diff --git a/pkg/provider/yandex/lockbox/lockbox_test.go b/pkg/provider/yandex/lockbox/lockbox_test.go
index 8e27ce9fe..eb87ee5f1 100644
--- a/pkg/provider/yandex/lockbox/lockbox_test.go
+++ b/pkg/provider/yandex/lockbox/lockbox_test.go
@@ -131,11 +131,7 @@ func TestGetSecretForAllEntries(t *testing.T) {
 })
 secretsClient, err := provider.NewClient(ctx, store, k8sClient, namespace)
 tassert.Nil(t, err)
- data, err := secretsClient.GetSecret(ctx, esv1alpha1.ExternalSecretDataRemoteRef{
- Extract: esv1alpha1.ExternalSecretExtract{
- Key: secretID,
- },
- })
+ data, err := secretsClient.GetSecret(ctx, getRemoteDef(secretID, "", ""))
 tassert.Nil(t, err)
 tassert.Equal(
@@ -173,12 +169,7 @@ func TestGetSecretForTextEntry(t *testing.T) {
 })
 secretsClient, err := provider.NewClient(ctx, store, k8sClient, namespace)
 tassert.Nil(t, err)
- data, err := secretsClient.GetSecret(ctx, esv1alpha1.ExternalSecretDataRemoteRef{
- Extract: esv1alpha1.ExternalSecretExtract{
- Key: secretID,
- Property: k1,
- },
- })
+ data, err := secretsClient.GetSecret(ctx, getRemoteDef(secretID, k1, ""))
 tassert.Nil(t, err)
 tassert.Equal(t, v1, string(data))
@@ -209,12 +200,7 @@ func TestGetSecretForBinaryEntry(t *testing.T) {
 })
 secretsClient, err := provider.NewClient(ctx, store, k8sClient, namespace)
 tassert.Nil(t, err)
- data, err := secretsClient.GetSecret(ctx, esv1alpha1.ExternalSecretDataRemoteRef{
- Extract: esv1alpha1.ExternalSecretExtract{
- Key: secretID,
- Property: k2,
- },
- })
+ data, err := secretsClient.GetSecret(ctx, getRemoteDef(secretID, k2, ""))
 tassert.Nil(t, err)
 tassert.Equal(t, v2, data)
@@ -243,12 +229,7 @@ func TestGetSecretByVersionID(t *testing.T) {
 })
 secretsClient, err := provider.NewClient(ctx, store, k8sClient, namespace)
 tassert.Nil(t, err)
- data, err := secretsClient.GetSecret(ctx, esv1alpha1.ExternalSecretDataRemoteRef{
- Extract: esv1alpha1.ExternalSecretExtract{
- Key: secretID,
- Version: oldVersionID,
- },
- })
+ data, err := secretsClient.GetSecret(ctx, getRemoteDef(secretID, "", oldVersionID))
 tassert.Nil(t, err)
 tassert.Equal(t, map[string]string{oldKey: oldVal}, unmarshalStringMap(t, data))
@@ -258,21 +239,11 @@ func TestGetSecretByVersionID(t *testing.T) {
 textEntry(newKey, newVal),
 )
- data, err = secretsClient.GetSecret(ctx, esv1alpha1.ExternalSecretDataRemoteRef{
- Extract: esv1alpha1.ExternalSecretExtract{
- Key: secretID,
- Version: oldVersionID,
- },
- })
+ data, err = secretsClient.GetSecret(ctx, getRemoteDef(secretID, "", oldVersionID))
 tassert.Nil(t, err)
 tassert.Equal(t, map[string]string{oldKey: oldVal}, unmarshalStringMap(t, data))
- data, err = secretsClient.GetSecret(ctx, esv1alpha1.ExternalSecretDataRemoteRef{
- Extract: esv1alpha1.ExternalSecretExtract{
- Key: secretID,
- Version: newVersionID,
- },
- })
+ data, err = secretsClient.GetSecret(ctx, getRemoteDef(secretID, "", newVersionID))
 tassert.Nil(t, err)
 tassert.Equal(t, map[string]string{newKey: newVal}, unmarshalStringMap(t, data))
 }
@@ -300,11 +271,7 @@ func TestGetSecretUnauthorized(t *testing.T) {
 })
 secretsClient, err := provider.NewClient(ctx, store, k8sClient, namespace)
 tassert.Nil(t, err)
- _, err = secretsClient.GetSecret(ctx, esv1alpha1.ExternalSecretDataRemoteRef{
- Extract: esv1alpha1.ExternalSecretExtract{
- Key: secretID,
- },
- })
+ _, err = secretsClient.GetSecret(ctx, getRemoteDef(secretID, "", ""))
 tassert.EqualError(t, err, errSecretPayloadPermissionDenied)
 }
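Review bot: The denial path in TestGetSecretUnauthorized (hunk -300/+271) still discards the returned payload with `_, err = secretsClient.GetSecret(...)`, so the test would pass even if GetSecret handed back secret bytes together with the permission-denied error. TestGetSecretWithTwoNamespaces already checks `tassert.Nil(t, data)` on its denied calls; the same pattern here, `data, err := secretsClient.GetSecret(ctx, getRemoteDef(secretID, "", ""))` followed by `tassert.Nil(t, data)`, would pin that nothing is returned on failure. The two error-path calls in TestGetSecretNotFound (hunk -327/+294) have the same gap. Both function bodies begin outside their hunks.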
@@ -327,22 +294,13 @@ func TestGetSecretNotFound(t *testing.T) {
 })
 secretsClient, err := provider.NewClient(ctx, store, k8sClient, namespace)
 tassert.Nil(t, err)
- _, err = secretsClient.GetSecret(ctx, esv1alpha1.ExternalSecretDataRemoteRef{
- Extract: esv1alpha1.ExternalSecretExtract{
- Key: "no-secret-with-this-id",
- },
- })
+ _, err = secretsClient.GetSecret(ctx, getRemoteDef("no-secret-with-this-id", "", ""))
 tassert.EqualError(t, err, errSecretPayloadNotFound)
 secretID, _ := lockboxBackend.CreateSecret(authorizedKey,
 textEntry("k1", "v1"),
 )
- _, err = secretsClient.GetSecret(ctx, esv1alpha1.ExternalSecretDataRemoteRef{
- Extract: esv1alpha1.ExternalSecretExtract{
- Key: secretID,
- Version: "no-version-with-this-id",
- },
- })
+ _, err = secretsClient.GetSecret(ctx, getRemoteDef(secretID, "", "no-version-with-this-id"))
 tassert.EqualError(t, err, "unable to request secret payload to get secret: version not found")
 }
@@ -381,37 +339,17 @@ func TestGetSecretWithTwoNamespaces(t *testing.T) {
 secretsClient2, err := provider.NewClient(ctx, store2, k8sClient, namespace2)
 tassert.Nil(t, err)
- data, err := secretsClient1.GetSecret(ctx, esv1alpha1.ExternalSecretDataRemoteRef{
- Extract: esv1alpha1.ExternalSecretExtract{
- Key: secretID1,
- Property: k1,
- },
- })
+ data, err := secretsClient1.GetSecret(ctx, getRemoteDef(secretID1, k1, ""))
 tassert.Equal(t, v1, string(data))
 tassert.Nil(t, err)
- data, err = secretsClient1.GetSecret(ctx, esv1alpha1.ExternalSecretDataRemoteRef{
- Extract: esv1alpha1.ExternalSecretExtract{
- Key: secretID2,
- Property: k2,
- },
- })
+ data, err = secretsClient1.GetSecret(ctx, getRemoteDef(secretID2, k2, ""))
 tassert.Nil(t, data)
 tassert.EqualError(t, err, errSecretPayloadPermissionDenied)
- data, err = secretsClient2.GetSecret(ctx, esv1alpha1.ExternalSecretDataRemoteRef{
- Extract: esv1alpha1.ExternalSecretExtract{
- Key: secretID1,
- Property: k1,
- },
- })
+ data, err = secretsClient2.GetSecret(ctx, getRemoteDef(secretID1, k1, ""))
 tassert.Nil(t, data)
 tassert.EqualError(t, err, errSecretPayloadPermissionDenied)
- data, err = secretsClient2.GetSecret(ctx, esv1alpha1.ExternalSecretDataRemoteRef{
- Extract: esv1alpha1.ExternalSecretExtract{
- Key: secretID2,
- Property: k2,
- },
- })
+ data, err = secretsClient2.GetSecret(ctx, getRemoteDef(secretID2, k2, ""))
 tassert.Equal(t, v2, string(data))
 tassert.Nil(t, err)
 }
@@ -462,37 +400,17 @@ func TestGetSecretWithTwoApiEndpoints(t *testing.T) {
 var data []byte
- data, err = secretsClient1.GetSecret(ctx, esv1alpha1.ExternalSecretDataRemoteRef{
- Extract: esv1alpha1.ExternalSecretExtract{
- Key: secretID1,
- Property: k1,
- },
- })
+ data, err = secretsClient1.GetSecret(ctx, getRemoteDef(secretID1, k1, ""))
 tassert.Equal(t, v1, string(data))
 tassert.Nil(t, err)
- data, err = secretsClient1.GetSecret(ctx, esv1alpha1.ExternalSecretDataRemoteRef{
- Extract: esv1alpha1.ExternalSecretExtract{
- Key: secretID2,
- Property: k2,
- },
- })
+ data, err = secretsClient1.GetSecret(ctx, getRemoteDef(secretID2, k2, ""))
 tassert.Nil(t, data)
 tassert.EqualError(t, err, errSecretPayloadNotFound)
- data, err = secretsClient2.GetSecret(ctx, esv1alpha1.ExternalSecretDataRemoteRef{
- Extract: esv1alpha1.ExternalSecretExtract{
- Key: secretID1,
- Property: k1,
- },
- })
+ data, err = secretsClient2.GetSecret(ctx, getRemoteDef(secretID1, k1, ""))
 tassert.Nil(t, data)
 tassert.EqualError(t, err, errSecretPayloadNotFound)
- data, err = secretsClient2.GetSecret(ctx, esv1alpha1.ExternalSecretDataRemoteRef{
- Extract: esv1alpha1.ExternalSecretExtract{
- Key: secretID1,
- Property: k2,
- },
- })
+ data, err = secretsClient2.GetSecret(ctx, getRemoteDef(secretID1, k2, ""))
 tassert.Equal(t, v2, string(data))
 tassert.Nil(t, err)
 }
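Review bot: The last call in TestGetSecretWithTwoApiEndpoints, `secretsClient2.GetSecret(ctx, getRemoteDef(secretID1, k2, ""))`, pairs secretID1 with k2 and expects v2, although the call just before it expects errSecretPayloadNotFound for secretID1 on the same client. The removed lines carried the same pairing, so the refactor preserves it faithfully, but next to TestGetSecretWithTwoNamespaces it reads as if `getRemoteDef(secretID2, k2, "")` was intended. If the test passes as written, secretID1 must also resolve on the second backend, in which case the preceding not-found assertions may not be exercising endpoint isolation the way they appear to. The backend setup is outside this hunk, so this needs confirming there.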
@@ -524,34 +442,19 @@ func TestGetSecretWithIamTokenExpiration(t *testing.T) {
 oldSecretsClient, err := provider.NewClient(ctx, store, k8sClient, namespace)
 tassert.Nil(t, err)
- data, err = oldSecretsClient.GetSecret(ctx, esv1alpha1.ExternalSecretDataRemoteRef{
- Extract: esv1alpha1.ExternalSecretExtract{
- Key: secretID,
- Property: k1,
- },
- })
+ data, err = oldSecretsClient.GetSecret(ctx, getRemoteDef(secretID, k1, ""))
 tassert.Equal(t, v1, string(data))
 tassert.Nil(t, err)
 lockboxBackend.AdvanceClock(2 * tokenExpirationTime)
- data, err = oldSecretsClient.GetSecret(ctx, esv1alpha1.ExternalSecretDataRemoteRef{
- Extract: esv1alpha1.ExternalSecretExtract{
- Key: secretID,
- Property: k1,
- },
- })
+ data, err = oldSecretsClient.GetSecret(ctx, getRemoteDef(secretID, k1, ""))
 tassert.Nil(t, data)
 tassert.EqualError(t, err, "unable to request secret payload to get secret: iam token expired")
 newSecretsClient, err := provider.NewClient(ctx, store, k8sClient, namespace)
 tassert.Nil(t, err)
- data, err = newSecretsClient.GetSecret(ctx, esv1alpha1.ExternalSecretDataRemoteRef{
- Extract: esv1alpha1.ExternalSecretExtract{
- Key: secretID,
- Property: k1,
- },
- })
+ data, err = newSecretsClient.GetSecret(ctx, getRemoteDef(secretID, k1, ""))
 tassert.Equal(t, v1, string(data))
 tassert.Nil(t, err)
 }
@@ -596,11 +499,7 @@ func TestGetSecretWithIamTokenCleanup(t *testing.T) {
 // Access secretID1 with authorizedKey1, IAM token for authorizedKey1 should be cached
 secretsClient, err := provider.NewClient(ctx, store1, k8sClient, namespace)
 tassert.Nil(t, err)
- _, err = secretsClient.GetSecret(ctx, esv1alpha1.ExternalSecretDataRemoteRef{
- Extract: esv1alpha1.ExternalSecretExtract{
- Key: secretID1,
- },
- })
+ _, err = secretsClient.GetSecret(ctx, getRemoteDef(secretID1, "", ""))
 tassert.Nil(t, err)
 tassert.True(t, provider.isIamTokenCached(authorizedKey1))
@@ -611,11 +510,7 @@ func TestGetSecretWithIamTokenCleanup(t *testing.T) {
 // Access secretID2 with authorizedKey2, IAM token for authorizedKey2 should be cached
 secretsClient, err = provider.NewClient(ctx, store2, k8sClient, namespace)
 tassert.Nil(t, err)
- _, err = secretsClient.GetSecret(ctx, esv1alpha1.ExternalSecretDataRemoteRef{
- Extract: esv1alpha1.ExternalSecretExtract{
- Key: secretID2,
- },
- })
+ _, err = secretsClient.GetSecret(ctx, getRemoteDef(secretID2, "", ""))
 tassert.Nil(t, err)
 tassert.True(t, provider.isIamTokenCached(authorizedKey1))
@@ -667,11 +562,7 @@ func TestGetSecretMap(t *testing.T) {
 })
 secretsClient, err := provider.NewClient(ctx, store, k8sClient, namespace)
 tassert.Nil(t, err)
- data, err := secretsClient.GetSecretMap(ctx, esv1alpha1.ExternalSecretDataRemoteRef{
- Extract: esv1alpha1.ExternalSecretExtract{
- Key: secretID,
- },
- })
+ data, err := secretsClient.GetSecretMap(ctx, getRemoteDef(secretID, "", ""))
 tassert.Nil(t, err)
 tassert.Equal(
@@ -707,12 +598,7 @@ func TestGetSecretMapByVersionID(t *testing.T) {
 })
 secretsClient, err := provider.NewClient(ctx, store, k8sClient, namespace)
 tassert.Nil(t, err)
- data, err := secretsClient.GetSecretMap(ctx, esv1alpha1.ExternalSecretDataRemoteRef{
- Extract: esv1alpha1.ExternalSecretExtract{
- Key: secretID,
- Version: oldVersionID,
- },
- })
+ data, err := secretsClient.GetSecretMap(ctx, getRemoteDef(secretID, "", oldVersionID))
 tassert.Nil(t, err)
 tassert.Equal(t, map[string][]byte{oldKey: []byte(oldVal)}, data)
@@ -722,21 +608,11 @@ func TestGetSecretMapByVersionID(t *testing.T) {
 textEntry(newKey, newVal),
 )
- data, err = secretsClient.GetSecretMap(ctx, esv1alpha1.ExternalSecretDataRemoteRef{
- Extract: esv1alpha1.ExternalSecretExtract{
- Key: secretID,
- Version: oldVersionID,
- },
- })
+ data, err = secretsClient.GetSecretMap(ctx, getRemoteDef(secretID, "", oldVersionID))
 tassert.Nil(t, err)
 tassert.Equal(t, map[string][]byte{oldKey: []byte(oldVal)}, data)
- data, err = secretsClient.GetSecretMap(ctx, esv1alpha1.ExternalSecretDataRemoteRef{
- Extract: esv1alpha1.ExternalSecretExtract{
- Key: secretID,
- Version: newVersionID,
- },
- })
+ data, err = secretsClient.GetSecretMap(ctx, getRemoteDef(secretID, "", newVersionID))
 tassert.Nil(t, err)
 tassert.Equal(t, map[string][]byte{newKey: []byte(newVal)}, data)
 }
@@ -764,6 +640,16 @@ func newYandexLockboxSecretStore(apiEndpoint, namespace, authorizedKeySecretName
 }
 }
+func getRemoteDef(key, property, version string) esv1alpha1.ExternalSecretDataRemoteRef {
+ return esv1alpha1.ExternalSecretDataRemoteRef{
+ Extract: esv1alpha1.ExternalSecretExtract{
+ Key: key,
+ Property: property,
+ Version: version,
+ },
+ }
+}
+
 func createK8sSecret(ctx context.Context, k8sClient client.Client, namespace, secretName, secretKey string, secretContent interface{}) error {
 data, err := json.Marshal(secretContent)
 if err != nil {
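Review bot: The new helper getRemoteDef (hunk -764/+640) takes three positional strings, and most call sites pass `""` for one or two of them, so a swapped property and version such as `getRemoteDef(secretID, oldVersionID, "")` compiles and is easy to miss in review. It also has no doc comment, and its name says "Def" while it returns an ExternalSecretDataRemoteRef; Go convention drops the Get prefix as well. I would rename it along the lines of `remoteRef` and add a comment such as `// remoteRef builds an Extract remote ref for tests; an empty property or version leaves that field at its zero value.` Splitting it into small wrappers for key only, key plus property and key plus version would remove the empty-string placeholders altogether.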