feat: implement Hashicorp Vault signing service #4749

paullatzelsperger (Member) commented Jan 21, 2025

What this PR changes/adds

This PR mainly adds the SignatureService interface and an implementation for it based on Hashicorp Vault.

Why it does that

remote signing of content and key rotation

Further notes

The HashicorpVault implementation was slightly refactored and simplified. And by "slightly" I mean massively. The HashicorpVaultClient is now only responsible for token renewal and health checks and was thus renamed to HashicorpVaultHealthService.

I think the token renewal stuff should get pulled out into a separate service too, but I'd wait for #4720 for that, and do it in a subsequent PR.

Linked Issue(s)

Closes # <-- insert Issue number if one exists

@paullatzelsperger paullatzelsperger added the enhancement New feature or request label Jan 21, 2025
@paullatzelsperger paullatzelsperger force-pushed the feat/implement_signing_service branch from c7e7fd9 to 645661d Compare January 21, 2025 16:38
@paullatzelsperger paullatzelsperger force-pushed the feat/implement_signing_service branch from 645661d to 0639c83 Compare January 22, 2025 06:33
@paullatzelsperger paullatzelsperger marked this pull request as ready for review January 22, 2025 07:06
@paullatzelsperger paullatzelsperger requested review from ndr-brt and a team and removed request for ndr-brt January 22, 2025 07:06
jimmarino (Contributor) left a comment

Need to update the headers

@paullatzelsperger paullatzelsperger force-pushed the feat/implement_signing_service branch from 3549d45 to 3edaa7f Compare January 22, 2025 11:09
*/
public class HashicorpVaultClient {
private static final String VAULT_DATA_ENTRY_NAME = "content";
public class HashicorpVaultHealthService {
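Review bot: the class declaration renames a public type, HashicorpVaultClient to HashicorpVaultHealthService, so the Javadoc that closes just above it should be updated to describe the narrower role the PR description gives (token renewal and health checks only). The VAULT_DATA_ENTRY_NAME constant shown beside the old declaration belongs with whatever code now reads and writes secret data, not in a class that only does health checks and renewal.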
Member

I'd also move the renew logic into the HashicorpVaultTokenRenewTask

Member Author

No argument there, but let's do this once #4720 is done, so we don't have to do it twice.

paullatzelsperger (Member, Author) commented Jan 22, 2025

Note that configuration values are not yet implemented. This should also come in another PR, when the JWSSigner and JWSVerifier are implemented. A separate PR, when the default impl. will be provided.

#4752

@paullatzelsperger paullatzelsperger force-pushed the feat/implement_signing_service branch from f82b69a to 55c06d9 Compare January 22, 2025 17:51
@paullatzelsperger paullatzelsperger merged commit 82df774 into eclipse-edc:main Jan 22, 2025
21 checks passed
@paullatzelsperger paullatzelsperger deleted the feat/implement_signing_service branch January 22, 2025 18:23