Add the ability to specify KMS endpoint/credentials in the environment.

Required to override them for signtool integration testing with FakeKMS. Change-Id: I2c44e801d809996a85ca195ce3f1430a59ecad51
GoogleCloudPlatform · May 12, 2023 · 850f451 · 850f451
1 parent 8b633b0
commit 850f451
Show file tree

Hide file tree

Showing 4 changed files with 38 additions and 2 deletions.
diff --git a/kmscng/BUILD.bazel b/kmscng/BUILD.bazel
@@ -106,9 +106,11 @@ cc_test(
     deps = [
         ":provider",
         ":version",
+        "//common/test:test_platform",
         "//common/test:test_status_macros",
         "//kmscng:cng_headers",
         "//kmscng/test:matchers",
+        "@com_google_absl//absl/cleanup",
         "@com_google_googletest//:gtest_main",
     ],
 )

diff --git a/kmscng/cng_headers.h b/kmscng/cng_headers.h
@@ -44,6 +44,9 @@ constexpr std::wstring_view kEndpointAddressProperty = L"KMSEndpointAddress";
 constexpr std::wstring_view kChannelCredentialsProperty =
     L"KMSChannelCredentials";
 
+constexpr char kEndpointAddressEnvVariable[] = "KMS_ENDPOINT_ADDRESS";
+constexpr char kChannelCredentialsEnvVariable[] = "KMS_CHANNEL_CREDENTIALS";
+
 }  // namespace cloud_kms::kmscng
 
 #endif  // KMSCNG_CNG_HEADERS_H_
diff --git a/kmscng/provider.cc b/kmscng/provider.cc
@@ -35,11 +35,20 @@ absl::flat_hash_set<std::wstring> mutable_properties = {
 };
 
 absl::flat_hash_map<std::wstring, std::string> BuildInfo() {
+  const char* env_endpoint_address = std::getenv(kEndpointAddressEnvVariable);
+  std::string endpoint_address = env_endpoint_address
+                                     ? env_endpoint_address
+                                     : "cloudkms.googleapis.com:443";
+  const char* env_channel_credentials =
+      std::getenv(kChannelCredentialsEnvVariable);
+  std::string channel_credentials =
+      env_channel_credentials ? env_channel_credentials : "default";
+
   return {
       {NCRYPT_IMPL_TYPE_PROPERTY, Uint32ToBytes(NCRYPT_IMPL_HARDWARE_FLAG)},
       {NCRYPT_VERSION_PROPERTY, Uint32ToBytes(kLibraryVersionHex)},
-      {std::wstring(kEndpointAddressProperty), "cloudkms.googleapis.com:443"},
-      {std::wstring(kChannelCredentialsProperty), "default"},
+      {std::wstring(kEndpointAddressProperty), endpoint_address},
+      {std::wstring(kChannelCredentialsProperty), channel_credentials},
   };
 }
 

diff --git a/kmscng/provider_test.cc b/kmscng/provider_test.cc
@@ -14,6 +14,8 @@
 
 #include "kmscng/provider.h"
 
+#include "absl/cleanup/cleanup.h"
+#include "common/test/test_platform.h"
 #include "common/test/test_status_macros.h"
 #include "gmock/gmock.h"
 #include "kmscng/cng_headers.h"
@@ -59,6 +61,26 @@ TEST(ProviderTest, GetProviderPropertyChannelCredentialsSuccess) {
               IsOkAndHolds("default"));
 }
 
+TEST(ProviderTest, SetEndpointAddressInEnvVariable) {
+  std::string address = "invalid.address";
+  SetEnvVariable(kEndpointAddressEnvVariable, address);
+  absl::Cleanup c = [] { ClearEnvVariable(kEndpointAddressEnvVariable); };
+
+  Provider provider;
+  EXPECT_THAT(provider.GetProperty(kEndpointAddressProperty),
+              IsOkAndHolds(address));
+}
+
+TEST(ProviderTest, SetChannelCredentialsInEnvVariable) {
+  std::string credentials = "unknown";
+  SetEnvVariable(kChannelCredentialsEnvVariable, credentials);
+  absl::Cleanup c = [] { ClearEnvVariable(kChannelCredentialsEnvVariable); };
+
+  Provider provider;
+  EXPECT_THAT(provider.GetProperty(kChannelCredentialsProperty),
+              IsOkAndHolds(credentials));
+}
+
 TEST(ProviderTest, SetProviderPropertyUnsupportedProperty) {
   Provider provider;