github.com/kaisenlinux/docker.io@v0.0.0-20230510090727-ea55db55fac7/swarmkit/agent/secrets/secrets_test.go (about) 1 package secrets 2 3 import ( 4 "fmt" 5 "testing" 6 7 "github.com/stretchr/testify/require" 8 9 "github.com/docker/swarmkit/agent/exec" 10 "github.com/docker/swarmkit/api" 11 "github.com/docker/swarmkit/identity" 12 "github.com/stretchr/testify/assert" 13 ) 14 15 func TestTaskRestrictedSecretsProvider(t *testing.T) { 16 type testCase struct { 17 desc string 18 secretIDs map[string]struct{} 19 secrets exec.SecretGetter 20 secretID string 21 taskID string 22 secretIDToGet string 23 value string 24 expected string 25 expectedErr string 26 } 27 28 originalSecretID := identity.NewID() 29 taskID := identity.NewID() 30 taskSpecificID := fmt.Sprintf("%s.%s", originalSecretID, taskID) 31 32 testCases := []testCase{ 33 // The default case when not using a secrets driver or not returning 34 // DoNotReuse: true in the SecretsProviderResponse. 35 { 36 desc: "Test getting secret by original ID when restricted by task", 37 value: "value", 38 expected: "value", 39 secretIDs: map[string]struct{}{ 40 originalSecretID: {}, 41 }, 42 // Simulates inserting a secret returned by a driver which sets the 43 // DoNotReuse flag to false. 44 secretID: originalSecretID, 45 // Internal API calls would request to get the secret by the 46 // original ID. 47 secretIDToGet: originalSecretID, 48 taskID: taskID, 49 }, 50 // The case for when a secrets driver returns DoNotReuse: true in the 51 // SecretsProviderResponse. 52 { 53 desc: "Test getting secret by task specific ID when restricted by task", 54 value: "value", 55 expected: "value", 56 secretIDs: map[string]struct{}{ 57 originalSecretID: {}, 58 }, 59 // Simulates inserting a secret returned by a driver which sets the 60 // DoNotReuse flag to true. This would result in the assignment 61 // containing a secret with the ID set to the cibcatebatuib of the 62 // secret and task IDs separated by a dot. 63 secretID: taskSpecificID, 64 // Internal API calls would still request to get the secret by the 65 // original ID. 66 secretIDToGet: originalSecretID, 67 taskID: taskID, 68 }, 69 // This case should catch regressions in the logic coupling of the ID 70 // given to secrets in assignments and the corresponding retrieval of 71 // the same secrets. If a secret can be got by the task specific ID 72 // without it being added as such in an assignment, something has been 73 // changed inconsistently. 74 { 75 desc: "Test attempting to get a secret by task specific ID when secret is added with original ID", 76 value: "value", 77 expectedErr: fmt.Sprintf("task not authorized to access secret %s", taskSpecificID), 78 secretIDs: map[string]struct{}{ 79 originalSecretID: {}, 80 }, 81 secretID: originalSecretID, 82 secretIDToGet: taskSpecificID, 83 taskID: taskID, 84 }, 85 } 86 secretsManager := NewManager() 87 for _, testCase := range testCases { 88 t.Logf("secretID=%s, taskID=%s, taskSpecificID=%s", originalSecretID, taskID, taskSpecificID) 89 secretsManager.Add(api.Secret{ 90 ID: testCase.secretID, 91 Spec: api.SecretSpec{ 92 Data: []byte(testCase.value), 93 }, 94 }) 95 secretsGetter := Restrict(secretsManager, &api.Task{ 96 ID: taskID, 97 }) 98 (secretsGetter.(*taskRestrictedSecretsProvider)).secretIDs = testCase.secretIDs 99 secret, err := secretsGetter.Get(testCase.secretIDToGet) 100 if testCase.expectedErr != "" { 101 assert.Error(t, err, testCase.desc) 102 assert.Equal(t, testCase.expectedErr, err.Error(), testCase.desc) 103 } else { 104 t.Logf("secretIDs=%v", testCase.secretIDs) 105 assert.NoError(t, err, testCase.desc) 106 require.NotNil(t, secret, testCase.desc) 107 require.NotNil(t, secret.Spec, testCase.desc) 108 require.NotNil(t, secret.Spec.Data, testCase.desc) 109 assert.Equal(t, testCase.expected, string(secret.Spec.Data), testCase.desc) 110 } 111 secretsManager.Reset() 112 } 113 }