feat: allow endpoint overrides in AwsSecretsManagerVault (#485)

* feat: allow endpoint overrides in AwsSecretsManagerVault * accept review * fix by self review * accept review
eclipse-edc · Dec 2, 2024 · fa3fbf6 · fa3fbf6
1 parent b199d7d
commit fa3fbf6
Show file tree

Hide file tree

Showing 3 changed files with 69 additions and 27 deletions.
diff --git a/extensions/common/vault/vault-aws/build.gradle.kts b/extensions/common/vault/vault-aws/build.gradle.kts
@@ -20,4 +20,6 @@ dependencies {
     api(libs.edc.spi.core)
     implementation(libs.aws.secretsmanager)
     implementation(libs.edc.lib.util)
+
+    testImplementation(libs.edc.junit)
 }
diff --git a/...lt/vault-aws/src/main/java/org/eclipse/edc/vault/aws/AwsSecretsManagerVaultExtension.java b/...lt/vault-aws/src/main/java/org/eclipse/edc/vault/aws/AwsSecretsManagerVaultExtension.java
@@ -23,6 +23,9 @@
 import software.amazon.awssdk.regions.Region;
 import software.amazon.awssdk.services.secretsmanager.SecretsManagerClient;
 
+import java.net.URI;
+import java.util.Optional;
+
 /**
  * This extension registers an implementation of the Vault interface for AWS Secrets Manager.
  * It also registers a VaultPrivateKeyResolver and VaultCertificateResolver, which store and retrieve certificates
@@ -33,8 +36,14 @@
 public class AwsSecretsManagerVaultExtension implements ServiceExtension {
     public static final String NAME = "AWS Secrets Manager Vault";
 
-    @Setting
-    private static final String VAULT_AWS_REGION = "edc.vault.aws.region";
+    @Setting(key = "edc.vault.aws.region",
+            description = "The AWS Secrets Manager client will point to the specified region")
+    private String vaultRegion;
+
+    @Setting(key = "edc.vault.aws.endpoint.override",
+            description = "If valued, the AWS Secrets Manager client will point to the specified endpoint",
+            required = false)
+    private String vaultAwsEndpointOverride;
 
     @Override
     public String name() {
@@ -43,18 +52,16 @@ public String name() {
 
     @Provider
     public Vault createVault(ServiceExtensionContext context) {
-        var vaultRegion = context.getConfig().getString(VAULT_AWS_REGION);
+        var vaultEndpointOverride = Optional.ofNullable(vaultAwsEndpointOverride)
+                .map(URI::create)
+                .orElse(null);
 
-        var smClient = buildSmClient(vaultRegion);
+        var builder = SecretsManagerClient.builder()
+                .region(Region.of(vaultRegion))
+                .endpointOverride(vaultEndpointOverride);
+        var smClient = builder.build();
 
         return new AwsSecretsManagerVault(smClient, context.getMonitor(),
                 new AwsSecretsManagerVaultDefaultSanitationStrategy(context.getMonitor()));
     }
-
-    private SecretsManagerClient buildSmClient(String vaultRegion) {
-        var builder = SecretsManagerClient.builder()
-                .region(Region.of(vaultRegion));
-        return builder.build();
-    }
-
 }
diff --git a/...ault-aws/src/test/java/org/eclipse/edc/vault/aws/AwsSecretsManagerVaultExtensionTest.java b/...ault-aws/src/test/java/org/eclipse/edc/vault/aws/AwsSecretsManagerVaultExtensionTest.java
@@ -14,37 +14,70 @@
 
 package org.eclipse.edc.vault.aws;
 
+import org.eclipse.edc.boot.system.injection.ObjectFactory;
+import org.eclipse.edc.junit.extensions.DependencyInjectionExtension;
 import org.eclipse.edc.spi.monitor.Monitor;
 import org.eclipse.edc.spi.system.ServiceExtensionContext;
-import org.eclipse.edc.spi.system.configuration.Config;
+import org.eclipse.edc.spi.system.configuration.ConfigFactory;
 import org.junit.jupiter.api.Assertions;
 import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.extension.ExtendWith;
+import software.amazon.awssdk.regions.Region;
+import software.amazon.awssdk.services.secretsmanager.SecretsManagerClient;
 
+import java.net.URI;
+import java.util.Map;
+
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.assertj.core.api.InstanceOfAssertFactories.type;
 import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.when;
 
+@ExtendWith(DependencyInjectionExtension.class)
 class AwsSecretsManagerVaultExtensionTest {
 
-    private final Monitor monitor = mock(Monitor.class);
-    private final AwsSecretsManagerVaultExtension extension = new AwsSecretsManagerVaultExtension();
-
     @Test
-    void configOptionRegionNotProvided_shouldThrowException() {
-        ServiceExtensionContext invalidContext = mock(ServiceExtensionContext.class);
-        when(invalidContext.getMonitor()).thenReturn(monitor);
+    void configOptionRegionNotProvided_shouldThrowException(ServiceExtensionContext context) {
+        when(context.getMonitor()).thenReturn(mock(Monitor.class));
+        var extension = new AwsSecretsManagerVaultExtension();
 
-        Assertions.assertThrows(NullPointerException.class, () -> extension.createVault(invalidContext));
+        Assertions.assertThrows(NullPointerException.class, () -> extension.createVault(context));
     }
 
     @Test
-    void configOptionRegionProvided_shouldNotThrowException() {
-        ServiceExtensionContext validContext = mock(ServiceExtensionContext.class);
-        Config cfg = mock();
-        when(cfg.getString("edc.vault.aws.region")).thenReturn("eu-west-1");
-        when(validContext.getConfig()).thenReturn(cfg);
-        when(validContext.getMonitor()).thenReturn(monitor);
-
-        extension.createVault(validContext);
+    void configOptionRegionProvided_shouldNotThrowException(ObjectFactory factory,
+            ServiceExtensionContext context) {
+        var config = ConfigFactory.fromMap(Map.of(
+                "edc.vault.aws.region", "eu-west-1"
+        ));
+        when(context.getConfig()).thenReturn(config);
+        var extension = factory.constructInstance(AwsSecretsManagerVaultExtension.class);
+
+        var vault = extension.createVault(context);
+
+        assertThat(vault).extracting("smClient", type(SecretsManagerClient.class))
+                .satisfies(client -> {
+                    assertThat(client.serviceClientConfiguration().region()).isEqualTo(
+                            Region.of("eu-west-1"));
+                });
     }
 
+    @Test
+    void configOptionEndpointOverrideProvided_shouldNotThrowException(ObjectFactory factory,
+            ServiceExtensionContext context) {
+        var config = ConfigFactory.fromMap(Map.of(
+                "edc.vault.aws.region", "eu-west-1",
+                "edc.vault.aws.endpoint.override", "http://localhost:4566"
+        ));
+        when(context.getConfig()).thenReturn(config);
+        var extension = factory.constructInstance(AwsSecretsManagerVaultExtension.class);
+
+        var vault = extension.createVault(context);
+
+        assertThat(vault).extracting("smClient", type(SecretsManagerClient.class))
+                .satisfies(client -> {
+                    assertThat(client.serviceClientConfiguration().endpointOverride()).contains(
+                            URI.create("http://localhost:4566"));
+                });
+    }
 }