grafana/pkg/registry/apis/secret/secure_value_client_test.go

package secret

import (
	"testing"

	"github.com/stretchr/testify/require"
	apierrors "k8s.io/apimachinery/pkg/api/errors"
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
	"k8s.io/utils/ptr"

	secretv1beta1 "github.com/grafana/grafana/apps/secret/pkg/apis/secret/v1beta1"
	"github.com/grafana/grafana/pkg/registry/apis/secret/testutils"
	"github.com/grafana/grafana/pkg/registry/apis/secret/validator"
)

func TestIntegration_SecureValueClient_CRUD(t *testing.T) {
	if testing.Short() {
		t.Skip("skipping integration test in short mode")
	}
	setup := testutils.Setup(t)

	validator := validator.ProvideSecureValueValidator()

	client := ProvideSecureValueClient(
		setup.SecureValueService,
		validator,
		setup.AccessClient,
	)

	ns := "stacks-1234"
	ctx := testutils.CreateUserAuthContext(t.Context(), ns, map[string][]string{
		"securevalues:create": {"securevalues:uid:*"},
		"securevalues:read":   {"securevalues:uid:*"},
		"securevalues:write":  {"securevalues:uid:*"},
		"securevalues:delete": {"securevalues:uid:*"},
	})

	nsClient, err := client.Client(ctx, ns)
	require.NoError(t, err)
	require.NotNil(t, nsClient)

	sv := &secretv1beta1.SecureValue{
		ObjectMeta: metav1.ObjectMeta{
			Name:      "test-sv",
			Namespace: ns,
		},
		Spec: secretv1beta1.SecureValueSpec{
			Description: "test-description",
			Value:       ptr.To(secretv1beta1.NewExposedSecureValue("test-value")),
		},
	}

	unstructured, err := toUnstructured(sv)
	require.NoError(t, err)

	// Create
	created, err := nsClient.Create(ctx, unstructured, metav1.CreateOptions{})
	require.NoError(t, err)

	createdSv, err := fromUnstructured(created)
	require.NoError(t, err)

	require.NotEmpty(t, createdSv.UID)
	require.Nil(t, createdSv.Spec.Value)
	require.Equal(t, sv.Name, createdSv.Name)
	require.Equal(t, sv.Namespace, createdSv.Namespace)

	// Read
	read, err := nsClient.Get(ctx, createdSv.Name, metav1.GetOptions{})
	require.NoError(t, err)

	readSv, err := fromUnstructured(read)
	require.NoError(t, err)
	require.EqualValues(t, createdSv, readSv)

	// Update
	updatedSv := &secretv1beta1.SecureValue{
		ObjectMeta: metav1.ObjectMeta{
			Name:      createdSv.Name,
			Namespace: createdSv.Namespace,
		},
		Spec: secretv1beta1.SecureValueSpec{
			Description: "test-description-updated",
			Value:       ptr.To(secretv1beta1.NewExposedSecureValue("test-value-updated")),
		},
	}

	unstructured, err = toUnstructured(updatedSv)
	require.NoError(t, err)

	_, err = nsClient.Update(ctx, unstructured, metav1.UpdateOptions{})
	require.NoError(t, err)

	read, err = nsClient.Get(ctx, createdSv.Name, metav1.GetOptions{})
	require.NoError(t, err)
	readSv, err = fromUnstructured(read)
	require.NoError(t, err)
	require.Equal(t, updatedSv.Spec.Description, readSv.Spec.Description)
	require.Equal(t, updatedSv.Name, readSv.Name)
	require.Equal(t, updatedSv.Namespace, readSv.Namespace)

	// List
	list, err := nsClient.List(ctx, metav1.ListOptions{})
	require.NoError(t, err)
	require.Len(t, list.Items, 1)
	require.Equal(t, createdSv.Name, list.Items[0].GetName())
	require.Equal(t, createdSv.Namespace, list.Items[0].GetNamespace())

	// Delete
	err = nsClient.Delete(ctx, createdSv.Name, metav1.DeleteOptions{})
	require.NoError(t, err)

	read, err = nsClient.Get(ctx, createdSv.Name, metav1.GetOptions{})
	var apiErr *apierrors.StatusError
	require.ErrorAs(t, err, &apiErr)
	require.Equal(t, apiErr.ErrStatus.Reason, metav1.StatusReasonNotFound)
	require.Nil(t, read)
}

func Test_SecureValueClient_CRUD_NoPermissions(t *testing.T) {
	setup := testutils.Setup(t)

	validator := validator.ProvideSecureValueValidator()

	client := ProvideSecureValueClient(
		setup.SecureValueService,
		validator,
		setup.AccessClient,
	)

	ns := "stacks-1234"
	ctx := testutils.CreateUserAuthContext(t.Context(), ns, nil)

	nsClient, err := client.Client(ctx, ns)
	require.NoError(t, err)
	require.NotNil(t, nsClient)

	sv := &secretv1beta1.SecureValue{
		ObjectMeta: metav1.ObjectMeta{
			Name:      "test-sv",
			Namespace: ns,
		},
	}

	unstructured, err := toUnstructured(sv)
	require.NoError(t, err)

	// Create
	created, err := nsClient.Create(ctx, unstructured, metav1.CreateOptions{})
	var apiErr *apierrors.StatusError
	require.ErrorAs(t, err, &apiErr)
	require.Equal(t, apiErr.ErrStatus.Reason, metav1.StatusReasonForbidden)
	require.Nil(t, created)

	// Read
	read, err := nsClient.Get(ctx, sv.Name, metav1.GetOptions{})
	require.ErrorAs(t, err, &apiErr)
	require.Equal(t, apiErr.ErrStatus.Reason, metav1.StatusReasonForbidden)
	require.Nil(t, created)

	// Update
	updated, err := nsClient.Update(ctx, unstructured, metav1.UpdateOptions{})
	require.ErrorAs(t, err, &apiErr)
	require.Equal(t, apiErr.ErrStatus.Reason, metav1.StatusReasonForbidden)
	require.Nil(t, updated)

	// List
	list, err := nsClient.List(ctx, metav1.ListOptions{})
	require.ErrorAs(t, err, &apiErr)
	require.Equal(t, apiErr.ErrStatus.Reason, metav1.StatusReasonForbidden)
	require.Nil(t, list)

	// Delete
	err = nsClient.Delete(ctx, sv.Name, metav1.DeleteOptions{})
	require.ErrorAs(t, err, &apiErr)
	require.Equal(t, apiErr.ErrStatus.Reason, metav1.StatusReasonForbidden)
	require.Nil(t, read)
}
Secrets: Add single tenant SecureValueClient (#108099) * Secrets: Add single tenant SecureValueClient * SecureValueClient: Rename file * SecureValueClient: Move original type to contracts package and export it by aliasing 2025-07-17 16:56:49 +08:00			`package secret`

			`import (`
			`"testing"`

			`"github.com/stretchr/testify/require"`
Secrets: Add authz checks for the single-tenant SecureValue client (#108216) 2025-07-21 17:09:07 +08:00			`apierrors "k8s.io/apimachinery/pkg/api/errors"`
Secrets: Add single tenant SecureValueClient (#108099) * Secrets: Add single tenant SecureValueClient * SecureValueClient: Rename file * SecureValueClient: Move original type to contracts package and export it by aliasing 2025-07-17 16:56:49 +08:00			`metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"`
			`"k8s.io/utils/ptr"`

			`secretv1beta1 "github.com/grafana/grafana/apps/secret/pkg/apis/secret/v1beta1"`
			`"github.com/grafana/grafana/pkg/registry/apis/secret/testutils"`
			`"github.com/grafana/grafana/pkg/registry/apis/secret/validator"`
			`)`

			`func TestIntegration_SecureValueClient_CRUD(t *testing.T) {`
Chore: Omit integration tests if short test flag is passed (#108777) * omit integration tests if short test flag is passed * Update pkg/services/ngalert/models/receivers_test.go Co-authored-by: Matheus Macabu <macabu@users.noreply.github.com> * Update pkg/tests/api/alerting/api_ruler_test.go Co-authored-by: Matheus Macabu <macabu@users.noreply.github.com> * Update pkg/tests/api/alerting/api_ruler_test.go Co-authored-by: Matheus Macabu <macabu@users.noreply.github.com> * Update pkg/tests/api/alerting/api_ruler_test.go Co-authored-by: Matheus Macabu <macabu@users.noreply.github.com> * Update pkg/tests/api/alerting/api_ruler_test.go Co-authored-by: Matheus Macabu <macabu@users.noreply.github.com> * Update pkg/tests/api/alerting/api_ruler_test.go Co-authored-by: Matheus Macabu <macabu@users.noreply.github.com> * Update pkg/services/ngalert/models/receivers_test.go Co-authored-by: Matheus Macabu <macabu@users.noreply.github.com> * Update pkg/cmd/grafana-cli/commands/datamigrations/to_unified_storage_test.go Co-authored-by: Matheus Macabu <macabu@users.noreply.github.com> * Update pkg/services/ngalert/models/receivers_test.go Co-authored-by: Matheus Macabu <macabu@users.noreply.github.com> * fix the rest * false positive --------- Co-authored-by: Matheus Macabu <macabu@users.noreply.github.com> 2025-07-28 19:38:54 +08:00			`if testing.Short() {`
			`t.Skip("skipping integration test in short mode")`
			`}`
Secrets: Add single tenant SecureValueClient (#108099) * Secrets: Add single tenant SecureValueClient * SecureValueClient: Rename file * SecureValueClient: Move original type to contracts package and export it by aliasing 2025-07-17 16:56:49 +08:00			`setup := testutils.Setup(t)`

			`validator := validator.ProvideSecureValueValidator()`

			`client := ProvideSecureValueClient(`
			`setup.SecureValueService,`
			`validator,`
Secrets: Add authz checks for the single-tenant SecureValue client (#108216) 2025-07-21 17:09:07 +08:00			`setup.AccessClient,`
Secrets: Add single tenant SecureValueClient (#108099) * Secrets: Add single tenant SecureValueClient * SecureValueClient: Rename file * SecureValueClient: Move original type to contracts package and export it by aliasing 2025-07-17 16:56:49 +08:00			`)`

			`ns := "stacks-1234"`
			`ctx := testutils.CreateUserAuthContext(t.Context(), ns, map[string][]string{`
Secrets: Add authz checks for the single-tenant SecureValue client (#108216) 2025-07-21 17:09:07 +08:00			`"securevalues:create": {"securevalues:uid:*"},`
			`"securevalues:read": {"securevalues:uid:*"},`
			`"securevalues:write": {"securevalues:uid:*"},`
			`"securevalues:delete": {"securevalues:uid:*"},`
Secrets: Add single tenant SecureValueClient (#108099) * Secrets: Add single tenant SecureValueClient * SecureValueClient: Rename file * SecureValueClient: Move original type to contracts package and export it by aliasing 2025-07-17 16:56:49 +08:00			`})`

			`nsClient, err := client.Client(ctx, ns)`
			`require.NoError(t, err)`
			`require.NotNil(t, nsClient)`

			`sv := &secretv1beta1.SecureValue{`
			`ObjectMeta: metav1.ObjectMeta{`
			`Name: "test-sv",`
			`Namespace: ns,`
			`},`
			`Spec: secretv1beta1.SecureValueSpec{`
			`Description: "test-description",`
			`Value: ptr.To(secretv1beta1.NewExposedSecureValue("test-value")),`
			`},`
			`}`

			`unstructured, err := toUnstructured(sv)`
			`require.NoError(t, err)`

			`// Create`
			`created, err := nsClient.Create(ctx, unstructured, metav1.CreateOptions{})`
			`require.NoError(t, err)`

			`createdSv, err := fromUnstructured(created)`
			`require.NoError(t, err)`

			`require.NotEmpty(t, createdSv.UID)`
			`require.Nil(t, createdSv.Spec.Value)`
			`require.Equal(t, sv.Name, createdSv.Name)`
			`require.Equal(t, sv.Namespace, createdSv.Namespace)`

			`// Read`
			`read, err := nsClient.Get(ctx, createdSv.Name, metav1.GetOptions{})`
			`require.NoError(t, err)`

			`readSv, err := fromUnstructured(read)`
			`require.NoError(t, err)`
			`require.EqualValues(t, createdSv, readSv)`

			`// Update`
			`updatedSv := &secretv1beta1.SecureValue{`
			`ObjectMeta: metav1.ObjectMeta{`
			`Name: createdSv.Name,`
			`Namespace: createdSv.Namespace,`
			`},`
			`Spec: secretv1beta1.SecureValueSpec{`
			`Description: "test-description-updated",`
			`Value: ptr.To(secretv1beta1.NewExposedSecureValue("test-value-updated")),`
			`},`
			`}`

			`unstructured, err = toUnstructured(updatedSv)`
			`require.NoError(t, err)`

			`_, err = nsClient.Update(ctx, unstructured, metav1.UpdateOptions{})`
			`require.NoError(t, err)`

			`read, err = nsClient.Get(ctx, createdSv.Name, metav1.GetOptions{})`
			`require.NoError(t, err)`
			`readSv, err = fromUnstructured(read)`
			`require.NoError(t, err)`
			`require.Equal(t, updatedSv.Spec.Description, readSv.Spec.Description)`
			`require.Equal(t, updatedSv.Name, readSv.Name)`
			`require.Equal(t, updatedSv.Namespace, readSv.Namespace)`

			`// List`
			`list, err := nsClient.List(ctx, metav1.ListOptions{})`
			`require.NoError(t, err)`
			`require.Len(t, list.Items, 1)`
			`require.Equal(t, createdSv.Name, list.Items[0].GetName())`
			`require.Equal(t, createdSv.Namespace, list.Items[0].GetNamespace())`

			`// Delete`
			`err = nsClient.Delete(ctx, createdSv.Name, metav1.DeleteOptions{})`
			`require.NoError(t, err)`

			`read, err = nsClient.Get(ctx, createdSv.Name, metav1.GetOptions{})`
Secrets: Re-export and map domain errors into K8s API errors in ST client (#108226) 2025-07-21 17:32:20 +08:00			`var apiErr *apierrors.StatusError`
			`require.ErrorAs(t, err, &apiErr)`
			`require.Equal(t, apiErr.ErrStatus.Reason, metav1.StatusReasonNotFound)`
Secrets: Add single tenant SecureValueClient (#108099) * Secrets: Add single tenant SecureValueClient * SecureValueClient: Rename file * SecureValueClient: Move original type to contracts package and export it by aliasing 2025-07-17 16:56:49 +08:00			`require.Nil(t, read)`
			`}`
Secrets: Add authz checks for the single-tenant SecureValue client (#108216) 2025-07-21 17:09:07 +08:00
			`func Test_SecureValueClient_CRUD_NoPermissions(t *testing.T) {`
			`setup := testutils.Setup(t)`

			`validator := validator.ProvideSecureValueValidator()`

			`client := ProvideSecureValueClient(`
			`setup.SecureValueService,`
			`validator,`
			`setup.AccessClient,`
			`)`

			`ns := "stacks-1234"`
			`ctx := testutils.CreateUserAuthContext(t.Context(), ns, nil)`

			`nsClient, err := client.Client(ctx, ns)`
			`require.NoError(t, err)`
			`require.NotNil(t, nsClient)`

			`sv := &secretv1beta1.SecureValue{`
			`ObjectMeta: metav1.ObjectMeta{`
			`Name: "test-sv",`
			`Namespace: ns,`
			`},`
			`}`

			`unstructured, err := toUnstructured(sv)`
			`require.NoError(t, err)`

			`// Create`
			`created, err := nsClient.Create(ctx, unstructured, metav1.CreateOptions{})`
			`var apiErr *apierrors.StatusError`
			`require.ErrorAs(t, err, &apiErr)`
			`require.Equal(t, apiErr.ErrStatus.Reason, metav1.StatusReasonForbidden)`
			`require.Nil(t, created)`

			`// Read`
			`read, err := nsClient.Get(ctx, sv.Name, metav1.GetOptions{})`
			`require.ErrorAs(t, err, &apiErr)`
			`require.Equal(t, apiErr.ErrStatus.Reason, metav1.StatusReasonForbidden)`
			`require.Nil(t, created)`

			`// Update`
			`updated, err := nsClient.Update(ctx, unstructured, metav1.UpdateOptions{})`
			`require.ErrorAs(t, err, &apiErr)`
			`require.Equal(t, apiErr.ErrStatus.Reason, metav1.StatusReasonForbidden)`
			`require.Nil(t, updated)`

			`// List`
			`list, err := nsClient.List(ctx, metav1.ListOptions{})`
			`require.ErrorAs(t, err, &apiErr)`
			`require.Equal(t, apiErr.ErrStatus.Reason, metav1.StatusReasonForbidden)`
			`require.Nil(t, list)`

			`// Delete`
			`err = nsClient.Delete(ctx, sv.Name, metav1.DeleteOptions{})`
			`require.ErrorAs(t, err, &apiErr)`
			`require.Equal(t, apiErr.ErrStatus.Reason, metav1.StatusReasonForbidden)`
			`require.Nil(t, read)`
			`}`