keyvault_test.go 71 KB

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291301311321331341351361371381391401411421431441451461471481491501511521531541551561571581591601611621631641651661671681691701711721731741751761771781791801811821831841851861871881891901911921931941951961971981992002012022032042052062072082092102112122132142152162172182192202212222232242252262272282292302312322332342352362372382392402412422432442452462472482492502512522532542552562572582592602612622632642652662672682692702712722732742752762772782792802812822832842852862872882892902912922932942952962972982993003013023033043053063073083093103113123133143153163173183193203213223233243253263273283293303313323333343353363373383393403413423433443453463473483493503513523533543553563573583593603613623633643653663673683693703713723733743753763773783793803813823833843853863873883893903913923933943953963973983994004014024034044054064074084094104114124134144154164174184194204214224234244254264274284294304314324334344354364374384394404414424434444454464474484494504514524534544554564574584594604614624634644654664674684694704714724734744754764774784794804814824834844854864874884894904914924934944954964974984995005015025035045055065075085095105115125135145155165175185195205215225235245255265275285295305315325335345355365375385395405415425435445455465475485495505515525535545555565575585595605615625635645655665675685695705715725735745755765775785795805815825835845855865875885895905915925935945955965975985996006016026036046056066076086096106116126136146156166176186196206216226236246256266276286296306316326336346356366376386396406416426436446456466476486496506516526536546556566576586596606616626636646656666676686696706716726736746756766776786796806816826836846856866876886896906916926936946956966976986997007017027037047057067077087097107117127137147157167177187197207217227237247257267277287297307317327337347357367377387397407417427437447457467477487497507517527537547557567577587597607617627637647657667677687697707717727737747757767777787797807817827837847857867877887897907917927937947957967977987998008018028038048058068078088098108118128138148158168178188198208218228238248258268278288298308318328338348358368378388398408418428438448458468478488498508518528538548558568578588598608618628638648658668678688698708718728738748758768778788798808818828838848858868878888898908918928938948958968978988999009019029039049059069079089099109119129139149159169179189199209219229239249259269279289299309319329339349359369379389399409419429439449459469479489499509519529539549559569579589599609619629639649659669679689699709719729739749759769779789799809819829839849859869879889899909919929939949959969979989991000100110021003100410051006100710081009101010111012101310141015101610171018101910201021102210231024102510261027102810291030103110321033103410351036103710381039104010411042104310441045104610471048104910501051105210531054105510561057105810591060106110621063106410651066106710681069107010711072107310741075107610771078107910801081108210831084108510861087108810891090109110921093109410951096109710981099110011011102110311041105110611071108110911101111111211131114111511161117111811191120112111221123112411251126112711281129113011311132113311341135113611371138113911401141114211431144114511461147114811491150115111521153115411551156115711581159116011611162116311641165116611671168116911701171117211731174117511761177117811791180118111821183118411851186118711881189119011911192119311941195119611971198119912001201120212031204120512061207120812091210121112121213121412151216121712181219122012211222122312241225122612271228122912301231123212331234123512361237123812391240124112421243124412451246124712481249125012511252125312541255125612571258125912601261126212631264126512661267126812691270127112721273127412751276127712781279128012811282128312841285128612871288128912901291129212931294129512961297129812991300130113021303130413051306130713081309131013111312131313141315131613171318131913201321132213231324132513261327132813291330133113321333133413351336133713381339134013411342134313441345134613471348134913501351135213531354135513561357135813591360136113621363136413651366136713681369137013711372137313741375137613771378137913801381138213831384138513861387138813891390139113921393139413951396139713981399140014011402140314041405140614071408140914101411141214131414141514161417141814191420142114221423142414251426142714281429143014311432143314341435143614371438143914401441144214431444144514461447144814491450145114521453145414551456145714581459146014611462146314641465146614671468146914701471147214731474147514761477147814791480148114821483148414851486148714881489149014911492149314941495149614971498149915001501150215031504150515061507150815091510151115121513151415151516151715181519152015211522152315241525152615271528152915301531153215331534153515361537153815391540154115421543154415451546154715481549155015511552155315541555
  1. /*
  2. Licensed under the Apache License, Version 2.0 (the "License");
  3. you may not use this file except in compliance with the License.
  4. You may obtain a copy of the License at
  5. http://www.apache.org/licenses/LICENSE-2.0
  6. Unless required by applicable law or agreed to in writing, software
  7. distributed under the License is distributed on an "AS IS" BASIS,
  8. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  9. See the License for the specific language governing permissions and
  10. limitations under the License.
  11. */
  12. package keyvault
  13. import (
  14. "context"
  15. "encoding/base64"
  16. "encoding/json"
  17. "errors"
  18. "fmt"
  19. "reflect"
  20. "testing"
  21. "github.com/Azure/azure-sdk-for-go/services/keyvault/2016-10-01/keyvault"
  22. "github.com/Azure/go-autorest/autorest"
  23. "k8s.io/utils/pointer"
  24. esv1beta1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1beta1"
  25. v1 "github.com/external-secrets/external-secrets/apis/meta/v1"
  26. fake "github.com/external-secrets/external-secrets/pkg/provider/azure/keyvault/fake"
  27. utils "github.com/external-secrets/external-secrets/pkg/utils"
  28. )
  29. type secretManagerTestCase struct {
  30. mockClient *fake.AzureMockClient
  31. secretName string
  32. secretVersion string
  33. serviceURL string
  34. ref *esv1beta1.ExternalSecretDataRemoteRef
  35. refFind *esv1beta1.ExternalSecretFind
  36. apiErr error
  37. setErr error
  38. deleteErr error
  39. pushRef esv1beta1.PushRemoteRef
  40. secretOutput keyvault.SecretBundle
  41. setSecretOutput keyvault.SecretBundle
  42. keyOutput keyvault.KeyBundle
  43. createKeyOutput keyvault.KeyBundle
  44. certOutput keyvault.CertificateBundle
  45. importOutput keyvault.CertificateBundle
  46. listOutput keyvault.SecretListResultIterator
  47. deleteKeyOutput keyvault.DeletedKeyBundle
  48. deleteCertificateOutput keyvault.DeletedCertificateBundle
  49. deleteSecretOutput keyvault.DeletedSecretBundle
  50. expectError string
  51. setValue []byte
  52. expectedSecret string
  53. // for testing secretmap
  54. expectedData map[string][]byte
  55. }
  56. func makeValidSecretManagerTestCase() *secretManagerTestCase {
  57. secretString := "Hello World!"
  58. smtc := secretManagerTestCase{
  59. mockClient: &fake.AzureMockClient{},
  60. secretName: "MySecret",
  61. secretVersion: "",
  62. ref: makeValidRef(),
  63. refFind: makeValidFind(),
  64. secretOutput: keyvault.SecretBundle{Value: &secretString},
  65. serviceURL: "",
  66. apiErr: nil,
  67. expectError: "",
  68. expectedSecret: secretString,
  69. expectedData: map[string][]byte{},
  70. }
  71. smtc.mockClient.WithValue(smtc.serviceURL, smtc.secretName, smtc.secretVersion, smtc.secretOutput, smtc.apiErr)
  72. return &smtc
  73. }
  74. func makeValidSecretManagerTestCaseCustom(tweaks ...func(smtc *secretManagerTestCase)) *secretManagerTestCase {
  75. smtc := makeValidSecretManagerTestCase()
  76. for _, fn := range tweaks {
  77. fn(smtc)
  78. }
  79. smtc.mockClient.WithValue(smtc.serviceURL, smtc.secretName, smtc.secretVersion, smtc.secretOutput, smtc.apiErr)
  80. smtc.mockClient.WithKey(smtc.serviceURL, smtc.secretName, smtc.secretVersion, smtc.keyOutput, smtc.apiErr)
  81. smtc.mockClient.WithCertificate(smtc.serviceURL, smtc.secretName, smtc.secretVersion, smtc.certOutput, smtc.apiErr)
  82. smtc.mockClient.WithList(smtc.serviceURL, smtc.listOutput, smtc.apiErr)
  83. smtc.mockClient.WithImportCertificate(smtc.importOutput, smtc.setErr)
  84. smtc.mockClient.WithImportKey(smtc.createKeyOutput, smtc.setErr)
  85. smtc.mockClient.WithSetSecret(smtc.setSecretOutput, smtc.setErr)
  86. smtc.mockClient.WithDeleteCertificate(smtc.deleteCertificateOutput, smtc.deleteErr)
  87. smtc.mockClient.WithDeleteKey(smtc.deleteKeyOutput, smtc.deleteErr)
  88. smtc.mockClient.WithDeleteSecret(smtc.deleteSecretOutput, smtc.deleteErr)
  89. return smtc
  90. }
  91. const (
  92. jwkPubRSA = `{"kid":"ex","kty":"RSA","key_ops":["sign","verify","wrapKey","unwrapKey","encrypt","decrypt"],"n":"p2VQo8qCfWAZmdWBVaYuYb-a-tWWm78K6Sr9poCvNcmv8rUPSLACxitQWR8gZaSH1DklVkqz-Ed8Cdlf8lkDg4Ex5tkB64jRdC1Uvn4CDpOH6cp-N2s8hTFLqy9_YaDmyQS7HiqthOi9oVjil1VMeWfaAbClGtFt6UnKD0Vb_DvLoWYQSqlhgBArFJi966b4E1pOq5Ad02K8pHBDThlIIx7unibLehhDU6q3DCwNH_OOLx6bgNtmvGYJDd1cywpkLQ3YzNCUPWnfMBJRP3iQP_WI21uP6cvo0DqBPBM4wvVzHbCT0vnIflwkbgEWkq1FprqAitZlop9KjLqzjp9vyQ","e":"AQAB"}`
  93. jwkPubEC = `{"kid":"https://example.vault.azure.net/keys/ec-p-521/e3d0e9c179b54988860c69c6ae172c65","kty":"EC","key_ops":["sign","verify"],"crv":"P-521","x":"AedOAtb7H7Oz1C_cPKI_R4CN_eai5nteY6KFW07FOoaqgQfVCSkQDK22fCOiMT_28c8LZYJRsiIFz_IIbQUW7bXj","y":"AOnchHnmBphIWXvanmMAmcCDkaED6ycW8GsAl9fQ43BMVZTqcTkJYn6vGnhn7MObizmkNSmgZYTwG-vZkIg03HHs"}`
  94. jsonTestString = `{"Name": "External", "LastName": "Secret", "Address": { "Street": "Myroad st.", "CP": "J4K4T4" } }`
  95. jsonSingleTestString = `{"Name": "External", "LastName": "Secret" }`
  96. jsonTagTestString = `{"tagname":"tagvalue","tagname2":"tagvalue2"}`
  97. keyName = "key/keyname"
  98. certName = "cert/certname"
  99. secretString = "changedvalue"
  100. unexpectedError = "[%d] unexpected error: %s, expected: '%s'"
  101. unexpectedSecretData = "[%d] unexpected secret data: expected %#v, got %#v"
  102. errorNoTag = "tag something does not exist"
  103. errNotManaged = "not managed by external-secrets"
  104. errNoPermission = "No Permissions"
  105. errAPI = "unexpected api error"
  106. something = "something"
  107. tagname = "tagname"
  108. tagname2 = "tagname2"
  109. tagvalue = "tagvalue"
  110. tagvalue2 = "tagvalue2"
  111. secretName = "example-1"
  112. testsecret = "test-secret"
  113. fakeURL = "noop"
  114. foo = "foo"
  115. bar = "bar"
  116. errStore = "Azure.ValidateStore() error = %v, wantErr %v"
  117. )
  118. func getTagMap() map[string]*string {
  119. tag1 := "tagname"
  120. tag2 := "tagname2"
  121. value1 := "tagvalue"
  122. value2 := "tagvalue2"
  123. tagMap := make(map[string]*string)
  124. tagMap[tag1] = &value1
  125. tagMap[tag2] = &value2
  126. return tagMap
  127. }
  128. func newKVJWK(b []byte) *keyvault.JSONWebKey {
  129. var key keyvault.JSONWebKey
  130. err := json.Unmarshal(b, &key)
  131. if err != nil {
  132. panic(err)
  133. }
  134. return &key
  135. }
  136. type fakeRef struct {
  137. key string
  138. }
  139. func (f fakeRef) GetRemoteKey() string {
  140. return f.key
  141. }
  142. func TestAzureKeyVaultDeleteSecret(t *testing.T) {
  143. unsupportedType := func(smtc *secretManagerTestCase) {
  144. smtc.pushRef = fakeRef{
  145. key: "yadayada/foo",
  146. }
  147. smtc.expectError = "secret type 'yadayada' is not supported"
  148. }
  149. secretSuccess := func(smtc *secretManagerTestCase) {
  150. smtc.pushRef = fakeRef{
  151. key: secretName,
  152. }
  153. smtc.secretOutput = keyvault.SecretBundle{
  154. Tags: map[string]*string{
  155. "managed-by": pointer.String("external-secrets"),
  156. },
  157. Value: pointer.String("foo"),
  158. }
  159. smtc.deleteSecretOutput = keyvault.DeletedSecretBundle{}
  160. }
  161. secretNotFound := func(smtc *secretManagerTestCase) {
  162. smtc.pushRef = fakeRef{
  163. key: secretName,
  164. }
  165. smtc.apiErr = autorest.DetailedError{StatusCode: 404, Method: "GET", Message: "Not Found"}
  166. smtc.deleteErr = autorest.DetailedError{StatusCode: 404, Method: "DELETE", Message: "Not Found"}
  167. }
  168. secretNotManaged := func(smtc *secretManagerTestCase) {
  169. smtc.pushRef = fakeRef{
  170. key: secretName,
  171. }
  172. smtc.secretOutput = keyvault.SecretBundle{
  173. Value: pointer.String("foo"),
  174. }
  175. smtc.expectError = errNotManaged
  176. smtc.deleteErr = autorest.DetailedError{StatusCode: 500, Method: "DELETE", Message: "Shouldnt happen"}
  177. }
  178. secretUnexpectedError := func(smtc *secretManagerTestCase) {
  179. smtc.pushRef = fakeRef{
  180. key: secretName,
  181. }
  182. smtc.expectError = "boom"
  183. smtc.apiErr = fmt.Errorf("boom")
  184. }
  185. secretNoDeletePermissions := func(smtc *secretManagerTestCase) {
  186. smtc.pushRef = fakeRef{
  187. key: secretName,
  188. }
  189. smtc.secretOutput = keyvault.SecretBundle{
  190. Tags: map[string]*string{
  191. "managed-by": pointer.String("external-secrets"),
  192. },
  193. Value: pointer.String("foo"),
  194. }
  195. smtc.expectError = errNoPermission
  196. smtc.deleteErr = autorest.DetailedError{StatusCode: 403, Method: "DELETE", Message: errNoPermission}
  197. }
  198. secretNoGetPermissions := func(smtc *secretManagerTestCase) {
  199. smtc.pushRef = fakeRef{
  200. key: secretName,
  201. }
  202. smtc.expectError = errNoPermission
  203. smtc.apiErr = autorest.DetailedError{StatusCode: 403, Method: "GET", Message: errNoPermission}
  204. }
  205. certificateSuccess := func(smtc *secretManagerTestCase) {
  206. smtc.pushRef = fakeRef{
  207. key: certName,
  208. }
  209. smtc.certOutput = keyvault.CertificateBundle{
  210. Tags: map[string]*string{
  211. "managed-by": pointer.String("external-secrets"),
  212. },
  213. }
  214. smtc.deleteCertificateOutput = keyvault.DeletedCertificateBundle{}
  215. }
  216. certNotFound := func(smtc *secretManagerTestCase) {
  217. smtc.pushRef = fakeRef{
  218. key: certName,
  219. }
  220. smtc.apiErr = autorest.DetailedError{StatusCode: 404, Method: "GET", Message: "Certificate Not Found"}
  221. smtc.deleteErr = autorest.DetailedError{StatusCode: 404, Method: "DELETE", Message: "Not Found"}
  222. }
  223. certNotManaged := func(smtc *secretManagerTestCase) {
  224. smtc.pushRef = fakeRef{
  225. key: certName,
  226. }
  227. smtc.certOutput = keyvault.CertificateBundle{}
  228. smtc.expectError = errNotManaged
  229. smtc.deleteErr = autorest.DetailedError{StatusCode: 500, Method: "DELETE", Message: "Shouldnt happen"}
  230. }
  231. certUnexpectedError := func(smtc *secretManagerTestCase) {
  232. smtc.pushRef = fakeRef{
  233. key: certName,
  234. }
  235. smtc.expectError = "crash"
  236. smtc.apiErr = fmt.Errorf("crash")
  237. }
  238. certNoDeletePermissions := func(smtc *secretManagerTestCase) {
  239. smtc.pushRef = fakeRef{
  240. key: certName,
  241. }
  242. smtc.certOutput = keyvault.CertificateBundle{
  243. Tags: map[string]*string{
  244. "managed-by": pointer.String("external-secrets"),
  245. },
  246. }
  247. smtc.expectError = "No certificate delete Permissions"
  248. smtc.deleteErr = autorest.DetailedError{StatusCode: 403, Method: "DELETE", Message: "No certificate delete Permissions"}
  249. }
  250. certNoGetPermissions := func(smtc *secretManagerTestCase) {
  251. smtc.pushRef = fakeRef{
  252. key: certName,
  253. }
  254. smtc.expectError = "No certificate get Permissions"
  255. smtc.apiErr = autorest.DetailedError{StatusCode: 403, Method: "GET", Message: "No certificate get Permissions"}
  256. }
  257. keySuccess := func(smtc *secretManagerTestCase) {
  258. smtc.pushRef = fakeRef{
  259. key: keyName,
  260. }
  261. smtc.keyOutput = keyvault.KeyBundle{
  262. Tags: map[string]*string{
  263. "managed-by": pointer.String("external-secrets"),
  264. },
  265. }
  266. smtc.deleteKeyOutput = keyvault.DeletedKeyBundle{}
  267. }
  268. keyNotFound := func(smtc *secretManagerTestCase) {
  269. smtc.pushRef = fakeRef{
  270. key: keyName,
  271. }
  272. smtc.apiErr = autorest.DetailedError{StatusCode: 404, Method: "GET", Message: "Not Found"}
  273. smtc.deleteErr = autorest.DetailedError{StatusCode: 404, Method: "DELETE", Message: "Not Found"}
  274. }
  275. keyNotManaged := func(smtc *secretManagerTestCase) {
  276. smtc.pushRef = fakeRef{
  277. key: keyName,
  278. }
  279. smtc.keyOutput = keyvault.KeyBundle{}
  280. smtc.expectError = errNotManaged
  281. smtc.deleteErr = autorest.DetailedError{StatusCode: 500, Method: "DELETE", Message: "Shouldnt happen"}
  282. }
  283. keyUnexpectedError := func(smtc *secretManagerTestCase) {
  284. smtc.pushRef = fakeRef{
  285. key: keyName,
  286. }
  287. smtc.expectError = "tls timeout"
  288. smtc.apiErr = fmt.Errorf("tls timeout")
  289. }
  290. keyNoDeletePermissions := func(smtc *secretManagerTestCase) {
  291. smtc.pushRef = fakeRef{
  292. key: keyName,
  293. }
  294. smtc.keyOutput = keyvault.KeyBundle{
  295. Tags: map[string]*string{
  296. "managed-by": pointer.String("external-secrets"),
  297. },
  298. }
  299. smtc.expectError = errNoPermission
  300. smtc.deleteErr = autorest.DetailedError{StatusCode: 403, Method: "DELETE", Message: errNoPermission}
  301. }
  302. keyNoGetPermissions := func(smtc *secretManagerTestCase) {
  303. smtc.pushRef = fakeRef{
  304. key: keyName,
  305. }
  306. smtc.expectError = errNoPermission
  307. smtc.apiErr = autorest.DetailedError{StatusCode: 403, Method: "GET", Message: errNoPermission}
  308. }
  309. successCases := []*secretManagerTestCase{
  310. makeValidSecretManagerTestCaseCustom(unsupportedType),
  311. makeValidSecretManagerTestCaseCustom(secretSuccess),
  312. makeValidSecretManagerTestCaseCustom(secretNotFound),
  313. makeValidSecretManagerTestCaseCustom(secretNotManaged),
  314. makeValidSecretManagerTestCaseCustom(secretUnexpectedError),
  315. makeValidSecretManagerTestCaseCustom(secretNoDeletePermissions),
  316. makeValidSecretManagerTestCaseCustom(secretNoGetPermissions),
  317. makeValidSecretManagerTestCaseCustom(certificateSuccess),
  318. makeValidSecretManagerTestCaseCustom(certNotFound),
  319. makeValidSecretManagerTestCaseCustom(certNotManaged),
  320. makeValidSecretManagerTestCaseCustom(certUnexpectedError),
  321. makeValidSecretManagerTestCaseCustom(certNoDeletePermissions),
  322. makeValidSecretManagerTestCaseCustom(certNoGetPermissions),
  323. makeValidSecretManagerTestCaseCustom(keySuccess),
  324. makeValidSecretManagerTestCaseCustom(keyNotFound),
  325. makeValidSecretManagerTestCaseCustom(keyNotManaged),
  326. makeValidSecretManagerTestCaseCustom(keyUnexpectedError),
  327. makeValidSecretManagerTestCaseCustom(keyNoDeletePermissions),
  328. makeValidSecretManagerTestCaseCustom(keyNoGetPermissions),
  329. }
  330. sm := Azure{
  331. provider: &esv1beta1.AzureKVProvider{VaultURL: pointer.String(fakeURL)},
  332. }
  333. for k, v := range successCases {
  334. sm.baseClient = v.mockClient
  335. err := sm.DeleteSecret(context.Background(), v.pushRef)
  336. if !utils.ErrorContains(err, v.expectError) {
  337. if err == nil {
  338. t.Errorf("[%d] unexpected error: <nil>, expected: '%s'", k, v.expectError)
  339. } else {
  340. t.Errorf("[%d] unexpected error: '%s', expected: '%s'", k, err.Error(), v.expectError)
  341. }
  342. }
  343. }
  344. }
  345. func TestAzureKeyVaultPushSecret(t *testing.T) {
  346. p12Cert, _ := base64.StdEncoding.DecodeString("MIIQaQIBAzCCEC8GCSqGSIb3DQEHAaCCECAEghAcMIIQGDCCBk8GCSqGSIb3DQEHBqCCBkAwggY8AgEAMIIGNQYJKoZIhvcNAQcBMBwGCiqGSIb3DQEMAQYwDgQIoJ3l+zBtWI8CAggAgIIGCBqkhjPsUaowPQrDumYb2OySFN7Jt91IbIeCt1W3Lk99ueJbZ4+xNUiOD+ZDLLJJI/EDtq+0b+TgWHjx92q/IEUj2woQV2rg1W8EW815MmstyD0YRnw7KvoEKBH+CsWiR/JcC/IVoiV1od0dWFfWGSBtWY5xLiaBWUX6xV8zcBVz1fkB+pHOofkStW2up6G2sQos1WwIptAvz6VpS16xLUmZ1whZZvPhqz1GPfexJSavBWEe7YcoxVd/q8LLGQmQCfV7zXwyUX3WnHATkesYPMSTDPuRWXMOrJRjy2zinQP5XweNY2DeZ2bRV6y3v8eQlQNmKBXteNj5H5lJFkOD7BA6xwYlzj3KGB37Qf7kl6R46liT2tlYp/T9eX1ejC0GqICOroPrAy1J5/r9Jlst/39K20omD7M7DGbnqhEWNUeXoXpT6m/UiXLA+0ns5TBZqt4gwC8n8qgjYVvuxvn5tY3gERzkCa6PYzxBfasjM47hHEbsQ1gQORan7OQqTBjbwjeFC4ObMc4u48qxi/cyzMsPgbgE9pQoz2eF5BC6qcJr5mxL/0RWK+Zpn0or9tK4vqf2czLKrWsMcl5sfShSELXY3+jAsUscMbo0LfRgTwsVZGPgOC1cKJlGky734WFj2l9dHVxiRInz6yuWobIT/fmlvPUhjEXNPc0p7vrPvU3/susH+zilbSrp0rY9Y8t70ixGsHPbSHTk8MapukoFnKy2RxcYZQ4cLLMRBo0BA+ugAO7/pa2qGYawzl+U6ydmBftSxTs2gm4SjDnKWoe67r0Q1FHQEWd6rCA40dzAEiCmClCSqzggDKJYnxqub3sqh3Z2Ap9EEZdWBb/Qxryw5h5H3HAOblwudftsyaXsNPf6nDrknANHZyuwkWuh5XYSkKfG8mz6B8+l5A217nYWn0P4i1+WYgnyojJ+m/ZnaNy1+pWXHy1IugoRkfZaVp3NDmwgjK+dnu6rL3/XhJbXlrOk3UEYImX1yMzIWDv/urdWr3bR/cfwM3XwVUy55QUayLIzxRWfWOLuZ8+ZKw8cJ5YGNUa9AgQ3Fs6Lfp7Qn11SdG4adCEJl6DhsugwZokfy6JqBAv0ywbZ94LKvRc1ItM/crfy/5Io1+GsinnF7lsybsZJFGB6tVNWzgZh92dluzUKIRppMG1ZhUmq/4yaJgZsXYDkAxuPWQ2iSpldijmeuBnr/Oct1BpTwM5ogUS3WCHyZajfS/vIGTzz/q8+VnR9W57hvBKulSCS7G06QsFOvr6yOexb9bJJtgsu1sGjqXqyw0SKbFU9AMRunRVezp/r1LwJ+O/8O4ZCB40o3kSJM4tFvj80zVIz8VoWME7JjwAt04v+o9evavxt6p5yaSpH6pzHbvP6cT6YnJqQbYA9J/sDyLt5caq3/OeiJe4tb1pXmJ6dtwFxFygobKnGZjHsL+yRHrIPvNaqztGRzTu5gwEddMZ38nE0IGOhPVnE6WQC1admI/KUUdVOOATD6kJxSwGYGxpsWXX0KOcy9vb3ykeafmHoJU2S64KpxClH8BfOn7Bn4ypab7rNHs76FmqZYmTV9rjHdCgMqI62pB0TKK925q/RQuX+Rn/8J4mMOOjbDQwlndYbljWq0b9tbcTHpZntnmN/KZbydggrKwb0A9PonIGxqoPs+/MrJtCmlgjhjjHE8N3a10apN/NmN/B4TlfBAr47a/2eelTX642kU2DJ2f00mEeDvwY1lkRCjx+80EiY7nUj9cFfPptNdyQbiVDthkS0rXSbyobDgt53g7KU6/UvTdaRWK5Ks9Q5NZ9c44RaHJ/Y7ukWFrsZDCpcQ2v3gn0A9mQPoZGvziMd1Mh7pOJNR2jrpmodGA9j6MMVuYFKu0GbheEhf++UrDOti40GXcPO+o1NAbTClXeIhDEl81cE1rrK+pPvZEB9m/FV7Osp8NmHQDY+z2rPKa5luO6g77/HM9fJrEGBv19ByQcOFuvOQi0RICUp5sIJD+GO3TBGO7WANpUZvB2cezkBbTa/sVAINTXSD007tOo4WfJTBrQbXAbpQ+04B/2yolFvtbYL4rOcMIIJwQYJKoZIhvcNAQcBoIIJsgSCCa4wggmqMIIJpgYLKoZIhvcNAQwKAQKgggluMIIJajAcBgoqhkiG9w0BDAEDMA4ECM7kJUu/1hDPAgIIAASCCUgs+wJaAYsjcSK7oETqGlVmKzCLwkqvstEYmYlJDihNrj0MWHQqmMP/sfdrnqIHVrLnl3vWRN0CBEtzPZGIM5BqYW1puS8mHXowz+8epz6TLRDpiKM2M29+BfAmTkZwlppfuKpu2MoXgd3LLspAQT10pLjoP66OSj+PfUpCbU82+YjjK7PSxog5OrYmuf4Tfohl8bWcFj6mIiaUYiVuF7mRLq3oUY5mE61EjMGp118JKVCG/8sS4MRZ69ulowDZEdrPOCvXzG+gK3bjeMW4aboIaIZ7UxoUy/AYQNdcYjAiUIRWrZx3s7UMa90R7ZvpWRYEEenko95WEUezaing2vVdImMphmjOIpP0Fkm+WTIQHoznE2+ppET1MtIwLyB0PjLptjFtK5orXNqplFWsN6+X5B6ATG0KCwKcsX7fmrkbDpO3B/suVAGk4SdQsV4xrlHhUneUl4hiZ6v2M9MIC+ZMRuGxmuej7znRxV6IRuVVIOqWuwGVVOQpGC4sCOc2Ej0WQeHQCxVK4EWlGL7JE9ux4Ds//40LC2mUihJXiG01ZI/v6eez1GrPeoOeTtHU7+5N7eU4f00S0XSVQGOhUwlp1E9c7DkSPA4lJ7MfTYUFLeP4R+ITpXXbdco65mwH2WFWPbTAKG1rabHj2D5DvHEoBZEsgcD4klhPnZIEBh6gFg67MZB9XNiofSiLzeSKDgfyeTG1MCctUWTa+vy1mrue4rREuRQMC4h0NMyPJ4LlVYutFfEncH2iGmB8t4CVM5CzZ0hXqDxHEgddU02ix/aIzizXqWgpPN0vkHp/Hv+/wyRvjwuiljmE8otRRFMinoIigmLKQKueJQpLWAZAvBjmCZdKTG8sjJAeo0ufOJQdi/EuCmDWR3YkXKi/RX7ub6cnc9hFb+zDGiplLPTyYqOnEPVut8fdA0kmUuAkelLpSbJcv6h3/tS/IJzH2vMCz26J152UaY6Zh0AqD1hl+wA5q5qgDER0jeFY11KypNfEgYxNhr/BcvuNYvN1/1T/wuvEIviMYhJPaSXXbtqpBzIjpkvxOzm9LeC9wqRM1Gq1HrSHwUUeRl8AeMpsRmcmRRy222ZM7p6b0T90l/AKcPLmNxQVYTy5+DeWMC/YaBFHPVMiakKEmPZjeR3Vbb63EJ5DCoAN3xh6NmpANXmXAl7z6ID0hVjNV/Ji8Y+tuJczh0IyMQncDBRw76cdup9QIk2D/pKcj9M7ul2Jx2xwBqntJbvFQqjhIhaSzLKMQtaC+qgcL/C/ANFey8IN5zUUver9RdYyEnRNf4OPl/mq7kUs8znnu5wGGOyxHuvHMFUtJfuII3P7YDSltK2QP1uhefhMfEvNYL9QqosN3740nQ8TCPvZFzzoBC8Psn6OvNXnWipz3WCZ+5u+fOXzawpNKvPHWz/D4O4dmMu9/DpxKb8UOLv/+YFEkqkGNDhS91dgyI672JqC4TQ9ijmNwtdgQt+OtOmllUO3cRP5I4nxCLjAJ5bBYmFV7kSdfWJEjkeCUGMKmwP88sXxeAV0D7qGFG0kdNgMow7WE8AI+lKo8bgBpmR8LQlD0Zt/LBlgGk1uOXolXTNaEGXUMj7h3zS46C3qR/UraHTq+vaNrLqY3qYJaVXdvhhShVDEhH6jLFFYJYCBtWCnhZ3lKkFJnIY+n+25lEQNMwR4sNOLxmUP+kzkt6qSjTRj+u1gK4NptkhFck7lFigAlHozlzg1mnKPvXcD2w3B+Qt6smAQb31rxD6P/byFVEjMFFH1LHNaSrmJNt2/Hmlgd1+2lmVieHF0OnptCDt/MxGjlZYD9/MHBDvWC6LgyGAGL3hub/C/wX5ngOYNq7SZJ1xPsonppKsWD/ixwlzXKu0MQS05CjMqnJCUW7YWl8F+2c2WcAnKA8MN4oONJbv29afj35I/mInT20PptaUH3vJg1VrbU4gWyJWw2/ap63Y2mTMwF2MRuuvIZQTlSwAXHaSZT1weqNX37NFVQLEx1GIiMSBXu+ogZEZWuKwlzB2F2OQ4DuhWgxmTA8Fh0md/IG0sc96wBb3E1Jj80UOeIMIsOO3nCA5Wa5+btUaVueIqGHM9L3IGn2jk/PdidEW5Anp7aT8f8korjBKNF/qc7Hk0V0QDvzxXbuHIE2neoZVemgPteu4tFFI5N/wtXAp3BBQi1ozdqWaBBT/fbYiWesp6fe83f6KNaVXTnjGUnkv4ougvZDi99e+plpSFgjMv180/kfyC57PfX/KLbuK6M6nmVykZSzBdxGqe7V2JUR32dYNRZeiNI6PZO2HumyM7/h8adcP2yw9NseW9D4M2wihsY/ozcU/N+Fv+/WDMd+p7Ekl7oN/PERRZcL5bpjq+Oh7cv5mIH443K/tUni1wVrs8Njft/VQfubU2HY0UcFuX0IHc8/yp9NhqFgdMVTLQWTW9RRkl/9XleMco7qqEdhJCK8dHFBAwsK6SB6aUtY4rpopltVKbgnmAmCwkMcg9Q3Bx9DFJ0SVgqQdrNnJ0koJE9BWG96SreVBW+BOCqYED9sZI7DBFc/Hnb3pDwmqV2gr4gl+bzzHfOQwADVDIe6OcT0b3t4iOVhpd6G1LT/df4IdZLxcXi5PPbpwvjFmo8jJpT8DKya0KjW3E25Q6+qQQ9vZzc4d31yUog30tGJun1HHg1A+3KSo67awfgxG7er/viMe+Nx1dLPVlj+wi3X1JJvZlBXJ4yhfaSnzOa5u1ZxAGTz1OuHYkz7USuyJlf5qYV/oCyyypwaQ5DUpzcISgQGdOe4HVA6gTMLHWbX05MCHdfBFRa64c92/nxA0OS4m8xruRgsZwxwLDtG2IHXxcA/Tfam0Rqd5+UfWWyxLSHF3/u5gpLARwPsH59Tb28MhFmVFsELOHt1VoTntQU0qJ4ZljyUwP7Y3u0TmGhj0bEv3s7eqntKUz7zpGnLyxbu1tef4EJvFMYLBNIkkB3bb68i2HCXkoLJRyRH6VT3j9ahea/acgt5U8WASlMH41jURGFdCBWHdk+aIkyqDrJ9KtZFT6h88vUWt9iiAgJInLTL+tJ2j3dMHVvT0WkcAt8w6uXLYT7AGAbKjetqwLiU6JEXfCdZfUVQG50ztLwcfuTlzCO4d9vhkiuy/NIpH9NoONGwCYSfYyx+ycxZjMnLSsJcgys2aANdLGpLnQhy3WY8QxJTAjBgkqhkiG9w0BCRUxFgQUilZxcWgYWs3WodyrZQAAsliFtB4wMTAhMAkGBSsOAwIaBQAEFLCnG3FfSE655zJaBGibla7sAnVEBAguHlNaj8V3VQICCAA=")
  347. goodKey, _ := base64.StdEncoding.DecodeString("LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JSUpRZ0lCQURBTkJna3Foa2lHOXcwQkFRRUZBQVNDQ1N3d2dna29BZ0VBQW9JQ0FRQ1pITzRvNkpteU9aZGYKQXQ3RFdqR2tHdzdENVVIU1BHZXQyTjg2cnBGWXcrZThnL3dSeDBnZDBzRk9pelBBREdjcnpmdWE5Z3ZFcDRWcwpXb2FHbmN3UXhqdnMrZ1orWmQ2UkVPNHRLNzRURmYxaWZibmowUHE2OENlQlFpaG8xbDNwM2UwQy8yemVJMjNiCnZWRHZlMm13VXE5aDY4UTFFUmdWMU1LaWJHU1Naak5DQzdkRGFQWmpKazViMFlWVFdxREViemREVnh2ZVVMNVIKcUZnL0RKQTMzVnE2VFQzQ2U5RjBIcEorb3graSs4cUxmWU5qZExSUDZlbEtLTU5naVhhNTFvdnQ5MjF4UkVGdgpYRXYvTUtqWTlhNkppNndIRSs0NmdvbFY4V2puK2xMRkRKVHh6WEFEN2p2NzVzaHY0WEczdFlaQ2J4cTMzZ2JtCm96c0VQZ3lTRGtCMm5zc0tIUEFhSVNPaWpjNDhiSXhwbDVocFJPWUZFblJDWnhablhQNjdLZVF1VWZXQkpoVWcKYWltc0JRK3p6cFB6ZjVUbjRnVExkWll2NU41V1V2djJJdUF5Qktha0ZhR1ZYTzFpZ2FDeVQvUTNBcEE2ZGx4Sgo1VW44SzY4dS9KSGFmWWZ5engwVnVoZk5zbmtiWkxWSEZsR2Rxd3JrU0tCWSs1eS9WWlpkeC9hSHNWWndVN3ZECmNlaGxlWlFNNGV2cm5tMUY3dk5xSHBUK3BHSnpNVWVUNGZMVFpabTBra1Y3ZXl5RGRMMDFEWXRXQk1TM2NEb1EKdU5vWElBMCtDeFZPOHcxcC9wbXF2UFQ3cmpad2pwYkVMUkp3MWs4R3ozU2FKb2VqaFBzWC9xNzNGWWdBc09PRApwTXJuK3ZpU2U0ZnJmR0VmZlEvYXJUVE5qK1BUb3dJREFRQUJBb0lDQUM3ek1CUmJQc1huNHdLL1hvK0ltTEE1Cm04MTEvemo0VE5LQ0xmRlFsa0VoMFcxOUMwNW9UVFRYNjI2cVFMUWpHWC9WS2RIYW9NRXNuVDBjaFNQQ1AxRGwKZUhxeU1FdVI4UzJLZzM1V2EzSnV5OFBueVppUi9GQldVOGJQQXBVakpxa1A1QjJITlZyb2drZGZSZklwWmI4cgptNXZyTDc4Vi9zeXk4UHZkUVBtalhSUmpnMDZvWU9VR1dnRE52cFJRdGZ1R0h1d0hTZ1JodmZwTUpNTXdsd2lLClY4Zkk1NmM3VUg3SzRTRHo1RCtWOWdYUDl2b0lUMEl4OTlkRnFLTnhnM1o0MDIrazcycE1BOFNpQ0t1M3dBN0gKUnozbUZsb1ZRbmV1ajI1TEdHQUo0bGVLQkNJaFhMZlgxWXpvdDQyWEU4ZkJZZW45SjdRNTRPUFlLY0NqUmpjSgp1M2NkamtIbmFWVFc1dDdLTDFuYVAxRmF0S0ZxSjY1V1Y0c3pxWDhPVkpzbWhLalNsNUhqTk1VeERuaFUraWRTCmsxaGNaa00zOWd2RGR1ekRHeHF0L2hHMWNJS3VtamxZb01WNDV4VWFoVHdhTjZnamlrTUxNdFgrb2c0MVAxU3cKa09hZTZ4enJFQmU1eXhqSnVDWFJzK2FFOXZhTmpIWmpnSTNKREJ0enNjeCtvRFZBMXoxWVBpR2t1NXBNYmxYUQpFMWlRQnlJOVRjeHMrazN0NWdIQ0d3Z2lOcXVnOVZJaXY1cTQ2R2VGRVdnQS8wZ2hEZ0hIRnNRSDJ4VEpGU2d6ClluTkRVNlZtQ1RYZEQ0QU5jS085Z0loQzdxYk9iazlUeS9zZkZIQjBrYUdCVjFFZGZ3a0R4LytYdXRacHNUN3IKdkl6SUVDd2JPTEUzZCtLb1grUUJBb0lCQVFESG9SVU42U1VmQ3I4Z2FsOFM3UDhscU1kZnhsQVNRcWRqOHY2WAp3V1o1MFJKVE9TRmxqN3dlb2FnTStDT3pEUHpoU3pMbE4vcVdnK2h1RFJGcXBWb08xTmlrZVdvZEVwajFyZG5qCmlLeFlEVUJKNjFCMk5GT3R6Qm9CZUgyOFpDR3dRUW93clZSNUh5dUlqOTRhTzBiRlNUWEJTdWx2d3NQeDZhR2cKaTV2Q0VITHB6ODZKV1BzcjYwSmxVSDk2Z2U3NXJNZEFuRTJ1UE5JVlRnR2grMHpOenZ2a21yZHRYRVR4QXpFZwo5d0RaNVFZTUNYTGVjV0RxaWtmQUpoaUFJTjdVWEtvajN0b1ZMMzh6Sm95WmNWT3ZLaVRIQXY1MCtyNGhVTzhiCjJmL1J2VllKMngybnJuSVR4L0s2Y2N3UUttb1dFNmJRdmg4SXJGTEI3aWN2cVJzUEFvSUJBUURFV1VGemRyRHgKN2w4VGg2bVV5ZlBIWWtOUU0vdDBqM3l3RDROQ2JuSlEvZGd2OGNqMVhGWTNkOWptdWZreGtrQ01WVC8rcVNrOQp1cm1JVVJDeGo5ZDJZcUtMYXZVcUVFWCtNVStIZ0VDOW4yTHluN0xXdVNyK2dFWVdkNllXUVNSVXpoS0xaN2RUCnliTnhmcnNtczNFSVJEZTkwcFV4ZGJ0eWpJSTlZd1NaRDdMUHVOQmc1cWNaTW1xWG9vSnQxdnJld1JINncwam8KM1pxTWMrVGFtNGxYc0xmU0pqTlAzd2IzZEE0ZDFvWWFIb29WWTVyK0dER1F5YnVKYllQZSt6d01NTkJhZ2dTVQpCL3J5NlBldVBTWVJnby9kTlR2TERDamJjbytXdFpncjRJaWxCVmpCbmwycEhzakVHYjZDV2Q2bXZCdlk3SWM5ClM3cXJLUGQrWE00dEFvSUJBR08wRkN2cWNkdmJKakl1Ym1XcGNKV0NnbkZYUHM2Zjg3Sjd2cVJVdDdYSHNmdFcKNFZNMFFxU1o0TEQ1amZyelZhbkFRUjh5b2psaWtFZkd4eGdZbGE0cXFEa2RXdDVDVjVyOHhZSmExSmoxcFZKRgo4TjNZcktKMCtkZ2FNZEpSd0hHalNrK2RnajhzVGpYYWhQZGMrNisxTE4vcFprV25aTzRCM2ZPdFJwSGFYVXBoCnU2bmxneTBnUnYwTEEyQlFYT2JlWUhYb212T1c5T1luRzdHbkxXanRJK205VERlV2llaEZ5OWZIQmVuTjlRTTIKQk9VTWczY2dzVTFLdVpuazBPWUhrZ0p3WDBPTmdWNHV0ckk4WTZ0c3hRbVFlVDQ3clpJK05lNFhKeW0rQXFiUgpoVEltY2x0bTFkaEExY2FOS0liMk1hNjRCZy95NFRKeW02ZTJNZ2tDZ2dFQkFKTGt5NmljVllqSjh1dGpoU1ZCCmFWWHpWN1M3RHhhRytwdWxIMmdseFBSKzFLd1owV1J1N2ptVk9mcHppOURnUDlZOU9TRkdZUXBEbGVZNzc2ZEgKbThSL3ltZFBYNWRXa1dhNGNXMUlNQ2N0QlJQTEVqcStVVUlScVYzSnFjSGdmbFBMeitmbmNpb0hMbTVzaDR0TwpsL085Ulk2SDZ3SVR1R2JjWTl1VkpxMTBKeXhzY2NqdEJubzlVNjJaOE1aSUhXdGxPaFJHNFZjRjQwZk10Snd2CjNMSjBEVEgxVGxJazRzdGlVZVZVeHdMbmNocktaL3hORVZmbTlKeStCL2hjTVBKVjJxcTd0cjBnczBmanJ0ajEKK25NRElLbzMxMEh6R09ZRWNSUXBTMjBZRUdLVSsyL3ZFTmNqcHNPL0Z0M2lha2FIV0xZVFRxSTI4N0oxZGFOZAp2d2tDZ2dFQUNqWTJIc0ErSlQvWlU1Q0k1NlFRNmlMTkdJeFNUYkxUMGJNbGNWTDJraGFFNTRMVGtld0I5enFTCk5xNVFacUhxbGk2anZiKzM4Q1FPUWxPWmd6clVtZlhIemNWQ1FwMUk1RjRmSGkyWUVVa3FJL2dWdlVGMUxCNUUKZE1KR1FZa3Jick83Qjc0eE50RUV3Mmh3UFUwcTRmby92eFZXV0pFdTNoMGpSL0llMDA3UGtPZ0p1K1R5ZWZBNwpQVkM4OFlQbmsyZ3ArUFpRdDljanhOL0V4enRweDZ4cUJzT0MvQWZIYU5BdFA0azM5MVc5NjN3eHVwbUE5SkdiCk4yM0NCRmVIZDJmTUViTWJuWDk1Q1NYNjNJVWNaNVRhZTdwQS9OZ094YkdzaGRSMHdFZldTMGNyT1VTdGt6aE0KT3lCekNZSk53d3Bld3cyOFpIMGgybHh6VVRHWStRPT0KLS0tLS1FTkQgUFJJVkFURSBLRVktLS0tLQo=")
  348. goodSecret := "old"
  349. typeNotSupported := func(smtc *secretManagerTestCase) {
  350. smtc.pushRef = fakeRef{
  351. key: "badtype/secret",
  352. }
  353. smtc.expectError = "secret type badtype not supported"
  354. }
  355. secretSuccess := func(smtc *secretManagerTestCase) {
  356. smtc.setValue = []byte("secret")
  357. smtc.pushRef = fakeRef{
  358. key: secretName,
  359. }
  360. smtc.secretOutput = keyvault.SecretBundle{
  361. Tags: map[string]*string{
  362. "managed-by": pointer.String("external-secrets"),
  363. },
  364. Value: &goodSecret,
  365. }
  366. }
  367. secretNoChange := func(smtc *secretManagerTestCase) {
  368. smtc.setValue = []byte(goodSecret)
  369. smtc.pushRef = fakeRef{
  370. key: secretName,
  371. }
  372. smtc.secretOutput = keyvault.SecretBundle{
  373. Tags: map[string]*string{
  374. "managed-by": pointer.String("external-secrets"),
  375. },
  376. Value: &goodSecret,
  377. }
  378. }
  379. secretWrongTags := func(smtc *secretManagerTestCase) {
  380. smtc.setValue = []byte(goodSecret)
  381. smtc.pushRef = fakeRef{
  382. key: secretName,
  383. }
  384. smtc.secretOutput = keyvault.SecretBundle{
  385. Tags: map[string]*string{
  386. "managed-by": pointer.String("nope"),
  387. },
  388. Value: &goodSecret,
  389. }
  390. smtc.expectError = errNotManaged
  391. }
  392. secretNoTags := func(smtc *secretManagerTestCase) {
  393. smtc.setValue = []byte(goodSecret)
  394. smtc.pushRef = fakeRef{
  395. key: secretName,
  396. }
  397. smtc.secretOutput = keyvault.SecretBundle{
  398. Tags: map[string]*string{},
  399. Value: &goodSecret,
  400. }
  401. smtc.expectError = errNotManaged
  402. }
  403. secretNotFound := func(smtc *secretManagerTestCase) {
  404. smtc.setValue = []byte(goodSecret)
  405. smtc.pushRef = fakeRef{
  406. key: secretName,
  407. }
  408. smtc.apiErr = autorest.DetailedError{StatusCode: 404, Method: "GET", Message: "Not Found"}
  409. }
  410. failedGetSecret := func(smtc *secretManagerTestCase) {
  411. smtc.setValue = []byte(goodSecret)
  412. smtc.pushRef = fakeRef{
  413. key: secretName,
  414. }
  415. smtc.apiErr = autorest.DetailedError{StatusCode: 403, Method: "GET", Message: "Forbidden"}
  416. smtc.expectError = errAPI
  417. }
  418. failedNotParseableError := func(smtc *secretManagerTestCase) {
  419. smtc.setValue = []byte(goodSecret)
  420. smtc.pushRef = fakeRef{
  421. key: secretName,
  422. }
  423. smtc.apiErr = fmt.Errorf("crash")
  424. smtc.expectError = "crash"
  425. }
  426. failedSetSecret := func(smtc *secretManagerTestCase) {
  427. smtc.setValue = []byte(goodSecret)
  428. smtc.pushRef = fakeRef{
  429. key: secretName,
  430. }
  431. smtc.apiErr = autorest.DetailedError{StatusCode: 404, Method: "GET", Message: "Not Found"}
  432. smtc.setErr = autorest.DetailedError{StatusCode: 403, Method: "POST", Message: "Forbidden"}
  433. smtc.expectError = "could not set secret example-1: #POST: Forbidden: StatusCode=403"
  434. }
  435. keySuccess := func(smtc *secretManagerTestCase) {
  436. smtc.setValue = goodKey
  437. smtc.pushRef = fakeRef{
  438. key: keyName,
  439. }
  440. smtc.keyOutput = keyvault.KeyBundle{
  441. Tags: map[string]*string{
  442. "managed-by": pointer.String(managerLabel),
  443. },
  444. Key: &keyvault.JSONWebKey{},
  445. }
  446. }
  447. symmetricKeySuccess := func(smtc *secretManagerTestCase) {
  448. smtc.setValue = []byte("secret")
  449. smtc.pushRef = fakeRef{
  450. key: keyName,
  451. }
  452. smtc.keyOutput = keyvault.KeyBundle{
  453. Tags: map[string]*string{
  454. "managed-by": pointer.String(managerLabel),
  455. },
  456. Key: &keyvault.JSONWebKey{},
  457. }
  458. }
  459. RSAKeySuccess := func(smtc *secretManagerTestCase) {
  460. smtc.setValue, _ = base64.StdEncoding.DecodeString("LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlKS1FJQkFBS0NBZ0VBdmIxYjM2YlpyaFNFYm5YWGtRL1pjR3VLY05HMDBGa2U1SkVOaWU4UzFHTG1uK1N0CndmdittVFRUN2xyVkdpVkplV3ZhQnRkMUVLRll0aWdlVlhJQjA0MllzeHRmMlM5WkNzNlUxaFZDWFZQc3BobEUKOUVyOHNHa0Ewa1lKdmxWejR2eFA2NTNzNjFGYTBpclRvUGlJTFZwMU1jdGRxVnB0VnJFV1JadzQ2NEF4MzhNNgpCMjFvN2NaUmlZN3VGZTA4UEllbEd3VGc0cHJRdEg2VXVuK09BV3MrNFNDTU5xT2xDRkNzSDBLK0NZZUMyZmpXClplaURsbjBTUDdkZ3puMmJsbk9VQzZ0Z3VtQ3grdW1ISVdmV1hzUDVQR0hoWFBwYlpGbDA4ZktaelNqbytCOWkKVzVsbWhrRE1HM0dsU0JPMmEvcEtjck1uTFVWbE15OVdWLy9LUmw3ZWFtdmJ5dWFzSnZHbVJ4L3d1NXlpYVhwSwprZG4xL0E2VFhBRnVvbU4xb3NvaGVyMjR2MHZ0YzBGZmxJM3h4WVpVTXIwazhLV0VlM1Nhdk83NkdrZTJhbEppCnVtZ20wTmhtK2pqNmlXajl1V1ZzV215MmFDMHc0aTRDS1d2YU56K0NDek5kWk8vcFpPTmlmTzVSSUZpZ2RzTVgKUHgvWU5nSkVKdmEyUVZ2MU9kcWZTdW1CMS8zRldFYmg5V2tFYXRGOElJRDI5TS9qVktiRm9BaktYeVZhUTI5eQpOOFRWR3Axc2pzOW5sSWdjN0JRUFhBZTVPQUExdnc5SWV4N09QZjhPZENBbDluQzlEaDdaK3MyV2lOVlRxb2dwCk1VbE1GUWxGVXpMWGVCUmp0ay9rL3lWT20yWkhBT2RuR1k4bSthRWlTV0ExYXhpa0RYMG9HWjhjbHFzQ0F3RUEKQVFLQ0FnRUFwZDZBRG9pQ0M1aU1IVFNQZXBUc2RVYk9BOHFQMHdQVjZlS1VmMXlzalZiWVhqYy9Yekc0Wko2MgpGc3o1TnA0YUdUZWJwaGQ4azBrNWtDU0tRQkFtWUphTVF5ZFBKMElwQ1RXSEQ1QU9NQ0JKNVBwNk9VWEVtVU55CklHQng3QjR2N09LOXl6Q0lDVDlac2hrV1lNWmo1YUlLaWJsSzY5M05iOWZuckhyaGw1NjkrdXRrTTFJR1JMYjIKV05iR2RBeXNlQTNzM0Mzcm1xM1VmYldhdDE4QytXS1QyYUxtY0cybXZCb3FIam51Zjg0aktnSkxDMU8wbFQ1SgpVY0l4c3RKRHpjYkVTVjlNZENKTDlSbHB0RjVlSFFJZFJCZ2ROM2IxcGtnOTM3VkJsd1NJaFVDS2I2RXU2M2FCCitBdmxmWmtlQkU4Ti9pOTN0Qy9TUkdqQmhyUnFVcEVOOVYrOHBJczVxTE5keC9RanF4TEpMMUtwMXQ0L0hVTkEKOVVTZVNrVDZTZ09OZ1NnQktCemFCYzUyTXRoWWYrZDk2YTJkN0N0dCt1amJBT0JKTkdKMytGenJoc3pzUTMzWQpkalBWTGQxSzBQSHZ0WDNrSWRKbFNWSmYxS3d5bDVKVm1Cck1wb2ZDQ2dsNnhyR0puYVJPb1A3bDZNb1BFZ21hClNRWWFIQVIvVGIzM2lBeTNLdlBuUkNMQlM2MEJCYitIcVd3c0RhczM0Uk9WUE05bUI2ZldkTUo0TG5kZmVpZm0KTGZ3Sy9GMXpRdFRaczNpYUYyMGEvY0EvdjRENWJCUldYSEQvTDA3Mks5TGxoMGNRRFVZY1V1ZUdwRWUycEZHRApxa1pCL08wSXNBOXAyTnNCekdvRWl1eHJwd0JBaXpiOUdCcU9DZUlGS1hKeU5heGU3YUVDZ2dFQkFOeG9zQ2cyCngwTWQzajRtWVhvWVpMMVBOUklwNlpuN2VLbThzK0tIRFdMUTlXWmtFbUwyODNXNzJFd2dDbmc2VjdsUHVYVlEKVTJXR0xjNDNvUU95U3JlNEZXbnZhTVhnWk42Wis2T0wvQ1J2VHZSbFhVNXJlYVNCT2tyZUJYK1g2dFo2Q1dORgpLWjkxTERvVVR5TlJVTTFUL3lwbS85SlE4MTJ1VUxnYUlQZGl5cCtPYmRoZWdBUE5CS0lxR3Nva0tKRlpjRDNyCjRwSVdHT0U3RVJrbU14MnFZMk54VGtuUGxOVUJzR01jS25qeTdycER5WmpDR0U3eldoRE5XRGdMUkJOc1liaHIKa0p4ZlNVVlBOb2RLaE8xVHQ3bDJRMnplcWxlV05pcktRbWdMY3JJRU9MRUdYcEY3U250eEx3N1pvYWlQU0FWWApQMTVqNXNkZlUzV1ZOdzhDZ2dFQkFOeGcyOGw5TllHUmwwU1JCZFJEakJhV21IK0pWYWdpdG0zNnorcnB1MWdZClZ4dFJ0N0FGTzF1QVphTys1aWd1d0JKcFhSUWJXVmZUcWppaTM1bUV2UENkZjhPcTZBQVlzeXg5WXVmUUdOUnEKZG1VNlcvdWhCMnVURDBrL0dQdjVFb2hBTlRjQmkyS1ROS2p0S1Z2bHFtbWZ4Tis5YTl4NjVEdWRHWUFRNGplNwpGaHZJSlU5WFA5VnRUc0ZGL1dqbE54enJNQURqSzNJekRvQTMwaU1XQXZkeTFjUDgxUzJzeGtwa0ZoL1QrNVVFCjYwZkNOSGFFemtQWWhKUmxYaUZtWXpqc3AyWjZpUERyMllHd1FWbURoMFFGeFVqZnoxdk1ONFdnVlVVeDlmNnUKR3QxeDdHblZFSGhzQ0VjQlFCUkhFbzJRcXY0VDVXbmNTNUVTN2hqK1JxVUNnZ0VBRDVUVEJ6VEFKMjJBSFpLbgpCM09jQTRvSzdXckxHZGllTWhtbCtkaWtTSjBQREJyODljUVJkL3c4a1QwZW9GczNnbUV4Y2lxb2lwL09zeXBaCmxxSlBCK2ZhazYrYUQ0c0tkbllhUlBpTGJhUDB4L0EyaFdteG9zQ0Q5M0Qwb0kyRHkzKzdGQ3A2Zzh4THdSdFkKY04yNXdab3ppckxYV08zaUZuaFJPb0tXWEFhKzNrSzZYelpuQkYzRSt4WFE2UU5mWHM4YzBUUFF3NVVPVXpYUwp3cDFodGJJcTdvZS9DaGJEcGI5RjBldlcwTkFUc2xWQ2Rpc2FmdEpUUnFiTm1zQ3BJbHBpR2lCNGk2VnN6NXFHCjkwOThVQzYvNlR1RURyazYvNUFkNmk1OFBWQzUzZjNRYUN0VUdpTEdKQzNmTHNTUjJoR3UvTG1yUUNmOTA1QlkKblJKY1h3S0NBUUVBbjJkQUV5SUtEY3B0akI4S0JGdEhmUjg0OXljeldnYWh4ak5oS1I0ZmNMMUtaR3hiWFdxcgpZS2dpM0tvOGVGdzRlaGpVUnJMeGtPRjlnckhzNG5KczUrNUVlQmVxOEVidGN3VFBBYlkzLzQxeVRnNUVjbUlyCnA5Z2Jlbk8xY3F6YWhzdEtzcHJmWTFIdkNURmlkU0pPZlZBZmEyYnNHZkthRzdTcXVVTjlIYXFwZHpieUpjMksKVXFwYUNOckRUWmhlb1FCTkhKYzAyY21zZDNubytZLzJYVjRtMlRpTVNobHE1R3c0eEpUa3FRbUIxY25YZ05MWApENlFSWWZWZ2ZQQStYUEp3czJOMm9pMDJpdVFlb016T2pwbE45a1JOREsxT2k4MUpZRitlKzdTYm9nbkJZMXZHCktoU2FlQ0dqWkFkMG1BbElaYmVtZlVmbk1PeHNaSStvTVFLQ0FRQmdETzBkTEt2Z3k0OFFwNzdzU3FkeGRRdTEKb2pqYm9rMGY4VVo5ZDJZWWl1WHMwb0k2WFQ4cmpESmJYUGZSUmFVUU1JYWRrL1VZOWxRdHZRRThHbW9aR2ozbgpXYTVXWGVkcUR3YUR4aHpmVnZQUzFMVm1VdkhsbllPWVBVT0JPc1ZUaU4yWXk1L0Y5WEpxMWRlVW0xVnVOZCs1ClVuK3d0YWVHVGR5K1pyQjF2RUFRT3M3R1REVFI2MjgwV1BPZ1JsenVRejhkYllYR29iajJrd3N1empCa0EvSjAKc2dkeEF0dExBWmIzQlVSQ2NmenkrdHJCd0Y3S1ZYek5EQnhmcit3MklRR0hINXR5NmNvcExTVDNXb2Y4WVRuTQpMdHBCVDNZTmgwTm5hS25HTlRGc3pZRldIRlJqSjRZU1BrcW85TkdWa0tiblZyOTllMDFjLys1VjBYY00KLS0tLS1FTkQgUlNBIFBSSVZBVEUgS0VZLS0tLS0K")
  461. smtc.pushRef = fakeRef{
  462. key: keyName,
  463. }
  464. smtc.keyOutput = keyvault.KeyBundle{
  465. Tags: map[string]*string{
  466. "managed-by": pointer.String(managerLabel),
  467. },
  468. Key: &keyvault.JSONWebKey{},
  469. }
  470. }
  471. ECKeySuccess := func(smtc *secretManagerTestCase) {
  472. smtc.setValue, _ = base64.StdEncoding.DecodeString("LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1JR2tBZ0VCQkRBWTk0L0NYOGo4UDNBakZXUkZYR0pWMFNWT1ErU1ZpV01nd0VFdy9rV2ZXcHF1OGtidllVTnAKVTQyN1Fubk5NV3VnQndZRks0RUVBQ0toWkFOaUFBU1FyOXAvcytDWHpFY2RUZ2t0aVFhTkxuVzJnNmQ1QkF4cQpBQXNaQms2UW11WngrZTZMUUdra080Uit0SVVaZCtWTGJlV3pLeEl3dk9xSVA3bkp0QldtTjZ4N3JsMjJibnhNCm5QWVQyNy9wSXM1RTk1L2dPV2RhOGMyUStHQTd5RTQ9Ci0tLS0tRU5EIEVDIFBSSVZBVEUgS0VZLS0tLS0K")
  473. smtc.pushRef = fakeRef{
  474. key: keyName,
  475. }
  476. smtc.keyOutput = keyvault.KeyBundle{
  477. Tags: map[string]*string{
  478. "managed-by": pointer.String(managerLabel),
  479. },
  480. Key: &keyvault.JSONWebKey{},
  481. }
  482. }
  483. invalidKey := func(smtc *secretManagerTestCase) {
  484. smtc.setValue, _ = base64.StdEncoding.DecodeString("LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUZhekNDQTFPZ0F3SUJBZ0lVUHZKZ21wcTBKUWVRNkJuL0hmVTcvUDhRTFlFd0RRWUpLb1pJaHZjTkFRRUwKQlFBd1JURUxNQWtHQTFVRUJoTUNRVlV4RXpBUkJnTlZCQWdNQ2xOdmJXVXRVM1JoZEdVeElUQWZCZ05WQkFvTQpHRWx1ZEdWeWJtVjBJRmRwWkdkcGRITWdVSFI1SUV4MFpEQWVGdzB5TWpBMk1UY3lNREEwTWpSYUZ3MHlNekEyCk1UY3lNREEwTWpSYU1FVXhDekFKQmdOVkJBWVRBa0ZWTVJNd0VRWURWUVFJREFwVGIyMWxMVk4wWVhSbE1TRXcKSHdZRFZRUUtEQmhKYm5SbGNtNWxkQ0JYYVdSbmFYUnpJRkIwZVNCTWRHUXdnZ0lpTUEwR0NTcUdTSWIzRFFFQgpBUVVBQTRJQ0R3QXdnZ0lLQW9JQ0FRRGlEditEVENBL0xaZjZiNnlVYnliQUxlSUViOHh0aHd1dnRFZk5aZ1dOClN3ZWNMZXY0QXF1N3lSUWRidlQ1cnRKOGs3TnJ0TUE0RDNVN1BQamkwOXVpdjFnSGRockY0VlloTjhiRFllc1UKaEpxZXZSVFBVQ0hRek9xMmNhT3ViRnBUN3JxN3lsMVFTQTFlbkptMUQxNnc0UnlJcEtTLzhvVDNQaGtXM1YydwpkWmFjblZSV1RXZE5MTy9iVWdseDd1YzJMS0wwd2pIMzNSbkZiWUUrTTdiZFVDUXlsSXFwcDM2ZWNvL0Y1Ym1xCjdRdzJ2VkRENENGY0g5aUp4N1FDYjc4Skp5WWlMNzRycjJNVXVzMzR5RlhpMUk5RDR0ajdtQTM2VmNHRk9OZUsKdEtLMnlOYWNrWm1VeTlLQUdGWnIxU2c0ODZTcWw2Y2VpTlAvVGpsb3dQaDNMOTFHOEUxaGJSM3dDS2J6MUR1bQpmaEZOSUdNZmNERkNRcXpEUlU4OEpuUlcyYnF2bGpGanFla0NkcncyeHcrOWp1K1NieXkxeVlrN3ZSM015ZHovCmJ1YUY1S29YUlVzUzhxOHIwSEg1TVAzR3ZYVVY3eXU4bE5kUUtzMXhnVVpmL2JYM0ZjS2xjazhNU3ZZbjNMQWoKbDNRNHMwMXZQY1JnaUMyTUZmajlzV0pueW16YVhYUk1qNFpaY0RuVHlFUmhOcHpXSmNMelh3bFcydTVKdkpVTQpRVEdxUlpXYkErMHF5Y0dBOENBTHRRTXc2ZU5sLzI0Mlo5ZnZ0U0JPc3VkWTdEWTFXckFTWTNhbVV1WWU4RjFBCjhNMlg2N0xBc1lGNkY5YW9JNk00S2dVSXdHYm81OGFVTU1qdzJibGkzdHZIaVNSSjduejFXU1VGOHZnZThIYkEKcFFJREFRQUJvMU13VVRBZEJnTlZIUTRFRmdRVWd0Y0xTUXpaUkRmQkFsSWh5b2pJTHNLYXBwc3dId1lEVlIwagpCQmd3Rm9BVWd0Y0xTUXpaUkRmQkFsSWh5b2pJTHNLYXBwc3dEd1lEVlIwVEFRSC9CQVV3QXdFQi96QU5CZ2txCmhraUc5dzBCQVFzRkFBT0NBZ0VBcy96OWNOT1ZSUzZFMmJVZm9GZS9lQW5OZlJjTmNaaW05VkdCWUFtRjc0MDgKSVEvVjhDK3g3cEloR1NGZ2VFNncxS1BRVXF0Z3dldUxFK0psOVhEYlAvMUdhcmgvN0xDWTVBUXk5eEdTVTNkcAp5VWs3SWE2a0wxRENkS3M0dXdGZ24wVjE1SytSM01Ud2FsemhVb1NVS2tDYVVSeU4vNTZXYk9OanhzRUhUbFhnClBBTEVYKzZVNDMzdktkYnNZdTJXZ2hXSmNwMytSZkI2MU90VmdvYTJYaThhL2pSbFpKVUJ1ZURESGEwVTE0L2EKaFRKcVdQWElROFlTY1BCbndsTzFyRjJkaEtMU0hiczZBd3d6VEVHUE5SUVpGRXF4YTJlb3VvV0NWUmxHTGVueQpMcWxnb1FSQ1pGRTdNNnBJazE5b0ZwV2tTSmNXYjFRMjJRWE03SFdKNjNtM2VBRjBUNThXcE45UzBsYXFNbnZCClZxNVpueUs1YVNDNjV3MGp1YzJteWM2K1RyUmNQSmM0UHJCY3VSZ0gvS1M1bkQvVFlKSStOSVBjU0NVZ2VKWFgKR003THNZanVuY1pCQmJkbFByRXJJN3pkYVNGdVJJbWYrSmh3T2p4OThSZjg3WkQ3d05pRmtzd1ZQYWZFQzFXQQoxc3ZMZDI0Nk0vR3I0RFVDK2Y2MUx4eFNKUkRWMDNySmdsZnY2cWlrL3hjaVlKU2lDdkZzR0hqYzBJaEtyTXBNCnFKRW03dWQxK3VTM3NHWTR6SkVUMUhleEJudjJ4RVlESjZhbGErV3FsNDdZTllSNm4yNlAvUWpNYjdSSGE1ZWMKUEhPMW5HaTY5L1U1dmVMRVlmZmtIV01qSTlKa1dhQzFiREcrMDl0clpSdXNUQWJCZHhqbWxzZ3o0UUFDeFd3PQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==")
  485. smtc.pushRef = fakeRef{
  486. key: keyName,
  487. }
  488. smtc.keyOutput = keyvault.KeyBundle{
  489. Tags: map[string]*string{
  490. "managed-by": pointer.String(managerLabel),
  491. },
  492. Key: &keyvault.JSONWebKey{},
  493. }
  494. smtc.expectError = "could not load private key keyname: key type CERTIFICATE is not supported"
  495. }
  496. noTags := func(smtc *secretManagerTestCase) {
  497. smtc.setValue = goodKey
  498. smtc.pushRef = fakeRef{
  499. key: keyName,
  500. }
  501. smtc.keyOutput = keyvault.KeyBundle{
  502. Tags: map[string]*string{},
  503. Key: &keyvault.JSONWebKey{},
  504. }
  505. smtc.expectError = errNotManaged
  506. }
  507. wrongTags := func(smtc *secretManagerTestCase) {
  508. smtc.setValue = goodKey
  509. smtc.pushRef = fakeRef{
  510. key: keyName,
  511. }
  512. smtc.keyOutput = keyvault.KeyBundle{
  513. Tags: map[string]*string{
  514. "managed-by": pointer.String("internal-secrets"),
  515. },
  516. Key: &keyvault.JSONWebKey{},
  517. }
  518. smtc.expectError = errNotManaged
  519. }
  520. errorGetKey := func(smtc *secretManagerTestCase) {
  521. smtc.setValue = goodKey
  522. smtc.pushRef = fakeRef{
  523. key: keyName,
  524. }
  525. smtc.apiErr = autorest.DetailedError{StatusCode: 403, Method: "GET", Message: "Forbidden"}
  526. smtc.expectError = errAPI
  527. }
  528. keyNotFound := func(smtc *secretManagerTestCase) {
  529. smtc.setValue = goodKey
  530. smtc.pushRef = fakeRef{
  531. key: keyName,
  532. }
  533. smtc.apiErr = autorest.DetailedError{StatusCode: 404, Method: "GET", Message: "Not Found"}
  534. smtc.expectError = ""
  535. }
  536. importKeyFailed := func(smtc *secretManagerTestCase) {
  537. smtc.setValue = goodKey
  538. smtc.pushRef = fakeRef{
  539. key: keyName,
  540. }
  541. smtc.apiErr = autorest.DetailedError{StatusCode: 404, Method: "GET", Message: "Not Found"}
  542. smtc.setErr = autorest.DetailedError{StatusCode: 403, Method: "POST", Message: "Forbidden"}
  543. smtc.expectError = "could not import key keyname: #POST: Forbidden: StatusCode=403"
  544. }
  545. certP12Success := func(smtc *secretManagerTestCase) {
  546. smtc.setValue = p12Cert
  547. smtc.pushRef = fakeRef{
  548. key: certName,
  549. }
  550. smtc.certOutput = keyvault.CertificateBundle{
  551. X509Thumbprint: pointer.String("123"),
  552. Tags: map[string]*string{
  553. "managed-by": pointer.String("external-secrets"),
  554. },
  555. }
  556. }
  557. certPEMSuccess := func(smtc *secretManagerTestCase) {
  558. pemCert, _ := base64.StdEncoding.DecodeString("LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUZwekNDQTQrZ0F3SUJBZ0lVTUhhVDZtZG8vd2Urbit0NFB2R0JZaUdDSXE0d0RRWUpLb1pJaHZjTkFRRUwKQlFBd1l6RUxNQWtHQTFVRUJoTUNRVlV4RXpBUkJnTlZCQWdNQ2xOdmJXVXRVM1JoZEdVeElUQWZCZ05WQkFvTQpHRWx1ZEdWeWJtVjBJRmRwWkdkcGRITWdVSFI1SUV4MFpERWNNQm9HQTFVRUF3d1RZVzV2ZEdobGNpMW1iMjh0ClltRnlMbU52YlRBZUZ3MHlNakEyTURreE56UTFNelphRncweU16QTJNRGt4TnpRMU16WmFNR014Q3pBSkJnTlYKQkFZVEFrRlZNUk13RVFZRFZRUUlEQXBUYjIxbExWTjBZWFJsTVNFd0h3WURWUVFLREJoSmJuUmxjbTVsZENCWAphV1JuYVhSeklGQjBlU0JNZEdReEhEQWFCZ05WQkFNTUUyRnViM1JvWlhJdFptOXZMV0poY2k1amIyMHdnZ0lpCk1BMEdDU3FHU0liM0RRRUJBUVVBQTRJQ0R3QXdnZ0lLQW9JQ0FRQ1pITzRvNkpteU9aZGZBdDdEV2pHa0d3N0QKNVVIU1BHZXQyTjg2cnBGWXcrZThnL3dSeDBnZDBzRk9pelBBREdjcnpmdWE5Z3ZFcDRWc1dvYUduY3dReGp2cworZ1orWmQ2UkVPNHRLNzRURmYxaWZibmowUHE2OENlQlFpaG8xbDNwM2UwQy8yemVJMjNidlZEdmUybXdVcTloCjY4UTFFUmdWMU1LaWJHU1Naak5DQzdkRGFQWmpKazViMFlWVFdxREViemREVnh2ZVVMNVJxRmcvREpBMzNWcTYKVFQzQ2U5RjBIcEorb3graSs4cUxmWU5qZExSUDZlbEtLTU5naVhhNTFvdnQ5MjF4UkVGdlhFdi9NS2pZOWE2SgppNndIRSs0NmdvbFY4V2puK2xMRkRKVHh6WEFEN2p2NzVzaHY0WEczdFlaQ2J4cTMzZ2Jtb3pzRVBneVNEa0IyCm5zc0tIUEFhSVNPaWpjNDhiSXhwbDVocFJPWUZFblJDWnhablhQNjdLZVF1VWZXQkpoVWdhaW1zQlErenpwUHoKZjVUbjRnVExkWll2NU41V1V2djJJdUF5Qktha0ZhR1ZYTzFpZ2FDeVQvUTNBcEE2ZGx4SjVVbjhLNjh1L0pIYQpmWWZ5engwVnVoZk5zbmtiWkxWSEZsR2Rxd3JrU0tCWSs1eS9WWlpkeC9hSHNWWndVN3ZEY2VobGVaUU00ZXZyCm5tMUY3dk5xSHBUK3BHSnpNVWVUNGZMVFpabTBra1Y3ZXl5RGRMMDFEWXRXQk1TM2NEb1F1Tm9YSUEwK0N4Vk8KOHcxcC9wbXF2UFQ3cmpad2pwYkVMUkp3MWs4R3ozU2FKb2VqaFBzWC9xNzNGWWdBc09PRHBNcm4rdmlTZTRmcgpmR0VmZlEvYXJUVE5qK1BUb3dJREFRQUJvMU13VVRBZEJnTlZIUTRFRmdRVWJPQk14azJ5UkNkR1N4eEZGMzBUCkZORFhHS3N3SHdZRFZSMGpCQmd3Rm9BVWJPQk14azJ5UkNkR1N4eEZGMzBURk5EWEdLc3dEd1lEVlIwVEFRSC8KQkFVd0F3RUIvekFOQmdrcWhraUc5dzBCQVFzRkFBT0NBZ0VBQXdudUtxOThOQ2hUMlUzU2RSNEFVem1MTjFCVwowNHIwMTA3TjlKdW9LbzJycjhoZ21mRmd0MDgrdFNDYzR5ajZSNStyY1hudXpqeEZLaWJVYnFncFpvd0pSSGEyCjF0NUJicEwxeWcybGZyZnhIb3YvRjh0VnNTbUE4d3loNlVpV1J3RTlrdlBXUm5LblR1a3Y1enpzcVNsTlNpbG0KNDl6UTdTV05sK0lBRnkvc3dacnRKUTEwVlQ5czRuUGVHM29XUU1vdE9QUCtsbFNpeW5LTFpxUTRnU0tSaTNmZQpQTGlXcHQ5WGZYb0dVQ0VqN3E1cGhibExQZ2RLVUNyaEdQMW4yalltWHNjV0xNeWtBbmEyMGNobHJxVlluQ2E4CkpVcDRMZnRGRHA4OVlUb1hPRkhuRm1uTkN2Y0lyRGZGeURmaGw0VU1GcEswT1VLcVRUeFdhSzl1cU9JcGFySXMKS1l3c3ArZkxlV0xiUTZrR2Ztbk81aURSZCtvT2hyTllvb1RaVks5ZlFSNXJEMmU0QitlYTByelFGWEFBVWpKNQpPWGFieGJEclErT01landjNEhxcXN4enRKZ0QyYVAyZUsyL0w1UFdQdWcwRSsxZzhBQlpmVmJvaC9NM01IZ2J6ClBnYVRxZ3V6R0Zka0czRVh1K09oR2JVMC8rNzdWTW5aaTJJUVpuL2F3R1VhN1grTVAwQkR2alZZNWtWcE1aMWgKYzJDbERqZ3hOc0xHdGlrTzRjV2I1c1FSUjJHWU0zZE1rNTBWUWN0SjVScXNSczZwT0NYRFhFM1JlVlFqNGhOQgplV3ZhRFdRMktteU9haTU1ZGJEcmxKK251ODNPbUNwNTlSelA1azU4WmFEWG5sQzM4VXdUdDBxMUQ3K3pGMHRzCjFHOTMydUVCSFdZSHVPQT0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=")
  559. smtc.setValue = pemCert
  560. smtc.pushRef = fakeRef{
  561. key: certName,
  562. }
  563. smtc.certOutput = keyvault.CertificateBundle{
  564. X509Thumbprint: pointer.String("123"),
  565. Tags: map[string]*string{
  566. "managed-by": pointer.String("external-secrets"),
  567. },
  568. }
  569. }
  570. certDERSuccess := func(smtc *secretManagerTestCase) {
  571. derCert, _ := base64.StdEncoding.DecodeString("MIIFpzCCA4+gAwIBAgIUMHaT6mdo/we+n+t4PvGBYiGCIq4wDQYJKoZIhvcNAQELBQAwYzELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEcMBoGA1UEAwwTYW5vdGhlci1mb28tYmFyLmNvbTAeFw0yMjA2MDkxNzQ1MzZaFw0yMzA2MDkxNzQ1MzZaMGMxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQxHDAaBgNVBAMME2Fub3RoZXItZm9vLWJhci5jb20wggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCZHO4o6JmyOZdfAt7DWjGkGw7D5UHSPGet2N86rpFYw+e8g/wRx0gd0sFOizPADGcrzfua9gvEp4VsWoaGncwQxjvs+gZ+Zd6REO4tK74TFf1ifbnj0Pq68CeBQiho1l3p3e0C/2zeI23bvVDve2mwUq9h68Q1ERgV1MKibGSSZjNCC7dDaPZjJk5b0YVTWqDEbzdDVxveUL5RqFg/DJA33Vq6TT3Ce9F0HpJ+ox+i+8qLfYNjdLRP6elKKMNgiXa51ovt921xREFvXEv/MKjY9a6Ji6wHE+46golV8Wjn+lLFDJTxzXAD7jv75shv4XG3tYZCbxq33gbmozsEPgySDkB2nssKHPAaISOijc48bIxpl5hpROYFEnRCZxZnXP67KeQuUfWBJhUgaimsBQ+zzpPzf5Tn4gTLdZYv5N5WUvv2IuAyBKakFaGVXO1igaCyT/Q3ApA6dlxJ5Un8K68u/JHafYfyzx0VuhfNsnkbZLVHFlGdqwrkSKBY+5y/VZZdx/aHsVZwU7vDcehleZQM4evrnm1F7vNqHpT+pGJzMUeT4fLTZZm0kkV7eyyDdL01DYtWBMS3cDoQuNoXIA0+CxVO8w1p/pmqvPT7rjZwjpbELRJw1k8Gz3SaJoejhPsX/q73FYgAsOODpMrn+viSe4frfGEffQ/arTTNj+PTowIDAQABo1MwUTAdBgNVHQ4EFgQUbOBMxk2yRCdGSxxFF30TFNDXGKswHwYDVR0jBBgwFoAUbOBMxk2yRCdGSxxFF30TFNDXGKswDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAgEAAwnuKq98NChT2U3SdR4AUzmLN1BW04r0107N9JuoKo2rr8hgmfFgt08+tSCc4yj6R5+rcXnuzjxFKibUbqgpZowJRHa21t5BbpL1yg2lfrfxHov/F8tVsSmA8wyh6UiWRwE9kvPWRnKnTukv5zzsqSlNSilm49zQ7SWNl+IAFy/swZrtJQ10VT9s4nPeG3oWQMotOPP+llSiynKLZqQ4gSKRi3fePLiWpt9XfXoGUCEj7q5phblLPgdKUCrhGP1n2jYmXscWLMykAna20chlrqVYnCa8JUp4LftFDp89YToXOFHnFmnNCvcIrDfFyDfhl4UMFpK0OUKqTTxWaK9uqOIparIsKYwsp+fLeWLbQ6kGfmnO5iDRd+oOhrNYooTZVK9fQR5rD2e4B+ea0rzQFXAAUjJ5OXabxbDrQ+OMejwc4HqqsxztJgD2aP2eK2/L5PWPug0E+1g8ABZfVboh/M3MHgbzPgaTqguzGFdkG3EXu+OhGbU0/+77VMnZi2IQZn/awGUa7X+MP0BDvjVY5kVpMZ1hc2ClDjgxNsLGtikO4cWb5sQRR2GYM3dMk50VQctJ5RqsRs6pOCXDXE3ReVQj4hNBeWvaDWQ2KmyOai55dbDrlJ+nu83OmCp59RzP5k58ZaDXnlC38UwTt0q1D7+zF0ts1G932uEBHWYHuOA=")
  572. smtc.setValue = derCert
  573. smtc.pushRef = fakeRef{
  574. key: certName,
  575. }
  576. smtc.certOutput = keyvault.CertificateBundle{
  577. X509Thumbprint: pointer.String("123"),
  578. Tags: map[string]*string{
  579. "managed-by": pointer.String("external-secrets"),
  580. },
  581. }
  582. }
  583. certImportCertificateError := func(smtc *secretManagerTestCase) {
  584. smtc.setErr = errors.New("error")
  585. smtc.setValue = p12Cert
  586. smtc.pushRef = fakeRef{
  587. key: certName,
  588. }
  589. smtc.certOutput = keyvault.CertificateBundle{
  590. X509Thumbprint: pointer.String("123"),
  591. Tags: map[string]*string{
  592. "managed-by": pointer.String("external-secrets"),
  593. },
  594. }
  595. smtc.expectError = "could not import certificate certname: error"
  596. }
  597. certFingerprintMatches := func(smtc *secretManagerTestCase) {
  598. smtc.setErr = errors.New("error")
  599. cert, _ := base64.StdEncoding.DecodeString("MIIFpzCCA4+gAwIBAgIUMHaT6mdo/we+n+t4PvGBYiGCIq4wDQYJKoZIhvcNAQELBQAwYzELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEcMBoGA1UEAwwTYW5vdGhlci1mb28tYmFyLmNvbTAeFw0yMjA2MDkxNzQ1MzZaFw0yMzA2MDkxNzQ1MzZaMGMxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQxHDAaBgNVBAMME2Fub3RoZXItZm9vLWJhci5jb20wggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCZHO4o6JmyOZdfAt7DWjGkGw7D5UHSPGet2N86rpFYw+e8g/wRx0gd0sFOizPADGcrzfua9gvEp4VsWoaGncwQxjvs+gZ+Zd6REO4tK74TFf1ifbnj0Pq68CeBQiho1l3p3e0C/2zeI23bvVDve2mwUq9h68Q1ERgV1MKibGSSZjNCC7dDaPZjJk5b0YVTWqDEbzdDVxveUL5RqFg/DJA33Vq6TT3Ce9F0HpJ+ox+i+8qLfYNjdLRP6elKKMNgiXa51ovt921xREFvXEv/MKjY9a6Ji6wHE+46golV8Wjn+lLFDJTxzXAD7jv75shv4XG3tYZCbxq33gbmozsEPgySDkB2nssKHPAaISOijc48bIxpl5hpROYFEnRCZxZnXP67KeQuUfWBJhUgaimsBQ+zzpPzf5Tn4gTLdZYv5N5WUvv2IuAyBKakFaGVXO1igaCyT/Q3ApA6dlxJ5Un8K68u/JHafYfyzx0VuhfNsnkbZLVHFlGdqwrkSKBY+5y/VZZdx/aHsVZwU7vDcehleZQM4evrnm1F7vNqHpT+pGJzMUeT4fLTZZm0kkV7eyyDdL01DYtWBMS3cDoQuNoXIA0+CxVO8w1p/pmqvPT7rjZwjpbELRJw1k8Gz3SaJoejhPsX/q73FYgAsOODpMrn+viSe4frfGEffQ/arTTNj+PTowIDAQABo1MwUTAdBgNVHQ4EFgQUbOBMxk2yRCdGSxxFF30TFNDXGKswHwYDVR0jBBgwFoAUbOBMxk2yRCdGSxxFF30TFNDXGKswDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAgEAAwnuKq98NChT2U3SdR4AUzmLN1BW04r0107N9JuoKo2rr8hgmfFgt08+tSCc4yj6R5+rcXnuzjxFKibUbqgpZowJRHa21t5BbpL1yg2lfrfxHov/F8tVsSmA8wyh6UiWRwE9kvPWRnKnTukv5zzsqSlNSilm49zQ7SWNl+IAFy/swZrtJQ10VT9s4nPeG3oWQMotOPP+llSiynKLZqQ4gSKRi3fePLiWpt9XfXoGUCEj7q5phblLPgdKUCrhGP1n2jYmXscWLMykAna20chlrqVYnCa8JUp4LftFDp89YToXOFHnFmnNCvcIrDfFyDfhl4UMFpK0OUKqTTxWaK9uqOIparIsKYwsp+fLeWLbQ6kGfmnO5iDRd+oOhrNYooTZVK9fQR5rD2e4B+ea0rzQFXAAUjJ5OXabxbDrQ+OMejwc4HqqsxztJgD2aP2eK2/L5PWPug0E+1g8ABZfVboh/M3MHgbzPgaTqguzGFdkG3EXu+OhGbU0/+77VMnZi2IQZn/awGUa7X+MP0BDvjVY5kVpMZ1hc2ClDjgxNsLGtikO4cWb5sQRR2GYM3dMk50VQctJ5RqsRs6pOCXDXE3ReVQj4hNBeWvaDWQ2KmyOai55dbDrlJ+nu83OmCp59RzP5k58ZaDXnlC38UwTt0q1D7+zF0ts1G932uEBHWYHuOA=")
  600. smtc.setValue = p12Cert
  601. smtc.pushRef = fakeRef{
  602. key: certName,
  603. }
  604. smtc.certOutput = keyvault.CertificateBundle{
  605. Cer: &cert,
  606. Tags: map[string]*string{
  607. "managed-by": pointer.String("external-secrets"),
  608. },
  609. }
  610. }
  611. certNotManagedByES := func(smtc *secretManagerTestCase) {
  612. smtc.setValue = p12Cert
  613. smtc.pushRef = fakeRef{
  614. key: certName,
  615. }
  616. smtc.certOutput = keyvault.CertificateBundle{
  617. X509Thumbprint: pointer.String("123"),
  618. Tags: map[string]*string{
  619. "managed-by": pointer.String("foobar"),
  620. },
  621. }
  622. smtc.expectError = "certificate certname: not managed by external-secrets"
  623. }
  624. certNoManagerTags := func(smtc *secretManagerTestCase) {
  625. smtc.setValue = p12Cert
  626. smtc.pushRef = fakeRef{
  627. key: certName,
  628. }
  629. smtc.certOutput = keyvault.CertificateBundle{
  630. X509Thumbprint: pointer.String("123"),
  631. }
  632. smtc.expectError = "certificate certname: not managed by external-secrets"
  633. }
  634. certNotACertificate := func(smtc *secretManagerTestCase) {
  635. smtc.setValue = []byte("foobar")
  636. smtc.pushRef = fakeRef{
  637. key: certName,
  638. }
  639. smtc.certOutput = keyvault.CertificateBundle{
  640. X509Thumbprint: pointer.String("123"),
  641. }
  642. smtc.expectError = "value from secret is not a valid certificate: x509: malformed certificate"
  643. }
  644. certNoPermissions := func(smtc *secretManagerTestCase) {
  645. smtc.apiErr = autorest.DetailedError{
  646. StatusCode: 403,
  647. Method: "GET",
  648. Message: "Insufficient Permissions",
  649. }
  650. smtc.setValue = p12Cert
  651. smtc.pushRef = fakeRef{
  652. key: certName,
  653. }
  654. smtc.certOutput = keyvault.CertificateBundle{
  655. X509Thumbprint: pointer.String("123"),
  656. }
  657. smtc.expectError = errAPI
  658. }
  659. successCases := []*secretManagerTestCase{
  660. makeValidSecretManagerTestCaseCustom(certP12Success),
  661. makeValidSecretManagerTestCaseCustom(certPEMSuccess),
  662. makeValidSecretManagerTestCaseCustom(certDERSuccess),
  663. makeValidSecretManagerTestCaseCustom(certImportCertificateError),
  664. makeValidSecretManagerTestCaseCustom(certFingerprintMatches),
  665. makeValidSecretManagerTestCaseCustom(certNotManagedByES),
  666. makeValidSecretManagerTestCaseCustom(certNoManagerTags),
  667. makeValidSecretManagerTestCaseCustom(certNotACertificate),
  668. makeValidSecretManagerTestCaseCustom(certNoPermissions),
  669. makeValidSecretManagerTestCaseCustom(keySuccess),
  670. makeValidSecretManagerTestCaseCustom(symmetricKeySuccess),
  671. makeValidSecretManagerTestCaseCustom(RSAKeySuccess),
  672. makeValidSecretManagerTestCaseCustom(ECKeySuccess),
  673. makeValidSecretManagerTestCaseCustom(invalidKey),
  674. makeValidSecretManagerTestCaseCustom(errorGetKey),
  675. makeValidSecretManagerTestCaseCustom(keyNotFound),
  676. makeValidSecretManagerTestCaseCustom(importKeyFailed),
  677. makeValidSecretManagerTestCaseCustom(noTags),
  678. makeValidSecretManagerTestCaseCustom(wrongTags),
  679. makeValidSecretManagerTestCaseCustom(secretSuccess),
  680. makeValidSecretManagerTestCaseCustom(secretNoChange),
  681. makeValidSecretManagerTestCaseCustom(secretWrongTags),
  682. makeValidSecretManagerTestCaseCustom(secretNoTags),
  683. makeValidSecretManagerTestCaseCustom(secretNotFound),
  684. makeValidSecretManagerTestCaseCustom(failedGetSecret),
  685. makeValidSecretManagerTestCaseCustom(failedNotParseableError),
  686. makeValidSecretManagerTestCaseCustom(failedSetSecret),
  687. makeValidSecretManagerTestCaseCustom(typeNotSupported),
  688. }
  689. sm := Azure{
  690. provider: &esv1beta1.AzureKVProvider{VaultURL: pointer.String(fakeURL)},
  691. }
  692. for k, v := range successCases {
  693. sm.baseClient = v.mockClient
  694. err := sm.PushSecret(context.Background(), v.setValue, v.pushRef)
  695. if !utils.ErrorContains(err, v.expectError) {
  696. if err == nil {
  697. t.Errorf("[%d] unexpected error: <nil>, expected: '%s'", k, v.expectError)
  698. } else {
  699. t.Errorf("[%d] unexpected error: %s, expected: '%s'", k, err.Error(), v.expectError)
  700. }
  701. }
  702. }
  703. }
  704. // test the sm<->azurekv interface
  705. // make sure correct values are passed and errors are handled accordingly.
  706. func TestAzureKeyVaultSecretManagerGetSecret(t *testing.T) {
  707. secretString := "changedvalue"
  708. secretCertificate := "certificate_value"
  709. tagMap := getTagMap()
  710. // good case
  711. setSecretString := func(smtc *secretManagerTestCase) {
  712. smtc.expectedSecret = secretString
  713. smtc.secretOutput = keyvault.SecretBundle{
  714. Value: &secretString,
  715. }
  716. }
  717. setSecretStringWithVersion := func(smtc *secretManagerTestCase) {
  718. smtc.expectedSecret = secretString
  719. smtc.secretOutput = keyvault.SecretBundle{
  720. Value: &secretString,
  721. }
  722. smtc.ref.Version = "v1"
  723. smtc.secretVersion = smtc.ref.Version
  724. }
  725. setSecretWithProperty := func(smtc *secretManagerTestCase) {
  726. jsonString := jsonTestString
  727. smtc.expectedSecret = "External"
  728. smtc.secretOutput = keyvault.SecretBundle{
  729. Value: &jsonString,
  730. }
  731. smtc.ref.Property = "Name"
  732. }
  733. badSecretWithProperty := func(smtc *secretManagerTestCase) {
  734. jsonString := jsonTestString
  735. smtc.expectedSecret = ""
  736. smtc.secretOutput = keyvault.SecretBundle{
  737. Value: &jsonString,
  738. }
  739. smtc.ref.Property = "Age"
  740. smtc.expectError = fmt.Sprintf("property %s does not exist in key %s", smtc.ref.Property, smtc.ref.Key)
  741. smtc.apiErr = errors.New(smtc.expectError)
  742. }
  743. // // good case: key set
  744. setPubRSAKey := func(smtc *secretManagerTestCase) {
  745. smtc.secretName = keyName
  746. smtc.expectedSecret = jwkPubRSA
  747. smtc.keyOutput = keyvault.KeyBundle{
  748. Key: newKVJWK([]byte(jwkPubRSA)),
  749. }
  750. smtc.ref.Key = smtc.secretName
  751. }
  752. // // good case: key set
  753. setPubECKey := func(smtc *secretManagerTestCase) {
  754. smtc.secretName = keyName
  755. smtc.expectedSecret = jwkPubEC
  756. smtc.keyOutput = keyvault.KeyBundle{
  757. Key: newKVJWK([]byte(jwkPubEC)),
  758. }
  759. smtc.ref.Key = smtc.secretName
  760. }
  761. // // good case: key set
  762. setCertificate := func(smtc *secretManagerTestCase) {
  763. byteArrString := []byte(secretCertificate)
  764. smtc.secretName = certName
  765. smtc.expectedSecret = secretCertificate
  766. smtc.certOutput = keyvault.CertificateBundle{
  767. Cer: &byteArrString,
  768. }
  769. smtc.ref.Key = smtc.secretName
  770. }
  771. badSecretType := func(smtc *secretManagerTestCase) {
  772. smtc.secretName = "name"
  773. smtc.expectedSecret = ""
  774. smtc.expectError = fmt.Sprintf("unknown Azure Keyvault object Type for %s", smtc.secretName)
  775. smtc.ref.Key = fmt.Sprintf("dummy/%s", smtc.secretName)
  776. }
  777. setSecretWithTag := func(smtc *secretManagerTestCase) {
  778. smtc.ref.MetadataPolicy = esv1beta1.ExternalSecretMetadataPolicyFetch
  779. smtc.ref.Property = tagname
  780. smtc.secretOutput = keyvault.SecretBundle{
  781. Value: &secretString, Tags: tagMap,
  782. }
  783. smtc.expectedSecret = tagvalue
  784. }
  785. badSecretWithTag := func(smtc *secretManagerTestCase) {
  786. smtc.ref.MetadataPolicy = esv1beta1.ExternalSecretMetadataPolicyFetch
  787. smtc.ref.Property = something
  788. smtc.expectedSecret = ""
  789. smtc.expectError = errorNoTag
  790. smtc.apiErr = errors.New(smtc.expectError)
  791. }
  792. setSecretWithNoSpecificTag := func(smtc *secretManagerTestCase) {
  793. smtc.ref.MetadataPolicy = esv1beta1.ExternalSecretMetadataPolicyFetch
  794. smtc.secretOutput = keyvault.SecretBundle{
  795. Value: &secretString, Tags: tagMap,
  796. }
  797. smtc.expectedSecret = jsonTagTestString
  798. }
  799. setSecretWithNoTags := func(smtc *secretManagerTestCase) {
  800. smtc.ref.MetadataPolicy = esv1beta1.ExternalSecretMetadataPolicyFetch
  801. smtc.secretOutput = keyvault.SecretBundle{}
  802. smtc.expectedSecret = "{}"
  803. }
  804. setCertWithTag := func(smtc *secretManagerTestCase) {
  805. byteArrString := []byte(secretCertificate)
  806. smtc.secretName = certName
  807. smtc.certOutput = keyvault.CertificateBundle{
  808. Cer: &byteArrString, Tags: tagMap,
  809. }
  810. smtc.ref.MetadataPolicy = esv1beta1.ExternalSecretMetadataPolicyFetch
  811. smtc.ref.Property = tagname
  812. smtc.expectedSecret = tagvalue
  813. smtc.ref.Key = smtc.secretName
  814. }
  815. badCertWithTag := func(smtc *secretManagerTestCase) {
  816. byteArrString := []byte(secretCertificate)
  817. smtc.secretName = certName
  818. smtc.ref.Key = smtc.secretName
  819. smtc.certOutput = keyvault.CertificateBundle{
  820. Cer: &byteArrString,
  821. }
  822. smtc.ref.MetadataPolicy = esv1beta1.ExternalSecretMetadataPolicyFetch
  823. smtc.ref.Property = something
  824. smtc.expectedSecret = ""
  825. smtc.expectError = errorNoTag
  826. smtc.apiErr = errors.New(smtc.expectError)
  827. }
  828. setCertWithNoSpecificTag := func(smtc *secretManagerTestCase) {
  829. byteArrString := []byte(secretCertificate)
  830. smtc.secretName = certName
  831. smtc.ref.Key = smtc.secretName
  832. smtc.certOutput = keyvault.CertificateBundle{
  833. Cer: &byteArrString, Tags: tagMap,
  834. }
  835. smtc.ref.MetadataPolicy = esv1beta1.ExternalSecretMetadataPolicyFetch
  836. smtc.expectedSecret = jsonTagTestString
  837. }
  838. setCertWithNoTags := func(smtc *secretManagerTestCase) {
  839. byteArrString := []byte(secretCertificate)
  840. smtc.secretName = certName
  841. smtc.ref.Key = smtc.secretName
  842. smtc.certOutput = keyvault.CertificateBundle{
  843. Cer: &byteArrString,
  844. }
  845. smtc.ref.MetadataPolicy = esv1beta1.ExternalSecretMetadataPolicyFetch
  846. smtc.expectedSecret = "{}"
  847. }
  848. setKeyWithTag := func(smtc *secretManagerTestCase) {
  849. smtc.secretName = keyName
  850. smtc.keyOutput = keyvault.KeyBundle{
  851. Key: newKVJWK([]byte(jwkPubRSA)), Tags: tagMap,
  852. }
  853. smtc.ref.MetadataPolicy = esv1beta1.ExternalSecretMetadataPolicyFetch
  854. smtc.ref.Property = tagname
  855. smtc.expectedSecret = tagvalue
  856. smtc.ref.Key = smtc.secretName
  857. }
  858. badKeyWithTag := func(smtc *secretManagerTestCase) {
  859. smtc.secretName = keyName
  860. smtc.ref.Key = smtc.secretName
  861. smtc.keyOutput = keyvault.KeyBundle{
  862. Key: newKVJWK([]byte(jwkPubRSA)), Tags: tagMap,
  863. }
  864. smtc.ref.MetadataPolicy = esv1beta1.ExternalSecretMetadataPolicyFetch
  865. smtc.ref.Property = something
  866. smtc.expectedSecret = ""
  867. smtc.expectError = errorNoTag
  868. smtc.apiErr = errors.New(smtc.expectError)
  869. }
  870. setKeyWithNoSpecificTag := func(smtc *secretManagerTestCase) {
  871. smtc.secretName = keyName
  872. smtc.ref.Key = smtc.secretName
  873. smtc.keyOutput = keyvault.KeyBundle{
  874. Key: newKVJWK([]byte(jwkPubRSA)), Tags: tagMap,
  875. }
  876. smtc.ref.MetadataPolicy = esv1beta1.ExternalSecretMetadataPolicyFetch
  877. smtc.expectedSecret = jsonTagTestString
  878. }
  879. setKeyWithNoTags := func(smtc *secretManagerTestCase) {
  880. smtc.secretName = keyName
  881. smtc.ref.Key = smtc.secretName
  882. smtc.keyOutput = keyvault.KeyBundle{
  883. Key: newKVJWK([]byte(jwkPubRSA)),
  884. }
  885. smtc.ref.MetadataPolicy = esv1beta1.ExternalSecretMetadataPolicyFetch
  886. smtc.expectedSecret = "{}"
  887. }
  888. badPropertyTag := func(smtc *secretManagerTestCase) {
  889. smtc.ref.Property = tagname
  890. smtc.expectedSecret = ""
  891. smtc.expectError = "property tagname does not exist in key test-secret"
  892. smtc.apiErr = errors.New(smtc.expectError)
  893. }
  894. fetchSingleTag := func(smtc *secretManagerTestCase) {
  895. jsonString := jsonTestString
  896. smtc.expectedSecret = bar
  897. smtc.ref.MetadataPolicy = esv1beta1.ExternalSecretMetadataPolicyFetch
  898. secretTags := map[string]*string{}
  899. tagValue := bar
  900. secretTags[foo] = &tagValue
  901. smtc.secretOutput = keyvault.SecretBundle{
  902. Value: &jsonString,
  903. Tags: secretTags,
  904. }
  905. smtc.ref.Property = foo
  906. }
  907. fetchJSONTag := func(smtc *secretManagerTestCase) {
  908. jsonString := jsonTestString
  909. smtc.ref.MetadataPolicy = esv1beta1.ExternalSecretMetadataPolicyFetch
  910. secretTags := map[string]*string{}
  911. tagValue := "{\"key\":\"value\"}"
  912. secretTags[foo] = &tagValue
  913. smtc.secretOutput = keyvault.SecretBundle{
  914. Value: &jsonString,
  915. Tags: secretTags,
  916. }
  917. smtc.ref.Property = foo
  918. smtc.expectedSecret = tagValue
  919. }
  920. fetchDottedJSONTag := func(smtc *secretManagerTestCase) {
  921. jsonString := jsonTestString
  922. smtc.ref.MetadataPolicy = esv1beta1.ExternalSecretMetadataPolicyFetch
  923. secretTags := map[string]*string{}
  924. tagValue := "{\"key\":\"value\"}"
  925. secretTags[foo] = &tagValue
  926. smtc.secretOutput = keyvault.SecretBundle{
  927. Value: &jsonString,
  928. Tags: secretTags,
  929. }
  930. smtc.ref.Property = "foo.key"
  931. smtc.expectedSecret = "value"
  932. }
  933. fetchNestedJSONTag := func(smtc *secretManagerTestCase) {
  934. jsonString := jsonTestString
  935. smtc.ref.MetadataPolicy = esv1beta1.ExternalSecretMetadataPolicyFetch
  936. secretTags := map[string]*string{}
  937. tagValue := "{\"key\":\"value\", \"nested\": {\"foo\":\"bar\"}}"
  938. secretTags["foo"] = &tagValue
  939. smtc.secretOutput = keyvault.SecretBundle{
  940. Value: &jsonString,
  941. Tags: secretTags,
  942. }
  943. smtc.ref.Property = "foo.nested"
  944. smtc.expectedSecret = "{\"foo\":\"bar\"}"
  945. }
  946. fetchNestedDottedJSONTag := func(smtc *secretManagerTestCase) {
  947. jsonString := jsonTestString
  948. smtc.ref.MetadataPolicy = esv1beta1.ExternalSecretMetadataPolicyFetch
  949. secretTags := map[string]*string{}
  950. tagValue := "{\"key\":\"value\", \"nested\": {\"foo\":\"bar\"}}"
  951. secretTags[foo] = &tagValue
  952. smtc.secretOutput = keyvault.SecretBundle{
  953. Value: &jsonString,
  954. Tags: secretTags,
  955. }
  956. smtc.ref.Property = "foo.nested.foo"
  957. smtc.expectedSecret = bar
  958. }
  959. fetchDottedKeyJSONTag := func(smtc *secretManagerTestCase) {
  960. jsonString := jsonTestString
  961. smtc.ref.MetadataPolicy = esv1beta1.ExternalSecretMetadataPolicyFetch
  962. secretTags := map[string]*string{}
  963. tagValue := "{\"foo.json\":\"bar\"}"
  964. secretTags[foo] = &tagValue
  965. smtc.secretOutput = keyvault.SecretBundle{
  966. Value: &jsonString,
  967. Tags: secretTags,
  968. }
  969. smtc.ref.Property = "foo.foo.json"
  970. smtc.expectedSecret = bar
  971. }
  972. fetchDottedSecretJSONTag := func(smtc *secretManagerTestCase) {
  973. jsonString := "{\"foo.json\":\"bar\"}"
  974. smtc.secretOutput = keyvault.SecretBundle{
  975. Value: &jsonString,
  976. }
  977. smtc.ref.Property = "foo.json"
  978. smtc.expectedSecret = bar
  979. }
  980. successCases := []*secretManagerTestCase{
  981. makeValidSecretManagerTestCase(),
  982. makeValidSecretManagerTestCaseCustom(setSecretString),
  983. makeValidSecretManagerTestCaseCustom(setSecretStringWithVersion),
  984. makeValidSecretManagerTestCaseCustom(setSecretWithProperty),
  985. makeValidSecretManagerTestCaseCustom(badSecretWithProperty),
  986. makeValidSecretManagerTestCaseCustom(setPubRSAKey),
  987. makeValidSecretManagerTestCaseCustom(setPubECKey),
  988. makeValidSecretManagerTestCaseCustom(setCertificate),
  989. makeValidSecretManagerTestCaseCustom(badSecretType),
  990. makeValidSecretManagerTestCaseCustom(setSecretWithTag),
  991. makeValidSecretManagerTestCaseCustom(badSecretWithTag),
  992. makeValidSecretManagerTestCaseCustom(setSecretWithNoSpecificTag),
  993. makeValidSecretManagerTestCaseCustom(setSecretWithNoTags),
  994. makeValidSecretManagerTestCaseCustom(setCertWithTag),
  995. makeValidSecretManagerTestCaseCustom(badCertWithTag),
  996. makeValidSecretManagerTestCaseCustom(setCertWithNoSpecificTag),
  997. makeValidSecretManagerTestCaseCustom(setCertWithNoTags),
  998. makeValidSecretManagerTestCaseCustom(setKeyWithTag),
  999. makeValidSecretManagerTestCaseCustom(badKeyWithTag),
  1000. makeValidSecretManagerTestCaseCustom(setKeyWithNoSpecificTag),
  1001. makeValidSecretManagerTestCaseCustom(setKeyWithNoTags),
  1002. makeValidSecretManagerTestCaseCustom(badPropertyTag),
  1003. makeValidSecretManagerTestCaseCustom(fetchSingleTag),
  1004. makeValidSecretManagerTestCaseCustom(fetchJSONTag),
  1005. makeValidSecretManagerTestCaseCustom(fetchDottedJSONTag),
  1006. makeValidSecretManagerTestCaseCustom(fetchNestedJSONTag),
  1007. makeValidSecretManagerTestCaseCustom(fetchNestedDottedJSONTag),
  1008. makeValidSecretManagerTestCaseCustom(fetchDottedKeyJSONTag),
  1009. makeValidSecretManagerTestCaseCustom(fetchDottedSecretJSONTag),
  1010. }
  1011. sm := Azure{
  1012. provider: &esv1beta1.AzureKVProvider{VaultURL: pointer.String(fakeURL)},
  1013. }
  1014. for k, v := range successCases {
  1015. sm.baseClient = v.mockClient
  1016. out, err := sm.GetSecret(context.Background(), *v.ref)
  1017. if !utils.ErrorContains(err, v.expectError) {
  1018. t.Errorf("[%d] unexpected error: %s, expected: '%s'", k, err.Error(), v.expectError)
  1019. }
  1020. if string(out) != v.expectedSecret {
  1021. t.Errorf("[%d] unexpected secret: expected %s, got %s", k, v.expectedSecret, string(out))
  1022. }
  1023. }
  1024. }
  1025. func TestAzureKeyVaultSecretManagerGetSecretMap(t *testing.T) {
  1026. secretString := "changedvalue"
  1027. secretCertificate := "certificate_value"
  1028. tagMap := getTagMap()
  1029. badSecretString := func(smtc *secretManagerTestCase) {
  1030. smtc.expectedSecret = secretString
  1031. smtc.secretOutput = keyvault.SecretBundle{
  1032. Value: &secretString,
  1033. }
  1034. smtc.expectError = "error unmarshalling json data: invalid character 'c' looking for beginning of value"
  1035. }
  1036. setSecretJSON := func(smtc *secretManagerTestCase) {
  1037. jsonString := jsonSingleTestString
  1038. smtc.secretOutput = keyvault.SecretBundle{
  1039. Value: &jsonString,
  1040. }
  1041. smtc.expectedData["Name"] = []byte("External")
  1042. smtc.expectedData["LastName"] = []byte("Secret")
  1043. }
  1044. setSecretJSONWithProperty := func(smtc *secretManagerTestCase) {
  1045. jsonString := jsonTestString
  1046. smtc.secretOutput = keyvault.SecretBundle{
  1047. Value: &jsonString,
  1048. }
  1049. smtc.ref.Property = "Address"
  1050. smtc.expectedData["Street"] = []byte("Myroad st.")
  1051. smtc.expectedData["CP"] = []byte("J4K4T4")
  1052. }
  1053. badSecretWithProperty := func(smtc *secretManagerTestCase) {
  1054. jsonString := jsonTestString
  1055. smtc.expectedSecret = ""
  1056. smtc.secretOutput = keyvault.SecretBundle{
  1057. Value: &jsonString,
  1058. }
  1059. smtc.ref.Property = "Age"
  1060. smtc.expectError = fmt.Sprintf("property %s does not exist in key %s", smtc.ref.Property, smtc.ref.Key)
  1061. smtc.apiErr = errors.New(smtc.expectError)
  1062. }
  1063. badPubRSAKey := func(smtc *secretManagerTestCase) {
  1064. smtc.secretName = keyName
  1065. smtc.expectedSecret = jwkPubRSA
  1066. smtc.keyOutput = keyvault.KeyBundle{
  1067. Key: newKVJWK([]byte(jwkPubRSA)),
  1068. }
  1069. smtc.ref.Key = smtc.secretName
  1070. smtc.expectError = "cannot get use dataFrom to get key secret"
  1071. }
  1072. badCertificate := func(smtc *secretManagerTestCase) {
  1073. byteArrString := []byte(secretCertificate)
  1074. smtc.secretName = certName
  1075. smtc.expectedSecret = secretCertificate
  1076. smtc.certOutput = keyvault.CertificateBundle{
  1077. Cer: &byteArrString,
  1078. }
  1079. smtc.ref.Key = smtc.secretName
  1080. smtc.expectError = "cannot get use dataFrom to get certificate secret"
  1081. }
  1082. badSecretType := func(smtc *secretManagerTestCase) {
  1083. smtc.secretName = "name"
  1084. smtc.expectedSecret = ""
  1085. smtc.expectError = fmt.Sprintf("unknown Azure Keyvault object Type for %s", smtc.secretName)
  1086. smtc.ref.Key = fmt.Sprintf("dummy/%s", smtc.secretName)
  1087. }
  1088. setSecretTags := func(smtc *secretManagerTestCase) {
  1089. smtc.ref.MetadataPolicy = esv1beta1.ExternalSecretMetadataPolicyFetch
  1090. smtc.secretOutput = keyvault.SecretBundle{
  1091. Tags: tagMap,
  1092. }
  1093. smtc.expectedData[testsecret+"_"+tagname] = []byte(tagvalue)
  1094. smtc.expectedData[testsecret+"_"+tagname2] = []byte(tagvalue2)
  1095. }
  1096. setSecretWithJSONTag := func(smtc *secretManagerTestCase) {
  1097. tagJSONMap := make(map[string]*string)
  1098. tagJSONData := `{"keyname":"keyvalue","x":"y"}`
  1099. tagJSONMap["json"] = &tagJSONData
  1100. smtc.ref.MetadataPolicy = esv1beta1.ExternalSecretMetadataPolicyFetch
  1101. smtc.secretOutput = keyvault.SecretBundle{
  1102. Value: &secretString, Tags: tagJSONMap,
  1103. }
  1104. smtc.expectedData[testsecret+"_json_keyname"] = []byte("keyvalue")
  1105. smtc.expectedData[testsecret+"_json_x"] = []byte("y")
  1106. }
  1107. setSecretWithNoTags := func(smtc *secretManagerTestCase) {
  1108. smtc.ref.MetadataPolicy = esv1beta1.ExternalSecretMetadataPolicyFetch
  1109. tagMapTestEmpty := make(map[string]*string)
  1110. smtc.secretOutput = keyvault.SecretBundle{
  1111. Tags: tagMapTestEmpty,
  1112. }
  1113. smtc.expectedSecret = ""
  1114. }
  1115. nestedJSONNoProperty := func(smtc *secretManagerTestCase) {
  1116. jsonString := jsonTestString
  1117. smtc.expectedSecret = ""
  1118. smtc.secretOutput = keyvault.SecretBundle{
  1119. Value: &jsonString,
  1120. }
  1121. smtc.ref.Property = ""
  1122. smtc.expectedData["Name"] = []byte("External")
  1123. smtc.expectedData["LastName"] = []byte("Secret")
  1124. smtc.expectedData["Address"] = []byte(`{ "Street": "Myroad st.", "CP": "J4K4T4" }`)
  1125. }
  1126. setNestedJSONTag := func(smtc *secretManagerTestCase) {
  1127. secretTags := map[string]*string{}
  1128. tagValue := `{"foo":"bar","nested.tag":{"foo":"bar"}}`
  1129. bug := "1137"
  1130. secretTags["dev"] = &tagValue
  1131. secretTags["bug"] = &bug
  1132. smtc.ref.MetadataPolicy = esv1beta1.ExternalSecretMetadataPolicyFetch
  1133. smtc.secretOutput = keyvault.SecretBundle{
  1134. Tags: secretTags,
  1135. }
  1136. smtc.ref.Property = "dev"
  1137. smtc.expectedData[testsecret+"_dev"] = []byte(tagValue)
  1138. }
  1139. successCases := []*secretManagerTestCase{
  1140. makeValidSecretManagerTestCaseCustom(badSecretString),
  1141. makeValidSecretManagerTestCaseCustom(setSecretJSON),
  1142. makeValidSecretManagerTestCaseCustom(setSecretJSONWithProperty),
  1143. makeValidSecretManagerTestCaseCustom(badSecretWithProperty),
  1144. makeValidSecretManagerTestCaseCustom(badPubRSAKey),
  1145. makeValidSecretManagerTestCaseCustom(badCertificate),
  1146. makeValidSecretManagerTestCaseCustom(badSecretType),
  1147. makeValidSecretManagerTestCaseCustom(setSecretTags),
  1148. makeValidSecretManagerTestCaseCustom(setSecretWithJSONTag),
  1149. makeValidSecretManagerTestCaseCustom(setSecretWithNoTags),
  1150. makeValidSecretManagerTestCaseCustom(nestedJSONNoProperty),
  1151. makeValidSecretManagerTestCaseCustom(setNestedJSONTag),
  1152. }
  1153. sm := Azure{
  1154. provider: &esv1beta1.AzureKVProvider{VaultURL: pointer.String(fakeURL)},
  1155. }
  1156. for k, v := range successCases {
  1157. sm.baseClient = v.mockClient
  1158. out, err := sm.GetSecretMap(context.Background(), *v.ref)
  1159. if !utils.ErrorContains(err, v.expectError) {
  1160. t.Errorf("[%d] unexpected error: %s, expected: '%s'", k, err.Error(), v.expectError)
  1161. }
  1162. if err == nil && !reflect.DeepEqual(out, v.expectedData) {
  1163. t.Errorf("[%d] unexpected secret data: expected %#v, got %#v", k, v.expectedData, out)
  1164. }
  1165. }
  1166. }
  1167. func TestAzureKeyVaultSecretManagerGetAllSecrets(t *testing.T) {
  1168. secretString := secretString
  1169. secretName := secretName
  1170. wrongName := "not-valid"
  1171. environment := "dev"
  1172. author := "seb"
  1173. enabled := true
  1174. getNextPage := func(ctx context.Context, list keyvault.SecretListResult) (result keyvault.SecretListResult, err error) {
  1175. return keyvault.SecretListResult{
  1176. Value: nil,
  1177. NextLink: nil,
  1178. }, nil
  1179. }
  1180. setOneSecretByName := func(smtc *secretManagerTestCase) {
  1181. enabledAtt := keyvault.SecretAttributes{
  1182. Enabled: &enabled,
  1183. }
  1184. secretItem := keyvault.SecretItem{
  1185. ID: &secretName,
  1186. Attributes: &enabledAtt,
  1187. }
  1188. secretList := make([]keyvault.SecretItem, 0)
  1189. secretList = append(secretList, secretItem)
  1190. list := keyvault.SecretListResult{
  1191. Value: &secretList,
  1192. }
  1193. resultPage := keyvault.NewSecretListResultPage(list, getNextPage)
  1194. smtc.listOutput = keyvault.NewSecretListResultIterator(resultPage)
  1195. smtc.expectedSecret = secretString
  1196. smtc.secretOutput = keyvault.SecretBundle{
  1197. Value: &secretString,
  1198. }
  1199. smtc.expectedData[secretName] = []byte(secretString)
  1200. }
  1201. setTwoSecretsByName := func(smtc *secretManagerTestCase) {
  1202. enabledAtt := keyvault.SecretAttributes{
  1203. Enabled: &enabled,
  1204. }
  1205. secretItemOne := keyvault.SecretItem{
  1206. ID: &secretName,
  1207. Attributes: &enabledAtt,
  1208. }
  1209. secretItemTwo := keyvault.SecretItem{
  1210. ID: &wrongName,
  1211. Attributes: &enabledAtt,
  1212. }
  1213. secretList := make([]keyvault.SecretItem, 1)
  1214. secretList = append(secretList, secretItemOne, secretItemTwo)
  1215. list := keyvault.SecretListResult{
  1216. Value: &secretList,
  1217. }
  1218. resultPage := keyvault.NewSecretListResultPage(list, getNextPage)
  1219. smtc.listOutput = keyvault.NewSecretListResultIterator(resultPage)
  1220. smtc.expectedSecret = secretString
  1221. smtc.secretOutput = keyvault.SecretBundle{
  1222. Value: &secretString,
  1223. }
  1224. smtc.expectedData[secretName] = []byte(secretString)
  1225. }
  1226. setOneSecretByTag := func(smtc *secretManagerTestCase) {
  1227. enabledAtt := keyvault.SecretAttributes{
  1228. Enabled: &enabled,
  1229. }
  1230. secretItem := keyvault.SecretItem{
  1231. ID: &secretName,
  1232. Attributes: &enabledAtt,
  1233. Tags: map[string]*string{"environment": &environment},
  1234. }
  1235. secretList := make([]keyvault.SecretItem, 0)
  1236. secretList = append(secretList, secretItem)
  1237. list := keyvault.SecretListResult{
  1238. Value: &secretList,
  1239. }
  1240. resultPage := keyvault.NewSecretListResultPage(list, getNextPage)
  1241. smtc.listOutput = keyvault.NewSecretListResultIterator(resultPage)
  1242. smtc.expectedSecret = secretString
  1243. smtc.secretOutput = keyvault.SecretBundle{
  1244. Value: &secretString,
  1245. }
  1246. smtc.refFind.Tags = map[string]string{"environment": environment}
  1247. smtc.expectedData[secretName] = []byte(secretString)
  1248. }
  1249. setTwoSecretsByTag := func(smtc *secretManagerTestCase) {
  1250. enabled := true
  1251. enabledAtt := keyvault.SecretAttributes{
  1252. Enabled: &enabled,
  1253. }
  1254. secretItem := keyvault.SecretItem{
  1255. ID: &secretName,
  1256. Attributes: &enabledAtt,
  1257. Tags: map[string]*string{"environment": &environment, "author": &author},
  1258. }
  1259. secretList := make([]keyvault.SecretItem, 0)
  1260. secretList = append(secretList, secretItem)
  1261. list := keyvault.SecretListResult{
  1262. Value: &secretList,
  1263. }
  1264. resultPage := keyvault.NewSecretListResultPage(list, getNextPage)
  1265. smtc.listOutput = keyvault.NewSecretListResultIterator(resultPage)
  1266. smtc.expectedSecret = secretString
  1267. smtc.secretOutput = keyvault.SecretBundle{
  1268. Value: &secretString,
  1269. }
  1270. smtc.refFind.Tags = map[string]string{"environment": environment, "author": author}
  1271. smtc.expectedData[secretName] = []byte(secretString)
  1272. }
  1273. successCases := []*secretManagerTestCase{
  1274. makeValidSecretManagerTestCaseCustom(setOneSecretByName),
  1275. makeValidSecretManagerTestCaseCustom(setTwoSecretsByName),
  1276. makeValidSecretManagerTestCaseCustom(setOneSecretByTag),
  1277. makeValidSecretManagerTestCaseCustom(setTwoSecretsByTag),
  1278. }
  1279. sm := Azure{
  1280. provider: &esv1beta1.AzureKVProvider{VaultURL: pointer.String(fakeURL)},
  1281. }
  1282. for k, v := range successCases {
  1283. sm.baseClient = v.mockClient
  1284. out, err := sm.GetAllSecrets(context.Background(), *v.refFind)
  1285. if !utils.ErrorContains(err, v.expectError) {
  1286. t.Errorf(unexpectedError, k, err.Error(), v.expectError)
  1287. }
  1288. if err == nil && !reflect.DeepEqual(out, v.expectedData) {
  1289. t.Errorf(unexpectedSecretData, k, v.expectedData, out)
  1290. }
  1291. }
  1292. }
  1293. func makeValidRef() *esv1beta1.ExternalSecretDataRemoteRef {
  1294. return &esv1beta1.ExternalSecretDataRemoteRef{
  1295. Key: "test-secret",
  1296. Version: "default",
  1297. Property: "",
  1298. }
  1299. }
  1300. func makeValidFind() *esv1beta1.ExternalSecretFind {
  1301. return &esv1beta1.ExternalSecretFind{
  1302. Name: &esv1beta1.FindName{
  1303. RegExp: "^example",
  1304. },
  1305. Tags: map[string]string{},
  1306. }
  1307. }
  1308. func TestValidateStore(t *testing.T) {
  1309. type args struct {
  1310. store *esv1beta1.SecretStore
  1311. }
  1312. tests := []struct {
  1313. name string
  1314. args args
  1315. wantErr bool
  1316. }{
  1317. {
  1318. name: "storeIsNil",
  1319. wantErr: true,
  1320. },
  1321. {
  1322. name: "specIsNil",
  1323. wantErr: true,
  1324. args: args{
  1325. store: &esv1beta1.SecretStore{},
  1326. },
  1327. },
  1328. {
  1329. name: "providerIsNil",
  1330. wantErr: true,
  1331. args: args{
  1332. store: &esv1beta1.SecretStore{
  1333. Spec: esv1beta1.SecretStoreSpec{},
  1334. },
  1335. },
  1336. },
  1337. {
  1338. name: "azureKVIsNil",
  1339. wantErr: true,
  1340. args: args{
  1341. store: &esv1beta1.SecretStore{
  1342. Spec: esv1beta1.SecretStoreSpec{
  1343. Provider: &esv1beta1.SecretStoreProvider{},
  1344. },
  1345. },
  1346. },
  1347. },
  1348. {
  1349. name: "empty auth",
  1350. wantErr: false,
  1351. args: args{
  1352. store: &esv1beta1.SecretStore{
  1353. Spec: esv1beta1.SecretStoreSpec{
  1354. Provider: &esv1beta1.SecretStoreProvider{
  1355. AzureKV: &esv1beta1.AzureKVProvider{},
  1356. },
  1357. },
  1358. },
  1359. },
  1360. },
  1361. {
  1362. name: "empty client id",
  1363. wantErr: false,
  1364. args: args{
  1365. store: &esv1beta1.SecretStore{
  1366. Spec: esv1beta1.SecretStoreSpec{
  1367. Provider: &esv1beta1.SecretStoreProvider{
  1368. AzureKV: &esv1beta1.AzureKVProvider{
  1369. AuthSecretRef: &esv1beta1.AzureKVAuth{},
  1370. },
  1371. },
  1372. },
  1373. },
  1374. },
  1375. },
  1376. {
  1377. name: "invalid client id",
  1378. wantErr: true,
  1379. args: args{
  1380. store: &esv1beta1.SecretStore{
  1381. Spec: esv1beta1.SecretStoreSpec{
  1382. Provider: &esv1beta1.SecretStoreProvider{
  1383. AzureKV: &esv1beta1.AzureKVProvider{
  1384. AuthSecretRef: &esv1beta1.AzureKVAuth{
  1385. ClientID: &v1.SecretKeySelector{
  1386. Namespace: pointer.String("invalid"),
  1387. },
  1388. },
  1389. },
  1390. },
  1391. },
  1392. },
  1393. },
  1394. },
  1395. {
  1396. name: "invalid client secret",
  1397. wantErr: true,
  1398. args: args{
  1399. store: &esv1beta1.SecretStore{
  1400. Spec: esv1beta1.SecretStoreSpec{
  1401. Provider: &esv1beta1.SecretStoreProvider{
  1402. AzureKV: &esv1beta1.AzureKVProvider{
  1403. AuthSecretRef: &esv1beta1.AzureKVAuth{
  1404. ClientSecret: &v1.SecretKeySelector{
  1405. Namespace: pointer.String("invalid"),
  1406. },
  1407. },
  1408. },
  1409. },
  1410. },
  1411. },
  1412. },
  1413. },
  1414. }
  1415. for _, tt := range tests {
  1416. t.Run(tt.name, func(t *testing.T) {
  1417. a := &Azure{}
  1418. if tt.name == "storeIsNil" {
  1419. if err := a.ValidateStore(nil); (err != nil) != tt.wantErr {
  1420. t.Errorf(errStore, err, tt.wantErr)
  1421. }
  1422. } else if err := a.ValidateStore(tt.args.store); (err != nil) != tt.wantErr {
  1423. t.Errorf(errStore, err, tt.wantErr)
  1424. }
  1425. })
  1426. }
  1427. }