Startseite Erkunden Hilfe
Anmelden
logic855
/
helm-external-secrets
Mirror von https://github.com/external-secrets/external-secrets
1
0
Fork 0
Dateien Issues 0 Wiki
Branch: mj-v2-poc-e2e-framework
Branches Tags
helm-external-s...
/
providers
/
v2
/
adapter
/
store
/
client_test.go

client_test.go 26 KB
Permalink Verlauf Originalformat

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749 
  1. /*
    2. 

  2. Copyright © The ESO Authors
    3. 

  3. 

  4. Licensed under the Apache License, Version 2.0 (the "License");
    5. 

  5. you may not use this file except in compliance with the License.
    6. 

  6. You may obtain a copy of the License at
    7. 

  7. 

  8.     https://www.apache.org/licenses/LICENSE-2.0
    9. 

  9. 

  10. Unless required by applicable law or agreed to in writing, software
    11. 

  11. distributed under the License is distributed on an "AS IS" BASIS,
    12. 

  12. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    13. 

  13. See the License for the specific language governing permissions and
    14. 

  14. limitations under the License.
    15. 

  15. */
    16. 

  16. 

  17. package store
    18. 

  18. 

  19. import (
    20. 

  20. 	"bytes"
    21. 

  21. 	"context"
    22. 

  22. 	"errors"
    23. 

  23. 	"testing"
    24. 

  24. 

  25. 	corev1 "k8s.io/api/core/v1"
    26. 

  26. 	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
    27. 

  27. 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
    28. 

  28. 

  29. 	esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
    30. 

  30. 	pb "github.com/external-secrets/external-secrets/proto/provider"
    31. 

  31. )
    32. 

  32. 

  33. const (
    34. 

  34. 	testProperty        = "property"
    35. 

  35. 	testSecretValue     = "secret-value"
    36. 

  36. 	testSourceNamespace = "tenant-a"
    37. 

  37. 	testBarValue        = "bar"
    38. 

  38. 	testValue           = "value"
    39. 

  39. )
    40. 

  40. 

  41. type fakeV2Provider struct {
    42. 

  42. 	getSecretResponse           []byte
    43. 

  43. 	getSecretErr                error
    44. 

  44. 	getSecretRef                esv1.ExternalSecretDataRemoteRef
    45. 

  45. 	getSecretProviderRef        *pb.ProviderReference
    46. 

  46. 	getSecretCompatibilityStore *pb.CompatibilityStore
    47. 

  47. 	getSecretNamespace          string
    48. 

  48. 

  49. 	getSecretMapResponse           map[string][]byte
    50. 

  50. 	getSecretMapErr                error
    51. 

  51. 	getSecretMapRef                esv1.ExternalSecretDataRemoteRef
    52. 

  52. 	getSecretMapCompatibilityStore *pb.CompatibilityStore
    53. 

  53. 

  54. 	getAllSecretsResponse           map[string][]byte
    55. 

  55. 	getAllSecretsErr                error
    56. 

  56. 	getAllSecretsFind               esv1.ExternalSecretFind
    57. 

  57. 	getAllSecretsCompatibilityStore *pb.CompatibilityStore
    58. 

  58. 

  59. 	pushSecretErr                error
    60. 

  60. 	pushSecretData               map[string][]byte
    61. 

  61. 	pushSecretSecret             *corev1.Secret
    62. 

  62. 	pushSecretPayload            *pb.PushSecretData
    63. 

  63. 	pushSecretProviderRef        *pb.ProviderReference
    64. 

  64. 	pushSecretCompatibilityStore *pb.CompatibilityStore
    65. 

  65. 	pushSecretNamespace          string
    66. 

  66. 

  67. 	deleteSecretErr                error
    68. 

  68. 	deleteSecretRemoteRef          *pb.PushSecretRemoteRef
    69. 

  69. 	deleteSecretProviderRef        *pb.ProviderReference
    70. 

  70. 	deleteSecretCompatibilityStore *pb.CompatibilityStore
    71. 

  71. 	deleteSecretNamespace          string
    72. 

  72. 

  73. 	secretExistsResponse           bool
    74. 

  74. 	secretExistsErr                error
    75. 

  75. 	secretExistsRemoteRef          *pb.PushSecretRemoteRef
    76. 

  76. 	secretExistsProviderRef        *pb.ProviderReference
    77. 

  77. 	secretExistsCompatibilityStore *pb.CompatibilityStore
    78. 

  78. 	secretExistsNamespace          string
    79. 

  79. 

  80. 	validateErr                error
    81. 

  81. 	validateProviderRef        *pb.ProviderReference
    82. 

  82. 	validateCompatibilityStore *pb.CompatibilityStore
    83. 

  83. 	validateNamespace          string
    84. 

  84. 	validateCalled             bool
    85. 

  85. 

  86. 	closeErr    error
    87. 

  87. 	closeCalled bool
    88. 

  88. }
    89. 

  89. 

  90. func (f *fakeV2Provider) GetSecret(
    91. 

  91. 	_ context.Context,
    92. 

  92. 	ref esv1.ExternalSecretDataRemoteRef,
    93. 

  93. 	providerRef *pb.ProviderReference,
    94. 

  94. 	compatibilityStore *pb.CompatibilityStore,
    95. 

  95. 	sourceNamespace string,
    96. 

  96. ) ([]byte, error) {
    97. 

  97. 	f.getSecretRef = ref
    98. 

  98. 	f.getSecretProviderRef = providerRef
    99. 

  99. 	f.getSecretCompatibilityStore = compatibilityStore
    100. 

  100. 	f.getSecretNamespace = sourceNamespace
    101. 

  101. 	return f.getSecretResponse, f.getSecretErr
    102. 

  102. }
    103. 

  103. 

  104. func (f *fakeV2Provider) GetSecretMap(
    105. 

  105. 	_ context.Context,
    106. 

  106. 	ref esv1.ExternalSecretDataRemoteRef,
    107. 

  107. 	providerRef *pb.ProviderReference,
    108. 

  108. 	compatibilityStore *pb.CompatibilityStore,
    109. 

  109. 	sourceNamespace string,
    110. 

  110. ) (map[string][]byte, error) {
    111. 

  111. 	f.getSecretMapRef = ref
    112. 

  112. 	f.getSecretProviderRef = providerRef
    113. 

  113. 	f.getSecretMapCompatibilityStore = compatibilityStore
    114. 

  114. 	f.getSecretNamespace = sourceNamespace
    115. 

  115. 	return f.getSecretMapResponse, f.getSecretMapErr
    116. 

  116. }
    117. 

  117. 

  118. func (f *fakeV2Provider) GetAllSecrets(
    119. 

  119. 	_ context.Context,
    120. 

  120. 	find esv1.ExternalSecretFind,
    121. 

  121. 	providerRef *pb.ProviderReference,
    122. 

  122. 	compatibilityStore *pb.CompatibilityStore,
    123. 

  123. 	sourceNamespace string,
    124. 

  124. ) (map[string][]byte, error) {
    125. 

  125. 	f.getAllSecretsFind = find
    126. 

  126. 	f.getSecretProviderRef = providerRef
    127. 

  127. 	f.getAllSecretsCompatibilityStore = compatibilityStore
    128. 

  128. 	f.getSecretNamespace = sourceNamespace
    129. 

  129. 	return f.getAllSecretsResponse, f.getAllSecretsErr
    130. 

  130. }
    131. 

  131. 

  132. func (f *fakeV2Provider) PushSecret(
    133. 

  133. 	_ context.Context,
    134. 

  134. 	secret *corev1.Secret,
    135. 

  135. 	pushSecretData *pb.PushSecretData,
    136. 

  136. 	providerRef *pb.ProviderReference,
    137. 

  137. 	compatibilityStore *pb.CompatibilityStore,
    138. 

  138. 	sourceNamespace string,
    139. 

  139. ) error {
    140. 

  140. 	f.pushSecretData = secret.Data
    141. 

  141. 	f.pushSecretSecret = secret.DeepCopy()
    142. 

  142. 	f.pushSecretPayload = pushSecretData
    143. 

  143. 	f.pushSecretProviderRef = providerRef
    144. 

  144. 	f.pushSecretCompatibilityStore = compatibilityStore
    145. 

  145. 	f.pushSecretNamespace = sourceNamespace
    146. 

  146. 	return f.pushSecretErr
    147. 

  147. }
    148. 

  148. 

  149. func (f *fakeV2Provider) DeleteSecret(
    150. 

  150. 	_ context.Context,
    151. 

  151. 	remoteRef *pb.PushSecretRemoteRef,
    152. 

  152. 	providerRef *pb.ProviderReference,
    153. 

  153. 	compatibilityStore *pb.CompatibilityStore,
    154. 

  154. 	sourceNamespace string,
    155. 

  155. ) error {
    156. 

  156. 	f.deleteSecretRemoteRef = remoteRef
    157. 

  157. 	f.deleteSecretProviderRef = providerRef
    158. 

  158. 	f.deleteSecretCompatibilityStore = compatibilityStore
    159. 

  159. 	f.deleteSecretNamespace = sourceNamespace
    160. 

  160. 	return f.deleteSecretErr
    161. 

  161. }
    162. 

  162. 

  163. func (f *fakeV2Provider) SecretExists(
    164. 

  164. 	_ context.Context,
    165. 

  165. 	remoteRef *pb.PushSecretRemoteRef,
    166. 

  166. 	providerRef *pb.ProviderReference,
    167. 

  167. 	compatibilityStore *pb.CompatibilityStore,
    168. 

  168. 	sourceNamespace string,
    169. 

  169. ) (bool, error) {
    170. 

  170. 	f.secretExistsRemoteRef = remoteRef
    171. 

  171. 	f.secretExistsProviderRef = providerRef
    172. 

  172. 	f.secretExistsCompatibilityStore = compatibilityStore
    173. 

  173. 	f.secretExistsNamespace = sourceNamespace
    174. 

  174. 	return f.secretExistsResponse, f.secretExistsErr
    175. 

  175. }
    176. 

  176. 

  177. func (f *fakeV2Provider) Validate(_ context.Context, providerRef *pb.ProviderReference, compatibilityStore *pb.CompatibilityStore, sourceNamespace string) error {
    178. 

  178. 	f.validateCalled = true
    179. 

  179. 	f.validateProviderRef = providerRef
    180. 

  180. 	f.validateCompatibilityStore = compatibilityStore
    181. 

  181. 	f.validateNamespace = sourceNamespace
    182. 

  182. 	return f.validateErr
    183. 

  183. }
    184. 

  184. 

  185. func (f *fakeV2Provider) Capabilities(context.Context, *pb.ProviderReference, string) (pb.SecretStoreCapabilities, error) {
    186. 

  186. 	return pb.SecretStoreCapabilities_READ_WRITE, nil
    187. 

  187. }
    188. 

  188. 

  189. func (f *fakeV2Provider) Close(context.Context) error {
    190. 

  190. 	f.closeCalled = true
    191. 

  191. 	return f.closeErr
    192. 

  192. }
    193. 

  193. 

  194. type fakePushSecretData struct {
    195. 

  195. 	property  string
    196. 

  196. 	secretKey string
    197. 

  197. 	remoteKey string
    198. 

  198. 	metadata  *apiextensionsv1.JSON
    199. 

  199. }
    200. 

  200. 

  201. func (f fakePushSecretData) GetProperty() string {
    202. 

  202. 	return f.property
    203. 

  203. }
    204. 

  204. 

  205. func (f fakePushSecretData) GetSecretKey() string {
    206. 

  206. 	return f.secretKey
    207. 

  207. }
    208. 

  208. 

  209. func (f fakePushSecretData) GetRemoteKey() string {
    210. 

  210. 	return f.remoteKey
    211. 

  211. }
    212. 

  212. 

  213. func (f fakePushSecretData) GetMetadata() *apiextensionsv1.JSON {
    214. 

  214. 	return f.metadata
    215. 

  215. }
    216. 

  216. 

  217. type fakePushSecretRemoteRef struct {
    218. 

  218. 	remoteKey string
    219. 

  219. 	property  string
    220. 

  220. }
    221. 

  221. 

  222. func (f fakePushSecretRemoteRef) GetRemoteKey() string {
    223. 

  223. 	return f.remoteKey
    224. 

  224. }
    225. 

  225. 

  226. func (f fakePushSecretRemoteRef) GetProperty() string {
    227. 

  227. 	return f.property
    228. 

  228. }
    229. 

  229. 

  230. func TestClientGetSecretDelegatesProviderReferenceAndNamespace(t *testing.T) {
    231. 

  231. 	providerRef := &pb.ProviderReference{Name: "provider", Namespace: "config-ns"}
    232. 

  232. 	provider := &fakeV2Provider{getSecretResponse: []byte(testSecretValue)}
    233. 

  233. 	client := NewClient(provider, providerRef, testSourceNamespace)
    234. 

  234. 

  235. 	ref := esv1.ExternalSecretDataRemoteRef{Key: "sample", Version: "v1", Property: "password"}
    236. 

  236. 	value, err := client.GetSecret(context.Background(), ref)
    237. 

  237. 	if err != nil {
    238. 

  238. 		t.Fatalf("GetSecret() error = %v", err)
    239. 

  239. 	}
    240. 

  240. 

  241. 	if string(value) != testSecretValue {
    242. 

  242. 		t.Fatalf("expected %s, got %q", testSecretValue, string(value))
    243. 

  243. 	}
    244. 

  244. 	if provider.getSecretRef != ref {
    245. 

  245. 		t.Fatalf("unexpected ref: %#v", provider.getSecretRef)
    246. 

  246. 	}
    247. 

  247. 	if provider.getSecretProviderRef != providerRef {
    248. 

  248. 		t.Fatalf("unexpected provider ref: %#v", provider.getSecretProviderRef)
    249. 

  249. 	}
    250. 

  250. 	if provider.getSecretNamespace != testSourceNamespace {
    251. 

  251. 		t.Fatalf("unexpected source namespace: %q", provider.getSecretNamespace)
    252. 

  252. 	}
    253. 

  253. }
    254. 

  254. 

  255. func TestClientGetSecretMapDelegatesProviderReferenceAndNamespace(t *testing.T) {
    256. 

  256. 	providerRef := &pb.ProviderReference{Name: "provider", Namespace: "config-ns"}
    257. 

  257. 	expected := map[string][]byte{
    258. 

  258. 		"foo": []byte(testBarValue),
    259. 

  259. 		"baz": []byte("qux"),
    260. 

  260. 	}
    261. 

  261. 	provider := &fakeV2Provider{getSecretMapResponse: expected}
    262. 

  262. 	client := NewClient(provider, providerRef, testSourceNamespace)
    263. 

  263. 

  264. 	ref := esv1.ExternalSecretDataRemoteRef{Key: "sample"}
    265. 

  265. 	secretMap, err := client.GetSecretMap(context.Background(), ref)
    266. 

  266. 	if err != nil {
    267. 

  267. 		t.Fatalf("GetSecretMap() error = %v", err)
    268. 

  268. 	}
    269. 

  269. 

  270. 	if string(secretMap["foo"]) != testBarValue || string(secretMap["baz"]) != "qux" {
    271. 

  271. 		t.Fatalf("unexpected secret map: %#v", secretMap)
    272. 

  272. 	}
    273. 

  273. 	if provider.getSecretMapRef != ref {
    274. 

  274. 		t.Fatalf("unexpected ref: %#v", provider.getSecretMapRef)
    275. 

  275. 	}
    276. 

  276. 	if provider.getSecretProviderRef != providerRef {
    277. 

  277. 		t.Fatalf("unexpected provider ref: %#v", provider.getSecretProviderRef)
    278. 

  278. 	}
    279. 

  279. 	if provider.getSecretNamespace != testSourceNamespace {
    280. 

  280. 		t.Fatalf("unexpected source namespace: %q", provider.getSecretNamespace)
    281. 

  281. 	}
    282. 

  282. }
    283. 

  283. 

  284. func TestClientGetAllSecretsDelegatesFindCriteria(t *testing.T) {
    285. 

  285. 	providerRef := &pb.ProviderReference{Name: "provider", Namespace: "config-ns"}
    286. 

  286. 	path := "/team-a"
    287. 

  287. 	expected := map[string][]byte{"db-password": []byte(testValue)}
    288. 

  288. 	provider := &fakeV2Provider{getAllSecretsResponse: expected}
    289. 

  289. 	client := NewClient(provider, providerRef, testSourceNamespace)
    290. 

  290. 

  291. 	find := esv1.ExternalSecretFind{
    292. 

  292. 		Tags: map[string]string{
    293. 

  293. 			"team": "a",
    294. 

  294. 		},
    295. 

  295. 		Path: &path,
    296. 

  296. 		Name: &esv1.FindName{RegExp: "db-.*"},
    297. 

  297. 	}
    298. 

  298. 

  299. 	secrets, err := client.GetAllSecrets(context.Background(), find)
    300. 

  300. 	if err != nil {
    301. 

  301. 		t.Fatalf("GetAllSecrets() error = %v", err)
    302. 

  302. 	}
    303. 

  303. 

  304. 	if string(secrets["db-password"]) != testValue {
    305. 

  305. 		t.Fatalf("unexpected secret value: %#v", secrets)
    306. 

  306. 	}
    307. 

  307. 	if provider.getAllSecretsFind.Tags["team"] != "a" {
    308. 

  308. 		t.Fatalf("unexpected find tags: %#v", provider.getAllSecretsFind)
    309. 

  309. 	}
    310. 

  310. 	if provider.getAllSecretsFind.Path == nil || *provider.getAllSecretsFind.Path != path {
    311. 

  311. 		t.Fatalf("unexpected find path: %#v", provider.getAllSecretsFind.Path)
    312. 

  312. 	}
    313. 

  313. 	if provider.getAllSecretsFind.Name == nil || provider.getAllSecretsFind.Name.RegExp != "db-.*" {
    314. 

  314. 		t.Fatalf("unexpected find name: %#v", provider.getAllSecretsFind.Name)
    315. 

  315. 	}
    316. 

  316. 	if provider.getSecretProviderRef != providerRef {
    317. 

  317. 		t.Fatalf("unexpected provider ref: %#v", provider.getSecretProviderRef)
    318. 

  318. 	}
    319. 

  319. 	if provider.getSecretNamespace != testSourceNamespace {
    320. 

  320. 		t.Fatalf("unexpected source namespace: %q", provider.getSecretNamespace)
    321. 

  321. 	}
    322. 

  322. }
    323. 

  323. 

  324. func TestCompatibilityClientGetSecretDelegatesCompatibilityStore(t *testing.T) {
    325. 

  325. 	compatibilityStore := &pb.CompatibilityStore{
    326. 

  326. 		StoreName:       "compat-store",
    327. 

  327. 		StoreNamespace:  "config-ns",
    328. 

  328. 		StoreKind:       esv1.SecretStoreKind,
    329. 

  329. 		StoreUid:        "uid-1",
    330. 

  330. 		StoreGeneration: 7,
    331. 

  331. 		StoreSpecJson:   []byte(`{"provider":{"fake":{"data":[{"key":"sample","value":"secret-value"}]}}}`),
    332. 

  332. 	}
    333. 

  333. 	provider := &fakeV2Provider{getSecretResponse: []byte(testSecretValue)}
    334. 

  334. 	client := NewCompatibilityClient(provider, compatibilityStore, testSourceNamespace)
    335. 

  335. 

  336. 	value, err := client.GetSecret(context.Background(), esv1.ExternalSecretDataRemoteRef{Key: "sample"})
    337. 

  337. 	if err != nil {
    338. 

  338. 		t.Fatalf("GetSecret() error = %v", err)
    339. 

  339. 	}
    340. 

  340. 

  341. 	if string(value) != testSecretValue {
    342. 

  342. 		t.Fatalf("expected %s, got %q", testSecretValue, string(value))
    343. 

  343. 	}
    344. 

  344. 	if provider.getSecretProviderRef != nil {
    345. 

  345. 		t.Fatalf("expected provider ref to be nil, got %#v", provider.getSecretProviderRef)
    346. 

  346. 	}
    347. 

  347. 	if provider.getSecretCompatibilityStore != compatibilityStore {
    348. 

  348. 		t.Fatalf("unexpected compatibility store: %#v", provider.getSecretCompatibilityStore)
    349. 

  349. 	}
    350. 

  350. }
    351. 

  351. 

  352. func TestCompatibilityClientGetSecretMapDelegatesCompatibilityStore(t *testing.T) {
    353. 

  353. 	compatibilityStore := &pb.CompatibilityStore{
    354. 

  354. 		StoreName:       "compat-store",
    355. 

  355. 		StoreNamespace:  "config-ns",
    356. 

  356. 		StoreKind:       esv1.SecretStoreKind,
    357. 

  357. 		StoreUid:        "uid-1",
    358. 

  358. 		StoreGeneration: 7,
    359. 

  359. 		StoreSpecJson:   []byte(`{"provider":{"fake":{"data":[{"key":"sample","value":"secret-value"}]}}}`),
    360. 

  360. 	}
    361. 

  361. 	provider := &fakeV2Provider{getSecretMapResponse: map[string][]byte{"foo": []byte(testBarValue)}}
    362. 

  362. 	client := NewCompatibilityClient(provider, compatibilityStore, testSourceNamespace)
    363. 

  363. 

  364. 	secretMap, err := client.GetSecretMap(context.Background(), esv1.ExternalSecretDataRemoteRef{Key: "sample"})
    365. 

  365. 	if err != nil {
    366. 

  366. 		t.Fatalf("GetSecretMap() error = %v", err)
    367. 

  367. 	}
    368. 

  368. 

  369. 	if string(secretMap["foo"]) != testBarValue {
    370. 

  370. 		t.Fatalf("unexpected secret map: %#v", secretMap)
    371. 

  371. 	}
    372. 

  372. 	if provider.getSecretProviderRef != nil {
    373. 

  373. 		t.Fatalf("expected provider ref to be nil, got %#v", provider.getSecretProviderRef)
    374. 

  374. 	}
    375. 

  375. 	if provider.getSecretMapCompatibilityStore != compatibilityStore {
    376. 

  376. 		t.Fatalf("unexpected compatibility store: %#v", provider.getSecretMapCompatibilityStore)
    377. 

  377. 	}
    378. 

  378. }
    379. 

  379. 

  380. func TestCompatibilityClientGetAllSecretsDelegatesCompatibilityStore(t *testing.T) {
    381. 

  381. 	compatibilityStore := &pb.CompatibilityStore{
    382. 

  382. 		StoreName:       "compat-store",
    383. 

  383. 		StoreNamespace:  "config-ns",
    384. 

  384. 		StoreKind:       esv1.SecretStoreKind,
    385. 

  385. 		StoreUid:        "uid-1",
    386. 

  386. 		StoreGeneration: 7,
    387. 

  387. 		StoreSpecJson:   []byte(`{"provider":{"fake":{"data":[{"key":"sample","value":"secret-value"}]}}}`),
    388. 

  388. 	}
    389. 

  389. 	provider := &fakeV2Provider{getAllSecretsResponse: map[string][]byte{"db-password": []byte(testValue)}}
    390. 

  390. 	client := NewCompatibilityClient(provider, compatibilityStore, testSourceNamespace)
    391. 

  391. 

  392. 	secrets, err := client.GetAllSecrets(context.Background(), esv1.ExternalSecretFind{})
    393. 

  393. 	if err != nil {
    394. 

  394. 		t.Fatalf("GetAllSecrets() error = %v", err)
    395. 

  395. 	}
    396. 

  396. 

  397. 	if string(secrets["db-password"]) != testValue {
    398. 

  398. 		t.Fatalf("unexpected secret value: %#v", secrets)
    399. 

  399. 	}
    400. 

  400. 	if provider.getSecretProviderRef != nil {
    401. 

  401. 		t.Fatalf("expected provider ref to be nil, got %#v", provider.getSecretProviderRef)
    402. 

  402. 	}
    403. 

  403. 	if provider.getAllSecretsCompatibilityStore != compatibilityStore {
    404. 

  404. 		t.Fatalf("unexpected compatibility store: %#v", provider.getAllSecretsCompatibilityStore)
    405. 

  405. 	}
    406. 

  406. }
    407. 

  407. 

  408. func TestCompatibilityClientPushSecretDelegatesCompatibilityStore(t *testing.T) {
    409. 

  409. 	compatibilityStore := &pb.CompatibilityStore{
    410. 

  410. 		StoreName:       "compat-store",
    411. 

  411. 		StoreNamespace:  "config-ns",
    412. 

  412. 		StoreKind:       esv1.SecretStoreKind,
    413. 

  413. 		StoreUid:        "uid-1",
    414. 

  414. 		StoreGeneration: 7,
    415. 

  415. 		StoreSpecJson:   []byte(`{"provider":{"fake":{"data":[{"key":"sample","value":"secret-value"}]}}}`),
    416. 

  416. 	}
    417. 

  417. 	provider := &fakeV2Provider{}
    418. 

  418. 	client := NewCompatibilityClient(provider, compatibilityStore, testSourceNamespace)
    419. 

  419. 

  420. 	err := client.PushSecret(context.Background(), &corev1.Secret{
    421. 

  421. 		Data: map[string][]byte{"token": []byte(testValue)},
    422. 

  422. 	}, fakePushSecretData{remoteKey: serverTestRemoteKey, secretKey: "token"})
    423. 

  423. 	if err != nil {
    424. 

  424. 		t.Fatalf("PushSecret() error = %v", err)
    425. 

  425. 	}
    426. 

  426. 

  427. 	if provider.pushSecretProviderRef != nil {
    428. 

  428. 		t.Fatalf("expected provider ref to be nil, got %#v", provider.pushSecretProviderRef)
    429. 

  429. 	}
    430. 

  430. 	if provider.pushSecretCompatibilityStore != compatibilityStore {
    431. 

  431. 		t.Fatalf("unexpected compatibility store: %#v", provider.pushSecretCompatibilityStore)
    432. 

  432. 	}
    433. 

  433. }
    434. 

  434. 

  435. func TestCompatibilityClientDeleteSecretDelegatesCompatibilityStore(t *testing.T) {
    436. 

  436. 	compatibilityStore := &pb.CompatibilityStore{
    437. 

  437. 		StoreName:       "compat-store",
    438. 

  438. 		StoreNamespace:  "config-ns",
    439. 

  439. 		StoreKind:       esv1.SecretStoreKind,
    440. 

  440. 		StoreUid:        "uid-1",
    441. 

  441. 		StoreGeneration: 7,
    442. 

  442. 		StoreSpecJson:   []byte(`{"provider":{"fake":{"data":[{"key":"sample","value":"secret-value"}]}}}`),
    443. 

  443. 	}
    444. 

  444. 	provider := &fakeV2Provider{}
    445. 

  445. 	client := NewCompatibilityClient(provider, compatibilityStore, testSourceNamespace)
    446. 

  446. 

  447. 	err := client.DeleteSecret(context.Background(), fakePushSecretRemoteRef{
    448. 

  448. 		remoteKey: serverTestRemoteKey,
    449. 

  449. 		property:  testProperty,
    450. 

  450. 	})
    451. 

  451. 	if err != nil {
    452. 

  452. 		t.Fatalf("DeleteSecret() error = %v", err)
    453. 

  453. 	}
    454. 

  454. 

  455. 	if provider.deleteSecretProviderRef != nil {
    456. 

  456. 		t.Fatalf("expected provider ref to be nil, got %#v", provider.deleteSecretProviderRef)
    457. 

  457. 	}
    458. 

  458. 	if provider.deleteSecretCompatibilityStore != compatibilityStore {
    459. 

  459. 		t.Fatalf("unexpected compatibility store: %#v", provider.deleteSecretCompatibilityStore)
    460. 

  460. 	}
    461. 

  461. }
    462. 

  462. 

  463. func TestCompatibilityClientSecretExistsDelegatesCompatibilityStore(t *testing.T) {
    464. 

  464. 	compatibilityStore := &pb.CompatibilityStore{
    465. 

  465. 		StoreName:       "compat-store",
    466. 

  466. 		StoreNamespace:  "config-ns",
    467. 

  467. 		StoreKind:       esv1.SecretStoreKind,
    468. 

  468. 		StoreUid:        "uid-1",
    469. 

  469. 		StoreGeneration: 7,
    470. 

  470. 		StoreSpecJson:   []byte(`{"provider":{"fake":{"data":[{"key":"sample","value":"secret-value"}]}}}`),
    471. 

  471. 	}
    472. 

  472. 	provider := &fakeV2Provider{secretExistsResponse: true}
    473. 

  473. 	client := NewCompatibilityClient(provider, compatibilityStore, testSourceNamespace)
    474. 

  474. 

  475. 	exists, err := client.SecretExists(context.Background(), fakePushSecretRemoteRef{
    476. 

  476. 		remoteKey: serverTestRemoteKey,
    477. 

  477. 		property:  testProperty,
    478. 

  478. 	})
    479. 

  479. 	if err != nil {
    480. 

  480. 		t.Fatalf("SecretExists() error = %v", err)
    481. 

  481. 	}
    482. 

  482. 	if !exists {
    483. 

  483. 		t.Fatal("expected secret to exist")
    484. 

  484. 	}
    485. 

  485. 	if provider.secretExistsProviderRef != nil {
    486. 

  486. 		t.Fatalf("expected provider ref to be nil, got %#v", provider.secretExistsProviderRef)
    487. 

  487. 	}
    488. 

  488. 	if provider.secretExistsCompatibilityStore != compatibilityStore {
    489. 

  489. 		t.Fatalf("unexpected compatibility store: %#v", provider.secretExistsCompatibilityStore)
    490. 

  490. 	}
    491. 

  491. }
    492. 

  492. 

  493. func TestClientPushSecretConvertsPayloadAndMetadata(t *testing.T) {
    494. 

  494. 	providerRef := &pb.ProviderReference{Name: "provider", Namespace: "config-ns"}
    495. 

  495. 	provider := &fakeV2Provider{}
    496. 

  496. 	client := NewClient(provider, providerRef, testSourceNamespace)
    497. 

  497. 

  498. 	metadata := []byte(`{"owner":"eso"}`)
    499. 

  499. 	secret := &corev1.Secret{
    500. 

  500. 		Data: map[string][]byte{
    501. 

  501. 			"token": []byte(testValue),
    502. 

  502. 		},
    503. 

  503. 	}
    504. 

  504. 	pushData := fakePushSecretData{
    505. 

  505. 		property:  testProperty,
    506. 

  506. 		secretKey: "token",
    507. 

  507. 		remoteKey: serverTestRemoteKey,
    508. 

  508. 		metadata:  &apiextensionsv1.JSON{Raw: metadata},
    509. 

  509. 	}
    510. 

  510. 

  511. 	err := client.PushSecret(context.Background(), secret, pushData)
    512. 

  512. 	if err != nil {
    513. 

  513. 		t.Fatalf("PushSecret() error = %v", err)
    514. 

  514. 	}
    515. 

  515. 

  516. 	if string(provider.pushSecretData["token"]) != testValue {
    517. 

  517. 		t.Fatalf("unexpected secret data: %#v", provider.pushSecretData)
    518. 

  518. 	}
    519. 

  519. 	if provider.pushSecretPayload == nil {
    520. 

  520. 		t.Fatal("expected push payload to be recorded")
    521. 

  521. 	}
    522. 

  522. 	if provider.pushSecretPayload.RemoteKey != serverTestRemoteKey || provider.pushSecretPayload.SecretKey != "token" || provider.pushSecretPayload.Property != testProperty {
    523. 

  523. 		t.Fatalf("unexpected push payload: %#v", provider.pushSecretPayload)
    524. 

  524. 	}
    525. 

  525. 	if !bytes.Equal(provider.pushSecretPayload.Metadata, metadata) {
    526. 

  526. 		t.Fatalf("unexpected metadata: %q", string(provider.pushSecretPayload.Metadata))
    527. 

  527. 	}
    528. 

  528. 	if provider.pushSecretProviderRef != providerRef {
    529. 

  529. 		t.Fatalf("unexpected provider ref: %#v", provider.pushSecretProviderRef)
    530. 

  530. 	}
    531. 

  531. 	if provider.pushSecretNamespace != testSourceNamespace {
    532. 

  532. 		t.Fatalf("unexpected source namespace: %q", provider.pushSecretNamespace)
    533. 

  533. 	}
    534. 

  534. }
    535. 

  535. 

  536. func TestClientPushSecretForwardsKubernetesSecretShape(t *testing.T) {
    537. 

  537. 	providerRef := &pb.ProviderReference{Name: "provider", Namespace: "config-ns"}
    538. 

  538. 	provider := &fakeV2Provider{}
    539. 

  539. 	client := NewClient(provider, providerRef, testSourceNamespace)
    540. 

  540. 

  541. 	metadata := []byte(`{"mergePolicy":"replace"}`)
    542. 

  542. 	secret := &corev1.Secret{
    543. 

  543. 		Type: corev1.SecretTypeDockerConfigJson,
    544. 

  544. 		ObjectMeta: metav1.ObjectMeta{
    545. 

  545. 			Labels:      map[string]string{"team": "platform"},
    546. 

  546. 			Annotations: map[string]string{"owner": "app-team"},
    547. 

  547. 		},
    548. 

  548. 		Data: map[string][]byte{
    549. 

  549. 			".dockerconfigjson": []byte("payload"),
    550. 

  550. 		},
    551. 

  551. 	}
    552. 

  552. 	pushData := fakePushSecretData{
    553. 

  553. 		property:  testProperty,
    554. 

  554. 		secretKey: ".dockerconfigjson",
    555. 

  555. 		remoteKey: serverTestRemoteKey,
    556. 

  556. 		metadata:  &apiextensionsv1.JSON{Raw: metadata},
    557. 

  557. 	}
    558. 

  558. 

  559. 	err := client.PushSecret(context.Background(), secret, pushData)
    560. 

  560. 	if err != nil {
    561. 

  561. 		t.Fatalf("PushSecret() error = %v", err)
    562. 

  562. 	}
    563. 

  563. 

  564. 	if provider.pushSecretSecret == nil {
    565. 

  565. 		t.Fatal("expected pushed secret to be recorded")
    566. 

  566. 	}
    567. 

  567. 	if provider.pushSecretSecret.Type != corev1.SecretTypeDockerConfigJson {
    568. 

  568. 		t.Errorf("expected secret type %q, got %q", corev1.SecretTypeDockerConfigJson, provider.pushSecretSecret.Type)
    569. 

  569. 	}
    570. 

  570. 	if got, want := provider.pushSecretSecret.Labels["team"], "platform"; got != want {
    571. 

  571. 		t.Errorf("expected secret label team=%q, got %q", want, got)
    572. 

  572. 	}
    573. 

  573. 	if got, want := provider.pushSecretSecret.Annotations["owner"], "app-team"; got != want {
    574. 

  574. 		t.Errorf("expected secret annotation owner=%q, got %q", want, got)
    575. 

  575. 	}
    576. 

  576. 	if got, want := string(provider.pushSecretSecret.Data[".dockerconfigjson"]), "payload"; got != want {
    577. 

  577. 		t.Errorf("expected secret payload %q, got %q", want, got)
    578. 

  578. 	}
    579. 

  579. 	if provider.pushSecretPayload == nil {
    580. 

  580. 		t.Fatal("expected push payload to be recorded")
    581. 

  581. 	}
    582. 

  582. 	if !bytes.Equal(provider.pushSecretPayload.Metadata, metadata) {
    583. 

  583. 		t.Fatalf("unexpected metadata: %q", string(provider.pushSecretPayload.Metadata))
    584. 

  584. 	}
    585. 

  585. }
    586. 

  586. 

  587. func TestClientDeleteSecretConvertsRemoteRef(t *testing.T) {
    588. 

  588. 	providerRef := &pb.ProviderReference{Name: "provider", Namespace: "config-ns"}
    589. 

  589. 	provider := &fakeV2Provider{}
    590. 

  590. 	client := NewClient(provider, providerRef, testSourceNamespace)
    591. 

  591. 

  592. 	err := client.DeleteSecret(context.Background(), fakePushSecretRemoteRef{
    593. 

  593. 		remoteKey: serverTestRemoteKey,
    594. 

  594. 		property:  testProperty,
    595. 

  595. 	})
    596. 

  596. 	if err != nil {
    597. 

  597. 		t.Fatalf("DeleteSecret() error = %v", err)
    598. 

  598. 	}
    599. 

  599. 

  600. 	if provider.deleteSecretRemoteRef == nil {
    601. 

  601. 		t.Fatal("expected delete remote ref to be recorded")
    602. 

  602. 	}
    603. 

  603. 	if provider.deleteSecretRemoteRef.RemoteKey != serverTestRemoteKey || provider.deleteSecretRemoteRef.Property != testProperty {
    604. 

  604. 		t.Fatalf("unexpected remote ref: %#v", provider.deleteSecretRemoteRef)
    605. 

  605. 	}
    606. 

  606. 	if provider.deleteSecretProviderRef != providerRef {
    607. 

  607. 		t.Fatalf("unexpected provider ref: %#v", provider.deleteSecretProviderRef)
    608. 

  608. 	}
    609. 

  609. 	if provider.deleteSecretNamespace != testSourceNamespace {
    610. 

  610. 		t.Fatalf("unexpected source namespace: %q", provider.deleteSecretNamespace)
    611. 

  611. 	}
    612. 

  612. }
    613. 

  613. 

  614. func TestClientSecretExistsConvertsRemoteRef(t *testing.T) {
    615. 

  615. 	providerRef := &pb.ProviderReference{Name: "provider", Namespace: "config-ns"}
    616. 

  616. 	provider := &fakeV2Provider{secretExistsResponse: true}
    617. 

  617. 	client := NewClient(provider, providerRef, testSourceNamespace)
    618. 

  618. 

  619. 	exists, err := client.SecretExists(context.Background(), fakePushSecretRemoteRef{
    620. 

  620. 		remoteKey: serverTestRemoteKey,
    621. 

  621. 		property:  testProperty,
    622. 

  622. 	})
    623. 

  623. 	if err != nil {
    624. 

  624. 		t.Fatalf("SecretExists() error = %v", err)
    625. 

  625. 	}
    626. 

  626. 

  627. 	if !exists {
    628. 

  628. 		t.Fatal("expected secret to exist")
    629. 

  629. 	}
    630. 

  630. 	if provider.secretExistsRemoteRef == nil {
    631. 

  631. 		t.Fatal("expected exists remote ref to be recorded")
    632. 

  632. 	}
    633. 

  633. 	if provider.secretExistsRemoteRef.RemoteKey != serverTestRemoteKey || provider.secretExistsRemoteRef.Property != testProperty {
    634. 

  634. 		t.Fatalf("unexpected remote ref: %#v", provider.secretExistsRemoteRef)
    635. 

  635. 	}
    636. 

  636. 	if provider.secretExistsProviderRef != providerRef {
    637. 

  637. 		t.Fatalf("unexpected provider ref: %#v", provider.secretExistsProviderRef)
    638. 

  638. 	}
    639. 

  639. 	if provider.secretExistsNamespace != testSourceNamespace {
    640. 

  640. 		t.Fatalf("unexpected source namespace: %q", provider.secretExistsNamespace)
    641. 

  641. 	}
    642. 

  642. }
    643. 

  643. 

  644. func TestClientValidateMapsProviderErrors(t *testing.T) {
    645. 

  645. 	t.Run("success", func(t *testing.T) {
    646. 

  646. 		providerRef := &pb.ProviderReference{
    647. 

  647. 			Name:         "provider",
    648. 

  648. 			Namespace:    "config-ns",
    649. 

  649. 			StoreRefKind: esv1.ProviderStoreKindStr,
    650. 

  650. 		}
    651. 

  651. 		provider := &fakeV2Provider{}
    652. 

  652. 		client := NewClient(provider, providerRef, testSourceNamespace)
    653. 

  653. 

  654. 		result, err := client.Validate()
    655. 

  655. 		if err != nil {
    656. 

  656. 			t.Fatalf("Validate() error = %v", err)
    657. 

  657. 		}
    658. 

  658. 		if result != esv1.ValidationResultReady {
    659. 

  659. 			t.Fatalf("expected ValidationResultReady, got %q", result)
    660. 

  660. 		}
    661. 

  661. 		if provider.validateProviderRef != providerRef {
    662. 

  662. 			t.Fatalf("unexpected provider ref: %#v", provider.validateProviderRef)
    663. 

  663. 		}
    664. 

  664. 		if provider.validateProviderRef.StoreRefKind != esv1.ProviderStoreKindStr {
    665. 

  665. 			t.Fatalf("unexpected store_ref_kind: %q", provider.validateProviderRef.StoreRefKind)
    666. 

  666. 		}
    667. 

  667. 		if provider.validateNamespace != testSourceNamespace {
    668. 

  668. 			t.Fatalf("unexpected source namespace: %q", provider.validateNamespace)
    669. 

  669. 		}
    670. 

  670. 	})
    671. 

  671. 

  672. 	t.Run("error", func(t *testing.T) {
    673. 

  673. 		validateErr := errors.New("invalid credentials")
    674. 

  674. 		provider := &fakeV2Provider{validateErr: validateErr}
    675. 

  675. 		client := NewClient(provider, &pb.ProviderReference{Name: "provider"}, testSourceNamespace)
    676. 

  676. 

  677. 		result, err := client.Validate()
    678. 

  678. 		if !errors.Is(err, validateErr) {
    679. 

  679. 			t.Fatalf("expected %v, got %v", validateErr, err)
    680. 

  680. 		}
    681. 

  681. 		if result != esv1.ValidationResultError {
    682. 

  682. 			t.Fatalf("expected ValidationResultError, got %q", result)
    683. 

  683. 		}
    684. 

  684. 	})
    685. 

  685. }
    686. 

  686. 

  687. func TestCompatibilityClientValidateUsesCompatibilityStore(t *testing.T) {
    688. 

  688. 	provider := &fakeV2Provider{}
    689. 

  689. 	compatibilityStore := &pb.CompatibilityStore{
    690. 

  690. 		StoreName:       "runtime-store",
    691. 

  691. 		StoreNamespace:  "tenant-a",
    692. 

  692. 		StoreKind:       esv1.SecretStoreKind,
    693. 

  693. 		StoreUid:        "uid-1",
    694. 

  694. 		StoreGeneration: 7,
    695. 

  695. 		StoreSpecJson:   []byte(`{"provider":{"fake":{"data":[{"key":"db","value":"secret"}]}}}`),
    696. 

  696. 	}
    697. 

  697. 	client := NewCompatibilityClient(provider, compatibilityStore, testSourceNamespace)
    698. 

  698. 

  699. 	result, err := client.Validate()
    700. 

  700. 	if err != nil {
    701. 

  701. 		t.Fatalf("Validate() error = %v", err)
    702. 

  702. 	}
    703. 

  703. 	if result != esv1.ValidationResultReady {
    704. 

  704. 		t.Fatalf("expected ValidationResultReady, got %q", result)
    705. 

  705. 	}
    706. 

  706. 	if !provider.validateCalled {
    707. 

  707. 		t.Fatal("expected provider Validate to be called")
    708. 

  708. 	}
    709. 

  709. 	if provider.validateProviderRef != nil {
    710. 

  710. 		t.Fatalf("expected provider ref to be nil, got %#v", provider.validateProviderRef)
    711. 

  711. 	}
    712. 

  712. 	if provider.validateCompatibilityStore != compatibilityStore {
    713. 

  713. 		t.Fatalf("unexpected compatibility store: %#v", provider.validateCompatibilityStore)
    714. 

  714. 	}
    715. 

  715. }
    716. 

  716. 

  717. func TestCompatibilityClientValidateReturnsErrorWhenValidationHookFails(t *testing.T) {
    718. 

  718. 	validateErr := errors.New("runtime not serving")
    719. 

  719. 	client := NewCompatibilityClient(&fakeV2Provider{validateErr: validateErr}, &pb.CompatibilityStore{
    720. 

  720. 		StoreName:       "runtime-store",
    721. 

  721. 		StoreNamespace:  "tenant-a",
    722. 

  722. 		StoreKind:       esv1.SecretStoreKind,
    723. 

  723. 		StoreUid:        "uid-1",
    724. 

  724. 		StoreGeneration: 7,
    725. 

  725. 		StoreSpecJson:   []byte(`{"provider":{"fake":{"data":[{"key":"db","value":"secret"}]}}}`),
    726. 

  726. 	}, testSourceNamespace)
    727. 

  727. 

  728. 	result, err := client.Validate()
    729. 

  729. 	if !errors.Is(err, validateErr) {
    730. 

  730. 		t.Fatalf("expected %v, got %v", validateErr, err)
    731. 

  731. 	}
    732. 

  732. 	if result != esv1.ValidationResultError {
    733. 

  733. 		t.Fatalf("expected ValidationResultError, got %q", result)
    734. 

  734. 	}
    735. 

  735. }
    736. 

  736. 

  737. func TestClientCloseDelegates(t *testing.T) {
    738. 

  738. 	closeErr := errors.New("close failed")
    739. 

  739. 	provider := &fakeV2Provider{closeErr: closeErr}
    740. 

  740. 	client := NewClient(provider, &pb.ProviderReference{Name: "provider"}, testSourceNamespace)
    741. 

  741. 

  742. 	err := client.Close(context.Background())
    743. 

  743. 	if !errors.Is(err, closeErr) {
    744. 

  744. 		t.Fatalf("expected %v, got %v", closeErr, err)
    745. 

  745. 	}
    746. 

  746. 	if !provider.closeCalled {
    747. 

  747. 		t.Fatal("expected provider close to be called")
    748. 

  748. 	}
    749. 

  749. }
    750.