use of com.quorum.tessera.config.DefaultKeyVaultConfig in project tessera by ConsenSys.
the class KeyVaultConfigValidator method isValid.
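/**
 * Validates a {@link DefaultKeyVaultConfig} according to its {@link KeyVaultType}.
 *
 * <p>A {@code null} config, or one without a vault type, is treated as valid by this
 * validator (other constraints are expected to cover that case). Every violation found is
 * recorded on the supplied context with a custom message (the default template is
 * disabled), and checking continues so that all problems are reported in one pass.
 *
 * <p>Rules per vault type:
 * <ul>
 *   <li>AZURE: the {@code URL} property must be present.</li>
 *   <li>HASHICORP: the {@code URL} property must be present; if a TLS key-store or
 *       trust-store path is configured it must satisfy the {@link ValidPath} rules.</li>
 *   <li>AWS: the {@code ENDPOINT} property is optional; when present it must start with an
 *       explicit {@code http://} or {@code https://} scheme.</li>
 * </ul>
 *
 * @param keyVaultConfig the configuration under validation, may be {@code null}
 * @param constraintValidatorContext the Bean Validation context violations are recorded on
 * @return {@code true} if no violation was recorded, {@code false} otherwise
 */
@Override
public boolean isValid(DefaultKeyVaultConfig keyVaultConfig, ConstraintValidatorContext constraintValidatorContext) {
    if (keyVaultConfig == null || keyVaultConfig.getKeyVaultType() == null) {
        return true;
    }

    final KeyVaultType keyVaultType = keyVaultConfig.getKeyVaultType();
    // Starts true and is cleared by any violation; equivalent to "no FALSE outcome recorded".
    boolean valid = true;

    if (keyVaultType == KeyVaultType.AZURE) {
        // Use the URL constant rather than a literal so the Azure and Hashicorp checks cannot
        // drift apart (the violation message at this site already uses the constant).
        if (!keyVaultConfig.getProperties().containsKey(URL)) {
            addViolation(constraintValidatorContext, String.format("%s: is required", URL));
            valid = false;
        }
    }

    if (keyVaultType == KeyVaultType.HASHICORP) {
        if (!keyVaultConfig.getProperties().containsKey(URL)) {
            addViolation(constraintValidatorContext, String.format("%s: is required", URL));
            valid = false;
        }

        // The path rules are taken from the @ValidPath annotation on this validator class.
        // NOTE(review): this assumes the class is annotated — if it is not, validPath is null
        // and the initialize/message calls below would throw; confirm against the class header.
        final ValidPath validPath = this.getClass().getAnnotation(ValidPath.class);
        final PathValidator pathValidator = new PathValidator();
        pathValidator.initialize(validPath);

        // Both paths are checked (no short-circuit) so that every bad path is reported.
        if (!isPathPropertyValid(keyVaultConfig, TLS_KEY_STORE_PATH, pathValidator, validPath, constraintValidatorContext)) {
            valid = false;
        }
        if (!isPathPropertyValid(keyVaultConfig, TLS_TRUST_STORE_PATH, pathValidator, validPath, constraintValidatorContext)) {
            valid = false;
        }
    }

    if (keyVaultType == KeyVaultType.AWS) {
        // The endpoint is optional: the AWS client falls back to its own resolution
        // (e.g. environment variables or properties files). When it is given it must carry an
        // explicit scheme. The pattern accepts plain http:// as well as https://, so transport
        // security of the endpoint is not enforced by this check.
        final String endpoint = keyVaultConfig.getProperties().get(ENDPOINT);
        if (endpoint != null && !endpoint.matches("^https?://.+$")) {
            addViolation(constraintValidatorContext, String.format("%s: must be a valid AWS service endpoint URL with scheme", ENDPOINT));
            valid = false;
        }
    }

    return valid;
}

/**
 * Checks an optional path-valued property against the configured {@link PathValidator}.
 *
 * <p>An absent property is valid. A present property is parsed with {@link Paths#get(String, String...)}
 * and handed to the path validator; on failure a violation is recorded using the
 * {@link ValidPath#message()} text.
 *
 * @param keyVaultConfig the configuration holding the property
 * @param propertyName the property key to read ({@code TLS_KEY_STORE_PATH} or {@code TLS_TRUST_STORE_PATH})
 * @param pathValidator an initialised path validator
 * @param validPath the annotation supplying the violation message
 * @param context the Bean Validation context violations are recorded on
 * @return {@code true} if the property is absent or its path is valid
 */
private static boolean isPathPropertyValid(
        DefaultKeyVaultConfig keyVaultConfig,
        String propertyName,
        PathValidator pathValidator,
        ValidPath validPath,
        ConstraintValidatorContext context) {
    final String rawPath = keyVaultConfig.getProperties().get(propertyName);
    if (rawPath == null) {
        return true;
    }
    if (pathValidator.isValid(Paths.get(rawPath), context)) {
        return true;
    }
    addViolation(context, String.format("%s: %s", propertyName, validPath.message()));
    return false;
}

/**
 * Records a single custom violation on the context, suppressing the default message template.
 *
 * @param context the Bean Validation context
 * @param message the fully formatted violation message
 */
private static void addViolation(ConstraintValidatorContext context, String message) {
    context.disableDefaultConstraintViolation();
    context.buildConstraintViolationWithTemplate(message).addConstraintViolation();
}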
use of com.quorum.tessera.config.DefaultKeyVaultConfig in project tessera by ConsenSys.
the class KeyVaultConfigValidatorTest method validAWSConfigNoEndpoint.
/** An AWS vault config without an {@code endpoint} property must pass: the endpoint is optional. */
@Test
public void validAWSConfigNoEndpoint() {
    final DefaultKeyVaultConfig awsConfig = new DefaultKeyVaultConfig();
    awsConfig.setKeyVaultType(KeyVaultType.AWS);

    final boolean valid = keyVaultConfigValidator.isValid(awsConfig, context);

    assertThat(valid).isTrue();
}
use of com.quorum.tessera.config.DefaultKeyVaultConfig in project tessera by ConsenSys.
the class KeyGeneratorFactoryTest method awsVaultKeyGeneratorWhenAwsConfigProvided.
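/**
 * With an AWS vault config, {@link KeyGeneratorFactory#create} must hand back an
 * {@link AWSSecretManagerKeyGenerator}. The static {@link KeyVaultServiceFactory#getInstance}
 * lookup is stubbed so no real AWS client is built.
 */
@Test
public void awsVaultKeyGeneratorWhenAwsConfigProvided() {
    final DefaultKeyVaultConfig keyVaultConfig = new DefaultKeyVaultConfig();
    keyVaultConfig.setKeyVaultType(KeyVaultType.AWS);

    final EncryptorConfig encryptorConfig = mock(EncryptorConfig.class);
    when(encryptorConfig.getType()).thenReturn(EncryptorType.NACL);
    // emptyMap() is the typed form of the raw EMPTY_MAP constant; the stub is otherwise unchanged.
    when(encryptorConfig.getProperties()).thenReturn(Collections.emptyMap());

    final KeyGeneratorFactory keyGeneratorFactory = KeyGeneratorFactory.create();

    // try-with-resources restores the static mock when the block exits, even on assertion failure.
    try (MockedStatic<KeyVaultServiceFactory> mockedKeyVaultServiceFactory = mockStatic(KeyVaultServiceFactory.class)) {
        final KeyVaultService keyVaultService = mock(KeyVaultService.class);
        final KeyVaultServiceFactory keyVaultServiceFactory = mock(KeyVaultServiceFactory.class);
        when(keyVaultServiceFactory.create(any(), any())).thenReturn(keyVaultService);
        mockedKeyVaultServiceFactory
                .when(() -> KeyVaultServiceFactory.getInstance(KeyVaultType.AWS))
                .thenReturn(keyVaultServiceFactory);

        final KeyGenerator keyGenerator = keyGeneratorFactory.create(keyVaultConfig, encryptorConfig);

        assertThat(keyGenerator).isNotNull();
        assertThat(keyGenerator).isExactlyInstanceOf(AWSSecretManagerKeyGenerator.class);
    }
}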
use of com.quorum.tessera.config.DefaultKeyVaultConfig in project tessera by ConsenSys.
the class AwsKeyVaultHandler method handle.
/**
 * Builds an AWS key-vault configuration from the command-line options.
 *
 * <p>The vault type is always set to {@link KeyVaultType#AWS}. The {@code endpoint} property is
 * only set when options are supplied and carry a non-null vault URL; otherwise it is left unset
 * so the AWS client can resolve the endpoint itself.
 *
 * @param configOptions the parsed options, may be {@code null}
 * @return a new config, never {@code null}
 */
@Override
public KeyVaultConfig handle(KeyVaultConfigOptions configOptions) {
    final DefaultKeyVaultConfig config = new DefaultKeyVaultConfig();
    config.setKeyVaultType(KeyVaultType.AWS);

    if (configOptions != null) {
        final String vaultUrl = configOptions.getVaultUrl();
        if (vaultUrl != null) {
            config.setProperty("endpoint", vaultUrl);
        }
    }

    return config;
}
use of com.quorum.tessera.config.DefaultKeyVaultConfig in project tessera by ConsenSys.
the class DefaultKeyVaultConfigValidationsTest method validCase.
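/**
 * A key configuration whose vault config list holds a mocked {@link KeyVaultConfig} and whose
 * key pairs are a single Azure pair must produce no constraint violations.
 *
 * <p>The previous version also built a real {@link DefaultKeyVaultConfig} via double-brace
 * initialisation but never used it; that unused local (an anonymous subclass) has been dropped.
 */
@Test
public void validCase() {
    final KeyConfiguration keyConfiguration = mock(KeyConfiguration.class);

    // NOTE(review): the mocked vault config reports no vault type, which presumably keeps the
    // type-specific vault checks out of this case — confirm against the validator under test.
    final List<KeyVaultConfig> keyVaultConfigList = Arrays.asList(mock(KeyVaultConfig.class));
    when(keyConfiguration.getKeyVaultConfigs()).thenReturn(keyVaultConfigList);

    final ConfigKeyPair keyPair = new AzureVaultKeyPair("publicKeyId", "privateKeyId", null, null);
    final List<ConfigKeyPair> keyPairs = Arrays.asList(keyPair);

    final Set<ConstraintViolation<?>> results = validator.validate(keyConfiguration, keyPairs);

    assertThat(results).isEmpty();
}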