Add option to set a property prefix on Secrets Manager property sources (#630)

snigdhasjg · web-flow · commit 0ff91d3aaa8e · 2023-01-22T21:17:33.000+01:00
Fixes #621
diff --git a/docs/src/main/asciidoc/secrets-manager.adoc b/docs/src/main/asciidoc/secrets-manager.adoc
@@ -109,6 +109,9 @@ import. The table below provides examples of supported property values and descr
 |`spring.config.import=aws-secretsmanager:secret-key;other-secret-key`
 |Importing secrets by individual keys
 
+|`spring.config.import=aws-secretsmanager:secret-key?prefix=db.`
+|To avoid property keys collisions it is possible to configure property key prefix that gets added to each resolved property from a secret
+
 |`spring.config.import=optional:aws-secretsmanager:secret-key;other-secret-key`
 |When `optional` is used the application will start even if the specified secret is not found.
 
diff --git a/spring-cloud-aws-secrets-manager-config/src/main/java/io/awspring/cloud/secretsmanager/AwsSecretsManagerPropertySource.java b/spring-cloud-aws-secrets-manager-config/src/main/java/io/awspring/cloud/secretsmanager/AwsSecretsManagerPropertySource.java
@@ -31,6 +31,7 @@
 import org.apache.commons.logging.LogFactory;
 
 import org.springframework.core.env.EnumerablePropertySource;
+import org.springframework.lang.Nullable;
 
 /**
  * Retrieves secret value under the given context / path from the AWS Secrets Manager
@@ -44,15 +45,25 @@ public class AwsSecretsManagerPropertySource extends EnumerablePropertySource<AW
 
 	private static Log LOG = LogFactory.getLog(AwsSecretsManagerPropertySource.class);
 
+	private static final String PREFIX_PART = "?prefix=";
+
 	private final ObjectMapper jsonMapper = new ObjectMapper();
 
-	private final String context;
+	private final String secretId;
+
+	/**
+	 * Prefix that gets added to resolved property keys. Useful same property keys are
+	 * returned by multiple property sources.
+	 */
+	@Nullable
+	private final String prefix;
 
 	private final Map<String, Object> properties = new LinkedHashMap<>();
 
 	public AwsSecretsManagerPropertySource(String context, AWSSecretsManager smClient) {
 		super(context, smClient);
-		this.context = context;
+		this.secretId = resolveSecretId(context);
+		this.prefix = resolvePrefix(context);
 	}
 
 	/**
@@ -61,7 +72,7 @@ public AwsSecretsManagerPropertySource(String context, AWSSecretsManager smClien
 	 * database.
 	 */
 	public void init() {
-		readSecretValue(new GetSecretValueRequest().withSecretId(context));
+		readSecretValue(new GetSecretValueRequest().withSecretId(secretId));
 	}
 
 	@Override
@@ -84,12 +95,30 @@ private void readSecretValue(GetSecretValueRequest secretValueRequest) {
 
 			for (Map.Entry<String, Object> secretEntry : secretMap.entrySet()) {
 				LOG.debug("Populating property retrieved from AWS Secrets Manager: " + secretEntry.getKey());
-				properties.put(secretEntry.getKey(), secretEntry.getValue());
+				String propertyKey = prefix != null ? prefix + secretEntry.getKey() : secretEntry.getKey();
+				properties.put(propertyKey, secretEntry.getValue());
 			}
 		}
 		catch (JsonProcessingException e) {
 			throw new RuntimeException(e);
 		}
 	}
 
+	@Nullable
+	private static String resolvePrefix(String context) {
+		int prefixIndex = context.indexOf(PREFIX_PART);
+		if (prefixIndex != -1) {
+			return context.substring(prefixIndex + PREFIX_PART.length());
+		}
+		return null;
+	}
+
+	private static String resolveSecretId(String context) {
+		int prefixIndex = context.indexOf(PREFIX_PART);
+		if (prefixIndex != -1) {
+			return context.substring(0, prefixIndex);
+		}
+		return context;
+	}
+
 }
diff --git a/spring-cloud-aws-secrets-manager-config/src/test/java/io/awspring/cloud/secretsmanager/AwsSecretsManagerPropertySourceTest.java b/spring-cloud-aws-secrets-manager-config/src/test/java/io/awspring/cloud/secretsmanager/AwsSecretsManagerPropertySourceTest.java
@@ -20,7 +20,10 @@
 import com.amazonaws.services.secretsmanager.model.GetSecretValueRequest;
 import com.amazonaws.services.secretsmanager.model.GetSecretValueResult;
 import com.amazonaws.services.secretsmanager.model.ResourceNotFoundException;
+import com.fasterxml.jackson.core.JsonProcessingException;
+import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
+import org.mockito.ArgumentCaptor;
 
 import static org.assertj.core.api.Assertions.assertThat;
 import static org.assertj.core.api.Assertions.assertThatThrownBy;
@@ -30,31 +33,67 @@
 
 class AwsSecretsManagerPropertySourceTest {
 
-	private AWSSecretsManager client = mock(AWSSecretsManager.class);
+	private AWSSecretsManager client;
 
-	private AwsSecretsManagerPropertySource propertySource = new AwsSecretsManagerPropertySource("/config/myservice",
-			client);
+	private AwsSecretsManagerPropertySource propertySource;
+
+	private ArgumentCaptor<GetSecretValueRequest> secretValueRequestArgumentCaptor;
+
+	@BeforeEach
+	void setUp() {
+		client = mock(AWSSecretsManager.class);
+		secretValueRequestArgumentCaptor = ArgumentCaptor.forClass(GetSecretValueRequest.class);
+		propertySource = new AwsSecretsManagerPropertySource("/config/myservice", client);
+	}
 
 	@Test
 	void shouldParseSecretValue() {
-		GetSecretValueResult secretValueResult = new GetSecretValueResult();
-		secretValueResult.setSecretString("{\"key1\": \"value1\", \"key2\": \"value2\"}");
+		GetSecretValueResult secretValueResult = new GetSecretValueResult()
+				.withSecretString("{\"key1\": \"value1\", \"key2\": \"value2\"}");
 
-		when(client.getSecretValue(any(GetSecretValueRequest.class))).thenReturn(secretValueResult);
+		when(client.getSecretValue(secretValueRequestArgumentCaptor.capture())).thenReturn(secretValueResult);
 
 		propertySource.init();
 
+		assertThat(secretValueRequestArgumentCaptor.getValue().getSecretId()).isEqualTo("/config/myservice");
 		assertThat(propertySource.getPropertyNames()).containsExactly("key1", "key2");
 		assertThat(propertySource.getProperty("key1")).isEqualTo("value1");
 		assertThat(propertySource.getProperty("key2")).isEqualTo("value2");
 	}
 
+	@Test
+	void shouldAppendPrefixIfPrefixConfigured() {
+		propertySource = new AwsSecretsManagerPropertySource("/config/myservice2?prefix=service2.", client);
+		GetSecretValueResult secretValueResult = new GetSecretValueResult()
+				.withSecretString("{\"key1\": \"value1\", \"key2\": \"value2\"}");
+
+		when(client.getSecretValue(secretValueRequestArgumentCaptor.capture())).thenReturn(secretValueResult);
+
+		propertySource.init();
+
+		assertThat(secretValueRequestArgumentCaptor.getValue().getSecretId()).isEqualTo("/config/myservice2");
+		assertThat(propertySource.getPropertyNames()).containsExactly("service2.key1", "service2.key2");
+		assertThat(propertySource.getProperty("service2.key1")).isEqualTo("value1");
+		assertThat(propertySource.getProperty("service2.key2")).isEqualTo("value2");
+	}
+
 	@Test
 	void throwsExceptionWhenSecretNotFound() {
 		when(client.getSecretValue(any(GetSecretValueRequest.class)))
 				.thenThrow(new ResourceNotFoundException("secret not found"));
 
-		assertThatThrownBy(() -> propertySource.init()).isInstanceOf(ResourceNotFoundException.class);
+		assertThatThrownBy(() -> propertySource.init()).isInstanceOf(ResourceNotFoundException.class)
+				.hasMessageContaining("secret not found");
+	}
+
+	@Test
+	void throwsExceptionWhenSecretIsNotJsonSecret() {
+		GetSecretValueResult secretValueResult = new GetSecretValueResult()
+				.withSecretString("plain text secret string, not json secret");
+		when(client.getSecretValue(any(GetSecretValueRequest.class))).thenReturn(secretValueResult);
+
+		assertThatThrownBy(() -> propertySource.init()).isInstanceOf(RuntimeException.class)
+				.extracting(Throwable::getCause).isInstanceOf(JsonProcessingException.class);
 	}
 
 }
