logic855
/
helm-external-secrets
spiegel van https://github.com/external-secrets/external-secrets


			
				
					
						
						
							123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219
							/*
Copyright © The ESO Authors

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    https://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package oidc

import (
	"context"
	"fmt"
	"testing"
	"time"

	"github.com/stretchr/testify/assert"
	"github.com/stretchr/testify/require"
	authv1 "k8s.io/api/authentication/v1"
	"k8s.io/apimachinery/pkg/runtime"
	"k8s.io/client-go/kubernetes/fake"
	k8stesting "k8s.io/client-go/testing"

	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
	esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
)

// noopExchanger satisfies TokenExchanger and returns a fixed token.
type noopExchanger struct{}

func (n *noopExchanger) ExchangeToken(_ context.Context, _ string) (string, time.Time, error) {
	return "exchanged-token", time.Now().Add(time.Hour), nil
}

// namespaceMismatchReactor intercepts serviceaccounts/token create calls and
// returns an error when the request body namespace differs from the URL namespace,
// mimicking the kube-apiserver's enforcement. fake.NewSimpleClientset() does not
// enforce this check, which is why the pre-fix code passed tests.
func namespaceMismatchReactor(action k8stesting.Action) (bool, runtime.Object, error) {
	ca, ok := action.(k8stesting.CreateAction)
	if !ok {
		return false, nil, nil
	}
	tr, ok := ca.GetObject().(*authv1.TokenRequest)
	if !ok {
		return false, nil, nil
	}
	urlNS := action.GetNamespace()
	bodyNS := tr.Namespace
	if bodyNS != "" && bodyNS != urlNS {
		return true, nil, fmt.Errorf(
			"the namespace of the provided object does not match "+
				"the namespace sent on the request: body=%q url=%q",
			bodyNS, urlNS,
		)
	}
	return true, &authv1.TokenRequest{
		Status: authv1.TokenRequestStatus{Token: "fake-sa-token"},
	}, nil
}

func TestCreateServiceAccountToken_NamespaceConsistency(t *testing.T) {
	tests := []struct {
		name          string
		storeKind     string
		esNamespace   string
		saRef         esmeta.ServiceAccountSelector
		wantNamespace string // expected URL (and body) namespace
	}{
		{
			name:          "SecretStore same-namespace",
			storeKind:     esv1.SecretStoreKind,
			esNamespace:   "default",
			saRef:         esmeta.ServiceAccountSelector{Name: "my-sa"},
			wantNamespace: "default",
		},
		{
			name:        "ClusterSecretStore cross-namespace regression",
			storeKind:   esv1.ClusterSecretStoreKind,
			esNamespace: "default",
			saRef:       esmeta.ServiceAccountSelector{Name: "oidc-sa", Namespace: new("external-secrets")},
			// Pre-fix: body namespace was "default", URL was "external-secrets"
			// -> kube-apiserver rejected with "namespace of provided object does not match".
			wantNamespace: "external-secrets",
		},
		{
			name:          "ClusterSecretStore SA namespace equals ES namespace",
			storeKind:     esv1.ClusterSecretStoreKind,
			esNamespace:   "external-secrets",
			saRef:         esmeta.ServiceAccountSelector{Name: "oidc-sa", Namespace: new("external-secrets")},
			wantNamespace: "external-secrets",
		},
		{
			name:          "ClusterSecretStore no explicit SA namespace falls back to ES namespace",
			storeKind:     esv1.ClusterSecretStoreKind,
			esNamespace:   "default",
			saRef:         esmeta.ServiceAccountSelector{Name: "oidc-sa"},
			wantNamespace: "default",
		},
	}

	for _, tc := range tests {
		t.Run(tc.name, func(t *testing.T) {
			capturedURLNS := ""
			capturedBodyNS := ""

			fc := fake.NewSimpleClientset()
			fc.Fake.PrependReactor("create", "serviceaccounts/token",
				func(action k8stesting.Action) (bool, runtime.Object, error) {
					capturedURLNS = action.GetNamespace()
					ca, ok := action.(k8stesting.CreateAction)
					if ok {
						if tr, ok := ca.GetObject().(*authv1.TokenRequest); ok {
							capturedBodyNS = tr.Namespace
						}
					}
					return namespaceMismatchReactor(action)
				},
			)

			m := NewBaseTokenManager(
				fc.CoreV1(), tc.esNamespace, tc.storeKind, "https://example.com", tc.saRef,
			)

			saToken, err := m.CreateServiceAccountToken(context.Background())
			require.NoError(t, err)
			assert.Equal(t, "fake-sa-token", saToken)

			assert.Equal(t, tc.wantNamespace, capturedURLNS,
				"URL namespace must match the SA's namespace")
			assert.Equal(t, capturedURLNS, capturedBodyNS,
				"body namespace must equal URL namespace (apiserver enforces this)")
		})
	}
}

func TestGetToken_CachingAndRefresh(t *testing.T) {
	fc := fake.NewSimpleClientset()
	callCount := 0
	fc.Fake.PrependReactor("create", "serviceaccounts/token",
		func(_ k8stesting.Action) (bool, runtime.Object, error) {
			callCount++
			return true, &authv1.TokenRequest{
				Status: authv1.TokenRequestStatus{Token: fmt.Sprintf("token-%d", callCount)},
			}, nil
		},
	)

	saRef := esmeta.ServiceAccountSelector{Name: "test-sa"}
	m := NewBaseTokenManager(fc.CoreV1(), "default", esv1.SecretStoreKind, "https://example.com", saRef)
	m.Exchanger = &noopExchanger{}

	tok1, err := m.GetToken(context.Background())
	require.NoError(t, err)
	assert.Equal(t, "exchanged-token", tok1)
	assert.Equal(t, 1, callCount)

	// Second call should use the cached token without a new SA token request.
	tok2, err := m.GetToken(context.Background())
	require.NoError(t, err)
	assert.Equal(t, tok1, tok2)
	assert.Equal(t, 1, callCount, "cached token returned without a new SA token request")
}

func TestBuildAudiences(t *testing.T) {
	tests := []struct {
		name         string
		saAudiences  []string
		extraAud     []string
		baseURL      string
		wantAudience []string
	}{
		{
			name:         "uses baseURL when no SA audiences configured",
			baseURL:      "https://api.example.com",
			wantAudience: []string{"https://api.example.com"},
		},
		{
			name:         "SA audiences override baseURL",
			saAudiences:  []string{"sts.amazonaws.com"},
			baseURL:      "https://api.example.com",
			wantAudience: []string{"sts.amazonaws.com"},
		},
		{
			name:         "extra audiences appended after SA audiences",
			saAudiences:  []string{"sts.amazonaws.com"},
			extraAud:     []string{"extra-aud"},
			baseURL:      "https://api.example.com",
			wantAudience: []string{"sts.amazonaws.com", "extra-aud"},
		},
		{
			name:         "extra audiences appended after baseURL fallback",
			extraAud:     []string{"extra-aud"},
			baseURL:      "https://api.example.com",
			wantAudience: []string{"https://api.example.com", "extra-aud"},
		},
	}

	for _, tc := range tests {
		t.Run(tc.name, func(t *testing.T) {
			saRef := esmeta.ServiceAccountSelector{
				Name:      "test-sa",
				Audiences: tc.saAudiences,
			}
			fc := fake.NewSimpleClientset()
			m := NewBaseTokenManager(fc.CoreV1(), "default", esv1.SecretStoreKind, tc.baseURL, saRef)
			m.ExtraAudiences = tc.extraAud
			assert.Equal(t, tc.wantAudience, m.BuildAudiences())
		})
	}
}