Package org.forgerock.secrets.vault
Class VaultDatabaseCredentialsSecretStore
- java.lang.Object
-
- org.forgerock.secrets.vault.VaultDatabaseCredentialsSecretStore
-
- All Implemented Interfaces:
SecretStore<GenericSecret>
public class VaultDatabaseCredentialsSecretStore extends Object
A secret store that can fetch fresh database credentials from the Vault Database secret engine.
-
-
Field Summary
Fields Modifier and Type Field Description static String
DEFAULT_PATH
The default path at which this secret engine is mounted by Vault.-
Fields inherited from interface org.forgerock.secrets.SecretStore
CLOCK, LEASE_EXPIRY_DURATION
-
-
Constructor Summary
Constructors Constructor Description VaultDatabaseCredentialsSecretStore(SecretReference<GenericSecret> tokenReference, VaultConfig config)
Constructs a secret store to retrieve database credentials from Vault with the given options.
-
Method Summary
All Methods Instance Methods Concrete Methods Modifier and Type Method Description <S extends T>
Promise<S,NoSuchSecretException>getActive(Purpose<S> purpose)
Returns the active secret for the given purpose.<S extends T>
Promise<S,NoSuchSecretException>getNamed(Purpose<S> purpose, String name)
Returns the named secret from this store.Class<T>
getStoredType()
The top-level class that this store is capable of storing.<S extends T>
Promise<Stream<S>,NeverThrowsException>getValid(Purpose<S> purpose)
Returns all valid secrets for the given purpose from this store.void
refresh()
Indicates that the store should refresh its secrets from the backing storage mechanism.-
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
-
Methods inherited from interface org.forgerock.secrets.SecretStore
retire, revoke, rotate
-
-
-
-
Field Detail
-
DEFAULT_PATH
public static final String DEFAULT_PATH
The default path at which this secret engine is mounted by Vault.- See Also:
- Constant Field Values
-
-
Constructor Detail
-
VaultDatabaseCredentialsSecretStore
public VaultDatabaseCredentialsSecretStore(SecretReference<GenericSecret> tokenReference, VaultConfig config)
Constructs a secret store to retrieve database credentials from Vault with the given options.- Parameters:
tokenReference
- the Vault authentication token reference. SeeAppRoleTokenStore
orJwtAuthenticationTokenStore
.config
- the configuration options. SeeVaultConfig
.
-
-
Method Detail
-
getStoredType
public Class<T> getStoredType()
Description copied from interface:SecretStore
The top-level class that this store is capable of storing. This is a reification of the type parameter and can be used to lookup stores for a given type.- Specified by:
getStoredType
in interfaceSecretStore<T extends Secret>
- Returns:
- the top-most type that this store is capable of storing, typically either
CryptoKey
for key-stores,GenericSecret
for password stores, orSecret
if the store is capable of storing any type of secret.
-
getActive
public <S extends T> Promise<S,NoSuchSecretException> getActive(Purpose<S> purpose)
Description copied from interface:SecretStore
Returns the active secret for the given purpose.- Specified by:
getActive
in interfaceSecretStore<T extends Secret>
- Type Parameters:
S
- the type of secret.- Parameters:
purpose
- the purpose for which a secret is required.- Returns:
- the active secret from this store.
-
getNamed
public <S extends T> Promise<S,NoSuchSecretException> getNamed(Purpose<S> purpose, String name)
Description copied from interface:SecretStore
Returns the named secret from this store. The default implementation callsSecretStore.getValid(Purpose)
and then returns the first valid key with a matching stable ID.- Specified by:
getNamed
in interfaceSecretStore<T extends Secret>
- Type Parameters:
S
- the type of secret.- Parameters:
purpose
- the secret purpose.name
- the name (stable id) of the secret.- Returns:
- a promise for the named secret, or a
NoSuchSecretException
promise if no such secret exists.
-
getValid
public <S extends T> Promise<Stream<S>,NeverThrowsException> getValid(Purpose<S> purpose)
Description copied from interface:SecretStore
Returns all valid secrets for the given purpose from this store.- Specified by:
getValid
in interfaceSecretStore<T extends Secret>
- Type Parameters:
S
- the type of secret.- Parameters:
purpose
- the purpose.- Returns:
- a stream of all valid secrets of the given type from this store, or an empty stream if none exist.
-
refresh
public void refresh()
Description copied from interface:SecretStore
Indicates that the store should refresh its secrets from the backing storage mechanism. This can be used to cause reload of a store after a secret rotation if the backend does not automatically detect such changes. Refresh may be an asynchronous operation and no guarantees are made about when clients of this secret store may see updated secrets after a call to refresh.- Specified by:
refresh
in interfaceSecretStore<T extends Secret>
-
-