chore: fix tests that require credential attributes
kian99 committed Jan 9, 2025
1 parent 2ab8501 commit 9c1b367
Showing 8 changed files with 160 additions and 138 deletions.
6 changes: 0 additions & 6 deletions internal/db/cloudcredential_test.go
Expand Up @@ -209,15 +209,9 @@ cloud-credentials:
- name: cred-1
cloud: cloud-1
owner: alice@canonical.com
attributes:
k1: v1
k2: v2
- name: cred-2
cloud: cloud-1
owner: bob@canonical.com
attributes:
k1: v1
k2: v2
- name: cred-3
cloud: cloud-2
owner: alice@canonical.com
5 changes: 4 additions & 1 deletion internal/db/secrets.go
@@ -1,4 +1,4 @@
// Copyright 2024 Canonical.
// Copyright 2025 Canonical.

package db

Expand Down Expand Up @@ -126,6 +126,9 @@ func (d *Database) Get(ctx context.Context, tag names.CloudCredentialTag) (_ map
secret := dbmodel.NewSecret(tag.Kind(), tag.String(), nil)
err = d.GetSecret(ctx, &secret)
if err != nil {
if errors.ErrorCode(err) == errors.CodeNotFound {
return nil, nil
}
zapctx.Error(ctx, "failed to get secret data", zap.Error(err))
return nil, errors.E(op, err)
}
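Review bot: The new `CodeNotFound` branch in `Get` returns `nil, nil` without logging, so a secret that was never written or has been lost becomes indistinguishable from a credential that simply has no attributes. If that is the intended contract it should be stated on the function, for example `// Get returns a nil map and a nil error when no secret is stored for the tag.`, and a debug-level log on this branch would keep a missing secret traceable during incident review. Reading from the nil map is safe, but any caller that writes into the returned map would panic, so the callers are worth checking. The rest of `Get` and its callers lie outside this hunk.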
3 changes: 1 addition & 2 deletions internal/dbmodel/controller_test.go
@@ -1,4 +1,4 @@
// Copyright 2024 Canonical.
// Copyright 2025 Canonical.

package dbmodel_test

Expand Down Expand Up @@ -179,7 +179,6 @@ func TestToAPIControllerInfo(t *testing.T) {
CACertificate: "ca-cert",
CloudTag: names.NewCloudTag("test-cloud").String(),
CloudRegion: "test-region",
Username: "admin",
AgentVersion: "1.2.3",
Status: jujuparams.EntityStatus{
Status: "available",
96 changes: 58 additions & 38 deletions internal/jimm/cloudcredential_test.go
Expand Up @@ -23,6 +23,7 @@ import (
"github.com/canonical/jimm/v3/internal/openfga"
ofganames "github.com/canonical/jimm/v3/internal/openfga/names"
"github.com/canonical/jimm/v3/internal/testutils/jimmtest"
"github.com/canonical/jimm/v3/internal/vault"
)

func TestUpdateCloudCredential(t *testing.T) {
Expand Down Expand Up @@ -771,7 +772,6 @@ func TestUpdateCloudCredential(t *testing.T) {
API: api,
},
},
jimmtest.UsePostgresAsCredentialStore, // this test relies on credential attributes being stored in postgres
)

u, arg, expectedCredential, expectedError := test.createEnv(c, j)
Expand Down Expand Up @@ -1365,15 +1365,9 @@ cloud-credentials:
- name: cred-1
cloud: cloud-1
owner: alice@canonical.com
attributes:
k1: v1
k2: v2
- name: cred-2
cloud: cloud-1
owner: bob@canonical.com
attributes:
k1: v1
k2: v2
- name: cred-3
cloud: cloud-2
owner: alice@canonical.com
Expand Down Expand Up @@ -1474,11 +1468,6 @@ cloud-credentials:
cloud: test-cloud
owner: bob@canonical.com
auth-type: oauth2
attributes:
client-email: bob@example.com
client-id: 1234
private-key: super-secret
project-id: 5678
- name: cred-2
cloud: test-cloud
owner: bob@canonical.com
Expand All @@ -1495,6 +1484,7 @@ var getCloudCredentialAttributesTests = []struct {
hidden bool
jimmAdmin bool
cred string
skipAttributes bool
expectAttributes map[string]string
expectRedacted []string
expectError string
Expand All @@ -1515,6 +1505,7 @@ var getCloudCredentialAttributesTests = []struct {
username: "bob@canonical.com",
jimmAdmin: true,
cred: "cred-2",
skipAttributes: true,
expectAttributes: map[string]string{},
expectRedacted: nil,
}, {
Expand Down Expand Up @@ -1556,37 +1547,66 @@ var getCloudCredentialAttributesTests = []struct {
}}

func TestGetCloudCredentialAttributes(t *testing.T) {
c := qt.New(t)
attributes := map[string]string{
"client-email": "bob@example.com",
"client-id": "1234",
"private-key": "super-secret",
"project-id": "5678",
}

for _, test := range getCloudCredentialAttributesTests {
c.Run(test.name, func(c *qt.C) {
ctx := context.Background()

j := jimmtest.NewJIMM(c, nil)

env := jimmtest.ParseEnvironment(c, getCloudCredentialAttributesEnv)
env.PopulateDBAndPermissions(c, j.ResourceTag(), j.Database, j.OpenFGAClient)
u := env.User("bob@canonical.com").DBObject(c, j.Database)
userBob := openfga.NewUser(&u, j.OpenFGAClient)
credTag := fmt.Sprintf("test-cloud/bob@canonical.com/%s", test.cred)
cred, err := j.GetCloudCredential(ctx, userBob, names.NewCloudCredentialTag(credTag))
c.Assert(err, qt.IsNil)
c := qt.New(t)
// Run each test twice, once with Vault as a credential store
// and again with Postgres as a credential store.
client, path, roleID, roleSecretID, ok := jimmtest.VaultClient(c)
c.Assert(ok, qt.IsTrue)
vaultStore := &vault.VaultStore{
Client: client,
RoleID: roleID,
RoleSecretID: roleSecretID,
KVPath: path,
}
jimmWithVault := jimm.Parameters{CredentialStore: vaultStore}

testF := func(jp *jimm.Parameters) func(c *qt.C) {
return func(c *qt.C) {
ctx := context.Background()

j := jimmtest.NewJIMM(c, jp)

env := jimmtest.ParseEnvironment(c, getCloudCredentialAttributesEnv)
env.PopulateDBAndPermissions(c, j.ResourceTag(), j.Database, j.OpenFGAClient)

u := env.User("bob@canonical.com").DBObject(c, j.Database)
userBob := openfga.NewUser(&u, j.OpenFGAClient)

credTag := names.NewCloudCredentialTag(fmt.Sprintf("test-cloud/bob@canonical.com/%s", test.cred))
cred, err := j.GetCloudCredential(ctx, userBob, credTag)
c.Assert(err, qt.IsNil)

if !test.skipAttributes {
err = j.CredentialStore.Put(ctx, credTag, attributes)
c.Assert(err, qt.IsNil)
}

u = env.User(test.username).DBObject(c, j.Database)
userTest := openfga.NewUser(&u, j.OpenFGAClient)
userTest.JimmAdmin = test.jimmAdmin
attr, redacted, err := j.GetCloudCredentialAttributes(ctx, userTest, cred, test.hidden)
if test.expectError != "" {
c.Check(err, qt.ErrorMatches, test.expectError)
if test.expectErrorCode != "" {
c.Check(errors.ErrorCode(err), qt.Equals, test.expectErrorCode)
u = env.User(test.username).DBObject(c, j.Database)
userTest := openfga.NewUser(&u, j.OpenFGAClient)
userTest.JimmAdmin = test.jimmAdmin
attr, redacted, err := j.GetCloudCredentialAttributes(ctx, userTest, cred, test.hidden)
if test.expectError != "" {
c.Check(err, qt.ErrorMatches, test.expectError)
if test.expectErrorCode != "" {
c.Check(errors.ErrorCode(err), qt.Equals, test.expectErrorCode)
}
return
}
return
c.Assert(err, qt.IsNil)
c.Check(attr, qt.DeepEquals, test.expectAttributes)
c.Check(redacted, qt.DeepEquals, test.expectRedacted)
}
c.Assert(err, qt.IsNil)
c.Check(attr, qt.DeepEquals, test.expectAttributes)
c.Check(redacted, qt.DeepEquals, test.expectRedacted)
})
}
c.Run(test.name+"-postgres", testF(nil))
c.Run(test.name+"-vault", testF(&jimmWithVault))
}
}
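Review bot: In `TestGetCloudCredentialAttributes` the Vault client is created and asserted (`c.Assert(ok, qt.IsTrue)`) at the top of every loop iteration, before either subtest runs, so the `-postgres` variants also fail whenever Vault is unreachable, and the same setup is repeated for each table entry. Building the `vault.VaultStore` once before the loop, or only inside the `-vault` subtest, would keep the two store variants independent. Since `attributes` is written with `Put` to an external store, it is also worth confirming that the Vault path is reset between cases; if it is not, the `skipAttributes: true` case for `cred-2` could depend on what an earlier case or run left behind. The comment above the setup names Vault first while the Postgres variant runs first; `// Run each test twice: once with Postgres and once with Vault as the credential store.` would match the code.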
