Package org.forgerock.secrets.vault

Class VaultPkiSecretStore

  • All Implemented Interfaces:
    SecretStore<CryptoKey>
    public class VaultPkiSecretStore
extends Object
    A secret store that is able to retrieve PKI certificates and private keys from the Hashicorp Vault PKI backend. Calls to get an active secret will involve a POST to the Vault "issue" endpoint, which will dynamically generate a fresh private key and CA-signed certificate. The expiry time of the certificate and private key is set to allow caching using SecretReference (otherwise a fresh key pair will be generated on every call). Certificates (but not private keys) can then be retrieved by serial number using the SecretStore.getNamed(Purpose, String) call.

    • Field Detail

      • DEFAULT_PATH

        public static final String DEFAULT_PATH
        The default path at which this secret engine is mounted by Vault.
        See Also:
        Constant Field Values

    • Constructor Detail

      • VaultPkiSecretStore

        public VaultPkiSecretStore​(SecretReference<GenericSecret> tokenReference,
                           VaultConfig config,
                           JsonValue certificateRequestPayload)
        Initializes the PKI secret store using the given authentication token and configuration options.
        Parameters:
        tokenReference - the Vault authentication token reference. See AppRoleTokenStore or JwtAuthenticationTokenStore.
        config - the configuration options. See VaultConfig.
        certificateRequestPayload - the payload to use when making requests for new certificates. See https://www.vaultproject.io/api/secret/pki/index.html#generate-certificate for allowed fields.

    • Method Detail

      • getStoredType

        public Class<T> getStoredType()
        Description copied from interface: SecretStore
        The top-level class that this store is capable of storing. This is a reification of the type parameter and can be used to lookup stores for a given type.
        Specified by:
        getStoredType in interface SecretStore<T extends Secret>
        Returns:
        the top-most type that this store is capable of storing, typically either CryptoKey for key-stores, GenericSecret for password stores, or Secret if the store is capable of storing any type of secret.

      • getActive

        public <S extends T> Promise<S,​NoSuchSecretException> getActive​(Purpose<S> purpose)
        Description copied from interface: SecretStore
        Returns the active secret for the given purpose.
        Specified by:
        getActive in interface SecretStore<T extends Secret>
        Type Parameters:
        S - the type of secret.
        Parameters:
        purpose - the purpose for which a secret is required.
        Returns:
        the active secret from this store.

      • getValid

        public <S extends T> Promise<Stream<S>,​NeverThrowsException> getValid​(Purpose<S> purpose)
        Description copied from interface: SecretStore
        Returns all valid secrets for the given purpose from this store.
        Specified by:
        getValid in interface SecretStore<T extends Secret>
        Type Parameters:
        S - the type of secret.
        Parameters:
        purpose - the purpose.
        Returns:
        a stream of all valid secrets of the given type from this store, or an empty stream if none exist.

      • refresh

        public void refresh()
        Description copied from interface: SecretStore
        Indicates that the store should refresh its secrets from the backing storage mechanism. This can be used to cause reload of a store after a secret rotation if the backend does not automatically detect such changes. Refresh may be an asynchronous operation and no guarantees are made about when clients of this secret store may see updated secrets after a call to refresh.
        Specified by:
        refresh in interface SecretStore<T extends Secret>