Dark-Alex-17/gman
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

test: Added tests for the Azure Key Vault provider

Browse Source
This commit is contained in:
Alex Clarke
2025-09-12 19:35:54 -06:00
parent 4042402d1b
commit 03bc44a9f6
5 changed files with 109 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files
README.md
+31 -1
View File
@@ -93,6 +93,7 @@ gman aws sts get-caller-identity
- [Local](#provider-local) - [Local](#provider-local)
- [AWS Secrets Manager](#provider-aws_secrets_manager) - [AWS Secrets Manager](#provider-aws_secrets_manager)
- [GCP Secret Manager](#provider-gcp_secret_manager) - [GCP Secret Manager](#provider-gcp_secret_manager)
- [Azure Key Vault](#provider-azure_key_vault)
- [Run Configurations](#run-configurations) - [Run Configurations](#run-configurations)
- [Environment Variable Secret Injection](#environment-variable-secret-injection) - [Environment Variable Secret Injection](#environment-variable-secret-injection)
- [Inject Secrets via Command-Line Flags](#inject-secrets-via-command-line-flags) - [Inject Secrets via Command-Line Flags](#inject-secrets-via-command-line-flags)
@@ -244,7 +245,7 @@ documented and added without breaking existing setups. The following table shows
| `local` | ✅ | [Local](#provider-local) | | | `local` | ✅ | [Local](#provider-local) | |
| [`aws_secrets_manager`](https://docs.aws.amazon.com/secretsmanager/latest/userguide/intro.html) | ✅ | [AWS Secrets Manager](#provider-aws_secrets_manager) | | | [`aws_secrets_manager`](https://docs.aws.amazon.com/secretsmanager/latest/userguide/intro.html) | ✅ | [AWS Secrets Manager](#provider-aws_secrets_manager) | |
| [`hashicorp_vault`](https://www.hashicorp.com/en/products/vault) | 🕒 | | | | [`hashicorp_vault`](https://www.hashicorp.com/en/products/vault) | 🕒 | | |
| [`azure_key_vault`](https://azure.microsoft.com/en-us/products/key-vault/) | 🕒 | | | | [`azure_key_vault`](https://azure.microsoft.com/en-us/products/key-vault/) | | [Azure Key Vault](#provider-azure_key_vault) | |
| [`gcp_secret_manager`](https://cloud.google.com/security/products/secret-manager?hl=en) | ✅ | [GCP Secret Manager](#provider-gcp_secret_manager) | | | [`gcp_secret_manager`](https://cloud.google.com/security/products/secret-manager?hl=en) | ✅ | [GCP Secret Manager](#provider-gcp_secret_manager) | |
| [`1password`](https://1password.com/) | 🕒 | | | | [`1password`](https://1password.com/) | 🕒 | | |
| [`bitwarden`](https://bitwarden.com/) | 🕒 | | | | [`bitwarden`](https://bitwarden.com/) | 🕒 | | |
@@ -360,6 +361,35 @@ Important notes:
add a new version. add a new version.
- `get` returns the latest version; older versions remain unless you delete the secret. - `get` returns the latest version; older versions remain unless you delete the secret.
### Provider: `azure_key_vault`
The `azure_key_vault` provider uses Azure Key Vault as the backing storage location for secrets.
- Requires: `vault_name` (Key Vault name; the endpoint is constructed as `https://<vault_name>.vault.azure.net`).
Configuration example:
```yaml
default_provider: azure
providers:
- name: azure
type: azure_key_vault
vault_name: my-vault-name
```
Authentication:
- Use the Azure CLI and ensure you are logged in: `az login`.
- If needed, select the correct subscription: `az account set -s <subscription-id-or-name>`.
- The provider uses `DefaultAzureCredential`, which can authenticate via Azure CLI, environment variables, managed
identity, etc.
Important notes:
- Deleting a secret removes the entire secret and all its versions, not just the latest version. Depending on your
vaults soft-delete settings, the secret may enter a deleted state until purged.
- `set`/`update` create a new secret version each time; reads return the latest by default.
- Ensure your identity has the necessary Key Vault permissions (RBAC such as `Key Vault Secrets User`/`Administrator`,
or appropriate access policies) for get/set/list/delete.
## Run Configurations ## Run Configurations
Run configurations (or "profiles") tell `gman` how to inject secrets into a command. Three modes of secret injection are Run configurations (or "profiles") tell `gman` how to inject secrets into a command. Three modes of secret injection are
src/providers/mod.rs
+1 -1
View File
@@ -8,12 +8,12 @@ pub mod gcp_secret_manager;
mod git_sync; mod git_sync;
pub mod local; pub mod local;
use std::fmt;
use crate::providers::local::LocalProvider; use crate::providers::local::LocalProvider;
use anyhow::{Result, anyhow}; use anyhow::{Result, anyhow};
use aws_secrets_manager::AwsSecretsManagerProvider; use aws_secrets_manager::AwsSecretsManagerProvider;
use gcp_secret_manager::GcpSecretManagerProvider; use gcp_secret_manager::GcpSecretManagerProvider;
use serde::{Deserialize, Serialize}; use serde::{Deserialize, Serialize};
use std::fmt;
use std::fmt::{Display, Formatter}; use std::fmt::{Display, Formatter};
use validator::{Validate, ValidationErrors}; use validator::{Validate, ValidationErrors};
tests/providers/azure_key_vault_tests.rs
+71
View File
@@ -0,0 +1,71 @@
use gman::config::{Config, ProviderConfig};
use gman::providers::azure_key_vault::AzureKeyVaultProvider;
use gman::providers::{SecretProvider, SupportedProvider};
use pretty_assertions::{assert_eq, assert_str_eq};
use validator::Validate;
#[test]
fn test_azure_provider_name() {
let provider = AzureKeyVaultProvider {
vault_name: Some("my-vault".into()),
};
assert_str_eq!(provider.name(), "AzureKeyVaultProvider");
}
#[test]
fn test_azure_provider_validation_ok() {
let provider = AzureKeyVaultProvider {
vault_name: Some("vault-prod".into()),
};
assert!(provider.validate().is_ok());
}
#[test]
fn test_azure_provider_missing_vault_name() {
let provider = AzureKeyVaultProvider { vault_name: None };
assert!(provider.validate().is_err());
}
#[test]
fn test_supported_provider_display_and_validate() {
let sp = SupportedProvider::AzureKeyVault {
provider_def: AzureKeyVaultProvider {
vault_name: Some("kv-demo".into()),
},
};
assert!(sp.validate().is_ok());
assert_eq!(sp.to_string(), "azure_key_vault");
}
#[test]
fn test_provider_config_with_azure_deserialize_and_extract() {
// Minimal ProviderConfig YAML using the azure_key_vault variant
let yaml = r#"---
name: azure
type: azure_key_vault
vault_name: my-vault
"#;
let pc: ProviderConfig = serde_yaml::from_str(yaml).expect("valid provider config yaml");
assert!(pc.validate().is_ok());
let mut pc_owned = pc.clone();
let provider: &mut dyn SecretProvider = pc_owned.extract_provider();
assert_eq!(provider.name(), "AzureKeyVaultProvider");
// Round-trip through Config with default_provider
let cfg_yaml = r#"---
default_provider: azure
providers:
- name: azure
type: azure_key_vault
vault_name: my-vault
"#;
let cfg: Config = serde_yaml::from_str(cfg_yaml).expect("valid config yaml");
assert!(cfg.validate().is_ok());
let extracted = cfg
.extract_provider_config(None)
.expect("should find default provider");
assert_eq!(extracted.name.as_deref(), Some("azure"));
}
tests/providers/gcp_secret_manager_tests.rs
+3 -2
View File
@@ -22,7 +22,9 @@ fn test_gcp_provider_validation_ok() {
#[test] #[test]
fn test_gcp_provider_missing_project() { fn test_gcp_provider_missing_project() {
let provider = GcpSecretManagerProvider { gcp_project_id: None }; let provider = GcpSecretManagerProvider {
gcp_project_id: None,
};
assert!(provider.validate().is_err()); assert!(provider.validate().is_err());
} }
@@ -71,4 +73,3 @@ providers:
.expect("should find default provider"); .expect("should find default provider");
assert_eq!(extracted.name.as_deref(), Some("gcp")); assert_eq!(extracted.name.as_deref(), Some("gcp"));
} }
tests/providers/mod.rs
+1
View File
@@ -1,4 +1,5 @@
mod aws_secrets_manager_tests; mod aws_secrets_manager_tests;
mod azure_key_vault_tests;
mod gcp_secret_manager_tests; mod gcp_secret_manager_tests;
mod local_tests; mod local_tests;
mod provider_tests; mod provider_tests;