POC: Show how SignerStore already supports AWS KMS

Add test setup and test to load a signer from AWS KMS (localstack) via SignerStore (pending in #451), with 0 worker code changes. Run as `tox -e local-aws-kms` **Change details** * Add independent tox environment to init/cleanup localstack, configure ambient AWS KMS credentials, create a test key, and run the test. * Add test to "import" test public key from AWS KMS and configure private key URI - this would typically happen in a key management UI (e.g. RSTUF CLI) - and use `SignerStore.get` to load the signer. Signed-off-by: Lukas Puehringer <[email protected]>
repository-service-tuf · Feb 6, 2024 · edcf2e0 · edcf2e0
1 parent d5d915c
commit edcf2e0
Show file tree

Hide file tree

Showing 3 changed files with 60 additions and 1 deletion.
diff --git a/tests/files/aws/init-kms.sh b/tests/files/aws/init-kms.sh
@@ -0,0 +1,8 @@
+#!/usr/bin/env bash
+awslocal kms create-key \
+    --key-spec RSA_4096 \
+    --key-usage SIGN_VERIFY
+
+awslocal kms create-alias \
+    --alias-name alias/aws-test-key \
+    --target-key-id $(awslocal kms list-keys --query "Keys[0].KeyId" --output text)
diff --git a/tests/unit/tuf_repository_service_worker/test_signer.py b/tests/unit/tuf_repository_service_worker/test_signer.py
@@ -2,11 +2,12 @@
 #
 # SPDX-License-Identifier: MIT
 
+import os
 from pathlib import Path
 
 import pytest
 from pretend import stub
-from securesystemslib.signer import CryptoSigner, Key
+from securesystemslib.signer import AWSSigner, CryptoSigner, Key
 
 from repository_service_tuf_worker.interfaces import IKeyVault
 from repository_service_tuf_worker.signer import (
@@ -87,3 +88,22 @@ def test_get_from_file_uri(self):
         signer = store.get(key)
 
         assert isinstance(signer, CryptoSigner)
+
+    @pytest.mark.skipif(
+        not os.environ.get("AWS_ENDPOINT_URL"), reason="No AWS endpoint"
+    )
+    def test_get_from_aws(self):
+        # Import test public key of given key type and keyid alias from AWS KMS
+        # - see tests/files/aws/init-kms.sh for how such a key is created
+        # - see tox.ini for how credentials etc. are passed via env vars
+        scheme = "rsassa-pss-sha256"
+        aws_keyid = "alias/aws-test-key"
+        uri, key = AWSSigner.import_(aws_keyid, scheme)
+
+        key.unrecognized_fields[RSTUF_ONLINE_KEY_URI_FIELD] = uri
+
+        # Load signer from AWS KMS
+        fake_settings = stub()
+        store = SignerStore(fake_settings)
+        signer = store.get(key)
+        assert isinstance(signer, AWSSigner)
diff --git a/tox.ini b/tox.ini
@@ -64,3 +64,34 @@ commands =
 python =
     3.10: py310,pep8,lint,requirements,test
     3.11: py311,pep8,lint,requirements,test
+
+[testenv:local-aws-kms]
+deps =
+    -r{toxinidir}/requirements-dev.txt
+    localstack
+
+allowlist_externals =
+    localstack
+    bash
+
+setenv =
+    DATA_DIR = ./data-test
+    AWS_ACCESS_KEY_ID = test
+    AWS_SECRET_ACCESS_KEY = test
+    AWS_ENDPOINT_URL = http://localhost:4566/
+    AWS_DEFAULT_REGION = us-east-1
+
+commands_pre =
+    # Start virtual AWS KMS
+    localstack start --detached
+    localstack wait
+
+    # Create signing key
+    bash {toxinidir}/tests/files/aws/init-kms.sh
+
+commands =
+    python3 -m pytest tests/unit/tuf_repository_service_worker/test_signer.py -k test_get_from_aws
+
+commands_post =
+    # Stop virtual AWS KMS
+    localstack stop