From ff917d5c169316fa398edbee27747ebe6adc3c5f Mon Sep 17 00:00:00 2001 From: Jason Frame Date: Mon, 21 Aug 2023 14:08:33 +1000 Subject: [PATCH 01/21] Add Aws params to Eth1Config --- .../dsl/signer/SignerConfiguration.java | 8 +-- .../signer/SignerConfigurationBuilder.java | 10 ++-- .../runner/CmdLineParamsConfigFileImpl.java | 53 +++++++++---------- .../runner/CmdLineParamsDefaultImpl.java | 53 +++++++++---------- .../AwsSecretsManagerAcceptanceTest.java | 20 +++---- ...ecretsManagerMultiValueAcceptanceTest.java | 10 ++-- ...cretsManagerPerformanceAcceptanceTest.java | 10 ++-- ...ameters.java => PicoCliAwsParameters.java} | 4 +- .../subcommands/Eth1SubCommand.java | 9 ++++ .../subcommands/Eth2SubCommand.java | 14 ++--- .../commandline/CommandlineParserTest.java | 16 +++--- .../jsonrpcproxy/support/TestEth1Config.java | 7 +++ .../pegasys/web3signer/core/Eth2Runner.java | 14 ++--- .../web3signer/core/config/Eth1Config.java | 3 ++ .../AWSBulkLoadingArtifactSignerProvider.java | 4 +- ...agerParameters.java => AwsParameters.java} | 2 +- .../config/AwsSecretsManagerFactory.java | 14 ++--- .../metadata/AwsKeySigningMetadata.java | 4 +- ...Builder.java => AwsParametersBuilder.java} | 38 ++++++------- 19 files changed, 153 insertions(+), 140 deletions(-) rename commandline/src/main/java/tech/pegasys/web3signer/commandline/{PicoCliAwsSecretsManagerParameters.java => PicoCliAwsParameters.java} (97%) rename signing/src/main/java/tech/pegasys/web3signer/signing/config/{AwsSecretsManagerParameters.java => AwsParameters.java} (96%) rename signing/src/testFixtures/java/tech/pegasys/web3signer/signing/config/{AwsSecretsManagerParametersBuilder.java => AwsParametersBuilder.java} (77%) diff --git a/acceptance-tests/src/test/java/tech/pegasys/web3signer/dsl/signer/SignerConfiguration.java b/acceptance-tests/src/test/java/tech/pegasys/web3signer/dsl/signer/SignerConfiguration.java index 7317b5fb4..29f95ef0d 100644 
--- a/acceptance-tests/src/test/java/tech/pegasys/web3signer/dsl/signer/SignerConfiguration.java +++ b/acceptance-tests/src/test/java/tech/pegasys/web3signer/dsl/signer/SignerConfiguration.java @@ -16,7 +16,7 @@ import tech.pegasys.web3signer.core.config.client.ClientTlsOptions; import tech.pegasys.web3signer.core.service.jsonrpc.handlers.signing.ChainIdProvider; import tech.pegasys.web3signer.dsl.tls.TlsCertificateDefinition; -import tech.pegasys.web3signer.signing.config.AwsSecretsManagerParameters; +import tech.pegasys.web3signer.signing.config.AwsParameters; import tech.pegasys.web3signer.signing.config.AzureKeyVaultParameters; import tech.pegasys.web3signer.signing.config.KeystoresParameters; @@ -41,7 +41,7 @@ public class SignerConfiguration { private final List metricsCategories; private final boolean metricsEnabled; private final Optional azureKeyVaultParameters; - private final Optional awsSecretsManagerParameters; + private final Optional awsSecretsManagerParameters; private final Optional keystoresParameters; private final Optional serverTlsOptions; private final Optional overriddenCaTrustStore; @@ -88,7 +88,7 @@ public SignerConfiguration( final List metricsCategories, final boolean metricsEnabled, final Optional azureKeyVaultParameters, - final Optional awsSecretsManagerParameters, + final Optional awsSecretsManagerParameters, final Optional keystoresParameters, final Optional serverTlsOptions, final Optional overriddenCaTrustStore, @@ -218,7 +218,7 @@ public Optional getAzureKeyVaultParameters() { return azureKeyVaultParameters; } - public Optional getAwsSecretsManagerParameters() { + public Optional getAwsSecretsManagerParameters() { return awsSecretsManagerParameters; } diff --git a/acceptance-tests/src/test/java/tech/pegasys/web3signer/dsl/signer/SignerConfigurationBuilder.java b/acceptance-tests/src/test/java/tech/pegasys/web3signer/dsl/signer/SignerConfigurationBuilder.java index dc78a259b..57d333865 100644 
--- a/acceptance-tests/src/test/java/tech/pegasys/web3signer/dsl/signer/SignerConfigurationBuilder.java +++ b/acceptance-tests/src/test/java/tech/pegasys/web3signer/dsl/signer/SignerConfigurationBuilder.java @@ -20,7 +20,7 @@ import tech.pegasys.web3signer.core.service.jsonrpc.handlers.signing.ChainIdProvider; import tech.pegasys.web3signer.core.service.jsonrpc.handlers.signing.ConfigurationChainId; import tech.pegasys.web3signer.dsl.tls.TlsCertificateDefinition; -import tech.pegasys.web3signer.signing.config.AwsSecretsManagerParameters; +import tech.pegasys.web3signer.signing.config.AwsParameters; import tech.pegasys.web3signer.signing.config.AzureKeyVaultParameters; import tech.pegasys.web3signer.signing.config.KeystoresParameters; @@ -50,7 +50,7 @@ public class SignerConfigurationBuilder { private Path slashingProtectionDbPoolConfigurationFile = null; private String mode; private AzureKeyVaultParameters azureKeyVaultParameters; - private AwsSecretsManagerParameters awsSecretsManagerParameters; + private AwsParameters awsParameters; private Map web3SignerEnvironment; private Duration startupTimeout = Boolean.getBoolean("debugSubProcess") ? Duration.ofHours(1) : Duration.ofSeconds(30); @@ -142,8 +142,8 @@ public SignerConfigurationBuilder withAzureKeyVaultParameters( } public SignerConfigurationBuilder withAwsSecretsManagerParameters( - final AwsSecretsManagerParameters awsSecretsManagerParameters) { - this.awsSecretsManagerParameters = awsSecretsManagerParameters; + final AwsParameters awsParameters) { + this.awsParameters = awsParameters; return this; } @@ -324,7 +324,7 @@ public SignerConfiguration build() { metricsCategories, metricsEnabled, Optional.ofNullable(azureKeyVaultParameters), - Optional.ofNullable(awsSecretsManagerParameters), + Optional.ofNullable(awsParameters), Optional.ofNullable(keystoresParameters), Optional.ofNullable(serverTlsOptions), Optional.ofNullable(overriddenCaTrustStore), 
diff --git a/acceptance-tests/src/test/java/tech/pegasys/web3signer/dsl/signer/runner/CmdLineParamsConfigFileImpl.java b/acceptance-tests/src/test/java/tech/pegasys/web3signer/dsl/signer/runner/CmdLineParamsConfigFileImpl.java index 9fd805734..4bcac4138 100644 --- a/acceptance-tests/src/test/java/tech/pegasys/web3signer/dsl/signer/runner/CmdLineParamsConfigFileImpl.java +++ b/acceptance-tests/src/test/java/tech/pegasys/web3signer/dsl/signer/runner/CmdLineParamsConfigFileImpl.java 
@@ -12,15 +12,15 @@ */ package tech.pegasys.web3signer.dsl.signer.runner; -import static tech.pegasys.web3signer.commandline.PicoCliAwsSecretsManagerParameters.AWS_ENDPOINT_OVERRIDE_OPTION; -import static tech.pegasys.web3signer.commandline.PicoCliAwsSecretsManagerParameters.AWS_SECRETS_ACCESS_KEY_ID_OPTION; -import static tech.pegasys.web3signer.commandline.PicoCliAwsSecretsManagerParameters.AWS_SECRETS_AUTH_MODE_OPTION; -import static tech.pegasys.web3signer.commandline.PicoCliAwsSecretsManagerParameters.AWS_SECRETS_ENABLED_OPTION; -import static tech.pegasys.web3signer.commandline.PicoCliAwsSecretsManagerParameters.AWS_SECRETS_PREFIXES_FILTER_OPTION; -import static tech.pegasys.web3signer.commandline.PicoCliAwsSecretsManagerParameters.AWS_SECRETS_REGION_OPTION; -import static tech.pegasys.web3signer.commandline.PicoCliAwsSecretsManagerParameters.AWS_SECRETS_SECRET_ACCESS_KEY_OPTION; -import static tech.pegasys.web3signer.commandline.PicoCliAwsSecretsManagerParameters.AWS_SECRETS_TAG_NAMES_FILTER_OPTION; -import static tech.pegasys.web3signer.commandline.PicoCliAwsSecretsManagerParameters.AWS_SECRETS_TAG_VALUES_FILTER_OPTION; +import static tech.pegasys.web3signer.commandline.PicoCliAwsParameters.AWS_ENDPOINT_OVERRIDE_OPTION; +import static tech.pegasys.web3signer.commandline.PicoCliAwsParameters.AWS_SECRETS_ACCESS_KEY_ID_OPTION; +import static tech.pegasys.web3signer.commandline.PicoCliAwsParameters.AWS_SECRETS_AUTH_MODE_OPTION; +import static tech.pegasys.web3signer.commandline.PicoCliAwsParameters.AWS_SECRETS_ENABLED_OPTION; +import static tech.pegasys.web3signer.commandline.PicoCliAwsParameters.AWS_SECRETS_PREFIXES_FILTER_OPTION; +import static tech.pegasys.web3signer.commandline.PicoCliAwsParameters.AWS_SECRETS_REGION_OPTION; +import static tech.pegasys.web3signer.commandline.PicoCliAwsParameters.AWS_SECRETS_SECRET_ACCESS_KEY_OPTION; +import static tech.pegasys.web3signer.commandline.PicoCliAwsParameters.AWS_SECRETS_TAG_NAMES_FILTER_OPTION; +import static 
tech.pegasys.web3signer.commandline.PicoCliAwsParameters.AWS_SECRETS_TAG_VALUES_FILTER_OPTION; import tech.pegasys.web3signer.core.config.ClientAuthConstraints; import tech.pegasys.web3signer.core.config.TlsOptions; @@ -28,7 +28,7 @@ import tech.pegasys.web3signer.dsl.signer.SignerConfiguration; import tech.pegasys.web3signer.dsl.signer.WatermarkRepairParameters; import tech.pegasys.web3signer.dsl.utils.DatabaseUtil; -import tech.pegasys.web3signer.signing.config.AwsSecretsManagerParameters; +import tech.pegasys.web3signer.signing.config.AwsParameters; import tech.pegasys.web3signer.signing.config.AzureKeyVaultParameters; import tech.pegasys.web3signer.signing.config.KeystoresParameters; 
@@ -441,71 +441,70 @@ private String createEth2SlashingProtectionArgs() { return yamlConfig.toString(); } - private String awsBulkLoadingOptions( - final AwsSecretsManagerParameters awsSecretsManagerParameters) { + private String awsBulkLoadingOptions(final AwsParameters awsParameters) { final StringBuilder yamlConfig = new StringBuilder(); yamlConfig.append( String.format( YAML_BOOLEAN_FMT, "eth2." + AWS_SECRETS_ENABLED_OPTION.substring(2), - awsSecretsManagerParameters.isEnabled())); + awsParameters.isEnabled())); yamlConfig.append( String.format( YAML_STRING_FMT, "eth2." + AWS_SECRETS_AUTH_MODE_OPTION.substring(2), - awsSecretsManagerParameters.getAuthenticationMode().name())); + awsParameters.getAuthenticationMode().name())); - if (awsSecretsManagerParameters.getAccessKeyId() != null) { + if (awsParameters.getAccessKeyId() != null) { yamlConfig.append( String.format( YAML_STRING_FMT, "eth2." + AWS_SECRETS_ACCESS_KEY_ID_OPTION.substring(2), - awsSecretsManagerParameters.getAccessKeyId())); + awsParameters.getAccessKeyId())); } - if (awsSecretsManagerParameters.getSecretAccessKey() != null) { + if (awsParameters.getSecretAccessKey() != null) { yamlConfig.append( String.format( YAML_STRING_FMT, "eth2." + AWS_SECRETS_SECRET_ACCESS_KEY_OPTION.substring(2), - awsSecretsManagerParameters.getSecretAccessKey())); + awsParameters.getSecretAccessKey())); } - if (awsSecretsManagerParameters.getRegion() != null) { + if (awsParameters.getRegion() != null) { yamlConfig.append( String.format( YAML_STRING_FMT, "eth2." + AWS_SECRETS_REGION_OPTION.substring(2), - awsSecretsManagerParameters.getRegion())); + awsParameters.getRegion())); } - if (!awsSecretsManagerParameters.getPrefixesFilter().isEmpty()) { + if (!awsParameters.getPrefixesFilter().isEmpty()) { yamlConfig.append( String.format( YAML_STRING_FMT, "eth2." 
+ AWS_SECRETS_PREFIXES_FILTER_OPTION.substring(2), - String.join(",", awsSecretsManagerParameters.getPrefixesFilter()))); + String.join(",", awsParameters.getPrefixesFilter()))); } - if (!awsSecretsManagerParameters.getTagNamesFilter().isEmpty()) { + if (!awsParameters.getTagNamesFilter().isEmpty()) { yamlConfig.append( String.format( YAML_STRING_FMT, "eth2." + AWS_SECRETS_TAG_NAMES_FILTER_OPTION.substring(2), - String.join(",", awsSecretsManagerParameters.getTagNamesFilter()))); + String.join(",", awsParameters.getTagNamesFilter()))); } - if (!awsSecretsManagerParameters.getTagValuesFilter().isEmpty()) { + if (!awsParameters.getTagValuesFilter().isEmpty()) { yamlConfig.append( String.format( YAML_STRING_FMT, "eth2." + AWS_SECRETS_TAG_VALUES_FILTER_OPTION.substring(2), - String.join(",", awsSecretsManagerParameters.getTagValuesFilter()))); + String.join(",", awsParameters.getTagValuesFilter()))); } - awsSecretsManagerParameters + awsParameters .getEndpointOverride() .ifPresent( uri -> diff --git a/acceptance-tests/src/test/java/tech/pegasys/web3signer/dsl/signer/runner/CmdLineParamsDefaultImpl.java b/acceptance-tests/src/test/java/tech/pegasys/web3signer/dsl/signer/runner/CmdLineParamsDefaultImpl.java index 42762aa00..cbb226066 100644 --- a/acceptance-tests/src/test/java/tech/pegasys/web3signer/dsl/signer/runner/CmdLineParamsDefaultImpl.java +++ b/acceptance-tests/src/test/java/tech/pegasys/web3signer/dsl/signer/runner/CmdLineParamsDefaultImpl.java 
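Review bot: `awsBulkLoadingOptions` still hard-codes the `"eth2."` key prefix on every option it writes (`"eth2." + AWS_SECRETS_ENABLED_OPTION.substring(2)` and the matching lines for auth mode, credentials, region and filters in this hunk), so now that the commit attaches `AwsParameters` to Eth1Config as well, the config-file DSL has no way to express the same options for an eth1 signer. If later patches in this series are meant to exercise eth1 with AWS settings through a config file, consider taking the mode as a parameter, `private String awsBulkLoadingOptions(final String modePrefix, final AwsParameters awsParameters)`, and building each key as `modePrefix + "." + OPTION.substring(2)`. The method's tail (`.getEndpointOverride().ifPresent(uri -> …`) continues past the end of the hunk.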
@@ -12,15 +12,15 @@ */ package tech.pegasys.web3signer.dsl.signer.runner; -import static tech.pegasys.web3signer.commandline.PicoCliAwsSecretsManagerParameters.AWS_ENDPOINT_OVERRIDE_OPTION; -import static tech.pegasys.web3signer.commandline.PicoCliAwsSecretsManagerParameters.AWS_SECRETS_ACCESS_KEY_ID_OPTION; -import static tech.pegasys.web3signer.commandline.PicoCliAwsSecretsManagerParameters.AWS_SECRETS_AUTH_MODE_OPTION; -import static tech.pegasys.web3signer.commandline.PicoCliAwsSecretsManagerParameters.AWS_SECRETS_ENABLED_OPTION; -import static tech.pegasys.web3signer.commandline.PicoCliAwsSecretsManagerParameters.AWS_SECRETS_PREFIXES_FILTER_OPTION; -import static tech.pegasys.web3signer.commandline.PicoCliAwsSecretsManagerParameters.AWS_SECRETS_REGION_OPTION; -import static tech.pegasys.web3signer.commandline.PicoCliAwsSecretsManagerParameters.AWS_SECRETS_SECRET_ACCESS_KEY_OPTION; -import static tech.pegasys.web3signer.commandline.PicoCliAwsSecretsManagerParameters.AWS_SECRETS_TAG_NAMES_FILTER_OPTION; -import static tech.pegasys.web3signer.commandline.PicoCliAwsSecretsManagerParameters.AWS_SECRETS_TAG_VALUES_FILTER_OPTION; +import static tech.pegasys.web3signer.commandline.PicoCliAwsParameters.AWS_ENDPOINT_OVERRIDE_OPTION; +import static tech.pegasys.web3signer.commandline.PicoCliAwsParameters.AWS_SECRETS_ACCESS_KEY_ID_OPTION; +import static tech.pegasys.web3signer.commandline.PicoCliAwsParameters.AWS_SECRETS_AUTH_MODE_OPTION; +import static tech.pegasys.web3signer.commandline.PicoCliAwsParameters.AWS_SECRETS_ENABLED_OPTION; +import static tech.pegasys.web3signer.commandline.PicoCliAwsParameters.AWS_SECRETS_PREFIXES_FILTER_OPTION; +import static tech.pegasys.web3signer.commandline.PicoCliAwsParameters.AWS_SECRETS_REGION_OPTION; +import static tech.pegasys.web3signer.commandline.PicoCliAwsParameters.AWS_SECRETS_SECRET_ACCESS_KEY_OPTION; +import static tech.pegasys.web3signer.commandline.PicoCliAwsParameters.AWS_SECRETS_TAG_NAMES_FILTER_OPTION; +import static 
tech.pegasys.web3signer.commandline.PicoCliAwsParameters.AWS_SECRETS_TAG_VALUES_FILTER_OPTION; import tech.pegasys.web3signer.core.config.ClientAuthConstraints; import tech.pegasys.web3signer.core.config.TlsOptions; @@ -28,7 +28,7 @@ import tech.pegasys.web3signer.dsl.signer.SignerConfiguration; import tech.pegasys.web3signer.dsl.signer.WatermarkRepairParameters; import tech.pegasys.web3signer.dsl.utils.DatabaseUtil; -import tech.pegasys.web3signer.signing.config.AwsSecretsManagerParameters; +import tech.pegasys.web3signer.signing.config.AwsParameters; import tech.pegasys.web3signer.signing.config.AzureKeyVaultParameters; import tech.pegasys.web3signer.signing.config.KeystoresParameters; 
@@ -276,31 +276,30 @@ private Collection createEth2Args() { return params; } - private Collection awsBulkLoadingOptions( - final AwsSecretsManagerParameters awsSecretsManagerParameters) { + private Collection awsBulkLoadingOptions(final AwsParameters awsParameters) { final List params = new ArrayList<>(); - params.add(AWS_SECRETS_ENABLED_OPTION + "=" + awsSecretsManagerParameters.isEnabled()); + params.add(AWS_SECRETS_ENABLED_OPTION + "=" + awsParameters.isEnabled()); params.add(AWS_SECRETS_AUTH_MODE_OPTION); - params.add(awsSecretsManagerParameters.getAuthenticationMode().name()); + params.add(awsParameters.getAuthenticationMode().name()); - if (awsSecretsManagerParameters.getAccessKeyId() != null) { + if (awsParameters.getAccessKeyId() != null) { params.add(AWS_SECRETS_ACCESS_KEY_ID_OPTION); - params.add(awsSecretsManagerParameters.getAccessKeyId()); + params.add(awsParameters.getAccessKeyId()); } - if (awsSecretsManagerParameters.getSecretAccessKey() != null) { + if (awsParameters.getSecretAccessKey() != null) { params.add(AWS_SECRETS_SECRET_ACCESS_KEY_OPTION); - params.add(awsSecretsManagerParameters.getSecretAccessKey()); + params.add(awsParameters.getSecretAccessKey()); } - if (awsSecretsManagerParameters.getRegion() != null) { + if (awsParameters.getRegion() != null) { params.add(AWS_SECRETS_REGION_OPTION); - params.add(awsSecretsManagerParameters.getRegion()); + params.add(awsParameters.getRegion()); } - awsSecretsManagerParameters + awsParameters .getEndpointOverride() .ifPresent( uri -> { 
@@ -308,19 +307,19 @@ private Collection awsBulkLoadingOptions( params.add(uri.toString()); }); - if (!awsSecretsManagerParameters.getPrefixesFilter().isEmpty()) { + if (!awsParameters.getPrefixesFilter().isEmpty()) { params.add(AWS_SECRETS_PREFIXES_FILTER_OPTION); - params.add(String.join(",", awsSecretsManagerParameters.getPrefixesFilter())); + params.add(String.join(",", awsParameters.getPrefixesFilter())); } - if (!awsSecretsManagerParameters.getTagNamesFilter().isEmpty()) { + if (!awsParameters.getTagNamesFilter().isEmpty()) { params.add(AWS_SECRETS_TAG_NAMES_FILTER_OPTION); - params.add(String.join(",", awsSecretsManagerParameters.getTagNamesFilter())); + params.add(String.join(",", awsParameters.getTagNamesFilter())); } - if (!awsSecretsManagerParameters.getTagValuesFilter().isEmpty()) { + if (!awsParameters.getTagValuesFilter().isEmpty()) { params.add(AWS_SECRETS_TAG_VALUES_FILTER_OPTION); - params.add(String.join(",", awsSecretsManagerParameters.getTagValuesFilter())); + params.add(String.join(",", awsParameters.getTagValuesFilter())); } return params; diff --git a/acceptance-tests/src/test/java/tech/pegasys/web3signer/tests/bulkloading/AwsSecretsManagerAcceptanceTest.java b/acceptance-tests/src/test/java/tech/pegasys/web3signer/tests/bulkloading/AwsSecretsManagerAcceptanceTest.java index ad407da1e..8d5f18aa5 100644 --- a/acceptance-tests/src/test/java/tech/pegasys/web3signer/tests/bulkloading/AwsSecretsManagerAcceptanceTest.java +++ b/acceptance-tests/src/test/java/tech/pegasys/web3signer/tests/bulkloading/AwsSecretsManagerAcceptanceTest.java 
@@ -21,8 +21,8 @@ import tech.pegasys.web3signer.common.config.AwsAuthenticationMode; import tech.pegasys.web3signer.dsl.signer.SignerConfigurationBuilder; import tech.pegasys.web3signer.signing.KeyType; -import tech.pegasys.web3signer.signing.config.AwsSecretsManagerParameters; -import tech.pegasys.web3signer.signing.config.AwsSecretsManagerParametersBuilder; +import tech.pegasys.web3signer.signing.config.AwsParameters; +import tech.pegasys.web3signer.signing.config.AwsParametersBuilder; import tech.pegasys.web3signer.tests.AcceptanceTestBase; import java.net.URI; @@ -102,8 +102,8 @@ void setupAwsResources() { @ParameterizedTest(name = "{index} - Using config file: {0}") @ValueSource(booleans = {true, false}) void secretsAreLoadedFromAWSSecretsManagerAndReportedByPublicApi(final boolean useConfigFile) { - final AwsSecretsManagerParameters awsSecretsManagerParameters = - AwsSecretsManagerParametersBuilder.anAwsSecretsManagerParameters() + final AwsParameters awsParameters = + AwsParametersBuilder.anAwsSecretsManagerParameters() .withAuthenticationMode(AwsAuthenticationMode.SPECIFIED) .withRegion(AWS_REGION) .withAccessKeyId(RO_AWS_ACCESS_KEY_ID) @@ -118,7 +118,7 @@ void secretsAreLoadedFromAWSSecretsManagerAndReportedByPublicApi(final boolean u new SignerConfigurationBuilder() .withUseConfigFile(useConfigFile) .withMode("eth2") - .withAwsSecretsManagerParameters(awsSecretsManagerParameters); + .withAwsSecretsManagerParameters(awsParameters); startSigner(configBuilder.build()); 
@@ -144,8 +144,8 @@ void secretsAreLoadedFromAWSSecretsManagerAndReportedByPublicApi(final boolean u @Test void healthCheckErrorCountWhenInvalidCredentialsAreUsed() { final boolean useConfigFile = false; - final AwsSecretsManagerParameters invalidCredsParams = - AwsSecretsManagerParametersBuilder.anAwsSecretsManagerParameters() + final AwsParameters invalidCredsParams = + AwsParametersBuilder.anAwsSecretsManagerParameters() .withAuthenticationMode(AwsAuthenticationMode.SPECIFIED) .withRegion("us-east-2") .withAccessKeyId("invalid") @@ -189,8 +189,8 @@ private static int getAwsBulkLoadingData(String healthCheckJsonBody, String data @ValueSource(booleans = {true, false}) void secretsAreLoadedFromAWSSecretsManagerWithEnvironmentAuthModeAndReportedByPublicApi( final boolean useConfigFile) { - final AwsSecretsManagerParameters awsSecretsManagerParameters = - AwsSecretsManagerParametersBuilder.anAwsSecretsManagerParameters() + final AwsParameters awsParameters = + AwsParametersBuilder.anAwsSecretsManagerParameters() .withAuthenticationMode(AwsAuthenticationMode.ENVIRONMENT) .withPrefixesFilter(List.of(awsSecretsManagerUtil.getSecretsManagerPrefix())) .withTagNamesFilter(List.of("TagName2", "TagName3")) @@ -202,7 +202,7 @@ void secretsAreLoadedFromAWSSecretsManagerWithEnvironmentAuthModeAndReportedByPu new SignerConfigurationBuilder() .withUseConfigFile(useConfigFile) .withMode("eth2") - .withAwsSecretsManagerParameters(awsSecretsManagerParameters); + .withAwsSecretsManagerParameters(awsParameters); startSigner(configBuilder.build()); diff --git a/acceptance-tests/src/test/java/tech/pegasys/web3signer/tests/bulkloading/AwsSecretsManagerMultiValueAcceptanceTest.java b/acceptance-tests/src/test/java/tech/pegasys/web3signer/tests/bulkloading/AwsSecretsManagerMultiValueAcceptanceTest.java index 44bbb0e00..0bdfb8a5e 100644 --- a/acceptance-tests/src/test/java/tech/pegasys/web3signer/tests/bulkloading/AwsSecretsManagerMultiValueAcceptanceTest.java 
+++ b/acceptance-tests/src/test/java/tech/pegasys/web3signer/tests/bulkloading/AwsSecretsManagerMultiValueAcceptanceTest.java @@ -21,8 +21,8 @@ import tech.pegasys.web3signer.common.config.AwsAuthenticationMode; import tech.pegasys.web3signer.dsl.signer.SignerConfigurationBuilder; import tech.pegasys.web3signer.signing.KeyType; -import tech.pegasys.web3signer.signing.config.AwsSecretsManagerParameters; -import tech.pegasys.web3signer.signing.config.AwsSecretsManagerParametersBuilder; +import tech.pegasys.web3signer.signing.config.AwsParameters; +import tech.pegasys.web3signer.signing.config.AwsParametersBuilder; import tech.pegasys.web3signer.tests.AcceptanceTestBase; import java.net.URI; @@ -103,8 +103,8 @@ void setupAwsResources() { @ParameterizedTest(name = "{index} -> use config file: {0}") @ValueSource(booleans = {true, false}) void secretsAreLoadedFromAWSSecretsManagerAndReportedByPublicApi(final boolean useConfigFile) { - final AwsSecretsManagerParameters awsSecretsManagerParameters = - AwsSecretsManagerParametersBuilder.anAwsSecretsManagerParameters() + final AwsParameters awsParameters = + AwsParametersBuilder.anAwsSecretsManagerParameters() .withAuthenticationMode(AwsAuthenticationMode.SPECIFIED) .withRegion(AWS_REGION) .withAccessKeyId(RO_AWS_ACCESS_KEY_ID) @@ -118,7 +118,7 @@ void secretsAreLoadedFromAWSSecretsManagerAndReportedByPublicApi(final boolean u new SignerConfigurationBuilder() .withUseConfigFile(useConfigFile) .withMode("eth2") - .withAwsSecretsManagerParameters(awsSecretsManagerParameters); + .withAwsSecretsManagerParameters(awsParameters); startSigner(configBuilder.build()); diff --git a/acceptance-tests/src/test/java/tech/pegasys/web3signer/tests/bulkloading/AwsSecretsManagerPerformanceAcceptanceTest.java b/acceptance-tests/src/test/java/tech/pegasys/web3signer/tests/bulkloading/AwsSecretsManagerPerformanceAcceptanceTest.java index 1a431aeec..4e976c7de 100644 
--- a/acceptance-tests/src/test/java/tech/pegasys/web3signer/tests/bulkloading/AwsSecretsManagerPerformanceAcceptanceTest.java +++ b/acceptance-tests/src/test/java/tech/pegasys/web3signer/tests/bulkloading/AwsSecretsManagerPerformanceAcceptanceTest.java @@ -19,8 +19,8 @@ import tech.pegasys.web3signer.common.config.AwsAuthenticationMode; import tech.pegasys.web3signer.dsl.signer.SignerConfigurationBuilder; import tech.pegasys.web3signer.signing.KeyType; -import tech.pegasys.web3signer.signing.config.AwsSecretsManagerParameters; -import tech.pegasys.web3signer.signing.config.AwsSecretsManagerParametersBuilder; +import tech.pegasys.web3signer.signing.config.AwsParameters; +import tech.pegasys.web3signer.signing.config.AwsParametersBuilder; import tech.pegasys.web3signer.tests.AcceptanceTestBase; import java.net.URI; @@ -120,8 +120,8 @@ void setupAwsResources() { @Test void largeNumberOfKeysAreLoadedSuccessfully() { - final AwsSecretsManagerParameters awsSecretsManagerParameters = - AwsSecretsManagerParametersBuilder.anAwsSecretsManagerParameters() + final AwsParameters awsParameters = + AwsParametersBuilder.anAwsSecretsManagerParameters() .withAuthenticationMode(AwsAuthenticationMode.SPECIFIED) .withRegion(AWS_REGION) .withAccessKeyId(RO_AWS_ACCESS_KEY_ID) @@ -133,7 +133,7 @@ void largeNumberOfKeysAreLoadedSuccessfully() { final SignerConfigurationBuilder configBuilder = new SignerConfigurationBuilder() .withMode("eth2") - .withAwsSecretsManagerParameters(awsSecretsManagerParameters) + .withAwsSecretsManagerParameters(awsParameters) .withStartupTimeout(STARTUP_TIMEOUT) .withLogLevel(Level.INFO); 
diff --git a/commandline/src/main/java/tech/pegasys/web3signer/commandline/PicoCliAwsSecretsManagerParameters.java b/commandline/src/main/java/tech/pegasys/web3signer/commandline/PicoCliAwsParameters.java similarity index 97% rename from commandline/src/main/java/tech/pegasys/web3signer/commandline/PicoCliAwsSecretsManagerParameters.java rename to commandline/src/main/java/tech/pegasys/web3signer/commandline/PicoCliAwsParameters.java index a3e1f6a63..f294d825e 100644 --- a/commandline/src/main/java/tech/pegasys/web3signer/commandline/PicoCliAwsSecretsManagerParameters.java +++ b/commandline/src/main/java/tech/pegasys/web3signer/commandline/PicoCliAwsParameters.java @@ -13,7 +13,7 @@ package tech.pegasys.web3signer.commandline; import tech.pegasys.web3signer.common.config.AwsAuthenticationMode; -import tech.pegasys.web3signer.signing.config.AwsSecretsManagerParameters; +import tech.pegasys.web3signer.signing.config.AwsParameters; import java.net.URI; import java.util.Collection; @@ -24,7 +24,7 @@ import picocli.CommandLine; import picocli.CommandLine.Option; -public class PicoCliAwsSecretsManagerParameters implements AwsSecretsManagerParameters { +public class PicoCliAwsParameters implements AwsParameters { public static final String AWS_SECRETS_ENABLED_OPTION = "--aws-secrets-enabled"; public static final String AWS_SECRETS_AUTH_MODE_OPTION = "--aws-secrets-auth-mode"; public static final String AWS_SECRETS_ACCESS_KEY_ID_OPTION = "--aws-secrets-access-key-id"; diff --git a/commandline/src/main/java/tech/pegasys/web3signer/commandline/subcommands/Eth1SubCommand.java b/commandline/src/main/java/tech/pegasys/web3signer/commandline/subcommands/Eth1SubCommand.java index 47f296ab4..28445ea75 100644 --- a/commandline/src/main/java/tech/pegasys/web3signer/commandline/subcommands/Eth1SubCommand.java +++ b/commandline/src/main/java/tech/pegasys/web3signer/commandline/subcommands/Eth1SubCommand.java 
@@ -18,6 +18,7 @@ import static tech.pegasys.web3signer.commandline.DefaultCommandValues.PORT_FORMAT_HELP; import static tech.pegasys.web3signer.commandline.util.RequiredOptionsUtil.checkIfRequiredOptionsAreInitialized; +import tech.pegasys.web3signer.commandline.PicoCliAwsParameters; import tech.pegasys.web3signer.commandline.PicoCliEth1AzureKeyVaultParameters; import tech.pegasys.web3signer.commandline.annotations.RequiredOption; import tech.pegasys.web3signer.commandline.config.client.PicoCliClientTlsOptions; @@ -27,6 +28,7 @@ import tech.pegasys.web3signer.core.config.client.ClientTlsOptions; import tech.pegasys.web3signer.core.service.jsonrpc.handlers.signing.ChainIdProvider; import tech.pegasys.web3signer.core.service.jsonrpc.handlers.signing.ConfigurationChainId; +import tech.pegasys.web3signer.signing.config.AwsParameters; import tech.pegasys.web3signer.signing.config.AzureKeyVaultParameters; import java.net.URI; @@ -146,6 +148,8 @@ public void setDownstreamHttpPath(final String path) { @CommandLine.Mixin private PicoCliEth1AzureKeyVaultParameters azureKeyVaultParameters; + @CommandLine.Mixin private PicoCliAwsParameters awsParameters; + @Override public Runner createRunner() { return new Eth1Runner(config, this); @@ -216,6 +220,11 @@ public AzureKeyVaultParameters getAzureKeyVaultConfig() { return azureKeyVaultParameters; } + @Override + public AwsParameters getAwsParameters() { + return awsParameters; + } + @CommandLine.Option( names = {"--aws-kms-client-cache-size"}, paramLabel = "", diff --git a/commandline/src/main/java/tech/pegasys/web3signer/commandline/subcommands/Eth2SubCommand.java b/commandline/src/main/java/tech/pegasys/web3signer/commandline/subcommands/Eth2SubCommand.java index f54e57b08..fc3b9a009 100644 --- a/commandline/src/main/java/tech/pegasys/web3signer/commandline/subcommands/Eth2SubCommand.java +++ b/commandline/src/main/java/tech/pegasys/web3signer/commandline/subcommands/Eth2SubCommand.java 
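Review bot: The new `@CommandLine.Mixin private PicoCliAwsParameters awsParameters;` wires the `--aws-secrets-*` options into the eth1 subcommand, but nothing in this hunk validates them; the Eth2SubCommand hunk statically imports AWS_SECRETS_ACCESS_KEY_ID_OPTION, AWS_SECRETS_REGION_OPTION and AWS_SECRETS_SECRET_ACCESS_KEY_OPTION, which suggests it performs auth-mode-dependent required-option checks outside the shown lines, and if eth1 lacks the equivalent, a SPECIFIED auth mode with a missing region or key would surface at runtime instead of at parse time — confirm and mirror that check in the eth1 validation path. The accessor names also diverge between the two subcommands: this hunk adds `getAwsParameters()` as an Eth1Config override while the Eth2SubCommand hunk keeps `getAwsSecretsManagerParameters()` and the field `awsSecretsManagerParameters` for the same mixin type, so aligning the names would make the two read the same. Since the mixin's option names still say `secrets` (`--aws-secrets-enabled`) while the existing eth1 AWS option is `--aws-kms-client-cache-size`, a Javadoc on the new getter such as `/** AWS options supplied via the --aws-secrets-* mixin (PicoCliAwsParameters); see Eth1Config for how eth1 consumes them. */` would tell readers which AWS integration these settings drive.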
@@ -12,10 +12,10 @@ */ package tech.pegasys.web3signer.commandline.subcommands; -import static tech.pegasys.web3signer.commandline.PicoCliAwsSecretsManagerParameters.AWS_SECRETS_ACCESS_KEY_ID_OPTION; -import static tech.pegasys.web3signer.commandline.PicoCliAwsSecretsManagerParameters.AWS_SECRETS_AUTH_MODE_OPTION; -import static tech.pegasys.web3signer.commandline.PicoCliAwsSecretsManagerParameters.AWS_SECRETS_REGION_OPTION; -import static tech.pegasys.web3signer.commandline.PicoCliAwsSecretsManagerParameters.AWS_SECRETS_SECRET_ACCESS_KEY_OPTION; +import static tech.pegasys.web3signer.commandline.PicoCliAwsParameters.AWS_SECRETS_ACCESS_KEY_ID_OPTION; +import static tech.pegasys.web3signer.commandline.PicoCliAwsParameters.AWS_SECRETS_AUTH_MODE_OPTION; +import static tech.pegasys.web3signer.commandline.PicoCliAwsParameters.AWS_SECRETS_REGION_OPTION; +import static tech.pegasys.web3signer.commandline.PicoCliAwsParameters.AWS_SECRETS_SECRET_ACCESS_KEY_OPTION; import static tech.pegasys.web3signer.signing.config.AzureAuthenticationMode.CLIENT_SECRET; import static tech.pegasys.web3signer.signing.config.AzureAuthenticationMode.USER_ASSIGNED_MANAGED_IDENTITY; @@ -25,7 +25,7 @@ import tech.pegasys.teku.spec.ForkSchedule; import tech.pegasys.teku.spec.SpecMilestone; import tech.pegasys.teku.spec.networks.Eth2Network; -import tech.pegasys.web3signer.commandline.PicoCliAwsSecretsManagerParameters; +import tech.pegasys.web3signer.commandline.PicoCliAwsParameters; import tech.pegasys.web3signer.commandline.PicoCliEth2AzureKeyVaultParameters; import tech.pegasys.web3signer.commandline.PicoCliSlashingProtectionParameters; import tech.pegasys.web3signer.commandline.config.PicoKeystoresParameters; 
@@ -144,7 +144,7 @@ private static class NetworkCliCompletionCandidates extends ArrayList { @Mixin private PicoCliSlashingProtectionParameters slashingProtectionParameters; @Mixin private PicoCliEth2AzureKeyVaultParameters azureKeyVaultParameters; @Mixin private PicoKeystoresParameters keystoreParameters; - @Mixin private PicoCliAwsSecretsManagerParameters awsSecretsManagerParameters; + @Mixin private PicoCliAwsParameters awsSecretsManagerParameters; private tech.pegasys.teku.spec.Spec eth2Spec; public Eth2SubCommand() { @@ -339,7 +339,7 @@ public SlashingProtectionParameters getSlashingProtectionParameters() { } @VisibleForTesting - public PicoCliAwsSecretsManagerParameters getAwsSecretsManagerParameters() { + public PicoCliAwsParameters getAwsSecretsManagerParameters() { return awsSecretsManagerParameters; } diff --git a/commandline/src/test/java/tech/pegasys/web3signer/commandline/CommandlineParserTest.java b/commandline/src/test/java/tech/pegasys/web3signer/commandline/CommandlineParserTest.java index 80bc077aa..b1883ecd7 100644 --- a/commandline/src/test/java/tech/pegasys/web3signer/commandline/CommandlineParserTest.java +++ b/commandline/src/test/java/tech/pegasys/web3signer/commandline/CommandlineParserTest.java 
@@ -15,14 +15,14 @@ import static org.assertj.core.api.Assertions.assertThat; import static tech.pegasys.web3signer.CmdlineHelpers.removeFieldFrom; import static tech.pegasys.web3signer.CmdlineHelpers.validBaseCommandOptions; -import static tech.pegasys.web3signer.commandline.PicoCliAwsSecretsManagerParameters.AWS_SECRETS_ACCESS_KEY_ID_OPTION; -import static tech.pegasys.web3signer.commandline.PicoCliAwsSecretsManagerParameters.AWS_SECRETS_AUTH_MODE_OPTION; -import static tech.pegasys.web3signer.commandline.PicoCliAwsSecretsManagerParameters.AWS_SECRETS_ENABLED_OPTION; -import static tech.pegasys.web3signer.commandline.PicoCliAwsSecretsManagerParameters.AWS_SECRETS_PREFIXES_FILTER_OPTION; -import static tech.pegasys.web3signer.commandline.PicoCliAwsSecretsManagerParameters.AWS_SECRETS_REGION_OPTION; -import static tech.pegasys.web3signer.commandline.PicoCliAwsSecretsManagerParameters.AWS_SECRETS_SECRET_ACCESS_KEY_OPTION; -import static tech.pegasys.web3signer.commandline.PicoCliAwsSecretsManagerParameters.AWS_SECRETS_TAG_NAMES_FILTER_OPTION; -import static tech.pegasys.web3signer.commandline.PicoCliAwsSecretsManagerParameters.AWS_SECRETS_TAG_VALUES_FILTER_OPTION; +import static tech.pegasys.web3signer.commandline.PicoCliAwsParameters.AWS_SECRETS_ACCESS_KEY_ID_OPTION; +import static tech.pegasys.web3signer.commandline.PicoCliAwsParameters.AWS_SECRETS_AUTH_MODE_OPTION; +import static tech.pegasys.web3signer.commandline.PicoCliAwsParameters.AWS_SECRETS_ENABLED_OPTION; +import static tech.pegasys.web3signer.commandline.PicoCliAwsParameters.AWS_SECRETS_PREFIXES_FILTER_OPTION; +import static tech.pegasys.web3signer.commandline.PicoCliAwsParameters.AWS_SECRETS_REGION_OPTION; +import static tech.pegasys.web3signer.commandline.PicoCliAwsParameters.AWS_SECRETS_SECRET_ACCESS_KEY_OPTION; +import static tech.pegasys.web3signer.commandline.PicoCliAwsParameters.AWS_SECRETS_TAG_NAMES_FILTER_OPTION; +import static 
tech.pegasys.web3signer.commandline.PicoCliAwsParameters.AWS_SECRETS_TAG_VALUES_FILTER_OPTION; import tech.pegasys.web3signer.commandline.subcommands.Eth2SubCommand; import tech.pegasys.web3signer.common.config.AwsAuthenticationMode; diff --git a/core/src/integrationTest/java/tech/pegasys/web3signer/core/jsonrpcproxy/support/TestEth1Config.java b/core/src/integrationTest/java/tech/pegasys/web3signer/core/jsonrpcproxy/support/TestEth1Config.java index 3f72270eb..0d12879a9 100644 --- a/core/src/integrationTest/java/tech/pegasys/web3signer/core/jsonrpcproxy/support/TestEth1Config.java +++ b/core/src/integrationTest/java/tech/pegasys/web3signer/core/jsonrpcproxy/support/TestEth1Config.java @@ -16,6 +16,8 @@ import tech.pegasys.web3signer.core.config.client.ClientTlsOptions; import tech.pegasys.web3signer.core.service.jsonrpc.handlers.signing.ChainIdProvider; import tech.pegasys.web3signer.core.service.jsonrpc.handlers.signing.ConfigurationChainId; +import tech.pegasys.web3signer.signing.config.AwsParameters; +import tech.pegasys.web3signer.signing.config.AwsParametersBuilder; import tech.pegasys.web3signer.signing.config.AzureKeyVaultParameters; import tech.pegasys.web3signer.signing.config.DefaultAzureKeyVaultParameters; @@ -97,6 +99,11 @@ public AzureKeyVaultParameters getAzureKeyVaultConfig() { return new DefaultAzureKeyVaultParameters("", "", "", ""); } + @Override + public AwsParameters getAwsParameters() { + return AwsParametersBuilder.anAwsSecretsManagerParameters().build(); + } + @Override public long getAwsKmsClientCacheSize() { return 1; diff --git a/core/src/main/java/tech/pegasys/web3signer/core/Eth2Runner.java b/core/src/main/java/tech/pegasys/web3signer/core/Eth2Runner.java index 04cbd0713..4b6b23941 100644 --- a/core/src/main/java/tech/pegasys/web3signer/core/Eth2Runner.java +++ b/core/src/main/java/tech/pegasys/web3signer/core/Eth2Runner.java 
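Review bot: `getAwsParameters()` in TestEth1Config will throw instead of returning a usable config: `AwsParametersBuilder` defaults `authenticationMode` to `SPECIFIED`, and `build()` then rejects a missing key with `throw new IllegalArgumentException("accessKeyId is required")`, yet nothing is set on the builder here. Whether that path is reached depends on whether Eth1Runner calls `getAwsParameters()` on this config, which is outside this patch. Suggest either placeholder values, e.g. `.withAccessKeyId("test").withSecretAccessKey("test").withRegion("us-east-1")` (plus whatever else `build()` validates in the part of the builder this diff does not show), or an authentication mode other than `SPECIFIED` so no credentials are required.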
@@ -45,7 +45,7 @@ import tech.pegasys.web3signer.signing.ValidatorManager; import tech.pegasys.web3signer.signing.bulkloading.AWSBulkLoadingArtifactSignerProvider; import tech.pegasys.web3signer.signing.bulkloading.BlsKeystoreBulkLoader; -import tech.pegasys.web3signer.signing.config.AwsSecretsManagerParameters; +import tech.pegasys.web3signer.signing.config.AwsParameters; import tech.pegasys.web3signer.signing.config.AzureKeyVaultFactory; import tech.pegasys.web3signer.signing.config.AzureKeyVaultParameters; import tech.pegasys.web3signer.signing.config.DefaultArtifactSignerProvider; @@ -94,7 +94,7 @@ public class Eth2Runner extends Runner { private final Optional slashingProtectionContext; private final AzureKeyVaultParameters azureKeyVaultParameters; - private final AwsSecretsManagerParameters awsSecretsManagerParameters; + private final AwsParameters awsParameters; private final SlashingProtectionParameters slashingProtectionParameters; private final boolean pruningEnabled; private final KeystoresParameters keystoresParameters; @@ -106,7 +106,7 @@ public Eth2Runner( final SlashingProtectionParameters slashingProtectionParameters, final AzureKeyVaultParameters azureKeyVaultParameters, final KeystoresParameters keystoresParameters, - final AwsSecretsManagerParameters awsSecretsManagerParameters, + final AwsParameters awsParameters, final Spec eth2Spec, final boolean isKeyManagerApiEnabled) { super(baseConfig); @@ -117,7 +117,7 @@ public Eth2Runner( this.keystoresParameters = keystoresParameters; this.eth2Spec = eth2Spec; this.isKeyManagerApiEnabled = isKeyManagerApiEnabled; - this.awsSecretsManagerParameters = awsSecretsManagerParameters; + this.awsParameters = awsParameters; } private Optional createSlashingProtection( 
@@ -272,7 +272,7 @@ private MappedResults loadSignersFromKeyConfigFiles( final YubiHsmOpaqueDataProvider yubiHsmOpaqueDataProvider = new YubiHsmOpaqueDataProvider(); final AwsSecretsManagerProvider awsSecretsManagerProvider = - new AwsSecretsManagerProvider(awsSecretsManagerParameters.getCacheMaximumSize()); ) { + new AwsSecretsManagerProvider(awsParameters.getCacheMaximumSize()); ) { final AbstractArtifactSignerFactory artifactSignerFactory = new BlsArtifactSignerFactory( baseConfig.getKeyConfigPath(), @@ -338,13 +338,13 @@ private MappedResults bulkLoadSigners( results = MappedResults.merge(results, keystoreSignersResult); } - if (awsSecretsManagerParameters.isEnabled()) { + if (awsParameters.isEnabled()) { LOG.info("Bulk loading keys from AWS Secrets Manager ... "); final AWSBulkLoadingArtifactSignerProvider awsBulkLoadingArtifactSignerProvider = new AWSBulkLoadingArtifactSignerProvider(); final MappedResults awsResult = - awsBulkLoadingArtifactSignerProvider.load(awsSecretsManagerParameters); + awsBulkLoadingArtifactSignerProvider.load(awsParameters); LOG.info( "Keys loaded from AWS Secrets Manager: [{}], with error count: [{}]", awsResult.getValues().size(), diff --git a/core/src/main/java/tech/pegasys/web3signer/core/config/Eth1Config.java b/core/src/main/java/tech/pegasys/web3signer/core/config/Eth1Config.java index 2757eec5e..a917696c8 100644 --- a/core/src/main/java/tech/pegasys/web3signer/core/config/Eth1Config.java +++ b/core/src/main/java/tech/pegasys/web3signer/core/config/Eth1Config.java @@ -14,6 +14,7 @@ import tech.pegasys.web3signer.core.config.client.ClientTlsOptions; import tech.pegasys.web3signer.core.service.jsonrpc.handlers.signing.ChainIdProvider; +import tech.pegasys.web3signer.signing.config.AwsParameters; import tech.pegasys.web3signer.signing.config.AzureKeyVaultParameters; import java.time.Duration; 
@@ -43,5 +44,7 @@ public interface Eth1Config { AzureKeyVaultParameters getAzureKeyVaultConfig(); + AwsParameters getAwsParameters(); + long getAwsKmsClientCacheSize(); } diff --git a/signing/src/main/java/tech/pegasys/web3signer/signing/bulkloading/AWSBulkLoadingArtifactSignerProvider.java b/signing/src/main/java/tech/pegasys/web3signer/signing/bulkloading/AWSBulkLoadingArtifactSignerProvider.java index f33db9b4a..fce2ec353 100644 --- a/signing/src/main/java/tech/pegasys/web3signer/signing/bulkloading/AWSBulkLoadingArtifactSignerProvider.java +++ b/signing/src/main/java/tech/pegasys/web3signer/signing/bulkloading/AWSBulkLoadingArtifactSignerProvider.java @@ -19,8 +19,8 @@ import tech.pegasys.web3signer.keystorage.common.MappedResults; import tech.pegasys.web3signer.signing.ArtifactSigner; import tech.pegasys.web3signer.signing.BlsArtifactSigner; +import tech.pegasys.web3signer.signing.config.AwsParameters; import tech.pegasys.web3signer.signing.config.AwsSecretsManagerFactory; -import tech.pegasys.web3signer.signing.config.AwsSecretsManagerParameters; import tech.pegasys.web3signer.signing.config.metadata.SignerOrigin; import org.apache.tuweni.bytes.Bytes; @@ -28,7 +28,7 @@ public class AWSBulkLoadingArtifactSignerProvider { - public MappedResults load(final AwsSecretsManagerParameters parameters) { + public MappedResults load(final AwsParameters parameters) { try (final AwsSecretsManagerProvider awsSecretsManagerProvider = new AwsSecretsManagerProvider(parameters.getCacheMaximumSize())) { final AwsSecretsManager awsSecretsManager = diff --git a/signing/src/main/java/tech/pegasys/web3signer/signing/config/AwsSecretsManagerParameters.java b/signing/src/main/java/tech/pegasys/web3signer/signing/config/AwsParameters.java similarity index 96% rename from signing/src/main/java/tech/pegasys/web3signer/signing/config/AwsSecretsManagerParameters.java rename to signing/src/main/java/tech/pegasys/web3signer/signing/config/AwsParameters.java index 99573615a..034959121 100644 
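Review bot: The new `getAwsParameters()` on Eth1Config has no Javadoc, although the returned type carries an `isEnabled()` flag that a caller is expected to consult first (Eth2Runner guards its Secrets Manager bulk load with `awsParameters.isEnabled()`), and nothing on the interface says so. Suggest `/** AWS authentication, region and key-filter settings for AWS-backed eth1 signers; check {@link AwsParameters#isEnabled()} before using the other fields. */`. The name also diverges from its sibling `getAzureKeyVaultConfig()`; `getAwsConfig()` would keep the pair symmetric, though that is cosmetic.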
--- a/signing/src/main/java/tech/pegasys/web3signer/signing/config/AwsSecretsManagerParameters.java +++ b/signing/src/main/java/tech/pegasys/web3signer/signing/config/AwsParameters.java @@ -19,7 +19,7 @@ import java.util.Collections; import java.util.Optional; -public interface AwsSecretsManagerParameters { +public interface AwsParameters { boolean isEnabled(); AwsAuthenticationMode getAuthenticationMode(); diff --git a/signing/src/main/java/tech/pegasys/web3signer/signing/config/AwsSecretsManagerFactory.java b/signing/src/main/java/tech/pegasys/web3signer/signing/config/AwsSecretsManagerFactory.java index b22aefcca..130adbf15 100644 --- a/signing/src/main/java/tech/pegasys/web3signer/signing/config/AwsSecretsManagerFactory.java +++ b/signing/src/main/java/tech/pegasys/web3signer/signing/config/AwsSecretsManagerFactory.java @@ -19,17 +19,17 @@ public class AwsSecretsManagerFactory { public static AwsSecretsManager createAwsSecretsManager( final AwsSecretsManagerProvider awsSecretsManagerProvider, - final AwsSecretsManagerParameters awsSecretsManagerParameters) { - switch (awsSecretsManagerParameters.getAuthenticationMode()) { + final AwsParameters awsParameters) { + switch (awsParameters.getAuthenticationMode()) { case SPECIFIED: return awsSecretsManagerProvider.createAwsSecretsManager( - awsSecretsManagerParameters.getAccessKeyId(), - awsSecretsManagerParameters.getSecretAccessKey(), - awsSecretsManagerParameters.getRegion(), - awsSecretsManagerParameters.getEndpointOverride()); + awsParameters.getAccessKeyId(), + awsParameters.getSecretAccessKey(), + awsParameters.getRegion(), + awsParameters.getEndpointOverride()); default: return awsSecretsManagerProvider.createAwsSecretsManager( - awsSecretsManagerParameters.getEndpointOverride()); + awsParameters.getEndpointOverride()); } } } 
diff --git a/signing/src/main/java/tech/pegasys/web3signer/signing/config/metadata/AwsKeySigningMetadata.java b/signing/src/main/java/tech/pegasys/web3signer/signing/config/metadata/AwsKeySigningMetadata.java index 2f81ab2fa..e2d38814c 100644 --- a/signing/src/main/java/tech/pegasys/web3signer/signing/config/metadata/AwsKeySigningMetadata.java +++ b/signing/src/main/java/tech/pegasys/web3signer/signing/config/metadata/AwsKeySigningMetadata.java @@ -15,7 +15,7 @@ import tech.pegasys.web3signer.common.config.AwsAuthenticationMode; import tech.pegasys.web3signer.signing.ArtifactSigner; import tech.pegasys.web3signer.signing.KeyType; -import tech.pegasys.web3signer.signing.config.AwsSecretsManagerParameters; +import tech.pegasys.web3signer.signing.config.AwsParameters; import java.net.URI; import java.util.Optional; @@ -23,7 +23,7 @@ import com.fasterxml.jackson.databind.annotation.JsonDeserialize; @JsonDeserialize(using = AwsKeySigningMetadataDeserializer.class) -public class AwsKeySigningMetadata extends SigningMetadata implements AwsSecretsManagerParameters { +public class AwsKeySigningMetadata extends SigningMetadata implements AwsParameters { public static final String TYPE = "aws-secret"; private final AwsAuthenticationMode authenticationMode; private final String region; diff --git a/signing/src/testFixtures/java/tech/pegasys/web3signer/signing/config/AwsSecretsManagerParametersBuilder.java b/signing/src/testFixtures/java/tech/pegasys/web3signer/signing/config/AwsParametersBuilder.java similarity index 77% rename from signing/src/testFixtures/java/tech/pegasys/web3signer/signing/config/AwsSecretsManagerParametersBuilder.java rename to signing/src/testFixtures/java/tech/pegasys/web3signer/signing/config/AwsParametersBuilder.java index 897da217f..7853c89ed 100644 --- a/signing/src/testFixtures/java/tech/pegasys/web3signer/signing/config/AwsSecretsManagerParametersBuilder.java 
+++ b/signing/src/testFixtures/java/tech/pegasys/web3signer/signing/config/AwsParametersBuilder.java @@ -19,7 +19,7 @@ import java.util.Collections; import java.util.Optional; -public final class AwsSecretsManagerParametersBuilder { +public final class AwsParametersBuilder { private AwsAuthenticationMode authenticationMode = AwsAuthenticationMode.SPECIFIED; private String accessKeyId; private String secretAccessKey; 
@@ -31,63 +31,59 @@ public final class AwsSecretsManagerParametersBuilder { private Optional endpointURI = Optional.empty(); - private AwsSecretsManagerParametersBuilder() {} + private AwsParametersBuilder() {} - public static AwsSecretsManagerParametersBuilder anAwsSecretsManagerParameters() { - return new AwsSecretsManagerParametersBuilder(); + public static AwsParametersBuilder anAwsSecretsManagerParameters() { + return new AwsParametersBuilder(); } - public AwsSecretsManagerParametersBuilder withAuthenticationMode( + public AwsParametersBuilder withAuthenticationMode( final AwsAuthenticationMode authenticationMode) { this.authenticationMode = authenticationMode; return this; } - public AwsSecretsManagerParametersBuilder withAccessKeyId(final String accessKeyId) { + public AwsParametersBuilder withAccessKeyId(final String accessKeyId) { this.accessKeyId = accessKeyId; return this; } - public AwsSecretsManagerParametersBuilder withSecretAccessKey(final String secretAccessKey) { + public AwsParametersBuilder withSecretAccessKey(final String secretAccessKey) { this.secretAccessKey = secretAccessKey; return this; } - public AwsSecretsManagerParametersBuilder withRegion(final String region) { + public AwsParametersBuilder withRegion(final String region) { this.region = region; return this; } - public AwsSecretsManagerParametersBuilder withPrefixesFilter( - final Collection prefixesFilter) { + public AwsParametersBuilder withPrefixesFilter(final Collection prefixesFilter) { this.prefixesFilter = prefixesFilter; return this; } - public AwsSecretsManagerParametersBuilder withTagNamesFilter( - final Collection tagNameFilters) { + public AwsParametersBuilder withTagNamesFilter(final Collection tagNameFilters) { this.tagNamesFilter = tagNameFilters; return this; } - public AwsSecretsManagerParametersBuilder withTagValuesFilter( - final Collection tagValuesFilter) { + public AwsParametersBuilder withTagValuesFilter(final Collection tagValuesFilter) { this.tagValuesFilter = 
tagValuesFilter; return this; } - public AwsSecretsManagerParametersBuilder withCacheMaximumSize(final long cacheMaximumSize) { + public AwsParametersBuilder withCacheMaximumSize(final long cacheMaximumSize) { this.cacheMaximumSize = cacheMaximumSize; return this; } - public AwsSecretsManagerParametersBuilder withEndpointOverride( - final Optional endpointOverride) { + public AwsParametersBuilder withEndpointOverride(final Optional endpointOverride) { this.endpointURI = endpointOverride; return this; } - public AwsSecretsManagerParameters build() { + public AwsParameters build() { if (authenticationMode == AwsAuthenticationMode.SPECIFIED) { if (accessKeyId == null) { throw new IllegalArgumentException("accessKeyId is required"); @@ -102,7 +98,7 @@ public AwsSecretsManagerParameters build() { } } - return new TestAwsSecretsManagerParameters( + return new TestAwsParameters( authenticationMode, accessKeyId, secretAccessKey, @@ -114,7 +110,7 @@ public AwsSecretsManagerParameters build() { endpointURI); } - private static class TestAwsSecretsManagerParameters implements AwsSecretsManagerParameters { + private static class TestAwsParameters implements AwsParameters { private final AwsAuthenticationMode authenticationMode; private final String accessKeyId; private final String secretAccessKey; @@ -125,7 +121,7 @@ private static class TestAwsSecretsManagerParameters implements AwsSecretsManage private final long cacheMaximumSize; private final Optional endpointOverride; - TestAwsSecretsManagerParameters( + TestAwsParameters( final AwsAuthenticationMode authenticationMode, final String accessKeyId, final String secretAccessKey, From fc4eb12b56274d83d4330a2da694bdebfd22e631 Mon Sep 17 00:00:00 2001 
From: Jason Frame Date: Mon, 21 Aug 2023 14:10:38 +1000 Subject: [PATCH 02/21] Rename AWSBulkLoadingArtifactSignerProvider to BlsAwsBulkLoader to make room for a secp variant --- .../java/tech/pegasys/web3signer/core/Eth2Runner.java | 8 +++----- ...gArtifactSignerProvider.java => BlsAwsBulkLoader.java} | 2 +- 2 files changed, 4 insertions(+), 6 deletions(-) rename signing/src/main/java/tech/pegasys/web3signer/signing/bulkloading/{AWSBulkLoadingArtifactSignerProvider.java => BlsAwsBulkLoader.java} (97%) diff --git a/core/src/main/java/tech/pegasys/web3signer/core/Eth2Runner.java b/core/src/main/java/tech/pegasys/web3signer/core/Eth2Runner.java index 4b6b23941..27cc74958 100644 --- a/core/src/main/java/tech/pegasys/web3signer/core/Eth2Runner.java +++ b/core/src/main/java/tech/pegasys/web3signer/core/Eth2Runner.java @@ -43,7 +43,7 @@ import tech.pegasys.web3signer.signing.FileValidatorManager; import tech.pegasys.web3signer.signing.KeystoreFileManager; import tech.pegasys.web3signer.signing.ValidatorManager; -import tech.pegasys.web3signer.signing.bulkloading.AWSBulkLoadingArtifactSignerProvider; +import tech.pegasys.web3signer.signing.bulkloading.BlsAwsBulkLoader; import tech.pegasys.web3signer.signing.bulkloading.BlsKeystoreBulkLoader; import tech.pegasys.web3signer.signing.config.AwsParameters; import tech.pegasys.web3signer.signing.config.AzureKeyVaultFactory; 
@@ -340,11 +340,9 @@ private MappedResults bulkLoadSigners( if (awsParameters.isEnabled()) { LOG.info("Bulk loading keys from AWS Secrets Manager ... "); - final AWSBulkLoadingArtifactSignerProvider awsBulkLoadingArtifactSignerProvider = - new AWSBulkLoadingArtifactSignerProvider(); + final BlsAwsBulkLoader blsAwsBulkLoader = new BlsAwsBulkLoader(); - final MappedResults awsResult = - awsBulkLoadingArtifactSignerProvider.load(awsParameters); + final MappedResults awsResult = blsAwsBulkLoader.load(awsParameters); LOG.info( "Keys loaded from AWS Secrets Manager: [{}], with error count: [{}]", awsResult.getValues().size(), diff --git a/signing/src/main/java/tech/pegasys/web3signer/signing/bulkloading/AWSBulkLoadingArtifactSignerProvider.java b/signing/src/main/java/tech/pegasys/web3signer/signing/bulkloading/BlsAwsBulkLoader.java similarity index 97% rename from signing/src/main/java/tech/pegasys/web3signer/signing/bulkloading/AWSBulkLoadingArtifactSignerProvider.java rename to signing/src/main/java/tech/pegasys/web3signer/signing/bulkloading/BlsAwsBulkLoader.java index fce2ec353..51750254e 100644 --- a/signing/src/main/java/tech/pegasys/web3signer/signing/bulkloading/AWSBulkLoadingArtifactSignerProvider.java +++ b/signing/src/main/java/tech/pegasys/web3signer/signing/bulkloading/BlsAwsBulkLoader.java @@ -26,7 +26,7 @@ import org.apache.tuweni.bytes.Bytes; import org.apache.tuweni.bytes.Bytes32; -public class AWSBulkLoadingArtifactSignerProvider { +public class BlsAwsBulkLoader { public MappedResults load(final AwsParameters parameters) { try (final AwsSecretsManagerProvider awsSecretsManagerProvider = From ad2d0ff2d541ba260ba1e767e56f02238c20005f Mon Sep 17 00:00:00 2001 
From: Jason Frame Date: Tue, 22 Aug 2023 13:14:11 +1000 Subject: [PATCH 03/21] SecpAwsBulkLoader --- .../bulkloading/SecpAwsBulkLoader.java | 78 +++++++++++++++++++ .../config/metadata/AwsKmsMetadata.java | 18 ++++- .../signing/secp256k1/aws/AwsKmsClient.java | 46 +++++++++++ .../secp256k1/aws/AwsKmsSignerTest.java | 5 +- 4 files changed, 145 insertions(+), 2 deletions(-) create mode 100644 signing/src/main/java/tech/pegasys/web3signer/signing/bulkloading/SecpAwsBulkLoader.java diff --git a/signing/src/main/java/tech/pegasys/web3signer/signing/bulkloading/SecpAwsBulkLoader.java b/signing/src/main/java/tech/pegasys/web3signer/signing/bulkloading/SecpAwsBulkLoader.java new file mode 100644 index 000000000..b6e7cc88e --- /dev/null +++ b/signing/src/main/java/tech/pegasys/web3signer/signing/bulkloading/SecpAwsBulkLoader.java 
@@ -0,0 +1,78 @@ +/* + * Copyright 2022 ConsenSys AG. + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on + * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the + * specific language governing permissions and limitations under the License. + */ +package tech.pegasys.web3signer.signing.bulkloading; + +import tech.pegasys.web3signer.common.config.AwsAuthenticationMode; +import tech.pegasys.web3signer.common.config.AwsCredentials; +import tech.pegasys.web3signer.keystorage.common.MappedResults; +import tech.pegasys.web3signer.signing.ArtifactSigner; +import tech.pegasys.web3signer.signing.EthSecpArtifactSigner; +import tech.pegasys.web3signer.signing.config.AwsCredentialsProviderFactory; +import tech.pegasys.web3signer.signing.config.AwsParameters; +import tech.pegasys.web3signer.signing.config.metadata.AwsKmsMetadata; +import tech.pegasys.web3signer.signing.secp256k1.aws.AwsKmsClient; +import tech.pegasys.web3signer.signing.secp256k1.aws.AwsKmsSignerFactory; +import tech.pegasys.web3signer.signing.secp256k1.aws.CachedAwsKmsClientFactory; + +import java.util.Optional; + +import software.amazon.awssdk.auth.credentials.AwsCredentialsProvider; + +public class SecpAwsBulkLoader { + private final CachedAwsKmsClientFactory cachedAwsKmsClientFactory; + private final AwsKmsSignerFactory awsKmsSignerFactory; + + public SecpAwsBulkLoader( + final CachedAwsKmsClientFactory cachedAwsKmsClientFactory, + final AwsKmsSignerFactory awsKmsSignerFactory) { + this.cachedAwsKmsClientFactory = cachedAwsKmsClientFactory; + this.awsKmsSignerFactory = awsKmsSignerFactory; + } + + public MappedResults load(final AwsParameters 
parameters) { + final Optional awsCredentials = + parameters.getAuthenticationMode() == AwsAuthenticationMode.SPECIFIED + ? Optional.of( + AwsCredentials.builder() + .withAccessKeyId(parameters.getAccessKeyId()) + .withSecretAccessKey(parameters.getSecretAccessKey()) + .build()) + : Optional.empty(); + + final AwsCredentialsProvider awsCredentialsProvider = + AwsCredentialsProviderFactory.createAwsCredentialsProvider( + parameters.getAuthenticationMode(), awsCredentials); + final AwsKmsClient kmsClient = + cachedAwsKmsClientFactory.createKmsClient( + awsCredentialsProvider, parameters.getRegion(), parameters.getEndpointOverride()); + return kmsClient.mapKeyList( + parameters.getPrefixesFilter(), + parameters.getTagNamesFilter(), + parameters.getTagValuesFilter(), + kl -> createSigner(awsCredentials, parameters, kl.keyId())); + } + + private EthSecpArtifactSigner createSigner( + final Optional awsCredentials, + final AwsParameters awsParameters, + final String keyId) { + return new EthSecpArtifactSigner( + awsKmsSignerFactory.createSigner( + new AwsKmsMetadata( + awsParameters.getAuthenticationMode(), + awsParameters.getRegion(), + awsCredentials, + keyId, + awsParameters.getEndpointOverride()))); + } +} diff --git a/signing/src/main/java/tech/pegasys/web3signer/signing/config/metadata/AwsKmsMetadata.java b/signing/src/main/java/tech/pegasys/web3signer/signing/config/metadata/AwsKmsMetadata.java index fe9f126c9..f74232f27 100644 --- a/signing/src/main/java/tech/pegasys/web3signer/signing/config/metadata/AwsKmsMetadata.java +++ b/signing/src/main/java/tech/pegasys/web3signer/signing/config/metadata/AwsKmsMetadata.java @@ -16,6 +16,7 @@ import tech.pegasys.web3signer.common.config.AwsCredentials; import tech.pegasys.web3signer.signing.ArtifactSigner; import tech.pegasys.web3signer.signing.KeyType; +import tech.pegasys.web3signer.signing.config.AwsParameters; import java.net.URI; import java.util.Optional; 
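Review bot: `createSigner` runs inside the mapper that `AwsKmsClient.mapKeyList` invokes from `parallelStream().forEach(...)`, so `awsKmsSignerFactory.createSigner` and the `CachedAwsKmsClientFactory` cache behind it are called concurrently from the common fork-join pool, and nothing in this class states that they are safe for that. The prefix/tag filters passed on the `mapKeyList` call are also not applied by the client as it appears in this series, so a reader of `load` would wrongly assume the result is scoped. The class has no Javadoc; suggest a header comment along the lines of `/** Bulk-loads one EthSecpArtifactSigner per KMS key returned by the listing for the configured region; per-key failures are counted in the returned MappedResults rather than thrown, and signer creation runs in parallel, so the supplied factories must be thread-safe. */`. Minor: the header says `Copyright 2022` in a file created in 2023.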
@@ -23,7 +24,7 @@ import com.fasterxml.jackson.databind.annotation.JsonDeserialize; @JsonDeserialize(using = AwsKmsMetadataDeserializer.class) -public class AwsKmsMetadata extends SigningMetadata { +public class AwsKmsMetadata extends SigningMetadata implements AwsParameters { public static final String TYPE = "aws-kms"; private final AwsAuthenticationMode authenticationMode; private final String region; @@ -45,10 +46,25 @@ public AwsKmsMetadata( this.endpointOverride = endpointOverride; } + @Override + public boolean isEnabled() { + return true; + } + public AwsAuthenticationMode getAuthenticationMode() { return this.authenticationMode; } + @Override + public String getAccessKeyId() { + return null; + } + + @Override + public String getSecretAccessKey() { + return null; + } + public Optional getAwsCredentials() { return awsCredentials; } diff --git a/signing/src/main/java/tech/pegasys/web3signer/signing/secp256k1/aws/AwsKmsClient.java b/signing/src/main/java/tech/pegasys/web3signer/signing/secp256k1/aws/AwsKmsClient.java index 8780616ff..40b9c5b6c 100644 --- a/signing/src/main/java/tech/pegasys/web3signer/signing/secp256k1/aws/AwsKmsClient.java +++ b/signing/src/main/java/tech/pegasys/web3signer/signing/secp256k1/aws/AwsKmsClient.java 
@@ -14,20 +14,30 @@ import static com.google.common.base.Preconditions.checkArgument; +import tech.pegasys.web3signer.keystorage.common.MappedResults; + import java.security.KeyFactory; import java.security.NoSuchAlgorithmException; import java.security.Provider; import java.security.interfaces.ECPublicKey; import java.security.spec.InvalidKeySpecException; import java.security.spec.X509EncodedKeySpec; +import java.util.Collection; +import java.util.Set; +import java.util.concurrent.ConcurrentHashMap; +import java.util.concurrent.atomic.AtomicInteger; +import java.util.function.Function; import com.google.common.annotations.VisibleForTesting; +import org.apache.logging.log4j.LogManager; +import org.apache.logging.log4j.Logger; import org.bouncycastle.jce.provider.BouncyCastleProvider; import software.amazon.awssdk.core.SdkBytes; import software.amazon.awssdk.services.kms.KmsClient; import software.amazon.awssdk.services.kms.model.CreateKeyRequest; import software.amazon.awssdk.services.kms.model.GetPublicKeyRequest; import software.amazon.awssdk.services.kms.model.GetPublicKeyResponse; +import software.amazon.awssdk.services.kms.model.KeyListEntry; import software.amazon.awssdk.services.kms.model.KeySpec; import software.amazon.awssdk.services.kms.model.MessageType; import software.amazon.awssdk.services.kms.model.ScheduleKeyDeletionRequest; @@ -40,6 +50,7 @@ * not implemented close method. */ public class AwsKmsClient { + private static final Logger LOG = LogManager.getLogger(); private static final Provider BC_PROVIDER = new BouncyCastleProvider(); private final KmsClient kmsClient; 
@@ -82,6 +93,41 @@ public byte[] sign(final String kmsKeyId, final byte[] data) {
     return kmsClient.sign(signRequest).signature().asByteArray();
   }
 
+  public MappedResults mapKeyList(
+      final Collection namePrefixes,
+      final Collection tagKeys,
+      final Collection tagValues,
+      final Function mapper) {
+    final Set result = ConcurrentHashMap.newKeySet();
+    final AtomicInteger errorCount = new AtomicInteger(0);
+
+    try {
+      kmsClient
+          .listKeysPaginator()
+          .iterator()
+          .forEachRemaining(
+              listKeysResponse ->
+                  listKeysResponse.keys().parallelStream()
+                      .forEach(
+                          keyListEntry -> {
+                            try {
+                              final R value = mapper.apply(keyListEntry);
+                              result.add(value);
+                            } catch (final Exception e) {
+                              LOG.warn(
+                                  "Failed to map keyListEntry '{}' to requested object type.",
+                                  keyListEntry.keyId());
+                              errorCount.incrementAndGet();
+                            }
+                          }));
+    } catch (Exception e) {
+      LOG.error("Unexpected error during Aws mapKeyList", e);
+      errorCount.incrementAndGet();
+    }
+
+    return MappedResults.newInstance(result, errorCount.intValue());
+  }
+
   @VisibleForTesting
   public String createKey(CreateKeyRequest createKeyRequest) {
     return kmsClient.createKey(createKeyRequest).keyMetadata().keyId();
diff --git a/signing/src/test/java/tech/pegasys/web3signer/signing/secp256k1/aws/AwsKmsSignerTest.java b/signing/src/test/java/tech/pegasys/web3signer/signing/secp256k1/aws/AwsKmsSignerTest.java
index 2d0b8d1cd..fcf68cadc 100644
--- a/signing/src/test/java/tech/pegasys/web3signer/signing/secp256k1/aws/AwsKmsSignerTest.java
+++ b/signing/src/test/java/tech/pegasys/web3signer/signing/secp256k1/aws/AwsKmsSignerTest.java
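Review bot: `namePrefixes`, `tagKeys` and `tagValues` are accepted by `mapKeyList` but never read, so every key that `listKeysPaginator()` returns is handed to `mapper` and, through `SecpAwsBulkLoader`, becomes a signer; the prefix/tag filters an operator configures to limit which KMS keys this service may sign with have no effect. As far as I recall the list entries carry only the key id and ARN, so honouring the filters needs a per-key tag lookup (and an alias lookup for prefixes) before `mapper.apply`, and that is also the natural place to skip keys whose spec is not secp256k1 instead of letting each one presumably fail inside the mapper and inflate the error count. Until that exists, either implement it or drop the three parameters so callers cannot believe the load is scoped, and add a test that lists two keys and asserts the non-matching one is skipped. Secondary: `parallelStream()` fans the per-key work out on the common pool with no bound, which on an account with many keys may run into KMS request throttling; a bounded executor would be safer.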
@@ -133,8 +133,11 @@ void awsSignatureCanBeVerified() throws SignatureException { ENDPOINT_OVERRIDE); final long kmsClientCacheSize = 1; final boolean applySha3Hash = true; + final CachedAwsKmsClientFactory cachedAwsKmsClientFactory = + new CachedAwsKmsClientFactory(kmsClientCacheSize); final Signer signer = - new AwsKmsSignerFactory(kmsClientCacheSize, applySha3Hash).createSigner(awsKmsMetadata); + new AwsKmsSignerFactory(cachedAwsKmsClientFactory, applySha3Hash) + .createSigner(awsKmsMetadata); final BigInteger publicKey = Numeric.toBigInt(EthPublicKeyUtils.toByteArray(signer.getPublicKey())); From 6b2960b3577b8c957ebea8f8b616ee1c2847dd08 Mon Sep 17 00:00:00 2001 From: Jason Frame Date: Wed, 23 Aug 2023 13:50:58 +1000 Subject: [PATCH 04/21] AwsKmsClient tests --- .../config/metadata/AwsKmsMetadata.java | 18 +- .../signing/secp256k1/aws/AwsKmsClient.java | 7 +- .../secp256k1/aws/AwsKmsClientTest.java | 178 ++++++++++++++++++ .../secp256k1/aws/AwsKmsSignerTest.java | 5 +- 4 files changed, 184 insertions(+), 24 deletions(-) create mode 100644 signing/src/test/java/tech/pegasys/web3signer/signing/secp256k1/aws/AwsKmsClientTest.java diff --git a/signing/src/main/java/tech/pegasys/web3signer/signing/config/metadata/AwsKmsMetadata.java b/signing/src/main/java/tech/pegasys/web3signer/signing/config/metadata/AwsKmsMetadata.java index f74232f27..fe9f126c9 100644 --- a/signing/src/main/java/tech/pegasys/web3signer/signing/config/metadata/AwsKmsMetadata.java +++ b/signing/src/main/java/tech/pegasys/web3signer/signing/config/metadata/AwsKmsMetadata.java @@ -16,7 +16,6 @@ import tech.pegasys.web3signer.common.config.AwsCredentials; import tech.pegasys.web3signer.signing.ArtifactSigner; import tech.pegasys.web3signer.signing.KeyType; -import tech.pegasys.web3signer.signing.config.AwsParameters; import java.net.URI; import java.util.Optional; 
@@ -24,7 +23,7 @@ import com.fasterxml.jackson.databind.annotation.JsonDeserialize; @JsonDeserialize(using = AwsKmsMetadataDeserializer.class) -public class AwsKmsMetadata extends SigningMetadata implements AwsParameters { +public class AwsKmsMetadata extends SigningMetadata { public static final String TYPE = "aws-kms"; private final AwsAuthenticationMode authenticationMode; private final String region; @@ -46,25 +45,10 @@ public AwsKmsMetadata( this.endpointOverride = endpointOverride; } - @Override - public boolean isEnabled() { - return true; - } - public AwsAuthenticationMode getAuthenticationMode() { return this.authenticationMode; } - @Override - public String getAccessKeyId() { - return null; - } - - @Override - public String getSecretAccessKey() { - return null; - } - public Optional getAwsCredentials() { return awsCredentials; } diff --git a/signing/src/main/java/tech/pegasys/web3signer/signing/secp256k1/aws/AwsKmsClient.java b/signing/src/main/java/tech/pegasys/web3signer/signing/secp256k1/aws/AwsKmsClient.java index 40b9c5b6c..07bdf3089 100644 --- a/signing/src/main/java/tech/pegasys/web3signer/signing/secp256k1/aws/AwsKmsClient.java +++ b/signing/src/main/java/tech/pegasys/web3signer/signing/secp256k1/aws/AwsKmsClient.java @@ -94,10 +94,10 @@ public byte[] sign(final String kmsKeyId, final byte[] data) { } public MappedResults mapKeyList( + final Function mapper, final Collection namePrefixes, final Collection tagKeys, - final Collection tagValues, - final Function mapper) { + final Collection tagValues) { final Set result = ConcurrentHashMap.newKeySet(); final AtomicInteger errorCount = new AtomicInteger(0); @@ -116,7 +116,8 @@ public MappedResults mapKeyList( } catch (final Exception e) { LOG.warn( "Failed to map keyListEntry '{}' to requested object type.", - keyListEntry.keyId()); + keyListEntry.keyId(), + e); errorCount.incrementAndGet(); } })); 
diff --git a/signing/src/test/java/tech/pegasys/web3signer/signing/secp256k1/aws/AwsKmsClientTest.java b/signing/src/test/java/tech/pegasys/web3signer/signing/secp256k1/aws/AwsKmsClientTest.java new file mode 100644 index 000000000..25437208f --- /dev/null +++ b/signing/src/test/java/tech/pegasys/web3signer/signing/secp256k1/aws/AwsKmsClientTest.java 
@@ -0,0 +1,178 @@ +/* + * Copyright 2023 ConsenSys AG. + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on + * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the + * specific language governing permissions and limitations under the License. + */ +package tech.pegasys.web3signer.signing.secp256k1.aws; + +import static org.assertj.core.api.Assertions.assertThat; + +import tech.pegasys.web3signer.common.config.AwsAuthenticationMode; +import tech.pegasys.web3signer.common.config.AwsCredentials; +import tech.pegasys.web3signer.keystorage.common.MappedResults; +import tech.pegasys.web3signer.signing.config.AwsCredentialsProviderFactory; + +import java.util.Collections; +import java.util.Optional; + +import org.assertj.core.api.Assertions; +import org.junit.jupiter.api.AfterAll; +import org.junit.jupiter.api.BeforeAll; +import org.junit.jupiter.api.Test; +import org.junit.jupiter.api.condition.EnabledIfEnvironmentVariable; +import software.amazon.awssdk.auth.credentials.AwsCredentialsProvider; +import software.amazon.awssdk.regions.Region; +import software.amazon.awssdk.services.kms.KmsClient; +import software.amazon.awssdk.services.kms.model.CreateKeyRequest; +import software.amazon.awssdk.services.kms.model.KeyListEntry; +import software.amazon.awssdk.services.kms.model.KeySpec; +import software.amazon.awssdk.services.kms.model.KeyUsageType; +import software.amazon.awssdk.services.kms.model.ScheduleKeyDeletionRequest; + +@EnabledIfEnvironmentVariable( + named = "RW_AWS_ACCESS_KEY_ID", + matches = ".*", + disabledReason = "RW_AWS_ACCESS_KEY_ID env variable is required") +@EnabledIfEnvironmentVariable( + named 
= "RW_AWS_SECRET_ACCESS_KEY", + matches = ".*", + disabledReason = "RW_AWS_SECRET_ACCESS_KEY env variable is required") +@EnabledIfEnvironmentVariable( + named = "AWS_ACCESS_KEY_ID", + matches = ".*", + disabledReason = "AWS_ACCESS_KEY_ID env variable is required") +@EnabledIfEnvironmentVariable( + named = "AWS_SECRET_ACCESS_KEY", + matches = ".*", + disabledReason = "AWS_SECRET_ACCESS_KEY env variable is required") +@EnabledIfEnvironmentVariable( + named = "AWS_REGION", + matches = ".*", + disabledReason = "AWS_REGION env variable is required") +public class AwsKmsClientTest { + private static final String AWS_ACCESS_KEY_ID = System.getenv("AWS_ACCESS_KEY_ID"); + private static final String AWS_SECRET_ACCESS_KEY = System.getenv("AWS_SECRET_ACCESS_KEY"); + private static final String AWS_REGION = System.getenv("AWS_REGION"); + private static final String RW_AWS_ACCESS_KEY_ID = System.getenv("RW_AWS_ACCESS_KEY_ID"); + private static final String RW_AWS_SECRET_ACCESS_KEY = System.getenv("RW_AWS_SECRET_ACCESS_KEY"); + private static final String AWS_SESSION_TOKEN = System.getenv("AWS_SESSION_TOKEN"); + private static final AwsCredentials AWS_RW_CREDENTIALS = + AwsCredentials.builder() + .withAccessKeyId(RW_AWS_ACCESS_KEY_ID) + .withSecretAccessKey(RW_AWS_SECRET_ACCESS_KEY) + .withSessionToken(AWS_SESSION_TOKEN) + .build(); + + private static final AwsCredentials AWS_CREDENTIALS = + AwsCredentials.builder() + .withAccessKeyId(AWS_ACCESS_KEY_ID) + .withSecretAccessKey(AWS_SECRET_ACCESS_KEY) + .withSessionToken(AWS_SESSION_TOKEN) + .build(); + + private static AwsKmsClient awsRwKmsClient; + private static String testKeyId; + + @BeforeAll + static void init() { + final AwsCredentialsProvider awsCredentialsProvider = + AwsCredentialsProviderFactory.createAwsCredentialsProvider( + AwsAuthenticationMode.SPECIFIED, Optional.of(AWS_RW_CREDENTIALS)); + + final KmsClient kmsClient = + KmsClient.builder() + .credentialsProvider(awsCredentialsProvider) + 
.region(Region.of(AWS_REGION)) + .build(); + + awsRwKmsClient = new AwsKmsClient(kmsClient); + + // create a test key + final CreateKeyRequest web3SignerTestingKey = + CreateKeyRequest.builder() + .keySpec(KeySpec.ECC_SECG_P256_K1) + .description("Web3Signer Testing Key") + .keyUsage(KeyUsageType.SIGN_VERIFY) + .build(); + testKeyId = awsRwKmsClient.createKey(web3SignerTestingKey); + assertThat(testKeyId).isNotEmpty(); + } + + @AfterAll + static void cleanup() { + if (awsRwKmsClient == null) { + return; + } + // delete key + ScheduleKeyDeletionRequest deletionRequest = + ScheduleKeyDeletionRequest.builder().keyId(testKeyId).pendingWindowInDays(7).build(); + awsRwKmsClient.scheduleKeyDeletion(deletionRequest); + } + + @Test + void keyPropertiesCanBeMappedUsingCustomMappingFunction() { + final AwsCredentialsProvider awsCredentialsProvider = + AwsCredentialsProviderFactory.createAwsCredentialsProvider( + AwsAuthenticationMode.SPECIFIED, Optional.of(AWS_CREDENTIALS)); + final KmsClient kmsClient = + KmsClient.builder() + .credentialsProvider(awsCredentialsProvider) + .region(Region.of(AWS_REGION)) + .build(); + final AwsKmsClient awsKmsClient = new AwsKmsClient(kmsClient); + + final MappedResults result = + awsKmsClient.mapKeyList( + KeyListEntry::keyId, + Collections.emptyList(), + Collections.emptyList(), + Collections.emptyList()); + + final Optional testKeyEntry = + result.getValues().stream().filter(e -> e.equals(testKeyId)).findAny(); + Assertions.assertThat(testKeyEntry).isPresent(); + Assertions.assertThat(testKeyEntry.get()).isEqualTo(testKeyId); + Assertions.assertThat(result.getErrorCount()).isZero(); + } + + @Test + void mapKeyPropertiesThrowsAwayObjectsWhichFailMapper() { + final AwsCredentialsProvider awsCredentialsProvider = + AwsCredentialsProviderFactory.createAwsCredentialsProvider( + AwsAuthenticationMode.SPECIFIED, Optional.of(AWS_CREDENTIALS)); + final KmsClient kmsClient = + KmsClient.builder() + .credentialsProvider(awsCredentialsProvider) + 
.region(Region.of(AWS_REGION)) + .build(); + final AwsKmsClient awsKmsClient = new AwsKmsClient(kmsClient); + + final MappedResults result = + awsKmsClient.mapKeyList( + kl -> { + if (kl.keyId().equals(testKeyId)) { + throw new IllegalStateException("Failed mapper"); + } else { + return kl.keyId(); + } + }, + Collections.emptyList(), + Collections.emptyList(), + Collections.emptyList()); + + final Optional testKeyEntry = + result.getValues().stream().filter(e -> e.equals(testKeyId)).findAny(); + Assertions.assertThat(testKeyEntry).isEmpty(); + Assertions.assertThat(result.getErrorCount()).isOne(); + } + + // TODO JF tests for tags mapKeyPropertiesUsingTags, mapKeyPropertiesWhenTagsDoesNotExist + +} diff --git a/signing/src/test/java/tech/pegasys/web3signer/signing/secp256k1/aws/AwsKmsSignerTest.java b/signing/src/test/java/tech/pegasys/web3signer/signing/secp256k1/aws/AwsKmsSignerTest.java index fcf68cadc..2d0b8d1cd 100644 --- a/signing/src/test/java/tech/pegasys/web3signer/signing/secp256k1/aws/AwsKmsSignerTest.java +++ b/signing/src/test/java/tech/pegasys/web3signer/signing/secp256k1/aws/AwsKmsSignerTest.java @@ -133,11 +133,8 @@ void awsSignatureCanBeVerified() throws SignatureException { ENDPOINT_OVERRIDE); final long kmsClientCacheSize = 1; final boolean applySha3Hash = true; - final CachedAwsKmsClientFactory cachedAwsKmsClientFactory = - new CachedAwsKmsClientFactory(kmsClientCacheSize); final Signer signer = - new AwsKmsSignerFactory(cachedAwsKmsClientFactory, applySha3Hash) - .createSigner(awsKmsMetadata); + new AwsKmsSignerFactory(kmsClientCacheSize, applySha3Hash).createSigner(awsKmsMetadata); final BigInteger publicKey = Numeric.toBigInt(EthPublicKeyUtils.toByteArray(signer.getPublicKey())); From c3a3fc4311b0735628154f71f3adac82bfd79c0a Mon Sep 17 00:00:00 2001 
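Review bot: Every `@EnabledIfEnvironmentVariable` guard uses `matches = ".*"`, which also matches an empty string, so `AWS_REGION=""` (or an empty key id) enables the test and it then fails inside `Region.of`/the SDK instead of being skipped; `matches = ".+"` expresses the intended "must be set and non-empty". The single `AWS_SESSION_TOKEN` is attached to both `AWS_RW_CREDENTIALS` (built from `RW_AWS_ACCESS_KEY_ID`) and `AWS_CREDENTIALS` (built from `AWS_ACCESS_KEY_ID`); a session token is only valid together with the temporary key pair it was issued with, so as far as I can tell this only works when both pairs are the same principal, which defeats the read-only/read-write split — consider separate `RW_AWS_SESSION_TOKEN`/`AWS_SESSION_TOKEN` variables or a comment stating the assumption. `cleanup()` guards on `awsRwKmsClient == null` but not on `testKeyId == null`, so a `createKey` failure in `init()` leads to `scheduleKeyDeletion` being called with a null key id; `if (awsRwKmsClient == null || testKeyId == null) { return; }` covers both.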
From: Jason Frame Date: Thu, 24 Aug 2023 15:41:05 +1000 Subject: [PATCH 05/21] Add support for tags --- .../bulkloading/SecpAwsBulkLoader.java | 4 +- .../signing/secp256k1/aws/AwsKmsClient.java | 25 +++ .../secp256k1/aws/AwsKmsClientTest.java | 165 +++++++++++------- .../tech/pegasys/web3signer/AwsKmsUtil.java | 78 +++++++++ 4 files changed, 204 insertions(+), 68 deletions(-) create mode 100644 signing/src/testFixtures/java/tech/pegasys/web3signer/AwsKmsUtil.java diff --git a/signing/src/main/java/tech/pegasys/web3signer/signing/bulkloading/SecpAwsBulkLoader.java b/signing/src/main/java/tech/pegasys/web3signer/signing/bulkloading/SecpAwsBulkLoader.java index b6e7cc88e..4572ec92a 100644 --- a/signing/src/main/java/tech/pegasys/web3signer/signing/bulkloading/SecpAwsBulkLoader.java +++ b/signing/src/main/java/tech/pegasys/web3signer/signing/bulkloading/SecpAwsBulkLoader.java @@ -56,10 +56,10 @@ public MappedResults load(final AwsParameters parameters) { cachedAwsKmsClientFactory.createKmsClient( awsCredentialsProvider, parameters.getRegion(), parameters.getEndpointOverride()); return kmsClient.mapKeyList( + kl -> createSigner(awsCredentials, parameters, kl.keyId()), parameters.getPrefixesFilter(), parameters.getTagNamesFilter(), - parameters.getTagValuesFilter(), - kl -> createSigner(awsCredentials, parameters, kl.keyId())); + parameters.getTagValuesFilter()); } private EthSecpArtifactSigner createSigner( diff --git a/signing/src/main/java/tech/pegasys/web3signer/signing/secp256k1/aws/AwsKmsClient.java b/signing/src/main/java/tech/pegasys/web3signer/signing/secp256k1/aws/AwsKmsClient.java index 07bdf3089..d7a57fddf 100644 --- a/signing/src/main/java/tech/pegasys/web3signer/signing/secp256k1/aws/AwsKmsClient.java +++ b/signing/src/main/java/tech/pegasys/web3signer/signing/secp256k1/aws/AwsKmsClient.java 
@@ -23,6 +23,7 @@ import java.security.spec.InvalidKeySpecException; import java.security.spec.X509EncodedKeySpec; import java.util.Collection; +import java.util.List; import java.util.Set; import java.util.concurrent.ConcurrentHashMap; import java.util.concurrent.atomic.AtomicInteger; @@ -39,10 +40,12 @@ import software.amazon.awssdk.services.kms.model.GetPublicKeyResponse; import software.amazon.awssdk.services.kms.model.KeyListEntry; import software.amazon.awssdk.services.kms.model.KeySpec; +import software.amazon.awssdk.services.kms.model.ListResourceTagsRequest; import software.amazon.awssdk.services.kms.model.MessageType; import software.amazon.awssdk.services.kms.model.ScheduleKeyDeletionRequest; import software.amazon.awssdk.services.kms.model.SignRequest; import software.amazon.awssdk.services.kms.model.SigningAlgorithmSpec; +import software.amazon.awssdk.services.kms.model.Tag; /** * Wraps KmsClient to allow the same instance to be cached and re-used. It exposes the methods that @@ -108,6 +111,9 @@ public MappedResults mapKeyList( .forEachRemaining( listKeysResponse -> listKeysResponse.keys().parallelStream() + .filter( + keyListEntry -> + keyListPredicate(keyListEntry.keyId(), tagKeys, tagValues)) .forEach( keyListEntry -> { try { 
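Review bot: The new `.filter(keyListEntry -> keyListPredicate(...))` runs a `ListResourceTags` call per key on the `parallelStream()` thread pool, and that call sits outside the per-entry `try`/`catch` that follows it, so a single `SdkException` (throttling is the likely one when many keys are listed in parallel) propagates to the outer catch, logs "Unexpected error during Aws mapKeyList" and abandons the rest of the listing with `errorCount` of 1 — the bulk loader then starts with a silently truncated key set. Move the predicate into the per-entry try, e.g. as its first statement `if (!keyListPredicate(keyListEntry.keyId(), tagKeys, tagValues)) { return; }`, so a failed tag lookup is counted and skipped like a failed mapping. `namePrefixes` is still not applied anywhere in this method; if a prefix filter is not meaningful for KMS key ids the parameter should be documented as ignored. `mapKeyList`'s body continues outside this hunk.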
@@ -129,6 +135,25 @@ public MappedResults mapKeyList( return MappedResults.newInstance(result, errorCount.intValue()); } + private boolean keyListPredicate( + final String keyId, final Collection tagKeys, final Collection tagValues) { + if (tagKeys.isEmpty() && tagValues.isEmpty()) + return true; // we don't want to filter if user-supplied tags map is empty + + final List kmsTags = + kmsClient.listResourceTags(ListResourceTagsRequest.builder().keyId(keyId).build()).tags(); + return matchesTag(kmsTags, tagKeys, Tag::tagKey) + && matchesTag(kmsTags, tagValues, Tag::tagValue); + } + + private boolean matchesTag( + final List kmsTags, + final Collection tags, + final Function tagProperty) { + return tags.isEmpty() + || kmsTags.stream().allMatch(tag -> tags.contains(tagProperty.apply(tag))); + } + @VisibleForTesting public String createKey(CreateKeyRequest createKeyRequest) { return kmsClient.createKey(createKeyRequest).keyMetadata().keyId(); diff --git a/signing/src/test/java/tech/pegasys/web3signer/signing/secp256k1/aws/AwsKmsClientTest.java b/signing/src/test/java/tech/pegasys/web3signer/signing/secp256k1/aws/AwsKmsClientTest.java index 25437208f..a11923e62 100644 --- a/signing/src/test/java/tech/pegasys/web3signer/signing/secp256k1/aws/AwsKmsClientTest.java +++ b/signing/src/test/java/tech/pegasys/web3signer/signing/secp256k1/aws/AwsKmsClientTest.java 
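Review bot: `matchesTag` uses `allMatch`, which has two consequences that make the filter weaker than a reader would expect: a key that carries no tags at all yields an empty stream, `allMatch` on it is `true`, and the untagged key is loaded by any tag filter; and a key tagged `{env=prod, owner=x}` is rejected by `tagKeys=[env]` because `owner` is not in the allowed set. The intent is presumably "the key has at least one tag matching the filter", i.e. `kmsTags.stream().anyMatch(tag -> tags.contains(tagProperty.apply(tag)))`, and `mapKeyPropertiesWhenTagDoesNotExist` should then also assert the untagged key is excluded. Keys and values are matched independently, so `tagKeys=[env]` with `tagValues=[prod]` also accepts a key tagged `env=staging, team=prod`; if that mirrors the Secrets Manager filter semantics it deserves a comment, otherwise filter on key/value pairs. `ListResourceTags` is a paginated API and only the first response's `.tags()` is inspected here, which is fine for a handful of tags but worth a note; the one-line `if` also lacks braces, which the rest of the class uses.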
@@ -12,14 +12,17 @@ */ package tech.pegasys.web3signer.signing.secp256k1.aws; -import static org.assertj.core.api.Assertions.assertThat; - +import tech.pegasys.web3signer.AwsKmsUtil; import tech.pegasys.web3signer.common.config.AwsAuthenticationMode; import tech.pegasys.web3signer.common.config.AwsCredentials; +import tech.pegasys.web3signer.common.config.AwsCredentials.AwsCredentialsBuilder; import tech.pegasys.web3signer.keystorage.common.MappedResults; import tech.pegasys.web3signer.signing.config.AwsCredentialsProviderFactory; +import java.net.URI; import java.util.Collections; +import java.util.List; +import java.util.Map; import java.util.Optional; import org.assertj.core.api.Assertions; @@ -30,11 +33,8 @@ import software.amazon.awssdk.auth.credentials.AwsCredentialsProvider; import software.amazon.awssdk.regions.Region; import software.amazon.awssdk.services.kms.KmsClient; -import software.amazon.awssdk.services.kms.model.CreateKeyRequest; +import software.amazon.awssdk.services.kms.KmsClientBuilder; import software.amazon.awssdk.services.kms.model.KeyListEntry; -import software.amazon.awssdk.services.kms.model.KeySpec; -import software.amazon.awssdk.services.kms.model.KeyUsageType; -import software.amazon.awssdk.services.kms.model.ScheduleKeyDeletionRequest; @EnabledIfEnvironmentVariable( named = "RW_AWS_ACCESS_KEY_ID", 
@@ -62,72 +62,58 @@ public class AwsKmsClientTest { private static final String AWS_REGION = System.getenv("AWS_REGION"); private static final String RW_AWS_ACCESS_KEY_ID = System.getenv("RW_AWS_ACCESS_KEY_ID"); private static final String RW_AWS_SECRET_ACCESS_KEY = System.getenv("RW_AWS_SECRET_ACCESS_KEY"); - private static final String AWS_SESSION_TOKEN = System.getenv("AWS_SESSION_TOKEN"); - private static final AwsCredentials AWS_RW_CREDENTIALS = - AwsCredentials.builder() - .withAccessKeyId(RW_AWS_ACCESS_KEY_ID) - .withSecretAccessKey(RW_AWS_SECRET_ACCESS_KEY) - .withSessionToken(AWS_SESSION_TOKEN) - .build(); - - private static final AwsCredentials AWS_CREDENTIALS = - AwsCredentials.builder() - .withAccessKeyId(AWS_ACCESS_KEY_ID) - .withSecretAccessKey(AWS_SECRET_ACCESS_KEY) - .withSessionToken(AWS_SESSION_TOKEN) - .build(); - - private static AwsKmsClient awsRwKmsClient; + private static final Optional AWS_SESSION_TOKEN = + Optional.ofNullable(System.getenv("AWS_SESSION_TOKEN")); + private static final Optional ENDPOINT_OVERRIDE = + Optional.ofNullable(System.getenv("AWS_ENDPOINT_OVERRIDE")).map(URI::create); + private static String testKeyId; + private static String testWithTagKeyId; + private static AwsKmsUtil awsKmsUtil; + private static AwsKmsClient awsKmsClient; @BeforeAll static void init() { + awsKmsUtil = + new AwsKmsUtil( + new CachedAwsKmsClientFactory(1), + AWS_REGION, + RW_AWS_ACCESS_KEY_ID, + RW_AWS_SECRET_ACCESS_KEY, + AWS_SESSION_TOKEN, + ENDPOINT_OVERRIDE); + testKeyId = awsKmsUtil.createKey(Collections.emptyMap()); + testWithTagKeyId = awsKmsUtil.createKey(Map.of("tagKey", "tagValue")); + + final AwsCredentialsBuilder awsCredentialsBuilder = AwsCredentials.builder(); + awsCredentialsBuilder + .withAccessKeyId(AWS_ACCESS_KEY_ID) + .withSecretAccessKey(AWS_SECRET_ACCESS_KEY); + AWS_SESSION_TOKEN.ifPresent(awsCredentialsBuilder::withSessionToken); + final AwsCredentialsProvider awsCredentialsProvider = 
AwsCredentialsProviderFactory.createAwsCredentialsProvider( - AwsAuthenticationMode.SPECIFIED, Optional.of(AWS_RW_CREDENTIALS)); - - final KmsClient kmsClient = - KmsClient.builder() - .credentialsProvider(awsCredentialsProvider) - .region(Region.of(AWS_REGION)) - .build(); - - awsRwKmsClient = new AwsKmsClient(kmsClient); - - // create a test key - final CreateKeyRequest web3SignerTestingKey = - CreateKeyRequest.builder() - .keySpec(KeySpec.ECC_SECG_P256_K1) - .description("Web3Signer Testing Key") - .keyUsage(KeyUsageType.SIGN_VERIFY) - .build(); - testKeyId = awsRwKmsClient.createKey(web3SignerTestingKey); - assertThat(testKeyId).isNotEmpty(); + AwsAuthenticationMode.SPECIFIED, Optional.of(awsCredentialsBuilder.build())); + + final KmsClientBuilder kmsClientBuilder = KmsClient.builder(); + kmsClientBuilder.credentialsProvider(awsCredentialsProvider).region(Region.of(AWS_REGION)); + ENDPOINT_OVERRIDE.ifPresent(kmsClientBuilder::endpointOverride); + + awsKmsClient = new AwsKmsClient(kmsClientBuilder.build()); } @AfterAll static void cleanup() { - if (awsRwKmsClient == null) { + if (awsKmsUtil == null) { return; } // delete key - ScheduleKeyDeletionRequest deletionRequest = - ScheduleKeyDeletionRequest.builder().keyId(testKeyId).pendingWindowInDays(7).build(); - awsRwKmsClient.scheduleKeyDeletion(deletionRequest); + awsKmsUtil.deleteKey(testKeyId); + awsKmsUtil.deleteKey(testWithTagKeyId); } @Test void keyPropertiesCanBeMappedUsingCustomMappingFunction() { - final AwsCredentialsProvider awsCredentialsProvider = - AwsCredentialsProviderFactory.createAwsCredentialsProvider( - AwsAuthenticationMode.SPECIFIED, Optional.of(AWS_CREDENTIALS)); - final KmsClient kmsClient = - KmsClient.builder() - .credentialsProvider(awsCredentialsProvider) - .region(Region.of(AWS_REGION)) - .build(); - final AwsKmsClient awsKmsClient = new AwsKmsClient(kmsClient); - final MappedResults result = awsKmsClient.mapKeyList( KeyListEntry::keyId, 
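Review bot: `cleanup()` schedules deletion of `testKeyId` and then `testWithTagKeyId` sequentially, so if the first `deleteKey` throws (throttling, expired session token) the second key is never scheduled for deletion and stays in the account as a billable key until someone notices; wrap the first call in `try { awsKmsUtil.deleteKey(testKeyId); } finally { awsKmsUtil.deleteKey(testWithTagKeyId); }`. The same applies when `init()` fails after the first `createKey`: `testWithTagKeyId` is then null and `deleteKey(null)` will fail, so guard each deletion with a null check. The `@AfterAll` hunk is complete here but `init()` starts earlier in this hunk; the `awsKmsClient` built from the read-only credentials is the one used by the tests, so the `RW_*` credentials must have at least `kms:CreateKey`, `kms:TagResource` and `kms:ScheduleKeyDeletion` — worth stating in a class comment as far as I can tell from the calls made.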
@@ -144,16 +130,6 @@ void keyPropertiesCanBeMappedUsingCustomMappingFunction() { @Test void mapKeyPropertiesThrowsAwayObjectsWhichFailMapper() { - final AwsCredentialsProvider awsCredentialsProvider = - AwsCredentialsProviderFactory.createAwsCredentialsProvider( - AwsAuthenticationMode.SPECIFIED, Optional.of(AWS_CREDENTIALS)); - final KmsClient kmsClient = - KmsClient.builder() - .credentialsProvider(awsCredentialsProvider) - .region(Region.of(AWS_REGION)) - .build(); - final AwsKmsClient awsKmsClient = new AwsKmsClient(kmsClient); - final MappedResults result = awsKmsClient.mapKeyList( kl -> { 
@@ -173,6 +149,63 @@ void mapKeyPropertiesThrowsAwayObjectsWhichFailMapper() { Assertions.assertThat(result.getErrorCount()).isOne(); } - // TODO JF tests for tags mapKeyPropertiesUsingTags, mapKeyPropertiesWhenTagsDoesNotExist + @Test + void mapKeyPropertiesUsingTagsKey() { + final MappedResults result = + awsKmsClient.mapKeyList( + KeyListEntry::keyId, + Collections.emptyList(), + List.of("tagKey"), + Collections.emptyList()); + final Optional testKeyEntry = + result.getValues().stream().filter(e -> e.equals(testWithTagKeyId)).findAny(); + Assertions.assertThat(testKeyEntry).isPresent(); + Assertions.assertThat(testKeyEntry.get()).isEqualTo(testWithTagKeyId); + Assertions.assertThat(result.getErrorCount()).isZero(); + } + + @Test + void mapKeyPropertiesUsingTagsValue() { + final MappedResults result = + awsKmsClient.mapKeyList( + KeyListEntry::keyId, + Collections.emptyList(), + Collections.emptyList(), + List.of("tagValue")); + + final Optional testKeyEntry = + result.getValues().stream().filter(e -> e.equals(testWithTagKeyId)).findAny(); + Assertions.assertThat(testKeyEntry).isPresent(); + Assertions.assertThat(testKeyEntry.get()).isEqualTo(testWithTagKeyId); + Assertions.assertThat(result.getErrorCount()).isZero(); + } + + @Test + void mapKeyPropertiesUsingTagsKeyAndValue() { + final MappedResults result = + awsKmsClient.mapKeyList( + KeyListEntry::keyId, Collections.emptyList(), List.of("tagKey"), List.of("tagValue")); + + final Optional testKeyEntry = + result.getValues().stream().filter(e -> e.equals(testWithTagKeyId)).findAny(); + Assertions.assertThat(testKeyEntry).isPresent(); + Assertions.assertThat(testKeyEntry.get()).isEqualTo(testWithTagKeyId); + Assertions.assertThat(result.getErrorCount()).isZero(); + } + + @Test + void mapKeyPropertiesWhenTagDoesNotExist() { + final MappedResults result = + awsKmsClient.mapKeyList( + KeyListEntry::keyId, + Collections.emptyList(), + List.of("unknownKey"), + List.of("unknownValue")); + + final Optional testKeyEntry 
= + result.getValues().stream().filter(e -> e.equals(testWithTagKeyId)).findAny(); + Assertions.assertThat(testKeyEntry).isEmpty(); + Assertions.assertThat(result.getErrorCount()).isZero(); + } } diff --git a/signing/src/testFixtures/java/tech/pegasys/web3signer/AwsKmsUtil.java b/signing/src/testFixtures/java/tech/pegasys/web3signer/AwsKmsUtil.java new file mode 100644 index 000000000..be23af5aa --- /dev/null +++ b/signing/src/testFixtures/java/tech/pegasys/web3signer/AwsKmsUtil.java 
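Review bot: `mapKeyPropertiesWhenTagDoesNotExist` only asserts that the tagged key is absent, which passes even when the filter is ineffective for keys without tags; with `matchesTag` implemented via `allMatch`, the untagged `testKeyId` is accepted by the `unknownKey`/`unknownValue` filter, so add `Assertions.assertThat(result.getValues()).doesNotContain(testKeyId);` to the test — if I read `matchesTag` correctly it would currently fail, which is exactly the regression to pin. The three positive tests (`mapKeyPropertiesUsingTagsKey`, `...Value`, `...KeyAndValue`) would likewise benefit from asserting that `testKeyId` is excluded, otherwise they cannot distinguish "filter matched" from "filter ignored". The fixed tag `tagKey=tagValue` is also shared across runs in the same account; since keys pending deletion are still listed, consider a per-run unique tag value to keep the assertions independent of leftovers.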
@@ -0,0 +1,78 @@ +/* + * Copyright 2023 ConsenSys AG. + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on + * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the + * specific language governing permissions and limitations under the License. + */ +package tech.pegasys.web3signer; + +import tech.pegasys.web3signer.common.config.AwsAuthenticationMode; +import tech.pegasys.web3signer.common.config.AwsCredentials; +import tech.pegasys.web3signer.common.config.AwsCredentials.AwsCredentialsBuilder; +import tech.pegasys.web3signer.signing.config.AwsCredentialsProviderFactory; +import tech.pegasys.web3signer.signing.secp256k1.aws.AwsKmsClient; +import tech.pegasys.web3signer.signing.secp256k1.aws.CachedAwsKmsClientFactory; + +import java.net.URI; +import java.util.List; +import java.util.Map; +import java.util.Optional; + +import software.amazon.awssdk.auth.credentials.AwsCredentialsProvider; +import software.amazon.awssdk.services.kms.model.CreateKeyRequest; +import software.amazon.awssdk.services.kms.model.KeySpec; +import software.amazon.awssdk.services.kms.model.KeyUsageType; +import software.amazon.awssdk.services.kms.model.ScheduleKeyDeletionRequest; +import software.amazon.awssdk.services.kms.model.Tag; + +public class AwsKmsUtil { + + private final AwsKmsClient awsKMSClient; + + public AwsKmsUtil( + final CachedAwsKmsClientFactory cachedAwsKmsClientFactory, + final String region, + final String accessKeyId, + final String secretAccessKey, + final Optional sessionToken, + Optional awsEndpointOverride) { + final AwsCredentialsBuilder awsCredentialsBuilder = AwsCredentials.builder(); + 
awsCredentialsBuilder.withAccessKeyId(accessKeyId).withSecretAccessKey(secretAccessKey); + sessionToken.ifPresent(awsCredentialsBuilder::withSessionToken); + + final AwsCredentialsProvider awsCredentialsProvider = + AwsCredentialsProviderFactory.createAwsCredentialsProvider( + AwsAuthenticationMode.SPECIFIED, Optional.of(awsCredentialsBuilder.build())); + + awsKMSClient = + cachedAwsKmsClientFactory.createKmsClient( + awsCredentialsProvider, region, awsEndpointOverride); + } + + public String createKey(final Map tags) { + final List awsTags = + tags.entrySet().stream() + .map(e -> Tag.builder().tagKey(e.getKey()).tagValue(e.getValue()).build()) + .toList(); + final CreateKeyRequest web3SignerTestingKey = + CreateKeyRequest.builder() + .keySpec(KeySpec.ECC_SECG_P256_K1) + .description("Web3Signer Testing Key") + .keyUsage(KeyUsageType.SIGN_VERIFY) + .tags(awsTags) + .build(); + return awsKMSClient.createKey(web3SignerTestingKey); + } + + public void deleteKey(final String keyId) { + final ScheduleKeyDeletionRequest deletionRequest = + ScheduleKeyDeletionRequest.builder().keyId(keyId).pendingWindowInDays(7).build(); + awsKMSClient.scheduleKeyDeletion(deletionRequest); + } +} From 46fe53ce7ecfa867e0bb84195b72848763b8df52 Mon Sep 17 00:00:00 2001 From: Jason Frame Date: Thu, 24 Aug 2023 16:21:03 +1000 Subject: [PATCH 06/21] Change existing tests to use AwsKmsUtil --- .../signing/SecpSigningAcceptanceTest.java | 71 ++++--------------- .../secp256k1/aws/AwsKmsClientTest.java | 1 - .../secp256k1/aws/AwsKmsSignerTest.java | 48 ++++--------- .../tech/pegasys/web3signer/AwsKmsUtil.java | 10 ++- 4 files changed, 34 insertions(+), 96 deletions(-) diff --git a/acceptance-tests/src/test/java/tech/pegasys/web3signer/tests/signing/SecpSigningAcceptanceTest.java b/acceptance-tests/src/test/java/tech/pegasys/web3signer/tests/signing/SecpSigningAcceptanceTest.java index 71e39dabd..a4d5769c8 100644 
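Review bot: `AwsKmsUtil` creates real KMS keys with read-write credentials and `deleteKey` only schedules deletion with the 7-day minimum window, but neither the class nor the methods say so; a class Javadoc along the lines of "Test-only helper that creates and schedules deletion of real (billable) KMS keys using read-write credentials; keys are only removed after the 7-day pending window" would stop it being picked up for non-test code. `createKey` hard-codes `KeySpec.ECC_SECG_P256_K1` and `KeyUsageType.SIGN_VERIFY` without a key policy, so the key is created under the account's default key policy; document that, and that `tags` is applied at creation time (which, as far as I recall, additionally requires `kms:TagResource` on the caller). `deleteKey` would also be clearer with `@param keyId the id of a key created by this helper` and a note that scheduling deletion is irreversible only once the window has elapsed.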
--- a/acceptance-tests/src/test/java/tech/pegasys/web3signer/tests/signing/SecpSigningAcceptanceTest.java +++ b/acceptance-tests/src/test/java/tech/pegasys/web3signer/tests/signing/SecpSigningAcceptanceTest.java @@ -17,16 +17,12 @@ import static org.assertj.core.api.Assertions.assertThat; import static org.web3j.crypto.Sign.signedMessageToKey; -import tech.pegasys.web3signer.common.config.AwsAuthenticationMode; -import tech.pegasys.web3signer.common.config.AwsCredentials; +import tech.pegasys.web3signer.AwsKmsUtil; import tech.pegasys.web3signer.dsl.HashicorpSigningParams; import tech.pegasys.web3signer.dsl.utils.MetadataFileHelpers; import tech.pegasys.web3signer.keystore.hashicorp.dsl.HashicorpNode; import tech.pegasys.web3signer.signing.KeyType; -import tech.pegasys.web3signer.signing.config.AwsCredentialsProviderFactory; import tech.pegasys.web3signer.signing.secp256k1.EthPublicKeyUtils; -import tech.pegasys.web3signer.signing.secp256k1.aws.AwsKmsClient; -import tech.pegasys.web3signer.signing.secp256k1.aws.CachedAwsKmsClientFactory; import java.io.File; import java.math.BigInteger; @@ -35,6 +31,7 @@ import java.nio.file.Path; import java.security.SignatureException; import java.security.interfaces.ECPublicKey; +import java.util.Collections; import java.util.Map; import java.util.Optional; @@ -46,11 +43,6 @@ import org.junit.jupiter.api.condition.EnabledIfEnvironmentVariable; import org.junit.jupiter.api.condition.EnabledIfEnvironmentVariables; import org.web3j.crypto.Sign.SignatureData; -import software.amazon.awssdk.auth.credentials.AwsCredentialsProvider; -import software.amazon.awssdk.services.kms.model.CreateKeyRequest; -import software.amazon.awssdk.services.kms.model.KeySpec; -import software.amazon.awssdk.services.kms.model.KeyUsageType; -import software.amazon.awssdk.services.kms.model.ScheduleKeyDeletionRequest; public class SecpSigningAcceptanceTest extends SigningAcceptanceTestBase { 
@@ -153,7 +145,14 @@ public void remoteSignWithAwsKMS() { final Optional awsEndpointOverride = Optional.ofNullable(System.getenv("AWS_ENDPOINT_OVERRIDE")).map(URI::create); - final Map.Entry remoteAWSKMSKey = createRemoteAWSKMSKey(); + final AwsKmsUtil awsKmsUtil = + new AwsKmsUtil( + region, + System.getenv("RW_AWS_ACCESS_KEY_ID"), + System.getenv("RW_AWS_SECRET_ACCESS_KEY"), + Optional.ofNullable(System.getenv("AWS_SESSION_TOKEN")), + awsEndpointOverride); + final Map.Entry remoteAWSKMSKey = createRemoteAWSKMSKey(awsKmsUtil); final String awsKeyId = remoteAWSKMSKey.getKey(); final ECPublicKey ecPublicKey = remoteAWSKMSKey.getValue(); @@ -170,7 +169,7 @@ public void remoteSignWithAwsKMS() { signAndVerifySignature(EthPublicKeyUtils.toHexString(ecPublicKey)); } finally { - markAwsKeyForDeletion(region, awsEndpointOverride, awsKeyId); + awsKmsUtil.deleteKey(awsKeyId); } } 
@@ -206,52 +205,10 @@ private BigInteger recoverPublicKey(final SignatureData signature) { } } - private static Map.Entry createRemoteAWSKMSKey() { - final String region = Optional.ofNullable(System.getenv("AWS_REGION")).orElse("us-east-2"); - final Optional awsEndpointOverride = - System.getenv("AWS_ENDPOINT_OVERRIDE") != null - ? Optional.of(URI.create(System.getenv("AWS_ENDPOINT_OVERRIDE"))) - : Optional.empty(); + private static Map.Entry createRemoteAWSKMSKey(final AwsKmsUtil awsKmsUtil) { + final String testKeyId = awsKmsUtil.createKey(Collections.emptyMap()); - final AwsCredentialsProvider rwAwsCredentialsProvider = - AwsCredentialsProviderFactory.createAwsCredentialsProvider( - AwsAuthenticationMode.SPECIFIED, Optional.of(getAwsCredentialsFromEnvVar())); - final AwsKmsClient rwKmsClient = - new CachedAwsKmsClientFactory(1) - .createKmsClient(rwAwsCredentialsProvider, region, awsEndpointOverride); - // create a test key - final CreateKeyRequest web3SignerTestingKey = - CreateKeyRequest.builder() - .keySpec(KeySpec.ECC_SECG_P256_K1) - .description("Web3Signer Testing Key") - .keyUsage(KeyUsageType.SIGN_VERIFY) - .build(); - - final String testKeyId = rwKmsClient.createKey(web3SignerTestingKey); - final ECPublicKey ecPublicKey = rwKmsClient.getECPublicKey(testKeyId); + final ECPublicKey ecPublicKey = awsKmsUtil.publicKey(testKeyId); return Maps.immutableEntry(testKeyId, ecPublicKey); } - - private static void markAwsKeyForDeletion( - String region, Optional awsEndpointOverride, String awsKeyId) { - // mark aws key for deletion - ScheduleKeyDeletionRequest deletionRequest = - ScheduleKeyDeletionRequest.builder().keyId(awsKeyId).pendingWindowInDays(7).build(); - final AwsCredentialsProvider rwAwsCredentialsProvider = - AwsCredentialsProviderFactory.createAwsCredentialsProvider( - AwsAuthenticationMode.SPECIFIED, Optional.of(getAwsCredentialsFromEnvVar())); - - final AwsKmsClient rwKmsClient = - new CachedAwsKmsClientFactory(1) - 
.createKmsClient(rwAwsCredentialsProvider, region, awsEndpointOverride); - rwKmsClient.scheduleKeyDeletion(deletionRequest); - } - - private static AwsCredentials getAwsCredentialsFromEnvVar() { - return AwsCredentials.builder() - .withAccessKeyId(System.getenv("RW_AWS_ACCESS_KEY_ID")) - .withSecretAccessKey(System.getenv("RW_AWS_SECRET_ACCESS_KEY")) - .withSessionToken(System.getenv("AWS_SESSION_TOKEN")) - .build(); - } } diff --git a/signing/src/test/java/tech/pegasys/web3signer/signing/secp256k1/aws/AwsKmsClientTest.java b/signing/src/test/java/tech/pegasys/web3signer/signing/secp256k1/aws/AwsKmsClientTest.java index a11923e62..312c802f8 100644 --- a/signing/src/test/java/tech/pegasys/web3signer/signing/secp256k1/aws/AwsKmsClientTest.java +++ b/signing/src/test/java/tech/pegasys/web3signer/signing/secp256k1/aws/AwsKmsClientTest.java @@ -76,7 +76,6 @@ public class AwsKmsClientTest { static void init() { awsKmsUtil = new AwsKmsUtil( - new CachedAwsKmsClientFactory(1), AWS_REGION, RW_AWS_ACCESS_KEY_ID, RW_AWS_SECRET_ACCESS_KEY, diff --git a/signing/src/test/java/tech/pegasys/web3signer/signing/secp256k1/aws/AwsKmsSignerTest.java b/signing/src/test/java/tech/pegasys/web3signer/signing/secp256k1/aws/AwsKmsSignerTest.java index 2d0b8d1cd..66d99b569 100644 --- a/signing/src/test/java/tech/pegasys/web3signer/signing/secp256k1/aws/AwsKmsSignerTest.java +++ b/signing/src/test/java/tech/pegasys/web3signer/signing/secp256k1/aws/AwsKmsSignerTest.java 
@@ -15,9 +15,9 @@ import static java.nio.charset.StandardCharsets.UTF_8; import static org.assertj.core.api.Assertions.assertThat; +import tech.pegasys.web3signer.AwsKmsUtil; import tech.pegasys.web3signer.common.config.AwsAuthenticationMode; import tech.pegasys.web3signer.common.config.AwsCredentials; -import tech.pegasys.web3signer.signing.config.AwsCredentialsProviderFactory; import tech.pegasys.web3signer.signing.config.metadata.AwsKmsMetadata; import tech.pegasys.web3signer.signing.secp256k1.EthPublicKeyUtils; import tech.pegasys.web3signer.signing.secp256k1.Signature; @@ -26,6 +26,7 @@ import java.math.BigInteger; import java.net.URI; import java.security.SignatureException; +import java.util.Collections; import java.util.Optional; import org.junit.jupiter.api.AfterAll; @@ -36,11 +37,6 @@ import org.web3j.crypto.Hash; import org.web3j.crypto.Sign; import org.web3j.utils.Numeric; -import software.amazon.awssdk.auth.credentials.AwsCredentialsProvider; -import software.amazon.awssdk.services.kms.model.CreateKeyRequest; -import software.amazon.awssdk.services.kms.model.KeySpec; -import software.amazon.awssdk.services.kms.model.KeyUsageType; -import software.amazon.awssdk.services.kms.model.ScheduleKeyDeletionRequest; @TestInstance(TestInstance.Lifecycle.PER_CLASS) @EnabledIfEnvironmentVariable( @@ -73,13 +69,6 @@ public class AwsKmsSignerTest { private static final Optional ENDPOINT_OVERRIDE = Optional.ofNullable(System.getenv("AWS_ENDPOINT_OVERRIDE")).map(URI::create); - private static final AwsCredentials AWS_RW_CREDENTIALS = - AwsCredentials.builder() - .withAccessKeyId(RW_AWS_ACCESS_KEY_ID) - .withSecretAccessKey(RW_AWS_SECRET_ACCESS_KEY) - .withSessionToken(AWS_SESSION_TOKEN) - .build(); - private static final AwsCredentials AWS_CREDENTIALS = AwsCredentials.builder() .withAccessKeyId(AWS_ACCESS_KEY_ID) 
@@ -87,39 +76,28 @@ public class AwsKmsSignerTest { .withSessionToken(AWS_SESSION_TOKEN) .build(); - private static final CachedAwsKmsClientFactory KMS_CLIENT_FACTORY = - new CachedAwsKmsClientFactory(1); - private static AwsKmsClient awsKMSClient; private static String testKeyId; + private static AwsKmsUtil awsKmsUtil; @BeforeAll static void init() { - AwsCredentialsProvider awsCredentialsProvider = - AwsCredentialsProviderFactory.createAwsCredentialsProvider( - AwsAuthenticationMode.SPECIFIED, Optional.of(AWS_RW_CREDENTIALS)); - awsKMSClient = - KMS_CLIENT_FACTORY.createKmsClient(awsCredentialsProvider, AWS_REGION, ENDPOINT_OVERRIDE); - - // create a test key - final CreateKeyRequest web3SignerTestingKey = - CreateKeyRequest.builder() - .keySpec(KeySpec.ECC_SECG_P256_K1) - .description("Web3Signer Testing Key") - .keyUsage(KeyUsageType.SIGN_VERIFY) - .build(); - testKeyId = awsKMSClient.createKey(web3SignerTestingKey); + awsKmsUtil = + new AwsKmsUtil( + AWS_REGION, + RW_AWS_ACCESS_KEY_ID, + RW_AWS_SECRET_ACCESS_KEY, + Optional.ofNullable(AWS_SESSION_TOKEN), + ENDPOINT_OVERRIDE); + testKeyId = awsKmsUtil.createKey(Collections.emptyMap()); assertThat(testKeyId).isNotEmpty(); } @AfterAll static void cleanup() { - if (awsKMSClient == null) { + if (awsKmsUtil == null) { return; } - // delete key - ScheduleKeyDeletionRequest deletionRequest = - ScheduleKeyDeletionRequest.builder().keyId(testKeyId).pendingWindowInDays(7).build(); - awsKMSClient.scheduleKeyDeletion(deletionRequest); + awsKmsUtil.deleteKey(testKeyId); } @Test diff --git a/signing/src/testFixtures/java/tech/pegasys/web3signer/AwsKmsUtil.java b/signing/src/testFixtures/java/tech/pegasys/web3signer/AwsKmsUtil.java index be23af5aa..f92617f7a 100644 --- a/signing/src/testFixtures/java/tech/pegasys/web3signer/AwsKmsUtil.java +++ b/signing/src/testFixtures/java/tech/pegasys/web3signer/AwsKmsUtil.java 
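Review bot: `cleanup()` only guards `awsKmsUtil == null`, but `testKeyId` is assigned after `awsKmsUtil` in `init()`, so if `createKey` throws the `@AfterAll` still runs `awsKmsUtil.deleteKey(null)` and a ScheduleKeyDeletion request with a null key id is sent, which presumably fails with a KMS validation error that masks the original setup failure. Widen the guard to `if (awsKmsUtil == null || testKeyId == null) { return; }`. The same ordering applies to the `createKey`/`deleteKey` pairing in the acceptance-test hunk earlier in this commit, though its cleanup path is outside the visible hunk.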
@@ -20,6 +20,7 @@ import tech.pegasys.web3signer.signing.secp256k1.aws.CachedAwsKmsClientFactory; import java.net.URI; +import java.security.interfaces.ECPublicKey; import java.util.List; import java.util.Map; import java.util.Optional; @@ -36,7 +37,6 @@ public class AwsKmsUtil { private final AwsKmsClient awsKMSClient; public AwsKmsUtil( - final CachedAwsKmsClientFactory cachedAwsKmsClientFactory, final String region, final String accessKeyId, final String secretAccessKey, @@ -49,9 +49,9 @@ public AwsKmsUtil( final AwsCredentialsProvider awsCredentialsProvider = AwsCredentialsProviderFactory.createAwsCredentialsProvider( AwsAuthenticationMode.SPECIFIED, Optional.of(awsCredentialsBuilder.build())); - + final CachedAwsKmsClientFactory cachedAwsKmsClientFactory1 = new CachedAwsKmsClientFactory(1); awsKMSClient = - cachedAwsKmsClientFactory.createKmsClient( + cachedAwsKmsClientFactory1.createKmsClient( awsCredentialsProvider, region, awsEndpointOverride); } @@ -75,4 +75,8 @@ public void deleteKey(final String keyId) { ScheduleKeyDeletionRequest.builder().keyId(keyId).pendingWindowInDays(7).build(); awsKMSClient.scheduleKeyDeletion(deletionRequest); } + + public ECPublicKey publicKey(final String keyId) { + return awsKMSClient.getECPublicKey(keyId); + } } From 93514aa4e09a90a8c29682562c9491e968b84fc6 Mon Sep 17 00:00:00 2001 
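Review bot: `cachedAwsKmsClientFactory1` in the constructor looks like an IDE-generated name left behind when the constructor parameter of the same name was removed; now that nothing else claims the name, the local should simply be `cachedAwsKmsClientFactory` (or `kmsClientFactory`). The constructor starts outside the hunk. The new `publicKey` method in the last hunk should carry a one-line Javadoc, e.g. `/** Fetches the EC public key of the KMS key with the given id. */`, since this test fixture is shared across modules.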
From: Jason Frame Date: Tue, 29 Aug 2023 14:04:35 +1000 Subject: [PATCH 07/21] Wire in Eth1 AWS bulk loading --- .../runner/CmdLineParamsConfigFileImpl.java | 18 +-- .../runner/CmdLineParamsDefaultImpl.java | 18 +-- .../commandline/PicoCliKmsAwsParameters.java | 148 ++++++++++++++++++ ...=> PicoCliSecretsMangerAwsParameters.java} | 2 +- .../subcommands/Eth1SubCommand.java | 4 +- .../subcommands/Eth2SubCommand.java | 14 +- .../commandline/CommandlineParserTest.java | 16 +- .../pegasys/web3signer/core/Eth1Runner.java | 45 ++++-- .../web3signer/core/FilecoinRunner.java | 5 +- .../signing/config/AwsParameters.java | 2 + .../secp256k1/aws/AwsKmsSignerFactory.java | 16 +- .../secp256k1/aws/AwsKmsSignerTest.java | 5 +- 12 files changed, 236 insertions(+), 57 deletions(-) create mode 100644 commandline/src/main/java/tech/pegasys/web3signer/commandline/PicoCliKmsAwsParameters.java rename commandline/src/main/java/tech/pegasys/web3signer/commandline/{PicoCliAwsParameters.java => PicoCliSecretsMangerAwsParameters.java} (98%) diff --git a/acceptance-tests/src/test/java/tech/pegasys/web3signer/dsl/signer/runner/CmdLineParamsConfigFileImpl.java b/acceptance-tests/src/test/java/tech/pegasys/web3signer/dsl/signer/runner/CmdLineParamsConfigFileImpl.java index 4bcac4138..765aa2fa9 100644 --- a/acceptance-tests/src/test/java/tech/pegasys/web3signer/dsl/signer/runner/CmdLineParamsConfigFileImpl.java +++ b/acceptance-tests/src/test/java/tech/pegasys/web3signer/dsl/signer/runner/CmdLineParamsConfigFileImpl.java 
@@ -12,15 +12,15 @@
 */
 package tech.pegasys.web3signer.dsl.signer.runner;
-import static tech.pegasys.web3signer.commandline.PicoCliAwsParameters.AWS_ENDPOINT_OVERRIDE_OPTION;
-import static tech.pegasys.web3signer.commandline.PicoCliAwsParameters.AWS_SECRETS_ACCESS_KEY_ID_OPTION;
-import static tech.pegasys.web3signer.commandline.PicoCliAwsParameters.AWS_SECRETS_AUTH_MODE_OPTION;
-import static tech.pegasys.web3signer.commandline.PicoCliAwsParameters.AWS_SECRETS_ENABLED_OPTION;
-import static tech.pegasys.web3signer.commandline.PicoCliAwsParameters.AWS_SECRETS_PREFIXES_FILTER_OPTION;
-import static tech.pegasys.web3signer.commandline.PicoCliAwsParameters.AWS_SECRETS_REGION_OPTION;
-import static tech.pegasys.web3signer.commandline.PicoCliAwsParameters.AWS_SECRETS_SECRET_ACCESS_KEY_OPTION;
-import static tech.pegasys.web3signer.commandline.PicoCliAwsParameters.AWS_SECRETS_TAG_NAMES_FILTER_OPTION;
-import static tech.pegasys.web3signer.commandline.PicoCliAwsParameters.AWS_SECRETS_TAG_VALUES_FILTER_OPTION;
+import static tech.pegasys.web3signer.commandline.PicoCliSecretsMangerAwsParameters.AWS_ENDPOINT_OVERRIDE_OPTION;
+import static tech.pegasys.web3signer.commandline.PicoCliSecretsMangerAwsParameters.AWS_SECRETS_ACCESS_KEY_ID_OPTION;
+import static tech.pegasys.web3signer.commandline.PicoCliSecretsMangerAwsParameters.AWS_SECRETS_AUTH_MODE_OPTION;
+import static tech.pegasys.web3signer.commandline.PicoCliSecretsMangerAwsParameters.AWS_SECRETS_ENABLED_OPTION;
+import static tech.pegasys.web3signer.commandline.PicoCliSecretsMangerAwsParameters.AWS_SECRETS_PREFIXES_FILTER_OPTION;
+import static tech.pegasys.web3signer.commandline.PicoCliSecretsMangerAwsParameters.AWS_SECRETS_REGION_OPTION;
+import static tech.pegasys.web3signer.commandline.PicoCliSecretsMangerAwsParameters.AWS_SECRETS_SECRET_ACCESS_KEY_OPTION;
+import static tech.pegasys.web3signer.commandline.PicoCliSecretsMangerAwsParameters.AWS_SECRETS_TAG_NAMES_FILTER_OPTION;
+import static tech.pegasys.web3signer.commandline.PicoCliSecretsMangerAwsParameters.AWS_SECRETS_TAG_VALUES_FILTER_OPTION;
 import tech.pegasys.web3signer.core.config.ClientAuthConstraints;
 import tech.pegasys.web3signer.core.config.TlsOptions;
diff --git a/acceptance-tests/src/test/java/tech/pegasys/web3signer/dsl/signer/runner/CmdLineParamsDefaultImpl.java b/acceptance-tests/src/test/java/tech/pegasys/web3signer/dsl/signer/runner/CmdLineParamsDefaultImpl.java
index cbb226066..1b858bf52 100644
--- a/acceptance-tests/src/test/java/tech/pegasys/web3signer/dsl/signer/runner/CmdLineParamsDefaultImpl.java
+++ b/acceptance-tests/src/test/java/tech/pegasys/web3signer/dsl/signer/runner/CmdLineParamsDefaultImpl.java
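Review bot: The renamed class `PicoCliSecretsMangerAwsParameters` misspells "Manager" as "Manger", and this hunk propagates the typo into every static import; the same applies to the CmdLineParamsDefaultImpl, rename, Eth1SubCommand, Eth2SubCommand and CommandlineParserTest hunks of this commit. Since the rename is introduced here, correcting it to `PicoCliSecretsManagerAwsParameters` now avoids a second rename touching the same twelve files later. A class name that is misspelled also makes the option-constant imports harder to grep for when cross-referencing CLI docs.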
@@ -12,15 +12,15 @@
 */
 package tech.pegasys.web3signer.dsl.signer.runner;
-import static tech.pegasys.web3signer.commandline.PicoCliAwsParameters.AWS_ENDPOINT_OVERRIDE_OPTION;
-import static tech.pegasys.web3signer.commandline.PicoCliAwsParameters.AWS_SECRETS_ACCESS_KEY_ID_OPTION;
-import static tech.pegasys.web3signer.commandline.PicoCliAwsParameters.AWS_SECRETS_AUTH_MODE_OPTION;
-import static tech.pegasys.web3signer.commandline.PicoCliAwsParameters.AWS_SECRETS_ENABLED_OPTION;
-import static tech.pegasys.web3signer.commandline.PicoCliAwsParameters.AWS_SECRETS_PREFIXES_FILTER_OPTION;
-import static tech.pegasys.web3signer.commandline.PicoCliAwsParameters.AWS_SECRETS_REGION_OPTION;
-import static tech.pegasys.web3signer.commandline.PicoCliAwsParameters.AWS_SECRETS_SECRET_ACCESS_KEY_OPTION;
-import static tech.pegasys.web3signer.commandline.PicoCliAwsParameters.AWS_SECRETS_TAG_NAMES_FILTER_OPTION;
-import static tech.pegasys.web3signer.commandline.PicoCliAwsParameters.AWS_SECRETS_TAG_VALUES_FILTER_OPTION;
+import static tech.pegasys.web3signer.commandline.PicoCliSecretsMangerAwsParameters.AWS_ENDPOINT_OVERRIDE_OPTION;
+import static tech.pegasys.web3signer.commandline.PicoCliSecretsMangerAwsParameters.AWS_SECRETS_ACCESS_KEY_ID_OPTION;
+import static tech.pegasys.web3signer.commandline.PicoCliSecretsMangerAwsParameters.AWS_SECRETS_AUTH_MODE_OPTION;
+import static tech.pegasys.web3signer.commandline.PicoCliSecretsMangerAwsParameters.AWS_SECRETS_ENABLED_OPTION;
+import static tech.pegasys.web3signer.commandline.PicoCliSecretsMangerAwsParameters.AWS_SECRETS_PREFIXES_FILTER_OPTION;
+import static tech.pegasys.web3signer.commandline.PicoCliSecretsMangerAwsParameters.AWS_SECRETS_REGION_OPTION;
+import static tech.pegasys.web3signer.commandline.PicoCliSecretsMangerAwsParameters.AWS_SECRETS_SECRET_ACCESS_KEY_OPTION;
+import static tech.pegasys.web3signer.commandline.PicoCliSecretsMangerAwsParameters.AWS_SECRETS_TAG_NAMES_FILTER_OPTION;
+import static tech.pegasys.web3signer.commandline.PicoCliSecretsMangerAwsParameters.AWS_SECRETS_TAG_VALUES_FILTER_OPTION;
 import tech.pegasys.web3signer.core.config.ClientAuthConstraints;
 import tech.pegasys.web3signer.core.config.TlsOptions;
diff --git a/commandline/src/main/java/tech/pegasys/web3signer/commandline/PicoCliKmsAwsParameters.java b/commandline/src/main/java/tech/pegasys/web3signer/commandline/PicoCliKmsAwsParameters.java
new file mode 100644
index 000000000..a9d619585
--- /dev/null
+++ b/commandline/src/main/java/tech/pegasys/web3signer/commandline/PicoCliKmsAwsParameters.java
@@ -0,0 +1,148 @@ +/* + * Copyright 2020 ConsenSys AG. + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on + * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the + * specific language governing permissions and limitations under the License. + */ +package tech.pegasys.web3signer.commandline; + +import tech.pegasys.web3signer.common.config.AwsAuthenticationMode; +import tech.pegasys.web3signer.signing.config.AwsParameters; + +import java.net.URI; +import java.util.Collection; +import java.util.Collections; +import java.util.List; +import java.util.Optional; + +import picocli.CommandLine.Option; + +public class PicoCliKmsAwsParameters implements AwsParameters { + public static final String AWS_KMS_ENABLED_OPTION = "--aws-kms-enabled"; + public static final String AWS_KMS_AUTH_MODE_OPTION = "--aws-kms-auth-mode"; + public static final String AWS_KMS_ACCESS_KEY_ID_OPTION = "--aws-kms-access-key-id"; + public static final String AWS_KMS_SECRET_ACCESS_KEY_OPTION = "--aws-secrets-secret-access-key"; + public static final String AWS_KMS_REGION_OPTION = "--aws-kms-region"; + public static final String AWS_ENDPOINT_OVERRIDE_OPTION = "--aws-endpoint-override"; + public static final String AWS_KMS_PREFIXES_FILTER_OPTION = "--aws-kms-prefixes-filter"; + public static final String AWS_KMS_TAG_NAMES_FILTER_OPTION = "--aws-kms-tag-names-filter"; + public static final String AWS_KMS_TAG_VALUES_FILTER_OPTION = "--aws-kms-tag-values-filter"; + public static final String AWS_CONNECTION_CACHE_SIZE_OPTION = "--aws-connection-cache-size"; + + @Option( + names = AWS_KMS_ENABLED_OPTION, + description = + "Set to true to enable 
bulk loading from the AWS KMS service." + + " (Default: ${DEFAULT-VALUE})", + paramLabel = "") + private boolean awsKmsManagerEnabled = false; + + @Option( + names = AWS_KMS_AUTH_MODE_OPTION, + description = + "Authentication mode for AWS KMS service. Valid Values: [${COMPLETION-CANDIDATES}]" + + " (Default: ${DEFAULT-VALUE})", + paramLabel = "") + private AwsAuthenticationMode authenticationMode = AwsAuthenticationMode.SPECIFIED; + + @Option( + names = {AWS_KMS_ACCESS_KEY_ID_OPTION}, + description = + "AWS Access Key Id to authenticate Aws KMS. Required for SPECIFIED authentication mode.", + paramLabel = "") + private String accessKeyId; + + @Option( + names = {AWS_KMS_SECRET_ACCESS_KEY_OPTION}, + description = + "AWS Secret Access Key to authenticate Aws KMS. Required for SPECIFIED authentication mode.", + paramLabel = "") + private String secretAccessKey; + + @Option( + names = {AWS_KMS_REGION_OPTION}, + description = + "AWS region where KMS is available. Required for SPECIFIED authentication mode.", + paramLabel = "") + private String region; + + @Option( + names = {AWS_ENDPOINT_OVERRIDE_OPTION}, + description = "Override AWS endpoint.", + paramLabel = "") + private Optional endpointOverride; + + @Option( + names = AWS_KMS_TAG_NAMES_FILTER_OPTION, + description = + "Optional comma-separated list of tag names filter to apply while fetching key ids from AWS KMS." + + " Applied as AND operation with other filters.", + split = ",") + private List tagNamesFilter = Collections.emptyList(); + + @Option( + names = AWS_KMS_TAG_VALUES_FILTER_OPTION, + description = + "Optional comma-separated list of tag values filter to apply while fetching key ids from AWS KMS." 
+ + " Applied as AND operation with other filters.", + split = ",") + private List tagValuesFilter = Collections.emptyList(); + + @Option( + names = {AWS_CONNECTION_CACHE_SIZE_OPTION}, + paramLabel = "", + description = + "Maximum number of connections to cache to the AWS KMS (default: ${DEFAULT-VALUE})") + private long cacheMaximumSize = 1; + + @Override + public boolean isEnabled() { + return awsKmsManagerEnabled; + } + + @Override + public AwsAuthenticationMode getAuthenticationMode() { + return authenticationMode; + } + + @Override + public String getAccessKeyId() { + return accessKeyId; + } + + @Override + public String getSecretAccessKey() { + return secretAccessKey; + } + + @Override + public String getRegion() { + return region; + } + + @Override + public long getCacheMaximumSize() { + return cacheMaximumSize; + } + + @Override + public Collection getTagNamesFilter() { + return tagNamesFilter; + } + + @Override + public Collection getTagValuesFilter() { + return tagValuesFilter; + } + + @Override + public Optional getEndpointOverride() { + return endpointOverride; + } +} diff --git a/commandline/src/main/java/tech/pegasys/web3signer/commandline/PicoCliAwsParameters.java b/commandline/src/main/java/tech/pegasys/web3signer/commandline/PicoCliSecretsMangerAwsParameters.java similarity index 98% rename from commandline/src/main/java/tech/pegasys/web3signer/commandline/PicoCliAwsParameters.java rename to commandline/src/main/java/tech/pegasys/web3signer/commandline/PicoCliSecretsMangerAwsParameters.java index f294d825e..13beda170 100644 --- a/commandline/src/main/java/tech/pegasys/web3signer/commandline/PicoCliAwsParameters.java +++ b/commandline/src/main/java/tech/pegasys/web3signer/commandline/PicoCliSecretsMangerAwsParameters.java 
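Review bot: `AWS_KMS_SECRET_ACCESS_KEY_OPTION` is `"--aws-secrets-secret-access-key"`, the only option in this new class that is not under the `--aws-kms-` prefix; it reads as a copy from the Secrets Manager parameters and should be `"--aws-kms-secret-access-key"`, otherwise the eth1 help text advertises a secrets-manager flag for a KMS credential and the two mixins could never be combined in one command without a duplicate-option clash. `AWS_KMS_PREFIXES_FILTER_OPTION` is declared but bound to no `@Option`, so either drop it or wire it up. `endpointOverride` is the only field without an initializer; if the picocli version in use does not default `Optional` fields to `Optional.empty()`, `getEndpointOverride()` returns null when the flag is absent — confirm, or initialise it to `Optional.empty()` like the list fields. A class-level Javadoc such as `/** Picocli options for bulk-loading secp256k1 signers from AWS KMS (eth1 mode). */` would also distinguish it from the near-identical Secrets Manager class.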
@@ -24,7 +24,7 @@ import picocli.CommandLine; import picocli.CommandLine.Option; -public class PicoCliAwsParameters implements AwsParameters { +public class PicoCliSecretsMangerAwsParameters implements AwsParameters { public static final String AWS_SECRETS_ENABLED_OPTION = "--aws-secrets-enabled"; public static final String AWS_SECRETS_AUTH_MODE_OPTION = "--aws-secrets-auth-mode"; public static final String AWS_SECRETS_ACCESS_KEY_ID_OPTION = "--aws-secrets-access-key-id"; diff --git a/commandline/src/main/java/tech/pegasys/web3signer/commandline/subcommands/Eth1SubCommand.java b/commandline/src/main/java/tech/pegasys/web3signer/commandline/subcommands/Eth1SubCommand.java index 28445ea75..5ed9cd9d6 100644 --- a/commandline/src/main/java/tech/pegasys/web3signer/commandline/subcommands/Eth1SubCommand.java +++ b/commandline/src/main/java/tech/pegasys/web3signer/commandline/subcommands/Eth1SubCommand.java @@ -18,8 +18,8 @@ import static tech.pegasys.web3signer.commandline.DefaultCommandValues.PORT_FORMAT_HELP; import static tech.pegasys.web3signer.commandline.util.RequiredOptionsUtil.checkIfRequiredOptionsAreInitialized; -import tech.pegasys.web3signer.commandline.PicoCliAwsParameters; import tech.pegasys.web3signer.commandline.PicoCliEth1AzureKeyVaultParameters; +import tech.pegasys.web3signer.commandline.PicoCliKmsAwsParameters; import tech.pegasys.web3signer.commandline.annotations.RequiredOption; import tech.pegasys.web3signer.commandline.config.client.PicoCliClientTlsOptions; import tech.pegasys.web3signer.core.Eth1Runner; @@ -148,7 +148,7 @@ public void setDownstreamHttpPath(final String path) { @CommandLine.Mixin private PicoCliEth1AzureKeyVaultParameters azureKeyVaultParameters; - @CommandLine.Mixin private PicoCliAwsParameters awsParameters; + @CommandLine.Mixin private PicoCliKmsAwsParameters awsParameters; @Override public Runner createRunner() { 
diff --git a/commandline/src/main/java/tech/pegasys/web3signer/commandline/subcommands/Eth2SubCommand.java b/commandline/src/main/java/tech/pegasys/web3signer/commandline/subcommands/Eth2SubCommand.java
index fc3b9a009..5d41d1410 100644
--- a/commandline/src/main/java/tech/pegasys/web3signer/commandline/subcommands/Eth2SubCommand.java
+++ b/commandline/src/main/java/tech/pegasys/web3signer/commandline/subcommands/Eth2SubCommand.java
@@ -12,10 +12,10 @@
 */
 package tech.pegasys.web3signer.commandline.subcommands;
-import static tech.pegasys.web3signer.commandline.PicoCliAwsParameters.AWS_SECRETS_ACCESS_KEY_ID_OPTION;
-import static tech.pegasys.web3signer.commandline.PicoCliAwsParameters.AWS_SECRETS_AUTH_MODE_OPTION;
-import static tech.pegasys.web3signer.commandline.PicoCliAwsParameters.AWS_SECRETS_REGION_OPTION;
-import static tech.pegasys.web3signer.commandline.PicoCliAwsParameters.AWS_SECRETS_SECRET_ACCESS_KEY_OPTION;
+import static tech.pegasys.web3signer.commandline.PicoCliSecretsMangerAwsParameters.AWS_SECRETS_ACCESS_KEY_ID_OPTION;
+import static tech.pegasys.web3signer.commandline.PicoCliSecretsMangerAwsParameters.AWS_SECRETS_AUTH_MODE_OPTION;
+import static tech.pegasys.web3signer.commandline.PicoCliSecretsMangerAwsParameters.AWS_SECRETS_REGION_OPTION;
+import static tech.pegasys.web3signer.commandline.PicoCliSecretsMangerAwsParameters.AWS_SECRETS_SECRET_ACCESS_KEY_OPTION;
 import static tech.pegasys.web3signer.signing.config.AzureAuthenticationMode.CLIENT_SECRET;
 import static tech.pegasys.web3signer.signing.config.AzureAuthenticationMode.USER_ASSIGNED_MANAGED_IDENTITY;
@@ -25,8 +25,8 @@ import tech.pegasys.teku.spec.ForkSchedule; import tech.pegasys.teku.spec.SpecMilestone; import tech.pegasys.teku.spec.networks.Eth2Network; -import tech.pegasys.web3signer.commandline.PicoCliAwsParameters; import tech.pegasys.web3signer.commandline.PicoCliEth2AzureKeyVaultParameters; +import tech.pegasys.web3signer.commandline.PicoCliSecretsMangerAwsParameters; import tech.pegasys.web3signer.commandline.PicoCliSlashingProtectionParameters; import tech.pegasys.web3signer.commandline.config.PicoKeystoresParameters; import tech.pegasys.web3signer.common.config.AwsAuthenticationMode; @@ -144,7 +144,7 @@ private static class NetworkCliCompletionCandidates extends ArrayList { @Mixin private PicoCliSlashingProtectionParameters slashingProtectionParameters; @Mixin private PicoCliEth2AzureKeyVaultParameters azureKeyVaultParameters; @Mixin private PicoKeystoresParameters keystoreParameters; - @Mixin private PicoCliAwsParameters awsSecretsManagerParameters; + @Mixin private PicoCliSecretsMangerAwsParameters awsSecretsManagerParameters; private tech.pegasys.teku.spec.Spec eth2Spec; public Eth2SubCommand() { @@ -339,7 +339,7 @@ public SlashingProtectionParameters getSlashingProtectionParameters() { } @VisibleForTesting - public PicoCliAwsParameters getAwsSecretsManagerParameters() { + public PicoCliSecretsMangerAwsParameters getAwsSecretsManagerParameters() { return awsSecretsManagerParameters; } diff --git a/commandline/src/test/java/tech/pegasys/web3signer/commandline/CommandlineParserTest.java b/commandline/src/test/java/tech/pegasys/web3signer/commandline/CommandlineParserTest.java index b1883ecd7..7ae18643a 100644 --- a/commandline/src/test/java/tech/pegasys/web3signer/commandline/CommandlineParserTest.java +++ b/commandline/src/test/java/tech/pegasys/web3signer/commandline/CommandlineParserTest.java 
@@ -15,14 +15,14 @@
 import static org.assertj.core.api.Assertions.assertThat;
 import static tech.pegasys.web3signer.CmdlineHelpers.removeFieldFrom;
 import static tech.pegasys.web3signer.CmdlineHelpers.validBaseCommandOptions;
-import static tech.pegasys.web3signer.commandline.PicoCliAwsParameters.AWS_SECRETS_ACCESS_KEY_ID_OPTION;
-import static tech.pegasys.web3signer.commandline.PicoCliAwsParameters.AWS_SECRETS_AUTH_MODE_OPTION;
-import static tech.pegasys.web3signer.commandline.PicoCliAwsParameters.AWS_SECRETS_ENABLED_OPTION;
-import static tech.pegasys.web3signer.commandline.PicoCliAwsParameters.AWS_SECRETS_PREFIXES_FILTER_OPTION;
-import static tech.pegasys.web3signer.commandline.PicoCliAwsParameters.AWS_SECRETS_REGION_OPTION;
-import static tech.pegasys.web3signer.commandline.PicoCliAwsParameters.AWS_SECRETS_SECRET_ACCESS_KEY_OPTION;
-import static tech.pegasys.web3signer.commandline.PicoCliAwsParameters.AWS_SECRETS_TAG_NAMES_FILTER_OPTION;
-import static tech.pegasys.web3signer.commandline.PicoCliAwsParameters.AWS_SECRETS_TAG_VALUES_FILTER_OPTION;
+import static tech.pegasys.web3signer.commandline.PicoCliSecretsMangerAwsParameters.AWS_SECRETS_ACCESS_KEY_ID_OPTION;
+import static tech.pegasys.web3signer.commandline.PicoCliSecretsMangerAwsParameters.AWS_SECRETS_AUTH_MODE_OPTION;
+import static tech.pegasys.web3signer.commandline.PicoCliSecretsMangerAwsParameters.AWS_SECRETS_ENABLED_OPTION;
+import static tech.pegasys.web3signer.commandline.PicoCliSecretsMangerAwsParameters.AWS_SECRETS_PREFIXES_FILTER_OPTION;
+import static tech.pegasys.web3signer.commandline.PicoCliSecretsMangerAwsParameters.AWS_SECRETS_REGION_OPTION;
+import static tech.pegasys.web3signer.commandline.PicoCliSecretsMangerAwsParameters.AWS_SECRETS_SECRET_ACCESS_KEY_OPTION;
+import static tech.pegasys.web3signer.commandline.PicoCliSecretsMangerAwsParameters.AWS_SECRETS_TAG_NAMES_FILTER_OPTION;
+import static tech.pegasys.web3signer.commandline.PicoCliSecretsMangerAwsParameters.AWS_SECRETS_TAG_VALUES_FILTER_OPTION;
 import tech.pegasys.web3signer.commandline.subcommands.Eth2SubCommand;
 import tech.pegasys.web3signer.common.config.AwsAuthenticationMode;
diff --git a/core/src/main/java/tech/pegasys/web3signer/core/Eth1Runner.java b/core/src/main/java/tech/pegasys/web3signer/core/Eth1Runner.java
index 388f72890..394f7d5d6 100644
--- a/core/src/main/java/tech/pegasys/web3signer/core/Eth1Runner.java
+++ b/core/src/main/java/tech/pegasys/web3signer/core/Eth1Runner.java
@@ -43,6 +43,7 @@
 import tech.pegasys.web3signer.signing.ArtifactSignerProvider;
 import tech.pegasys.web3signer.signing.EthSecpArtifactSigner;
 import tech.pegasys.web3signer.signing.SecpArtifactSignature;
+import tech.pegasys.web3signer.signing.bulkloading.SecpAwsBulkLoader;
 import tech.pegasys.web3signer.signing.bulkloading.SecpAzureBulkLoader;
 import tech.pegasys.web3signer.signing.config.AzureKeyVaultFactory;
 import tech.pegasys.web3signer.signing.config.AzureKeyVaultParameters;
@@ -55,6 +56,7 @@
 import tech.pegasys.web3signer.signing.config.metadata.parser.YamlSignerParser;
 import tech.pegasys.web3signer.signing.config.metadata.yubihsm.YubiHsmOpaqueDataProvider;
 import tech.pegasys.web3signer.signing.secp256k1.aws.AwsKmsSignerFactory;
+import tech.pegasys.web3signer.signing.secp256k1.aws.CachedAwsKmsClientFactory;
 import tech.pegasys.web3signer.signing.secp256k1.azure.AzureHttpClientFactory;
 import tech.pegasys.web3signer.signing.secp256k1.azure.AzureKeyVaultSignerFactory;
@@ -168,11 +170,21 @@ protected ArtifactSignerProvider createArtifactSignerProvider( registerClose(azureKeyVaultFactory::close); final AzureKeyVaultSignerFactory azureSignerFactory = new AzureKeyVaultSignerFactory(azureKeyVaultFactory, azureHttpClientFactory); - + final CachedAwsKmsClientFactory cachedAwsKmsClientFactory = + new CachedAwsKmsClientFactory(eth1Config.getAwsKmsClientCacheSize()); + final AwsKmsSignerFactory awsKmsSignerFactory = + new AwsKmsSignerFactory(cachedAwsKmsClientFactory, true); + signers.addAll( + loadSignersFromKeyConfigFiles( + vertx, azureKeyVaultFactory, azureSignerFactory, awsKmsSignerFactory) + .getValues()); signers.addAll( - loadSignersFromKeyConfigFiles(vertx, azureKeyVaultFactory, azureSignerFactory) + bulkLoadSigners( + azureKeyVaultFactory, + azureSignerFactory, + cachedAwsKmsClientFactory, + awsKmsSignerFactory) .getValues()); - signers.addAll(bulkLoadSigners(azureKeyVaultFactory, azureSignerFactory).getValues()); return signers; }); } @@ -180,11 +192,9 @@ protected ArtifactSignerProvider createArtifactSignerProvider( private MappedResults loadSignersFromKeyConfigFiles( final Vertx vertx, final AzureKeyVaultFactory azureKeyVaultFactory, - final AzureKeyVaultSignerFactory azureSignerFactory) { + final AzureKeyVaultSignerFactory azureSignerFactory, + final AwsKmsSignerFactory awsKmsSignerFactory) { final HashicorpConnectionFactory hashicorpConnectionFactory = new HashicorpConnectionFactory(); - final boolean applySha3Hash = true; - final AwsKmsSignerFactory awsKmsSignerFactory = - new AwsKmsSignerFactory(eth1Config.getAwsKmsClientCacheSize(), applySha3Hash); try (final InterlockKeyProvider interlockKeyProvider = new InterlockKeyProvider(vertx); final YubiHsmOpaqueDataProvider yubiHsmOpaqueDataProvider = new YubiHsmOpaqueDataProvider()) { 
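Review bot: `new AwsKmsSignerFactory(cachedAwsKmsClientFactory, true)` passes a bare boolean where the removed lines in the next hunk (and FilecoinRunner in this same commit) name it `applySha3Hash`; restore `final boolean applySha3Hash = true;` and pass that local so the eth1/filecoin difference stays readable at the call site. The enclosing `createArtifactSignerProvider` begins outside the hunk.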
@@ -213,7 +223,9 @@ private MappedResults loadSignersFromKeyConfigFiles( private MappedResults bulkLoadSigners( final AzureKeyVaultFactory azureKeyVaultFactory, - final AzureKeyVaultSignerFactory azureSignerFactory) { + final AzureKeyVaultSignerFactory azureSignerFactory, + final CachedAwsKmsClientFactory cachedAwsKmsClientFactory, + final AwsKmsSignerFactory awsKmsSignerFactory) { final AzureKeyVaultParameters azureKeyVaultConfig = eth1Config.getAzureKeyVaultConfig(); if (azureKeyVaultConfig.isAzureKeyVaultEnabled()) { LOG.info("Bulk loading keys from Azure key vault ... "); @@ -234,9 +246,22 @@ private MappedResults bulkLoadSigners( azureResult.getErrorCount()); registerSignerLoadingHealthCheck(KEYS_CHECK_AZURE_BULK_LOADING, azureResult); return azureResult; - } else { - return MappedResults.newSetInstance(); } + if (eth1Config.getAwsParameters().isEnabled()) { + LOG.info("Bulk loading keys from AWS KMS key vault ... "); + final SecpAwsBulkLoader secpAwsBulkLoader = + new SecpAwsBulkLoader(cachedAwsKmsClientFactory, awsKmsSignerFactory); + final MappedResults awsResult = + secpAwsBulkLoader.load(eth1Config.getAwsParameters()); + LOG.info( + "Keys loaded from AWS: [{}], with error count: [{}]", + awsResult.getValues().size(), + awsResult.getErrorCount()); + registerSignerLoadingHealthCheck(KEYS_CHECK_AZURE_BULK_LOADING, awsResult); + return awsResult; + } + + return MappedResults.newSetInstance(); } private String formatSecpSignature(final SecpArtifactSignature signature) { diff --git a/core/src/main/java/tech/pegasys/web3signer/core/FilecoinRunner.java b/core/src/main/java/tech/pegasys/web3signer/core/FilecoinRunner.java index cd78b5490..0071b74d9 100644 --- a/core/src/main/java/tech/pegasys/web3signer/core/FilecoinRunner.java +++ b/core/src/main/java/tech/pegasys/web3signer/core/FilecoinRunner.java 
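Review bot: The new AWS branch registers its result under `KEYS_CHECK_AZURE_BULK_LOADING`, so a failed AWS KMS bulk load is reported by the health check as an Azure failure and an operator reading the eth1 health endpoint is pointed at the wrong vendor; it needs its own key, e.g. `registerSignerLoadingHealthCheck(KEYS_CHECK_AWS_BULK_LOADING, awsResult);` with that constant defined next to the Azure one. Separately, the Azure branch still `return`s before the AWS check, so with both Azure and `--aws-kms-enabled` configured the AWS keys are silently never loaded; if only one bulk source is supported that should be documented in `bulkLoadSigners` and rejected at CLI validation rather than dropped quietly. The log line `"Bulk loading keys from AWS KMS key vault ... "` should also say `"AWS KMS"` rather than borrowing the Azure "key vault" wording.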
@@ -39,6 +39,7 @@ import tech.pegasys.web3signer.signing.config.metadata.yubihsm.YubiHsmOpaqueDataProvider; import tech.pegasys.web3signer.signing.filecoin.FilecoinNetwork; import tech.pegasys.web3signer.signing.secp256k1.aws.AwsKmsSignerFactory; +import tech.pegasys.web3signer.signing.secp256k1.aws.CachedAwsKmsClientFactory; import tech.pegasys.web3signer.signing.secp256k1.azure.AzureHttpClientFactory; import tech.pegasys.web3signer.signing.secp256k1.azure.AzureKeyVaultSignerFactory; @@ -117,9 +118,11 @@ protected ArtifactSignerProvider createArtifactSignerProvider( final AzureHttpClientFactory azureHttpClientFactory = new AzureHttpClientFactory(); final AzureKeyVaultSignerFactory azureSignerFactory = new AzureKeyVaultSignerFactory(azureKeyVaultFactory, azureHttpClientFactory); + final CachedAwsKmsClientFactory cachedAwsKmsClientFactory = + new CachedAwsKmsClientFactory(awsKmsClientCacheSize); final boolean applySha3Hash = false; final AwsKmsSignerFactory awsKmsSignerFactory = - new AwsKmsSignerFactory(awsKmsClientCacheSize, applySha3Hash); + new AwsKmsSignerFactory(cachedAwsKmsClientFactory, applySha3Hash); try (final HashicorpConnectionFactory hashicorpConnectionFactory = new HashicorpConnectionFactory(); diff --git a/signing/src/main/java/tech/pegasys/web3signer/signing/config/AwsParameters.java b/signing/src/main/java/tech/pegasys/web3signer/signing/config/AwsParameters.java index 034959121..2d2d01669 100644 --- a/signing/src/main/java/tech/pegasys/web3signer/signing/config/AwsParameters.java +++ b/signing/src/main/java/tech/pegasys/web3signer/signing/config/AwsParameters.java @@ -30,6 +30,8 @@ public interface AwsParameters { String getRegion(); + // TODO JF change the defaults to throw unsupported operation exceptions? + default long getCacheMaximumSize() { return 1; } 
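Review bot: The `// TODO JF change the defaults to throw unsupported operation exceptions?` added above `getCacheMaximumSize()` in the AwsParameters hunk leaves an open design question in a public interface under an author's initials, and the `default long getCacheMaximumSize() { return 1; }` it refers to means any implementation that forgets to override it quietly gets a single cached client. Either settle the question before merge, or replace the comment with a tracked reference such as `// TODO(#<issue-id placeholder>): decide whether these defaults should throw UnsupportedOperationException` and state the default of 1 in the method's Javadoc so implementers see it.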
diff --git a/signing/src/main/java/tech/pegasys/web3signer/signing/secp256k1/aws/AwsKmsSignerFactory.java b/signing/src/main/java/tech/pegasys/web3signer/signing/secp256k1/aws/AwsKmsSignerFactory.java index 5f569904d..1ef18a588 100644 --- a/signing/src/main/java/tech/pegasys/web3signer/signing/secp256k1/aws/AwsKmsSignerFactory.java +++ b/signing/src/main/java/tech/pegasys/web3signer/signing/secp256k1/aws/AwsKmsSignerFactory.java @@ -25,21 +25,19 @@ /** A Signer factory that create an instance of `Signer` type backed by AWS KMS. */ public class AwsKmsSignerFactory { - private final CachedAwsKmsClientFactory factory; - + private final CachedAwsKmsClientFactory cachedAwsKmsClientFactory; private final boolean applySha3Hash; /** * Construct AwsKmsSignerFactory * - * @param kmsClientCacheSize The cache size of AWS kms clients. This size should be set based on - * the number of credentials/region used. If same set of credentials/region used to access - * kms, set to 1. + * @param cachedAwsKmsClientFactory The cached AWS KMS client factory used to provide cached AWS + * KMS clients. * @param applySha3Hash Set to true for eth1 signing. Set false for filecoin signing. */ - public AwsKmsSignerFactory(final long kmsClientCacheSize, final boolean applySha3Hash) { - checkArgument(kmsClientCacheSize > 0, "Kms client cache Size must be positive."); - factory = new CachedAwsKmsClientFactory(kmsClientCacheSize); + public AwsKmsSignerFactory( + final CachedAwsKmsClientFactory cachedAwsKmsClientFactory, final boolean applySha3Hash) { + this.cachedAwsKmsClientFactory = cachedAwsKmsClientFactory; this.applySha3Hash = applySha3Hash; } @@ -51,7 +49,7 @@ public Signer createSigner(final AwsKmsMetadata awsKmsMetadata) { awsKmsMetadata.getAuthenticationMode(), awsKmsMetadata.getAwsCredentials()); final AwsKmsClient kmsClient = - factory.createKmsClient( + cachedAwsKmsClientFactory.createKmsClient( awsCredentialsProvider, awsKmsMetadata.getRegion(), awsKmsMetadata.getEndpointOverride()); 
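Review bot: The new constructor in the `@@ -25,21 +25,19 @@` hunk stores `cachedAwsKmsClientFactory` without validating it, while the constructor it replaces checked its input with `checkArgument(kmsClientCacheSize > 0, ...)`; a null factory now only fails later inside `createSigner`. Use `this.cachedAwsKmsClientFactory = Objects.requireNonNull(cachedAwsKmsClientFactory, "cachedAwsKmsClientFactory");`. The positive-cache-size precondition has also left this class; unless `CachedAwsKmsClientFactory`'s constructor enforces it (not visible in this diff), a zero `--aws-connection-cache-size` would now be accepted, so confirm where that check lives and mention it in the `@param cachedAwsKmsClientFactory` Javadoc.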
diff --git a/signing/src/test/java/tech/pegasys/web3signer/signing/secp256k1/aws/AwsKmsSignerTest.java b/signing/src/test/java/tech/pegasys/web3signer/signing/secp256k1/aws/AwsKmsSignerTest.java index 66d99b569..527c3e854 100644 --- a/signing/src/test/java/tech/pegasys/web3signer/signing/secp256k1/aws/AwsKmsSignerTest.java +++ b/signing/src/test/java/tech/pegasys/web3signer/signing/secp256k1/aws/AwsKmsSignerTest.java @@ -111,8 +111,11 @@ void awsSignatureCanBeVerified() throws SignatureException { ENDPOINT_OVERRIDE); final long kmsClientCacheSize = 1; final boolean applySha3Hash = true; + final CachedAwsKmsClientFactory cachedAwsKmsClientFactory = + new CachedAwsKmsClientFactory(kmsClientCacheSize); final Signer signer = - new AwsKmsSignerFactory(kmsClientCacheSize, applySha3Hash).createSigner(awsKmsMetadata); + new AwsKmsSignerFactory(cachedAwsKmsClientFactory, applySha3Hash) + .createSigner(awsKmsMetadata); final BigInteger publicKey = Numeric.toBigInt(EthPublicKeyUtils.toByteArray(signer.getPublicKey())); From c63fde99b2a1256ba48a74f321679f914cc1a399 Mon Sep 17 00:00:00 2001 
From: Jason Frame Date: Thu, 31 Aug 2023 11:33:48 +1000 Subject: [PATCH 08/21] acceptance tests for Aws Kms --- .../dsl/signer/SignerConfiguration.java | 2 +- .../signer/SignerConfigurationBuilder.java | 3 +- .../runner/CmdLineParamsConfigFileImpl.java | 86 ++++++- .../runner/CmdLineParamsDefaultImpl.java | 61 ++++- .../dsl/signer/runner/Web3SignerRunner.java | 14 +- .../bulkloading/AwsKmsAcceptanceTest.java | 235 ++++++++++++++++++ .../AwsSecretsManagerAcceptanceTest.java | 12 +- ...ecretsManagerMultiValueAcceptanceTest.java | 4 +- ...cretsManagerPerformanceAcceptanceTest.java | 4 +- .../commandline/PicoCliKmsAwsParameters.java | 3 +- .../jsonrpcproxy/support/TestEth1Config.java | 2 +- .../pegasys/web3signer/core/Eth1Runner.java | 3 +- .../signing/secp256k1/aws/AwsKmsClient.java | 10 + .../tech/pegasys/web3signer/AwsKmsUtil.java | 4 +- .../signing/config/AwsParametersBuilder.java | 2 +- 15 files changed, 412 insertions(+), 33 deletions(-) create mode 100644 acceptance-tests/src/test/java/tech/pegasys/web3signer/tests/bulkloading/AwsKmsAcceptanceTest.java diff --git a/acceptance-tests/src/test/java/tech/pegasys/web3signer/dsl/signer/SignerConfiguration.java b/acceptance-tests/src/test/java/tech/pegasys/web3signer/dsl/signer/SignerConfiguration.java index 29f95ef0d..32b7c5156 100644 --- a/acceptance-tests/src/test/java/tech/pegasys/web3signer/dsl/signer/SignerConfiguration.java +++ b/acceptance-tests/src/test/java/tech/pegasys/web3signer/dsl/signer/SignerConfiguration.java @@ -218,7 +218,7 @@ public Optional getAzureKeyVaultParameters() { return azureKeyVaultParameters; } - public Optional getAwsSecretsManagerParameters() { + public Optional getAwsParameters() { return awsSecretsManagerParameters; } diff --git a/acceptance-tests/src/test/java/tech/pegasys/web3signer/dsl/signer/SignerConfigurationBuilder.java b/acceptance-tests/src/test/java/tech/pegasys/web3signer/dsl/signer/SignerConfigurationBuilder.java index 57d333865..3862da234 100644 
--- a/acceptance-tests/src/test/java/tech/pegasys/web3signer/dsl/signer/SignerConfigurationBuilder.java +++ b/acceptance-tests/src/test/java/tech/pegasys/web3signer/dsl/signer/SignerConfigurationBuilder.java @@ -141,8 +141,7 @@ public SignerConfigurationBuilder withAzureKeyVaultParameters( return this; } - public SignerConfigurationBuilder withAwsSecretsManagerParameters( - final AwsParameters awsParameters) { + public SignerConfigurationBuilder withAwsParameters(final AwsParameters awsParameters) { this.awsParameters = awsParameters; return this; } diff --git a/acceptance-tests/src/test/java/tech/pegasys/web3signer/dsl/signer/runner/CmdLineParamsConfigFileImpl.java b/acceptance-tests/src/test/java/tech/pegasys/web3signer/dsl/signer/runner/CmdLineParamsConfigFileImpl.java index 765aa2fa9..ee0fa711d 100644 --- a/acceptance-tests/src/test/java/tech/pegasys/web3signer/dsl/signer/runner/CmdLineParamsConfigFileImpl.java +++ b/acceptance-tests/src/test/java/tech/pegasys/web3signer/dsl/signer/runner/CmdLineParamsConfigFileImpl.java 
@@ -12,6 +12,13 @@ */ package tech.pegasys.web3signer.dsl.signer.runner; +import static tech.pegasys.web3signer.commandline.PicoCliKmsAwsParameters.AWS_KMS_ACCESS_KEY_ID_OPTION; +import static tech.pegasys.web3signer.commandline.PicoCliKmsAwsParameters.AWS_KMS_AUTH_MODE_OPTION; +import static tech.pegasys.web3signer.commandline.PicoCliKmsAwsParameters.AWS_KMS_ENABLED_OPTION; +import static tech.pegasys.web3signer.commandline.PicoCliKmsAwsParameters.AWS_KMS_REGION_OPTION; +import static tech.pegasys.web3signer.commandline.PicoCliKmsAwsParameters.AWS_KMS_SECRET_ACCESS_KEY_OPTION; +import static tech.pegasys.web3signer.commandline.PicoCliKmsAwsParameters.AWS_KMS_TAG_NAMES_FILTER_OPTION; +import static tech.pegasys.web3signer.commandline.PicoCliKmsAwsParameters.AWS_KMS_TAG_VALUES_FILTER_OPTION; import static tech.pegasys.web3signer.commandline.PicoCliSecretsMangerAwsParameters.AWS_ENDPOINT_OVERRIDE_OPTION; import static tech.pegasys.web3signer.commandline.PicoCliSecretsMangerAwsParameters.AWS_SECRETS_ACCESS_KEY_ID_OPTION; import static tech.pegasys.web3signer.commandline.PicoCliSecretsMangerAwsParameters.AWS_SECRETS_AUTH_MODE_OPTION; @@ -139,8 +146,9 @@ public List createCmdLineParams() { } signerConfig - .getAwsSecretsManagerParameters() - .ifPresent(awsParams -> yamlConfig.append(awsBulkLoadingOptions(awsParams))); + .getAwsParameters() + .ifPresent( + awsParams -> yamlConfig.append(awsSecretsManagerBulkLoadingOptions(awsParams))); final CommandArgs subCommandArgs = createSubCommandArgs(); params.addAll(subCommandArgs.params); @@ -152,6 +160,10 @@ public List createCmdLineParams() { yamlConfig.append( String.format(YAML_NUMERIC_FMT, "eth1.chain-id", signerConfig.getChainIdProvider().id())); yamlConfig.append(createDownstreamTlsArgs()); + + signerConfig + .getAwsParameters() + .ifPresent(awsParams -> yamlConfig.append(awsKmsBulkLoadingOptions(awsParams))); } signerConfig 
@@ -441,7 +453,7 @@ private String createEth2SlashingProtectionArgs() { return yamlConfig.toString(); } - private String awsBulkLoadingOptions(final AwsParameters awsParameters) { + private String awsSecretsManagerBulkLoadingOptions(final AwsParameters awsParameters) { final StringBuilder yamlConfig = new StringBuilder(); yamlConfig.append( 
@@ -517,6 +529,74 @@ private String awsBulkLoadingOptions(final AwsParameters awsParameters) { return yamlConfig.toString(); } + private String awsKmsBulkLoadingOptions(final AwsParameters awsParameters) { + final StringBuilder yamlConfig = new StringBuilder(); + + yamlConfig.append( + String.format( + YAML_BOOLEAN_FMT, + "eth1." + AWS_KMS_ENABLED_OPTION.substring(2), + awsParameters.isEnabled())); + + yamlConfig.append( + String.format( + YAML_STRING_FMT, + "eth1." + AWS_KMS_AUTH_MODE_OPTION.substring(2), + awsParameters.getAuthenticationMode().name())); + + if (awsParameters.getAccessKeyId() != null) { + yamlConfig.append( + String.format( + YAML_STRING_FMT, + "eth1." + AWS_KMS_ACCESS_KEY_ID_OPTION.substring(2), + awsParameters.getAccessKeyId())); + } + + if (awsParameters.getSecretAccessKey() != null) { + yamlConfig.append( + String.format( + YAML_STRING_FMT, + "eth1." + AWS_KMS_SECRET_ACCESS_KEY_OPTION.substring(2), + awsParameters.getSecretAccessKey())); + } + + if (awsParameters.getRegion() != null) { + yamlConfig.append( + String.format( + YAML_STRING_FMT, + "eth1." + AWS_KMS_REGION_OPTION.substring(2), + awsParameters.getRegion())); + } + + if (!awsParameters.getTagNamesFilter().isEmpty()) { + yamlConfig.append( + String.format( + YAML_STRING_FMT, + "eth1." + AWS_KMS_TAG_NAMES_FILTER_OPTION.substring(2), + String.join(",", awsParameters.getTagNamesFilter()))); + } + + if (!awsParameters.getTagValuesFilter().isEmpty()) { + yamlConfig.append( + String.format( + YAML_STRING_FMT, + "eth1." + AWS_KMS_TAG_VALUES_FILTER_OPTION.substring(2), + String.join(",", awsParameters.getTagValuesFilter()))); + } + + awsParameters + .getEndpointOverride() + .ifPresent( + uri -> + yamlConfig.append( + String.format( + YAML_STRING_FMT, + "eth1." + AWS_ENDPOINT_OVERRIDE_OPTION.substring(2), + uri))); + + return yamlConfig.toString(); + } + private String formatStringList(final String key, final List stringList) { return stringList.isEmpty() ? String.format("%s: []%n", key) 
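Review bot: `awsKmsBulkLoadingOptions` writes the tag filters as `String.join(",", ...)` through `YAML_STRING_FMT`, although the file already has a `formatStringList` helper (visible at the end of this hunk) that emits a proper YAML list and handles the empty case; a comma-joined scalar depends on the option splitting on commas and breaks for any tag value that contains one. Use `yamlConfig.append(formatStringList("eth1." + AWS_KMS_TAG_NAMES_FILTER_OPTION.substring(2), awsParameters.getTagNamesFilter()));` and the same for the tag values. The `awsKmsBulkLoadingOptions` in the CmdLineParamsDefaultImpl hunk (`@@ -325,6 +336,50 @@`) uses the same join; whether that form is right for the CLI depends on the picocli option's split setting, which is not in this diff. Note also that with `useConfigFile` the secret access key ends up in the generated YAML file, so the harness that creates that file (outside this hunk) should give it restrictive permissions and delete it after the run.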
diff --git a/acceptance-tests/src/test/java/tech/pegasys/web3signer/dsl/signer/runner/CmdLineParamsDefaultImpl.java b/acceptance-tests/src/test/java/tech/pegasys/web3signer/dsl/signer/runner/CmdLineParamsDefaultImpl.java index 1b858bf52..3ceec8ae0 100644 --- a/acceptance-tests/src/test/java/tech/pegasys/web3signer/dsl/signer/runner/CmdLineParamsDefaultImpl.java +++ b/acceptance-tests/src/test/java/tech/pegasys/web3signer/dsl/signer/runner/CmdLineParamsDefaultImpl.java @@ -12,6 +12,13 @@ */ package tech.pegasys.web3signer.dsl.signer.runner; +import static tech.pegasys.web3signer.commandline.PicoCliKmsAwsParameters.AWS_KMS_ACCESS_KEY_ID_OPTION; +import static tech.pegasys.web3signer.commandline.PicoCliKmsAwsParameters.AWS_KMS_AUTH_MODE_OPTION; +import static tech.pegasys.web3signer.commandline.PicoCliKmsAwsParameters.AWS_KMS_ENABLED_OPTION; +import static tech.pegasys.web3signer.commandline.PicoCliKmsAwsParameters.AWS_KMS_REGION_OPTION; +import static tech.pegasys.web3signer.commandline.PicoCliKmsAwsParameters.AWS_KMS_SECRET_ACCESS_KEY_OPTION; +import static tech.pegasys.web3signer.commandline.PicoCliKmsAwsParameters.AWS_KMS_TAG_NAMES_FILTER_OPTION; +import static tech.pegasys.web3signer.commandline.PicoCliKmsAwsParameters.AWS_KMS_TAG_VALUES_FILTER_OPTION; import static tech.pegasys.web3signer.commandline.PicoCliSecretsMangerAwsParameters.AWS_ENDPOINT_OVERRIDE_OPTION; import static tech.pegasys.web3signer.commandline.PicoCliSecretsMangerAwsParameters.AWS_SECRETS_ACCESS_KEY_ID_OPTION; import static tech.pegasys.web3signer.commandline.PicoCliSecretsMangerAwsParameters.AWS_SECRETS_AUTH_MODE_OPTION; 
@@ -116,8 +123,8 @@ public List createCmdLineParams() { } signerConfig - .getAwsSecretsManagerParameters() - .ifPresent(awsParams -> params.addAll(awsBulkLoadingOptions(awsParams))); + .getAwsParameters() + .ifPresent(awsParams -> params.addAll(awsSecretsManagerBulkLoadingOptions(awsParams))); } else if (signerConfig.getMode().equals("eth1")) { params.add("--downstream-http-port"); params.add(Integer.toString(signerConfig.getDownstreamHttpPort())); @@ -128,6 +135,9 @@ public List createCmdLineParams() { if (signerConfig.getAzureKeyVaultParameters().isPresent()) { createAzureArgs(params); } + signerConfig + .getAwsParameters() + .ifPresent(awsParams -> params.addAll(awsKmsBulkLoadingOptions(awsParams))); } return params; @@ -276,7 +286,8 @@ private Collection createEth2Args() { return params; } - private Collection awsBulkLoadingOptions(final AwsParameters awsParameters) { + private Collection awsSecretsManagerBulkLoadingOptions( + final AwsParameters awsParameters) { final List params = new ArrayList<>(); params.add(AWS_SECRETS_ENABLED_OPTION + "=" + awsParameters.isEnabled()); 
@@ -325,6 +336,50 @@ private Collection awsBulkLoadingOptions(final AwsParameters awsParamete return params; } + private Collection awsKmsBulkLoadingOptions(final AwsParameters awsParameters) { + final List params = new ArrayList<>(); + + params.add(AWS_KMS_ENABLED_OPTION + "=" + awsParameters.isEnabled()); + + params.add(AWS_KMS_AUTH_MODE_OPTION); + params.add(awsParameters.getAuthenticationMode().name()); + + if (awsParameters.getAccessKeyId() != null) { + params.add(AWS_KMS_ACCESS_KEY_ID_OPTION); + params.add(awsParameters.getAccessKeyId()); + } + + if (awsParameters.getSecretAccessKey() != null) { + params.add(AWS_KMS_SECRET_ACCESS_KEY_OPTION); + params.add(awsParameters.getSecretAccessKey()); + } + + if (awsParameters.getRegion() != null) { + params.add(AWS_KMS_REGION_OPTION); + params.add(awsParameters.getRegion()); + } + + awsParameters + .getEndpointOverride() + .ifPresent( + uri -> { + params.add(AWS_ENDPOINT_OVERRIDE_OPTION); + params.add(uri.toString()); + }); + + if (!awsParameters.getTagNamesFilter().isEmpty()) { + params.add(AWS_KMS_TAG_NAMES_FILTER_OPTION); + params.add(String.join(",", awsParameters.getTagNamesFilter())); + } + + if (!awsParameters.getTagValuesFilter().isEmpty()) { + params.add(AWS_KMS_TAG_VALUES_FILTER_OPTION); + params.add(String.join(",", awsParameters.getTagValuesFilter())); + } + + return params; + } + private void createAzureArgs(final List params) { final AzureKeyVaultParameters azureParams = signerConfig.getAzureKeyVaultParameters().get(); params.add("--azure-vault-enabled=true"); diff --git a/acceptance-tests/src/test/java/tech/pegasys/web3signer/dsl/signer/runner/Web3SignerRunner.java b/acceptance-tests/src/test/java/tech/pegasys/web3signer/dsl/signer/runner/Web3SignerRunner.java index 2a612bd80..03baedc13 100644 --- a/acceptance-tests/src/test/java/tech/pegasys/web3signer/dsl/signer/runner/Web3SignerRunner.java +++ b/acceptance-tests/src/test/java/tech/pegasys/web3signer/dsl/signer/runner/Web3SignerRunner.java 
@@ -48,13 +48,13 @@ public abstract class Web3SignerRunner { private static final String METRICS_PORT_KEY = "metrics-port"; public static Web3SignerRunner createRunner(final SignerConfiguration signerConfig) { - if (Boolean.getBoolean("acctests.runWeb3SignerAsProcess")) { - LOG.info("Web3Signer running as a process."); - return new Web3SignerProcessRunner(signerConfig); - } else { - LOG.info("Web3Signer running in a thread."); - return new Web3SignerThreadRunner(signerConfig); - } + // if (Boolean.getBoolean("acctests.runWeb3SignerAsProcess")) { + // LOG.info("Web3Signer running as a process."); + // return new Web3SignerProcessRunner(signerConfig); + // } else { + LOG.info("Web3Signer running in a thread."); + return new Web3SignerThreadRunner(signerConfig); + // } } protected Web3SignerRunner(final SignerConfiguration signerConfig) { diff --git a/acceptance-tests/src/test/java/tech/pegasys/web3signer/tests/bulkloading/AwsKmsAcceptanceTest.java b/acceptance-tests/src/test/java/tech/pegasys/web3signer/tests/bulkloading/AwsKmsAcceptanceTest.java new file mode 100644 index 000000000..fe2e55e74 --- /dev/null +++ b/acceptance-tests/src/test/java/tech/pegasys/web3signer/tests/bulkloading/AwsKmsAcceptanceTest.java 
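Review bot: `createRunner` now ignores the `acctests.runWeb3SignerAsProcess` system property, because the process-runner branch is commented out rather than removed, so a caller who sets it gets the thread runner with no indication. If process mode is being disabled temporarily, delete the commented lines and make the method say so, e.g. `if (Boolean.getBoolean("acctests.runWeb3SignerAsProcess")) { LOG.warn("acctests.runWeb3SignerAsProcess is currently ignored; running in a thread."); }`; otherwise restore the branch before merge. Commented-out code is also what most linters flag first.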
@@ -0,0 +1,235 @@ +/* + * Copyright 2022 ConsenSys AG. + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on + * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the + * specific language governing permissions and limitations under the License. + */ +package tech.pegasys.web3signer.tests.bulkloading; + +import static org.assertj.core.api.Assertions.assertThat; +import static org.hamcrest.Matchers.containsInAnyOrder; +import static org.hamcrest.Matchers.hasSize; +import static org.hamcrest.core.IsEqual.equalTo; + +import tech.pegasys.web3signer.AwsKmsUtil; +import tech.pegasys.web3signer.common.config.AwsAuthenticationMode; +import tech.pegasys.web3signer.dsl.signer.SignerConfigurationBuilder; +import tech.pegasys.web3signer.signing.KeyType; +import tech.pegasys.web3signer.signing.config.AwsParameters; +import tech.pegasys.web3signer.signing.config.AwsParametersBuilder; +import tech.pegasys.web3signer.signing.secp256k1.EthPublicKeyUtils; +import tech.pegasys.web3signer.tests.AcceptanceTestBase; + +import java.net.URI; +import java.security.interfaces.ECPublicKey; +import java.util.ArrayList; +import java.util.List; +import java.util.Map; +import java.util.Optional; + +import io.restassured.http.ContentType; +import io.restassured.response.Response; +import io.vertx.core.json.JsonObject; +import org.apache.logging.log4j.LogManager; +import org.apache.logging.log4j.Logger; +import org.junit.jupiter.api.AfterAll; +import org.junit.jupiter.api.BeforeAll; +import org.junit.jupiter.api.Test; +import org.junit.jupiter.api.TestInstance; +import org.junit.jupiter.api.condition.EnabledIfEnvironmentVariable; +import 
org.junit.jupiter.params.ParameterizedTest; +import org.junit.jupiter.params.provider.ValueSource; + +@EnabledIfEnvironmentVariable( + named = "RW_AWS_ACCESS_KEY_ID", + matches = ".*", + disabledReason = "RW_AWS_ACCESS_KEY_ID env variable is required") +@EnabledIfEnvironmentVariable( + named = "RW_AWS_SECRET_ACCESS_KEY", + matches = ".*", + disabledReason = "RW_AWS_SECRET_ACCESS_KEY env variable is required") +@EnabledIfEnvironmentVariable( + named = "AWS_ACCESS_KEY_ID", + matches = ".*", + disabledReason = "AWS_ACCESS_KEY_ID env variable is required") +@EnabledIfEnvironmentVariable( + named = "AWS_SECRET_ACCESS_KEY", + matches = ".*", + disabledReason = "AWS_SECRET_ACCESS_KEY env variable is required") +@EnabledIfEnvironmentVariable( + named = "AWS_REGION", + matches = ".*", + disabledReason = "AWS_REGION env variable is required") +@TestInstance(TestInstance.Lifecycle.PER_CLASS) // same instance is shared across test methods +public class AwsKmsAcceptanceTest extends AcceptanceTestBase { + private static final Logger LOG = LogManager.getLogger(); + private static final String RW_AWS_ACCESS_KEY_ID = System.getenv("RW_AWS_ACCESS_KEY_ID"); + private static final String RW_AWS_SECRET_ACCESS_KEY = System.getenv("RW_AWS_SECRET_ACCESS_KEY"); + private static final String RO_AWS_ACCESS_KEY_ID = System.getenv("AWS_ACCESS_KEY_ID"); + private static final String RO_AWS_SECRET_ACCESS_KEY = System.getenv("AWS_SECRET_ACCESS_KEY"); + private static final String AWS_REGION = + Optional.ofNullable(System.getenv("AWS_REGION")).orElse("us-east-2"); + + // can be pointed to localstack + private final Optional awsEndpointOverride = + System.getenv("AWS_ENDPOINT_OVERRIDE") != null + ? 
Optional.of(URI.create(System.getenv("AWS_ENDPOINT_OVERRIDE"))) + : Optional.empty(); + private AwsKmsUtil awsSecretsManagerUtil; + + public record Key(String keyId, String publicKey) {} + + private final List keys = new ArrayList<>(); + + @BeforeAll + void setupAwsResources() { + awsSecretsManagerUtil = + new AwsKmsUtil( + AWS_REGION, + RW_AWS_ACCESS_KEY_ID, + RW_AWS_SECRET_ACCESS_KEY, + Optional.empty(), + awsEndpointOverride); + + for (int i = 0; i < 4; i++) { + final String keyId = awsSecretsManagerUtil.createKey(Map.of("TagName" + i, "TagValue" + i)); + final ECPublicKey publicKey = awsSecretsManagerUtil.publicKey(keyId); + keys.add(new Key(keyId, EthPublicKeyUtils.toHexString(publicKey))); + } + } + + @ParameterizedTest(name = "{index} - Using config file: {0}") + @ValueSource(booleans = {true, false}) + void keysAreLoadedFromAwsKmsAndReportedByPublicApi(final boolean useConfigFile) { + final AwsParameters awsParameters = + AwsParametersBuilder.anAwsParameters() + .withAuthenticationMode(AwsAuthenticationMode.SPECIFIED) + .withRegion(AWS_REGION) + .withAccessKeyId(RO_AWS_ACCESS_KEY_ID) + .withSecretAccessKey(RO_AWS_SECRET_ACCESS_KEY) + .withTagNamesFilter(List.of("TagName0", "TagName1")) + .withTagValuesFilter(List.of("TagValue0", "TagValue1", "TagValue2")) + .withEndpointOverride(awsEndpointOverride) + .build(); + + final SignerConfigurationBuilder configBuilder = + new SignerConfigurationBuilder() + .withUseConfigFile(useConfigFile) + .withMode("eth1") + .withAwsParameters(awsParameters); + + startSigner(configBuilder.build()); + + final Response response = signer.callApiPublicKeys(KeyType.SECP256K1); + response + .then() + .statusCode(200) + .contentType(ContentType.JSON) + .body("", containsInAnyOrder(keys.get(0).publicKey(), keys.get(1).publicKey())); + + final Response healthcheckResponse = signer.healthcheck(); + healthcheckResponse + .then() + .statusCode(200) + .contentType(ContentType.JSON) + .body("status", equalTo("UP")); + + final String jsonBody 
= healthcheckResponse.body().asString(); + final int keysLoaded = getAwsBulkLoadingData(jsonBody, "keys-loaded"); + assertThat(keysLoaded).isEqualTo(2); + } + + @Test + void healthCheckErrorCountWhenInvalidCredentialsAreUsed() { + final boolean useConfigFile = false; + final AwsParameters invalidCredsParams = + AwsParametersBuilder.anAwsParameters() + .withAuthenticationMode(AwsAuthenticationMode.SPECIFIED) + .withRegion("us-east-2") + .withAccessKeyId("invalid") + .withSecretAccessKey("invalid") + .withPrefixesFilter(List.of("shouldNotExist/")) + .withEndpointOverride(Optional.empty()) + .build(); + + final SignerConfigurationBuilder configBuilder = + new SignerConfigurationBuilder() + .withUseConfigFile(useConfigFile) + .withMode("eth1") + .withAwsParameters(invalidCredsParams); + + startSigner(configBuilder.build()); + + final String healthCheckJsonBody = signer.healthcheck().body().asString(); + + int keysLoaded = getAwsBulkLoadingData(healthCheckJsonBody, "keys-loaded"); + int errorCount = getAwsBulkLoadingData(healthCheckJsonBody, "error-count"); + + assertThat(keysLoaded).isEqualTo(0); + assertThat(errorCount).isEqualTo(1); + assertThat(new JsonObject(healthCheckJsonBody).getString("status")).isEqualTo("DOWN"); + } + + private static int getAwsBulkLoadingData(String healthCheckJsonBody, String dataKey) { + final JsonObject jsonObject = new JsonObject(healthCheckJsonBody); + return jsonObject.getJsonArray("checks").stream() + .filter(o -> "keys-check".equals(((JsonObject) o).getString("id"))) + .flatMap(o -> ((JsonObject) o).getJsonArray("checks").stream()) + .filter(o -> "aws-bulk-loading".equals(((JsonObject) o).getString("id"))) + .mapToInt(o -> ((JsonObject) ((JsonObject) o).getValue("data")).getInteger(dataKey)) + .findFirst() + .orElse(-1); + } + + @ParameterizedTest(name = "{index} - Using config file: {0}") + @ValueSource(booleans = {true, false}) + void keysAreLoadedFromAwsKmsWithEnvironmentAuthModeAndReportedByPublicApi( + final boolean 
useConfigFile) { + final AwsParameters awsParameters = + AwsParametersBuilder.anAwsParameters() + .withAuthenticationMode(AwsAuthenticationMode.ENVIRONMENT) + .withTagNamesFilter(List.of("TagName2", "TagName3")) + .withTagValuesFilter(List.of("TagValue0", "TagValue2", "TagValue3")) + .withEndpointOverride(awsEndpointOverride) + .build(); + + final SignerConfigurationBuilder configBuilder = + new SignerConfigurationBuilder() + .withUseConfigFile(useConfigFile) + .withMode("eth1") + .withAwsParameters(awsParameters); + + startSigner(configBuilder.build()); + + signer + .callApiPublicKeys(KeyType.BLS) + .then() + .statusCode(200) + .contentType(ContentType.JSON) + .body( + "", + containsInAnyOrder(keys.get(2).publicKey(), keys.get(3).publicKey()), + "", + hasSize(2)); + } + + @AfterAll + void cleanUpAwsResources() { + if (awsSecretsManagerUtil != null) { + keys.forEach( + key -> { + try { + awsSecretsManagerUtil.deleteKey(key.keyId()); + } catch (final RuntimeException e) { + LOG.warn("Unexpected error while deleting key {}: {}", key.keyId(), e.getMessage()); + } + }); + } + } +} diff --git a/acceptance-tests/src/test/java/tech/pegasys/web3signer/tests/bulkloading/AwsSecretsManagerAcceptanceTest.java b/acceptance-tests/src/test/java/tech/pegasys/web3signer/tests/bulkloading/AwsSecretsManagerAcceptanceTest.java index 8d5f18aa5..9229da77a 100644 --- a/acceptance-tests/src/test/java/tech/pegasys/web3signer/tests/bulkloading/AwsSecretsManagerAcceptanceTest.java +++ b/acceptance-tests/src/test/java/tech/pegasys/web3signer/tests/bulkloading/AwsSecretsManagerAcceptanceTest.java 
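Review bot: `keysAreLoadedFromAwsKmsWithEnvironmentAuthModeAndReportedByPublicApi` queries `signer.callApiPublicKeys(KeyType.BLS)`, although the keys created in `setupAwsResources` are `ECPublicKey`s formatted with `EthPublicKeyUtils` and the sibling test in this file uses `KeyType.SECP256K1`; this looks carried over from the secrets-manager test and will not list KMS keys. Change it to `.callApiPublicKeys(KeyType.SECP256K1)`. `healthCheckErrorCountWhenInvalidCredentialsAreUsed` sets `.withPrefixesFilter(List.of("shouldNotExist/"))`, but neither `awsKmsBulkLoadingOptions` implementation emits a prefixes option and the PicoCliKmsAwsParameters hunk removes `AWS_KMS_PREFIXES_FILTER_OPTION`, so the filter is silently dropped and the test suggests a behaviour that does not exist; remove that call. The field holding the `AwsKmsUtil` is still named `awsSecretsManagerUtil`; rename it `awsKmsUtil`.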
@@ -103,7 +103,7 @@ void setupAwsResources() { @ValueSource(booleans = {true, false}) void secretsAreLoadedFromAWSSecretsManagerAndReportedByPublicApi(final boolean useConfigFile) { final AwsParameters awsParameters = - AwsParametersBuilder.anAwsSecretsManagerParameters() + AwsParametersBuilder.anAwsParameters() .withAuthenticationMode(AwsAuthenticationMode.SPECIFIED) .withRegion(AWS_REGION) .withAccessKeyId(RO_AWS_ACCESS_KEY_ID) @@ -118,7 +118,7 @@ void secretsAreLoadedFromAWSSecretsManagerAndReportedByPublicApi(final boolean u new SignerConfigurationBuilder() .withUseConfigFile(useConfigFile) .withMode("eth2") - .withAwsSecretsManagerParameters(awsParameters); + .withAwsParameters(awsParameters); startSigner(configBuilder.build()); @@ -145,7 +145,7 @@ void secretsAreLoadedFromAWSSecretsManagerAndReportedByPublicApi(final boolean u void healthCheckErrorCountWhenInvalidCredentialsAreUsed() { final boolean useConfigFile = false; final AwsParameters invalidCredsParams = - AwsParametersBuilder.anAwsSecretsManagerParameters() + AwsParametersBuilder.anAwsParameters() .withAuthenticationMode(AwsAuthenticationMode.SPECIFIED) .withRegion("us-east-2") .withAccessKeyId("invalid") @@ -158,7 +158,7 @@ void healthCheckErrorCountWhenInvalidCredentialsAreUsed() { new SignerConfigurationBuilder() .withUseConfigFile(useConfigFile) .withMode("eth2") - .withAwsSecretsManagerParameters(invalidCredsParams); + .withAwsParameters(invalidCredsParams); startSigner(configBuilder.build()); 
@@ -190,7 +190,7 @@ private static int getAwsBulkLoadingData(String healthCheckJsonBody, String data void secretsAreLoadedFromAWSSecretsManagerWithEnvironmentAuthModeAndReportedByPublicApi( final boolean useConfigFile) { final AwsParameters awsParameters = - AwsParametersBuilder.anAwsSecretsManagerParameters() + AwsParametersBuilder.anAwsParameters() .withAuthenticationMode(AwsAuthenticationMode.ENVIRONMENT) .withPrefixesFilter(List.of(awsSecretsManagerUtil.getSecretsManagerPrefix())) .withTagNamesFilter(List.of("TagName2", "TagName3")) @@ -202,7 +202,7 @@ void secretsAreLoadedFromAWSSecretsManagerWithEnvironmentAuthModeAndReportedByPu new SignerConfigurationBuilder() .withUseConfigFile(useConfigFile) .withMode("eth2") - .withAwsSecretsManagerParameters(awsParameters); + .withAwsParameters(awsParameters); startSigner(configBuilder.build()); diff --git a/acceptance-tests/src/test/java/tech/pegasys/web3signer/tests/bulkloading/AwsSecretsManagerMultiValueAcceptanceTest.java b/acceptance-tests/src/test/java/tech/pegasys/web3signer/tests/bulkloading/AwsSecretsManagerMultiValueAcceptanceTest.java index 0bdfb8a5e..46a4d4f79 100644 --- a/acceptance-tests/src/test/java/tech/pegasys/web3signer/tests/bulkloading/AwsSecretsManagerMultiValueAcceptanceTest.java +++ b/acceptance-tests/src/test/java/tech/pegasys/web3signer/tests/bulkloading/AwsSecretsManagerMultiValueAcceptanceTest.java @@ -104,7 +104,7 @@ void setupAwsResources() { @ValueSource(booleans = {true, false}) void secretsAreLoadedFromAWSSecretsManagerAndReportedByPublicApi(final boolean useConfigFile) { final AwsParameters awsParameters = - AwsParametersBuilder.anAwsSecretsManagerParameters() + AwsParametersBuilder.anAwsParameters() .withAuthenticationMode(AwsAuthenticationMode.SPECIFIED) .withRegion(AWS_REGION) .withAccessKeyId(RO_AWS_ACCESS_KEY_ID) 
@@ -118,7 +118,7 @@ void secretsAreLoadedFromAWSSecretsManagerAndReportedByPublicApi(final boolean u new SignerConfigurationBuilder() .withUseConfigFile(useConfigFile) .withMode("eth2") - .withAwsSecretsManagerParameters(awsParameters); + .withAwsParameters(awsParameters); startSigner(configBuilder.build()); diff --git a/acceptance-tests/src/test/java/tech/pegasys/web3signer/tests/bulkloading/AwsSecretsManagerPerformanceAcceptanceTest.java b/acceptance-tests/src/test/java/tech/pegasys/web3signer/tests/bulkloading/AwsSecretsManagerPerformanceAcceptanceTest.java index 4e976c7de..7732e96ce 100644 --- a/acceptance-tests/src/test/java/tech/pegasys/web3signer/tests/bulkloading/AwsSecretsManagerPerformanceAcceptanceTest.java +++ b/acceptance-tests/src/test/java/tech/pegasys/web3signer/tests/bulkloading/AwsSecretsManagerPerformanceAcceptanceTest.java @@ -121,7 +121,7 @@ void setupAwsResources() { @Test void largeNumberOfKeysAreLoadedSuccessfully() { final AwsParameters awsParameters = - AwsParametersBuilder.anAwsSecretsManagerParameters() + AwsParametersBuilder.anAwsParameters() .withAuthenticationMode(AwsAuthenticationMode.SPECIFIED) .withRegion(AWS_REGION) .withAccessKeyId(RO_AWS_ACCESS_KEY_ID) @@ -133,7 +133,7 @@ void largeNumberOfKeysAreLoadedSuccessfully() { final SignerConfigurationBuilder configBuilder = new SignerConfigurationBuilder() .withMode("eth2") - .withAwsSecretsManagerParameters(awsParameters) + .withAwsParameters(awsParameters) .withStartupTimeout(STARTUP_TIMEOUT) .withLogLevel(Level.INFO); diff --git a/commandline/src/main/java/tech/pegasys/web3signer/commandline/PicoCliKmsAwsParameters.java b/commandline/src/main/java/tech/pegasys/web3signer/commandline/PicoCliKmsAwsParameters.java index a9d619585..2999c0cf1 100644 --- a/commandline/src/main/java/tech/pegasys/web3signer/commandline/PicoCliKmsAwsParameters.java +++ b/commandline/src/main/java/tech/pegasys/web3signer/commandline/PicoCliKmsAwsParameters.java 
@@ -27,10 +27,9 @@ public class PicoCliKmsAwsParameters implements AwsParameters { public static final String AWS_KMS_ENABLED_OPTION = "--aws-kms-enabled"; public static final String AWS_KMS_AUTH_MODE_OPTION = "--aws-kms-auth-mode"; public static final String AWS_KMS_ACCESS_KEY_ID_OPTION = "--aws-kms-access-key-id"; - public static final String AWS_KMS_SECRET_ACCESS_KEY_OPTION = "--aws-secrets-secret-access-key"; + public static final String AWS_KMS_SECRET_ACCESS_KEY_OPTION = "--aws-kms-secret-access-key"; public static final String AWS_KMS_REGION_OPTION = "--aws-kms-region"; public static final String AWS_ENDPOINT_OVERRIDE_OPTION = "--aws-endpoint-override"; - public static final String AWS_KMS_PREFIXES_FILTER_OPTION = "--aws-kms-prefixes-filter"; public static final String AWS_KMS_TAG_NAMES_FILTER_OPTION = "--aws-kms-tag-names-filter"; public static final String AWS_KMS_TAG_VALUES_FILTER_OPTION = "--aws-kms-tag-values-filter"; public static final String AWS_CONNECTION_CACHE_SIZE_OPTION = "--aws-connection-cache-size"; diff --git a/core/src/integrationTest/java/tech/pegasys/web3signer/core/jsonrpcproxy/support/TestEth1Config.java b/core/src/integrationTest/java/tech/pegasys/web3signer/core/jsonrpcproxy/support/TestEth1Config.java index 0d12879a9..c18e9c5c6 100644 --- a/core/src/integrationTest/java/tech/pegasys/web3signer/core/jsonrpcproxy/support/TestEth1Config.java +++ b/core/src/integrationTest/java/tech/pegasys/web3signer/core/jsonrpcproxy/support/TestEth1Config.java @@ -101,7 +101,7 @@ public AzureKeyVaultParameters getAzureKeyVaultConfig() { @Override public AwsParameters getAwsParameters() { - return AwsParametersBuilder.anAwsSecretsManagerParameters().build(); + return AwsParametersBuilder.anAwsParameters().build(); } @Override diff --git a/core/src/main/java/tech/pegasys/web3signer/core/Eth1Runner.java b/core/src/main/java/tech/pegasys/web3signer/core/Eth1Runner.java index 394f7d5d6..b958d39ed 100644 
--- a/core/src/main/java/tech/pegasys/web3signer/core/Eth1Runner.java +++ b/core/src/main/java/tech/pegasys/web3signer/core/Eth1Runner.java @@ -12,6 +12,7 @@ */ package tech.pegasys.web3signer.core; +import static tech.pegasys.web3signer.core.config.HealthCheckNames.KEYS_CHECK_AWS_BULK_LOADING; import static tech.pegasys.web3signer.core.config.HealthCheckNames.KEYS_CHECK_AZURE_BULK_LOADING; import static tech.pegasys.web3signer.signing.KeyType.SECP256K1; @@ -257,7 +258,7 @@ private MappedResults bulkLoadSigners( "Keys loaded from AWS: [{}], with error count: [{}]", awsResult.getValues().size(), awsResult.getErrorCount()); - registerSignerLoadingHealthCheck(KEYS_CHECK_AZURE_BULK_LOADING, awsResult); + registerSignerLoadingHealthCheck(KEYS_CHECK_AWS_BULK_LOADING, awsResult); return awsResult; } diff --git a/signing/src/main/java/tech/pegasys/web3signer/signing/secp256k1/aws/AwsKmsClient.java b/signing/src/main/java/tech/pegasys/web3signer/signing/secp256k1/aws/AwsKmsClient.java index d7a57fddf..e7c52ab16 100644 --- a/signing/src/main/java/tech/pegasys/web3signer/signing/secp256k1/aws/AwsKmsClient.java +++ b/signing/src/main/java/tech/pegasys/web3signer/signing/secp256k1/aws/AwsKmsClient.java 
@@ -36,10 +36,13 @@ import software.amazon.awssdk.core.SdkBytes; import software.amazon.awssdk.services.kms.KmsClient; import software.amazon.awssdk.services.kms.model.CreateKeyRequest; +import software.amazon.awssdk.services.kms.model.DescribeKeyRequest; +import software.amazon.awssdk.services.kms.model.DescribeKeyResponse; import software.amazon.awssdk.services.kms.model.GetPublicKeyRequest; import software.amazon.awssdk.services.kms.model.GetPublicKeyResponse; import software.amazon.awssdk.services.kms.model.KeyListEntry; import software.amazon.awssdk.services.kms.model.KeySpec; +import software.amazon.awssdk.services.kms.model.KeyState; import software.amazon.awssdk.services.kms.model.ListResourceTagsRequest; import software.amazon.awssdk.services.kms.model.MessageType; import software.amazon.awssdk.services.kms.model.ScheduleKeyDeletionRequest; @@ -114,6 +117,7 @@ public MappedResults mapKeyList( .filter( keyListEntry -> keyListPredicate(keyListEntry.keyId(), tagKeys, tagValues)) + .filter(this::isKeyEnabled) .forEach( keyListEntry -> { try { @@ -135,6 +139,12 @@ public MappedResults mapKeyList( return MappedResults.newInstance(result, errorCount.intValue()); } + private boolean isKeyEnabled(final KeyListEntry keyListEntry) { + final DescribeKeyResponse describeKeyResponse = + kmsClient.describeKey(DescribeKeyRequest.builder().keyId(keyListEntry.keyId()).build()); + return describeKeyResponse.keyMetadata().keyState() == KeyState.ENABLED; + } + private boolean keyListPredicate( final String keyId, final Collection tagKeys, final Collection tagValues) { if (tagKeys.isEmpty() && tagValues.isEmpty()) diff --git a/signing/src/testFixtures/java/tech/pegasys/web3signer/AwsKmsUtil.java b/signing/src/testFixtures/java/tech/pegasys/web3signer/AwsKmsUtil.java index f92617f7a..a695660ff 100644 --- a/signing/src/testFixtures/java/tech/pegasys/web3signer/AwsKmsUtil.java +++ b/signing/src/testFixtures/java/tech/pegasys/web3signer/AwsKmsUtil.java 
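Review bot: `isKeyEnabled` runs inside the stream's `filter`, ahead of the `try` that wraps the mapper in `forEach`, so a failed `DescribeKey` call (throttling, or a single key the caller lacks `kms:DescribeKey` permission on) propagates out of `mapKeyList` and aborts the whole bulk load instead of being counted like a mapper failure (the `errorCount` total returned at the end suggests the existing catch counts per-key failures). It also issues one DescribeKey request per tag-matching key, which is worth noting for the large-key-count path the performance acceptance test exercises. Consider dropping the `filter` and making the check the first statement inside the existing `try`, e.g. `if (!isKeyEnabled(keyListEntry)) { return; }`, so a failure for one key goes through the same handling as the mapper; and add a one-line comment on `isKeyEnabled` saying why keys in any state other than ENABLED are skipped (KMS rejects Sign requests for them, so loading them only defers the failure to signing time). `mapKeyList` and the `forEach` body begin and end outside this hunk.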
@@ -49,9 +49,9 @@ public AwsKmsUtil( final AwsCredentialsProvider awsCredentialsProvider = AwsCredentialsProviderFactory.createAwsCredentialsProvider( AwsAuthenticationMode.SPECIFIED, Optional.of(awsCredentialsBuilder.build())); - final CachedAwsKmsClientFactory cachedAwsKmsClientFactory1 = new CachedAwsKmsClientFactory(1); + final CachedAwsKmsClientFactory cachedAwsKmsClientFactory = new CachedAwsKmsClientFactory(1); awsKMSClient = - cachedAwsKmsClientFactory1.createKmsClient( + cachedAwsKmsClientFactory.createKmsClient( awsCredentialsProvider, region, awsEndpointOverride); } diff --git a/signing/src/testFixtures/java/tech/pegasys/web3signer/signing/config/AwsParametersBuilder.java b/signing/src/testFixtures/java/tech/pegasys/web3signer/signing/config/AwsParametersBuilder.java index 7853c89ed..1a51ec61e 100644 --- a/signing/src/testFixtures/java/tech/pegasys/web3signer/signing/config/AwsParametersBuilder.java +++ b/signing/src/testFixtures/java/tech/pegasys/web3signer/signing/config/AwsParametersBuilder.java @@ -33,7 +33,7 @@ public final class AwsParametersBuilder { private AwsParametersBuilder() {} - public static AwsParametersBuilder anAwsSecretsManagerParameters() { + public static AwsParametersBuilder anAwsParameters() { return new AwsParametersBuilder(); } From 614851a018d262124746416be6c2e962ecc413f7 Mon Sep 17 00:00:00 2001 
From: Jason Frame Date: Thu, 31 Aug 2023 13:40:39 +1000 Subject: [PATCH 09/21] change the CachedAwsKmsClientFactory to use the kms properties and build the AwsCredentials itself so all the building code for the credentials can be in one place --- .../dsl/signer/runner/Web3SignerRunner.java | 14 ++-- .../bulkloading/SecpAwsBulkLoader.java | 11 +-- .../secp256k1/aws/AwsKmsClientKey.java | 30 ++++--- .../secp256k1/aws/AwsKmsSignerFactory.java | 10 +-- .../aws/CachedAwsKmsClientFactory.java | 15 +++- .../aws/CachedAwsKmsClientFactoryTest.java | 83 +++++++++---------- .../tech/pegasys/web3signer/AwsKmsUtil.java | 10 +-- 7 files changed, 86 insertions(+), 87 deletions(-) diff --git a/acceptance-tests/src/test/java/tech/pegasys/web3signer/dsl/signer/runner/Web3SignerRunner.java b/acceptance-tests/src/test/java/tech/pegasys/web3signer/dsl/signer/runner/Web3SignerRunner.java index 03baedc13..2a612bd80 100644 --- a/acceptance-tests/src/test/java/tech/pegasys/web3signer/dsl/signer/runner/Web3SignerRunner.java +++ b/acceptance-tests/src/test/java/tech/pegasys/web3signer/dsl/signer/runner/Web3SignerRunner.java @@ -48,13 +48,13 @@ public abstract class Web3SignerRunner { private static final String METRICS_PORT_KEY = "metrics-port"; public static Web3SignerRunner createRunner(final SignerConfiguration signerConfig) { - // if (Boolean.getBoolean("acctests.runWeb3SignerAsProcess")) { - // LOG.info("Web3Signer running as a process."); - // return new Web3SignerProcessRunner(signerConfig); - // } else { - LOG.info("Web3Signer running in a thread."); - return new Web3SignerThreadRunner(signerConfig); - // } + if (Boolean.getBoolean("acctests.runWeb3SignerAsProcess")) { + LOG.info("Web3Signer running as a process."); + return new Web3SignerProcessRunner(signerConfig); + } else { + LOG.info("Web3Signer running in a thread."); + return new Web3SignerThreadRunner(signerConfig); + } } protected Web3SignerRunner(final SignerConfiguration signerConfig) { 
diff --git a/signing/src/main/java/tech/pegasys/web3signer/signing/bulkloading/SecpAwsBulkLoader.java b/signing/src/main/java/tech/pegasys/web3signer/signing/bulkloading/SecpAwsBulkLoader.java index 4572ec92a..0e0b51a68 100644 --- a/signing/src/main/java/tech/pegasys/web3signer/signing/bulkloading/SecpAwsBulkLoader.java +++ b/signing/src/main/java/tech/pegasys/web3signer/signing/bulkloading/SecpAwsBulkLoader.java @@ -17,7 +17,6 @@ import tech.pegasys.web3signer.keystorage.common.MappedResults; import tech.pegasys.web3signer.signing.ArtifactSigner; import tech.pegasys.web3signer.signing.EthSecpArtifactSigner; -import tech.pegasys.web3signer.signing.config.AwsCredentialsProviderFactory; import tech.pegasys.web3signer.signing.config.AwsParameters; import tech.pegasys.web3signer.signing.config.metadata.AwsKmsMetadata; import tech.pegasys.web3signer.signing.secp256k1.aws.AwsKmsClient; @@ -26,8 +25,6 @@ import java.util.Optional; -import software.amazon.awssdk.auth.credentials.AwsCredentialsProvider; - public class SecpAwsBulkLoader { private final CachedAwsKmsClientFactory cachedAwsKmsClientFactory; private final AwsKmsSignerFactory awsKmsSignerFactory; @@ -49,12 +46,12 @@ public MappedResults load(final AwsParameters parameters) { .build()) : Optional.empty(); - final AwsCredentialsProvider awsCredentialsProvider = - AwsCredentialsProviderFactory.createAwsCredentialsProvider( - parameters.getAuthenticationMode(), awsCredentials); final AwsKmsClient kmsClient = cachedAwsKmsClientFactory.createKmsClient( - awsCredentialsProvider, parameters.getRegion(), parameters.getEndpointOverride()); + parameters.getAuthenticationMode(), + awsCredentials, + parameters.getRegion(), + parameters.getEndpointOverride()); return kmsClient.mapKeyList( kl -> createSigner(awsCredentials, parameters, kl.keyId()), parameters.getPrefixesFilter(), 
diff --git a/signing/src/main/java/tech/pegasys/web3signer/signing/secp256k1/aws/AwsKmsClientKey.java b/signing/src/main/java/tech/pegasys/web3signer/signing/secp256k1/aws/AwsKmsClientKey.java index 4794fac9c..5ff082031 100644 --- a/signing/src/main/java/tech/pegasys/web3signer/signing/secp256k1/aws/AwsKmsClientKey.java +++ b/signing/src/main/java/tech/pegasys/web3signer/signing/secp256k1/aws/AwsKmsClientKey.java 
@@ -12,32 +12,39 @@ */ package tech.pegasys.web3signer.signing.secp256k1.aws; +import tech.pegasys.web3signer.common.config.AwsAuthenticationMode; +import tech.pegasys.web3signer.common.config.AwsCredentials; + import java.net.URI; import java.util.Objects; import java.util.Optional; -import software.amazon.awssdk.auth.credentials.AwsCredentials; -import software.amazon.awssdk.auth.credentials.AwsCredentialsProvider; - /** This class acts as a key to identify Aws KmsClient from the cache. */ final class AwsKmsClientKey { - private final AwsCredentialsProvider awsCredentialsProvider; - private final AwsCredentials awsCredentials; + + private final Optional awsCredentials; + private final AwsAuthenticationMode awsAuthenticationMode; private final String region; private final Optional endpointOverride; AwsKmsClientKey( - final AwsCredentialsProvider awsCredentialsProvider, + final AwsAuthenticationMode awsAuthenticationMode, + final Optional awsCredentials, final String region, final Optional endpointOverride) { - this.awsCredentialsProvider = awsCredentialsProvider; - this.awsCredentials = awsCredentialsProvider.resolveCredentials(); + this.awsAuthenticationMode = awsAuthenticationMode; + this.awsCredentials = awsCredentials; + this.region = region; this.endpointOverride = endpointOverride; } - public AwsCredentialsProvider getAwsCredentialsProvider() { - return awsCredentialsProvider; + public Optional getAwsCredentials() { + return awsCredentials; + } + + public AwsAuthenticationMode getAwsAuthenticationMode() { + return awsAuthenticationMode; } public String getRegion() { 
@@ -54,12 +61,13 @@ public boolean equals(Object o) { if (o == null || getClass() != o.getClass()) return false; AwsKmsClientKey that = (AwsKmsClientKey) o; return Objects.equals(awsCredentials, that.awsCredentials) + && awsAuthenticationMode == that.awsAuthenticationMode && Objects.equals(region, that.region) && Objects.equals(endpointOverride, that.endpointOverride); } @Override public int hashCode() { - return Objects.hash(awsCredentials, region, endpointOverride); + return Objects.hash(awsCredentials, awsAuthenticationMode, region, endpointOverride); } } diff --git a/signing/src/main/java/tech/pegasys/web3signer/signing/secp256k1/aws/AwsKmsSignerFactory.java b/signing/src/main/java/tech/pegasys/web3signer/signing/secp256k1/aws/AwsKmsSignerFactory.java index 1ef18a588..78b2fef67 100644 --- a/signing/src/main/java/tech/pegasys/web3signer/signing/secp256k1/aws/AwsKmsSignerFactory.java +++ b/signing/src/main/java/tech/pegasys/web3signer/signing/secp256k1/aws/AwsKmsSignerFactory.java @@ -14,14 +14,11 @@ import static com.google.common.base.Preconditions.checkArgument; -import tech.pegasys.web3signer.signing.config.AwsCredentialsProviderFactory; import tech.pegasys.web3signer.signing.config.metadata.AwsKmsMetadata; import tech.pegasys.web3signer.signing.secp256k1.Signer; import java.security.interfaces.ECPublicKey; -import software.amazon.awssdk.auth.credentials.AwsCredentialsProvider; - /** A Signer factory that create an instance of `Signer` type backed by AWS KMS. */ public class AwsKmsSignerFactory { 
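Review bot: `equals`/`hashCode` now compare the stored `Optional<AwsCredentials>` directly, so cache hits in `SPECIFIED` mode depend on `AwsCredentials` implementing value equality over access key id, secret access key and session token; if it falls back to identity equality, every `createKmsClient` call with freshly built credentials misses the cache and opens a new `KmsClient`, and only a `kmsClient_1 == kmsClient_3`-style assertion in `CachedAwsKmsClientFactoryTest` (not visible in its hunk) would reveal it. Worth confirming and recording on the class Javadoc, e.g. `/** Cache identity is (authMode, credentials, region, endpointOverride); AwsCredentials must have value-based equals/hashCode for SPECIFIED-mode hits. */`. The `equals` method starts outside this hunk.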
@@ -44,13 +41,10 @@ public AwsKmsSignerFactory( public Signer createSigner(final AwsKmsMetadata awsKmsMetadata) { checkArgument(awsKmsMetadata != null, "awsKmsMetadata must not be null"); - final AwsCredentialsProvider awsCredentialsProvider = - AwsCredentialsProviderFactory.createAwsCredentialsProvider( - awsKmsMetadata.getAuthenticationMode(), awsKmsMetadata.getAwsCredentials()); - final AwsKmsClient kmsClient = cachedAwsKmsClientFactory.createKmsClient( - awsCredentialsProvider, + awsKmsMetadata.getAuthenticationMode(), + awsKmsMetadata.getAwsCredentials(), awsKmsMetadata.getRegion(), awsKmsMetadata.getEndpointOverride()); diff --git a/signing/src/main/java/tech/pegasys/web3signer/signing/secp256k1/aws/CachedAwsKmsClientFactory.java b/signing/src/main/java/tech/pegasys/web3signer/signing/secp256k1/aws/CachedAwsKmsClientFactory.java index 21d74a430..bf90562f5 100644 --- a/signing/src/main/java/tech/pegasys/web3signer/signing/secp256k1/aws/CachedAwsKmsClientFactory.java +++ b/signing/src/main/java/tech/pegasys/web3signer/signing/secp256k1/aws/CachedAwsKmsClientFactory.java @@ -14,6 +14,10 @@ import static com.google.common.base.Preconditions.checkArgument; +import tech.pegasys.web3signer.common.config.AwsAuthenticationMode; +import tech.pegasys.web3signer.common.config.AwsCredentials; +import tech.pegasys.web3signer.signing.config.AwsCredentialsProviderFactory; + import java.net.URI; import java.util.Optional; 
@@ -45,10 +49,14 @@ public CachedAwsKmsClientFactory(final long cacheSize) { new CacheLoader<>() { @Override public AwsKmsClient load(final AwsKmsClientKey key) { + final AwsCredentialsProvider awsCredentialsProvider = + AwsCredentialsProviderFactory.createAwsCredentialsProvider( + key.getAwsAuthenticationMode(), key.getAwsCredentials()); + final KmsClientBuilder kmsClientBuilder = KmsClient.builder(); key.getEndpointOverride().ifPresent(kmsClientBuilder::endpointOverride); kmsClientBuilder - .credentialsProvider(key.getAwsCredentialsProvider()) + .credentialsProvider(awsCredentialsProvider) .region(Region.of(key.getRegion())); return new AwsKmsClient(kmsClientBuilder.build()); @@ -57,10 +65,11 @@ public AwsKmsClient load(final AwsKmsClientKey key) { } public AwsKmsClient createKmsClient( - final AwsCredentialsProvider awsCredentialsProvider, + final AwsAuthenticationMode awsAuthenticationMode, + final Optional awsCredentials, final String region, final Optional endpointOverride) { return cache.getUnchecked( - new AwsKmsClientKey(awsCredentialsProvider, region, endpointOverride)); + new AwsKmsClientKey(awsAuthenticationMode, awsCredentials, region, endpointOverride)); } } diff --git a/signing/src/test/java/tech/pegasys/web3signer/signing/secp256k1/aws/CachedAwsKmsClientFactoryTest.java b/signing/src/test/java/tech/pegasys/web3signer/signing/secp256k1/aws/CachedAwsKmsClientFactoryTest.java index dab8c34bd..d3c232736 100644 --- a/signing/src/test/java/tech/pegasys/web3signer/signing/secp256k1/aws/CachedAwsKmsClientFactoryTest.java +++ b/signing/src/test/java/tech/pegasys/web3signer/signing/secp256k1/aws/CachedAwsKmsClientFactoryTest.java @@ -16,7 +16,6 @@ import tech.pegasys.web3signer.common.config.AwsAuthenticationMode; import tech.pegasys.web3signer.common.config.AwsCredentials; -import tech.pegasys.web3signer.signing.config.AwsCredentialsProviderFactory; import java.util.Optional; 
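Review bot: `createKmsClient` has no Javadoc, and the new four-parameter signature is easy to misuse: `awsCredentials` is a cache-key component (see the `AwsKmsClientKey` constructor call) even though, judging by the `AwsCredentialsProviderFactory.createAwsCredentialsProvider(mode, credentials)` call in `load`, it is presumably only consulted when `awsAuthenticationMode` is `SPECIFIED`. Suggest a Javadoc on `createKmsClient` stating that clients are cached per (authentication mode, credentials, region, endpoint override) and that callers in `ENVIRONMENT` mode should pass `Optional.empty()` so equivalent callers share one client rather than each creating their own. The anonymous `CacheLoader` and the enclosing class begin outside this hunk.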
@@ -35,49 +34,45 @@ void init() { void cachedInstanceOfKmsClientIsReturnedForSpecifiedCredentials() { final AwsKmsClient kmsClient_1 = cachedAwsKmsClientFactory.createKmsClient( - AwsCredentialsProviderFactory.createAwsCredentialsProvider( - AwsAuthenticationMode.SPECIFIED, - Optional.of( - AwsCredentials.builder() - .withAccessKeyId("test") - .withSecretAccessKey("test") - .build())), + AwsAuthenticationMode.SPECIFIED, + Optional.of( + AwsCredentials.builder() + .withAccessKeyId("test") + .withSecretAccessKey("test") + .build()), "us-east-2", Optional.empty()); final AwsKmsClient kmsClient_2 = cachedAwsKmsClientFactory.createKmsClient( - AwsCredentialsProviderFactory.createAwsCredentialsProvider( - AwsAuthenticationMode.SPECIFIED, - Optional.of( - AwsCredentials.builder() - .withAccessKeyId("test3") - .withSecretAccessKey("test3") - .build())), + AwsAuthenticationMode.SPECIFIED, + Optional.of( + AwsCredentials.builder() + .withAccessKeyId("test3") + .withSecretAccessKey("test3") + .build()), "us-east-2", Optional.empty()); final AwsKmsClient kmsClient_3 = cachedAwsKmsClientFactory.createKmsClient( - AwsCredentialsProviderFactory.createAwsCredentialsProvider( - AwsAuthenticationMode.SPECIFIED, - Optional.of( - AwsCredentials.builder() - .withAccessKeyId("test") - .withSecretAccessKey("test") - .build())), + AwsAuthenticationMode.SPECIFIED, + Optional.of( + AwsCredentials.builder() + .withAccessKeyId("test") + .withSecretAccessKey("test") + .build()), "us-east-2", Optional.empty()); final AwsKmsClient kmsClient_4 = cachedAwsKmsClientFactory.createKmsClient( - AwsCredentialsProviderFactory.createAwsCredentialsProvider( - AwsAuthenticationMode.SPECIFIED, - Optional.of( - AwsCredentials.builder() - .withAccessKeyId("test3") - .withSecretAccessKey("test3") - .build())), + AwsAuthenticationMode.SPECIFIED, + Optional.of( + AwsCredentials.builder() + .withAccessKeyId("test3") + .withSecretAccessKey("test3") + .build()), "us-east-2", Optional.empty()); 
@@ -91,27 +86,25 @@ void cachedInstanceOfKmsClientIsReturnedForSpecifiedCredentials() { void cachedInstanceOfKmsClientIsReturnedForSpecifiedCredentialsWithSessionToken() { final AwsKmsClient kmsClient_1 = cachedAwsKmsClientFactory.createKmsClient( - AwsCredentialsProviderFactory.createAwsCredentialsProvider( - AwsAuthenticationMode.SPECIFIED, - Optional.of( - AwsCredentials.builder() - .withAccessKeyId("test") - .withSecretAccessKey("test") - .withSessionToken("test") - .build())), + AwsAuthenticationMode.SPECIFIED, + Optional.of( + AwsCredentials.builder() + .withAccessKeyId("test") + .withSecretAccessKey("test") + .withSessionToken("test") + .build()), "us-east-2", Optional.empty()); final AwsKmsClient kmsClient_2 = cachedAwsKmsClientFactory.createKmsClient( - AwsCredentialsProviderFactory.createAwsCredentialsProvider( - AwsAuthenticationMode.SPECIFIED, - Optional.of( - AwsCredentials.builder() - .withAccessKeyId("test") - .withSecretAccessKey("test") - .withSessionToken("test") - .build())), + AwsAuthenticationMode.SPECIFIED, + Optional.of( + AwsCredentials.builder() + .withAccessKeyId("test") + .withSecretAccessKey("test") + .withSessionToken("test") + .build()), "us-east-2", Optional.empty()); diff --git a/signing/src/testFixtures/java/tech/pegasys/web3signer/AwsKmsUtil.java b/signing/src/testFixtures/java/tech/pegasys/web3signer/AwsKmsUtil.java index a695660ff..ee5130082 100644 --- a/signing/src/testFixtures/java/tech/pegasys/web3signer/AwsKmsUtil.java +++ b/signing/src/testFixtures/java/tech/pegasys/web3signer/AwsKmsUtil.java 
@@ -15,7 +15,6 @@ import tech.pegasys.web3signer.common.config.AwsAuthenticationMode; import tech.pegasys.web3signer.common.config.AwsCredentials; import tech.pegasys.web3signer.common.config.AwsCredentials.AwsCredentialsBuilder; -import tech.pegasys.web3signer.signing.config.AwsCredentialsProviderFactory; import tech.pegasys.web3signer.signing.secp256k1.aws.AwsKmsClient; import tech.pegasys.web3signer.signing.secp256k1.aws.CachedAwsKmsClientFactory; @@ -25,7 +24,6 @@ import java.util.Map; import java.util.Optional; -import software.amazon.awssdk.auth.credentials.AwsCredentialsProvider; import software.amazon.awssdk.services.kms.model.CreateKeyRequest; import software.amazon.awssdk.services.kms.model.KeySpec; import software.amazon.awssdk.services.kms.model.KeyUsageType; @@ -46,13 +44,13 @@ public AwsKmsUtil( awsCredentialsBuilder.withAccessKeyId(accessKeyId).withSecretAccessKey(secretAccessKey); sessionToken.ifPresent(awsCredentialsBuilder::withSessionToken); - final AwsCredentialsProvider awsCredentialsProvider = - AwsCredentialsProviderFactory.createAwsCredentialsProvider( - AwsAuthenticationMode.SPECIFIED, Optional.of(awsCredentialsBuilder.build())); final CachedAwsKmsClientFactory cachedAwsKmsClientFactory = new CachedAwsKmsClientFactory(1); awsKMSClient = cachedAwsKmsClientFactory.createKmsClient( - awsCredentialsProvider, region, awsEndpointOverride); + AwsAuthenticationMode.SPECIFIED, + Optional.of(awsCredentialsBuilder.build()), + region, + awsEndpointOverride); } public String createKey(final Map tags) { From 2129c87e7b6431232a74c844be769d15755c5193 Mon Sep 17 00:00:00 2001 From: Jason Frame Date: Thu, 31 Aug 2023 13:47:42 +1000 Subject: [PATCH 10/21] Bulk loading kms with values specified using env variables --- .../web3signer/tests/bulkloading/AwsKmsAcceptanceTest.java | 2 +- .../signing/secp256k1/aws/CachedAwsKmsClientFactory.java | 6 +++++- 2 files changed, 6 insertions(+), 2 deletions(-) 
diff --git a/acceptance-tests/src/test/java/tech/pegasys/web3signer/tests/bulkloading/AwsKmsAcceptanceTest.java b/acceptance-tests/src/test/java/tech/pegasys/web3signer/tests/bulkloading/AwsKmsAcceptanceTest.java index fe2e55e74..4c7fca57c 100644 --- a/acceptance-tests/src/test/java/tech/pegasys/web3signer/tests/bulkloading/AwsKmsAcceptanceTest.java +++ b/acceptance-tests/src/test/java/tech/pegasys/web3signer/tests/bulkloading/AwsKmsAcceptanceTest.java @@ -208,7 +208,7 @@ void keysAreLoadedFromAwsKmsWithEnvironmentAuthModeAndReportedByPublicApi( startSigner(configBuilder.build()); signer - .callApiPublicKeys(KeyType.BLS) + .callApiPublicKeys(KeyType.SECP256K1) .then() .statusCode(200) .contentType(ContentType.JSON) diff --git a/signing/src/main/java/tech/pegasys/web3signer/signing/secp256k1/aws/CachedAwsKmsClientFactory.java b/signing/src/main/java/tech/pegasys/web3signer/signing/secp256k1/aws/CachedAwsKmsClientFactory.java index bf90562f5..733e00fb9 100644 --- a/signing/src/main/java/tech/pegasys/web3signer/signing/secp256k1/aws/CachedAwsKmsClientFactory.java +++ b/signing/src/main/java/tech/pegasys/web3signer/signing/secp256k1/aws/CachedAwsKmsClientFactory.java @@ -55,9 +55,13 @@ public AwsKmsClient load(final AwsKmsClientKey key) { final KmsClientBuilder kmsClientBuilder = KmsClient.builder(); key.getEndpointOverride().ifPresent(kmsClientBuilder::endpointOverride); + final String region = + key.getAwsAuthenticationMode() == AwsAuthenticationMode.SPECIFIED + ? key.getRegion() + : System.getenv("AWS_REGION"); kmsClientBuilder .credentialsProvider(awsCredentialsProvider) - .region(Region.of(key.getRegion())); + .region(Region.of(region)); return new AwsKmsClient(kmsClientBuilder.build()); } From 5b80cfe9657e58fc0ec10a0478ce8e102ba0c0a4 Mon Sep 17 00:00:00 2001 
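Review bot: The non-`SPECIFIED` branch of the region lookup in `load` reads only `AWS_REGION`, so when that variable is unset `Region.of(null)` is reached and client construction fails on the SDK's own blank-region check (or an NPE) rather than with a configuration message, and a region supplied through the `aws.region` system property, the shared config file or the instance metadata service — the same sources the environment-mode credentials come from — is ignored. Letting the SDK's default region provider chain resolve it for non-SPECIFIED modes keeps credential and region resolution consistent: `if (key.getAwsAuthenticationMode() == AwsAuthenticationMode.SPECIFIED) { kmsClientBuilder.region(Region.of(key.getRegion())); }` and drop the `region` local. Note also that the environment value is not part of `AwsKmsClientKey`, so it is only read on a cache miss; that is fine while the process environment is constant, but deserves a one-line comment. `load` belongs to the anonymous `CacheLoader` whose start is outside this hunk.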
From: Jason Frame Date: Fri, 1 Sep 2023 14:00:12 +1000 Subject: [PATCH 11/21] cleanup --- .../signing/bulkloading/SecpAwsBulkLoader.java | 1 - .../signing/config/AwsParameters.java | 2 -- .../signing/secp256k1/aws/AwsKmsClient.java | 1 - .../signing/secp256k1/aws/AwsKmsClientTest.java | 17 ++++++----------- 4 files changed, 6 insertions(+), 15 deletions(-) diff --git a/signing/src/main/java/tech/pegasys/web3signer/signing/bulkloading/SecpAwsBulkLoader.java b/signing/src/main/java/tech/pegasys/web3signer/signing/bulkloading/SecpAwsBulkLoader.java index 0e0b51a68..07e20ea95 100644 --- a/signing/src/main/java/tech/pegasys/web3signer/signing/bulkloading/SecpAwsBulkLoader.java +++ b/signing/src/main/java/tech/pegasys/web3signer/signing/bulkloading/SecpAwsBulkLoader.java @@ -54,7 +54,6 @@ public MappedResults load(final AwsParameters parameters) { parameters.getEndpointOverride()); return kmsClient.mapKeyList( kl -> createSigner(awsCredentials, parameters, kl.keyId()), - parameters.getPrefixesFilter(), parameters.getTagNamesFilter(), parameters.getTagValuesFilter()); } diff --git a/signing/src/main/java/tech/pegasys/web3signer/signing/config/AwsParameters.java b/signing/src/main/java/tech/pegasys/web3signer/signing/config/AwsParameters.java index 2d2d01669..034959121 100644 --- a/signing/src/main/java/tech/pegasys/web3signer/signing/config/AwsParameters.java +++ b/signing/src/main/java/tech/pegasys/web3signer/signing/config/AwsParameters.java @@ -30,8 +30,6 @@ public interface AwsParameters { String getRegion(); - // TODO JF change the defaults to throw unsupported operation exceptions? - default long getCacheMaximumSize() { return 1; } diff --git a/signing/src/main/java/tech/pegasys/web3signer/signing/secp256k1/aws/AwsKmsClient.java b/signing/src/main/java/tech/pegasys/web3signer/signing/secp256k1/aws/AwsKmsClient.java index e7c52ab16..6483f77fc 100644 --- a/signing/src/main/java/tech/pegasys/web3signer/signing/secp256k1/aws/AwsKmsClient.java 
+++ b/signing/src/main/java/tech/pegasys/web3signer/signing/secp256k1/aws/AwsKmsClient.java @@ -101,7 +101,6 @@ public byte[] sign(final String kmsKeyId, final byte[] data) { public MappedResults mapKeyList( final Function mapper, - final Collection namePrefixes, final Collection tagKeys, final Collection tagValues) { final Set result = ConcurrentHashMap.newKeySet(); diff --git a/signing/src/test/java/tech/pegasys/web3signer/signing/secp256k1/aws/AwsKmsClientTest.java b/signing/src/test/java/tech/pegasys/web3signer/signing/secp256k1/aws/AwsKmsClientTest.java index 312c802f8..3f85cf5ae 100644 --- a/signing/src/test/java/tech/pegasys/web3signer/signing/secp256k1/aws/AwsKmsClientTest.java +++ b/signing/src/test/java/tech/pegasys/web3signer/signing/secp256k1/aws/AwsKmsClientTest.java @@ -116,8 +116,7 @@ void keyPropertiesCanBeMappedUsingCustomMappingFunction() { final MappedResults result = awsKmsClient.mapKeyList( KeyListEntry::keyId, - Collections.emptyList(), - Collections.emptyList(), + Collections.emptyList(), Collections.emptyList()); final Optional testKeyEntry = @@ -138,8 +137,7 @@ void mapKeyPropertiesThrowsAwayObjectsWhichFailMapper() { return kl.keyId(); } }, - Collections.emptyList(), - Collections.emptyList(), + Collections.emptyList(), Collections.emptyList()); final Optional testKeyEntry = @@ -153,8 +151,7 @@ void mapKeyPropertiesUsingTagsKey() { final MappedResults result = awsKmsClient.mapKeyList( KeyListEntry::keyId, - Collections.emptyList(), - List.of("tagKey"), + List.of("tagKey"), Collections.emptyList()); final Optional testKeyEntry = @@ -169,8 +166,7 @@ void mapKeyPropertiesUsingTagsValue() { final MappedResults result = awsKmsClient.mapKeyList( KeyListEntry::keyId, - Collections.emptyList(), - Collections.emptyList(), + Collections.emptyList(), List.of("tagValue")); final Optional testKeyEntry = 
@@ -184,7 +180,7 @@ void mapKeyPropertiesUsingTagsValue() { void mapKeyPropertiesUsingTagsKeyAndValue() { final MappedResults result = awsKmsClient.mapKeyList( - KeyListEntry::keyId, Collections.emptyList(), List.of("tagKey"), List.of("tagValue")); + KeyListEntry::keyId, List.of("tagKey"), List.of("tagValue")); final Optional testKeyEntry = result.getValues().stream().filter(e -> e.equals(testWithTagKeyId)).findAny(); @@ -198,8 +194,7 @@ void mapKeyPropertiesWhenTagDoesNotExist() { final MappedResults result = awsKmsClient.mapKeyList( KeyListEntry::keyId, - Collections.emptyList(), - List.of("unknownKey"), + List.of("unknownKey"), List.of("unknownValue")); final Optional testKeyEntry = From 313989acdce1fee37490b2bfbe7510eb89729bd0 Mon Sep 17 00:00:00 2001 From: Jason Frame Date: Fri, 1 Sep 2023 14:03:39 +1000 Subject: [PATCH 12/21] remove unnecessary renames --- .../runner/CmdLineParamsConfigFileImpl.java | 32 +++++++++---------- .../runner/CmdLineParamsDefaultImpl.java | 32 +++++++++---------- ...ters.java => PicoCliAwsKmsParameters.java} | 2 +- ...> PicoCliAwsSecretsManagerParameters.java} | 2 +- .../subcommands/Eth1SubCommand.java | 4 +-- .../subcommands/Eth2SubCommand.java | 14 ++++---- .../commandline/CommandlineParserTest.java | 16 +++++----- .../secp256k1/aws/AwsKmsClientTest.java | 23 ++++--------- 8 files changed, 57 insertions(+), 68 deletions(-) rename commandline/src/main/java/tech/pegasys/web3signer/commandline/{PicoCliKmsAwsParameters.java => PicoCliAwsKmsParameters.java} (98%) rename commandline/src/main/java/tech/pegasys/web3signer/commandline/{PicoCliSecretsMangerAwsParameters.java => PicoCliAwsSecretsManagerParameters.java} (98%) diff --git a/acceptance-tests/src/test/java/tech/pegasys/web3signer/dsl/signer/runner/CmdLineParamsConfigFileImpl.java b/acceptance-tests/src/test/java/tech/pegasys/web3signer/dsl/signer/runner/CmdLineParamsConfigFileImpl.java index ee0fa711d..b6eba9ddb 100644 
--- a/acceptance-tests/src/test/java/tech/pegasys/web3signer/dsl/signer/runner/CmdLineParamsConfigFileImpl.java +++ b/acceptance-tests/src/test/java/tech/pegasys/web3signer/dsl/signer/runner/CmdLineParamsConfigFileImpl.java 
@@ -12,22 +12,22 @@
  */
 package tech.pegasys.web3signer.dsl.signer.runner;
-import static tech.pegasys.web3signer.commandline.PicoCliKmsAwsParameters.AWS_KMS_ACCESS_KEY_ID_OPTION;
-import static tech.pegasys.web3signer.commandline.PicoCliKmsAwsParameters.AWS_KMS_AUTH_MODE_OPTION;
-import static tech.pegasys.web3signer.commandline.PicoCliKmsAwsParameters.AWS_KMS_ENABLED_OPTION;
-import static tech.pegasys.web3signer.commandline.PicoCliKmsAwsParameters.AWS_KMS_REGION_OPTION;
-import static tech.pegasys.web3signer.commandline.PicoCliKmsAwsParameters.AWS_KMS_SECRET_ACCESS_KEY_OPTION;
-import static tech.pegasys.web3signer.commandline.PicoCliKmsAwsParameters.AWS_KMS_TAG_NAMES_FILTER_OPTION;
-import static tech.pegasys.web3signer.commandline.PicoCliKmsAwsParameters.AWS_KMS_TAG_VALUES_FILTER_OPTION;
-import static tech.pegasys.web3signer.commandline.PicoCliSecretsMangerAwsParameters.AWS_ENDPOINT_OVERRIDE_OPTION;
-import static tech.pegasys.web3signer.commandline.PicoCliSecretsMangerAwsParameters.AWS_SECRETS_ACCESS_KEY_ID_OPTION;
-import static tech.pegasys.web3signer.commandline.PicoCliSecretsMangerAwsParameters.AWS_SECRETS_AUTH_MODE_OPTION;
-import static tech.pegasys.web3signer.commandline.PicoCliSecretsMangerAwsParameters.AWS_SECRETS_ENABLED_OPTION;
-import static tech.pegasys.web3signer.commandline.PicoCliSecretsMangerAwsParameters.AWS_SECRETS_PREFIXES_FILTER_OPTION;
-import static tech.pegasys.web3signer.commandline.PicoCliSecretsMangerAwsParameters.AWS_SECRETS_REGION_OPTION;
-import static tech.pegasys.web3signer.commandline.PicoCliSecretsMangerAwsParameters.AWS_SECRETS_SECRET_ACCESS_KEY_OPTION;
-import static tech.pegasys.web3signer.commandline.PicoCliSecretsMangerAwsParameters.AWS_SECRETS_TAG_NAMES_FILTER_OPTION;
-import static tech.pegasys.web3signer.commandline.PicoCliSecretsMangerAwsParameters.AWS_SECRETS_TAG_VALUES_FILTER_OPTION;
+import static tech.pegasys.web3signer.commandline.PicoCliAwsKmsParameters.AWS_KMS_ACCESS_KEY_ID_OPTION;
+import static 
tech.pegasys.web3signer.commandline.PicoCliAwsKmsParameters.AWS_KMS_AUTH_MODE_OPTION;
+import static tech.pegasys.web3signer.commandline.PicoCliAwsKmsParameters.AWS_KMS_ENABLED_OPTION;
+import static tech.pegasys.web3signer.commandline.PicoCliAwsKmsParameters.AWS_KMS_REGION_OPTION;
+import static tech.pegasys.web3signer.commandline.PicoCliAwsKmsParameters.AWS_KMS_SECRET_ACCESS_KEY_OPTION;
+import static tech.pegasys.web3signer.commandline.PicoCliAwsKmsParameters.AWS_KMS_TAG_NAMES_FILTER_OPTION;
+import static tech.pegasys.web3signer.commandline.PicoCliAwsKmsParameters.AWS_KMS_TAG_VALUES_FILTER_OPTION;
+import static tech.pegasys.web3signer.commandline.PicoCliAwsSecretsManagerParameters.AWS_ENDPOINT_OVERRIDE_OPTION;
+import static tech.pegasys.web3signer.commandline.PicoCliAwsSecretsManagerParameters.AWS_SECRETS_ACCESS_KEY_ID_OPTION;
+import static tech.pegasys.web3signer.commandline.PicoCliAwsSecretsManagerParameters.AWS_SECRETS_AUTH_MODE_OPTION;
+import static tech.pegasys.web3signer.commandline.PicoCliAwsSecretsManagerParameters.AWS_SECRETS_ENABLED_OPTION;
+import static tech.pegasys.web3signer.commandline.PicoCliAwsSecretsManagerParameters.AWS_SECRETS_PREFIXES_FILTER_OPTION;
+import static tech.pegasys.web3signer.commandline.PicoCliAwsSecretsManagerParameters.AWS_SECRETS_REGION_OPTION;
+import static tech.pegasys.web3signer.commandline.PicoCliAwsSecretsManagerParameters.AWS_SECRETS_SECRET_ACCESS_KEY_OPTION;
+import static tech.pegasys.web3signer.commandline.PicoCliAwsSecretsManagerParameters.AWS_SECRETS_TAG_NAMES_FILTER_OPTION;
+import static tech.pegasys.web3signer.commandline.PicoCliAwsSecretsManagerParameters.AWS_SECRETS_TAG_VALUES_FILTER_OPTION;
 import tech.pegasys.web3signer.core.config.ClientAuthConstraints;
 import tech.pegasys.web3signer.core.config.TlsOptions;
diff --git a/acceptance-tests/src/test/java/tech/pegasys/web3signer/dsl/signer/runner/CmdLineParamsDefaultImpl.java b/acceptance-tests/src/test/java/tech/pegasys/web3signer/dsl/signer/runner/CmdLineParamsDefaultImpl.java
index 3ceec8ae0..c42010372 100644
--- a/acceptance-tests/src/test/java/tech/pegasys/web3signer/dsl/signer/runner/CmdLineParamsDefaultImpl.java
+++ b/acceptance-tests/src/test/java/tech/pegasys/web3signer/dsl/signer/runner/CmdLineParamsDefaultImpl.java
@@ -12,22 +12,22 @@
  */
 package tech.pegasys.web3signer.dsl.signer.runner;
-import static tech.pegasys.web3signer.commandline.PicoCliKmsAwsParameters.AWS_KMS_ACCESS_KEY_ID_OPTION;
-import static tech.pegasys.web3signer.commandline.PicoCliKmsAwsParameters.AWS_KMS_AUTH_MODE_OPTION;
-import static tech.pegasys.web3signer.commandline.PicoCliKmsAwsParameters.AWS_KMS_ENABLED_OPTION;
-import static tech.pegasys.web3signer.commandline.PicoCliKmsAwsParameters.AWS_KMS_REGION_OPTION;
-import static tech.pegasys.web3signer.commandline.PicoCliKmsAwsParameters.AWS_KMS_SECRET_ACCESS_KEY_OPTION;
-import static tech.pegasys.web3signer.commandline.PicoCliKmsAwsParameters.AWS_KMS_TAG_NAMES_FILTER_OPTION;
-import static tech.pegasys.web3signer.commandline.PicoCliKmsAwsParameters.AWS_KMS_TAG_VALUES_FILTER_OPTION;
-import static tech.pegasys.web3signer.commandline.PicoCliSecretsMangerAwsParameters.AWS_ENDPOINT_OVERRIDE_OPTION;
-import static tech.pegasys.web3signer.commandline.PicoCliSecretsMangerAwsParameters.AWS_SECRETS_ACCESS_KEY_ID_OPTION;
-import static tech.pegasys.web3signer.commandline.PicoCliSecretsMangerAwsParameters.AWS_SECRETS_AUTH_MODE_OPTION;
-import static tech.pegasys.web3signer.commandline.PicoCliSecretsMangerAwsParameters.AWS_SECRETS_ENABLED_OPTION;
-import static tech.pegasys.web3signer.commandline.PicoCliSecretsMangerAwsParameters.AWS_SECRETS_PREFIXES_FILTER_OPTION;
-import static tech.pegasys.web3signer.commandline.PicoCliSecretsMangerAwsParameters.AWS_SECRETS_REGION_OPTION;
-import static tech.pegasys.web3signer.commandline.PicoCliSecretsMangerAwsParameters.AWS_SECRETS_SECRET_ACCESS_KEY_OPTION;
-import static tech.pegasys.web3signer.commandline.PicoCliSecretsMangerAwsParameters.AWS_SECRETS_TAG_NAMES_FILTER_OPTION;
-import static tech.pegasys.web3signer.commandline.PicoCliSecretsMangerAwsParameters.AWS_SECRETS_TAG_VALUES_FILTER_OPTION;
+import static tech.pegasys.web3signer.commandline.PicoCliAwsKmsParameters.AWS_KMS_ACCESS_KEY_ID_OPTION;
+import static 
tech.pegasys.web3signer.commandline.PicoCliAwsKmsParameters.AWS_KMS_AUTH_MODE_OPTION;
+import static tech.pegasys.web3signer.commandline.PicoCliAwsKmsParameters.AWS_KMS_ENABLED_OPTION;
+import static tech.pegasys.web3signer.commandline.PicoCliAwsKmsParameters.AWS_KMS_REGION_OPTION;
+import static tech.pegasys.web3signer.commandline.PicoCliAwsKmsParameters.AWS_KMS_SECRET_ACCESS_KEY_OPTION;
+import static tech.pegasys.web3signer.commandline.PicoCliAwsKmsParameters.AWS_KMS_TAG_NAMES_FILTER_OPTION;
+import static tech.pegasys.web3signer.commandline.PicoCliAwsKmsParameters.AWS_KMS_TAG_VALUES_FILTER_OPTION;
+import static tech.pegasys.web3signer.commandline.PicoCliAwsSecretsManagerParameters.AWS_ENDPOINT_OVERRIDE_OPTION;
+import static tech.pegasys.web3signer.commandline.PicoCliAwsSecretsManagerParameters.AWS_SECRETS_ACCESS_KEY_ID_OPTION;
+import static tech.pegasys.web3signer.commandline.PicoCliAwsSecretsManagerParameters.AWS_SECRETS_AUTH_MODE_OPTION;
+import static tech.pegasys.web3signer.commandline.PicoCliAwsSecretsManagerParameters.AWS_SECRETS_ENABLED_OPTION;
+import static tech.pegasys.web3signer.commandline.PicoCliAwsSecretsManagerParameters.AWS_SECRETS_PREFIXES_FILTER_OPTION;
+import static tech.pegasys.web3signer.commandline.PicoCliAwsSecretsManagerParameters.AWS_SECRETS_REGION_OPTION;
+import static tech.pegasys.web3signer.commandline.PicoCliAwsSecretsManagerParameters.AWS_SECRETS_SECRET_ACCESS_KEY_OPTION;
+import static tech.pegasys.web3signer.commandline.PicoCliAwsSecretsManagerParameters.AWS_SECRETS_TAG_NAMES_FILTER_OPTION;
+import static tech.pegasys.web3signer.commandline.PicoCliAwsSecretsManagerParameters.AWS_SECRETS_TAG_VALUES_FILTER_OPTION;
 import tech.pegasys.web3signer.core.config.ClientAuthConstraints;
 import tech.pegasys.web3signer.core.config.TlsOptions;
diff --git a/commandline/src/main/java/tech/pegasys/web3signer/commandline/PicoCliKmsAwsParameters.java b/commandline/src/main/java/tech/pegasys/web3signer/commandline/PicoCliAwsKmsParameters.java similarity index 98% rename from commandline/src/main/java/tech/pegasys/web3signer/commandline/PicoCliKmsAwsParameters.java rename to commandline/src/main/java/tech/pegasys/web3signer/commandline/PicoCliAwsKmsParameters.java index 2999c0cf1..7929cfc1e 100644 --- a/commandline/src/main/java/tech/pegasys/web3signer/commandline/PicoCliKmsAwsParameters.java +++ b/commandline/src/main/java/tech/pegasys/web3signer/commandline/PicoCliAwsKmsParameters.java @@ -23,7 +23,7 @@ import picocli.CommandLine.Option; -public class PicoCliKmsAwsParameters implements AwsParameters { +public class PicoCliAwsKmsParameters implements AwsParameters { public static final String AWS_KMS_ENABLED_OPTION = "--aws-kms-enabled"; public static final String AWS_KMS_AUTH_MODE_OPTION = "--aws-kms-auth-mode"; public static final String AWS_KMS_ACCESS_KEY_ID_OPTION = "--aws-kms-access-key-id"; diff --git a/commandline/src/main/java/tech/pegasys/web3signer/commandline/PicoCliSecretsMangerAwsParameters.java b/commandline/src/main/java/tech/pegasys/web3signer/commandline/PicoCliAwsSecretsManagerParameters.java similarity index 98% rename from commandline/src/main/java/tech/pegasys/web3signer/commandline/PicoCliSecretsMangerAwsParameters.java rename to commandline/src/main/java/tech/pegasys/web3signer/commandline/PicoCliAwsSecretsManagerParameters.java index 13beda170..cc8d858c7 100644 --- a/commandline/src/main/java/tech/pegasys/web3signer/commandline/PicoCliSecretsMangerAwsParameters.java +++ b/commandline/src/main/java/tech/pegasys/web3signer/commandline/PicoCliAwsSecretsManagerParameters.java 
@@ -24,7 +24,7 @@ import picocli.CommandLine; import picocli.CommandLine.Option; -public class PicoCliSecretsMangerAwsParameters implements AwsParameters { +public class PicoCliAwsSecretsManagerParameters implements AwsParameters { public static final String AWS_SECRETS_ENABLED_OPTION = "--aws-secrets-enabled"; public static final String AWS_SECRETS_AUTH_MODE_OPTION = "--aws-secrets-auth-mode"; public static final String AWS_SECRETS_ACCESS_KEY_ID_OPTION = "--aws-secrets-access-key-id"; diff --git a/commandline/src/main/java/tech/pegasys/web3signer/commandline/subcommands/Eth1SubCommand.java b/commandline/src/main/java/tech/pegasys/web3signer/commandline/subcommands/Eth1SubCommand.java index 5ed9cd9d6..abf857084 100644 --- a/commandline/src/main/java/tech/pegasys/web3signer/commandline/subcommands/Eth1SubCommand.java +++ b/commandline/src/main/java/tech/pegasys/web3signer/commandline/subcommands/Eth1SubCommand.java @@ -18,8 +18,8 @@ import static tech.pegasys.web3signer.commandline.DefaultCommandValues.PORT_FORMAT_HELP; import static tech.pegasys.web3signer.commandline.util.RequiredOptionsUtil.checkIfRequiredOptionsAreInitialized; +import tech.pegasys.web3signer.commandline.PicoCliAwsKmsParameters; import tech.pegasys.web3signer.commandline.PicoCliEth1AzureKeyVaultParameters; -import tech.pegasys.web3signer.commandline.PicoCliKmsAwsParameters; import tech.pegasys.web3signer.commandline.annotations.RequiredOption; import tech.pegasys.web3signer.commandline.config.client.PicoCliClientTlsOptions; import tech.pegasys.web3signer.core.Eth1Runner; @@ -148,7 +148,7 @@ public void setDownstreamHttpPath(final String path) { @CommandLine.Mixin private PicoCliEth1AzureKeyVaultParameters azureKeyVaultParameters; - @CommandLine.Mixin private PicoCliKmsAwsParameters awsParameters; + @CommandLine.Mixin private PicoCliAwsKmsParameters awsParameters; @Override public Runner createRunner() { 
diff --git a/commandline/src/main/java/tech/pegasys/web3signer/commandline/subcommands/Eth2SubCommand.java b/commandline/src/main/java/tech/pegasys/web3signer/commandline/subcommands/Eth2SubCommand.java
index 5d41d1410..f54e57b08 100644
--- a/commandline/src/main/java/tech/pegasys/web3signer/commandline/subcommands/Eth2SubCommand.java
+++ b/commandline/src/main/java/tech/pegasys/web3signer/commandline/subcommands/Eth2SubCommand.java
@@ -12,10 +12,10 @@
  */
 package tech.pegasys.web3signer.commandline.subcommands;
-import static tech.pegasys.web3signer.commandline.PicoCliSecretsMangerAwsParameters.AWS_SECRETS_ACCESS_KEY_ID_OPTION;
-import static tech.pegasys.web3signer.commandline.PicoCliSecretsMangerAwsParameters.AWS_SECRETS_AUTH_MODE_OPTION;
-import static tech.pegasys.web3signer.commandline.PicoCliSecretsMangerAwsParameters.AWS_SECRETS_REGION_OPTION;
-import static tech.pegasys.web3signer.commandline.PicoCliSecretsMangerAwsParameters.AWS_SECRETS_SECRET_ACCESS_KEY_OPTION;
+import static tech.pegasys.web3signer.commandline.PicoCliAwsSecretsManagerParameters.AWS_SECRETS_ACCESS_KEY_ID_OPTION;
+import static tech.pegasys.web3signer.commandline.PicoCliAwsSecretsManagerParameters.AWS_SECRETS_AUTH_MODE_OPTION;
+import static tech.pegasys.web3signer.commandline.PicoCliAwsSecretsManagerParameters.AWS_SECRETS_REGION_OPTION;
+import static tech.pegasys.web3signer.commandline.PicoCliAwsSecretsManagerParameters.AWS_SECRETS_SECRET_ACCESS_KEY_OPTION;
 import static tech.pegasys.web3signer.signing.config.AzureAuthenticationMode.CLIENT_SECRET;
 import static tech.pegasys.web3signer.signing.config.AzureAuthenticationMode.USER_ASSIGNED_MANAGED_IDENTITY;
@@ -25,8 +25,8 @@
 import tech.pegasys.teku.spec.ForkSchedule;
 import tech.pegasys.teku.spec.SpecMilestone;
 import tech.pegasys.teku.spec.networks.Eth2Network;
+import tech.pegasys.web3signer.commandline.PicoCliAwsSecretsManagerParameters;
 import tech.pegasys.web3signer.commandline.PicoCliEth2AzureKeyVaultParameters;
-import tech.pegasys.web3signer.commandline.PicoCliSecretsMangerAwsParameters;
 import tech.pegasys.web3signer.commandline.PicoCliSlashingProtectionParameters;
 import tech.pegasys.web3signer.commandline.config.PicoKeystoresParameters;
 import tech.pegasys.web3signer.common.config.AwsAuthenticationMode;
@@ -144,7 +144,7 @@ private static class NetworkCliCompletionCandidates extends ArrayList {
 @Mixin private PicoCliSlashingProtectionParameters slashingProtectionParameters;
 @Mixin private PicoCliEth2AzureKeyVaultParameters azureKeyVaultParameters;
 @Mixin private PicoKeystoresParameters keystoreParameters;
-@Mixin private PicoCliSecretsMangerAwsParameters awsSecretsManagerParameters;
+@Mixin private PicoCliAwsSecretsManagerParameters awsSecretsManagerParameters;
 private tech.pegasys.teku.spec.Spec eth2Spec;
 public Eth2SubCommand() {
@@ -339,7 +339,7 @@ public SlashingProtectionParameters getSlashingProtectionParameters() {
 }
 @VisibleForTesting
-public PicoCliSecretsMangerAwsParameters getAwsSecretsManagerParameters() {
+public PicoCliAwsSecretsManagerParameters getAwsSecretsManagerParameters() {
 return awsSecretsManagerParameters;
 }
diff --git a/commandline/src/test/java/tech/pegasys/web3signer/commandline/CommandlineParserTest.java b/commandline/src/test/java/tech/pegasys/web3signer/commandline/CommandlineParserTest.java
index 7ae18643a..80bc077aa 100644
--- a/commandline/src/test/java/tech/pegasys/web3signer/commandline/CommandlineParserTest.java
+++ b/commandline/src/test/java/tech/pegasys/web3signer/commandline/CommandlineParserTest.java
@@ -15,14 +15,14 @@
 import static org.assertj.core.api.Assertions.assertThat;
 import static tech.pegasys.web3signer.CmdlineHelpers.removeFieldFrom;
 import static tech.pegasys.web3signer.CmdlineHelpers.validBaseCommandOptions;
-import static tech.pegasys.web3signer.commandline.PicoCliSecretsMangerAwsParameters.AWS_SECRETS_ACCESS_KEY_ID_OPTION;
-import static tech.pegasys.web3signer.commandline.PicoCliSecretsMangerAwsParameters.AWS_SECRETS_AUTH_MODE_OPTION;
-import static tech.pegasys.web3signer.commandline.PicoCliSecretsMangerAwsParameters.AWS_SECRETS_ENABLED_OPTION;
-import static tech.pegasys.web3signer.commandline.PicoCliSecretsMangerAwsParameters.AWS_SECRETS_PREFIXES_FILTER_OPTION;
-import static tech.pegasys.web3signer.commandline.PicoCliSecretsMangerAwsParameters.AWS_SECRETS_REGION_OPTION;
-import static tech.pegasys.web3signer.commandline.PicoCliSecretsMangerAwsParameters.AWS_SECRETS_SECRET_ACCESS_KEY_OPTION;
-import static tech.pegasys.web3signer.commandline.PicoCliSecretsMangerAwsParameters.AWS_SECRETS_TAG_NAMES_FILTER_OPTION;
-import static tech.pegasys.web3signer.commandline.PicoCliSecretsMangerAwsParameters.AWS_SECRETS_TAG_VALUES_FILTER_OPTION;
+import static tech.pegasys.web3signer.commandline.PicoCliAwsSecretsManagerParameters.AWS_SECRETS_ACCESS_KEY_ID_OPTION;
+import static tech.pegasys.web3signer.commandline.PicoCliAwsSecretsManagerParameters.AWS_SECRETS_AUTH_MODE_OPTION;
+import static tech.pegasys.web3signer.commandline.PicoCliAwsSecretsManagerParameters.AWS_SECRETS_ENABLED_OPTION;
+import static tech.pegasys.web3signer.commandline.PicoCliAwsSecretsManagerParameters.AWS_SECRETS_PREFIXES_FILTER_OPTION;
+import static tech.pegasys.web3signer.commandline.PicoCliAwsSecretsManagerParameters.AWS_SECRETS_REGION_OPTION;
+import static tech.pegasys.web3signer.commandline.PicoCliAwsSecretsManagerParameters.AWS_SECRETS_SECRET_ACCESS_KEY_OPTION;
+import static 
tech.pegasys.web3signer.commandline.PicoCliAwsSecretsManagerParameters.AWS_SECRETS_TAG_NAMES_FILTER_OPTION; +import static tech.pegasys.web3signer.commandline.PicoCliAwsSecretsManagerParameters.AWS_SECRETS_TAG_VALUES_FILTER_OPTION; import tech.pegasys.web3signer.commandline.subcommands.Eth2SubCommand; import tech.pegasys.web3signer.common.config.AwsAuthenticationMode; diff --git a/signing/src/test/java/tech/pegasys/web3signer/signing/secp256k1/aws/AwsKmsClientTest.java b/signing/src/test/java/tech/pegasys/web3signer/signing/secp256k1/aws/AwsKmsClientTest.java index 3f85cf5ae..753fedcb1 100644 --- a/signing/src/test/java/tech/pegasys/web3signer/signing/secp256k1/aws/AwsKmsClientTest.java +++ b/signing/src/test/java/tech/pegasys/web3signer/signing/secp256k1/aws/AwsKmsClientTest.java @@ -115,9 +115,7 @@ static void cleanup() { void keyPropertiesCanBeMappedUsingCustomMappingFunction() { final MappedResults result = awsKmsClient.mapKeyList( - KeyListEntry::keyId, - Collections.emptyList(), - Collections.emptyList()); + KeyListEntry::keyId, Collections.emptyList(), Collections.emptyList()); final Optional testKeyEntry = result.getValues().stream().filter(e -> e.equals(testKeyId)).findAny(); @@ -137,7 +135,7 @@ void mapKeyPropertiesThrowsAwayObjectsWhichFailMapper() { return kl.keyId(); } }, - Collections.emptyList(), + Collections.emptyList(), Collections.emptyList()); final Optional testKeyEntry = @@ -149,10 +147,7 @@ void mapKeyPropertiesThrowsAwayObjectsWhichFailMapper() { @Test void mapKeyPropertiesUsingTagsKey() { final MappedResults result = - awsKmsClient.mapKeyList( - KeyListEntry::keyId, - List.of("tagKey"), - Collections.emptyList()); + awsKmsClient.mapKeyList(KeyListEntry::keyId, List.of("tagKey"), Collections.emptyList()); final Optional testKeyEntry = result.getValues().stream().filter(e -> e.equals(testWithTagKeyId)).findAny(); 
@@ -164,10 +159,7 @@ void mapKeyPropertiesUsingTagsKey() { @Test void mapKeyPropertiesUsingTagsValue() { final MappedResults result = - awsKmsClient.mapKeyList( - KeyListEntry::keyId, - Collections.emptyList(), - List.of("tagValue")); + awsKmsClient.mapKeyList(KeyListEntry::keyId, Collections.emptyList(), List.of("tagValue")); final Optional testKeyEntry = result.getValues().stream().filter(e -> e.equals(testWithTagKeyId)).findAny(); @@ -179,8 +171,7 @@ void mapKeyPropertiesUsingTagsValue() { @Test void mapKeyPropertiesUsingTagsKeyAndValue() { final MappedResults result = - awsKmsClient.mapKeyList( - KeyListEntry::keyId, List.of("tagKey"), List.of("tagValue")); + awsKmsClient.mapKeyList(KeyListEntry::keyId, List.of("tagKey"), List.of("tagValue")); final Optional testKeyEntry = result.getValues().stream().filter(e -> e.equals(testWithTagKeyId)).findAny(); @@ -193,9 +184,7 @@ void mapKeyPropertiesUsingTagsKeyAndValue() { void mapKeyPropertiesWhenTagDoesNotExist() { final MappedResults result = awsKmsClient.mapKeyList( - KeyListEntry::keyId, - List.of("unknownKey"), - List.of("unknownValue")); + KeyListEntry::keyId, List.of("unknownKey"), List.of("unknownValue")); final Optional testKeyEntry = result.getValues().stream().filter(e -> e.equals(testWithTagKeyId)).findAny(); From 10e7516187b292cca555c0612c5111b785b6eff5 Mon Sep 17 00:00:00 2001 From: Jason Frame Date: Fri, 1 Sep 2023 15:02:07 +1000 Subject: [PATCH 13/21] additional AwsKmsClient tests for being enabled and secp256k1 --- .../pegasys/web3signer/core/Eth1Runner.java | 73 +++++++++++-------- .../signing/secp256k1/aws/AwsKmsClient.java | 22 ++++-- .../secp256k1/aws/AwsKmsClientTest.java | 36 ++++++++- .../tech/pegasys/web3signer/AwsKmsUtil.java | 29 +++++--- 4 files changed, 109 insertions(+), 51 deletions(-) diff --git a/core/src/main/java/tech/pegasys/web3signer/core/Eth1Runner.java b/core/src/main/java/tech/pegasys/web3signer/core/Eth1Runner.java index b958d39ed..4c6c31129 100644 
--- a/core/src/main/java/tech/pegasys/web3signer/core/Eth1Runner.java
+++ b/core/src/main/java/tech/pegasys/web3signer/core/Eth1Runner.java
@@ -227,44 +227,53 @@ private MappedResults bulkLoadSigners( final AzureKeyVaultSignerFactory azureSignerFactory, final CachedAwsKmsClientFactory cachedAwsKmsClientFactory, final AwsKmsSignerFactory awsKmsSignerFactory) { - final AzureKeyVaultParameters azureKeyVaultConfig = eth1Config.getAzureKeyVaultConfig(); - if (azureKeyVaultConfig.isAzureKeyVaultEnabled()) { - LOG.info("Bulk loading keys from Azure key vault ... "); - final AzureKeyVault azureKeyVault = - azureKeyVaultFactory.createAzureKeyVault( - azureKeyVaultConfig.getClientId(), - azureKeyVaultConfig.getClientSecret(), - azureKeyVaultConfig.getKeyVaultName(), - azureKeyVaultConfig.getTenantId(), - azureKeyVaultConfig.getAuthenticationMode()); - final SecpAzureBulkLoader secpAzureBulkLoader = - new SecpAzureBulkLoader(azureKeyVault, azureSignerFactory); - final MappedResults azureResult = - secpAzureBulkLoader.load(azureKeyVaultConfig); - LOG.info( - "Keys loaded from Azure: [{}], with error count: [{}]", - azureResult.getValues().size(), - azureResult.getErrorCount()); - registerSignerLoadingHealthCheck(KEYS_CHECK_AZURE_BULK_LOADING, azureResult); - return azureResult; + if (eth1Config.getAzureKeyVaultConfig().isAzureKeyVaultEnabled()) { + return bulkLoadAzureKeys(azureKeyVaultFactory, azureSignerFactory); } if (eth1Config.getAwsParameters().isEnabled()) { - LOG.info("Bulk loading keys from AWS KMS key vault ... 
"); - final SecpAwsBulkLoader secpAwsBulkLoader = - new SecpAwsBulkLoader(cachedAwsKmsClientFactory, awsKmsSignerFactory); - final MappedResults awsResult = - secpAwsBulkLoader.load(eth1Config.getAwsParameters()); - LOG.info( - "Keys loaded from AWS: [{}], with error count: [{}]", - awsResult.getValues().size(), - awsResult.getErrorCount()); - registerSignerLoadingHealthCheck(KEYS_CHECK_AWS_BULK_LOADING, awsResult); - return awsResult; + return bulkLoadAwsKeys(cachedAwsKmsClientFactory, awsKmsSignerFactory); } - return MappedResults.newSetInstance(); } + private MappedResults bulkLoadAzureKeys( + AzureKeyVaultFactory azureKeyVaultFactory, AzureKeyVaultSignerFactory azureSignerFactory) { + LOG.info("Bulk loading keys from Azure key vault ... "); + final AzureKeyVaultParameters azureKeyVaultConfig = eth1Config.getAzureKeyVaultConfig(); + final AzureKeyVault azureKeyVault = + azureKeyVaultFactory.createAzureKeyVault( + azureKeyVaultConfig.getClientId(), + azureKeyVaultConfig.getClientSecret(), + azureKeyVaultConfig.getKeyVaultName(), + azureKeyVaultConfig.getTenantId(), + azureKeyVaultConfig.getAuthenticationMode()); + final SecpAzureBulkLoader secpAzureBulkLoader = + new SecpAzureBulkLoader(azureKeyVault, azureSignerFactory); + final MappedResults azureResult = secpAzureBulkLoader.load(azureKeyVaultConfig); + LOG.info( + "Keys loaded from Azure: [{}], with error count: [{}]", + azureResult.getValues().size(), + azureResult.getErrorCount()); + registerSignerLoadingHealthCheck(KEYS_CHECK_AZURE_BULK_LOADING, azureResult); + return azureResult; + } + + private MappedResults bulkLoadAwsKeys( + CachedAwsKmsClientFactory cachedAwsKmsClientFactory, + AwsKmsSignerFactory awsKmsSignerFactory) { + LOG.info("Bulk loading keys from AWS KMS key vault ... 
"); + final SecpAwsBulkLoader secpAwsBulkLoader = + new SecpAwsBulkLoader(cachedAwsKmsClientFactory, awsKmsSignerFactory); + final MappedResults awsResult = + secpAwsBulkLoader.load(eth1Config.getAwsParameters()); + LOG.info( + "Keys loaded from AWS: [{}], with error count: [{}]", + awsResult.getValues().size(), + awsResult.getErrorCount()); + registerSignerLoadingHealthCheck(KEYS_CHECK_AWS_BULK_LOADING, awsResult); + return awsResult; + } + private String formatSecpSignature(final SecpArtifactSignature signature) { return SecpArtifactSignature.toBytes(signature).toHexString(); } diff --git a/signing/src/main/java/tech/pegasys/web3signer/signing/secp256k1/aws/AwsKmsClient.java b/signing/src/main/java/tech/pegasys/web3signer/signing/secp256k1/aws/AwsKmsClient.java index 6483f77fc..6c026e813 100644 --- a/signing/src/main/java/tech/pegasys/web3signer/signing/secp256k1/aws/AwsKmsClient.java +++ b/signing/src/main/java/tech/pegasys/web3signer/signing/secp256k1/aws/AwsKmsClient.java @@ -37,10 +37,11 @@ import software.amazon.awssdk.services.kms.KmsClient; import software.amazon.awssdk.services.kms.model.CreateKeyRequest; import software.amazon.awssdk.services.kms.model.DescribeKeyRequest; -import software.amazon.awssdk.services.kms.model.DescribeKeyResponse; +import software.amazon.awssdk.services.kms.model.DisableKeyRequest; import software.amazon.awssdk.services.kms.model.GetPublicKeyRequest; import software.amazon.awssdk.services.kms.model.GetPublicKeyResponse; import software.amazon.awssdk.services.kms.model.KeyListEntry; +import software.amazon.awssdk.services.kms.model.KeyMetadata; import software.amazon.awssdk.services.kms.model.KeySpec; import software.amazon.awssdk.services.kms.model.KeyState; import software.amazon.awssdk.services.kms.model.ListResourceTagsRequest; 
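Review bot: The two extracted helpers drop the `final` modifier on their parameters that the surrounding signature keeps (`final AzureKeyVaultSignerFactory azureSignerFactory`, `final CachedAwsKmsClientFactory cachedAwsKmsClientFactory` in the context lines), so `private MappedResults bulkLoadAzureKeys(final AzureKeyVaultFactory azureKeyVaultFactory, final AzureKeyVaultSignerFactory azureSignerFactory)` and the matching change on `bulkLoadAwsKeys` would keep the file's convention. The dispatch still returns after the Azure branch, so when both the Azure key vault and AWS KMS are enabled the KMS keys are never loaded and nothing tells the operator; a comment on the first `if`, `// Azure takes precedence: AWS KMS keys are not loaded when both vaults are enabled`, or a warning log in that case would make the behaviour visible. Neither helper carries a Javadoc; one sentence each stating that they bulk-load secp256k1 signers from the respective vault and register the corresponding health check would suffice. `bulkLoadSigners` begins outside the hunk.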
@@ -116,7 +117,7 @@ public MappedResults mapKeyList( .filter( keyListEntry -> keyListPredicate(keyListEntry.keyId(), tagKeys, tagValues)) - .filter(this::isKeyEnabled) + .filter(this::isEnabledSecp256k1Key) .forEach( keyListEntry -> { try { @@ -138,10 +139,14 @@ public MappedResults mapKeyList( return MappedResults.newInstance(result, errorCount.intValue()); } - private boolean isKeyEnabled(final KeyListEntry keyListEntry) { - final DescribeKeyResponse describeKeyResponse = - kmsClient.describeKey(DescribeKeyRequest.builder().keyId(keyListEntry.keyId()).build()); - return describeKeyResponse.keyMetadata().keyState() == KeyState.ENABLED; + private boolean isEnabledSecp256k1Key(final KeyListEntry keyListEntry) { + final KeyMetadata keyMetadata = + kmsClient + .describeKey(DescribeKeyRequest.builder().keyId(keyListEntry.keyId()).build()) + .keyMetadata(); + final boolean isEnabled = keyMetadata.keyState() == KeyState.ENABLED; + final boolean isSecp256k1 = keyMetadata.keySpec() == KeySpec.ECC_SECG_P256_K1; + return isEnabled && isSecp256k1; } private boolean keyListPredicate( @@ -172,4 +177,9 @@ public String createKey(CreateKeyRequest createKeyRequest) { public void scheduleKeyDeletion(ScheduleKeyDeletionRequest deletionRequest) { kmsClient.scheduleKeyDeletion(deletionRequest); } + + @VisibleForTesting + public void disableKey(final DisableKeyRequest disableKeyRequest) { + kmsClient.disableKey(disableKeyRequest); + } } diff --git a/signing/src/test/java/tech/pegasys/web3signer/signing/secp256k1/aws/AwsKmsClientTest.java b/signing/src/test/java/tech/pegasys/web3signer/signing/secp256k1/aws/AwsKmsClientTest.java index 753fedcb1..15e8bf79b 100644 --- a/signing/src/test/java/tech/pegasys/web3signer/signing/secp256k1/aws/AwsKmsClientTest.java +++ b/signing/src/test/java/tech/pegasys/web3signer/signing/secp256k1/aws/AwsKmsClientTest.java 
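Review bot: `isEnabledSecp256k1Key` now issues one `describeKey` call per listed key from inside a `parallelStream` filter, and nothing in the hunk records why both conditions are required; a Javadoc such as `/** True only for keys this signer can use: disabled keys cannot sign, and only ECC_SECG_P256_K1 yields secp256k1 signatures. Costs one DescribeKey call per listed key. */` would capture that. An exception thrown by `describeKey` in the filter appears to propagate out of `mapKeyList` rather than being counted via the `try` that only wraps the mapper in `forEach`, so one unreadable key aborts the whole bulk load unless that is handled elsewhere. The `@VisibleForTesting public void disableKey` addition follows the existing `createKey`/`scheduleKeyDeletion` pattern, but it widens the production signing client with a third destructive KMS mutation that only test fixtures call; keeping such helpers in the test fixture would narrow the production surface. `mapKeyList` begins and ends outside the hunk.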
@@ -35,6 +35,7 @@ import software.amazon.awssdk.services.kms.KmsClient; import software.amazon.awssdk.services.kms.KmsClientBuilder; import software.amazon.awssdk.services.kms.model.KeyListEntry; +import software.amazon.awssdk.services.kms.model.KeySpec; @EnabledIfEnvironmentVariable( named = "RW_AWS_ACCESS_KEY_ID", @@ -69,6 +70,8 @@ public class AwsKmsClientTest { private static String testKeyId; private static String testWithTagKeyId; + private static String testWithDisabledKeyId; + private static String testWithNistSecpKeyId; private static AwsKmsUtil awsKmsUtil; private static AwsKmsClient awsKmsClient; @@ -82,7 +85,10 @@ static void init() { AWS_SESSION_TOKEN, ENDPOINT_OVERRIDE); testKeyId = awsKmsUtil.createKey(Collections.emptyMap()); - testWithTagKeyId = awsKmsUtil.createKey(Map.of("tagKey", "tagValue")); + testWithTagKeyId = awsKmsUtil.createKey(Map.of("name", "tagged")); + testWithDisabledKeyId = awsKmsUtil.createKey(Map.of("name", "disabled")); + awsKmsUtil.disableKey(testWithDisabledKeyId); + testWithNistSecpKeyId = awsKmsUtil.createKey(Map.of("name", "nist"), KeySpec.ECC_NIST_P256); final AwsCredentialsBuilder awsCredentialsBuilder = AwsCredentials.builder(); awsCredentialsBuilder @@ -147,7 +153,7 @@ void mapKeyPropertiesThrowsAwayObjectsWhichFailMapper() { @Test void mapKeyPropertiesUsingTagsKey() { final MappedResults result = - awsKmsClient.mapKeyList(KeyListEntry::keyId, List.of("tagKey"), Collections.emptyList()); + awsKmsClient.mapKeyList(KeyListEntry::keyId, List.of("name"), Collections.emptyList()); final Optional testKeyEntry = result.getValues().stream().filter(e -> e.equals(testWithTagKeyId)).findAny(); 
@@ -159,7 +165,7 @@ void mapKeyPropertiesUsingTagsKey() { @Test void mapKeyPropertiesUsingTagsValue() { final MappedResults result = - awsKmsClient.mapKeyList(KeyListEntry::keyId, Collections.emptyList(), List.of("tagValue")); + awsKmsClient.mapKeyList(KeyListEntry::keyId, Collections.emptyList(), List.of("tagged")); final Optional testKeyEntry = result.getValues().stream().filter(e -> e.equals(testWithTagKeyId)).findAny(); @@ -171,7 +177,7 @@ void mapKeyPropertiesUsingTagsValue() { @Test void mapKeyPropertiesUsingTagsKeyAndValue() { final MappedResults result = - awsKmsClient.mapKeyList(KeyListEntry::keyId, List.of("tagKey"), List.of("tagValue")); + awsKmsClient.mapKeyList(KeyListEntry::keyId, List.of("name"), List.of("tagged")); final Optional testKeyEntry = result.getValues().stream().filter(e -> e.equals(testWithTagKeyId)).findAny(); @@ -191,4 +197,26 @@ void mapKeyPropertiesWhenTagDoesNotExist() { Assertions.assertThat(testKeyEntry).isEmpty(); Assertions.assertThat(result.getErrorCount()).isZero(); } + + @Test + void mapKeyPropertiesIgnoresDisabledKeys() { + final MappedResults result = + awsKmsClient.mapKeyList(KeyListEntry::keyId, List.of("name"), List.of("disabled")); + + final Optional disableTestKeyEntry = + result.getValues().stream().filter(e -> e.equals(testWithDisabledKeyId)).findAny(); + Assertions.assertThat(disableTestKeyEntry).isEmpty(); + Assertions.assertThat(result.getErrorCount()).isZero(); + } + + @Test + void mapKeyPropertiesIgnoresNonSecpKeys() { + final MappedResults result = + awsKmsClient.mapKeyList(KeyListEntry::keyId, List.of("name"), List.of("nist")); + + final Optional disableTestKeyEntry = + result.getValues().stream().filter(e -> e.equals(testWithNistSecpKeyId)).findAny(); + Assertions.assertThat(disableTestKeyEntry).isEmpty(); + Assertions.assertThat(result.getErrorCount()).isZero(); + } } 
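Review bot: Both new tests only assert that the excluded key is absent while filtering on a tag value (`disabled`, `nist`) that matches no other key, so they also pass if `mapKeyList` returns nothing at all, for example because tag filtering itself broke. Filtering on `List.of("name")` with an empty value list and asserting that `testWithTagKeyId` is present while `testWithDisabledKeyId` and `testWithNistSecpKeyId` are absent would demonstrate the exclusion rather than an empty result. The two extra keys are created in `init()` but the diffstat shows no change to `cleanup()`, so they are presumably left behind in the test account after every run (a disabled KMS key still exists and bills until deleted); `cleanup()` is outside the hunk, so confirm it schedules deletion for them. Also, `disableTestKeyEntry` in `mapKeyPropertiesIgnoresNonSecpKeys` looks copy-pasted; `nistTestKeyEntry` would read correctly.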
diff --git a/signing/src/testFixtures/java/tech/pegasys/web3signer/AwsKmsUtil.java b/signing/src/testFixtures/java/tech/pegasys/web3signer/AwsKmsUtil.java index ee5130082..29214b523 100644 --- a/signing/src/testFixtures/java/tech/pegasys/web3signer/AwsKmsUtil.java +++ b/signing/src/testFixtures/java/tech/pegasys/web3signer/AwsKmsUtil.java @@ -25,6 +25,7 @@ import java.util.Optional; import software.amazon.awssdk.services.kms.model.CreateKeyRequest; +import software.amazon.awssdk.services.kms.model.DisableKeyRequest; import software.amazon.awssdk.services.kms.model.KeySpec; import software.amazon.awssdk.services.kms.model.KeyUsageType; import software.amazon.awssdk.services.kms.model.ScheduleKeyDeletionRequest; @@ -53,19 +54,24 @@ public AwsKmsUtil( awsEndpointOverride); } - public String createKey(final Map tags) { + public String createKey(final Map tags, final KeySpec keySpec) { + final CreateKeyRequest.Builder keyRequestBuilder = + CreateKeyRequest.builder() + .keySpec(keySpec) + .description("Web3Signer Testing Key") + .keyUsage(KeyUsageType.SIGN_VERIFY); final List awsTags = tags.entrySet().stream() .map(e -> Tag.builder().tagKey(e.getKey()).tagValue(e.getValue()).build()) .toList(); - final CreateKeyRequest web3SignerTestingKey = - CreateKeyRequest.builder() - .keySpec(KeySpec.ECC_SECG_P256_K1) - .description("Web3Signer Testing Key") - .keyUsage(KeyUsageType.SIGN_VERIFY) - .tags(awsTags) - .build(); - return awsKMSClient.createKey(web3SignerTestingKey); + if (!awsTags.isEmpty()) { + keyRequestBuilder.tags(awsTags); + } + return awsKMSClient.createKey(keyRequestBuilder.build()); + } + + public String createKey(final Map tags) { + return createKey(tags, KeySpec.ECC_SECG_P256_K1); } public void deleteKey(final String keyId) { 
@@ -74,6 +80,11 @@ public void deleteKey(final String keyId) { awsKMSClient.scheduleKeyDeletion(deletionRequest); } + public void disableKey(final String keyId) { + final DisableKeyRequest disableKeyRequest = DisableKeyRequest.builder().keyId(keyId).build(); + awsKMSClient.disableKey(disableKeyRequest); + } + public ECPublicKey publicKey(final String keyId) { return awsKMSClient.getECPublicKey(keyId); } From 77343bb5eec784aad5b3ec7606ab19cc171fd173 Mon Sep 17 00:00:00 2001 From: Jason Frame Date: Mon, 4 Sep 2023 12:47:59 +1000 Subject: [PATCH 14/21] filter on enabled keys before checking tags as we might not have permission on some keys to list tags --- .../pegasys/web3signer/signing/secp256k1/aws/AwsKmsClient.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/signing/src/main/java/tech/pegasys/web3signer/signing/secp256k1/aws/AwsKmsClient.java b/signing/src/main/java/tech/pegasys/web3signer/signing/secp256k1/aws/AwsKmsClient.java index 6c026e813..16d507afc 100644 --- a/signing/src/main/java/tech/pegasys/web3signer/signing/secp256k1/aws/AwsKmsClient.java +++ b/signing/src/main/java/tech/pegasys/web3signer/signing/secp256k1/aws/AwsKmsClient.java @@ -114,10 +114,10 @@ public MappedResults mapKeyList( .forEachRemaining( listKeysResponse -> listKeysResponse.keys().parallelStream() + .filter(this::isEnabledSecp256k1Key) .filter( keyListEntry -> keyListPredicate(keyListEntry.keyId(), tagKeys, tagValues)) - .filter(this::isEnabledSecp256k1Key) .forEach( keyListEntry -> { try { From f9748a4ec4c573a08f5afe892a06da245bf78d1a Mon Sep 17 00:00:00 2001 From: Jason Frame Date: Mon, 4 Sep 2023 13:18:28 +1000 Subject: [PATCH 15/21] Use AwsRegionProvider if auth mode is not specified --- .../secp256k1/aws/CachedAwsKmsClientFactory.java | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) 
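Review bot: Moving `.filter(this::isEnabledSecp256k1Key)` ahead of the tag check does not by itself make the listing tolerant of per-key permission gaps: the key-metadata lookup that filter performs runs inside `parallelStream()` with no handler, so a single key the caller is not allowed to describe still throws out of the pipeline and aborts the whole `mapKeyList`, the same failure shape the commit message describes for listing tags. The reorder only changes which per-key call is attempted first, and both require a permission on every listed key. This is addressed by the `filterKeys` wrapper introduced in PATCH 16/21 of this series, so the reorder on its own should not be read as the fix; a comment on the filter line saying why metadata is checked before tags (`// check key state first: tag listing may be denied on keys we do not own`) would record the intent. `mapKeyList` begins outside this hunk.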
diff --git a/signing/src/main/java/tech/pegasys/web3signer/signing/secp256k1/aws/CachedAwsKmsClientFactory.java b/signing/src/main/java/tech/pegasys/web3signer/signing/secp256k1/aws/CachedAwsKmsClientFactory.java index 733e00fb9..722ea0db7 100644 --- a/signing/src/main/java/tech/pegasys/web3signer/signing/secp256k1/aws/CachedAwsKmsClientFactory.java +++ b/signing/src/main/java/tech/pegasys/web3signer/signing/secp256k1/aws/CachedAwsKmsClientFactory.java @@ -26,6 +26,7 @@ import com.google.common.cache.LoadingCache; import software.amazon.awssdk.auth.credentials.AwsCredentialsProvider; import software.amazon.awssdk.regions.Region; +import software.amazon.awssdk.regions.providers.DefaultAwsRegionProviderChain; import software.amazon.awssdk.services.kms.KmsClient; import software.amazon.awssdk.services.kms.KmsClientBuilder; @@ -55,13 +56,11 @@ public AwsKmsClient load(final AwsKmsClientKey key) { final KmsClientBuilder kmsClientBuilder = KmsClient.builder(); key.getEndpointOverride().ifPresent(kmsClientBuilder::endpointOverride); - final String region = + final Region region = key.getAwsAuthenticationMode() == AwsAuthenticationMode.SPECIFIED - ? key.getRegion() - : System.getenv("AWS_REGION"); - kmsClientBuilder - .credentialsProvider(awsCredentialsProvider) - .region(Region.of(region)); + ? Region.of(key.getRegion()) + : DefaultAwsRegionProviderChain.builder().build().getRegion(); + kmsClientBuilder.credentialsProvider(awsCredentialsProvider).region(region); return new AwsKmsClient(kmsClientBuilder.build()); } From ea123734d21b1b1f64fa51e66ec17e497ee71db4 Mon Sep 17 00:00:00 2001 From: Jason Frame Date: Mon, 4 Sep 2023 14:58:42 +1000 Subject: [PATCH 16/21] catch any exceptions that occur filtering keys --- .../signing/secp256k1/aws/AwsKmsClient.java | 19 ++++++++++++++++--- 1 file changed, 16 insertions(+), 3 deletions(-) 
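Review bot: The new fallback `DefaultAwsRegionProviderChain.builder().build().getRegion()` throws `SdkClientException` when no region can be resolved from the environment, profile or instance metadata, and `Region.of(key.getRegion())` rejects a null or blank region for a `SPECIFIED` key, so both now fail from inside the Guava cache loader and reach the caller wrapped (as `UncheckedExecutionException` on a `getUnchecked` read, as far as I can tell from the loader signature) instead of as a clear configuration error. Validating the region for `SPECIFIED` mode before the ternary, with a message naming the missing option, would give operators an actionable failure. Resolving the chain explicitly is equivalent to leaving `.region()` unset on the builder, which would also consult the default chain; the explicit form is fine but deserves a one-line comment, `// ENVIRONMENT mode: resolve the region the same way the SDK would (env, profile, IMDS)`. The `load` method begins outside this hunk.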
diff --git a/signing/src/main/java/tech/pegasys/web3signer/signing/secp256k1/aws/AwsKmsClient.java b/signing/src/main/java/tech/pegasys/web3signer/signing/secp256k1/aws/AwsKmsClient.java index 16d507afc..73c5e717e 100644 --- a/signing/src/main/java/tech/pegasys/web3signer/signing/secp256k1/aws/AwsKmsClient.java +++ b/signing/src/main/java/tech/pegasys/web3signer/signing/secp256k1/aws/AwsKmsClient.java @@ -114,10 +114,8 @@ public MappedResults mapKeyList( .forEachRemaining( listKeysResponse -> listKeysResponse.keys().parallelStream() - .filter(this::isEnabledSecp256k1Key) .filter( - keyListEntry -> - keyListPredicate(keyListEntry.keyId(), tagKeys, tagValues)) + keyListEntry -> filterKeys(keyListEntry, tagKeys, tagValues, errorCount)) .forEach( keyListEntry -> { try { @@ -139,6 +137,21 @@ public MappedResults mapKeyList( return MappedResults.newInstance(result, errorCount.intValue()); } + private boolean filterKeys( + final KeyListEntry keyListEntry, + final Collection tagKeys, + final Collection tagValues, + final AtomicInteger errorCount) { + try { + return isEnabledSecp256k1Key(keyListEntry) + && keyListPredicate(keyListEntry.keyId(), tagKeys, tagValues); + } catch (Exception e) { + LOG.error("Unexpected error during Aws mapKeyList", e); + errorCount.incrementAndGet(); + return false; + } + } + private boolean isEnabledSecp256k1Key(final KeyListEntry keyListEntry) { final KeyMetadata keyMetadata = kmsClient From b8953a95bc770a103d1174d70cdb1f27c82ee904 Mon Sep 17 00:00:00 2001 From: Jason Frame Date: Mon, 4 Sep 2023 16:12:16 +1000 Subject: [PATCH 17/21] after pr review --- .../tests/bulkloading/AwsKmsAcceptanceTest.java | 12 +++++++----- .../signing/secp256k1/aws/AwsKmsClient.java | 4 ++-- .../signing/secp256k1/aws/AwsKmsClientTest.java | 16 ++++++++-------- 3 files changed, 17 insertions(+), 15 deletions(-) 
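Review bot: The catch in the new `filterKeys` logs `"Unexpected error during Aws mapKeyList"` without the key id, so when `errorCount` rises (it feeds `MappedResults.newInstance(result, errorCount.intValue())` and, as far as I can tell, the bulk-loading health check) an operator cannot tell which key's metadata or tag lookup failed; the id is already in hand: `LOG.error("Unexpected error filtering AWS KMS key {}", keyListEntry.keyId(), e);`. `catch (Exception e)` is also broad: an access-denied response for a single key the role cannot describe now counts as a loading error and is logged with a full stack trace at ERROR level per key, which on a large key list is noisy and may mask a genuine outage. If that is the intended semantics, a Javadoc on `filterKeys` stating that keys which cannot be inspected are skipped, counted in `errorCount` and logged would document it for the health-check consumer. `mapKeyList` begins outside this hunk and `isEnabledSecp256k1Key` continues past it.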
diff --git a/acceptance-tests/src/test/java/tech/pegasys/web3signer/tests/bulkloading/AwsKmsAcceptanceTest.java b/acceptance-tests/src/test/java/tech/pegasys/web3signer/tests/bulkloading/AwsKmsAcceptanceTest.java index 4c7fca57c..09bcae869 100644 --- a/acceptance-tests/src/test/java/tech/pegasys/web3signer/tests/bulkloading/AwsKmsAcceptanceTest.java +++ b/acceptance-tests/src/test/java/tech/pegasys/web3signer/tests/bulkloading/AwsKmsAcceptanceTest.java @@ -1,5 +1,5 @@ /* - * Copyright 2022 ConsenSys AG. + * Copyright 2023 ConsenSys AG. * * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with * the License. You may obtain a copy of the License at @@ -179,10 +179,12 @@ void healthCheckErrorCountWhenInvalidCredentialsAreUsed() { private static int getAwsBulkLoadingData(String healthCheckJsonBody, String dataKey) { final JsonObject jsonObject = new JsonObject(healthCheckJsonBody); return jsonObject.getJsonArray("checks").stream() - .filter(o -> "keys-check".equals(((JsonObject) o).getString("id"))) - .flatMap(o -> ((JsonObject) o).getJsonArray("checks").stream()) - .filter(o -> "aws-bulk-loading".equals(((JsonObject) o).getString("id"))) - .mapToInt(o -> ((JsonObject) ((JsonObject) o).getValue("data")).getInteger(dataKey)) + .map(JsonObject.class::cast) + .filter(check -> "keys-check".equals(check.getString("id"))) + .flatMap(check -> check.getJsonArray("checks").stream()) + .map(JsonObject.class::cast) + .filter(check -> "aws-bulk-loading".equals(check.getString("id"))) + .mapToInt(check -> check.getJsonObject("data").getInteger(dataKey)) .findFirst() .orElse(-1); } diff --git a/signing/src/main/java/tech/pegasys/web3signer/signing/secp256k1/aws/AwsKmsClient.java b/signing/src/main/java/tech/pegasys/web3signer/signing/secp256k1/aws/AwsKmsClient.java index 73c5e717e..924dfcb19 100644 --- a/signing/src/main/java/tech/pegasys/web3signer/signing/secp256k1/aws/AwsKmsClient.java 
+++ b/signing/src/main/java/tech/pegasys/web3signer/signing/secp256k1/aws/AwsKmsClient.java @@ -144,7 +144,7 @@ private boolean filterKeys( final AtomicInteger errorCount) { try { return isEnabledSecp256k1Key(keyListEntry) - && keyListPredicate(keyListEntry.keyId(), tagKeys, tagValues); + && keyMatchesTags(keyListEntry.keyId(), tagKeys, tagValues); } catch (Exception e) { LOG.error("Unexpected error during Aws mapKeyList", e); errorCount.incrementAndGet(); @@ -162,7 +162,7 @@ private boolean isEnabledSecp256k1Key(final KeyListEntry keyListEntry) { return isEnabled && isSecp256k1; } - private boolean keyListPredicate( + private boolean keyMatchesTags( final String keyId, final Collection tagKeys, final Collection tagValues) { if (tagKeys.isEmpty() && tagValues.isEmpty()) return true; // we don't want to filter if user-supplied tags map is empty diff --git a/signing/src/test/java/tech/pegasys/web3signer/signing/secp256k1/aws/AwsKmsClientTest.java b/signing/src/test/java/tech/pegasys/web3signer/signing/secp256k1/aws/AwsKmsClientTest.java index 15e8bf79b..254403440 100644 --- a/signing/src/test/java/tech/pegasys/web3signer/signing/secp256k1/aws/AwsKmsClientTest.java +++ b/signing/src/test/java/tech/pegasys/web3signer/signing/secp256k1/aws/AwsKmsClientTest.java @@ -118,7 +118,7 @@ static void cleanup() { } @Test - void keyPropertiesCanBeMappedUsingCustomMappingFunction() { + void keyListCanBeMappedUsingCustomMappingFunction() { final MappedResults result = awsKmsClient.mapKeyList( KeyListEntry::keyId, Collections.emptyList(), Collections.emptyList()); @@ -131,7 +131,7 @@ void keyPropertiesCanBeMappedUsingCustomMappingFunction() { } @Test - void mapKeyPropertiesThrowsAwayObjectsWhichFailMapper() { + void mapKeyListThrowsAwayObjectsWhichFailMapper() { final MappedResults result = awsKmsClient.mapKeyList( kl -> { 
@@ -151,7 +151,7 @@ void mapKeyPropertiesThrowsAwayObjectsWhichFailMapper() { } @Test - void mapKeyPropertiesUsingTagsKey() { + void mapKeyListUsingTagsKey() { final MappedResults result = awsKmsClient.mapKeyList(KeyListEntry::keyId, List.of("name"), Collections.emptyList()); @@ -163,7 +163,7 @@ void mapKeyPropertiesUsingTagsKey() { } @Test - void mapKeyPropertiesUsingTagsValue() { + void mapKeyListUsingTagsValue() { final MappedResults result = awsKmsClient.mapKeyList(KeyListEntry::keyId, Collections.emptyList(), List.of("tagged")); @@ -175,7 +175,7 @@ void mapKeyPropertiesUsingTagsValue() { } @Test - void mapKeyPropertiesUsingTagsKeyAndValue() { + void mapKeyListUsingTagsKeyAndValue() { final MappedResults result = awsKmsClient.mapKeyList(KeyListEntry::keyId, List.of("name"), List.of("tagged")); @@ -187,7 +187,7 @@ void mapKeyPropertiesUsingTagsKeyAndValue() { } @Test - void mapKeyPropertiesWhenTagDoesNotExist() { + void mapKeyListWhenTagDoesNotExist() { final MappedResults result = awsKmsClient.mapKeyList( KeyListEntry::keyId, List.of("unknownKey"), List.of("unknownValue")); @@ -199,7 +199,7 @@ void mapKeyPropertiesWhenTagDoesNotExist() { } @Test - void mapKeyPropertiesIgnoresDisabledKeys() { + void mapKeyListIgnoresDisabledKeys() { final MappedResults result = awsKmsClient.mapKeyList(KeyListEntry::keyId, List.of("name"), List.of("disabled")); @@ -210,7 +210,7 @@ void mapKeyPropertiesIgnoresDisabledKeys() { } @Test - void mapKeyPropertiesIgnoresNonSecpKeys() { + void mapKeyListIgnoresNonSecpKeys() { final MappedResults result = awsKmsClient.mapKeyList(KeyListEntry::keyId, List.of("name"), List.of("nist")); From 3775f9fde0e0aa2331297029f3d38ee0df86b3b7 Mon Sep 17 00:00:00 2001 From: Jason Frame Date: Tue, 5 Sep 2023 13:31:28 +1000 Subject: [PATCH 18/21] changelog --- CHANGELOG.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 1a00ece03..8ef74e083 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -8,6 +8,7 @@ ### Features Added - Signing support for BlobSidecar and BlindedBlobSidecar in Deneb fork. - Add `--azure-response-timeout` to allow request response timeout to be configurable, the field `timeout` is also accepted in the Azure metadata file. [#888](https://github.com/Consensys/web3signer/pull/888) +- Aws bulk loading for secp256k1 keys in eth1 mode [#889](https://github.com/Consensys/web3signer/pull/889) ### Bugs fixed - Upcheck was using application/json accept headers instead text/plain accept headers From 4bd6d956111147e99df99ef4d2485f7ba11d78d5 Mon Sep 17 00:00:00 2001 From: Jason Frame Date: Tue, 5 Sep 2023 13:33:54 +1000 Subject: [PATCH 19/21] rename AwsParameters to AwsVaultParameters --- .../dsl/signer/SignerConfiguration.java | 8 +-- .../signer/SignerConfigurationBuilder.java | 10 +-- .../runner/CmdLineParamsConfigFileImpl.java | 62 +++++++++---------- .../runner/CmdLineParamsDefaultImpl.java | 62 +++++++++---------- .../bulkloading/AwsKmsAcceptanceTest.java | 12 ++-- .../AwsSecretsManagerAcceptanceTest.java | 12 ++-- ...ecretsManagerMultiValueAcceptanceTest.java | 6 +- ...cretsManagerPerformanceAcceptanceTest.java | 6 +- .../commandline/PicoCliAwsKmsParameters.java | 4 +- .../PicoCliAwsSecretsManagerParameters.java | 4 +- .../subcommands/Eth1SubCommand.java | 4 +- .../jsonrpcproxy/support/TestEth1Config.java | 4 +- .../pegasys/web3signer/core/Eth2Runner.java | 14 ++--- .../web3signer/core/config/Eth1Config.java | 4 +- .../signing/bulkloading/BlsAwsBulkLoader.java | 4 +- .../bulkloading/SecpAwsBulkLoader.java | 12 ++-- .../config/AwsSecretsManagerFactory.java | 14 ++--- ...arameters.java => AwsVaultParameters.java} | 2 +- .../metadata/AwsKeySigningMetadata.java | 4 +- .../signing/config/AwsParametersBuilder.java | 8 +-- 20 files changed, 128 insertions(+), 128 deletions(-) rename signing/src/main/java/tech/pegasys/web3signer/signing/config/{AwsParameters.java => AwsVaultParameters.java} (97%) 
diff --git a/acceptance-tests/src/test/java/tech/pegasys/web3signer/dsl/signer/SignerConfiguration.java b/acceptance-tests/src/test/java/tech/pegasys/web3signer/dsl/signer/SignerConfiguration.java index 32b7c5156..6a76df5dc 100644 --- a/acceptance-tests/src/test/java/tech/pegasys/web3signer/dsl/signer/SignerConfiguration.java +++ b/acceptance-tests/src/test/java/tech/pegasys/web3signer/dsl/signer/SignerConfiguration.java @@ -16,7 +16,7 @@ import tech.pegasys.web3signer.core.config.client.ClientTlsOptions; import tech.pegasys.web3signer.core.service.jsonrpc.handlers.signing.ChainIdProvider; import tech.pegasys.web3signer.dsl.tls.TlsCertificateDefinition; -import tech.pegasys.web3signer.signing.config.AwsParameters; +import tech.pegasys.web3signer.signing.config.AwsVaultParameters; import tech.pegasys.web3signer.signing.config.AzureKeyVaultParameters; import tech.pegasys.web3signer.signing.config.KeystoresParameters; @@ -41,7 +41,7 @@ public class SignerConfiguration { private final List metricsCategories; private final boolean metricsEnabled; private final Optional azureKeyVaultParameters; - private final Optional awsSecretsManagerParameters; + private final Optional awsSecretsManagerParameters; private final Optional keystoresParameters; private final Optional serverTlsOptions; private final Optional overriddenCaTrustStore; @@ -88,7 +88,7 @@ public SignerConfiguration( final List metricsCategories, final boolean metricsEnabled, final Optional azureKeyVaultParameters, - final Optional awsSecretsManagerParameters, + final Optional awsSecretsManagerParameters, final Optional keystoresParameters, final Optional serverTlsOptions, final Optional overriddenCaTrustStore, @@ -218,7 +218,7 @@ public Optional getAzureKeyVaultParameters() { return azureKeyVaultParameters; } - public Optional getAwsParameters() { + public Optional getAwsParameters() { return awsSecretsManagerParameters; } 
diff --git a/acceptance-tests/src/test/java/tech/pegasys/web3signer/dsl/signer/SignerConfigurationBuilder.java b/acceptance-tests/src/test/java/tech/pegasys/web3signer/dsl/signer/SignerConfigurationBuilder.java index 3862da234..fe32dd958 100644 --- a/acceptance-tests/src/test/java/tech/pegasys/web3signer/dsl/signer/SignerConfigurationBuilder.java +++ b/acceptance-tests/src/test/java/tech/pegasys/web3signer/dsl/signer/SignerConfigurationBuilder.java @@ -20,7 +20,7 @@ import tech.pegasys.web3signer.core.service.jsonrpc.handlers.signing.ChainIdProvider; import tech.pegasys.web3signer.core.service.jsonrpc.handlers.signing.ConfigurationChainId; import tech.pegasys.web3signer.dsl.tls.TlsCertificateDefinition; -import tech.pegasys.web3signer.signing.config.AwsParameters; +import tech.pegasys.web3signer.signing.config.AwsVaultParameters; import tech.pegasys.web3signer.signing.config.AzureKeyVaultParameters; import tech.pegasys.web3signer.signing.config.KeystoresParameters; @@ -50,7 +50,7 @@ public class SignerConfigurationBuilder { private Path slashingProtectionDbPoolConfigurationFile = null; private String mode; private AzureKeyVaultParameters azureKeyVaultParameters; - private AwsParameters awsParameters; + private AwsVaultParameters awsVaultParameters; private Map web3SignerEnvironment; private Duration startupTimeout = Boolean.getBoolean("debugSubProcess") ? Duration.ofHours(1) : Duration.ofSeconds(30); @@ -141,8 +141,8 @@ public SignerConfigurationBuilder withAzureKeyVaultParameters( return this; } - public SignerConfigurationBuilder withAwsParameters(final AwsParameters awsParameters) { - this.awsParameters = awsParameters; + public SignerConfigurationBuilder withAwsParameters(final AwsVaultParameters awsVaultParameters) { + this.awsVaultParameters = awsVaultParameters; return this; } 
@@ -323,7 +323,7 @@ public SignerConfiguration build() { metricsCategories, metricsEnabled, Optional.ofNullable(azureKeyVaultParameters), - Optional.ofNullable(awsParameters), + Optional.ofNullable(awsVaultParameters), Optional.ofNullable(keystoresParameters), Optional.ofNullable(serverTlsOptions), Optional.ofNullable(overriddenCaTrustStore), diff --git a/acceptance-tests/src/test/java/tech/pegasys/web3signer/dsl/signer/runner/CmdLineParamsConfigFileImpl.java b/acceptance-tests/src/test/java/tech/pegasys/web3signer/dsl/signer/runner/CmdLineParamsConfigFileImpl.java index b6eba9ddb..66f2b4232 100644 --- a/acceptance-tests/src/test/java/tech/pegasys/web3signer/dsl/signer/runner/CmdLineParamsConfigFileImpl.java +++ b/acceptance-tests/src/test/java/tech/pegasys/web3signer/dsl/signer/runner/CmdLineParamsConfigFileImpl.java @@ -35,7 +35,7 @@ import tech.pegasys.web3signer.dsl.signer.SignerConfiguration; import tech.pegasys.web3signer.dsl.signer.WatermarkRepairParameters; import tech.pegasys.web3signer.dsl.utils.DatabaseUtil; -import tech.pegasys.web3signer.signing.config.AwsParameters; +import tech.pegasys.web3signer.signing.config.AwsVaultParameters; import tech.pegasys.web3signer.signing.config.AzureKeyVaultParameters; import tech.pegasys.web3signer.signing.config.KeystoresParameters; 
@@ -453,70 +453,70 @@ private String createEth2SlashingProtectionArgs() { return yamlConfig.toString(); } - private String awsSecretsManagerBulkLoadingOptions(final AwsParameters awsParameters) { + private String awsSecretsManagerBulkLoadingOptions(final AwsVaultParameters awsVaultParameters) { final StringBuilder yamlConfig = new StringBuilder(); yamlConfig.append( String.format( YAML_BOOLEAN_FMT, "eth2." + AWS_SECRETS_ENABLED_OPTION.substring(2), - awsParameters.isEnabled())); + awsVaultParameters.isEnabled())); yamlConfig.append( String.format( YAML_STRING_FMT, "eth2." + AWS_SECRETS_AUTH_MODE_OPTION.substring(2), - awsParameters.getAuthenticationMode().name())); + awsVaultParameters.getAuthenticationMode().name())); - if (awsParameters.getAccessKeyId() != null) { + if (awsVaultParameters.getAccessKeyId() != null) { yamlConfig.append( String.format( YAML_STRING_FMT, "eth2." + AWS_SECRETS_ACCESS_KEY_ID_OPTION.substring(2), - awsParameters.getAccessKeyId())); + awsVaultParameters.getAccessKeyId())); } - if (awsParameters.getSecretAccessKey() != null) { + if (awsVaultParameters.getSecretAccessKey() != null) { yamlConfig.append( String.format( YAML_STRING_FMT, "eth2." + AWS_SECRETS_SECRET_ACCESS_KEY_OPTION.substring(2), - awsParameters.getSecretAccessKey())); + awsVaultParameters.getSecretAccessKey())); } - if (awsParameters.getRegion() != null) { + if (awsVaultParameters.getRegion() != null) { yamlConfig.append( String.format( YAML_STRING_FMT, "eth2." + AWS_SECRETS_REGION_OPTION.substring(2), - awsParameters.getRegion())); + awsVaultParameters.getRegion())); } - if (!awsParameters.getPrefixesFilter().isEmpty()) { + if (!awsVaultParameters.getPrefixesFilter().isEmpty()) { yamlConfig.append( String.format( YAML_STRING_FMT, "eth2." 
+ AWS_SECRETS_PREFIXES_FILTER_OPTION.substring(2), - String.join(",", awsParameters.getPrefixesFilter()))); + String.join(",", awsVaultParameters.getPrefixesFilter()))); } - if (!awsParameters.getTagNamesFilter().isEmpty()) { + if (!awsVaultParameters.getTagNamesFilter().isEmpty()) { yamlConfig.append( String.format( YAML_STRING_FMT, "eth2." + AWS_SECRETS_TAG_NAMES_FILTER_OPTION.substring(2), - String.join(",", awsParameters.getTagNamesFilter()))); + String.join(",", awsVaultParameters.getTagNamesFilter()))); } - if (!awsParameters.getTagValuesFilter().isEmpty()) { + if (!awsVaultParameters.getTagValuesFilter().isEmpty()) { yamlConfig.append( String.format( YAML_STRING_FMT, "eth2." + AWS_SECRETS_TAG_VALUES_FILTER_OPTION.substring(2), - String.join(",", awsParameters.getTagValuesFilter()))); + String.join(",", awsVaultParameters.getTagValuesFilter()))); } - awsParameters + awsVaultParameters .getEndpointOverride() .ifPresent( uri -> 
@@ -529,62 +529,62 @@ private String awsSecretsManagerBulkLoadingOptions(final AwsParameters awsParame return yamlConfig.toString(); } - private String awsKmsBulkLoadingOptions(final AwsParameters awsParameters) { + private String awsKmsBulkLoadingOptions(final AwsVaultParameters awsVaultParameters) { final StringBuilder yamlConfig = new StringBuilder(); yamlConfig.append( String.format( YAML_BOOLEAN_FMT, "eth1." + AWS_KMS_ENABLED_OPTION.substring(2), - awsParameters.isEnabled())); + awsVaultParameters.isEnabled())); yamlConfig.append( String.format( YAML_STRING_FMT, "eth1." + AWS_KMS_AUTH_MODE_OPTION.substring(2), - awsParameters.getAuthenticationMode().name())); + awsVaultParameters.getAuthenticationMode().name())); - if (awsParameters.getAccessKeyId() != null) { + if (awsVaultParameters.getAccessKeyId() != null) { yamlConfig.append( String.format( YAML_STRING_FMT, "eth1." + AWS_KMS_ACCESS_KEY_ID_OPTION.substring(2), - awsParameters.getAccessKeyId())); + awsVaultParameters.getAccessKeyId())); } - if (awsParameters.getSecretAccessKey() != null) { + if (awsVaultParameters.getSecretAccessKey() != null) { yamlConfig.append( String.format( YAML_STRING_FMT, "eth1." + AWS_KMS_SECRET_ACCESS_KEY_OPTION.substring(2), - awsParameters.getSecretAccessKey())); + awsVaultParameters.getSecretAccessKey())); } - if (awsParameters.getRegion() != null) { + if (awsVaultParameters.getRegion() != null) { yamlConfig.append( String.format( YAML_STRING_FMT, "eth1." + AWS_KMS_REGION_OPTION.substring(2), - awsParameters.getRegion())); + awsVaultParameters.getRegion())); } - if (!awsParameters.getTagNamesFilter().isEmpty()) { + if (!awsVaultParameters.getTagNamesFilter().isEmpty()) { yamlConfig.append( String.format( YAML_STRING_FMT, "eth1." 
+ AWS_KMS_TAG_NAMES_FILTER_OPTION.substring(2), - String.join(",", awsParameters.getTagNamesFilter()))); + String.join(",", awsVaultParameters.getTagNamesFilter()))); } - if (!awsParameters.getTagValuesFilter().isEmpty()) { + if (!awsVaultParameters.getTagValuesFilter().isEmpty()) { yamlConfig.append( String.format( YAML_STRING_FMT, "eth1." + AWS_KMS_TAG_VALUES_FILTER_OPTION.substring(2), - String.join(",", awsParameters.getTagValuesFilter()))); + String.join(",", awsVaultParameters.getTagValuesFilter()))); } - awsParameters + awsVaultParameters .getEndpointOverride() .ifPresent( uri -> diff --git a/acceptance-tests/src/test/java/tech/pegasys/web3signer/dsl/signer/runner/CmdLineParamsDefaultImpl.java b/acceptance-tests/src/test/java/tech/pegasys/web3signer/dsl/signer/runner/CmdLineParamsDefaultImpl.java index c42010372..6562d006a 100644 --- a/acceptance-tests/src/test/java/tech/pegasys/web3signer/dsl/signer/runner/CmdLineParamsDefaultImpl.java +++ b/acceptance-tests/src/test/java/tech/pegasys/web3signer/dsl/signer/runner/CmdLineParamsDefaultImpl.java @@ -35,7 +35,7 @@ import tech.pegasys.web3signer.dsl.signer.SignerConfiguration; import tech.pegasys.web3signer.dsl.signer.WatermarkRepairParameters; import tech.pegasys.web3signer.dsl.utils.DatabaseUtil; -import tech.pegasys.web3signer.signing.config.AwsParameters; +import tech.pegasys.web3signer.signing.config.AwsVaultParameters; import tech.pegasys.web3signer.signing.config.AzureKeyVaultParameters; import tech.pegasys.web3signer.signing.config.KeystoresParameters; 
@@ -287,30 +287,30 @@ private Collection createEth2Args() { } private Collection awsSecretsManagerBulkLoadingOptions( - final AwsParameters awsParameters) { + final AwsVaultParameters awsVaultParameters) { final List params = new ArrayList<>(); - params.add(AWS_SECRETS_ENABLED_OPTION + "=" + awsParameters.isEnabled()); + params.add(AWS_SECRETS_ENABLED_OPTION + "=" + awsVaultParameters.isEnabled()); params.add(AWS_SECRETS_AUTH_MODE_OPTION); - params.add(awsParameters.getAuthenticationMode().name()); + params.add(awsVaultParameters.getAuthenticationMode().name()); - if (awsParameters.getAccessKeyId() != null) { + if (awsVaultParameters.getAccessKeyId() != null) { params.add(AWS_SECRETS_ACCESS_KEY_ID_OPTION); - params.add(awsParameters.getAccessKeyId()); + params.add(awsVaultParameters.getAccessKeyId()); } - if (awsParameters.getSecretAccessKey() != null) { + if (awsVaultParameters.getSecretAccessKey() != null) { params.add(AWS_SECRETS_SECRET_ACCESS_KEY_OPTION); - params.add(awsParameters.getSecretAccessKey()); + params.add(awsVaultParameters.getSecretAccessKey()); } - if (awsParameters.getRegion() != null) { + if (awsVaultParameters.getRegion() != null) { params.add(AWS_SECRETS_REGION_OPTION); - params.add(awsParameters.getRegion()); + params.add(awsVaultParameters.getRegion()); } - awsParameters + awsVaultParameters .getEndpointOverride() .ifPresent( uri -> { 
@@ -318,48 +318,48 @@ private Collection awsSecretsManagerBulkLoadingOptions( params.add(uri.toString()); }); - if (!awsParameters.getPrefixesFilter().isEmpty()) { + if (!awsVaultParameters.getPrefixesFilter().isEmpty()) { params.add(AWS_SECRETS_PREFIXES_FILTER_OPTION); - params.add(String.join(",", awsParameters.getPrefixesFilter())); + params.add(String.join(",", awsVaultParameters.getPrefixesFilter())); } - if (!awsParameters.getTagNamesFilter().isEmpty()) { + if (!awsVaultParameters.getTagNamesFilter().isEmpty()) { params.add(AWS_SECRETS_TAG_NAMES_FILTER_OPTION); - params.add(String.join(",", awsParameters.getTagNamesFilter())); + params.add(String.join(",", awsVaultParameters.getTagNamesFilter())); } - if (!awsParameters.getTagValuesFilter().isEmpty()) { + if (!awsVaultParameters.getTagValuesFilter().isEmpty()) { params.add(AWS_SECRETS_TAG_VALUES_FILTER_OPTION); - params.add(String.join(",", awsParameters.getTagValuesFilter())); + params.add(String.join(",", awsVaultParameters.getTagValuesFilter())); } return params; } - private Collection awsKmsBulkLoadingOptions(final AwsParameters awsParameters) { + private Collection awsKmsBulkLoadingOptions(final AwsVaultParameters awsVaultParameters) { final List params = new ArrayList<>(); - params.add(AWS_KMS_ENABLED_OPTION + "=" + awsParameters.isEnabled()); + params.add(AWS_KMS_ENABLED_OPTION + "=" + awsVaultParameters.isEnabled()); params.add(AWS_KMS_AUTH_MODE_OPTION); - params.add(awsParameters.getAuthenticationMode().name()); + params.add(awsVaultParameters.getAuthenticationMode().name()); - if (awsParameters.getAccessKeyId() != null) { + if (awsVaultParameters.getAccessKeyId() != null) { params.add(AWS_KMS_ACCESS_KEY_ID_OPTION); - params.add(awsParameters.getAccessKeyId()); + params.add(awsVaultParameters.getAccessKeyId()); } - if (awsParameters.getSecretAccessKey() != null) { + if (awsVaultParameters.getSecretAccessKey() != null) { params.add(AWS_KMS_SECRET_ACCESS_KEY_OPTION); - 
params.add(awsParameters.getSecretAccessKey()); + params.add(awsVaultParameters.getSecretAccessKey()); } - if (awsParameters.getRegion() != null) { + if (awsVaultParameters.getRegion() != null) { params.add(AWS_KMS_REGION_OPTION); - params.add(awsParameters.getRegion()); + params.add(awsVaultParameters.getRegion()); } - awsParameters + awsVaultParameters .getEndpointOverride() .ifPresent( uri -> { @@ -367,14 +367,14 @@ private Collection awsKmsBulkLoadingOptions(final AwsParameters awsParam params.add(uri.toString()); }); - if (!awsParameters.getTagNamesFilter().isEmpty()) { + if (!awsVaultParameters.getTagNamesFilter().isEmpty()) { params.add(AWS_KMS_TAG_NAMES_FILTER_OPTION); - params.add(String.join(",", awsParameters.getTagNamesFilter())); + params.add(String.join(",", awsVaultParameters.getTagNamesFilter())); } - if (!awsParameters.getTagValuesFilter().isEmpty()) { + if (!awsVaultParameters.getTagValuesFilter().isEmpty()) { params.add(AWS_KMS_TAG_VALUES_FILTER_OPTION); - params.add(String.join(",", awsParameters.getTagValuesFilter())); + params.add(String.join(",", awsVaultParameters.getTagValuesFilter())); } return params; diff --git a/acceptance-tests/src/test/java/tech/pegasys/web3signer/tests/bulkloading/AwsKmsAcceptanceTest.java b/acceptance-tests/src/test/java/tech/pegasys/web3signer/tests/bulkloading/AwsKmsAcceptanceTest.java index 09bcae869..2462ff156 100644 --- a/acceptance-tests/src/test/java/tech/pegasys/web3signer/tests/bulkloading/AwsKmsAcceptanceTest.java +++ b/acceptance-tests/src/test/java/tech/pegasys/web3signer/tests/bulkloading/AwsKmsAcceptanceTest.java 
@@ -21,8 +21,8 @@ import tech.pegasys.web3signer.common.config.AwsAuthenticationMode; import tech.pegasys.web3signer.dsl.signer.SignerConfigurationBuilder; import tech.pegasys.web3signer.signing.KeyType; -import tech.pegasys.web3signer.signing.config.AwsParameters; import tech.pegasys.web3signer.signing.config.AwsParametersBuilder; +import tech.pegasys.web3signer.signing.config.AwsVaultParameters; import tech.pegasys.web3signer.signing.secp256k1.EthPublicKeyUtils; import tech.pegasys.web3signer.tests.AcceptanceTestBase; @@ -107,7 +107,7 @@ void setupAwsResources() { @ParameterizedTest(name = "{index} - Using config file: {0}") @ValueSource(booleans = {true, false}) void keysAreLoadedFromAwsKmsAndReportedByPublicApi(final boolean useConfigFile) { - final AwsParameters awsParameters = + final AwsVaultParameters awsVaultParameters = AwsParametersBuilder.anAwsParameters() .withAuthenticationMode(AwsAuthenticationMode.SPECIFIED) .withRegion(AWS_REGION) @@ -122,7 +122,7 @@ void keysAreLoadedFromAwsKmsAndReportedByPublicApi(final boolean useConfigFile) new SignerConfigurationBuilder() .withUseConfigFile(useConfigFile) .withMode("eth1") - .withAwsParameters(awsParameters); + .withAwsParameters(awsVaultParameters); startSigner(configBuilder.build()); @@ -148,7 +148,7 @@ void keysAreLoadedFromAwsKmsAndReportedByPublicApi(final boolean useConfigFile) @Test void healthCheckErrorCountWhenInvalidCredentialsAreUsed() { final boolean useConfigFile = false; - final AwsParameters invalidCredsParams = + final AwsVaultParameters invalidCredsParams = AwsParametersBuilder.anAwsParameters() .withAuthenticationMode(AwsAuthenticationMode.SPECIFIED) .withRegion("us-east-2") 
@@ -193,7 +193,7 @@ private static int getAwsBulkLoadingData(String healthCheckJsonBody, String data @ValueSource(booleans = {true, false}) void keysAreLoadedFromAwsKmsWithEnvironmentAuthModeAndReportedByPublicApi( final boolean useConfigFile) { - final AwsParameters awsParameters = + final AwsVaultParameters awsVaultParameters = AwsParametersBuilder.anAwsParameters() .withAuthenticationMode(AwsAuthenticationMode.ENVIRONMENT) .withTagNamesFilter(List.of("TagName2", "TagName3")) @@ -205,7 +205,7 @@ void keysAreLoadedFromAwsKmsWithEnvironmentAuthModeAndReportedByPublicApi( new SignerConfigurationBuilder() .withUseConfigFile(useConfigFile) .withMode("eth1") - .withAwsParameters(awsParameters); + .withAwsParameters(awsVaultParameters); startSigner(configBuilder.build()); diff --git a/acceptance-tests/src/test/java/tech/pegasys/web3signer/tests/bulkloading/AwsSecretsManagerAcceptanceTest.java b/acceptance-tests/src/test/java/tech/pegasys/web3signer/tests/bulkloading/AwsSecretsManagerAcceptanceTest.java index 9229da77a..f93dc49f1 100644 --- a/acceptance-tests/src/test/java/tech/pegasys/web3signer/tests/bulkloading/AwsSecretsManagerAcceptanceTest.java +++ b/acceptance-tests/src/test/java/tech/pegasys/web3signer/tests/bulkloading/AwsSecretsManagerAcceptanceTest.java @@ -21,8 +21,8 @@ import tech.pegasys.web3signer.common.config.AwsAuthenticationMode; import tech.pegasys.web3signer.dsl.signer.SignerConfigurationBuilder; import tech.pegasys.web3signer.signing.KeyType; -import tech.pegasys.web3signer.signing.config.AwsParameters; import tech.pegasys.web3signer.signing.config.AwsParametersBuilder; +import tech.pegasys.web3signer.signing.config.AwsVaultParameters; import tech.pegasys.web3signer.tests.AcceptanceTestBase; import java.net.URI; 
@@ -102,7 +102,7 @@ void setupAwsResources() {
 @ParameterizedTest(name = "{index} - Using config file: {0}")
 @ValueSource(booleans = {true, false})
 void secretsAreLoadedFromAWSSecretsManagerAndReportedByPublicApi(final boolean useConfigFile) {
- final AwsParameters awsParameters =
+ final AwsVaultParameters awsVaultParameters =
 AwsParametersBuilder.anAwsParameters()
 .withAuthenticationMode(AwsAuthenticationMode.SPECIFIED)
 .withRegion(AWS_REGION)
@@ -118,7 +118,7 @@ void secretsAreLoadedFromAWSSecretsManagerAndReportedByPublicApi(final boolean u
 new SignerConfigurationBuilder()
 .withUseConfigFile(useConfigFile)
 .withMode("eth2")
- .withAwsParameters(awsParameters);
+ .withAwsParameters(awsVaultParameters);
 startSigner(configBuilder.build());
@@ -144,7 +144,7 @@ void secretsAreLoadedFromAWSSecretsManagerAndReportedByPublicApi(final boolean u
 @Test
 void healthCheckErrorCountWhenInvalidCredentialsAreUsed() {
 final boolean useConfigFile = false;
- final AwsParameters invalidCredsParams =
+ final AwsVaultParameters invalidCredsParams =
 AwsParametersBuilder.anAwsParameters()
 .withAuthenticationMode(AwsAuthenticationMode.SPECIFIED)
 .withRegion("us-east-2")
@@ -189,7 +189,7 @@ private static int getAwsBulkLoadingData(String healthCheckJsonBody, String data
 @ValueSource(booleans = {true, false})
 void secretsAreLoadedFromAWSSecretsManagerWithEnvironmentAuthModeAndReportedByPublicApi(
 final boolean useConfigFile) {
- final AwsParameters awsParameters =
+ final AwsVaultParameters awsVaultParameters =
 AwsParametersBuilder.anAwsParameters()
 .withAuthenticationMode(AwsAuthenticationMode.ENVIRONMENT)
 .withPrefixesFilter(List.of(awsSecretsManagerUtil.getSecretsManagerPrefix()))
@@ -202,7 +202,7 @@ void secretsAreLoadedFromAWSSecretsManagerWithEnvironmentAuthModeAndReportedByPu
 new SignerConfigurationBuilder()
 .withUseConfigFile(useConfigFile)
 .withMode("eth2")
- .withAwsParameters(awsParameters);
+ .withAwsParameters(awsVaultParameters);
 startSigner(configBuilder.build());
diff --git a/acceptance-tests/src/test/java/tech/pegasys/web3signer/tests/bulkloading/AwsSecretsManagerMultiValueAcceptanceTest.java b/acceptance-tests/src/test/java/tech/pegasys/web3signer/tests/bulkloading/AwsSecretsManagerMultiValueAcceptanceTest.java
index 46a4d4f79..bd7f6a693 100644
--- a/acceptance-tests/src/test/java/tech/pegasys/web3signer/tests/bulkloading/AwsSecretsManagerMultiValueAcceptanceTest.java
+++ b/acceptance-tests/src/test/java/tech/pegasys/web3signer/tests/bulkloading/AwsSecretsManagerMultiValueAcceptanceTest.java
@@ -21,8 +21,8 @@
 import tech.pegasys.web3signer.common.config.AwsAuthenticationMode;
 import tech.pegasys.web3signer.dsl.signer.SignerConfigurationBuilder;
 import tech.pegasys.web3signer.signing.KeyType;
-import tech.pegasys.web3signer.signing.config.AwsParameters;
 import tech.pegasys.web3signer.signing.config.AwsParametersBuilder;
+import tech.pegasys.web3signer.signing.config.AwsVaultParameters;
 import tech.pegasys.web3signer.tests.AcceptanceTestBase;
 import java.net.URI;
@@ -103,7 +103,7 @@ void setupAwsResources() {
 @ParameterizedTest(name = "{index} -> use config file: {0}")
 @ValueSource(booleans = {true, false})
 void secretsAreLoadedFromAWSSecretsManagerAndReportedByPublicApi(final boolean useConfigFile) {
- final AwsParameters awsParameters =
+ final AwsVaultParameters awsVaultParameters =
 AwsParametersBuilder.anAwsParameters()
 .withAuthenticationMode(AwsAuthenticationMode.SPECIFIED)
 .withRegion(AWS_REGION)
@@ -118,7 +118,7 @@ void secretsAreLoadedFromAWSSecretsManagerAndReportedByPublicApi(final boolean u
 new SignerConfigurationBuilder()
 .withUseConfigFile(useConfigFile)
 .withMode("eth2")
- .withAwsParameters(awsParameters);
+ .withAwsParameters(awsVaultParameters);
 startSigner(configBuilder.build());
diff --git a/acceptance-tests/src/test/java/tech/pegasys/web3signer/tests/bulkloading/AwsSecretsManagerPerformanceAcceptanceTest.java b/acceptance-tests/src/test/java/tech/pegasys/web3signer/tests/bulkloading/AwsSecretsManagerPerformanceAcceptanceTest.java
index 7732e96ce..43d6905da 100644
--- a/acceptance-tests/src/test/java/tech/pegasys/web3signer/tests/bulkloading/AwsSecretsManagerPerformanceAcceptanceTest.java
+++ b/acceptance-tests/src/test/java/tech/pegasys/web3signer/tests/bulkloading/AwsSecretsManagerPerformanceAcceptanceTest.java
@@ -19,8 +19,8 @@
 import tech.pegasys.web3signer.common.config.AwsAuthenticationMode;
 import tech.pegasys.web3signer.dsl.signer.SignerConfigurationBuilder;
 import tech.pegasys.web3signer.signing.KeyType;
-import tech.pegasys.web3signer.signing.config.AwsParameters;
 import tech.pegasys.web3signer.signing.config.AwsParametersBuilder;
+import tech.pegasys.web3signer.signing.config.AwsVaultParameters;
 import tech.pegasys.web3signer.tests.AcceptanceTestBase;
 import java.net.URI;
@@ -120,7 +120,7 @@ void setupAwsResources() {
 @Test
 void largeNumberOfKeysAreLoadedSuccessfully() {
- final AwsParameters awsParameters =
+ final AwsVaultParameters awsVaultParameters =
 AwsParametersBuilder.anAwsParameters()
 .withAuthenticationMode(AwsAuthenticationMode.SPECIFIED)
 .withRegion(AWS_REGION)
@@ -133,7 +133,7 @@ void largeNumberOfKeysAreLoadedSuccessfully() {
 final SignerConfigurationBuilder configBuilder =
 new SignerConfigurationBuilder()
 .withMode("eth2")
- .withAwsParameters(awsParameters)
+ .withAwsParameters(awsVaultParameters)
 .withStartupTimeout(STARTUP_TIMEOUT)
 .withLogLevel(Level.INFO);
diff --git a/commandline/src/main/java/tech/pegasys/web3signer/commandline/PicoCliAwsKmsParameters.java b/commandline/src/main/java/tech/pegasys/web3signer/commandline/PicoCliAwsKmsParameters.java
index 7929cfc1e..c9bfcf6ba 100644
--- a/commandline/src/main/java/tech/pegasys/web3signer/commandline/PicoCliAwsKmsParameters.java
+++ b/commandline/src/main/java/tech/pegasys/web3signer/commandline/PicoCliAwsKmsParameters.java
@@ -13,7 +13,7 @@
 package tech.pegasys.web3signer.commandline;
 import tech.pegasys.web3signer.common.config.AwsAuthenticationMode;
-import tech.pegasys.web3signer.signing.config.AwsParameters;
+import tech.pegasys.web3signer.signing.config.AwsVaultParameters;
 import java.net.URI;
 import java.util.Collection;
@@ -23,7 +23,7 @@
 import picocli.CommandLine.Option;
-public class PicoCliAwsKmsParameters implements AwsParameters {
+public class PicoCliAwsKmsParameters implements AwsVaultParameters {
 public static final String AWS_KMS_ENABLED_OPTION = "--aws-kms-enabled";
 public static final String AWS_KMS_AUTH_MODE_OPTION = "--aws-kms-auth-mode";
 public static final String AWS_KMS_ACCESS_KEY_ID_OPTION = "--aws-kms-access-key-id";
diff --git a/commandline/src/main/java/tech/pegasys/web3signer/commandline/PicoCliAwsSecretsManagerParameters.java b/commandline/src/main/java/tech/pegasys/web3signer/commandline/PicoCliAwsSecretsManagerParameters.java
index cc8d858c7..ae59ad906 100644
--- a/commandline/src/main/java/tech/pegasys/web3signer/commandline/PicoCliAwsSecretsManagerParameters.java
+++ b/commandline/src/main/java/tech/pegasys/web3signer/commandline/PicoCliAwsSecretsManagerParameters.java
@@ -13,7 +13,7 @@
 package tech.pegasys.web3signer.commandline;
 import tech.pegasys.web3signer.common.config.AwsAuthenticationMode;
-import tech.pegasys.web3signer.signing.config.AwsParameters;
+import tech.pegasys.web3signer.signing.config.AwsVaultParameters;
 import java.net.URI;
 import java.util.Collection;
@@ -24,7 +24,7 @@
 import picocli.CommandLine;
 import picocli.CommandLine.Option;
-public class PicoCliAwsSecretsManagerParameters implements AwsParameters {
+public class PicoCliAwsSecretsManagerParameters implements AwsVaultParameters {
 public static final String AWS_SECRETS_ENABLED_OPTION = "--aws-secrets-enabled";
 public static final String AWS_SECRETS_AUTH_MODE_OPTION = "--aws-secrets-auth-mode";
 public static final String AWS_SECRETS_ACCESS_KEY_ID_OPTION = "--aws-secrets-access-key-id";
diff --git a/commandline/src/main/java/tech/pegasys/web3signer/commandline/subcommands/Eth1SubCommand.java b/commandline/src/main/java/tech/pegasys/web3signer/commandline/subcommands/Eth1SubCommand.java
index abf857084..48a9b96bc 100644
--- a/commandline/src/main/java/tech/pegasys/web3signer/commandline/subcommands/Eth1SubCommand.java
+++ b/commandline/src/main/java/tech/pegasys/web3signer/commandline/subcommands/Eth1SubCommand.java
@@ -28,7 +28,7 @@
 import tech.pegasys.web3signer.core.config.client.ClientTlsOptions;
 import tech.pegasys.web3signer.core.service.jsonrpc.handlers.signing.ChainIdProvider;
 import tech.pegasys.web3signer.core.service.jsonrpc.handlers.signing.ConfigurationChainId;
-import tech.pegasys.web3signer.signing.config.AwsParameters;
+import tech.pegasys.web3signer.signing.config.AwsVaultParameters;
 import tech.pegasys.web3signer.signing.config.AzureKeyVaultParameters;
 import java.net.URI;
@@ -221,7 +221,7 @@ public AzureKeyVaultParameters getAzureKeyVaultConfig() {
 }
 @Override
- public AwsParameters getAwsParameters() {
+ public AwsVaultParameters getAwsParameters() {
 return awsParameters;
 }
diff --git a/core/src/integrationTest/java/tech/pegasys/web3signer/core/jsonrpcproxy/support/TestEth1Config.java b/core/src/integrationTest/java/tech/pegasys/web3signer/core/jsonrpcproxy/support/TestEth1Config.java
index c18e9c5c6..d18edc042 100644
--- a/core/src/integrationTest/java/tech/pegasys/web3signer/core/jsonrpcproxy/support/TestEth1Config.java
+++ b/core/src/integrationTest/java/tech/pegasys/web3signer/core/jsonrpcproxy/support/TestEth1Config.java
@@ -16,8 +16,8 @@
 import tech.pegasys.web3signer.core.config.client.ClientTlsOptions;
 import tech.pegasys.web3signer.core.service.jsonrpc.handlers.signing.ChainIdProvider;
 import tech.pegasys.web3signer.core.service.jsonrpc.handlers.signing.ConfigurationChainId;
-import tech.pegasys.web3signer.signing.config.AwsParameters;
 import tech.pegasys.web3signer.signing.config.AwsParametersBuilder;
+import tech.pegasys.web3signer.signing.config.AwsVaultParameters;
 import tech.pegasys.web3signer.signing.config.AzureKeyVaultParameters;
 import tech.pegasys.web3signer.signing.config.DefaultAzureKeyVaultParameters;
@@ -100,7 +100,7 @@ public AzureKeyVaultParameters getAzureKeyVaultConfig() {
 }
 @Override
- public AwsParameters getAwsParameters() {
+ public AwsVaultParameters getAwsParameters() {
 return AwsParametersBuilder.anAwsParameters().build();
 }
diff --git a/core/src/main/java/tech/pegasys/web3signer/core/Eth2Runner.java b/core/src/main/java/tech/pegasys/web3signer/core/Eth2Runner.java
index 27cc74958..295d3e517 100644
--- a/core/src/main/java/tech/pegasys/web3signer/core/Eth2Runner.java
+++ b/core/src/main/java/tech/pegasys/web3signer/core/Eth2Runner.java
@@ -45,7 +45,7 @@
 import tech.pegasys.web3signer.signing.ValidatorManager;
 import tech.pegasys.web3signer.signing.bulkloading.BlsAwsBulkLoader;
 import tech.pegasys.web3signer.signing.bulkloading.BlsKeystoreBulkLoader;
-import tech.pegasys.web3signer.signing.config.AwsParameters;
+import tech.pegasys.web3signer.signing.config.AwsVaultParameters;
 import tech.pegasys.web3signer.signing.config.AzureKeyVaultFactory;
 import tech.pegasys.web3signer.signing.config.AzureKeyVaultParameters;
 import tech.pegasys.web3signer.signing.config.DefaultArtifactSignerProvider;
@@ -94,7 +94,7 @@ public class Eth2Runner extends Runner {
 private final Optional slashingProtectionContext;
 private final AzureKeyVaultParameters azureKeyVaultParameters;
- private final AwsParameters awsParameters;
+ private final AwsVaultParameters awsVaultParameters;
 private final SlashingProtectionParameters slashingProtectionParameters;
 private final boolean pruningEnabled;
 private final KeystoresParameters keystoresParameters;
@@ -106,7 +106,7 @@ public Eth2Runner(
 final SlashingProtectionParameters slashingProtectionParameters,
 final AzureKeyVaultParameters azureKeyVaultParameters,
 final KeystoresParameters keystoresParameters,
- final AwsParameters awsParameters,
+ final AwsVaultParameters awsVaultParameters,
 final Spec eth2Spec,
 final boolean isKeyManagerApiEnabled) {
 super(baseConfig);
@@ -117,7 +117,7 @@ public Eth2Runner(
 this.keystoresParameters = keystoresParameters;
 this.eth2Spec = eth2Spec;
 this.isKeyManagerApiEnabled = isKeyManagerApiEnabled;
- this.awsParameters = awsParameters;
+ this.awsVaultParameters = awsVaultParameters;
 }
 private Optional createSlashingProtection(
@@ -272,7 +272,7 @@ private MappedResults loadSignersFromKeyConfigFiles(
 final YubiHsmOpaqueDataProvider yubiHsmOpaqueDataProvider =
 new YubiHsmOpaqueDataProvider();
 final AwsSecretsManagerProvider awsSecretsManagerProvider =
- new AwsSecretsManagerProvider(awsParameters.getCacheMaximumSize()); ) {
+ new AwsSecretsManagerProvider(awsVaultParameters.getCacheMaximumSize()); ) {
 final AbstractArtifactSignerFactory artifactSignerFactory =
 new BlsArtifactSignerFactory(
 baseConfig.getKeyConfigPath(),
@@ -338,11 +338,11 @@ private MappedResults bulkLoadSigners(
 results = MappedResults.merge(results, keystoreSignersResult);
 }
- if (awsParameters.isEnabled()) {
+ if (awsVaultParameters.isEnabled()) {
 LOG.info("Bulk loading keys from AWS Secrets Manager ... ");
 final BlsAwsBulkLoader blsAwsBulkLoader = new BlsAwsBulkLoader();
- final MappedResults awsResult = blsAwsBulkLoader.load(awsParameters);
+ final MappedResults awsResult = blsAwsBulkLoader.load(awsVaultParameters);
 LOG.info(
 "Keys loaded from AWS Secrets Manager: [{}], with error count: [{}]",
 awsResult.getValues().size(),
diff --git a/core/src/main/java/tech/pegasys/web3signer/core/config/Eth1Config.java b/core/src/main/java/tech/pegasys/web3signer/core/config/Eth1Config.java
index a917696c8..7395e523b 100644
--- a/core/src/main/java/tech/pegasys/web3signer/core/config/Eth1Config.java
+++ b/core/src/main/java/tech/pegasys/web3signer/core/config/Eth1Config.java
@@ -14,7 +14,7 @@
 import tech.pegasys.web3signer.core.config.client.ClientTlsOptions;
 import tech.pegasys.web3signer.core.service.jsonrpc.handlers.signing.ChainIdProvider;
-import tech.pegasys.web3signer.signing.config.AwsParameters;
+import tech.pegasys.web3signer.signing.config.AwsVaultParameters;
 import tech.pegasys.web3signer.signing.config.AzureKeyVaultParameters;
 import java.time.Duration;
@@ -44,7 +44,7 @@ public interface Eth1Config {
 AzureKeyVaultParameters getAzureKeyVaultConfig();
- AwsParameters getAwsParameters();
+ AwsVaultParameters getAwsParameters();
 long getAwsKmsClientCacheSize();
 }
diff --git a/signing/src/main/java/tech/pegasys/web3signer/signing/bulkloading/BlsAwsBulkLoader.java b/signing/src/main/java/tech/pegasys/web3signer/signing/bulkloading/BlsAwsBulkLoader.java
index 51750254e..8ef9368a3 100644
--- a/signing/src/main/java/tech/pegasys/web3signer/signing/bulkloading/BlsAwsBulkLoader.java
+++ b/signing/src/main/java/tech/pegasys/web3signer/signing/bulkloading/BlsAwsBulkLoader.java
@@ -19,8 +19,8 @@
 import tech.pegasys.web3signer.keystorage.common.MappedResults;
 import tech.pegasys.web3signer.signing.ArtifactSigner;
 import tech.pegasys.web3signer.signing.BlsArtifactSigner;
-import tech.pegasys.web3signer.signing.config.AwsParameters;
 import tech.pegasys.web3signer.signing.config.AwsSecretsManagerFactory;
+import tech.pegasys.web3signer.signing.config.AwsVaultParameters;
 import tech.pegasys.web3signer.signing.config.metadata.SignerOrigin;
 import org.apache.tuweni.bytes.Bytes;
@@ -28,7 +28,7 @@ public class BlsAwsBulkLoader {
- public MappedResults load(final AwsParameters parameters) {
+ public MappedResults load(final AwsVaultParameters parameters) {
 try (final AwsSecretsManagerProvider awsSecretsManagerProvider =
 new AwsSecretsManagerProvider(parameters.getCacheMaximumSize())) {
 final AwsSecretsManager awsSecretsManager =
diff --git a/signing/src/main/java/tech/pegasys/web3signer/signing/bulkloading/SecpAwsBulkLoader.java b/signing/src/main/java/tech/pegasys/web3signer/signing/bulkloading/SecpAwsBulkLoader.java
index 07e20ea95..b82364975 100644
--- a/signing/src/main/java/tech/pegasys/web3signer/signing/bulkloading/SecpAwsBulkLoader.java
+++ b/signing/src/main/java/tech/pegasys/web3signer/signing/bulkloading/SecpAwsBulkLoader.java
@@ -17,7 +17,7 @@
 import tech.pegasys.web3signer.keystorage.common.MappedResults;
 import tech.pegasys.web3signer.signing.ArtifactSigner;
 import tech.pegasys.web3signer.signing.EthSecpArtifactSigner;
-import tech.pegasys.web3signer.signing.config.AwsParameters;
+import tech.pegasys.web3signer.signing.config.AwsVaultParameters;
 import tech.pegasys.web3signer.signing.config.metadata.AwsKmsMetadata;
 import tech.pegasys.web3signer.signing.secp256k1.aws.AwsKmsClient;
 import tech.pegasys.web3signer.signing.secp256k1.aws.AwsKmsSignerFactory;
@@ -36,7 +36,7 @@ public SecpAwsBulkLoader(
 this.awsKmsSignerFactory = awsKmsSignerFactory;
 }
- public MappedResults load(final AwsParameters parameters) {
+ public MappedResults load(final AwsVaultParameters parameters) {
 final Optional awsCredentials =
 parameters.getAuthenticationMode() == AwsAuthenticationMode.SPECIFIED
 ? Optional.of(
@@ -60,15 +60,15 @@ public MappedResults load(final AwsParameters parameters) {
 private EthSecpArtifactSigner createSigner(
 final Optional awsCredentials,
- final AwsParameters awsParameters,
+ final AwsVaultParameters awsVaultParameters,
 final String keyId) {
 return new EthSecpArtifactSigner(
 awsKmsSignerFactory.createSigner(
 new AwsKmsMetadata(
- awsParameters.getAuthenticationMode(),
- awsParameters.getRegion(),
+ awsVaultParameters.getAuthenticationMode(),
+ awsVaultParameters.getRegion(),
 awsCredentials,
 keyId,
- awsParameters.getEndpointOverride())));
+ awsVaultParameters.getEndpointOverride())));
 }
 }
diff --git a/signing/src/main/java/tech/pegasys/web3signer/signing/config/AwsSecretsManagerFactory.java b/signing/src/main/java/tech/pegasys/web3signer/signing/config/AwsSecretsManagerFactory.java
index 130adbf15..c0c81d302 100644
--- a/signing/src/main/java/tech/pegasys/web3signer/signing/config/AwsSecretsManagerFactory.java
+++ b/signing/src/main/java/tech/pegasys/web3signer/signing/config/AwsSecretsManagerFactory.java
@@ -19,17 +19,17 @@ public class AwsSecretsManagerFactory {
 public static AwsSecretsManager createAwsSecretsManager(
 final AwsSecretsManagerProvider awsSecretsManagerProvider,
- final AwsParameters awsParameters) {
- switch (awsParameters.getAuthenticationMode()) {
+ final AwsVaultParameters awsVaultParameters) {
+ switch (awsVaultParameters.getAuthenticationMode()) {
 case SPECIFIED:
 return awsSecretsManagerProvider.createAwsSecretsManager(
- awsParameters.getAccessKeyId(),
- awsParameters.getSecretAccessKey(),
- awsParameters.getRegion(),
- awsParameters.getEndpointOverride());
+ awsVaultParameters.getAccessKeyId(),
+ awsVaultParameters.getSecretAccessKey(),
+ awsVaultParameters.getRegion(),
+ awsVaultParameters.getEndpointOverride());
 default:
 return awsSecretsManagerProvider.createAwsSecretsManager(
- awsParameters.getEndpointOverride());
+ awsVaultParameters.getEndpointOverride());
 }
 }
 }
diff --git a/signing/src/main/java/tech/pegasys/web3signer/signing/config/AwsParameters.java b/signing/src/main/java/tech/pegasys/web3signer/signing/config/AwsVaultParameters.java
similarity index 97%
rename from signing/src/main/java/tech/pegasys/web3signer/signing/config/AwsParameters.java
rename to signing/src/main/java/tech/pegasys/web3signer/signing/config/AwsVaultParameters.java
index 034959121..cc1e5a281 100644
--- a/signing/src/main/java/tech/pegasys/web3signer/signing/config/AwsParameters.java
+++ b/signing/src/main/java/tech/pegasys/web3signer/signing/config/AwsVaultParameters.java
@@ -19,7 +19,7 @@
 import java.util.Collections;
 import java.util.Optional;
-public interface AwsParameters {
+public interface AwsVaultParameters {
 boolean isEnabled();
 AwsAuthenticationMode getAuthenticationMode();
diff --git a/signing/src/main/java/tech/pegasys/web3signer/signing/config/metadata/AwsKeySigningMetadata.java b/signing/src/main/java/tech/pegasys/web3signer/signing/config/metadata/AwsKeySigningMetadata.java
index e2d38814c..18781c12b 100644
--- a/signing/src/main/java/tech/pegasys/web3signer/signing/config/metadata/AwsKeySigningMetadata.java
+++ b/signing/src/main/java/tech/pegasys/web3signer/signing/config/metadata/AwsKeySigningMetadata.java
@@ -15,7 +15,7 @@
 import tech.pegasys.web3signer.common.config.AwsAuthenticationMode;
 import tech.pegasys.web3signer.signing.ArtifactSigner;
 import tech.pegasys.web3signer.signing.KeyType;
-import tech.pegasys.web3signer.signing.config.AwsParameters;
+import tech.pegasys.web3signer.signing.config.AwsVaultParameters;
 import java.net.URI;
 import java.util.Optional;
@@ -23,7 +23,7 @@
 import com.fasterxml.jackson.databind.annotation.JsonDeserialize;
 @JsonDeserialize(using = AwsKeySigningMetadataDeserializer.class)
-public class AwsKeySigningMetadata extends SigningMetadata implements AwsParameters {
+public class AwsKeySigningMetadata extends SigningMetadata implements AwsVaultParameters {
 public static final String TYPE = "aws-secret";
 private final AwsAuthenticationMode authenticationMode;
 private final String region;
diff --git a/signing/src/testFixtures/java/tech/pegasys/web3signer/signing/config/AwsParametersBuilder.java b/signing/src/testFixtures/java/tech/pegasys/web3signer/signing/config/AwsParametersBuilder.java
index 1a51ec61e..95095630f 100644
--- a/signing/src/testFixtures/java/tech/pegasys/web3signer/signing/config/AwsParametersBuilder.java
+++ b/signing/src/testFixtures/java/tech/pegasys/web3signer/signing/config/AwsParametersBuilder.java
@@ -83,7 +83,7 @@ public AwsParametersBuilder withEndpointOverride(final Optional endpointOve
 return this;
 }
- public AwsParameters build() {
+ public AwsVaultParameters build() {
 if (authenticationMode == AwsAuthenticationMode.SPECIFIED) {
 if (accessKeyId == null) {
 throw new IllegalArgumentException("accessKeyId is required");
@@ -98,7 +98,7 @@ public AwsParameters build() {
 }
 }
- return new TestAwsParameters(
+ return new TestAwsVaultParameters(
 authenticationMode,
 accessKeyId,
 secretAccessKey,
@@ -110,7 +110,7 @@ public AwsParameters build() {
 endpointURI);
 }
- private static class TestAwsParameters implements AwsParameters {
+ private static class TestAwsVaultParameters implements AwsVaultParameters {
 private final AwsAuthenticationMode authenticationMode;
 private final String accessKeyId;
 private final String secretAccessKey;
@@ -121,7 +121,7 @@ private static class TestAwsParameters implements AwsParameters {
 private final long cacheMaximumSize;
 private final Optional endpointOverride;
- TestAwsParameters(
+ TestAwsVaultParameters(
 final AwsAuthenticationMode authenticationMode,
 final String accessKeyId,
 final String secretAccessKey,
From 03867ee04ec616716618f46e135cee5c34e01e18 Mon Sep 17 00:00:00 2001
From: Jason Frame
Date: Tue, 5 Sep 2023 13:55:54 +1000
Subject: [PATCH 20/21] spotless
---
 .../pegasys/web3signer/core/Eth1Runner.java | 55 ++++++++++---------
 1 file changed, 29 insertions(+), 26 deletions(-)
diff --git a/core/src/main/java/tech/pegasys/web3signer/core/Eth1Runner.java b/core/src/main/java/tech/pegasys/web3signer/core/Eth1Runner.java
index d496f9c00..1508e8b68 100644
--- a/core/src/main/java/tech/pegasys/web3signer/core/Eth1Runner.java
+++ b/core/src/main/java/tech/pegasys/web3signer/core/Eth1Runner.java
@@ -227,16 +227,19 @@ private MappedResults loadSignersFromKeyConfigFiles(
 }
 private MappedResults bulkLoadSigners(
- final AzureKeyVaultFactory azureKeyVaultFactory,
- final AzureKeyVaultSignerFactory azureSignerFactory,
- final CachedAwsKmsClientFactory cachedAwsKmsClientFactory,
- final AwsKmsSignerFactory awsKmsSignerFactory) {
+ final AzureKeyVaultFactory azureKeyVaultFactory,
+ final AzureKeyVaultSignerFactory azureSignerFactory,
+ final CachedAwsKmsClientFactory cachedAwsKmsClientFactory,
+ final AwsKmsSignerFactory awsKmsSignerFactory) {
 MappedResults results = MappedResults.newSetInstance();
 if (eth1Config.getAzureKeyVaultConfig().isAzureKeyVaultEnabled()) {
- results = MappedResults.merge(results, bulkLoadAzureKeys(azureKeyVaultFactory, azureSignerFactory));
+ results =
+ MappedResults.merge(results, bulkLoadAzureKeys(azureKeyVaultFactory, azureSignerFactory));
 }
 if (eth1Config.getAwsParameters().isEnabled()) {
- results = MappedResults.merge(results, bulkLoadAwsKeys(cachedAwsKmsClientFactory, awsKmsSignerFactory));
+ results =
+ MappedResults.merge(
+ results, bulkLoadAwsKeys(cachedAwsKmsClientFactory, awsKmsSignerFactory));
 }
 // v3 bulk loading
@@ -246,26 +249,26 @@ private MappedResults bulkLoadSigners(
 }
 private MappedResults bulkLoadAzureKeys(
- AzureKeyVaultFactory azureKeyVaultFactory, AzureKeyVaultSignerFactory azureSignerFactory) {
- LOG.info("Bulk loading keys from Azure key vault ... ");
- final AzureKeyVaultParameters azureKeyVaultConfig = eth1Config.getAzureKeyVaultConfig();
- final AzureKeyVault azureKeyVault =
- azureKeyVaultFactory.createAzureKeyVault(
- azureKeyVaultConfig.getClientId(),
- azureKeyVaultConfig.getClientSecret(),
- azureKeyVaultConfig.getKeyVaultName(),
- azureKeyVaultConfig.getTenantId(),
- azureKeyVaultConfig.getAuthenticationMode(),
- azureKeyVaultConfig.getTimeout());
- final SecpAzureBulkLoader secpAzureBulkLoader =
- new SecpAzureBulkLoader(azureKeyVault, azureSignerFactory);
- final MappedResults azureResult = secpAzureBulkLoader.load(azureKeyVaultConfig);
- LOG.info(
- "Keys loaded from Azure: [{}], with error count: [{}]",
- azureResult.getValues().size(),
- azureResult.getErrorCount());
- registerSignerLoadingHealthCheck(KEYS_CHECK_AZURE_BULK_LOADING, azureResult);
- return azureResult;
+ AzureKeyVaultFactory azureKeyVaultFactory, AzureKeyVaultSignerFactory azureSignerFactory) {
+ LOG.info("Bulk loading keys from Azure key vault ... ");
+ final AzureKeyVaultParameters azureKeyVaultConfig = eth1Config.getAzureKeyVaultConfig();
+ final AzureKeyVault azureKeyVault =
+ azureKeyVaultFactory.createAzureKeyVault(
+ azureKeyVaultConfig.getClientId(),
+ azureKeyVaultConfig.getClientSecret(),
+ azureKeyVaultConfig.getKeyVaultName(),
+ azureKeyVaultConfig.getTenantId(),
+ azureKeyVaultConfig.getAuthenticationMode(),
+ azureKeyVaultConfig.getTimeout());
+ final SecpAzureBulkLoader secpAzureBulkLoader =
+ new SecpAzureBulkLoader(azureKeyVault, azureSignerFactory);
+ final MappedResults azureResult = secpAzureBulkLoader.load(azureKeyVaultConfig);
+ LOG.info(
+ "Keys loaded from Azure: [{}], with error count: [{}]",
+ azureResult.getValues().size(),
+ azureResult.getErrorCount());
+ registerSignerLoadingHealthCheck(KEYS_CHECK_AZURE_BULK_LOADING, azureResult);
+ return azureResult;
 }
 private MappedResults bulkLoadAwsKeys(
From 5bd260a4621a0ea9e0c3fe538d5b798cef18b73d Mon Sep 17 00:00:00 2001
From: Jason Frame
Date: Thu, 7 Sep 2023 15:47:12 +1000
Subject: [PATCH 21/21] Fix intg test broken validation of aws and azure vault params and changed the params to be disabled to remove noise from tests.
---
 .../bulkloading/AwsKmsAcceptanceTest.java | 8 ++--
 .../AwsSecretsManagerAcceptanceTest.java | 8 ++--
 ...ecretsManagerMultiValueAcceptanceTest.java | 4 +-
 ...cretsManagerPerformanceAcceptanceTest.java | 4 +-
 .../subcommands/Eth1SubCommand.java | 2 +-
 .../jsonrpcproxy/support/TestEth1Config.java | 14 +++++--
 .../pegasys/web3signer/core/Eth1Runner.java | 4 +-
 .../web3signer/core/config/Eth1Config.java | 2 +-
 ...er.java => AwsVaultParametersBuilder.java} | 42 ++++++++++++-------
 .../DefaultAzureKeyVaultParameters.java | 22 +++++++---
 10 files changed, 69 insertions(+), 41 deletions(-)
 rename signing/src/testFixtures/java/tech/pegasys/web3signer/signing/config/{AwsParametersBuilder.java => AwsVaultParametersBuilder.java} (78%)
diff --git a/acceptance-tests/src/test/java/tech/pegasys/web3signer/tests/bulkloading/AwsKmsAcceptanceTest.java b/acceptance-tests/src/test/java/tech/pegasys/web3signer/tests/bulkloading/AwsKmsAcceptanceTest.java
index 2462ff156..614ebafe5 100644
--- a/acceptance-tests/src/test/java/tech/pegasys/web3signer/tests/bulkloading/AwsKmsAcceptanceTest.java
+++ b/acceptance-tests/src/test/java/tech/pegasys/web3signer/tests/bulkloading/AwsKmsAcceptanceTest.java
@@ -21,8 +21,8 @@
 import tech.pegasys.web3signer.common.config.AwsAuthenticationMode;
 import tech.pegasys.web3signer.dsl.signer.SignerConfigurationBuilder;
 import tech.pegasys.web3signer.signing.KeyType;
-import tech.pegasys.web3signer.signing.config.AwsParametersBuilder;
 import tech.pegasys.web3signer.signing.config.AwsVaultParameters;
+import tech.pegasys.web3signer.signing.config.AwsVaultParametersBuilder;
 import tech.pegasys.web3signer.signing.secp256k1.EthPublicKeyUtils;
 import tech.pegasys.web3signer.tests.AcceptanceTestBase;
@@ -108,7 +108,7 @@ void setupAwsResources() {
 @ValueSource(booleans = {true, false})
 void keysAreLoadedFromAwsKmsAndReportedByPublicApi(final boolean useConfigFile) {
 final AwsVaultParameters awsVaultParameters =
- AwsParametersBuilder.anAwsParameters()
+ AwsVaultParametersBuilder.anAwsParameters()
 .withAuthenticationMode(AwsAuthenticationMode.SPECIFIED)
 .withRegion(AWS_REGION)
 .withAccessKeyId(RO_AWS_ACCESS_KEY_ID)
@@ -149,7 +149,7 @@ void keysAreLoadedFromAwsKmsAndReportedByPublicApi(final boolean useConfigFile)
 void healthCheckErrorCountWhenInvalidCredentialsAreUsed() {
 final boolean useConfigFile = false;
 final AwsVaultParameters invalidCredsParams =
- AwsParametersBuilder.anAwsParameters()
+ AwsVaultParametersBuilder.anAwsParameters()
 .withAuthenticationMode(AwsAuthenticationMode.SPECIFIED)
 .withRegion("us-east-2")
 .withAccessKeyId("invalid")
@@ -194,7 +194,7 @@ private static int getAwsBulkLoadingData(String healthCheckJsonBody, String data
 void keysAreLoadedFromAwsKmsWithEnvironmentAuthModeAndReportedByPublicApi(
 final boolean useConfigFile) {
 final AwsVaultParameters awsVaultParameters =
- AwsParametersBuilder.anAwsParameters()
+ AwsVaultParametersBuilder.anAwsParameters()
 .withAuthenticationMode(AwsAuthenticationMode.ENVIRONMENT)
 .withTagNamesFilter(List.of("TagName2", "TagName3"))
 .withTagValuesFilter(List.of("TagValue0", "TagValue2", "TagValue3"))
diff --git a/acceptance-tests/src/test/java/tech/pegasys/web3signer/tests/bulkloading/AwsSecretsManagerAcceptanceTest.java b/acceptance-tests/src/test/java/tech/pegasys/web3signer/tests/bulkloading/AwsSecretsManagerAcceptanceTest.java
index a5400629c..08a860319 100644
--- a/acceptance-tests/src/test/java/tech/pegasys/web3signer/tests/bulkloading/AwsSecretsManagerAcceptanceTest.java
+++ b/acceptance-tests/src/test/java/tech/pegasys/web3signer/tests/bulkloading/AwsSecretsManagerAcceptanceTest.java
@@ -25,8 +25,8 @@
 import tech.pegasys.web3signer.common.config.AwsAuthenticationMode;
 import tech.pegasys.web3signer.dsl.signer.SignerConfigurationBuilder;
 import tech.pegasys.web3signer.signing.KeyType;
-import tech.pegasys.web3signer.signing.config.AwsParametersBuilder;
 import tech.pegasys.web3signer.signing.config.AwsVaultParameters;
+import tech.pegasys.web3signer.signing.config.AwsVaultParametersBuilder;
 import tech.pegasys.web3signer.tests.AcceptanceTestBase;
 import java.net.URI;
@@ -106,7 +106,7 @@ void setupAwsResources() {
 @ValueSource(booleans = {true, false})
 void secretsAreLoadedFromAWSSecretsManagerAndReportedByPublicApi(final boolean useConfigFile) {
 final AwsVaultParameters awsVaultParameters =
- AwsParametersBuilder.anAwsParameters()
+ AwsVaultParametersBuilder.anAwsParameters()
 .withAuthenticationMode(AwsAuthenticationMode.SPECIFIED)
 .withRegion(AWS_REGION)
 .withAccessKeyId(RO_AWS_ACCESS_KEY_ID)
@@ -148,7 +148,7 @@ void secretsAreLoadedFromAWSSecretsManagerAndReportedByPublicApi(final boolean u
 void healthCheckErrorCountWhenInvalidCredentialsAreUsed() {
 final boolean useConfigFile = false;
 final AwsVaultParameters invalidCredsParams =
- AwsParametersBuilder.anAwsParameters()
+ AwsVaultParametersBuilder.anAwsParameters()
 .withAuthenticationMode(AwsAuthenticationMode.SPECIFIED)
 .withRegion("us-east-2")
 .withAccessKeyId("invalid")
@@ -180,7 +180,7 @@ void healthCheckErrorCountWhenInvalidCredentialsAreUsed() {
 void secretsAreLoadedFromAWSSecretsManagerWithEnvironmentAuthModeAndReportedByPublicApi(
 final boolean useConfigFile) {
 final AwsVaultParameters awsVaultParameters =
- AwsParametersBuilder.anAwsParameters()
+ AwsVaultParametersBuilder.anAwsParameters()
 .withAuthenticationMode(AwsAuthenticationMode.ENVIRONMENT)
 .withPrefixesFilter(List.of(awsSecretsManagerUtil.getSecretsManagerPrefix()))
 .withTagNamesFilter(List.of("TagName2", "TagName3"))
diff --git a/acceptance-tests/src/test/java/tech/pegasys/web3signer/tests/bulkloading/AwsSecretsManagerMultiValueAcceptanceTest.java b/acceptance-tests/src/test/java/tech/pegasys/web3signer/tests/bulkloading/AwsSecretsManagerMultiValueAcceptanceTest.java
index bd7f6a693..839d4fe66 100644
--- a/acceptance-tests/src/test/java/tech/pegasys/web3signer/tests/bulkloading/AwsSecretsManagerMultiValueAcceptanceTest.java
+++ b/acceptance-tests/src/test/java/tech/pegasys/web3signer/tests/bulkloading/AwsSecretsManagerMultiValueAcceptanceTest.java
@@ -21,8 +21,8 @@
 import tech.pegasys.web3signer.common.config.AwsAuthenticationMode;
 import tech.pegasys.web3signer.dsl.signer.SignerConfigurationBuilder;
 import tech.pegasys.web3signer.signing.KeyType;
-import tech.pegasys.web3signer.signing.config.AwsParametersBuilder;
 import tech.pegasys.web3signer.signing.config.AwsVaultParameters;
+import tech.pegasys.web3signer.signing.config.AwsVaultParametersBuilder;
 import tech.pegasys.web3signer.tests.AcceptanceTestBase;
 import java.net.URI;
@@ -104,7 +104,7 @@ void setupAwsResources() { @ValueSource(booleans = {true, false}) void secretsAreLoadedFromAWSSecretsManagerAndReportedByPublicApi(final boolean useConfigFile) { final AwsVaultParameters awsVaultParameters = - AwsParametersBuilder.anAwsParameters() + AwsVaultParametersBuilder.anAwsParameters() .withAuthenticationMode(AwsAuthenticationMode.SPECIFIED) .withRegion(AWS_REGION) .withAccessKeyId(RO_AWS_ACCESS_KEY_ID) diff --git a/acceptance-tests/src/test/java/tech/pegasys/web3signer/tests/bulkloading/AwsSecretsManagerPerformanceAcceptanceTest.java b/acceptance-tests/src/test/java/tech/pegasys/web3signer/tests/bulkloading/AwsSecretsManagerPerformanceAcceptanceTest.java index 43d6905da..b22d6b772 100644 --- a/acceptance-tests/src/test/java/tech/pegasys/web3signer/tests/bulkloading/AwsSecretsManagerPerformanceAcceptanceTest.java +++ b/acceptance-tests/src/test/java/tech/pegasys/web3signer/tests/bulkloading/AwsSecretsManagerPerformanceAcceptanceTest.java @@ -19,8 +19,8 @@ import tech.pegasys.web3signer.common.config.AwsAuthenticationMode; import tech.pegasys.web3signer.dsl.signer.SignerConfigurationBuilder; import tech.pegasys.web3signer.signing.KeyType; -import tech.pegasys.web3signer.signing.config.AwsParametersBuilder; import tech.pegasys.web3signer.signing.config.AwsVaultParameters; +import tech.pegasys.web3signer.signing.config.AwsVaultParametersBuilder; import tech.pegasys.web3signer.tests.AcceptanceTestBase; import java.net.URI; @@ -121,7 +121,7 @@ void setupAwsResources() { @Test void largeNumberOfKeysAreLoadedSuccessfully() { final AwsVaultParameters awsVaultParameters = - AwsParametersBuilder.anAwsParameters() + AwsVaultParametersBuilder.anAwsParameters() .withAuthenticationMode(AwsAuthenticationMode.SPECIFIED) .withRegion(AWS_REGION) .withAccessKeyId(RO_AWS_ACCESS_KEY_ID) 
diff --git a/commandline/src/main/java/tech/pegasys/web3signer/commandline/subcommands/Eth1SubCommand.java b/commandline/src/main/java/tech/pegasys/web3signer/commandline/subcommands/Eth1SubCommand.java index 7dcdcff7e..487f191ff 100644 --- a/commandline/src/main/java/tech/pegasys/web3signer/commandline/subcommands/Eth1SubCommand.java +++ b/commandline/src/main/java/tech/pegasys/web3signer/commandline/subcommands/Eth1SubCommand.java @@ -245,7 +245,7 @@ public AzureKeyVaultParameters getAzureKeyVaultConfig() { } @Override - public AwsVaultParameters getAwsParameters() { + public AwsVaultParameters getAwsVaultParameters() { return awsParameters; } diff --git a/core/src/integrationTest/java/tech/pegasys/web3signer/core/jsonrpcproxy/support/TestEth1Config.java b/core/src/integrationTest/java/tech/pegasys/web3signer/core/jsonrpcproxy/support/TestEth1Config.java index eeef6b670..8c67d1794 100644 --- a/core/src/integrationTest/java/tech/pegasys/web3signer/core/jsonrpcproxy/support/TestEth1Config.java +++ b/core/src/integrationTest/java/tech/pegasys/web3signer/core/jsonrpcproxy/support/TestEth1Config.java @@ -16,14 +16,15 @@ import tech.pegasys.web3signer.core.config.client.ClientTlsOptions; import tech.pegasys.web3signer.core.service.jsonrpc.handlers.signing.ChainIdProvider; import tech.pegasys.web3signer.core.service.jsonrpc.handlers.signing.ConfigurationChainId; -import tech.pegasys.web3signer.signing.config.AwsParametersBuilder; import tech.pegasys.web3signer.signing.config.AwsVaultParameters; +import tech.pegasys.web3signer.signing.config.AwsVaultParametersBuilder; import tech.pegasys.web3signer.signing.config.AzureKeyVaultParameters; import tech.pegasys.web3signer.signing.config.DefaultAzureKeyVaultParameters; import tech.pegasys.web3signer.signing.config.KeystoresParameters; import java.nio.file.Path; import java.time.Duration; +import java.util.Collections; import java.util.Optional; public class TestEth1Config implements Eth1Config { 
@@ -98,12 +99,17 @@ public ChainIdProvider getChainId() {
 
 @Override
 public AzureKeyVaultParameters getAzureKeyVaultConfig() {
- return new DefaultAzureKeyVaultParameters("", "", "", "");
+ return new DefaultAzureKeyVaultParameters("", "", "", "", Collections.emptyMap(), 60, false);
 }
 
 @Override
- public AwsVaultParameters getAwsParameters() {
- return AwsParametersBuilder.anAwsParameters().build();
+ public AwsVaultParameters getAwsVaultParameters() {
+ return AwsVaultParametersBuilder.anAwsParameters()
+ .withAccessKeyId("")
+ .withSecretAccessKey("")
+ .withRegion("")
+ .withEnabled(false)
+ .build();
 }
 
 @Override
diff --git a/core/src/main/java/tech/pegasys/web3signer/core/Eth1Runner.java b/core/src/main/java/tech/pegasys/web3signer/core/Eth1Runner.java
index 1508e8b68..18afedca8 100644
--- a/core/src/main/java/tech/pegasys/web3signer/core/Eth1Runner.java
+++ b/core/src/main/java/tech/pegasys/web3signer/core/Eth1Runner.java
@@ -236,7 +236,7 @@ private MappedResults bulkLoadSigners(
 results =
 MappedResults.merge(results, bulkLoadAzureKeys(azureKeyVaultFactory, azureSignerFactory));
 }
- if (eth1Config.getAwsParameters().isEnabled()) {
+ if (eth1Config.getAwsVaultParameters().isEnabled()) {
 results =
 MappedResults.merge(
 results, bulkLoadAwsKeys(cachedAwsKmsClientFactory, awsKmsSignerFactory));
@@ -278,7 +278,7 @@ private MappedResults bulkLoadAwsKeys(
 final SecpAwsBulkLoader secpAwsBulkLoader =
 new SecpAwsBulkLoader(cachedAwsKmsClientFactory, awsKmsSignerFactory);
 final MappedResults awsResult =
- secpAwsBulkLoader.load(eth1Config.getAwsParameters());
+ secpAwsBulkLoader.load(eth1Config.getAwsVaultParameters());
 LOG.info(
 "Keys loaded from AWS: [{}], with error count: [{}]",
 awsResult.getValues().size(),
diff --git a/core/src/main/java/tech/pegasys/web3signer/core/config/Eth1Config.java b/core/src/main/java/tech/pegasys/web3signer/core/config/Eth1Config.java
index 86ce2107c..649352a48 100644
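Review bot: In getAwsVaultParameters() the empty-string access key, secret and region exist only so that the builder's build() passes its SPECIFIED-mode null checks for a vault that is marked disabled in the same chain, and nothing tells the next reader that they are placeholders. Either a comment on the chain, `// placeholder credentials: build() rejects null values in SPECIFIED mode even when the vault is disabled`, or switching the fixture to an authentication mode that needs no credentials would make the intent explicit. The literal `60` passed to DefaultAzureKeyVaultParameters in getAzureKeyVaultConfig() repeats that class's private AZURE_DEFAULT_TIMEOUT without saying what it is; a named local such as `final long azureTimeout = 60;` at least gives the number a name. Both methods are complete within the hunk.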
--- a/core/src/main/java/tech/pegasys/web3signer/core/config/Eth1Config.java +++ b/core/src/main/java/tech/pegasys/web3signer/core/config/Eth1Config.java @@ -45,7 +45,7 @@ public interface Eth1Config { AzureKeyVaultParameters getAzureKeyVaultConfig(); - AwsVaultParameters getAwsParameters(); + AwsVaultParameters getAwsVaultParameters(); long getAwsKmsClientCacheSize(); diff --git a/signing/src/testFixtures/java/tech/pegasys/web3signer/signing/config/AwsParametersBuilder.java b/signing/src/testFixtures/java/tech/pegasys/web3signer/signing/config/AwsVaultParametersBuilder.java similarity index 78% rename from signing/src/testFixtures/java/tech/pegasys/web3signer/signing/config/AwsParametersBuilder.java rename to signing/src/testFixtures/java/tech/pegasys/web3signer/signing/config/AwsVaultParametersBuilder.java index 95095630f..a74b576d9 100644 --- a/signing/src/testFixtures/java/tech/pegasys/web3signer/signing/config/AwsParametersBuilder.java +++ b/signing/src/testFixtures/java/tech/pegasys/web3signer/signing/config/AwsVaultParametersBuilder.java @@ -19,7 +19,7 @@ import java.util.Collections; import java.util.Optional; -public final class AwsParametersBuilder { +public final class AwsVaultParametersBuilder { private AwsAuthenticationMode authenticationMode = AwsAuthenticationMode.SPECIFIED; private String accessKeyId; private String secretAccessKey; 
@@ -30,59 +30,65 @@ public final class AwsParametersBuilder { private long cacheMaximumSize = 1; private Optional endpointURI = Optional.empty(); + private boolean enabled; - private AwsParametersBuilder() {} + private AwsVaultParametersBuilder() {} - public static AwsParametersBuilder anAwsParameters() { - return new AwsParametersBuilder(); + public static AwsVaultParametersBuilder anAwsParameters() { + return new AwsVaultParametersBuilder(); } - public AwsParametersBuilder withAuthenticationMode( + public AwsVaultParametersBuilder withAuthenticationMode( final AwsAuthenticationMode authenticationMode) { this.authenticationMode = authenticationMode; return this; } - public AwsParametersBuilder withAccessKeyId(final String accessKeyId) { + public AwsVaultParametersBuilder withAccessKeyId(final String accessKeyId) { this.accessKeyId = accessKeyId; return this; } - public AwsParametersBuilder withSecretAccessKey(final String secretAccessKey) { + public AwsVaultParametersBuilder withSecretAccessKey(final String secretAccessKey) { this.secretAccessKey = secretAccessKey; return this; } - public AwsParametersBuilder withRegion(final String region) { + public AwsVaultParametersBuilder withRegion(final String region) { this.region = region; return this; } - public AwsParametersBuilder withPrefixesFilter(final Collection prefixesFilter) { + public AwsVaultParametersBuilder withPrefixesFilter(final Collection prefixesFilter) { this.prefixesFilter = prefixesFilter; return this; } - public AwsParametersBuilder withTagNamesFilter(final Collection tagNameFilters) { + public AwsVaultParametersBuilder withTagNamesFilter(final Collection tagNameFilters) { this.tagNamesFilter = tagNameFilters; return this; } - public AwsParametersBuilder withTagValuesFilter(final Collection tagValuesFilter) { + public AwsVaultParametersBuilder withTagValuesFilter(final Collection tagValuesFilter) { this.tagValuesFilter = tagValuesFilter; return this; } - public AwsParametersBuilder 
withCacheMaximumSize(final long cacheMaximumSize) { + public AwsVaultParametersBuilder withCacheMaximumSize(final long cacheMaximumSize) { this.cacheMaximumSize = cacheMaximumSize; return this; } - public AwsParametersBuilder withEndpointOverride(final Optional endpointOverride) { + public AwsVaultParametersBuilder withEndpointOverride(final Optional endpointOverride) { this.endpointURI = endpointOverride; return this; } + public AwsVaultParametersBuilder withEnabled(final boolean enabled) { + this.enabled = enabled; + return this; + } + public AwsVaultParameters build() { if (authenticationMode == AwsAuthenticationMode.SPECIFIED) { if (accessKeyId == null) { @@ -107,7 +113,8 @@ public AwsVaultParameters build() { tagNamesFilter, tagValuesFilter, cacheMaximumSize, - endpointURI); + endpointURI, + enabled); } private static class TestAwsVaultParameters implements AwsVaultParameters { @@ -120,6 +127,7 @@ private static class TestAwsVaultParameters implements AwsVaultParameters { private final Collection tagValuesFilter; private final long cacheMaximumSize; private final Optional endpointOverride; + private final boolean enabled; TestAwsVaultParameters( final AwsAuthenticationMode authenticationMode, @@ -130,7 +138,8 @@ private static class TestAwsVaultParameters implements AwsVaultParameters { final Collection tagNamesFilter, final Collection tagValuesFilter, final long cacheMaximumSize, - final Optional endpointOverride) { + final Optional endpointOverride, + final boolean enabled) { this.authenticationMode = authenticationMode; this.accessKeyId = accessKeyId; this.secretAccessKey = secretAccessKey; @@ -140,11 +149,12 @@ private static class TestAwsVaultParameters implements AwsVaultParameters { this.tagValuesFilter = tagValuesFilter; this.cacheMaximumSize = cacheMaximumSize; this.endpointOverride = endpointOverride; + this.enabled = enabled; } @Override public boolean isEnabled() { - return true; + return enabled; } @Override 
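Review bot: The new `private boolean enabled;` field in AwsVaultParametersBuilder has no initializer, so every `anAwsParameters()…build()` chain that does not call the new withEnabled(true) now yields parameters whose isEnabled() (changed from a constant true in the last hunk on this line) reports false. The acceptance-test chains renamed earlier in this patch show no withEnabled call in their visible lines; if the rest of those chains does not add it, Eth1Runner's new `getAwsVaultParameters().isEnabled()` guard will silently skip AWS bulk loading in those tests rather than fail. Initialising the field to the fixture's previous behaviour, `private boolean enabled = true;`, keeps existing callers working while TestEth1Config still opts out explicitly; if opt-in is intended, say so in a Javadoc on withEnabled(). Separately, build() still demands credentials in SPECIFIED mode when enabled is false, which is why TestEth1Config has to pass empty strings; guarding that check with `if (enabled && authenticationMode == AwsAuthenticationMode.SPECIFIED)` would remove the need for placeholder values.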
diff --git a/signing/src/testFixtures/java/tech/pegasys/web3signer/signing/config/DefaultAzureKeyVaultParameters.java b/signing/src/testFixtures/java/tech/pegasys/web3signer/signing/config/DefaultAzureKeyVaultParameters.java index 349dad8c4..ffae9ffff 100644 --- a/signing/src/testFixtures/java/tech/pegasys/web3signer/signing/config/DefaultAzureKeyVaultParameters.java +++ b/signing/src/testFixtures/java/tech/pegasys/web3signer/signing/config/DefaultAzureKeyVaultParameters.java @@ -18,7 +18,8 @@ public class DefaultAzureKeyVaultParameters implements AzureKeyVaultParameters { - private static long AZURE_DEFAULT_TIMEOUT = 60; + private static final long AZURE_DEFAULT_TIMEOUT = 60; + private static final boolean AZURE_DEFAULT_ENABLED = true; private final String keyVaultName; private final AzureAuthenticationMode authenticationMode; @@ -27,6 +28,7 @@ public class DefaultAzureKeyVaultParameters implements AzureKeyVaultParameters { private final String clientSecret; private final Map tags = new HashMap<>(); private final long timeout; + private final boolean enabled; public DefaultAzureKeyVaultParameters( final String keyVaultName, @@ -39,7 +41,8 @@ public DefaultAzureKeyVaultParameters( tenantId, clientSecret, Collections.emptyMap(), - AZURE_DEFAULT_TIMEOUT); + AZURE_DEFAULT_TIMEOUT, + AZURE_DEFAULT_ENABLED); } public DefaultAzureKeyVaultParameters( @@ -48,7 +51,14 @@ public DefaultAzureKeyVaultParameters( final String tenantId, final String clientSecret, final Map tags) { - this(keyVaultName, clientId, tenantId, clientSecret, tags, AZURE_DEFAULT_TIMEOUT); + this( + keyVaultName, + clientId, + tenantId, + clientSecret, + tags, + AZURE_DEFAULT_TIMEOUT, + AZURE_DEFAULT_ENABLED); } public DefaultAzureKeyVaultParameters( 
@@ -57,7 +67,8 @@ public DefaultAzureKeyVaultParameters(
 final String tenantId,
 final String clientSecret,
 final Map tags,
- final long timeout) {
+ final long timeout,
+ final boolean enabled) {
 this.keyVaultName = keyVaultName;
 this.clientId = clientId;
 this.tenantId = tenantId;
@@ -65,6 +76,7 @@ public DefaultAzureKeyVaultParameters(
 this.authenticationMode = AzureAuthenticationMode.CLIENT_SECRET;
 this.tags.putAll(tags);
 this.timeout = timeout;
+ this.enabled = enabled;
 }
 
 @Override
@@ -89,7 +101,7 @@ public String getClientSecret() {
 
 @Override
 public boolean isAzureKeyVaultEnabled() {
- return true;
+ return enabled;
 }
 
 @Override
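Review bot: The full constructor now ends in two positional primitives, `final long timeout, final boolean enabled`, so a call site reads `…, Collections.emptyMap(), 60, false)` with nothing indicating which value is which, and none of the constructors in this file carry Javadoc. Add a Javadoc block to this constructor stating that `enabled` is the value isAzureKeyVaultEnabled() returns and that the 4- and 5-argument overloads (earlier hunks of this file) substitute AZURE_DEFAULT_ENABLED, i.e. an enabled vault — the opposite default from the AWS test builder in this patch, whose uninitialised `enabled` field reports false. A static factory for the disabled case would read better than a trailing boolean, but the documentation is the minimum. The constructor's parameter list begins outside the first hunk.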