// Copyright 2016-2023, Pulumi Corporation. // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. // You may obtain a copy of the License at // // http://www.apache.org/licenses/LICENSE-2.0 // // Unless required by applicable law or agreed to in writing, software // distributed under the License is distributed on an "AS IS" BASIS, // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. // See the License for the specific language governing permissions and // limitations under the License. package cloud import ( "context" "crypto/rand" "fmt" "math/big" "net/url" "testing" "time" "github.com/pulumi/pulumi/pkg/v3/secrets" "github.com/pulumi/pulumi/sdk/v3/go/common/workspace" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" gosecrets "gocloud.dev/secrets" "gocloud.dev/secrets/driver" ) // the main testing function, takes a kms url and tries to make a new secret manager out of it and encrypt and // decrypt data, this is used by the aws_test and azure_test files. func testURL(ctx context.Context, t *testing.T, url string) { info := &workspace.ProjectStack{} info.SecretsProvider = url var err error var manager secrets.Manager // Creating a new cloud secrets manager is sometimes flaky, so we try a few times with backoff // before giving up. for i := 1; i < 10; i++ { manager, err = NewCloudSecretsManager(info, url, false) if err == nil { break } time.Sleep(time.Duration(i) * 100 * time.Millisecond) } require.NoError(t, err) enc, err := manager.Encrypter() require.NoError(t, err) dec, err := manager.Decrypter() require.NoError(t, err) ciphertext, err := enc.EncryptValue(ctx, "plaintext") require.NoError(t, err) plaintext, err := dec.DecryptValue(ctx, ciphertext) require.NoError(t, err) assert.Equal(t, "plaintext", plaintext) } func randomName(t *testing.T) string { name := "" letters := "abcdefghijklmnopqrstuvwxyz" for i := 0; i < 32; i++ { j, err := rand.Int(rand.Reader, big.NewInt(int64(len(letters)))) require.NoError(t, err) char := letters[j.Int64()] name = name + string(char) } return name } //nolint:paralleltest func TestSecretsProviderOverride(t *testing.T) { // Don't call t.Parallel because we temporarily modify // PULUMI_CLOUD_SECRET_OVERRIDE env var and it may interfere with other // tests. stackConfig := &workspace.ProjectStack{} opener := &mockSecretsKeeperOpener{} gosecrets.DefaultURLMux().RegisterKeeper("test", opener) //nolint:paralleltest t.Run("without override", func(t *testing.T) { opener.wantURL = "test://foo" _, createSecretsManagerError := NewCloudSecretsManager(stackConfig, "test://foo", false) assert.Nil(t, createSecretsManagerError, "Creating the cloud secret manager should succeed") _, createSecretsManagerError = NewCloudSecretsManager(stackConfig, "test://bar", false) msg := "NewCloudSecretsManager with unexpected secretsProvider URL succeeded, expected an error" assert.NotNil(t, createSecretsManagerError, msg) }) //nolint:paralleltest t.Run("with override", func(t *testing.T) { opener.wantURL = "test://bar" t.Setenv("PULUMI_CLOUD_SECRET_OVERRIDE", "test://bar") // Last argument here shouldn't matter anymore, since it gets overridden // by the env var. Both calls should succeed. msg := "creating the secrets manager should succeed regardless of secrets provider" _, createSecretsManagerError := NewCloudSecretsManager(stackConfig, "test://foo", false) assert.Nil(t, createSecretsManagerError, msg) _, createSecretsManagerError = NewCloudSecretsManager(stackConfig, "test://bar", false) assert.Nil(t, createSecretsManagerError, msg) }) } type mockSecretsKeeperOpener struct { wantURL string } func (m *mockSecretsKeeperOpener) OpenKeeperURL(ctx context.Context, u *url.URL) (*gosecrets.Keeper, error) { if m.wantURL != u.String() { return nil, fmt.Errorf("got keeper URL: %q, want: %q", u, m.wantURL) } return gosecrets.NewKeeper(dummySecretsKeeper{}), nil } type dummySecretsKeeper struct { driver.Keeper } func (k dummySecretsKeeper) Decrypt(ctx context.Context, ciphertext []byte) ([]byte, error) { return ciphertext, nil } func (k dummySecretsKeeper) Encrypt(ctx context.Context, plaintext []byte) ([]byte, error) { return plaintext, nil }