add test

linglingye001 · linglingye001 · commit 5a7e69ba3ba3 · 2026-01-28T14:22:09.000+08:00
diff --git a/test/keyvault.test.ts b/test/keyvault.test.ts
@@ -7,7 +7,7 @@ import chaiAsPromised from "chai-as-promised";
 chai.use(chaiAsPromised);
 const expect = chai.expect;
 import { load } from "../src/index.js";
-import { sinon, createMockedConnectionString, createMockedTokenCredential, mockAppConfigurationClientListConfigurationSettings, mockSecretClientGetSecret, restoreMocks, createMockedKeyVaultReference, sleepInMs } from "./utils/testHelper.js";
+import { sinon, createMockedConnectionString, createMockedTokenCredential, mockAppConfigurationClientListConfigurationSettings, mockAppConfigurationClientGetConfigurationSetting, mockSecretClientGetSecret, restoreMocks, createMockedKeyVaultReference, createMockedKeyValue, sleepInMs } from "./utils/testHelper.js";
 import { KeyVaultSecret, SecretClient } from "@azure/keyvault-secrets";
 import { ErrorMessages, KeyVaultReferenceErrorMessages } from "../src/common/errorMessages.js";
 
@@ -144,6 +144,10 @@ describe("key vault reference", function () {
 
 describe("key vault secret refresh", function () {
 
+    afterEach(() => {
+        restoreMocks();
+    });
+
     beforeEach(() => {
         const data = [
             ["TestKey", "https://fake-vault-name.vault.azure.net/secrets/fakeSecretName", "SecretValue"]
@@ -153,10 +157,6 @@ describe("key vault secret refresh", function () {
         mockAppConfigurationClientListConfigurationSettings([kvs]);
     });
 
-    afterEach(() => {
-        restoreMocks();
-    });
-
     it("should not allow secret refresh interval less than 1 minute", async () => {
         const connectionString = createMockedConnectionString();
         const loadWithInvalidSecretRefreshInterval = load(connectionString, {
@@ -199,4 +199,151 @@ describe("key vault secret refresh", function () {
         expect(settings.get("TestKey")).eq("SecretValue - Updated");
     });
 });
+
+describe("min secret refresh interval during key-value refresh", function () {
+    let getSecretCallCount = 0;
+    let sentinelEtag = "initial-etag";
+
+    afterEach(() => {
+        restoreMocks();
+        getSecretCallCount = 0;
+    });
+
+    /**
+     * This test verifies the enforcement of the minimum secret refresh interval during key-value refresh.
+     * When key-value refresh is triggered (by a watched setting change), the provider calls clearCache()
+     * on the KeyVaultSecretProvider. However, clearCache() only clears the cache if the minimum secret
+     * refresh interval (60 seconds) has passed. This prevents overwhelming Key Vaults with too many requests.
+     */
+    it("should not re-fetch secrets when key-value refresh happens within min secret refresh interval", async () => {
+        // Setup: key vault reference + sentinel key for watching
+        const kvWithSentinel = [
+            createMockedKeyVaultReference("TestKey", "https://fake-vault-name.vault.azure.net/secrets/fakeSecretName"),
+            createMockedKeyValue({ key: "sentinel", value: "initialValue", etag: sentinelEtag })
+        ];
+        mockAppConfigurationClientListConfigurationSettings([kvWithSentinel]);
+        mockAppConfigurationClientGetConfigurationSetting(kvWithSentinel);
+
+        // Mock SecretClient with call counting
+        const client = new SecretClient("https://fake-vault-name.vault.azure.net", createMockedTokenCredential());
+        sinon.stub(client, "getSecret").callsFake(async () => {
+            getSecretCallCount++;
+            return { value: "SecretValue" } as KeyVaultSecret;
+        });
+
+        // Load with key-value refresh enabled (watching sentinel)
+        const settings = await load(createMockedConnectionString(), {
+            refreshOptions: {
+                enabled: true,
+                refreshIntervalInMs: 1000, // 1 second refresh interval for key-values
+                watchedSettings: [{ key: "sentinel" }]
+            },
+            keyVaultOptions: {
+                secretClients: [client]
+            }
+        });
+
+        expect(settings.get("TestKey")).eq("SecretValue");
+        expect(getSecretCallCount).eq(1); // Initial load fetched the secret
+
+        // Simulate sentinel change to trigger key-value refresh
+        sentinelEtag = "changed-etag-1";
+        const updatedKvs = [
+            createMockedKeyVaultReference("TestKey", "https://fake-vault-name.vault.azure.net/secrets/fakeSecretName"),
+            createMockedKeyValue({ key: "sentinel", value: "changedValue1", etag: sentinelEtag })
+        ];
+        restoreMocks();
+        mockAppConfigurationClientListConfigurationSettings([updatedKvs]);
+        mockAppConfigurationClientGetConfigurationSetting(updatedKvs);
+        sinon.stub(client, "getSecret").callsFake(async () => {
+            getSecretCallCount++;
+            return { value: "SecretValue" } as KeyVaultSecret;
+        });
+
+        // Wait for refresh interval and trigger refresh
+        await sleepInMs(1000 + 100);
+        await settings.refresh();
+
+        // Key-value refresh happened, but secret should NOT be re-fetched
+        // because min secret refresh interval (60s) hasn't passed
+        expect(getSecretCallCount).eq(1); // Still 1, no additional getSecret call
+
+        // Trigger another key-value refresh
+        sentinelEtag = "changed-etag-2";
+        const updatedKvs2 = [
+            createMockedKeyVaultReference("TestKey", "https://fake-vault-name.vault.azure.net/secrets/fakeSecretName"),
+            createMockedKeyValue({ key: "sentinel", value: "changedValue2", etag: sentinelEtag })
+        ];
+        restoreMocks();
+        mockAppConfigurationClientListConfigurationSettings([updatedKvs2]);
+        mockAppConfigurationClientGetConfigurationSetting(updatedKvs2);
+        sinon.stub(client, "getSecret").callsFake(async () => {
+            getSecretCallCount++;
+            return { value: "SecretValue" } as KeyVaultSecret;
+        });
+
+        await sleepInMs(1000 + 100);
+        await settings.refresh();
+
+        // Still no additional getSecret call due to min interval enforcement
+        expect(getSecretCallCount).eq(1);
+    });
+
+    it("should re-fetch secrets after min secret refresh interval passes during key-value refresh", async () => {
+        // Setup: key vault reference + sentinel key for watching
+        let currentSentinelValue = "initialValue";
+        sentinelEtag = "initial-etag";
+
+        const getKvs = () => [
+            createMockedKeyVaultReference("TestKey", "https://fake-vault-name.vault.azure.net/secrets/fakeSecretName"),
+            createMockedKeyValue({ key: "sentinel", value: currentSentinelValue, etag: sentinelEtag })
+        ];
+
+        mockAppConfigurationClientListConfigurationSettings([getKvs()]);
+        mockAppConfigurationClientGetConfigurationSetting(getKvs());
+
+        // Mock SecretClient with call counting
+        const client = new SecretClient("https://fake-vault-name.vault.azure.net", createMockedTokenCredential());
+        sinon.stub(client, "getSecret").callsFake(async () => {
+            getSecretCallCount++;
+            return { value: `SecretValue-${getSecretCallCount}` } as KeyVaultSecret;
+        });
+
+        // Load with key-value refresh enabled
+        const settings = await load(createMockedConnectionString(), {
+            refreshOptions: {
+                enabled: true,
+                refreshIntervalInMs: 1000,
+                watchedSettings: [{ key: "sentinel" }]
+            },
+            keyVaultOptions: {
+                secretClients: [client]
+            }
+        });
+
+        expect(settings.get("TestKey")).eq("SecretValue-1");
+        expect(getSecretCallCount).eq(1);
+
+        // Wait for min secret refresh interval (60 seconds) to pass
+        await sleepInMs(60_000 + 100);
+
+        // Now change sentinel to trigger key-value refresh
+        currentSentinelValue = "changedValue";
+        sentinelEtag = "changed-etag";
+        restoreMocks();
+        mockAppConfigurationClientListConfigurationSettings([getKvs()]);
+        mockAppConfigurationClientGetConfigurationSetting(getKvs());
+        sinon.stub(client, "getSecret").callsFake(async () => {
+            getSecretCallCount++;
+            return { value: `SecretValue-${getSecretCallCount}` } as KeyVaultSecret;
+        });
+
+        await sleepInMs(1000 + 100); // Wait for kv refresh interval
+        await settings.refresh();
+
+        // Now getSecret SHOULD be called again because min interval has passed
+        expect(getSecretCallCount).eq(2);
+        expect(settings.get("TestKey")).eq("SecretValue-2");
+    });
+});
 /* eslint-enable @typescript-eslint/no-unused-expressions */
