Package org.forgerock.secrets.gcpkms

Class GoogleKmsSecretStore

java.lang.Object

org.forgerock.secrets.gcpkms.GoogleKmsSecretStore

All Implemented Interfaces:

SecretStore<CryptoKey>

public final class GoogleKmsSecretStore
extends Object
implements SecretStore<CryptoKey>

A secret store that can provide cryptographic keys based on the Google Cloud Platform Key Management Service. Cryptographic operations are performed by sending requests to the KMS.

Note: You should install the GoogleKmsProvider to use the resulting keys for creating signatures.

Nested Class Summary

Nested Classes

Modifier and Type	Class	Description
static class	GoogleKmsSecretStore.Builder	Builder class for GoogleKmsSecretStore.

Field Summary

Fields inherited from interface org.forgerock.secrets.SecretStore

CLOCK, LEASE_EXPIRY_DURATION

Method Summary

Modifier and Type	Method	Description
static GoogleKmsSecretStore.Builder	builder()	Creates a new GoogleKmsSecretStore.Builder object for configuring this secret store.
<S extends CryptoKey> Promise<S,NoSuchSecretException>	getActive(Purpose<S> purpose)	Returns the active secret for the given purpose.
<S extends CryptoKey> Promise<S,NoSuchSecretException>	getNamed(Purpose<S> purpose, String name)	Returns the named secret from this store.
Class<CryptoKey>	getStoredType()	The top-level class that this store is capable of storing.
<S extends CryptoKey> Promise<Stream<S>,NeverThrowsException>	getValid(Purpose<S> purpose)	Returns all valid secrets for the given purpose from this store.
void	refresh()	Indicates that the store should refresh its secrets from the backing storage mechanism.
void	shutdown()	Shuts down the underlying Google KMS client library and releases any resources associated with it.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface org.forgerock.secrets.SecretStore

retire, revoke, rotate

Method Detail

builder

public static GoogleKmsSecretStore.Builder builder()

Creates a new GoogleKmsSecretStore.Builder object for configuring this secret store.

Returns:

the builder object.

shutdown

public void shutdown()

Shuts down the underlying Google KMS client library and releases any resources associated with it.

getStoredType

public Class<CryptoKey> getStoredType()

Description copied from interface: SecretStore

The top-level class that this store is capable of storing. This is a reification of the type parameter and can be used to lookup stores for a given type.

Specified by:

getStoredType in interface SecretStore<CryptoKey>

Returns:

the top-most type that this store is capable of storing, typically either CryptoKey for key-stores, GenericSecret for password stores, or Secret if the store is capable of storing any type of secret.

getActive

public <S extends CryptoKey> Promise<S,NoSuchSecretException> getActive(Purpose<S> purpose)

Description copied from interface: SecretStore

Returns the active secret for the given purpose.

Specified by:

getActive in interface SecretStore<CryptoKey>

Type Parameters:

S - the type of secret.

Parameters:

purpose - the purpose for which a secret is required.

Returns:

the active secret from this store.

getNamed

public <S extends CryptoKey> Promise<S,NoSuchSecretException> getNamed(Purpose<S> purpose,
                                                                             String name)

Description copied from interface: SecretStore

Returns the named secret from this store. The default implementation calls SecretStore.getValid(Purpose) and then returns the first valid key with a matching stable ID.

Specified by:

getNamed in interface SecretStore<CryptoKey>

Type Parameters:

S - the type of secret.

Parameters:

purpose - the secret purpose.

name - the name (stable id) of the secret.

Returns:

a promise for the named secret, or a NoSuchSecretException promise if no such secret exists.

getValid

public <S extends CryptoKey> Promise<Stream<S>,NeverThrowsException> getValid(Purpose<S> purpose)

Description copied from interface: SecretStore

Returns all valid secrets for the given purpose from this store.

Specified by:

getValid in interface SecretStore<CryptoKey>

Type Parameters:

S - the type of secret.

Parameters:

purpose - the purpose.

Returns:

a stream of all valid secrets of the given type from this store, or an empty stream if none exist.

refresh

public void refresh()

Description copied from interface: SecretStore

Indicates that the store should refresh its secrets from the backing storage mechanism. This can be used to cause reload of a store after a secret rotation if the backend does not automatically detect such changes. Refresh may be an asynchronous operation and no guarantees are made about when clients of this secret store may see updated secrets after a call to refresh.

Specified by:

refresh in interface SecretStore<CryptoKey>