[ENG-xxx] Migrate KMS signer tests and set up CI

Co-Authored-By: Joe Petrich <[email protected]>

Author: devin-ai-integration[bot]

.github/workflows/ci.yml

@@ -0,0 +1,57 @@
+name: Go
+
+on:
+  push:
+    branches: ["main"]
+  pull_request:
+    branches: ["main"]
+
+permissions:
+  id-token: write
+  contents: read
+
+jobs:
+  test:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+        with:
+          ref: ${{ github.head_ref }}
+          fetch-depth: 0
+
+      - name: Authenticate to Google Cloud
+        uses: google-github-actions/auth@v1
+        with:
+          workload_identity_provider: ${{ secrets.GCP_WORKLOAD_IDENTITY_PROVIDER }}
+          service_account: ${{ secrets.GCP_SERVICE_ACCOUNT_EMAIL }}
+  
+      - name: Set up gcloud (for KMS client lib to auth)
+        uses: google-github-actions/setup-gcloud@v1
+        with:
+          project_id: courtyard-frontend
+
+      - name: Set up Go
+        uses: actions/setup-go@v3
+        with:
+          go-version: 1.24.1
+
+      - name: Lint Go files
+        run: |
+          find . -name '*.go' | xargs gofmt -d -s -w
+          if ! git diff-index --quiet HEAD --; then
+              echo "Code style issues found. Please run 'go fmt ./...' locally and commit changes."
+              exit 1
+          fi
+
+      - name: Build
+        run: go build -v ./...
+
+      - name: Run unit tests
+        run: go test -v -timeout 120s ./... -short
+
+      - name: Run integration tests
+        env:
+          GOOGLE_CLOUD_PROJECT: courtyard-frontend
+          TEST_KMS_KEY_NAME: ${{ secrets.KMS_KEY_NAME }}
+        run: go test -v -timeout 300s ./... -run "TestKMSSigner(Integration|Retry)"

go.mod

@@ -6,6 +6,7 @@ require (
 	cloud.google.com/go/kms v1.21.1
 	github.com/cenkalti/backoff/v4 v4.3.0
 	github.com/ethereum/go-ethereum v1.15.7
+	github.com/stretchr/testify v1.10.0
 )
 
 require (
@@ -22,6 +23,7 @@ require (
 	github.com/consensys/gnark-crypto v0.14.0 // indirect
 	github.com/crate-crypto/go-ipa v0.0.0-20240724233137-53bbb0ceb27a // indirect
 	github.com/crate-crypto/go-kzg-4844 v1.1.0 // indirect
+	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/deckarep/golang-set/v2 v2.6.0 // indirect
 	github.com/decred/dcrd/dcrec/secp256k1/v4 v4.0.1 // indirect
 	github.com/ethereum/c-kzg-4844 v1.0.0 // indirect
@@ -38,6 +40,7 @@ require (
 	github.com/gorilla/websocket v1.4.2 // indirect
 	github.com/holiman/uint256 v1.3.2 // indirect
 	github.com/mmcloughlin/addchain v0.4.0 // indirect
+	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/shirou/gopsutil v3.21.4-0.20210419000835-c7a38de76ee5+incompatible // indirect
 	github.com/supranational/blst v0.3.14 // indirect
 	github.com/tklauser/go-sysconf v0.3.12 // indirect
@@ -61,5 +64,6 @@ require (
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20250227231956-55c901821b1e // indirect
 	google.golang.org/grpc v1.71.0 // indirect
 	google.golang.org/protobuf v1.36.5 // indirect
+	gopkg.in/yaml.v3 v3.0.1 // indirect
 	rsc.io/tmplfunc v0.0.3 // indirect
 )

go.sum

@@ -261,6 +261,9 @@ google.golang.org/grpc v1.71.0 h1:kF77BGdPTQ4/JZWMlb9VpJ5pa25aqvVqogsxNHHdeBg=
 google.golang.org/grpc v1.71.0/go.mod h1:H0GRtasmQOh9LkFoCPDu3ZrwUtD1YGE+b2vYBYd/8Ec=
 google.golang.org/protobuf v1.36.5 h1:tPhr+woSbjfYvY6/GPufUoYizxw1cF/yFoxJ2fmpwlM=
 google.golang.org/protobuf v1.36.5/go.mod h1:9fA7Ob0pmnwhb644+1+CVWFRbNajQ6iRojtC/QF5bRE=
+gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
+gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
 gopkg.in/natefinch/lumberjack.v2 v2.2.1 h1:bBRl1b0OH9s/DuPhuXpNl+VtCaJXFZ5/uEFST95x9zc=
 gopkg.in/natefinch/lumberjack.v2 v2.2.1/go.mod h1:YD8tP3GAjkrDg1eZH7EGmyESg/lsYskCTPBJVb9jqSc=
 gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=

kms_signer_integration_test.go

@@ -0,0 +1,115 @@
+package signer
+
+import (
+	"context"
+	"os"
+	"sync"
+	"testing"
+
+	"github.com/ethereum/go-ethereum/crypto"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+type TestKeyConfig struct {
+	KeyName string
+}
+
+func getTestKeyConfig(t *testing.T) TestKeyConfig {
+	keyName := os.Getenv("TEST_KMS_KEY_NAME")
+	if keyName == "" {
+		t.Skip("TEST_KMS_KEY_NAME not set, skipping integration test")
+	}
+
+	return TestKeyConfig{
+		KeyName: keyName,
+	}
+}
+
+func TestKMSSignerIntegration(t *testing.T) {
+	if testing.Short() {
+		t.Skip("Skipping integration test in short mode")
+	}
+
+	config := getTestKeyConfig(t)
+	ctx := context.Background()
+
+	signer, err := NewKMSSigner(ctx, KMSSignerConfig{
+		KeyName: config.KeyName,
+	})
+	require.NoError(t, err)
+	defer signer.Close()
+
+	tests := []struct {
+		name    string
+		message []byte
+	}{
+		{
+			name:    "Simple message",
+			message: []byte("Hello, world!"),
+		},
+		{
+			name:    "Empty message",
+			message: []byte{},
+		},
+		{
+			name:    "Long message",
+			message: []byte("Lorem ipsum dolor sit amet, consectetur adipiscing elit. Sed do eiusmod tempor incididunt ut labore et dolore magna aliqua."),
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			hash := crypto.Keccak256(tt.message)
+			signature, err := signer.Sign(ctx, hash)
+			require.NoError(t, err)
+
+			assert.Equal(t, 65, len(signature))
+
+			assert.True(t, signature[64] >= 27, "v value should be >= 27")
+			sigCopy := make([]byte, len(signature))
+			copy(sigCopy, signature)
+			sigCopy[64] -= 27
+
+			_, err = crypto.Ecrecover(hash, sigCopy)
+			assert.NoError(t, err, "should be able to recover public key from signature")
+		})
+	}
+}
+
+func TestKMSSignerIntegrationRetry(t *testing.T) {
+	if testing.Short() {
+		t.Skip("Skipping integration test in short mode")
+	}
+
+	config := getTestKeyConfig(t)
+	ctx := context.Background()
+
+	signer, err := NewKMSSigner(ctx, KMSSignerConfig{
+		KeyName: config.KeyName,
+	})
+	require.NoError(t, err)
+	defer signer.Close()
+
+	message := []byte("Test message for concurrent signing")
+	hash := crypto.Keccak256(message)
+	var wg sync.WaitGroup
+	numConcurrent := 5
+	results := make(chan error, numConcurrent)
+
+	for i := 0; i < numConcurrent; i++ {
+		wg.Add(1)
+		go func() {
+			defer wg.Done()
+			_, err := signer.Sign(ctx, hash)
+			results <- err
+		}()
+	}
+
+	wg.Wait()
+	close(results)
+
+	for err := range results {
+		assert.NoError(t, err, "concurrent signing operation should succeed")
+	}
+}