Add tests

hashicorp · Aug 5, 2021 · 9825b11 · 9825b11
1 parent e52d170
commit 9825b11
Show file tree

Hide file tree

Showing 2 changed files with 141 additions and 0 deletions.
diff --git a/agent-inject/agent/annotations_test.go b/agent-inject/agent/annotations_test.go
@@ -538,6 +538,55 @@ func TestSecretTemplateFileAnnotations(t *testing.T) {
 }
 
 func TestSecretCommandAnnotations(t *testing.T) {
+	tests := []struct {
+		annotations        map[string]string
+		expectedKey        string
+		expectedPermission string
+	}{
+		{
+			map[string]string{
+				"vault.hashicorp.com/agent-inject-secret-foobar":          "test1",
+				"vault.hashicorp.com/agent-inject-file-permission-foobar": "0600",
+			}, "foobar", "0600",
+		},
+		{
+			map[string]string{
+				"vault.hashicorp.com/agent-inject-secret-foobar":           "test2",
+				"vault.hashicorp.com/agent-inject-file-permission-foobar2": "0600",
+			}, "foobar", "",
+		},
+	}
+
+	for _, tt := range tests {
+		pod := testPod(tt.annotations)
+		agentConfig := basicAgentConfig()
+		err := Init(pod, agentConfig)
+		if err != nil {
+			t.Errorf("got error, shouldn't have: %s", err)
+		}
+
+		var patches []*jsonpatch.JsonPatchOperation
+
+		agent, err := New(pod, patches)
+		if err != nil {
+			t.Errorf("got error, shouldn't have: %s", err)
+		}
+
+		if len(agent.Secrets) == 0 {
+			t.Error("Secrets length was zero, it shouldn't have been")
+		}
+
+		if agent.Secrets[0].Name != tt.expectedKey {
+			t.Errorf("expected name %s, got %s", tt.expectedKey, agent.Secrets[0].Name)
+		}
+
+		if agent.Secrets[0].FilePermission != tt.expectedPermission {
+			t.Errorf("expected permission %s, got %s", tt.expectedPermission, agent.Secrets[0].Command)
+		}
+	}
+}
+
+func TestSecretPErmissionAnnotations(t *testing.T) {
 	tests := []struct {
 		annotations     map[string]string
 		expectedKey     string

diff --git a/agent-inject/agent/config_test.go b/agent-inject/agent/config_test.go
@@ -224,6 +224,9 @@ func TestFilePathAndName(t *testing.T) {
 			}
 
 			agent, err := New(pod, patches)
+			if err != nil {
+				t.Errorf("got error creating agent, shouldn't have: %s", err)
+			}
 			cfg, err := agent.newConfig(true)
 			if err != nil {
 				t.Errorf("got error creating Vault config, shouldn't have: %s", err)
@@ -240,6 +243,95 @@ func TestFilePathAndName(t *testing.T) {
 	}
 }
 
+func TestFilePermission(t *testing.T) {
+
+	tests := []struct {
+		name        string
+		annotations map[string]string
+		permission  string
+	}{
+		{
+			"just secret",
+			map[string]string{
+				"vault.hashicorp.com/agent-inject-secret-foo":          "db/creds/foo",
+				"vault.hashicorp.com/agent-inject-file-permission-foo": "0600",
+			},
+			"0600",
+		},
+		{
+			"just secret without permission",
+			map[string]string{
+				"vault.hashicorp.com/agent-inject-secret-foo": "db/creds/foo",
+			},
+			"",
+		},
+		{
+			"with relative file path",
+			map[string]string{
+				"vault.hashicorp.com/agent-inject-secret-foo":          "db/creds/foo",
+				"vault.hashicorp.com/agent-inject-file-foo":            "nested/foofile",
+				"vault.hashicorp.com/agent-inject-file-permission-foo": "0600",
+			},
+			"0600",
+		},
+		{
+			"with relative file path without permission",
+			map[string]string{
+				"vault.hashicorp.com/agent-inject-secret-foo": "db/creds/foo",
+				"vault.hashicorp.com/agent-inject-file-foo":   "nested/foofile",
+			},
+			"",
+		},
+		{
+			"with absolute file path",
+			map[string]string{
+				"vault.hashicorp.com/agent-inject-secret-foo":          "db/creds/foo",
+				"vault.hashicorp.com/agent-inject-file-foo":            "/special/volume/foofile",
+				"vault.hashicorp.com/agent-inject-file-permission-foo": "0600",
+			},
+			"0600",
+		},
+		{
+			"with absolute file path without permission",
+			map[string]string{
+				"vault.hashicorp.com/agent-inject-secret-foo": "db/creds/foo",
+				"vault.hashicorp.com/agent-inject-file-foo":   "/special/volume/foofile",
+			},
+			"",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			pod := testPod(tt.annotations)
+			var patches []*jsonpatch.JsonPatchOperation
+
+			agentConfig := basicAgentConfig()
+			err := Init(pod, agentConfig)
+			if err != nil {
+				t.Errorf("got error initialising pod, shouldn't have: %s", err)
+			}
+
+			agent, err := New(pod, patches)
+			if err != nil {
+				t.Errorf("got error creating agent, shouldn't have: %s", err)
+			}
+			cfg, err := agent.newConfig(true)
+			if err != nil {
+				t.Errorf("got error creating Vault config, shouldn't have: %s", err)
+			}
+
+			config := &Config{}
+			if err := json.Unmarshal(cfg, config); err != nil {
+				t.Errorf("got error unmarshalling Vault config, shouldn't have: %s", err)
+			}
+			if config.Templates[0].Perms != tt.permission {
+				t.Errorf("wrong permission: %s != %s", config.Templates[0].Perms, tt.permission)
+			}
+		})
+	}
+}
+
 func TestConfigVaultAgentCacheNotEnabledByDefault(t *testing.T) {
 	annotations := map[string]string{}