Use caching GetSecretToken implementation

tektoncd · Jun 2, 2020 · 064df4d · 064df4d
1 parent 0d17151
commit 064df4d
Show file tree

Hide file tree

Showing 4 changed files with 114 additions and 6 deletions.
diff --git a/pkg/interceptors/github/github.go b/pkg/interceptors/github/github.go
@@ -64,7 +64,7 @@ func (w *Interceptor) ExecuteTrigger(request *http.Request) (*http.Response, err
 		if header == "" {
 			return nil, errors.New("no X-Hub-Signature header set")
 		}
-		secretToken, err := interceptors.GetSecretToken(w.KubeClientSet, w.GitHub.SecretRef, w.EventListenerNamespace)
+		secretToken, err := interceptors.GetSecretToken(request, w.KubeClientSet, w.GitHub.SecretRef, w.EventListenerNamespace)
 		if err != nil {
 			return nil, err
 		}

diff --git a/pkg/interceptors/gitlab/gitlab.go b/pkg/interceptors/gitlab/gitlab.go
@@ -54,7 +54,7 @@ func (w *Interceptor) ExecuteTrigger(request *http.Request) (*http.Response, err
 			return nil, errors.New("no X-GitLab-Token header set")
 		}
 
-		secretToken, err := interceptors.GetSecretToken(w.KubeClientSet, w.GitLab.SecretRef, w.EventListenerNamespace)
+		secretToken, err := interceptors.GetSecretToken(request, w.KubeClientSet, w.GitLab.SecretRef, w.EventListenerNamespace)
 		if err != nil {
 			return nil, err
 		}

diff --git a/pkg/interceptors/interceptors.go b/pkg/interceptors/interceptors.go
@@ -59,10 +59,14 @@ func getCache(req *http.Request) map[string]interface{} {
 // As we may have many triggers that all use the same secret, we cache the secret values
 // in the request cache.
 func GetSecretToken(req *http.Request, cs kubernetes.Interface, sr *triggersv1.SecretRef, eventListenerNamespace string) ([]byte, error) {
+	var cache map[string]interface{}
+
 	cacheKey := path.Join("secret", sr.Namespace, sr.SecretName, sr.SecretKey)
-	cache := getCache(req)
-	if secretValue, ok := cache[cacheKey]; ok {
-		return secretValue.([]byte), nil
+	if req != nil {
+		cache = getCache(req)
+		if secretValue, ok := cache[cacheKey]; ok {
+			return secretValue.([]byte), nil
+		}
 	}
 
 	ns := sr.Namespace
@@ -75,7 +79,9 @@ func GetSecretToken(req *http.Request, cs kubernetes.Interface, sr *triggersv1.S
 	}
 
 	secretValue := secret.Data[sr.SecretKey]
-	cache[cacheKey] = secret.Data[sr.SecretKey]
+	if req != nil {
+		cache[cacheKey] = secret.Data[sr.SecretKey]
+	}
 
 	return secretValue, nil
 }
diff --git a/pkg/interceptors/interceptors_test.go b/pkg/interceptors/interceptors_test.go
@@ -0,0 +1,102 @@
+/*
+Copyright 2019 The Tekton Authors
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+		http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package interceptors
+
+import (
+	"bytes"
+	"context"
+	"fmt"
+	"net/http"
+	"testing"
+
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	fakekubeclient "knative.dev/pkg/client/injection/kube/client/fake"
+	rtesting "knative.dev/pkg/reconciler/testing"
+
+	triggersv1 "github.com/tektoncd/triggers/pkg/apis/triggers/v1alpha1"
+)
+
+const testNS = "testing-ns"
+
+func Test_GetSecretToken(t *testing.T) {
+	tests := []struct {
+		name   string
+		cache  map[string]interface{}
+		wanted []byte
+	}{
+		{
+			name:   "no matching cache entry exists",
+			cache:  make(map[string]interface{}),
+			wanted: []byte("secret from API"),
+		},
+		{
+			name: "a matching cache entry exists",
+			cache: map[string]interface{}{
+				fmt.Sprintf("secret/%s/test-secret/token", testNS): []byte("secret from cache"),
+			},
+			wanted: []byte("secret from cache"),
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(rt *testing.T) {
+			req := setCache(&http.Request{}, tt.cache)
+
+			ctx, _ := rtesting.SetupFakeContext(t)
+			kubeClient := fakekubeclient.Get(ctx)
+			secretRef := makeSecretRef()
+
+			if _, err := kubeClient.CoreV1().Secrets(testNS).Create(makeSecret("secret from API")); err != nil {
+				rt.Error(err)
+			}
+
+			secret, err := GetSecretToken(req, kubeClient, &secretRef, testNS)
+			if err != nil {
+				rt.Error(err)
+			}
+
+			if !bytes.Equal(secret, tt.wanted) {
+				rt.Errorf("Expected '%s', got '%s'", string(tt.wanted), string(secret))
+			}
+		})
+	}
+}
+
+func makeSecret(secretText string) *corev1.Secret {
+	return &corev1.Secret{
+		ObjectMeta: metav1.ObjectMeta{
+			Namespace: testNS,
+			Name:      "test-secret",
+		},
+		Data: map[string][]byte{
+			"token": []byte(secretText),
+		},
+	}
+}
+
+func makeSecretRef() triggersv1.SecretRef {
+	return triggersv1.SecretRef{
+		SecretKey:  "token",
+		SecretName: "test-secret",
+		Namespace:  testNS,
+	}
+}
+
+func setCache(req *http.Request, vals map[string]interface{}) *http.Request {
+	return req.WithContext(context.WithValue(req.Context(), requestCacheKey, vals))
+}