Introduce new unit tests for the exec backend

graphcareful · graphcareful · commit 74ccdcb0bed0 · 2025-08-26T13:52:03.000-04:00
diff --git a/src/secrets/exec.rs b/src/secrets/exec.rs
@@ -217,3 +217,76 @@ async fn query_backend(
     let response = serde_json::from_slice::<HashMap<String, ExecResponse>>(&output)?;
     Ok(response)
 }
+
+#[cfg(test)]
+mod tests {
+    use crate::{
+        config::SecretBackend,
+        secrets::exec::{ExecBackend, ExecVersion},
+    };
+    use rstest::rstest;
+    use std::{
+        collections::{HashMap, HashSet},
+        path::PathBuf,
+    };
+    use tokio::sync::broadcast;
+    use vrl::value;
+
+    fn make_test_backend(protocol: ExecVersion) -> ExecBackend {
+        let command_path = PathBuf::from(env!("CARGO_MANIFEST_DIR"))
+            .join("tests/behavior/secrets/mock_secrets_exec.py");
+        ExecBackend {
+            command: ["python", command_path.to_str().unwrap()]
+                .map(String::from)
+                .to_vec(),
+            timeout: 5,
+            protocol,
+        }
+    }
+
+    #[tokio::test(flavor = "multi_thread")]
+    #[rstest(
+        protocol,
+        case(ExecVersion::V1),
+        case(ExecVersion::V1_1 {
+            backend_type: "file.json".to_string(),
+            backend_config: value!({"file_path": "/abc.json"}),
+        })
+    )]
+    async fn test_exec_backend(protocol: ExecVersion) {
+        let mut backend = make_test_backend(protocol);
+        let (_tx, mut rx) = broadcast::channel(1);
+        // These fake secrets are statically contained in mock_secrets_exec.py
+        let fake_secret_values: HashMap<String, String> = [
+            ("fake_secret_1", "123456"),
+            ("fake_secret_2", "123457"),
+            ("fake_secret_3", "123458"),
+            ("fake_secret_4", "123459"),
+            ("fake_secret_5", "123460"),
+        ]
+        .into_iter()
+        .map(|(k, v)| (k.to_string(), v.to_string()))
+        .collect();
+        // Calling the mock_secects_exec.py program with the expected secret keys should provide
+        // the values expected above in `fake_secret_values`
+        let fetched_keys = backend
+            .retrieve(fake_secret_values.keys().cloned().collect(), &mut rx)
+            .await
+            .unwrap();
+        // Assert response is as expected
+        assert_eq!(fetched_keys.len(), 5);
+        for (fake_secret_key, fake_secret_value) in fake_secret_values {
+            assert_eq!(fetched_keys.get(&fake_secret_key), Some(&fake_secret_value));
+        }
+    }
+
+    #[tokio::test(flavor = "multi_thread")]
+    async fn test_exec_backend_missing_secrets() {
+        let mut backend = make_test_backend(ExecVersion::V1);
+        let (_tx, mut rx) = broadcast::channel(1);
+        let query_secrets: HashSet<String> =
+            ["fake_secret_900"].into_iter().map(String::from).collect();
+        let fetched_keys = backend.retrieve(query_secrets.clone(), &mut rx).await;
+        assert_eq!(format!("{}", fetched_keys.unwrap_err()), "secret for key 'fake_secret_900' was not retrieved: backend does not provide secret key");
+    }
+}
diff --git a/tests/behavior/secrets/mock_secrets_exec.py b/tests/behavior/secrets/mock_secrets_exec.py
@@ -0,0 +1,101 @@
+"""
+Mock secret manager implementation used for testing the secrets.exec backend type.
+This program is meant to be exec'ed by a unit test so that the implementation can be tested.
+"""
+
+import sys
+import json
+from typing import Any
+
+
+class Request:
+    def __init__(
+        self,
+        version: str,
+        secrets: list[str],
+        type: str | None = None,
+        config: dict[str, Any] | None = None,
+    ):
+        self.version = version
+        self.secrets = secrets
+        self.type = type
+        self.config = config
+
+
+class Response:
+    def __init__(self, contents: dict[str, dict[str, str | None]]):
+        self.contents = contents
+
+
+def parse_request(req: dict[str, Any]) -> Request:
+    """
+    Validate the request by ensuring the correct keys exist per version, and that the types of the
+    respective keys are as expected as well
+    """
+    v1_args = set(["version", "secrets"])
+    v1_1_args = set(["version", "secrets", "type", "config"])
+    if "version" not in req.keys():
+        raise RuntimeError("version key missing from request")
+    version = req["version"]
+    if version == "1.0":
+        if v1_args != set(req.keys()):
+            raise RuntimeError(f"Invalid required keys in 1.0 request: {req.keys()}")
+        if not isinstance(req["secrets"], list):
+            raise RuntimeError("key 'secrets' should be a list")
+        return Request(version, req["secrets"])
+    elif version == "1.1":
+        if v1_1_args != set(req.keys()):
+            raise RuntimeError(f"Invalid required keys in 1.1 request: {req.keys()}")
+        if not isinstance(req["secrets"], list):
+            raise RuntimeError("key 'secrets' should be a list")
+        if not isinstance(req["type"], str):
+            raise RuntimeError("key 'type' should be a str")
+        if not isinstance(req["config"], dict):
+            raise RuntimeError("key 'config' should be a dict")
+        return Request(version, req["secrets"], req["type"], req["config"])
+    else:
+        raise RuntimeError(f"Invalid version detected: {version}")
+
+
+def handle_request(req: Request) -> Response:
+    """
+    Handle the request by looking up the requested secret with a value that is in a static fake
+    secret cache below. Any values not contained will return the appropriate error message.
+    """
+    static_fake_secrets_cache = {
+        "fake_secret_1": "123456",
+        "fake_secret_2": "123457",
+        "fake_secret_3": "123458",
+        "fake_secret_4": "123459",
+        "fake_secret_5": "123460",
+    }
+    supported_fake_backends = ["file.json"]
+    if req.version == "1.1":
+        if req.type not in supported_fake_backends:
+            raise RuntimeError(f"Requested backend: {req.type} not supported")
+        if req.config is not None and "file_path" not in req.config:
+            raise RuntimeError("File backend option file_path must be supplied")
+
+    def get_secret(fake_secret_name: str) -> dict[str, str | None]:
+        if fake_secret_name in static_fake_secrets_cache:
+            return {"value": static_fake_secrets_cache[fake_secret_name], "error": None}
+        else:
+            return {"value": None, "error": "backend does not provide secret key"}
+
+    return Response(dict([(s, get_secret(s)) for s in req.secrets]))
+
+
+def main():
+    data = sys.stdin.buffer.read()
+    req = json.loads(data)
+    req = parse_request(req)
+    resp = handle_request(req)
+    sys.stdout.write(json.dumps(resp.contents))
+
+
+if __name__ == "__main__":
+    try:
+        main()
+    except Exception as e:
+        sys.stderr.write(str(e))
+        sys.exit(1)
