logic855
/
helm-external-secrets
mirror of https://github.com/external-secrets/external-secrets


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433
							/*
Copyright © The ESO Authors

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    https://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package ngrok

import (
	"fmt"
	"testing"

	"github.com/ngrok/ngrok-api-go/v7"
	corev1 "k8s.io/api/core/v1"
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
	kubeClient "sigs.k8s.io/controller-runtime/pkg/client"
	clientfake "sigs.k8s.io/controller-runtime/pkg/client/fake"
	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"

	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
	v1 "github.com/external-secrets/external-secrets/apis/meta/v1"
	"github.com/external-secrets/external-secrets/providers/v1/ngrok/fake"

	. "github.com/onsi/ginkgo/v2"
	. "github.com/onsi/gomega"
)

func newTestClusterSecretStore(provider *esv1.SecretStoreProvider) esv1.GenericStore {
	return &esv1.ClusterSecretStore{
		TypeMeta: metav1.TypeMeta{
			Kind: "ClusterSecretStore",
		},
		Spec: esv1.SecretStoreSpec{
			Provider: provider,
		},
	}
}

func newTestNgrokClusterSecretStore(ngrokProv *esv1.NgrokProvider) esv1.GenericStore {
	return newTestClusterSecretStore(&esv1.SecretStoreProvider{
		Ngrok: ngrokProv,
	})
}

func newTestSecretStore(provider *esv1.SecretStoreProvider) esv1.GenericStore {
	return &esv1.SecretStore{
		TypeMeta: metav1.TypeMeta{
			Kind: "SecretStore",
		},
		Spec: esv1.SecretStoreSpec{
			Provider: provider,
		},
	}
}

func newTestNgrokSecretStore(ngrokProv *esv1.NgrokProvider) esv1.GenericStore {
	return newTestSecretStore(&esv1.SecretStoreProvider{
		Ngrok: ngrokProv,
	})
}

func newNgrokAPICredentials(name, namespace, apiKey string) *corev1.Secret {
	return &corev1.Secret{
		ObjectMeta: metav1.ObjectMeta{
			Name:      name,
			Namespace: namespace,
		},
		Data: map[string][]byte{
			"API_KEY": []byte(apiKey),
		},
	}
}

var _ = Describe("Provider", func() {
	var (
		provider *Provider
	)

	BeforeEach(func() {
		provider = &Provider{}
	})

	Describe("Capabilities", func() {
		It("should return write-only capability", func() {
			cap := provider.Capabilities()
			Expect(cap).To(Equal(esv1.SecretStoreWriteOnly))
		})
	})

	Describe("NewClient", func() {
		var (
			store            esv1.GenericStore
			ngrokStore       *fake.Store
			namespace        string
			kubeClient       kubeClient.Client
			ngrokCredentials *corev1.Secret
			vaultName        string

			// Injected errors
			vaultListErr error

			// Outputs
			err    error
			client esv1.SecretsClient
		)

		BeforeEach(func() {
			namespace = "default"
			vaultName = "vault-" + fake.GenerateRandomString(5)
			ngrokCredentials = newNgrokAPICredentials("ngrok-credentials", namespace, "secret-api-key")
			kubeClient = clientfake.NewClientBuilder().WithObjects(ngrokCredentials).Build()
			ngrokStore = fake.NewStore()
			vaultListErr = nil
		})

		JustBeforeEach(func() {
			getVaultsClient = func(_ *ngrok.ClientConfig) VaultClient {
				return ngrokStore.VaultClient().WithListError(vaultListErr)
			}
			getSecretsClient = func(_ *ngrok.ClientConfig) SecretsClient {
				return ngrokStore.SecretsClient()
			}
			client, err = provider.NewClient(GinkgoT().Context(), store, kubeClient, namespace)
		})

		Context("SecretStore", func() {
			When("the secret does not exist", func() {
				BeforeEach(func() {
					store = newTestNgrokSecretStore(&esv1.NgrokProvider{
						Vault: esv1.NgrokVault{
							Name: vaultName,
						},
						Auth: esv1.NgrokAuth{
							APIKey: &esv1.NgrokProviderSecretRef{
								SecretRef: &v1.SecretKeySelector{
									Key:  "API_KEY",
									Name: "non-existent-secret",
								},
							},
						},
					})
				})

				It("should return an error that the secret does not exist", func() {
					Expect(err).To(HaveOccurred())
					Expect(err.Error()).To(ContainSubstring("secrets \"non-existent-secret\" not found"))
					Expect(client).To(BeNil())
				})
			})

			When("the store is valid", func() {
				BeforeEach(func() {
					store = newTestNgrokSecretStore(&esv1.NgrokProvider{
						Vault: esv1.NgrokVault{
							Name: vaultName,
						},
						Auth: esv1.NgrokAuth{
							APIKey: &esv1.NgrokProviderSecretRef{
								SecretRef: &v1.SecretKeySelector{
									Key:  "API_KEY",
									Name: ngrokCredentials.Name,
								},
							},
						},
					})
				})

				When("the vault does not exist", func() {
					It("Should return an error that the vault is not found", func() {
						Expect(err).To(HaveOccurred())
						Expect(err.Error()).To(ContainSubstring(fmt.Sprintf("vault %q not found", vaultName)))
						Expect(client).To(BeNil())
					})
				})

				When("the vault exists", func() {
					BeforeEach(func() {
						_, createErr := ngrokStore.CreateVault(&ngrok.VaultCreate{
							Name: vaultName,
						})
						Expect(createErr).To(BeNil())
					})

					It("should not return an error", func() {
						Expect(err).To(BeNil())
					})

					It("should return a non-nil client", func() {
						Expect(client).NotTo(BeNil())
					})
				})

				When("there is an error listing vaults", func() {
					BeforeEach(func() {
						vaultListErr = fmt.Errorf("some error listing vaults")
					})

					It("should return the list error", func() {
						Expect(err).To(HaveOccurred())
						Expect(err.Error()).To(ContainSubstring("some error listing vaults"))
						Expect(client).To(BeNil())
					})
				})
			})
		})

		Context("ClusterSecretStore", func() {
			When("the store does not specify a namespace", func() {
				BeforeEach(func() {
					store = newTestNgrokClusterSecretStore(&esv1.NgrokProvider{
						Vault: esv1.NgrokVault{
							Name: vaultName,
						},
						Auth: esv1.NgrokAuth{
							APIKey: &esv1.NgrokProviderSecretRef{
								SecretRef: &v1.SecretKeySelector{
									Key:  "API_KEY",
									Name: ngrokCredentials.Name,
								},
							},
						},
					})
				})

				It("should return an error that the cluster store requires a namespace", func() {
					Expect(err).To(MatchError(errClusterStoreRequiresNamespace))
					Expect(client).To(BeNil())
				})
			})

			When("the secret does not exist", func() {
				BeforeEach(func() {
					store = newTestNgrokClusterSecretStore(&esv1.NgrokProvider{
						Vault: esv1.NgrokVault{
							Name: vaultName,
						},
						Auth: esv1.NgrokAuth{
							APIKey: &esv1.NgrokProviderSecretRef{
								SecretRef: &v1.SecretKeySelector{
									Key:       "API_KEY",
									Name:      "non-existent-secret",
									Namespace: new("some-other-namespace"),
								},
							},
						},
					})
				})

				It("should return an error that the secret does not exist", func() {
					Expect(err).To(HaveOccurred())
					Expect(err.Error()).To(ContainSubstring("secrets \"non-existent-secret\" not found"))
					Expect(client).To(BeNil())
				})
			})

			When("the store is valid", func() {
				BeforeEach(func() {
					store = newTestNgrokClusterSecretStore(&esv1.NgrokProvider{
						Vault: esv1.NgrokVault{
							Name: vaultName,
						},
						Auth: esv1.NgrokAuth{
							APIKey: &esv1.NgrokProviderSecretRef{
								SecretRef: &v1.SecretKeySelector{
									Key:       "API_KEY",
									Name:      ngrokCredentials.Name,
									Namespace: new(namespace),
								},
							},
						},
					})
				})

				When("the vault does not exist", func() {
					It("Should return an error that the vault is not found", func() {
						Expect(err).To(HaveOccurred())
						Expect(err.Error()).To(ContainSubstring(fmt.Sprintf("vault %q not found", vaultName)))
						Expect(client).To(BeNil())
					})
				})

				When("the vault exists", func() {
					BeforeEach(func() {
						_, createErr := ngrokStore.CreateVault(&ngrok.VaultCreate{
							Name: vaultName,
						})
						Expect(createErr).To(BeNil())
					})

					It("should not return an error", func() {
						Expect(err).To(BeNil())
					})

					It("should return a non-nil client", func() {
						Expect(client).NotTo(BeNil())
					})
				})
			})
		})
	})

	Describe("ValidateStore", func() {
		var (
			store esv1.GenericStore

			err      error
			warnings admission.Warnings
		)

		JustBeforeEach(func() {
			warnings, err = provider.ValidateStore(store)
		})

		When("the store is nil", func() {
			BeforeEach(func() { store = nil })

			It("Should return an invalid store error", func() {
				Expect(err).To(MatchError(errInvalidStore))
				Expect(warnings).To(BeNil())
			})
		})

		When("the provider is nil", func() {
			BeforeEach(func() { store = newTestSecretStore(nil) })

			It("Should return an invalid ngrok provider error", func() {
				Expect(err).To(MatchError(errInvalidStoreProv))
				Expect(warnings).To(BeNil())
			})
		})

		When("the ngrok provider is nil", func() {
			BeforeEach(func() { store = newTestNgrokSecretStore(nil) })

			It("Should return an invalid ngrok provider error", func() {
				Expect(err).To(MatchError(errInvalidNgrokProv))
				Expect(warnings).To(BeNil())
			})
		})

		When("the API URL is invalid", func() {
			BeforeEach(func() {
				store = newTestNgrokSecretStore(&esv1.NgrokProvider{
					APIURL: "http://example.com/path\n",
				})
			})

			It("Should return an invalid API URL error", func() {
				Expect(err).To(MatchError(errInvalidAPIURL))
				Expect(warnings).To(BeNil())
			})
		})

		When("the auth APIKey is missing", func() {
			BeforeEach(func() {
				store = newTestNgrokSecretStore(&esv1.NgrokProvider{
					Vault: esv1.NgrokVault{
						Name: "test-vault",
					},
					Auth: esv1.NgrokAuth{
						APIKey: nil,
					},
				})
			})

			It("Should return an invalid auth APIKey required error", func() {
				Expect(err).To(MatchError(errInvalidAuthAPIKeyRequired))
				Expect(warnings).To(BeNil())
			})
		})

		When("the vault name is missing", func() {
			BeforeEach(func() {
				store = newTestNgrokSecretStore(&esv1.NgrokProvider{
					Auth: esv1.NgrokAuth{
						APIKey: &esv1.NgrokProviderSecretRef{
							SecretRef: &v1.SecretKeySelector{
								Key:  "apiKey",
								Name: "ngrok-credentials",
							},
						},
					},
					Vault: esv1.NgrokVault{},
				})
			})

			It("Should return a missing vault name error", func() {
				Expect(err).To(MatchError(errMissingVaultName))
				Expect(warnings).To(BeNil())
			})
		})

		When("the store is valid", func() {
			BeforeEach(func() {
				store = newTestNgrokSecretStore(&esv1.NgrokProvider{
					Vault: esv1.NgrokVault{
						Name: "test-vault",
					},
					Auth: esv1.NgrokAuth{
						APIKey: &esv1.NgrokProviderSecretRef{
							SecretRef: &v1.SecretKeySelector{
								Key:  "apiKey",
								Name: "ngrok-credentials",
							},
						},
					},
				})
			})

			It("Should not return an error", func() {
				Expect(err).To(BeNil())
				Expect(warnings).To(BeNil())
			})
		})
	})

	// Add more Ginkgo tests here for ValidateStore, NewClient, etc.
})

func TestNgrokProvider(t *testing.T) {
	RegisterFailHandler(Fail)
	RunSpecs(t, "Ngrok Provider Suite")
}