| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950951952953954955956957958959960961962963964965966967968969970971972973974975976977978979980981982983984985986987988989990991992993994995996997998999100010011002100310041005100610071008100910101011101210131014101510161017101810191020102110221023102410251026102710281029103010311032103310341035103610371038103910401041104210431044104510461047104810491050105110521053105410551056105710581059106010611062106310641065106610671068106910701071107210731074107510761077107810791080108110821083108410851086108710881089109010911092109310941095109610971098109911001101110211031104110511061107110811091110111111121113111411151116111711181119112011211122112311241125112611271128112911301131113211331134113511361137113811391140114111421143114411451146114711481149115011511152115311541155115611571158115911601161116211631164116511661167116811691170117111721173117411751176117711781179118011811182118311841185118611871188118911901191119211931194119511961197119811991200120112021203120412051206120712081209121012111212121312141215121612171218121912201221122212231224122512261227122812291230123112321233123412351236123712381239124012411242124312441245124612471248124912501251125212531254125512561257125812591260126112621263126412651266126712681269127012711272127312741275127612771278127912801281128212831284128512861287128812891290129112921293129412951296129712981299130013011302130313041305130613071308130913101311131213131314131513161317131813191320132113221323132413251326132713281329133013311332133313341335133613371338133913401341134213431344134513461347134813491350135113521353135413551356135713581359136013611362136313641365136613671368136913701371137213731374137513761377137813791380138113821383138413851386138713881389139013911392139313941395139613971398139914001401140214031404140514061407140814091410141114121413141414151416141714181419142014211422142314241425142614271428142914301431143214331434143514361437143814391440144114421443144414451446144714481449145014511452145314541455145614571458145914601461146214631464146514661467146814691470147114721473147414751476147714781479148014811482148314841485148614871488148914901491149214931494149514961497149814991500150115021503150415051506150715081509151015111512151315141515151615171518151915201521152215231524152515261527152815291530153115321533153415351536153715381539154015411542154315441545154615471548154915501551155215531554155515561557155815591560156115621563156415651566156715681569157015711572157315741575157615771578157915801581158215831584158515861587158815891590159115921593159415951596159715981599160016011602160316041605160616071608160916101611161216131614161516161617161816191620162116221623162416251626162716281629163016311632163316341635163616371638163916401641164216431644164516461647164816491650165116521653165416551656165716581659166016611662166316641665166616671668166916701671167216731674167516761677167816791680168116821683168416851686168716881689169016911692169316941695169616971698169917001701170217031704170517061707170817091710171117121713171417151716171717181719172017211722172317241725172617271728172917301731173217331734173517361737173817391740174117421743174417451746174717481749175017511752175317541755175617571758175917601761176217631764176517661767176817691770177117721773177417751776177717781779178017811782178317841785178617871788178917901791179217931794179517961797179817991800180118021803180418051806180718081809181018111812181318141815181618171818181918201821182218231824182518261827182818291830183118321833183418351836183718381839184018411842184318441845184618471848184918501851185218531854185518561857185818591860186118621863186418651866186718681869187018711872187318741875187618771878187918801881188218831884188518861887188818891890189118921893189418951896189718981899190019011902190319041905190619071908190919101911191219131914191519161917191819191920192119221923192419251926192719281929193019311932193319341935193619371938193919401941194219431944194519461947194819491950195119521953195419551956195719581959196019611962196319641965196619671968196919701971197219731974197519761977197819791980198119821983198419851986198719881989199019911992199319941995199619971998199920002001200220032004200520062007200820092010201120122013201420152016201720182019202020212022202320242025202620272028202920302031203220332034203520362037203820392040204120422043204420452046204720482049205020512052205320542055205620572058205920602061206220632064206520662067206820692070207120722073207420752076207720782079208020812082208320842085208620872088208920902091209220932094209520962097209820992100210121022103210421052106210721082109211021112112211321142115211621172118211921202121212221232124212521262127212821292130213121322133213421352136213721382139214021412142214321442145214621472148214921502151215221532154 |
- /*
- Copyright © The ESO Authors
- Licensed under the Apache License, Version 2.0 (the "License");
- you may not use this file except in compliance with the License.
- You may obtain a copy of the License at
- https://www.apache.org/licenses/LICENSE-2.0
- Unless required by applicable law or agreed to in writing, software
- distributed under the License is distributed on an "AS IS" BASIS,
- WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- See the License for the specific language governing permissions and
- limitations under the License.
- */
- package onepasswordsdk
- import (
- "context"
- "errors"
- "fmt"
- "testing"
- "time"
- "github.com/1password/onepassword-sdk-go"
- "github.com/hashicorp/golang-lru/v2/expirable"
- "github.com/stretchr/testify/assert"
- "github.com/stretchr/testify/require"
- corev1 "k8s.io/api/core/v1"
- apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
- metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
- v1 "github.com/external-secrets/external-secrets/apis/externalsecrets/v1"
- "github.com/external-secrets/external-secrets/apis/externalsecrets/v1alpha1"
- )
- func TestProviderGetSecret(t *testing.T) {
- tests := []struct {
- name string
- ref v1.ExternalSecretDataRemoteRef
- want []byte
- assertError func(t *testing.T, err error)
- client func() *onepassword.Client
- }{
- {
- name: "get secret successfully",
- client: func() *onepassword.Client {
- fc := &fakeClient{
- resolveResult: "secret",
- }
- return &onepassword.Client{
- SecretsAPI: fc,
- VaultsAPI: fc,
- }
- },
- assertError: func(t *testing.T, err error) {
- require.NoError(t, err)
- },
- ref: v1.ExternalSecretDataRemoteRef{
- Key: "secret",
- },
- want: []byte("secret"),
- },
- {
- name: "get secret with error",
- client: func() *onepassword.Client {
- fc := &fakeClient{
- resolveError: errors.New("fobar"),
- }
- return &onepassword.Client{
- SecretsAPI: fc,
- VaultsAPI: fc,
- }
- },
- assertError: func(t *testing.T, err error) {
- require.ErrorContains(t, err, "fobar")
- },
- ref: v1.ExternalSecretDataRemoteRef{
- Key: "secret",
- },
- },
- {
- name: "get secret version not implemented",
- client: func() *onepassword.Client {
- fc := &fakeClient{
- resolveResult: "secret",
- }
- return &onepassword.Client{
- SecretsAPI: fc,
- VaultsAPI: fc,
- }
- },
- ref: v1.ExternalSecretDataRemoteRef{
- Key: "secret",
- Version: "1",
- },
- assertError: func(t *testing.T, err error) {
- require.ErrorContains(t, err, "is not implemented in the 1Password SDK provider")
- },
- },
- }
- for _, tt := range tests {
- t.Run(tt.name, func(t *testing.T) {
- p := &SecretsClient{
- client: tt.client(),
- vaultPrefix: "op://vault/",
- }
- got, err := p.GetSecret(t.Context(), tt.ref)
- tt.assertError(t, err)
- require.Equal(t, string(got), string(tt.want))
- })
- }
- }
- func TestProviderGetSecretMap(t *testing.T) {
- tests := []struct {
- name string
- ref v1.ExternalSecretDataRemoteRef
- want map[string][]byte
- assertError func(t *testing.T, err error)
- client func() *onepassword.Client
- }{
- {
- name: "get secret successfully for files",
- client: func() *onepassword.Client {
- fc := &fakeClient{}
- fl := &fakeLister{
- listAllResult: []onepassword.ItemOverview{
- {
- ID: "test-item-id",
- Title: "key",
- Category: "login",
- VaultID: "vault-id",
- },
- },
- getResult: onepassword.Item{
- ID: "test-item-id",
- Title: "key",
- Category: "login",
- VaultID: "vault-id",
- Files: []onepassword.ItemFile{
- {
- Attributes: onepassword.FileAttributes{
- Name: "name",
- ID: "id",
- },
- FieldID: "field-id",
- },
- },
- },
- fileLister: &fakeFileLister{
- readContent: []byte("content"),
- },
- }
- return &onepassword.Client{
- SecretsAPI: fc,
- ItemsAPI: fl,
- VaultsAPI: fc,
- }
- },
- assertError: func(t *testing.T, err error) {
- require.NoError(t, err)
- },
- ref: v1.ExternalSecretDataRemoteRef{
- Key: "key",
- Property: "file/name",
- },
- want: map[string][]byte{
- "name": []byte("content"),
- },
- },
- {
- name: "get secret successfully for fields",
- client: func() *onepassword.Client {
- fc := &fakeClient{}
- fl := &fakeLister{
- listAllResult: []onepassword.ItemOverview{
- {
- ID: "test-item-id",
- Title: "key",
- Category: "login",
- VaultID: "vault-id",
- },
- },
- getResult: onepassword.Item{
- ID: "test-item-id",
- Title: "key",
- Category: "login",
- VaultID: "vault-id",
- Fields: []onepassword.ItemField{
- {
- ID: "field-id",
- Title: "name",
- FieldType: onepassword.ItemFieldTypeConcealed,
- Value: "value",
- },
- },
- },
- fileLister: &fakeFileLister{
- readContent: []byte("content"),
- },
- }
- return &onepassword.Client{
- SecretsAPI: fc,
- ItemsAPI: fl,
- VaultsAPI: fc,
- }
- },
- assertError: func(t *testing.T, err error) {
- require.NoError(t, err)
- },
- ref: v1.ExternalSecretDataRemoteRef{
- Key: "key",
- Property: "field/name",
- },
- want: map[string][]byte{
- "name": []byte("value"),
- },
- },
- {
- name: "get secret fails with fields with same title",
- client: func() *onepassword.Client {
- fc := &fakeClient{}
- fl := &fakeLister{
- listAllResult: []onepassword.ItemOverview{
- {
- ID: "test-item-id",
- Title: "key",
- Category: "login",
- VaultID: "vault-id",
- },
- },
- getResult: onepassword.Item{
- ID: "test-item-id",
- Title: "key",
- Category: "login",
- VaultID: "vault-id",
- Fields: []onepassword.ItemField{
- {
- ID: "field-id",
- Title: "name",
- FieldType: onepassword.ItemFieldTypeConcealed,
- Value: "value",
- },
- {
- ID: "field-id",
- Title: "name",
- FieldType: onepassword.ItemFieldTypeConcealed,
- Value: "value",
- },
- },
- },
- fileLister: &fakeFileLister{
- readContent: []byte("content"),
- },
- }
- return &onepassword.Client{
- SecretsAPI: fc,
- ItemsAPI: fl,
- VaultsAPI: fc,
- }
- },
- assertError: func(t *testing.T, err error) {
- require.ErrorContains(t, err, "found more than 1 fields with title 'name' in 'key', got 2")
- },
- ref: v1.ExternalSecretDataRemoteRef{
- Key: "key",
- Property: "field/name",
- },
- },
- }
- for _, tt := range tests {
- t.Run(tt.name, func(t *testing.T) {
- p := &SecretsClient{
- client: tt.client(),
- vaultPrefix: "op://vault/",
- }
- got, err := p.GetSecretMap(t.Context(), tt.ref)
- tt.assertError(t, err)
- require.Equal(t, tt.want, got)
- })
- }
- }
- func TestProviderValidate(t *testing.T) {
- tests := []struct {
- name string
- want v1.ValidationResult
- assertError func(t *testing.T, err error)
- client func() *onepassword.Client
- vaultPrefix string
- }{
- {
- name: "validate successfully",
- client: func() *onepassword.Client {
- fc := &fakeClient{
- listAllResult: []onepassword.VaultOverview{
- {
- ID: "test",
- Title: "test",
- },
- },
- }
- return &onepassword.Client{
- SecretsAPI: fc,
- VaultsAPI: fc,
- }
- },
- want: v1.ValidationResultReady,
- assertError: func(t *testing.T, err error) {
- require.NoError(t, err)
- },
- vaultPrefix: "op://vault/",
- },
- }
- for _, tt := range tests {
- t.Run(tt.name, func(t *testing.T) {
- p := &SecretsClient{
- client: tt.client(),
- vaultPrefix: tt.vaultPrefix,
- }
- got, err := p.Validate()
- tt.assertError(t, err)
- require.Equal(t, got, tt.want)
- })
- }
- }
- func TestPushSecret(t *testing.T) {
- fc := &fakeClient{
- listAllResult: []onepassword.VaultOverview{
- {
- ID: "test",
- Title: "test",
- },
- },
- }
- tests := []struct {
- name string
- ref v1alpha1.PushSecretData
- secret *corev1.Secret
- assertError func(t *testing.T, err error)
- lister func() *fakeLister
- assertLister func(t *testing.T, lister *fakeLister)
- }{
- {
- name: "create is called",
- lister: func() *fakeLister {
- return &fakeLister{
- listAllResult: []onepassword.ItemOverview{},
- }
- },
- secret: &corev1.Secret{
- Data: map[string][]byte{
- "foo": []byte("bar"),
- },
- ObjectMeta: metav1.ObjectMeta{
- Name: "secret",
- Namespace: "default",
- },
- },
- ref: v1alpha1.PushSecretData{
- Match: v1alpha1.PushSecretMatch{
- SecretKey: "foo",
- RemoteRef: v1alpha1.PushSecretRemoteRef{
- RemoteKey: "key",
- },
- },
- },
- assertError: func(t *testing.T, err error) {
- require.NoError(t, err)
- },
- assertLister: func(t *testing.T, lister *fakeLister) {
- assert.True(t, lister.createCalled)
- },
- },
- {
- name: "update is called",
- lister: func() *fakeLister {
- return &fakeLister{
- listAllResult: []onepassword.ItemOverview{
- {
- ID: "test-item-id",
- Title: "key",
- Category: "login",
- VaultID: "vault-id",
- },
- },
- }
- },
- secret: &corev1.Secret{
- Data: map[string][]byte{
- "foo": []byte("bar"),
- },
- ObjectMeta: metav1.ObjectMeta{
- Name: "secret",
- Namespace: "default",
- },
- },
- ref: v1alpha1.PushSecretData{
- Match: v1alpha1.PushSecretMatch{
- SecretKey: "foo",
- RemoteRef: v1alpha1.PushSecretRemoteRef{
- RemoteKey: "key",
- },
- },
- },
- assertError: func(t *testing.T, err error) {
- require.NoError(t, err)
- },
- assertLister: func(t *testing.T, lister *fakeLister) {
- assert.True(t, lister.putCalled)
- },
- },
- }
- for _, tt := range tests {
- t.Run(tt.name, func(t *testing.T) {
- ctx := t.Context()
- lister := tt.lister()
- p := &SecretsClient{
- client: &onepassword.Client{
- SecretsAPI: fc,
- VaultsAPI: fc,
- ItemsAPI: lister,
- },
- }
- err := p.PushSecret(ctx, tt.secret, tt.ref)
- tt.assertError(t, err)
- tt.assertLister(t, lister)
- })
- }
- }
- func TestDeleteItemField(t *testing.T) {
- fc := &fakeClient{
- listAllResult: []onepassword.VaultOverview{
- {
- ID: "test",
- Title: "test",
- },
- },
- }
- testCases := []struct {
- name string
- lister func() *fakeLister
- ref *v1alpha1.PushSecretRemoteRef
- assertError func(t *testing.T, err error)
- assertLister func(t *testing.T, lister *fakeLister)
- }{
- {
- name: "update is called",
- ref: &v1alpha1.PushSecretRemoteRef{
- RemoteKey: "key",
- Property: "password",
- },
- assertLister: func(t *testing.T, lister *fakeLister) {
- require.True(t, lister.putCalled)
- },
- lister: func() *fakeLister {
- fl := &fakeLister{
- listAllResult: []onepassword.ItemOverview{
- {
- ID: "test-item-id",
- Title: "key",
- Category: "login",
- VaultID: "vault-id",
- },
- },
- getResult: onepassword.Item{
- ID: "test-item-id",
- Title: "key",
- Category: "login",
- VaultID: "vault-id",
- Fields: []onepassword.ItemField{
- {
- ID: "field-1",
- Title: "password",
- FieldType: onepassword.ItemFieldTypeConcealed,
- Value: "password",
- },
- {
- ID: "field-2",
- Title: "other-field",
- FieldType: onepassword.ItemFieldTypeConcealed,
- Value: "username",
- },
- },
- },
- }
- return fl
- },
- assertError: func(t *testing.T, err error) {
- require.NoError(t, err)
- },
- },
- {
- name: "delete is called",
- ref: &v1alpha1.PushSecretRemoteRef{
- RemoteKey: "key",
- Property: "password",
- },
- assertLister: func(t *testing.T, lister *fakeLister) {
- require.True(t, lister.deleteCalled, "delete should have been called as the item should have existed")
- },
- lister: func() *fakeLister {
- fl := &fakeLister{
- listAllResult: []onepassword.ItemOverview{
- {
- ID: "test-item-id",
- Title: "key",
- Category: "login",
- VaultID: "vault-id",
- },
- },
- getResult: onepassword.Item{
- ID: "test-item-id",
- Title: "key",
- Category: "login",
- VaultID: "vault-id",
- Fields: []onepassword.ItemField{
- {
- ID: "field-1",
- Title: "password",
- FieldType: onepassword.ItemFieldTypeConcealed,
- Value: "password",
- },
- },
- },
- }
- return fl
- },
- assertError: func(t *testing.T, err error) {
- require.NoError(t, err)
- },
- },
- }
- for _, testCase := range testCases {
- t.Run(testCase.name, func(t *testing.T) {
- ctx := t.Context()
- lister := testCase.lister()
- p := &SecretsClient{
- client: &onepassword.Client{
- SecretsAPI: fc,
- VaultsAPI: fc,
- ItemsAPI: lister,
- },
- }
- testCase.assertError(t, p.DeleteSecret(ctx, testCase.ref))
- testCase.assertLister(t, lister)
- })
- }
- }
- func TestGetVault(t *testing.T) {
- fc := &fakeClient{
- listAllResult: []onepassword.VaultOverview{
- {
- ID: "vault-id",
- Title: "vault-title",
- },
- },
- }
- p := &SecretsClient{
- client: &onepassword.Client{
- VaultsAPI: fc,
- },
- }
- titleOrUuids := []string{"vault-title", "vault-id"}
- for _, titleOrUuid := range titleOrUuids {
- t.Run(titleOrUuid, func(t *testing.T) {
- vaultID, err := p.GetVault(t.Context(), titleOrUuid)
- require.NoError(t, err)
- require.Equal(t, fc.listAllResult[0].ID, vaultID)
- })
- }
- }
- type fakeLister struct {
- listAllResult []onepassword.ItemOverview
- listErr error
- createCalled bool
- createdFieldType onepassword.ItemFieldType
- createdParams onepassword.ItemCreateParams
- putCalled bool
- putItem onepassword.Item
- deleteCalled bool
- getResult onepassword.Item
- getErr error
- fileLister onepassword.ItemsFilesAPI
- }
- func (f *fakeLister) Create(ctx context.Context, params onepassword.ItemCreateParams) (onepassword.Item, error) {
- f.createCalled = true
- f.createdParams = params
- if len(params.Fields) > 0 {
- f.createdFieldType = params.Fields[0].FieldType
- }
- return onepassword.Item{}, nil
- }
- func (f *fakeLister) Get(ctx context.Context, vaultID, itemID string) (onepassword.Item, error) {
- return f.getResult, f.getErr
- }
- func (f *fakeLister) Put(ctx context.Context, item onepassword.Item) (onepassword.Item, error) {
- f.putCalled = true
- f.putItem = item
- return onepassword.Item{}, nil
- }
- func (f *fakeLister) Delete(ctx context.Context, vaultID, itemID string) error {
- f.deleteCalled = true
- return nil
- }
- func (f *fakeLister) Archive(ctx context.Context, vaultID, itemID string) error {
- return nil
- }
- func (f *fakeLister) List(ctx context.Context, vaultID string, opts ...onepassword.ItemListFilter) ([]onepassword.ItemOverview, error) {
- return f.listAllResult, f.listErr
- }
- func (f *fakeLister) Shares() onepassword.ItemsSharesAPI {
- return nil
- }
- func (f *fakeLister) Files() onepassword.ItemsFilesAPI {
- return f.fileLister
- }
- type fakeFileLister struct {
- readContent []byte
- }
- func (f *fakeFileLister) Attach(ctx context.Context, item onepassword.Item, fileParams onepassword.FileCreateParams) (onepassword.Item, error) {
- return onepassword.Item{}, nil
- }
- func (f *fakeFileLister) Read(ctx context.Context, vaultID, itemID string, attr onepassword.FileAttributes) ([]byte, error) {
- return f.readContent, nil
- }
- func (f *fakeFileLister) Delete(ctx context.Context, item onepassword.Item, sectionID, fieldID string) (onepassword.Item, error) {
- return onepassword.Item{}, nil
- }
- func (f *fakeFileLister) ReplaceDocument(ctx context.Context, item onepassword.Item, docParams onepassword.DocumentCreateParams) (onepassword.Item, error) {
- return onepassword.Item{}, nil
- }
- var _ onepassword.ItemsFilesAPI = (*fakeFileLister)(nil)
- type statefulFakeLister struct {
- listAllResult []onepassword.ItemOverview
- items map[string]onepassword.Item
- deletedItems map[string]bool
- createCalled bool
- putCalled bool
- deleteCalled bool
- fileLister onepassword.ItemsFilesAPI
- }
- func (f *statefulFakeLister) Create(ctx context.Context, params onepassword.ItemCreateParams) (onepassword.Item, error) {
- f.createCalled = true
- return onepassword.Item{}, nil
- }
- func (f *statefulFakeLister) Get(ctx context.Context, vaultID, itemID string) (onepassword.Item, error) {
- if f.deletedItems != nil && f.deletedItems[itemID] {
- return onepassword.Item{}, fmt.Errorf("item not found")
- }
- if item, ok := f.items[itemID]; ok {
- return item, nil
- }
- return onepassword.Item{}, fmt.Errorf("item not found")
- }
- func (f *statefulFakeLister) Put(ctx context.Context, item onepassword.Item) (onepassword.Item, error) {
- f.putCalled = true
- if f.items == nil {
- f.items = make(map[string]onepassword.Item)
- }
- f.items[item.ID] = item
- return item, nil
- }
- func (f *statefulFakeLister) Delete(ctx context.Context, vaultID, itemID string) error {
- f.deleteCalled = true
- if f.deletedItems == nil {
- f.deletedItems = make(map[string]bool)
- }
- f.deletedItems[itemID] = true
- delete(f.items, itemID)
- f.listAllResult = nil
- return nil
- }
- func (f *statefulFakeLister) Archive(ctx context.Context, vaultID, itemID string) error {
- return nil
- }
- func (f *statefulFakeLister) List(ctx context.Context, vaultID string, opts ...onepassword.ItemListFilter) ([]onepassword.ItemOverview, error) {
- return f.listAllResult, nil
- }
- func (f *statefulFakeLister) Shares() onepassword.ItemsSharesAPI {
- return nil
- }
- func (f *statefulFakeLister) Files() onepassword.ItemsFilesAPI {
- return f.fileLister
- }
- var _ onepassword.ItemsAPI = (*statefulFakeLister)(nil)
- type fakeClient struct {
- resolveResult string
- resolveError error
- resolveAll onepassword.ResolveAllResponse
- resolveAllError error
- listAllResult []onepassword.VaultOverview
- listAllError error
- }
- func (f *fakeClient) List(ctx context.Context) ([]onepassword.VaultOverview, error) {
- return f.listAllResult, f.listAllError
- }
- func (f *fakeClient) Resolve(ctx context.Context, secretReference string) (string, error) {
- return f.resolveResult, f.resolveError
- }
- func (f *fakeClient) ResolveAll(ctx context.Context, secretReferences []string) (onepassword.ResolveAllResponse, error) {
- return f.resolveAll, f.resolveAllError
- }
- func TestDeleteMultipleFieldsFromSameItem(t *testing.T) {
- fc := &fakeClient{
- listAllResult: []onepassword.VaultOverview{
- {
- ID: "test",
- Title: "test",
- },
- },
- }
- t.Run("deleting second field after item was deleted should not error", func(t *testing.T) {
- fl := &statefulFakeLister{
- listAllResult: []onepassword.ItemOverview{
- {
- ID: "test-item-id",
- Title: "key",
- Category: "login",
- VaultID: "vault-id",
- },
- },
- items: map[string]onepassword.Item{
- "test-item-id": {
- ID: "test-item-id",
- Title: "key",
- Category: "login",
- VaultID: "vault-id",
- Fields: []onepassword.ItemField{
- {
- ID: "field-1",
- Title: "username",
- FieldType: onepassword.ItemFieldTypeConcealed,
- Value: "testuser",
- },
- {
- ID: "field-2",
- Title: "password",
- FieldType: onepassword.ItemFieldTypeConcealed,
- Value: "testpass",
- },
- },
- },
- },
- }
- p := &SecretsClient{
- client: &onepassword.Client{
- SecretsAPI: fc,
- VaultsAPI: fc,
- ItemsAPI: fl,
- },
- }
- ctx := t.Context()
- err := p.DeleteSecret(ctx, &v1alpha1.PushSecretRemoteRef{
- RemoteKey: "key",
- Property: "username",
- })
- require.NoError(t, err, "first field deletion should succeed")
- assert.True(t, fl.putCalled, "Put should have been called to update the item")
- assert.False(t, fl.deleteCalled, "Delete should not have been called yet")
- fl.putCalled = false
- err = p.DeleteSecret(ctx, &v1alpha1.PushSecretRemoteRef{
- RemoteKey: "key",
- Property: "password",
- })
- require.NoError(t, err, "second field deletion should succeed")
- assert.True(t, fl.deleteCalled, "Delete should have been called to remove the item")
- fl.listAllResult = nil
- err = p.DeleteSecret(ctx, &v1alpha1.PushSecretRemoteRef{
- RemoteKey: "key",
- Property: "some-other-field",
- })
- require.NoError(t, err, "deleting a field from an already-deleted item should not error (this is the bug!)")
- })
- }
- func TestCachingGetSecret(t *testing.T) {
- t.Run("cache hit returns cached value", func(t *testing.T) {
- fcWithCounter := &fakeClientWithCounter{
- fakeClient: &fakeClient{
- resolveResult: "secret-value",
- },
- }
- p := &SecretsClient{
- client: &onepassword.Client{
- SecretsAPI: fcWithCounter,
- VaultsAPI: fcWithCounter.fakeClient,
- },
- vaultPrefix: "op://vault/",
- }
- // Initialize cache
- p.cache = expirable.NewLRU[string, []byte](100, nil, time.Minute)
- ref := v1.ExternalSecretDataRemoteRef{Key: "item/field"}
- // First call - cache miss
- val1, err := p.GetSecret(t.Context(), ref)
- require.NoError(t, err)
- assert.Equal(t, []byte("secret-value"), val1)
- assert.Equal(t, 1, fcWithCounter.resolveCallCount)
- // Second call - cache hit, should not call API
- val2, err := p.GetSecret(t.Context(), ref)
- require.NoError(t, err)
- assert.Equal(t, []byte("secret-value"), val2)
- assert.Equal(t, 1, fcWithCounter.resolveCallCount, "API should not be called on cache hit")
- })
- t.Run("cache disabled works normally", func(t *testing.T) {
- fcWithCounter := &fakeClientWithCounter{
- fakeClient: &fakeClient{
- resolveResult: "secret-value",
- },
- }
- p := &SecretsClient{
- client: &onepassword.Client{
- SecretsAPI: fcWithCounter,
- VaultsAPI: fcWithCounter.fakeClient,
- },
- vaultPrefix: "op://vault/",
- cache: nil, // Cache disabled
- }
- ref := v1.ExternalSecretDataRemoteRef{Key: "item/field"}
- // Multiple calls should always hit API
- _, err := p.GetSecret(t.Context(), ref)
- require.NoError(t, err)
- assert.Equal(t, 1, fcWithCounter.resolveCallCount)
- _, err = p.GetSecret(t.Context(), ref)
- require.NoError(t, err)
- assert.Equal(t, 2, fcWithCounter.resolveCallCount)
- })
- }
- func TestCachingGetSecretMap(t *testing.T) {
- t.Run("cache hit returns cached map", func(t *testing.T) {
- fc := &fakeClient{}
- flWithCounter := &fakeListerWithCounter{
- fakeLister: &fakeLister{
- listAllResult: []onepassword.ItemOverview{
- {
- ID: "item-id",
- Title: "item",
- Category: "login",
- VaultID: "vault-id",
- },
- },
- getResult: onepassword.Item{
- ID: "item-id",
- Title: "item",
- Category: "login",
- VaultID: "vault-id",
- Fields: []onepassword.ItemField{
- {Title: "username", Value: "user1"},
- {Title: "password", Value: "pass1"},
- },
- },
- },
- }
- p := &SecretsClient{
- client: &onepassword.Client{
- SecretsAPI: fc,
- VaultsAPI: fc,
- ItemsAPI: flWithCounter,
- },
- vaultPrefix: "op://vault/",
- vaultID: "vault-id",
- cache: expirable.NewLRU[string, []byte](100, nil, time.Minute),
- }
- ref := v1.ExternalSecretDataRemoteRef{Key: "item"}
- // First call - cache miss
- val1, err := p.GetSecretMap(t.Context(), ref)
- require.NoError(t, err)
- assert.Equal(t, map[string][]byte{
- "username": []byte("user1"),
- "password": []byte("pass1"),
- }, val1)
- assert.Equal(t, 1, flWithCounter.getCallCount)
- // Second call - cache hit
- val2, err := p.GetSecretMap(t.Context(), ref)
- require.NoError(t, err)
- assert.Equal(t, val1, val2)
- assert.Equal(t, 1, flWithCounter.getCallCount, "API should not be called on cache hit")
- })
- }
- func TestCacheInvalidationPushSecret(t *testing.T) {
- t.Run("push secret invalidates cache", func(t *testing.T) {
- fcWithCounter := &fakeClientWithCounter{
- fakeClient: &fakeClient{
- resolveResult: "secret-value",
- },
- }
- fl := &fakeLister{
- listAllResult: []onepassword.ItemOverview{
- {ID: "item-id", Title: "item", VaultID: "vault-id"},
- },
- getResult: onepassword.Item{
- ID: "item-id",
- Title: "item",
- VaultID: "vault-id",
- Fields: []onepassword.ItemField{{Title: "password", Value: "old"}},
- },
- }
- p := &SecretsClient{
- client: &onepassword.Client{
- SecretsAPI: fcWithCounter,
- VaultsAPI: fcWithCounter.fakeClient,
- ItemsAPI: fl,
- },
- vaultPrefix: "op://vault/",
- vaultID: "vault-id",
- cache: expirable.NewLRU[string, []byte](100, nil, time.Minute),
- }
- ref := v1.ExternalSecretDataRemoteRef{Key: "item/password"}
- // Populate cache
- val1, err := p.GetSecret(t.Context(), ref)
- require.NoError(t, err)
- assert.Equal(t, []byte("secret-value"), val1)
- assert.Equal(t, 1, fcWithCounter.resolveCallCount)
- // Push new value (should invalidate cache)
- pushRef := v1alpha1.PushSecretData{
- Match: v1alpha1.PushSecretMatch{
- SecretKey: "key",
- RemoteRef: v1alpha1.PushSecretRemoteRef{
- RemoteKey: "item",
- Property: "password",
- },
- },
- }
- secret := &corev1.Secret{
- Data: map[string][]byte{"key": []byte("new-value")},
- }
- err = p.PushSecret(t.Context(), secret, pushRef)
- require.NoError(t, err)
- // Next GetSecret should fetch fresh value (cache was invalidated)
- val2, err := p.GetSecret(t.Context(), ref)
- require.NoError(t, err)
- assert.Equal(t, []byte("secret-value"), val2)
- assert.Equal(t, 2, fcWithCounter.resolveCallCount, "Cache should have been invalidated")
- })
- }
- func TestCacheInvalidationStaleItemAfterPush(t *testing.T) {
- t.Run("push update invalidates the UUID-keyed item cache", func(t *testing.T) {
- fc := &fakeClient{
- listAllResult: []onepassword.VaultOverview{
- {ID: "vault-id", Title: "vault"},
- },
- }
- fl := &statefulFakeListerWithCounter{
- statefulFakeLister: &statefulFakeLister{
- listAllResult: []onepassword.ItemOverview{
- {ID: "item-id", Title: "key", Category: "login", VaultID: "vault-id"},
- },
- items: map[string]onepassword.Item{
- "item-id": {
- ID: "item-id",
- Title: "key",
- Category: "login",
- VaultID: "vault-id",
- Fields: []onepassword.ItemField{
- {ID: "password", Title: "password", FieldType: onepassword.ItemFieldTypeConcealed, Value: "old-value"},
- },
- },
- },
- },
- }
- p := &SecretsClient{
- client: &onepassword.Client{
- SecretsAPI: fc,
- VaultsAPI: fc,
- ItemsAPI: fl,
- },
- vaultPrefix: "op://vault/",
- vaultID: "vault-id",
- cache: expirable.NewLRU[string, []byte](100, nil, time.Minute),
- }
- mapRef := v1.ExternalSecretDataRemoteRef{Key: "key", Property: "password"}
- got, err := p.GetSecretMap(t.Context(), mapRef)
- require.NoError(t, err)
- assert.Equal(t, []byte("old-value"), got["password"])
- getsAfterWarm := fl.getCallCount
- pushRef := v1alpha1.PushSecretData{
- Match: v1alpha1.PushSecretMatch{
- SecretKey: "key",
- RemoteRef: v1alpha1.PushSecretRemoteRef{
- RemoteKey: "key",
- Property: "password",
- },
- },
- }
- secret := &corev1.Secret{
- Data: map[string][]byte{"key": []byte("new-value")},
- }
- require.NoError(t, p.PushSecret(t.Context(), secret, pushRef))
- got2, err := p.GetSecretMap(t.Context(), mapRef)
- require.NoError(t, err)
- assert.Equal(t, []byte("new-value"), got2["password"])
- assert.Greater(t, fl.getCallCount, getsAfterWarm, "second read must hit the backend, not the stale UUID cache")
- })
- }
- func TestCacheInvalidationDeleteSecret(t *testing.T) {
- t.Run("delete secret invalidates cache", func(t *testing.T) {
- fcWithCounter := &fakeClientWithCounter{
- fakeClient: &fakeClient{
- resolveResult: "cached-value",
- },
- }
- fl := &fakeLister{
- listAllResult: []onepassword.ItemOverview{
- {ID: "item-id", Title: "item", VaultID: "vault-id"},
- },
- getResult: onepassword.Item{
- ID: "item-id",
- Title: "item",
- VaultID: "vault-id",
- Fields: []onepassword.ItemField{
- {Title: "field1", Value: "val1"},
- {Title: "field2", Value: "val2"},
- },
- },
- }
- p := &SecretsClient{
- client: &onepassword.Client{
- SecretsAPI: fcWithCounter,
- VaultsAPI: fcWithCounter.fakeClient,
- ItemsAPI: fl,
- },
- vaultPrefix: "op://vault/",
- vaultID: "vault-id",
- cache: expirable.NewLRU[string, []byte](100, nil, time.Minute),
- }
- ref := v1.ExternalSecretDataRemoteRef{Key: "item/field1"}
- // Populate cache
- _, err := p.GetSecret(t.Context(), ref)
- require.NoError(t, err)
- assert.Equal(t, 1, fcWithCounter.resolveCallCount)
- // Delete field (should invalidate cache)
- deleteRef := v1alpha1.PushSecretRemoteRef{
- RemoteKey: "item",
- Property: "field1",
- }
- err = p.DeleteSecret(t.Context(), deleteRef)
- require.NoError(t, err)
- // Next GetSecret should miss cache
- _, err = p.GetSecret(t.Context(), ref)
- require.NoError(t, err)
- assert.Equal(t, 2, fcWithCounter.resolveCallCount, "Cache should have been invalidated")
- })
- }
- func TestInvalidateCacheByPrefix(t *testing.T) {
- t.Run("invalidates all entries with prefix", func(t *testing.T) {
- p := &SecretsClient{
- vaultPrefix: "op://vault/",
- cache: expirable.NewLRU[string, []byte](100, nil, time.Minute),
- }
- // Add multiple cache entries
- p.cache.Add("op://vault/item1/field1", []byte("val1"))
- p.cache.Add("op://vault/item1/field2", []byte("val2"))
- p.cache.Add("op://vault/item2/field1", []byte("val3"))
- // Invalidate item1 entries
- p.invalidateCacheByPrefix("op://vault/item1")
- // item1 entries should be gone
- _, ok1 := p.cache.Get("op://vault/item1/field1")
- assert.False(t, ok1)
- _, ok2 := p.cache.Get("op://vault/item1/field2")
- assert.False(t, ok2)
- // item2 entry should still exist
- val3, ok3 := p.cache.Get("op://vault/item2/field1")
- assert.True(t, ok3)
- assert.Equal(t, []byte("val3"), val3)
- })
- t.Run("handles nil cache gracefully", func(t *testing.T) {
- p := &SecretsClient{
- vaultPrefix: "op://vault/",
- cache: nil,
- }
- // Should not panic
- p.invalidateCacheByPrefix("op://vault/item1")
- })
- t.Run("does not invalidate entries with similar prefixes", func(t *testing.T) {
- p := &SecretsClient{
- vaultPrefix: "op://vault/",
- cache: expirable.NewLRU[string, []byte](100, nil, time.Minute),
- }
- p.cache.Add("op://vault/item/field1", []byte("val1"))
- p.cache.Add("op://vault/item/field2", []byte("val2"))
- p.cache.Add("op://vault/item|property", []byte("val3"))
- p.cache.Add("op://vault/item-backup/field1", []byte("val4"))
- p.cache.Add("op://vault/prod-db/secret", []byte("val5"))
- p.cache.Add("op://vault/prod-db-replica/secret", []byte("val6"))
- p.cache.Add("op://vault/prod-db-replica/secret|property", []byte("val7"))
- p.invalidateCacheByPrefix("op://vault/item")
- _, ok1 := p.cache.Get("op://vault/item/field1")
- assert.False(t, ok1)
- _, ok2 := p.cache.Get("op://vault/item/field2")
- assert.False(t, ok2)
- _, ok3 := p.cache.Get("op://vault/item|property")
- assert.False(t, ok3)
- val4, ok4 := p.cache.Get("op://vault/item-backup/field1")
- assert.True(t, ok4, "item-backup should not be invalidated")
- assert.Equal(t, []byte("val4"), val4)
- p.invalidateCacheByPrefix("op://vault/prod-db")
- _, ok5 := p.cache.Get("op://vault/prod-db/secret")
- assert.False(t, ok5)
- val6, ok6 := p.cache.Get("op://vault/prod-db-replica/secret")
- assert.True(t, ok6, "prod-db-replica/secret should not be invalidated")
- assert.Equal(t, []byte("val6"), val6)
- val7, ok7 := p.cache.Get("op://vault/prod-db-replica/secret|property")
- assert.True(t, ok7, "prod-db-replica/secret|property should not be invalidated")
- assert.Equal(t, []byte("val7"), val7)
- })
- }
- // fakeClientWithCounter wraps fakeClient and tracks Resolve call count.
- type fakeClientWithCounter struct {
- *fakeClient
- resolveCallCount int
- }
- func (f *fakeClientWithCounter) Resolve(ctx context.Context, secretReference string) (string, error) {
- f.resolveCallCount++
- return f.fakeClient.Resolve(ctx, secretReference)
- }
- // fakeListerWithCounter wraps fakeLister and tracks Get call count.
- type fakeListerWithCounter struct {
- *fakeLister
- getCallCount int
- }
- func (f *fakeListerWithCounter) Get(ctx context.Context, vaultID, itemID string) (onepassword.Item, error) {
- f.getCallCount++
- return f.fakeLister.Get(ctx, vaultID, itemID)
- }
- func (f *fakeListerWithCounter) Put(ctx context.Context, item onepassword.Item) (onepassword.Item, error) {
- return f.fakeLister.Put(ctx, item)
- }
- func (f *fakeListerWithCounter) Delete(ctx context.Context, vaultID, itemID string) error {
- return f.fakeLister.Delete(ctx, vaultID, itemID)
- }
- func (f *fakeListerWithCounter) Archive(ctx context.Context, vaultID, itemID string) error {
- return f.fakeLister.Archive(ctx, vaultID, itemID)
- }
- func (f *fakeListerWithCounter) List(ctx context.Context, vaultID string, opts ...onepassword.ItemListFilter) ([]onepassword.ItemOverview, error) {
- return f.fakeLister.List(ctx, vaultID, opts...)
- }
- func (f *fakeListerWithCounter) Shares() onepassword.ItemsSharesAPI {
- return f.fakeLister.Shares()
- }
- func (f *fakeListerWithCounter) Files() onepassword.ItemsFilesAPI {
- return f.fakeLister.Files()
- }
- func (f *fakeListerWithCounter) Create(ctx context.Context, item onepassword.ItemCreateParams) (onepassword.Item, error) {
- return f.fakeLister.Create(ctx, item)
- }
- // fakeFileListerWithCounter wraps fakeFileLister and tracks Read call count.
- type fakeFileListerWithCounter struct {
- *fakeFileLister
- readCallCount int
- }
- func (f *fakeFileListerWithCounter) Attach(ctx context.Context, item onepassword.Item, fileParams onepassword.FileCreateParams) (onepassword.Item, error) {
- return onepassword.Item{}, nil
- }
- func (f *fakeFileListerWithCounter) Read(ctx context.Context, vaultID, itemID string, attr onepassword.FileAttributes) ([]byte, error) {
- f.readCallCount++
- return f.readContent, nil
- }
- func (f *fakeFileListerWithCounter) Delete(ctx context.Context, item onepassword.Item, sectionID, fieldID string) (onepassword.Item, error) {
- return onepassword.Item{}, nil
- }
- func (f *fakeFileListerWithCounter) ReplaceDocument(ctx context.Context, item onepassword.Item, docParams onepassword.DocumentCreateParams) (onepassword.Item, error) {
- return onepassword.Item{}, nil
- }
- // statefulFakeListerWithCounter wraps statefulFakeLister and tracks Get call count.
- type statefulFakeListerWithCounter struct {
- *statefulFakeLister
- getCallCount int
- listCallCount int
- }
- func (f *statefulFakeListerWithCounter) Get(ctx context.Context, vaultID, itemID string) (onepassword.Item, error) {
- f.getCallCount++
- return f.statefulFakeLister.Get(ctx, vaultID, itemID)
- }
- func (f *statefulFakeListerWithCounter) Put(ctx context.Context, item onepassword.Item) (onepassword.Item, error) {
- return f.statefulFakeLister.Put(ctx, item)
- }
- func (f *statefulFakeListerWithCounter) Delete(ctx context.Context, vaultID, itemID string) error {
- return f.statefulFakeLister.Delete(ctx, vaultID, itemID)
- }
- func (f *statefulFakeListerWithCounter) Archive(ctx context.Context, vaultID, itemID string) error {
- return f.statefulFakeLister.Archive(ctx, vaultID, itemID)
- }
- func (f *statefulFakeListerWithCounter) List(ctx context.Context, vaultID string, opts ...onepassword.ItemListFilter) ([]onepassword.ItemOverview, error) {
- f.listCallCount++
- return f.statefulFakeLister.List(ctx, vaultID, opts...)
- }
- func (f *statefulFakeListerWithCounter) Shares() onepassword.ItemsSharesAPI {
- return f.statefulFakeLister.Shares()
- }
- func (f *statefulFakeListerWithCounter) Files() onepassword.ItemsFilesAPI {
- return f.statefulFakeLister.Files()
- }
- func (f *statefulFakeListerWithCounter) Create(ctx context.Context, item onepassword.ItemCreateParams) (onepassword.Item, error) {
- return f.statefulFakeLister.Create(ctx, item)
- }
- var _ onepassword.SecretsAPI = &fakeClient{}
- var _ onepassword.VaultsAPI = &fakeClient{}
- var _ onepassword.ItemsAPI = &fakeLister{}
- var _ onepassword.SecretsAPI = &fakeClientWithCounter{}
- var _ onepassword.ItemsAPI = &fakeListerWithCounter{}
- func TestSecretExists(t *testing.T) {
- fc := &fakeClient{
- listAllResult: []onepassword.VaultOverview{
- {ID: "vault-id", Title: "vault"},
- },
- }
- itemWithPassword := &fakeLister{
- listAllResult: []onepassword.ItemOverview{
- {ID: "item-id", Title: "key", VaultID: "vault-id"},
- },
- getResult: onepassword.Item{
- ID: "item-id", Title: "key", VaultID: "vault-id",
- Fields: []onepassword.ItemField{
- {Title: "password", Value: "s3cr3t"},
- },
- },
- }
- tests := []struct {
- name string
- ref v1alpha1.PushSecretRemoteRef
- lister *fakeLister
- wantExists bool
- assertError func(t *testing.T, err error)
- }{
- {
- name: "item does not exist returns false",
- ref: v1alpha1.PushSecretRemoteRef{RemoteKey: "missing"},
- lister: &fakeLister{listAllResult: []onepassword.ItemOverview{}},
- wantExists: false,
- assertError: func(t *testing.T, err error) { require.NoError(t, err) },
- },
- {
- name: "item exists no property returns true",
- ref: v1alpha1.PushSecretRemoteRef{RemoteKey: "key"},
- lister: itemWithPassword,
- wantExists: true,
- assertError: func(t *testing.T, err error) { require.NoError(t, err) },
- },
- {
- name: "item exists field present returns true",
- ref: v1alpha1.PushSecretRemoteRef{RemoteKey: "key", Property: "password"},
- lister: itemWithPassword,
- wantExists: true,
- assertError: func(t *testing.T, err error) { require.NoError(t, err) },
- },
- {
- name: "item exists field absent returns false",
- ref: v1alpha1.PushSecretRemoteRef{RemoteKey: "key", Property: "api-token"},
- lister: itemWithPassword,
- wantExists: false,
- assertError: func(t *testing.T, err error) { require.NoError(t, err) },
- },
- {
- name: "pushAllKeys scenario: item exists with no fields returns true",
- ref: v1alpha1.PushSecretRemoteRef{RemoteKey: "key"},
- lister: &fakeLister{
- listAllResult: []onepassword.ItemOverview{
- {ID: "item-id", Title: "key", VaultID: "vault-id"},
- },
- getResult: onepassword.Item{
- ID: "item-id", Title: "key", VaultID: "vault-id",
- Fields: []onepassword.ItemField{},
- },
- },
- wantExists: true,
- assertError: func(t *testing.T, err error) { require.NoError(t, err) },
- },
- }
- for _, tt := range tests {
- t.Run(tt.name, func(t *testing.T) {
- p := &SecretsClient{
- client: &onepassword.Client{
- SecretsAPI: fc,
- VaultsAPI: fc,
- ItemsAPI: tt.lister,
- },
- vaultID: "vault-id",
- }
- exists, err := p.SecretExists(t.Context(), tt.ref)
- tt.assertError(t, err)
- assert.Equal(t, tt.wantExists, exists)
- })
- }
- }
- func TestResolveFieldType(t *testing.T) {
- tests := []struct {
- input string
- expected onepassword.ItemFieldType
- }{
- {"text", onepassword.ItemFieldTypeText},
- {"Text", onepassword.ItemFieldTypeText},
- {"TEXT", onepassword.ItemFieldTypeText},
- {"concealed", onepassword.ItemFieldTypeConcealed},
- {"Concealed", onepassword.ItemFieldTypeConcealed},
- {"url", onepassword.ItemFieldTypeURL},
- {"URL", onepassword.ItemFieldTypeURL},
- {"email", onepassword.ItemFieldTypeEmail},
- {"Email", onepassword.ItemFieldTypeEmail},
- {"phone", onepassword.ItemFieldTypePhone},
- {"date", onepassword.ItemFieldTypeDate},
- {"monthYear", onepassword.ItemFieldTypeMonthYear},
- {"monthyear", onepassword.ItemFieldTypeMonthYear},
- {"MONTHYEAR", onepassword.ItemFieldTypeMonthYear},
- {"", onepassword.ItemFieldTypeConcealed},
- {"unknown", onepassword.ItemFieldTypeConcealed},
- {"otp", onepassword.ItemFieldTypeConcealed},
- {"file", onepassword.ItemFieldTypeConcealed},
- }
- for _, tt := range tests {
- t.Run(tt.input, func(t *testing.T) {
- got := resolveFieldType(tt.input)
- assert.Equal(t, tt.expected, got)
- })
- }
- }
- func TestPushSecretFieldType(t *testing.T) {
- fc := &fakeClient{
- listAllResult: []onepassword.VaultOverview{
- {ID: "vault-id", Title: "vault"},
- },
- }
- tests := []struct {
- name string
- metadataJSON string
- wantFieldType onepassword.ItemFieldType
- }{
- {
- name: "no metadata defaults to Concealed",
- metadataJSON: "",
- wantFieldType: onepassword.ItemFieldTypeConcealed,
- },
- {
- name: "fieldType text creates Text field",
- metadataJSON: `{"apiVersion":"kubernetes.external-secrets.io/v1alpha1","kind":"PushSecretMetadata","spec":{"fieldType":"text"}}`,
- wantFieldType: onepassword.ItemFieldTypeText,
- },
- {
- name: "fieldType URL case-insensitive",
- metadataJSON: `{"apiVersion":"kubernetes.external-secrets.io/v1alpha1","kind":"PushSecretMetadata","spec":{"fieldType":"URL"}}`,
- wantFieldType: onepassword.ItemFieldTypeURL,
- },
- }
- for _, tt := range tests {
- t.Run(tt.name, func(t *testing.T) {
- fl := &fakeLister{
- listAllResult: []onepassword.ItemOverview{},
- }
- p := &SecretsClient{
- client: &onepassword.Client{
- SecretsAPI: fc,
- VaultsAPI: fc,
- ItemsAPI: fl,
- },
- vaultID: "vault-id",
- }
- ref := v1alpha1.PushSecretData{
- Match: v1alpha1.PushSecretMatch{
- SecretKey: "key",
- RemoteRef: v1alpha1.PushSecretRemoteRef{RemoteKey: "item", Property: "field"},
- },
- }
- if tt.metadataJSON != "" {
- raw := apiextensionsv1.JSON{Raw: []byte(tt.metadataJSON)}
- ref.Metadata = &raw
- }
- secret := &corev1.Secret{
- Data: map[string][]byte{"key": []byte("value")},
- }
- err := p.PushSecret(t.Context(), secret, ref)
- require.NoError(t, err)
- require.True(t, fl.createCalled, "Create should have been called")
- assert.Equal(t, tt.wantFieldType, fl.createdFieldType)
- })
- }
- }
- func TestUpdateFieldValueChangesFieldType(t *testing.T) {
- // Regression test: updateFieldValue must update FieldType when spec.fieldType changes,
- // not only when Value changes.
- fields := []onepassword.ItemField{
- {Title: "myfield", Value: "secret", FieldType: onepassword.ItemFieldTypeConcealed},
- }
- updated, err := updateFieldValue(fields, "myfield", "secret", onepassword.ItemFieldTypeText)
- require.NoError(t, err)
- require.Len(t, updated, 1)
- assert.Equal(t, onepassword.ItemFieldTypeText, updated[0].FieldType, "FieldType should be updated even when Value is unchanged")
- assert.Equal(t, "secret", updated[0].Value)
- }
- func TestGenerateNewItemFieldHasNonEmptyID(t *testing.T) {
- // Regression test: fields created without an ID cause "duplicate field ids" errors
- // when two PushSecret data entries target the same 1Password item.
- // See: generateNewItemField must always produce a non-empty ID.
- tests := []struct {
- title string
- fieldType onepassword.ItemFieldType
- }{
- {"password", onepassword.ItemFieldTypeConcealed},
- {"api-endpoint", onepassword.ItemFieldTypeURL},
- {"username", onepassword.ItemFieldTypeText},
- }
- for _, tt := range tests {
- field := generateNewItemField(tt.title, "value", tt.fieldType)
- assert.NotEmpty(t, field.ID, "field ID must be non-empty to avoid duplicate ID errors on Put")
- assert.Equal(t, tt.title, field.Title)
- assert.Equal(t, "value", field.Value)
- }
- }
- func TestNormalizeItemFields(t *testing.T) {
- // Regression test: fields fetched from 1Password can have SectionID pointing to ""
- // instead of nil. The SDK rejects Put when a field references a section ID that
- // doesn't exist in item.Sections — even an empty-string pointer triggers this.
- emptyStr := ""
- realSection := "extra"
- fields := []onepassword.ItemField{
- {ID: "a", Title: "a", SectionID: &emptyStr},
- {ID: "b", Title: "b", SectionID: nil},
- {ID: "c", Title: "c", SectionID: &realSection},
- }
- got := normalizeItemFields(fields)
- assert.Nil(t, got[0].SectionID, "empty-string SectionID should be normalized to nil")
- assert.Nil(t, got[1].SectionID, "nil SectionID should remain nil")
- assert.Equal(t, &realSection, got[2].SectionID, "non-empty SectionID should be unchanged")
- }
- func TestIsNativeID(t *testing.T) {
- tests := []struct {
- name string
- input string
- expected bool
- }{
- {"valid native ID", "gdpvdudxrico74msloimk7qjna", true},
- {"valid native ID all letters", "abcdefghijklmnopqrstuvwxyz", true},
- {"valid native ID with digits", "abcdefghij0123456789abcdef", true},
- {"too short", "gdpvdudxrico74msloimk7qjn", false},
- {"too long", "gdpvdudxrico74msloimk7qjnaa", false},
- {"empty string", "", false},
- {"contains uppercase", "Gdpvdudxrico74msloimk7qjna", false},
- {"contains special char", "gdpvdudxrico7-msloimk7qjna", false},
- {"RFC 4122 UUID", "687adbe7-e6d2-4059-9a62-dbb95d291143", false},
- {"item title", "My App (Production)", false},
- }
- for _, tt := range tests {
- t.Run(tt.name, func(t *testing.T) {
- got := isNativeID(tt.input)
- if got != tt.expected {
- t.Errorf("isNativeID(%q) = %v, want %v", tt.input, got, tt.expected)
- }
- })
- }
- }
- func TestGetAllSecrets(t *testing.T) {
- item1 := onepassword.Item{
- ID: "item-1",
- Title: "key1",
- Category: "login",
- VaultID: "vault-id",
- Tags: []string{"tag1"},
- Fields: []onepassword.ItemField{
- {
- ID: "field-1",
- Title: "username",
- FieldType: onepassword.ItemFieldTypeConcealed,
- Value: "testuser",
- },
- {
- ID: "field-2",
- Title: "password",
- FieldType: onepassword.ItemFieldTypeConcealed,
- Value: "testpass",
- },
- },
- }
- item2 := onepassword.Item{
- ID: "item-2",
- Title: "key2",
- Category: "login",
- VaultID: "vault-id",
- Tags: []string{"tag2"},
- Fields: []onepassword.ItemField{
- {
- ID: "field-3",
- Title: "db-host",
- FieldType: onepassword.ItemFieldTypeConcealed,
- Value: "testdb",
- },
- },
- }
- item3 := onepassword.Item{
- ID: "item-3",
- Title: "file1",
- Category: "login",
- VaultID: "vault-id",
- Tags: []string{"tag1"},
- Files: []onepassword.ItemFile{
- {
- Attributes: onepassword.FileAttributes{
- Name: "certfile",
- ID: "file-id",
- },
- FieldID: "field-4",
- },
- },
- }
- createLister := func(items ...onepassword.Item) *statefulFakeLister {
- fl := &statefulFakeLister{
- items: make(map[string]onepassword.Item),
- fileLister: &fakeFileLister{
- readContent: []byte("content"),
- },
- }
- for _, it := range items {
- fl.items[it.ID] = it
- fl.listAllResult = append(fl.listAllResult, onepassword.ItemOverview{
- ID: it.ID,
- Title: it.Title,
- VaultID: it.VaultID,
- Tags: it.Tags,
- })
- }
- return fl
- }
- tests := []struct {
- name string
- ref v1.ExternalSecretFind
- want map[string][]byte
- assertError func(t *testing.T, err error)
- client func() *onepassword.Client
- }{
- {
- name: "returns all fields and files from all items",
- client: func() *onepassword.Client {
- return &onepassword.Client{
- SecretsAPI: &fakeClient{},
- VaultsAPI: &fakeClient{},
- ItemsAPI: createLister(item1, item2, item3),
- }
- },
- assertError: func(t *testing.T, err error) {
- require.NoError(t, err)
- },
- ref: v1.ExternalSecretFind{},
- want: map[string][]byte{
- "username": []byte("testuser"),
- "password": []byte("testpass"),
- "db-host": []byte("testdb"),
- "certfile": []byte("content"),
- },
- },
- {
- name: "filters items by path",
- client: func() *onepassword.Client {
- return &onepassword.Client{
- SecretsAPI: &fakeClient{},
- VaultsAPI: &fakeClient{},
- ItemsAPI: createLister(item1, item2, item3),
- }
- },
- assertError: func(t *testing.T, err error) {
- require.NoError(t, err)
- },
- ref: v1.ExternalSecretFind{
- Path: &item1.Title,
- },
- want: map[string][]byte{
- "username": []byte("testuser"),
- "password": []byte("testpass"),
- },
- },
- {
- name: "filters items by tag",
- client: func() *onepassword.Client {
- return &onepassword.Client{
- SecretsAPI: &fakeClient{},
- VaultsAPI: &fakeClient{},
- ItemsAPI: createLister(item1, item2, item3),
- }
- },
- assertError: func(t *testing.T, err error) {
- require.NoError(t, err)
- },
- ref: v1.ExternalSecretFind{
- Tags: map[string]string{"tag1": "true"},
- },
- want: map[string][]byte{
- "username": []byte("testuser"),
- "password": []byte("testpass"),
- "certfile": []byte("content"),
- },
- },
- {
- name: "filters fields by name regex",
- client: func() *onepassword.Client {
- return &onepassword.Client{
- SecretsAPI: &fakeClient{},
- VaultsAPI: &fakeClient{},
- ItemsAPI: createLister(item1, item2, item3),
- }
- },
- assertError: func(t *testing.T, err error) {
- require.NoError(t, err)
- },
- ref: v1.ExternalSecretFind{
- Name: &v1.FindName{RegExp: "e"},
- },
- want: map[string][]byte{
- "username": []byte("testuser"),
- "certfile": []byte("content"),
- },
- },
- {
- name: "returns error on duplicate field name",
- client: func() *onepassword.Client {
- item2dup := onepassword.Item{
- ID: "item-2-dup",
- Title: "key2-dup",
- Category: "login",
- VaultID: "vault-id",
- Tags: []string{"tag2"},
- Fields: []onepassword.ItemField{
- {
- ID: "field-3-dup",
- Title: "db-host",
- FieldType: onepassword.ItemFieldTypeConcealed,
- Value: "testdb-dup",
- },
- },
- }
- return &onepassword.Client{
- SecretsAPI: &fakeClient{},
- VaultsAPI: &fakeClient{},
- ItemsAPI: createLister(item2, item2dup),
- }
- },
- assertError: func(t *testing.T, err error) {
- require.ErrorContains(t, err, "found multiple labels with the same key")
- },
- ref: v1.ExternalSecretFind{},
- },
- {
- name: "returns error on duplicate file name",
- client: func() *onepassword.Client {
- item3dup := onepassword.Item{
- ID: "item-3",
- Title: "file1-dup",
- Category: "login",
- VaultID: "vault-id",
- Tags: []string{"tag1"},
- Files: []onepassword.ItemFile{
- {
- Attributes: onepassword.FileAttributes{
- Name: "certfile",
- ID: "file-id-dup",
- },
- FieldID: "field-4-dup",
- },
- },
- }
- return &onepassword.Client{
- SecretsAPI: &fakeClient{},
- VaultsAPI: &fakeClient{},
- ItemsAPI: createLister(item3, item3dup),
- }
- },
- assertError: func(t *testing.T, err error) {
- require.ErrorContains(t, err, "found multiple labels with the same key")
- },
- ref: v1.ExternalSecretFind{},
- },
- {
- name: "returns error if field name matches file name",
- client: func() *onepassword.Client {
- item2filedup := onepassword.Item{
- ID: "item-2-dup",
- Title: "key2-dup",
- Category: "login",
- VaultID: "vault-id",
- Tags: []string{"tag1"},
- Files: []onepassword.ItemFile{
- {
- Attributes: onepassword.FileAttributes{
- Name: "db-host",
- ID: "file-id-dup",
- },
- FieldID: "field-3-dup",
- },
- },
- }
- return &onepassword.Client{
- SecretsAPI: &fakeClient{},
- VaultsAPI: &fakeClient{},
- ItemsAPI: createLister(item2, item2filedup),
- }
- },
- assertError: func(t *testing.T, err error) {
- require.ErrorContains(t, err, "found multiple labels with the same key")
- },
- ref: v1.ExternalSecretFind{},
- },
- {
- name: "returns error when list fails",
- client: func() *onepassword.Client {
- fl := &fakeLister{listAllResult: nil}
- fl.listErr = errors.New("list error")
- return &onepassword.Client{
- SecretsAPI: &fakeClient{},
- VaultsAPI: &fakeClient{},
- ItemsAPI: fl,
- }
- },
- assertError: func(t *testing.T, err error) {
- require.ErrorContains(t, err, "list error")
- },
- ref: v1.ExternalSecretFind{},
- },
- {
- name: "returns error when get fails",
- client: func() *onepassword.Client {
- fl := &fakeLister{
- listAllResult: []onepassword.ItemOverview{{ID: "item-1", Title: "app-secrets", VaultID: "vault-id"}},
- getErr: errors.New("get error"),
- }
- return &onepassword.Client{
- SecretsAPI: &fakeClient{},
- VaultsAPI: &fakeClient{},
- ItemsAPI: fl,
- }
- },
- assertError: func(t *testing.T, err error) {
- require.ErrorContains(t, err, "get error")
- },
- ref: v1.ExternalSecretFind{},
- },
- }
- for _, tt := range tests {
- t.Run(tt.name, func(t *testing.T) {
- p := &SecretsClient{
- client: tt.client(),
- vaultPrefix: "op://vault/",
- }
- got, err := p.GetAllSecrets(t.Context(), tt.ref)
- tt.assertError(t, err)
- require.Equal(t, tt.want, got)
- })
- }
- }
- func TestCachingGetAllSecrets(t *testing.T) {
- item1 := onepassword.Item{
- ID: "item1aaaaaaaaaaaaaaaaaaaaa",
- Title: "key1",
- Category: "login",
- VaultID: "vault-id",
- Tags: []string{"tag1"},
- Fields: []onepassword.ItemField{
- {
- ID: "field1aaaaaaaaaaaaaaaaaaaa",
- Title: "username",
- FieldType: onepassword.ItemFieldTypeConcealed,
- Value: "testuser",
- },
- {
- ID: "field2aaaaaaaaaaaaaaaaaaaa",
- Title: "password",
- FieldType: onepassword.ItemFieldTypeConcealed,
- Value: "testpass",
- },
- },
- }
- item2 := onepassword.Item{
- ID: "item2bbbbbbbbbbbbbbbbbbbbb",
- Title: "file1",
- Category: "login",
- VaultID: "vault-id",
- Tags: []string{"tag2"},
- Files: []onepassword.ItemFile{
- {
- Attributes: onepassword.FileAttributes{
- Name: "certfile",
- ID: "item2filebbbbbbbbbbbbbbbbb",
- },
- FieldID: "field3bbbbbbbbbbbbbbbbbbbb",
- },
- },
- }
- createLister := func(items ...onepassword.Item) *statefulFakeListerWithCounter {
- fl := &statefulFakeListerWithCounter{
- statefulFakeLister: &statefulFakeLister{
- items: make(map[string]onepassword.Item),
- fileLister: &fakeFileListerWithCounter{
- fakeFileLister: &fakeFileLister{
- readContent: []byte("content"),
- },
- },
- },
- }
- for _, it := range items {
- fl.items[it.ID] = it
- fl.listAllResult = append(fl.listAllResult, onepassword.ItemOverview{
- ID: it.ID,
- Title: it.Title,
- VaultID: it.VaultID,
- Tags: it.Tags,
- })
- }
- return fl
- }
- newCachedClient := func(fl *statefulFakeListerWithCounter) *SecretsClient {
- fc := &fakeClientWithCounter{
- fakeClient: &fakeClient{
- listAllResult: []onepassword.VaultOverview{{ID: "vault-id", Title: "vault"}},
- resolveResult: "testpass",
- },
- }
- return &SecretsClient{
- client: &onepassword.Client{SecretsAPI: fc, VaultsAPI: fc, ItemsAPI: fl},
- vaultID: "vault-id",
- cache: expirable.NewLRU[string, []byte](100, nil, time.Minute),
- }
- }
- t.Run("second GetAllSecrets call does not re-fetch item list from API", func(t *testing.T) {
- fl := createLister(item1, item2)
- p := newCachedClient(fl)
- find := v1.ExternalSecretFind{}
- _, err := p.GetAllSecrets(t.Context(), find)
- require.NoError(t, err)
- // There can be quite a few list calls depending on the items, so we'll just make sure
- // at least one was made, and that the count doesn't increase on the second call.
- assert.NotZero(t, fl.listCallCount, "first call should list from API")
- previousCallCount := fl.listCallCount
- _, err = p.GetAllSecrets(t.Context(), find)
- require.NoError(t, err)
- assert.Equal(t, previousCallCount, fl.listCallCount, "second call should use item cache, not re-fetch list from API")
- })
- t.Run("second GetAllSecrets call does not re-fetch items from API", func(t *testing.T) {
- fl := createLister(item1)
- p := newCachedClient(fl)
- find := v1.ExternalSecretFind{}
- _, err := p.GetAllSecrets(t.Context(), find)
- require.NoError(t, err)
- assert.Equal(t, 1, fl.getCallCount, "first call should fetch from API")
- _, err = p.GetAllSecrets(t.Context(), find)
- require.NoError(t, err)
- assert.Equal(t, 1, fl.getCallCount, "second call should use item cache, not re-fetch")
- })
- t.Run("second GetAllSecrets call does not re-read files from API", func(t *testing.T) {
- fl := createLister(item2)
- ffl := fl.fileLister.(*fakeFileListerWithCounter)
- p := newCachedClient(fl)
- find := v1.ExternalSecretFind{}
- _, err := p.GetAllSecrets(t.Context(), find)
- require.NoError(t, err)
- assert.Equal(t, 1, ffl.readCallCount, "first call should read file from API")
- _, err = p.GetAllSecrets(t.Context(), find)
- require.NoError(t, err)
- assert.Equal(t, 1, ffl.readCallCount, "second call should use file cache, not re-read")
- })
- t.Run("item fetched by GetAllSecrets is reused by GetSecretMap", func(t *testing.T) {
- fl := createLister(item1)
- p := newCachedClient(fl)
- want := map[string][]byte{"username": []byte("testuser"), "password": []byte("testpass")}
- got, err := p.GetAllSecrets(t.Context(), v1.ExternalSecretFind{})
- require.NoError(t, err)
- assert.Equal(t, 1, fl.getCallCount, "GetAllSecrets fetches item once")
- assert.Equal(t, want, got, "GetAllSecrets should return expected secrets")
- got, err = p.GetSecretMap(t.Context(), v1.ExternalSecretDataRemoteRef{Key: item1.Title})
- require.NoError(t, err)
- assert.Equal(t, 1, fl.getCallCount, "GetSecretMap should use cached item from GetAllSecrets")
- assert.Equal(t, want, got, "GetSecretMap should return expected secrets")
- want = map[string][]byte{"username": []byte("testuser")}
- got, err = p.GetSecretMap(t.Context(), v1.ExternalSecretDataRemoteRef{Key: item1.Title, Property: "username"})
- require.NoError(t, err)
- assert.Equal(t, 1, fl.getCallCount, "GetSecretMap with Property should use cached item from GetAllSecrets")
- assert.Equal(t, want, got, "GetSecretMap with Property should return expected secrets")
- })
- t.Run("item fetched by GetAllSecrets is reused by GetSecret", func(t *testing.T) {
- fl := createLister(item1)
- p := newCachedClient(fl)
- fc := p.client.SecretsAPI.(*fakeClientWithCounter)
- wantAllSecrets := map[string][]byte{"username": []byte("testuser"), "password": []byte("testpass")}
- gotAllSecrets, err := p.GetAllSecrets(t.Context(), v1.ExternalSecretFind{})
- require.NoError(t, err)
- assert.Equal(t, 1, fl.getCallCount, "GetAllSecrets fetches item once")
- assert.Equal(t, 0, fc.resolveCallCount, "GetAllSecrets should not call Resolve")
- assert.Equal(t, wantAllSecrets, gotAllSecrets, "GetAllSecrets should return expected secrets")
- wantSecret := []byte("testpass")
- gotSecret, err := p.GetSecret(t.Context(), v1.ExternalSecretDataRemoteRef{Key: fmt.Sprintf("%s/password", item1.Title)})
- require.NoError(t, err)
- assert.Equal(t, 1, fl.getCallCount, "GetSecret should use cached item from GetAllSecrets")
- assert.Equal(t, 0, fc.resolveCallCount, "GetSecret should not call Resolve due to cached value")
- assert.Equal(t, wantSecret, gotSecret, "GetSecret should return expected secrets")
- })
- }
- func TestPushAllKeys(t *testing.T) {
- const (
- testExistingItem = "existing-item"
- testOldKey = "old-key"
- )
- fc := &fakeClient{listAllResult: []onepassword.VaultOverview{{ID: "vault-id", Title: "vault"}}}
- existingItem := onepassword.Item{
- ID: "item-id", Title: testExistingItem, VaultID: "vault-id",
- Fields: []onepassword.ItemField{
- {ID: testOldKey, Title: testOldKey, Value: "old-val", FieldType: onepassword.ItemFieldTypeConcealed},
- },
- }
- newLister := func(existing ...onepassword.Item) *fakeLister {
- fl := &fakeLister{listAllResult: []onepassword.ItemOverview{}}
- if len(existing) > 0 {
- fl.getResult = existing[0]
- fl.listAllResult = []onepassword.ItemOverview{{ID: existing[0].ID, Title: existing[0].Title, VaultID: existing[0].VaultID}}
- }
- return fl
- }
- fieldsMap := func(fields []onepassword.ItemField) map[string]onepassword.ItemField {
- m := make(map[string]onepassword.ItemField, len(fields))
- for _, f := range fields {
- m[f.Title] = f
- }
- return m
- }
- ref := func(key, remoteKey string, meta ...string) v1alpha1.PushSecretData {
- d := v1alpha1.PushSecretData{Match: v1alpha1.PushSecretMatch{SecretKey: key, RemoteRef: v1alpha1.PushSecretRemoteRef{RemoteKey: remoteKey}}}
- if len(meta) > 0 {
- raw := apiextensionsv1.JSON{Raw: []byte(meta[0])}
- d.Metadata = &raw
- }
- return d
- }
- secret := func(kv ...string) *corev1.Secret {
- s := &corev1.Secret{Data: map[string][]byte{}}
- for i := 0; i+1 < len(kv); i += 2 {
- s.Data[kv[i]] = []byte(kv[i+1])
- }
- return s
- }
- t.Run("creates new item with all secret keys as concealed fields", func(t *testing.T) {
- fl := newLister()
- p := &SecretsClient{client: &onepassword.Client{SecretsAPI: fc, VaultsAPI: fc, ItemsAPI: fl}, vaultID: "vault-id"}
- require.NoError(t, p.PushSecret(t.Context(), secret("alpha", "val-alpha", "beta", "val-beta"), ref("", "my-item")))
- require.True(t, fl.createCalled)
- assert.False(t, fl.putCalled)
- fm := fieldsMap(fl.createdParams.Fields)
- assert.Equal(t, "val-alpha", fm["alpha"].Value)
- assert.Equal(t, onepassword.ItemFieldTypeConcealed, fm["alpha"].FieldType)
- assert.Equal(t, "val-beta", fm["beta"].Value)
- })
- t.Run("updates existing item with all secret keys", func(t *testing.T) {
- fl := newLister(onepassword.Item{ID: "item-id", Title: testExistingItem, VaultID: "vault-id"})
- p := &SecretsClient{client: &onepassword.Client{SecretsAPI: fc, VaultsAPI: fc, ItemsAPI: fl}, vaultID: "vault-id"}
- require.NoError(t, p.PushSecret(t.Context(), secret("key1", "value1", "key2", "value2"), ref("", testExistingItem)))
- assert.False(t, fl.createCalled)
- require.True(t, fl.putCalled)
- fm := fieldsMap(fl.putItem.Fields)
- assert.Equal(t, "value1", fm["key1"].Value)
- assert.Equal(t, "value2", fm["key2"].Value)
- })
- t.Run("applies tags from metadata on create", func(t *testing.T) {
- fl := newLister()
- p := &SecretsClient{client: &onepassword.Client{SecretsAPI: fc, VaultsAPI: fc, ItemsAPI: fl}, vaultID: "vault-id"}
- meta := `{"apiVersion":"kubernetes.external-secrets.io/v1alpha1","kind":"PushSecretMetadata","spec":{"tags":["env:prod","team:backend"]}}`
- require.NoError(t, p.PushSecret(t.Context(), secret("k", "v"), ref("", "tagged-item", meta)))
- require.True(t, fl.createCalled)
- assert.Equal(t, []string{"env:prod", "team:backend"}, fl.createdParams.Tags)
- })
- t.Run("removes fields deleted from the secret", func(t *testing.T) {
- fl := newLister(existingItem) // existingItem has field testOldKey
- p := &SecretsClient{client: &onepassword.Client{SecretsAPI: fc, VaultsAPI: fc, ItemsAPI: fl}, vaultID: "vault-id"}
- // secret no longer contains testOldKey, only "new-key"
- require.NoError(t, p.PushSecret(t.Context(), secret("new-key", "new-val"), ref("", testExistingItem)))
- require.True(t, fl.putCalled)
- fm := fieldsMap(fl.putItem.Fields)
- assert.Equal(t, "new-val", fm["new-key"].Value, "new field must be added")
- _, stillThere := fm[testOldKey]
- assert.False(t, stillThere, "deleted key must be removed from the 1Password item")
- })
- }
|