mirror of
https://github.com/SAP/jenkins-library.git
synced 2025-01-04 04:07:16 +02:00
177 lines
4.8 KiB
Go
177 lines
4.8 KiB
Go
|
package vault
|
||
|
|
||
|
import (
|
||
|
"strings"
|
||
|
"testing"
|
||
|
|
||
|
"github.com/stretchr/testify/mock"
|
||
|
|
||
|
mocks "github.com/SAP/jenkins-library/pkg/vault/mocks"
|
||
|
|
||
|
"github.com/hashicorp/vault/api"
|
||
|
"github.com/stretchr/testify/assert"
|
||
|
)
|
||
|
|
||
|
type SecretData = map[string]interface{}
|
||
|
|
||
|
const (
|
||
|
sysLookupPath = "sys/internal/ui/mounts/"
|
||
|
)
|
||
|
|
||
|
func TestGetKV2Secret(t *testing.T) {
|
||
|
|
||
|
t.Run("Test missing secret", func(t *testing.T) {
|
||
|
vaultMock := &mocks.VaultMock{}
|
||
|
client := Client{vaultMock}
|
||
|
setupMockKvV2(vaultMock)
|
||
|
vaultMock.On("Read", "secret/data/notexist").Return(nil, nil)
|
||
|
secret, err := client.GetKvSecret("secret/notexist")
|
||
|
assert.NoError(t, err, "Missing secret should not an error")
|
||
|
assert.Nil(t, secret)
|
||
|
})
|
||
|
|
||
|
t.Run("Test parsing KV2 secrets", func(t *testing.T) {
|
||
|
t.Parallel()
|
||
|
const secretAPIPath = "secret/data/test"
|
||
|
const secretName = "secret/test"
|
||
|
t.Run("Getting secret from KV engine (v2)", func(t *testing.T) {
|
||
|
vaultMock := &mocks.VaultMock{}
|
||
|
setupMockKvV2(vaultMock)
|
||
|
client := Client{vaultMock}
|
||
|
vaultMock.On("Read", secretAPIPath).Return(kv2Secret(SecretData{"key1": "value1"}), nil)
|
||
|
secret, err := client.GetKvSecret(secretName)
|
||
|
assert.NoError(t, err, "Expect GetKvSecret to succeed")
|
||
|
assert.Equal(t, "value1", secret["key1"])
|
||
|
|
||
|
})
|
||
|
|
||
|
t.Run("error is thrown when 'data' field can't be parsed", func(t *testing.T) {
|
||
|
vaultMock := &mocks.VaultMock{}
|
||
|
setupMockKvV2(vaultMock)
|
||
|
client := Client{vaultMock}
|
||
|
vaultMock.On("Read", secretAPIPath).Return(kv2Secret(SecretData{"key1": "value1", "key2": 5}), nil)
|
||
|
secret, err := client.GetKvSecret(secretName)
|
||
|
assert.Error(t, err, "Excpected to fail since value is wrong data type")
|
||
|
assert.Nil(t, secret)
|
||
|
|
||
|
})
|
||
|
|
||
|
t.Run("error is thrown when data field is missing", func(t *testing.T) {
|
||
|
vaultMock := &mocks.VaultMock{}
|
||
|
setupMockKvV2(vaultMock)
|
||
|
client := Client{vaultMock}
|
||
|
vaultMock.On("Read", secretAPIPath).Return(kv1Secret(SecretData{"key1": "value1"}), nil)
|
||
|
secret, err := client.GetKvSecret(secretName)
|
||
|
assert.Error(t, err, "Expected to fail since 'data' field is missing")
|
||
|
assert.Nil(t, secret)
|
||
|
})
|
||
|
})
|
||
|
}
|
||
|
|
||
|
func TestGetKV1Secret(t *testing.T) {
|
||
|
t.Parallel()
|
||
|
|
||
|
const secretName = "secret/test"
|
||
|
|
||
|
t.Run("Test missing secret", func(t *testing.T) {
|
||
|
vaultMock := &mocks.VaultMock{}
|
||
|
setupMockKvV1(vaultMock)
|
||
|
client := Client{vaultMock}
|
||
|
|
||
|
vaultMock.On("Read", mock.AnythingOfType("string")).Return(nil, nil)
|
||
|
secret, err := client.GetKvSecret("secret/notexist")
|
||
|
assert.NoError(t, err, "Missing secret should not an error")
|
||
|
assert.Nil(t, secret)
|
||
|
})
|
||
|
|
||
|
t.Run("Test parsing KV1 secrets", func(t *testing.T) {
|
||
|
vaultMock := &mocks.VaultMock{}
|
||
|
setupMockKvV1(vaultMock)
|
||
|
client := Client{vaultMock}
|
||
|
|
||
|
vaultMock.On("Read", secretName).Return(kv1Secret(SecretData{"key1": "value1"}), nil)
|
||
|
secret, err := client.GetKvSecret(secretName)
|
||
|
assert.NoError(t, err)
|
||
|
assert.Equal(t, "value1", secret["key1"])
|
||
|
})
|
||
|
|
||
|
t.Run("Test parsing KV1 secrets", func(t *testing.T) {
|
||
|
vaultMock := &mocks.VaultMock{}
|
||
|
setupMockKvV1(vaultMock)
|
||
|
vaultMock.On("Read", secretName).Return(kv1Secret(SecretData{"key1": 5}), nil)
|
||
|
client := Client{vaultMock}
|
||
|
|
||
|
secret, err := client.GetKvSecret(secretName)
|
||
|
assert.Error(t, err)
|
||
|
assert.Nil(t, secret)
|
||
|
|
||
|
})
|
||
|
}
|
||
|
|
||
|
func TestUnknownKvVersion(t *testing.T) {
|
||
|
vaultMock := &mocks.VaultMock{}
|
||
|
client := Client{vaultMock}
|
||
|
|
||
|
vaultMock.On("Read", "sys/internal/ui/mounts/secret/secret").Return(&api.Secret{
|
||
|
Data: map[string]interface{}{
|
||
|
"path": "secret",
|
||
|
"options": map[string]interface{}{
|
||
|
"version": "3",
|
||
|
},
|
||
|
}}, nil)
|
||
|
|
||
|
secret, err := client.GetKvSecret("/secret/secret")
|
||
|
assert.EqualError(t, err, "KV Engine in version 3 is currently not supported")
|
||
|
assert.Nil(t, secret)
|
||
|
|
||
|
}
|
||
|
|
||
|
func setupMockKvV2(vaultMock *mocks.VaultMock) {
|
||
|
vaultMock.On("Read", mock.MatchedBy(func(path string) bool {
|
||
|
return strings.HasPrefix(path, sysLookupPath)
|
||
|
})).Return(func(path string) *api.Secret {
|
||
|
pathComponents := strings.Split(strings.TrimPrefix(path, "sys/internal/ui/mounts/"), "/")
|
||
|
mountpath := "/"
|
||
|
if len(pathComponents) > 1 {
|
||
|
mountpath = pathComponents[0]
|
||
|
}
|
||
|
return &api.Secret{
|
||
|
Data: map[string]interface{}{
|
||
|
"path": mountpath,
|
||
|
"options": map[string]interface{}{
|
||
|
"version": "2",
|
||
|
},
|
||
|
},
|
||
|
}
|
||
|
}, nil)
|
||
|
}
|
||
|
|
||
|
func setupMockKvV1(vaultMock *mocks.VaultMock) {
|
||
|
vaultMock.On("Read", mock.MatchedBy(func(path string) bool {
|
||
|
return strings.HasPrefix(path, sysLookupPath)
|
||
|
})).Return(func(path string) *api.Secret {
|
||
|
pathComponents := strings.Split(strings.TrimPrefix(path, "sys/internal/ui/mounts/"), "/")
|
||
|
mountpath := "/"
|
||
|
if len(pathComponents) > 1 {
|
||
|
mountpath = pathComponents[0]
|
||
|
}
|
||
|
return &api.Secret{
|
||
|
Data: map[string]interface{}{
|
||
|
"path": mountpath,
|
||
|
},
|
||
|
}
|
||
|
}, nil)
|
||
|
}
|
||
|
|
||
|
func kv1Secret(data SecretData) *api.Secret {
|
||
|
return &api.Secret{
|
||
|
Data: data,
|
||
|
}
|
||
|
}
|
||
|
|
||
|
func kv2Secret(data SecretData) *api.Secret {
|
||
|
return &api.Secret{
|
||
|
Data: SecretData{"data": data},
|
||
|
}
|
||
|
}
|