Migrate Keyring secrets to Secret Manager (#1072)

* Migrate Keyring secrets to Secret Manager Implented dual-read of Keyring secrets with Datastore as primary. Implemented dual-write of keyring secrets with Datastore as primary. Secret manager write failures are simply thrown. This is fine since all keyring writes are manual, throught eh update_kms_keyring command. Added a one-way migration command that copies all data to secret manager (unencrypted).
2025-07-06 19:23:31 +02:00 · 2021-04-14 10:17:33 -04:00 · 2021-04-14 10:17:33 -04:00 · bb453b1982
commit bb453b1982
parent 8b41b5c76f
15 changed files with 306 additions and 17 deletions
--- a/core/src/test/java/google/registry/keyring/kms/KmsKeyringTest.java
+++ b/core/src/test/java/google/registry/keyring/kms/KmsKeyringTest.java
@ -20,6 +20,8 @@ import static google.registry.persistence.transaction.TransactionManagerFactory.
 import google.registry.keyring.api.KeySerializer;
 import google.registry.model.server.KmsSecret;
 import google.registry.model.server.KmsSecretRevision;
+import google.registry.privileges.secretmanager.FakeSecretManagerClient;
+import google.registry.privileges.secretmanager.KeyringSecretStore;
 import google.registry.testing.AppEngineExtension;
 import google.registry.testing.BouncyCastleProviderExtension;
 import google.registry.testing.DualDatabaseTest;
@ -45,7 +47,9 @@ class KmsKeyringTest {

  @BeforeEach
  void beforeEach() {
-    keyring = new KmsKeyring(new FakeKmsConnection());
+    keyring =
+        new KmsKeyring(
+            new FakeKmsConnection(), new KeyringSecretStore(new FakeSecretManagerClient()));
  }

  @TestOfyAndSql
--- a/core/src/test/java/google/registry/keyring/kms/KmsUpdaterTest.java
+++ b/core/src/test/java/google/registry/keyring/kms/KmsUpdaterTest.java
@ -24,6 +24,8 @@ import google.registry.keyring.api.KeySerializer;
 import google.registry.model.server.KmsSecret;
 import google.registry.model.server.KmsSecretRevision;
 import google.registry.model.server.KmsSecretRevisionSqlDao;
+import google.registry.privileges.secretmanager.FakeSecretManagerClient;
+import google.registry.privileges.secretmanager.KeyringSecretStore;
 import google.registry.testing.AppEngineExtension;
 import google.registry.testing.BouncyCastleProviderExtension;
 import google.registry.testing.DualDatabaseTest;
@ -49,7 +51,9 @@ public class KmsUpdaterTest {

  @BeforeEach
  void beforeEach() {
-    updater = new KmsUpdater(new FakeKmsConnection());
+    updater =
+        new KmsUpdater(
+            new FakeKmsConnection(), new KeyringSecretStore(new FakeSecretManagerClient()));
  }

  @TestOfyAndSql
--- a/core/src/test/java/google/registry/privileges/secretmanager/FakeSecretManagerClient.java
+++ b/core/src/test/java/google/registry/privileges/secretmanager/FakeSecretManagerClient.java
@ -30,7 +30,7 @@ public class FakeSecretManagerClient implements SecretManagerClient {
  private final HashMap<String, SecretEntry> secrets = new HashMap<>();

  @Inject
-  FakeSecretManagerClient() {}
+  public FakeSecretManagerClient() {}

  @Override
  public String getProject() {
--- a/core/src/test/java/google/registry/privileges/secretmanager/KeyringSecretStoreTest.java
+++ b/core/src/test/java/google/registry/privileges/secretmanager/KeyringSecretStoreTest.java
@ -0,0 +1,53 @@
+// Copyright 2021 The Nomulus Authors. All Rights Reserved.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package google.registry.privileges.secretmanager;
+
+import static com.google.common.truth.Truth.assertThat;
+
+import java.nio.charset.StandardCharsets;
+import java.util.Optional;
+import org.junit.jupiter.api.Test;
+
+/** Unit tests for {@link KeyringSecretStore}. */
+public class KeyringSecretStoreTest {
+
+  private final SecretManagerClient csmClient = new FakeSecretManagerClient();
+  private final KeyringSecretStore secretStore = new KeyringSecretStore(csmClient);
+  private final byte[] data = {1, 2, 3, 0};
+
+  @Test
+  void createSecret() {
+    secretStore.createOrUpdateSecret("a", data);
+    byte[] persistedData = secretStore.getSecret("a");
+    assertThat(persistedData).isEqualTo(data);
+  }
+
+  @Test
+  void createSecret_underTheHood() {
+    secretStore.createOrUpdateSecret("a", data);
+    byte[] persistedData =
+        csmClient.getSecretData("keyring-a", Optional.empty()).getBytes(StandardCharsets.UTF_8);
+    assertThat(persistedData).isEqualTo(data);
+  }
+
+  @Test
+  void updateSecret() {
+    secretStore.createOrUpdateSecret("a", data);
+    byte[] newData = {0, 1, 2, 3};
+    secretStore.createOrUpdateSecret("a", newData);
+    byte[] persistedData = secretStore.getSecret("a");
+    assertThat(persistedData).isEqualTo(newData);
+  }
+}