Consensys · Krish1979 · Jan 8, 2020 · Oct 24, 2019 · Nov 4, 2019 · Nov 4, 2019
diff --git a/...-api/src/test/java/com/quorum/tessera/cli/keypassresolver/CliKeyPasswordResolverTest.java b/...-api/src/test/java/com/quorum/tessera/cli/keypassresolver/CliKeyPasswordResolverTest.java
@@ -60,7 +60,7 @@ public void emptyPasswordsReturnsSameKeys() {
 
         // null paths since we won't actually be reading them
         final ConfigKeyPair keypair = new FilesystemKeyPair(null, null, null);
-        final KeyConfiguration keyConfig = new KeyConfiguration(null, emptyList(), singletonList(keypair), null, null);
+        final KeyConfiguration keyConfig = new KeyConfiguration(null, emptyList(), singletonList(keypair), null, null, null);
         final Config config = new Config();
         config.setKeys(keyConfig);
 
@@ -79,7 +79,7 @@ public void noPasswordsReturnsSameKeys() {
 
         // null paths since we won't actually be reading them
         final ConfigKeyPair keypair = new FilesystemKeyPair(null, null, null);
-        final KeyConfiguration keyConfig = new KeyConfiguration(null, null, singletonList(keypair), null, null);
+        final KeyConfiguration keyConfig = new KeyConfiguration(null, null, singletonList(keypair), null, null, null);
         final Config config = new Config();
         config.setKeys(keyConfig);
 
@@ -100,7 +100,7 @@ public void passwordsAssignedToKeys() {
         final ConfigKeyPair keypair = new FilesystemKeyPair(null, null, null);
         final KeyConfiguration keyConfig =
                 new KeyConfiguration(
-                        null, singletonList("passwordsAssignedToKeys"), singletonList(keypair), null, null);
+                        null, singletonList("passwordsAssignedToKeys"), singletonList(keypair), null, null, null);
         final Config config = new Config();
         config.setKeys(keyConfig);
 
@@ -117,7 +117,7 @@ public void unreadablePasswordFileGivesNoPasswords() throws IOException {
         final Path passes = Files.createTempDirectory("testdirectory").resolve("nonexistantfile.txt");
 
         final ConfigKeyPair keypair = new FilesystemKeyPair(null, null, null);
-        final KeyConfiguration keyConfig = new KeyConfiguration(passes, null, singletonList(keypair), null, null);
+        final KeyConfiguration keyConfig = new KeyConfiguration(passes, null, singletonList(keypair), null, null, null);
         final Config config = new Config();
         config.setKeys(keyConfig);
 
@@ -135,7 +135,7 @@ public void readablePasswordFileAssignsPasswords() throws IOException {
         Files.write(passes, "q".getBytes());
 
         final ConfigKeyPair keypair = new FilesystemKeyPair(null, null, null);
-        final KeyConfiguration keyConfig = new KeyConfiguration(passes, null, singletonList(keypair), null, null);
+        final KeyConfiguration keyConfig = new KeyConfiguration(passes, null, singletonList(keypair), null, null, null);
         final Config config = new Config();
         config.setKeys(keyConfig);
 

diff --git a/cli/config-cli/src/main/java/com/quorum/tessera/config/cli/parsers/KeyGenerationParser.java b/cli/config-cli/src/main/java/com/quorum/tessera/config/cli/parsers/KeyGenerationParser.java
@@ -119,7 +119,7 @@ private Optional<KeyVaultConfig> keyVaultConfig(CommandLine commandLine) {
             if (!violations.isEmpty()) {
                 throw new ConstraintViolationException(violations);
             }
-        } else {
+        } else if(keyVaultType.equals(KeyVaultType.HASHICORP)) {
             if (!commandLine.hasOption("filename")) {
                 throw new CliException(
                         "At least one -filename must be provided when saving generated keys in a Hashicorp Vault");
@@ -143,7 +143,16 @@ private Optional<KeyVaultConfig> keyVaultConfig(CommandLine commandLine) {
             if (!violations.isEmpty()) {
                 throw new ConstraintViolationException(violations);
             }
-        }
+        } else {
+            keyVaultConfig = new AWSKeyVaultConfig(keyVaultUrl);
+
+            Set<ConstraintViolation<AWSKeyVaultConfig>> violations =
+                validator.validate((AWSKeyVaultConfig) keyVaultConfig);
+
+            if (!violations.isEmpty()) {
+                throw new ConstraintViolationException(violations);
+            }
+        } 
 
         return Optional.of(keyVaultConfig);
     }

diff --git a/cli/config-cli/src/test/java/com/quorum/tessera/config/cli/OverrideUtilTest.java b/cli/config-cli/src/test/java/com/quorum/tessera/config/cli/OverrideUtilTest.java
@@ -52,6 +52,7 @@ public void buildOptions() {
                         "keys.hashicorpKeyVaultConfig.tlsKeyStorePath",
                         "keys.hashicorpKeyVaultConfig.tlsTrustStorePath",
                         "keys.hashicorpKeyVaultConfig.url",
+                        "keys.awsKeyVaultConfig.endpoint",
                         "alwaysSendTo",
                         "unixSocketFile",
                         "useWhiteList",

diff --git a/...nfig-cli/src/test/java/com/quorum/tessera/config/cli/parsers/KeyGenerationParserTest.java b/...nfig-cli/src/test/java/com/quorum/tessera/config/cli/parsers/KeyGenerationParserTest.java
@@ -375,4 +375,50 @@ public void trailingWhitespaceVaultTypeIsOkay() throws Exception {
         verify(commandLine, times(1)).getOptionValue("keygenvaulttruststore");
         verify(commandLine, times(1)).getOptionValue("keygenvaultsecretengine");
     }
+
+    @Test
+    public void ifAwsVaultTypeProvidedAndEndpointProvidedThenOkay() throws Exception {
+        when(commandLine.hasOption("keygenvaulttype")).thenReturn(true);
+        when(commandLine.getOptionValue("keygenvaulturl")).thenReturn("https://localhost.com");
+        when(commandLine.getOptionValue("keygenvaulttype")).thenReturn("AWS");
+
+        this.parser.parse(commandLine);
+
+        verify(commandLine, times(1)).getOptionValue("keygenvaulturl");
+        verify(commandLine, times(1)).getOptionValue("keygenvaulttype");
+    }
+
+    @Test
+    public void ifAwsVaultTypeProvidedAndNoEndpointProvidedThenOkay() throws Exception {
+        when(commandLine.hasOption("keygenvaulttype")).thenReturn(true);
+        when(commandLine.getOptionValue("keygenvaulttype")).thenReturn("AWS");
+
+        this.parser.parse(commandLine);
+
+        verify(commandLine, times(1)).getOptionValue("keygenvaulttype");
+    }
+
+    @Test
+    public void wrongKeygenvaulturlProvidedWhenUsingAwsVaultThrowsException() {
+        when(commandLine.hasOption("keygenvaulttype")).thenReturn(true);
+        when(commandLine.hasOption("keygenvaulturl")).thenReturn(true);
+        when(commandLine.getOptionValue("keygenvaulturl")).thenReturn("notAValidURL");
+        when(commandLine.getOptionValue("keygenvaulttype")).thenReturn("AWS");
+        when(commandLine.hasOption("filename")).thenReturn(false);
+
+        Throwable ex = catchThrowable(() -> this.parser.parse(commandLine));
+
+        verify(commandLine, times(1)).getOptionValue("keygenvaulttype");
+        verify(commandLine, times(1)).getOptionValue("keygenvaulturl");
+
+        assertThat(ex).isInstanceOf(ConstraintViolationException.class);
+
+        Set<ConstraintViolation<?>> violations = ((ConstraintViolationException) ex).getConstraintViolations();
+
+        assertThat(violations.size()).isEqualTo(1);
+
+        ConstraintViolation violation = violations.iterator().next();
+
+        assertThat(violation.getPropertyPath().toString()).isEqualTo("endpoint");
+    }
 }
diff --git a/config-migration/src/main/java/com/quorum/tessera/config/builder/KeyDataBuilder.java b/config-migration/src/main/java/com/quorum/tessera/config/builder/KeyDataBuilder.java
@@ -92,6 +92,6 @@ public KeyConfiguration build() {
             privateKeyPasswordFilePath = null;
         }
 
-        return new KeyConfiguration(privateKeyPasswordFilePath, null, keyData, null, null);
+        return new KeyConfiguration(privateKeyPasswordFilePath, null, keyData, null, null, null);
     }
 }
@@ -133,7 +133,7 @@ public void ifPublicAndPrivateKeyListAreEmptyThenKeyConfigurationIsAllNulls() th
             KeyConfiguration result = tomlConfigFactory.createKeyDataBuilder(configData).build();
             assertThat(result).isNotNull();
 
-            KeyConfiguration expected = new KeyConfiguration(null, null, Collections.emptyList(), null, null);
+            KeyConfiguration expected = new KeyConfiguration(null, null, Collections.emptyList(), null, null, null);
             assertThat(result).isEqualTo(expected);
         }
     }

diff --git a/config-migration/src/test/java/com/quorum/tessera/config/migration/test/FixtureUtil.java b/config-migration/src/test/java/com/quorum/tessera/config/migration/test/FixtureUtil.java
@@ -86,6 +86,7 @@ public static ConfigBuilder builderWithValidValues() {
                                         new FilesystemKeyPair(
                                                 Paths.get("public"), Paths.get("private"), KEY_ENCRYPTOR)),
                                 null,
+                                null,
                                 null));
     }
 
@@ -124,6 +125,7 @@ public static ConfigBuilder builderWithNullValues() {
                                         new FilesystemKeyPair(
                                                 Paths.get("public"), Paths.get("private"), KEY_ENCRYPTOR)),
                                 null,
+                                null,
                                 null));
     }
 

diff --git a/config/pom.xml b/config/pom.xml
@@ -79,7 +79,7 @@
             <artifactId>jasypt</artifactId>
         </dependency>
 
-
+        
     </dependencies>
     <build>
 

diff --git a/config/src/main/java/com/quorum/tessera/config/AWSKeyVaultConfig.java b/config/src/main/java/com/quorum/tessera/config/AWSKeyVaultConfig.java
@@ -0,0 +1,37 @@
+package com.quorum.tessera.config;
+
+import javax.validation.Valid;
+import javax.validation.constraints.Pattern;
+import javax.xml.bind.annotation.XmlAccessType;
+import javax.xml.bind.annotation.XmlAccessorType;
+import javax.xml.bind.annotation.XmlAttribute;
+
+@XmlAccessorType(XmlAccessType.FIELD)
+public class AWSKeyVaultConfig extends ConfigItem implements KeyVaultConfig {
+
+    @Valid
+    @XmlAttribute
+    @Pattern(
+            regexp =
+                    "https?://(www\\.)?[-a-zA-Z0-9@:%._+~#=]{1,256}\\.[a-zA-Z0-9()]{1,6}\\b([-a-zA-Z0-9()@:%_+.~#?&/=]*)")
+    private String endpoint;
+
+    public AWSKeyVaultConfig(String endpoint) {
+        this.endpoint = endpoint;
+    }
+
+    public AWSKeyVaultConfig() {}
+
+    @Override
+    public KeyVaultType getKeyVaultType() {
+        return KeyVaultType.AWS;
+    }
+
+    public String getEndpoint() {
+        return this.endpoint;
+    }
+
+    public void setEndpoint(String url) {
+        this.endpoint = url;
+    }
+}
@@ -39,17 +39,21 @@ public class KeyConfiguration extends ConfigItem {
 
     @Valid @XmlElement private HashicorpKeyVaultConfig hashicorpKeyVaultConfig;
 
+    @Valid @XmlElement private AWSKeyVaultConfig awsKeyVaultConfig;
+
     public KeyConfiguration(
             final Path passwordFile,
             final List<String> passwords,
             final List<ConfigKeyPair> keyData,
             final AzureKeyVaultConfig azureKeyVaultConfig,
-            final HashicorpKeyVaultConfig hashicorpKeyVaultConfig) {
+            final HashicorpKeyVaultConfig hashicorpKeyVaultConfig,
+            final AWSKeyVaultConfig awsKeyVaultConfig) {
         this.passwordFile = passwordFile;
         this.passwords = passwords;
         this.keyData = keyData;
         this.azureKeyVaultConfig = azureKeyVaultConfig;
         this.hashicorpKeyVaultConfig = hashicorpKeyVaultConfig;
+        this.awsKeyVaultConfig = awsKeyVaultConfig;
     }
 
     public KeyConfiguration() {}
@@ -74,6 +78,10 @@ public HashicorpKeyVaultConfig getHashicorpKeyVaultConfig() {
         return hashicorpKeyVaultConfig;
     }
 
+    public AWSKeyVaultConfig getAwsKeyVaultConfig() {
+        return this.awsKeyVaultConfig;
+    }
+
     public void setPasswordFile(Path passwordFile) {
         this.passwordFile = passwordFile;
     }
@@ -93,4 +101,8 @@ public void setAzureKeyVaultConfig(AzureKeyVaultConfig azureKeyVaultConfig) {
     public void setHashicorpKeyVaultConfig(HashicorpKeyVaultConfig hashicorpKeyVaultConfig) {
         this.hashicorpKeyVaultConfig = hashicorpKeyVaultConfig;
     }
+
+    public void setAwsKeyVaultConfig(AWSKeyVaultConfig awsKeyVaultConfig) {
+        this.awsKeyVaultConfig = awsKeyVaultConfig;
+    }
 }
@@ -58,7 +58,13 @@ public class KeyData extends ConfigItem {
     @XmlElement
     private String hashicorpVaultSecretVersion;
 
-    public KeyData(KeyDataConfig config, String privateKey, String publicKey, Path privateKeyPath, Path publicKeyPath, String azureVaultPublicKeyId, String azureVaultPrivateKeyId, String azureVaultPublicKeyVersion, String azureVaultPrivateKeyVersion, String hashicorpVaultPublicKeyId, String hashicorpVaultPrivateKeyId, String hashicorpVaultSecretEngineName, String hashicorpVaultSecretName, String hashicorpVaultSecretVersion) {
+    @XmlElement
+    private String awsSecretsManagerPublicKeyId;
+
+    @XmlElement
+    private String awsSecretsManagerPrivateKeyId;
+
+    public KeyData(KeyDataConfig config, String privateKey, String publicKey, Path privateKeyPath, Path publicKeyPath, String azureVaultPublicKeyId, String azureVaultPrivateKeyId, String azureVaultPublicKeyVersion, String azureVaultPrivateKeyVersion, String hashicorpVaultPublicKeyId, String hashicorpVaultPrivateKeyId, String hashicorpVaultSecretEngineName, String hashicorpVaultSecretName, String hashicorpVaultSecretVersion, String awsSecretsManagerPublicKeyId, String awsSecretsManagerPrivateKeyId) {
         this.config = config;
         this.privateKey = privateKey;
         this.publicKey = publicKey;
@@ -73,6 +79,8 @@ public KeyData(KeyDataConfig config, String privateKey, String publicKey, Path p
         this.hashicorpVaultSecretEngineName = hashicorpVaultSecretEngineName;
         this.hashicorpVaultSecretName = hashicorpVaultSecretName;
         this.hashicorpVaultSecretVersion = hashicorpVaultSecretVersion;
+        this.awsSecretsManagerPublicKeyId = awsSecretsManagerPublicKeyId;
+        this.awsSecretsManagerPrivateKeyId = awsSecretsManagerPrivateKeyId;
     }
 
     public KeyData() {
@@ -135,6 +143,14 @@ public String getHashicorpVaultSecretVersion() {
         return hashicorpVaultSecretVersion;
     }
 
+    public String getAwsSecretsManagerPublicKeyId() {
+        return awsSecretsManagerPublicKeyId;
+    }
+
+    public String getAwsSecretsManagerPrivateKeyId() {
+        return awsSecretsManagerPrivateKeyId;
+    }
+
     public void setConfig(KeyDataConfig config) {
         this.config = config;
     }
@@ -191,4 +207,11 @@ public void setHashicorpVaultSecretVersion(String hashicorpVaultSecretVersion) {
         this.hashicorpVaultSecretVersion = hashicorpVaultSecretVersion;
     }
 
+    public void setAwsSecretsManagerPublicKeyId(String awsSecretsManagerPublicKeyId) {
+        this.awsSecretsManagerPublicKeyId = awsSecretsManagerPublicKeyId;
+    }
+
+    public void setAwsSecretsManagerPrivateKeyId(String awsSecretsManagerPrivateKeyId) {
+        this.awsSecretsManagerPrivateKeyId = awsSecretsManagerPrivateKeyId;
+    }
 }
@@ -1,5 +1,5 @@
 package com.quorum.tessera.config;
 
 public enum KeyVaultType {
-    AZURE, HASHICORP
+    AZURE, HASHICORP, AWS
 }
@@ -59,13 +59,19 @@ public ConfigKeyPair unmarshal(final KeyData keyData) {
                     keyData.getHashicorpVaultSecretVersion());
         }
 
-        // case 5, the keys are provided inside a file
+        // case 5, the AWS Secrets Manager data is provided
+        if (keyData.getAwsSecretsManagerPublicKeyId() != null && keyData.getAwsSecretsManagerPrivateKeyId() != null) {
+            return new AWSKeyPair(
+                    keyData.getAwsSecretsManagerPublicKeyId(), keyData.getAwsSecretsManagerPrivateKeyId());
+        }
+
+        // case 6, the keys are provided inside a file
         if (keyData.getPublicKeyPath() != null && keyData.getPrivateKeyPath() != null) {
             final KeyEncryptor keyEncryptor = keyEncryptorHolder.getKeyEncryptor().get();
             return new FilesystemKeyPair(keyData.getPublicKeyPath(), keyData.getPrivateKeyPath(), keyEncryptor);
         }
 
-        // case 6, the key config specified is invalid
+        // case 7, the key config specified is invalid
         return new UnsupportedKeyPair(
                 keyData.getConfig(),
                 keyData.getPrivateKey(),
@@ -80,7 +86,9 @@ public ConfigKeyPair unmarshal(final KeyData keyData) {
                 keyData.getHashicorpVaultPrivateKeyId(),
                 keyData.getHashicorpVaultSecretEngineName(),
                 keyData.getHashicorpVaultSecretName(),
-                keyData.getHashicorpVaultSecretVersion());
+                keyData.getHashicorpVaultSecretVersion(),
+                keyData.getAwsSecretsManagerPublicKeyId(),
+                keyData.getAwsSecretsManagerPrivateKeyId());
     }
 
     @Override
@@ -128,6 +136,14 @@ public KeyData marshal(final ConfigKeyPair keyPair) {
             return keyData;
         }
 
+        if (keyPair instanceof AWSKeyPair) {
+            AWSKeyPair kp = (AWSKeyPair) keyPair;
+
+            keyData.setAwsSecretsManagerPublicKeyId(kp.getPublicKeyId());
+            keyData.setAwsSecretsManagerPrivateKeyId(kp.getPrivateKeyId());
+            return keyData;
+        }
+
         if (keyPair instanceof FilesystemKeyPair) {
             FilesystemKeyPair kp = (FilesystemKeyPair) keyPair;
 
@@ -152,7 +168,9 @@ public KeyData marshal(final ConfigKeyPair keyPair) {
                     kp.getHashicorpVaultPublicKeyId(),
                     kp.getHashicorpVaultSecretEngineName(),
                     kp.getHashicorpVaultSecretName(),
-                    kp.getHashicorpVaultSecretVersion());
+                    kp.getHashicorpVaultSecretVersion(),
+                    kp.getAwsSecretsManagerPublicKeyId(),
+                    kp.getAwsSecretsManagerPrivateKeyId());
         }
 
         throw new UnsupportedOperationException("The keypair type " + keyPair.getClass() + " is not allowed");