update the example to use localstack

Author: itstheceo

pom.xml

@@ -273,9 +273,15 @@
             <scope>test</scope>
         </dependency>
         <dependency>
-            <groupId>software.amazon.awssdk</groupId>
-            <artifactId>sso</artifactId>
-            <version>2.25.65</version>
+            <groupId>org.testcontainers</groupId>
+            <artifactId>junit-jupiter</artifactId>
+            <version>1.19.8</version>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.testcontainers</groupId>
+            <artifactId>localstack</artifactId>
+            <version>1.19.8</version>
             <scope>test</scope>
         </dependency>
     </dependencies>

src/test/java/org/biscuitsec/biscuit/token/KmsSignerExampleTest.java

@@ -1,109 +1,94 @@
 package org.biscuitsec.biscuit.token;
 
 import biscuit.format.schema.Schema.PublicKey.Algorithm;
-import net.i2p.crypto.eddsa.Utils;
 import org.biscuitsec.biscuit.crypto.KeyPair;
 import org.biscuitsec.biscuit.crypto.PublicKey;
 import org.biscuitsec.biscuit.crypto.Signer;
 import org.biscuitsec.biscuit.error.Error;
 import org.bouncycastle.asn1.ASN1InputStream;
 import org.bouncycastle.asn1.x509.SubjectPublicKeyInfo;
 import org.bouncycastle.asn1.x9.ECNamedCurveTable;
-import org.junit.jupiter.api.AfterAll;
-import org.junit.jupiter.api.BeforeAll;
+import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
+import org.testcontainers.containers.localstack.LocalStackContainer;
+import org.testcontainers.junit.jupiter.Container;
+import org.testcontainers.junit.jupiter.Testcontainers;
+import org.testcontainers.utility.DockerImageName;
+import software.amazon.awssdk.auth.credentials.AwsBasicCredentials;
+import software.amazon.awssdk.auth.credentials.StaticCredentialsProvider;
 import software.amazon.awssdk.core.SdkBytes;
-import software.amazon.awssdk.core.exception.SdkClientException;
+import software.amazon.awssdk.regions.Region;
 import software.amazon.awssdk.services.kms.KmsClient;
+import software.amazon.awssdk.services.kms.model.KeySpec;
+import software.amazon.awssdk.services.kms.model.KeyUsageType;
 import software.amazon.awssdk.services.kms.model.SigningAlgorithmSpec;
 
 import java.io.ByteArrayInputStream;
 import java.io.IOException;
 import java.security.InvalidKeyException;
 import java.security.NoSuchAlgorithmException;
 import java.security.SignatureException;
-import java.util.function.Function;
 
-import static java.lang.ProcessBuilder.Redirect;
 import static org.junit.jupiter.api.Assertions.assertDoesNotThrow;
-import static org.junit.jupiter.api.Assertions.fail;
-
 
+@Testcontainers
 public class KmsSignerExampleTest {
 
-    private static final String AWS_PROFILE = null;
-    private static final String AWS_REGION = null;
-    private static final String KMS_KEY_ARN = null;
+    private static final DockerImageName LOCALSTACK_IMAGE = DockerImageName.parse("localstack/localstack:3.0.1");
 
-    @BeforeAll
-    public static void setup() {
-        System.setProperty("aws.region", AWS_REGION);
-        System.setProperty("aws.profile", AWS_PROFILE);
-    }
+    @Container
+    public static LocalStackContainer LOCALSTACK = new LocalStackContainer(LOCALSTACK_IMAGE)
+            .withServices(LocalStackContainer.Service.KMS);
 
-    @AfterAll
-    public static void teardown() {
-        System.clearProperty("aws.region");
-        System.clearProperty("aws.profile");
-    }
+    private KmsClient kmsClient;
+    private String kmsKeyId;
 
-//    @Test
-    public void createWithRemoteSigner() throws Error {
-        Function<String, byte[]> getPublicKeyBytes = (keyId) -> {
-            try (var kmsClient = KmsClient.create()) {
-                var publicKeyResponse = kmsClient.getPublicKey(b -> b.keyId(keyId).build());
-                return convertDEREncodedX509PublicKeyToSEC1CompressedEncodedPublicKey(publicKeyResponse.publicKey().asByteArray());
-            }
-        };
+    @BeforeEach
+    public void setup() {
+        var credentials = AwsBasicCredentials.create(LOCALSTACK.getAccessKey(), LOCALSTACK.getSecretKey());
+        kmsClient = KmsClient.builder()
+                .endpointOverride(LOCALSTACK.getEndpointOverride(LocalStackContainer.Service.KMS))
+                .credentialsProvider(StaticCredentialsProvider.create(credentials))
+                .region(Region.of(LOCALSTACK.getRegion()))
+                .build();
 
-        byte[] publicKeyBytes;
-        try {
-            publicKeyBytes = getPublicKeyBytes.apply(KMS_KEY_ARN);
-        } catch (SdkClientException e) {
-            sso();
-            publicKeyBytes = getPublicKeyBytes.apply(KMS_KEY_ARN);
-        }
+        // ECC_NIST_P256 == SECP256R1
+        kmsKeyId = kmsClient.createKey(b -> b
+                .keySpec(KeySpec.ECC_NIST_P256)
+                .keyUsage(KeyUsageType.SIGN_VERIFY)
+                .build()
+        ).keyMetadata().keyId();
+    }
 
-        var publicKey = new PublicKey(Algorithm.SECP256R1, publicKeyBytes);
+    @Test
+    public void testCreateBiscuitWithRemoteSigner() throws Error, NoSuchAlgorithmException, SignatureException, InvalidKeyException {
+        var getPublicKeyResponse = kmsClient.getPublicKey(b -> b.keyId(kmsKeyId).build());
+        var x509EncodedPublicKey = getPublicKeyResponse.publicKey().asByteArray();
+        var sec1CompressedEncodedPublicKey = convertDEREncodedX509PublicKeyToSEC1CompressedEncodedPublicKey(x509EncodedPublicKey);
+        var publicKey = new PublicKey(Algorithm.SECP256R1, sec1CompressedEncodedPublicKey);
         var keyPair = KeyPair.generate(publicKey, new Signer() {
-
             @Override
             public byte[] sign(byte[] bytes) {
-                try (var kmsClient = KmsClient.create()) {
-                    var response = kmsClient.sign(builder -> builder
-                            .keyId(KMS_KEY_ARN)
-                            .signingAlgorithm(SigningAlgorithmSpec.ECDSA_SHA_256)
-                            .message(SdkBytes.fromByteArray(bytes))
-                    );
-                    var signature = response.signature().asByteArray();
-                    var hex = Utils.bytesToHex(signature);
-                    System.out.println("Signature: " + hex);
-
-                    var sgr = KeyPair.generateSignature(Algorithm.SECP256R1);
-                    sgr.initVerify(publicKey.key);
-                    sgr.update(bytes);
-                    var verified = sgr.verify(signature);
-                    System.out.println("Verified: " + verified);
-
-                    if (!verified) {
-                        fail("Signature verification failed");
-                    }
-
-                    return signature;
-                } catch (NoSuchAlgorithmException | SignatureException | InvalidKeyException e) {
-                    throw new RuntimeException(e);
-                }
+                var signResponse = kmsClient.sign(b -> b
+                        .keyId(kmsKeyId)
+                        .signingAlgorithm(SigningAlgorithmSpec.ECDSA_SHA_256)
+                        .message(SdkBytes.fromByteArray(bytes))
+                );
+                return signResponse.signature().asByteArray();
             }
         });
-
         var biscuit = Biscuit.builder(keyPair)
                 .add_authority_fact("user(\"1234\")")
                 .add_authority_check("check if operation(\"read\")")
                 .build();
-        assertDoesNotThrow(biscuit::serialize);
+        var serializedBiscuit = assertDoesNotThrow(biscuit::serialize);
+        var unverifiedBiscuit = Biscuit.from_bytes(serializedBiscuit);
+        var deserializedBiscuit = unverifiedBiscuit.verify(publicKey);
+
+        System.out.println(deserializedBiscuit.print());
     }
 
-    static byte[] convertDEREncodedX509PublicKeyToSEC1CompressedEncodedPublicKey(byte[] publicKeyBytes) {
+    private static byte[] convertDEREncodedX509PublicKeyToSEC1CompressedEncodedPublicKey(byte[] publicKeyBytes) {
         try (ASN1InputStream asn1InputStream = new ASN1InputStream(new ByteArrayInputStream(publicKeyBytes))) {
 
             // Parse the ASN.1 encoded public key bytes
@@ -122,20 +107,4 @@ static byte[] convertDEREncodedX509PublicKeyToSEC1CompressedEncodedPublicKey(byt
             throw new RuntimeException("Error converting DER-encoded X.509 to SEC1 compressed format", e);
         }
     }
-
-    private void sso() {
-        try {
-            var code = new ProcessBuilder()
-                    .command("aws", "sso", "login", "--profile", AWS_PROFILE)
-                    .redirectOutput(Redirect.INHERIT)
-                    .redirectError(Redirect.INHERIT)
-                    .start()
-                    .waitFor();
-            if (code != 0) {
-                throw new RuntimeException("SSO login failed");
-            }
-        } catch (InterruptedException | IOException e) {
-            throw new RuntimeException(e);
-        }
-    }
 }