auth_oidc_test.go 4.3 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166
  1. /*
  2. Copyright © The ESO Authors
  3. Licensed under the Apache License, Version 2.0 (the "License");
  4. you may not use this file except in compliance with the License.
  5. You may obtain a copy of the License at
  6. https://www.apache.org/licenses/LICENSE-2.0
  7. Unless required by applicable law or agreed to in writing, software
  8. distributed under the License is distributed on an "AS IS" BASIS,
  9. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  10. See the License for the specific language governing permissions and
  11. limitations under the License.
  12. */
  13. package doppler
  14. import (
  15. "context"
  16. "encoding/json"
  17. "net/http"
  18. "net/http/httptest"
  19. "testing"
  20. "time"
  21. "github.com/stretchr/testify/assert"
  22. "github.com/stretchr/testify/require"
  23. "k8s.io/client-go/kubernetes/fake"
  24. esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
  25. esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
  26. )
  27. func TestNewOIDCTokenManager_NilConfig(t *testing.T) {
  28. fakeClient := fake.NewSimpleClientset()
  29. // Test with nil store
  30. manager := NewOIDCTokenManager(fakeClient.CoreV1(), nil, "default", esv1.SecretStoreKind, "test-store")
  31. assert.Nil(t, manager)
  32. // Test with nil Auth
  33. store := &esv1.DopplerProvider{}
  34. manager = NewOIDCTokenManager(fakeClient.CoreV1(), store, "default", esv1.SecretStoreKind, "test-store")
  35. assert.Nil(t, manager)
  36. // Test with nil OIDCConfig
  37. store.Auth = &esv1.DopplerAuth{}
  38. manager = NewOIDCTokenManager(fakeClient.CoreV1(), store, "default", esv1.SecretStoreKind, "test-store")
  39. assert.Nil(t, manager)
  40. }
  41. func TestOIDCTokenManager_ExchangeToken(t *testing.T) {
  42. tests := []struct {
  43. name string
  44. responseBody map[string]any
  45. responseStatus int
  46. wantError bool
  47. errorContains string
  48. }{
  49. {
  50. name: "successful exchange",
  51. responseBody: map[string]any{
  52. "success": true,
  53. "token": "doppler_token_123",
  54. "expires_at": time.Now().Add(time.Hour).Format(time.RFC3339),
  55. },
  56. responseStatus: http.StatusOK,
  57. wantError: false,
  58. },
  59. {
  60. name: "failed exchange - success false",
  61. responseBody: map[string]any{
  62. "success": false,
  63. "error": "invalid identity",
  64. },
  65. responseStatus: http.StatusOK,
  66. wantError: true,
  67. errorContains: "Doppler OIDC auth failed",
  68. },
  69. {
  70. name: "unauthorized",
  71. responseBody: map[string]any{
  72. "error": "invalid_token",
  73. },
  74. responseStatus: http.StatusUnauthorized,
  75. wantError: true,
  76. errorContains: "Doppler OIDC auth failed",
  77. },
  78. {
  79. name: "server error",
  80. responseBody: nil,
  81. responseStatus: http.StatusInternalServerError,
  82. wantError: true,
  83. errorContains: "Doppler OIDC auth failed",
  84. },
  85. }
  86. for _, tt := range tests {
  87. t.Run(tt.name, func(t *testing.T) {
  88. server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
  89. w.WriteHeader(tt.responseStatus)
  90. if tt.responseBody != nil {
  91. _ = json.NewEncoder(w).Encode(tt.responseBody)
  92. }
  93. }))
  94. defer server.Close()
  95. // Set the custom base URL env var to use the test server
  96. t.Setenv(customBaseURLEnvVar, server.URL)
  97. fakeClient := fake.NewSimpleClientset()
  98. store := &esv1.DopplerProvider{
  99. Auth: &esv1.DopplerAuth{
  100. OIDCConfig: &esv1.DopplerOIDCAuth{
  101. Identity: "test-identity",
  102. ServiceAccountRef: esmeta.ServiceAccountSelector{
  103. Name: "test-sa",
  104. },
  105. },
  106. },
  107. }
  108. manager := NewOIDCTokenManager(fakeClient.CoreV1(), store, "default", esv1.SecretStoreKind, "test-store")
  109. require.NotNil(t, manager)
  110. token, _, err := manager.ExchangeToken(context.Background(), "k8s-token")
  111. if tt.wantError {
  112. require.Error(t, err)
  113. if tt.errorContains != "" {
  114. assert.Contains(t, err.Error(), tt.errorContains)
  115. }
  116. } else {
  117. require.NoError(t, err)
  118. assert.NotEmpty(t, token)
  119. }
  120. })
  121. }
  122. }
  123. func TestNewOIDCTokenManager_ValidConfig(t *testing.T) {
  124. fakeClient := fake.NewSimpleClientset()
  125. expSec := int64(600)
  126. store := &esv1.DopplerProvider{
  127. Auth: &esv1.DopplerAuth{
  128. OIDCConfig: &esv1.DopplerOIDCAuth{
  129. Identity: "test-identity",
  130. ServiceAccountRef: esmeta.ServiceAccountSelector{
  131. Name: "test-sa",
  132. },
  133. ExpirationSeconds: &expSec,
  134. },
  135. },
  136. }
  137. manager := NewOIDCTokenManager(
  138. fakeClient.CoreV1(),
  139. store,
  140. "default",
  141. esv1.SecretStoreKind,
  142. "test-store",
  143. )
  144. assert.NotNil(t, manager)
  145. }