feat: allow endpoint overrides in AwsSecretsManagerVault #485

Merged
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions extensions/common/vault/vault-aws/build.gradle.kts
Expand Up @@ -20,4 +20,6 @@ dependencies {
api(libs.edc.spi.core)
implementation(libs.aws.secretsmanager)
implementation(libs.edc.lib.util)

testImplementation(libs.edc.junit)
}
Expand Up @@ -23,6 +23,9 @@
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.secretsmanager.SecretsManagerClient;

import java.net.URI;
import java.util.Optional;

/**
* This extension registers an implementation of the Vault interface for AWS Secrets Manager.
* It also registers a VaultPrivateKeyResolver and VaultCertificateResolver, which store and retrieve certificates
Expand All @@ -33,8 +36,14 @@
public class AwsSecretsManagerVaultExtension implements ServiceExtension {
public static final String NAME = "AWS Secrets Manager Vault";

@Setting
private static final String VAULT_AWS_REGION = "edc.vault.aws.region";
@Setting(key = "edc.vault.aws.region",
description = "The AWS Secrets Manager client will point to the specified region")
private String vaultRegion;

@Setting(key = "edc.vault.aws.endpoint.override",
description = "If valued, the AWS Secrets Manager client will point to the specified endpoint",
required = false)
private String vaultAwsEndpointOverride;

@Override
public String name() {
Expand All @@ -43,18 +52,16 @@ public String name() {

@Provider
public Vault createVault(ServiceExtensionContext context) {
var vaultRegion = context.getConfig().getString(VAULT_AWS_REGION);
var vaultEndpointOverride = Optional.ofNullable(vaultAwsEndpointOverride)
.map(URI::create)
.orElse(null);

var smClient = buildSmClient(vaultRegion);
var builder = SecretsManagerClient.builder()
.region(Region.of(vaultRegion))
.endpointOverride(vaultEndpointOverride);
var smClient = builder.build();

return new AwsSecretsManagerVault(smClient, context.getMonitor(),
new AwsSecretsManagerVaultDefaultSanitationStrategy(context.getMonitor()));
}

private SecretsManagerClient buildSmClient(String vaultRegion) {
var builder = SecretsManagerClient.builder()
.region(Region.of(vaultRegion));
return builder.build();
}

}
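Review bot: A malformed `edc.vault.aws.endpoint.override` value reaches `URI::create` in createVault and surfaces as a bare IllegalArgumentException that does not name the setting, and a well-formed override is accepted with any scheme, so an `http://` endpoint (the form the new test uses) makes the Secrets Manager client send secret values and signed credentials in cleartext with nothing in the logs to show it. Wrap the parse so the failure names the key, and warn through the monitor when the override scheme is not https, so a cleartext endpoint is visible in production. The setting description `If valued, the AWS Secrets Manager client will point to the specified endpoint` reads better as `If set, the AWS Secrets Manager client will point to the specified endpoint`. Whether the injection framework already rejects a missing region cannot be seen from this hunk.
```java
public Vault createVault(ServiceExtensionContext context) {
    var vaultEndpointOverride = Optional.ofNullable(vaultAwsEndpointOverride)
            .map(value -> {
                try {
                    return URI.create(value);
                } catch (IllegalArgumentException e) {
                    throw new IllegalArgumentException(
                            "Invalid value for edc.vault.aws.endpoint.override: " + value, e);
                }
            })
            .orElse(null);
    if (vaultEndpointOverride != null && !"https".equalsIgnoreCase(vaultEndpointOverride.getScheme())) {
        context.getMonitor().warning(
                "edc.vault.aws.endpoint.override does not use https; secrets will be sent in cleartext");
    }

    // … unchanged: client builder and AwsSecretsManagerVault construction …
```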
Expand Up @@ -14,37 +14,70 @@

package org.eclipse.edc.vault.aws;

import org.eclipse.edc.boot.system.injection.ObjectFactory;
import org.eclipse.edc.junit.extensions.DependencyInjectionExtension;
import org.eclipse.edc.spi.monitor.Monitor;
import org.eclipse.edc.spi.system.ServiceExtensionContext;
import org.eclipse.edc.spi.system.configuration.Config;
import org.eclipse.edc.spi.system.configuration.ConfigFactory;
import org.junit.jupiter.api.Assertions;
import org.junit.jupiter.api.Test;
import org.junit.jupiter.api.extension.ExtendWith;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.secretsmanager.SecretsManagerClient;

import java.net.URI;
import java.util.Map;

import static org.assertj.core.api.Assertions.assertThat;
import static org.assertj.core.api.InstanceOfAssertFactories.type;
import static org.mockito.Mockito.mock;
import static org.mockito.Mockito.when;

@ExtendWith(DependencyInjectionExtension.class)
class AwsSecretsManagerVaultExtensionTest {

private final Monitor monitor = mock(Monitor.class);
private final AwsSecretsManagerVaultExtension extension = new AwsSecretsManagerVaultExtension();

@Test
void configOptionRegionNotProvided_shouldThrowException() {
ServiceExtensionContext invalidContext = mock(ServiceExtensionContext.class);
when(invalidContext.getMonitor()).thenReturn(monitor);
void configOptionRegionNotProvided_shouldThrowException(ServiceExtensionContext context) {
when(context.getMonitor()).thenReturn(mock(Monitor.class));
var extension = new AwsSecretsManagerVaultExtension();

Assertions.assertThrows(NullPointerException.class, () -> extension.createVault(invalidContext));
Assertions.assertThrows(NullPointerException.class, () -> extension.createVault(context));
}

@Test
void configOptionRegionProvided_shouldNotThrowException() {
ServiceExtensionContext validContext = mock(ServiceExtensionContext.class);
Config cfg = mock();
when(cfg.getString("edc.vault.aws.region")).thenReturn("eu-west-1");
when(validContext.getConfig()).thenReturn(cfg);
when(validContext.getMonitor()).thenReturn(monitor);

extension.createVault(validContext);
void configOptionRegionProvided_shouldNotThrowException(ObjectFactory factory,
ServiceExtensionContext context) {
var config = ConfigFactory.fromMap(Map.of(
"edc.vault.aws.region", "eu-west-1"
));
when(context.getConfig()).thenReturn(config);
var extension = factory.constructInstance(AwsSecretsManagerVaultExtension.class);

var vault = extension.createVault(context);

assertThat(vault).extracting("smClient", type(SecretsManagerClient.class))
.satisfies(client -> {
assertThat(client.serviceClientConfiguration().region()).isEqualTo(
Region.of("eu-west-1"));
});
}

@Test
void configOptionEndpointOverrideProvided_shouldNotThrowException(ObjectFactory factory,
ServiceExtensionContext context) {
var config = ConfigFactory.fromMap(Map.of(
"edc.vault.aws.region", "eu-west-1",
"edc.vault.aws.endpoint.override", "http://localhost:4566"
));
when(context.getConfig()).thenReturn(config);
var extension = factory.constructInstance(AwsSecretsManagerVaultExtension.class);

var vault = extension.createVault(context);

assertThat(vault).extracting("smClient", type(SecretsManagerClient.class))
.satisfies(client -> {
assertThat(client.serviceClientConfiguration().endpointOverride()).contains(
URI.create("http://localhost:4566"));
});
}
}
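Review bot: The name `configOptionEndpointOverrideProvided_shouldNotThrowException` no longer matches what the test asserts: its body checks that `serviceClientConfiguration().endpointOverride()` contains the configured URI, so `configOptionEndpointOverrideProvided_shouldApplyEndpointOverride` describes it. Both new tests reach the client through `extracting("smClient", type(SecretsManagerClient.class))`, a reflective lookup by private field name that compiles fine and fails only at runtime if that field in AwsSecretsManagerVault is renamed; a comment such as `// reflective access: name must match the smClient field in AwsSecretsManagerVault` would make the coupling visible. The first test still constructs the extension directly, bypassing the ObjectFactory, and relies on the SDK raising NullPointerException for a null region rather than on a configuration error; a one-line comment stating that this is deliberate would stop a reader from treating it as an oversight.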