Merge pull request #574 from QuorumEngineering/feature/azure-vault-ve…

…rsioning Enable retrieval of previous versions of Azure secrets
Consensys · Dec 19, 2018 · 0872f4f · 0872f4f
2 parents 08fa1bb + 5fac387
commit 0872f4f
Show file tree

Hide file tree

Showing 21 changed files with 372 additions and 76 deletions.
diff --git a/config/src/main/java/com/quorum/tessera/config/KeyData.java b/config/src/main/java/com/quorum/tessera/config/KeyData.java
@@ -43,6 +43,12 @@ public class KeyData extends ConfigItem {
     @Pattern(regexp = "^[0-9a-zA-Z\\-]*$")
     private String azureVaultPrivateKeyId;
 
+    @XmlElement
+    private String azureVaultPublicKeyVersion;
+
+    @XmlElement
+    private String azureVaultPrivateKeyVersion;
+
     @XmlElement
     private String hashicorpVaultPublicKeyId;
 
@@ -58,14 +64,16 @@ public class KeyData extends ConfigItem {
     @XmlElement
     private String hashicorpVaultSecretVersion;
 
-    public KeyData(KeyDataConfig config, String privateKey, String publicKey, Path privateKeyPath, Path publicKeyPath, String azureVaultPublicKeyId, String azureVaultPrivateKeyId, String hashicorpVaultPublicKeyId, String hashicorpVaultPrivateKeyId, String hashicorpVaultSecretEngineName, String hashicorpVaultSecretName, String hashicorpVaultSecretVersion) {
+    public KeyData(KeyDataConfig config, String privateKey, String publicKey, Path privateKeyPath, Path publicKeyPath, String azureVaultPublicKeyId, String azureVaultPrivateKeyId, String azureVaultPublicKeyVersion, String azureVaultPrivateKeyVersion, String hashicorpVaultPublicKeyId, String hashicorpVaultPrivateKeyId, String hashicorpVaultSecretEngineName, String hashicorpVaultSecretName, String hashicorpVaultSecretVersion) {
         this.config = config;
         this.privateKey = privateKey;
         this.publicKey = publicKey;
         this.privateKeyPath = privateKeyPath;
         this.publicKeyPath = publicKeyPath;
         this.azureVaultPublicKeyId = azureVaultPublicKeyId;
         this.azureVaultPrivateKeyId = azureVaultPrivateKeyId;
+        this.azureVaultPublicKeyVersion = azureVaultPublicKeyVersion;
+        this.azureVaultPrivateKeyVersion = azureVaultPrivateKeyVersion;
         this.hashicorpVaultPublicKeyId = hashicorpVaultPublicKeyId;
         this.hashicorpVaultPrivateKeyId = hashicorpVaultPrivateKeyId;
         this.hashicorpVaultSecretEngineName = hashicorpVaultSecretEngineName;
@@ -105,6 +113,14 @@ public String getAzureVaultPrivateKeyId() {
         return azureVaultPrivateKeyId;
     }
 
+    public String getAzureVaultPublicKeyVersion() {
+        return azureVaultPublicKeyVersion;
+    }
+
+    public String getAzureVaultPrivateKeyVersion() {
+        return azureVaultPrivateKeyVersion;
+    }
+
     public String getHashicorpVaultPublicKeyId() {
         return hashicorpVaultPublicKeyId;
     }
@@ -153,6 +169,14 @@ public void setAzureVaultPrivateKeyId(String azureVaultPrivateKeyId) {
         this.azureVaultPrivateKeyId = azureVaultPrivateKeyId;
     }
 
+    public void setAzureVaultPublicKeyVersion(String azureVaultPublicKeyVersion) {
+        this.azureVaultPublicKeyVersion = azureVaultPublicKeyVersion;
+    }
+
+    public void setAzureVaultPrivateKeyVersion(String azureVaultPrivateKeyVersion) {
+        this.azureVaultPrivateKeyVersion = azureVaultPrivateKeyVersion;
+    }
+
     public void setHashicorpVaultPublicKeyId(String hashicorpVaultPublicKeyId) {
         this.hashicorpVaultPublicKeyId = hashicorpVaultPublicKeyId;
     }

diff --git a/config/src/main/java/com/quorum/tessera/config/adapters/KeyDataAdapter.java b/config/src/main/java/com/quorum/tessera/config/adapters/KeyDataAdapter.java
@@ -25,7 +25,7 @@ public ConfigKeyPair unmarshal(final KeyData keyData) {
 
         //case 3, the Azure Key Vault data is provided
         if(keyData.getAzureVaultPublicKeyId() != null && keyData.getAzureVaultPrivateKeyId() != null) {
-            return new AzureVaultKeyPair(keyData.getAzureVaultPublicKeyId(), keyData.getAzureVaultPrivateKeyId());
+            return new AzureVaultKeyPair(keyData.getAzureVaultPublicKeyId(), keyData.getAzureVaultPrivateKeyId(), keyData.getAzureVaultPublicKeyVersion(), keyData.getAzureVaultPrivateKeyVersion());
         }
 
         //case 4, the Hashicorp Vault data is provided
@@ -48,6 +48,8 @@ public ConfigKeyPair unmarshal(final KeyData keyData) {
             keyData.getPublicKeyPath(),
             keyData.getAzureVaultPublicKeyId(),
             keyData.getAzureVaultPrivateKeyId(),
+            keyData.getAzureVaultPublicKeyVersion(),
+            keyData.getAzureVaultPrivateKeyVersion(),
             keyData.getHashicorpVaultPublicKeyId(),
             keyData.getHashicorpVaultPrivateKeyId(),
             keyData.getHashicorpVaultSecretEngineName(),
@@ -82,6 +84,8 @@ public KeyData marshal(final ConfigKeyPair keyPair) {
 
             keyData.setAzureVaultPublicKeyId(kp.getPublicKeyId());
             keyData.setAzureVaultPrivateKeyId(kp.getPrivateKeyId());
+            keyData.setAzureVaultPublicKeyVersion(kp.getPublicKeyVersion());
+            keyData.setAzureVaultPrivateKeyVersion(kp.getPrivateKeyVersion());
             return keyData;
         }
 
@@ -113,6 +117,8 @@ public KeyData marshal(final ConfigKeyPair keyPair) {
                 kp.getPublicKeyPath(),
                 kp.getAzureVaultPrivateKeyId(),
                 kp.getAzureVaultPublicKeyId(),
+                kp.getAzureVaultPublicKeyVersion(),
+                kp.getAzureVaultPrivateKeyVersion(),
                 kp.getHashicorpVaultPrivateKeyId(),
                 kp.getHashicorpVaultPublicKeyId(),
                 kp.getHashicorpVaultSecretEngineName(),

diff --git a/config/src/main/java/com/quorum/tessera/config/constraints/AzureVaultKeyPairValidator.java b/config/src/main/java/com/quorum/tessera/config/constraints/AzureVaultKeyPairValidator.java
@@ -0,0 +1,29 @@
+package com.quorum.tessera.config.constraints;
+
+import com.quorum.tessera.config.keypairs.AzureVaultKeyPair;
+
+import javax.validation.ConstraintValidator;
+import javax.validation.ConstraintValidatorContext;
+import java.util.Objects;
+
+public class AzureVaultKeyPairValidator implements ConstraintValidator<ValidAzureVaultKeyPair, AzureVaultKeyPair> {
+
+    private ValidAzureVaultKeyPair annotation;
+
+    @Override
+    public void initialize(ValidAzureVaultKeyPair annotation) {
+        this.annotation = annotation;
+    }
+
+    @Override
+    public boolean isValid(AzureVaultKeyPair azureVaultKeyPair, ConstraintValidatorContext cvc) {
+
+        if (azureVaultKeyPair == null) {
+            return true;
+        }
+
+        return Objects.isNull(azureVaultKeyPair.getPublicKeyVersion()) == Objects.isNull(azureVaultKeyPair.getPrivateKeyVersion());
+
+    }
+
+}
diff --git a/config/src/main/java/com/quorum/tessera/config/constraints/ValidAzureVaultKeyPair.java b/config/src/main/java/com/quorum/tessera/config/constraints/ValidAzureVaultKeyPair.java
@@ -0,0 +1,25 @@
+package com.quorum.tessera.config.constraints;
+
+import javax.validation.Constraint;
+import javax.validation.Payload;
+import java.lang.annotation.Documented;
+import java.lang.annotation.ElementType;
+import java.lang.annotation.Retention;
+import java.lang.annotation.Target;
+
+import static java.lang.annotation.ElementType.*;
+import static java.lang.annotation.RetentionPolicy.RUNTIME;
+
+@Target({FIELD, PARAMETER, ANNOTATION_TYPE, ElementType.TYPE})
+@Retention(RUNTIME)
+@Constraint(validatedBy = AzureVaultKeyPairValidator.class)
+@Documented
+public @interface ValidAzureVaultKeyPair {
+
+    String message() default "{AzureVaultKeyData.message}";
+
+    Class<?>[] groups() default {};
+
+    Class<? extends Payload>[] payload() default {};
+
+}
diff --git a/config/src/main/java/com/quorum/tessera/config/keypairs/AzureVaultKeyPair.java b/config/src/main/java/com/quorum/tessera/config/keypairs/AzureVaultKeyPair.java
@@ -1,9 +1,13 @@
 package com.quorum.tessera.config.keypairs;
 
+import com.quorum.tessera.config.constraints.ValidAzureVaultKeyPair;
+
 import javax.validation.constraints.NotNull;
 import javax.validation.constraints.Pattern;
+import javax.validation.constraints.Size;
 import javax.xml.bind.annotation.XmlElement;
 
+@ValidAzureVaultKeyPair
 public class AzureVaultKeyPair implements ConfigKeyPair {
 
     @NotNull
@@ -18,9 +22,19 @@ public class AzureVaultKeyPair implements ConfigKeyPair {
             message = "Azure Key Vault key IDs can only contain alphanumeric characters and dashes (-)")
     private String privateKeyId;
 
-    public AzureVaultKeyPair(String publicKeyId, String privateKeyId) {
+    @XmlElement
+    @Size(min = 32, max = 32, message = "length must be 32 characters")
+    private String publicKeyVersion;
+
+    @XmlElement
+    @Size(min = 32, max = 32, message = "length must be 32 characters")
+    private String privateKeyVersion;
+
+    public AzureVaultKeyPair(String publicKeyId, String privateKeyId, String publicKeyVersion, String privateKeyVersion) {
         this.publicKeyId = publicKeyId;
         this.privateKeyId = privateKeyId;
+        this.publicKeyVersion = publicKeyVersion;
+        this.privateKeyVersion = privateKeyVersion;
     }
 
     public String getPublicKeyId() {
@@ -31,6 +45,14 @@ public String getPrivateKeyId() {
         return this.privateKeyId;
     }
 
+    public String getPublicKeyVersion() {
+        return publicKeyVersion;
+    }
+
+    public String getPrivateKeyVersion() {
+        return privateKeyVersion;
+    }
+
     @Override
     public String getPublicKey() {
         //keys are not fetched from vault yet so return null

diff --git a/config/src/main/java/com/quorum/tessera/config/keypairs/UnsupportedKeyPair.java b/config/src/main/java/com/quorum/tessera/config/keypairs/UnsupportedKeyPair.java
@@ -34,6 +34,12 @@ public class UnsupportedKeyPair implements ConfigKeyPair {
     @XmlElement
     private String azureVaultPrivateKeyId;
 
+    @XmlElement
+    private String azureVaultPublicKeyVersion;
+
+    @XmlElement
+    private String azureVaultPrivateKeyVersion;
+
     @XmlElement
     private String hashicorpVaultPublicKeyId;
 
@@ -49,14 +55,16 @@ public class UnsupportedKeyPair implements ConfigKeyPair {
     @XmlElement
     private String hashicorpVaultSecretVersion;
 
-    public UnsupportedKeyPair(KeyDataConfig config, String privateKey, String publicKey, Path privateKeyPath, Path publicKeyPath, String azureVaultPublicKeyId, String azureVaultPrivateKeyId, String hashicorpVaultPublicKeyId, String hashicorpVaultPrivateKeyId, String hashicorpVaultSecretEngineName, String hashicorpVaultSecretName, String hashicorpVaultSecretVersion) {
+    public UnsupportedKeyPair(KeyDataConfig config, String privateKey, String publicKey, Path privateKeyPath, Path publicKeyPath, String azureVaultPublicKeyId, String azureVaultPrivateKeyId, String azureVaultPublicKeyVersion, String azureVaultPrivateKeyVersion, String hashicorpVaultPublicKeyId, String hashicorpVaultPrivateKeyId, String hashicorpVaultSecretEngineName, String hashicorpVaultSecretName, String hashicorpVaultSecretVersion) {
         this.config = config;
         this.privateKey = privateKey;
         this.publicKey = publicKey;
         this.privateKeyPath = privateKeyPath;
         this.publicKeyPath = publicKeyPath;
         this.azureVaultPublicKeyId = azureVaultPublicKeyId;
         this.azureVaultPrivateKeyId = azureVaultPrivateKeyId;
+        this.azureVaultPublicKeyVersion = azureVaultPublicKeyVersion;
+        this.azureVaultPrivateKeyVersion = azureVaultPrivateKeyVersion;
         this.hashicorpVaultPublicKeyId = hashicorpVaultPublicKeyId;
         this.hashicorpVaultPrivateKeyId = hashicorpVaultPrivateKeyId;
         this.hashicorpVaultSecretEngineName = hashicorpVaultSecretEngineName;
@@ -98,6 +106,14 @@ public String getAzureVaultPrivateKeyId() {
         return azureVaultPrivateKeyId;
     }
 
+    public String getAzureVaultPublicKeyVersion() {
+        return azureVaultPublicKeyVersion;
+    }
+
+    public String getAzureVaultPrivateKeyVersion() {
+        return azureVaultPrivateKeyVersion;
+    }
+
     public String getHashicorpVaultPublicKeyId() {
         return hashicorpVaultPublicKeyId;
     }
@@ -156,6 +172,14 @@ public void setAzureVaultPrivateKeyId(String azureVaultPrivateKeyId) {
         this.azureVaultPrivateKeyId = azureVaultPrivateKeyId;
     }
 
+    public void setAzureVaultPublicKeyVersion(String azureVaultPublicKeyVersion) {
+        this.azureVaultPublicKeyVersion = azureVaultPublicKeyVersion;
+    }
+
+    public void setAzureVaultPrivateKeyVersion(String azureVaultPrivateKeyVersion) {
+        this.azureVaultPrivateKeyVersion = azureVaultPrivateKeyVersion;
+    }
+
     public void setHashicorpVaultPublicKeyId(String hashicorpVaultPublicKeyId) {
         this.hashicorpVaultPublicKeyId = hashicorpVaultPublicKeyId;
     }

diff --git a/config/src/main/java/com/quorum/tessera/config/vault/data/AzureGetSecretData.java b/config/src/main/java/com/quorum/tessera/config/vault/data/AzureGetSecretData.java
@@ -6,8 +6,11 @@ public class AzureGetSecretData implements GetSecretData {
 
     private String secretName;
 
-    public AzureGetSecretData(String secretName) {
+    private String secretVersion;
+
+    public AzureGetSecretData(String secretName, String secretVersion) {
         this.secretName = secretName;
+        this.secretVersion = secretVersion;
     }
 
     @Override
@@ -18,4 +21,8 @@ public KeyVaultType getType() {
     public String getSecretName() {
         return secretName;
     }
+
+    public String getSecretVersion() {
+        return secretVersion;
+    }
 }
diff --git a/config/src/main/resources/ValidationMessages.properties b/config/src/main/resources/ValidationMessages.properties
@@ -16,10 +16,11 @@ UnsupportedKeyPair.message=Invalid key-pair. Ensure that the public and private
 UnsupportedKeyPair.bothDirectKeysRequired.message=Invalid direct key-pair. Ensure that both the public and private keys for the key-pair have been provided.
 UnsupportedKeyPair.bothInlineKeysRequired.message=Invalid inline key-pair. Ensure that both the public key and private key config for the key-pair have been provided.
 UnsupportedKeyPair.bothAzureKeysRequired.message=Invalid Azure Key Vault key-pair. Ensure that both the public key ID and private key ID for the key-pair have been provided.
-UnsupportedKeyPair.allHashicorpKeyDataRequired.message=Invalid Hashicorp Key Vault key-pair. Ensure that the public key ID, private key ID and secret path for the key-pair have been provided.
+UnsupportedKeyPair.allHashicorpKeyDataRequired.message=Invalid Hashicorp Key Vault key-pair. Ensure that the secret name, secret engine name, public key ID and private key ID for the key-pair have been provided.
 UnsupportedKeyPair.bothFilesystemKeysRequired.message=Invalid filesystem key-pair. Ensure that both the public key path and private key path for the key-pair have been provided.
 ValidKeyDataConfig.message=A locked key was provided without a password.\n Please ensure the same number of passwords are provided as there are keys and remember to include empty passwords for unlocked keys
 InlineKeyData.message=A locked key was provided without a password.\n Please ensure the same number of passwords are provided as there are keys and remember to include empty passwords for unlocked keys
+AzureVaultKeyData.message=Only one key version was provided for the Azure vault key pair.  Either set the version for both the public and private key, or leave both unset
 ValidKeyConfiguration.message=A password file and inline passwords were provided. Please choose one or the other
 ValidKeyVaultConfiguration.message=No key vault configuration was specified but vault key data was provided
 ValidKeyVaultConfiguration.azure.message=No azureKeyVaultConfig was specified but azureVaultPublicKeyId and azureVaultPrivateKeyId were provided