feat: Modifies the AWS vault implementation to update existing secrets (

#379) * Modifies the store method in the vault to update existing secrets instead of only creating new ones * Adds a catch block to handle runtime excetption when doing update
eclipse-edc · Jul 23, 2024 · 6830f80 · 6830f80
1 parent e85d389
commit 6830f80
Show file tree

Hide file tree

Showing 2 changed files with 36 additions and 9 deletions.
diff --git a/...ommon/vault/vault-aws/src/main/java/org/eclipse/edc/vault/aws/AwsSecretsManagerVault.java b/...ommon/vault/vault-aws/src/main/java/org/eclipse/edc/vault/aws/AwsSecretsManagerVault.java
@@ -23,6 +23,7 @@
 import software.amazon.awssdk.services.secretsmanager.model.DeleteSecretRequest;
 import software.amazon.awssdk.services.secretsmanager.model.GetSecretValueRequest;
 import software.amazon.awssdk.services.secretsmanager.model.ResourceNotFoundException;
+import software.amazon.awssdk.services.secretsmanager.model.UpdateSecretRequest;
 
 /**
  * Vault adapter for AWS Secrets Manager.
@@ -62,7 +63,7 @@ public AwsSecretsManagerVault(SecretsManagerClient smClient, Monitor monitor, Aw
     }
 
     /**
-     * Creates a new secret. Does not overwrite secrets.
+     * Creates/Updates a secret.
      *
      * @param key   the secret key
      * @param value the serialized secret value
@@ -71,12 +72,21 @@ public AwsSecretsManagerVault(SecretsManagerClient smClient, Monitor monitor, Aw
     @Override
     public Result<Void> storeSecret(String key, String value) {
         var sanitizedKey = sanitizer.sanitizeKey(key);
-        var request = CreateSecretRequest.builder().name(sanitizedKey)
-                .secretString(value).build();
         try {
-            monitor.debug(String.format("Storing secret '%s' to AWS Secrets manager", sanitizedKey));
-            smClient.createSecret(request);
+            var updateSecretRequest = UpdateSecretRequest.builder().secretId(sanitizedKey).secretString(value).build();
+            smClient.updateSecret(updateSecretRequest);
+            monitor.debug(String.format("Secret '%s' updated in AWS Secrets Manager", sanitizedKey));
             return Result.success();
+        } catch (ResourceNotFoundException e) {
+            try {
+                var createSecretRequest = CreateSecretRequest.builder().name(sanitizedKey).secretString(value).build();
+                smClient.createSecret(createSecretRequest);
+                monitor.debug(String.format("Secret '%s' stored in AWS Secrets Manager", sanitizedKey));
+                return Result.success();
+            } catch (RuntimeException serviceException) {
+                monitor.severe(serviceException.getMessage(), serviceException);
+                return Result.failure(serviceException.getMessage());
+            }
         } catch (RuntimeException serviceException) {
             monitor.severe(serviceException.getMessage(), serviceException);
             return Result.failure(serviceException.getMessage());
@@ -104,5 +114,4 @@ public Result<Void> deleteSecret(String key) {
         }
     }
 
-
 }
diff --git a/...n/vault/vault-aws/src/test/java/org/eclipse/edc/vault/aws/AwsSecretsManagerVaultTest.java b/...n/vault/vault-aws/src/test/java/org/eclipse/edc/vault/aws/AwsSecretsManagerVaultTest.java
@@ -25,12 +25,15 @@
 import software.amazon.awssdk.services.secretsmanager.model.DeleteSecretRequest;
 import software.amazon.awssdk.services.secretsmanager.model.GetSecretValueRequest;
 import software.amazon.awssdk.services.secretsmanager.model.ResourceNotFoundException;
+import software.amazon.awssdk.services.secretsmanager.model.UpdateSecretRequest;
 
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.junit.jupiter.api.TestInstance.Lifecycle;
 import static org.mockito.ArgumentMatchers.any;
 import static org.mockito.ArgumentMatchers.anyString;
+import static org.mockito.Mockito.doThrow;
 import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.never;
 import static org.mockito.Mockito.reset;
 import static org.mockito.Mockito.times;
 import static org.mockito.Mockito.verify;
@@ -63,16 +66,31 @@ void storeSecret_shouldSanitizeKey() {
 
         vault.storeSecret(KEY, value);
 
-        verify(secretClient).createSecret(CreateSecretRequest.builder().name(SANITIZED_KEY)
+        verify(secretClient).updateSecret(UpdateSecretRequest.builder().secretId(SANITIZED_KEY)
                 .secretString(value).build());
     }
 
     @Test
-    void storeSecret_shouldNotOverwriteSecrets() {
-        var value = "value";
+    void storeSecret_shouldUpdateSecretIfExist() {
+        String value = "value";
+
+        vault.storeSecret(KEY, value);
+
+        verify(secretClient).updateSecret(UpdateSecretRequest.builder().secretId(SANITIZED_KEY)
+                .secretString(value).build());
+        verify(secretClient, never()).createSecret(any(CreateSecretRequest.class));
+
+    }
+
+    @Test
+    void storeSecret_shouldCreateSecretIfNotExist() {
+        String value = "value";
+
+        doThrow(ResourceNotFoundException.class).when(secretClient).updateSecret(any(UpdateSecretRequest.class));
 
         vault.storeSecret(KEY, value);
 
+        verify(secretClient).updateSecret(any(UpdateSecretRequest.class));
         verify(secretClient).createSecret(CreateSecretRequest.builder().name(SANITIZED_KEY)
                 .secretString(value).build());
     }