Keys domains criteria from name to tag.

Now the division of keys into domains is no longer done based on the name but based on the tags.
pagopa · Jun 6, 2024 · a075ebd · a075ebd
1 parent 8110136
commit a075ebd
Show file tree

Hide file tree

Showing 7 changed files with 221 additions and 142 deletions.
diff --git a/...swclient/mil/azureservices/keyvault/keys/service/AzureKeyVaultKeysExtReactiveService.java b/...swclient/mil/azureservices/keyvault/keys/service/AzureKeyVaultKeysExtReactiveService.java
@@ -138,15 +138,15 @@ private Multi<KeyItem> getKeyVersions(String keyName) {
 
 	/**
 	 * 
-	 * @param prefix
+	 * @param domain
 	 * @param expectedOps  {@link JsonWebKeyOperation}
 	 * @param expectedKtys {@link JsonWebKeyType}
 	 * @return
 	 */
-	public Multi<KeyBundle> getKeys(String prefix, List<String> expectedOps, List<String> expectedKtys) {
+	public Multi<KeyBundle> getKeys(String domain, List<String> expectedOps, List<String> expectedKtys) {
 		return getKeys() // Multi<KeyItem>
+			.filter(keyItem -> KeyUtils.doesDomainMatch(keyItem, domain))
 			.map(KeyUtils::getKeyName) // Multi<String> keyName
-			.filter(keyName -> KeyUtils.doesPrefixMatch(keyName, prefix))
 			.onItem().transformToMultiAndConcatenate(this::getKeyVersions) // Multi<KeyItem>
 			.filter(KeyUtils::isValid)
 			.map(KeyUtils::getKeyNameVersion) // Multi<String[]>

diff --git a/.../pagopa/swclient/mil/azureservices/keyvault/keys/service/AzureKeyVaultKeysExtService.java b/.../pagopa/swclient/mil/azureservices/keyvault/keys/service/AzureKeyVaultKeysExtService.java
@@ -62,15 +62,15 @@ private Stream<KeyItem> getKeyVersions(String keyName) {
 
 	/**
 	 * 
-	 * @param prefix
+	 * @param domain
 	 * @param expectedOps  {@link JsonWebKeyOperation}
 	 * @param expectedKtys {@link JsonWebKeyType}
 	 * @return
 	 */
-	public Stream<KeyBundle> getKeys(String prefix, List<String> expectedOps, List<String> expectedKtys) {
+	public Stream<KeyBundle> getKeys(String domain, List<String> expectedOps, List<String> expectedKtys) {
 		return getKeys() // Stream<KeyItem>
+			.filter(keyItem -> KeyUtils.doesDomainMatch(keyItem, domain))
 			.map(KeyUtils::getKeyName) // Stream<String> keyName
-			.filter(keyName -> KeyUtils.doesPrefixMatch(keyName, prefix))
 			.flatMap(this::getKeyVersions) // Stream<KeyItem>
 			.filter(KeyUtils::isValid)
 			.map(KeyUtils::getKeyNameVersion) // Stream<String[]>

diff --git a/src/main/java/it/pagopa/swclient/mil/azureservices/keyvault/keys/util/KeyUtils.java b/src/main/java/it/pagopa/swclient/mil/azureservices/keyvault/keys/util/KeyUtils.java
@@ -28,6 +28,11 @@
  * @author Antonio Tarricone
  */
 public class KeyUtils {
+	/*
+	 * 
+	 */
+	public static final String DOMAIN_KEY = "domain";
+
 	/**
 	 * 
 	 */
@@ -57,18 +62,14 @@ public static String[] getKeyNameVersion(KeyItem keyItem) {
 
 	/**
 	 * 
-	 * @param keyName
-	 * @param prefix
+	 * @param keyItem
+	 * @param domain
 	 * @return
 	 */
-	public static boolean doesPrefixMatch(String keyName, String prefix) {
-		if (prefix == null || keyName.startsWith(prefix)) {
-			Log.tracef("Prefix matches or is null: keyName = %s, prefix = %s", keyName, prefix);
-			return true;
-		}
-
-		Log.debugf("Prefix doesn't match: keyName = %s, prefix = %s", keyName, prefix);
-		return false;
+	public static boolean doesDomainMatch(KeyItem keyItem, String domain) {
+		Map<String, String> tags = keyItem.getTags();
+		return (tags != null && Objects.equals(domain, tags.get(DOMAIN_KEY))) ||
+			(tags == null && domain == null);
 	}
 
 	/**

diff --git a/...ient/mil/azureservices/keyvault/keys/service/AzureKeyVaultKeysExtReactiveServiceTest.java b/...ient/mil/azureservices/keyvault/keys/service/AzureKeyVaultKeysExtReactiveServiceTest.java
@@ -11,6 +11,7 @@
 import java.time.Instant;
 import java.time.temporal.ChronoUnit;
 import java.util.List;
+import java.util.Map;
 import java.util.Optional;
 
 import org.junit.jupiter.api.AfterEach;
@@ -30,6 +31,7 @@
 import it.pagopa.swclient.mil.azureservices.keyvault.keys.bean.KeyBundle;
 import it.pagopa.swclient.mil.azureservices.keyvault.keys.bean.KeyItem;
 import it.pagopa.swclient.mil.azureservices.keyvault.keys.bean.KeyListResult;
+import it.pagopa.swclient.mil.azureservices.keyvault.keys.util.KeyUtils;
 import jakarta.inject.Inject;
 
 /**
@@ -158,162 +160,161 @@ private void setup() {
 
 		KeyItem item__attr_ok__key_no_rsa_sign_verify = new KeyItem()
 			.setAttributes(attr_ok)
-			.setKid("https://myvault.vault.azure.net/keys/attr_ok__key_no_rsa_sign_verify");
+			.setKid("https://myvault.vault.azure.net/keys/attr_ok__key_no_rsa_sign_verify")
+			.setTags(Map.of(KeyUtils.DOMAIN_KEY, "my_domain"));
 
 		KeyItem item__attr_ok__key_rsa_no_sign_verify = new KeyItem()
 			.setAttributes(attr_ok)
-			.setKid("https://myvault.vault.azure.net/keys/attr_ok__key_rsa_no_sign_verify");
+			.setKid("https://myvault.vault.azure.net/keys/attr_ok__key_rsa_no_sign_verify")
+			.setTags(Map.of(KeyUtils.DOMAIN_KEY, "my_domain"));
 
 		KeyItem item__attr_ok_longest_exp__key_rsa_sign_verify = new KeyItem()
 			.setAttributes(attr_ok_longest_exp)
-			.setKid("https://myvault.vault.azure.net/keys/attr_ok_longest_exp__key_rsa_sign_verify");
+			.setKid("https://myvault.vault.azure.net/keys/attr_ok_longest_exp__key_rsa_sign_verify")
+			.setTags(Map.of(KeyUtils.DOMAIN_KEY, "my_domain"));
 
 		KeyItem item__attr_ok_longest_exp__key_no_rsa_sign_verify = new KeyItem()
 			.setAttributes(attr_ok_longest_exp)
-			.setKid("https://myvault.vault.azure.net/keys/attr_ok_longest_exp__key_no_rsa_sign_verify");
+			.setKid("https://myvault.vault.azure.net/keys/attr_ok_longest_exp__key_no_rsa_sign_verify")
+			.setTags(Map.of(KeyUtils.DOMAIN_KEY, "my_domain"));
 
 		KeyItem item__attr_ok_longest_exp__key_rsa_no_sign_verify = new KeyItem()
 			.setAttributes(attr_ok_longest_exp)
-			.setKid("https://myvault.vault.azure.net/keys/attr_ok_longest_exp__key_rsa_no_sign_verify");
+			.setKid("https://myvault.vault.azure.net/keys/attr_ok_longest_exp__key_rsa_no_sign_verify")
+			.setTags(Map.of(KeyUtils.DOMAIN_KEY, "my_domain"));
 
 		KeyItem item__attr_wo_nbf__key_rsa_sign_verify = new KeyItem()
 			.setAttributes(attr_wo_nbf)
-			.setKid("https://myvault.vault.azure.net/keys/attr_wo_nbf__key_rsa_sign_verify");
+			.setKid("https://myvault.vault.azure.net/keys/attr_wo_nbf__key_rsa_sign_verify")
+			.setTags(Map.of(KeyUtils.DOMAIN_KEY, "my_domain"));
 
 		KeyItem item__attr_nbf_not_reached__key_rsa_sign_verify = new KeyItem()
 			.setAttributes(attr_nbf_not_reached)
-			.setKid("https://myvault.vault.azure.net/keys/attr_nbf_not_reached__key_rsa_sign_verify");
+			.setKid("https://myvault.vault.azure.net/keys/attr_nbf_not_reached__key_rsa_sign_verify")
+			.setTags(Map.of(KeyUtils.DOMAIN_KEY, "my_domain"));
 
 		KeyItem item__attr_expired__key_rsa_sign_verify = new KeyItem()
 			.setAttributes(attr_expired)
-			.setKid("https://myvault.vault.azure.net/keys/attr_expired__key_rsa_sign_verify");
+			.setKid("https://myvault.vault.azure.net/keys/attr_expired__key_rsa_sign_verify")
+			.setTags(Map.of(KeyUtils.DOMAIN_KEY, "my_domain"));
 
 		KeyItem item__attr_wo_exp__key_rsa_sign_verify = new KeyItem()
 			.setAttributes(attr_wo_exp)
-			.setKid("https://myvault.vault.azure.net/keys/attr_wo_exp__key_rsa_sign_verify");
+			.setKid("https://myvault.vault.azure.net/keys/attr_wo_exp__key_rsa_sign_verify")
+			.setTags(Map.of(KeyUtils.DOMAIN_KEY, "my_domain"));
 
 		KeyItem item__attr_not_enabled__key_rsa_sign_verify = new KeyItem()
 			.setAttributes(attr_not_enabled)
-			.setKid("https://myvault.vault.azure.net/keys/attr_not_enabled__key_rsa_sign_verify");
+			.setKid("https://myvault.vault.azure.net/keys/attr_not_enabled__key_rsa_sign_verify")
+			.setTags(Map.of(KeyUtils.DOMAIN_KEY, "my_domain"));
 
 		KeyItem item__attr_wo_created__key_rsa_sign_verify = new KeyItem()
 			.setAttributes(attr_wo_created)
-			.setKid("https://myvault.vault.azure.net/keys/attr_wo_created__key_rsa_sign_verify");
+			.setKid("https://myvault.vault.azure.net/keys/attr_wo_created__key_rsa_sign_verify")
+			.setTags(Map.of(KeyUtils.DOMAIN_KEY, "my_domain"));
 
 		KeyItem item__attr_inconsistent_created__key_rsa_sign_verify = new KeyItem()
 			.setAttributes(attr_inconsistent_created)
-			.setKid("https://myvault.vault.azure.net/keys/attr_inconsistent_created__key_rsa_sign_verify");
+			.setKid("https://myvault.vault.azure.net/keys/attr_inconsistent_created__key_rsa_sign_verify")
+			.setTags(Map.of(KeyUtils.DOMAIN_KEY, "my_domain"));
 
-		KeyListResult keyListPage1 = new KeyListResult()
+		KeyListResult keyList = new KeyListResult()
 			.setValue(List.of(
 				item__wo_prefix,
 				item__attr_ok__key_no_rsa_sign_verify,
 				item__attr_ok__key_rsa_no_sign_verify,
-				item__attr_ok_longest_exp__key_rsa_sign_verify))
-			.setNextLink("https://myvault.vault.azure.net:443/keys?api-version=7.2&$skiptoken=skip_1st_page&maxresults=4");
-
-		KeyListResult keyListPage2 = new KeyListResult()
-			.setValue(List.of(
+				item__attr_ok_longest_exp__key_rsa_sign_verify,
 				item__attr_ok_longest_exp__key_no_rsa_sign_verify,
 				item__attr_ok_longest_exp__key_rsa_no_sign_verify,
 				item__attr_wo_nbf__key_rsa_sign_verify,
-				item__attr_nbf_not_reached__key_rsa_sign_verify))
-			.setNextLink("https://myvault.vault.azure.net:443/keys?api-version=7.2&$skiptoken=skip_2nd_page&maxresults=4");
-
-		KeyListResult keyListPage3 = new KeyListResult()
-			.setValue(List.of(
+				item__attr_nbf_not_reached__key_rsa_sign_verify,
 				item__attr_expired__key_rsa_sign_verify,
 				item__attr_wo_exp__key_rsa_sign_verify,
 				item__attr_not_enabled__key_rsa_sign_verify,
-				item__attr_wo_created__key_rsa_sign_verify))
-			.setNextLink("https://myvault.vault.azure.net:443/keys?api-version=7.2&$skiptoken=skip_3rd_page&maxresults=4");
-
-		KeyListResult keyListPage4 = new KeyListResult()
-			.setValue(List.of(item__attr_inconsistent_created__key_rsa_sign_verify))
-			.setNextLink(null);
+				item__attr_wo_created__key_rsa_sign_verify,
+				item__attr_inconsistent_created__key_rsa_sign_verify));
 
 		when(keysService.getKeys())
-			.thenReturn(Uni.createFrom().item(keyListPage1));
-
-		when(keysService.getKeys("skip_1st_page"))
-			.thenReturn(Uni.createFrom().item(keyListPage2));
-
-		when(keysService.getKeys("skip_2nd_page"))
-			.thenReturn(Uni.createFrom().item(keyListPage3));
-
-		when(keysService.getKeys("skip_3rd_page"))
-			.thenReturn(Uni.createFrom().item(keyListPage4));
+			.thenReturn(Uni.createFrom().item(keyList));
 
 		/*
 		 * Versions
 		 */
 		KeyItem version__attr_ok__key_rsa_sign_verify = new KeyItem()
 			.setAttributes(attr_ok)
-			.setKid("https://myvault.vault.azure.net/keys/attr_ok_longest_exp__key_rsa_sign_verify/shortest_exp");
+			.setKid("https://myvault.vault.azure.net/keys/attr_ok_longest_exp__key_rsa_sign_verify/shortest_exp")
+			.setTags(Map.of(KeyUtils.DOMAIN_KEY, "my_domain"));
 
 		KeyItem version__attr_ok__key_no_rsa_sign_verify = new KeyItem()
 			.setAttributes(attr_ok)
-			.setKid("https://myvault.vault.azure.net/keys/attr_ok__key_no_rsa_sign_verify/dont_care");
+			.setKid("https://myvault.vault.azure.net/keys/attr_ok__key_no_rsa_sign_verify/dont_care")
+			.setTags(Map.of(KeyUtils.DOMAIN_KEY, "my_domain"));
 
 		KeyItem version__attr_ok__key_rsa_no_sign_verify = new KeyItem()
 			.setAttributes(attr_ok)
-			.setKid("https://myvault.vault.azure.net/keys/attr_ok__key_rsa_no_sign_verify/dont_care");
+			.setKid("https://myvault.vault.azure.net/keys/attr_ok__key_rsa_no_sign_verify/dont_care")
+			.setTags(Map.of(KeyUtils.DOMAIN_KEY, "my_domain"));
 
 		KeyItem version__attr_ok_longest_exp__key_rsa_sign_verify = new KeyItem()
 			.setAttributes(attr_ok_longest_exp)
-			.setKid("https://myvault.vault.azure.net/keys/attr_ok_longest_exp__key_rsa_sign_verify/longest_exp");
+			.setKid("https://myvault.vault.azure.net/keys/attr_ok_longest_exp__key_rsa_sign_verify/longest_exp")
+			.setTags(Map.of(KeyUtils.DOMAIN_KEY, "my_domain"));
 
 		KeyItem version__attr_ok_longest_exp__key_no_rsa_sign_verify = new KeyItem()
 			.setAttributes(attr_ok_longest_exp)
-			.setKid("https://myvault.vault.azure.net/keys/attr_ok_longest_exp__key_no_rsa_sign_verify/dont_care");
+			.setKid("https://myvault.vault.azure.net/keys/attr_ok_longest_exp__key_no_rsa_sign_verify/dont_care")
+			.setTags(Map.of(KeyUtils.DOMAIN_KEY, "my_domain"));
 
 		KeyItem version__attr_ok_longest_exp__key_rsa_no_sign_verify = new KeyItem()
 			.setAttributes(attr_ok_longest_exp)
-			.setKid("https://myvault.vault.azure.net/keys/attr_ok_longest_exp__key_rsa_no_sign_verify/dont_care");
+			.setKid("https://myvault.vault.azure.net/keys/attr_ok_longest_exp__key_rsa_no_sign_verify/dont_care")
+			.setTags(Map.of(KeyUtils.DOMAIN_KEY, "my_domain"));
 
 		KeyItem version__attr_wo_nbf__key_rsa_sign_verify = new KeyItem()
 			.setAttributes(attr_wo_nbf)
-			.setKid("https://myvault.vault.azure.net/keys/attr_wo_nbf__key_rsa_sign_verify/dont_care");
+			.setKid("https://myvault.vault.azure.net/keys/attr_wo_nbf__key_rsa_sign_verify/dont_care")
+			.setTags(Map.of(KeyUtils.DOMAIN_KEY, "my_domain"));
 
 		KeyItem version__attr_nbf_not_reached__key_rsa_sign_verify = new KeyItem()
 			.setAttributes(attr_nbf_not_reached)
-			.setKid("https://myvault.vault.azure.net/keys/attr_nbf_not_reached__key_rsa_sign_verify/dont_care");
+			.setKid("https://myvault.vault.azure.net/keys/attr_nbf_not_reached__key_rsa_sign_verify/dont_care")
+			.setTags(Map.of(KeyUtils.DOMAIN_KEY, "my_domain"));
 
 		KeyItem version__attr_expired__key_rsa_sign_verify = new KeyItem()
 			.setAttributes(attr_expired)
-			.setKid("https://myvault.vault.azure.net/keys/attr_expired__key_rsa_sign_verify/dont_care");
+			.setKid("https://myvault.vault.azure.net/keys/attr_expired__key_rsa_sign_verify/dont_care")
+			.setTags(Map.of(KeyUtils.DOMAIN_KEY, "my_domain"));
 
 		KeyItem version__attr_wo_exp__key_rsa_sign_verify = new KeyItem()
 			.setAttributes(attr_wo_exp)
-			.setKid("https://myvault.vault.azure.net/keys/attr_wo_exp__key_rsa_sign_verify/dont_care");
+			.setKid("https://myvault.vault.azure.net/keys/attr_wo_exp__key_rsa_sign_verify/dont_care")
+			.setTags(Map.of(KeyUtils.DOMAIN_KEY, "my_domain"));
 
 		KeyItem version__attr_not_enabled__key_rsa_sign_verify = new KeyItem()
 			.setAttributes(attr_not_enabled)
-			.setKid("https://myvault.vault.azure.net/keys/attr_not_enabled__key_rsa_sign_verify/dont_care");
+			.setKid("https://myvault.vault.azure.net/keys/attr_not_enabled__key_rsa_sign_verify/dont_care")
+			.setTags(Map.of(KeyUtils.DOMAIN_KEY, "my_domain"));
 
 		KeyItem version__attr_wo_created__key_rsa_sign_verify = new KeyItem()
 			.setAttributes(attr_wo_created)
-			.setKid("https://myvault.vault.azure.net/keys/attr_wo_created__key_rsa_sign_verify/dont_care");
+			.setKid("https://myvault.vault.azure.net/keys/attr_wo_created__key_rsa_sign_verify/dont_care")
+			.setTags(Map.of(KeyUtils.DOMAIN_KEY, "my_domain"));
 
 		KeyItem version__attr_inconsistent_created__key_rsa_sign_verify = new KeyItem()
 			.setAttributes(attr_inconsistent_created)
-			.setKid("https://myvault.vault.azure.net/keys/attr_inconsistent_created__key_rsa_sign_verify/dont_care");
+			.setKid("https://myvault.vault.azure.net/keys/attr_inconsistent_created__key_rsa_sign_verify/dont_care")
+			.setTags(Map.of(KeyUtils.DOMAIN_KEY, "my_domain"));
 
 		KeyListResult versionList__attr_ok__key_no_rsa_sign_verify = new KeyListResult()
 			.setValue(List.of(version__attr_ok__key_no_rsa_sign_verify));
 
 		KeyListResult versionList__attr_ok__key_rsa_no_sign_verify = new KeyListResult()
 			.setValue(List.of(version__attr_ok__key_rsa_no_sign_verify));
 
-		KeyListResult versionList__attr_ok_longest_exp__key_rsa_sign_verify_page1 = new KeyListResult()
+		KeyListResult versionList__attr_ok_longest_exp__key_rsa_sign_verify = new KeyListResult()
 			.setValue(List.of(
-				version__attr_ok__key_rsa_sign_verify))
-			.setNextLink("https://myvault.vault.azure.net:443/keys/attr_ok_longest_exp__key_rsa_sign_verify/versions?api-version=7.2&$skiptoken=skip_1st_page&maxresults=1");
-
-		KeyListResult versionList__attr_ok_longest_exp__key_rsa_sign_verify_page2 = new KeyListResult()
-			.setValue(List.of(
-				version__attr_ok_longest_exp__key_rsa_sign_verify))
-			.setNextLink(null);
+				version__attr_ok__key_rsa_sign_verify,
+				version__attr_ok_longest_exp__key_rsa_sign_verify));
 
 		KeyListResult versionList__attr_ok_longest_exp__key_no_rsa_sign_verify = new KeyListResult()
 			.setValue(List.of(version__attr_ok_longest_exp__key_no_rsa_sign_verify));
@@ -349,10 +350,7 @@ private void setup() {
 			.thenReturn(Uni.createFrom().item(versionList__attr_ok__key_rsa_no_sign_verify));
 
 		when(keysService.getKeyVersions("attr_ok_longest_exp__key_rsa_sign_verify"))
-			.thenReturn(Uni.createFrom().item(versionList__attr_ok_longest_exp__key_rsa_sign_verify_page1));
-
-		when(keysService.getKeyVersions("attr_ok_longest_exp__key_rsa_sign_verify", "skip_1st_page"))
-			.thenReturn(Uni.createFrom().item(versionList__attr_ok_longest_exp__key_rsa_sign_verify_page2));
+			.thenReturn(Uni.createFrom().item(versionList__attr_ok_longest_exp__key_rsa_sign_verify));
 
 		when(keysService.getKeyVersions("attr_ok_longest_exp__key_no_rsa_sign_verify"))
 			.thenReturn(Uni.createFrom().item(versionList__attr_ok_longest_exp__key_no_rsa_sign_verify));
@@ -568,7 +566,7 @@ void given_setOfKeys_when_getKeysInvoked_then_getRelevantKeys() {
 		 * Test
 		 */
 		Iterable<KeyBundle> actualBundles = extService.getKeys(
-			"attr",
+			"my_domain",
 			List.of(JsonWebKeyOperation.SIGN, JsonWebKeyOperation.VERIFY),
 			List.of(JsonWebKeyType.RSA))
 			.subscribe()
@@ -596,7 +594,7 @@ void given_setOfKeys_when_getKeyWithLongestExpInvoked_then_getRelevantKey() {
 		 * Test
 		 */
 		extService.getKeyWithLongestExp(
-			"attr",
+			"my_domain",
 			List.of(JsonWebKeyOperation.SIGN, JsonWebKeyOperation.VERIFY),
 			List.of(JsonWebKeyType.RSA))
 			.subscribe()
@@ -621,12 +619,12 @@ void given_noKey_when_getKeyWithLongestExpInvoked_then_getEmpty() {
 		 * Test
 		 */
 		extService.getKeyWithLongestExp(
-			"attr",
+			"my_domain",
 			List.of(JsonWebKeyOperation.SIGN, JsonWebKeyOperation.VERIFY),
 			List.of(JsonWebKeyType.RSA))
 			.subscribe()
 			.withSubscriber(UniAssertSubscriber.create())
 			.awaitItem()
 			.assertItem(Optional.empty());
 	}
-}
+}