lockbox_test.go 42 KB

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291301311321331341351361371381391401411421431441451461471481491501511521531541551561571581591601611621631641651661671681691701711721731741751761771781791801811821831841851861871881891901911921931941951961971981992002012022032042052062072082092102112122132142152162172182192202212222232242252262272282292302312322332342352362372382392402412422432442452462472482492502512522532542552562572582592602612622632642652662672682692702712722732742752762772782792802812822832842852862872882892902912922932942952962972982993003013023033043053063073083093103113123133143153163173183193203213223233243253263273283293303313323333343353363373383393403413423433443453463473483493503513523533543553563573583593603613623633643653663673683693703713723733743753763773783793803813823833843853863873883893903913923933943953963973983994004014024034044054064074084094104114124134144154164174184194204214224234244254264274284294304314324334344354364374384394404414424434444454464474484494504514524534544554564574584594604614624634644654664674684694704714724734744754764774784794804814824834844854864874884894904914924934944954964974984995005015025035045055065075085095105115125135145155165175185195205215225235245255265275285295305315325335345355365375385395405415425435445455465475485495505515525535545555565575585595605615625635645655665675685695705715725735745755765775785795805815825835845855865875885895905915925935945955965975985996006016026036046056066076086096106116126136146156166176186196206216226236246256266276286296306316326336346356366376386396406416426436446456466476486496506516526536546556566576586596606616626636646656666676686696706716726736746756766776786796806816826836846856866876886896906916926936946956966976986997007017027037047057067077087097107117127137147157167177187197207217227237247257267277287297307317327337347357367377387397407417427437447457467477487497507517527537547557567577587597607617627637647657667677687697707717727737747757767777787797807817827837847857867877887897907917927937947957967977987998008018028038048058068078088098108118128138148158168178188198208218228238248258268278288298308318328338348358368378388398408418428438448458468478488498508518528538548558568578588598608618628638648658668678688698708718728738748758768778788798808818828838848858868878888898908918928938948958968978988999009019029039049059069079089099109119129139149159169179189199209219229239249259269279289299309319329339349359369379389399409419429439449459469479489499509519529539549559569579589599609619629639649659669679689699709719729739749759769779789799809819829839849859869879889899909919929939949959969979989991000100110021003100410051006100710081009101010111012101310141015101610171018101910201021102210231024102510261027102810291030103110321033103410351036103710381039104010411042104310441045104610471048104910501051105210531054105510561057105810591060106110621063106410651066106710681069107010711072107310741075107610771078107910801081108210831084108510861087108810891090109110921093109410951096109710981099110011011102110311041105110611071108110911101111111211131114
  1. /*
  2. Copyright © 2025 ESO Maintainer Team
  3. Licensed under the Apache License, Version 2.0 (the "License");
  4. you may not use this file except in compliance with the License.
  5. You may obtain a copy of the License at
  6. https://www.apache.org/licenses/LICENSE-2.0
  7. Unless required by applicable law or agreed to in writing, software
  8. distributed under the License is distributed on an "AS IS" BASIS,
  9. WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  10. See the License for the specific language governing permissions and
  11. limitations under the License.
  12. */
  13. package lockbox
  14. import (
  15. "context"
  16. b64 "encoding/base64"
  17. "encoding/json"
  18. "testing"
  19. "time"
  20. "github.com/google/uuid"
  21. tassert "github.com/stretchr/testify/assert"
  22. "github.com/yandex-cloud/go-genproto/yandex/cloud/lockbox/v1"
  23. "github.com/yandex-cloud/go-sdk/iamkey"
  24. corev1 "k8s.io/api/core/v1"
  25. metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
  26. ctrl "sigs.k8s.io/controller-runtime"
  27. k8sclient "sigs.k8s.io/controller-runtime/pkg/client"
  28. clientfake "sigs.k8s.io/controller-runtime/pkg/client/fake"
  29. esv1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
  30. esmeta "github.com/external-secrets/external-secrets/apis/meta/v1"
  31. "github.com/external-secrets/external-secrets/pkg/provider/yandex/common"
  32. "github.com/external-secrets/external-secrets/pkg/provider/yandex/common/clock"
  33. "github.com/external-secrets/external-secrets/pkg/provider/yandex/lockbox/client"
  34. )
  35. const (
  36. errMissingKey = "invalid Yandex Lockbox SecretStore resource: missing AuthorizedKey Name"
  37. errSecretPayloadPermissionDenied = "unable to request secret payload to get secret: permission denied"
  38. errSecretPayloadNotFound = "unable to request secret payload to get secret: secret not found"
  39. errSecretPayloadVersionNotFound = "unable to request secret payload to get secret: version not found"
  40. )
  41. func TestNewClient(t *testing.T) {
  42. ctx := context.Background()
  43. const namespace = "namespace"
  44. const authorizedKeySecretName = "authorizedKeySecretName"
  45. const authorizedKeySecretKey = "authorizedKeySecretKey"
  46. store := &esv1.SecretStore{
  47. ObjectMeta: metav1.ObjectMeta{
  48. Namespace: namespace,
  49. },
  50. Spec: esv1.SecretStoreSpec{
  51. Provider: &esv1.SecretStoreProvider{
  52. YandexLockbox: &esv1.YandexLockboxProvider{
  53. Auth: esv1.YandexAuth{
  54. AuthorizedKey: esmeta.SecretKeySelector{
  55. Key: authorizedKeySecretKey,
  56. Name: authorizedKeySecretName,
  57. },
  58. },
  59. },
  60. },
  61. },
  62. }
  63. provider, err := esv1.GetProvider(store)
  64. tassert.Nil(t, err)
  65. k8sClient := clientfake.NewClientBuilder().Build()
  66. secretClient, err := provider.NewClient(context.Background(), store, k8sClient, namespace)
  67. tassert.EqualError(t, err, "cannot get Kubernetes secret \"authorizedKeySecretName\" from namespace \"namespace\": secrets \"authorizedKeySecretName\" not found")
  68. tassert.Nil(t, secretClient)
  69. err = createK8sSecret(ctx, t, k8sClient, namespace, authorizedKeySecretName, authorizedKeySecretKey, toJSON(t, newFakeAuthorizedKey()))
  70. tassert.Nil(t, err)
  71. const caCertificateSecretName = "caCertificateSecretName"
  72. const caCertificateSecretKey = "caCertificateSecretKey"
  73. store.Spec.Provider.YandexLockbox.CAProvider = &esv1.YandexCAProvider{
  74. Certificate: esmeta.SecretKeySelector{
  75. Key: caCertificateSecretKey,
  76. Name: caCertificateSecretName,
  77. },
  78. }
  79. secretClient, err = provider.NewClient(context.Background(), store, k8sClient, namespace)
  80. tassert.EqualError(t, err, "cannot get Kubernetes secret \"caCertificateSecretName\" from namespace \"namespace\": secrets \"caCertificateSecretName\" not found")
  81. tassert.Nil(t, secretClient)
  82. err = createK8sSecret(ctx, t, k8sClient, namespace, caCertificateSecretName, caCertificateSecretKey, []byte("it-is-not-a-certificate"))
  83. tassert.Nil(t, err)
  84. secretClient, err = provider.NewClient(context.Background(), store, k8sClient, namespace)
  85. tassert.EqualError(t, err, "failed to create Yandex.Cloud client: unable to read trusted CA certificates")
  86. tassert.Nil(t, secretClient)
  87. }
  88. func TestGetSecretForAllEntries(t *testing.T) {
  89. ctx := context.Background()
  90. namespace := uuid.NewString()
  91. authorizedKey := newFakeAuthorizedKey()
  92. fakeClock := clock.NewFakeClock()
  93. fakeLockboxServer := client.NewFakeLockboxServer(fakeClock, time.Hour)
  94. k1, v1 := "k1", "v1"
  95. k2, v2 := "k2", []byte("v2")
  96. secretID, _ := fakeLockboxServer.CreateSecret(authorizedKey,
  97. "folderId", "secretName",
  98. textEntry(k1, v1),
  99. binaryEntry(k2, v2),
  100. )
  101. k8sClient := clientfake.NewClientBuilder().Build()
  102. const authorizedKeySecretName = "authorizedKeySecretName"
  103. const authorizedKeySecretKey = "authorizedKeySecretKey"
  104. err := createK8sSecret(ctx, t, k8sClient, namespace, authorizedKeySecretName, authorizedKeySecretKey, toJSON(t, authorizedKey))
  105. tassert.Nil(t, err)
  106. store := newYandexLockboxSecretStore("", namespace, authorizedKeySecretName, authorizedKeySecretKey)
  107. provider := newLockboxProvider(fakeClock, fakeLockboxServer)
  108. secretsClient, err := provider.NewClient(ctx, store, k8sClient, namespace)
  109. tassert.Nil(t, err)
  110. data, err := secretsClient.GetSecret(ctx, esv1.ExternalSecretDataRemoteRef{Key: secretID})
  111. tassert.Nil(t, err)
  112. tassert.Equal(
  113. t,
  114. map[string]string{
  115. k1: v1,
  116. k2: base64(v2),
  117. },
  118. unmarshalStringMap(t, data),
  119. )
  120. }
  121. func TestGetSecretForTextEntry(t *testing.T) {
  122. ctx := context.Background()
  123. namespace := uuid.NewString()
  124. authorizedKey := newFakeAuthorizedKey()
  125. fakeClock := clock.NewFakeClock()
  126. fakeLockboxServer := client.NewFakeLockboxServer(fakeClock, time.Hour)
  127. k1, v1 := "k1", "v1"
  128. k2, v2 := "k2", []byte("v2")
  129. secretID, _ := fakeLockboxServer.CreateSecret(authorizedKey,
  130. "folderId", "secretName",
  131. textEntry(k1, v1),
  132. binaryEntry(k2, v2),
  133. )
  134. k8sClient := clientfake.NewClientBuilder().Build()
  135. const authorizedKeySecretName = "authorizedKeySecretName"
  136. const authorizedKeySecretKey = "authorizedKeySecretKey"
  137. err := createK8sSecret(ctx, t, k8sClient, namespace, authorizedKeySecretName, authorizedKeySecretKey, toJSON(t, authorizedKey))
  138. tassert.Nil(t, err)
  139. store := newYandexLockboxSecretStore("", namespace, authorizedKeySecretName, authorizedKeySecretKey)
  140. provider := newLockboxProvider(fakeClock, fakeLockboxServer)
  141. secretsClient, err := provider.NewClient(ctx, store, k8sClient, namespace)
  142. tassert.Nil(t, err)
  143. data, err := secretsClient.GetSecret(ctx, esv1.ExternalSecretDataRemoteRef{Key: secretID, Property: k1})
  144. tassert.Nil(t, err)
  145. tassert.Equal(t, v1, string(data))
  146. }
  147. func TestGetSecretForBinaryEntry(t *testing.T) {
  148. ctx := context.Background()
  149. namespace := uuid.NewString()
  150. authorizedKey := newFakeAuthorizedKey()
  151. fakeClock := clock.NewFakeClock()
  152. fakeLockboxServer := client.NewFakeLockboxServer(fakeClock, time.Hour)
  153. k1, v1 := "k1", "v1"
  154. k2, v2 := "k2", []byte("v2")
  155. secretID, _ := fakeLockboxServer.CreateSecret(authorizedKey,
  156. "folderId", "secretName",
  157. textEntry(k1, v1),
  158. binaryEntry(k2, v2),
  159. )
  160. k8sClient := clientfake.NewClientBuilder().Build()
  161. const authorizedKeySecretName = "authorizedKeySecretName"
  162. const authorizedKeySecretKey = "authorizedKeySecretKey"
  163. err := createK8sSecret(ctx, t, k8sClient, namespace, authorizedKeySecretName, authorizedKeySecretKey, toJSON(t, authorizedKey))
  164. tassert.Nil(t, err)
  165. store := newYandexLockboxSecretStore("", namespace, authorizedKeySecretName, authorizedKeySecretKey)
  166. provider := newLockboxProvider(fakeClock, fakeLockboxServer)
  167. secretsClient, err := provider.NewClient(ctx, store, k8sClient, namespace)
  168. tassert.Nil(t, err)
  169. data, err := secretsClient.GetSecret(ctx, esv1.ExternalSecretDataRemoteRef{Key: secretID, Property: k2})
  170. tassert.Nil(t, err)
  171. tassert.Equal(t, v2, data)
  172. }
  173. func TestGetSecretByVersionID(t *testing.T) {
  174. ctx := context.Background()
  175. namespace := uuid.NewString()
  176. authorizedKey := newFakeAuthorizedKey()
  177. fakeClock := clock.NewFakeClock()
  178. fakeLockboxServer := client.NewFakeLockboxServer(fakeClock, time.Hour)
  179. const oldKey, oldVal = "oldKey", "oldVal"
  180. secretID, oldVersionID := fakeLockboxServer.CreateSecret(authorizedKey,
  181. "folderId", "secretName",
  182. textEntry(oldKey, oldVal),
  183. )
  184. k8sClient := clientfake.NewClientBuilder().Build()
  185. const authorizedKeySecretName = "authorizedKeySecretName"
  186. const authorizedKeySecretKey = "authorizedKeySecretKey"
  187. err := createK8sSecret(ctx, t, k8sClient, namespace, authorizedKeySecretName, authorizedKeySecretKey, toJSON(t, authorizedKey))
  188. tassert.Nil(t, err)
  189. store := newYandexLockboxSecretStore("", namespace, authorizedKeySecretName, authorizedKeySecretKey)
  190. provider := newLockboxProvider(fakeClock, fakeLockboxServer)
  191. secretsClient, err := provider.NewClient(ctx, store, k8sClient, namespace)
  192. tassert.Nil(t, err)
  193. data, err := secretsClient.GetSecret(ctx, esv1.ExternalSecretDataRemoteRef{Key: secretID, Version: oldVersionID})
  194. tassert.Nil(t, err)
  195. tassert.Equal(t, map[string]string{oldKey: oldVal}, unmarshalStringMap(t, data))
  196. const newKey, newVal = "newKey", "newVal"
  197. newVersionID := fakeLockboxServer.AddVersion(secretID, textEntry(newKey, newVal))
  198. data, err = secretsClient.GetSecret(ctx, esv1.ExternalSecretDataRemoteRef{Key: secretID, Version: oldVersionID})
  199. tassert.Nil(t, err)
  200. tassert.Equal(t, map[string]string{oldKey: oldVal}, unmarshalStringMap(t, data))
  201. data, err = secretsClient.GetSecret(ctx, esv1.ExternalSecretDataRemoteRef{Key: secretID, Version: newVersionID})
  202. tassert.Nil(t, err)
  203. tassert.Equal(t, map[string]string{newKey: newVal}, unmarshalStringMap(t, data))
  204. }
  205. func TestGetSecretUnauthorized(t *testing.T) {
  206. ctx := context.Background()
  207. namespace := uuid.NewString()
  208. authorizedKeyA := newFakeAuthorizedKey()
  209. authorizedKeyB := newFakeAuthorizedKey()
  210. fakeClock := clock.NewFakeClock()
  211. fakeLockboxServer := client.NewFakeLockboxServer(fakeClock, time.Hour)
  212. secretID, _ := fakeLockboxServer.CreateSecret(authorizedKeyA,
  213. "folderId", "secretName",
  214. textEntry("k1", "v1"),
  215. )
  216. k8sClient := clientfake.NewClientBuilder().Build()
  217. const authorizedKeySecretName = "authorizedKeySecretName"
  218. const authorizedKeySecretKey = "authorizedKeySecretKey"
  219. err := createK8sSecret(ctx, t, k8sClient, namespace, authorizedKeySecretName, authorizedKeySecretKey, toJSON(t, authorizedKeyB))
  220. tassert.Nil(t, err)
  221. store := newYandexLockboxSecretStore("", namespace, authorizedKeySecretName, authorizedKeySecretKey)
  222. provider := newLockboxProvider(fakeClock, fakeLockboxServer)
  223. secretsClient, err := provider.NewClient(ctx, store, k8sClient, namespace)
  224. tassert.Nil(t, err)
  225. _, err = secretsClient.GetSecret(ctx, esv1.ExternalSecretDataRemoteRef{Key: secretID})
  226. tassert.EqualError(t, err, errSecretPayloadPermissionDenied)
  227. }
  228. func TestGetSecretNotFound(t *testing.T) {
  229. ctx := context.Background()
  230. namespace := uuid.NewString()
  231. authorizedKey := newFakeAuthorizedKey()
  232. fakeClock := clock.NewFakeClock()
  233. fakeLockboxServer := client.NewFakeLockboxServer(fakeClock, time.Hour)
  234. k8sClient := clientfake.NewClientBuilder().Build()
  235. const authorizedKeySecretName = "authorizedKeySecretName"
  236. const authorizedKeySecretKey = "authorizedKeySecretKey"
  237. err := createK8sSecret(ctx, t, k8sClient, namespace, authorizedKeySecretName, authorizedKeySecretKey, toJSON(t, authorizedKey))
  238. tassert.Nil(t, err)
  239. store := newYandexLockboxSecretStore("", namespace, authorizedKeySecretName, authorizedKeySecretKey)
  240. provider := newLockboxProvider(fakeClock, fakeLockboxServer)
  241. secretsClient, err := provider.NewClient(ctx, store, k8sClient, namespace)
  242. tassert.Nil(t, err)
  243. _, err = secretsClient.GetSecret(ctx, esv1.ExternalSecretDataRemoteRef{Key: "no-secret-with-this-id"})
  244. tassert.EqualError(t, err, errSecretPayloadNotFound)
  245. secretID, _ := fakeLockboxServer.CreateSecret(authorizedKey,
  246. "folderId", "secretName",
  247. textEntry("k1", "v1"),
  248. )
  249. _, err = secretsClient.GetSecret(ctx, esv1.ExternalSecretDataRemoteRef{Key: secretID, Version: "no-version-with-this-id"})
  250. tassert.EqualError(t, err, errSecretPayloadVersionNotFound)
  251. }
  252. func TestGetSecretWithTwoNamespaces(t *testing.T) {
  253. ctx := context.Background()
  254. namespace1 := uuid.NewString()
  255. namespace2 := uuid.NewString()
  256. authorizedKey1 := newFakeAuthorizedKey()
  257. authorizedKey2 := newFakeAuthorizedKey()
  258. fakeClock := clock.NewFakeClock()
  259. fakeLockboxServer := client.NewFakeLockboxServer(fakeClock, time.Hour)
  260. k1, v1 := "k1", "v1"
  261. secretID1, _ := fakeLockboxServer.CreateSecret(authorizedKey1,
  262. "folderId", "secretName1",
  263. textEntry(k1, v1),
  264. )
  265. k2, v2 := "k2", "v2"
  266. secretID2, _ := fakeLockboxServer.CreateSecret(authorizedKey2,
  267. "folderId", "secretName2",
  268. textEntry(k2, v2),
  269. textEntry(k2, v2),
  270. )
  271. k8sClient := clientfake.NewClientBuilder().Build()
  272. const authorizedKeySecretName = "authorizedKeySecretName"
  273. const authorizedKeySecretKey = "authorizedKeySecretKey"
  274. err := createK8sSecret(ctx, t, k8sClient, namespace1, authorizedKeySecretName, authorizedKeySecretKey, toJSON(t, authorizedKey1))
  275. tassert.Nil(t, err)
  276. err = createK8sSecret(ctx, t, k8sClient, namespace2, authorizedKeySecretName, authorizedKeySecretKey, toJSON(t, authorizedKey2))
  277. tassert.Nil(t, err)
  278. store1 := newYandexLockboxSecretStore("", namespace1, authorizedKeySecretName, authorizedKeySecretKey)
  279. store2 := newYandexLockboxSecretStore("", namespace2, authorizedKeySecretName, authorizedKeySecretKey)
  280. provider := newLockboxProvider(fakeClock, fakeLockboxServer)
  281. secretsClient1, err := provider.NewClient(ctx, store1, k8sClient, namespace1)
  282. tassert.Nil(t, err)
  283. secretsClient2, err := provider.NewClient(ctx, store2, k8sClient, namespace2)
  284. tassert.Nil(t, err)
  285. data, err := secretsClient1.GetSecret(ctx, esv1.ExternalSecretDataRemoteRef{Key: secretID1, Property: k1})
  286. tassert.Equal(t, v1, string(data))
  287. tassert.Nil(t, err)
  288. data, err = secretsClient1.GetSecret(ctx, esv1.ExternalSecretDataRemoteRef{Key: secretID2, Property: k2})
  289. tassert.Nil(t, data)
  290. tassert.EqualError(t, err, errSecretPayloadPermissionDenied)
  291. data, err = secretsClient2.GetSecret(ctx, esv1.ExternalSecretDataRemoteRef{Key: secretID1, Property: k1})
  292. tassert.Nil(t, data)
  293. tassert.EqualError(t, err, errSecretPayloadPermissionDenied)
  294. data, err = secretsClient2.GetSecret(ctx, esv1.ExternalSecretDataRemoteRef{Key: secretID2, Property: k2})
  295. tassert.Equal(t, v2, string(data))
  296. tassert.Nil(t, err)
  297. }
  298. func TestGetSecretWithTwoApiEndpoints(t *testing.T) {
  299. ctx := context.Background()
  300. apiEndpoint1 := uuid.NewString()
  301. apiEndpoint2 := uuid.NewString()
  302. namespace := uuid.NewString()
  303. authorizedKey1 := newFakeAuthorizedKey()
  304. authorizedKey2 := newFakeAuthorizedKey()
  305. fakeClock := clock.NewFakeClock()
  306. fakeLockboxServer1 := client.NewFakeLockboxServer(fakeClock, time.Hour)
  307. k1, v1 := "k1", "v1"
  308. secretID1, _ := fakeLockboxServer1.CreateSecret(authorizedKey1,
  309. "folderId", "secretName",
  310. textEntry(k1, v1),
  311. )
  312. fakeLockboxServer2 := client.NewFakeLockboxServer(fakeClock, time.Hour)
  313. k2, v2 := "k2", "v2"
  314. secretID2, _ := fakeLockboxServer2.CreateSecret(authorizedKey2,
  315. "folderId", "secretName",
  316. textEntry(k2, v2),
  317. )
  318. k8sClient := clientfake.NewClientBuilder().Build()
  319. const authorizedKeySecretName1 = "authorizedKeySecretName1"
  320. const authorizedKeySecretKey1 = "authorizedKeySecretKey1"
  321. err := createK8sSecret(ctx, t, k8sClient, namespace, authorizedKeySecretName1, authorizedKeySecretKey1, toJSON(t, authorizedKey1))
  322. tassert.Nil(t, err)
  323. const authorizedKeySecretName2 = "authorizedKeySecretName2"
  324. const authorizedKeySecretKey2 = "authorizedKeySecretKey2"
  325. err = createK8sSecret(ctx, t, k8sClient, namespace, authorizedKeySecretName2, authorizedKeySecretKey2, toJSON(t, authorizedKey2))
  326. tassert.Nil(t, err)
  327. store1 := newYandexLockboxSecretStore(apiEndpoint1, namespace, authorizedKeySecretName1, authorizedKeySecretKey1)
  328. store2 := newYandexLockboxSecretStore(apiEndpoint2, namespace, authorizedKeySecretName2, authorizedKeySecretKey2)
  329. provider1 := newLockboxProvider(fakeClock, fakeLockboxServer1)
  330. provider2 := newLockboxProvider(fakeClock, fakeLockboxServer2)
  331. secretsClient1, err := provider1.NewClient(ctx, store1, k8sClient, namespace)
  332. tassert.Nil(t, err)
  333. secretsClient2, err := provider2.NewClient(ctx, store2, k8sClient, namespace)
  334. tassert.Nil(t, err)
  335. var data []byte
  336. data, err = secretsClient1.GetSecret(ctx, esv1.ExternalSecretDataRemoteRef{Key: secretID1, Property: k1})
  337. tassert.Equal(t, v1, string(data))
  338. tassert.Nil(t, err)
  339. data, err = secretsClient1.GetSecret(ctx, esv1.ExternalSecretDataRemoteRef{Key: secretID2, Property: k2})
  340. tassert.Nil(t, data)
  341. tassert.EqualError(t, err, errSecretPayloadNotFound)
  342. data, err = secretsClient2.GetSecret(ctx, esv1.ExternalSecretDataRemoteRef{Key: secretID1, Property: k1})
  343. tassert.Nil(t, data)
  344. tassert.EqualError(t, err, errSecretPayloadNotFound)
  345. data, err = secretsClient2.GetSecret(ctx, esv1.ExternalSecretDataRemoteRef{Key: secretID2, Property: k2})
  346. tassert.Equal(t, v2, string(data))
  347. tassert.Nil(t, err)
  348. }
  349. func TestGetSecretWithIamTokenExpiration(t *testing.T) {
  350. ctx := context.Background()
  351. namespace := uuid.NewString()
  352. authorizedKey := newFakeAuthorizedKey()
  353. fakeClock := clock.NewFakeClock()
  354. tokenExpirationTime := time.Hour
  355. fakeLockboxServer := client.NewFakeLockboxServer(fakeClock, tokenExpirationTime)
  356. k1, v1 := "k1", "v1"
  357. secretID, _ := fakeLockboxServer.CreateSecret(authorizedKey,
  358. "folderId", "secretName",
  359. textEntry(k1, v1),
  360. )
  361. k8sClient := clientfake.NewClientBuilder().Build()
  362. const authorizedKeySecretName = "authorizedKeySecretName"
  363. const authorizedKeySecretKey = "authorizedKeySecretKey"
  364. err := createK8sSecret(ctx, t, k8sClient, namespace, authorizedKeySecretName, authorizedKeySecretKey, toJSON(t, authorizedKey))
  365. tassert.Nil(t, err)
  366. store := newYandexLockboxSecretStore("", namespace, authorizedKeySecretName, authorizedKeySecretKey)
  367. provider := newLockboxProvider(fakeClock, fakeLockboxServer)
  368. var data []byte
  369. oldSecretsClient, err := provider.NewClient(ctx, store, k8sClient, namespace)
  370. tassert.Nil(t, err)
  371. data, err = oldSecretsClient.GetSecret(ctx, esv1.ExternalSecretDataRemoteRef{Key: secretID, Property: k1})
  372. tassert.Equal(t, v1, string(data))
  373. tassert.Nil(t, err)
  374. fakeClock.AddDuration(2 * tokenExpirationTime)
  375. data, err = oldSecretsClient.GetSecret(ctx, esv1.ExternalSecretDataRemoteRef{Key: secretID, Property: k1})
  376. tassert.Nil(t, data)
  377. tassert.EqualError(t, err, "unable to request secret payload to get secret: iam token expired")
  378. newSecretsClient, err := provider.NewClient(ctx, store, k8sClient, namespace)
  379. tassert.Nil(t, err)
  380. data, err = newSecretsClient.GetSecret(ctx, esv1.ExternalSecretDataRemoteRef{Key: secretID, Property: k1})
  381. tassert.Equal(t, v1, string(data))
  382. tassert.Nil(t, err)
  383. }
  384. func TestGetSecretWithIamTokenCleanup(t *testing.T) {
  385. ctx := context.Background()
  386. namespace := uuid.NewString()
  387. authorizedKey1 := newFakeAuthorizedKey()
  388. authorizedKey2 := newFakeAuthorizedKey()
  389. fakeClock := clock.NewFakeClock()
  390. tokenExpirationDuration := time.Hour
  391. fakeLockboxServer := client.NewFakeLockboxServer(fakeClock, tokenExpirationDuration)
  392. secretID1, _ := fakeLockboxServer.CreateSecret(authorizedKey1,
  393. "folderId", "secretName1",
  394. textEntry("k1", "v1"),
  395. )
  396. secretID2, _ := fakeLockboxServer.CreateSecret(authorizedKey2,
  397. "folderId", "secretName2",
  398. textEntry("k2", "v2"),
  399. )
  400. var err error
  401. k8sClient := clientfake.NewClientBuilder().Build()
  402. const authorizedKeySecretName1 = "authorizedKeySecretName1"
  403. const authorizedKeySecretKey1 = "authorizedKeySecretKey1"
  404. err = createK8sSecret(ctx, t, k8sClient, namespace, authorizedKeySecretName1, authorizedKeySecretKey1, toJSON(t, authorizedKey1))
  405. tassert.Nil(t, err)
  406. const authorizedKeySecretName2 = "authorizedKeySecretName2"
  407. const authorizedKeySecretKey2 = "authorizedKeySecretKey2"
  408. err = createK8sSecret(ctx, t, k8sClient, namespace, authorizedKeySecretName2, authorizedKeySecretKey2, toJSON(t, authorizedKey2))
  409. tassert.Nil(t, err)
  410. store1 := newYandexLockboxSecretStore("", namespace, authorizedKeySecretName1, authorizedKeySecretKey1)
  411. store2 := newYandexLockboxSecretStore("", namespace, authorizedKeySecretName2, authorizedKeySecretKey2)
  412. provider := newLockboxProvider(fakeClock, fakeLockboxServer)
  413. tassert.False(t, provider.IsIamTokenCached(authorizedKey1))
  414. tassert.False(t, provider.IsIamTokenCached(authorizedKey2))
  415. // Access secretID1 with authorizedKey1, IAM token for authorizedKey1 should be cached
  416. secretsClient, err := provider.NewClient(ctx, store1, k8sClient, namespace)
  417. tassert.Nil(t, err)
  418. _, err = secretsClient.GetSecret(ctx, esv1.ExternalSecretDataRemoteRef{Key: secretID1})
  419. tassert.Nil(t, err)
  420. tassert.True(t, provider.IsIamTokenCached(authorizedKey1))
  421. tassert.False(t, provider.IsIamTokenCached(authorizedKey2))
  422. fakeClock.AddDuration(tokenExpirationDuration * 2)
  423. // Access secretID2 with authorizedKey2, IAM token for authorizedKey2 should be cached
  424. secretsClient, err = provider.NewClient(ctx, store2, k8sClient, namespace)
  425. tassert.Nil(t, err)
  426. _, err = secretsClient.GetSecret(ctx, esv1.ExternalSecretDataRemoteRef{Key: secretID2})
  427. tassert.Nil(t, err)
  428. tassert.True(t, provider.IsIamTokenCached(authorizedKey1))
  429. tassert.True(t, provider.IsIamTokenCached(authorizedKey2))
  430. fakeClock.AddDuration(tokenExpirationDuration)
  431. tassert.True(t, provider.IsIamTokenCached(authorizedKey1))
  432. tassert.True(t, provider.IsIamTokenCached(authorizedKey2))
  433. provider.CleanUpIamTokenMap()
  434. tassert.False(t, provider.IsIamTokenCached(authorizedKey1))
  435. tassert.True(t, provider.IsIamTokenCached(authorizedKey2))
  436. fakeClock.AddDuration(tokenExpirationDuration)
  437. tassert.False(t, provider.IsIamTokenCached(authorizedKey1))
  438. tassert.True(t, provider.IsIamTokenCached(authorizedKey2))
  439. provider.CleanUpIamTokenMap()
  440. tassert.False(t, provider.IsIamTokenCached(authorizedKey1))
  441. tassert.False(t, provider.IsIamTokenCached(authorizedKey2))
  442. }
  443. func TestGetSecretMap(t *testing.T) {
  444. ctx := context.Background()
  445. namespace := uuid.NewString()
  446. authorizedKey := newFakeAuthorizedKey()
  447. fakeClock := clock.NewFakeClock()
  448. fakeLockboxServer := client.NewFakeLockboxServer(fakeClock, time.Hour)
  449. k1, v1 := "k1", "v1"
  450. k2, v2 := "k2", []byte("v2")
  451. secretID, _ := fakeLockboxServer.CreateSecret(authorizedKey,
  452. "folderId", "secretName",
  453. textEntry(k1, v1),
  454. binaryEntry(k2, v2),
  455. )
  456. k8sClient := clientfake.NewClientBuilder().Build()
  457. const authorizedKeySecretName = "authorizedKeySecretName"
  458. const authorizedKeySecretKey = "authorizedKeySecretKey"
  459. err := createK8sSecret(ctx, t, k8sClient, namespace, authorizedKeySecretName, authorizedKeySecretKey, toJSON(t, authorizedKey))
  460. tassert.Nil(t, err)
  461. store := newYandexLockboxSecretStore("", namespace, authorizedKeySecretName, authorizedKeySecretKey)
  462. provider := newLockboxProvider(fakeClock, fakeLockboxServer)
  463. secretsClient, err := provider.NewClient(ctx, store, k8sClient, namespace)
  464. tassert.Nil(t, err)
  465. data, err := secretsClient.GetSecretMap(ctx, esv1.ExternalSecretDataRemoteRef{Key: secretID})
  466. tassert.Nil(t, err)
  467. tassert.Equal(
  468. t,
  469. map[string][]byte{
  470. k1: []byte(v1),
  471. k2: v2,
  472. },
  473. data,
  474. )
  475. }
  476. func TestGetSecretMapByVersionID(t *testing.T) {
  477. ctx := context.Background()
  478. namespace := uuid.NewString()
  479. authorizedKey := newFakeAuthorizedKey()
  480. fakeClock := clock.NewFakeClock()
  481. fakeLockboxServer := client.NewFakeLockboxServer(fakeClock, time.Hour)
  482. oldKey, oldVal := "oldKey", "oldVal"
  483. secretID, oldVersionID := fakeLockboxServer.CreateSecret(authorizedKey,
  484. "folderId", "secretName",
  485. textEntry(oldKey, oldVal),
  486. )
  487. k8sClient := clientfake.NewClientBuilder().Build()
  488. const authorizedKeySecretName = "authorizedKeySecretName"
  489. const authorizedKeySecretKey = "authorizedKeySecretKey"
  490. err := createK8sSecret(ctx, t, k8sClient, namespace, authorizedKeySecretName, authorizedKeySecretKey, toJSON(t, authorizedKey))
  491. tassert.Nil(t, err)
  492. store := newYandexLockboxSecretStore("", namespace, authorizedKeySecretName, authorizedKeySecretKey)
  493. provider := newLockboxProvider(fakeClock, fakeLockboxServer)
  494. secretsClient, err := provider.NewClient(ctx, store, k8sClient, namespace)
  495. tassert.Nil(t, err)
  496. data, err := secretsClient.GetSecretMap(ctx, esv1.ExternalSecretDataRemoteRef{Key: secretID, Version: oldVersionID})
  497. tassert.Nil(t, err)
  498. tassert.Equal(t, map[string][]byte{oldKey: []byte(oldVal)}, data)
  499. newKey, newVal := "newKey", "newVal"
  500. newVersionID := fakeLockboxServer.AddVersion(secretID, textEntry(newKey, newVal))
  501. data, err = secretsClient.GetSecretMap(ctx, esv1.ExternalSecretDataRemoteRef{Key: secretID, Version: oldVersionID})
  502. tassert.Nil(t, err)
  503. tassert.Equal(t, map[string][]byte{oldKey: []byte(oldVal)}, data)
  504. data, err = secretsClient.GetSecretMap(ctx, esv1.ExternalSecretDataRemoteRef{Key: secretID, Version: newVersionID})
  505. tassert.Nil(t, err)
  506. tassert.Equal(t, map[string][]byte{newKey: []byte(newVal)}, data)
  507. }
  508. func TestGetSecretWithByNameFetchingPolicyForAllEntries(t *testing.T) {
  509. ctx := context.Background()
  510. namespace := uuid.NewString()
  511. authorizedKey := newFakeAuthorizedKey()
  512. fakeClock := clock.NewFakeClock()
  513. fakeLockboxServer := client.NewFakeLockboxServer(fakeClock, time.Hour)
  514. folderId := uuid.NewString()
  515. const secretName = "secretName"
  516. k1, v1 := "k1", "v1"
  517. k2, v2 := "k2", []byte("v2")
  518. _, _ = fakeLockboxServer.CreateSecret(
  519. authorizedKey,
  520. folderId, secretName,
  521. textEntry(k1, v1),
  522. binaryEntry(k2, v2),
  523. )
  524. k8sClient := clientfake.NewClientBuilder().Build()
  525. const authorizedKeySecretName = "authorizedKeySecretName"
  526. const authorizedKeySecretKey = "authorizedKeySecretKey"
  527. err := createK8sSecret(ctx, t, k8sClient, namespace, authorizedKeySecretName, authorizedKeySecretKey, toJSON(t, authorizedKey))
  528. tassert.Nil(t, err)
  529. store := newYandexLockboxSecretStoreWithFetchByName("", namespace, authorizedKeySecretName, authorizedKeySecretKey, folderId)
  530. provider := newLockboxProvider(fakeClock, fakeLockboxServer)
  531. secretsClient, err := provider.NewClient(ctx, store, k8sClient, namespace)
  532. tassert.Nil(t, err)
  533. data, err := secretsClient.GetSecret(ctx, esv1.ExternalSecretDataRemoteRef{Key: secretName})
  534. tassert.Nil(t, err)
  535. expected := map[string]string{
  536. k1: base64([]byte(v1)),
  537. k2: base64(v2),
  538. }
  539. tassert.Equal(t, expected, unmarshalStringMap(t, data))
  540. }
  541. func TestGetSecretWithByNameFetchingPolicyAndVersionID(t *testing.T) {
  542. ctx := context.Background()
  543. namespace := uuid.NewString()
  544. authorizedKey := newFakeAuthorizedKey()
  545. fakeClock := clock.NewFakeClock()
  546. fakeLockboxServer := client.NewFakeLockboxServer(fakeClock, time.Hour)
  547. folderId := uuid.NewString()
  548. const secretName = "secretName"
  549. oldKey, oldVal := "oldKey", "oldVal"
  550. secretID, oldVersionID := fakeLockboxServer.CreateSecret(authorizedKey,
  551. folderId, secretName,
  552. textEntry(oldKey, oldVal),
  553. )
  554. k8sClient := clientfake.NewClientBuilder().Build()
  555. const authorizedKeySecretName = "authorizedKeySecretName"
  556. const authorizedKeySecretKey = "authorizedKeySecretKey"
  557. err := createK8sSecret(ctx, t, k8sClient, namespace, authorizedKeySecretName, authorizedKeySecretKey, toJSON(t, authorizedKey))
  558. tassert.Nil(t, err)
  559. store := newYandexLockboxSecretStoreWithFetchByName("", namespace, authorizedKeySecretName, authorizedKeySecretKey, folderId)
  560. provider := newLockboxProvider(fakeClock, fakeLockboxServer)
  561. secretsClient, err := provider.NewClient(ctx, store, k8sClient, namespace)
  562. tassert.Nil(t, err)
  563. data, err := secretsClient.GetSecret(ctx, esv1.ExternalSecretDataRemoteRef{Key: secretName, Version: oldVersionID})
  564. tassert.Nil(t, err)
  565. tassert.Equal(t, map[string]string{oldKey: base64([]byte(oldVal))}, unmarshalStringMap(t, data))
  566. newKey, newVal := "newKey", "newVal"
  567. newVersionID := fakeLockboxServer.AddVersion(secretID, textEntry(newKey, newVal))
  568. data, err = secretsClient.GetSecret(ctx, esv1.ExternalSecretDataRemoteRef{Key: secretName, Version: oldVersionID})
  569. tassert.Nil(t, err)
  570. tassert.Equal(t, map[string]string{oldKey: base64([]byte(oldVal))}, unmarshalStringMap(t, data))
  571. data, err = secretsClient.GetSecret(ctx, esv1.ExternalSecretDataRemoteRef{Key: secretName, Version: newVersionID})
  572. tassert.Nil(t, err)
  573. tassert.Equal(t, map[string]string{newKey: base64([]byte(newVal))}, unmarshalStringMap(t, data))
  574. }
  575. func TestGetSecretWithByNameFetchingPolicyForTextEntry(t *testing.T) {
  576. ctx := context.Background()
  577. namespace := uuid.NewString()
  578. authorizedKey := newFakeAuthorizedKey()
  579. fakeClock := clock.NewFakeClock()
  580. fakeLockboxServer := client.NewFakeLockboxServer(fakeClock, time.Hour)
  581. folderId := uuid.NewString()
  582. const secretName = "secretName"
  583. k1, v1 := "k1", "v1"
  584. k2, v2 := "k2", []byte("v2")
  585. _, _ = fakeLockboxServer.CreateSecret(authorizedKey,
  586. folderId, secretName,
  587. textEntry(k1, v1),
  588. binaryEntry(k2, v2),
  589. )
  590. k8sClient := clientfake.NewClientBuilder().Build()
  591. const authorizedKeySecretName = "authorizedKeySecretName"
  592. const authorizedKeySecretKey = "authorizedKeySecretKey"
  593. err := createK8sSecret(ctx, t, k8sClient, namespace, authorizedKeySecretName, authorizedKeySecretKey, toJSON(t, authorizedKey))
  594. tassert.Nil(t, err)
  595. store := newYandexLockboxSecretStoreWithFetchByName("", namespace, authorizedKeySecretName, authorizedKeySecretKey, folderId)
  596. provider := newLockboxProvider(fakeClock, fakeLockboxServer)
  597. secretsClient, err := provider.NewClient(ctx, store, k8sClient, namespace)
  598. tassert.Nil(t, err)
  599. data, err := secretsClient.GetSecret(ctx, esv1.ExternalSecretDataRemoteRef{Key: secretName, Property: k1})
  600. tassert.Nil(t, err)
  601. tassert.Equal(t, v1, string(data))
  602. }
  603. func TestGetSecretWithByNameFetchingPolicyForBinaryEntry(t *testing.T) {
  604. ctx := context.Background()
  605. namespace := uuid.NewString()
  606. authorizedKey := newFakeAuthorizedKey()
  607. fakeClock := clock.NewFakeClock()
  608. fakeLockboxServer := client.NewFakeLockboxServer(fakeClock, time.Hour)
  609. folderId := uuid.NewString()
  610. const secretName = "secretName"
  611. k1, v1 := "k1", "v1"
  612. k2, v2 := "k2", []byte("v2")
  613. _, _ = fakeLockboxServer.CreateSecret(authorizedKey,
  614. folderId, secretName,
  615. textEntry(k1, v1),
  616. binaryEntry(k2, v2),
  617. )
  618. k8sClient := clientfake.NewClientBuilder().Build()
  619. const authorizedKeySecretName = "authorizedKeySecretName"
  620. const authorizedKeySecretKey = "authorizedKeySecretKey"
  621. err := createK8sSecret(ctx, t, k8sClient, namespace, authorizedKeySecretName, authorizedKeySecretKey, toJSON(t, authorizedKey))
  622. tassert.Nil(t, err)
  623. store := newYandexLockboxSecretStoreWithFetchByName("", namespace, authorizedKeySecretName, authorizedKeySecretKey, folderId)
  624. provider := newLockboxProvider(fakeClock, fakeLockboxServer)
  625. secretsClient, err := provider.NewClient(ctx, store, k8sClient, namespace)
  626. tassert.Nil(t, err)
  627. data, err := secretsClient.GetSecret(ctx, esv1.ExternalSecretDataRemoteRef{Key: secretName, Property: k2})
  628. tassert.Nil(t, err)
  629. tassert.Equal(t, v2, data)
  630. }
  631. func TestGetSecretWithByNameFetchingPolicyNotFound(t *testing.T) {
  632. ctx := context.Background()
  633. namespace := uuid.NewString()
  634. authorizedKey := newFakeAuthorizedKey()
  635. fakeClock := clock.NewFakeClock()
  636. fakeLockboxServer := client.NewFakeLockboxServer(fakeClock, time.Hour)
  637. folderId := uuid.NewString()
  638. k8sClient := clientfake.NewClientBuilder().Build()
  639. const authorizedKeySecretName = "authorizedKeySecretName"
  640. const authorizedKeySecretKey = "authorizedKeySecretKey"
  641. err := createK8sSecret(ctx, t, k8sClient, namespace, authorizedKeySecretName, authorizedKeySecretKey, toJSON(t, authorizedKey))
  642. tassert.Nil(t, err)
  643. store := newYandexLockboxSecretStoreWithFetchByName("", namespace, authorizedKeySecretName, authorizedKeySecretKey, folderId)
  644. provider := newLockboxProvider(fakeClock, fakeLockboxServer)
  645. secretsClient, err := provider.NewClient(ctx, store, k8sClient, namespace)
  646. tassert.Nil(t, err)
  647. _, err = secretsClient.GetSecret(ctx, esv1.ExternalSecretDataRemoteRef{Key: "no-secret-with-such-name"})
  648. tassert.EqualError(t, err, errSecretPayloadNotFound)
  649. secretName := "secretName"
  650. _, _ = fakeLockboxServer.CreateSecret(
  651. authorizedKey,
  652. folderId, secretName,
  653. textEntry("k1", "v1"),
  654. )
  655. _, err = secretsClient.GetSecret(ctx, esv1.ExternalSecretDataRemoteRef{Key: secretName, Version: "no-version-with-such-id"})
  656. tassert.EqualError(t, err, errSecretPayloadVersionNotFound)
  657. }
  658. func TestGetSecretWithByNameFetchingPolicyUnauthorized(t *testing.T) {
  659. ctx := context.Background()
  660. namespace := uuid.NewString()
  661. authorizedKeyA := newFakeAuthorizedKey()
  662. authorizedKeyB := newFakeAuthorizedKey()
  663. fakeClock := clock.NewFakeClock()
  664. fakeLockboxServer := client.NewFakeLockboxServer(fakeClock, time.Hour)
  665. folderId := uuid.NewString()
  666. secretName := "secretName"
  667. _, _ = fakeLockboxServer.CreateSecret(authorizedKeyA,
  668. folderId, secretName,
  669. textEntry("k1", "v1"),
  670. )
  671. k8sClient := clientfake.NewClientBuilder().Build()
  672. const authorizedKeySecretName = "authorizedKeySecretName"
  673. const authorizedKeySecretKey = "authorizedKeySecretKey"
  674. err := createK8sSecret(ctx, t, k8sClient, namespace, authorizedKeySecretName, authorizedKeySecretKey, toJSON(t, authorizedKeyB))
  675. tassert.Nil(t, err)
  676. store := newYandexLockboxSecretStoreWithFetchByName("", namespace, authorizedKeySecretName, authorizedKeySecretKey, folderId)
  677. provider := newLockboxProvider(fakeClock, fakeLockboxServer)
  678. secretsClient, err := provider.NewClient(ctx, store, k8sClient, namespace)
  679. tassert.Nil(t, err)
  680. _, err = secretsClient.GetSecret(ctx, esv1.ExternalSecretDataRemoteRef{Key: secretName})
  681. tassert.EqualError(t, err, errSecretPayloadPermissionDenied)
  682. }
  683. func TestGetSecretWithByNameFetchingPolicyWithoutFolderID(t *testing.T) {
  684. ctx := context.Background()
  685. namespace := uuid.NewString()
  686. authorizedKey := newFakeAuthorizedKey()
  687. fakeClock := clock.NewFakeClock()
  688. fakeLockboxServer := client.NewFakeLockboxServer(fakeClock, time.Hour)
  689. k8sClient := clientfake.NewClientBuilder().Build()
  690. const authorizedKeySecretName = "authorizedKeySecretName"
  691. const authorizedKeySecretKey = "authorizedKeySecretKey"
  692. err := createK8sSecret(ctx, t, k8sClient, namespace, authorizedKeySecretName, authorizedKeySecretKey, toJSON(t, authorizedKey))
  693. tassert.Nil(t, err)
  694. store := newYandexLockboxSecretStoreWithFetchByName("", namespace, authorizedKeySecretName, authorizedKeySecretKey, "")
  695. provider := newLockboxProvider(fakeClock, fakeLockboxServer)
  696. _, err = provider.NewClient(ctx, store, k8sClient, namespace)
  697. tassert.EqualError(t, err, "folderID is required when fetching policy is 'byName'")
  698. }
  699. func TesGetSecretWithByIDFetchingPolicyForAllEntries(t *testing.T) {
  700. ctx := context.Background()
  701. namespace := uuid.NewString()
  702. authorizedKey := newFakeAuthorizedKey()
  703. fakeClock := clock.NewFakeClock()
  704. fakeLockboxServer := client.NewFakeLockboxServer(fakeClock, time.Hour)
  705. k1, v1 := "k1", "v1"
  706. k2, v2 := "k2", []byte("v2")
  707. secretID, _ := fakeLockboxServer.CreateSecret(authorizedKey,
  708. "folderId", "secret",
  709. textEntry(k1, v1),
  710. binaryEntry(k2, v2),
  711. )
  712. k8sClient := clientfake.NewClientBuilder().Build()
  713. const authorizedKeySecretName = "authorizedKeySecretName"
  714. const authorizedKeySecretKey = "authorizedKeySecretKey"
  715. err := createK8sSecret(ctx, t, k8sClient, namespace, authorizedKeySecretName, authorizedKeySecretKey, toJSON(t, authorizedKey))
  716. tassert.Nil(t, err)
  717. store := newYandexLockboxSecretStoreWithFetchByID("", namespace, authorizedKeySecretName, authorizedKeySecretKey)
  718. provider := newLockboxProvider(fakeClock, fakeLockboxServer)
  719. secretsClient, err := provider.NewClient(ctx, store, k8sClient, namespace)
  720. tassert.Nil(t, err)
  721. data, err := secretsClient.GetSecret(ctx, esv1.ExternalSecretDataRemoteRef{Key: secretID})
  722. tassert.Nil(t, err)
  723. expected := map[string]string{
  724. k1: v1,
  725. k2: base64(v2),
  726. }
  727. tassert.Equal(t, expected, unmarshalStringMap(t, data))
  728. }
  729. func TestGetSecretWithByIDFetchingPolicyForTextEntry(t *testing.T) {
  730. ctx := context.Background()
  731. namespace := uuid.NewString()
  732. authorizedKey := newFakeAuthorizedKey()
  733. fakeClock := clock.NewFakeClock()
  734. fakeLockboxServer := client.NewFakeLockboxServer(fakeClock, time.Hour)
  735. k1, v1 := "k1", "v1"
  736. k2, v2 := "k2", []byte("v2")
  737. secretID, _ := fakeLockboxServer.CreateSecret(authorizedKey,
  738. "folderId", "secret",
  739. textEntry(k1, v1),
  740. binaryEntry(k2, v2),
  741. )
  742. k8sClient := clientfake.NewClientBuilder().Build()
  743. const authorizedKeySecretName = "authorizedKeySecretName"
  744. const authorizedKeySecretKey = "authorizedKeySecretKey"
  745. err := createK8sSecret(ctx, t, k8sClient, namespace, authorizedKeySecretName, authorizedKeySecretKey, toJSON(t, authorizedKey))
  746. tassert.Nil(t, err)
  747. store := newYandexLockboxSecretStoreWithFetchByID("", namespace, authorizedKeySecretName, authorizedKeySecretKey)
  748. provider := newLockboxProvider(fakeClock, fakeLockboxServer)
  749. secretsClient, err := provider.NewClient(ctx, store, k8sClient, namespace)
  750. tassert.Nil(t, err)
  751. data, err := secretsClient.GetSecret(ctx, esv1.ExternalSecretDataRemoteRef{Key: secretID, Property: k1})
  752. tassert.Nil(t, err)
  753. tassert.Equal(t, v1, string(data))
  754. }
  755. func TestGetSecretWithByIDFetchingPolicyForBinaryEntry(t *testing.T) {
  756. ctx := context.Background()
  757. namespace := uuid.NewString()
  758. authorizedKey := newFakeAuthorizedKey()
  759. fakeClock := clock.NewFakeClock()
  760. fakeLockboxServer := client.NewFakeLockboxServer(fakeClock, time.Hour)
  761. k1, v1 := "k1", "v1"
  762. k2, v2 := "k2", []byte("v2")
  763. secretID, _ := fakeLockboxServer.CreateSecret(authorizedKey,
  764. "folderId", "secret",
  765. textEntry(k1, v1),
  766. binaryEntry(k2, v2),
  767. )
  768. k8sClient := clientfake.NewClientBuilder().Build()
  769. const authorizedKeySecretName = "authorizedKeySecretName"
  770. const authorizedKeySecretKey = "authorizedKeySecretKey"
  771. err := createK8sSecret(ctx, t, k8sClient, namespace, authorizedKeySecretName, authorizedKeySecretKey, toJSON(t, authorizedKey))
  772. tassert.Nil(t, err)
  773. store := newYandexLockboxSecretStoreWithFetchByID("", namespace, authorizedKeySecretName, authorizedKeySecretKey)
  774. provider := newLockboxProvider(fakeClock, fakeLockboxServer)
  775. secretsClient, err := provider.NewClient(ctx, store, k8sClient, namespace)
  776. tassert.Nil(t, err)
  777. data, err := secretsClient.GetSecret(ctx, esv1.ExternalSecretDataRemoteRef{Key: secretID, Property: k2})
  778. tassert.Nil(t, err)
  779. tassert.Equal(t, v2, data)
  780. }
  781. func TestGetSecretWithInvalidFetchingPolicy(t *testing.T) {
  782. ctx := context.Background()
  783. namespace := uuid.NewString()
  784. authorizedKey := newFakeAuthorizedKey()
  785. fakeClock := clock.NewFakeClock()
  786. fakeLockboxServer := client.NewFakeLockboxServer(fakeClock, time.Hour)
  787. k8sClient := clientfake.NewClientBuilder().Build()
  788. const authorizedKeySecretName = "authorizedKeySecretName"
  789. const authorizedKeySecretKey = "authorizedKeySecretKey"
  790. err := createK8sSecret(
  791. ctx, t, k8sClient, namespace,
  792. authorizedKeySecretName, authorizedKeySecretKey,
  793. toJSON(t, authorizedKey),
  794. )
  795. tassert.Nil(t, err)
  796. store := &esv1.SecretStore{
  797. ObjectMeta: metav1.ObjectMeta{Namespace: namespace},
  798. Spec: esv1.SecretStoreSpec{
  799. Provider: &esv1.SecretStoreProvider{
  800. YandexLockbox: &esv1.YandexLockboxProvider{
  801. Auth: esv1.YandexAuth{
  802. AuthorizedKey: esmeta.SecretKeySelector{
  803. Name: authorizedKeySecretName,
  804. Key: authorizedKeySecretKey,
  805. },
  806. },
  807. FetchingPolicy: &esv1.FetchingPolicy{
  808. ByID: nil,
  809. ByName: nil,
  810. },
  811. },
  812. },
  813. },
  814. }
  815. provider := newLockboxProvider(fakeClock, fakeLockboxServer)
  816. _, err = provider.NewClient(ctx, store, k8sClient, namespace)
  817. tassert.EqualError(
  818. t,
  819. err,
  820. "invalid Yandex Lockbox SecretStore: requires either 'byName' or 'byID' policy",
  821. )
  822. }
  823. // helper fuxnctions
  824. func newLockboxProvider(clock clock.Clock, fakeLockboxServer *client.FakeLockboxServer) *common.YandexCloudProvider {
  825. return common.InitYandexCloudProvider(
  826. ctrl.Log.WithName("provider").WithName("yandex").WithName("lockbox"),
  827. clock,
  828. adaptInput,
  829. func(ctx context.Context, apiEndpoint string, authorizedKey *iamkey.Key, caCertificate []byte) (common.SecretGetter, error) {
  830. return newLockboxSecretGetter(client.NewFakeLockboxClient(fakeLockboxServer))
  831. },
  832. func(ctx context.Context, apiEndpoint string, authorizedKey *iamkey.Key, caCertificate []byte) (*common.IamToken, error) {
  833. return fakeLockboxServer.NewIamToken(authorizedKey), nil
  834. },
  835. 0,
  836. )
  837. }
  838. func newYandexLockboxSecretStore(apiEndpoint, namespace, authorizedKeySecretName, authorizedKeySecretKey string) esv1.GenericStore {
  839. return &esv1.SecretStore{
  840. ObjectMeta: metav1.ObjectMeta{
  841. Namespace: namespace,
  842. },
  843. Spec: esv1.SecretStoreSpec{
  844. Provider: &esv1.SecretStoreProvider{
  845. YandexLockbox: &esv1.YandexLockboxProvider{
  846. APIEndpoint: apiEndpoint,
  847. Auth: esv1.YandexAuth{
  848. AuthorizedKey: esmeta.SecretKeySelector{
  849. Name: authorizedKeySecretName,
  850. Key: authorizedKeySecretKey,
  851. },
  852. },
  853. },
  854. },
  855. },
  856. }
  857. }
  858. func newYandexLockboxSecretStoreWithFetchByName(apiEndpoint, namespace, authorizedKeySecretName, authorizedKeySecretKey, folderID string) esv1.GenericStore {
  859. return &esv1.SecretStore{
  860. ObjectMeta: metav1.ObjectMeta{
  861. Namespace: namespace,
  862. },
  863. Spec: esv1.SecretStoreSpec{
  864. Provider: &esv1.SecretStoreProvider{
  865. YandexLockbox: &esv1.YandexLockboxProvider{
  866. APIEndpoint: apiEndpoint,
  867. Auth: esv1.YandexAuth{
  868. AuthorizedKey: esmeta.SecretKeySelector{
  869. Name: authorizedKeySecretName,
  870. Key: authorizedKeySecretKey,
  871. },
  872. },
  873. FetchingPolicy: &esv1.FetchingPolicy{
  874. ByName: &esv1.ByName{
  875. FolderID: folderID,
  876. },
  877. },
  878. },
  879. },
  880. },
  881. }
  882. }
  883. func newYandexLockboxSecretStoreWithFetchByID(apiEndpoint, namespace, authorizedKeySecretName, authorizedKeySecretKey string) esv1.GenericStore {
  884. return &esv1.SecretStore{
  885. ObjectMeta: metav1.ObjectMeta{
  886. Namespace: namespace,
  887. },
  888. Spec: esv1.SecretStoreSpec{
  889. Provider: &esv1.SecretStoreProvider{
  890. YandexLockbox: &esv1.YandexLockboxProvider{
  891. APIEndpoint: apiEndpoint,
  892. Auth: esv1.YandexAuth{
  893. AuthorizedKey: esmeta.SecretKeySelector{
  894. Name: authorizedKeySecretName,
  895. Key: authorizedKeySecretKey,
  896. },
  897. },
  898. FetchingPolicy: &esv1.FetchingPolicy{
  899. ByID: &esv1.ByID{},
  900. },
  901. },
  902. },
  903. },
  904. }
  905. }
  906. func toJSON(t *testing.T, v any) []byte {
  907. jsonBytes, err := json.Marshal(v)
  908. tassert.Nil(t, err)
  909. return jsonBytes
  910. }
  911. func createK8sSecret(ctx context.Context, t *testing.T, k8sClient k8sclient.Client, namespace, secretName, secretKey string, secretValue []byte) error {
  912. err := k8sClient.Create(ctx, &corev1.Secret{
  913. ObjectMeta: metav1.ObjectMeta{
  914. Namespace: namespace,
  915. Name: secretName,
  916. },
  917. Data: map[string][]byte{secretKey: secretValue},
  918. })
  919. tassert.Nil(t, err)
  920. return nil
  921. }
  922. func newFakeAuthorizedKey() *iamkey.Key {
  923. uniqueLabel := uuid.NewString()
  924. return &iamkey.Key{
  925. Id: uniqueLabel,
  926. Subject: &iamkey.Key_ServiceAccountId{
  927. ServiceAccountId: uniqueLabel,
  928. },
  929. PrivateKey: uniqueLabel,
  930. }
  931. }
  932. func textEntry(key, value string) *lockbox.Payload_Entry {
  933. return &lockbox.Payload_Entry{
  934. Key: key,
  935. Value: &lockbox.Payload_Entry_TextValue{
  936. TextValue: value,
  937. },
  938. }
  939. }
  940. func binaryEntry(key string, value []byte) *lockbox.Payload_Entry {
  941. return &lockbox.Payload_Entry{
  942. Key: key,
  943. Value: &lockbox.Payload_Entry_BinaryValue{
  944. BinaryValue: value,
  945. },
  946. }
  947. }
  948. func unmarshalStringMap(t *testing.T, data []byte) map[string]string {
  949. stringMap := make(map[string]string)
  950. err := json.Unmarshal(data, &stringMap)
  951. tassert.Nil(t, err)
  952. return stringMap
  953. }
  954. func base64(data []byte) string {
  955. return b64.StdEncoding.EncodeToString(data)
  956. }