// Copyright (c) Microsoft Corporation.
// Licensed under the MIT license.
/* eslint-disable @typescript-eslint/no-unused-expressions */
import * as chai from "chai";
import chaiAsPromised from "chai-as-promised";
// Register the promise matchers (eventually / rejectedWith) before any test uses expect.
chai.use(chaiAsPromised);
const { expect } = chai;
import { load } from "../src/index.js";
import { sinon, createMockedConnectionString, createMockedTokenCredential, mockAppConfigurationClientListConfigurationSettings, mockAppConfigurationClientGetConfigurationSetting, mockSecretClientGetSecret, restoreMocks, createMockedKeyVaultReference, createMockedKeyValue, sleepInMs } from "./utils/testHelper.js";
import { KeyVaultSecret, SecretClient } from "@azure/keyvault-secrets";
import { ErrorMessages, KeyVaultReferenceErrorMessages } from "../src/common/errorMessages.js";
// Each row is [configuration key, Key Vault secret URI, expected resolved value].
// The second row's URI carries an explicit version segment; the other two do not.
const mockedData: [string, string, string][] = [
    ["TestKey", "https://fake-vault-name.vault.azure.net/secrets/fakeSecretName", "SecretValue"],
    ["TestKeyFixedVersion", "https://fake-vault-name.vault.azure.net/secrets/fakeSecretName/741a0fc52610449baffd6e1c55b9d459", "OldSecretValue"],
    ["TestKey2", "https://fake-vault-name2.vault.azure.net/secrets/fakeSecretName2", "SecretValue2"]
];
/**
 * Makes the mocked App Configuration client list one Key Vault reference per row of
 * mockedData (key + secret URI); the expected value column is not needed here.
 */
function mockAppConfigurationClient() {
    const references = mockedData.map(([key, secretUri]) => createMockedKeyVaultReference(key, secretUri));
    mockAppConfigurationClientListConfigurationSettings([references]);
}
/**
 * Registers the [secret URI, expected value] pairs from mockedData with the test helper's
 * getSecret mock, so a resolved reference yields the value from its row.
 */
function mockNewlyCreatedKeyVaultSecretClients() {
    const secretsByUri = mockedData.map(([, secretUri, value]) => [secretUri, value]);
    mockSecretClientGetSecret(secretsByUri);
}
describe("key vault reference", function () {
    // Every test starts from the same three Key Vault references (mockedData) plus the
    // helper's getSecret mock that maps each secret URI to its expected value.
    beforeEach(() => {
        mockAppConfigurationClient();
        mockNewlyCreatedKeyVaultSecretClients();
    });

    afterEach(() => {
        restoreMocks();
    });

    // Without keyVaultOptions a store containing Key Vault references must fail to load;
    // the specific reason is carried in error.cause, the outer error is the generic load failure.
    it("require key vault options to resolve reference", async () => {
        try {
            await load(createMockedConnectionString());
        } catch (error) {
            expect(error.message).eq(ErrorMessages.LOAD_OPERATION_FAILED);
            expect(error.cause.message).eq(KeyVaultReferenceErrorMessages.KEY_VAULT_OPTIONS_UNDEFINED);
            return;
        }
        // we should never reach here, load should throw an error
        throw new Error("Expected load to throw.");
    });

    // A credential alone is enough: both the latest-version URI and the URI with an explicit
    // version segment resolve to the values registered in beforeEach.
    it("should resolve key vault reference with credential", async () => {
        const settings = await load(createMockedConnectionString(), {
            keyVaultOptions: {
                credential: createMockedTokenCredential()
            }
        });
        expect(settings).not.undefined;
        expect(settings.get("TestKey")).eq("SecretValue");
        expect(settings.get("TestKeyFixedVersion")).eq("OldSecretValue");
    });

    // A custom secretResolver receives the reference URL and its return value is stored
    // verbatim as the setting value.
    it("should resolve key vault reference with secret resolver", async () => {
        const settings = await load(createMockedConnectionString(), {
            keyVaultOptions: {
                secretResolver: (kvrUrl) => {
                    return "SecretResolver::" + kvrUrl.toString();
                }
            }
        });
        expect(settings).not.undefined;
        expect(settings.get("TestKey")).eq("SecretResolver::https://fake-vault-name.vault.azure.net/secrets/fakeSecretName");
    });

    // Each reference is routed to the SecretClient whose vault URL matches the reference.
    it("should resolve key vault reference with corresponding secret clients", async () => {
        // Discard the beforeEach stubs so that only the per-client stubs below answer getSecret.
        sinon.restore();
        mockAppConfigurationClient();
        // mock specific behavior per secret client
        const client1 = new SecretClient("https://fake-vault-name.vault.azure.net", createMockedTokenCredential());
        sinon.stub(client1, "getSecret").returns(Promise.resolve({value: "SecretValueViaClient1" } as KeyVaultSecret));
        const client2 = new SecretClient("https://fake-vault-name2.vault.azure.net", createMockedTokenCredential());
        sinon.stub(client2, "getSecret").returns(Promise.resolve({value: "SecretValueViaClient2" } as KeyVaultSecret));
        const settings = await load(createMockedConnectionString(), {
            keyVaultOptions: {
                secretClients: [
                    client1,
                    client2,
                ]
            }
        });
        expect(settings).not.undefined;
        // TestKey lives in fake-vault-name, TestKey2 in fake-vault-name2.
        expect(settings.get("TestKey")).eq("SecretValueViaClient1");
        expect(settings.get("TestKey2")).eq("SecretValueViaClient2");
    });

    // Only a client for fake-vault-name is given and no credential: the reference into
    // fake-vault-name2 (TestKey2) has no way to resolve, so the whole load must fail.
    it("should throw error when secret clients not provided for all key vault references", async () => {
        try {
            await load(createMockedConnectionString(), {
                keyVaultOptions: {
                    secretClients: [
                        new SecretClient("https://fake-vault-name.vault.azure.net", createMockedTokenCredential()),
                    ]
                }
            });
        } catch (error) {
            expect(error.message).eq(ErrorMessages.LOAD_OPERATION_FAILED);
            expect(error.cause.message).eq(KeyVaultReferenceErrorMessages.KEY_VAULT_REFERENCE_UNRESOLVABLE);
            return;
        }
        // we should never reach here, load should throw an error
        throw new Error("Expected load to throw.");
    });

    // Same client list as above, but a credential is also given: the vault without a
    // dedicated client (fake-vault-name2) is still resolved, presumably through a client
    // created from that credential and answered by the beforeEach getSecret mock.
    it("should fallback to use default credential when corresponding secret client not provided", async () => {
        const settings = await load(createMockedConnectionString(), {
            keyVaultOptions: {
                secretClients: [
                    new SecretClient("https://fake-vault-name.vault.azure.net", createMockedTokenCredential()),
                ],
                credential: createMockedTokenCredential()
            }
        });
        expect(settings).not.undefined;
        expect(settings.get("TestKey")).eq("SecretValue");
        expect(settings.get("TestKey2")).eq("SecretValue2");
    });

    // Parallel resolution must produce the same values as the sequential credential test above.
    it("should resolve key vault reference in parallel", async () => {
        const settings = await load(createMockedConnectionString(), {
            keyVaultOptions: {
                credential: createMockedTokenCredential(),
                parallelSecretResolutionEnabled: true
            }
        });
        expect(settings).not.undefined;
        expect(settings.get("TestKey")).eq("SecretValue");
        expect(settings.get("TestKeyFixedVersion")).eq("OldSecretValue");
    });
});
describe("key vault secret refresh", function () {
    // A single Key Vault reference; the secret value itself comes from the SecretClient
    // stub each test installs.
    beforeEach(() => {
        const rows = [
            ["TestKey", "https://fake-vault-name.vault.azure.net/secrets/fakeSecretName", "SecretValue"]
        ];
        const references = rows.map(([key, secretUri]) => createMockedKeyVaultReference(key, secretUri));
        mockAppConfigurationClientListConfigurationSettings([references]);
    });

    afterEach(() => {
        restoreMocks();
    });

    // The lower bound on secretRefreshIntervalInMs is validated up front: load() rejects.
    it("should not allow secret refresh interval less than 1 minute", async () => {
        const client = new SecretClient("https://fake-vault-name.vault.azure.net", createMockedTokenCredential());
        const pendingLoad = load(createMockedConnectionString(), {
            keyVaultOptions: {
                secretClients: [client],
                secretRefreshIntervalInMs: 59999 // one millisecond below the 60_000 minimum
            }
        });
        return expect(pendingLoad).eventually.rejectedWith(ErrorMessages.INVALID_SECRET_REFRESH_INTERVAL);
    });

    // The secret is re-read only once secretRefreshIntervalInMs has elapsed, even though
    // refresh() is called earlier and the key-values themselves never change.
    it("should reload key vault secret when there is no change to key-values", async () => {
        const client = new SecretClient("https://fake-vault-name.vault.azure.net", createMockedTokenCredential());
        const getSecretStub = sinon.stub(client, "getSecret");
        getSecretStub.onFirstCall().resolves({ value: "SecretValue" } as KeyVaultSecret);
        getSecretStub.onSecondCall().resolves({ value: "SecretValue - Updated" } as KeyVaultSecret);

        const settings = await load(createMockedConnectionString(), {
            keyVaultOptions: {
                secretClients: [client],
                credential: createMockedTokenCredential(),
                secretRefreshIntervalInMs: 60_000
            }
        });
        expect(settings).not.undefined;
        expect(settings.get("TestKey")).eq("SecretValue");

        // Halfway through the interval: refresh() must serve the cached secret.
        await sleepInMs(30_000);
        await settings.refresh();
        expect(settings.get("TestKey")).eq("SecretValue");

        // Interval elapsed: refresh() must go back to the SecretClient for the new value.
        await sleepInMs(30_000);
        await settings.refresh();
        expect(settings.get("TestKey")).eq("SecretValue - Updated");
    });
});
describe("min secret refresh interval during key-value refresh", function () {
    // Number of getSecret calls made through the stubs installed below; reset after each test.
    let getSecretCallCount = 0;
    // Etag of the watched "sentinel" setting. It is not reset in afterEach, but each test
    // assigns its own sequence of distinct values, so the value left by a previous test does
    // not change the outcome.
    let sentinelEtag = "initial-etag";

    afterEach(() => {
        restoreMocks();
        getSecretCallCount = 0;
    });

    /**
     * This test verifies the enforcement of the minimum secret refresh interval during key-value refresh.
     * When key-value refresh is triggered (by a watched setting change), the provider calls clearCache()
     * on the KeyVaultSecretProvider. However, clearCache() only clears the cache if the minimum secret
     * refresh interval (60 seconds) has passed. This prevents overwhelming Key Vaults with too many requests.
     */
    it("should not re-fetch secrets when key-value refresh happens within min secret refresh interval", async () => {
        // Setup: key vault reference + sentinel key for watching
        const kvWithSentinel = [
            createMockedKeyVaultReference("TestKey", "https://fake-vault-name.vault.azure.net/secrets/fakeSecretName"),
            createMockedKeyValue({ key: "sentinel", value: "initialValue", etag: sentinelEtag })
        ];
        mockAppConfigurationClientListConfigurationSettings([kvWithSentinel]);
        mockAppConfigurationClientGetConfigurationSetting(kvWithSentinel);

        // Mock SecretClient with call counting
        const client = new SecretClient("https://fake-vault-name.vault.azure.net", createMockedTokenCredential());
        sinon.stub(client, "getSecret").callsFake(async () => {
            getSecretCallCount++;
            return { value: "SecretValue" } as KeyVaultSecret;
        });

        // Load with key-value refresh enabled (watching sentinel)
        const settings = await load(createMockedConnectionString(), {
            refreshOptions: {
                enabled: true,
                refreshIntervalInMs: 1000, // 1 second refresh interval for key-values
                watchedSettings: [{ key: "sentinel" }]
            },
            keyVaultOptions: {
                secretClients: [client]
            }
        });
        expect(settings.get("TestKey")).eq("SecretValue");
        expect(getSecretCallCount).eq(1); // Initial load fetched the secret

        // Simulate sentinel change to trigger key-value refresh
        sentinelEtag = "changed-etag-1";
        const updatedKvs = [
            createMockedKeyVaultReference("TestKey", "https://fake-vault-name.vault.azure.net/secrets/fakeSecretName"),
            createMockedKeyValue({ key: "sentinel", value: "changedValue1", etag: sentinelEtag })
        ];
        // restoreMocks() presumably also removes the getSecret stub on client, which is why
        // the stub is re-installed after every mock swap; the counter keeps accumulating.
        restoreMocks();
        mockAppConfigurationClientListConfigurationSettings([updatedKvs]);
        mockAppConfigurationClientGetConfigurationSetting(updatedKvs);
        sinon.stub(client, "getSecret").callsFake(async () => {
            getSecretCallCount++;
            return { value: "SecretValue" } as KeyVaultSecret;
        });

        // Wait for refresh interval and trigger refresh
        await sleepInMs(1000 + 100);
        await settings.refresh();

        // Key-value refresh happened, but secret should NOT be re-fetched
        // because min secret refresh interval (60s) hasn't passed
        expect(getSecretCallCount).eq(1); // Still 1, no additional getSecret call

        // Trigger another key-value refresh
        sentinelEtag = "changed-etag-2";
        const updatedKvs2 = [
            createMockedKeyVaultReference("TestKey", "https://fake-vault-name.vault.azure.net/secrets/fakeSecretName"),
            createMockedKeyValue({ key: "sentinel", value: "changedValue2", etag: sentinelEtag })
        ];
        restoreMocks();
        mockAppConfigurationClientListConfigurationSettings([updatedKvs2]);
        mockAppConfigurationClientGetConfigurationSetting(updatedKvs2);
        sinon.stub(client, "getSecret").callsFake(async () => {
            getSecretCallCount++;
            return { value: "SecretValue" } as KeyVaultSecret;
        });
        await sleepInMs(1000 + 100);
        await settings.refresh();

        // Still no additional getSecret call due to min interval enforcement
        expect(getSecretCallCount).eq(1);
    });

    // Counterpart of the test above: once more than 60 s have elapsed, a key-value refresh
    // triggered by the sentinel change does reach the SecretClient again and the new secret
    // value (stamped with the call number) replaces the cached one.
    it("should re-fetch secrets after min secret refresh interval passes during key-value refresh", async () => {
        // Setup: key vault reference + sentinel key for watching
        let currentSentinelValue = "initialValue";
        sentinelEtag = "initial-etag";
        // Builds the current store contents from the mutable sentinel value/etag.
        const getKvs = () => [
            createMockedKeyVaultReference("TestKey", "https://fake-vault-name.vault.azure.net/secrets/fakeSecretName"),
            createMockedKeyValue({ key: "sentinel", value: currentSentinelValue, etag: sentinelEtag })
        ];
        mockAppConfigurationClientListConfigurationSettings([getKvs()]);
        mockAppConfigurationClientGetConfigurationSetting(getKvs());

        // Mock SecretClient with call counting
        const client = new SecretClient("https://fake-vault-name.vault.azure.net", createMockedTokenCredential());
        sinon.stub(client, "getSecret").callsFake(async () => {
            getSecretCallCount++;
            return { value: `SecretValue-${getSecretCallCount}` } as KeyVaultSecret;
        });

        // Load with key-value refresh enabled
        const settings = await load(createMockedConnectionString(), {
            refreshOptions: {
                enabled: true,
                refreshIntervalInMs: 1000,
                watchedSettings: [{ key: "sentinel" }]
            },
            keyVaultOptions: {
                secretClients: [client]
            }
        });
        expect(settings.get("TestKey")).eq("SecretValue-1");
        expect(getSecretCallCount).eq(1);

        // Wait for min secret refresh interval (60 seconds) to pass
        await sleepInMs(60_000 + 100);

        // Now change sentinel to trigger key-value refresh
        currentSentinelValue = "changedValue";
        sentinelEtag = "changed-etag";
        restoreMocks();
        mockAppConfigurationClientListConfigurationSettings([getKvs()]);
        mockAppConfigurationClientGetConfigurationSetting(getKvs());
        sinon.stub(client, "getSecret").callsFake(async () => {
            getSecretCallCount++;
            return { value: `SecretValue-${getSecretCallCount}` } as KeyVaultSecret;
        });

        await sleepInMs(1000 + 100); // Wait for kv refresh interval
        await settings.refresh();

        // Now getSecret SHOULD be called again because min interval has passed
        expect(getSecretCallCount).eq(2);
        expect(settings.get("TestKey")).eq("SecretValue-2");
    });
});
/* eslint-enable @typescript-eslint/no-unused-expressions */