diff --git a/pkg/corerp/frontend/controller/secretstores/kubernetes_test.go b/pkg/corerp/frontend/controller/secretstores/kubernetes_test.go
index 71fbd6821c6..ad6610514a7 100644
--- a/pkg/corerp/frontend/controller/secretstores/kubernetes_test.go
+++ b/pkg/corerp/frontend/controller/secretstores/kubernetes_test.go
@@ -252,93 +252,109 @@ func TestGetOrDefaultEncoding(t *testing.T) {
 }
 
 func TestValidateAndMutateRequest(t *testing.T) {
- t.Run("default type is generic", func(t *testing.T) {
- newResource := testutil.MustGetTestData[datamodel.SecretStore](testFileCertValueFrom)
- newResource.Properties.Type = ""
-
- resp, err := ValidateAndMutateRequest(context.TODO(), newResource, nil, nil)
- require.NoError(t, err)
- require.Nil(t, resp)
-
- // assert
- require.Equal(t, datamodel.SecretTypeGeneric, newResource.Properties.Type)
- })
-
- t.Run("new resource, but referencing valueFrom", func(t *testing.T) {
- newResource := testutil.MustGetTestData[datamodel.SecretStore](testFileCertValueFrom)
- newResource.Properties.Resource = ""
- resp, err := ValidateAndMutateRequest(context.TODO(), newResource, nil, nil)
- require.NoError(t, err)
-
- // assert
- r := resp.(*rest.BadRequestResponse)
- require.True(t, r.Body.Error.Message == "$.properties.data[tls.crt].Value must be given to create the secret." ||
- r.Body.Error.Message == "$.properties.data[tls.key].Value must be given to create the secret.")
- })
-
- t.Run("update the existing resource - type not matched", func(t *testing.T) {
- oldResource := testutil.MustGetTestData[datamodel.SecretStore](testFileCertValueFrom)
- oldResource.Properties.Type = datamodel.SecretTypeGeneric
- newResource := testutil.MustGetTestData[datamodel.SecretStore](testFileCertValueFrom)
- resp, err := ValidateAndMutateRequest(context.TODO(), newResource, oldResource, nil)
- require.NoError(t, err)
-
- // assert
- r := resp.(*rest.BadRequestResponse)
- require.Equal(t, "$.properties.type cannot change from 'generic' to 'certificate'.", r.Body.Error.Message)
- })
-
- t.Run("inherit resource id from existing resource", func(t *testing.T) {
- oldResource := testutil.MustGetTestData[datamodel.SecretStore](testFileCertValueFrom)
- newResource := testutil.MustGetTestData[datamodel.SecretStore](testFileCertValueFrom)
- newResource.Properties.Resource = ""
- resp, err := ValidateAndMutateRequest(context.TODO(), newResource, oldResource, nil)
-
- // assert
- require.NoError(t, err)
- require.Nil(t, resp)
- require.Equal(t, oldResource.Properties.Resource, newResource.Properties.Resource)
- })
-
- t.Run("new basicAuthentication resource", func(t *testing.T) {
- newResource := testutil.MustGetTestData[datamodel.SecretStore](testFileBasicAuthentication)
- resp, err := ValidateAndMutateRequest(context.TODO(), newResource, nil, nil)
- require.NoError(t, err)
-
- // assert
- require.NoError(t, err)
- require.Nil(t, resp)
- })
-
- t.Run("invalid basicAuthentication resource", func(t *testing.T) {
- newResource := testutil.MustGetTestData[datamodel.SecretStore](testFileBasicAuthenticationInvalid)
- resp, err := ValidateAndMutateRequest(context.TODO(), newResource, nil, nil)
- require.NoError(t, err)
-
- // assert
- r := resp.(*rest.BadRequestResponse)
- require.True(t, r.Body.Error.Message == "$.properties.data must contain 'password' key for basicAuthentication type.")
- })
-
- t.Run("new awsIRSA resource", func(t *testing.T) {
- newResource := testutil.MustGetTestData[datamodel.SecretStore](testFileAWSIRSA)
- resp, err := ValidateAndMutateRequest(context.TODO(), newResource, nil, nil)
- require.NoError(t, err)
-
- // assert
- require.NoError(t, err)
- require.Nil(t, resp)
- })
-
- t.Run("new azureWorkloadIdentity resource", func(t *testing.T) {
- newResource := testutil.MustGetTestData[datamodel.SecretStore](testFileAzureWorkloadIdentity)
- resp, err := ValidateAndMutateRequest(context.TODO(), newResource, nil, nil)
- require.NoError(t, err)
+ tests := []struct {
+ name string
+ testFile string
+ oldResource *datamodel.SecretStore
+ modifyResource func(*datamodel.SecretStore, *datamodel.SecretStore)
+ assertions func(*testing.T, rest.Response, error, *datamodel.SecretStore, *datamodel.SecretStore)
+ }{
+ {
+ name: "default type is generic",
+ testFile: testFileCertValueFrom,
+ modifyResource: func(newResource, oldResource *datamodel.SecretStore) {
+ newResource.Properties.Type = ""
+ },
+ assertions: func(t *testing.T, resp rest.Response, err error, newResource, oldResource *datamodel.SecretStore) {
+ require.NoError(t, err)
+ require.Nil(t, resp)
+ require.Equal(t, datamodel.SecretTypeGeneric, newResource.Properties.Type)
+ },
+ },
+ {
+ name: "new resource, but referencing valueFrom",
+ testFile: testFileCertValueFrom,
+ modifyResource: func(newResource, oldResource *datamodel.SecretStore) {
+ newResource.Properties.Resource = ""
+ },
+ assertions: func(t *testing.T, resp rest.Response, err error, newResource, oldResource *datamodel.SecretStore) {
+ require.NoError(t, err)
+ r := resp.(*rest.BadRequestResponse)
+ require.True(t, r.Body.Error.Message == "$.properties.data[tls.crt].Value must be given to create the secret." ||
+ r.Body.Error.Message == "$.properties.data[tls.key].Value must be given to create the secret.")
+ },
+ },
+ {
+ name: "update the existing resource - type not matched",
+ testFile: testFileCertValueFrom,
+ oldResource: testutil.MustGetTestData[datamodel.SecretStore](testFileCertValueFrom),
+ modifyResource: func(newResource, oldResource *datamodel.SecretStore) {
+ oldResource.Properties.Type = datamodel.SecretTypeGeneric
+ },
+ assertions: func(t *testing.T, resp rest.Response, err error, newResource, oldResource *datamodel.SecretStore) {
+ require.NoError(t, err)
+ r := resp.(*rest.BadRequestResponse)
+ require.Equal(t, "$.properties.type cannot change from 'generic' to 'certificate'.", r.Body.Error.Message)
+ },
+ },
+ {
+ name: "inherit resource id from existing resource",
+ testFile: testFileCertValueFrom,
+ oldResource: testutil.MustGetTestData[datamodel.SecretStore](testFileCertValueFrom),
+ modifyResource: func(newResource, oldResource *datamodel.SecretStore) {
+ newResource.Properties.Resource = ""
+ },
+ assertions: func(t *testing.T, resp rest.Response, err error, newResource, oldResource *datamodel.SecretStore) {
+ require.NoError(t, err)
+ require.Nil(t, resp)
+ require.Equal(t, oldResource.Properties.Resource, newResource.Properties.Resource)
+ },
+ },
+ {
+ name: "new basicAuthentication resource",
+ testFile: testFileBasicAuthentication,
+ assertions: func(t *testing.T, resp rest.Response, err error, newResource, oldResource *datamodel.SecretStore) {
+ require.NoError(t, err)
+ require.Nil(t, resp)
+ },
+ },
+ {
+ name: "new awsIRSA resource",
+ testFile: testFileAWSIRSA,
+ assertions: func(t *testing.T, resp rest.Response, err error, newResource, oldResource *datamodel.SecretStore) {
+ require.NoError(t, err)
+ require.Nil(t, resp)
+ },
+ },
+ {
+ name: "new azureWorkloadIdentity resource",
+ testFile: testFileAzureWorkloadIdentity,
+ assertions: func(t *testing.T, resp rest.Response, err error, newResource, oldResource *datamodel.SecretStore) {
+ require.NoError(t, err)
+ require.Nil(t, resp)
+ },
+ },
+ {
+ name: "invalid basicAuthentication resource",
+ testFile: testFileBasicAuthenticationInvalid,
+ assertions: func(t *testing.T, resp rest.Response, err error, newResource, oldResource *datamodel.SecretStore) {
+ require.NoError(t, err)
+ r := resp.(*rest.BadRequestResponse)
+ require.True(t, r.Body.Error.Message == "$.properties.data must contain 'password' key for basicAuthentication type.")
+ },
+ },
+ }
 
- // assert
- require.NoError(t, err)
- require.Nil(t, resp)
- })
+ for _, tt := range tests {
+ t.Run(tt.name, func(t *testing.T) {
+ newResource := testutil.MustGetTestData[datamodel.SecretStore](tt.testFile)
+ if tt.modifyResource != nil {
+ tt.modifyResource(newResource, tt.oldResource)
+ }
+ resp, err := ValidateAndMutateRequest(context.TODO(), newResource, tt.oldResource, nil)
+ tt.assertions(t, resp, err, newResource, tt.oldResource)
+ })
+ }
 }
 
 func TestUpsertSecret(t *testing.T) {
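Review bot: The unchecked assertion `r := resp.(*rest.BadRequestResponse)` in the three rejecting cases ("new resource, but referencing valueFrom", "update the existing resource - type not matched", "invalid basicAuthentication resource") panics when `ValidateAndMutateRequest` returns nil or a different response type. A regression that starts accepting an invalid secret store would then surface as an interface-conversion panic that stops the test run, not as a readable failure naming the case. Use the checked form, `r, ok := resp.(*rest.BadRequestResponse)` followed by `require.True(t, ok, "expected *rest.BadRequestResponse, got %T", resp)`. The single-message comparison in the invalid basicAuthentication case would also report better as `require.Equal` with the expected string first, so the actual message is printed on mismatch. In this hunk the awsIRSA and azureWorkloadIdentity entries exercise only accepted input; if rejecting cases for those types are not covered elsewhere, the table now makes them cheap to add.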