deb.open-vault/command/agent_generate_config_test.go

// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: MPL-2.0

package command

import (
	"bytes"
	"context"
	"reflect"
	"regexp"
	"testing"
	"time"
)

// TestConstructTemplates tests the construcTemplates helper function
func TestConstructTemplates(t *testing.T) {
	ctx, cancelContextFunc := context.WithTimeout(context.Background(), 5*time.Second)
	defer cancelContextFunc()

	client, closer := testVaultServerWithSecrets(ctx, t)
	defer closer()

	cases := map[string]struct {
		paths         []string
		expected      []generatedConfigEnvTemplate
		expectedError bool
	}{
		"kv-v1-simple": {
			paths: []string{"kv-v1/foo"},
			expected: []generatedConfigEnvTemplate{
				{Contents: `{{ with secret "kv-v1/foo" }}{{ .Data.password }}{{ end }}`, ErrorOnMissingKey: true, Name: "FOO_PASSWORD"},
				{Contents: `{{ with secret "kv-v1/foo" }}{{ .Data.user }}{{ end }}`, ErrorOnMissingKey: true, Name: "FOO_USER"},
			},
			expectedError: false,
		},

		"kv-v2-simple": {
			paths: []string{"kv-v2/foo"},
			expected: []generatedConfigEnvTemplate{
				{Contents: `{{ with secret "kv-v2/data/foo" }}{{ .Data.data.password }}{{ end }}`, ErrorOnMissingKey: true, Name: "FOO_PASSWORD"},
				{Contents: `{{ with secret "kv-v2/data/foo" }}{{ .Data.data.user }}{{ end }}`, ErrorOnMissingKey: true, Name: "FOO_USER"},
			},
			expectedError: false,
		},

		"kv-v2-data-in-path": {
			paths: []string{"kv-v2/data/foo"},
			expected: []generatedConfigEnvTemplate{
				{Contents: `{{ with secret "kv-v2/data/foo" }}{{ .Data.data.password }}{{ end }}`, ErrorOnMissingKey: true, Name: "FOO_PASSWORD"},
				{Contents: `{{ with secret "kv-v2/data/foo" }}{{ .Data.data.user }}{{ end }}`, ErrorOnMissingKey: true, Name: "FOO_USER"},
			},
			expectedError: false,
		},

		"kv-v1-nested": {
			paths: []string{"kv-v1/app-1/*"},
			expected: []generatedConfigEnvTemplate{
				{Contents: `{{ with secret "kv-v1/app-1/bar" }}{{ .Data.password }}{{ end }}`, ErrorOnMissingKey: true, Name: "BAR_PASSWORD"},
				{Contents: `{{ with secret "kv-v1/app-1/bar" }}{{ .Data.user }}{{ end }}`, ErrorOnMissingKey: true, Name: "BAR_USER"},
				{Contents: `{{ with secret "kv-v1/app-1/foo" }}{{ .Data.password }}{{ end }}`, ErrorOnMissingKey: true, Name: "FOO_PASSWORD"},
				{Contents: `{{ with secret "kv-v1/app-1/foo" }}{{ .Data.user }}{{ end }}`, ErrorOnMissingKey: true, Name: "FOO_USER"},
				{Contents: `{{ with secret "kv-v1/app-1/nested/baz" }}{{ .Data.password }}{{ end }}`, ErrorOnMissingKey: true, Name: "BAZ_PASSWORD"},
				{Contents: `{{ with secret "kv-v1/app-1/nested/baz" }}{{ .Data.user }}{{ end }}`, ErrorOnMissingKey: true, Name: "BAZ_USER"},
			},
			expectedError: false,
		},

		"kv-v2-nested": {
			paths: []string{"kv-v2/app-1/*"},
			expected: []generatedConfigEnvTemplate{
				{Contents: `{{ with secret "kv-v2/data/app-1/bar" }}{{ .Data.data.password }}{{ end }}`, ErrorOnMissingKey: true, Name: "BAR_PASSWORD"},
				{Contents: `{{ with secret "kv-v2/data/app-1/bar" }}{{ .Data.data.user }}{{ end }}`, ErrorOnMissingKey: true, Name: "BAR_USER"},
				{Contents: `{{ with secret "kv-v2/data/app-1/foo" }}{{ .Data.data.password }}{{ end }}`, ErrorOnMissingKey: true, Name: "FOO_PASSWORD"},
				{Contents: `{{ with secret "kv-v2/data/app-1/foo" }}{{ .Data.data.user }}{{ end }}`, ErrorOnMissingKey: true, Name: "FOO_USER"},
				{Contents: `{{ with secret "kv-v2/data/app-1/nested/baz" }}{{ .Data.data.password }}{{ end }}`, ErrorOnMissingKey: true, Name: "BAZ_PASSWORD"},
				{Contents: `{{ with secret "kv-v2/data/app-1/nested/baz" }}{{ .Data.data.user }}{{ end }}`, ErrorOnMissingKey: true, Name: "BAZ_USER"},
			},
			expectedError: false,
		},

		"kv-v1-multi-path": {
			paths: []string{"kv-v1/foo", "kv-v1/app-1/bar"},
			expected: []generatedConfigEnvTemplate{
				{Contents: `{{ with secret "kv-v1/foo" }}{{ .Data.password }}{{ end }}`, ErrorOnMissingKey: true, Name: "FOO_PASSWORD"},
				{Contents: `{{ with secret "kv-v1/foo" }}{{ .Data.user }}{{ end }}`, ErrorOnMissingKey: true, Name: "FOO_USER"},
				{Contents: `{{ with secret "kv-v1/app-1/bar" }}{{ .Data.password }}{{ end }}`, ErrorOnMissingKey: true, Name: "BAR_PASSWORD"},
				{Contents: `{{ with secret "kv-v1/app-1/bar" }}{{ .Data.user }}{{ end }}`, ErrorOnMissingKey: true, Name: "BAR_USER"},
			},
			expectedError: false,
		},

		"kv-v2-multi-path": {
			paths: []string{"kv-v2/foo", "kv-v2/app-1/bar"},
			expected: []generatedConfigEnvTemplate{
				{Contents: `{{ with secret "kv-v2/data/foo" }}{{ .Data.data.password }}{{ end }}`, ErrorOnMissingKey: true, Name: "FOO_PASSWORD"},
				{Contents: `{{ with secret "kv-v2/data/foo" }}{{ .Data.data.user }}{{ end }}`, ErrorOnMissingKey: true, Name: "FOO_USER"},
				{Contents: `{{ with secret "kv-v2/data/app-1/bar" }}{{ .Data.data.password }}{{ end }}`, ErrorOnMissingKey: true, Name: "BAR_PASSWORD"},
				{Contents: `{{ with secret "kv-v2/data/app-1/bar" }}{{ .Data.data.user }}{{ end }}`, ErrorOnMissingKey: true, Name: "BAR_USER"},
			},
			expectedError: false,
		},

		"kv-v1-path-not-found": {
			paths:         []string{"kv-v1/does/not/exist"},
			expected:      nil,
			expectedError: true,
		},

		"kv-v2-path-not-found": {
			paths:         []string{"kv-v2/does/not/exist"},
			expected:      nil,
			expectedError: true,
		},

		"kv-v1-early-wildcard": {
			paths:         []string{"kv-v1/*/foo"},
			expected:      nil,
			expectedError: true,
		},

		"kv-v2-early-wildcard": {
			paths:         []string{"kv-v2/*/foo"},
			expected:      nil,
			expectedError: true,
		},
	}

	for name, tc := range cases {
		name, tc := name, tc

		t.Run(name, func(t *testing.T) {
			templates, err := constructTemplates(ctx, client, tc.paths)

			if tc.expectedError {
				if err == nil {
					t.Fatal("an error was expected but the test succeeded")
				}
			} else {
				if err != nil {
					t.Fatal(err)
				}

				if !reflect.DeepEqual(tc.expected, templates) {
					t.Fatalf("unexpected output; want: %v, got: %v", tc.expected, templates)
				}
			}
		})
	}
}

// TestGenerateConfiguration tests the generateConfiguration helper function
func TestGenerateConfiguration(t *testing.T) {
	ctx, cancelContextFunc := context.WithTimeout(context.Background(), 5*time.Second)
	defer cancelContextFunc()

	client, closer := testVaultServerWithSecrets(ctx, t)
	defer closer()

	cases := map[string]struct {
		flagExec      string
		flagPaths     []string
		expected      *regexp.Regexp
		expectedError bool
	}{
		"kv-v1-simple": {
			flagExec:  "./my-app arg1 arg2",
			flagPaths: []string{"kv-v1/foo"},
			expected: regexp.MustCompile(`
auto_auth \{

  method \{
    type = "token_file"

    config \{
      token_file_path = ".*/.vault-token"
    }
  }
}

template_config \{
  static_secret_render_interval = "5m"
  exit_on_retry_failure         = true
}

vault \{
  address = "https://127.0.0.1:[0-9]{5}"
}

env_template "FOO_PASSWORD" \{
  contents             = "\{\{ with secret \\"kv-v1/foo\\" }}\{\{ .Data.password }}\{\{ end }}"
  error_on_missing_key = true
}
env_template "FOO_USER" \{
  contents             = "\{\{ with secret \\"kv-v1/foo\\" }}\{\{ .Data.user }}\{\{ end }}"
  error_on_missing_key = true
}

exec \{
  command                   = \["./my-app", "arg1", "arg2"\]
  restart_on_secret_changes = "always"
  restart_stop_signal       = "SIGTERM"
}
`),
			expectedError: false,
		},

		"kv-v2-default-exec": {
			flagExec:  "",
			flagPaths: []string{"kv-v2/foo"},
			expected: regexp.MustCompile(`
auto_auth \{

  method \{
    type = "token_file"

    config \{
      token_file_path = ".*/.vault-token"
    }
  }
}

template_config \{
  static_secret_render_interval = "5m"
  exit_on_retry_failure         = true
}

vault \{
  address = "https://127.0.0.1:[0-9]{5}"
}

env_template "FOO_PASSWORD" \{
  contents             = "\{\{ with secret \\"kv-v2/data/foo\\" }}\{\{ .Data.data.password }}\{\{ end }}"
  error_on_missing_key = true
}
env_template "FOO_USER" \{
  contents             = "\{\{ with secret \\"kv-v2/data/foo\\" }}\{\{ .Data.data.user }}\{\{ end }}"
  error_on_missing_key = true
}

exec \{
  command                   = \["env"\]
  restart_on_secret_changes = "always"
  restart_stop_signal       = "SIGTERM"
}
`),
			expectedError: false,
		},
	}

	for name, tc := range cases {
		name, tc := name, tc

		t.Run(name, func(t *testing.T) {
			var config bytes.Buffer

			c, err := generateConfiguration(ctx, client, tc.flagExec, tc.flagPaths)
			c.WriteTo(&config)

			if tc.expectedError {
				if err == nil {
					t.Fatal("an error was expected but the test succeeded")
				}
			} else {
				if err != nil {
					t.Fatal(err)
				}

				if !tc.expected.MatchString(config.String()) {
					t.Fatalf("unexpected output; want: %v, got: %v", tc.expected.String(), config.String())
				}
			}
		})
	}
}
New upstream version 1.14.8 2024-04-20 12:23:50 +00:00			`// Copyright (c) HashiCorp, Inc.`
			`// SPDX-License-Identifier: MPL-2.0`

			`package command`

			`import (`
			`"bytes"`
			`"context"`
			`"reflect"`
			`"regexp"`
			`"testing"`
			`"time"`
			`)`

			`// TestConstructTemplates tests the construcTemplates helper function`
			`func TestConstructTemplates(t *testing.T) {`
			`ctx, cancelContextFunc := context.WithTimeout(context.Background(), 5*time.Second)`
			`defer cancelContextFunc()`

			`client, closer := testVaultServerWithSecrets(ctx, t)`
			`defer closer()`

			`cases := map[string]struct {`
			`paths []string`
			`expected []generatedConfigEnvTemplate`
			`expectedError bool`
			`}{`
			`"kv-v1-simple": {`
			`paths: []string{"kv-v1/foo"},`
			`expected: []generatedConfigEnvTemplate{`
			{Contents: `{{ with secret "kv-v1/foo" }}{{ .Data.password }}{{ end }}`, ErrorOnMissingKey: true, Name: "FOO_PASSWORD"},
			{Contents: `{{ with secret "kv-v1/foo" }}{{ .Data.user }}{{ end }}`, ErrorOnMissingKey: true, Name: "FOO_USER"},
			`},`
			`expectedError: false,`
			`},`

			`"kv-v2-simple": {`
			`paths: []string{"kv-v2/foo"},`
			`expected: []generatedConfigEnvTemplate{`
			{Contents: `{{ with secret "kv-v2/data/foo" }}{{ .Data.data.password }}{{ end }}`, ErrorOnMissingKey: true, Name: "FOO_PASSWORD"},
			{Contents: `{{ with secret "kv-v2/data/foo" }}{{ .Data.data.user }}{{ end }}`, ErrorOnMissingKey: true, Name: "FOO_USER"},
			`},`
			`expectedError: false,`
			`},`

			`"kv-v2-data-in-path": {`
			`paths: []string{"kv-v2/data/foo"},`
			`expected: []generatedConfigEnvTemplate{`
			{Contents: `{{ with secret "kv-v2/data/foo" }}{{ .Data.data.password }}{{ end }}`, ErrorOnMissingKey: true, Name: "FOO_PASSWORD"},
			{Contents: `{{ with secret "kv-v2/data/foo" }}{{ .Data.data.user }}{{ end }}`, ErrorOnMissingKey: true, Name: "FOO_USER"},
			`},`
			`expectedError: false,`
			`},`

			`"kv-v1-nested": {`
			`paths: []string{"kv-v1/app-1/*"},`
			`expected: []generatedConfigEnvTemplate{`
			{Contents: `{{ with secret "kv-v1/app-1/bar" }}{{ .Data.password }}{{ end }}`, ErrorOnMissingKey: true, Name: "BAR_PASSWORD"},
			{Contents: `{{ with secret "kv-v1/app-1/bar" }}{{ .Data.user }}{{ end }}`, ErrorOnMissingKey: true, Name: "BAR_USER"},
			{Contents: `{{ with secret "kv-v1/app-1/foo" }}{{ .Data.password }}{{ end }}`, ErrorOnMissingKey: true, Name: "FOO_PASSWORD"},
			{Contents: `{{ with secret "kv-v1/app-1/foo" }}{{ .Data.user }}{{ end }}`, ErrorOnMissingKey: true, Name: "FOO_USER"},
			{Contents: `{{ with secret "kv-v1/app-1/nested/baz" }}{{ .Data.password }}{{ end }}`, ErrorOnMissingKey: true, Name: "BAZ_PASSWORD"},
			{Contents: `{{ with secret "kv-v1/app-1/nested/baz" }}{{ .Data.user }}{{ end }}`, ErrorOnMissingKey: true, Name: "BAZ_USER"},
			`},`
			`expectedError: false,`
			`},`

			`"kv-v2-nested": {`
			`paths: []string{"kv-v2/app-1/*"},`
			`expected: []generatedConfigEnvTemplate{`
			{Contents: `{{ with secret "kv-v2/data/app-1/bar" }}{{ .Data.data.password }}{{ end }}`, ErrorOnMissingKey: true, Name: "BAR_PASSWORD"},
			{Contents: `{{ with secret "kv-v2/data/app-1/bar" }}{{ .Data.data.user }}{{ end }}`, ErrorOnMissingKey: true, Name: "BAR_USER"},
			{Contents: `{{ with secret "kv-v2/data/app-1/foo" }}{{ .Data.data.password }}{{ end }}`, ErrorOnMissingKey: true, Name: "FOO_PASSWORD"},
			{Contents: `{{ with secret "kv-v2/data/app-1/foo" }}{{ .Data.data.user }}{{ end }}`, ErrorOnMissingKey: true, Name: "FOO_USER"},
			{Contents: `{{ with secret "kv-v2/data/app-1/nested/baz" }}{{ .Data.data.password }}{{ end }}`, ErrorOnMissingKey: true, Name: "BAZ_PASSWORD"},
			{Contents: `{{ with secret "kv-v2/data/app-1/nested/baz" }}{{ .Data.data.user }}{{ end }}`, ErrorOnMissingKey: true, Name: "BAZ_USER"},
			`},`
			`expectedError: false,`
			`},`

			`"kv-v1-multi-path": {`
			`paths: []string{"kv-v1/foo", "kv-v1/app-1/bar"},`
			`expected: []generatedConfigEnvTemplate{`
			{Contents: `{{ with secret "kv-v1/foo" }}{{ .Data.password }}{{ end }}`, ErrorOnMissingKey: true, Name: "FOO_PASSWORD"},
			{Contents: `{{ with secret "kv-v1/foo" }}{{ .Data.user }}{{ end }}`, ErrorOnMissingKey: true, Name: "FOO_USER"},
			{Contents: `{{ with secret "kv-v1/app-1/bar" }}{{ .Data.password }}{{ end }}`, ErrorOnMissingKey: true, Name: "BAR_PASSWORD"},
			{Contents: `{{ with secret "kv-v1/app-1/bar" }}{{ .Data.user }}{{ end }}`, ErrorOnMissingKey: true, Name: "BAR_USER"},
			`},`
			`expectedError: false,`
			`},`

			`"kv-v2-multi-path": {`
			`paths: []string{"kv-v2/foo", "kv-v2/app-1/bar"},`
			`expected: []generatedConfigEnvTemplate{`
			{Contents: `{{ with secret "kv-v2/data/foo" }}{{ .Data.data.password }}{{ end }}`, ErrorOnMissingKey: true, Name: "FOO_PASSWORD"},
			{Contents: `{{ with secret "kv-v2/data/foo" }}{{ .Data.data.user }}{{ end }}`, ErrorOnMissingKey: true, Name: "FOO_USER"},
			{Contents: `{{ with secret "kv-v2/data/app-1/bar" }}{{ .Data.data.password }}{{ end }}`, ErrorOnMissingKey: true, Name: "BAR_PASSWORD"},
			{Contents: `{{ with secret "kv-v2/data/app-1/bar" }}{{ .Data.data.user }}{{ end }}`, ErrorOnMissingKey: true, Name: "BAR_USER"},
			`},`
			`expectedError: false,`
			`},`

			`"kv-v1-path-not-found": {`
			`paths: []string{"kv-v1/does/not/exist"},`
			`expected: nil,`
			`expectedError: true,`
			`},`

			`"kv-v2-path-not-found": {`
			`paths: []string{"kv-v2/does/not/exist"},`
			`expected: nil,`
			`expectedError: true,`
			`},`

			`"kv-v1-early-wildcard": {`
			`paths: []string{"kv-v1/*/foo"},`
			`expected: nil,`
			`expectedError: true,`
			`},`

			`"kv-v2-early-wildcard": {`
			`paths: []string{"kv-v2/*/foo"},`
			`expected: nil,`
			`expectedError: true,`
			`},`
			`}`

			`for name, tc := range cases {`
			`name, tc := name, tc`

			`t.Run(name, func(t *testing.T) {`
			`templates, err := constructTemplates(ctx, client, tc.paths)`

			`if tc.expectedError {`
			`if err == nil {`
			`t.Fatal("an error was expected but the test succeeded")`
			`}`
			`} else {`
			`if err != nil {`
			`t.Fatal(err)`
			`}`

			`if !reflect.DeepEqual(tc.expected, templates) {`
			`t.Fatalf("unexpected output; want: %v, got: %v", tc.expected, templates)`
			`}`
			`}`
			`})`
			`}`
			`}`

			`// TestGenerateConfiguration tests the generateConfiguration helper function`
			`func TestGenerateConfiguration(t *testing.T) {`
			`ctx, cancelContextFunc := context.WithTimeout(context.Background(), 5*time.Second)`
			`defer cancelContextFunc()`

			`client, closer := testVaultServerWithSecrets(ctx, t)`
			`defer closer()`

			`cases := map[string]struct {`
			`flagExec string`
			`flagPaths []string`
			`expected *regexp.Regexp`
			`expectedError bool`
			`}{`
			`"kv-v1-simple": {`
			`flagExec: "./my-app arg1 arg2",`
			`flagPaths: []string{"kv-v1/foo"},`
			expected: regexp.MustCompile(`
			`auto_auth \{`

			`method \{`
			`type = "token_file"`

			`config \{`
			`token_file_path = ".*/.vault-token"`
			`}`
			`}`
			`}`

			`template_config \{`
			`static_secret_render_interval = "5m"`
			`exit_on_retry_failure = true`
			`}`

			`vault \{`
			`address = "https://127.0.0.1:[0-9]{5}"`
			`}`

			`env_template "FOO_PASSWORD" \{`
			`contents = "\{\{ with secret \\"kv-v1/foo\\" }}\{\{ .Data.password }}\{\{ end }}"`
			`error_on_missing_key = true`
			`}`
			`env_template "FOO_USER" \{`
			`contents = "\{\{ with secret \\"kv-v1/foo\\" }}\{\{ .Data.user }}\{\{ end }}"`
			`error_on_missing_key = true`
			`}`

			`exec \{`
			`command = \["./my-app", "arg1", "arg2"\]`
			`restart_on_secret_changes = "always"`
			`restart_stop_signal = "SIGTERM"`
			`}`
			`),
			`expectedError: false,`
			`},`

			`"kv-v2-default-exec": {`
			`flagExec: "",`
			`flagPaths: []string{"kv-v2/foo"},`
			expected: regexp.MustCompile(`
			`auto_auth \{`

			`method \{`
			`type = "token_file"`

			`config \{`
			`token_file_path = ".*/.vault-token"`
			`}`
			`}`
			`}`

			`template_config \{`
			`static_secret_render_interval = "5m"`
			`exit_on_retry_failure = true`
			`}`

			`vault \{`
			`address = "https://127.0.0.1:[0-9]{5}"`
			`}`

			`env_template "FOO_PASSWORD" \{`
			`contents = "\{\{ with secret \\"kv-v2/data/foo\\" }}\{\{ .Data.data.password }}\{\{ end }}"`
			`error_on_missing_key = true`
			`}`
			`env_template "FOO_USER" \{`
			`contents = "\{\{ with secret \\"kv-v2/data/foo\\" }}\{\{ .Data.data.user }}\{\{ end }}"`
			`error_on_missing_key = true`
			`}`

			`exec \{`
			`command = \["env"\]`
			`restart_on_secret_changes = "always"`
			`restart_stop_signal = "SIGTERM"`
			`}`
			`),
			`expectedError: false,`
			`},`
			`}`

			`for name, tc := range cases {`
			`name, tc := name, tc`

			`t.Run(name, func(t *testing.T) {`
			`var config bytes.Buffer`

			`c, err := generateConfiguration(ctx, client, tc.flagExec, tc.flagPaths)`
			`c.WriteTo(&config)`

			`if tc.expectedError {`
			`if err == nil {`
			`t.Fatal("an error was expected but the test succeeded")`
			`}`
			`} else {`
			`if err != nil {`
			`t.Fatal(err)`
			`}`

			`if !tc.expected.MatchString(config.String()) {`
			`t.Fatalf("unexpected output; want: %v, got: %v", tc.expected.String(), config.String())`
			`}`
			`}`
			`})`
			`}`
			`}`