POC: Show how SignerStore already supports AWS KMS

Add test setup and test to load a signer from AWS KMS (localstack) via SignerStore (pending in #451), with 0 worker code changes. Run as `tox -e local-aws-kms` **Change details** * Add independent tox environment to init/cleanup localstack, configure ambient AWS KMS credentials, create a test key, and run the test. * Add test to "import" test public key from AWS KMS and configure private key URI - this would typically happen in a key management UI (e.g. RSTUF CLI) - and use `SignerStore.get` to load the signer. Signed-off-by: Lukas Puehringer <[email protected]>
repository-service-tuf · Mar 2, 2024 · 5fb1341 · 5fb1341
1 parent b4f77f2
commit 5fb1341
Show file tree

Hide file tree

Showing 4 changed files with 67 additions and 1 deletion.
diff --git a/repository_service_tuf_worker/signer.py b/repository_service_tuf_worker/signer.py
@@ -97,6 +97,10 @@ def isolated_env(env: dict[str, str]):
 # List of Dyanconf settings needed in the signer environment
 _AMBIENT_SETTING_NAMES = [
     "ONLINE_KEY_DIR",
+    "AWS_ACCESS_KEY_ID",
+    "AWS_SECRET_ACCESS_KEY",
+    "AWS_ENDPOINT_URL",
+    "AWS_DEFAULT_REGION",
 ]
 
 

diff --git a/tests/files/aws/init-kms.sh b/tests/files/aws/init-kms.sh
@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+awslocal kms create-key \
+    --key-spec RSA_4096 \
+    --key-usage SIGN_VERIFY
+
+awslocal kms create-alias \
+    --alias-name alias/aws-test-key \
+    --target-key-id $(awslocal kms list-keys --query "Keys[0].KeyId" --output text)
diff --git a/tests/unit/tuf_repository_service_worker/test_signer.py b/tests/unit/tuf_repository_service_worker/test_signer.py
@@ -2,19 +2,21 @@
 #
 # SPDX-License-Identifier: MIT
 
+import os
 from pathlib import Path
 from unittest.mock import patch
 
 import pytest
 from dynaconf import Dynaconf
 from pretend import stub
-from securesystemslib.signer import CryptoSigner, Key
+from securesystemslib.signer import AWSSigner, CryptoSigner, Key
 
 from repository_service_tuf_worker.interfaces import IKeyVault
 from repository_service_tuf_worker.signer import (
     RSTUF_ONLINE_KEY_URI_FIELD,
     FileNameSigner,
     SignerStore,
+    isolated_env,
 )
 
 _FILES = Path(__file__).parent.parent.parent / "files"
@@ -131,3 +133,24 @@ def test_get_from_file_name_uri_no_envvar(self):
 
         with patch.dict("os.environ", {}, clear=True), pytest.raises(KeyError):
             store.get(fake_key)
+
+    @pytest.mark.skipif(
+        not os.environ.get("RSTUF_AWS_ENDPOINT_URL"), reason="No AWS endpoint"
+    )
+    def test_get_from_aws(self):
+        # Import test public key of given key type and keyid alias from AWS KMS
+        # - see tests/files/aws/init-kms.sh for how such a key is created
+        # - see tox.ini for how credentials etc. are passed via env vars
+        scheme = "rsassa-pss-sha256"
+        aws_keyid = "alias/aws-test-key"
+
+        settings = Dynaconf(envvar_prefix="RSTUF")
+        with isolated_env(settings.to_dict()):
+            uri, key = AWSSigner.import_(aws_keyid, scheme)
+
+        key.unrecognized_fields[RSTUF_ONLINE_KEY_URI_FIELD] = uri
+
+        # Load signer from AWS KMS
+        store = SignerStore(settings)
+        signer = store.get(key)
+        assert isinstance(signer, AWSSigner)
diff --git a/tox.ini b/tox.ini
@@ -64,3 +64,34 @@ commands =
 python =
     3.10: py310,pep8,lint,requirements,test
     3.11: py311,pep8,lint,requirements,test
+
+[testenv:local-aws-kms]
+deps =
+    -r{toxinidir}/requirements-dev.txt
+    localstack
+
+allowlist_externals =
+    localstack
+    bash
+
+setenv =
+    DATA_DIR = ./data-test
+    RSTUF_AWS_ACCESS_KEY_ID = test
+    RSTUF_AWS_SECRET_ACCESS_KEY = test
+    RSTUF_AWS_ENDPOINT_URL = http://localhost:4566/
+    RSTUF_AWS_DEFAULT_REGION = us-east-1
+
+commands_pre =
+    # Start virtual AWS KMS
+    localstack start --detached
+    localstack wait
+
+    # Create signing key
+    bash {toxinidir}/tests/files/aws/init-kms.sh
+
+commands =
+    python3 -m pytest tests/unit/tuf_repository_service_worker/test_signer.py -k test_get_from_aws
+
+commands_post =
+    # Stop virtual AWS KMS
+    localstack stop