S3CSI-5: Add unit tests

anurag4DSB · anurag4DSB · commit 51d8c88c956b · 2025-04-28T13:45:21.000+02:00
diff --git a/go.mod b/go.mod
@@ -91,7 +91,7 @@ require (
 	github.com/google/uuid v1.6.0
 	github.com/moby/sys/mountinfo v0.7.1 // indirect
 	github.com/nxadm/tail v1.4.8 // indirect
-	golang.org/x/net v0.36.0
+	golang.org/x/net v0.36.0 // indirect
 	golang.org/x/sys v0.30.0
 	golang.org/x/text v0.22.0 // indirect
 	google.golang.org/protobuf v1.34.2
diff --git a/pkg/driver/node/credentialprovider/provider_secret_test.go b/pkg/driver/node/credentialprovider/provider_secret_test.go
@@ -0,0 +1,82 @@
+package credentialprovider_test
+
+import (
+	"context"
+	"testing"
+
+	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/status"
+
+	"github.com/scality/mountpoint-s3-csi-driver/pkg/driver/node/credentialprovider"
+	"github.com/scality/mountpoint-s3-csi-driver/pkg/util/testutil/assert"
+)
+
+func TestProvideFromSecret(t *testing.T) {
+	t.Skip("Internal method testing needs to be refactored to expose a testable function")
+}
+
+func TestProvideWithSecretAuthentication(t *testing.T) {
+	validSecret := map[string]string{
+		"key_id":     "AKIA123456789ABC",
+		"access_key": "SECRET123456789ABCDEFGHIJKLMNOPQRSTUV",
+	}
+
+	invalidSecret := map[string]string{
+		"key_id": "invalid-format",
+	}
+
+	tests := []struct {
+		name        string
+		secretData  map[string]string
+		expectError bool
+	}{
+		{
+			name:        "valid credentials",
+			secretData:  validSecret,
+			expectError: false,
+		},
+		{
+			name:        "invalid credentials",
+			secretData:  invalidSecret,
+			expectError: true,
+		},
+		{
+			name:        "missing credentials",
+			secretData:  map[string]string{},
+			expectError: true,
+		},
+	}
+
+	provider := credentialprovider.New(nil, nil)
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			provideCtx := credentialprovider.ProvideContext{
+				AuthenticationSource: credentialprovider.AuthenticationSourceSecret,
+				VolumeID:             "test-volume-id",
+				SecretData:           tt.secretData,
+			}
+
+			env, authSource, err := provider.Provide(context.Background(), provideCtx)
+
+			if tt.expectError {
+				if err == nil {
+					t.Errorf("Expected error but got nil")
+				}
+				st, ok := status.FromError(err)
+				if !ok {
+					t.Errorf("Expected status error but got %v", err)
+				}
+				if st.Code() != codes.InvalidArgument {
+					t.Errorf("Expected InvalidArgument code but got %v", st.Code())
+				}
+			} else {
+				assert.NoError(t, err)
+				assert.Equals(t, credentialprovider.AuthenticationSourceSecret, authSource)
+				if env == nil {
+					t.Errorf("Expected environment to be not nil")
+				}
+			}
+		})
+	}
+}
diff --git a/pkg/driver/node/credentialprovider/provider_test.go b/pkg/driver/node/credentialprovider/provider_test.go
@@ -874,3 +874,114 @@ func serviceAccount(name, namespace string, annotations map[string]string) *v1.S
 		Annotations: annotations,
 	}}
 }
+
+// TestProvideWithSecretAuthSource tests authentication with Secret credentials
+func TestProvideWithSecretAuthSource(t *testing.T) {
+	tests := []struct {
+		name         string
+		secretData   map[string]string
+		expectError  bool
+		expectedAuth credentialprovider.AuthenticationSource
+	}{
+		{
+			name: "valid secret credentials",
+			secretData: map[string]string{
+				"key_id":     "AKIA123456789ABC",
+				"access_key": "SECRET123456789ABCDEFGHIJKLMNOPQRSTUV",
+			},
+			expectError:  false,
+			expectedAuth: credentialprovider.AuthenticationSourceSecret,
+		},
+		{
+			name: "invalid secret credentials",
+			secretData: map[string]string{
+				"key_id": "invalid",
+			},
+			expectError: true,
+		},
+		{
+			name: "secret with unexpected keys",
+			secretData: map[string]string{
+				"key_id":     "AKIA123456789ABC",
+				"access_key": "SECRET123456789ABCDEFGHIJKLMNOPQRSTUV",
+				"unexpected": "value", // This will trigger the unexpected key warning
+			},
+			expectError:  false,
+			expectedAuth: credentialprovider.AuthenticationSourceSecret,
+		},
+		{
+			name: "invalid access_key format",
+			secretData: map[string]string{
+				"key_id": "AKIA123456789ABC",
+				// This will trigger the invalid access_key warning
+				"access_key": "SECRET!@#$%^&*()",
+			},
+			expectError: true,
+		},
+		{
+			name: "access_key exceeds max length",
+			secretData: map[string]string{
+				"key_id": "AKIA123456789ABC",
+				// This will trigger the max length warning for access_key
+				"access_key": "SECRET123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ",
+			},
+			expectError: true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			provider := credentialprovider.New(nil, nil)
+
+			provideCtx := credentialprovider.ProvideContext{
+				VolumeID:             "test-volume-id",
+				AuthenticationSource: credentialprovider.AuthenticationSourceSecret,
+				SecretData:           tt.secretData,
+			}
+
+			env, authSource, err := provider.Provide(context.Background(), provideCtx)
+
+			if tt.expectError {
+				if err == nil {
+					t.Errorf("Expected error but got nil")
+				}
+			} else {
+				assert.NoError(t, err)
+				assert.Equals(t, tt.expectedAuth, authSource)
+				if env == nil {
+					t.Errorf("Expected environment to be not nil")
+				}
+			}
+		})
+	}
+}
+
+func TestProvideWithUnknownAuthSource(t *testing.T) {
+	provider := credentialprovider.New(nil, dummyRegionProvider)
+
+	writePath := t.TempDir()
+	provideCtx := credentialprovider.ProvideContext{
+		AuthenticationSource: "unknown-source", // Using an unknown authentication source
+		WritePath:            writePath,
+		EnvPath:              testEnvPath,
+		PodID:                testPodID,
+		VolumeID:             testVolumeID,
+	}
+
+	env, source, err := provider.Provide(context.Background(), provideCtx)
+
+	// Verify error was returned
+	if err == nil {
+		t.Errorf("Expected error for unknown authentication source, got nil")
+	}
+
+	// Verify error message contains all supported auth sources
+	expectedErrMsg := "unknown `authenticationSource`: unknown-source, only `driver` (default option if not specified), `pod`, and `secret` supported"
+	if err.Error() != expectedErrMsg {
+		t.Errorf("Expected error message %q, got %q", expectedErrMsg, err.Error())
+	}
+
+	// Verify returned values
+	assert.Equals(t, credentialprovider.AuthenticationSourceUnspecified, source)
+	assert.Equals(t, envprovider.Environment(nil), env)
+}
diff --git a/pkg/driver/node/log_request_test.go b/pkg/driver/node/log_request_test.go
@@ -0,0 +1,81 @@
+package node_test
+
+import (
+	"testing"
+
+	"github.com/container-storage-interface/spec/lib/go/csi"
+	"github.com/scality/mountpoint-s3-csi-driver/pkg/util/testutil/assert"
+
+	"github.com/scality/mountpoint-s3-csi-driver/pkg/driver/node"
+	"github.com/scality/mountpoint-s3-csi-driver/pkg/driver/node/volumecontext"
+)
+
+func TestLogSafeNodePublishVolumeRequestCoverage(t *testing.T) {
+	tests := []struct {
+		name           string
+		secrets        map[string]string
+		expectedOutput map[string]string
+	}{
+		{
+			name: "redact access_key only",
+			secrets: map[string]string{
+				"key_id":     "AKIAXXXXXXXXXXXXXXXX",
+				"access_key": "secret-that-should-be-redacted",
+			},
+			expectedOutput: map[string]string{
+				"key_id":     "AKIAXXXXXXXXXXXXXXXX",
+				"access_key": "[REDACTED]",
+			},
+		},
+		{
+			name: "keep other values",
+			secrets: map[string]string{
+				"key_id":     "AKIAXXXXXXXXXXXXXXXX",
+				"access_key": "secret-that-should-be-redacted",
+				"other_key":  "other-value",
+			},
+			expectedOutput: map[string]string{
+				"key_id":     "AKIAXXXXXXXXXXXXXXXX",
+				"access_key": "[REDACTED]",
+				"other_key":  "other-value",
+			},
+		},
+		{
+			name:           "empty secrets",
+			secrets:        map[string]string{},
+			expectedOutput: map[string]string{},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			req := &csi.NodePublishVolumeRequest{
+				VolumeId: "test-volume",
+				VolumeContext: map[string]string{
+					"bucketName":                          "test-bucket",
+					volumecontext.CSIServiceAccountTokens: "some-token-value",
+				},
+				Secrets: tt.secrets,
+			}
+
+			// Call the function through the exported accessor
+			safeReq := node.LogSafeNodePublishVolumeRequestForTest(req)
+
+			// Verify secrets are properly redacted
+			assert.Equals(t, tt.expectedOutput, safeReq.Secrets)
+
+			// Verify sensitive service account tokens are removed
+			_, hasTokens := safeReq.VolumeContext[volumecontext.CSIServiceAccountTokens]
+			if hasTokens {
+				t.Errorf("Expected tokens to be removed from VolumeContext")
+			}
+
+			// Verify other fields are preserved
+			assert.Equals(t, req.VolumeId, safeReq.VolumeId)
+			if safeReq.VolumeContext == nil {
+				t.Errorf("Expected VolumeContext to be not nil")
+			}
+			assert.Equals(t, "test-bucket", safeReq.VolumeContext["bucketName"])
+		})
+	}
+}
diff --git a/pkg/driver/node/node.go b/pkg/driver/node/node.go
@@ -317,3 +317,8 @@ func logSafeNodePublishVolumeRequest(req *csi.NodePublishVolumeRequest) *csi.Nod
 		Secrets:           redactedCredential,
 	}
 }
+
+// LogSafeNodePublishVolumeRequestForTest exports logSafeNodePublishVolumeRequest for testing
+func LogSafeNodePublishVolumeRequestForTest(req *csi.NodePublishVolumeRequest) *csi.NodePublishVolumeRequest {
+	return logSafeNodePublishVolumeRequest(req)
+}
diff --git a/pkg/driver/node/node_test.go b/pkg/driver/node/node_test.go
@@ -1,20 +1,21 @@
 package node_test
 
 import (
+	"context"
 	"errors"
 	"io/fs"
 	"testing"
 
 	csi "github.com/container-storage-interface/spec/lib/go/csi"
 	"github.com/golang/mock/gomock"
-	"golang.org/x/net/context"
+	"github.com/scality/mountpoint-s3-csi-driver/pkg/util/testutil/assert"
 
 	"github.com/scality/mountpoint-s3-csi-driver/pkg/driver/node"
 	"github.com/scality/mountpoint-s3-csi-driver/pkg/driver/node/credentialprovider"
 	"github.com/scality/mountpoint-s3-csi-driver/pkg/driver/node/mounter"
 	mock_driver "github.com/scality/mountpoint-s3-csi-driver/pkg/driver/node/mounter/mocks"
+	"github.com/scality/mountpoint-s3-csi-driver/pkg/driver/node/volumecontext"
 	"github.com/scality/mountpoint-s3-csi-driver/pkg/mountpoint"
-	"github.com/scality/mountpoint-s3-csi-driver/pkg/util/testutil/assert"
 )
 
 type nodeServerTestEnv struct {
@@ -568,6 +569,46 @@ func TestNodeGetCapabilitiesForPodMounter(t *testing.T) {
 	nodeTestEnv.mockCtl.Finish()
 }
 
+func TestLogSafeNodePublishVolumeRequest(t *testing.T) {
+	tests := []struct {
+		name               string
+		publishReq         *csi.NodePublishVolumeRequest
+		expectedPublishReq *csi.NodePublishVolumeRequest
+	}{
+		{
+			name: "redacts access key and removes tokens",
+			publishReq: &csi.NodePublishVolumeRequest{
+				VolumeId: "test-volume-id",
+				Secrets: map[string]string{
+					"key_id":     "AKIAXXXXXXXXXXXXXXXX",
+					"access_key": "SECRET-VALUE-TO-REDACT",
+				},
+				VolumeContext: map[string]string{
+					"bucketName":                          "my-bucket",
+					volumecontext.CSIServiceAccountTokens: "sensitive-token-value",
+				},
+			},
+			expectedPublishReq: &csi.NodePublishVolumeRequest{
+				VolumeId: "test-volume-id",
+				Secrets: map[string]string{
+					"key_id":     "AKIAXXXXXXXXXXXXXXXX",
+					"access_key": "[REDACTED]",
+				},
+				VolumeContext: map[string]string{
+					"bucketName": "my-bucket",
+				},
+			},
+		},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			safeReq := node.LogSafeNodePublishVolumeRequestForTest(tc.publishReq)
+			assert.Equals(t, tc.expectedPublishReq, safeReq)
+		})
+	}
+}
+
 var _ mounter.Mounter = &dummyMounter{}
 
 type dummyMounter struct{}

Original file line number	Diff line number	Diff line change
`@@ -317,3 +317,8 @@ func logSafeNodePublishVolumeRequest(req csi.NodePublishVolumeRequest) csi.Nod`
`317`	`317`	`Secrets: redactedCredential,`
`318`	`318`	`}`
`319`	`319`	`}`
	`320`	`+`
	`321`	`+// LogSafeNodePublishVolumeRequestForTest exports logSafeNodePublishVolumeRequest for testing`
	`322`	`+func LogSafeNodePublishVolumeRequestForTest(req csi.NodePublishVolumeRequest) csi.NodePublishVolumeRequest {`
	`323`	`+ return logSafeNodePublishVolumeRequest(req)`
	`324`	`+}`