pagopa · antoniotarricone · Jun 6, 2024
@@ -65,15 +65,15 @@ private Multi<KeyItem> getKeyVersions(String keyName) {
 
 	/**
 	 * 
-	 * @param prefix
+	 * @param domain
 	 * @param expectedOps  {@link JsonWebKeyOperation}
 	 * @param expectedKtys {@link JsonWebKeyType}
 	 * @return
 	 */
-	public Multi<KeyBundle> getKeys(String prefix, List<String> expectedOps, List<String> expectedKtys) {
+	public Multi<KeyBundle> getKeys(String domain, List<String> expectedOps, List<String> expectedKtys) {
 		return getKeys() // Multi<KeyItem>
+			.filter(keyItem -> KeyUtils.doesDomainMatch(keyItem, domain))
 			.map(KeyUtils::getKeyName) // Multi<String> keyName
-			.filter(keyName -> KeyUtils.doesPrefixMatch(keyName, prefix))
 			.onItem().transformToMultiAndConcatenate(this::getKeyVersions) // Multi<KeyItem>
 			.filter(KeyUtils::isValid)
 			.map(KeyUtils::getKeyNameVersion) // Multi<String[]>

@@ -62,15 +62,15 @@ private Stream<KeyItem> getKeyVersions(String keyName) {
 
 	/**
 	 * 
-	 * @param prefix
+	 * @param domain
 	 * @param expectedOps  {@link JsonWebKeyOperation}
 	 * @param expectedKtys {@link JsonWebKeyType}
 	 * @return
 	 */
-	public Stream<KeyBundle> getKeys(String prefix, List<String> expectedOps, List<String> expectedKtys) {
+	public Stream<KeyBundle> getKeys(String domain, List<String> expectedOps, List<String> expectedKtys) {
 		return getKeys() // Stream<KeyItem>
+			.filter(keyItem -> KeyUtils.doesDomainMatch(keyItem, domain))
 			.map(KeyUtils::getKeyName) // Stream<String> keyName
-			.filter(keyName -> KeyUtils.doesPrefixMatch(keyName, prefix))
 			.flatMap(this::getKeyVersions) // Stream<KeyItem>
 			.filter(KeyUtils::isValid)
 			.map(KeyUtils::getKeyNameVersion) // Stream<String[]>
@@ -81,12 +81,12 @@ public Stream<KeyBundle> getKeys(String prefix, List<String> expectedOps, List<S
 
 	/**
 	 * 
-	 * @param prefix
+	 * @param domain
 	 * @param expectedOps  {@link JsonWebKeyOperation}
 	 * @param expectedKtys {@link JsonWebKeyType}
 	 * @return
 	 */
-	public Optional<KeyBundle> getKeyWithLongestExp(String prefix, List<String> expectedOps, List<String> expectedKtys) {
+	public Optional<KeyBundle> getKeyWithLongestExp(String domain, List<String> expectedOps, List<String> expectedKtys) {
 		Comparator<KeyBundle> comparator = Comparator.comparing(
 			new Function<KeyBundle, Long>() { // NOSONAR
 				@Override
@@ -97,7 +97,7 @@ public Long apply(KeyBundle t) {
 			})
 			.reversed();
 
-		return getKeys(prefix, expectedOps, expectedKtys)
+		return getKeys(domain, expectedOps, expectedKtys)
 			.sorted(comparator)
 			.findFirst();
 	}

@@ -8,6 +8,7 @@
 import java.net.URI;
 import java.time.Instant;
 import java.util.List;
+import java.util.Map;
 import java.util.Objects;
 
 import io.quarkus.logging.Log;
@@ -29,6 +30,8 @@ public class KeyUtils {
 	private KeyUtils() {
 	}
 
+	public static final String DOMAIN_KEY = "domain";
+
 	/**
 	 * 
 	 * @param keyItem
@@ -52,18 +55,13 @@ public static String[] getKeyNameVersion(KeyItem keyItem) {
 
 	/**
 	 * 
-	 * @param keyName
-	 * @param prefix
+	 * @param keyItem
+	 * @param domain
 	 * @return
 	 */
-	public static boolean doesPrefixMatch(String keyName, String prefix) {
-		if (prefix == null || keyName.startsWith(prefix)) {
-			Log.tracef("Prefix matches or is null: keyName = %s, prefix = %s", keyName, prefix);
-			return true;
-		}
-
-		Log.debugf("Prefix doesn't match: keyName = %s, prefix = %s", keyName, prefix);
-		return false;
+	public static boolean doesDomainMatch(KeyItem keyItem, String domain) {
+		Map<String, String> tags = keyItem.getTags();
+		return tags != null && Objects.equals(domain, tags.get(DOMAIN_KEY));
 	}
 
 	/**

@@ -11,6 +11,7 @@
 import java.time.Instant;
 import java.time.temporal.ChronoUnit;
 import java.util.List;
+import java.util.Map;
 import java.util.Optional;
 
 import org.junit.jupiter.api.AfterEach;
@@ -30,6 +31,7 @@
 import it.pagopa.swclient.mil.azureservices.keyvault.keys.bean.KeyBundle;
 import it.pagopa.swclient.mil.azureservices.keyvault.keys.bean.KeyItem;
 import it.pagopa.swclient.mil.azureservices.keyvault.keys.bean.KeyListResult;
+import it.pagopa.swclient.mil.azureservices.keyvault.keys.util.KeyUtils;
 import jakarta.inject.Inject;
 
 /**
@@ -158,51 +160,63 @@ private void setup() {
 
 		KeyItem item__attr_ok__key_no_rsa_sign_verify = new KeyItem()
 			.setAttributes(attr_ok)
-			.setKid("https://myvault.vault.azure.net/keys/attr_ok__key_no_rsa_sign_verify");
+			.setKid("https://myvault.vault.azure.net/keys/attr_ok__key_no_rsa_sign_verify")
+			.setTags(Map.of(KeyUtils.DOMAIN_KEY, "my_domain"));
 
 		KeyItem item__attr_ok__key_rsa_no_sign_verify = new KeyItem()
 			.setAttributes(attr_ok)
-			.setKid("https://myvault.vault.azure.net/keys/attr_ok__key_rsa_no_sign_verify");
+			.setKid("https://myvault.vault.azure.net/keys/attr_ok__key_rsa_no_sign_verify")
+			.setTags(Map.of(KeyUtils.DOMAIN_KEY, "my_domain"));
 
 		KeyItem item__attr_ok_longest_exp__key_rsa_sign_verify = new KeyItem()
 			.setAttributes(attr_ok_longest_exp)
-			.setKid("https://myvault.vault.azure.net/keys/attr_ok_longest_exp__key_rsa_sign_verify");
+			.setKid("https://myvault.vault.azure.net/keys/attr_ok_longest_exp__key_rsa_sign_verify")
+			.setTags(Map.of(KeyUtils.DOMAIN_KEY, "my_domain"));
 
 		KeyItem item__attr_ok_longest_exp__key_no_rsa_sign_verify = new KeyItem()
 			.setAttributes(attr_ok_longest_exp)
-			.setKid("https://myvault.vault.azure.net/keys/attr_ok_longest_exp__key_no_rsa_sign_verify");
+			.setKid("https://myvault.vault.azure.net/keys/attr_ok_longest_exp__key_no_rsa_sign_verify")
+			.setTags(Map.of(KeyUtils.DOMAIN_KEY, "my_domain"));
 
 		KeyItem item__attr_ok_longest_exp__key_rsa_no_sign_verify = new KeyItem()
 			.setAttributes(attr_ok_longest_exp)
-			.setKid("https://myvault.vault.azure.net/keys/attr_ok_longest_exp__key_rsa_no_sign_verify");
+			.setKid("https://myvault.vault.azure.net/keys/attr_ok_longest_exp__key_rsa_no_sign_verify")
+			.setTags(Map.of(KeyUtils.DOMAIN_KEY, "my_domain"));
 
 		KeyItem item__attr_wo_nbf__key_rsa_sign_verify = new KeyItem()
 			.setAttributes(attr_wo_nbf)
-			.setKid("https://myvault.vault.azure.net/keys/attr_wo_nbf__key_rsa_sign_verify");
+			.setKid("https://myvault.vault.azure.net/keys/attr_wo_nbf__key_rsa_sign_verify")
+			.setTags(Map.of(KeyUtils.DOMAIN_KEY, "my_domain"));
 
 		KeyItem item__attr_nbf_not_reached__key_rsa_sign_verify = new KeyItem()
 			.setAttributes(attr_nbf_not_reached)
-			.setKid("https://myvault.vault.azure.net/keys/attr_nbf_not_reached__key_rsa_sign_verify");
+			.setKid("https://myvault.vault.azure.net/keys/attr_nbf_not_reached__key_rsa_sign_verify")
+			.setTags(Map.of(KeyUtils.DOMAIN_KEY, "my_domain"));
 
 		KeyItem item__attr_expired__key_rsa_sign_verify = new KeyItem()
 			.setAttributes(attr_expired)
-			.setKid("https://myvault.vault.azure.net/keys/attr_expired__key_rsa_sign_verify");
+			.setKid("https://myvault.vault.azure.net/keys/attr_expired__key_rsa_sign_verify")
+			.setTags(Map.of(KeyUtils.DOMAIN_KEY, "my_domain"));
 
 		KeyItem item__attr_wo_exp__key_rsa_sign_verify = new KeyItem()
 			.setAttributes(attr_wo_exp)
-			.setKid("https://myvault.vault.azure.net/keys/attr_wo_exp__key_rsa_sign_verify");
+			.setKid("https://myvault.vault.azure.net/keys/attr_wo_exp__key_rsa_sign_verify")
+			.setTags(Map.of(KeyUtils.DOMAIN_KEY, "my_domain"));
 
 		KeyItem item__attr_not_enabled__key_rsa_sign_verify = new KeyItem()
 			.setAttributes(attr_not_enabled)
-			.setKid("https://myvault.vault.azure.net/keys/attr_not_enabled__key_rsa_sign_verify");
+			.setKid("https://myvault.vault.azure.net/keys/attr_not_enabled__key_rsa_sign_verify")
+			.setTags(Map.of(KeyUtils.DOMAIN_KEY, "my_domain"));
 
 		KeyItem item__attr_wo_created__key_rsa_sign_verify = new KeyItem()
 			.setAttributes(attr_wo_created)
-			.setKid("https://myvault.vault.azure.net/keys/attr_wo_created__key_rsa_sign_verify");
+			.setKid("https://myvault.vault.azure.net/keys/attr_wo_created__key_rsa_sign_verify")
+			.setTags(Map.of(KeyUtils.DOMAIN_KEY, "my_domain"));
 
 		KeyItem item__attr_inconsistent_created__key_rsa_sign_verify = new KeyItem()
 			.setAttributes(attr_inconsistent_created)
-			.setKid("https://myvault.vault.azure.net/keys/attr_inconsistent_created__key_rsa_sign_verify");
+			.setKid("https://myvault.vault.azure.net/keys/attr_inconsistent_created__key_rsa_sign_verify")
+			.setTags(Map.of(KeyUtils.DOMAIN_KEY, "my_domain"));
 
 		KeyListResult keyList = new KeyListResult()
 			.setValue(List.of(
@@ -228,55 +242,68 @@ private void setup() {
 		 */
 		KeyItem version__attr_ok__key_rsa_sign_verify = new KeyItem()
 			.setAttributes(attr_ok)
-			.setKid("https://myvault.vault.azure.net/keys/attr_ok_longest_exp__key_rsa_sign_verify/shortest_exp");
+			.setKid("https://myvault.vault.azure.net/keys/attr_ok_longest_exp__key_rsa_sign_verify/shortest_exp")
+			.setTags(Map.of(KeyUtils.DOMAIN_KEY, "my_domain"));
 
 		KeyItem version__attr_ok__key_no_rsa_sign_verify = new KeyItem()
 			.setAttributes(attr_ok)
-			.setKid("https://myvault.vault.azure.net/keys/attr_ok__key_no_rsa_sign_verify/dont_care");
+			.setKid("https://myvault.vault.azure.net/keys/attr_ok__key_no_rsa_sign_verify/dont_care")
+			.setTags(Map.of(KeyUtils.DOMAIN_KEY, "my_domain"));
 
 		KeyItem version__attr_ok__key_rsa_no_sign_verify = new KeyItem()
 			.setAttributes(attr_ok)
-			.setKid("https://myvault.vault.azure.net/keys/attr_ok__key_rsa_no_sign_verify/dont_care");
+			.setKid("https://myvault.vault.azure.net/keys/attr_ok__key_rsa_no_sign_verify/dont_care")
+			.setTags(Map.of(KeyUtils.DOMAIN_KEY, "my_domain"));
 
 		KeyItem version__attr_ok_longest_exp__key_rsa_sign_verify = new KeyItem()
 			.setAttributes(attr_ok_longest_exp)
-			.setKid("https://myvault.vault.azure.net/keys/attr_ok_longest_exp__key_rsa_sign_verify/longest_exp");
+			.setKid("https://myvault.vault.azure.net/keys/attr_ok_longest_exp__key_rsa_sign_verify/longest_exp")
+			.setTags(Map.of(KeyUtils.DOMAIN_KEY, "my_domain"));
 
 		KeyItem version__attr_ok_longest_exp__key_no_rsa_sign_verify = new KeyItem()
 			.setAttributes(attr_ok_longest_exp)
-			.setKid("https://myvault.vault.azure.net/keys/attr_ok_longest_exp__key_no_rsa_sign_verify/dont_care");
+			.setKid("https://myvault.vault.azure.net/keys/attr_ok_longest_exp__key_no_rsa_sign_verify/dont_care")
+			.setTags(Map.of(KeyUtils.DOMAIN_KEY, "my_domain"));
 
 		KeyItem version__attr_ok_longest_exp__key_rsa_no_sign_verify = new KeyItem()
 			.setAttributes(attr_ok_longest_exp)
-			.setKid("https://myvault.vault.azure.net/keys/attr_ok_longest_exp__key_rsa_no_sign_verify/dont_care");
+			.setKid("https://myvault.vault.azure.net/keys/attr_ok_longest_exp__key_rsa_no_sign_verify/dont_care")
+			.setTags(Map.of(KeyUtils.DOMAIN_KEY, "my_domain"));
 
 		KeyItem version__attr_wo_nbf__key_rsa_sign_verify = new KeyItem()
 			.setAttributes(attr_wo_nbf)
-			.setKid("https://myvault.vault.azure.net/keys/attr_wo_nbf__key_rsa_sign_verify/dont_care");
+			.setKid("https://myvault.vault.azure.net/keys/attr_wo_nbf__key_rsa_sign_verify/dont_care")
+			.setTags(Map.of(KeyUtils.DOMAIN_KEY, "my_domain"));
 
 		KeyItem version__attr_nbf_not_reached__key_rsa_sign_verify = new KeyItem()
 			.setAttributes(attr_nbf_not_reached)
-			.setKid("https://myvault.vault.azure.net/keys/attr_nbf_not_reached__key_rsa_sign_verify/dont_care");
+			.setKid("https://myvault.vault.azure.net/keys/attr_nbf_not_reached__key_rsa_sign_verify/dont_care")
+			.setTags(Map.of(KeyUtils.DOMAIN_KEY, "my_domain"));
 
 		KeyItem version__attr_expired__key_rsa_sign_verify = new KeyItem()
 			.setAttributes(attr_expired)
-			.setKid("https://myvault.vault.azure.net/keys/attr_expired__key_rsa_sign_verify/dont_care");
+			.setKid("https://myvault.vault.azure.net/keys/attr_expired__key_rsa_sign_verify/dont_care")
+			.setTags(Map.of(KeyUtils.DOMAIN_KEY, "my_domain"));
 
 		KeyItem version__attr_wo_exp__key_rsa_sign_verify = new KeyItem()
 			.setAttributes(attr_wo_exp)
-			.setKid("https://myvault.vault.azure.net/keys/attr_wo_exp__key_rsa_sign_verify/dont_care");
+			.setKid("https://myvault.vault.azure.net/keys/attr_wo_exp__key_rsa_sign_verify/dont_care")
+			.setTags(Map.of(KeyUtils.DOMAIN_KEY, "my_domain"));
 
 		KeyItem version__attr_not_enabled__key_rsa_sign_verify = new KeyItem()
 			.setAttributes(attr_not_enabled)
-			.setKid("https://myvault.vault.azure.net/keys/attr_not_enabled__key_rsa_sign_verify/dont_care");
+			.setKid("https://myvault.vault.azure.net/keys/attr_not_enabled__key_rsa_sign_verify/dont_care")
+			.setTags(Map.of(KeyUtils.DOMAIN_KEY, "my_domain"));
 
 		KeyItem version__attr_wo_created__key_rsa_sign_verify = new KeyItem()
 			.setAttributes(attr_wo_created)
-			.setKid("https://myvault.vault.azure.net/keys/attr_wo_created__key_rsa_sign_verify/dont_care");
+			.setKid("https://myvault.vault.azure.net/keys/attr_wo_created__key_rsa_sign_verify/dont_care")
+			.setTags(Map.of(KeyUtils.DOMAIN_KEY, "my_domain"));
 
 		KeyItem version__attr_inconsistent_created__key_rsa_sign_verify = new KeyItem()
 			.setAttributes(attr_inconsistent_created)
-			.setKid("https://myvault.vault.azure.net/keys/attr_inconsistent_created__key_rsa_sign_verify/dont_care");
+			.setKid("https://myvault.vault.azure.net/keys/attr_inconsistent_created__key_rsa_sign_verify/dont_care")
+			.setTags(Map.of(KeyUtils.DOMAIN_KEY, "my_domain"));
 
 		KeyListResult versionList__attr_ok__key_no_rsa_sign_verify = new KeyListResult()
 			.setValue(List.of(version__attr_ok__key_no_rsa_sign_verify));
@@ -539,7 +566,7 @@ void given_setOfKeys_when_getKeysInvoked_then_getRelevantKeys() {
 		 * Test
 		 */
 		Iterable<KeyBundle> actualBundles = extService.getKeys(
-			"attr",
+			"my_domain",
 			List.of(JsonWebKeyOperation.SIGN, JsonWebKeyOperation.VERIFY),
 			List.of(JsonWebKeyType.RSA))
 			.subscribe()
@@ -567,7 +594,7 @@ void given_setOfKeys_when_getKeyWithLongestExpInvoked_then_getRelevantKey() {
 		 * Test
 		 */
 		extService.getKeyWithLongestExp(
-			"attr",
+			"my_domain",
 			List.of(JsonWebKeyOperation.SIGN, JsonWebKeyOperation.VERIFY),
 			List.of(JsonWebKeyType.RSA))
 			.subscribe()
@@ -592,7 +619,7 @@ void given_noKey_when_getKeyWithLongestExpInvoked_then_getEmpty() {
 		 * Test
 		 */
 		extService.getKeyWithLongestExp(
-			"attr",
+			"my_domain",
 			List.of(JsonWebKeyOperation.SIGN, JsonWebKeyOperation.VERIFY),
 			List.of(JsonWebKeyType.RSA))
 			.subscribe()