTsu2zAlmg9HuqsD/Ef/wkBEKZLBkjiXa/niFVrwELXhWZDPBAuo+/1UbzXglsW4QDU4LbUutcs6DLag1vLe40a2LO1ODQm7Zw0bxLkb3f/ry6ZFYvO78XmHo4c/oQf4KPUtM2bLz5q7uOxAx07vHYaU2BVt3NjgiIO5VVKjw0075GdgFxwPvYncv1fsC5jSIkX43GuzEtoBTpJKDYb2nhKbN9XWixwGOhUBTK3WYBhn+uaMJs4l3EgkDtK9tsUs5VQQHawj0WrGS1mQhaBfcyZzv4wSn0d3JUO2CN0e9EReJcQvsEnwUvohilOvjDHHhTq8Kp4XU4jbq7TAKqxs3TOmdoskRykn9oKUPExJVhJQonFT3ietV5BHrnN/QoDCSeOR80ZxvWHrQDz3Hm1ygiHd8LYmN4IjiD8b28ZrCALifWxh0WmIYtLZrUjMZavPh+caWH9IG32fTxV9b1bgJD8vWqscj9jCjeMJvkKQo8PFg1kMAxt1u+bIyktTq42O9qxwGrdqEMeBzXxDJMMaRIH3m9LNZ/P5Nk4/hMURhCZJtRtNfOVTK+Q6kKgsdK2EHcuEnp/qBefZjve+xmitbF1W7C4+B7b2JNBacdIm1nE56DwglT/IUk65JrNFP3rf4c5ic76LCQrvyfLiKCGaqcihM9siLVFPYdrnr8TlGbCFnGbpBqMQA5MtZQaDUug50PJtdxlgfwWH4qliimgchCaZbSTcgN5YTguSe16uUSusHD+r6XdtI0939uDILXJjQMczhIKNw8w0Tn4Z3/g2KlB6cwbtaglnnO4a/USh0cPC1a581byNqeFoMi+mAhqfKkwdDuti4GX7OrhkUOkiRjEUXdcckpmmIsyamH/g1dq3CNFXFNIgRRrzIDo4Opr3Ip2VE/4BDQoo/+Rybzxh8bsHgCEujQf8urGxjGyd2ulHoXzHWhz7pPPuY5UN6dC9WZmOQDVous/1nhYThoLVVc61Rk6d83+Ac7iRg4bY5q/73J4HvPMmrTOOOqqn3wc9Pe5ibEy4tFaYnim4p1ZRm8YcwosZmuFPdsP6G5l5qt6uOyr2+qNpXIBkDpG7I6Ls10O7L3PQAX9zRGfcz6Ds0KtuDrLpaVvhuXpewsBwpo1lmhv9bAa4ppBuWznmKigX+vYojSxd/eCRAtMs+Lx6ppZsYNVhbdEIGKXSGwG98sSTZkoLHBMkUW7S8jpeSCHZWEFBUOPJQzAr5cW1w+RAs33cGUygZ5XEEx4DeW8MnO4lCuP+VDOwu3TAKhzAD+qCyXbLEzWiyL5fq3XL+YJtoAc8Mra9lK6jDqzq4u+PLNoYY+kWTBhCyRZ+PfzcXLry8pxuP5E6VtRgfYcxJTAjBgkqhkiG9w0BCRUxFgQUOEXV6IFYGpCSHi0MPHz4b3W0KOQwMTAhMAkGBSsOAwIaBQAEFBa+SV9FU2UObo+nYKdyt/kZVw6FBAgey4GonFtJ2gICCAA=`
    40. 

  40. 	pkcs12Cert            = `-----BEGIN CERTIFICATE-----
    41. 

  41. MIIDHTCCAgWgAwIBAgIRAKC4yxy9QGocND+6avTf7BgwDQYJKoZIhvcNAQELBQAw
    42. 

  42. EjEQMA4GA1UEChMHQWNtZSBDbzAeFw0yMTAzMjAyMDA4MDhaFw0yMTAzMjAyMDM4
    43. 

  43. MDhaMBIxEDAOBgNVBAoTB0FjbWUgQ28wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAw
    44. 

  44. ggEKAoIBAQC3o6/JdZEqNbqNRkopHhJtJG5c4qS5d0tQ/kZYpfD/v/izAYum4Nzj
    45. 

  45. aG15owr92/11W0pxPUliRLti3y6iScTs+ofm2D7p4UXj/Fnho/2xoWSOoWAodgvW
    46. 

  46. Y8jh8A0LQALZiV/9QsrJdXZdS47DYZLsQ3z9yFC/CdXkg1l7AQ3fIVGKdrQBr9kE
    47. 

  47. 1gEDqnKfRxXI8DEQKXr+CKPUwCAytegmy0SHp53zNAvY+kopHytzmJpXLoEhxq4e
    48. 

  48. ugHe52vXHdh/HJ9VjNp0xOH1waAgAGxHlltCW0PVd5AJ0SXROBS/a3V9sZCbCrJa
    49. 

  49. YOOonQSEswveSv6PcG9AHvpNPot2Xs6hAgMBAAGjbjBsMA4GA1UdDwEB/wQEAwIC
    50. 

  50. pDATBgNVHSUEDDAKBggrBgEFBQcDATAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQW
    51. 

  51. BBR00805mrpoonp95RmC3B6oLl+cGTAVBgNVHREEDjAMggpnb29ibGUuY29tMA0G
    52. 

  52. CSqGSIb3DQEBCwUAA4IBAQAipc1b6JrEDayPjpz5GM5krcI8dCWVd8re0a9bGjjN
    53. 

  53. ioWGlu/eTr5El0ffwCNZ2WLmL9rewfHf/bMvYz3ioFZJ2OTxfazqYXNggQz6cMfa
    54. 

  54. lbedDCdt5XLVX2TyerGvFram+9Uyvk3l0uM7rZnwAmdirG4Tv94QRaD3q4xTj/c0
    55. 

  55. mv+AggtK0aRFb9o47z/BypLdk5mhbf3Mmr88C8XBzEnfdYyf4JpTlZrYLBmDCu5d
    56. 

  56. 9RLLsjXxhag8xqMtd1uLUM8XOTGzVWacw8iGY+CTtBKqyA+AE6/bDwZvEwVtsKtC
    57. 

  57. QJ85ioEpy00NioqcF0WyMZH80uMsPycfpnl5uF7RkW8u
    58. 

  58. -----END CERTIFICATE-----
    59. 

  59. `
    60. 

  60. 	pkcs12Key = `-----BEGIN PRIVATE KEY-----
    61. 

  61. MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC3o6/JdZEqNbqN
    62. 

  62. RkopHhJtJG5c4qS5d0tQ/kZYpfD/v/izAYum4NzjaG15owr92/11W0pxPUliRLti
    63. 

  63. 3y6iScTs+ofm2D7p4UXj/Fnho/2xoWSOoWAodgvWY8jh8A0LQALZiV/9QsrJdXZd
    64. 

  64. S47DYZLsQ3z9yFC/CdXkg1l7AQ3fIVGKdrQBr9kE1gEDqnKfRxXI8DEQKXr+CKPU
    65. 

  65. wCAytegmy0SHp53zNAvY+kopHytzmJpXLoEhxq4eugHe52vXHdh/HJ9VjNp0xOH1
    66. 

  66. waAgAGxHlltCW0PVd5AJ0SXROBS/a3V9sZCbCrJaYOOonQSEswveSv6PcG9AHvpN
    67. 

  67. Pot2Xs6hAgMBAAECggEACTGPrmVNZDCWa1Y2hkJ0J7SoNcw+9O4M/jwMp4l/PD6P
    68. 

  68. I98S78LYLCZhPLK17SmjUcnFO1AXKW1JeFS2D/fjfP256guvcqQNjLFoioxcOhVb
    69. 

  69. ZGyd1Mi8JPqP5wfOj16gBeYDwTkjz9wqldcfiZaL9XoXetkZecbzR2JwC2FtIVuC
    70. 

  70. 0njTjMNYpaBKnoLb8OTR0EQz7lYEo2MkQiWryz8wseONnFmdfh18p+p10YgCbuCH
    71. 

  71. qesrWfDLLxaxZelNtDhDngg9LoCLmarYy7BgShacmUEgJTZ/x3xFC75thK3ln0OY
    72. 

  72. +ktTgvVotYYaZi7qAjQiEsTvkTAPg5RMpQLd2UIWsQKBgQDCBp+1vURbwGzmTNUg
    73. 

  73. HMipD6WDFdLc9DCacx6+ZqsEPTMWQbCpVZrDKiY0Rjt5F+xOCyMr00J5RDJXRC0G
    74. 

  74. +L7NcJdywOFutT7vB+cmETg7l/6PHweNYBnE66706eTL/KVYZMi4tEinarPWhHmL
    75. 

  75. jasfdLANtpDjdWkRt299TkPRbQKBgQDyS8Rr7KZdv04Csqkf+ASmiJpT5R6Y72kc
    76. 

  76. 3XYpKETyB2FyPZkuh/zInMut9SkkSI9O/jA3zf956jj6sF1DHvp7T8KkIp5OAQeD
    77. 

  77. J9AF65m2MnZfHFUeJ6ZQsggwMWqrD0ycIWP7YWtiBHH+D1wGkjYrssq+bvG/yNpA
    78. 

  78. LtqdKq9lhQKBgQCZA2hIhy61vRckuEsLvCdzTGeW7UsR/XGnHEqOlaEhArKbRsrv
    79. 

  79. gBdA+qiOaSTV5svw8E+YbE7sG6AnuhhYeyreEYEeeoZOLJmpIG5mUwYp2UBj1nC6
    80. 

  80. SaOI7OVZOGu7g09SWokBQQxbG4cgEfFY4Sym7fs5lVTGTP3Dfwppo6NQMQKBgQCo
    81. 

  81. J5NDP3Lafwk58BpV+H/pv8YzUUDh7M2rXbtCpxLqUdr8OOnVlEUISWFF8m5CIyVq
    82. 

  82. MhjuscWLK9Wtjba7/YTjDaDM3sW05xv6lyfU5ATCoNTr/zLHgcb4HAZ4w+L+otiN
    83. 

  83. RtMnxB2NYf5mzuwUF2cG/secUEzwyAlIH/xStSwTLQKBgQCRvqF+rqxnegoOgwVW
    84. 

  84. qrWPv06wXD8dW2FlPpY5GXqA0l6erSK3YsQQToRmbem9ibPD7bd5P4gNbWfxwK4C
    85. 

  85. Wt+1Rcb8OrDhDJbYz85bXBnPecKp4EN0b9SHO0/dsCqn2w30emc+9T/4m1ZDkpBd
    86. 

  86. BixHvI/EJ8YK3ta5WdJWKC6hnA==
    87. 

  87. -----END PRIVATE KEY-----
    88. 

  88. `
    89. 

  89. 	jwkPubRSA     = `{"kid":"ex","kty":"RSA","key_ops":["sign","verify","wrapKey","unwrapKey","encrypt","decrypt"],"n":"p2VQo8qCfWAZmdWBVaYuYb-a-tWWm78K6Sr9poCvNcmv8rUPSLACxitQWR8gZaSH1DklVkqz-Ed8Cdlf8lkDg4Ex5tkB64jRdC1Uvn4CDpOH6cp-N2s8hTFLqy9_YaDmyQS7HiqthOi9oVjil1VMeWfaAbClGtFt6UnKD0Vb_DvLoWYQSqlhgBArFJi966b4E1pOq5Ad02K8pHBDThlIIx7unibLehhDU6q3DCwNH_OOLx6bgNtmvGYJDd1cywpkLQ3YzNCUPWnfMBJRP3iQP_WI21uP6cvo0DqBPBM4wvVzHbCT0vnIflwkbgEWkq1FprqAitZlop9KjLqzjp9vyQ","e":"AQAB"}`
    90. 

  90. 	jwkPubRSAPKIX = `-----BEGIN PUBLIC KEY-----
    91. 

  91. MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAp2VQo8qCfWAZmdWBVaYu
    92. 

  92. Yb+a+tWWm78K6Sr9poCvNcmv8rUPSLACxitQWR8gZaSH1DklVkqz+Ed8Cdlf8lkD
    93. 

  93. g4Ex5tkB64jRdC1Uvn4CDpOH6cp+N2s8hTFLqy9/YaDmyQS7HiqthOi9oVjil1VM
    94. 

  94. eWfaAbClGtFt6UnKD0Vb/DvLoWYQSqlhgBArFJi966b4E1pOq5Ad02K8pHBDThlI
    95. 

  95. Ix7unibLehhDU6q3DCwNH/OOLx6bgNtmvGYJDd1cywpkLQ3YzNCUPWnfMBJRP3iQ
    96. 

  96. P/WI21uP6cvo0DqBPBM4wvVzHbCT0vnIflwkbgEWkq1FprqAitZlop9KjLqzjp9v
    97. 

  97. yQIDAQAB
    98. 

  98. -----END PUBLIC KEY-----
    99. 

  99. `
    100. 

  100. 	jwkPrivRSA      = `{"kty" : "RSA","kid" : "cc34c0a0-bd5a-4a3c-a50d-a2a7db7643df","use" : "sig","n"   : "pjdss8ZaDfEH6K6U7GeW2nxDqR4IP049fk1fK0lndimbMMVBdPv_hSpm8T8EtBDxrUdi1OHZfMhUixGaut-3nQ4GG9nM249oxhCtxqqNvEXrmQRGqczyLxuh-fKn9Fg--hS9UpazHpfVAFnB5aCfXoNhPuI8oByyFKMKaOVgHNqP5NBEqabiLftZD3W_lsFCPGuzr4Vp0YS7zS2hDYScC2oOMu4rGU1LcMZf39p3153Cq7bS2Xh6Y-vw5pwzFYZdjQxDn8x8BG3fJ6j8TGLXQsbKH1218_HcUJRvMwdpbUQG5nvA2GXVqLqdwp054Lzk9_B_f1lVrmOKuHjTNHq48w","e"   : "AQAB","d"   : "ksDmucdMJXkFGZxiomNHnroOZxe8AmDLDGO1vhs-POa5PZM7mtUPonxwjVmthmpbZzla-kg55OFfO7YcXhg-Hm2OWTKwm73_rLh3JavaHjvBqsVKuorX3V3RYkSro6HyYIzFJ1Ek7sLxbjDRcDOj4ievSX0oN9l-JZhaDYlPlci5uJsoqro_YrE0PRRWVhtGynd-_aWgQv1YzkfZuMD-hJtDi1Im2humOWxA4eZrFs9eG-whXcOvaSwO4sSGbS99ecQZHM2TcdXeAs1PvjVgQ_dKnZlGN3lTWoWfQP55Z7Tgt8Nf1q4ZAKd-NlMe-7iqCFfsnFwXjSiaOa2CRGZn-Q","p"   : "4A5nU4ahEww7B65yuzmGeCUUi8ikWzv1C81pSyUKvKzu8CX41hp9J6oRaLGesKImYiuVQK47FhZ--wwfpRwHvSxtNU9qXb8ewo-BvadyO1eVrIk4tNV543QlSe7pQAoJGkxCia5rfznAE3InKF4JvIlchyqs0RQ8wx7lULqwnn0","q"   : "ven83GM6SfrmO-TBHbjTk6JhP_3CMsIvmSdo4KrbQNvp4vHO3w1_0zJ3URkmkYGhz2tgPlfd7v1l2I6QkIh4Bumdj6FyFZEBpxjE4MpfdNVcNINvVj87cLyTRmIcaGxmfylY7QErP8GFA-k4UoH_eQmGKGK44TRzYj5hZYGWIC8","dp"  : "lmmU_AG5SGxBhJqb8wxfNXDPJjf__i92BgJT2Vp4pskBbr5PGoyV0HbfUQVMnw977RONEurkR6O6gxZUeCclGt4kQlGZ-m0_XSWx13v9t9DIbheAtgVJ2mQyVDvK4m7aRYlEceFh0PsX8vYDS5o1txgPwb3oXkPTtrmbAGMUBpE","dq"  : "mxRTU3QDyR2EnCv0Nl0TCF90oliJGAHR9HJmBe__EjuCBbwHfcT8OG3hWOv8vpzokQPRl5cQt3NckzX3fs6xlJN4Ai2Hh2zduKFVQ2p-AF2p6Yfahscjtq-GY9cB85NxLy2IXCC0PF--Sq9LOrTE9QV988SJy_yUrAjcZ5MmECk","qi"  : "ldHXIrEmMZVaNwGzDF9WG8sHj2mOZmQpw9yrjLK9hAsmsNr5LTyqWAqJIYZSwPTYWhY4nu2O0EY9G9uYiqewXfCKw_UngrJt8Xwfq1Zruz0YY869zPN4GiE9-9rzdZB33RBw8kIOquY3MK74FMwCihYx_LiU2YTHkaoJ3ncvtvg"}`
    101. 

  101. 	jwkPrivRSAPKCS8 = `-----BEGIN PRIVATE KEY-----
    102. 

  102. MIIEwAIBADANBgkqhkiG9w0BAQEFAASCBKowggSmAgEAAoIBAQCmN2yzxloN8Qfo
    103. 

  103. rpTsZ5bafEOpHgg/Tj1+TV8rSWd2KZswxUF0+/+FKmbxPwS0EPGtR2LU4dl8yFSL
    104. 

  104. EZq637edDgYb2czbj2jGEK3Gqo28ReuZBEapzPIvG6H58qf0WD76FL1SlrMel9UA
    105. 

  105. WcHloJ9eg2E+4jygHLIUowpo5WAc2o/k0ESppuIt+1kPdb+WwUI8a7OvhWnRhLvN
    106. 

  106. LaENhJwLag4y7isZTUtwxl/f2nfXncKrttLZeHpj6/DmnDMVhl2NDEOfzHwEbd8n
    107. 

  107. qPxMYtdCxsofXbXz8dxQlG8zB2ltRAbme8DYZdWoup3CnTngvOT38H9/WVWuY4q4
    108. 

  108. eNM0erjzAgMBAAECggEBAJLA5rnHTCV5BRmcYqJjR566DmcXvAJgywxjtb4bPjzm
    109. 

  109. uT2TO5rVD6J8cI1ZrYZqW2c5WvpIOeThXzu2HF4YPh5tjlkysJu9/6y4dyWr2h47
    110. 

  110. warFSrqK191d0WJEq6Oh8mCMxSdRJO7C8W4w0XAzo+Inr0l9KDfZfiWYWg2JT5XI
    111. 

  111. ubibKKq6P2KxND0UVlYbRsp3fv2loEL9WM5H2bjA/oSbQ4tSJtobpjlsQOHmaxbP
    112. 

  112. XhvsIV3Dr2ksDuLEhm0vfXnEGRzNk3HV3gLNT741YEP3Sp2ZRjd5U1qFn0D+eWe0
    113. 

  113. 4LfDX9auGQCnfjZTHvu4qghX7JxcF40omjmtgkRmZ/kCgYEA4A5nU4ahEww7B65y
    114. 

  114. uzmGeCUUi8ikWzv1C81pSyUKvKzu8CX41hp9J6oRaLGesKImYiuVQK47FhZ++wwf
    115. 

  115. pRwHvSxtNU9qXb8ewo+BvadyO1eVrIk4tNV543QlSe7pQAoJGkxCia5rfznAE3In
    116. 

  116. KF4JvIlchyqs0RQ8wx7lULqwnn0CgYEAven83GM6SfrmO+TBHbjTk6JhP/3CMsIv
    117. 

  117. mSdo4KrbQNvp4vHO3w1/0zJ3URkmkYGhz2tgPlfd7v1l2I6QkIh4Bumdj6FyFZEB
    118. 

  118. pxjE4MpfdNVcNINvVj87cLyTRmIcaGxmfylY7QErP8GFA+k4UoH/eQmGKGK44TRz
    119. 

  119. Yj5hZYGWIC8CgYEAlmmU/AG5SGxBhJqb8wxfNXDPJjf//i92BgJT2Vp4pskBbr5P
    120. 

  120. GoyV0HbfUQVMnw977RONEurkR6O6gxZUeCclGt4kQlGZ+m0/XSWx13v9t9DIbheA
    121. 

  121. tgVJ2mQyVDvK4m7aRYlEceFh0PsX8vYDS5o1txgPwb3oXkPTtrmbAGMUBpECgYEA
    122. 

  122. mxRTU3QDyR2EnCv0Nl0TCF90oliJGAHR9HJmBe//EjuCBbwHfcT8OG3hWOv8vpzo
    123. 

  123. kQPRl5cQt3NckzX3fs6xlJN4Ai2Hh2zduKFVQ2p+AF2p6Yfahscjtq+GY9cB85Nx
    124. 

  124. Ly2IXCC0PF++Sq9LOrTE9QV988SJy/yUrAjcZ5MmECkCgYEAldHXIrEmMZVaNwGz
    125. 

  125. DF9WG8sHj2mOZmQpw9yrjLK9hAsmsNr5LTyqWAqJIYZSwPTYWhY4nu2O0EY9G9uY
    126. 

  126. iqewXfCKw/UngrJt8Xwfq1Zruz0YY869zPN4GiE9+9rzdZB33RBw8kIOquY3MK74
    127. 

  127. FMwCihYx/LiU2YTHkaoJ3ncvtvg=
    128. 

  128. -----END PRIVATE KEY-----
    129. 

  129. `
    130. 

  130. 	jwkPubEC     = `{"kid":"https://kv-test-mj.vault.azure.net/keys/ec-p-521/e3d0e9c179b54988860c69c6ae172c65","kty":"EC","key_ops":["sign","verify"],"crv":"P-521","x":"AedOAtb7H7Oz1C_cPKI_R4CN_eai5nteY6KFW07FOoaqgQfVCSkQDK22fCOiMT_28c8LZYJRsiIFz_IIbQUW7bXj","y":"AOnchHnmBphIWXvanmMAmcCDkaED6ycW8GsAl9fQ43BMVZTqcTkJYn6vGnhn7MObizmkNSmgZYTwG-vZkIg03HHs"}`
    131. 

  131. 	jwkPubECPKIX = `-----BEGIN PUBLIC KEY-----
    132. 

  132. MIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQB504C1vsfs7PUL9w8oj9HgI395qLm
    133. 

  133. e15jooVbTsU6hqqBB9UJKRAMrbZ8I6IxP/bxzwtlglGyIgXP8ghtBRbtteMA6dyE
    134. 

  134. eeYGmEhZe9qeYwCZwIORoQPrJxbwawCX19DjcExVlOpxOQlifq8aeGfsw5uLOaQ1
    135. 

  135. KaBlhPAb69mQiDTccew=
    136. 

  136. -----END PUBLIC KEY-----
    137. 

  137. `
    138. 

  138. 	jwkPrivEC      = `{"kty": "EC","kid": "rie3pHe8u8gjSa0IaJfqk7_iEfHeYfDYx-Bqi7vQc0s","crv": "P-256","x": "fDjg3Nq4jPf8IOZ0277aPVal_8iXySnzLUJAZghUzZM","y": "d863PeyBOK_Q4duiSmWwgIRzi1RPlFZTR-vACMlPg-Q","d": "jJs5xsoHUetdMabtt8H2KyX5T92nGul1chFeMT5hlr0"}`
    139. 

  139. 	jwkPrivECPKCS8 = `-----BEGIN PRIVATE KEY-----
    140. 

  140. MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgjJs5xsoHUetdMabt
    141. 

  141. t8H2KyX5T92nGul1chFeMT5hlr2hRANCAAR8OODc2riM9/wg5nTbvto9VqX/yJfJ
    142. 

  142. KfMtQkBmCFTNk3fOtz3sgTiv0OHbokplsICEc4tUT5RWU0frwAjJT4Pk
    143. 

  143. -----END PRIVATE KEY-----
    144. 

  144. `
    145. 

  145. 	rsaDecryptPKRSAPKCS8 = `-----BEGIN PRIVATE KEY-----
    146. 

  146. MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQChzs1R+jA3Goqi
    147. 

  147. ropPzF4Ehpbi6VklbeZWP+RoU3rJshONJO6w9tPhbp0YIXrPSM9P5a9xaaNxDR9e
    148. 

  148. u84O05+vq3C4P9I0jb5GSjiuznrmsprFWGaGdd4Vr7Fir1oqfeVc+znQFUCvkq7B
    149. 

  149. EWobOonl6ktQ2OHBK0bEzXB7qY7P4ETI6owDUL+pkAwHzdnwk4sXMDKBLT3WZVRn
    150. 

  150. xPppIJ4VAEph1fJOCIIskxVBh8cAT4QRxsdu8oB7cAuYJLBBKiS/GGIA7vh9sQrb
    151. 

  151. +0BAgLqvy+kiQeQhYgF/Y/uVwkgAphFzSjSjoSFQ50nNE2VJA5J6o7QZ413DlIWr
    152. 

  152. VJKNZJDbAgMBAAECggEAemklU5te1pExyJka8fu+NNZNWCUI2BQoaZ+0gGiHQAeE
    153. 

  153. WwdRvHc/HBC+r/7EFgUTMXKmI7qzd1diIB0caoMXD6M3h2xg7nk9NZf5AeYbfGQq
    154. 

  154. SpnyFk8dUHK2U94s7HCKEKnOtukdIrZplo5CI49Ju7JggC1TvPuscj6pliRUclYY
    155. 

  155. Pc6pTVaG+bludDR8YkQ1mGi04wMQHpnisegRpMSjt9uZc1jKM7SSaHggu4/vuewo
    156. 

  156. CFdra50/MjidIOXd5T5iVYY28J+gR8oCCKySTogNJ3JpNMNAW4FHfime5B+uS0IA
    157. 

  157. YI/N8yjT/BPgRt4lQpR+6zi3fpguWNIM71xye1/R4QKBgQDNZNGFOntbFM2NTPYu
    158. 

  158. 4APRVu4a0gM+JEA/ozuxTigkgaj6dNeJvaNTxcKG0MmGxQLEcvgCDaWIoM6Qrj1K
    159. 

  159. YVwdiv1MddRDdSHQjGjNM6n7jNfYVQ2gP+1wDwTMN+eyAW8KoZByaQimmjyBj/Ps
    160. 

  160. C8VWPxyrw/UeHqzTazyEIZ2fHQKBgQDJrM2/xx7F63C6GaW+5gMeColxkdYb29Aw
    161. 

  161. R3xb2rn5lVPLW0BORQQuepZuaI+ZLTb4Op7V4yAC/S9femFXpgkZa56aacwy1jxb
    162. 

  162. R9WO0CWP3QCUCcIBF/4lbJDZ6gQLr51oahXhhjbgGMrlguC/j4R9n3i58EaeukeE
    163. 

  163. +Hsu/hMWVwKBgETsWALFJS/jQzbvZI1GTwGoki4d20i3EXhJZnaRK5dUi0fAfbOT
    164. 

  164. F4O9ERH8biPzaIJTsjW+LpYyoB6c2aRkF20yft1xjNE2NSquc1yowZnQIX5OzEvC
    165. 

  165. KAM6hvmgqPdq08BVhwtdg7GkgDlZ/Rhwur++XfilwVNiJ8yqZ5xPS31hAoGBALnu
    166. 

  166. hB5MMPXd86bPoHyYSMV4h3DaOGCkzpLERUXWKOGOp5tzfJzsikdjo68U3VcmVWiT
    167. 

  167. ev7MkCXRUMyg4n/RRtBV5PqNkcJIu4qYdq5c/lRdN3xEZsVlXl0Yc49EbghsFx49
    168. 

  168. uACdIZiHov/oItbZNRgwXzhl6mXKbceM4tzXR7evAoGBALug2beVoVAl2nAB2RkQ
    169. 

  169. Jy3viDKO+C6Z82gsS5x9Wif9cJTppIarZC+t7w33f4WHJiYT1VDxse08dohC5Nn7
    170. 

  170. 7WWKdtLMSyUaXE46s37Kl5tkTkROj3wBzSIzwLYAwsthcpQVubwDAMsig8EUAdr/
    171. 

  171. 0IwaauEPX9lBYMZDMYuSAR5n
    172. 

  172. -----END PRIVATE KEY-----
    173. 

  173. `
    174. 

  174. 	rsaDecryptDataPKCS8Base64 = `hAZJktRFdzSkGxxiiSE46T271veCgwvC0GrY+AwDYA/KeuFZFdPgZsJ74awu1WR6x4BrbMLTXNpQw4UqChdbaM7VoKUCkPTcCU1jsveqYNisM2MNF98QjNjvp+9jXHfAsClLA5AvJxe3GjfWIi18E4PieFpATn/BTrmoklx4rSkWmfifZol7Wcny0D2fhrj/JOdxEIqowUB/tNwYzNd+lXgm55wea+G3YnD3Fr4ARaCCaQMUcdW9Kgx7mmZGZE3xDAhs8WMfpe9xVZ17Ca7Sw2r1JKS0o0fYiZNHUmCXVsP9O+//+0sfEtETiVUF0jItrwlK4GL8+bVcXQ9N2TW7+g==`
    175. 

  175. 	rsaDecryptPKRSAPKCS1      = `-----BEGIN RSA PRIVATE KEY-----
    176. 

  176. MIICXAIBAAKBgQC8ronsBTX6GD5YhoE/v76+ZkWX0gODzAD+aCYIyTs4PiWruxlV
    177. 

  177. SOtjwq2gRgUexE5Hsz8cxhFz5Db8qFXBsA+GgXjByQuVbBw04SCKHgc0zhbcWonV
    178. 

  178. 3Rk03pjVB1HfuxcDRja8JZontfMAJyPNJovPu3rIi8npSC+T5g7Fq9UCbQIDAQAB
    179. 

  179. AoGAAo2+MiKT63GejmYro6g9taf+syJVh9gf/1F7ikzm70jwC5X5rszQ2sXMwcmQ
    180. 

  180. 0izH/nJvnT0VCWOCVwMUPg3a9+odoMNFyg2u3XCLBNr3vlgG3xeCTdjzaMnY61ct
    181. 

  181. xU4JgpIuiAlwCqhNfKuHxeesM/cvh9eC11ELXh27gLsNCEECQQDng5klIGPLHfiN
    182. 

  182. 3wam6wxLnqHPuhXAyrOAKA1qBlZGKI6n6iBYpfN+Y70gt10f3SBlFfkSyF7uZsUy
    183. 

  183. maofmjARAkEA0KM6Rj+p2CRMFMh4NpON4RKaQIYNGMTpe/akYBOx6wcZy0saON9l
    184. 

  184. eHS3nq77TDT+mA3uDbu+6VD8j8eEcXUInQJAYJkfQEd4fBrAR+nj66etVKwW1gbN
    185. 

  185. 5shtBy8vEasdOl7XzyY4YuSzaWwSUOFRYOcyChuV9olWWuDUrR1Cx7bdEQJBALzY
    186. 

  186. gg7D4UA62oKVUfpUZL+szuJIc+JPmecSwIYWTZymuLpCKGICEx6Mxwdi6yN3dFq9
    187. 

  187. gRP9NDiLjY+20DLB9CECQB5IqCvT396rjJn3g6sRXHX5qApJwInofLByafcjGd34
    188. 

  188. ejJKh20FmJegJhkImmNTokNbQZbYiLAP07Ykx9A8jLg=
    189. 

  189. -----END RSA PRIVATE KEY-----
    190. 

  190. 

  191. `
    192. 

  192. 	rsaDecryptDataPKCS1Base64 = `Xd9Jij8+hTqM7ii1nnKbKZy7pHhn3BJwxrENwIlvf0iRysVKn7gmAaD6UV4EpNwYOHvLbo6yLWBme6msVAhIV9KOp22jDe9j837C48rcUiF93Jb7+plabbwTQt4iqi1EKxEfVvKi4tLsLBRhu0v583oQAfCf5aLwF3Vb5bPgGeY=`
    193. 

  193. 	rsaDecryptPubKeyRSAPKCS1  = `-----BEGIN PUBLIC KEY-----
    194. 

  194. MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC8ronsBTX6GD5YhoE/v76+ZkWX
    195. 

  195. 0gODzAD+aCYIyTs4PiWruxlVSOtjwq2gRgUexE5Hsz8cxhFz5Db8qFXBsA+GgXjB
    196. 

  196. yQuVbBw04SCKHgc0zhbcWonV3Rk03pjVB1HfuxcDRja8JZontfMAJyPNJovPu3rI
    197. 

  197. i8npSC+T5g7Fq9UCbQIDAQAB
    198. 

  198. -----END PUBLIC KEY-----
    199. 

  199. 

  200. `
    201. 

  201. )
    202. 

  202. 

  203. func rsaEncryptOAEP(t testing.TB, publicKeyPEM []byte, hash, plaintext string) []byte {
    204. 

  204. 	t.Helper()
    205. 

  205. 	block, _ := pem.Decode(publicKeyPEM)
    206. 

  206. 	if block == nil || block.Type != "PUBLIC KEY" {
    207. 

  207. 		t.Fatalf("failed to decode PEM block containing public key")
    208. 

  208. 	}
    209. 

  209. 

  210. 	pub, err := x509.ParsePKIXPublicKey(block.Bytes)
    211. 

  211. 	if err != nil {
    212. 

  212. 		t.Fatalf("failed to parse DER encoded public key: %v", err)
    213. 

  213. 	}
    214. 

  214. 

  215. 	rsaPub, ok := pub.(*rsa.PublicKey)
    216. 

  216. 	if !ok {
    217. 

  217. 		t.Fatalf("not RSA public key")
    218. 

  218. 	}
    219. 

  219. 	ciphertext, err := rsa.EncryptOAEP(getHash(hash), rand.Reader, rsaPub, []byte(plaintext), nil)
    220. 

  220. 	require.NoError(t, err)
    221. 

  221. 	return ciphertext
    222. 

  222. }
    223. 

  223. 

  224. func TestExecute(t *testing.T) {
    225. 

  225. 	tbl := []struct {
    226. 

  226. 		name                string
    227. 

  227. 		tpl                 map[string][]byte
    228. 

  228. 		labelsTpl           map[string][]byte
    229. 

  229. 		annotationsTpl      map[string][]byte
    230. 

  230. 		stringDataTpl       map[string][]byte
    231. 

  231. 		data                map[string][]byte
    232. 

  232. 		expectedData        map[string][]byte
    233. 

  233. 		expectedStringData  map[string]string
    234. 

  234. 		expectedLabels      map[string]string
    235. 

  235. 		expectedAnnotations map[string]string
    236. 

  236. 		leftDelimiter       string
    237. 

  237. 		rightDelimiter      string
    238. 

  238. 		expErr              string
    239. 

  239. 		expLblErr           string
    240. 

  240. 		expAnnoErr          string
    241. 

  241. 		expStrErr           string
    242. 

  242. 	}{
    243. 

  243. 		{
    244. 

  244. 			name:           "test empty",
    245. 

  245. 			tpl:            nil,
    246. 

  246. 			labelsTpl:      nil,
    247. 

  247. 			annotationsTpl: nil,
    248. 

  248. 			data:           nil,
    249. 

  249. 		},
    250. 

  250. 		{
    251. 

  251. 			name: "b64dec func",
    252. 

  252. 			tpl: map[string][]byte{
    253. 

  253. 				"foo": []byte("{{ .secret | b64dec }}"),
    254. 

  254. 			},
    255. 

  255. 			data: map[string][]byte{
    256. 

  256. 				"secret": []byte("MTIzNA=="),
    257. 

  257. 			},
    258. 

  258. 			expectedData: map[string][]byte{
    259. 

  259. 				"foo": []byte("1234"),
    260. 

  260. 			},
    261. 

  261. 		},
    262. 

  262. 		{
    263. 

  263. 			name: "fromJson func",
    264. 

  264. 			tpl: map[string][]byte{
    265. 

  265. 				"foo": []byte("{{ $var := .secret | fromJson }}{{ $var.foo }}"),
    266. 

  266. 			},
    267. 

  267. 			data: map[string][]byte{
    268. 

  268. 				"secret": []byte(`{"foo": "bar"}`),
    269. 

  269. 			},
    270. 

  270. 			expectedData: map[string][]byte{
    271. 

  271. 				"foo": []byte("bar"),
    272. 

  272. 			},
    273. 

  273. 		},
    274. 

  274. 		{
    275. 

  275. 			name: "from & toJson func",
    276. 

  276. 			tpl: map[string][]byte{
    277. 

  277. 				"foo": []byte("{{ $var := .secret | fromJson }}{{ $var.foo | toJson }}"),
    278. 

  278. 			},
    279. 

  279. 			data: map[string][]byte{
    280. 

  280. 				"secret": []byte(`{"foo": {"baz":"bang"}}`),
    281. 

  281. 			},
    282. 

  282. 			expectedData: map[string][]byte{
    283. 

  283. 				"foo": []byte(`{"baz":"bang"}`),
    284. 

  284. 			},
    285. 

  285. 		},
    286. 

  286. 		{
    287. 

  287. 			name: "fromJson & toYaml func",
    288. 

  288. 			tpl: map[string][]byte{
    289. 

  289. 				"foo": []byte("{{ $var := .secret | fromJson | toYaml }}{{ $var }}"),
    290. 

  290. 			},
    291. 

  291. 			data: map[string][]byte{
    292. 

  292. 				"secret": []byte(`{"foo": "bar"}`),
    293. 

  293. 			},
    294. 

  294. 			expectedData: map[string][]byte{
    295. 

  295. 				"foo": []byte(`foo: bar`),
    296. 

  296. 			},
    297. 

  297. 		},
    298. 

  298. 		{
    299. 

  299. 			name: "fromYaml & toJson func",
    300. 

  300. 			tpl: map[string][]byte{
    301. 

  301. 				"foo": []byte("{{ $var := .secret | fromYaml | toJson }}{{ $var }}"),
    302. 

  302. 			},
    303. 

  303. 			data: map[string][]byte{
    304. 

  304. 				"secret": []byte(`foo: bar`),
    305. 

  305. 			},
    306. 

  306. 			expectedData: map[string][]byte{
    307. 

  307. 				"foo": []byte(`{"foo":"bar"}`),
    308. 

  308. 			},
    309. 

  309. 		},
    310. 

  310. 		{
    311. 

  311. 			name: "use sprig functions",
    312. 

  312. 			tpl: map[string][]byte{
    313. 

  313. 				"foo": []byte(`{{ .path | ext }}`),
    314. 

  314. 			},
    315. 

  315. 			data: map[string][]byte{
    316. 

  316. 				"path": []byte(`foo/bar/baz.exe`),
    317. 

  317. 			},
    318. 

  318. 			expectedData: map[string][]byte{
    319. 

  319. 				"foo": []byte(`.exe`),
    320. 

  320. 			},
    321. 

  321. 		},
    322. 

  322. 		{
    323. 

  323. 			name: "use replace function",
    324. 

  324. 			tpl: map[string][]byte{
    325. 

  325. 				"foo": []byte(`{{ .conn | replace "postgres://" "db+postgresql://"}}`),
    326. 

  326. 			},
    327. 

  327. 			data: map[string][]byte{
    328. 

  328. 				"conn": []byte(`postgres://user:pass@db.host:5432/dbname`),
    329. 

  329. 			},
    330. 

  330. 			expectedData: map[string][]byte{
    331. 

  331. 				"foo": []byte(`db+postgresql://user:pass@db.host:5432/dbname`),
    332. 

  332. 			},
    333. 

  333. 		},
    334. 

  334. 		{
    335. 

  335. 			name: "use upper function",
    336. 

  336. 			tpl: map[string][]byte{
    337. 

  337. 				"foo": []byte(`{{ .value | upper }}`),
    338. 

  338. 			},
    339. 

  339. 			data: map[string][]byte{
    340. 

  340. 				"value": []byte(`username`),
    341. 

  341. 			},
    342. 

  342. 			expectedData: map[string][]byte{
    343. 

  343. 				"foo": []byte(`USERNAME`),
    344. 

  344. 			},
    345. 

  345. 		},
    346. 

  346. 		{
    347. 

  347. 			name: "multiline template",
    348. 

  348. 			tpl: map[string][]byte{
    349. 

  349. 				"cfg": []byte(`
    350. 

  350. 		datasources:
    351. 

  351. 		- name: Graphite
    352. 

  352. 			type: graphite
    353. 

  353. 			access: proxy
    354. 

  354. 			url: http://localhost:8080
    355. 

  355. 			password: "{{ .password }}"
    356. 

  356. 			user: "{{ .user }}"`),
    357. 

  357. 			},
    358. 

  358. 			data: map[string][]byte{
    359. 

  359. 				"user":     []byte(`foobert`),
    360. 

  360. 				"password": []byte("harharhar"),
    361. 

  361. 			},
    362. 

  362. 			expectedData: map[string][]byte{
    363. 

  363. 				"cfg": []byte(`
    364. 

  364. 		datasources:
    365. 

  365. 		- name: Graphite
    366. 

  366. 			type: graphite
    367. 

  367. 			access: proxy
    368. 

  368. 			url: http://localhost:8080
    369. 

  369. 			password: "harharhar"
    370. 

  370. 			user: "foobert"`),
    371. 

  371. 			},
    372. 

  372. 		},
    373. 

  373. 		{
    374. 

  374. 			name: "base64 pipeline",
    375. 

  375. 			tpl: map[string][]byte{
    376. 

  376. 				"foo": []byte(`{{ "123412341234" | b64enc | b64dec }}`),
    377. 

  377. 			},
    378. 

  378. 			data: map[string][]byte{},
    379. 

  379. 			expectedData: map[string][]byte{
    380. 

  380. 				"foo": []byte("123412341234"),
    381. 

  381. 			},
    382. 

  382. 		},
    383. 

  383. 		{
    384. 

  384. 			name: "base64 pkcs12 extract",
    385. 

  385. 			tpl: map[string][]byte{
    386. 

  386. 				"key":  []byte(`{{ .secret | b64dec | pkcs12key }}`),
    387. 

  387. 				"cert": []byte(`{{ .secret | b64dec | pkcs12cert }}`),
    388. 

  388. 			},
    389. 

  389. 			data: map[string][]byte{
    390. 

  390. 				"secret": []byte(pkcs12ContentNoPass),
    391. 

  391. 			},
    392. 

  392. 			expectedData: map[string][]byte{
    393. 

  393. 				"key":  []byte(pkcs12Key),
    394. 

  394. 				"cert": []byte(pkcs12Cert),
    395. 

  395. 			},
    396. 

  396. 		},
    397. 

  397. 		{
    398. 

  398. 			name: "base64 pkcs12 extract with password",
    399. 

  399. 			tpl: map[string][]byte{
    400. 

  400. 				"key":  []byte(`{{ .secret | b64dec | pkcs12keyPass "123456" }}`),
    401. 

  401. 				"cert": []byte(`{{ .secret | b64dec | pkcs12certPass "123456" }}`),
    402. 

  402. 			},
    403. 

  403. 			data: map[string][]byte{
    404. 

  404. 				"secret": []byte(pkcs12ContentWithPass),
    405. 

  405. 			},
    406. 

  406. 			expectedData: map[string][]byte{
    407. 

  407. 				"key":  []byte(pkcs12Key),
    408. 

  408. 				"cert": []byte(pkcs12Cert),
    409. 

  409. 			},
    410. 

  410. 		},
    411. 

  411. 		{
    412. 

  412. 			name: "base64 decode error",
    413. 

  413. 			tpl: map[string][]byte{
    414. 

  414. 				"key": []byte(`{{ .example | b64dec }}`),
    415. 

  415. 			},
    416. 

  416. 			data: map[string][]byte{
    417. 

  417. 				"example": []byte("iam_no_base64"),
    418. 

  418. 			},
    419. 

  419. 			expErr: "", // silent error
    420. 

  420. 		},
    421. 

  421. 		{
    422. 

  422. 			name: "pkcs12 key wrong password",
    423. 

  423. 			tpl: map[string][]byte{
    424. 

  424. 				"key": []byte(`{{ .secret | b64dec | pkcs12keyPass "wrong" }}`),
    425. 

  425. 			},
    426. 

  426. 			data: map[string][]byte{
    427. 

  427. 				"secret": []byte(pkcs12ContentWithPass),
    428. 

  428. 			},
    429. 

  429. 			expErr: "unable to decode pkcs12",
    430. 

  430. 		},
    431. 

  431. 		{
    432. 

  432. 			name: "pkcs12 cert wrong password",
    433. 

  433. 			tpl: map[string][]byte{
    434. 

  434. 				"cert": []byte(`{{ .secret | b64dec | pkcs12certPass "wrong" }}`),
    435. 

  435. 			},
    436. 

  436. 			data: map[string][]byte{
    437. 

  437. 				"secret": []byte(pkcs12ContentWithPass),
    438. 

  438. 			},
    439. 

  439. 			expErr: "unable to decode pkcs12",
    440. 

  440. 		},
    441. 

  441. 		{
    442. 

  442. 			name: "fromJson error",
    443. 

  443. 			tpl: map[string][]byte{
    444. 

  444. 				"key": []byte(`{{ "{ # no json # }" | fromJson }}`),
    445. 

  445. 			},
    446. 

  446. 			data:   map[string][]byte{},
    447. 

  447. 			expErr: "", // silent error
    448. 

  448. 		},
    449. 

  449. 		{
    450. 

  450. 			name: "template syntax error",
    451. 

  451. 			tpl: map[string][]byte{
    452. 

  452. 				"key": []byte(`{{ #xx }}`),
    453. 

  453. 			},
    454. 

  454. 			data:   map[string][]byte{},
    455. 

  455. 			expErr: "unable to parse template",
    456. 

  456. 		},
    457. 

  457. 		{
    458. 

  458. 			name: "unknown key error",
    459. 

  459. 			tpl: map[string][]byte{
    460. 

  460. 				"key": []byte(`{{ .unknown }}`),
    461. 

  461. 			},
    462. 

  462. 			data:   map[string][]byte{},
    463. 

  463. 			expErr: "unable to execute template at key key",
    464. 

  464. 		},
    465. 

  465. 		{
    466. 

  466. 			name: "jwk rsa pub pem",
    467. 

  467. 			tpl: map[string][]byte{
    468. 

  468. 				"fn": []byte(`{{ .secret | jwkPublicKeyPem }}`),
    469. 

  469. 			},
    470. 

  470. 			data: map[string][]byte{
    471. 

  471. 				"secret": []byte(jwkPubRSA),
    472. 

  472. 			},
    473. 

  473. 			expectedData: map[string][]byte{
    474. 

  474. 				"fn": []byte(jwkPubRSAPKIX),
    475. 

  475. 			},
    476. 

  476. 		},
    477. 

  477. 		{
    478. 

  478. 			name: "jwk rsa priv pem",
    479. 

  479. 			tpl: map[string][]byte{
    480. 

  480. 				"fn": []byte(`{{ .secret | jwkPrivateKeyPem }}`),
    481. 

  481. 			},
    482. 

  482. 			data: map[string][]byte{
    483. 

  483. 				"secret": []byte(jwkPrivRSA),
    484. 

  484. 			},
    485. 

  485. 			expectedData: map[string][]byte{
    486. 

  486. 				"fn": []byte(jwkPrivRSAPKCS8),
    487. 

  487. 			},
    488. 

  488. 		},
    489. 

  489. 		{
    490. 

  490. 			name: "jwk ecdsa pub pem",
    491. 

  491. 			tpl: map[string][]byte{
    492. 

  492. 				"fn": []byte(`{{ .secret | jwkPublicKeyPem }}`),
    493. 

  493. 			},
    494. 

  494. 			data: map[string][]byte{
    495. 

  495. 				"secret": []byte(jwkPubEC),
    496. 

  496. 			},
    497. 

  497. 			expectedData: map[string][]byte{
    498. 

  498. 				"fn": []byte(jwkPubECPKIX),
    499. 

  499. 			},
    500. 

  500. 		},
    501. 

  501. 		{
    502. 

  502. 			name: "jwk ecdsa priv pem",
    503. 

  503. 			tpl: map[string][]byte{
    504. 

  504. 				"fn": []byte(`{{ .secret | jwkPrivateKeyPem }}`),
    505. 

  505. 			},
    506. 

  506. 			data: map[string][]byte{
    507. 

  507. 				"secret": []byte(jwkPrivEC),
    508. 

  508. 			},
    509. 

  509. 			expectedData: map[string][]byte{
    510. 

  510. 				"fn": []byte(jwkPrivECPKCS8),
    511. 

  511. 			},
    512. 

  512. 		},
    513. 

  513. 		{
    514. 

  514. 			name: "filter pem certificate",
    515. 

  515. 			tpl: map[string][]byte{
    516. 

  516. 				"fn": []byte(`{{ .secret | filterPEM "CERTIFICATE" }}`),
    517. 

  517. 			},
    518. 

  518. 			data: map[string][]byte{
    519. 

  519. 				"secret": []byte(jwkPrivRSAPKCS8 + pkcs12Cert),
    520. 

  520. 			},
    521. 

  521. 			expectedData: map[string][]byte{
    522. 

  522. 				"fn": []byte(pkcs12Cert),
    523. 

  523. 			},
    524. 

  524. 		},
    525. 

  525. 		{
    526. 

  526. 			name: "labels",
    527. 

  527. 			tpl: map[string][]byte{
    528. 

  528. 				"foo": []byte("{{ .secret | b64dec }}"),
    529. 

  529. 			},
    530. 

  530. 			labelsTpl: map[string][]byte{
    531. 

  531. 				"bar": []byte("{{ .env | b64dec }}"),
    532. 

  532. 			},
    533. 

  533. 			data: map[string][]byte{
    534. 

  534. 				"secret": []byte("MTIzNA=="),
    535. 

  535. 				"env":    []byte("ZGV2"),
    536. 

  536. 			},
    537. 

  537. 			expectedData: map[string][]byte{
    538. 

  538. 				"foo": []byte("1234"),
    539. 

  539. 			},
    540. 

  540. 			expectedLabels: map[string]string{
    541. 

  541. 				"bar": "dev",
    542. 

  542. 			},
    543. 

  543. 		},
    544. 

  544. 		{
    545. 

  545. 			name: "annotations",
    546. 

  546. 			tpl: map[string][]byte{
    547. 

  547. 				"foo": []byte("{{ .secret | b64dec }}"),
    548. 

  548. 			},
    549. 

  549. 			annotationsTpl: map[string][]byte{
    550. 

  550. 				"bar": []byte("{{ .env | b64dec }}"),
    551. 

  551. 			},
    552. 

  552. 			data: map[string][]byte{
    553. 

  553. 				"secret": []byte("MTIzNA=="),
    554. 

  554. 				"env":    []byte("ZGV2"),
    555. 

  555. 			},
    556. 

  556. 			expectedData: map[string][]byte{
    557. 

  557. 				"foo": []byte("1234"),
    558. 

  558. 			},
    559. 

  559. 			expectedAnnotations: map[string]string{
    560. 

  560. 				"bar": "dev",
    561. 

  561. 			},
    562. 

  562. 		},
    563. 

  563. 		{
    564. 

  564. 			name: "stringData",
    565. 

  565. 			stringDataTpl: map[string][]byte{
    566. 

  566. 				"foo": []byte("{{ .secret | b64dec }}"),
    567. 

  567. 			},
    568. 

  568. 			data: map[string][]byte{
    569. 

  569. 				"secret": []byte("MTIzNA=="),
    570. 

  570. 				"env":    []byte("ZGV2"),
    571. 

  571. 			},
    572. 

  572. 			expectedStringData: map[string]string{
    573. 

  573. 				"foo": "1234",
    574. 

  574. 			},
    575. 

  575. 		},
    576. 

  576. 		{
    577. 

  577. 			name: "NonStandardDelimiters",
    578. 

  578. 			stringDataTpl: map[string][]byte{
    579. 

  579. 				"foo": []byte("<< .secret | b64dec >>"),
    580. 

  580. 			},
    581. 

  581. 			leftDelimiter:  "<<",
    582. 

  582. 			rightDelimiter: ">>",
    583. 

  583. 			data: map[string][]byte{
    584. 

  584. 				"secret": []byte("MTIzNA=="),
    585. 

  585. 				"env":    []byte("ZGV2"),
    586. 

  586. 			},
    587. 

  587. 			expectedStringData: map[string]string{
    588. 

  588. 				"foo": "1234",
    589. 

  589. 			},
    590. 

  590. 		},
    591. 

  591. 		{
    592. 

  592. 			name: "rsa decrypt rsa-oaep sha1 pkcs8 data base64",
    593. 

  593. 			tpl: map[string][]byte{
    594. 

  594. 				"data_decrypted": []byte(`{{ .private_key | rsaDecrypt "RSA-OAEP" "SHA1" (.data_crypted_base64 | b64dec) }}`),
    595. 

  595. 			},
    596. 

  596. 			data: map[string][]byte{
    597. 

  597. 				"private_key":         []byte(rsaDecryptPKRSAPKCS8),
    598. 

  598. 				"data_crypted_base64": []byte(rsaDecryptDataPKCS8Base64),
    599. 

  599. 			},
    600. 

  600. 			expectedData: map[string][]byte{
    601. 

  601. 				"data_decrypted": []byte("a1b2c3d4"),
    602. 

  602. 			},
    603. 

  603. 		},
    604. 

  604. 		{
    605. 

  605. 			name: "rsa decrypt rsa-oaep sha256 pkcs1 data base64",
    606. 

  606. 			tpl: map[string][]byte{
    607. 

  607. 				"data_decrypted": []byte(`{{ .private_key | rsaDecrypt "RSA-OAEP" "SHA256" (.data_crypted_base64 | b64dec) }}`),
    608. 

  608. 			},
    609. 

  609. 			data: map[string][]byte{
    610. 

  610. 				"private_key":         []byte(rsaDecryptPKRSAPKCS1),
    611. 

  611. 				"data_crypted_base64": []byte(rsaDecryptDataPKCS1Base64),
    612. 

  612. 			},
    613. 

  613. 			expectedData: map[string][]byte{
    614. 

  614. 				"data_decrypted": []byte("hellopkcs1sha256"),
    615. 

  615. 			},
    616. 

  616. 		},
    617. 

  617. 		{
    618. 

  618. 			name: "rsa decrypt rsa-oaep sha256 pkcs1 data bin",
    619. 

  619. 			tpl: map[string][]byte{
    620. 

  620. 				"data_decrypted": []byte(`{{ .private_key | rsaDecrypt "RSA-OAEP" "SHA256" .data_crypted_bin }}`),
    621. 

  621. 			},
    622. 

  622. 			data: map[string][]byte{
    623. 

  623. 				"private_key":      []byte(rsaDecryptPKRSAPKCS1),
    624. 

  624. 				"data_crypted_bin": rsaEncryptOAEP(t, []byte(rsaDecryptPubKeyRSAPKCS1), "SHA256", "hellopkcs1sha256"),
    625. 

  625. 			},
    626. 

  626. 			expectedData: map[string][]byte{
    627. 

  627. 				"data_decrypted": []byte("hellopkcs1sha256"),
    628. 

  628. 			},
    629. 

  629. 		},
    630. 

  630. 	}
    631. 

  631. 

  632. 	for i := range tbl {
    633. 

  633. 		row := tbl[i]
    634. 

  634. 		t.Run(row.name, func(t *testing.T) {
    635. 

  635. 			sec := &corev1.Secret{
    636. 

  636. 				Data:       make(map[string][]byte),
    637. 

  637. 				StringData: make(map[string]string),
    638. 

  638. 				ObjectMeta: v1.ObjectMeta{Labels: make(map[string]string), Annotations: make(map[string]string)},
    639. 

  639. 			}
    640. 

  640. 			oldLeftDelim := leftDelim
    641. 

  641. 			oldRightDelim := rightDelim
    642. 

  642. 			if row.leftDelimiter != "" {
    643. 

  643. 				leftDelim = row.leftDelimiter
    644. 

  644. 			}
    645. 

  645. 			if row.rightDelimiter != "" {
    646. 

  646. 				rightDelim = row.rightDelimiter
    647. 

  647. 			}
    648. 

  648. 			defer func() {
    649. 

  649. 				leftDelim = oldLeftDelim
    650. 

  650. 				rightDelim = oldRightDelim
    651. 

  651. 			}()
    652. 

  652. 			err := Execute(row.tpl, row.data, esapi.TemplateScopeValues, esapi.TemplateTargetData, sec)
    653. 

  653. 			if !ErrorContains(err, row.expErr) {
    654. 

  654. 				t.Errorf("unexpected error: %s, expected: %s", err, row.expErr)
    655. 

  655. 			}
    656. 

  656. 			err = Execute(row.labelsTpl, row.data, esapi.TemplateScopeValues, esapi.TemplateTargetLabels, sec)
    657. 

  657. 			if !ErrorContains(err, row.expLblErr) {
    658. 

  658. 				t.Errorf("unexpected error: %s, expected: %s", err, row.expErr)
    659. 

  659. 			}
    660. 

  660. 			err = Execute(row.annotationsTpl, row.data, esapi.TemplateScopeValues, esapi.TemplateTargetAnnotations, sec)
    661. 

  661. 			if !ErrorContains(err, row.expAnnoErr) {
    662. 

  662. 				t.Errorf("unexpected error: %s, expected: %s", err, row.expErr)
    663. 

  663. 			}
    664. 

  664. 			if row.expectedData != nil {
    665. 

  665. 				assert.EqualValues(t, row.expectedData, sec.Data)
    666. 

  666. 			}
    667. 

  667. 			if row.expectedLabels != nil {
    668. 

  668. 				assert.EqualValues(t, row.expectedLabels, sec.ObjectMeta.Labels)
    669. 

  669. 			}
    670. 

  670. 			if row.expectedAnnotations != nil {
    671. 

  671. 				assert.EqualValues(t, row.expectedAnnotations, sec.ObjectMeta.Annotations)
    672. 

  672. 			}
    673. 

  673. 		})
    674. 

  674. 	}
    675. 

  675. }
    676. 

  676. 

  677. func TestScopeValuesWithSecretFieldsNil(t *testing.T) {
    678. 

  678. 	tbl := []struct {
    679. 

  679. 		name               string
    680. 

  680. 		tpl                map[string][]byte
    681. 

  681. 		target             esapi.TemplateTarget
    682. 

  682. 		data               map[string][]byte
    683. 

  683. 		expectedData       map[string][]byte
    684. 

  684. 		expectedStringData map[string]string
    685. 

  685. 		expErr             string
    686. 

  686. 	}{
    687. 

  687. 		{
    688. 

  688. 			name:   "test empty",
    689. 

  689. 			tpl:    map[string][]byte{},
    690. 

  690. 			target: esapi.TemplateTargetData,
    691. 

  691. 			data:   nil,
    692. 

  692. 		},
    693. 

  693. 		{
    694. 

  694. 			name:   "test byte",
    695. 

  695. 			tpl:    map[string][]byte{"foo": []byte("bar")},
    696. 

  696. 			target: esapi.TemplateTargetData,
    697. 

  697. 			data: map[string][]byte{
    698. 

  698. 				"key":   []byte("foo"),
    699. 

  699. 				"value": []byte("bar"),
    700. 

  700. 			},
    701. 

  701. 			expectedData: map[string][]byte{
    702. 

  702. 				"foo": []byte("bar"),
    703. 

  703. 			},
    704. 

  704. 		},
    705. 

  705. 		{
    706. 

  706. 			name:   "test Annotations",
    707. 

  707. 			tpl:    map[string][]byte{"foo": []byte("bar")},
    708. 

  708. 			target: esapi.TemplateTargetAnnotations,
    709. 

  709. 			data: map[string][]byte{
    710. 

  710. 				"key":   []byte("foo"),
    711. 

  711. 				"value": []byte("bar"),
    712. 

  712. 			},
    713. 

  713. 			expectedStringData: map[string]string{
    714. 

  714. 				"foo": "bar",
    715. 

  715. 			},
    716. 

  716. 		},
    717. 

  717. 		{
    718. 

  718. 			name:   "test Labels",
    719. 

  719. 			tpl:    map[string][]byte{"foo": []byte("bar")},
    720. 

  720. 			target: esapi.TemplateTargetLabels,
    721. 

  721. 			data: map[string][]byte{
    722. 

  722. 				"key":   []byte("foo"),
    723. 

  723. 				"value": []byte("bar"),
    724. 

  724. 			},
    725. 

  725. 			expectedStringData: map[string]string{
    726. 

  726. 				"foo": "bar",
    727. 

  727. 			},
    728. 

  728. 		},
    729. 

  729. 	}
    730. 

  730. 	for i := range tbl {
    731. 

  731. 		row := tbl[i]
    732. 

  732. 		t.Run(row.name, func(t *testing.T) {
    733. 

  733. 			sec := &corev1.Secret{}
    734. 

  734. 			err := Execute(row.tpl, row.data, esapi.TemplateScopeValues, row.target, sec)
    735. 

  735. 			if !ErrorContains(err, row.expErr) {
    736. 

  736. 				t.Errorf("unexpected error: %s, expected: %s", err, row.expErr)
    737. 

  737. 			}
    738. 

  738. 			switch row.target {
    739. 

  739. 			case esapi.TemplateTargetData:
    740. 

  740. 				if row.expectedData != nil {
    741. 

  741. 					assert.EqualValues(t, row.expectedData, sec.Data)
    742. 

  742. 				}
    743. 

  743. 			case esapi.TemplateTargetLabels:
    744. 

  744. 				if row.expectedStringData != nil {
    745. 

  745. 					assert.EqualValues(t, row.expectedStringData, sec.Labels)
    746. 

  746. 				}
    747. 

  747. 			case esapi.TemplateTargetAnnotations:
    748. 

  748. 				if row.expectedStringData != nil {
    749. 

  749. 					assert.EqualValues(t, row.expectedStringData, sec.Annotations)
    750. 

  750. 				}
    751. 

  751. 			}
    752. 

  752. 		})
    753. 

  753. 	}
    754. 

  754. }
    755. 

  755. 

  756. func TestExecuteInvalidTemplateScope(t *testing.T) {
    757. 

  757. 	sec := &corev1.Secret{}
    758. 

  758. 	err := Execute(map[string][]byte{"foo": []byte("bar")}, nil, "invalid", esapi.TemplateTargetData, sec)
    759. 

  759. 	require.Error(t, err)
    760. 

  760. 	assert.ErrorContains(t, err, "expected 'Values' or 'KeysAndValues'")
    761. 

  761. }
    762. 

  762. 

  763. func TestScopeKeysAndValues(t *testing.T) {
    764. 

  764. 	tbl := []struct {
    765. 

  765. 		name               string
    766. 

  766. 		tpl                map[string][]byte
    767. 

  767. 		target             esapi.TemplateTarget
    768. 

  768. 		data               map[string][]byte
    769. 

  769. 		expectedData       map[string][]byte
    770. 

  770. 		expectedStringData map[string]string
    771. 

  771. 		expErr             string
    772. 

  772. 	}{
    773. 

  773. 		{
    774. 

  774. 			name:   "test empty",
    775. 

  775. 			tpl:    map[string][]byte{"literal": []byte("")},
    776. 

  776. 			target: "Data",
    777. 

  777. 			data:   nil,
    778. 

  778. 		},
    779. 

  779. 		{
    780. 

  780. 			name:   "test base64",
    781. 

  781. 			tpl:    map[string][]byte{"literal": []byte("{{ .key }}: {{ .value }}")},
    782. 

  782. 			target: esapi.TemplateTargetData,
    783. 

  783. 			data: map[string][]byte{
    784. 

  784. 				"key":   []byte("foo"),
    785. 

  785. 				"value": []byte("bar"),
    786. 

  786. 			},
    787. 

  787. 			expectedData: map[string][]byte{
    788. 

  788. 				"foo": []byte("bar"),
    789. 

  789. 			},
    790. 

  790. 		},
    791. 

  791. 		{
    792. 

  792. 			name:   "test Annotations",
    793. 

  793. 			tpl:    map[string][]byte{"literal": []byte("{{ .key }}: {{ .value }}")},
    794. 

  794. 			target: esapi.TemplateTargetAnnotations,
    795. 

  795. 			data: map[string][]byte{
    796. 

  796. 				"key":   []byte("foo"),
    797. 

  797. 				"value": []byte("bar"),
    798. 

  798. 			},
    799. 

  799. 			expectedStringData: map[string]string{
    800. 

  800. 				"foo": "bar",
    801. 

  801. 			},
    802. 

  802. 		},
    803. 

  803. 		{
    804. 

  804. 			name:   "test Labels",
    805. 

  805. 			tpl:    map[string][]byte{"literal": []byte("{{ .key }}: {{ .value }}")},
    806. 

  806. 			target: esapi.TemplateTargetLabels,
    807. 

  807. 			data: map[string][]byte{
    808. 

  808. 				"key":   []byte("foo"),
    809. 

  809. 				"value": []byte("bar"),
    810. 

  810. 			},
    811. 

  811. 			expectedStringData: map[string]string{
    812. 

  812. 				"foo": "bar",
    813. 

  813. 			},
    814. 

  814. 		},
    815. 

  815. 	}
    816. 

  816. 	for i := range tbl {
    817. 

  817. 		row := tbl[i]
    818. 

  818. 		t.Run(row.name, func(t *testing.T) {
    819. 

  819. 			sec := &corev1.Secret{
    820. 

  820. 				Data:       make(map[string][]byte),
    821. 

  821. 				StringData: make(map[string]string),
    822. 

  822. 				ObjectMeta: v1.ObjectMeta{Labels: make(map[string]string), Annotations: make(map[string]string)},
    823. 

  823. 			}
    824. 

  824. 			err := Execute(row.tpl, row.data, esapi.TemplateScopeKeysAndValues, row.target, sec)
    825. 

  825. 			if !ErrorContains(err, row.expErr) {
    826. 

  826. 				t.Errorf("unexpected error: %s, expected: %s", err, row.expErr)
    827. 

  827. 			}
    828. 

  828. 			switch row.target {
    829. 

  829. 			case esapi.TemplateTargetData:
    830. 

  830. 				if row.expectedData != nil {
    831. 

  831. 					assert.EqualValues(t, row.expectedData, sec.Data)
    832. 

  832. 				}
    833. 

  833. 			case esapi.TemplateTargetLabels:
    834. 

  834. 				if row.expectedStringData != nil {
    835. 

  835. 					assert.EqualValues(t, row.expectedStringData, sec.Labels)
    836. 

  836. 				}
    837. 

  837. 			case esapi.TemplateTargetAnnotations:
    838. 

  838. 				if row.expectedStringData != nil {
    839. 

  839. 					assert.EqualValues(t, row.expectedStringData, sec.Annotations)
    840. 

  840. 				}
    841. 

  841. 			}
    842. 

  842. 		})
    843. 

  843. 	}
    844. 

  844. }
    845. 

  845. func ErrorContains(out error, want string) bool {
    846. 

  846. 	if out == nil {
    847. 

  847. 		return want == ""
    848. 

  848. 	}
    849. 

  849. 	if want == "" {
    850. 

  850. 		return false
    851. 

  851. 	}
    852. 

  852. 	return strings.Contains(out.Error(), want)
    853. 

  853. }
    854. 

  854. 

  855. func TestPkcs12certPass(t *testing.T) {
    856. 

  856. 	const (
    857. 

  857. 		leafCertPath         = "_testdata/foo.crt"
    858. 

  858. 		intermediateCertPath = "_testdata/intermediate-ca.crt"
    859. 

  859. 		rootCertPath         = "_testdata/root-ca.crt"
    860. 

  860. 		disjunctCertPath     = "_testdata/disjunct-root-ca.crt"
    861. 

  861. 	)
    862. 

  862. 	type args struct {
    863. 

  863. 		pass     string
    864. 

  864. 		filename string
    865. 

  865. 	}
    866. 

  866. 	type testCase struct {
    867. 

  867. 		name    string
    868. 

  868. 		args    args
    869. 

  869. 		want    []string
    870. 

  870. 		wantErr bool
    871. 

  871. 	}
    872. 

  872. 	tests := []testCase{
    873. 

  873. 		{
    874. 

  874. 			// this case expects the whole chain to be stored
    875. 

  875. 			// in a single bag.
    876. 

  876. 			// bag(1): leaf/root/intermediate cert
    877. 

  877. 			// bag(2): private key
    878. 

  878. 			name: "read file without password",
    879. 

  879. 			args: args{
    880. 

  880. 				pass:     "",
    881. 

  881. 				filename: "_testdata/foo-nopass.pfx",
    882. 

  882. 			},
    883. 

  883. 			want: []string{
    884. 

  884. 				// this order is important
    885. 

  885. 				leafCertPath,
    886. 

  886. 				intermediateCertPath,
    887. 

  887. 				rootCertPath,
    888. 

  888. 			},
    889. 

  889. 		},
    890. 

  890. 		{
    891. 

  891. 			// same as above but with password
    892. 

  892. 			name: "read file with password",
    893. 

  893. 			args: args{
    894. 

  894. 				pass:     "1234",
    895. 

  895. 				filename: "_testdata/foo-withpass-1234.pfx",
    896. 

  896. 			},
    897. 

  897. 			want: []string{
    898. 

  898. 				// this order is important
    899. 

  899. 				leafCertPath,
    900. 

  900. 				intermediateCertPath,
    901. 

  901. 				rootCertPath,
    902. 

  902. 			},
    903. 

  903. 		},
    904. 

  904. 		{
    905. 

  905. 			// cert chain may be stored in different bags
    906. 

  906. 			// this test case uses a pfx that has the following structure:
    907. 

  907. 			// bag(1): leaf certificate
    908. 

  908. 			// bag(2): root + intermediate cert
    909. 

  909. 			// bag(3): private key
    910. 

  910. 			name: "read multibag cert chain",
    911. 

  911. 			args: args{
    912. 

  912. 				pass:     "",
    913. 

  913. 				filename: "_testdata/foo-multibag-nopass.pfx",
    914. 

  914. 			},
    915. 

  915. 			want: []string{
    916. 

  916. 				// this order is important
    917. 

  917. 				leafCertPath,
    918. 

  918. 				intermediateCertPath,
    919. 

  919. 				rootCertPath,
    920. 

  920. 			},
    921. 

  921. 		},
    922. 

  922. 		{
    923. 

  923. 			// cert chain may contain a disjunct cert
    924. 

  924. 			// bag(1): leaf/root/intermediate/disjunct
    925. 

  925. 			// bag(2): private key
    926. 

  926. 			name: "read disjunct cert chain",
    927. 

  927. 			args: args{
    928. 

  928. 				pass:     "",
    929. 

  929. 				filename: "_testdata/foo-disjunct-nopass.pfx",
    930. 

  930. 			},
    931. 

  931. 			want: []string{
    932. 

  932. 				// this order is important
    933. 

  933. 				leafCertPath,
    934. 

  934. 				rootCertPath,
    935. 

  935. 				intermediateCertPath,
    936. 

  936. 				disjunctCertPath,
    937. 

  937. 			},
    938. 

  938. 		},
    939. 

  939. 		{
    940. 

  940. 			name: "read file wrong password",
    941. 

  941. 			args: args{
    942. 

  942. 				pass:     "wrongpass",
    943. 

  943. 				filename: "_testdata/foo-withpass-1234.pfx",
    944. 

  944. 			},
    945. 

  945. 			wantErr: true,
    946. 

  946. 		},
    947. 

  947. 	}
    948. 

  948. 

  949. 	testFunc := func(t *testing.T, tc testCase) {
    950. 

  950. 		archive, err := os.ReadFile(tc.args.filename)
    951. 

  951. 		if err != nil {
    952. 

  952. 			t.Error(err)
    953. 

  953. 		}
    954. 

  954. 		var expOut []byte
    955. 

  955. 		for _, w := range tc.want {
    956. 

  956. 			c, err := os.ReadFile(w)
    957. 

  957. 			if err != nil {
    958. 

  958. 				t.Error(err)
    959. 

  959. 			}
    960. 

  960. 			expOut = append(expOut, c...)
    961. 

  961. 		}
    962. 

  962. 		got, err := pkcs12certPass(tc.args.pass, string(archive))
    963. 

  963. 		if (err != nil) != tc.wantErr {
    964. 

  964. 			t.Errorf("pkcs12certPass() error = %v, wantErr %v", err, tc.wantErr)
    965. 

  965. 			return
    966. 

  966. 		}
    967. 

  967. 		if diff := cmp.Diff(string(expOut), got); diff != "" {
    968. 

  968. 			t.Errorf("pkcs12certPass() = diff:\n%s", diff)
    969. 

  969. 		}
    970. 

  970. 	}
    971. 

  971. 

  972. 	for _, tt := range tests {
    973. 

  973. 		t.Run(tt.name, func(t *testing.T) {
    974. 

  974. 			testFunc(t, tt)
    975. 

  975. 		})
    976. 

  976. 	}
    977. 

  977. }
    978.