-
Notifications
You must be signed in to change notification settings - Fork 89
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
allowedSecretParameterPaths prefix but not parent of secretParameters (…
…#3242) trying to make a test for another example of #3227. In this test, we have `foo` in `allowedSecretParameterPaths` but the `secretParameters` has `path = "foobar/baz"`. I think this means validation should fail in `_validate_allowed_secret_parameter_paths` with the log message `secret parameter path 'foobar/baz' does not match any of allowedSecretParameterPaths`. But this is based on a naive reading of the code + test cases, and I could be wrong. Somebody who uses this function should review. https://issues.redhat.com/browse/APPSRE-7196
- Loading branch information
Showing
2 changed files
with
82 additions
and
2 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,76 @@ | ||
| import pytest | ||
|
|
||
| from reconcile.utils.saasherder import SaasHerder | ||
|
|
||
|
|
||
| @pytest.mark.parametrize( | ||
| "allowed_secret_parameter_path,referenced_secret_path,expected_valid", | ||
| [ | ||
| # covered by parent directory | ||
| ("foobar", "foobar/baz", True), | ||
| # not covered by parent directory even though there is a common name prefix | ||
| ("foo", "foobar/baz", False), | ||
| # multilevel allowed path | ||
| ("foo/bar", "foo/bar/baz", True), | ||
| # multilevel but different intermediary path | ||
| ("foo/bar", "foo/baz/bar", False), | ||
| ], | ||
| ) | ||
| def test_saasherder_allowed_secret_paths( | ||
| allowed_secret_parameter_path: str, | ||
| referenced_secret_path: str, | ||
| expected_valid: bool, | ||
| ): | ||
| """ | ||
| ensure a parent directory in allowed_secret_parameter_paths matches correctly | ||
| """ | ||
| saas_files = [ | ||
| { | ||
| "path": "path1", | ||
| "name": "a1", | ||
| "managedResourceTypes": [], | ||
| "allowedSecretParameterPaths": [allowed_secret_parameter_path], | ||
| "resourceTemplates": [ | ||
| { | ||
| "name": "test", | ||
| "url": "url", | ||
| "targets": [ | ||
| { | ||
| "namespace": { | ||
| "name": "ns", | ||
| "environment": {"name": "env1", "parameters": "{}"}, | ||
| "cluster": {"name": "cluster"}, | ||
| }, | ||
| "ref": "main", | ||
| "upstream": {"instance": {"name": "ci"}, "name": "job"}, | ||
| "parameters": {}, | ||
| "secretParameters": [ | ||
| { | ||
| "name": "secret", | ||
| "secret": { | ||
| "path": referenced_secret_path, | ||
| "field": "db.endpoint", | ||
| }, | ||
| }, | ||
| ], | ||
| }, | ||
| ], | ||
| }, | ||
| ], | ||
| "selfServiceRoles": [ | ||
| {"users": [{"org_username": "theirname"}], "bots": []} | ||
| ], | ||
| }, | ||
| ] | ||
|
|
||
| saasherder = SaasHerder( | ||
| saas_files, | ||
| thread_pool_size=1, | ||
| gitlab=None, | ||
| integration="", | ||
| integration_version="", | ||
| settings={}, | ||
| validate=True, | ||
| ) | ||
|
|
||
| assert saasherder.valid == expected_valid |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters