logic855
/
helm-external-secrets
mirror of https://github.com/external-secrets/external-secrets


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455
							/*
Copyright © The ESO Authors

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    https://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package ovh

import (
	"context"
	"testing"

	corev1 "k8s.io/api/core/v1"
	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
	"k8s.io/apimachinery/pkg/runtime"
	kclient "sigs.k8s.io/controller-runtime/pkg/client"
	fakeBuilder "sigs.k8s.io/controller-runtime/pkg/client/fake"

	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
	"github.com/external-secrets/external-secrets/providers/v1/ovh/fake"
)

var (
	namespace = "namespace"
	scheme    = runtime.NewScheme()
	_         = corev1.AddToScheme(scheme)
	kube      = fakeBuilder.NewClientBuilder().
			WithScheme(scheme).
			WithObjects(&corev1.Secret{
			ObjectMeta: v1.ObjectMeta{
				Name:      "my-secret",
				Namespace: "default",
			},
			Data: map[string][]byte{
				"key": []byte("value"),
			},
		}).Build()
	okmsId          = "11111111-1111-1111-1111-111111111111"
	validTokenAuth  = "Valid token auth"
	validClientCert = "Valid mtls client certificate"
	validClientKey  = "Valid mtls client key"
	fillingStr      = "string"
)

func TestNewClient(t *testing.T) {
	tests := map[string]struct {
		errshould string
		kube      kclient.Client
		store     *esv1.SecretStore
	}{
		"Nil store": {
			errshould: "failed to create new ovh provider client: store validation failed: store is nil",
			kube:      kube,
		},
		"Nil provider": {
			errshould: "failed to create new ovh provider client: store validation failed: store provider is nil",
			kube:      kube,
			store: &esv1.SecretStore{
				Spec: esv1.SecretStoreSpec{
					Provider: nil,
				},
			},
		},
		"Nil ovh provider": {
			errshould: "failed to create new ovh provider client: store validation failed: ovh store provider is nil",
			kube:      kube,
			store: &esv1.SecretStore{
				Spec: esv1.SecretStoreSpec{
					Provider: &esv1.SecretStoreProvider{
						AWS: &esv1.AWSProvider{},
					},
				},
			},
		},
		"Nil controller-runtime client": {
			errshould: "failed to create new ovh provider client: controller-runtime client is nil",
			store: &esv1.SecretStore{
				Spec: esv1.SecretStoreSpec{
					Provider: &esv1.SecretStoreProvider{
						OVHcloud: &esv1.OvhProvider{
							Auth: esv1.OvhAuth{
								ClientToken: &esv1.OvhClientToken{
									ClientTokenSecret: esmeta.SecretKeySelector{
										Name:      validTokenAuth,
										Namespace: &namespace,
										Key:       fillingStr,
									},
								},
							},
							Server: fillingStr,
							OkmsID: okmsId,
						},
					},
				},
			},
		},
		"Authentication method conflict": {
			errshould: "failed to create new ovh provider client: store validation failed: only one authentication method allowed (mtls | token)",
			kube:      kube,
			store: &esv1.SecretStore{
				Spec: esv1.SecretStoreSpec{
					Provider: &esv1.SecretStoreProvider{
						OVHcloud: &esv1.OvhProvider{
							Server: fillingStr,
							OkmsID: okmsId,
							Auth: esv1.OvhAuth{
								ClientMTLS: &esv1.OvhClientMTLS{
									ClientCertificate: esmeta.SecretKeySelector{
										Name:      fillingStr,
										Namespace: &namespace,
										Key:       fillingStr,
									},
									ClientKey: esmeta.SecretKeySelector{
										Name:      fillingStr,
										Namespace: &namespace,
										Key:       fillingStr,
									},
								},
								ClientToken: &esv1.OvhClientToken{
									ClientTokenSecret: esmeta.SecretKeySelector{
										Name:      fillingStr,
										Namespace: &namespace,
										Key:       fillingStr,
									},
								},
							},
						},
					},
				},
			},
		},
		"Authentication method empty": {
			errshould: "failed to create new ovh provider client: store validation failed: missing authentication method",
			kube:      kube,
			store: &esv1.SecretStore{
				Spec: esv1.SecretStoreSpec{
					Provider: &esv1.SecretStoreProvider{
						OVHcloud: &esv1.OvhProvider{
							Server: fillingStr,
							OkmsID: okmsId,
							Auth:   esv1.OvhAuth{},
						},
					},
				},
			},
		},
		"Valid token auth": {
			errshould: "",
			kube:      kube,
			store: &esv1.SecretStore{
				Spec: esv1.SecretStoreSpec{
					Provider: &esv1.SecretStoreProvider{
						OVHcloud: &esv1.OvhProvider{
							Server: fillingStr,
							OkmsID: okmsId,
							Auth: esv1.OvhAuth{
								ClientToken: &esv1.OvhClientToken{
									ClientTokenSecret: esmeta.SecretKeySelector{
										Name:      validTokenAuth,
										Namespace: &namespace,
										Key:       fillingStr,
									},
								},
							},
						},
					},
				},
			},
		},
		"Empty token auth": {
			errshould: "failed to create new ovh provider client: store validation failed: missing token secret for token authentication",
			kube:      kube,
			store: &esv1.SecretStore{
				Spec: esv1.SecretStoreSpec{
					Provider: &esv1.SecretStoreProvider{
						OVHcloud: &esv1.OvhProvider{
							Server: fillingStr,
							OkmsID: okmsId,
							Auth: esv1.OvhAuth{
								ClientToken: &esv1.OvhClientToken{
									ClientTokenSecret: esmeta.SecretKeySelector{},
								},
							},
						},
					},
				},
			},
		},
		"Valid mtls auth": {
			errshould: "",
			kube:      kube,
			store: &esv1.SecretStore{
				Spec: esv1.SecretStoreSpec{
					Provider: &esv1.SecretStoreProvider{
						OVHcloud: &esv1.OvhProvider{
							Server: fillingStr,
							OkmsID: okmsId,
							Auth: esv1.OvhAuth{
								ClientMTLS: &esv1.OvhClientMTLS{
									ClientCertificate: esmeta.SecretKeySelector{
										Name:      validClientCert,
										Namespace: &namespace,
										Key:       fillingStr,
									},
									ClientKey: esmeta.SecretKeySelector{
										Name:      validClientKey,
										Namespace: &namespace,
										Key:       fillingStr,
									},
								},
							},
						},
					},
				},
			},
		},
		"Empty mtls client certificate": {
			errshould: "failed to create new ovh provider client: store validation failed: missing tls certificate or key for mtls authentication",
			kube:      kube,
			store: &esv1.SecretStore{
				Spec: esv1.SecretStoreSpec{
					Provider: &esv1.SecretStoreProvider{
						OVHcloud: &esv1.OvhProvider{
							Server: fillingStr,
							OkmsID: okmsId,
							Auth: esv1.OvhAuth{
								ClientMTLS: &esv1.OvhClientMTLS{
									ClientKey: esmeta.SecretKeySelector{
										Name:      validClientKey,
										Namespace: &namespace,
										Key:       fillingStr,
									},
								},
							},
						},
					},
				},
			},
		},
	}
	ctx := context.Background()
	for name, testCase := range tests {
		t.Run(name, func(t *testing.T) {
			provider := Provider{
				secretKeyResolver: &fake.FakeSecretKeyResolver{},
			}
			_, err := provider.NewClient(ctx, testCase.store, testCase.kube, "namespace")
			if testCase.errshould != "" {
				if err == nil {
					t.Errorf("\nexpected error: %s\nactual error:   <nil>\n\n", testCase.errshould)
				} else if err.Error() != testCase.errshould {
					t.Errorf("\nexpected error: %s\nactual error:   %v\n\n", testCase.errshould, err)
				}
			} else if err != nil {
				t.Errorf("\nunexpected error: %v\n\n", err)
			}
		})
	}
}

func TestValidateStore(t *testing.T) {
	var namespace string = "namespace"
	tests := map[string]struct {
		errshould string
		kube      kclient.Client
		store     *esv1.SecretStore
	}{
		"Nil store": {
			errshould: "store provider is nil",
			kube:      kube,
			store: &esv1.SecretStore{
				Spec: esv1.SecretStoreSpec{
					Provider: nil,
				},
			},
		},
		"Nil ovh provider": {
			errshould: "ovh store provider is nil",
			kube:      kube,
			store: &esv1.SecretStore{
				Spec: esv1.SecretStoreSpec{
					Provider: &esv1.SecretStoreProvider{
						AWS: &esv1.AWSProvider{},
					},
				},
			},
		},
		"Authentication method conflict": {
			errshould: "only one authentication method allowed (mtls | token)",
			kube:      kube,
			store: &esv1.SecretStore{
				Spec: esv1.SecretStoreSpec{
					Provider: &esv1.SecretStoreProvider{
						OVHcloud: &esv1.OvhProvider{
							Server: fillingStr,
							OkmsID: okmsId,
							Auth: esv1.OvhAuth{
								ClientMTLS: &esv1.OvhClientMTLS{
									ClientCertificate: esmeta.SecretKeySelector{
										Name:      fillingStr,
										Namespace: &namespace,
										Key:       fillingStr,
									},
									ClientKey: esmeta.SecretKeySelector{
										Name:      fillingStr,
										Namespace: &namespace,
										Key:       fillingStr,
									},
								},
								ClientToken: &esv1.OvhClientToken{
									ClientTokenSecret: esmeta.SecretKeySelector{
										Name:      fillingStr,
										Namespace: &namespace,
										Key:       fillingStr,
									},
								},
							},
						},
					},
				},
			},
		},
		"Valid token auth": {
			errshould: "",
			kube:      kube,
			store: &esv1.SecretStore{
				Spec: esv1.SecretStoreSpec{
					Provider: &esv1.SecretStoreProvider{
						OVHcloud: &esv1.OvhProvider{
							Server: fillingStr,
							OkmsID: okmsId,
							Auth: esv1.OvhAuth{
								ClientToken: &esv1.OvhClientToken{
									ClientTokenSecret: esmeta.SecretKeySelector{
										Name:      fillingStr,
										Namespace: &namespace,
										Key:       fillingStr,
									},
								},
							},
						},
					},
				},
			},
		},
		"Valid mtls auth": {
			errshould: "",
			kube:      kube,
			store: &esv1.SecretStore{
				Spec: esv1.SecretStoreSpec{
					Provider: &esv1.SecretStoreProvider{
						OVHcloud: &esv1.OvhProvider{
							Server: fillingStr,
							OkmsID: okmsId,
							Auth: esv1.OvhAuth{
								ClientMTLS: &esv1.OvhClientMTLS{
									ClientCertificate: esmeta.SecretKeySelector{
										Name:      fillingStr,
										Namespace: &namespace,
										Key:       fillingStr,
									},
									ClientKey: esmeta.SecretKeySelector{
										Name:      fillingStr,
										Namespace: &namespace,
										Key:       fillingStr,
									},
								},
							},
						},
					},
				},
			},
		},
		"Invalid mtls auth: missing client certificate": {
			errshould: "missing tls certificate or key for mtls authentication",
			kube:      kube,
			store: &esv1.SecretStore{
				Spec: esv1.SecretStoreSpec{
					Provider: &esv1.SecretStoreProvider{
						OVHcloud: &esv1.OvhProvider{
							Server: fillingStr,
							OkmsID: okmsId,
							Auth: esv1.OvhAuth{
								ClientMTLS: &esv1.OvhClientMTLS{
									ClientKey: esmeta.SecretKeySelector{
										Name:      fillingStr,
										Namespace: &namespace,
										Key:       fillingStr,
									},
								},
							},
						},
					},
				},
			},
		},
		"Empty auth": {
			errshould: "missing authentication method",
			kube:      kube,
			store: &esv1.SecretStore{
				Spec: esv1.SecretStoreSpec{
					Provider: &esv1.SecretStoreProvider{
						OVHcloud: &esv1.OvhProvider{
							Server: fillingStr,
							OkmsID: okmsId,
						},
					},
				},
			},
		},
		"Invalid token auth: missing token secret": {
			errshould: "missing token secret for token authentication",
			kube:      kube,
			store: &esv1.SecretStore{
				Spec: esv1.SecretStoreSpec{
					Provider: &esv1.SecretStoreProvider{
						OVHcloud: &esv1.OvhProvider{
							Server: fillingStr,
							OkmsID: okmsId,
							Auth: esv1.OvhAuth{
								ClientToken: &esv1.OvhClientToken{},
							},
						},
					},
				},
			},
		},
	}
	for name, testCase := range tests {
		t.Run(name, func(t *testing.T) {
			provider := Provider{}
			_, err := provider.ValidateStore(testCase.store)
			if testCase.errshould != "" {
				if err == nil {
					t.Errorf("\nexpected error: %s\nactual error:   <nil>\n\n", testCase.errshould)
				} else if err.Error() != testCase.errshould {
					t.Errorf("\nexpected error: %s\nactual error:   %v\n\n", testCase.errshould, err)
				}
			} else if err != nil {
				t.Errorf("\nunexpected error: %v\n\n", err)
			}
		})
	}
}