Merge pull request #16 from Ankvik-Tech-Labs/feat/add-gcp-credentials-support

Feat: added gcp credentials support

Author: Aviksaikat

CHANGELOG.md

@@ -2,6 +2,16 @@
 
 All notable changes to this project will be documented in this file.
 
+## [0.1.0] - 2025-01-09
+
+### 🚀 Features
+
+- Added option to pass credentials as dict object
+
+### ⚙️ Miscellaneous Tasks
+
+- Changelog updated
+
 ## [0.0.2] - 2025-01-02
 
 ### 🚀 Features
@@ -29,6 +39,7 @@ All notable changes to this project will be documented in this file.
 - Version updated to 0.0.2
 - Changelog updated
 - Changelog updated
+- Changelog updated
 
 ## [0.0.1] - 2024-12-27
 

README.md

@@ -368,6 +368,114 @@ except Exception as e:
     print(f"Transaction error: {e}")
 ```
 
+## 🚀 CI/CD Pipeline Integration
+
+### 🔄 Using in GitHub Actions or Other CI/CD Pipelines
+
+For CI/CD environments where you can't use traditional environment variables or service account files, you can pass the credentials directly as a JSON string:
+
+```python
+from web3_google_hsm.accounts.gcp_kms_account import GCPKmsAccount
+from web3_google_hsm.config import BaseConfig
+import json
+
+# Create config from environment variables
+config = BaseConfig(
+    project_id="your-project-id",
+    location_id="your-location",
+    key_ring_id="your-keyring",
+    key_id="your-key-id"
+)
+
+# Load credentials from CI/CD secret
+credentials = json.loads(os.environ["GCP_ADC_CREDENTIALS_STRING"])
+
+# Initialize account with both config and credentials
+account = GCPKmsAccount(config=config, credentials=credentials)
+
+# or Let the class read the values from env variables
+account = GCPKmsAccount(credentials=credentials)
+
+```
+
+### 🔒 GitHub Actions Example
+
+```yaml
+name: Deploy with HSM Signing
+
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+
+      - name: Set up Python
+        uses: actions/setup-python@v2
+        with:
+          python-version: '3.10'
+
+      - name: Install dependencies
+        run: pip install web3-google-hsm
+
+      - name: Sign and Deploy
+        env:
+          GOOGLE_CLOUD_PROJECT: ${{ secrets.GCP_PROJECT_ID }}
+          GOOGLE_CLOUD_REGION: ${{ secrets.GCP_REGION }}
+          KEY_RING: ${{ secrets.GCP_KEYRING }}
+          KEY_NAME: ${{ secrets.GCP_KEY_NAME }}
+          GCP_ADC_CREDENTIALS_STRING: ${{ secrets.GCP_ADC_CREDENTIALS_STRING }}
+        run: |
+          python your_deployment_script.py
+```
+
+### 📝 Example Deployment Script
+```python
+import os
+import json
+from web3_google_hsm.accounts.gcp_kms_account import GCPKmsAccount
+from web3_google_hsm.config import BaseConfig
+from web3_google_hsm.types.ethereum_types import Transaction
+
+def deploy_contract():
+    # Initialize with both config and credentials
+    config = BaseConfig.from_env()  # Uses environment variables
+    credentials = json.loads(os.environ["GCP_ADC_CREDENTIALS_STRING"])
+
+    account = GCPKmsAccount(config=config, credentials=credentials)
+
+    # Your deployment logic here
+    print(f"Deploying from address: {account.address}")
+
+    # Example transaction
+    tx = Transaction(
+        nonce=0,
+        gas_price=2000000000,
+        gas_limit=1000000,
+        to="0x...",
+        value=0,
+        data="0x...",
+        chain_id=1
+    )
+
+    signed_tx = account.sign_transaction(tx)
+    # Send transaction...
+
+if __name__ == "__main__":
+    deploy_contract()
+```
+
+### 🔑 Required Secrets for CI/CD
+
+Set these secrets in your CI/CD environment:
+
+- `GCP_PROJECT_ID`: Your Google Cloud project ID
+- `GCP_REGION`: The region where your KMS resources are located
+- `GCP_KEYRING`: The name of your KMS key ring
+- `GCP_KEY_NAME`: The name of your KMS key
+- `GCP_ADC_CREDENTIALS_STRING`: Your service account credentials JSON as a string
+
+
+
 
 ---
 

pyproject.toml

@@ -9,7 +9,11 @@ dynamic = ["version"]
 license = { file = "LICENSE" }
 classifiers = [
     "Programming Language :: Python :: 3",
+    "Programming Language :: Python :: 3.9",
     "Programming Language :: Python :: 3.10",
+    "Programming Language :: Python :: 3.11",
+    "Programming Language :: Python :: 3.12",
+    "Programming Language :: Python :: 3.13",
     "Programming Language :: Python :: Implementation :: CPython",
     "Programming Language :: Python :: Implementation :: PyPy",
 ]

src/web3_google_hsm/__version__.py

@@ -1 +1 @@
-VERSION = "0.0.2"
+VERSION = "0.1.0"

src/web3_google_hsm/accounts/gcp_kms_account.py

@@ -8,6 +8,7 @@
 from eth_account.messages import _hash_eip191_message, encode_defunct  # noqa: PLC2701
 from eth_typing import ChecksumAddress
 from eth_utils import keccak, to_checksum_address
+from google.auth import load_credentials_from_dict
 from google.cloud import kms
 from google.protobuf import duration_pb2  # type: ignore
 from pydantic import BaseModel, Field, PrivateAttr
@@ -33,10 +34,33 @@ class GCPKmsAccount(BaseModel):
     _cached_public_key: bytes | None = PrivateAttr(default=None)
     _settings: BaseConfig = PrivateAttr()
 
-    def __init__(self, config: BaseConfig | None = None, **data: Any):
+    def __init__(self, config: BaseConfig | None = None, credentials: dict | None = None, **data: Any):
+        """
+        Initialize GCP KMS Account with either config or credentials.
+        If neither is provided, uses Google SDK default auth mechanism.
+
+        Args:
+            config: BaseConfig instance for environment-based configuration
+            credentials: Dictionary containing GCP credentials
+            **data: Additional data passed to BaseModel
+
+        Raises:
+            ValueError: If both config and credentials are provided
+        """
+
         super().__init__(**data)
-        self._client = kms.KeyManagementServiceClient()
+
+        if isinstance(credentials, dict):
+            credentials, _ = load_credentials_from_dict(credentials)
+        # Initialize client based on provided auth method
+        self._client = (
+            kms.KeyManagementServiceClient(credentials=credentials) if credentials else kms.KeyManagementServiceClient()  # type: ignore
+        )
+
+        # Initialize settings if config is provided, otherwise None
         self._settings = config or BaseConfig.from_env()
+
+        # Set key path based on config or credentials
         self.key_path = self._get_key_version_path()
 
     def _get_key_version_path(self) -> str:

src/web3_google_hsm/exceptions.py

@@ -2,3 +2,9 @@ class SignatureError(Exception):
     """
     Raised when there are issues with signing.
     """
+
+
+class ConfigurationError(Exception):
+    """
+    Raised when there are issues with the configuration.
+    """

tests/integration/accounts/test_gcp_credentials.py

@@ -0,0 +1,113 @@
+import os
+
+from pydantic import ValidationError
+import pytest
+from web3_google_hsm.accounts.gcp_kms_account import GCPKmsAccount
+from web3_google_hsm.config import BaseConfig
+import json
+
+# Define required environment variables
+REQUIRED_ENV_VARS = {
+    "GOOGLE_CLOUD_PROJECT": os.getenv("GOOGLE_CLOUD_PROJECT"),
+    "GOOGLE_CLOUD_REGION": os.getenv("GOOGLE_CLOUD_REGION"),
+    "KEY_RING": os.getenv("KEY_RING"),
+    "KEY_NAME": os.getenv("KEY_NAME"),
+    "GCP_ADC_CREDENTIALS_STRING": os.getenv("GCP_ADC_CREDENTIALS_STRING"),
+}
+
+# Skip all tests if any required env var is missing
+missing_vars = [k for k, v in REQUIRED_ENV_VARS.items() if not v]
+pytestmark = pytest.mark.skipif(
+    bool(missing_vars),
+    reason=f"Missing required environment variables: {', '.join(missing_vars)}"
+)
+
+def test_account_initialization_with_both():
+    """Test initializing account with both config and credentials."""
+    # Load credentials from GCP_ADC_CREDENTIALS_STRING env var
+    credentials = json.loads(os.environ["GCP_ADC_CREDENTIALS_STRING"])
+
+    # Create config from environment
+    config = BaseConfig.from_env()
+
+    # Initialize account with both
+    account = GCPKmsAccount(config=config, credentials=credentials)
+
+    # Verify initialization
+    assert account._client is not None
+    assert account._settings is not None
+    assert account.key_path is not None
+    assert account.address.startswith("0x")
+
+    # Test basic functionality
+    message = "Test message"
+    signature = account.sign_message(message)
+    assert signature.v in (27, 28)
+    assert len(signature.r) == 32
+    assert len(signature.s) == 32
+
+def test_account_initialization_with_neither():
+    """Test initializing account with neither config nor credentials (using env vars)."""
+    # Initialize account without explicit config or credentials
+    account = GCPKmsAccount()
+
+    # Verify initialization
+    assert account._client is not None
+    assert account._settings is not None  # Should be created from env
+    assert account.key_path is not None
+    assert account.address.startswith("0x")
+
+    # Test basic functionality
+    message = "Test message"
+    signature = account.sign_message(message)
+    assert signature.v in (27, 28)
+    assert len(signature.r) == 32
+    assert len(signature.s) == 32
+
+def test_fail_account_initialization_with_only_config(monkeypatch):
+    """Test that initializing with only config raises error."""
+    env_vars_to_clear = [
+        "GOOGLE_CLOUD_PROJECT",
+        "GOOGLE_CLOUD_REGION",
+        "KEY_RING",
+        "KEY_NAME",
+        "GOOGLE_APPLICATION_CREDENTIALS",
+        "GCP_ADC_CREDENTIALS_STRING"
+    ]
+
+    for env_var in env_vars_to_clear:
+        monkeypatch.delenv(env_var, raising=False)
+
+    with pytest.raises(ValidationError):
+        config = BaseConfig.from_env()
+        GCPKmsAccount(config=config)
+
+def test_fail_account_initialization_with_only_credentials(monkeypatch):
+    """Test that initializing with only credentials raises error."""
+    env_vars_to_clear = [
+        "GOOGLE_CLOUD_PROJECT",
+        "GOOGLE_CLOUD_REGION",
+        "KEY_RING",
+        "KEY_NAME",
+    ]
+
+    for env_var in env_vars_to_clear:
+        monkeypatch.delenv(env_var, raising=False)
+    credentials = json.loads(os.environ["GCP_ADC_CREDENTIALS_STRING"])
+
+    with pytest.raises(ValidationError):
+        GCPKmsAccount(credentials=credentials)
+
+def test_key_path_matches_config(monkeypatch):
+    """Test that the key path matches the config values."""
+    # Load both config and credentials
+    credentials = json.loads(os.environ["GCP_ADC_CREDENTIALS_STRING"])
+
+    config = BaseConfig.from_env()
+    account = GCPKmsAccount(config=config, credentials=credentials)
+
+    # Verify key path contains all the expected components
+    assert config.project_id in account.key_path
+    assert config.location_id in account.key_path
+    assert config.key_ring_id in account.key_path
+    assert config.key_id in account.key_path

tests/integration/accounts/test_gcp_kms_account_integration.py

@@ -62,7 +62,7 @@ def test_transaction_signing(gcp_account, fund_account, web3):
         gas_price=web3.eth.gas_price,
         gas_limit=21000,
         to="0xa5D3241A1591061F2a4bB69CA0215F66520E67cf",
-        value=web3.to_wei(0.001, "ether"),
+        value=web3.to_wei(0.0001, "ether"),
         data="0x",
         from_=gcp_account.address
     )

tests/unit/test_cli.py

@@ -122,8 +122,20 @@ def test_generate_with_explicit_args(
         assert result.exit_code == 0
         assert "Created Ethereum signing key" in result.stdout
 
-    def test_fail_generate_missing_required_args(self, runner: CliRunner) -> None:
+    def test_fail_generate_missing_required_args(self, runner: CliRunner, monkeypatch) -> None:
         """Test key generation fails when required arguments are missing."""
+        # ? Need to clrear the env vars in order to raise error in the cli
+        env_vars_to_clear = [
+            "GOOGLE_CLOUD_PROJECT",
+            "GOOGLE_CLOUD_REGION",
+            "KEY_RING",
+            "KEY_NAME",
+            "GOOGLE_APPLICATION_CREDENTIALS",
+            "GCP_ADC_CREDENTIALS_STRING"
+        ]
+
+        for env_var in env_vars_to_clear:
+            monkeypatch.delenv(env_var, raising=False)
         result = runner.invoke(app, ["generate"])
         assert result.exit_code == 2
         assert "Usage:" in result.stdout