From eb4dfc69498ea77e01d2c3fb9ae1821eb0de3538 Mon Sep 17 00:00:00 2001
From: Marco Augusto
Date: Tue, 13 Aug 2024 16:25:55 +0100
Subject: [PATCH 1/4] init
---
 .../edc/vault/aws/AwsSecretsManagerVault.java | 23 +++++++++++-----
 .../vault/aws/AwsSecretsManagerVaultTest.java | 26 ++++++++++++++++---
 2 files changed, 38 insertions(+), 11 deletions(-)
diff --git a/extensions/common/vault/vault-aws/src/main/java/org/eclipse/edc/vault/aws/AwsSecretsManagerVault.java b/extensions/common/vault/vault-aws/src/main/java/org/eclipse/edc/vault/aws/AwsSecretsManagerVault.java
index 3f60556b..1f4994fb 100644
--- a/extensions/common/vault/vault-aws/src/main/java/org/eclipse/edc/vault/aws/AwsSecretsManagerVault.java
+++ b/extensions/common/vault/vault-aws/src/main/java/org/eclipse/edc/vault/aws/AwsSecretsManagerVault.java
@@ -23,6 +23,7 @@
 import software.amazon.awssdk.services.secretsmanager.model.DeleteSecretRequest;
 import software.amazon.awssdk.services.secretsmanager.model.GetSecretValueRequest;
 import software.amazon.awssdk.services.secretsmanager.model.ResourceNotFoundException;
+import software.amazon.awssdk.services.secretsmanager.model.UpdateSecretRequest;
 
 /**
 * Vault adapter for AWS Secrets Manager.
@@ -62,7 +63,7 @@ public AwsSecretsManagerVault(SecretsManagerClient smClient, Monitor monitor, Aw
 }
 
 /**
- * Creates a new secret. Does not overwrite secrets.
+ * Creates/Updates a secret.
 *
 * @param key the secret key
 * @param value the serialized secret value
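Review bot: The new summary `Creates/Updates a secret.` drops the one contract detail the previous text stated explicitly — that an existing secret was never overwritten — and does not say when each path runs, so a caller that relied on a second store of the same key failing will not learn from the Javadoc that it now succeeds silently. Propose ` * Stores a secret: updates the value if a secret with the sanitized name already exists, otherwise creates it.` and a `@return` line stating that a failure of either AWS call is returned as a `Result.failure` carrying the service message. The method body this comment documents is in the following hunk.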
@@ -71,12 +72,21 @@ public AwsSecretsManagerVault(SecretsManagerClient smClient, Monitor monitor, Aw
 @Override
 public Result storeSecret(String key, String value) {
 var sanitizedKey = sanitizer.sanitizeKey(key);
- var request = CreateSecretRequest.builder().name(sanitizedKey)
- .secretString(value).build();
 try {
- monitor.debug(String.format("Storing secret '%s' to AWS Secrets manager", sanitizedKey));
- smClient.createSecret(request);
+ var updateSecretRequest = UpdateSecretRequest.builder().secretId(sanitizedKey).secretString(value).build();
+ smClient.updateSecret(updateSecretRequest);
+ monitor.debug(String.format("Secret '%s' updated in AWS Secrets Manager", sanitizedKey));
 return Result.success();
+ } catch (ResourceNotFoundException e) {
+ try {
+ var createSecretRequest = CreateSecretRequest.builder().name(sanitizedKey).secretString(value).build();
+ smClient.createSecret(createSecretRequest);
+ monitor.debug(String.format("Secret '%s' stored in AWS Secrets Manager", sanitizedKey));
+ return Result.success();
+ } catch (RuntimeException serviceException) {
+ monitor.severe(serviceException.getMessage(), serviceException);
+ return Result.failure(serviceException.getMessage());
+ }
 } catch (RuntimeException serviceException) {
 monitor.severe(serviceException.getMessage(), serviceException);
 return Result.failure(serviceException.getMessage());
@@ -104,5 +114,4 @@ public Result deleteSecret(String key) {
 }
 }
 
-
-}
+}
\ No newline at end of file
diff --git a/extensions/common/vault/vault-aws/src/test/java/org/eclipse/edc/vault/aws/AwsSecretsManagerVaultTest.java b/extensions/common/vault/vault-aws/src/test/java/org/eclipse/edc/vault/aws/AwsSecretsManagerVaultTest.java
index 6905c212..a056f8f9 100644
--- a/extensions/common/vault/vault-aws/src/test/java/org/eclipse/edc/vault/aws/AwsSecretsManagerVaultTest.java
+++ b/extensions/common/vault/vault-aws/src/test/java/org/eclipse/edc/vault/aws/AwsSecretsManagerVaultTest.java
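Review bot: The inner `catch (RuntimeException serviceException)` added inside the `ResourceNotFoundException` handler is a verbatim copy of the outer one, and the create path is now a five-line block nested two levels deep; moving the create fallback and the error reporting into the two private helpers below lets the handler read `return createSecret(sanitizedKey, value);` and both catches `return serviceFailure(serviceException);`. Separately, switching from create-only to update-then-create changes the contract to an upsert: if `sanitizeKey` can map two distinct keys to the same name (the sanitizer is not visible here), a second store now overwrites the first secret where `createSecret` previously rejected the duplicate, so that collision case deserves either a test or a comment stating it is intended. The fallback also fires only on `ResourceNotFoundException`; a secret that `deleteSecret` has scheduled for deletion (if the delete uses a recovery window rather than a forced delete, which this hunk does not show) makes `updateSecret` fail with a different exception, and the store is then reported as a failure instead of recreating the secret. The method's closing brace is outside the hunk.
```java
    // First write of a key; reached only after updateSecret reported the secret absent.
    private Result createSecret(String sanitizedKey, String value) {
        try {
            var createSecretRequest = CreateSecretRequest.builder().name(sanitizedKey).secretString(value).build();
            smClient.createSecret(createSecretRequest);
            monitor.debug(String.format("Secret '%s' stored in AWS Secrets Manager", sanitizedKey));
            return Result.success();
        } catch (RuntimeException serviceException) {
            return serviceFailure(serviceException);
        }
    }

    // Single place that logs an AWS service error and converts it into a failed Result.
    private Result serviceFailure(RuntimeException serviceException) {
        monitor.severe(serviceException.getMessage(), serviceException);
        return Result.failure(serviceException.getMessage());
    }
```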
@@ -25,12 +25,15 @@
 import software.amazon.awssdk.services.secretsmanager.model.DeleteSecretRequest;
 import software.amazon.awssdk.services.secretsmanager.model.GetSecretValueRequest;
 import software.amazon.awssdk.services.secretsmanager.model.ResourceNotFoundException;
+import software.amazon.awssdk.services.secretsmanager.model.UpdateSecretRequest;
 
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.junit.jupiter.api.TestInstance.Lifecycle;
 import static org.mockito.ArgumentMatchers.any;
 import static org.mockito.ArgumentMatchers.anyString;
+import static org.mockito.Mockito.doThrow;
 import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.never;
 import static org.mockito.Mockito.reset;
 import static org.mockito.Mockito.times;
 import static org.mockito.Mockito.verify;
@@ -63,16 +66,31 @@ void storeSecret_shouldSanitizeKey() {
 
 vault.storeSecret(KEY, value);
 
- verify(secretClient).createSecret(CreateSecretRequest.builder().name(SANITIZED_KEY)
+ verify(secretClient).updateSecret(UpdateSecretRequest.builder().secretId(SANITIZED_KEY)
 .secretString(value).build());
 }
 
 @Test
- void storeSecret_shouldNotOverwriteSecrets() {
- var value = "value";
+ void storeSecret_shouldUpdateSecretIfExist() {
+ String value = "value";
+
+ vault.storeSecret(KEY, value);
+
+ verify(secretClient).updateSecret(UpdateSecretRequest.builder().secretId(SANITIZED_KEY)
+ .secretString(value).build());
+ verify(secretClient, never()).createSecret(any(CreateSecretRequest.class));
+
+ }
+
+ @Test
+ void storeSecret_shouldCreateSecretIfNotExist() {
+ String value = "value";
+
+ doThrow(ResourceNotFoundException.class).when(secretClient).updateSecret(any(UpdateSecretRequest.class));
 
 vault.storeSecret(KEY, value);
 
+ verify(secretClient).updateSecret(any(UpdateSecretRequest.class));
 verify(secretClient).createSecret(CreateSecretRequest.builder().name(SANITIZED_KEY)
 .secretString(value).build());
 }
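Review bot: Neither of the two new storeSecret tests asserts the returned `Result`, and the failure branch the production change introduces — `createSecret` throwing after `updateSecret` reported the secret absent — is not exercised anywhere in this hunk; `storeSecret_shouldUpdateSecretIfExist` is also indistinguishable from `storeSecret_shouldSanitizeKey` except for the `never()` check. Propose capturing the return value in both happy-path tests and adding `assertThat(result.succeeded()).isTrue();`, plus a test that stubs `doThrow(ResourceNotFoundException.class).when(secretClient).updateSecret(any(UpdateSecretRequest.class));` together with `doThrow(RuntimeException.class).when(secretClient).createSecret(any(CreateSecretRequest.class));` and asserts `result.failed()` and one `monitor.severe(anyString(), any(RuntimeException.class))` call. The test class and its `@BeforeEach` setup are outside this hunk, so the stubbing style may need to match what is already there.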
@@ -122,4 +140,4 @@ void resolveSecret_shouldReturnNullAndLogErrorOnGenericException() {
 verify(monitor).debug(anyString());
 verify(monitor).severe(anyString(), ArgumentMatchers.isA(RuntimeException.class));
 }
-}
+}
\ No newline at end of file
From c831dad2337f50d63b2f2aceb4fed935812d0f9e Mon Sep 17 00:00:00 2001
From: Marco Augusto <30879430+zub4t@users.noreply.github.com>
Date: Wed, 14 Aug 2024 08:41:05 +0100
Subject: [PATCH 2/4] Update extensions/common/vault/vault-aws/src/test/java/org/eclipse/edc/vault/aws/AwsSecretsManagerVaultTest.java
Co-authored-by: Paul Latzelsperger <43503240+paullatzelsperger@users.noreply.github.com>
---
 .../org/eclipse/edc/vault/aws/AwsSecretsManagerVaultTest.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/extensions/common/vault/vault-aws/src/test/java/org/eclipse/edc/vault/aws/AwsSecretsManagerVaultTest.java b/extensions/common/vault/vault-aws/src/test/java/org/eclipse/edc/vault/aws/AwsSecretsManagerVaultTest.java
index a056f8f9..6adc04cb 100644
--- a/extensions/common/vault/vault-aws/src/test/java/org/eclipse/edc/vault/aws/AwsSecretsManagerVaultTest.java
+++ b/extensions/common/vault/vault-aws/src/test/java/org/eclipse/edc/vault/aws/AwsSecretsManagerVaultTest.java
@@ -72,7 +72,7 @@ void storeSecret_shouldSanitizeKey() {
 
 @Test
 void storeSecret_shouldUpdateSecretIfExist() {
- String value = "value";
+ var value = "value";
 
 vault.storeSecret(KEY, value);
 
From 2994f546d677f86b0623b21a9b2428dae5f1081f Mon Sep 17 00:00:00 2001
From: Marco Augusto
Date: Fri, 16 Aug 2024 09:40:00 +0100
Subject: [PATCH 3/4] address modification requests
---
 .../vault/aws/AwsSecretsManagerVaultTest.java | 17 +++++++++++------
 1 file changed, 11 insertions(+), 6 deletions(-)
diff --git a/extensions/common/vault/vault-aws/src/test/java/org/eclipse/edc/vault/aws/AwsSecretsManagerVaultTest.java b/extensions/common/vault/vault-aws/src/test/java/org/eclipse/edc/vault/aws/AwsSecretsManagerVaultTest.java
index 6adc04cb..1ffea55b 100644
--- a/extensions/common/vault/vault-aws/src/test/java/org/eclipse/edc/vault/aws/AwsSecretsManagerVaultTest.java
+++ b/extensions/common/vault/vault-aws/src/test/java/org/eclipse/edc/vault/aws/AwsSecretsManagerVaultTest.java
@@ -31,12 +31,13 @@
 import static org.junit.jupiter.api.TestInstance.Lifecycle;
 import static org.mockito.ArgumentMatchers.any;
 import static org.mockito.ArgumentMatchers.anyString;
+import static org.mockito.ArgumentMatchers.argThat;
 import static org.mockito.Mockito.doThrow;
 import static org.mockito.Mockito.mock;
-import static org.mockito.Mockito.never;
 import static org.mockito.Mockito.reset;
 import static org.mockito.Mockito.times;
 import static org.mockito.Mockito.verify;
+import static org.mockito.Mockito.verifyNoMoreInteractions;
 import static org.mockito.Mockito.when;
 
 @TestInstance(Lifecycle.PER_CLASS)
@@ -66,8 +67,11 @@ void storeSecret_shouldSanitizeKey() {
 
 vault.storeSecret(KEY, value);
 
- verify(secretClient).updateSecret(UpdateSecretRequest.builder().secretId(SANITIZED_KEY)
- .secretString(value).build());
+ verify(secretClient).updateSecret(argThat((UpdateSecretRequest request) -> {
+ var secretId = request.secretId();
+ var secretValue = request.secretString();
+ return SANITIZED_KEY.equals(secretId) && value.equals(secretValue);
+ }));
 }
 
 @Test
@@ -78,7 +82,8 @@ void storeSecret_shouldUpdateSecretIfExist() {
 
 verify(secretClient).updateSecret(UpdateSecretRequest.builder().secretId(SANITIZED_KEY)
 .secretString(value).build());
- verify(secretClient, never()).createSecret(any(CreateSecretRequest.class));
+
+ verifyNoMoreInteractions(secretClient);
 
 }
 
@@ -99,8 +104,8 @@ void storeSecret_shouldCreateSecretIfNotExist() {
 void resolveSecret_shouldSanitizeKey() {
 vault.resolveSecret(KEY);
 
- verify(secretClient).getSecretValue(GetSecretValueRequest.builder().secretId(SANITIZED_KEY)
- .build());
+ verify(secretClient).getSecretValue(argThat((GetSecretValueRequest request) ->
+ SANITIZED_KEY.equals(request.secretId())));
 }
 
 @Test
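Review bot: The five-line `argThat` lambda introduced in `storeSecret_shouldSanitizeKey` is repeated with an identical body in both hunks of the following commit, and when it does not match Mockito prints only `<custom argument matcher>` rather than the expected and actual request, so the diagnostics are weaker than the builder-equality `verify` it replaces (the SDK v2 request classes implement `equals`). If the matcher style is kept, define it once — `private static ArgumentMatcher<UpdateSecretRequest> updateOf(String secretId, String value) { return request -> secretId.equals(request.secretId()) && value.equals(request.secretString()); }` with an `import org.mockito.ArgumentMatcher;` — and call `argThat(updateOf(SANITIZED_KEY, value))` at each site, with matching helpers for the `CreateSecretRequest` and `GetSecretValueRequest` checks. The `getSecretValue` matcher in the last hunk could likewise reuse such a helper. The enclosing test class starts and ends outside these hunks.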
From b011425192f128d40e65b0c2d189700ff2439055 Mon Sep 17 00:00:00 2001
From: Marco Augusto
Date: Fri, 16 Aug 2024 10:50:30 +0100
Subject: [PATCH 4/4] changes in all places to use argThat to check how the function arguments were passed in
---
 .../edc/vault/aws/AwsSecretsManagerVaultTest.java | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/extensions/common/vault/vault-aws/src/test/java/org/eclipse/edc/vault/aws/AwsSecretsManagerVaultTest.java b/extensions/common/vault/vault-aws/src/test/java/org/eclipse/edc/vault/aws/AwsSecretsManagerVaultTest.java
index 1ffea55b..1cd32d2b 100644
--- a/extensions/common/vault/vault-aws/src/test/java/org/eclipse/edc/vault/aws/AwsSecretsManagerVaultTest.java
+++ b/extensions/common/vault/vault-aws/src/test/java/org/eclipse/edc/vault/aws/AwsSecretsManagerVaultTest.java
@@ -80,8 +80,11 @@ void storeSecret_shouldUpdateSecretIfExist() {
 
 vault.storeSecret(KEY, value);
 
- verify(secretClient).updateSecret(UpdateSecretRequest.builder().secretId(SANITIZED_KEY)
- .secretString(value).build());
+ verify(secretClient).updateSecret(argThat((UpdateSecretRequest request) -> {
+ var secretId = request.secretId();
+ var secretValue = request.secretString();
+ return SANITIZED_KEY.equals(secretId) && value.equals(secretValue);
+ }));
 
 verifyNoMoreInteractions(secretClient);
 
@@ -96,8 +99,11 @@ void storeSecret_shouldCreateSecretIfNotExist() {
 vault.storeSecret(KEY, value);
 
 verify(secretClient).updateSecret(any(UpdateSecretRequest.class));
- verify(secretClient).createSecret(CreateSecretRequest.builder().name(SANITIZED_KEY)
- .secretString(value).build());
+ verify(secretClient).createSecret(argThat((CreateSecretRequest request) -> {
+ var secretId = request.name();
+ var secretValue = request.secretString();
+ return SANITIZED_KEY.equals(secretId) && value.equals(secretValue);
+ }));
 }
 
 @Test
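Review bot: In the `storeSecret_shouldCreateSecretIfNotExist` matcher the local that receives `request.name()` is named `secretId`, a leftover from copying the update matcher in the hunk above; a `CreateSecretRequest` has no secret id yet, so `var name = request.name();` and `SANITIZED_KEY.equals(name)` describe what is actually compared. The `verify(secretClient).updateSecret(any(UpdateSecretRequest.class))` on the preceding context line could use the same sanitized-key matcher as the happy-path test, so this test also proves the failed update was attempted under the sanitized name and not the raw key. Both hunks sit inside the test class, whose start and end are outside this patch.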