From a5ddf954f60db2fff47d66d94ed299cac215a46d Mon Sep 17 00:00:00 2001 From: Daniele Lisi <22307776+danielelisi@users.noreply.github.com> Date: Fri, 17 Feb 2023 18:29:36 -0800 Subject: [PATCH 01/10] Add address and op labels to vault_sign_request_duration Prometheus metric --- pkg/metrics/vaultmetrics.go | 16 +++++++++------- 1 file changed, 9 insertions(+), 7 deletions(-) diff --git a/pkg/metrics/vaultmetrics.go b/pkg/metrics/vaultmetrics.go index 2503cdfe..650d3842 100644 --- a/pkg/metrics/vaultmetrics.go +++ b/pkg/metrics/vaultmetrics.go @@ -32,7 +32,7 @@ var ( Name: "vault_sign_request_duration_milliseconds", Help: "Vaults signing requests latencies in milliseconds", Buckets: prometheus.ExponentialBuckets(10, 10, 5), - }, []string{"vault"}) + }, []string{"vault", "address", "op"}) vaultErrorCounter = prometheus.NewCounterVec( prometheus.CounterOpts{ @@ -41,12 +41,14 @@ var ( }, []string{"vault", "code"}) ) -// Interceptor function collects sing operation metrics -func Interceptor(opt *signatory.SignInterceptorOptions, sing func() error) error { - timer := prometheus.NewTimer(prometheus.ObserverFunc(func(seconds float64) { - vaultSigningHist.WithLabelValues(opt.Vault).Observe(seconds * 1000) - })) - err := sing() +// Interceptor function collects sign operation metrics +func Interceptor(opt *signatory.SignInterceptorOptions, sign func() error) error { + timer := prometheus.NewTimer( + prometheus.ObserverFunc( + func(seconds float64) { + vaultSigningHist.WithLabelValues(opt.Vault, opt.Address, opt.Req).Observe(seconds * 1000) + })) + err := sign() timer.ObserveDuration() if err != nil { From 1978a601164534622647bbe9b68325ee1767152c Mon Sep 17 00:00:00 2001 
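Review bot: The new `address` and `op` labels on `vaultSigningHist` create one histogram series per (vault, address, op) combination and expose, to anyone who can read the metrics endpoint, which key signs which request kinds and how often; nothing in the hunk documents that. I would add a comment above the label list, e.g. `// Labels: vault, signer address, request kind. One series per combination; keep the metrics endpoint access-restricted.`, and extend `Help` to mention the per-address breakdown. The same `WithLabelValues` line is changed again in patches 09 and 10, where only the address conversion differs. `Interceptor`'s body continues past the end of this hunk.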
From: stephengaudet Date: Wed, 17 May 2023 11:51:07 -0700 Subject: [PATCH 02/10] sg-integrationtest-includebaker add baking operations to allow policy test --- integration_test/docker-compose.yml | 22 +++- integration_test/flextesa.sh | 6 +- integration_test/flextesanobaking.sh | 18 +++ integration_test/octezclient.go | 19 ++- integration_test/operationkinds_test.go | 159 +++++++++++++++--------- integration_test/signatory.yaml | 2 +- 6 files changed, 160 insertions(+), 66 deletions(-) create mode 100755 integration_test/flextesanobaking.sh diff --git a/integration_test/docker-compose.yml b/integration_test/docker-compose.yml index e96f62ae..4e67367a 100644 --- a/integration_test/docker-compose.yml +++ b/integration_test/docker-compose.yml @@ -23,6 +23,26 @@ services: retries: 10 start_period: 1s + flextesanobaking: + container_name: flextesanobaking + image: oxheadalpha/flextesa:latest + ports: + - "30000:20000" + - "30001:20001" + networks: + - ecadnet + volumes: + - ./flextesanobaking.sh:/usr/bin/sigybox + environment: + - block_time=3 + command: sigybox $PROTOCOL + healthcheck: + test: "curl --fail http://localhost:20000/chains/main/blocks/head/header || exit 1" + interval: 1s + timeout: 1s + retries: 10 + start_period: 1s + octez: container_name: octez image: tezos/tezos:$OCTEZ_VERSION @@ -59,7 +79,7 @@ services: target: /etc/secret.json command: serve healthcheck: - test: "curl --fail http://localhost:6732/authorized_keys || exit 1" + test: "curl --fail http://localhost:9583/healthz || exit 1" interval: 1s timeout: 1s retries: 10 diff --git a/integration_test/flextesa.sh b/integration_test/flextesa.sh index 93d2ff87..ffaa0957 100755 --- a/integration_test/flextesa.sh +++ b/integration_test/flextesa.sh @@ -1,8 +1,6 @@ #! /bin/sh protocol=$1 -time_bb=${block_time:-1} - export alice="$(flextesa key alice)" export bob="$(flextesa key bob)" 
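Review bot: The new `flextesanobaking` service pulls `oxheadalpha/flextesa:latest`, a mutable tag, so the integration run can pick up a different sandbox image from one CI run to the next without any change in this repository; pin it the way the `octez` service is pinned through `$OCTEZ_VERSION`, e.g. `image: oxheadalpha/flextesa:<pinned-tag-or-digest>`. The service also publishes the node RPC as `"30000:20000"` and `"30001:20001"`, which binds on every host interface; `"127.0.0.1:30000:20000"` keeps the sandbox reachable only from the test host. `block_time=3` is set under `environment`, but the mounted `flextesanobaking.sh` hard-codes `--time-between-blocks='2,3,2'` and never reads it, so the variable can be dropped.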
@@ -15,9 +13,9 @@ root_path=/tmp/mini-box flextesa mini-net \ --root "$root_path" --size 1 \ --set-history-mode N000:archive \ - --number-of-b 1 \ + --number-of-bootstrap-accounts 1 \ --balance-of-bootstrap-accounts tez:100_000_000 \ - --time-b "$time_bb" \ + --time-between-blocks='2,3,2' \ --add-bootstrap-account="$alice@2_000_000_000_000" \ --add-bootstrap-account="$speculos@2_000_000_000_000" \ --add-bootstrap-account="$bob@2_000_000_000_000" \ diff --git a/integration_test/flextesanobaking.sh b/integration_test/flextesanobaking.sh new file mode 100755 index 00000000..cfada16a --- /dev/null +++ b/integration_test/flextesanobaking.sh @@ -0,0 +1,18 @@ +#! /bin/sh + +protocol=$1 + +export opstest='opstest,edpkvSkEEfVMKvAv87env4kMNwLfuLYe7y7wXqgfvrwJwhJJpmL1GB,tz1RKGhRF4TZNCXEfwyqZshGsVfrZeVU446B,http://signatory:6732/tz1RKGhRF4TZNCXEfwyqZshGsVfrZeVU446B' + +root_path=/tmp/mini-box + +flextesa mini-net \ + --no-baking \ + --root "$root_path" --size 1 \ + --set-history-mode N000:archive \ + --number-of-bootstrap-accounts 0 \ + --remove-default-bootstrap-accounts \ + --time-between-blocks='2,3,2' \ + --add-bootstrap-account="$opstest@2_000_000_000_000" \ + --until-level 200_000_000 \ + --protocol-kind "$protocol" diff --git a/integration_test/octezclient.go b/integration_test/octezclient.go index 122cd64c..22658c52 100644 --- a/integration_test/octezclient.go +++ b/integration_test/octezclient.go @@ -11,12 +11,18 @@ func OctezClient(arg ...string) ([]byte, error) { return exec.Command(cmd, args...).CombinedOutput() } +func clean_tezos_folder() { + delete_contracts_aliases() + delete_wallet_lock() + delete_watermark_files() +} + func delete_wallet_lock() { var cmd = "docker" var args = []string{"exec", "octez", "rm", "-f", "/home/tezos/.tezos-client/wallet_lock"} out, err := exec.Command(cmd, args...).CombinedOutput() if err != nil { - panic("Failed to delete wallet lock: " + string(out)) + panic("Clean tezos: Failed to delete wallet lock: " + string(out)) } } 
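Review bot: `clean_tezos_folder` in `octezclient.go` chains three helpers that each `panic` on failure, so when it runs from a `defer` in a test, a failed `docker exec` in `delete_contracts_aliases` skips the wallet-lock and watermark cleanup and takes down the whole test binary instead of failing one test. Consider having the helpers return an `error` and letting the caller report it with `t.Errorf`, so every cleanup step still runs. The new function has no doc comment; something like `// clean_tezos_folder removes the contract aliases, the wallet lock and the *_highwatermarks files from the octez container's client directory.` would help, and the same goes for `delete_watermark_files`, added in the next hunk of this file. The snake_case names follow the existing helpers but not Go's MixedCaps convention.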
@@ -25,6 +31,15 @@ func delete_contracts_aliases() { var args = []string{"exec", "octez", "rm", "-f", "/home/tezos/.tezos-client/contracts"} out, err := exec.Command(cmd, args...).CombinedOutput() if err != nil { - panic("Failed to delete contracts: " + string(out)) + panic("Clean tezos: Failed to delete contracts: " + string(out)) + } +} + +func delete_watermark_files() { + var cmd = "docker" + var args = []string{"exec", "octez", "/bin/sh", "-c", "rm -f /home/tezos/.tezos-client/*_highwatermarks"} + out, err := exec.Command(cmd, args...).CombinedOutput() + if err != nil { + panic("Clean tezos: Failed to delete watermarks: " + string(out)) } } diff --git a/integration_test/operationkinds_test.go b/integration_test/operationkinds_test.go index 634341a1..6e975009 100644 --- a/integration_test/operationkinds_test.go +++ b/integration_test/operationkinds_test.go 
@@ -17,87 +17,126 @@ const ( alias1 = "opstest1" contract = "contract.event.tz" contractAlias = "emit_event" + flextesanob = "http://flextesanobaking:20000" ) type testCase struct { - opName string - testSetupOps [][]string - testOp []string - account string - allowPolicy map[string][]string - notAllowPolicy map[string][]string + opName string + testSetupOps [][]string + testOp []string + account string + allowPolicy map[string][]string + notAllowPolicy map[string][]string + successMessage string + validateOctezReturn bool } // these test cases are not atomic -- some tests depend on previous tests (order matters) var testcases = []testCase{ { - opName: "reveal", - testSetupOps: [][]string{{"-w", "1", "transfer", "100", "from", "alice", "to", alias, "--burn-cap", "0.06425"}}, - testOp: []string{"reveal", "key", "for", alias}, - account: account, - allowPolicy: map[string][]string{"generic": {"reveal"}}, - notAllowPolicy: map[string][]string{"generic": getAllOpsExcluding([]string{"reveal"})}, + opName: "preendorsement", + testSetupOps: nil, + testOp: []string{"--endpoint", flextesanob, "preendorse", "for", alias, "--force"}, + account: account, + allowPolicy: map[string][]string{"generic": {"preendorsement"}, "preendorsement": {}}, + notAllowPolicy: map[string][]string{"generic": getAllOpsExcluding([]string{"preendorsement"}), "endorsement": {}, "block": {}}, + successMessage: "injected preendorsement", + validateOctezReturn: false, }, { - opName: "register_global_constant", - testSetupOps: nil, - testOp: []string{"register", "global", "constant", "999", "from", alias, "--burn-cap", "0.017"}, - account: account, - allowPolicy: map[string][]string{"generic": {"register_global_constant"}}, - notAllowPolicy: map[string][]string{"generic": getAllOpsExcluding([]string{"register_global_constant"})}, + opName: "endorsement", + testSetupOps: nil, + testOp: []string{"--endpoint", flextesanob, "endorse", "for", alias, "--force"}, + account: account, + allowPolicy: 
map[string][]string{"generic": {"endorsement"}, "endorsement": {}}, + notAllowPolicy: map[string][]string{"generic": getAllOpsExcluding([]string{"endorsement"}), "preendorsement": {}, "block": {}}, + successMessage: "injected endorsement", + validateOctezReturn: false, }, { - opName: "transaction", - testSetupOps: nil, - account: account, - testOp: []string{"transfer", "1", "from", alias, "to", "alice", "--burn-cap", "0.06425"}, - allowPolicy: map[string][]string{"generic": {"transaction"}}, - notAllowPolicy: map[string][]string{"generic": getAllOpsExcluding([]string{"transaction"})}, + opName: "reveal", + testSetupOps: [][]string{{"-w", "1", "transfer", "100", "from", "alice", "to", alias, "--burn-cap", "0.06425"}}, + testOp: []string{"reveal", "key", "for", alias}, + account: account, + allowPolicy: map[string][]string{"generic": {"reveal"}}, + notAllowPolicy: map[string][]string{"generic": getAllOpsExcluding([]string{"reveal"})}, + successMessage: "Operation successfully injected in the node", + validateOctezReturn: true, }, { - opName: "delegation", - testSetupOps: nil, - account: account, - testOp: []string{"register", "key", alias, "as", "delegate"}, - allowPolicy: map[string][]string{"generic": {"delegation"}}, - notAllowPolicy: map[string][]string{"generic": getAllOpsExcluding([]string{"delegation"})}, + opName: "register_global_constant", + testSetupOps: nil, + testOp: []string{"register", "global", "constant", "999", "from", alias, "--burn-cap", "0.017"}, + account: account, + allowPolicy: map[string][]string{"generic": {"register_global_constant"}}, + notAllowPolicy: map[string][]string{"generic": getAllOpsExcluding([]string{"register_global_constant"})}, + successMessage: "Operation successfully injected in the node", + validateOctezReturn: true, }, { - opName: "set_deposits_limit", - testSetupOps: nil, - account: account, - testOp: []string{"set", "deposits", "limit", "for", alias, "to", "10000"}, - allowPolicy: map[string][]string{"generic": 
{"set_deposits_limit"}}, - notAllowPolicy: map[string][]string{"generic": getAllOpsExcluding([]string{"set_deposits_limit"})}, + opName: "transaction", + testSetupOps: nil, + account: account, + testOp: []string{"transfer", "1", "from", alias, "to", "alice", "--burn-cap", "0.06425"}, + allowPolicy: map[string][]string{"generic": {"transaction"}}, + notAllowPolicy: map[string][]string{"generic": getAllOpsExcluding([]string{"transaction"})}, + successMessage: "Operation successfully injected in the node", + validateOctezReturn: true, }, { - opName: "update_consensus_key", - testSetupOps: nil, - account: account, - testOp: []string{"set", "consensus", "key", "for", alias, "to", alias1}, - allowPolicy: map[string][]string{"generic": {"update_consensus_key"}}, - notAllowPolicy: map[string][]string{"generic": getAllOpsExcluding([]string{"update_consensus_key"})}, + opName: "delegation", + testSetupOps: nil, + account: account, + testOp: []string{"register", "key", alias, "as", "delegate"}, + allowPolicy: map[string][]string{"generic": {"delegation"}}, + notAllowPolicy: map[string][]string{"generic": getAllOpsExcluding([]string{"delegation"})}, + successMessage: "Operation successfully injected in the node", + validateOctezReturn: true, }, { - opName: "origination", - testSetupOps: nil, - account: account, - testOp: []string{"originate", "contract", contractAlias, "transferring", "1", "from", alias, "running", contract, "--burn-cap", "0.4"}, - allowPolicy: map[string][]string{"generic": {"origination", "transaction"}}, - notAllowPolicy: map[string][]string{"generic": getAllOpsExcluding([]string{"origination"})}, + opName: "set_deposits_limit", + testSetupOps: nil, + account: account, + testOp: []string{"set", "deposits", "limit", "for", alias, "to", "10000"}, + allowPolicy: map[string][]string{"generic": {"set_deposits_limit"}}, + notAllowPolicy: map[string][]string{"generic": getAllOpsExcluding([]string{"set_deposits_limit"})}, + successMessage: "Operation successfully 
injected in the node", + validateOctezReturn: true, }, { - opName: "increase_paid_storage", - testSetupOps: nil, - account: account, - testOp: []string{"increase", "the", "paid", "storage", "of", contractAlias, "by", "0x5c", "bytes", "from", alias}, - allowPolicy: map[string][]string{"generic": {"increase_paid_storage"}}, - notAllowPolicy: map[string][]string{"generic": getAllOpsExcluding([]string{"increase_paid_storage"})}, + opName: "update_consensus_key", + testSetupOps: nil, + account: account, + testOp: []string{"set", "consensus", "key", "for", alias, "to", alias1}, + allowPolicy: map[string][]string{"generic": {"update_consensus_key"}}, + notAllowPolicy: map[string][]string{"generic": getAllOpsExcluding([]string{"update_consensus_key"})}, + successMessage: "Operation successfully injected in the node", + validateOctezReturn: true, + }, + { + opName: "origination", + testSetupOps: nil, + account: account, + testOp: []string{"originate", "contract", contractAlias, "transferring", "1", "from", alias, "running", contract, "--burn-cap", "0.4"}, + allowPolicy: map[string][]string{"generic": {"origination", "transaction"}}, + notAllowPolicy: map[string][]string{"generic": getAllOpsExcluding([]string{"origination"})}, + successMessage: "Operation successfully injected in the node", + validateOctezReturn: true, + }, + { + opName: "increase_paid_storage", + testSetupOps: nil, + account: account, + testOp: []string{"increase", "the", "paid", "storage", "of", contractAlias, "by", "0x5c", "bytes", "from", alias}, + allowPolicy: map[string][]string{"generic": {"increase_paid_storage"}}, + notAllowPolicy: map[string][]string{"generic": getAllOpsExcluding([]string{"increase_paid_storage"})}, + successMessage: "Operation successfully injected in the node", + validateOctezReturn: true, }, } func TestOperationAllowPolicy(t *testing.T) { - defer delete_contracts_aliases() + defer clean_tezos_folder() for _, test := range testcases { t.Run(test.opName, func(t *testing.T) { 
//first, do any setup steps that have to happen before the operation to be tested @@ -115,8 +154,12 @@ func TestOperationAllowPolicy(t *testing.T) { defer restore_config() restart_signatory() out, err := OctezClient(test.testOp...) - assert.Error(t, err) - require.Contains(t, string(out), "operation `"+test.opName+"' is not allowed") + if test.validateOctezReturn { + //the baking operations in octez-client do not return an error when they fail + //so, we do this assert when we can + assert.Error(t, err) + } + assert.Contains(t, string(out), "`"+test.opName+"' is not allowed") //finally, configure the operation being tested as the only one allowed and test it is successful c.Read(config) @@ -128,7 +171,7 @@ func TestOperationAllowPolicy(t *testing.T) { log.Println("error received: " + err.Error() + " " + string(out)) } assert.NoError(t, err) - require.Contains(t, string(out), "Operation successfully injected in the node") + assert.Contains(t, string(out), test.successMessage) }) } } diff --git a/integration_test/signatory.yaml b/integration_test/signatory.yaml index 82e8b470..5dc4a4bd 100644 --- a/integration_test/signatory.yaml +++ b/integration_test/signatory.yaml @@ -57,4 +57,4 @@ tezos: - transaction block: endorsement: - preendorsement: \ No newline at end of file + preendorsement: From 9c23e501574f6951ddf9a95b4064f5b18f3d71cc Mon Sep 17 00:00:00 2001 From: stephengaudet Date: Wed, 17 May 2023 15:19:27 -0700 Subject: [PATCH 03/10] sg-integrationtest add block operation --- integration_test/operationkinds_test.go | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/integration_test/operationkinds_test.go b/integration_test/operationkinds_test.go index 6e975009..4096299d 100644 --- a/integration_test/operationkinds_test.go +++ b/integration_test/operationkinds_test.go 
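Review bot: For the cases with `validateOctezReturn: false`, the deny-policy step in the `@@ -115,8 +154,12 @@` hunk has no exit status to rely on, so the only evidence that the signing request was refused is one substring of the client output. Since this test is what guards the allow list, I would add the inverse check directly after it, `assert.NotContains(t, string(out), test.successMessage)`, to get a second, independent signal. The new struct field also deserves a comment where it is declared, e.g. `// validateOctezReturn is false for baking commands, whose octez-client exit status does not reflect a rejected signature`; the inline "we do this assert when we can" does not say which cases are meant. In the last hunk `assert.NoError(t, err)` carries no weight for those same cases, which leaves the `successMessage` match as the real assertion. The test function starts and ends outside these hunks.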
@@ -53,6 +53,16 @@ var testcases = []testCase{ successMessage: "injected endorsement", validateOctezReturn: false, }, + { + opName: "block", + testSetupOps: nil, + testOp: []string{"--endpoint", flextesanob, "bake", "for", alias, "--force"}, + account: account, + allowPolicy: map[string][]string{"generic": {}, "block": {}}, + notAllowPolicy: map[string][]string{"generic": getAllOpsExcluding([]string{"block"}), "preendorsement": {}, "endorsement": {}}, + successMessage: ".baker.actions: injected for " + alias + " (" + account + ")", + validateOctezReturn: false, + }, { opName: "reveal", testSetupOps: [][]string{{"-w", "1", "transfer", "100", "from", "alice", "to", alias, "--burn-cap", "0.06425"}}, From 12107393a51ebb9d6e83cf42292be1027ae673ae Mon Sep 17 00:00:00 2001 
From: stephengaudet Date: Tue, 23 May 2023 15:53:18 -0700 Subject: [PATCH 04/10] sg-integrationtest add aws kms test and simple signatory-cli test --- integration_test/.env.current.amd64 | 2 + integration_test/.env.current.arm64 | 2 + integration_test/.env.next.amd64 | 2 + integration_test/.env.next.arm64 | 2 + integration_test/.env.vaults | 6 +++ integration_test/README.md | 44 ++++++++++++++-- integration_test/authorizedkeys_test.go | 2 +- integration_test/cli_test.go | 17 +++++++ integration_test/config.go | 14 +++--- integration_test/env.current.amd64 | 2 - integration_test/env.current.arm64 | 2 - integration_test/env.next.amd64 | 2 - integration_test/env.next.arm64 | 2 - integration_test/operationkinds_test.go | 7 ++- integration_test/service.go | 2 +- integration_test/signatory.yaml | 8 +++ integration_test/signatorycli.go | 12 +++++ integration_test/vault_aws_test.go | 67 +++++++++++++++++++++++++ 18 files changed, 170 insertions(+), 25 deletions(-) create mode 100644 integration_test/.env.current.amd64 create mode 100644 integration_test/.env.current.arm64 create mode 100644 integration_test/.env.next.amd64 create mode 100644 integration_test/.env.next.arm64 create mode 100644 integration_test/.env.vaults create mode 100644 integration_test/cli_test.go delete mode 100644 integration_test/env.current.amd64 delete mode 100644 integration_test/env.current.arm64 delete mode 100644 integration_test/env.next.amd64 delete mode 100644 integration_test/env.next.arm64 create mode 100644 integration_test/signatorycli.go create mode 100644 integration_test/vault_aws_test.go diff --git a/integration_test/.env.current.amd64 b/integration_test/.env.current.amd64 new file mode 100644 index 00000000..1131e215 --- /dev/null +++ b/integration_test/.env.current.amd64 @@ -0,0 +1,2 @@ +export OCTEZ_VERSION=amd64_v16.0-rc3 +export PROTOCOL=Mumbai diff --git a/integration_test/.env.current.arm64 b/integration_test/.env.current.arm64 new file mode 100644 index 00000000..2e6d2034 
--- /dev/null +++ b/integration_test/.env.current.arm64 @@ -0,0 +1,2 @@ +export OCTEZ_VERSION=arm64_v16.0-rc3 +export PROTOCOL=Mumbai diff --git a/integration_test/.env.next.amd64 b/integration_test/.env.next.amd64 new file mode 100644 index 00000000..593d61b9 --- /dev/null +++ b/integration_test/.env.next.amd64 @@ -0,0 +1,2 @@ +export OCTEZ_VERSION=amd64_v17.0-beta1 +export PROTOCOL=Nairobi diff --git a/integration_test/.env.next.arm64 b/integration_test/.env.next.arm64 new file mode 100644 index 00000000..86550e19 --- /dev/null +++ b/integration_test/.env.next.arm64 @@ -0,0 +1,2 @@ +export OCTEZ_VERSION=arm64_v17.0-beta1 +export PROTOCOL=Nairobi diff --git a/integration_test/.env.vaults b/integration_test/.env.vaults new file mode 100644 index 00000000..613b52bc --- /dev/null +++ b/integration_test/.env.vaults @@ -0,0 +1,6 @@ +export VAULT_AWS_USER=${{ secrets.INTEGRATIONTEST_VAULT_AWS_USER }} +export VAULT_AWS_KEY=${{ secrets.INTEGRATIONTEST_VAULT_AWS_KEY }} +export VAULT_AWS_SECRET=${{ secrets.INTEGRATIONTEST_VAULT_AWS_SECRET }} +export VAULT_AWS_REGION=${{ secrets.INTEGRATIONTEST_VAULT_AWS_REGION }} +export VAULT_AWS_PKH_TZ2=${{ secrets.INTEGRATIONTEST_VAULT_AWS_TZ2 }} +export VAULT_AWS_PKH_TZ3=${{ secrets.INTEGRATIONTEST_VAULT_AWS_TZ3 }} diff --git a/integration_test/README.md b/integration_test/README.md index 9fc0c684..969b4ee4 100644 --- a/integration_test/README.md +++ b/integration_test/README.md 
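Review bot: `.env.vaults` assigns every variable from `${{ secrets.… }}`, which is GitHub Actions expression syntax and is not expanded by a shell, so sourcing the file as it stands would most likely stop on a bad substitution instead of setting anything. If it is meant as a template, use empty placeholders such as `export VAULT_AWS_KEY=` with a comment naming the CI secret, and keep the filled-in copy out of version control (a `.gitignore` entry, or ship the template as `.env.vaults.example`). This matters here because patch 06 of this series deletes a literal AWS access key pair from `integration_test/signatory.yaml`, apparently introduced with this commit's change to that file. A key that has appeared in a commit stays in the history and should be rotated, not only removed.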
@@ -32,22 +32,50 @@ echo $PAT |docker login ghcr.io -u --password-stdin cd integration_test ``` -Exporting the Environment Variables used by the test is required. Choose the set of env var to use from the files `env.current.arm64`, `env.next.arm64`, `env.current.amd64`, `env.next.amd64`. Use `current` if you'd like the economic protocol run by flextesa to match mainnet, use `next` if you'd like the next protocol instead. Use `arm64` or `amd64` depending on your host architecture. +Exporting the Environment Variables used by the test is required. There are 3 groups of environment variables to consider: -So, to set the env to use mainnet protocol, using a build of Signatory's `main` branch, on a macbook m1 host: +1. Signatory image +2. chain protocol and octez version +3. vault specifics + +### Signatory image env var + +using a build of Signatory's main branch, on a macbook m1 host: ```sh -export $(xargs Date: Tue, 23 May 2023 15:53:58 -0700 Subject: [PATCH 05/10] sg-integrationtest missed workflow changes last commit --- .github/workflows/build.yaml | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml index 2f79cf9a..aed9e8bc 100644 --- a/.github/workflows/build.yaml +++ b/.github/workflows/build.yaml @@ -108,8 +108,8 @@ jobs: fail-fast: false matrix: testenvs: - - env.current.amd64 - - env.next.amd64 + - current.amd64 + - next.amd64 steps: - uses: actions/checkout@v2 - name: Login to DockerHub 
@@ -120,9 +120,16 @@ jobs: username: ${{ github.actor }} password: ${{ secrets.GITHUB_TOKEN }} - name: Run tests + env: + IMAGE: ghcr.io/ecadlabs/signatory:${{ github.head_ref || github.ref_name }}-amd64 + VAULT_AWS_USER: ${{ secrets.INTEGRATIONTEST_VAULT_AWS_USER }} + VAULT_AWS_KEY: ${{ secrets.INTEGRATIONTEST_VAULT_AWS_KEY }} + VAULT_AWS_SECRET: ${{ secrets.INTEGRATIONTEST_VAULT_AWS_SECRET }} + VAULT_AWS_REGION: ${{ secrets.INTEGRATIONTEST_VAULT_AWS_REGION }} + VAULT_AWS_PKH_TZ2: ${{ secrets.INTEGRATIONTEST_VAULT_AWS_TZ2 }} + VAULT_AWS_PKH_TZ3: ${{ secrets.INTEGRATIONTEST_VAULT_AWS_TZ3 }} run: > - export $(xargs Date: Tue, 23 May 2023 20:45:53 -0700 Subject: [PATCH 06/10] sg-integrationtest revert config file --- integration_test/signatory.yaml | 7 ------- 1 file changed, 7 deletions(-) diff --git a/integration_test/signatory.yaml b/integration_test/signatory.yaml index e59d373b..4428489b 100644 --- a/integration_test/signatory.yaml +++ b/integration_test/signatory.yaml @@ -6,13 +6,6 @@ vaults: driver: file config: file: /etc/secret.json - aws: - driver: awskms - config: - user_name: stephen - access_key_id: AKIAWXBZ6RID2G4MXWIP - secret_access_key: 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 - region: us-west-2 tezos: #alice From 33e007ff1724878b242348c5af0128fa1f644388 Mon Sep 17 00:00:00 2001 From: stephengaudet Date: Wed, 24 May 2023 15:03:54 -0700 Subject: [PATCH 07/10] sg-integrationtest improve readme --- integration_test/README.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/integration_test/README.md b/integration_test/README.md index e9032dd7..8fea2401 100644 --- a/integration_test/README.md +++ b/integration_test/README.md 
@@ -54,15 +54,15 @@ export IMAGE=ghcr.io/ecadlabs/signatory:main-amd64 ### chain protocol and octez version env var -Choose the set of env var to use from the files `env.current.arm64`, `env.next.arm64`, `env.current.amd64`, `env.next.amd64`. Use `current` if you'd like the economic protocol run by flextesa to match mainnet, use `next` if you'd like the next protocol instead. Use `arm64` or `amd64` depending on your host architecture. +Choose the set of env var to use from the files `.env.current.arm64`, `.env.next.arm64`, `.env.current.amd64`, `.env.next.amd64`. Use `current` if you'd like the economic protocol run by flextesa to match mainnet, use `next` if you'd like the next protocol instead. Use `arm64` or `amd64` depending on your host architecture. -So, to set the env to use mainnet protocol on a macbook m1 host: +So, to set the env to use mainnet protocol on macbook m1 host: ```sh . .env.current.arm64 ``` -Likewise, to set the env to use the next protocol, using a build of Signatory's `main` branch, on an x86_64 host: +Likewise, to set the env to use the next protocol, using a build of Signatory's `main` branch, on x86_64 host: ```sh . .env.next.amd64 @@ -108,7 +108,7 @@ docker compose down ## Re-Running Tests -Most tests can be re-run successfully as detailed above. Some tests (like the `reveal` operation) can only be run once on a chain. So, when re-running all, stop the stack and bring it up again in between test runs. +Most tests can be re-run successfully as detailed above. Some tests (like the `reveal` operation) can only be run once on a chain. So, when re-running all, stop the stack and bring it up again in between test runs. ## Notes to the operator From f1c77a56f0c6760b61e47e3b06dd408c4568025d Mon Sep 17 00:00:00 2001 
From: stephengaudet Date: Thu, 25 May 2023 09:54:55 -0700 Subject: [PATCH 08/10] sg-integrationtest fix aws vault test --- integration_test/vault_aws_test.go | 38 +++++++++++++++--------------- 1 file changed, 19 insertions(+), 19 deletions(-) diff --git a/integration_test/vault_aws_test.go b/integration_test/vault_aws_test.go index 533fec9d..fcf3c14f 100644 --- a/integration_test/vault_aws_test.go +++ b/integration_test/vault_aws_test.go @@ -20,25 +20,6 @@ func TestAWSVault(t *testing.T) { tz2alias := "awstz2" tz3alias := "awstz3" - //setup - out, err := OctezClient("transfer", "100", "from", "alice", "to", tz2, "--burn-cap", "0.06425") - assert.NoError(t, err) - require.Contains(t, string(out), "Operation successfully injected in the node") - - out, err = OctezClient("transfer", "100", "from", "alice", "to", tz3, "--burn-cap", "0.06425") - assert.NoError(t, err) - require.Contains(t, string(out), "Operation successfully injected in the node") - - out, err = OctezClient("import", "secret", "key", tz2alias, "http://signatory:6732/"+tz2) - assert.NoError(t, err) - assert.Contains(t, string(out), "Tezos address added: "+tz2) - defer OctezClient("forget", "address", tz2alias, "--force") - - out, err = OctezClient("import", "secret", "key", tz3alias, "http://signatory:6732/"+tz3) - assert.NoError(t, err) - assert.Contains(t, string(out), "Tezos address added: "+tz3) - defer OctezClient("forget", "address", tz3alias, "--force") - //config var c Config c.Read() 
@@ -55,6 +36,25 @@ func TestAWSVault(t *testing.T) { defer restore_config() restart_signatory() + //setup + out, err := OctezClient("import", "secret", "key", tz2alias, "http://signatory:6732/"+tz2) + assert.NoError(t, err) + assert.Contains(t, string(out), "Tezos address added: "+tz2) + defer OctezClient("forget", "address", tz2alias, "--force") + + out, err = OctezClient("import", "secret", "key", tz3alias, "http://signatory:6732/"+tz3) + assert.NoError(t, err) + assert.Contains(t, string(out), "Tezos address added: "+tz3) + defer OctezClient("forget", "address", tz3alias, "--force") + + out, err = OctezClient("transfer", "100", "from", "alice", "to", tz2alias, "--burn-cap", "0.06425") + assert.NoError(t, err) + require.Contains(t, string(out), "Operation successfully injected in the node") + + out, err = OctezClient("transfer", "100", "from", "alice", "to", tz3alias, "--burn-cap", "0.06425") + assert.NoError(t, err) + require.Contains(t, string(out), "Operation successfully injected in the node") + //test //TODO: resolve issue #364 and enable the tz2 test //out, err = OctezClient("transfer", "1", "from", tz2alias, "to", "alice", "--burn-cap", "0.06425") From 326b96cf1f102255ab4c615eb5ad9a36d396e683 Mon Sep 17 00:00:00 2001 From: stephengaudet Date: Thu, 25 May 2023 15:22:46 -0700 Subject: [PATCH 09/10] fix build break from gotez integration changes --- pkg/metrics/vaultmetrics.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pkg/metrics/vaultmetrics.go b/pkg/metrics/vaultmetrics.go index bcfb4618..cf38c6c9 100644 --- a/pkg/metrics/vaultmetrics.go +++ b/pkg/metrics/vaultmetrics.go 
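Review bot: The relocated setup checks each `OctezClient` call with `assert.NoError`, which records the failure and carries on, so a failed `import secret key` still goes on to attempt the transfers to `tz2alias` and `tz3alias`, and the real cause ends up buried under follow-on errors. Use `require.NoError(t, err)` for the setup steps, in line with the `require.Contains` the hunk already uses after the transfers. The two `defer OctezClient("forget", "address", …, "--force")` calls discard their error; a comment such as `// best-effort cleanup; error ignored on purpose` would make that explicit. `TestAWSVault` starts before and continues after this hunk.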
@@ -46,7 +46,7 @@ func Interceptor(opt *signatory.SignInterceptorOptions, sign func() error) error
 timer := prometheus.NewTimer(
 prometheus.ObserverFunc(
 func(seconds float64) {
- vaultSigningHist.WithLabelValues(opt.Vault, opt.Address, opt.Req).Observe(seconds * 1000)
+ vaultSigningHist.WithLabelValues(opt.Vault, string(opt.Address.PublicKeyHash()), opt.Req).Observe(seconds * 1000)
 }))
 err := sign()
 timer.ObserveDuration()
From 2ef983e7a4824f9acd9d4304454b43390ff6b914 Mon Sep 17 00:00:00 2001
From: stephengaudet
Date: Fri, 9 Jun 2023 13:29:41 -0700
Subject: [PATCH 10/10] fix metric label
---
 pkg/metrics/vaultmetrics.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pkg/metrics/vaultmetrics.go b/pkg/metrics/vaultmetrics.go
index cf38c6c9..48af9442 100644
--- a/pkg/metrics/vaultmetrics.go
+++ b/pkg/metrics/vaultmetrics.go
@@ -46,7 +46,7 @@ func Interceptor(opt *signatory.SignInterceptorOptions, sign func() error) error
 timer := prometheus.NewTimer(
 prometheus.ObserverFunc(
 func(seconds float64) {
- vaultSigningHist.WithLabelValues(opt.Vault, string(opt.Address.PublicKeyHash()), opt.Req).Observe(seconds * 1000)
+ vaultSigningHist.WithLabelValues(opt.Vault, string(opt.Address.ToBase58()), opt.Req).Observe(seconds * 1000)
 }))
 err := sign()
 timer.ObserveDuration()