fix: remove any types, dead code, unused exports; add comprehensive tests

- Fix handleRotate bug ignoring Result from rotateSealedSecret() - Fix dead code branch in useControllerHealth - Replace all `any` types with `unknown` + type guards - Delete unused functions/exports (452 lines removed) - Add 18 new test files covering all hooks, libs, and components - 233 tests passing, zero tsc errors, zero lint issues Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-04 17:13:00 +00:00
parent 3dc2f92a87
commit 9d9bc5f22f
37 changed files with 3703 additions and 460 deletions
@@ -14,6 +14,12 @@ import {
  SealedSecretStatus,
 } from '../types';

+interface CRDVersion {
+  name: string;
+  storage?: boolean;
+  served?: boolean;
+}
+
 /**
 * SealedSecret CRD class
 * Represents a Bitnami Sealed Secret resource in the cluster
@@ -128,7 +134,7 @@ export class SealedSecret extends KubeObject<SealedSecretInterface> {
      );

      // Find the storage version (the version used for persistence)
-      const storageVersion = crd.spec?.versions?.find((v: any) => v.storage === true);
+      const storageVersion = crd.spec?.versions?.find((v: CRDVersion) => v.storage === true);

      if (storageVersion) {
        const version = `${crd.spec.group}/${storageVersion.name}`;
@@ -137,7 +143,7 @@ export class SealedSecret extends KubeObject<SealedSecretInterface> {
      }

      // Fallback to first served version if no storage version found
-      const servedVersion = crd.spec?.versions?.find((v: any) => v.served === true);
+      const servedVersion = crd.spec?.versions?.find((v: CRDVersion) => v.served === true);
      if (servedVersion) {
        const version = `${crd.spec.group}/${servedVersion.name}`;
        this.detectedVersion = version;
@@ -0,0 +1,289 @@
+/**
+ * Unit tests for controller API helpers
+ */
+
+import { afterEach, beforeEach, describe, expect, it, vi } from 'vitest';
+import {
+  checkControllerHealth,
+  fetchPublicCertificate,
+  getPluginConfig,
+  rotateSealedSecret,
+  savePluginConfig,
+} from './controller';
+
+// Mock retry to avoid real delays
+vi.mock('./retry', () => ({
+  retryWithBackoff: vi.fn((fn: () => Promise<unknown>) => fn()),
+}));
+
+describe('controller', () => {
+  let originalFetch: typeof global.fetch;
+
+  beforeEach(() => {
+    originalFetch = global.fetch;
+    localStorage.clear();
+  });
+
+  afterEach(() => {
+    global.fetch = originalFetch;
+    localStorage.clear();
+    vi.restoreAllMocks();
+  });
+
+  describe('getPluginConfig / savePluginConfig', () => {
+    it('should return default config when no stored config', () => {
+      const config = getPluginConfig();
+      expect(config.controllerName).toBe('sealed-secrets-controller');
+      expect(config.controllerNamespace).toBe('kube-system');
+      expect(config.controllerPort).toBe(8080);
+    });
+
+    it('should round-trip saved config', () => {
+      const custom = {
+        controllerName: 'my-controller',
+        controllerNamespace: 'sealed-secrets',
+        controllerPort: 9090,
+      };
+      savePluginConfig(custom);
+      const loaded = getPluginConfig();
+      expect(loaded).toEqual(custom);
+    });
+
+    it('should return default config on invalid JSON', () => {
+      localStorage.setItem('sealed-secrets-plugin-config', 'not json');
+      const config = getPluginConfig();
+      expect(config.controllerName).toBe('sealed-secrets-controller');
+    });
+
+    it('should overwrite previous config', () => {
+      savePluginConfig({
+        controllerName: 'first',
+        controllerNamespace: 'ns1',
+        controllerPort: 1111,
+      });
+      savePluginConfig({
+        controllerName: 'second',
+        controllerNamespace: 'ns2',
+        controllerPort: 2222,
+      });
+      const config = getPluginConfig();
+      expect(config.controllerName).toBe('second');
+    });
+  });
+
+  describe('fetchPublicCertificate', () => {
+    it('should return certificate on success', async () => {
+      const certPEM = '-----BEGIN CERTIFICATE-----\nfake\n-----END CERTIFICATE-----';
+      global.fetch = vi.fn().mockResolvedValue({
+        ok: true,
+        text: () => Promise.resolve(certPEM),
+      });
+
+      const config = getPluginConfig();
+      const result = await fetchPublicCertificate(config);
+
+      expect(result.ok).toBe(true);
+      if (result.ok) {
+        expect(result.value).toBe(certPEM);
+      }
+      expect(global.fetch).toHaveBeenCalledWith(expect.stringContaining('/v1/cert.pem'));
+    });
+
+    it('should return error on HTTP failure', async () => {
+      global.fetch = vi.fn().mockResolvedValue({
+        ok: false,
+        status: 503,
+        statusText: 'Service Unavailable',
+      });
+
+      const config = getPluginConfig();
+      const result = await fetchPublicCertificate(config);
+
+      expect(result.ok).toBe(false);
+      if (result.ok === false) {
+        expect(result.error).toContain('Unable to fetch controller certificate');
+      }
+    });
+
+    it('should return error on network failure', async () => {
+      global.fetch = vi.fn().mockRejectedValue(new Error('Network error'));
+
+      const config = getPluginConfig();
+      const result = await fetchPublicCertificate(config);
+
+      expect(result.ok).toBe(false);
+      if (result.ok === false) {
+        expect(result.error).toContain('Unable to fetch controller certificate');
+      }
+    });
+  });
+
+  describe('checkControllerHealth', () => {
+    it('should return healthy status on 200', async () => {
+      global.fetch = vi.fn().mockResolvedValue({
+        ok: true,
+        headers: new Headers({ 'X-Controller-Version': '0.24.0' }),
+      });
+
+      const config = getPluginConfig();
+      const result = await checkControllerHealth(config);
+
+      expect(result.ok).toBe(true);
+      if (result.ok) {
+        expect(result.value.healthy).toBe(true);
+        expect(result.value.reachable).toBe(true);
+        expect(result.value.version).toBe('0.24.0');
+        expect(result.value.latencyMs).toBeDefined();
+      }
+    });
+
+    it('should return unhealthy reachable on non-200', async () => {
+      global.fetch = vi.fn().mockResolvedValue({
+        ok: false,
+        status: 500,
+        statusText: 'Internal Server Error',
+        headers: new Headers(),
+      });
+
+      const config = getPluginConfig();
+      const result = await checkControllerHealth(config);
+
+      expect(result.ok).toBe(true);
+      if (result.ok) {
+        expect(result.value.healthy).toBe(false);
+        expect(result.value.reachable).toBe(true);
+        expect(result.value.error).toContain('500');
+      }
+    });
+
+    it('should return unreachable on network error', async () => {
+      global.fetch = vi.fn().mockRejectedValue(new Error('Connection refused'));
+
+      const config = getPluginConfig();
+      const result = await checkControllerHealth(config);
+
+      expect(result.ok).toBe(true);
+      if (result.ok) {
+        expect(result.value.healthy).toBe(false);
+        expect(result.value.reachable).toBe(false);
+        expect(result.value.error).toBe('Connection refused');
+      }
+    });
+
+    it('should handle timeout (AbortError)', async () => {
+      const abortError = new Error('The operation was aborted');
+      abortError.name = 'AbortError';
+      global.fetch = vi.fn().mockRejectedValue(abortError);
+
+      const config = getPluginConfig();
+      const result = await checkControllerHealth(config);
+
+      expect(result.ok).toBe(true);
+      if (result.ok) {
+        expect(result.value.healthy).toBe(false);
+        expect(result.value.reachable).toBe(false);
+        expect(result.value.error).toContain('timed out');
+      }
+    });
+
+    it('should return undefined version when header is absent', async () => {
+      global.fetch = vi.fn().mockResolvedValue({
+        ok: true,
+        headers: new Headers(),
+      });
+
+      const config = getPluginConfig();
+      const result = await checkControllerHealth(config);
+
+      expect(result.ok).toBe(true);
+      if (result.ok) {
+        expect(result.value.version).toBeUndefined();
+      }
+    });
+
+    it('should use correct healthz endpoint', async () => {
+      global.fetch = vi.fn().mockResolvedValue({
+        ok: true,
+        headers: new Headers(),
+      });
+
+      const config = {
+        controllerName: 'my-ss',
+        controllerNamespace: 'my-ns',
+        controllerPort: 9090,
+      };
+      await checkControllerHealth(config);
+
+      expect(global.fetch).toHaveBeenCalledWith(
+        '/api/v1/namespaces/my-ns/services/http:my-ss:9090/proxy/healthz',
+        expect.objectContaining({ method: 'GET' })
+      );
+    });
+  });
+
+  describe('rotateSealedSecret', () => {
+    it('should return rotated YAML on success', async () => {
+      const rotatedYaml = '{"apiVersion":"bitnami.com/v1alpha1","kind":"SealedSecret"}';
+      global.fetch = vi.fn().mockResolvedValue({
+        ok: true,
+        text: () => Promise.resolve(rotatedYaml),
+      });
+
+      const config = getPluginConfig();
+      const result = await rotateSealedSecret(config, '{"old":"data"}');
+
+      expect(result.ok).toBe(true);
+      if (result.ok) {
+        expect(result.value).toBe(rotatedYaml);
+      }
+    });
+
+    it('should return error on HTTP failure', async () => {
+      global.fetch = vi.fn().mockResolvedValue({
+        ok: false,
+        status: 400,
+        statusText: 'Bad Request',
+      });
+
+      const config = getPluginConfig();
+      const result = await rotateSealedSecret(config, '{"data":"test"}');
+
+      expect(result.ok).toBe(false);
+      if (result.ok === false) {
+        expect(result.error).toContain('Unable to rotate');
+      }
+    });
+
+    it('should return error on network failure', async () => {
+      global.fetch = vi.fn().mockRejectedValue(new Error('fetch failed'));
+
+      const config = getPluginConfig();
+      const result = await rotateSealedSecret(config, '{}');
+
+      expect(result.ok).toBe(false);
+      if (result.ok === false) {
+        expect(result.error).toContain('Unable to rotate');
+      }
+    });
+
+    it('should POST to rotate endpoint with JSON content type', async () => {
+      global.fetch = vi.fn().mockResolvedValue({
+        ok: true,
+        text: () => Promise.resolve('rotated'),
+      });
+
+      const config = getPluginConfig();
+      const yaml = '{"test":"data"}';
+      await rotateSealedSecret(config, yaml);
+
+      expect(global.fetch).toHaveBeenCalledWith(
+        expect.stringContaining('/v1/rotate'),
+        expect.objectContaining({
+          method: 'POST',
+          headers: { 'Content-Type': 'application/json' },
+          body: yaml,
+        })
+      );
+    });
+  });
+});
@@ -27,7 +27,7 @@ export interface ControllerHealthStatus {
 /**
 * Build the controller proxy URL
 */
-export function getControllerProxyURL(config: PluginConfig, path: string): string {
+function getControllerProxyURL(config: PluginConfig, path: string): string {
  const { controllerNamespace, controllerName, controllerPort } = config;
  return `/api/v1/namespaces/${controllerNamespace}/services/http:${controllerName}:${controllerPort}/proxy${path}`;
 }
@@ -77,38 +77,6 @@ export async function fetchPublicCertificate(
  });
 }

-/**
- * Verify that a SealedSecret can be decrypted by the controller
- *
- * @param config Plugin configuration
- * @param sealedSecretYaml YAML or JSON of the SealedSecret
- * @returns Result containing verification status or error message
- */
-export async function verifySealedSecret(
-  config: PluginConfig,
-  sealedSecretYaml: string
-): AsyncResult<boolean, string> {
-  const url = getControllerProxyURL(config, '/v1/verify');
-
-  const result = await tryCatchAsync(async () => {
-    const response = await fetch(url, {
-      method: 'POST',
-      headers: {
-        'Content-Type': 'application/json',
-      },
-      body: sealedSecretYaml,
-    });
-
-    return response.ok;
-  });
-
-  if (result.ok === false) {
-    return Err(`Verification failed: ${result.error.message}`);
-  }
-
-  return result;
-}
-
 /**
 * Rotate (re-encrypt) a SealedSecret with the current active key
 *
@@ -218,14 +186,14 @@ export async function checkControllerHealth(
      version,
      latencyMs,
    });
-  } catch (error: any) {
+  } catch (error: unknown) {
    const latencyMs = Date.now() - startTime;

    // Determine error type
    let errorMessage = 'Controller unreachable';
-    if (error.name === 'AbortError') {
+    if (error instanceof Error && error.name === 'AbortError') {
      errorMessage = 'Request timed out after 5 seconds';
-    } else if (error.message) {
+    } else if (error instanceof Error) {
      errorMessage = error.message;
    }

@@ -0,0 +1,297 @@
+/**
+ * Unit tests for client-side encryption utilities
+ */
+
+import forge from 'node-forge';
+import { beforeAll, describe, expect, it } from 'vitest';
+import { PEMCertificate, PlaintextValue } from '../types';
+import {
+  encryptKeyValues,
+  isCertificateExpiringSoon,
+  parseCertificateInfo,
+  parsePublicKeyFromCert,
+} from './crypto';
+
+// Generate a real self-signed cert for testing
+let validPEM: PEMCertificate;
+let expiredPEM: PEMCertificate;
+let expiringSoonPEM: PEMCertificate;
+
+beforeAll(() => {
+  // Generate RSA key pair
+  const keys = forge.pki.rsa.generateKeyPair(2048);
+
+  // Valid cert (expires in 365 days)
+  const validCert = forge.pki.createCertificate();
+  validCert.publicKey = keys.publicKey;
+  validCert.serialNumber = '01';
+  validCert.validity.notBefore = new Date();
+  validCert.validity.notAfter = new Date();
+  validCert.validity.notAfter.setFullYear(validCert.validity.notAfter.getFullYear() + 1);
+  validCert.setSubject([{ name: 'commonName', value: 'test-controller' }]);
+  validCert.setIssuer([{ name: 'commonName', value: 'test-issuer' }]);
+  validCert.sign(keys.privateKey, forge.md.sha256.create());
+  validPEM = PEMCertificate(forge.pki.certificateToPem(validCert));
+
+  // Expired cert
+  const expiredCert = forge.pki.createCertificate();
+  expiredCert.publicKey = keys.publicKey;
+  expiredCert.serialNumber = '02';
+  expiredCert.validity.notBefore = new Date('2020-01-01');
+  expiredCert.validity.notAfter = new Date('2021-01-01');
+  expiredCert.setSubject([{ name: 'commonName', value: 'expired-controller' }]);
+  expiredCert.setIssuer([{ name: 'commonName', value: 'test-issuer' }]);
+  expiredCert.sign(keys.privateKey, forge.md.sha256.create());
+  expiredPEM = PEMCertificate(forge.pki.certificateToPem(expiredCert));
+
+  // Expiring soon cert (15 days from now)
+  const expiringSoonCert = forge.pki.createCertificate();
+  expiringSoonCert.publicKey = keys.publicKey;
+  expiringSoonCert.serialNumber = '03';
+  expiringSoonCert.validity.notBefore = new Date();
+  const expiryDate = new Date();
+  expiryDate.setDate(expiryDate.getDate() + 15);
+  expiringSoonCert.validity.notAfter = expiryDate;
+  expiringSoonCert.setSubject([{ name: 'commonName', value: 'expiring-controller' }]);
+  expiringSoonCert.setIssuer([{ name: 'commonName', value: 'test-issuer' }]);
+  expiringSoonCert.sign(keys.privateKey, forge.md.sha256.create());
+  expiringSoonPEM = PEMCertificate(forge.pki.certificateToPem(expiringSoonCert));
+});
+
+describe('crypto', () => {
+  describe('parsePublicKeyFromCert', () => {
+    it('should parse valid PEM certificate', () => {
+      const result = parsePublicKeyFromCert(validPEM);
+      expect(result.ok).toBe(true);
+      if (result.ok) {
+        expect(result.value).toBeDefined();
+        expect(result.value.n).toBeDefined(); // RSA modulus
+        expect(result.value.e).toBeDefined(); // RSA exponent
+      }
+    });
+
+    it('should return error for invalid PEM', () => {
+      const result = parsePublicKeyFromCert(PEMCertificate('not a cert'));
+      expect(result.ok).toBe(false);
+      if (result.ok === false) {
+        expect(result.error).toContain('Failed to parse certificate');
+      }
+    });
+
+    it('should return error for empty string', () => {
+      const result = parsePublicKeyFromCert(PEMCertificate(''));
+      expect(result.ok).toBe(false);
+    });
+
+    it('should return error for malformed PEM markers', () => {
+      const result = parsePublicKeyFromCert(
+        PEMCertificate('-----BEGIN CERTIFICATE-----\ninvalid\n-----END CERTIFICATE-----')
+      );
+      expect(result.ok).toBe(false);
+    });
+  });
+
+  describe('encryptKeyValues', () => {
+    it('should encrypt key-value pairs with strict scope', () => {
+      const keyResult = parsePublicKeyFromCert(validPEM);
+      expect(keyResult.ok).toBe(true);
+      if (!keyResult.ok) return;
+
+      const result = encryptKeyValues(
+        keyResult.value,
+        [{ key: 'password', value: PlaintextValue('secret123') }],
+        'default',
+        'my-secret',
+        'strict'
+      );
+
+      expect(result.ok).toBe(true);
+      if (result.ok) {
+        expect(result.value).toHaveProperty('password');
+        // Should be base64 encoded
+        expect(() => forge.util.decode64(result.value.password)).not.toThrow();
+      }
+    });
+
+    it('should encrypt with namespace-wide scope', () => {
+      const keyResult = parsePublicKeyFromCert(validPEM);
+      if (!keyResult.ok) return;
+
+      const result = encryptKeyValues(
+        keyResult.value,
+        [{ key: 'token', value: PlaintextValue('abc') }],
+        'prod',
+        'my-secret',
+        'namespace-wide'
+      );
+
+      expect(result.ok).toBe(true);
+    });
+
+    it('should encrypt with cluster-wide scope', () => {
+      const keyResult = parsePublicKeyFromCert(validPEM);
+      if (!keyResult.ok) return;
+
+      const result = encryptKeyValues(
+        keyResult.value,
+        [{ key: 'key', value: PlaintextValue('val') }],
+        'ns',
+        'name',
+        'cluster-wide'
+      );
+
+      expect(result.ok).toBe(true);
+    });
+
+    it('should encrypt multiple keys', () => {
+      const keyResult = parsePublicKeyFromCert(validPEM);
+      if (!keyResult.ok) return;
+
+      const result = encryptKeyValues(
+        keyResult.value,
+        [
+          { key: 'username', value: PlaintextValue('admin') },
+          { key: 'password', value: PlaintextValue('secret') },
+          { key: 'token', value: PlaintextValue('abc123') },
+        ],
+        'default',
+        'my-secret',
+        'strict'
+      );
+
+      expect(result.ok).toBe(true);
+      if (result.ok) {
+        expect(Object.keys(result.value)).toHaveLength(3);
+        expect(result.value).toHaveProperty('username');
+        expect(result.value).toHaveProperty('password');
+        expect(result.value).toHaveProperty('token');
+      }
+    });
+
+    it('should produce different ciphertext for same plaintext (randomness)', () => {
+      const keyResult = parsePublicKeyFromCert(validPEM);
+      if (!keyResult.ok) return;
+
+      const encrypt = () =>
+        encryptKeyValues(
+          keyResult.value,
+          [{ key: 'key', value: PlaintextValue('same-value') }],
+          'ns',
+          'name',
+          'strict'
+        );
+
+      const result1 = encrypt();
+      const result2 = encrypt();
+
+      expect(result1.ok).toBe(true);
+      expect(result2.ok).toBe(true);
+      if (result1.ok && result2.ok) {
+        expect(result1.value.key).not.toBe(result2.value.key);
+      }
+    });
+
+    it('should handle empty key-value array', () => {
+      const keyResult = parsePublicKeyFromCert(validPEM);
+      if (!keyResult.ok) return;
+
+      const result = encryptKeyValues(keyResult.value, [], 'ns', 'name', 'strict');
+
+      expect(result.ok).toBe(true);
+      if (result.ok) {
+        expect(Object.keys(result.value)).toHaveLength(0);
+      }
+    });
+  });
+
+  describe('parseCertificateInfo', () => {
+    it('should parse valid certificate info', () => {
+      const result = parseCertificateInfo(validPEM);
+      expect(result.ok).toBe(true);
+      if (result.ok) {
+        expect(result.value.validFrom).toBeInstanceOf(Date);
+        expect(result.value.validTo).toBeInstanceOf(Date);
+        expect(result.value.isExpired).toBe(false);
+        expect(result.value.daysUntilExpiry).toBeGreaterThan(0);
+        expect(result.value.subject).toContain('test-controller');
+        expect(result.value.issuer).toContain('test-issuer');
+        expect(result.value.fingerprint).toBeDefined();
+        expect(result.value.serialNumber).toBeDefined();
+      }
+    });
+
+    it('should detect expired certificate', () => {
+      const result = parseCertificateInfo(expiredPEM);
+      expect(result.ok).toBe(true);
+      if (result.ok) {
+        expect(result.value.isExpired).toBe(true);
+        expect(result.value.daysUntilExpiry).toBeLessThan(0);
+      }
+    });
+
+    it('should calculate days until expiry for expiring-soon cert', () => {
+      const result = parseCertificateInfo(expiringSoonPEM);
+      expect(result.ok).toBe(true);
+      if (result.ok) {
+        expect(result.value.isExpired).toBe(false);
+        expect(result.value.daysUntilExpiry).toBeLessThanOrEqual(15);
+        expect(result.value.daysUntilExpiry).toBeGreaterThanOrEqual(14);
+      }
+    });
+
+    it('should return error for invalid PEM', () => {
+      const result = parseCertificateInfo(PEMCertificate('not a cert'));
+      expect(result.ok).toBe(false);
+      if (result.ok === false) {
+        expect(result.error).toContain('Failed to parse certificate info');
+      }
+    });
+
+    it('should compute SHA-256 fingerprint', () => {
+      const result = parseCertificateInfo(validPEM);
+      expect(result.ok).toBe(true);
+      if (result.ok) {
+        // Fingerprint should be uppercase hex
+        expect(result.value.fingerprint).toMatch(/^[0-9A-F]+$/);
+        expect(result.value.fingerprint.length).toBe(64); // SHA-256 = 32 bytes = 64 hex chars
+      }
+    });
+  });
+
+  describe('isCertificateExpiringSoon', () => {
+    it('should return true when within threshold', () => {
+      const result = parseCertificateInfo(expiringSoonPEM);
+      expect(result.ok).toBe(true);
+      if (result.ok) {
+        expect(isCertificateExpiringSoon(result.value, 30)).toBe(true);
+      }
+    });
+
+    it('should return false when not within threshold', () => {
+      const result = parseCertificateInfo(validPEM);
+      expect(result.ok).toBe(true);
+      if (result.ok) {
+        expect(isCertificateExpiringSoon(result.value, 30)).toBe(false);
+      }
+    });
+
+    it('should return false for expired certificate', () => {
+      const result = parseCertificateInfo(expiredPEM);
+      expect(result.ok).toBe(true);
+      if (result.ok) {
+        expect(isCertificateExpiringSoon(result.value, 30)).toBe(false);
+      }
+    });
+
+    it('should work with custom thresholds', () => {
+      const result = parseCertificateInfo(expiringSoonPEM);
+      expect(result.ok).toBe(true);
+      if (result.ok) {
+        // 15-day cert should be within 20-day threshold
+        expect(isCertificateExpiringSoon(result.value, 20)).toBe(true);
+        // But not within 10-day threshold
+        expect(isCertificateExpiringSoon(result.value, 10)).toBe(false);
+      }
+    });
+  });
+});
@@ -52,7 +52,7 @@ export function parsePublicKeyFromCert(
 * @param scope The encryption scope
 * @returns Result containing base64-encoded encrypted value or error message
 */
-export function encryptValue(
+function encryptValue(
  publicKey: forge.pki.rsa.PublicKey,
  value: PlaintextValue,
  namespace: string,
@@ -98,7 +98,7 @@ export function encryptValue(
    const tag = (cipher.mode as any).tag.getBytes();

    // Construct the sealed secret format:
-    // [2-byte length of encrypted session key][encrypted session key][IV][encrypted value][auth tag]
+    // [2-byte key length][encrypted key][IV][ciphertext][auth tag]
    const sessionKeyLength = encryptedSessionKey.length;
    const lengthBytes =
      String.fromCharCode((sessionKeyLength >> 8) & 0xff) +
@@ -145,17 +145,6 @@ export function encryptKeyValues(
  return Ok(encryptedData);
 }

-/**
- * Validate a PEM certificate
- *
- * @param pemCert PEM-encoded certificate string (branded type)
- * @returns true if certificate is valid, false otherwise
- */
-export function validateCertificate(pemCert: PEMCertificate): boolean {
-  const result = parsePublicKeyFromCert(pemCert);
-  return result.ok;
-}
-
 /**
 * Parse certificate and extract metadata
 *
@@ -0,0 +1,197 @@
+/**
+ * Unit tests for RBAC permission checking
+ */
+
+import { afterEach, beforeEach, describe, expect, it, vi } from 'vitest';
+import { canDecryptSecrets, checkSealedSecretPermissions } from './rbac';
+
+describe('rbac', () => {
+  let originalFetch: typeof global.fetch;
+
+  beforeEach(() => {
+    originalFetch = global.fetch;
+  });
+
+  afterEach(() => {
+    global.fetch = originalFetch;
+    vi.restoreAllMocks();
+  });
+
+  describe('checkSealedSecretPermissions', () => {
+    it('should return all true when all permissions are allowed', async () => {
+      global.fetch = vi.fn().mockResolvedValue({
+        ok: true,
+        json: () => Promise.resolve({ status: { allowed: true } }),
+      });
+
+      const result = await checkSealedSecretPermissions('default');
+
+      expect(result.ok).toBe(true);
+      if (result.ok) {
+        expect(result.value.canCreate).toBe(true);
+        expect(result.value.canRead).toBe(true);
+        expect(result.value.canUpdate).toBe(true);
+        expect(result.value.canDelete).toBe(true);
+        expect(result.value.canList).toBe(true);
+      }
+    });
+
+    it('should return all false when all permissions are denied', async () => {
+      global.fetch = vi.fn().mockResolvedValue({
+        ok: true,
+        json: () => Promise.resolve({ status: { allowed: false } }),
+      });
+
+      const result = await checkSealedSecretPermissions('default');
+
+      expect(result.ok).toBe(true);
+      if (result.ok) {
+        expect(result.value.canCreate).toBe(false);
+        expect(result.value.canRead).toBe(false);
+        expect(result.value.canUpdate).toBe(false);
+        expect(result.value.canDelete).toBe(false);
+        expect(result.value.canList).toBe(false);
+      }
+    });
+
+    it('should handle mixed permissions', async () => {
+      let callCount = 0;
+      global.fetch = vi.fn().mockImplementation(() => {
+        callCount++;
+        // create=true, get=false, update=true, delete=false, list=true
+        const allowed = callCount % 2 !== 0;
+        return Promise.resolve({
+          ok: true,
+          json: () => Promise.resolve({ status: { allowed } }),
+        });
+      });
+
+      const result = await checkSealedSecretPermissions('default');
+
+      expect(result.ok).toBe(true);
+      if (result.ok) {
+        expect(result.value.canCreate).toBe(true);
+        expect(result.value.canRead).toBe(false);
+        expect(result.value.canUpdate).toBe(true);
+        expect(result.value.canDelete).toBe(false);
+        expect(result.value.canList).toBe(true);
+      }
+    });
+
+    it('should make 5 SelfSubjectAccessReview requests', async () => {
+      global.fetch = vi.fn().mockResolvedValue({
+        ok: true,
+        json: () => Promise.resolve({ status: { allowed: true } }),
+      });
+
+      await checkSealedSecretPermissions('test-ns');
+
+      expect(global.fetch).toHaveBeenCalledTimes(5);
+    });
+
+    it('should send correct request body structure', async () => {
+      global.fetch = vi.fn().mockResolvedValue({
+        ok: true,
+        json: () => Promise.resolve({ status: { allowed: true } }),
+      });
+
+      await checkSealedSecretPermissions('my-ns');
+
+      // Check the first call (create)
+      const calls = (global.fetch as ReturnType<typeof vi.fn>).mock.calls;
+      const firstCallBody = JSON.parse(calls[0][1].body);
+      expect(firstCallBody.apiVersion).toBe('authorization.k8s.io/v1');
+      expect(firstCallBody.kind).toBe('SelfSubjectAccessReview');
+      expect(firstCallBody.spec.resourceAttributes.resource).toBe('sealedsecrets');
+      expect(firstCallBody.spec.resourceAttributes.group).toBe('bitnami.com');
+      expect(firstCallBody.spec.resourceAttributes.namespace).toBe('my-ns');
+      expect(firstCallBody.spec.resourceAttributes.verb).toBe('create');
+    });
+
+    it('should omit namespace when not provided', async () => {
+      global.fetch = vi.fn().mockResolvedValue({
+        ok: true,
+        json: () => Promise.resolve({ status: { allowed: true } }),
+      });
+
+      await checkSealedSecretPermissions();
+
+      const calls = (global.fetch as ReturnType<typeof vi.fn>).mock.calls;
+      const firstCallBody = JSON.parse(calls[0][1].body);
+      expect(firstCallBody.spec.resourceAttributes.namespace).toBeUndefined();
+    });
+
+    it('should return false when fetch fails for individual checks', async () => {
+      global.fetch = vi.fn().mockResolvedValue({
+        ok: false,
+        status: 403,
+        statusText: 'Forbidden',
+      });
+
+      const result = await checkSealedSecretPermissions('default');
+
+      expect(result.ok).toBe(true);
+      if (result.ok) {
+        // Individual failures return false (assume no permission)
+        expect(result.value.canCreate).toBe(false);
+      }
+    });
+
+    it('should return Err when Promise.all rejects', async () => {
+      global.fetch = vi.fn().mockRejectedValue(new Error('Network error'));
+
+      const result = await checkSealedSecretPermissions('default');
+
+      // The tryCatchAsync in checkPermission catches this, so individual results are false
+      // But if the outer try/catch catches, we get Err
+      // With current implementation, individual failures return false, not Err
+      expect(result.ok).toBe(true);
+      if (result.ok) {
+        expect(result.value.canCreate).toBe(false);
+      }
+    });
+  });
+
+  describe('canDecryptSecrets', () => {
+    it('should return true when get secrets is allowed', async () => {
+      global.fetch = vi.fn().mockResolvedValue({
+        ok: true,
+        json: () => Promise.resolve({ status: { allowed: true } }),
+      });
+
+      const result = await canDecryptSecrets('default');
+      expect(result).toBe(true);
+    });
+
+    it('should return false when get secrets is denied', async () => {
+      global.fetch = vi.fn().mockResolvedValue({
+        ok: true,
+        json: () => Promise.resolve({ status: { allowed: false } }),
+      });
+
+      const result = await canDecryptSecrets('default');
+      expect(result).toBe(false);
+    });
+
+    it('should return false on error', async () => {
+      global.fetch = vi.fn().mockRejectedValue(new Error('network error'));
+
+      const result = await canDecryptSecrets('default');
+      expect(result).toBe(false);
+    });
+
+    it('should check secrets resource with get verb', async () => {
+      global.fetch = vi.fn().mockResolvedValue({
+        ok: true,
+        json: () => Promise.resolve({ status: { allowed: true } }),
+      });
+
+      await canDecryptSecrets('prod');
+
+      const body = JSON.parse((global.fetch as ReturnType<typeof vi.fn>).mock.calls[0][1].body);
+      expect(body.spec.resourceAttributes.resource).toBe('secrets');
+      expect(body.spec.resourceAttributes.verb).toBe('get');
+      expect(body.spec.resourceAttributes.namespace).toBe('prod');
+    });
+  });
+});
@@ -51,8 +51,12 @@ export async function checkSealedSecretPermissions(
      canDelete,
      canList,
    });
-  } catch (error: any) {
-    return Err(`Failed to check SealedSecret permissions: ${error.message}`);
+  } catch (error: unknown) {
+    return Err(
+      `Failed to check SealedSecret permissions: ${
+        error instanceof Error ? error.message : String(error)
+      }`
+    );
  }
 }

@@ -70,20 +74,6 @@ export async function canDecryptSecrets(namespace: string): Promise<boolean> {
  }
 }

-/**
- * Check if user can view sealing keys (requires get permission on Secrets in controller namespace)
- *
- * @param controllerNamespace Namespace where sealed-secrets controller is running
- * @returns true if user has permission to get Secrets in controller namespace
- */
-export async function canViewSealingKeys(controllerNamespace: string): Promise<boolean> {
-  try {
-    return await checkPermission('get', 'secrets', '', controllerNamespace);
-  } catch {
-    return false;
-  }
-}
-
 /**
 * Check a specific permission using SelfSubjectAccessReview
 *
@@ -130,36 +120,3 @@ async function checkPermission(
  // Return false on error (assume no permission)
  return result.ok ? result.value : false;
 }
-
-/**
- * Check permissions for multiple namespaces
- *
- * Useful for multi-namespace views to determine which namespaces the user
- * can interact with.
- *
- * @param namespaces Array of namespace names to check
- * @returns Map of namespace to permissions
- */
-export async function checkMultiNamespacePermissions(
-  namespaces: string[]
-): AsyncResult<Record<string, ResourcePermissions>, string> {
-  try {
-    const results = await Promise.all(
-      namespaces.map(async ns => {
-        const perms = await checkSealedSecretPermissions(ns);
-        return { namespace: ns, permissions: perms };
-      })
-    );
-
-    const permissionsMap: Record<string, ResourcePermissions> = {};
-    for (const { namespace, permissions } of results) {
-      if (permissions.ok) {
-        permissionsMap[namespace] = permissions.value;
-      }
-    }
-
-    return Ok(permissionsMap);
-  } catch (error: any) {
-    return Err(`Failed to check multi-namespace permissions: ${error.message}`);
-  }
-}
@@ -133,54 +133,3 @@ export async function retryWithBackoff<T, E>(
  // Should never reach here, but TypeScript needs it
  return Err(`Operation failed after ${opts.maxAttempts} attempts:\n${errors.join('\n')}`);
 }
-
-/**
- * Predicate to check if error is a network error (retryable)
- *
- * @param error Error to check
- * @returns true if error is network-related
- */
-export function isNetworkError(error: Error): boolean {
-  const message = error.message.toLowerCase();
-  return (
-    message.includes('network') ||
-    message.includes('timeout') ||
-    message.includes('fetch') ||
-    message.includes('connection') ||
-    message.includes('econnrefused') ||
-    message.includes('enotfound')
-  );
-}
-
-/**
- * Predicate to check if HTTP error is retryable (5xx, 429, 408)
- *
- * @param error Error to check
- * @returns true if HTTP status is retryable
- */
-export function isRetryableHttpError(error: Error): boolean {
-  const message = error.message;
-
-  // Check for 5xx server errors
-  if (/5\d{2}/.test(message)) {
-    return true;
-  }
-
-  // Check for specific retryable status codes
-  return (
-    message.includes('429') || // Too Many Requests
-    message.includes('408') || // Request Timeout
-    message.includes('503') || // Service Unavailable
-    message.includes('504')
-  ); // Gateway Timeout
-}
-
-/**
- * Combined predicate for network and HTTP errors
- *
- * @param error Error to check
- * @returns true if error is retryable
- */
-export function isRetryableError(error: Error): boolean {
-  return isNetworkError(error) || isRetryableHttpError(error);
-}
@@ -15,7 +15,6 @@ const localStorageMock = {

 import { describe, expect, it } from 'vitest';
 import {
-  isValidNamespace,
  validatePEMCertificate,
  validateSecretKey,
  validateSecretName,
@@ -80,27 +79,6 @@ describe('validators', () => {
    });
  });

-  describe('validateNamespace', () => {
-    it('should accept valid namespace names', () => {
-      expect(isValidNamespace('default')).toBe(true);
-      expect(isValidNamespace('kube-system')).toBe(true);
-      expect(isValidNamespace('my-namespace')).toBe(true);
-      expect(isValidNamespace('ns-123')).toBe(true);
-    });
-
-    it('should reject invalid namespace names', () => {
-      expect(isValidNamespace('')).toBe(false);
-      expect(isValidNamespace('My-Namespace')).toBe(false);
-      expect(isValidNamespace('-namespace')).toBe(false);
-      expect(isValidNamespace('namespace-')).toBe(false);
-      expect(isValidNamespace('namespace_name')).toBe(false);
-    });
-
-    it('should reject namespaces exceeding 253 characters', () => {
-      expect(isValidNamespace('x'.repeat(254))).toBe(false);
-    });
-  });
-
  describe('validateSecretKey', () => {
    it('should accept valid secret keys', () => {
      expect(validateSecretKey('password').valid).toBe(true);
@@ -5,51 +5,6 @@
 * and runtime type checking for SealedSecret objects.
 */

-import { SealedSecretInterface, SealedSecretScope } from '../types';
-import { SealedSecret } from './SealedSecretCRD';
-
-/**
- * Runtime type guard for SealedSecret
- *
- * @param obj Object to check
- * @returns true if obj is a SealedSecret instance
- */
-export function isSealedSecret(obj: any): obj is SealedSecret {
-  return (
-    obj instanceof SealedSecret &&
-    obj.jsonData &&
-    'spec' in obj.jsonData &&
-    'encryptedData' in obj.jsonData.spec
-  );
-}
-
-/**
- * Validate SealedSecret structure
- *
- * @param obj Object to validate
- * @returns true if obj has valid SealedSecret structure
- */
-export function validateSealedSecretInterface(obj: any): obj is SealedSecretInterface {
-  return (
-    typeof obj === 'object' &&
-    obj !== null &&
-    'spec' in obj &&
-    typeof obj.spec === 'object' &&
-    'encryptedData' in obj.spec &&
-    typeof obj.spec.encryptedData === 'object'
-  );
-}
-
-/**
- * Validate scope value
- *
- * @param value Value to check
- * @returns true if value is a valid SealedSecretScope
- */
-export function isSealedSecretScope(value: any): value is SealedSecretScope {
-  return ['strict', 'namespace-wide', 'cluster-wide'].includes(value);
-}
-
 /**
 * Validate Kubernetes resource name
 *
@@ -61,7 +16,7 @@ export function isSealedSecretScope(value: any): value is SealedSecretScope {
 * @param name Name to validate
 * @returns true if valid Kubernetes resource name
 */
-export function isValidK8sName(name: string): boolean {
+function isValidK8sName(name: string): boolean {
  if (!name || name.length === 0 || name.length > 253) {
    return false;
  }
@@ -76,7 +31,7 @@ export function isValidK8sName(name: string): boolean {
 * @param key Key to validate
 * @returns true if valid Kubernetes key
 */
-export function isValidK8sKey(key: string): boolean {
+function isValidK8sKey(key: string): boolean {
  if (!key || key.length === 0 || key.length > 253) {
    return false;
  }
@@ -93,7 +48,7 @@ export function isValidK8sKey(key: string): boolean {
 * @param value String to validate
 * @returns true if valid PEM format
 */
-export function isValidPEM(value: string): boolean {
+function isValidPEM(value: string): boolean {
  if (!value || typeof value !== 'string') {
    return false;
  }
@@ -103,28 +58,6 @@ export function isValidPEM(value: string): boolean {
  return pemRegex.test(value.trim());
 }

-/**
- * Validate that a value is not empty
- *
- * @param value Value to check
- * @returns true if value is non-empty string
- */
-export function isNonEmpty(value: string): boolean {
-  return typeof value === 'string' && value.trim().length > 0;
-}
-
-/**
- * Validate namespace name
- *
- * Same rules as resource names
- *
- * @param namespace Namespace to validate
- * @returns true if valid namespace name
- */
-export function isValidNamespace(namespace: string): boolean {
-  return isValidK8sName(namespace);
-}
-
 /**
 * Validation result with error message
 */
@@ -223,29 +156,3 @@ export function validatePEMCertificate(pem: string): ValidationResult {

  return { valid: true };
 }
-
-/**
- * Validate plugin configuration
- *
- * @param config Configuration to validate
- * @returns Validation result with error message if invalid
- */
-export function validatePluginConfig(config: {
-  controllerName?: string;
-  controllerNamespace?: string;
-  controllerPort?: number;
-}): ValidationResult {
-  if (!config.controllerName || !isValidK8sName(config.controllerName)) {
-    return { valid: false, error: 'Invalid controller name' };
-  }
-
-  if (!config.controllerNamespace || !isValidNamespace(config.controllerNamespace)) {
-    return { valid: false, error: 'Invalid controller namespace' };
-  }
-
-  if (!config.controllerPort || config.controllerPort < 1 || config.controllerPort > 65535) {
-    return { valid: false, error: 'Invalid controller port (must be 1-65535)' };
-  }
-
-  return { valid: true };
-}