internal: use go-kms-wrapping for KMS backends (#1012)

* Replace external KMS backend logic for AWS, Azure, and GCP with go-kms-wrapping * Move kms client setup config into its own package for easier parsing * Update kms integration flag naming * Error if nil storage is passed to external KMS --------- Signed-off-by: Daniel Weiße <dw@edgeless.systems>
2025-08-09 23:42:21 -04:00 · 2023-02-08 12:03:54 +01:00 · 2023-02-08 12:03:54 +01:00 · 3a7b829107
commit 3a7b829107
parent 68ce23b909
36 changed files with 1319 additions and 3121 deletions
--- a/internal/kms/test/azure_test.go
+++ b/internal/kms/test/azure_test.go
@ -0,0 +1,111 @@
+//go:build integration
+
+/*
+Copyright (c) Edgeless Systems GmbH
+
+SPDX-License-Identifier: AGPL-3.0-only
+*/
+
+package test
+
+import (
+	"context"
+	"flag"
+	"testing"
+	"time"
+
+	"github.com/edgelesssys/constellation/v2/internal/kms/kms/azure"
+	"github.com/edgelesssys/constellation/v2/internal/kms/storage"
+	"github.com/edgelesssys/constellation/v2/internal/kms/uri"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestAzureStorage(t *testing.T) {
+	if !*runAzStorage {
+		t.Skip("Skipping Azure storage test")
+	}
+	if *azConnectionString == "" || *azContainer == "" {
+		flag.Usage()
+		t.Fatal("Required flags not set: --az-connection-string, --az-container")
+	}
+
+	assert := assert.New(t)
+	require := require.New(t)
+
+	ctx, cancel := context.WithTimeout(context.Background(), time.Second*30)
+	defer cancel()
+	store, err := storage.NewAzureStorage(ctx, *azConnectionString, *azContainer, nil)
+	require.NoError(err)
+
+	testData := []byte("Constellation test data")
+	testName := "constellation-test"
+
+	err = store.Put(ctx, testName, testData)
+	assert.NoError(err)
+
+	got, err := store.Get(ctx, testName)
+	assert.NoError(err)
+	assert.Equal(testData, got)
+
+	_, err = store.Get(ctx, addSuffix("does-not-exist"))
+	assert.ErrorIs(err, storage.ErrDEKUnset)
+}
+
+func TestAzureKeyKMS(t *testing.T) {
+	if !*runAzKms {
+		t.Skip("Skipping Azure Key Vault test")
+	}
+
+	if *kekID == "" || *azClientID == "" || *azClientSecret == "" || *azTenantID == "" || *azVaultName == "" {
+		flag.Usage()
+		t.Fatal("Required flags not set: --az-tenant-id, --az-client-id, --az-client-secret, --az-vault-name, --kek-id")
+	}
+	require := require.New(t)
+
+	store := storage.NewMemMapStorage()
+	ctx, cancel := context.WithTimeout(context.Background(), time.Second*30)
+	defer cancel()
+
+	cfg := uri.AzureConfig{
+		TenantID:     *azTenantID,
+		ClientID:     *azClientID,
+		ClientSecret: *azClientSecret,
+		VaultName:    *azVaultName,
+		VaultType:    uri.DefaultCloud,
+		KeyName:      *kekID,
+	}
+	kmsClient, err := azure.New(ctx, store, cfg)
+	require.NoError(err)
+
+	runKMSTest(t, kmsClient)
+}
+
+func TestAzureKeyHSM(t *testing.T) {
+	if !*runAzHsm {
+		t.Skip("Skipping Azure HSM test")
+	}
+
+	if *kekID == "" || *azClientID == "" || *azClientSecret == "" || *azTenantID == "" || *azVaultName == "" {
+		flag.Usage()
+		t.Fatal("Required flags not set: --az-tenant-id, --az-client-id, --az-client-secret, --az-vault-name, --kek-id")
+	}
+	require := require.New(t)
+
+	store := storage.NewMemMapStorage()
+	ctx, cancel := context.WithTimeout(context.Background(), time.Second*30)
+	defer cancel()
+
+	cfg := uri.AzureConfig{
+		TenantID:     *azTenantID,
+		ClientID:     *azClientID,
+		ClientSecret: *azClientSecret,
+		VaultName:    *azVaultName,
+		VaultType:    uri.HSMDefaultCloud,
+		KeyName:      *kekID,
+	}
+	kmsClient, err := azure.New(ctx, store, cfg)
+	require.NoError(err)
+
+	runKMSTest(t, kmsClient)
+}