From 0101fe80c5a596bf323bc9e4a4849d79ad496980 Mon Sep 17 00:00:00 2001 From: MohitKatare-protean Date: Fri, 16 May 2025 18:06:12 +0530 Subject: [PATCH 1/8] Initial commit for the keymanager plugin --- go.mod | 21 +- go.sum | 60 ++- .../implementation/keymanager/cmd/plugin.go | 31 ++ .../implementation/keymanager/keymanager.go | 370 ++++++++++++++++++ 4 files changed, 478 insertions(+), 4 deletions(-) create mode 100644 pkg/plugin/implementation/keymanager/cmd/plugin.go create mode 100644 pkg/plugin/implementation/keymanager/keymanager.go diff --git a/go.mod b/go.mod index 12fad60..2e23b33 100644 --- a/go.mod +++ b/go.mod @@ -13,9 +13,9 @@ require ( require github.com/stretchr/testify v1.10.0 require ( - github.com/davecgh/go-spew v1.1.1 // indirect + github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect github.com/hashicorp/go-cleanhttp v0.5.2 // indirect - github.com/pmezard/go-difflib v1.0.0 // indirect + github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect github.com/stretchr/objx v0.5.2 // indirect gopkg.in/yaml.v3 v3.0.1 ) @@ -25,13 +25,30 @@ require github.com/zenazn/pkcs7pad v0.0.0-20170308005700-253a5b1f0e03 require golang.org/x/text v0.23.0 // indirect require ( + github.com/cenkalti/backoff/v4 v4.3.0 // indirect + github.com/go-jose/go-jose/v4 v4.0.1 // indirect + github.com/google/go-cmp v0.6.0 // indirect + github.com/hashicorp/errwrap v1.1.0 // indirect + github.com/hashicorp/go-multierror v1.1.1 // indirect + github.com/hashicorp/go-rootcerts v1.0.2 // indirect + github.com/hashicorp/go-secure-stdlib/parseutil v0.1.6 // indirect + github.com/hashicorp/go-secure-stdlib/strutil v0.1.2 // indirect + github.com/hashicorp/go-sockaddr v1.0.2 // indirect + github.com/hashicorp/hcl v1.0.0 // indirect github.com/mattn/go-colorable v0.1.13 // indirect github.com/mattn/go-isatty v0.0.20 // indirect + github.com/mitchellh/go-homedir v1.1.0 // indirect + github.com/mitchellh/mapstructure v1.5.0 // indirect + github.com/ryanuber/go-glob v1.0.0 // indirect + golang.org/x/net v0.38.0 // indirect golang.org/x/sys v0.31.0 // indirect + golang.org/x/time v0.0.0-20200416051211-89c76fbcd5d1 // indirect ) require ( + github.com/google/uuid v1.6.0 github.com/hashicorp/go-retryablehttp v0.7.7 + github.com/hashicorp/vault/api v1.16.0 github.com/rs/zerolog v1.34.0 gopkg.in/natefinch/lumberjack.v2 v2.2.1 gopkg.in/yaml.v2 v2.4.0 diff --git a/go.sum b/go.sum index 821e117..c909290 100644 --- a/go.sum +++ b/go.sum @@ -1,18 +1,52 @@ +github.com/armon/go-radix v0.0.0-20180808171621-7fddfc383310/go.mod h1:ufUuZ+zHj4x4TnLV4JWEpy2hxWSpsRywHrMgIH9cCH8= +github.com/bgentry/speakeasy v0.1.0/go.mod h1:+zsyZBPWlz7T6j88CTgSN5bM796AkVf0kBD4zp0CCIs= +github.com/cenkalti/backoff/v4 v4.3.0 h1:MyRJ/UdXutAwSAT+s3wNd7MfTIcy71VQueUuFK343L8= +github.com/cenkalti/backoff/v4 v4.3.0/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE= github.com/coreos/go-systemd/v22 v22.5.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc= github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= -github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= +github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= +github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM= +github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/dlclark/regexp2 v1.11.0 h1:G/nrcoOa7ZXlpoa/91N3X7mM3r8eIlMBBJZvsz/mxKI= github.com/dlclark/regexp2 v1.11.0/go.mod h1:DHkYz0B9wPfa6wondMfaivmHpzrQ3v9q8cnmRbL6yW8= +github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4= github.com/fatih/color v1.16.0 h1:zmkK9Ngbjj+K0yRhTVONQh1p/HknKYSlNT+vZCzyokM= github.com/fatih/color v1.16.0/go.mod h1:fL2Sau1YI5c0pdGEVCbKQbLXB6edEj1ZgiY4NijnWvE= +github.com/go-jose/go-jose/v4 v4.0.1 h1:QVEPDE3OluqXBQZDcnNvQrInro2h0e4eqNbnZSWqS6U= +github.com/go-jose/go-jose/v4 v4.0.1/go.mod h1:WVf9LFMHh/QVrmqrOfqun0C45tMe3RoiKJMPvgWwLfY= +github.com/go-test/deep v1.0.2 h1:onZX1rnHT3Wv6cqNgYyFOOlgVKJrksuCMCRvJStbMYw= +github.com/go-test/deep v1.0.2/go.mod h1:wGDj63lr65AM2AQyKZd/NYHGb0R+1RLqB8NKt3aSFNA= github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA= +github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI= +github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= +github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0= +github.com/google/uuid v1.6.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= +github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= +github.com/hashicorp/errwrap v1.1.0 h1:OxrOeh75EUXMY8TBjag2fzXGZ40LB6IKw45YeGUDY2I= +github.com/hashicorp/errwrap v1.1.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= github.com/hashicorp/go-cleanhttp v0.5.2 h1:035FKYIWjmULyFRBKPs8TBQoi0x6d9G4xc9neXJWAZQ= github.com/hashicorp/go-cleanhttp v0.5.2/go.mod h1:kO/YDlP8L1346E6Sodw+PrpBSV4/SoxCXGY6BqNFT48= github.com/hashicorp/go-hclog v1.6.3 h1:Qr2kF+eVWjTiYmU7Y31tYlP1h0q/X3Nl3tPGdaB11/k= github.com/hashicorp/go-hclog v1.6.3/go.mod h1:W4Qnvbt70Wk/zYJryRzDRU/4r0kIg0PVHBcfoyhpF5M= +github.com/hashicorp/go-multierror v1.0.0/go.mod h1:dHtQlpGsu+cZNNAkkCN/P3hoUDHhCYQXV3UM06sGGrk= +github.com/hashicorp/go-multierror v1.1.1 h1:H5DkEtf6CXdFp0N0Em5UCwQpXMWke8IA0+lD48awMYo= +github.com/hashicorp/go-multierror v1.1.1/go.mod h1:iw975J/qwKPdAO1clOe2L8331t/9/fmwbPZ6JB6eMoM= github.com/hashicorp/go-retryablehttp v0.7.7 h1:C8hUCYzor8PIfXHa4UrZkU4VvK8o9ISHxT2Q8+VepXU= github.com/hashicorp/go-retryablehttp v0.7.7/go.mod h1:pkQpWZeYWskR+D1tR2O5OcBFOxfA7DoAO6xtkuQnHTk= +github.com/hashicorp/go-rootcerts v1.0.2 h1:jzhAVGtqPKbwpyCPELlgNWhE1znq+qwJtW5Oi2viEzc= +github.com/hashicorp/go-rootcerts v1.0.2/go.mod h1:pqUvnprVnM5bf7AOirdbb01K4ccR319Vf4pU3K5EGc8= +github.com/hashicorp/go-secure-stdlib/parseutil v0.1.6 h1:om4Al8Oy7kCm/B86rLCLah4Dt5Aa0Fr5rYBG60OzwHQ= +github.com/hashicorp/go-secure-stdlib/parseutil v0.1.6/go.mod h1:QmrqtbKuxxSWTN3ETMPuB+VtEiBJ/A9XhoYGv8E1uD8= +github.com/hashicorp/go-secure-stdlib/strutil v0.1.1/go.mod h1:gKOamz3EwoIoJq7mlMIRBpVTAUn8qPCrEclOKKWhD3U= +github.com/hashicorp/go-secure-stdlib/strutil v0.1.2 h1:kes8mmyCpxJsI7FTwtzRqEy9CdjCtrXrXGuOpxEA7Ts= +github.com/hashicorp/go-secure-stdlib/strutil v0.1.2/go.mod h1:Gou2R9+il93BqX25LAKCLuM+y9U2T4hlwvT1yprcna4= +github.com/hashicorp/go-sockaddr v1.0.2 h1:ztczhD1jLxIRjVejw8gFomI1BQZOe2WoVOu0SyteCQc= +github.com/hashicorp/go-sockaddr v1.0.2/go.mod h1:rB4wwRAUzs07qva3c5SdrY/NEtAUjGlgmH/UkBUC97A= +github.com/hashicorp/hcl v1.0.0 h1:0Anlzjpi4vEasTeNFn2mLJgTSwt0+6sfsiTG8qcWGx4= +github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ= +github.com/hashicorp/vault/api v1.16.0 h1:nbEYGJiAPGzT9U4oWgaaB0g+Rj8E59QuHKyA5LhwQN4= +github.com/hashicorp/vault/api v1.16.0/go.mod h1:KhuUhzOD8lDSk29AtzNjgAu2kxRA9jL9NAbkFlqvkBA= github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI= github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE= github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk= @@ -20,32 +54,51 @@ github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE= +github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU= github.com/mattn/go-colorable v0.1.13 h1:fFA4WZxdEF4tXPZVKMLwD8oUnCTTo08duU7wxecdEvA= github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg= +github.com/mattn/go-isatty v0.0.3/go.mod h1:M+lRXTBqGeGNdLjl/ufCoiOlB5xdOkqRJdNxMWT7Zi4= github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM= github.com/mattn/go-isatty v0.0.19/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y= github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY= github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y= +github.com/mitchellh/cli v1.0.0/go.mod h1:hNIlj7HEI86fIcpObd7a0FcrxTWetlwJDGcceTlRvqc= +github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y= +github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0= +github.com/mitchellh/go-wordwrap v1.0.0/go.mod h1:ZXFpozHsX6DPmq2I0TCekCxypsnAUbP2oI0UX1GXzOo= +github.com/mitchellh/mapstructure v1.4.1/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo= +github.com/mitchellh/mapstructure v1.5.0 h1:jeMsZIYE/09sWLaz43PL7Gy6RuMjD2eJVyuac5Z2hdY= +github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RRV2QTWOzhPopBRo= github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e/go.mod h1:pJLUxLENpZxwdsKMEsNbx1VGcRFpLqf3715MtcvvzbA= github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= -github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= +github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U= +github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= +github.com/posener/complete v1.1.1/go.mod h1:em0nMJCgc9GFtwrmVmEMR/ZL6WyhyjMBndrE9hABlRI= github.com/rogpeppe/go-internal v1.9.0/go.mod h1:WtVeX8xhTBvf0smdhujwtBcq4Qrzq/fJaraNFVN+nFs= github.com/rogpeppe/go-internal v1.13.1 h1:KvO1DLK/DRN07sQ1LQKScxyZJuNnedQ5/wKSR38lUII= github.com/rogpeppe/go-internal v1.13.1/go.mod h1:uMEvuHeurkdAXX61udpOXGD/AzZDWNMNyH2VO9fmH0o= github.com/rs/xid v1.6.0/go.mod h1:7XoLgs4eV+QndskICGsho+ADou8ySMSjJKDIan90Nz0= github.com/rs/zerolog v1.34.0 h1:k43nTLIwcTVQAncfCw4KZ2VY6ukYoZaBPNOE8txlOeY= github.com/rs/zerolog v1.34.0/go.mod h1:bJsvje4Z08ROH4Nhs5iH600c3IkWhwp44iRc54W6wYQ= +github.com/ryanuber/columnize v2.1.0+incompatible/go.mod h1:sm1tb6uqfes/u+d4ooFouqFdy9/2g9QGwK3SQygK0Ts= +github.com/ryanuber/go-glob v1.0.0 h1:iQh3xXAumdQ+4Ufa5b25cRpC5TYKlno6hsv6Cb3pkBk= +github.com/ryanuber/go-glob v1.0.0/go.mod h1:807d1WSdnB0XRJzKNil9Om6lcp/3a0v4qIHxIXzX/Yc= github.com/santhosh-tekuri/jsonschema/v6 v6.0.1 h1:PKK9DyHxif4LZo+uQSgXNqs0jj5+xZwwfKHgph2lxBw= github.com/santhosh-tekuri/jsonschema/v6 v6.0.1/go.mod h1:JXeL+ps8p7/KNMjDQk3TCwPpBy0wYklyWTfbkIzdIFU= +github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= github.com/stretchr/objx v0.5.2 h1:xuMeJ0Sdp5ZMRXx/aWO6RZxdr3beISkG5/G/aIRr3pY= github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA= +github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/stretchr/testify v1.10.0 h1:Xv5erBjTwe/5IxqUQTdXv5kgmIvbHo3QQyRwhJsOfJA= github.com/stretchr/testify v1.10.0/go.mod h1:r2ic/lqez/lEtzL7wO/rwa5dbSLXVDPFyf8C91i36aY= github.com/zenazn/pkcs7pad v0.0.0-20170308005700-253a5b1f0e03 h1:m1h+vudopHsI67FPT9MOncyndWhTcdUoBtI1R1uajGY= github.com/zenazn/pkcs7pad v0.0.0-20170308005700-253a5b1f0e03/go.mod h1:8sheVFH84v3PCyFY/O02mIgSQY9I6wMYPWsq7mDnEZY= golang.org/x/crypto v0.36.0 h1:AnAEvhDddvBdpY+uR+MyHmuZzzNqXSe/GvuDeob5L34= golang.org/x/crypto v0.36.0/go.mod h1:Y4J0ReaxCR1IMaabaSMugxJES1EpwhBHhv2bDHklZvc= +golang.org/x/net v0.38.0 h1:vRMAPTMaeGqVhG5QyLJHqNDwecKTomGeqbnfZyKlBI8= +golang.org/x/net v0.38.0/go.mod h1:ivrbrMbzFq5J41QOQh0siUuly180yBYtLp+CKbEaFx8= +golang.org/x/sys v0.0.0-20180823144017-11551d06cbcc/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= @@ -53,6 +106,8 @@ golang.org/x/sys v0.31.0 h1:ioabZlmFYtWhL+TRYpcnNlLwhyxaM9kWTDEmfnprqik= golang.org/x/sys v0.31.0/go.mod h1:BJP2sWEmIv4KK5OTEluFJCKSidICx8ciO85XgH3Ak8k= golang.org/x/text v0.23.0 h1:D71I7dUrlY+VX0gQShAThNGHFxZ13dGLBHQLVl1mJlY= golang.org/x/text v0.23.0/go.mod h1:/BLNzu4aZCJ1+kcD0DNRotWKage4q2rGVAg4o22unh4= +golang.org/x/time v0.0.0-20200416051211-89c76fbcd5d1 h1:NusfzzA6yGQ+ua51ck7E3omNUX/JuqbFSaRGqU8CcLI= +golang.org/x/time v0.0.0-20200416051211-89c76fbcd5d1/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q= @@ -60,5 +115,6 @@ gopkg.in/natefinch/lumberjack.v2 v2.2.1 h1:bBRl1b0OH9s/DuPhuXpNl+VtCaJXFZ5/uEFST gopkg.in/natefinch/lumberjack.v2 v2.2.1/go.mod h1:YD8tP3GAjkrDg1eZH7EGmyESg/lsYskCTPBJVb9jqSc= gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY= gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= +gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= diff --git a/pkg/plugin/implementation/keymanager/cmd/plugin.go b/pkg/plugin/implementation/keymanager/cmd/plugin.go new file mode 100644 index 0000000..9326a8b --- /dev/null +++ b/pkg/plugin/implementation/keymanager/cmd/plugin.go @@ -0,0 +1,31 @@ +package main + +import ( + "context" + + "github.com/beckn/beckn-onix/pkg/log" + "github.com/beckn/beckn-onix/pkg/plugin/definition" + "github.com/beckn/beckn-onix/pkg/plugin/implementation/keymanager" +) + +// keyManagerProvider implements the plugin provider for the KeyManager plugin. +type keyManagerProvider struct{} + +// New creates and initializes a new KeyManager instance using the provided cache, registry lookup, and configuration. +func (k *keyManagerProvider) New(ctx context.Context, cache definition.Cache, registry definition.RegistryLookup, cfg map[string]string) (definition.KeyManager, func() error, error) { + config := &keymanager.Config{ + VaultAddr: cfg["vault_addr"], + KVVersion: cfg["kv_version"], + } + log.Debugf(ctx, "Keymanager config mapped: %+v", cfg) + km, cleanup, err := keymanager.New(ctx, cache, registry, config) + if err != nil { + log.Error(ctx, err, "Failed to initialize KeyManager") + return nil, nil, err + } + log.Debugf(ctx, "KeyManager instance created successfully") + return km, cleanup, nil +} + +// Provider is the exported instance of keyManagerProvider used for plugin registration. +var Provider = keyManagerProvider{} diff --git a/pkg/plugin/implementation/keymanager/keymanager.go b/pkg/plugin/implementation/keymanager/keymanager.go new file mode 100644 index 0000000..229fa2b --- /dev/null +++ b/pkg/plugin/implementation/keymanager/keymanager.go @@ -0,0 +1,370 @@ +package keymanager + +import ( + "context" + "crypto/ecdh" + "crypto/ed25519" + "crypto/rand" + "encoding/base64" + "encoding/json" + "errors" + "fmt" + "os" + "time" + + "github.com/beckn/beckn-onix/pkg/log" + "github.com/beckn/beckn-onix/pkg/model" + "github.com/beckn/beckn-onix/pkg/plugin/definition" + "github.com/google/uuid" + vault "github.com/hashicorp/vault/api" +) + +// Config holds configuration parameters for connecting to Vault. +type Config struct { + VaultAddr string + KVVersion string +} + +// KeyMgr provides methods for managing cryptographic keys using Vault. +type KeyMgr struct { + VaultClient *vault.Client + Registry definition.RegistryLookup + Cache definition.Cache + KvVersion string + SecretPath string +} + +var ( + // ErrEmptyKeyID indicates that the provided key ID is empty. + ErrEmptyKeyID = errors.New("invalid request: keyID cannot be empty") + + // ErrNilKeySet indicates that the provided keyset is nil. + ErrNilKeySet = errors.New("keyset cannot be nil") + + // ErrEmptySubscriberID indicates that the provided subscriber ID is empty. + ErrEmptySubscriberID = errors.New("invalid request: subscriberID cannot be empty") + + // ErrEmptyUniqueKeyID indicates that the provided unique key ID is empty. + ErrEmptyUniqueKeyID = errors.New("invalid request: uniqueKeyID cannot be empty") + + // ErrSubscriberNotFound indicates that no subscriber was found with the provided credentials. + ErrSubscriberNotFound = errors.New("no subscriber found with given credentials") + + // ErrNilCache indicates that the cache implementation is nil. + ErrNilCache = errors.New("cache implementation cannot be nil") + + // ErrNilRegistryLookup indicates that the registry lookup implementation is nil. + ErrNilRegistryLookup = errors.New("registry lookup implementation cannot be nil") +) + +// ValidateCfg validates the Vault configuration and sets default KV version if missing. +func ValidateCfg(cfg *Config) error { + if cfg.VaultAddr == "" { + return errors.New("invalid config: VaultAddr cannot be empty") + } + if cfg.KVVersion == "" { + cfg.KVVersion = "v1" + } else if cfg.KVVersion != "v1" && cfg.KVVersion != "v2" { + return fmt.Errorf("invalid KVVersion: must be 'v1' or 'v2'") + } + return nil +} + +func New(ctx context.Context, cache definition.Cache, registryLookup definition.RegistryLookup, cfg *Config) (*KeyMgr, func() error, error) { + log.Info(ctx, "Initializing KeyManager plugin") + // Validate configuration. + if err := ValidateCfg(cfg); err != nil { + log.Error(ctx, err, "Invalid configuration for KeyManager") + return nil, nil, err + } + // Check if cache implementation is provided. + if cache == nil { + log.Error(ctx, ErrNilCache, "Cache is nil in KeyManager initialization") + return nil, nil, ErrNilCache + } + + // Check if registry lookup implementation is provided. + if registryLookup == nil { + log.Error(ctx, ErrNilRegistryLookup, "RegistryLookup is nil in KeyManager initialization") + return nil, nil, ErrNilRegistryLookup + } + + // Initialize Vault client. + log.Debugf(ctx, "Creating Vault client with address: %s", cfg.VaultAddr) + vaultClient, err := GetVaultClient(ctx, cfg.VaultAddr) + if err != nil { + log.Errorf(ctx, err, "Failed to create Vault client at address: %s", cfg.VaultAddr) + return nil, nil, fmt.Errorf("failed to create vault client: %w", err) + } + + log.Info(ctx, "Successfully created Vault client") + + // Create KeyManager instance. + km := &KeyMgr{ + VaultClient: vaultClient, + Registry: registryLookup, + Cache: cache, + KvVersion: cfg.KVVersion, + } + + // Cleanup function to release KeyManager resources. + cleanup := func() error { + log.Info(ctx, "Cleaning up KeyManager resources") + km.VaultClient = nil + km.Cache = nil + km.Registry = nil + return nil + } + + log.Info(ctx, "KeyManager plugin initialized successfully") + return km, cleanup, nil +} + +// GetVaultClient creates and authenticates a Vault client using AppRole. +func GetVaultClient(ctx context.Context, vaultAddr string) (*vault.Client, error) { + roleID := os.Getenv("VAULT_ROLE_ID") + secretID := os.Getenv("VAULT_SECRET_ID") + + if roleID == "" || secretID == "" { + log.Error(ctx, fmt.Errorf("missing credentials"), "VAULT_ROLE_ID or VAULT_SECRET_ID is not set") + return nil, fmt.Errorf("VAULT_ROLE_ID or VAULT_SECRET_ID is not set") + } + + config := vault.DefaultConfig() + config.Address = vaultAddr + + client, err := vault.NewClient(config) + if err != nil { + log.Error(ctx, err, "failed to create Vault client") + return nil, fmt.Errorf("failed to create Vault client: %w", err) + } + + data := map[string]interface{}{ + "role_id": roleID, + "secret_id": secretID, + } + + log.Info(ctx, "Logging into Vault with AppRole") + resp, err := client.Logical().Write("auth/approle/login", data) + if err != nil { + log.Error(ctx, err, "failed to login with AppRole") + return nil, fmt.Errorf("failed to login with AppRole: %w", err) + } + if resp == nil || resp.Auth == nil { + log.Error(ctx, nil, "AppRole login failed: no auth info returned") + return nil, errors.New("AppRole login failed: no auth info returned") + } + + log.Info(ctx, "Vault login successful") + client.SetToken(resp.Auth.ClientToken) + return client, nil +} + +// GenerateKeyPairs generates a new signing (Ed25519) and encryption (X25519) key pair. +func (km *KeyMgr) GenerateKeyPairs() (*model.Keyset, error) { + signingPublic, signingPrivate, err := ed25519.GenerateKey(rand.Reader) + if err != nil { + return nil, fmt.Errorf("failed to generate signing key pair: %w", err) + } + + encrPrivateKey, err := ecdh.X25519().GenerateKey(rand.Reader) + if err != nil { + return nil, fmt.Errorf("failed to generate encryption key pair: %w", err) + } + encrPublicKey := encrPrivateKey.PublicKey().Bytes() + uuid, err := uuid.NewRandom() + if err != nil { + return nil, fmt.Errorf("failed to generate unique key id uuid: %w", err) + } + return &model.Keyset{ + UniqueKeyID: uuid.String(), + SigningPrivate: encodeBase64(signingPrivate.Seed()), + SigningPublic: encodeBase64(signingPublic), + EncrPrivate: encodeBase64(encrPrivateKey.Bytes()), + EncrPublic: encodeBase64(encrPublicKey), + }, nil +} + +// StorePrivateKeys stores the given keyset in Vault under the specified key ID. +func (km *KeyMgr) StorePrivateKeys(ctx context.Context, keyID string, keys *model.Keyset) error { + if keyID == "" { + return ErrEmptyKeyID + } + if keys == nil { + return ErrNilKeySet + } + + keyData := map[string]interface{}{ + "uniqueKeyID": keys.UniqueKeyID, + "signingPublicKey": keys.SigningPublic, + "signingPrivateKey": keys.SigningPrivate, + "encrPublicKey": keys.EncrPublic, + "encrPrivateKey": keys.EncrPrivate, + } + var path string + var payload map[string]interface{} + if km.KvVersion == "v2" { + path = fmt.Sprintf("secret/data/keys/%s", keyID) + payload = map[string]interface{}{"data": keyData} + } else { + path = fmt.Sprintf("secret/keys/%s", keyID) + payload = keyData + } + + _, err := km.VaultClient.Logical().Write(path, payload) + if err != nil { + return fmt.Errorf("failed to store secret in Vault: %w", err) + } + return nil +} + +// SigningPrivateKey retrieves the unique key ID and signing private key for the given key ID. +func (km *KeyMgr) SigningPrivateKey(ctx context.Context, keyID string) (string, string, error) { + keys, err := km.getKeys(ctx, keyID) + if err != nil { + return "", "", err + } + return keys.UniqueKeyID, keys.SigningPrivate, nil +} + +// EncrPrivateKey retrieves the unique key ID and encryption private key for the given key ID. +func (km *KeyMgr) EncrPrivateKey(ctx context.Context, keyID string) (string, string, error) { + keys, err := km.getKeys(ctx, keyID) + if err != nil { + return "", "", err + } + return keys.UniqueKeyID, keys.EncrPrivate, nil +} + +// SigningPublicKey returns the signing public key for the given subscriber ID and key ID. +func (km *KeyMgr) SigningPublicKey(ctx context.Context, subscriberID, uniqueKeyID string) (string, error) { + keys, err := km.getPublicKeys(ctx, subscriberID, uniqueKeyID) + if err != nil { + return "", err + } + return keys.SigningPublic, nil +} + +// EncrPublicKey returns the encryption public key for the given subscriber ID and key ID. +func (km *KeyMgr) EncrPublicKey(ctx context.Context, subscriberID, uniqueKeyID string) (string, error) { + keys, err := km.getPublicKeys(ctx, subscriberID, uniqueKeyID) + if err != nil { + return "", err + } + return keys.EncrPublic, nil +} + +// DeletePrivateKeys deletes the private keys for the given key ID from Vault. +func (km *KeyMgr) DeletePrivateKeys(ctx context.Context, keyID string) error { + if keyID == "" { + return ErrEmptyKeyID + } + var path string + if km.KvVersion == "v2" { + path = fmt.Sprintf("secret/data/private_keys/%s", keyID) + } else { + path = fmt.Sprintf("secret/private_keys/%s", keyID) + } + return km.VaultClient.KVv2(path).Delete(ctx, keyID) +} + +// getKeys retrieves the full keyset from Vault for the given key ID. +func (km *KeyMgr) getKeys(ctx context.Context, keyID string) (*model.Keyset, error) { + if keyID == "" { + return nil, ErrEmptyKeyID + } + + var path string + if km.KvVersion == "v2" { + path = fmt.Sprintf("secret/data/private_keys/%s", keyID) + } else { + path = fmt.Sprintf("secret/private_keys/%s", keyID) + } + + secret, err := km.VaultClient.Logical().Read(path) + if err != nil || secret == nil { + return nil, fmt.Errorf("failed to read secret from Vault: %w", err) + } + + var data map[string]interface{} + if km.KvVersion == "v2" { + dataRaw, ok := secret.Data["data"] + if !ok { + return nil, errors.New("missing 'data' in secret response") + } + data, ok = dataRaw.(map[string]interface{}) + if !ok { + return nil, errors.New("invalid 'data' format in Vault response") + } + } else { + data = secret.Data + } + + return &model.Keyset{ + UniqueKeyID: data["uniqueKeyID"].(string), + SigningPublic: data["signingPublicKey"].(string), + SigningPrivate: data["signingPrivateKey"].(string), + EncrPublic: data["encrPublicKey"].(string), + EncrPrivate: data["encrPrivateKey"].(string), + }, nil +} + +// getPublicKeys fetches the public keys from cache or registry for the given subscriber and key ID. +func (km *KeyMgr) getPublicKeys(ctx context.Context, subscriberID, uniqueKeyID string) (*model.Keyset, error) { + if err := validateParams(subscriberID, uniqueKeyID); err != nil { + return nil, err + } + cacheKey := fmt.Sprintf("%s_%s", subscriberID, uniqueKeyID) + cachedData, err := km.Cache.Get(ctx, cacheKey) + if err == nil { + var keys model.Keyset + if err := json.Unmarshal([]byte(cachedData), &keys); err == nil { + return &keys, nil + } + } + publicKeys, err := km.lookupRegistry(ctx, subscriberID, uniqueKeyID) + if err != nil { + return nil, err + } + cacheValue, err := json.Marshal(publicKeys) + if err == nil { + _ = km.Cache.Set(ctx, cacheKey, string(cacheValue), time.Hour) + } + return publicKeys, nil +} + +// lookupRegistry queries the registry for public keys based on subscriber ID and key ID. +func (km *KeyMgr) lookupRegistry(ctx context.Context, subscriberID, uniqueKeyID string) (*model.Keyset, error) { + subscribers, err := km.Registry.Lookup(ctx, &model.Subscription{ + Subscriber: model.Subscriber{ + SubscriberID: subscriberID, + }, + KeyID: uniqueKeyID, + }) + if err != nil { + return nil, fmt.Errorf("failed to lookup registry: %w", err) + } + if len(subscribers) == 0 { + return nil, ErrSubscriberNotFound + } + return &model.Keyset{ + SigningPublic: subscribers[0].SigningPublicKey, + EncrPublic: subscribers[0].EncrPublicKey, + }, nil +} + +// validateParams checks that subscriberID and uniqueKeyID are not empty. +func validateParams(subscriberID, uniqueKeyID string) error { + if subscriberID == "" { + return ErrEmptySubscriberID + } + if uniqueKeyID == "" { + return ErrEmptyUniqueKeyID + } + return nil +} + +// encodeBase64 returns the base64-encoded string of the given data. +func encodeBase64(data []byte) string { + return base64.StdEncoding.EncodeToString(data) +} From 63e1bc44d9c37db938f0917bd3314dfb02bd2bbc Mon Sep 17 00:00:00 2001 From: MohitKatare-protean Date: Tue, 20 May 2025 12:01:14 +0530 Subject: [PATCH 2/8] added test cases for keymanager and plugin --- .../implementation/keymanager/cmd/plugin.go | 9 +- .../keymanager/cmd/plugin_test.go | 164 +++ .../implementation/keymanager/keymanager.go | 25 +- .../keymanager/keymanager_test.go | 1182 +++++++++++++++++ 4 files changed, 1373 insertions(+), 7 deletions(-) create mode 100644 pkg/plugin/implementation/keymanager/cmd/plugin_test.go create mode 100644 pkg/plugin/implementation/keymanager/keymanager_test.go diff --git a/pkg/plugin/implementation/keymanager/cmd/plugin.go b/pkg/plugin/implementation/keymanager/cmd/plugin.go index 9326a8b..5e37af4 100644 --- a/pkg/plugin/implementation/keymanager/cmd/plugin.go +++ b/pkg/plugin/implementation/keymanager/cmd/plugin.go @@ -9,7 +9,12 @@ import ( ) // keyManagerProvider implements the plugin provider for the KeyManager plugin. -type keyManagerProvider struct{} +type keyManagerProvider struct { + newFunc func(ctx context.Context, cache definition.Cache, registry definition.RegistryLookup, cfg *keymanager.Config) (definition.KeyManager, func() error, error) +} + +// newKeyManagerFunc is a function type that creates a new KeyManager instance. +var newKeyManagerFunc = keymanager.New // New creates and initializes a new KeyManager instance using the provided cache, registry lookup, and configuration. func (k *keyManagerProvider) New(ctx context.Context, cache definition.Cache, registry definition.RegistryLookup, cfg map[string]string) (definition.KeyManager, func() error, error) { @@ -18,7 +23,7 @@ func (k *keyManagerProvider) New(ctx context.Context, cache definition.Cache, re KVVersion: cfg["kv_version"], } log.Debugf(ctx, "Keymanager config mapped: %+v", cfg) - km, cleanup, err := keymanager.New(ctx, cache, registry, config) + km, cleanup, err := newKeyManagerFunc(ctx, cache, registry, config) if err != nil { log.Error(ctx, err, "Failed to initialize KeyManager") return nil, nil, err diff --git a/pkg/plugin/implementation/keymanager/cmd/plugin_test.go b/pkg/plugin/implementation/keymanager/cmd/plugin_test.go new file mode 100644 index 0000000..bec7c6f --- /dev/null +++ b/pkg/plugin/implementation/keymanager/cmd/plugin_test.go @@ -0,0 +1,164 @@ +package main + +import ( + "context" + "fmt" + "testing" + "time" + + "github.com/beckn/beckn-onix/pkg/model" + "github.com/beckn/beckn-onix/pkg/plugin/definition" + "github.com/beckn/beckn-onix/pkg/plugin/implementation/keymanager" +) + +// Mock KeyManager implementation +type mockKeyManager struct{} + +func (m *mockKeyManager) SigningPublicKey(ctx context.Context, subscriberID, keyID string) (string, error) { + return "mock-signing-public-key", nil +} + +func (m *mockKeyManager) SigningPrivateKey(ctx context.Context, subscriberID string) (string, string, error) { + return "mock-key-id", "mock-signing-private-key", nil +} + +func (m *mockKeyManager) EncrPublicKey(ctx context.Context, subscriberID, keyID string) (string, error) { + return "mock-encryption-public-key", nil +} + +func (m *mockKeyManager) EncrPrivateKey(ctx context.Context, subscriberID string) (string, string, error) { + return "mock-key-id", "mock-encryption-private-key", nil +} + +func (m *mockKeyManager) DeletePrivateKeys(ctx context.Context, subscriberID string) error { + return nil +} + +func (m *mockKeyManager) StorePrivateKeys(ctx context.Context, subscriberID string, keys *model.Keyset) error { + return nil +} + +func (m *mockKeyManager) GenerateKeyPairs() (*model.Keyset, error) { + return &model.Keyset{ + UniqueKeyID: "mock-key-id", + SigningPrivate: "mock-signing-private-key", + SigningPublic: "mock-signing-public-key", + EncrPrivate: "mock-encryption-private-key", + EncrPublic: "mock-encryption-public-key", + }, nil +} + +type mockRegistry struct { + LookupFunc func(ctx context.Context, sub *model.Subscription) ([]model.Subscription, error) +} + +func (m *mockRegistry) Lookup(ctx context.Context, sub *model.Subscription) ([]model.Subscription, error) { + if m.LookupFunc != nil { + return m.LookupFunc(ctx, sub) + } + return []model.Subscription{ + { + Subscriber: model.Subscriber{ + SubscriberID: sub.SubscriberID, + URL: "https://mock.registry/subscriber", + Type: "BPP", + Domain: "retail", + }, + KeyID: sub.KeyID, + SigningPublicKey: "mock-signing-public-key", + EncrPublicKey: "mock-encryption-public-key", + ValidFrom: time.Now().Add(-time.Hour), + ValidUntil: time.Now().Add(time.Hour), + Status: "SUBSCRIBED", + Created: time.Now().Add(-2 * time.Hour), + Updated: time.Now(), + Nonce: "mock-nonce", + }, + }, nil +} + +type mockCache struct{} + +func (m *mockCache) Get(ctx context.Context, key string) (string, error) { + return "", nil +} +func (m *mockCache) Set(ctx context.Context, key string, value string, ttl time.Duration) error { + return nil +} +func (m *mockCache) Clear(ctx context.Context) error { + return nil +} + +func (m *mockCache) Delete(ctx context.Context, key string) error { + return nil +} + +func TestNewSuccess(t *testing.T) { + // Setup dummy implementations and variables + ctx := context.Background() + cache := &mockCache{} + registry := &mockRegistry{} + cfg := map[string]string{ + "vault_addr": "http://dummy-vault", + "kv_version": "2", + } + + cleanupCalled := false + fakeCleanup := func() error { + cleanupCalled = true + return nil + } + + newKeyManagerFunc = func(ctx context.Context, cache definition.Cache, registry definition.RegistryLookup, cfg *keymanager.Config) (*keymanager.KeyMgr, func() error, error) { + // return a mock struct pointer of *keymanager.KeyMgr or a stub instance + return &keymanager.KeyMgr{}, fakeCleanup, nil + } + + // Create provider and call New + provider := &keyManagerProvider{} + km, cleanup, err := provider.New(ctx, cache, registry, cfg) + if err != nil { + t.Fatalf("Expected no error, got %v", err) + } + if km == nil { + t.Fatal("Expected non-nil KeyManager instance") + } + if cleanup == nil { + t.Fatal("Expected non-nil cleanup function") + } + + // Call cleanup and check if it behaves correctly + if err := cleanup(); err != nil { + t.Fatalf("Expected no error from cleanup, got %v", err) + } + if !cleanupCalled { + t.Error("Expected cleanup function to be called") + } +} + +func TestNewFailure(t *testing.T) { + // Setup dummy variables + ctx := context.Background() + cache := &mockCache{} + registry := &mockRegistry{} + cfg := map[string]string{ + "vault_addr": "http://dummy-vault", + "kv_version": "2", + } + + newKeyManagerFunc = func(ctx context.Context, cache definition.Cache, registry definition.RegistryLookup, cfg *keymanager.Config) (*keymanager.KeyMgr, func() error, error) { + return nil, nil, fmt.Errorf("some error") + } + + provider := &keyManagerProvider{} + km, cleanup, err := provider.New(ctx, cache, registry, cfg) + if err == nil { + t.Fatal("Expected error, got nil") + } + if km != nil { + t.Error("Expected nil KeyManager on error") + } + if cleanup != nil { + t.Error("Expected nil cleanup function on error") + } +} diff --git a/pkg/plugin/implementation/keymanager/keymanager.go b/pkg/plugin/implementation/keymanager/keymanager.go index 229fa2b..c50079d 100644 --- a/pkg/plugin/implementation/keymanager/keymanager.go +++ b/pkg/plugin/implementation/keymanager/keymanager.go @@ -70,6 +70,11 @@ func ValidateCfg(cfg *Config) error { return nil } +// getVaultClient is a function that creates a new Vault client. +// This is exported for testing purposes. +var getVaultClient = GetVaultClient + +// New creates a new KeyMgr instance with the provided configuration, cache, and registry lookup. func New(ctx context.Context, cache definition.Cache, registryLookup definition.RegistryLookup, cfg *Config) (*KeyMgr, func() error, error) { log.Info(ctx, "Initializing KeyManager plugin") // Validate configuration. @@ -91,7 +96,7 @@ func New(ctx context.Context, cache definition.Cache, registryLookup definition. // Initialize Vault client. log.Debugf(ctx, "Creating Vault client with address: %s", cfg.VaultAddr) - vaultClient, err := GetVaultClient(ctx, cfg.VaultAddr) + vaultClient, err := getVaultClient(ctx, cfg.VaultAddr) if err != nil { log.Errorf(ctx, err, "Failed to create Vault client at address: %s", cfg.VaultAddr) return nil, nil, fmt.Errorf("failed to create vault client: %w", err) @@ -120,6 +125,10 @@ func New(ctx context.Context, cache definition.Cache, registryLookup definition. return km, cleanup, nil } +// NewVaultClient creates a new Vault client instance. +// This function is exported for testing purposes. +var NewVaultClient = vault.NewClient + // GetVaultClient creates and authenticates a Vault client using AppRole. func GetVaultClient(ctx context.Context, vaultAddr string) (*vault.Client, error) { roleID := os.Getenv("VAULT_ROLE_ID") @@ -133,7 +142,7 @@ func GetVaultClient(ctx context.Context, vaultAddr string) (*vault.Client, error config := vault.DefaultConfig() config.Address = vaultAddr - client, err := vault.NewClient(config) + client, err := NewVaultClient(config) if err != nil { log.Error(ctx, err, "failed to create Vault client") return nil, fmt.Errorf("failed to create Vault client: %w", err) @@ -160,19 +169,25 @@ func GetVaultClient(ctx context.Context, vaultAddr string) (*vault.Client, error return client, nil } +var ( + ed25519KeyGenFunc = ed25519.GenerateKey + x25519KeyGenFunc = ecdh.X25519().GenerateKey + uuidGenFunc = uuid.NewRandom +) + // GenerateKeyPairs generates a new signing (Ed25519) and encryption (X25519) key pair. func (km *KeyMgr) GenerateKeyPairs() (*model.Keyset, error) { - signingPublic, signingPrivate, err := ed25519.GenerateKey(rand.Reader) + signingPublic, signingPrivate, err := ed25519KeyGenFunc(rand.Reader) if err != nil { return nil, fmt.Errorf("failed to generate signing key pair: %w", err) } - encrPrivateKey, err := ecdh.X25519().GenerateKey(rand.Reader) + encrPrivateKey, err := x25519KeyGenFunc(rand.Reader) if err != nil { return nil, fmt.Errorf("failed to generate encryption key pair: %w", err) } encrPublicKey := encrPrivateKey.PublicKey().Bytes() - uuid, err := uuid.NewRandom() + uuid, err := uuidGenFunc() if err != nil { return nil, fmt.Errorf("failed to generate unique key id uuid: %w", err) } diff --git a/pkg/plugin/implementation/keymanager/keymanager_test.go b/pkg/plugin/implementation/keymanager/keymanager_test.go new file mode 100644 index 0000000..b08215e --- /dev/null +++ b/pkg/plugin/implementation/keymanager/keymanager_test.go @@ -0,0 +1,1182 @@ +package keymanager + +import ( + "context" + "crypto/ecdh" + "crypto/ed25519" + "errors" + "fmt" + "io" + "net/http" + "net/http/httptest" + "os" + "strings" + "testing" + "time" + + "github.com/beckn/beckn-onix/pkg/model" + "github.com/beckn/beckn-onix/pkg/plugin/definition" + "github.com/google/uuid" + "github.com/hashicorp/vault/api" + vault "github.com/hashicorp/vault/api" +) + +type mockRegistry struct { + LookupFunc func(ctx context.Context, sub *model.Subscription) ([]model.Subscription, error) +} + +func (m *mockRegistry) Lookup(ctx context.Context, sub *model.Subscription) ([]model.Subscription, error) { + if m.LookupFunc != nil { + return m.LookupFunc(ctx, sub) + } + return []model.Subscription{ + { + Subscriber: model.Subscriber{ + SubscriberID: sub.SubscriberID, + URL: "https://mock.registry/subscriber", + Type: "BPP", + Domain: "retail", + }, + KeyID: sub.KeyID, + SigningPublicKey: "mock-signing-public-key", + EncrPublicKey: "mock-encryption-public-key", + ValidFrom: time.Now().Add(-time.Hour), + ValidUntil: time.Now().Add(time.Hour), + Status: "SUBSCRIBED", + Created: time.Now().Add(-2 * time.Hour), + Updated: time.Now(), + Nonce: "mock-nonce", + }, + }, nil +} + +type mockCache struct{} + +func (m *mockCache) Get(ctx context.Context, key string) (string, error) { + return "", nil +} +func (m *mockCache) Set(ctx context.Context, key string, value string, ttl time.Duration) error { + return nil +} +func (m *mockCache) Clear(ctx context.Context) error { + return nil +} + +func (m *mockCache) Delete(ctx context.Context, key string) error { + return nil +} + +func TestValidateCfgSuccess(t *testing.T) { + tests := []struct { + name string + cfg *Config + wantKV string + }{ + { + name: "valid config with v1", + cfg: &Config{VaultAddr: "http://localhost:8200", KVVersion: "v1"}, + wantKV: "v1", + }, + { + name: "valid config with v2", + cfg: &Config{VaultAddr: "http://localhost:8200", KVVersion: "v2"}, + wantKV: "v2", + }, + { + name: "default KV version applied", + cfg: &Config{VaultAddr: "http://localhost:8200"}, + wantKV: "v1", + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + err := ValidateCfg(tt.cfg) + if err != nil { + t.Errorf("expected no error, got %v", err) + } + if tt.cfg.KVVersion != tt.wantKV { + t.Errorf("expected KVVersion %s, got %s", tt.wantKV, tt.cfg.KVVersion) + } + }) + } +} + +func TestValidateCfgFailure(t *testing.T) { + tests := []struct { + name string + cfg *Config + }{ + { + name: "missing Vault address", + cfg: &Config{VaultAddr: "", KVVersion: "v1"}, + }, + { + name: "invalid KV version", + cfg: &Config{VaultAddr: "http://localhost:8200", KVVersion: "v3"}, + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + err := ValidateCfg(tt.cfg) + if err == nil { + t.Errorf("expected error, got nil") + } + }) + } +} + +func TestGenerateKeyPairs(t *testing.T) { + originalEd25519 := ed25519KeyGenFunc + originalX25519 := x25519KeyGenFunc + originalUUID := uuidGenFunc + + defer func() { + ed25519KeyGenFunc = originalEd25519 + x25519KeyGenFunc = originalX25519 + uuidGenFunc = originalUUID + }() + + tests := []struct { + name string + mockEd25519Err error + mockX25519Err error + mockUUIDErr error + expectErr bool + }{ + { + name: "success case", + expectErr: false, + }, + { + name: "ed25519 key generation failure", + mockEd25519Err: errors.New("mock ed25519 failure"), + expectErr: true, + }, + { + name: "x25519 key generation failure", + mockX25519Err: errors.New("mock x25519 failure"), + expectErr: true, + }, + { + name: "UUID generation failure", + mockUUIDErr: errors.New("mock uuid failure"), + expectErr: true, + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + if tt.mockEd25519Err != nil { + ed25519KeyGenFunc = func(_ io.Reader) (ed25519.PublicKey, ed25519.PrivateKey, error) { + return nil, nil, tt.mockEd25519Err + } + } else { + ed25519KeyGenFunc = ed25519.GenerateKey + } + + if tt.mockX25519Err != nil { + x25519KeyGenFunc = func(_ io.Reader) (*ecdh.PrivateKey, error) { + return nil, tt.mockX25519Err + } + } else { + x25519KeyGenFunc = ecdh.X25519().GenerateKey + } + + if tt.mockUUIDErr != nil { + uuidGenFunc = func() (uuid.UUID, error) { + return uuid.Nil, tt.mockUUIDErr + } + } else { + uuidGenFunc = uuid.NewRandom + } + + km := &KeyMgr{} + keyset, err := km.GenerateKeyPairs() + + if tt.expectErr { + if err == nil { + t.Errorf("expected error, got nil") + } + if keyset != nil { + t.Errorf("expected nil keyset, got non-nil") + } + } else { + if err != nil { + t.Errorf("unexpected error: %v", err) + } + if keyset == nil { + t.Fatal("expected keyset, got nil") + } + if keyset.SigningPrivate == "" || keyset.SigningPublic == "" || keyset.EncrPrivate == "" || keyset.EncrPublic == "" { + t.Error("expected all keys to be populated and base64-encoded") + } + if keyset.UniqueKeyID == "" { + t.Error("expected UniqueKeyID to be non-empty") + } + } + }) + } +} + +type mockLogical struct { + writeFn func(path string, data map[string]interface{}) (*vault.Secret, error) +} + +func (m *mockLogical) Write(path string, data map[string]interface{}) (*vault.Secret, error) { + return m.writeFn(path, data) +} + +type mockClient struct { + *vault.Client + setTokenFn func(string) + logicalFn func() *vault.Logical +} + +func (m *mockClient) SetToken(token string) { + if m.setTokenFn != nil { + m.setTokenFn(token) + } +} + +func (m *mockClient) Logical() *vault.Logical { + if m.logicalFn != nil { + return m.logicalFn() + } + return &vault.Logical{} +} + +func TestGetVaultClient_Failures(t *testing.T) { + originalNewVaultClient := NewVaultClient + defer func() { NewVaultClient = originalNewVaultClient }() + + ctx := context.Background() + + tests := []struct { + name string + roleID string + secretID string + setupServer func(t *testing.T) *httptest.Server + expectErr string + }{ + { + name: "missing credentials", + roleID: "", + secretID: "", + expectErr: "VAULT_ROLE_ID or VAULT_SECRET_ID is not set", + }, + { + name: "vault client creation failure", + roleID: "test-role", + secretID: "test-secret", + setupServer: func(t *testing.T) *httptest.Server { + NewVaultClient = func(cfg *vault.Config) (*vault.Client, error) { + return nil, errors.New("mock client creation error") + } + return nil + }, + expectErr: "failed to create Vault client: mock client creation error", + }, + { + name: "AppRole login failure", + roleID: "test-role", + secretID: "test-secret", + setupServer: func(t *testing.T) *httptest.Server { + return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + http.Error(w, "login failed", http.StatusBadRequest) + })) + }, + expectErr: "failed to login with AppRole: Error making API request", + }, + { + name: "AppRole login returns nil auth", + roleID: "test-role", + secretID: "test-secret", + setupServer: func(t *testing.T) *httptest.Server { + return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + w.WriteHeader(http.StatusOK) + w.Header().Set("Content-Type", "application/json") + io.WriteString(w, `{ "auth": null }`) + })) + }, + expectErr: "AppRole login failed: no auth info returned", + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + os.Setenv("VAULT_ROLE_ID", tt.roleID) + os.Setenv("VAULT_SECRET_ID", tt.secretID) + + var server *httptest.Server + if tt.setupServer != nil { + server = tt.setupServer(t) + if server != nil { + NewVaultClient = func(cfg *vault.Config) (*vault.Client, error) { + cfg.Address = server.URL + return vault.NewClient(cfg) + } + defer server.Close() + } + } + + client, err := GetVaultClient(ctx, "http://ignored") + if err == nil || !strings.Contains(err.Error(), tt.expectErr) { + t.Errorf("expected error to contain '%s', got: %v", tt.expectErr, err) + } + if client != nil { + t.Error("expected client to be nil on failure") + } + }) + } +} + +func TestGetVaultClient_Success(t *testing.T) { + originalNewVaultClient := NewVaultClient + defer func() { NewVaultClient = originalNewVaultClient }() + + ctx := context.Background() + + os.Setenv("VAULT_ROLE_ID", "test-role") + os.Setenv("VAULT_SECRET_ID", "test-secret") + + // Mock Vault server + server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + if !strings.HasSuffix(r.URL.Path, "/auth/approle/login") { + t.Errorf("unexpected request path: %s", r.URL.Path) + } + w.WriteHeader(http.StatusOK) + w.Header().Set("Content-Type", "application/json") + io.WriteString(w, `{ + "auth": { + "client_token": "mock-token" + } + }`) + })) + defer server.Close() + + NewVaultClient = func(cfg *vault.Config) (*vault.Client, error) { + cfg.Address = server.URL + return vault.NewClient(cfg) + } + + client, err := GetVaultClient(ctx, "http://ignored") + if err != nil { + t.Fatalf("expected success, got error: %v", err) + } + if client == nil { + t.Fatal("expected non-nil client") + } + if token := client.Token(); token != "mock-token" { + t.Errorf("expected token to be 'mock-token', got: %s", token) + } +} + +type mockRegistryLookup struct{} + +func (m *mockRegistryLookup) Lookup(ctx context.Context, sub *model.Subscription) ([]model.Subscription, error) { + return []model.Subscription{ + { + Subscriber: model.Subscriber{ + SubscriberID: sub.SubscriberID, + Type: sub.Type, + }, + KeyID: "mock-key-id", + SigningPublicKey: "mock-signing-pubkey", + EncrPublicKey: "mock-encryption-pubkey", + ValidFrom: time.Now().Add(-time.Hour), + ValidUntil: time.Now().Add(time.Hour), + Status: "SUBSCRIBED", + Created: time.Now(), + Updated: time.Now(), + Nonce: "mock-nonce", + }, + }, nil +} + +func TestNewSuccess(t *testing.T) { + tests := []struct { + name string + cfg *Config + cache definition.Cache + registry definition.RegistryLookup + mockVaultStatus int + mockVaultBody string + }{ + { + name: "valid config", + cfg: &Config{ + VaultAddr: "http://dummy", + KVVersion: "v2", + }, + cache: &mockCache{}, + registry: &mockRegistryLookup{}, + mockVaultStatus: http.StatusOK, + mockVaultBody: `{}`, + }, + } + + originalGetVaultClient := getVaultClient + defer func() { getVaultClient = originalGetVaultClient }() + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + vaultServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + w.WriteHeader(tt.mockVaultStatus) + fmt.Fprint(w, tt.mockVaultBody) + })) + defer vaultServer.Close() + + tt.cfg.VaultAddr = vaultServer.URL + + getVaultClient = func(ctx context.Context, addr string) (*vault.Client, error) { + cfg := vault.DefaultConfig() + cfg.Address = addr + return vault.NewClient(cfg) + } + + ctx := context.Background() + km, cleanup, err := New(ctx, tt.cache, tt.registry, tt.cfg) + + if err != nil { + t.Fatalf("unexpected error: %v", err) + } + if km == nil { + t.Fatalf("expected KeyMgr instance, got nil") + } + if cleanup == nil { + t.Fatalf("expected cleanup function, got nil") + } + _ = cleanup() + }) + } +} + +func TestNewFailure(t *testing.T) { + tests := []struct { + name string + cfg *Config + cache definition.Cache + registry definition.RegistryLookup + mockVaultStatus int + mockVaultBody string + }{ + { + name: "nil cache", + cfg: &Config{ + VaultAddr: "http://dummy", + KVVersion: "v2", + }, + cache: nil, + registry: &mockRegistryLookup{}, + mockVaultStatus: http.StatusOK, + mockVaultBody: `{}`, + }, + { + name: "nil registry", + cfg: &Config{ + VaultAddr: "http://dummy", + KVVersion: "v2", + }, + cache: &mockCache{}, + registry: nil, + mockVaultStatus: http.StatusOK, + mockVaultBody: `{}`, + }, + { + name: "invalid config", + cfg: &Config{ + VaultAddr: "", // Invalid + KVVersion: "v3", // Unsupported + }, + cache: &mockCache{}, + registry: &mockRegistryLookup{}, + mockVaultStatus: http.StatusOK, + mockVaultBody: `{}`, + }, + { + name: "vault client creation failure", + cfg: &Config{ + VaultAddr: "http://dummy", + KVVersion: "v2", + }, + cache: &mockCache{}, + registry: &mockRegistryLookup{}, + mockVaultStatus: http.StatusOK, + mockVaultBody: `{}`, + }, + } + + originalGetVaultClient := getVaultClient + defer func() { getVaultClient = originalGetVaultClient }() + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + vaultServer := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + w.WriteHeader(tt.mockVaultStatus) + fmt.Fprint(w, tt.mockVaultBody) + })) + defer vaultServer.Close() + + if tt.cfg != nil { + tt.cfg.VaultAddr = vaultServer.URL + } + + getVaultClient = func(ctx context.Context, addr string) (*vault.Client, error) { + if tt.name == "vault client creation failure" { + return nil, errors.New("simulated vault client creation error") + } + cfg := vault.DefaultConfig() + cfg.Address = addr + return vault.NewClient(cfg) + } + + ctx := context.Background() + km, cleanup, err := New(ctx, tt.cache, tt.registry, tt.cfg) + + if err == nil { + t.Error("expected error, got nil") + } + if km != nil { + t.Error("expected KeyMgr to be nil, got non-nil") + } + if cleanup != nil { + t.Error("expected cleanup to be nil, got non-nil") + } + }) + } + +} + +func TestStorePrivateKeysSuccess(t *testing.T) { + ctx := context.Background() + + keys := &model.Keyset{ + UniqueKeyID: "uuid", + SigningPublic: "signPub", + SigningPrivate: "signPriv", + EncrPublic: "encrPub", + EncrPrivate: "encrPriv", + } + + tests := []struct { + name string + kvVersion string + keyID string + keys *model.Keyset + }{ + { + name: "success kv v1", + kvVersion: "v1", + keyID: "mykeyid", + keys: keys, + }, + { + name: "success kv v2", + kvVersion: "v2", + keyID: "mykeyid", + keys: keys, + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + expectedPath := "" + if tt.kvVersion == "v2" { + expectedPath = "/v1/secret/data/keys/" + tt.keyID + } else { + expectedPath = "/v1/secret/keys/" + tt.keyID + } + + if r.URL.Path != expectedPath { + t.Errorf("unexpected request path: got %s, want %s", r.URL.Path, expectedPath) + } + + w.Header().Set("Content-Type", "application/json") + w.WriteHeader(200) + fmt.Fprintln(w, `{"data":{}}`) + })) + defer server.Close() + + config := api.DefaultConfig() + config.Address = server.URL + client, err := api.NewClient(config) + if err != nil { + t.Fatalf("failed to create Vault client: %v", err) + } + + km := &KeyMgr{ + VaultClient: client, + KvVersion: tt.kvVersion, + } + + err = km.StorePrivateKeys(ctx, tt.keyID, tt.keys) + if err != nil { + t.Errorf("expected no error, got %v", err) + } + }) + } +} + +func TestStorePrivateKeysFailure(t *testing.T) { + ctx := context.Background() + + keys := &model.Keyset{ + UniqueKeyID: "uuid", + SigningPublic: "signPub", + SigningPrivate: "signPriv", + EncrPublic: "encrPub", + EncrPrivate: "encrPriv", + } + + tests := []struct { + name string + kvVersion string + keyID string + keys *model.Keyset + statusCode int // for HTTP error simulation + expectedErr string + }{ + { + name: "empty keyID", + keyID: "", + keys: keys, + expectedErr: ErrEmptyKeyID.Error(), + }, + { + name: "nil keys", + keyID: "mykeyid", + keys: nil, + expectedErr: ErrNilKeySet.Error(), + }, + { + name: "vault write error", + kvVersion: "v1", + keyID: "mykeyid", + keys: keys, + statusCode: 500, + expectedErr: "failed to store secret in Vault: Error making API request", + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + var server *httptest.Server + if tt.statusCode != 0 { + // Setup test HTTP server to simulate Vault error + server = httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + http.Error(w, "internal error", tt.statusCode) + })) + defer server.Close() + } + + var client *api.Client + var err error + if server != nil { + config := api.DefaultConfig() + config.Address = server.URL + client, err = api.NewClient(config) + if err != nil { + t.Fatalf("failed to create Vault client: %v", err) + } + } else { + client = nil + } + + km := &KeyMgr{ + VaultClient: client, + KvVersion: tt.kvVersion, + } + + err = km.StorePrivateKeys(ctx, tt.keyID, tt.keys) + + if err == nil { + t.Fatalf("expected error %q but got nil", tt.expectedErr) + } + if !strings.Contains(err.Error(), tt.expectedErr) { + t.Errorf("expected error containing %q, got %v", tt.expectedErr, err) + } + }) + } +} + +func TestDeletePrivateKeys(t *testing.T) { + tests := []struct { + name string + kvVersion string + keyID string + wantPath string + wantErr error + }{ + { + name: "empty keyID", + kvVersion: "v1", + keyID: "", + wantErr: ErrEmptyKeyID, + }, + { + name: "v1 delete", + kvVersion: "v1", + keyID: "key123", + wantPath: "/v1/secret/private_keys/key123/data/key123", + wantErr: nil, + }, + { + name: "v2 delete", + kvVersion: "v2", + keyID: "key123", + wantPath: "/v1/secret/data/private_keys/key123/data/key123", + wantErr: nil, + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + // If empty keyID, no Vault calls, just check error + if tt.keyID == "" { + km := &KeyMgr{ + KvVersion: tt.kvVersion, + VaultClient: nil, + } + err := km.DeletePrivateKeys(context.Background(), tt.keyID) + if err != tt.wantErr { + t.Errorf("expected error %v, got %v", tt.wantErr, err) + } + return + } + + ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + if r.Method != http.MethodDelete { + t.Errorf("Expected DELETE method, got %s", r.Method) + } + if r.URL.Path != tt.wantPath { + t.Errorf("Expected path %s, got %s", tt.wantPath, r.URL.Path) + } + w.WriteHeader(http.StatusNoContent) + })) + defer ts.Close() + + vaultClient, err := NewVaultClient(&vault.Config{Address: ts.URL}) + if err != nil { + t.Fatalf("failed to create vault client: %v", err) + } + + km := &KeyMgr{ + KvVersion: tt.kvVersion, + VaultClient: vaultClient, + } + + err = km.DeletePrivateKeys(context.Background(), tt.keyID) + if err != tt.wantErr { + t.Errorf("DeletePrivateKeys() error = %v, want %v", err, tt.wantErr) + } + }) + } +} + +func setupMockVaultServer(t *testing.T, kvVersion, keyID string, success bool) *httptest.Server { + t.Helper() + + handler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { + // Check that request path is expected + expectedPathV1 := fmt.Sprintf("/v1/secret/private_keys/%s", keyID) + expectedPathV2 := fmt.Sprintf("/v1/secret/data/private_keys/%s", keyID) + + if (kvVersion == "v2" && r.URL.Path != expectedPathV2) || (kvVersion != "v2" && r.URL.Path != expectedPathV1) { + http.Error(w, "not found", http.StatusNotFound) + return + } + + if !success { + // Simulate Vault error or not found + http.Error(w, `{"errors":["key not found"]}`, http.StatusNotFound) + return + } + + // Success response JSON, different for v1 and v2 + if kvVersion == "v2" { + resp := fmt.Sprintf(`{ + "data": { + "data": { + "uniqueKeyID": "%s", + "signingPublicKey": "sign-pub", + "signingPrivateKey": "sign-priv", + "encrPublicKey": "encr-pub", + "encrPrivateKey": "encr-priv" + } + } + }`, keyID) + w.Header().Set("Content-Type", "application/json") + w.Write([]byte(resp)) + } else { + resp := fmt.Sprintf(`{ + "data": { + "uniqueKeyID": "%s", + "signingPublicKey": "sign-pub", + "signingPrivateKey": "sign-priv", + "encrPublicKey": "encr-pub", + "encrPrivateKey": "encr-priv" + } + }`, keyID) + w.Header().Set("Content-Type", "application/json") + w.Write([]byte(resp)) + } + }) + + return httptest.NewServer(handler) +} + +func TestGetKeysSuccess(t *testing.T) { + tests := []struct { + name string + kvVersion string + keyID string + }{ + { + name: "success with KV v2", + kvVersion: "v2", + keyID: "test-key-v2", + }, + { + name: "success with KV v1", + kvVersion: "v1", + keyID: "test-key-v1", + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + ts := setupMockVaultServer(t, tt.kvVersion, tt.keyID, true) + defer ts.Close() + + cfg := vault.DefaultConfig() + cfg.Address = ts.URL + + client, err := vault.NewClient(cfg) + if err != nil { + t.Fatalf("failed to create Vault client: %v", err) + } + + km := &KeyMgr{ + VaultClient: client, + KvVersion: tt.kvVersion, + } + + keys, err := km.getKeys(context.Background(), tt.keyID) + if err != nil { + t.Fatalf("unexpected error: %v", err) + } + if keys == nil { + t.Fatalf("expected keys but got nil") + } + if keys.UniqueKeyID != tt.keyID { + t.Errorf("expected UniqueKeyID %q, got %q", tt.keyID, keys.UniqueKeyID) + } + if keys.SigningPrivate != "sign-priv" { + t.Errorf("expected SigningPrivate 'sign-priv', got %q", keys.SigningPrivate) + } + }) + } +} + +func TestGetKeysFailure(t *testing.T) { + tests := []struct { + name string + kvVersion string + keyID string + success bool + }{ + { + name: "failure: vault returns 404 v2", + kvVersion: "v2", + keyID: "missing-key-v2", + success: false, + }, + { + name: "failure: vault returns 404 v1", + kvVersion: "v1", + keyID: "missing-key-v1", + success: false, + }, + { + name: "failure: empty keyID", + kvVersion: "v2", + keyID: "", + success: false, + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + var ts *httptest.Server + if tt.keyID != "" { + ts = setupMockVaultServer(t, tt.kvVersion, tt.keyID, tt.success) + defer ts.Close() + } + + cfg := vault.DefaultConfig() + if ts != nil { + cfg.Address = ts.URL + } else { + // For empty keyID case or no mock server, use invalid URL to force error + cfg.Address = "http://invalid" + } + + client, err := vault.NewClient(cfg) + if err != nil { + t.Fatalf("failed to create Vault client: %v", err) + } + + km := &KeyMgr{ + VaultClient: client, + KvVersion: tt.kvVersion, + } + + keys, err := km.getKeys(context.Background(), tt.keyID) + if err == nil { + t.Fatalf("expected error but got nil") + } + if keys != nil { + t.Fatalf("expected nil keys but got %+v", keys) + } + }) + } +} + +func TestGetPublicKeysSuccess(t *testing.T) { + km := &KeyMgr{ + Cache: &mockCache{}, + Registry: &mockRegistry{ + LookupFunc: func(ctx context.Context, sub *model.Subscription) ([]model.Subscription, error) { + return []model.Subscription{ + { + Subscriber: model.Subscriber{ + SubscriberID: sub.SubscriberID, + }, + KeyID: sub.KeyID, + SigningPublicKey: "mock-signing-public-key", + EncrPublicKey: "mock-encryption-public-key", + }, + }, nil + }, + }, + } + + got, err := km.getPublicKeys(context.Background(), "sub-id", "key-id") + if err != nil { + t.Fatalf("getPublicKeys() unexpected error: %v", err) + } + if got == nil { + t.Fatal("getPublicKeys() returned nil Keyset") + } + if got.SigningPublic != "mock-signing-public-key" { + t.Errorf("SigningPublic = %v, want %v", got.SigningPublic, "mock-signing-public-key") + } + if got.EncrPublic != "mock-encryption-public-key" { + t.Errorf("EncrPublic = %v, want %v", got.EncrPublic, "mock-encryption-public-key") + } +} + +func TestGetPublicKeysFailure(t *testing.T) { + type fields struct { + cache definition.Cache + registry definition.RegistryLookup + } + type args struct { + subscriberID string + uniqueKeyID string + } + tests := []struct { + name string + fields fields + args args + errMessage string + }{ + { + name: "failure - invalid parameters", + fields: fields{ + cache: &mockCache{}, + registry: &mockRegistry{}, + }, + args: args{ + subscriberID: "", + uniqueKeyID: "", + }, + errMessage: "invalid", + }, + { + name: "failure - registry lookup fails", + fields: fields{ + cache: &mockCache{}, + registry: &mockRegistry{ + LookupFunc: func(ctx context.Context, sub *model.Subscription) ([]model.Subscription, error) { + return nil, fmt.Errorf("registry down") + }, + }, + }, + args: args{ + subscriberID: "sub-id", + uniqueKeyID: "key-id", + }, + errMessage: "registry down", + }, + { + name: "failure - registry returns empty", + fields: fields{ + cache: &mockCache{}, + registry: &mockRegistry{ + LookupFunc: func(ctx context.Context, sub *model.Subscription) ([]model.Subscription, error) { + return []model.Subscription{}, nil + }, + }, + }, + args: args{ + subscriberID: "sub-id", + uniqueKeyID: "key-id", + }, + errMessage: "no subscriber found", + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + km := &KeyMgr{ + Cache: tt.fields.cache, + Registry: tt.fields.registry, + } + got, err := km.getPublicKeys(context.Background(), tt.args.subscriberID, tt.args.uniqueKeyID) + if err == nil { + t.Errorf("getPublicKeys() expected error but got none, result: %v", got) + return + } + if !strings.Contains(err.Error(), tt.errMessage) { + t.Errorf("getPublicKeys() error = %v, want error message to contain %v", err.Error(), tt.errMessage) + } + }) + } +} + +func TestLookupRegistrySuccess(t *testing.T) { + km := &KeyMgr{ + Registry: &mockRegistry{ + LookupFunc: func(ctx context.Context, sub *model.Subscription) ([]model.Subscription, error) { + return []model.Subscription{ + { + Subscriber: model.Subscriber{ + SubscriberID: sub.SubscriberID, + }, + KeyID: sub.KeyID, + SigningPublicKey: "signing-key", + EncrPublicKey: "encryption-key", + }, + }, nil + }, + }, + } + + got, err := km.lookupRegistry(context.Background(), "test-subscriber", "key123") + if err != nil { + t.Fatalf("expected no error, got %v", err) + } + + want := &model.Keyset{ + SigningPublic: "signing-key", + EncrPublic: "encryption-key", + } + + if got.SigningPublic != want.SigningPublic { + t.Errorf("SigningPublic = %v, want %v", got.SigningPublic, want.SigningPublic) + } + if got.EncrPublic != want.EncrPublic { + t.Errorf("EncrPublic = %v, want %v", got.EncrPublic, want.EncrPublic) + } +} + +func TestLookupRegistryFailure(t *testing.T) { + tests := []struct { + name string + mockLookup func(ctx context.Context, sub *model.Subscription) ([]model.Subscription, error) + wantErr error + }{ + { + name: "lookup error", + mockLookup: func(ctx context.Context, sub *model.Subscription) ([]model.Subscription, error) { + return nil, fmt.Errorf("registry failure") + }, + wantErr: fmt.Errorf("registry failure"), + }, + { + name: "no subscriber found", + mockLookup: func(ctx context.Context, sub *model.Subscription) ([]model.Subscription, error) { + return []model.Subscription{}, nil + }, + wantErr: ErrSubscriberNotFound, + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + km := &KeyMgr{ + Registry: &mockRegistry{ + LookupFunc: tt.mockLookup, + }, + } + got, err := km.lookupRegistry(context.Background(), "some-id", "key-id") + if err == nil { + t.Fatalf("expected error, got none") + } + if got != nil { + t.Errorf("expected nil keyset, got %v", got) + } + }) + } +} + +func TestValidateParamsSuccess(t *testing.T) { + err := validateParams("someSubscriberID", "someUniqueKeyID") + if err != nil { + t.Fatalf("expected no error, got %v", err) + } +} + +func TestValidateParamsFailure(t *testing.T) { + tests := []struct { + name string + subscriberID string + uniqueKeyID string + wantErr error + }{ + { + name: "empty subscriberID", + subscriberID: "", + uniqueKeyID: "validKeyID", + wantErr: ErrEmptySubscriberID, + }, + { + name: "empty uniqueKeyID", + subscriberID: "validSubscriberID", + uniqueKeyID: "", + wantErr: ErrEmptyUniqueKeyID, + }, + { + name: "both empty", + subscriberID: "", + uniqueKeyID: "", + wantErr: ErrEmptySubscriberID, + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + err := validateParams(tt.subscriberID, tt.uniqueKeyID) + if err == nil { + t.Fatalf("expected error %v but got nil", tt.wantErr) + } + if err != tt.wantErr { + t.Errorf("expected error %v, got %v", tt.wantErr, err) + } + }) + } +} From 019b526b6fb11dc859cb9658ec809828daf88e2d Mon Sep 17 00:00:00 2001 From: MohitKatare-protean Date: Tue, 20 May 2025 12:10:58 +0530 Subject: [PATCH 3/8] Resolved linting issues --- .../implementation/keymanager/cmd/plugin.go | 4 +- .../keymanager/cmd/plugin_test.go | 37 --------------- .../keymanager/keymanager_test.go | 46 +++++++------------ 3 files changed, 17 insertions(+), 70 deletions(-) diff --git a/pkg/plugin/implementation/keymanager/cmd/plugin.go b/pkg/plugin/implementation/keymanager/cmd/plugin.go index 5e37af4..b4450d3 100644 --- a/pkg/plugin/implementation/keymanager/cmd/plugin.go +++ b/pkg/plugin/implementation/keymanager/cmd/plugin.go @@ -9,9 +9,7 @@ import ( ) // keyManagerProvider implements the plugin provider for the KeyManager plugin. -type keyManagerProvider struct { - newFunc func(ctx context.Context, cache definition.Cache, registry definition.RegistryLookup, cfg *keymanager.Config) (definition.KeyManager, func() error, error) -} +type keyManagerProvider struct{} // newKeyManagerFunc is a function type that creates a new KeyManager instance. var newKeyManagerFunc = keymanager.New diff --git a/pkg/plugin/implementation/keymanager/cmd/plugin_test.go b/pkg/plugin/implementation/keymanager/cmd/plugin_test.go index bec7c6f..881b837 100644 --- a/pkg/plugin/implementation/keymanager/cmd/plugin_test.go +++ b/pkg/plugin/implementation/keymanager/cmd/plugin_test.go @@ -11,43 +11,6 @@ import ( "github.com/beckn/beckn-onix/pkg/plugin/implementation/keymanager" ) -// Mock KeyManager implementation -type mockKeyManager struct{} - -func (m *mockKeyManager) SigningPublicKey(ctx context.Context, subscriberID, keyID string) (string, error) { - return "mock-signing-public-key", nil -} - -func (m *mockKeyManager) SigningPrivateKey(ctx context.Context, subscriberID string) (string, string, error) { - return "mock-key-id", "mock-signing-private-key", nil -} - -func (m *mockKeyManager) EncrPublicKey(ctx context.Context, subscriberID, keyID string) (string, error) { - return "mock-encryption-public-key", nil -} - -func (m *mockKeyManager) EncrPrivateKey(ctx context.Context, subscriberID string) (string, string, error) { - return "mock-key-id", "mock-encryption-private-key", nil -} - -func (m *mockKeyManager) DeletePrivateKeys(ctx context.Context, subscriberID string) error { - return nil -} - -func (m *mockKeyManager) StorePrivateKeys(ctx context.Context, subscriberID string, keys *model.Keyset) error { - return nil -} - -func (m *mockKeyManager) GenerateKeyPairs() (*model.Keyset, error) { - return &model.Keyset{ - UniqueKeyID: "mock-key-id", - SigningPrivate: "mock-signing-private-key", - SigningPublic: "mock-signing-public-key", - EncrPrivate: "mock-encryption-private-key", - EncrPublic: "mock-encryption-public-key", - }, nil -} - type mockRegistry struct { LookupFunc func(ctx context.Context, sub *model.Subscription) ([]model.Subscription, error) } diff --git a/pkg/plugin/implementation/keymanager/keymanager_test.go b/pkg/plugin/implementation/keymanager/keymanager_test.go index b08215e..f70e345 100644 --- a/pkg/plugin/implementation/keymanager/keymanager_test.go +++ b/pkg/plugin/implementation/keymanager/keymanager_test.go @@ -220,33 +220,6 @@ func TestGenerateKeyPairs(t *testing.T) { } } -type mockLogical struct { - writeFn func(path string, data map[string]interface{}) (*vault.Secret, error) -} - -func (m *mockLogical) Write(path string, data map[string]interface{}) (*vault.Secret, error) { - return m.writeFn(path, data) -} - -type mockClient struct { - *vault.Client - setTokenFn func(string) - logicalFn func() *vault.Logical -} - -func (m *mockClient) SetToken(token string) { - if m.setTokenFn != nil { - m.setTokenFn(token) - } -} - -func (m *mockClient) Logical() *vault.Logical { - if m.logicalFn != nil { - return m.logicalFn() - } - return &vault.Logical{} -} - func TestGetVaultClient_Failures(t *testing.T) { originalNewVaultClient := NewVaultClient defer func() { NewVaultClient = originalNewVaultClient }() @@ -297,7 +270,9 @@ func TestGetVaultClient_Failures(t *testing.T) { return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { w.WriteHeader(http.StatusOK) w.Header().Set("Content-Type", "application/json") - io.WriteString(w, `{ "auth": null }`) + if _, err := io.WriteString(w, `{ "auth": null }`); err != nil { + t.Fatalf("failed to write response: %v", err) + } })) }, expectErr: "AppRole login failed: no auth info returned", @@ -353,6 +328,13 @@ func TestGetVaultClient_Success(t *testing.T) { "client_token": "mock-token" } }`) + if _, err := io.WriteString(w, `{ + "auth": { + "client_token": "mock-token" + } + }`); err != nil { + t.Fatalf("failed to write response: %v", err) + } })) defer server.Close() @@ -809,7 +791,9 @@ func setupMockVaultServer(t *testing.T, kvVersion, keyID string, success bool) * } }`, keyID) w.Header().Set("Content-Type", "application/json") - w.Write([]byte(resp)) + if _, err := w.Write([]byte(resp)); err != nil { + t.Fatalf("failed to write response: %v", err) + } } else { resp := fmt.Sprintf(`{ "data": { @@ -821,7 +805,9 @@ func setupMockVaultServer(t *testing.T, kvVersion, keyID string, success bool) * } }`, keyID) w.Header().Set("Content-Type", "application/json") - w.Write([]byte(resp)) + if _, err := w.Write([]byte(resp)); err != nil { + t.Fatalf("failed to write response: %v", err) + } } }) From 0eb0cc572f9c8def723d27dd85d1cd75c8786670 Mon Sep 17 00:00:00 2001 From: MohitKatare-protean Date: Tue, 20 May 2025 12:12:36 +0530 Subject: [PATCH 4/8] fixed linting issue for not checked --- pkg/plugin/implementation/keymanager/keymanager_test.go | 5 ----- 1 file changed, 5 deletions(-) diff --git a/pkg/plugin/implementation/keymanager/keymanager_test.go b/pkg/plugin/implementation/keymanager/keymanager_test.go index f70e345..c66b2fe 100644 --- a/pkg/plugin/implementation/keymanager/keymanager_test.go +++ b/pkg/plugin/implementation/keymanager/keymanager_test.go @@ -323,11 +323,6 @@ func TestGetVaultClient_Success(t *testing.T) { } w.WriteHeader(http.StatusOK) w.Header().Set("Content-Type", "application/json") - io.WriteString(w, `{ - "auth": { - "client_token": "mock-token" - } - }`) if _, err := io.WriteString(w, `{ "auth": { "client_token": "mock-token" From ea872338f6d9b71242b5076988c9523ed3d85c41 Mon Sep 17 00:00:00 2001 From: MohitKatare-protean Date: Thu, 22 May 2025 12:53:54 +0530 Subject: [PATCH 5/8] change in the keymanager interface --- pkg/plugin/definition/keymanager.go | 12 +- .../implementation/keymanager/keymanager.go | 84 +---- .../keymanager/keymanager_test.go | 334 +++++++----------- 3 files changed, 154 insertions(+), 276 deletions(-) diff --git a/pkg/plugin/definition/keymanager.go b/pkg/plugin/definition/keymanager.go index f2c0e2f..749ad0a 100644 --- a/pkg/plugin/definition/keymanager.go +++ b/pkg/plugin/definition/keymanager.go @@ -8,13 +8,11 @@ import ( // KeyManager defines the interface for key management operations/methods. type KeyManager interface { - GenerateKeyPairs() (*model.Keyset, error) - StorePrivateKeys(ctx context.Context, keyID string, keys *model.Keyset) error - SigningPrivateKey(ctx context.Context, keyID string) (string, string, error) - EncrPrivateKey(ctx context.Context, keyID string) (string, string, error) - SigningPublicKey(ctx context.Context, subscriberID, uniqueKeyID string) (string, error) - EncrPublicKey(ctx context.Context, subscriberID, uniqueKeyID string) (string, error) - DeletePrivateKeys(ctx context.Context, keyID string) error + GenerateKeyset() (*model.Keyset, error) + InsertKeyset(ctx context.Context, keyID string, keyset *model.Keyset) error + Keyset(ctx context.Context, keyID string) (*model.Keyset, error) + LookupNPKeys(ctx context.Context, subscriberID, uniqueKeyID string) (string, string, error) + DeleteKeyset(ctx context.Context, keyID string) error } // KeyManagerProvider initializes a new signer instance. diff --git a/pkg/plugin/implementation/keymanager/keymanager.go b/pkg/plugin/implementation/keymanager/keymanager.go index c50079d..c79b8c1 100644 --- a/pkg/plugin/implementation/keymanager/keymanager.go +++ b/pkg/plugin/implementation/keymanager/keymanager.go @@ -10,7 +10,6 @@ import ( "errors" "fmt" "os" - "time" "github.com/beckn/beckn-onix/pkg/log" "github.com/beckn/beckn-onix/pkg/model" @@ -175,8 +174,8 @@ var ( uuidGenFunc = uuid.NewRandom ) -// GenerateKeyPairs generates a new signing (Ed25519) and encryption (X25519) key pair. -func (km *KeyMgr) GenerateKeyPairs() (*model.Keyset, error) { +// GenerateKeyset generates a new signing (Ed25519) and encryption (X25519) key pair. +func (km *KeyMgr) GenerateKeyset() (*model.Keyset, error) { signingPublic, signingPrivate, err := ed25519KeyGenFunc(rand.Reader) if err != nil { return nil, fmt.Errorf("failed to generate signing key pair: %w", err) @@ -200,8 +199,8 @@ func (km *KeyMgr) GenerateKeyPairs() (*model.Keyset, error) { }, nil } -// StorePrivateKeys stores the given keyset in Vault under the specified key ID. -func (km *KeyMgr) StorePrivateKeys(ctx context.Context, keyID string, keys *model.Keyset) error { +// InsertKeyset stores the given keyset in Vault under the specified key ID. +func (km *KeyMgr) InsertKeyset(ctx context.Context, keyID string, keys *model.Keyset) error { if keyID == "" { return ErrEmptyKeyID } @@ -233,44 +232,8 @@ func (km *KeyMgr) StorePrivateKeys(ctx context.Context, keyID string, keys *mode return nil } -// SigningPrivateKey retrieves the unique key ID and signing private key for the given key ID. -func (km *KeyMgr) SigningPrivateKey(ctx context.Context, keyID string) (string, string, error) { - keys, err := km.getKeys(ctx, keyID) - if err != nil { - return "", "", err - } - return keys.UniqueKeyID, keys.SigningPrivate, nil -} - -// EncrPrivateKey retrieves the unique key ID and encryption private key for the given key ID. -func (km *KeyMgr) EncrPrivateKey(ctx context.Context, keyID string) (string, string, error) { - keys, err := km.getKeys(ctx, keyID) - if err != nil { - return "", "", err - } - return keys.UniqueKeyID, keys.EncrPrivate, nil -} - -// SigningPublicKey returns the signing public key for the given subscriber ID and key ID. -func (km *KeyMgr) SigningPublicKey(ctx context.Context, subscriberID, uniqueKeyID string) (string, error) { - keys, err := km.getPublicKeys(ctx, subscriberID, uniqueKeyID) - if err != nil { - return "", err - } - return keys.SigningPublic, nil -} - -// EncrPublicKey returns the encryption public key for the given subscriber ID and key ID. -func (km *KeyMgr) EncrPublicKey(ctx context.Context, subscriberID, uniqueKeyID string) (string, error) { - keys, err := km.getPublicKeys(ctx, subscriberID, uniqueKeyID) - if err != nil { - return "", err - } - return keys.EncrPublic, nil -} - -// DeletePrivateKeys deletes the private keys for the given key ID from Vault. -func (km *KeyMgr) DeletePrivateKeys(ctx context.Context, keyID string) error { +// DeleteKeyset deletes the private keys for the given key ID from Vault. +func (km *KeyMgr) DeleteKeyset(ctx context.Context, keyID string) error { if keyID == "" { return ErrEmptyKeyID } @@ -283,8 +246,8 @@ func (km *KeyMgr) DeletePrivateKeys(ctx context.Context, keyID string) error { return km.VaultClient.KVv2(path).Delete(ctx, keyID) } -// getKeys retrieves the full keyset from Vault for the given key ID. -func (km *KeyMgr) getKeys(ctx context.Context, keyID string) (*model.Keyset, error) { +// Keyset retrieves the keyset for the given key ID from Vault and public keys from the registry. +func (km *KeyMgr) Keyset(ctx context.Context, keyID string) (*model.Keyset, error) { if keyID == "" { return nil, ErrEmptyKeyID } @@ -324,32 +287,16 @@ func (km *KeyMgr) getKeys(ctx context.Context, keyID string) (*model.Keyset, err }, nil } -// getPublicKeys fetches the public keys from cache or registry for the given subscriber and key ID. -func (km *KeyMgr) getPublicKeys(ctx context.Context, subscriberID, uniqueKeyID string) (*model.Keyset, error) { - if err := validateParams(subscriberID, uniqueKeyID); err != nil { - return nil, err - } +// LookupNPKeys retrieves the signing and encryption public keys for the given subscriber ID and unique key ID. +func (km *KeyMgr) LookupNPKeys(ctx context.Context, subscriberID, uniqueKeyID string) (string, string, error) { cacheKey := fmt.Sprintf("%s_%s", subscriberID, uniqueKeyID) cachedData, err := km.Cache.Get(ctx, cacheKey) if err == nil { var keys model.Keyset if err := json.Unmarshal([]byte(cachedData), &keys); err == nil { - return &keys, nil + return keys.SigningPublic, keys.EncrPublic, nil } } - publicKeys, err := km.lookupRegistry(ctx, subscriberID, uniqueKeyID) - if err != nil { - return nil, err - } - cacheValue, err := json.Marshal(publicKeys) - if err == nil { - _ = km.Cache.Set(ctx, cacheKey, string(cacheValue), time.Hour) - } - return publicKeys, nil -} - -// lookupRegistry queries the registry for public keys based on subscriber ID and key ID. -func (km *KeyMgr) lookupRegistry(ctx context.Context, subscriberID, uniqueKeyID string) (*model.Keyset, error) { subscribers, err := km.Registry.Lookup(ctx, &model.Subscription{ Subscriber: model.Subscriber{ SubscriberID: subscriberID, @@ -357,15 +304,12 @@ func (km *KeyMgr) lookupRegistry(ctx context.Context, subscriberID, uniqueKeyID KeyID: uniqueKeyID, }) if err != nil { - return nil, fmt.Errorf("failed to lookup registry: %w", err) + return "", "", fmt.Errorf("failed to lookup registry: %w", err) } if len(subscribers) == 0 { - return nil, ErrSubscriberNotFound + return "", "", ErrSubscriberNotFound } - return &model.Keyset{ - SigningPublic: subscribers[0].SigningPublicKey, - EncrPublic: subscribers[0].EncrPublicKey, - }, nil + return subscribers[0].SigningPublicKey, subscribers[0].EncrPublicKey, nil } // validateParams checks that subscriberID and uniqueKeyID are not empty. diff --git a/pkg/plugin/implementation/keymanager/keymanager_test.go b/pkg/plugin/implementation/keymanager/keymanager_test.go index c66b2fe..47d0fa2 100644 --- a/pkg/plugin/implementation/keymanager/keymanager_test.go +++ b/pkg/plugin/implementation/keymanager/keymanager_test.go @@ -50,7 +50,9 @@ func (m *mockRegistry) Lookup(ctx context.Context, sub *model.Subscription) ([]m }, nil } -type mockCache struct{} +type mockCache struct { + GetFunc func(ctx context.Context, key string) (string, error) +} func (m *mockCache) Get(ctx context.Context, key string) (string, error) { return "", nil @@ -193,7 +195,7 @@ func TestGenerateKeyPairs(t *testing.T) { } km := &KeyMgr{} - keyset, err := km.GenerateKeyPairs() + keyset, err := km.GenerateKeyset() if tt.expectErr { if err == nil { @@ -589,7 +591,7 @@ func TestStorePrivateKeysSuccess(t *testing.T) { KvVersion: tt.kvVersion, } - err = km.StorePrivateKeys(ctx, tt.keyID, tt.keys) + err = km.InsertKeyset(ctx, tt.keyID, tt.keys) if err != nil { t.Errorf("expected no error, got %v", err) } @@ -667,7 +669,7 @@ func TestStorePrivateKeysFailure(t *testing.T) { KvVersion: tt.kvVersion, } - err = km.StorePrivateKeys(ctx, tt.keyID, tt.keys) + err = km.InsertKeyset(ctx, tt.keyID, tt.keys) if err == nil { t.Fatalf("expected error %q but got nil", tt.expectedErr) @@ -717,7 +719,7 @@ func TestDeletePrivateKeys(t *testing.T) { KvVersion: tt.kvVersion, VaultClient: nil, } - err := km.DeletePrivateKeys(context.Background(), tt.keyID) + err := km.DeleteKeyset(context.Background(), tt.keyID) if err != tt.wantErr { t.Errorf("expected error %v, got %v", tt.wantErr, err) } @@ -745,7 +747,7 @@ func TestDeletePrivateKeys(t *testing.T) { VaultClient: vaultClient, } - err = km.DeletePrivateKeys(context.Background(), tt.keyID) + err = km.DeleteKeyset(context.Background(), tt.keyID) if err != tt.wantErr { t.Errorf("DeletePrivateKeys() error = %v, want %v", err, tt.wantErr) } @@ -809,7 +811,7 @@ func setupMockVaultServer(t *testing.T, kvVersion, keyID string, success bool) * return httptest.NewServer(handler) } -func TestGetKeysSuccess(t *testing.T) { +func TestKeysetSuccess(t *testing.T) { tests := []struct { name string kvVersion string @@ -845,7 +847,7 @@ func TestGetKeysSuccess(t *testing.T) { KvVersion: tt.kvVersion, } - keys, err := km.getKeys(context.Background(), tt.keyID) + keys, err := km.Keyset(context.Background(), tt.keyID) if err != nil { t.Fatalf("unexpected error: %v", err) } @@ -862,7 +864,7 @@ func TestGetKeysSuccess(t *testing.T) { } } -func TestGetKeysFailure(t *testing.T) { +func TestKeysetFailure(t *testing.T) { tests := []struct { name string kvVersion string @@ -915,7 +917,7 @@ func TestGetKeysFailure(t *testing.T) { KvVersion: tt.kvVersion, } - keys, err := km.getKeys(context.Background(), tt.keyID) + keys, err := km.Keyset(context.Background(), tt.keyID) if err == nil { t.Fatalf("expected error but got nil") } @@ -926,195 +928,6 @@ func TestGetKeysFailure(t *testing.T) { } } -func TestGetPublicKeysSuccess(t *testing.T) { - km := &KeyMgr{ - Cache: &mockCache{}, - Registry: &mockRegistry{ - LookupFunc: func(ctx context.Context, sub *model.Subscription) ([]model.Subscription, error) { - return []model.Subscription{ - { - Subscriber: model.Subscriber{ - SubscriberID: sub.SubscriberID, - }, - KeyID: sub.KeyID, - SigningPublicKey: "mock-signing-public-key", - EncrPublicKey: "mock-encryption-public-key", - }, - }, nil - }, - }, - } - - got, err := km.getPublicKeys(context.Background(), "sub-id", "key-id") - if err != nil { - t.Fatalf("getPublicKeys() unexpected error: %v", err) - } - if got == nil { - t.Fatal("getPublicKeys() returned nil Keyset") - } - if got.SigningPublic != "mock-signing-public-key" { - t.Errorf("SigningPublic = %v, want %v", got.SigningPublic, "mock-signing-public-key") - } - if got.EncrPublic != "mock-encryption-public-key" { - t.Errorf("EncrPublic = %v, want %v", got.EncrPublic, "mock-encryption-public-key") - } -} - -func TestGetPublicKeysFailure(t *testing.T) { - type fields struct { - cache definition.Cache - registry definition.RegistryLookup - } - type args struct { - subscriberID string - uniqueKeyID string - } - tests := []struct { - name string - fields fields - args args - errMessage string - }{ - { - name: "failure - invalid parameters", - fields: fields{ - cache: &mockCache{}, - registry: &mockRegistry{}, - }, - args: args{ - subscriberID: "", - uniqueKeyID: "", - }, - errMessage: "invalid", - }, - { - name: "failure - registry lookup fails", - fields: fields{ - cache: &mockCache{}, - registry: &mockRegistry{ - LookupFunc: func(ctx context.Context, sub *model.Subscription) ([]model.Subscription, error) { - return nil, fmt.Errorf("registry down") - }, - }, - }, - args: args{ - subscriberID: "sub-id", - uniqueKeyID: "key-id", - }, - errMessage: "registry down", - }, - { - name: "failure - registry returns empty", - fields: fields{ - cache: &mockCache{}, - registry: &mockRegistry{ - LookupFunc: func(ctx context.Context, sub *model.Subscription) ([]model.Subscription, error) { - return []model.Subscription{}, nil - }, - }, - }, - args: args{ - subscriberID: "sub-id", - uniqueKeyID: "key-id", - }, - errMessage: "no subscriber found", - }, - } - - for _, tt := range tests { - t.Run(tt.name, func(t *testing.T) { - km := &KeyMgr{ - Cache: tt.fields.cache, - Registry: tt.fields.registry, - } - got, err := km.getPublicKeys(context.Background(), tt.args.subscriberID, tt.args.uniqueKeyID) - if err == nil { - t.Errorf("getPublicKeys() expected error but got none, result: %v", got) - return - } - if !strings.Contains(err.Error(), tt.errMessage) { - t.Errorf("getPublicKeys() error = %v, want error message to contain %v", err.Error(), tt.errMessage) - } - }) - } -} - -func TestLookupRegistrySuccess(t *testing.T) { - km := &KeyMgr{ - Registry: &mockRegistry{ - LookupFunc: func(ctx context.Context, sub *model.Subscription) ([]model.Subscription, error) { - return []model.Subscription{ - { - Subscriber: model.Subscriber{ - SubscriberID: sub.SubscriberID, - }, - KeyID: sub.KeyID, - SigningPublicKey: "signing-key", - EncrPublicKey: "encryption-key", - }, - }, nil - }, - }, - } - - got, err := km.lookupRegistry(context.Background(), "test-subscriber", "key123") - if err != nil { - t.Fatalf("expected no error, got %v", err) - } - - want := &model.Keyset{ - SigningPublic: "signing-key", - EncrPublic: "encryption-key", - } - - if got.SigningPublic != want.SigningPublic { - t.Errorf("SigningPublic = %v, want %v", got.SigningPublic, want.SigningPublic) - } - if got.EncrPublic != want.EncrPublic { - t.Errorf("EncrPublic = %v, want %v", got.EncrPublic, want.EncrPublic) - } -} - -func TestLookupRegistryFailure(t *testing.T) { - tests := []struct { - name string - mockLookup func(ctx context.Context, sub *model.Subscription) ([]model.Subscription, error) - wantErr error - }{ - { - name: "lookup error", - mockLookup: func(ctx context.Context, sub *model.Subscription) ([]model.Subscription, error) { - return nil, fmt.Errorf("registry failure") - }, - wantErr: fmt.Errorf("registry failure"), - }, - { - name: "no subscriber found", - mockLookup: func(ctx context.Context, sub *model.Subscription) ([]model.Subscription, error) { - return []model.Subscription{}, nil - }, - wantErr: ErrSubscriberNotFound, - }, - } - - for _, tt := range tests { - t.Run(tt.name, func(t *testing.T) { - km := &KeyMgr{ - Registry: &mockRegistry{ - LookupFunc: tt.mockLookup, - }, - } - got, err := km.lookupRegistry(context.Background(), "some-id", "key-id") - if err == nil { - t.Fatalf("expected error, got none") - } - if got != nil { - t.Errorf("expected nil keyset, got %v", got) - } - }) - } -} - func TestValidateParamsSuccess(t *testing.T) { err := validateParams("someSubscriberID", "someUniqueKeyID") if err != nil { @@ -1161,3 +974,126 @@ func TestValidateParamsFailure(t *testing.T) { }) } } + +func TestLookupNPKeysSuccess(t *testing.T) { + tests := []struct { + name string + cacheGetFunc func(ctx context.Context, key string) (string, error) + registryLookupFunc func(ctx context.Context, sub *model.Subscription) ([]model.Subscription, error) + expectedSigningPub string + expectedEncrPub string + }{ + { + name: "Cache hit with valid keys", + cacheGetFunc: func(ctx context.Context, key string) (string, error) { + return `{"SigningPublic":"mock-signing-public-key","EncrPublic":"mock-encryption-public-key"}`, nil + }, + registryLookupFunc: nil, + expectedSigningPub: "mock-signing-public-key", + expectedEncrPub: "mock-encryption-public-key", + }, + { + name: "Cache miss and registry success", + cacheGetFunc: func(ctx context.Context, key string) (string, error) { + + return "", nil + }, + registryLookupFunc: func(ctx context.Context, sub *model.Subscription) ([]model.Subscription, error) { + return []model.Subscription{ + { + Subscriber: model.Subscriber{ + SubscriberID: sub.SubscriberID, + }, + KeyID: sub.KeyID, + SigningPublicKey: "mock-signing-public-key", + EncrPublicKey: "mock-encryption-public-key", + }, + }, nil + }, + expectedSigningPub: "mock-signing-public-key", + expectedEncrPub: "mock-encryption-public-key", + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + // Set up the KeyMgr with mocks + km := &KeyMgr{ + Cache: &mockCache{ + GetFunc: tt.cacheGetFunc, + }, + Registry: &mockRegistry{ + LookupFunc: tt.registryLookupFunc, + }, + } + + // Call the method + signingPublic, encrPublic, err := km.LookupNPKeys(context.Background(), "sub-id", "key-id") + + // Validate no errors in success cases + if err != nil { + t.Fatalf("LookupNPKeys() unexpected error: %v", err) + } + + // Validate returned public keys + if signingPublic != tt.expectedSigningPub { + t.Errorf("SigningPublic = %v, want %v", signingPublic, tt.expectedSigningPub) + } + if encrPublic != tt.expectedEncrPub { + t.Errorf("EncrPublic = %v, want %v", encrPublic, tt.expectedEncrPub) + } + }) + } +} + +func TestLookupNPKeysFailure(t *testing.T) { + tests := []struct { + name string + cacheGetFunc func(ctx context.Context, key string) (string, error) + registryLookupFunc func(ctx context.Context, sub *model.Subscription) ([]model.Subscription, error) + expectedError string + }{ + { + name: "Cache miss and registry failure", + cacheGetFunc: func(ctx context.Context, key string) (string, error) { + return "", nil + }, + registryLookupFunc: func(ctx context.Context, sub *model.Subscription) ([]model.Subscription, error) { + return nil, fmt.Errorf("registry down") + }, + expectedError: "registry down", + }, + { + name: "Cache miss and registry returns no subscriber", + cacheGetFunc: func(ctx context.Context, key string) (string, error) { + return "", nil + }, + registryLookupFunc: func(ctx context.Context, sub *model.Subscription) ([]model.Subscription, error) { + return nil, nil + }, + expectedError: "no subscriber found with given credentials", + }, + } + + for _, tt := range tests { + t.Run(tt.name, func(t *testing.T) { + // Set up the KeyMgr with mocks + km := &KeyMgr{ + Cache: &mockCache{ + GetFunc: tt.cacheGetFunc, + }, + Registry: &mockRegistry{ + LookupFunc: tt.registryLookupFunc, + }, + } + _, _, err := km.LookupNPKeys(context.Background(), "sub-id", "key-id") + if err == nil { + t.Fatalf("expected an error but got none") + } + + if !strings.Contains(err.Error(), tt.expectedError) { + t.Errorf("expected error to contain %v, got %v", tt.expectedError, err.Error()) + } + }) + } +} From 3ebf4e981550ca4fd68db1a9e793ce2d58b3f079 Mon Sep 17 00:00:00 2001 From: MohitKatare-protean Date: Tue, 27 May 2025 10:51:40 +0530 Subject: [PATCH 6/8] updated steps to use updated keymanager interface function --- core/module/handler/step.go | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/core/module/handler/step.go b/core/module/handler/step.go index 936ee98..9edd3b0 100644 --- a/core/module/handler/step.go +++ b/core/module/handler/step.go @@ -31,18 +31,18 @@ func newSignStep(signer definition.Signer, km definition.KeyManager) (definition // Run executes the signing step. func (s *signStep) Run(ctx *model.StepContext) error { - keyID, key, err := s.km.SigningPrivateKey(ctx, ctx.SubID) + keySet, err := s.km.Keyset(ctx, ctx.SubID) if err != nil { return fmt.Errorf("failed to get signing key: %w", err) } createdAt := time.Now().Unix() validTill := time.Now().Add(5 * time.Minute).Unix() - sign, err := s.signer.Sign(ctx, ctx.Body, key, createdAt, validTill) + sign, err := s.signer.Sign(ctx, ctx.Body, keySet.SigningPrivate, createdAt, validTill) if err != nil { return fmt.Errorf("failed to sign request: %w", err) } - authHeader := s.generateAuthHeader(ctx.SubID, keyID, createdAt, validTill, sign) + authHeader := s.generateAuthHeader(ctx.SubID, keySet.UniqueKeyID, createdAt, validTill, sign) header := model.AuthHeaderSubscriber if ctx.Role == model.RoleGateway { @@ -107,13 +107,12 @@ func (s *validateSignStep) validate(ctx *model.StepContext, value string) error if len(ids) < 2 || len(headerParts) < 3 { return fmt.Errorf("malformed sign header") } - subID := ids[1] keyID := headerParts[1] - key, err := s.km.SigningPublicKey(ctx, subID, keyID) + keySet, err := s.km.Keyset(ctx, keyID) if err != nil { return fmt.Errorf("failed to get validation key: %w", err) } - if err := s.validator.Validate(ctx, ctx.Body, value, key); err != nil { + if err := s.validator.Validate(ctx, ctx.Body, value, keySet.SigningPublic); err != nil { return fmt.Errorf("sign validation failed: %w", err) } return nil From 1db8aa48ac88efd55493a566a94969121aa14d9b Mon Sep 17 00:00:00 2001 From: MohitKatare-protean Date: Wed, 28 May 2025 11:25:11 +0530 Subject: [PATCH 7/8] Resolved PR review comments --- core/module/handler/step.go | 4 +- .../implementation/keymanager/cmd/plugin.go | 4 +- .../keymanager/cmd/plugin_test.go | 8 ++-- .../implementation/keymanager/keymanager.go | 37 +++++++-------- .../keymanager/keymanager_test.go | 47 ++++++++++++------- 5 files changed, 55 insertions(+), 45 deletions(-) diff --git a/core/module/handler/step.go b/core/module/handler/step.go index 9edd3b0..3998986 100644 --- a/core/module/handler/step.go +++ b/core/module/handler/step.go @@ -108,11 +108,11 @@ func (s *validateSignStep) validate(ctx *model.StepContext, value string) error return fmt.Errorf("malformed sign header") } keyID := headerParts[1] - keySet, err := s.km.Keyset(ctx, keyID) + signingPublicKey, _, err := s.km.LookupNPKeys(ctx, ctx.SubID, keyID) if err != nil { return fmt.Errorf("failed to get validation key: %w", err) } - if err := s.validator.Validate(ctx, ctx.Body, value, keySet.SigningPublic); err != nil { + if err := s.validator.Validate(ctx, ctx.Body, value, signingPublicKey); err != nil { return fmt.Errorf("sign validation failed: %w", err) } return nil diff --git a/pkg/plugin/implementation/keymanager/cmd/plugin.go b/pkg/plugin/implementation/keymanager/cmd/plugin.go index b4450d3..f7579e9 100644 --- a/pkg/plugin/implementation/keymanager/cmd/plugin.go +++ b/pkg/plugin/implementation/keymanager/cmd/plugin.go @@ -17,8 +17,8 @@ var newKeyManagerFunc = keymanager.New // New creates and initializes a new KeyManager instance using the provided cache, registry lookup, and configuration. func (k *keyManagerProvider) New(ctx context.Context, cache definition.Cache, registry definition.RegistryLookup, cfg map[string]string) (definition.KeyManager, func() error, error) { config := &keymanager.Config{ - VaultAddr: cfg["vault_addr"], - KVVersion: cfg["kv_version"], + VaultAddr: cfg["vaultAddr"], + KVVersion: cfg["kvVersion"], } log.Debugf(ctx, "Keymanager config mapped: %+v", cfg) km, cleanup, err := newKeyManagerFunc(ctx, cache, registry, config) diff --git a/pkg/plugin/implementation/keymanager/cmd/plugin_test.go b/pkg/plugin/implementation/keymanager/cmd/plugin_test.go index 881b837..bafd4bb 100644 --- a/pkg/plugin/implementation/keymanager/cmd/plugin_test.go +++ b/pkg/plugin/implementation/keymanager/cmd/plugin_test.go @@ -62,8 +62,8 @@ func TestNewSuccess(t *testing.T) { cache := &mockCache{} registry := &mockRegistry{} cfg := map[string]string{ - "vault_addr": "http://dummy-vault", - "kv_version": "2", + "vaultAddr": "http://dummy-vault", + "kvVersion": "2", } cleanupCalled := false @@ -105,8 +105,8 @@ func TestNewFailure(t *testing.T) { cache := &mockCache{} registry := &mockRegistry{} cfg := map[string]string{ - "vault_addr": "http://dummy-vault", - "kv_version": "2", + "vaultAddr": "http://dummy-vault", + "kvVersion": "2", } newKeyManagerFunc = func(ctx context.Context, cache definition.Cache, registry definition.RegistryLookup, cfg *keymanager.Config) (*keymanager.KeyMgr, func() error, error) { diff --git a/pkg/plugin/implementation/keymanager/keymanager.go b/pkg/plugin/implementation/keymanager/keymanager.go index c79b8c1..7dcac67 100644 --- a/pkg/plugin/implementation/keymanager/keymanager.go +++ b/pkg/plugin/implementation/keymanager/keymanager.go @@ -10,6 +10,7 @@ import ( "errors" "fmt" "os" + "strings" "github.com/beckn/beckn-onix/pkg/log" "github.com/beckn/beckn-onix/pkg/model" @@ -61,11 +62,13 @@ func ValidateCfg(cfg *Config) error { if cfg.VaultAddr == "" { return errors.New("invalid config: VaultAddr cannot be empty") } - if cfg.KVVersion == "" { - cfg.KVVersion = "v1" - } else if cfg.KVVersion != "v1" && cfg.KVVersion != "v2" { + kvVersion := strings.ToLower(cfg.KVVersion) + if kvVersion == "" { + kvVersion = "v1" + } else if kvVersion != "v1" && kvVersion != "v2" { return fmt.Errorf("invalid KVVersion: must be 'v1' or 'v2'") } + cfg.KVVersion = kvVersion return nil } @@ -199,6 +202,14 @@ func (km *KeyMgr) GenerateKeyset() (*model.Keyset, error) { }, nil } +// getSecretPath constructs the Vault secret path for storing keys based on the KV version. +func (km *KeyMgr) getSecretPath(keyID string) string { + if km.KvVersion == "v2" { + return fmt.Sprintf("secret/data/keys/%s", keyID) + } + return fmt.Sprintf("secret/keys/%s", keyID) +} + // InsertKeyset stores the given keyset in Vault under the specified key ID. func (km *KeyMgr) InsertKeyset(ctx context.Context, keyID string, keys *model.Keyset) error { if keyID == "" { @@ -215,19 +226,17 @@ func (km *KeyMgr) InsertKeyset(ctx context.Context, keyID string, keys *model.Ke "encrPublicKey": keys.EncrPublic, "encrPrivateKey": keys.EncrPrivate, } - var path string + path := km.getSecretPath(keyID) var payload map[string]interface{} if km.KvVersion == "v2" { - path = fmt.Sprintf("secret/data/keys/%s", keyID) payload = map[string]interface{}{"data": keyData} } else { - path = fmt.Sprintf("secret/keys/%s", keyID) payload = keyData } _, err := km.VaultClient.Logical().Write(path, payload) if err != nil { - return fmt.Errorf("failed to store secret in Vault: %w", err) + return fmt.Errorf("failed to store secret in Vault at path %s: %w", path, err) } return nil } @@ -237,12 +246,7 @@ func (km *KeyMgr) DeleteKeyset(ctx context.Context, keyID string) error { if keyID == "" { return ErrEmptyKeyID } - var path string - if km.KvVersion == "v2" { - path = fmt.Sprintf("secret/data/private_keys/%s", keyID) - } else { - path = fmt.Sprintf("secret/private_keys/%s", keyID) - } + path := km.getSecretPath(keyID) return km.VaultClient.KVv2(path).Delete(ctx, keyID) } @@ -252,12 +256,7 @@ func (km *KeyMgr) Keyset(ctx context.Context, keyID string) (*model.Keyset, erro return nil, ErrEmptyKeyID } - var path string - if km.KvVersion == "v2" { - path = fmt.Sprintf("secret/data/private_keys/%s", keyID) - } else { - path = fmt.Sprintf("secret/private_keys/%s", keyID) - } + path := km.getSecretPath(keyID) secret, err := km.VaultClient.Logical().Read(path) if err != nil || secret == nil { diff --git a/pkg/plugin/implementation/keymanager/keymanager_test.go b/pkg/plugin/implementation/keymanager/keymanager_test.go index 47d0fa2..48a6b7c 100644 --- a/pkg/plugin/implementation/keymanager/keymanager_test.go +++ b/pkg/plugin/implementation/keymanager/keymanager_test.go @@ -636,7 +636,7 @@ func TestStorePrivateKeysFailure(t *testing.T) { keyID: "mykeyid", keys: keys, statusCode: 500, - expectedErr: "failed to store secret in Vault: Error making API request", + expectedErr: "failed to store secret in Vault at path secret/keys/mykeyid: Error making API request.", }, } @@ -699,14 +699,14 @@ func TestDeletePrivateKeys(t *testing.T) { name: "v1 delete", kvVersion: "v1", keyID: "key123", - wantPath: "/v1/secret/private_keys/key123/data/key123", + wantPath: "/v1/secret/keys/key123/data/key123", wantErr: nil, }, { name: "v2 delete", kvVersion: "v2", keyID: "key123", - wantPath: "/v1/secret/data/private_keys/key123/data/key123", + wantPath: "/v1/secret/data/keys/key123/data/key123", wantErr: nil, }, } @@ -759,9 +759,8 @@ func setupMockVaultServer(t *testing.T, kvVersion, keyID string, success bool) * t.Helper() handler := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { - // Check that request path is expected - expectedPathV1 := fmt.Sprintf("/v1/secret/private_keys/%s", keyID) - expectedPathV2 := fmt.Sprintf("/v1/secret/data/private_keys/%s", keyID) + expectedPathV1 := fmt.Sprintf("/v1/secret/keys/%s", keyID) + expectedPathV2 := fmt.Sprintf("/v1/secret/data/keys/%s", keyID) if (kvVersion == "v2" && r.URL.Path != expectedPathV2) || (kvVersion != "v2" && r.URL.Path != expectedPathV1) { http.Error(w, "not found", http.StatusNotFound) @@ -769,14 +768,18 @@ func setupMockVaultServer(t *testing.T, kvVersion, keyID string, success bool) * } if !success { - // Simulate Vault error or not found http.Error(w, `{"errors":["key not found"]}`, http.StatusNotFound) return } - // Success response JSON, different for v1 and v2 + w.Header().Set("Content-Type", "application/json") + if kvVersion == "v2" { resp := fmt.Sprintf(`{ + "request_id": "req-1234", + "lease_id": "", + "renewable": false, + "lease_duration": 0, "data": { "data": { "uniqueKeyID": "%s", @@ -784,27 +787,35 @@ func setupMockVaultServer(t *testing.T, kvVersion, keyID string, success bool) * "signingPrivateKey": "sign-priv", "encrPublicKey": "encr-pub", "encrPrivateKey": "encr-priv" + }, + "metadata": { + "created_time": "2025-05-28T00:00:00Z", + "deletion_time": "", + "destroyed": false, + "version": 1 } - } + }, + "warnings": null, + "auth": null }`, keyID) - w.Header().Set("Content-Type", "application/json") - if _, err := w.Write([]byte(resp)); err != nil { - t.Fatalf("failed to write response: %v", err) - } + w.Write([]byte(resp)) } else { resp := fmt.Sprintf(`{ + "request_id": "req-1234", + "lease_id": "", + "renewable": false, + "lease_duration": 0, "data": { "uniqueKeyID": "%s", "signingPublicKey": "sign-pub", "signingPrivateKey": "sign-priv", "encrPublicKey": "encr-pub", "encrPrivateKey": "encr-priv" - } + }, + "warnings": null, + "auth": null }`, keyID) - w.Header().Set("Content-Type", "application/json") - if _, err := w.Write([]byte(resp)); err != nil { - t.Fatalf("failed to write response: %v", err) - } + w.Write([]byte(resp)) } }) From 3fc1ef53f04c343421c83eb2fae67f632e7d3023 Mon Sep 17 00:00:00 2001 From: MohitKatare-protean Date: Wed, 28 May 2025 11:28:40 +0530 Subject: [PATCH 8/8] Resolved linting issue --- pkg/plugin/implementation/keymanager/keymanager_test.go | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/pkg/plugin/implementation/keymanager/keymanager_test.go b/pkg/plugin/implementation/keymanager/keymanager_test.go index 48a6b7c..5415f46 100644 --- a/pkg/plugin/implementation/keymanager/keymanager_test.go +++ b/pkg/plugin/implementation/keymanager/keymanager_test.go @@ -798,7 +798,9 @@ func setupMockVaultServer(t *testing.T, kvVersion, keyID string, success bool) * "warnings": null, "auth": null }`, keyID) - w.Write([]byte(resp)) + if _, err := w.Write([]byte(resp)); err != nil { + t.Fatalf("failed to write response: %v", err) + } } else { resp := fmt.Sprintf(`{ "request_id": "req-1234", @@ -815,7 +817,9 @@ func setupMockVaultServer(t *testing.T, kvVersion, keyID string, success bool) * "warnings": null, "auth": null }`, keyID) - w.Write([]byte(resp)) + if _, err := w.Write([]byte(resp)); err != nil { + t.Fatalf("failed to write response: %v", err) + } } })