/* Copyright (c) Edgeless Systems GmbH SPDX-License-Identifier: AGPL-3.0-only */ package cloudcmd import ( "bytes" "context" "encoding/base64" "encoding/json" "errors" "testing" "github.com/edgelesssys/constellation/v2/cli/internal/terraform" "github.com/edgelesssys/constellation/v2/internal/cloud/cloudprovider" "github.com/edgelesssys/constellation/v2/internal/cloud/gcpshared" "github.com/stretchr/testify/assert" "github.com/stretchr/testify/require" ) func TestIAMCreator(t *testing.T) { validGCPIAMConfig := GCPIAMConfig{ Region: "europe-west1", Zone: "europe-west1-a", ProjectID: "project-1234", ServiceAccountID: "const-test", } validGCPIAMOutput := terraform.IAMOutput{ GCP: terraform.GCPIAMOutput{ SaKey: "not_a_secret", }, } validGCPIAMIDFile := IAMOutput{ CloudProvider: cloudprovider.GCP, GCPOutput: GCPIAMOutput{ ServiceAccountKey: "not_a_secret", }, } validAzureIAMConfig := AzureIAMConfig{ Location: "westus", ServicePrincipal: "constell-test", ResourceGroup: "constell-test", } validAzureIAMOutput := terraform.IAMOutput{ Azure: terraform.AzureIAMOutput{ SubscriptionID: "test_subscription_id", TenantID: "test_tenant_id", UAMIID: "test_uami_id", }, } validAzureIAMIDFile := IAMOutput{ CloudProvider: cloudprovider.Azure, AzureOutput: AzureIAMOutput{ SubscriptionID: "test_subscription_id", TenantID: "test_tenant_id", UAMIID: "test_uami_id", }, } validAWSIAMConfig := AWSIAMConfig{ Region: "us-east-2", Prefix: "test", } validAWSIAMOutput := terraform.IAMOutput{ AWS: terraform.AWSIAMOutput{ WorkerNodeInstanceProfile: "test_worker_node_instance_profile", ControlPlaneInstanceProfile: "test_control_plane_instance_profile", }, } validAWSIAMIDFile := IAMOutput{ CloudProvider: cloudprovider.AWS, AWSOutput: AWSIAMOutput{ ControlPlaneInstanceProfile: "test_control_plane_instance_profile", WorkerNodeInstanceProfile: "test_worker_node_instance_profile", }, } testCases := map[string]struct { tfClient tfIAMClient newTfClientErr error config *IAMConfigOptions provider cloudprovider.Provider wantIAMIDFile IAMOutput wantErr bool }{ "new terraform client err": { tfClient: &stubTerraformClient{}, newTfClientErr: assert.AnError, wantErr: true, config: &IAMConfigOptions{TFWorkspace: "test"}, }, "create iam config err": { tfClient: &stubTerraformClient{iamOutputErr: assert.AnError}, wantErr: true, config: &IAMConfigOptions{TFWorkspace: "test"}, }, "gcp": { tfClient: &stubTerraformClient{iamOutput: validGCPIAMOutput}, wantIAMIDFile: validGCPIAMIDFile, provider: cloudprovider.GCP, config: &IAMConfigOptions{GCP: validGCPIAMConfig, TFWorkspace: "test"}, }, "azure": { tfClient: &stubTerraformClient{iamOutput: validAzureIAMOutput}, wantIAMIDFile: validAzureIAMIDFile, provider: cloudprovider.Azure, config: &IAMConfigOptions{Azure: validAzureIAMConfig, TFWorkspace: "test"}, }, "aws": { tfClient: &stubTerraformClient{iamOutput: validAWSIAMOutput}, wantIAMIDFile: validAWSIAMIDFile, provider: cloudprovider.AWS, config: &IAMConfigOptions{AWS: validAWSIAMConfig, TFWorkspace: "test"}, }, } for name, tc := range testCases { t.Run(name, func(t *testing.T) { assert := assert.New(t) creator := &IAMCreator{ out: &bytes.Buffer{}, newTerraformClient: func(_ context.Context, _ string) (tfIAMClient, error) { return tc.tfClient, tc.newTfClientErr }, } idFile, err := creator.Create(context.Background(), tc.provider, tc.config) if tc.wantErr { assert.Error(err) } else { assert.NoError(err) assert.Equal(tc.provider, idFile.CloudProvider) switch tc.provider { case cloudprovider.GCP: assert.Equal(tc.wantIAMIDFile.GCPOutput, idFile.GCPOutput) case cloudprovider.Azure: assert.Equal(tc.wantIAMIDFile.AzureOutput, idFile.AzureOutput) case cloudprovider.AWS: assert.Equal(tc.wantIAMIDFile.AWSOutput, idFile.AWSOutput) } } }) } } func TestDestroyIAMConfiguration(t *testing.T) { newError := func() error { return errors.New("failed") } testCases := map[string]struct { tfClient *stubTerraformClient wantErr bool wantDestroyCalled bool wantCleanupWorkspaceCalled bool }{ "destroy error": { tfClient: &stubTerraformClient{destroyErr: newError()}, wantErr: true, wantDestroyCalled: true, }, "destroy": { tfClient: &stubTerraformClient{}, wantDestroyCalled: true, wantCleanupWorkspaceCalled: true, }, "cleanup error": { tfClient: &stubTerraformClient{cleanUpWorkspaceErr: newError()}, wantErr: true, wantDestroyCalled: true, wantCleanupWorkspaceCalled: true, }, } for name, tc := range testCases { t.Run(name, func(t *testing.T) { assert := assert.New(t) destroyer := &IAMDestroyer{newTerraformClient: func(_ context.Context, _ string) (tfIAMClient, error) { return tc.tfClient, nil }} err := destroyer.DestroyIAMConfiguration(context.Background(), "", terraform.LogLevelNone) if tc.wantErr { assert.Error(err) } else { assert.NoError(err) } assert.Equal(tc.wantDestroyCalled, tc.tfClient.destroyCalled) assert.Equal(tc.wantCleanupWorkspaceCalled, tc.tfClient.cleanUpWorkspaceCalled) }) } } func TestGetTfstateServiceAccountKey(t *testing.T) { gcpFile := ` { "auth_provider_x509_cert_url": "", "auth_uri": "", "client_email": "", "client_id": "", "client_x509_cert_url": "", "private_key": "", "private_key_id": "", "project_id": "", "token_uri": "", "type": "" } ` gcpFileB64 := base64.StdEncoding.EncodeToString([]byte(gcpFile)) testCases := map[string]struct { cl *stubTerraformClient wantValidSaKey bool wantErr bool wantShowCalled bool }{ "valid": { cl: &stubTerraformClient{ iamOutput: terraform.IAMOutput{ GCP: terraform.GCPIAMOutput{ SaKey: gcpFileB64, }, }, }, wantValidSaKey: true, wantShowCalled: true, }, "show error": { cl: &stubTerraformClient{ showIAMErr: assert.AnError, }, wantErr: true, wantShowCalled: true, }, "nil tfstate values": { cl: &stubTerraformClient{ iamOutput: terraform.IAMOutput{}, }, wantErr: true, wantShowCalled: true, }, "invalid base64": { cl: &stubTerraformClient{ iamOutput: terraform.IAMOutput{ GCP: terraform.GCPIAMOutput{ SaKey: "iamnotvalid", }, }, }, wantErr: true, wantShowCalled: true, }, "valid base64 invalid json": { cl: &stubTerraformClient{ iamOutput: terraform.IAMOutput{ GCP: terraform.GCPIAMOutput{ SaKey: base64.StdEncoding.EncodeToString([]byte("asdf")), }, }, }, wantErr: true, wantShowCalled: true, }, } for name, tc := range testCases { t.Run(name, func(t *testing.T) { assert := assert.New(t) destroyer := IAMDestroyer{newTerraformClient: func(_ context.Context, _ string) (tfIAMClient, error) { return tc.cl, nil }} saKey, err := destroyer.GetTfStateServiceAccountKey(context.Background(), "") if tc.wantErr { assert.Error(err) return } assert.NoError(err) var saKeyComp gcpshared.ServiceAccountKey require.NoError(t, json.Unmarshal([]byte(gcpFile), &saKeyComp)) assert.Equal(saKey, saKeyComp) assert.Equal(tc.wantShowCalled, tc.cl.showCalled) }) } }