From 6830f801c96c409331aede6cad30bf76cf7518b4 Mon Sep 17 00:00:00 2001
From: Marco Augusto <30879430+zub4t@users.noreply.github.com>
Date: Tue, 23 Jul 2024 11:05:06 +0100
Subject: [PATCH] feat: Modifies the AWS vault implementation to update existing secrets (#379)

* Modifies the store method in the vault to update existing secrets instead of only creating new ones
* Adds a catch block to handle runtime excetption when doing update
---
 .../edc/vault/aws/AwsSecretsManagerVault.java | 21 +++++++++++-----
 .../vault/aws/AwsSecretsManagerVaultTest.java | 24 ++++++++++++++++---
 2 files changed, 36 insertions(+), 9 deletions(-)

diff --git a/extensions/common/vault/vault-aws/src/main/java/org/eclipse/edc/vault/aws/AwsSecretsManagerVault.java b/extensions/common/vault/vault-aws/src/main/java/org/eclipse/edc/vault/aws/AwsSecretsManagerVault.java
index 3f60556b..f53b95ac 100644
--- a/extensions/common/vault/vault-aws/src/main/java/org/eclipse/edc/vault/aws/AwsSecretsManagerVault.java
+++ b/extensions/common/vault/vault-aws/src/main/java/org/eclipse/edc/vault/aws/AwsSecretsManagerVault.java
@@ -23,6 +23,7 @@
 import software.amazon.awssdk.services.secretsmanager.model.DeleteSecretRequest;
 import software.amazon.awssdk.services.secretsmanager.model.GetSecretValueRequest;
 import software.amazon.awssdk.services.secretsmanager.model.ResourceNotFoundException;
+import software.amazon.awssdk.services.secretsmanager.model.UpdateSecretRequest;
 
 /**
 * Vault adapter for AWS Secrets Manager.
@@ -62,7 +63,7 @@ public AwsSecretsManagerVault(SecretsManagerClient smClient, Monitor monitor, Aw
 }
 
 /**
- * Creates a new secret. Does not overwrite secrets.
+ * Creates/Updates a secret.
 *
 * @param key the secret key
 * @param value the serialized secret value
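Review bot: The new summary `Creates/Updates a secret.` drops the former `Does not overwrite secrets.` guarantee without stating the contract that replaces it, and that is exactly what a caller now needs to know, since this commit makes storeSecret overwrite an existing value. Suggest `* Stores a secret: an existing secret with the same key is updated in place, otherwise a new secret is created.` plus one sentence noting that the update and the create are two separate service calls, so the operation is not atomic with respect to concurrent writers of the same key. The Javadoc block continues past the end of the hunk.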
@@ -71,12 +72,21 @@ public AwsSecretsManagerVault(SecretsManagerClient smClient, Monitor monitor, Aw
 @Override
 public Result storeSecret(String key, String value) {
 var sanitizedKey = sanitizer.sanitizeKey(key);
- var request = CreateSecretRequest.builder().name(sanitizedKey)
- .secretString(value).build();
 try {
- monitor.debug(String.format("Storing secret '%s' to AWS Secrets manager", sanitizedKey));
- smClient.createSecret(request);
+ var updateSecretRequest = UpdateSecretRequest.builder().secretId(sanitizedKey).secretString(value).build();
+ smClient.updateSecret(updateSecretRequest);
+ monitor.debug(String.format("Secret '%s' updated in AWS Secrets Manager", sanitizedKey));
 return Result.success();
+ } catch (ResourceNotFoundException e) {
+ try {
+ var createSecretRequest = CreateSecretRequest.builder().name(sanitizedKey).secretString(value).build();
+ smClient.createSecret(createSecretRequest);
+ monitor.debug(String.format("Secret '%s' stored in AWS Secrets Manager", sanitizedKey));
+ return Result.success();
+ } catch (RuntimeException serviceException) {
+ monitor.severe(serviceException.getMessage(), serviceException);
+ return Result.failure(serviceException.getMessage());
+ }
 } catch (RuntimeException serviceException) {
 monitor.severe(serviceException.getMessage(), serviceException);
 return Result.failure(serviceException.getMessage());
@@ -104,5 +114,4 @@ public Result deleteSecret(String key) {
 }
 }
 
-
 }
diff --git a/extensions/common/vault/vault-aws/src/test/java/org/eclipse/edc/vault/aws/AwsSecretsManagerVaultTest.java b/extensions/common/vault/vault-aws/src/test/java/org/eclipse/edc/vault/aws/AwsSecretsManagerVaultTest.java
index 6905c212..22aa6992 100644
--- a/extensions/common/vault/vault-aws/src/test/java/org/eclipse/edc/vault/aws/AwsSecretsManagerVaultTest.java
+++ b/extensions/common/vault/vault-aws/src/test/java/org/eclipse/edc/vault/aws/AwsSecretsManagerVaultTest.java
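Review bot: The update-then-create sequence is not atomic: a writer that creates the same key between the `ResourceNotFoundException` and `smClient.createSecret(createSecretRequest)` makes the create call throw (`ResourceExistsException` in the Secrets Manager model) and the store is reported as a failure, although a second `updateSecret` would simply have written the value, so the fallback should catch that case and retry the update once. The inner `catch (RuntimeException serviceException)` is a copy of the outer one because a catch clause does not cover exceptions raised inside a sibling catch; nesting the update attempt instead of the create attempt leaves a single error path, as below (the retry needs an import of `ResourceExistsException`). A secret that `deleteSecret` has only scheduled for deletion is, as far as I know, rejected by `updateSecret` with an error other than `ResourceNotFoundException`, so a store that follows a delete can fail until the recovery window elapses; worth a comment or a test if deleteSecret does not force deletion. The closing braces of storeSecret lie outside the hunk.
```java
public Result storeSecret(String key, String value) {
    var sanitizedKey = sanitizer.sanitizeKey(key);
    var updateRequest = UpdateSecretRequest.builder().secretId(sanitizedKey).secretString(value).build();
    try {
        try {
            smClient.updateSecret(updateRequest);
            monitor.debug(String.format("Secret '%s' updated in AWS Secrets Manager", sanitizedKey));
        } catch (ResourceNotFoundException notFound) {
            // No secret under this key yet. The existence check and the create are two service
            // calls, so a concurrent writer may create the key in between; then fall back to updating.
            var createRequest = CreateSecretRequest.builder().name(sanitizedKey).secretString(value).build();
            try {
                smClient.createSecret(createRequest);
                monitor.debug(String.format("Secret '%s' stored in AWS Secrets Manager", sanitizedKey));
            } catch (ResourceExistsException raced) {
                smClient.updateSecret(updateRequest);
                monitor.debug(String.format("Secret '%s' updated in AWS Secrets Manager", sanitizedKey));
            }
        }
        return Result.success();
    } catch (RuntimeException serviceException) {
        // single error path for the update, the create and the retry
        monitor.severe(serviceException.getMessage(), serviceException);
        return Result.failure(serviceException.getMessage());
```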
@@ -25,12 +25,15 @@
 import software.amazon.awssdk.services.secretsmanager.model.DeleteSecretRequest;
 import software.amazon.awssdk.services.secretsmanager.model.GetSecretValueRequest;
 import software.amazon.awssdk.services.secretsmanager.model.ResourceNotFoundException;
+import software.amazon.awssdk.services.secretsmanager.model.UpdateSecretRequest;
 
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.junit.jupiter.api.TestInstance.Lifecycle;
 import static org.mockito.ArgumentMatchers.any;
 import static org.mockito.ArgumentMatchers.anyString;
+import static org.mockito.Mockito.doThrow;
 import static org.mockito.Mockito.mock;
+import static org.mockito.Mockito.never;
 import static org.mockito.Mockito.reset;
 import static org.mockito.Mockito.times;
 import static org.mockito.Mockito.verify;
@@ -63,16 +66,31 @@ void storeSecret_shouldSanitizeKey() {
 
 vault.storeSecret(KEY, value);
 
- verify(secretClient).createSecret(CreateSecretRequest.builder().name(SANITIZED_KEY)
+ verify(secretClient).updateSecret(UpdateSecretRequest.builder().secretId(SANITIZED_KEY)
 .secretString(value).build());
 }
 
 @Test
- void storeSecret_shouldNotOverwriteSecrets() {
- var value = "value";
+ void storeSecret_shouldUpdateSecretIfExist() {
+ String value = "value";
+
+ vault.storeSecret(KEY, value);
+
+ verify(secretClient).updateSecret(UpdateSecretRequest.builder().secretId(SANITIZED_KEY)
+ .secretString(value).build());
+ verify(secretClient, never()).createSecret(any(CreateSecretRequest.class));
+
+ }
+
+ @Test
+ void storeSecret_shouldCreateSecretIfNotExist() {
+ String value = "value";
+
+ doThrow(ResourceNotFoundException.class).when(secretClient).updateSecret(any(UpdateSecretRequest.class));
 
 vault.storeSecret(KEY, value);
 
+ verify(secretClient).updateSecret(any(UpdateSecretRequest.class));
 verify(secretClient).createSecret(CreateSecretRequest.builder().name(SANITIZED_KEY)
 .secretString(value).build());
 }
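Review bot: Neither added test exercises the failure path named in the commit message — `createSecret` throwing after `updateSecret` raised `ResourceNotFoundException` — so the inner catch in storeSecret has no coverage; a third case that stubs both calls with `doThrow(...)` and asserts `assertThat(vault.storeSecret(KEY, value).failed()).isTrue();` would pin it. `storeSecret_shouldCreateSecretIfNotExist` verifies that both calls happen but not their order, so `inOrder(secretClient)` would make the update-before-create contract explicit. The two new tests also declare `String value = "value";` where the neighbouring test and the line they replace use `var`; keeping `var` avoids the inconsistency. The enclosing test class continues past the hunk.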