Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

fix: handle different vault injection cases #75

Merged
merged 9 commits into from
Feb 22, 2024
Merged

fix: handle different vault injection cases #75

merged 9 commits into from
Feb 22, 2024

Conversation

csatib02
Copy link
Member

@csatib02 csatib02 commented Feb 13, 2024
edited
Loading

Overview

  • The injector already utilizes a bunch of things, to detect vault secret references.
  • On the side of secret-init it's sufficient if we use a regex to detect vault:something/something/... like substrings in the env-values, since it won't mistake vault like env-values for vault references, and if somehow a non-vault reference would be detected, the injector would just ignore it.
  • Added an e2e test case to test different injection scenarios.

Fixes #68

@csatib02
fix: handle different vault injection cases
52d2bea 
Signed-off-by: Bence Csati <bcsati@cisco.com>
@csatib02
chore(multi-provider-test): adjust
bbebdef 
Signed-off-by: Bence Csati <bcsati@cisco.com>
@csatib02 csatib02 requested a review from ramizpolic February 13, 2024 18:50
@csatib02 csatib02 self-assigned this Feb 13, 2024
@github-actions github-actions bot added the size/S Denotes a PR that changes 10-99 lines label Feb 13, 2024
@csatib02
feat(multi-provider-test): add testcase
90222fe 
Signed-off-by: Bence Csati <bcsati@cisco.com>
@github-actions github-actions bot added size/M Denotes a PR that changes 100-499 lines and removed size/S Denotes a PR that changes 10-99 lines labels Feb 13, 2024
@csatib02
chore: minor fix
e966f7e 
Signed-off-by: Bence Csati <bcsati@cisco.com>
@csatib02
chore: minor fix
342f3b5 
Signed-off-by: Bence Csati <bcsati@cisco.com>
@csatib02
chore: minor fix
cc2e1c2 
Signed-off-by: Bence Csati <bcsati@cisco.com>
ramizpolic
ramizpolic requested changes Feb 22, 2024
View reviewed changes
env_store.go Outdated Show resolved Hide resolved
env_store.go Outdated Show resolved Hide resolved
@csatib02
fix: minor fix
d6add20 
Signed-off-by: Bence Csati <bcsati@cisco.com>
@csatib02 csatib02 requested a review from ramizpolic February 22, 2024 09:29
@ramizpolic
Copy link
Member

The test scenario in env_store_test.go could be a bit changed to set envs itself, for example rather than using createEnvsForProvider helper function, we could set envs in the test cases explicitly.
Note that the actual file is not needed for this specific test case since the test is only extracting data from envs.
I have added three cases to cover, just make sure to fill with the expected data

func TestEnvStore_GetProviderPaths(t *testing.T) {
	tests := []struct {
		name      string
		envs 	  map[string]string
		wantPaths map[string][]string
	}{
		{
			name: "file provider",
			envs: map[string]string{
				"AWS_SECRET_ACCESS_KEY_ID": "file:FILEPATH",
			}
			wantPaths: map[string][]string{
				"file": {
					"FILEPATH"
				},
			},
		},
		{
			name: "vault provider",
			envs: map[string]string{
				// Add all the envs from https://github.com/bank-vaults/internal/blob/1d4670005e01baaa08bac7e17d0876d444d3286b/injector/injector_test.go#L92-L101
			}
			wantPaths: map[string][]string{
				"vault": {
					// fill expected
				},
			},
		},
		{
			name: "multi provider",
			envs: map[string]string{
				"AWS_SECRET_ACCESS_KEY_ID": "file:FILEPATH",
				"MYSQL_PASSWORD": "vault:secret/data/test/mysql#MYSQL_PASSWORD",
				"AWS_SECRET_ACCESS_KEY: "vault:secret/data/test/aws#AWS_SECRET_ACCESS_KEY",
			}
			wantPaths: map[string][]string{
				"vault": {
					// fill expected
				},
				"file": {
					// fill expected
				},
			},
		},
	}

	for _, tt := range tests {
		ttp := tt
		t.Run(ttp.name, func(t *testing.T) {
			// prepare envs
			for envKey, envVal := range ttp.envs {
				os.Setenv(envKey, envVal)
				t.Cleanup(func() {
					os.Unsetenv(envKey)
				})
			}

			paths := NewEnvStore().GetProviderPaths()

			for key, expectedSlice := range ttp.wantPaths {
				actualSlice, ok := paths[key]
				assert.True(t, ok, "Key not found in actual paths")
				assert.ElementsMatch(t, expectedSlice, actualSlice, "Slices for key %s do not match", key)
			}
		})
	}
}

@csatib02
fix(env_store_test.go): fix tests
1b28ab4 
Signed-off-by: Bence Csati <bcsati@cisco.com>
ramizpolic
ramizpolic requested changes Feb 22, 2024
View reviewed changes
provider/vault/config_test.go Outdated Show resolved Hide resolved
provider/file/config_test.go Outdated Show resolved Hide resolved
env_store_test.go Outdated Show resolved Hide resolved
@csatib02
fix(env_store_test.go): minor fix
a8eecd0 
Signed-off-by: Bence Csati <bcsati@cisco.com>
@csatib02 csatib02 requested a review from ramizpolic February 22, 2024 17:41
ramizpolic
ramizpolic approved these changes Feb 22, 2024
View reviewed changes
Copy link
Member

@ramizpolic ramizpolic left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

great work! :shipit:

@csatib02 csatib02 merged commit faa8e41 into bank-vaults:main Feb 22, 2024
20 checks passed
@csatib02 csatib02 deleted the fix/handle-different-vault-provider-injection-cases branch February 22, 2024 18:10
# for free to join this conversation on GitHub. Already have an account? # to comment
Reviewers

@ramizpolic ramizpolic ramizpolic approved these changes

Assignees

@csatib02 csatib02

Labels
size/M Denotes a PR that changes 100-499 lines
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Handle different Vault provider injection cases
2 participants
@csatib02 @ramizpolic