Add prefix support for AWS secrets fetch (#154)

* Add prefix support for AWS secrets fetch * Use @EnabledIfEnvironmentVariable annotation. Use AWS_SECRET* env variable instead of RO_AWS_SECRET* to allow correct initialization of default AWS secret manager. * Add test for map secrets with both prefix and tag filtering * changelog
Consensys · Jun 8, 2022 · 6ac5165 · 6ac5165
1 parent 728557a
commit 6ac5165
Show file tree

Hide file tree

Showing 6 changed files with 418 additions and 104 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,12 +1,15 @@
 # Changelog
+## 2.2.3
+- Added support for prefix filter for AWS secrets manager
 
+---
 ## 2.2.2
 ### Features Added
  - Added support for bulk loading of secrets from AWS Secrets Manager
 
 ### Bugs Fixed
  - AWS secrets manager using environment config didn't work when using web identity tokens due to missing sts library.
-
+---
 ## 2.2.1
 ### Features Added
  - Update various dependent libraries versions

diff --git a/keystorage/aws/src/main/java/tech/pegasys/signers/aws/AwsSecretsManager.java b/keystorage/aws/src/main/java/tech/pegasys/signers/aws/AwsSecretsManager.java
@@ -83,9 +83,14 @@ public Optional<String> fetchSecret(final String secretName) {
   }
 
   private ListSecretsIterable listSecrets(
-      final Collection<String> tagKeys, final Collection<String> tagValues) {
+      final Collection<String> namePrefixes,
+      final Collection<String> tagKeys,
+      final Collection<String> tagValues) {
     final ListSecretsRequest.Builder listSecretsRequestBuilder = ListSecretsRequest.builder();
     final List<Filter> filters = new ArrayList<>();
+    if (!namePrefixes.isEmpty()) {
+      filters.add(Filter.builder().key(FilterNameStringType.NAME).values(namePrefixes).build());
+    }
     if (!tagKeys.isEmpty()) {
       filters.add(Filter.builder().key(FilterNameStringType.TAG_KEY).values(tagKeys).build());
     }
@@ -97,11 +102,12 @@ private ListSecretsIterable listSecrets(
   }
 
   public <R> Collection<R> mapSecrets(
+      final Collection<String> namePrefixes,
       final Collection<String> tagKeys,
       final Collection<String> tagValues,
       final BiFunction<String, String, R> mapper) {
     final Set<R> result = ConcurrentHashMap.newKeySet();
-    listSecrets(tagKeys, tagValues)
+    listSecrets(namePrefixes, tagKeys, tagValues)
         .iterator()
         .forEachRemaining(
             listSecretsResponse -> {
@@ -128,8 +134,9 @@ public <R> Collection<R> mapSecrets(
                           }
                         } catch (final Exception e) {
                           LOG.warn(
-                              "Failed to map secret '{}' to requested object type.",
-                              secretEntry.name());
+                              "Failed to map secret '{}' to requested object type due to: {}.",
+                              secretEntry.name(),
+                              e.getMessage());
                         }
                       });
             });

diff --git a/keystorage/aws/src/test/java/tech/pegasys/signers/aws/AwsSecret.java b/keystorage/aws/src/test/java/tech/pegasys/signers/aws/AwsSecret.java
@@ -0,0 +1,54 @@
+/*
+ * Copyright 2022 ConsenSys AG.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
+ * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations under the License.
+ */
+package tech.pegasys.signers.aws;
+
+import java.util.Objects;
+
+public class AwsSecret {
+  private final String secretValue;
+  private final String tagKey;
+  private final String tagValue;
+
+  public AwsSecret(final String secretValue, final String tagKey, final String tagValue) {
+    this.secretValue = secretValue;
+    this.tagKey = tagKey;
+    this.tagValue = tagValue;
+  }
+
+  public String getSecretValue() {
+    return secretValue;
+  }
+
+  public String getTagKey() {
+    return tagKey;
+  }
+
+  public String getTagValue() {
+    return tagValue;
+  }
+
+  @Override
+  public boolean equals(final Object o) {
+    if (this == o) return true;
+    if (o == null || getClass() != o.getClass()) return false;
+    AwsSecret that = (AwsSecret) o;
+    return secretValue.equals(that.secretValue)
+        && tagKey.equals(that.tagKey)
+        && tagValue.equals(that.tagValue);
+  }
+
+  @Override
+  public int hashCode() {
+    return Objects.hash(secretValue, tagKey, tagValue);
+  }
+}
diff --git a/keystorage/aws/src/test/java/tech/pegasys/signers/aws/AwsSecretsManagerProviderTest.java b/keystorage/aws/src/test/java/tech/pegasys/signers/aws/AwsSecretsManagerProviderTest.java
@@ -14,36 +14,47 @@
 
 import static org.assertj.core.api.Assertions.assertThat;
 
+import java.util.Optional;
+
 import org.junit.jupiter.api.AfterEach;
-import org.junit.jupiter.api.Assumptions;
-import org.junit.jupiter.api.BeforeAll;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.TestInstance;
+import org.junit.jupiter.api.condition.EnabledIfEnvironmentVariable;
 
 @TestInstance(TestInstance.Lifecycle.PER_CLASS)
+@EnabledIfEnvironmentVariable(
+    named = "RW_AWS_ACCESS_KEY_ID",
+    matches = ".*",
+    disabledReason = "RW_AWS_ACCESS_KEY_ID env variable is required")
+@EnabledIfEnvironmentVariable(
+    named = "RW_AWS_SECRET_ACCESS_KEY",
+    matches = ".*",
+    disabledReason = "RW_AWS_SECRET_ACCESS_KEY env variable is required")
+@EnabledIfEnvironmentVariable(
+    named = "AWS_ACCESS_KEY_ID",
+    matches = ".*",
+    disabledReason = "AWS_ACCESS_KEY_ID env variable is required")
+@EnabledIfEnvironmentVariable(
+    named = "AWS_SECRET_ACCESS_KEY",
+    matches = ".*",
+    disabledReason = "AWS_SECRET_ACCESS_KEY env variable is required")
+@EnabledIfEnvironmentVariable(
+    named = "AWS_REGION",
+    matches = ".*",
+    disabledReason = "AWS_REGION env variable is required")
 class AwsSecretsManagerProviderTest {
 
   private final String AWS_ACCESS_KEY_ID = System.getenv("AWS_ACCESS_KEY_ID");
   private final String AWS_SECRET_ACCESS_KEY = System.getenv("AWS_SECRET_ACCESS_KEY");
-  private final String AWS_REGION = "us-east-2";
+  private final String AWS_REGION =
+      Optional.ofNullable(System.getenv("AWS_REGION")).orElse("us-east-2");
   private final String DIFFERENT_AWS_ACCESS_KEY_ID = System.getenv("RW_AWS_ACCESS_KEY_ID");
   private final String DIFFERENT_AWS_SECRET_ACCESS_KEY = System.getenv("RW_AWS_SECRET_ACCESS_KEY");
   private final String DIFFERENT_AWS_REGION = "us-east-1";
 
   private AwsSecretsManagerProvider awsSecretsManagerProvider;
 
-  private void verifyEnvironmentVariables() {
-    Assumptions.assumeTrue(
-        DIFFERENT_AWS_ACCESS_KEY_ID != null, "Set RW_AWS_ACCESS_KEY_ID environment variable");
-    Assumptions.assumeTrue(
-        DIFFERENT_AWS_SECRET_ACCESS_KEY != null,
-        "Set RW_AWS_SECRET_ACCESS_KEY environment variable");
-    Assumptions.assumeTrue(AWS_ACCESS_KEY_ID != null, "Set AWS_ACCESS_KEY_ID environment variable");
-    Assumptions.assumeTrue(
-        AWS_SECRET_ACCESS_KEY != null, "Set AWS_SECRET_ACCESS_KEY environment variable");
-  }
-
   private AwsSecretsManager createDefaultSecretsManager() {
     return awsSecretsManagerProvider.createAwsSecretsManager();
   }
@@ -68,11 +79,6 @@ private AwsSecretsManager createSecretsManagerDifferentKeysDifferentRegion() {
         DIFFERENT_AWS_ACCESS_KEY_ID, DIFFERENT_AWS_SECRET_ACCESS_KEY, DIFFERENT_AWS_REGION);
   }
 
-  @BeforeAll
-  void setup() {
-    verifyEnvironmentVariables();
-  }
-
   @BeforeEach
   void initializeCacheableAwsSecretsManagerProvider() {
     awsSecretsManagerProvider = new AwsSecretsManagerProvider(4);