util: configure tenants vaultAuthNamespace if not set

When a tenant provides a configuration that includes the `vaultNamespace` option, the `vaultAuthNamespace` option is still taken from the global configuration. This is not wanted in all cases, as the `vaultAuthNamespace` option defauls to the `vaultNamespace` option which the tenant may want to override as well. The following behaviour is now better defined: 1. no `vaultAuthNamespace` in the global configuration: A tenant can override the `vaultNamespace` option and that will also set the `vaultAuthNamespace` option to the same value. 2. `vaultAuthNamespace` and `vaultNamespace` in the global configuration: When both options are set to different values in the global configuration, the tenant `vaultNamespace` option will not override the global `vaultAuthNamespace` option. The tenant can configure `vaultAuthNamespace` with a different value if required. Signed-off-by: Niels de Vos <ndevos@redhat.com>
2025-06-13 10:33:35 +00:00 · 2022-03-01 11:45:37 +01:00
parent b1af5f63b5
commit 1f012004a6
2 changed files with 148 additions and 0 deletions
--- a/internal/kms/vault_tokens_test.go
+++ b/internal/kms/vault_tokens_test.go
@ -235,3 +235,96 @@ func TestVaultTokensKMSRegistered(t *testing.T) {
 	_, ok := kmsManager.providers[kmsTypeVaultTokens]
 	assert.True(t, ok)
 }
+
+func TestSetTenantAuthNamespace(t *testing.T) {
+	t.Parallel()
+
+	vaultNamespace := "tenant"
+
+	t.Run("override vaultAuthNamespace", func(tt *testing.T) {
+		tt.Parallel()
+
+		kms := &vaultTenantConnection{}
+		kms.keyContext = map[string]string{
+			loss.KeyVaultNamespace: "global",
+		}
+		kms.vaultConfig = map[string]interface{}{
+			api.EnvVaultNamespace: "global",
+		}
+
+		config := map[string]interface{}{
+			"vaultNamespace": vaultNamespace,
+		}
+
+		kms.setTenantAuthNamespace(config)
+
+		assert.Equal(tt, vaultNamespace, config["vaultAuthNamespace"])
+	})
+
+	t.Run("inherit vaultAuthNamespace", func(tt *testing.T) {
+		tt.Parallel()
+
+		vaultAuthNamespace := "configured"
+
+		kms := &vaultTenantConnection{}
+		kms.keyContext = map[string]string{
+			loss.KeyVaultNamespace: vaultAuthNamespace,
+		}
+		kms.vaultConfig = map[string]interface{}{
+			api.EnvVaultNamespace: "global",
+		}
+
+		config := map[string]interface{}{
+			"vaultNamespace": vaultNamespace,
+		}
+
+		kms.setTenantAuthNamespace(config)
+
+		// when inheriting from the global config, the config of the
+		// tenant should not have vaultAuthNamespace configured
+		assert.Equal(tt, nil, config["vaultAuthNamespace"])
+	})
+
+	t.Run("unset vaultAuthNamespace", func(tt *testing.T) {
+		tt.Parallel()
+
+		kms := &vaultTenantConnection{}
+		kms.keyContext = map[string]string{
+			// no vaultAuthNamespace configured
+		}
+		kms.vaultConfig = map[string]interface{}{
+			api.EnvVaultNamespace: "global",
+		}
+
+		config := map[string]interface{}{
+			"vaultNamespace": vaultNamespace,
+		}
+
+		kms.setTenantAuthNamespace(config)
+
+		// global vaultAuthNamespace is not set, tenant
+		// vaultAuthNamespace will be configured as vaultNamespace by
+		// default
+		assert.Equal(tt, nil, config["vaultAuthNamespace"])
+	})
+
+	t.Run("no vaultNamespace", func(tt *testing.T) {
+		tt.Parallel()
+
+		kms := &vaultTenantConnection{}
+		kms.keyContext = map[string]string{
+			// no vaultAuthNamespace configured
+		}
+		kms.vaultConfig = map[string]interface{}{
+			// no vaultNamespace configured
+		}
+
+		config := map[string]interface{}{
+			// no tenant namespaces configured
+		}
+
+		kms.setTenantAuthNamespace(config)
+
+		assert.Equal(tt, nil, config["vaultAuthNamespace"])
+	})
+}