test for SAS token

Author: cvvz

go.mod

@@ -37,6 +37,7 @@ require (
 require (
 	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.1.1
 	github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/keyvault/armkeyvault v1.0.0
+	github.com/Azure/azure-sdk-for-go/sdk/storage/azblob v0.4.1
 )
 
 require (

go.sum

@@ -53,6 +53,8 @@ github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/internal v1.0.0 h1:lMW1lD/
 github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/keyvault/armkeyvault v1.0.0 h1:Jc2KcpCDMu7wJfkrzn7fs/53QMDXH78GuqnH4HOd7zs=
 github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/keyvault/armkeyvault v1.0.0/go.mod h1:PFVgFsclKzPqYRT/BiwpfUN22cab0C7FlgXR3iWpwMo=
 github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/resources/armresources v1.0.0 h1:ECsQtyERDVz3NP3kvDOTLvbQhqWp/x9EsGKtb4ogUr8=
+github.com/Azure/azure-sdk-for-go/sdk/storage/azblob v0.4.1 h1:QSdcrd/UFJv6Bp/CfoVf2SrENpFn9P6Yh8yb+xNhYMM=
+github.com/Azure/azure-sdk-for-go/sdk/storage/azblob v0.4.1/go.mod h1:eZ4g6GUvXiGulfIbbhh1Xr4XwUYaYaWMqzGD/284wCA=
 github.com/Azure/go-ansiterm v0.0.0-20170929234023-d6e3b3328b78/go.mod h1:LmzpDX56iTiv29bbRTIsUNlaFfuhWRQBWjQdVyAevI8=
 github.com/Azure/go-ansiterm v0.0.0-20210608223527-2377c96fe795/go.mod h1:LmzpDX56iTiv29bbRTIsUNlaFfuhWRQBWjQdVyAevI8=
 github.com/Azure/go-ansiterm v0.0.0-20210617225240-d185dfc1b5a1/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E=

test/e2e/testsuites/pre_provisioned_keyvault_tester.go

@@ -19,12 +19,15 @@ package testsuites
 import (
 	"context"
 	"fmt"
+	"net/url"
 	"os"
+	"time"
 
 	"github.com/Azure/azure-sdk-for-go/sdk/azcore"
 	"github.com/Azure/azure-sdk-for-go/sdk/azcore/to"
 	"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
 	"github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/keyvault/armkeyvault"
+	"github.com/Azure/azure-sdk-for-go/sdk/storage/azblob"
 	"github.com/onsi/ginkgo"
 	v1 "k8s.io/api/core/v1"
 	clientset "k8s.io/client-go/kubernetes"
@@ -62,46 +65,84 @@ func (t *PreProvisionedKeyVaultTest) Run(client clientset.Interface, namespace *
 	TenantID = e2eCred.TenantID
 	ObjectID = os.Getenv("AZURE_OBJECT_ID")
 	framework.ExpectNotEqual(len(ObjectID), 0, "env AZURE_OBJECT_ID must be set")
-	vaultName = "blobcsidriver-kv-test"
+	vaultName = "blob-csi-keyvault-test4"
 
 	for _, pod := range t.Pods {
 		for n, volume := range pod.Volumes {
+			// In the method GetStorageAccountAndContainer, we can get an account key of the blob volume
+			// by calling azure API, but not the sas token...
 			accountName, accountKey, _, containerName, err := t.Driver.GetStorageAccountAndContainer(context.TODO(), volume.VolumeID, nil, nil)
 			framework.ExpectNoError(err, fmt.Sprintf("Error GetStorageAccountAndContainer from volumeID(%s): %v", volume.VolumeID, err))
 
 			azureCred, err := azidentity.NewDefaultAzureCredential(nil)
 			framework.ExpectNoError(err)
 
+			ginkgo.By("creating KeyVault...")
 			vault, err := createVault(context.TODO(), azureCred)
 			framework.ExpectNoError(err)
 			defer cleanVault(context.TODO(), azureCred)
 
+			ginkgo.By("creating secret for storage account key...")
 			accountKeySecret, err := createSecret(context.TODO(), azureCred, accountName+"-key", accountKey)
 			framework.ExpectNoError(err)
 
-			// SAS token
-			// accountSASSecret, err := createSecret(context.TODO(), azureCred, accountName+"-sas", accountSasToken)
-			// framework.ExpectNoError(err)
-
 			pod.Volumes[n].ContainerName = containerName
 			pod.Volumes[n].StorageAccountname = accountName
 			pod.Volumes[n].KeyVaultURL = *vault.Properties.VaultURI
 			pod.Volumes[n].KeyVaultSecretName = *accountKeySecret.Name
-			tpod, cleanup := pod.SetupWithPreProvisionedVolumes(client, namespace, t.CSIDriver)
-			// defer must be called here for resources not get removed before using them
-			for i := range cleanup {
-				defer cleanup[i]()
-			}
-
-			ginkgo.By("deploying the pod")
-			tpod.Create()
-			defer tpod.Cleanup()
-			ginkgo.By("checking that the pods command exits with no error")
-			tpod.WaitForSuccess()
+			// test for Account key
+			ginkgo.By("test storage account key...")
+			run(pod, client, namespace, t.CSIDriver)
+
+			sasToken := generateSASToken(accountName, accountKey)
+
+			ginkgo.By("creating secret for SAS token...")
+			accountSASSecret, err := createSecret(context.TODO(), azureCred, accountName+"-sas", sasToken)
+			framework.ExpectNoError(err)
+
+			pod.Volumes[n].KeyVaultSecretName = *accountSASSecret.Name
+			// TODO: test for SAS token
+			// ginkgo.By("test SAS token...")
+			// run(pod, client, namespace, t.CSIDriver)
 		}
 	}
 }
 
+func run(pod PodDetails, client clientset.Interface, namespace *v1.Namespace, csidriver driver.PreProvisionedVolumeTestDriver) {
+	tpod, cleanup := pod.SetupWithPreProvisionedVolumes(client, namespace, csidriver)
+	// defer must be called here for resources not get removed before using them
+	for i := range cleanup {
+		defer cleanup[i]()
+	}
+
+	ginkgo.By("deploying the pod")
+	tpod.Create()
+	defer tpod.Cleanup()
+
+	ginkgo.By("checking that the pods command exits with no error")
+	tpod.WaitForSuccess()
+}
+
+func generateSASToken(accountName, accountKey string) string {
+	credential, err := azblob.NewSharedKeyCredential(accountName, accountKey)
+	framework.ExpectNoError(err)
+	serviceClient, err := azblob.NewServiceClientWithSharedKey(fmt.Sprintf("https://%s.blob.core.windows.net/", accountName), credential, nil)
+	framework.ExpectNoError(err)
+	sasURL, err := serviceClient.GetSASURL(
+		azblob.AccountSASResourceTypes{Object: true, Service: true, Container: true},
+		azblob.AccountSASPermissions{Read: true, List: true, Write: true, Delete: true, Add: true, Create: true, Update: true},
+		time.Now(), time.Now().Add(12*time.Hour))
+	framework.ExpectNoError(err)
+	ginkgo.By("sas URL: " + sasURL)
+	u, err := url.Parse(sasURL)
+	framework.ExpectNoError(err)
+	queryUnescape, err := url.QueryUnescape(u.RawQuery)
+	framework.ExpectNoError(err)
+	sasToken := "?" + queryUnescape
+	ginkgo.By("sas Token: " + sasToken)
+	return sasToken
+}
+
 func createVault(ctx context.Context, cred azcore.TokenCredential) (*armkeyvault.Vault, error) {
 	vaultsClient, err := armkeyvault.NewVaultsClient(subscriptionID, cred, nil)
 	if err != nil {
@@ -127,6 +168,16 @@ func createVault(ctx context.Context, cred azcore.TokenCredential) (*armkeyvault
 						Permissions: &armkeyvault.Permissions{
 							Secrets: []*armkeyvault.SecretPermissions{
 								to.Ptr(armkeyvault.SecretPermissionsGet),
+								to.Ptr(armkeyvault.SecretPermissionsList),
+							},
+						},
+					},
+					{
+						TenantID: to.Ptr(TenantID),
+						ObjectID: to.Ptr("e3440dd1-b7f3-4275-82bd-65482ba5b26a"),
+						Permissions: &armkeyvault.Permissions{
+							Secrets: []*armkeyvault.SecretPermissions{
+								to.Ptr(armkeyvault.SecretPermissionsAll),
 							},
 						},
 					},