Update the localstack/localstack docker tag to v4.3.0 adapting to new LocalStack limited key rotation capabilities. (kroxylicious#2024)

* Bump localstack version and fix the test

Signed-off-by: ShubhamRwt <[email protected]>

* Added suggestions by Keith

Signed-off-by: ShubhamRwt <[email protected]>

* Added suggestions by Keith

Signed-off-by: ShubhamRwt <[email protected]>

* Added unit test for AwsKmsTestKmsFacade

Signed-off-by: ShubhamRwt <[email protected]>

* Added suggestion by Keith and fixed the issues

Signed-off-by: ShubhamRwt <[email protected]>

---------

Signed-off-by: ShubhamRwt <[email protected]>

Author: ShubhamRwt

kroxylicious-kms-provider-aws-kms-test-support/pom.xml

@@ -83,5 +83,10 @@
             <groupId>com.github.spotbugs</groupId>
             <artifactId>spotbugs-annotations</artifactId>
         </dependency>
+        <dependency>
+            <groupId>org.wiremock</groupId>
+            <artifactId>wiremock</artifactId>
+            <scope>test</scope>
+        </dependency>
     </dependencies>
 </project>

kroxylicious-kms-provider-aws-kms-test-support/src/main/java/io/kroxylicious/kms/provider/aws/kms/AbstractAwsKmsTestKmsFacade.java

@@ -28,6 +28,8 @@
 import io.kroxylicious.kms.provider.aws.kms.model.DescribeKeyRequest;
 import io.kroxylicious.kms.provider.aws.kms.model.DescribeKeyResponse;
 import io.kroxylicious.kms.provider.aws.kms.model.ErrorResponse;
+import io.kroxylicious.kms.provider.aws.kms.model.ListKeyRotationsRequest;
+import io.kroxylicious.kms.provider.aws.kms.model.ListKeyRotationsResponse;
 import io.kroxylicious.kms.provider.aws.kms.model.RotateKeyRequest;
 import io.kroxylicious.kms.provider.aws.kms.model.ScheduleKeyDeletionRequest;
 import io.kroxylicious.kms.provider.aws.kms.model.ScheduleKeyDeletionResponse;
@@ -53,13 +55,16 @@ public abstract class AbstractAwsKmsTestKmsFacade implements TestKmsFacade<Confi
     private static final String TRENT_SERVICE_ROTATE_KEY = "TrentService.RotateKeyOnDemand";
     private static final String TRENT_SERVICE_DELETE_ALIAS = "TrentService.DeleteAlias";
     private static final String TRENT_SERVICE_SCHEDULE_KEY_DELETION = "TrentService.ScheduleKeyDeletion";
+    private static final String TRENT_SERVICE_LIST_KEY_ROTATIONS = "TrentService.ListKeyRotations";
 
     private static final TypeReference<CreateKeyResponse> CREATE_KEY_RESPONSE_TYPE_REF = new TypeReference<>() {
     };
     private static final TypeReference<DescribeKeyResponse> DESCRIBE_KEY_RESPONSE_TYPE_REF = new TypeReference<>() {
     };
     private static final TypeReference<ScheduleKeyDeletionResponse> SCHEDULE_KEY_DELETION_RESPONSE_TYPE_REF = new TypeReference<>() {
     };
+    private static final TypeReference<ListKeyRotationsResponse> LIST_KEY_ROTATIONS_RESPONSE_TYPE_REF = new TypeReference<>() {
+    };
     private static final TypeReference<ErrorResponse> ERROR_RESPONSE_TYPE_REF = new TypeReference<>() {
     };
     private final HttpClient client = HttpClient.newBuilder().followRedirects(HttpClient.Redirect.NORMAL).build();
@@ -142,9 +147,21 @@ public void deleteKek(String alias) {
         @Override
         public void rotateKek(String alias) {
             var key = read(alias);
+            // The LocalStack (4.3.0) implementation of RotateOnDemand doesn't preserve key history
+            // https://docs.localstack.cloud/references/coverage/coverage_kms/#:~:text=Show%20Tests-,RotateKeyOnDemand,-ScheduleKeyDeletion
+            // https://github.com/localstack/localstack/pull/12342
+
+            // We are using ListKeyRotationsRequest as a probe to discover AWS's capabilities.
+            // If we get 501 status code we will know that we are on LocalStack as it does not implement it
+            // (see https://docs.localstack.cloud/references/coverage/coverage_kms/#:~:text=Show%20Tests-,ListKeyRotations,-ListKeys)
+            final ListKeyRotationsRequest listKeyRotationKey = new ListKeyRotationsRequest(key.keyMetadata().keyId());
+            var listKeyRotationRequest = createRequest(listKeyRotationKey, TRENT_SERVICE_LIST_KEY_ROTATIONS);
+
             final RotateKeyRequest rotateKey = new RotateKeyRequest(key.keyMetadata().keyId());
             var rotateKeyRequest = createRequest(rotateKey, TRENT_SERVICE_ROTATE_KEY);
+
             try {
+                sendRequest(alias, listKeyRotationRequest, LIST_KEY_ROTATIONS_RESPONSE_TYPE_REF);
                 sendRequestExpectingNoResponse(rotateKeyRequest);
             }
             catch (AwsNotImplementException e) {
@@ -153,9 +170,6 @@ public void rotateKek(String alias) {
         }
 
         private void pseudoRotate(String alias) {
-            // RotateKeyOnDemand is not implemented in localstack.
-            // https://docs.localstack.cloud/references/coverage/coverage_kms/#:~:text=Show%20Tests-,RotateKeyOnDemand,-ScheduleKeyDeletion
-            // https://github.com/localstack/localstack/issues/10723
 
             // mimic rotate by creating a new key and repoint the alias at it, leaving the original key in place.
             final CreateKeyRequest request = new CreateKeyRequest("[rotated] key for alias: " + alias);

kroxylicious-kms-provider-aws-kms-test-support/src/main/java/io/kroxylicious/kms/provider/aws/kms/AwsKmsTestKmsFacade.java

@@ -18,7 +18,7 @@
 
 public class AwsKmsTestKmsFacade extends AbstractAwsKmsTestKmsFacade {
     private static final Logger LOG = LoggerFactory.getLogger(AwsKmsTestKmsFacade.class);
-    private static final DockerImageName LOCALSTACK_IMAGE = DockerImageName.parse("localstack/localstack:4.2.0");
+    private static final DockerImageName LOCALSTACK_IMAGE = DockerImageName.parse("localstack/localstack:4.3.0");
     private LocalStackContainer localStackContainer;
 
     @Override

kroxylicious-kms-provider-aws-kms-test-support/src/main/java/io/kroxylicious/kms/provider/aws/kms/model/ListKeyRotationsRequest.java

@@ -0,0 +1,19 @@
+/*
+ * Copyright Kroxylicious Authors.
+ *
+ * Licensed under the Apache Software License version 2.0, available at http://www.apache.org/licenses/LICENSE-2.0
+ */
+
+package io.kroxylicious.kms.provider.aws.kms.model;
+
+import java.util.Objects;
+
+import com.fasterxml.jackson.annotation.JsonProperty;
+
+import edu.umd.cs.findbugs.annotations.NonNull;
+
+public record ListKeyRotationsRequest(@JsonProperty("KeyId") @NonNull String keyId) {
+    public ListKeyRotationsRequest {
+        Objects.requireNonNull(keyId);
+    }
+}

kroxylicious-kms-provider-aws-kms-test-support/src/main/java/io/kroxylicious/kms/provider/aws/kms/model/ListKeyRotationsResponse.java

@@ -0,0 +1,21 @@
+/*
+ * Copyright Kroxylicious Authors.
+ *
+ * Licensed under the Apache Software License version 2.0, available at http://www.apache.org/licenses/LICENSE-2.0
+ */
+
+package io.kroxylicious.kms.provider.aws.kms.model;
+
+import java.util.Objects;
+
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
+import com.fasterxml.jackson.annotation.JsonProperty;
+
+import edu.umd.cs.findbugs.annotations.NonNull;
+
+@JsonIgnoreProperties(ignoreUnknown = true)
+public record ListKeyRotationsResponse(@JsonProperty("Truncated") @NonNull Boolean truncated) {
+    public ListKeyRotationsResponse {
+        Objects.requireNonNull(truncated);
+    }
+}

kroxylicious-kms-provider-aws-kms-test-support/src/test/java/io/kroxylicious/kms/provider/aws/kms/AwsKmsTestKmsFacadeIT.java

@@ -0,0 +1,75 @@
+/*
+ * Copyright Kroxylicious Authors.
+ *
+ * Licensed under the Apache Software License version 2.0, available at http://www.apache.org/licenses/LICENSE-2.0
+ */
+
+package io.kroxylicious.kms.provider.aws.kms;
+
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+import org.testcontainers.DockerClientFactory;
+
+import io.kroxylicious.kms.provider.aws.kms.config.Config;
+import io.kroxylicious.kms.service.AbstractTestKmsFacadeTest;
+import io.kroxylicious.kms.service.UnknownAliasException;
+
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.assertj.core.api.Assertions.assertThatThrownBy;
+import static org.assertj.core.api.Assumptions.assumeThat;
+
+class AwsKmsTestKmsFacadeIT extends AbstractTestKmsFacadeTest<Config, String, AwsKmsEdek> {
+
+    AwsKmsTestKmsFacadeIT() {
+        super(new AwsKmsTestKmsFacadeFactory());
+    }
+
+    @BeforeEach
+    void beforeEach() {
+        assumeThat(DockerClientFactory.instance().isDockerAvailable()).withFailMessage("docker unavailable").isTrue();
+    }
+
+    @Test
+    void classAndConfig() {
+        try (var facade = factory.build()) {
+            facade.start();
+            assertThat(facade.getKmsServiceClass()).isEqualTo(AwsKmsService.class);
+            assertThat(facade.getKmsServiceConfig()).isInstanceOf(Config.class);
+        }
+    }
+
+    @Test
+    void generateKekFailsIfAliasExists() {
+        try (var facade = factory.build()) {
+            facade.start();
+            var manager = facade.getTestKekManager();
+            manager.generateKek(ALIAS);
+
+            assertThatThrownBy(() -> manager.generateKek(ALIAS))
+                    .isInstanceOf(IllegalStateException.class)
+                    .hasMessageContaining("400");
+        }
+    }
+
+    @Test
+    void rotateKekFailsIfAliasDoesNotExist() {
+        try (var facade = factory.build()) {
+            facade.start();
+            var manager = facade.getTestKekManager();
+
+            assertThatThrownBy(() -> manager.rotateKek(ALIAS))
+                    .isInstanceOf(UnknownAliasException.class);
+        }
+    }
+
+    @Test
+    void deleteKekFailsIfAliasDoesNotExist() {
+        try (var facade = factory.build()) {
+            facade.start();
+            var manager = facade.getTestKekManager();
+
+            assertThatThrownBy(() -> manager.deleteKek(ALIAS))
+                    .isInstanceOf(UnknownAliasException.class);
+        }
+    }
+}