Package org.forgerock.secrets.vault

Class VaultKeyValueSecretStore

java.lang.Object

org.forgerock.secrets.vault.VaultKeyValueSecretStore

All Implemented Interfaces:

SecretStore<Secret>

public class VaultKeyValueSecretStore
extends Object

A secret store that fetches secrets from a Hashicorp Vault server, using version 2 of the key-value backend. This backend allows storing arbitrary data as secrets, while also allowing versioning of those secrets. We make use of the versioning capability to allow secret rotation - the latest version is always the active secret, while previous versions are valid until they are destroyed.

Nested Class Summary

Nested Classes

Modifier and Type	Class	Description
static enum	VaultKeyValueSecretStore.SecretField	Standard implementations of VaultKeyValueSecretStore.SecretFieldDecoder for common fields.
static interface	VaultKeyValueSecretStore.SecretFieldDecoder	Determines how a field in the Vault JSON response should be decoded into one or more fields on a SecretBuilder object.

Field Summary

Fields

Modifier and Type	Field	Description
static final String	DEFAULT_PATH	The default path at which this secret engine is mounted by Vault.

Fields inherited from interface org.forgerock.secrets.SecretStore

CLOCK, LEASE_EXPIRY_DURATION

Constructor Summary

Constructors

Constructor	Description
VaultKeyValueSecretStore(SecretReference<GenericSecret> tokenReference, Map<JsonPointer,? extends VaultKeyValueSecretStore.SecretFieldDecoder> fieldDecoders, VaultConfig config)	Constructs the key-value store using the given authentication token and options.

Method Summary

Modifier and Type	Method	Description
<S extends T> Promise<S,NoSuchSecretException>	getActive(Purpose<S> purpose)	Returns the active secret for the given purpose.
<S extends T> Promise<S,NoSuchSecretException>	getNamed(Purpose<S> purpose, String name)	Returns the named secret from this store.
Class<Secret>	getStoredType()	The top-level class that this store is capable of storing.
<S extends T> Promise<Stream<S>,NeverThrowsException>	getValid(Purpose<S> purpose)	Returns all valid secrets for the given purpose from this store.
void	refresh()	Indicates that the store should refresh its secrets from the backing storage mechanism.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface org.forgerock.secrets.SecretStore

retire, revoke, rotate

Field Details

DEFAULT_PATH

public static final String DEFAULT_PATH

The default path at which this secret engine is mounted by Vault.

See Also:

• Constant Field Values

Constructor Details

VaultKeyValueSecretStore

public VaultKeyValueSecretStore(SecretReference<GenericSecret> tokenReference,
 Map<JsonPointer,? extends VaultKeyValueSecretStore.SecretFieldDecoder> fieldDecoders,
 VaultConfig config)

Constructs the key-value store using the given authentication token and options.

Parameters:

tokenReference - the reference for obtaining a Vault authentication token. See AppRoleTokenStore or JwtAuthenticationTokenStore.

fieldDecoders - determines how the JSON content of the secret value should be decoded into a Secret object.

config - the configuration options.

Method Details

refresh

public void refresh()

Description copied from interface: SecretStore

Indicates that the store should refresh its secrets from the backing storage mechanism. This can be used to cause reload of a store after a secret rotation if the backend does not automatically detect such changes. Refresh may be an asynchronous operation and no guarantees are made about when clients of this secret store may see updated secrets after a call to refresh.

Specified by:

refresh in interface SecretStore<Secret>

getStoredType

public Class<Secret> getStoredType()

Description copied from interface: SecretStore

The top-level class that this store is capable of storing. This is a reification of the type parameter and can be used to lookup stores for a given type.

Specified by:

getStoredType in interface SecretStore<T extends Secret>

Returns:

the top-most type that this store is capable of storing, typically either CryptoKey for key-stores, GenericSecret for password stores, or Secret if the store is capable of storing any type of secret.

getActive

public <S extends T>
Promise<S,NoSuchSecretException> getActive(Purpose<S> purpose)

Description copied from interface: SecretStore

Returns the active secret for the given purpose.

Specified by:

getActive in interface SecretStore<T extends Secret>

Type Parameters:

S - the type of secret.

Parameters:

purpose - the purpose for which a secret is required.

Returns:

the active secret from this store.

getNamed

public <S extends T>
Promise<S,NoSuchSecretException> getNamed(Purpose<S> purpose,
 String name)

Description copied from interface: SecretStore

Returns the named secret from this store. The default implementation calls SecretStore.getValid(Purpose) and then returns the first valid key with a matching stable ID.

Specified by:

getNamed in interface SecretStore<T extends Secret>

Type Parameters:

S - the type of secret.

Parameters:

purpose - the secret purpose.

name - the name (stable id) of the secret.

Returns:

a promise for the named secret, or a NoSuchSecretException promise if no such secret exists.

getValid

public <S extends T>
Promise<Stream<S>,NeverThrowsException> getValid(Purpose<S> purpose)

Description copied from interface: SecretStore

Returns all valid secrets for the given purpose from this store.

Specified by:

getValid in interface SecretStore<T extends Secret>

Type Parameters:

S - the type of secret.

Parameters:

purpose - the purpose.

Returns:

a stream of all valid secrets of the given type from this store, or an empty stream if none exist.