Package org.forgerock.secrets.propertyresolver

Class PropertyResolverSecretStore

java.lang.Object
org.forgerock.secrets.propertyresolver.PropertyResolverSecretStore
All Implemented Interfaces:
SecretStore<Secret>
public class PropertyResolverSecretStore extends Object implements SecretStore<Secret>
A SecretStore implementation that resolves secrets as base64-encoded strings from an underlying PropertyResolver. This provides a devops-friendly deployment option, resolving secrets from environment variables or properties files.

By default, secrets loaded this way do not expire as properties are assumed to be stable for the life of the process. When properties are mutable, the expireSecretsAfter method can be called to enable secret rotation. The purpose label is used as the stable identifier for the active secrets, so each property should be named after the purpose label and there can be only one valid secret per purpose. Retired secrets need to use fresh property names if it is desirable to maintain access to previous values over a long period of time.

  • Constructor Details

    • PropertyResolverSecretStore

      public PropertyResolverSecretStore(PropertyResolver propertyResolver)
      Initialises the property resolver secret store using base64-encoded properties.
      Parameters:
      propertyResolver - the resolver to use to read secrets from configuration.

    • PropertyResolverSecretStore

      public PropertyResolverSecretStore(PropertyResolver propertyResolver, SecretPropertyFormat defaultPropertyFormat)
      Initialises the property resolver secret store.
      Parameters:
      propertyResolver - the resolver to use to read secrets from configuration.
      defaultPropertyFormat - the format that the secret properties are in.

    • PropertyResolverSecretStore

      public PropertyResolverSecretStore(PropertyResolver propertyResolver, SecretPropertyFormat defaultPropertyFormat, Map<String,SecretPropertyFormat> mappings)
      Initialises the property resolver secret store with a mapping of purpose to format.

      This allows a single store to support files in multiple formats (raw, passwords, JWK, encoded or not, ...).

      Parameters:
      propertyResolver - the resolver to use to read secrets from configuration.
      defaultPropertyFormat - the default format to be used when no mapping is configured for the looked up purpose.
      mappings - table of purpose to format that the secret properties are in

  • Method Details

    • getStoredType

      public Class<Secret> getStoredType()
      Description copied from interface: SecretStore
      The top-level class that this store is capable of storing. This is a reification of the type parameter and can be used to lookup stores for a given type.
      Specified by:
      getStoredType in interface SecretStore<Secret>
      Returns:
      the top-most type that this store is capable of storing, typically either CryptoKey for key-stores, GenericSecret for password stores, or Secret if the store is capable of storing any type of secret.

    • getActive

      public <S extends Secret> Promise<S,NoSuchSecretException> getActive(Purpose<S> purpose)
      Description copied from interface: SecretStore
      Returns the active secret for the given purpose.
      Specified by:
      getActive in interface SecretStore<Secret>
      Type Parameters:
      S - the type of secret.
      Parameters:
      purpose - the purpose for which a secret is required.
      Returns:
      the active secret from this store.

    • getNamed

      public <S extends Secret> Promise<S,NoSuchSecretException> getNamed(Purpose<S> purpose, String name)
      Description copied from interface: SecretStore
      Returns the named secret from this store. The default implementation calls SecretStore.getValid(Purpose) and then returns the first valid key with a matching stable ID.
      Specified by:
      getNamed in interface SecretStore<Secret>
      Type Parameters:
      S - the type of secret.
      Parameters:
      purpose - the secret purpose.
      name - the name (stable id) of the secret.
      Returns:
      a promise for the named secret, or a NoSuchSecretException promise if no such secret exists.

    • getValid

      public <S extends Secret> Promise<Stream<S>,NeverThrowsException> getValid(Purpose<S> purpose)
      Returns a stream of the active secret for the given purpose.
      Specified by:
      getValid in interface SecretStore<Secret>
      Type Parameters:
      S - the type of secret.
      Parameters:
      purpose - the purpose.
      Returns:
      a stream of the active secret for the given purpose or an empty stream if there is no active secret for the purpose.

    • refresh

      public void refresh()
      Description copied from interface: SecretStore
      Indicates that the store should refresh its secrets from the backing storage mechanism. This can be used to cause reload of a store after a secret rotation if the backend does not automatically detect such changes. Refresh may be an asynchronous operation and no guarantees are made about when clients of this secret store may see updated secrets after a call to refresh.
      Specified by:
      refresh in interface SecretStore<Secret>

    • expireSecretsAfter

      public PropertyResolverSecretStore expireSecretsAfter(Duration expiryTime, Clock clock)
      Sets the amount of time that secrets produced by this store can be cached before they must be refreshed. The default is to never expire.
      Parameters:
      expiryTime - the amount of time to allow secrets to be reused until they must be refreshed.
      clock - the clock to determine the expiry deadline. Use null to disable expiring secrets.
      Returns:
      this secret store.

    • toString

      public String toString()
      Overrides:
      toString in class Object