Merge pull request #398 from adorsys/393-update-keystore-to-use-aws-secrets-manager

Ogenbertrand · web-flow · commit c883c1b4f296 · 2025-06-27T10:34:47.000+01:00
393 update keystore to use aws secrets manager
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -98,10 +98,12 @@ curve25519-dalek = "4.1.3"
 ed25519-dalek = "2.1.1"
 tracing-subscriber = "0.3.19"
 tower-http = "0.6.2"
-aws-config = "1.1"
+aws-config = "1.6"
+aws-sdk-kms = "1.76"
+aws-sdk-secretsmanager = "1.68"
+aws_secretsmanager_caching = "1.2"
 axum-prometheus = "0.8.0"
 prometheus-client = "0.23.1"
-aws-sdk-kms = "1.49"
 base64ct = { version = "1.6.0", default-features = false }
 zeroize = { version = "1.8.1", default-features = false }
 
diff --git a/README.md b/README.md
@@ -66,16 +66,7 @@ docker run --name mongodb -d mongo
 
 ### Environmental variables
 
-You need to create a **`.env`** file in the root directory of the project and add the following variables:
-
-```sh
-SERVER_PUBLIC_DOMAIN="http://localhost:8080"
-STORAGE_DIRPATH="./storage"
-MONGO_DBN="DIDComm_DB"
-MONGO_URI="mongodb://localhost:27017"
-```
-
-> The values can be changed according to your needs.  
+You need to create a **`.env`** file in the root directory of the project. Take a look at the [example](.env.example) file for more information about the needed variables.
 
 You can now start the mediator server:
 
diff --git a/crates/keystore/Cargo.toml b/crates/keystore/Cargo.toml
@@ -1,11 +1,17 @@
 [package]
 name = "keystore"
-version = "0.1.0" 
-authors = ["adorsys GmbH Co. KG"] 
+version = "0.1.0"
+authors = ["adorsys GmbH Co. KG"]
 license = "Apache-2.0"
 description = "The `keystore` is a core component of the DIDComm Mediator system, designed to facilitate secure, decentralized communication within the Self-Sovereign Identity (SSI) ecosystem."
 repository = "https://github.com/adorsys/didcomm-mediator-rs/tree/main/crates/web-plugins/keystore"
-keywords = ["keystore", "didcomm", "didcomm mediator", "didcomm messaging", "rust mediator"]
+keywords = [
+    "keystore",
+    "didcomm",
+    "didcomm mediator",
+    "didcomm messaging",
+    "rust mediator",
+]
 categories = ["cryptography"]
 edition = "2021"
 
@@ -19,9 +25,13 @@ mongodb.workspace = true
 database.workspace = true
 serde.workspace = true
 eyre.workspace = true
+tracing.workspace = true
 thiserror.workspace = true
 serde_json.workspace = true
+aws-config.workspace = true
 aws-sdk-kms.workspace = true
+aws-sdk-secretsmanager.workspace = true
+aws_secretsmanager_caching.workspace = true
 tokio = { workspace = true, features = ["full"] }
 
 [features]
diff --git a/crates/keystore/src/error.rs b/crates/keystore/src/error.rs
@@ -2,6 +2,10 @@ use core::fmt::{Debug, Display};
 use std::error::Error as StdError;
 
 use aws_sdk_kms::operation::{decrypt::DecryptError, encrypt::EncryptError};
+use aws_sdk_secretsmanager::operation::{
+    create_secret::CreateSecretError, delete_secret::DeleteSecretError,
+    describe_secret::DescribeSecretError, get_secret_value::GetSecretValueError,
+};
 use serde_json::error::Category;
 
 /// Kind of error that can occur during key store operations.
@@ -106,6 +110,30 @@ impl From<aws_sdk_kms::error::SdkError<DecryptError>> for Error {
     }
 }
 
+impl From<aws_sdk_secretsmanager::error::SdkError<DescribeSecretError>> for Error {
+    fn from(err: aws_sdk_secretsmanager::error::SdkError<DescribeSecretError>) -> Self {
+        Error::new(ErrorKind::RepositoryFailure, err)
+    }
+}
+
+impl From<aws_sdk_secretsmanager::error::SdkError<CreateSecretError>> for Error {
+    fn from(err: aws_sdk_secretsmanager::error::SdkError<CreateSecretError>) -> Self {
+        Error::new(ErrorKind::RepositoryFailure, err)
+    }
+}
+
+impl From<aws_sdk_secretsmanager::error::SdkError<GetSecretValueError>> for Error {
+    fn from(err: aws_sdk_secretsmanager::error::SdkError<GetSecretValueError>) -> Self {
+        Error::new(ErrorKind::RepositoryFailure, err)
+    }
+}
+
+impl From<aws_sdk_secretsmanager::error::SdkError<DeleteSecretError>> for Error {
+    fn from(err: aws_sdk_secretsmanager::error::SdkError<DeleteSecretError>) -> Self {
+        Error::new(ErrorKind::RepositoryFailure, err)
+    }
+}
+
 impl std::error::Error for Error {
     fn source(&self) -> Option<&(dyn StdError + 'static)> {
         Some(self.source())
diff --git a/crates/keystore/src/lib.rs b/crates/keystore/src/lib.rs
@@ -10,14 +10,15 @@ mod repository;
 #[cfg(any(test, feature = "test-utils"))]
 mod tests;
 
+use aws_config::SdkConfig;
 // Public re-exports
 pub use encryptor::KeyEncryption;
 pub use error::{Error, ErrorKind};
 pub use repository::SecretRepository;
 
 use aws_sdk_kms::Client as KmsClient;
 use encryptor::{aws_kms::AwsKmsEncryptor, plaintext::NoEncryption};
-use repository::{mongodb::MongoSecretRepository, no_repo::NoRepository};
+use repository::{aws::AwsSecretsManager, mongodb::MongoSecretRepository, no_repo::NoRepository};
 use serde::{Deserialize, Serialize};
 use std::sync::Arc;
 
@@ -98,6 +99,25 @@ impl Keystore {
         }
     }
 
+    /// Create a new key store with AWS Secrets Manager as storage backend.
+    ///
+    /// # Example
+    ///
+    /// ```no_run
+    /// use keystore::Keystore;
+    ///
+    /// let config = aws_config::load_from_env().await;
+    /// let keystore = Keystore::with_aws_secrets_manager(&config);
+    /// ```
+    pub async fn with_aws_secrets_manager(config: &SdkConfig) -> Self {
+        let repository = AwsSecretsManager::new(config).await;
+        let encryptor = NoEncryption;
+        Self {
+            repository: Arc::new(repository),
+            encryptor: Arc::new(encryptor),
+        }
+    }
+
     /// Create a new key store with **AWS KMS** as encryption backend and mongoDB as storage backend.
     ///
     /// # Example
diff --git a/crates/keystore/src/repository.rs b/crates/keystore/src/repository.rs
@@ -1,3 +1,4 @@
+pub(crate) mod aws;
 pub(crate) mod mongodb;
 pub(crate) mod no_repo;
 
diff --git a/crates/keystore/src/repository/aws.rs b/crates/keystore/src/repository/aws.rs
@@ -0,0 +1,93 @@
+use std::{num::NonZeroUsize, time::Duration};
+
+use async_trait::async_trait;
+use aws_config::SdkConfig;
+use aws_sdk_secretsmanager::{
+    operation::get_secret_value::GetSecretValueError, Client as SecretsClient,
+    Config as SecretsConfig,
+};
+use aws_secretsmanager_caching::SecretsManagerCachingClient as SecretsCacheClient;
+use eyre::eyre;
+use tracing::warn;
+
+use crate::{Error, ErrorKind};
+
+use super::SecretRepository;
+
+/// Type used for AWS Secrets Manager operations
+pub(crate) struct AwsSecretsManager {
+    client: SecretsClient,
+    cache: SecretsCacheClient,
+}
+
+impl AwsSecretsManager {
+    /// Create a new instance of [AwsSecretsManager] with the given AWS SDK config
+    pub async fn new(config: &SdkConfig) -> Self {
+        let client = SecretsClient::new(config);
+        // Cache size: 100 and a TTL of 5 minutes
+        let cache = SecretsCacheClient::from_builder(
+            SecretsConfig::from(config).to_builder(),
+            NonZeroUsize::new(100).unwrap(),
+            Duration::from_secs(300),
+            true,
+        )
+        .await
+        .unwrap();
+
+        Self { client, cache }
+    }
+}
+
+#[async_trait]
+impl SecretRepository for AwsSecretsManager {
+    async fn store(&self, name: &str, data: &[u8]) -> Result<(), Error> {
+        use aws_sdk_secretsmanager::error::SdkError;
+
+        // Store a secret only if it does not already exist
+        match self.client.describe_secret().secret_id(name).send().await {
+            Ok(_) => {
+                warn!("Secret {name} already exists. Skipping...");
+                Ok(())
+            }
+            Err(SdkError::ServiceError(err)) if err.err().is_resource_not_found_exception() => {
+                let secret = String::from_utf8_lossy(data).to_string();
+                // Secret does not exist, try to create it
+                self.client
+                    .create_secret()
+                    .name(name)
+                    .secret_string(secret)
+                    .send()
+                    .await?;
+                Ok(())
+            }
+            Err(sdk_err) => Err(sdk_err.into()),
+        }
+    }
+
+    async fn find(&self, name: &str) -> Result<Option<Vec<u8>>, Error> {
+        use aws_sdk_secretsmanager::error::SdkError;
+
+        match self.cache.get_secret_value(name, None, None, false).await {
+            Ok(value) => Ok(value.secret_string.map(|s| s.into_bytes())),
+            Err(err) => {
+                // Check for ResourceNotFoundException
+                if let Some(SdkError::ServiceError(service_err)) =
+                    err.downcast_ref::<SdkError<GetSecretValueError>>()
+                {
+                    if service_err.err().is_resource_not_found_exception() {
+                        return Ok(None);
+                    }
+                }
+                Err(Error::msg(ErrorKind::RepositoryFailure, eyre!("{err}")))
+            }
+        }
+    }
+
+    async fn delete(&self, name: &str) -> Result<(), Error> {
+        self.client.delete_secret().secret_id(name).send().await?;
+
+        // Invalidate cache by refreshing the secret
+        let _ = self.cache.get_secret_value(name, None, None, true).await;
+        Ok(())
+    }
+}
diff --git a/crates/web-plugins/did-endpoint/Cargo.toml b/crates/web-plugins/did-endpoint/Cargo.toml
@@ -23,6 +23,7 @@ dotenv-flow.workspace = true
 multibase.workspace = true
 tracing.workspace = true
 http-body-util.workspace = true
+aws-config.workspace = true
 uuid = { workspace = true, features = ["v4"] }
 hyper = { workspace = true, features = ["full"] }
 tokio = { workspace = true, features = ["full"] }
diff --git a/crates/web-plugins/did-endpoint/src/plugin.rs b/crates/web-plugins/did-endpoint/src/plugin.rs
@@ -1,9 +1,11 @@
 use super::{didgen, web};
+use aws_config::BehaviorVersion;
 use axum::Router;
 use filesystem::FileSystem;
 use keystore::Keystore;
 use plugin_api::{Plugin, PluginError};
 use std::sync::{Arc, Mutex};
+use tokio::{runtime::Handle, task};
 
 #[derive(Default)]
 pub struct DidEndpoint {
@@ -44,7 +46,12 @@ impl Plugin for DidEndpoint {
     fn mount(&mut self) -> Result<(), PluginError> {
         let env = get_env()?;
         let mut filesystem = filesystem::StdFileSystem;
-        let keystore = Keystore::with_mongodb();
+        let keystore = task::block_in_place(move || {
+            Handle::current().block_on(async move {
+                let aws_config = aws_config::load_defaults(BehaviorVersion::latest()).await;
+                Keystore::with_aws_secrets_manager(&aws_config).await
+            })
+        });
 
         if didgen::validate_diddoc(env.storage_dirpath.as_ref(), &keystore, &mut filesystem)
             .is_err()
diff --git a/crates/web-plugins/didcomm-messaging/Cargo.toml b/crates/web-plugins/didcomm-messaging/Cargo.toml
@@ -34,6 +34,7 @@ once_cell.workspace = true
 serde_json.workspace = true
 thiserror.workspace = true
 http-body-util.workspace = true
+aws-config.workspace = true
 tokio = { workspace = true, features = ["full"] }
 hyper = { workspace = true, features = ["full"] }
 axum = { workspace = true, features = ["macros"] }
diff --git a/crates/web-plugins/didcomm-messaging/src/plugin.rs b/crates/web-plugins/didcomm-messaging/src/plugin.rs
@@ -1,6 +1,7 @@
 use crate::{manager::MessagePluginContainer, web};
 use axum::Router;
 use filesystem::StdFileSystem;
+use keystore::Keystore;
 use mongodb::Database;
 use once_cell::sync::OnceCell;
 use plugin_api::{Plugin, PluginError};
@@ -19,6 +20,7 @@ pub struct DidcommMessaging {
     env: Option<DidcommMessagingPluginEnv>,
     db: Option<Database>,
     msg_types: Option<Vec<String>>,
+    keystore: Option<Keystore>,
 }
 
 struct DidcommMessagingPluginEnv {
@@ -51,10 +53,18 @@ impl Plugin for DidcommMessaging {
     }
 
     fn mount(&mut self) -> Result<(), PluginError> {
+        use aws_config::BehaviorVersion;
+        use tokio::{runtime::Handle, task};
+
         let env = load_plugin_env()?;
 
         let mut filesystem = filesystem::StdFileSystem;
-        let keystore = keystore::Keystore::with_mongodb();
+        let keystore = task::block_in_place(move || {
+            Handle::current().block_on(async move {
+                let aws_config = aws_config::load_defaults(BehaviorVersion::latest()).await;
+                Keystore::with_aws_secrets_manager(&aws_config).await
+            })
+        });
 
         // Expect DID document from file system
         if let Err(err) =
@@ -99,6 +109,7 @@ impl Plugin for DidcommMessaging {
         self.env = Some(env);
         self.db = Some(db);
         self.msg_types = Some(msg_types);
+        self.keystore = Some(keystore);
 
         Ok(())
     }
@@ -118,6 +129,9 @@ impl Plugin for DidcommMessaging {
         let msg_types = self.msg_types.as_ref().ok_or(PluginError::Other(
             "Failed to get message types. Check if the plugin is mounted".to_owned(),
         ))?;
+        let keystore = self.keystore.as_ref().ok_or(PluginError::Other(
+            "Failed to get keystore. Check if the plugin is mounted".to_owned(),
+        ))?;
 
         // Load crypto identity
         let fs = StdFileSystem;
@@ -127,12 +141,10 @@ impl Plugin for DidcommMessaging {
                 err
             ))
         })?;
-        let keystore = keystore::Keystore::with_mongodb();
-
         // Load persistence layer
         let repository = AppStateRepository {
             connection_repository: Arc::new(MongoConnectionRepository::from_db(db)),
-            keystore,
+            keystore: keystore.clone(),
             message_repository: Arc::new(MongoMessagesRepository::from_db(db)),
         };
 
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -1,5 +1,3 @@
-version: '3.8'
-
 services:
   mediator:
     build:
@@ -10,7 +8,8 @@ services:
     env_file:
       - .env  
     depends_on:
-      - mongodb
+      mongodb:
+        condition: service_healthy
     networks:
       - mediator-network
 

Original file line number	Diff line number	Diff line change
`@@ -1,3 +1,4 @@`
	`1`	`+pub(crate) mod aws;`
`1`	`2`	`pub(crate) mod mongodb;`
`2`	`3`	`pub(crate) mod no_repo;`
`3`	`4`