Package org.forgerock.openam.secrets
Class SecretsProviderFacade

java.lang.Object
  org.forgerock.secrets.SecretsProvider
    org.forgerock.openam.secrets.SecretsProviderFacade

A facade around SecretsProvider instances from the realm and global levels. It delegates correctly to the global provider when a secret is not found in the realm, and it knows how to resolve secrets for a DefaultingPurpose.

Since:
- AM 6.5.0
Constructor Summary

Modifier | Constructor | Description
- protected SecretsProviderFacade(SecretsProvider secretsProvider, org.forgerock.openam.secrets.rotation.SecretLabelListener secretLabelListener, org.forgerock.openam.audit.AuditEventFactory auditEventFactory, org.forgerock.openam.audit.AuditEventPublisher auditEventPublisher)
- protected SecretsProviderFacade(SecretsProvider globalSecretsProvider, SecretsProvider realmSecretsProvider, org.forgerock.openam.secrets.rotation.SecretLabelListener secretLabelListener, org.forgerock.openam.audit.AuditEventFactory auditEventFactory, org.forgerock.openam.audit.AuditEventPublisher auditEventPublisher)
Method Summary

Modifier and Type | Method | Description
- <S extends Secret> Promise<S,NoSuchSecretException> getActiveSecret(DefaultingPurpose<S> defaultingPurpose, String instanceId)
  Get the active secret for a DefaultingPurpose.
- <S extends Secret> Promise<S,NoSuchSecretException> getActiveSecret(Purpose<S> purpose)
  Gets the currently active secret for the given purpose.
- getKeyManager(Purpose<? extends CryptoKey> purpose)
  Returns a KeyManager that can be used to initialize an SSLContext, allowing certificates and private keys to be retrieved from this secrets provider.
- getKeyManager(Purpose<? extends CryptoKey> purpose, Options options)
  Returns a KeyManager that can be used to initialize an SSLContext, allowing certificates and private keys to be retrieved from this secrets provider.
- <S extends Secret> Promise<S,NoSuchSecretException> getNamedSecret(DefaultingPurpose<S> defaultingPurpose, String instanceId, String keyId)
  Get the named secret for a DefaultingPurpose.
- <S extends Secret> Promise<S,NoSuchSecretException> getNamedSecret(Purpose<S> purpose, String id)
  Gets the secret for the given purpose with the given stable secret id.
- getSecretsReferenceProvider()
  Get a SecretsReferenceProvider from this secrets provider.
- getSigningManager()
  Get a SigningManager from this secrets provider.
- getTrustManager(Purpose<? extends CryptoKey> purpose, Options options)
  Constructs an X509ExtendedTrustManager that will retrieve certificates from this secrets provider for the provided purpose.
- <S extends Secret> Promise<Stream<S>,NeverThrowsException> getValidSecrets(DefaultingPurpose<S> defaultingPurpose, String instanceId)
  Get a stream of the valid secrets for a DefaultingPurpose.
- <S extends Secret> Promise<Stream<S>,NeverThrowsException> getValidSecrets(Purpose<S> purpose)
  Returns all secrets for the given purpose which have not yet expired.

Methods inherited from class org.forgerock.secrets.SecretsProvider
asKeyStore, asKeyStore, createActiveReference, createNamedReference, createValidOrNamedReference, createValidReference, getKeyManager, getNamedOrValidSecrets, getTrustManager, getTrustManager, setActiveStore, setActiveStore, setDefaultStores, useSpecificSecretForPurpose, useSpecificSecretsForPurpose
Constructor Details

SecretsProviderFacade

protected SecretsProviderFacade(SecretsProvider secretsProvider, org.forgerock.openam.secrets.rotation.SecretLabelListener secretLabelListener, org.forgerock.openam.audit.AuditEventFactory auditEventFactory, org.forgerock.openam.audit.AuditEventPublisher auditEventPublisher)

SecretsProviderFacade

protected SecretsProviderFacade(SecretsProvider globalSecretsProvider, SecretsProvider realmSecretsProvider, org.forgerock.openam.secrets.rotation.SecretLabelListener secretLabelListener, org.forgerock.openam.audit.AuditEventFactory auditEventFactory, org.forgerock.openam.audit.AuditEventPublisher auditEventPublisher)
Method Details

getActiveSecret

public <S extends Secret> Promise<S,NoSuchSecretException> getActiveSecret(DefaultingPurpose<S> defaultingPurpose, String instanceId)

Get the active secret for a DefaultingPurpose. This method will first check for a secret using the custom purpose for the given instanceId, and if this is not found, will then check for a secret using the default purpose.

Type Parameters:
- S - The type of the secret.
Parameters:
- defaultingPurpose - The purpose.
- instanceId - The instance ID of the item that may have a custom purpose configured. May be null.
Returns:
- A promise of the active secret, or an exception if one could not be found.
getActiveSecret

public <S extends Secret> Promise<S,NoSuchSecretException> getActiveSecret(Purpose<S> purpose)

Description copied from class: SecretsProvider
Gets the currently active secret for the given purpose. If more than one secret exists for this purpose, then this method returns the secret that is currently active and should be used for new operations. The returned secret is guaranteed to be within the valid periods specified by its validFrom and expiry times. If no valid secret is configured for the purpose then a NoSuchSecretException is thrown instead.

The active secret is found by first consulting the currently active store for the purpose label. If no active stores exist for the purpose, all default stores are consulted, and the first matching secret is used.

Overrides:
- getActiveSecret in class SecretsProvider
Type Parameters:
- S - the type of secret to return.
Parameters:
- purpose - the purpose for which the secret is intended to be used.
Returns:
- A promise containing either the active secret for this purpose, or a NoSuchSecretException if one cannot be found.
getNamedSecret

public <S extends Secret> Promise<S,NoSuchSecretException> getNamedSecret(DefaultingPurpose<S> defaultingPurpose, String instanceId, String keyId)

Get the named secret for a DefaultingPurpose. This method will first check for a secret using the custom purpose for the given instanceId, and if this is not found, will then check for a secret using the default purpose.

Type Parameters:
- S - The type of the secret.
Parameters:
- defaultingPurpose - The purpose.
- instanceId - The instance ID of the item that may have a custom purpose configured. May be null.
- keyId - The secret's stable ID.
Returns:
- A promise of the named secret, or an exception if one could not be found.
getNamedSecret

public <S extends Secret> Promise<S,NoSuchSecretException> getNamedSecret(Purpose<S> purpose, String id)

Description copied from class: SecretsProvider
Gets the secret for the given purpose with the given stable secret id.

Overrides:
- getNamedSecret in class SecretsProvider
Type Parameters:
- S - the type of secret to return
Parameters:
- purpose - the purpose for which the secret is intended to be used.
- id - the stable id of the particular secret to get.
Returns:
- the secret with that id, or an empty result if no such secret exists.
See Also:
getValidSecrets

public <S extends Secret> Promise<Stream<S>,NeverThrowsException> getValidSecrets(DefaultingPurpose<S> defaultingPurpose, String instanceId)

Get a stream of the valid secrets for a DefaultingPurpose. This method will first check for secrets using the custom purpose for the given instanceId, and if none are found, will then check for secrets using the default purpose.

Type Parameters:
- S - The type of the secret.
Parameters:
- defaultingPurpose - The purpose.
- instanceId - The instance ID of the item that may have a custom purpose configured. May be null.
Returns:
- A promise of a stream of secrets.
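The resolution order described for the two DefaultingPurpose methods above (custom label for the instanceId first, then the default label; realm provider first, then global), shown as an added Java example that is not part of AM or of this page. The label strings, the DefaultingPurpose(defaultPurpose, customLabelFormat) constructor shape and the ClientTokenKeys class are assumptions; the facade is assumed to be supplied by the caller.

```java
import static org.forgerock.secrets.Purpose.purpose;
import java.util.List;
import java.util.stream.Collectors;

import org.forgerock.openam.secrets.DefaultingPurpose;
import org.forgerock.openam.secrets.SecretsProviderFacade;
import org.forgerock.secrets.NoSuchSecretException;
import org.forgerock.secrets.Purpose;
import org.forgerock.secrets.keys.SigningKey;
import org.forgerock.secrets.keys.VerificationKey;

/**
 * Hypothetical caller that resolves per-client token keys through a SecretsProviderFacade.
 * The label strings and the DefaultingPurpose(defaultPurpose, customLabelFormat) constructor
 * shape are assumptions; the facade itself is obtained elsewhere (for example for a realm).
 */
public final class ClientTokenKeys {

    // Default purposes, used when no client-specific label has been configured.
    private static final Purpose<SigningKey> DEFAULT_SIGNING =
            purpose("am.example.token.signing", SigningKey.class);
    private static final Purpose<VerificationKey> DEFAULT_VERIFY =
            purpose("am.example.token.verification", VerificationKey.class);

    // Assumed format: "%s" is replaced with the instanceId (here the client id) to form the custom label.
    private static final DefaultingPurpose<SigningKey> SIGNING =
            new DefaultingPurpose<>(DEFAULT_SIGNING, "am.example.token.%s.signing");
    private static final DefaultingPurpose<VerificationKey> VERIFY =
            new DefaultingPurpose<>(DEFAULT_VERIFY, "am.example.token.%s.verification");

    private final SecretsProviderFacade secrets;

    public ClientTokenKeys(SecretsProviderFacade secrets) {
        this.secrets = secrets;
    }

    /** Key for new signatures: custom label for clientId first, then default; realm store first, then global. */
    public SigningKey activeSigningKey(String clientId)
            throws NoSuchSecretException, InterruptedException {
        // getOrThrow() surfaces NoSuchSecretException: fail closed rather than signing with a fallback key.
        return secrets.getActiveSecret(SIGNING, clientId).getOrThrow();
    }

    /** All not-yet-expired keys, active store first, so tokens signed before a rotation still verify. */
    public List<VerificationKey> trustedVerificationKeys(String clientId) throws InterruptedException {
        return secrets.getValidSecrets(VERIFY, clientId).getOrThrow().collect(Collectors.toList());
    }
}
```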
getValidSecrets

public <S extends Secret> Promise<Stream<S>,NeverThrowsException> getValidSecrets(Purpose<S> purpose)

Description copied from class: SecretsProvider
Returns all secrets for the given purpose which have not yet expired. This can be used, for instance, to get a list of all signature validation keys that are still trusted. The secrets will be returned in the order of preference of the store they are from: secrets from the active store will be first, then the most recent previous active store, and so on.

Overrides:
- getValidSecrets in class SecretsProvider
Type Parameters:
- S - the type of secret to return.
Parameters:
- purpose - the purpose for which the secrets are intended.
Returns:
- a stream of all valid secrets for the given purpose, or an empty stream if not configured.
getSecretsReferenceProvider

Get a SecretsReferenceProvider from this secrets provider.

Returns:
- The SecretsReferenceProvider for this SecretsProvider.
getSigningManager

Get a SigningManager from this secrets provider.

Returns:
- The SigningManager for this SecretsProvider.
getTrustManager

getTrustManager(Purpose<? extends CryptoKey> purpose, Options options)

Description copied from class: SecretsProvider
Constructs an X509ExtendedTrustManager that will retrieve certificates from this secrets provider for the provided purpose. This can be used to configure SSL connections via SSLContext.init(KeyManager[], TrustManager[], SecureRandom).

Overrides:
- getTrustManager in class SecretsProvider
Parameters:
- purpose - the purpose to use to look up trusted certificates.
- options - the trust manager options; see SecretsTrustManager for details.
Returns:
- the trust manager to use
getKeyManager

getKeyManager(Purpose<? extends CryptoKey> purpose)

Description copied from class: SecretsProvider
Returns a KeyManager that can be used to initialize an SSLContext, allowing certificates and private keys to be retrieved from this secrets provider.

Overrides:
- getKeyManager in class SecretsProvider
Parameters:
- purpose - the purpose to use for retrieving TLS certificates and keys.
Returns:
- a KeyManager that obtains keys and certificates from this secrets provider.
getKeyManager

getKeyManager(Purpose<? extends CryptoKey> purpose, Options options)

Description copied from class: SecretsProvider
Returns a KeyManager that can be used to initialize an SSLContext, allowing certificates and private keys to be retrieved from this secrets provider.

Overrides:
- getKeyManager in class SecretsProvider
Parameters:
- purpose - the purpose to use for retrieving TLS certificates and keys.
- options - the options to configure the key manager. See SecretsKeyManager.KEY_MANAGER_ALGORITHM.
Returns:
- a KeyManager that obtains keys and certificates from this secrets provider.