logic855
/
helm-external-secrets
mirror of https://github.com/external-secrets/external-secrets


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740
							/*
Copyright © The ESO Authors

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    https://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package conjur

import (
	"context"
	"errors"
	"fmt"
	"reflect"
	"testing"
	"time"

	"github.com/cyberark/conjur-api-go/conjurapi"
	"github.com/cyberark/conjur-api-go/conjurapi/authn"
	"github.com/golang-jwt/jwt/v5"
	"github.com/google/go-cmp/cmp"
	corev1 "k8s.io/api/core/v1"
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
	typedcorev1 "k8s.io/client-go/kubernetes/typed/core/v1"
	kclient "sigs.k8s.io/controller-runtime/pkg/client"
	clientfake "sigs.k8s.io/controller-runtime/pkg/client/fake"

	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
	"github.com/external-secrets/external-secrets/providers/v1/conjur/fake"
	utilfake "github.com/external-secrets/external-secrets/runtime/util/fake"
)

var (
	svcURL           = "https://example.com"
	svcUser          = "user"
	svcApikey        = "apikey"
	svcAccount       = "account1"
	jwtAuthenticator = "jwt-authenticator"
	jwtAuthnService  = "jwt-auth-service"
	jwtSecretName    = "jwt-secret"
)

func makeValidRef(k string) *esv1.ExternalSecretDataRemoteRef {
	return &esv1.ExternalSecretDataRemoteRef{
		Key:     k,
		Version: "default",
	}
}

func makeValidFindRef(search string, tags map[string]string) *esv1.ExternalSecretFind {
	var name *esv1.FindName
	if search != "" {
		name = &esv1.FindName{
			RegExp: search,
		}
	}
	return &esv1.ExternalSecretFind{
		Name: name,
		Tags: tags,
	}
}

func TestGetSecret(t *testing.T) {
	type args struct {
		store      esv1.GenericStore
		kube       kclient.Client
		corev1     typedcorev1.CoreV1Interface
		namespace  string
		secretPath string
	}

	type want struct {
		err   error
		value string
	}

	type testCase struct {
		reason string
		args   args
		want   want
	}

	cases := map[string]testCase{
		"ApiKeyReadSecretSuccess": {
			reason: "Should read a secret successfully using an ApiKey auth secret store.",
			args: args{
				store: makeAPIKeySecretStore(svcURL, "conjur-hostid", "conjur-apikey", "myconjuraccount"),
				kube: clientfake.NewClientBuilder().
					WithObjects(makeFakeAPIKeySecrets()...).Build(),
				namespace:  "default",
				secretPath: "path/to/secret",
			},
			want: want{
				err:   nil,
				value: "secret",
			},
		},
		"ApiKeyReadSecretFailure": {
			reason: "Should fail to read secret using ApiKey auth secret store.",
			args: args{
				store: makeAPIKeySecretStore(svcURL, "conjur-hostid", "conjur-apikey", "myconjuraccount"),
				kube: clientfake.NewClientBuilder().
					WithObjects(makeFakeAPIKeySecrets()...).Build(),
				namespace:  "default",
				secretPath: "error",
			},
			want: want{
				err:   errors.New("error"),
				value: "",
			},
		},
		"JwtWithServiceAccountRefReadSecretSuccess": {
			reason: "Should read a secret successfully using a JWT auth secret store that references a k8s service account.",
			args: args{
				store: makeJWTSecretStore(svcURL, svcAccount, "", jwtAuthenticator, "", "myconjuraccount"),
				kube: clientfake.NewClientBuilder().
					WithObjects().Build(),
				namespace:  "default",
				secretPath: "path/to/secret",
				corev1:     utilfake.NewCreateTokenMock().WithToken(createFakeJwtToken(true)),
			},
			want: want{
				err:   nil,
				value: "secret",
			},
		},
		"JwtWithServiceAccountRefWithHostIdReadSecretSuccess": {
			reason: "Should read a secret successfully using a JWT auth secret store that references a k8s service account and uses a host ID.",
			args: args{
				store: makeJWTSecretStore(svcURL, svcAccount, "", jwtAuthenticator, "myhostid", "myconjuraccount"),
				kube: clientfake.NewClientBuilder().
					WithObjects().Build(),
				namespace:  "default",
				secretPath: "path/to/secret",
				corev1:     utilfake.NewCreateTokenMock().WithToken(createFakeJwtToken(true)),
			},
			want: want{
				err:   nil,
				value: "secret",
			},
		},
		"JwtWithSecretRefReadSecretSuccess": {
			reason: "Should read a secret successfully using an JWT auth secret store that references a k8s secret.",
			args: args{
				store: makeJWTSecretStore(svcURL, "", jwtSecretName, jwtAuthenticator, "", "myconjuraccount"),
				kube: clientfake.NewClientBuilder().
					WithObjects(&corev1.Secret{
						ObjectMeta: metav1.ObjectMeta{
							Name:      jwtSecretName,
							Namespace: "default",
						},
						Data: map[string][]byte{
							"token": []byte(createFakeJwtToken(true)),
						},
					}).Build(),
				namespace:  "default",
				secretPath: "path/to/secret",
			},
			want: want{
				err:   nil,
				value: "secret",
			},
		},
		"JwtWithCABundleSuccess": {
			reason: "Should read a secret successfully using a JWT auth secret store that references a k8s service account.",
			args: args{
				store: makeJWTSecretStore(svcURL, svcAccount, "", jwtAuthenticator, "", "myconjuraccount"),
				kube: clientfake.NewClientBuilder().
					WithObjects().Build(),
				namespace:  "default",
				secretPath: "path/to/secret",
				corev1:     utilfake.NewCreateTokenMock().WithToken(createFakeJwtToken(true)),
			},
			want: want{
				err:   nil,
				value: "secret",
			},
		},
	}

	runTest := func(t *testing.T, _ string, tc testCase) {
		provider, _ := newConjurProvider(context.Background(), tc.args.store, tc.args.kube, tc.args.namespace, tc.args.corev1, &ConjurMockAPIClient{})
		ref := makeValidRef(tc.args.secretPath)
		secret, err := provider.GetSecret(context.Background(), *ref)
		if diff := cmp.Diff(tc.want.err, err, EquateErrors()); diff != "" {
			t.Errorf("\n%s\nconjur.GetSecret(...): -want error, +got error:\n%s", tc.reason, diff)
		}
		secretString := string(secret)
		if secretString != tc.want.value {
			t.Errorf("\n%s\nconjur.GetSecret(...): want value %v got %v", tc.reason, tc.want.value, secretString)
		}
	}

	for name, tc := range cases {
		t.Run(name, func(t *testing.T) {
			runTest(t, name, tc)
		})
	}
}

func TestGetAllSecrets(t *testing.T) {
	type args struct {
		store     esv1.GenericStore
		kube      kclient.Client
		corev1    typedcorev1.CoreV1Interface
		namespace string
		search    string
		tags      map[string]string
	}

	type want struct {
		err    error
		values map[string][]byte
	}

	type testCase struct {
		reason string
		args   args
		want   want
	}

	cases := map[string]testCase{
		"SimpleSearchSingleResultSuccess": {
			reason: "Should search for secrets successfully using a simple string.",
			args: args{
				store: makeAPIKeySecretStore(svcURL, "conjur-hostid", "conjur-apikey", "myconjuraccount"),
				kube: clientfake.NewClientBuilder().
					WithObjects(makeFakeAPIKeySecrets()...).Build(),
				namespace: "default",
				search:    "secret1",
			},
			want: want{
				err: nil,
				values: map[string][]byte{
					"secret1": []byte("secret"),
				},
			},
		},
		"RegexSearchMultipleResultsSuccess": {
			reason: "Should search for secrets successfully using a regex and return multiple results.",
			args: args{
				store: makeAPIKeySecretStore(svcURL, "conjur-hostid", "conjur-apikey", "myconjuraccount"),
				kube: clientfake.NewClientBuilder().
					WithObjects(makeFakeAPIKeySecrets()...).Build(),
				namespace: "default",
				search:    "^secret[1,2]$",
			},
			want: want{
				err: nil,
				values: map[string][]byte{
					"secret1": []byte("secret"),
					"secret2": []byte("secret"),
				},
			},
		},
		"RegexSearchInvalidRegexFailure": {
			reason: "Should fail to search for secrets using an invalid regex.",
			args: args{
				store: makeAPIKeySecretStore(svcURL, "conjur-hostid", "conjur-apikey", "myconjuraccount"),
				kube: clientfake.NewClientBuilder().
					WithObjects(makeFakeAPIKeySecrets()...).Build(),
				namespace: "default",
				search:    "^secret[1,2", // Missing `]`
			},
			want: want{
				err:    fmt.Errorf("could not compile find.name.regexp [%s]: %w", "^secret[1,2", errors.New("error parsing regexp: missing closing ]: `[1,2`")),
				values: nil,
			},
		},
		"SimpleSearchNoResultsSuccess": {
			reason: "Should search for secrets successfully using a simple string and return no results.",
			args: args{
				store: makeAPIKeySecretStore(svcURL, "conjur-hostid", "conjur-apikey", "myconjuraccount"),
				kube: clientfake.NewClientBuilder().
					WithObjects(makeFakeAPIKeySecrets()...).Build(),
				namespace: "default",
				search:    "nonexistent",
			},
			want: want{
				err:    nil,
				values: map[string][]byte{},
			},
		},
		"TagSearchSingleResultSuccess": {
			reason: "Should search for secrets successfully using a tag.",
			args: args{
				store: makeAPIKeySecretStore(svcURL, "conjur-hostid", "conjur-apikey", "myconjuraccount"),
				kube: clientfake.NewClientBuilder().
					WithObjects(makeFakeAPIKeySecrets()...).Build(),
				namespace: "default",
				tags: map[string]string{
					"conjur/kind": "password",
				},
			},
			want: want{
				err: nil,
				values: map[string][]byte{
					"secret2": []byte("secret"),
				},
			},
		},
	}

	runTest := func(t *testing.T, _ string, tc testCase) {
		provider, _ := newConjurProvider(context.Background(), tc.args.store, tc.args.kube, tc.args.namespace, tc.args.corev1, &ConjurMockAPIClient{})
		ref := makeValidFindRef(tc.args.search, tc.args.tags)
		secrets, err := provider.GetAllSecrets(context.Background(), *ref)
		if diff := cmp.Diff(tc.want.err, err, EquateErrors()); diff != "" {
			t.Errorf("\n%s\nconjur.GetAllSecrets(...): -want error, +got error:\n%s", tc.reason, diff)
		}
		if diff := cmp.Diff(tc.want.values, secrets); diff != "" {
			t.Errorf("\n%s\nconjur.GetAllSecrets(...): -want, +got:\n%s", tc.reason, diff)
		}
	}

	for name, tc := range cases {
		t.Run(name, func(t *testing.T) {
			runTest(t, name, tc)
		})
	}
}

func TestGetSecretMap(t *testing.T) {
	type args struct {
		store     esv1.GenericStore
		kube      kclient.Client
		corev1    typedcorev1.CoreV1Interface
		namespace string
		ref       *esv1.ExternalSecretDataRemoteRef
	}

	type want struct {
		err error
		val map[string][]byte
	}

	type testCase struct {
		reason string
		args   args
		want   want
	}

	cases := map[string]testCase{
		"ReadJsonSecret": {
			reason: "Should read a JSON key value secret.",
			args: args{
				store: makeAPIKeySecretStore(svcURL, "conjur-hostid", "conjur-apikey", "myconjuraccount"),
				kube: clientfake.NewClientBuilder().
					WithObjects(makeFakeAPIKeySecrets()...).Build(),
				namespace: "default",
				ref:       makeValidRef("json_map"),
			},
			want: want{
				err: nil,
				val: map[string][]byte{
					"key1": []byte("value1"),
					"key2": []byte("value2"),
				},
			},
		},
		"ReadJsonSecretFailure": {
			reason: "Should fail to read a non JSON secret",
			args: args{
				store: makeAPIKeySecretStore(svcURL, "conjur-hostid", "conjur-apikey", "myconjuraccount"),
				kube: clientfake.NewClientBuilder().
					WithObjects(makeFakeAPIKeySecrets()...).Build(),
				namespace: "default",
				ref:       makeValidRef("secret1"),
			},
			want: want{
				err: fmt.Errorf("%w", fmt.Errorf("unable to unmarshal secret secret1: invalid character 's' looking for beginning of value")),
				val: nil,
			},
		},
		"ReadJsonSecretSpecificKey": {
			reason: "Should read a specific key from a JSON secret.",
			args: args{
				store: makeAPIKeySecretStore(svcURL, "conjur-hostid", "conjur-apikey", "myconjuraccount"),
				kube: clientfake.NewClientBuilder().
					WithObjects(makeFakeAPIKeySecrets()...).Build(),
				namespace: "default",
				ref: &esv1.ExternalSecretDataRemoteRef{
					Key:      "json_nested",
					Version:  "default",
					Property: "key2",
				},
			},
			want: want{
				err: nil,
				val: map[string][]byte{
					"key3": []byte("value3"),
					"key4": []byte("value4"),
				},
			},
		},
		"ReadJsonSecretSpecificKeyNotFound": {
			reason: "Should fail to read a nonexistent key from a JSON secret.",
			args: args{
				store: makeAPIKeySecretStore(svcURL, "conjur-hostid", "conjur-apikey", "myconjuraccount"),
				kube: clientfake.NewClientBuilder().
					WithObjects(makeFakeAPIKeySecrets()...).Build(),
				namespace: "default",
				ref: &esv1.ExternalSecretDataRemoteRef{
					Key:      "json_map",
					Version:  "default",
					Property: "key3",
				},
			},
			want: want{
				err: fmt.Errorf("%w", errors.New("error getting secret json_map: cannot find secret data for key: \"key3\"")),
				val: nil,
			},
		},
	}

	runTest := func(t *testing.T, _ string, tc testCase) {
		provider, _ := newConjurProvider(context.Background(), tc.args.store, tc.args.kube, tc.args.namespace, tc.args.corev1, &ConjurMockAPIClient{})
		val, err := provider.GetSecretMap(context.Background(), *tc.args.ref)
		if diff := cmp.Diff(tc.want.err, err, EquateErrors()); diff != "" {
			t.Errorf("\n%s\nconjur.GetSecretMap(...): -want error, +got error:\n%s", tc.reason, diff)
		}
		if diff := cmp.Diff(tc.want.val, val); diff != "" {
			t.Errorf("\n%s\nconjur.GetSecretMap(...): -want val, +got val:\n%s", tc.reason, diff)
		}
	}

	for name, tc := range cases {
		t.Run(name, func(t *testing.T) {
			runTest(t, name, tc)
		})
	}
}

func TestGetCA(t *testing.T) {
	type args struct {
		store     esv1.GenericStore
		kube      kclient.Client
		corev1    typedcorev1.CoreV1Interface
		namespace string
	}

	type want struct {
		err  error
		cert string
	}

	type testCase struct {
		reason string
		args   args
		want   want
	}

	certData := `-----BEGIN CERTIFICATE-----
MIICGTCCAZ+gAwIBAgIQCeCTZaz32ci5PhwLBCou8zAKBggqhkjOPQQDAzBOMQsw
CQYDVQQGEwJVUzEXMBUGA1UEChMORGlnaUNlcnQsIEluYy4xJjAkBgNVBAMTHURp
Z2lDZXJ0IFRMUyBFQ0MgUDM4NCBSb290IEc1MB4XDTIxMDExNTAwMDAwMFoXDTQ2
MDExNDIzNTk1OVowTjELMAkGA1UEBhMCVVMxFzAVBgNVBAoTDkRpZ2lDZXJ0LCBJ
bmMuMSYwJAYDVQQDEx1EaWdpQ2VydCBUTFMgRUNDIFAzODQgUm9vdCBHNTB2MBAG
ByqGSM49AgEGBSuBBAAiA2IABMFEoc8Rl1Ca3iOCNQfN0MsYndLxf3c1TzvdlHJS
7cI7+Oz6e2tYIOyZrsn8aLN1udsJ7MgT9U7GCh1mMEy7H0cKPGEQQil8pQgO4CLp
0zVozptjn4S1mU1YoI71VOeVyaNCMEAwHQYDVR0OBBYEFMFRRVBZqz7nLFr6ICIS
B4CIfBFqMA4GA1UdDwEB/wQEAwIBhjAPBgNVHRMBAf8EBTADAQH/MAoGCCqGSM49
BAMDA2gAMGUCMQCJao1H5+z8blUD2WdsJk6Dxv3J+ysTvLd6jLRl0mlpYxNjOyZQ
LgGheQaRnUi/wr4CMEfDFXuxoJGZSZOoPHzoRgaLLPIxAJSdYsiJvRmEFOml+wG4
DXZDjC5Ty3zfDBeWUA==
-----END CERTIFICATE-----`
	certDataEncoded := "LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUNHVENDQVorZ0F3SUJBZ0lRQ2VDVFphejMyY2k1UGh3TEJDb3U4ekFLQmdncWhrak9QUVFEQXpCT01Rc3cKQ1FZRFZRUUdFd0pWVXpFWE1CVUdBMVVFQ2hNT1JHbG5hVU5sY25Rc0lFbHVZeTR4SmpBa0JnTlZCQU1USFVScApaMmxEWlhKMElGUk1VeUJGUTBNZ1VETTROQ0JTYjI5MElFYzFNQjRYRFRJeE1ERXhOVEF3TURBd01Gb1hEVFEyCk1ERXhOREl6TlRrMU9Wb3dUakVMTUFrR0ExVUVCaE1DVlZNeEZ6QVZCZ05WQkFvVERrUnBaMmxEWlhKMExDQkoKYm1NdU1TWXdKQVlEVlFRREV4MUVhV2RwUTJWeWRDQlVURk1nUlVORElGQXpPRFFnVW05dmRDQkhOVEIyTUJBRwpCeXFHU000OUFnRUdCU3VCQkFBaUEySUFCTUZFb2M4UmwxQ2EzaU9DTlFmTjBNc1luZEx4ZjNjMVR6dmRsSEpTCjdjSTcrT3o2ZTJ0WUlPeVpyc244YUxOMXVkc0o3TWdUOVU3R0NoMW1NRXk3SDBjS1BHRVFRaWw4cFFnTzRDTHAKMHpWb3pwdGpuNFMxbVUxWW9JNzFWT2VWeWFOQ01FQXdIUVlEVlIwT0JCWUVGTUZSUlZCWnF6N25MRnI2SUNJUwpCNENJZkJGcU1BNEdBMVVkRHdFQi93UUVBd0lCaGpBUEJnTlZIUk1CQWY4RUJUQURBUUgvTUFvR0NDcUdTTTQ5CkJBTURBMmdBTUdVQ01RQ0phbzFINSt6OGJsVUQyV2RzSms2RHh2M0oreXNUdkxkNmpMUmwwbWxwWXhOak95WlEKTGdHaGVRYVJuVWkvd3I0Q01FZkRGWHV4b0pHWlNaT29QSHpvUmdhTExQSXhBSlNkWXNpSnZSbUVGT21sK3dHNApEWFpEakM1VHkzemZEQmVXVUE9PQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0t"

	cases := map[string]testCase{
		"UseCABundleSuccess": {
			reason: "Should read a caBundle successfully.",
			args: args{
				store: makeStoreWithCA("cabundle", certDataEncoded),
				kube: clientfake.NewClientBuilder().
					WithObjects().Build(),
				namespace: "default",
				corev1:    utilfake.NewCreateTokenMock().WithToken(createFakeJwtToken(true)),
			},
			want: want{
				err:  nil,
				cert: certDataEncoded,
			},
		},
		"UseCAProviderConfigMapSuccess": {
			reason: "Should read a ca from a ConfigMap successfully.",
			args: args{
				store: makeStoreWithCA("configmap", ""),
				kube: clientfake.NewClientBuilder().
					WithObjects(makeFakeCASource("configmap", certData)).Build(),
				namespace: "default",
				corev1:    utilfake.NewCreateTokenMock().WithToken(createFakeJwtToken(true)),
			},
			want: want{
				err:  nil,
				cert: certDataEncoded,
			},
		},
		"UseCAProviderSecretSuccess": {
			reason: "Should read a ca from a Secret successfully.",
			args: args{
				store: makeStoreWithCA("secret", ""),
				kube: clientfake.NewClientBuilder().
					WithObjects(makeFakeCASource("secret", certData)).Build(),
				namespace: "default",
				corev1:    utilfake.NewCreateTokenMock().WithToken(createFakeJwtToken(true)),
			},
			want: want{
				err:  nil,
				cert: certDataEncoded,
			},
		},
	}

	runTest := func(t *testing.T, _ string, tc testCase) {
		provider, _ := newConjurProvider(context.Background(), tc.args.store, tc.args.kube, tc.args.namespace, tc.args.corev1, &ConjurMockAPIClient{})
		_, err := provider.GetSecret(context.Background(), esv1.ExternalSecretDataRemoteRef{
			Key: "path/to/secret",
		})
		if diff := cmp.Diff(tc.want.err, err, EquateErrors()); diff != "" {
			t.Errorf("\n%s\nconjur.GetCA(...): -want error, +got error:\n%s", tc.reason, diff)
		}
	}

	for name, tc := range cases {
		t.Run(name, func(t *testing.T) {
			runTest(t, name, tc)
		})
	}
}

func makeAPIKeySecretStore(svcURL, svcUser, svcApikey, svcAccount string) *esv1.SecretStore {
	uref := &esmeta.SecretKeySelector{
		Name: "user",
		Key:  "conjur-hostid",
	}
	if svcUser == "" {
		uref = nil
	}
	aref := &esmeta.SecretKeySelector{
		Name: "apikey",
		Key:  "conjur-apikey",
	}
	if svcApikey == "" {
		aref = nil
	}
	store := &esv1.SecretStore{
		Spec: esv1.SecretStoreSpec{
			Provider: &esv1.SecretStoreProvider{
				Conjur: &esv1.ConjurProvider{
					URL: svcURL,
					Auth: esv1.ConjurAuth{
						APIKey: &esv1.ConjurAPIKey{
							Account:   svcAccount,
							UserRef:   uref,
							APIKeyRef: aref,
						},
					},
				},
			},
		},
	}
	return store
}

func makeJWTSecretStore(svcURL, serviceAccountName, secretName, jwtServiceID, jwtHostID, conjurAccount string) *esv1.SecretStore {
	serviceAccountRef := &esmeta.ServiceAccountSelector{
		Name:      serviceAccountName,
		Audiences: []string{"conjur"},
	}
	if serviceAccountName == "" {
		serviceAccountRef = nil
	}

	secretRef := &esmeta.SecretKeySelector{
		Name: secretName,
		Key:  "token",
	}
	if secretName == "" {
		secretRef = nil
	}

	store := &esv1.SecretStore{
		Spec: esv1.SecretStoreSpec{
			Provider: &esv1.SecretStoreProvider{
				Conjur: &esv1.ConjurProvider{
					URL: svcURL,
					Auth: esv1.ConjurAuth{
						Jwt: &esv1.ConjurJWT{
							Account:           conjurAccount,
							ServiceID:         jwtServiceID,
							ServiceAccountRef: serviceAccountRef,
							SecretRef:         secretRef,
							HostID:            jwtHostID,
						},
					},
				},
			},
		},
	}
	return store
}

func makeStoreWithCA(caSource, caData string) *esv1.SecretStore {
	store := makeJWTSecretStore(svcURL, "conjur", "", jwtAuthnService, "", "myconjuraccount")
	if caSource == "secret" {
		store.Spec.Provider.Conjur.CAProvider = &esv1.CAProvider{
			Type: esv1.CAProviderTypeSecret,
			Name: "conjur-cert",
			Key:  "ca",
		}
	} else if caSource == "configmap" {
		store.Spec.Provider.Conjur.CAProvider = &esv1.CAProvider{
			Type: esv1.CAProviderTypeConfigMap,
			Name: "conjur-cert",
			Key:  "ca",
		}
	} else {
		store.Spec.Provider.Conjur.CABundle = caData
	}
	return store
}

func makeNoAuthSecretStore(svcURL string) *esv1.SecretStore {
	store := &esv1.SecretStore{
		Spec: esv1.SecretStoreSpec{
			Provider: &esv1.SecretStoreProvider{
				Conjur: &esv1.ConjurProvider{
					URL: svcURL,
				},
			},
		},
	}
	return store
}

func makeFakeAPIKeySecrets() []kclient.Object {
	return []kclient.Object{
		&corev1.Secret{
			ObjectMeta: metav1.ObjectMeta{
				Name:      "user",
				Namespace: "default",
			},
			Data: map[string][]byte{
				"conjur-hostid": []byte("myhostid"),
			},
		},
		&corev1.Secret{
			ObjectMeta: metav1.ObjectMeta{
				Name:      "apikey",
				Namespace: "default",
			},
			Data: map[string][]byte{
				"conjur-apikey": []byte("apikey"),
			},
		},
	}
}

func makeFakeCASource(kind, caData string) kclient.Object {
	if kind == "secret" {
		return &corev1.Secret{
			ObjectMeta: metav1.ObjectMeta{
				Name:      "conjur-cert",
				Namespace: "default",
			},
			Data: map[string][]byte{
				"ca": []byte(caData),
			},
		}
	}
	return &corev1.ConfigMap{
		ObjectMeta: metav1.ObjectMeta{
			Name:      "conjur-cert",
			Namespace: "default",
		},
		Data: map[string]string{
			"ca": caData,
		},
	}
}

func createFakeJwtToken(expires bool) string {
	signingKey := []byte("fakekey")
	token := jwt.New(jwt.SigningMethodHS256)
	claims := token.Claims.(jwt.MapClaims)
	if expires {
		claims["exp"] = time.Now().Add(time.Minute * 30).Unix()
	}
	jwtTokenString, err := token.SignedString(signingKey)
	if err != nil {
		panic(err)
	}
	return jwtTokenString
}

// ConjurMockAPIClient is a mock implementation of the ApiClient interface.
type ConjurMockAPIClient struct {
}

func (c *ConjurMockAPIClient) NewClientFromKey(_ conjurapi.Config, _ authn.LoginPair) (SecretsClient, error) {
	return &fake.ConjurMockClient{}, nil
}

func (c *ConjurMockAPIClient) NewClientFromJWT(_ conjurapi.Config) (SecretsClient, error) {
	return &fake.ConjurMockClient{}, nil
}

// EquateErrors returns true if the supplied errors are of the same type and
// produce identical strings. This mirrors the error comparison behavior of
// https://github.com/go-test/deep, which most Crossplane tests targeted before
// we switched to go-cmp.
//
// This differs from cmpopts.EquateErrors, which does not test for error strings
// and instead returns whether one error 'is' (in the errors.Is sense) the
// other.
func EquateErrors() cmp.Option {
	return cmp.Comparer(func(a, b error) bool {
		if a == nil || b == nil {
			return a == nil && b == nil
		}

		av := reflect.ValueOf(a)
		bv := reflect.ValueOf(b)
		if av.Type() != bv.Type() {
			return false
		}

		return a.Error() == b.Error()
	})
}