Package org.forgerock.openam.secrets

Class SecretsProviderFacade

  • @EvolvingAll
public class SecretsProviderFacade
extends SecretsProvider
    A facade around SecretsProvider instances from the realm and global levels that will delegate correctly to the global provider when a secret is not found in the realm, and knows how to resolve secrets for a DefaultingPurpose.
    Since:
    AM 6.5.0

    • Method Detail

      • singleton

        public static SecretsProviderFacade singleton​(SecretsProvider secretsProvider)
        Make a facade from a single secrets provider.
        Parameters:
        secretsProvider - The underlying secrets provider.
        Returns:
        The facade.

      • singleton

        public static SecretsProviderFacade singleton​(SecretsProvider globalSecretsProvider,
                                              SecretsProvider realmSecretsProvider)
        Make a facade from the given secrets provider.
        Parameters:
        globalSecretsProvider - The underlying global secrets provider.
        realmSecretsProvider - The underlying realm secrets provider.
        Returns:
        The facade.

      • getActiveSecret

        public <S extends SecretPromise<S,​NoSuchSecretException> getActiveSecret​(DefaultingPurpose<S> defaultingPurpose,
                                                                                 String instanceId)
        Get the active secret for a DefaultingPurpose. This method will first check for a secret using the custom purpose for the given instanceId, and if this is not found, will then check for a secret using the default purpose.
        Type Parameters:
        S - The type of the secret.
        Parameters:
        defaultingPurpose - The purpose.
        instanceId - The instance ID of the item that may have a custom purpose configured. May be null.
        Returns:
        A promise of the active secret, or an exception if one could not be found.

      • getActiveSecret

        public <S extends SecretPromise<S,​NoSuchSecretException> getActiveSecret​(Purpose<S> purpose)
        Description copied from class: SecretsProvider
        Gets the currently active secret for the given purpose. If more than one secret exists for this purpose, then this method returns the secret that is currently active and should be used for new operations. The returned secret is guaranteed to be within the valid periods specified by its validFrom and expiry times. If no valid secret is configured for the purpose then a NoSuchSecretException is thrown instead.

        The active secret is found by first consulting the currently active store for the purpose label. If no active stores exist for the purpose, all default stores are consulted, and the first matching secret is used.

        Overrides:
        getActiveSecret in class SecretsProvider
        Type Parameters:
        S - the type of secret to return.
        Parameters:
        purpose - the purpose for which the secret is intended to be used.
        Returns:
        A promise containing either the active secret for this purpose, or a NoSuchSecretException if one cannot be found.

      • getNamedSecret

        public <S extends SecretPromise<S,​NoSuchSecretException> getNamedSecret​(DefaultingPurpose<S> defaultingPurpose,
                                                                                String instanceId,
                                                                                String keyId)
        Get the named secret for a DefaultingPurpose. This method will first check for a secret using the custom purpose for the given instanceId, and if this is not found, will then check for a secret using the default purpose.
        Type Parameters:
        S - The type of the secret.
        Parameters:
        defaultingPurpose - The purpose.
        instanceId - The instance ID of the item that may have a custom purpose configured. May be null.
        keyId - The secret's stable ID.
        Returns:
        A promise of the named secret, or an exception if one could not be found.

      • getNamedSecret

        public <S extends SecretPromise<S,​NoSuchSecretException> getNamedSecret​(Purpose<S> purpose,
                                                                                String id)
        Description copied from class: SecretsProvider
        Gets the secret for the given purpose with the given stable secret id.
        Overrides:
        getNamedSecret in class SecretsProvider
        Type Parameters:
        S - the type of secret to return
        Parameters:
        purpose - the purpose for which the secret is intended to be used.
        id - the stable id of the particular secret to get.
        Returns:
        the secret with that id, or an empty result if no such secret exists.
        See Also:
        Secret.getStableId()

      • getValidSecrets

        public <S extends SecretPromise<Stream<S>,​NeverThrowsException> getValidSecrets​(DefaultingPurpose<S> defaultingPurpose,
                                                                                        String instanceId)
        Get a stream of the valid secrets for a DefaultingPurpose. This method will first check for secrets using the custom purpose for the given instanceId, and if this is not found, will then check for secrets using the default purpose.
        Type Parameters:
        S - The type of the secret.
        Parameters:
        defaultingPurpose - The purpose.
        instanceId - The instance ID of the item that may have a custom purpose configured. May be null.
        Returns:
        A promise of a stream of secrets.

      • getValidSecrets

        public <S extends SecretPromise<Stream<S>,​NeverThrowsException> getValidSecrets​(Purpose<S> purpose)
        Description copied from class: SecretsProvider
        Returns all secrets for the given purpose which have not yet expired. This can be used, for instance, to get a list of all signature validation keys that are still trusted. The secrets will be returned in the order of preference of the store they are from: secrets from the active store will be first, then the most recent previous active store, and so on.
        Overrides:
        getValidSecrets in class SecretsProvider
        Type Parameters:
        S - the type of secret to return.
        Parameters:
        purpose - the purpose for which the secrets are intended for.
        Returns:
        a stream of all valid secrets for the given purpose, or an empty stream if not configured.

      • getSigningManager

        public SigningManager getSigningManager()
        Get a SigningManager from this secrets provider.
        Returns:
        The SigningManager for thisSecretsProvider.