Package org.forgerock.secrets
Class GenericSecret
- java.lang.Object
  - org.forgerock.secrets.Secret
    - org.forgerock.secrets.GenericSecret
- All Implemented Interfaces:
  AutoCloseable, Destroyable

public final class GenericSecret extends Secret implements AutoCloseable, Destroyable
A generic secret represented as an opaque blob of bytes, such as a password or API key. Secret data is held in an off-heap byte buffer where supported, and is encrypted using a random key. These protections provide best-effort obfuscation against heap dump inspection. Secrets should be held in memory for as short a time as possible and the destroy() method called when no longer required.
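The lifecycle the class description prescribes (copy the caller's char[] into the secret and wipe the original, hold the GenericSecret only as long as it is needed, and scrub it via close() or destroy()) as an added example. This is not code from the ForgeRock Javadoc or the org.forgerock.secrets library; the class name GenericSecretLifecycle, the helper loadPasswordChars and the sample password are assumptions constructed for the illustration. It relies only on the methods listed on this page (password(String, char[], Clock), isExpired, getStableId, reveal, close, isClosed).

```java
import java.time.Clock;
import java.util.Arrays;

import org.forgerock.secrets.GenericSecret;

// Added example, not part of the ForgeRock Javadoc. Shows the intended lifecycle:
// build the secret from a char[] that the caller then wipes, keep the GenericSecret
// alive only as long as it is needed, and let try-with-resources call close() so the
// material is scrubbed (best effort) as soon as the block exits.
public final class GenericSecretLifecycle {

    // Hypothetical credential loader returning a constructed sample value.
    // Real code would obtain this from a prompt, a vault or a SecretsProvider.
    private static char[] loadPasswordChars() {
        return "correct horse battery staple".toCharArray();
    }

    /** Returns true if the secret was usable and has been scrubbed afterwards. */
    public static boolean useOnce() {
        char[] raw = loadPasswordChars();
        GenericSecret secret;
        try {
            // password(...) takes its own copy, so the caller's array can be wiped at once.
            // The Clock overload gives the secret a default expiry time.
            secret = GenericSecret.password("db.password", raw, Clock.systemUTC());
        } finally {
            Arrays.fill(raw, '\0');
        }

        boolean usedOk;
        try (GenericSecret s = secret) {
            if (s.isExpired()) { // inherited from Secret
                throw new IllegalStateException(
                        "secret " + s.getStableId() + " has expired; re-fetch it from the provider");
            }
            // Do the work inside the callback; only a non-secret result leaves it.
            usedOk = s.reveal(bytes -> bytes.length > 0);
        }
        // try-with-resources has called close(): the material is scrubbed on a best-effort basis.
        return usedOk && secret.isClosed();
    }

    public static void main(String[] args) {
        System.out.println("used and scrubbed: " + useOnce());
    }
}
```

Because GenericSecret implements AutoCloseable, try-with-resources is the simplest way to guarantee close() runs on every exit path, including exceptions thrown by the consumer function.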
Constructor Summary
- GenericSecret(SecretBuilder builder)
  Constructs a generic secret with the given stable identifier and secret data.
Method Summary
- void close()
  Scrubs the secret value from memory on a best-effort basis.
- void destroy()
- boolean isClosed()
  Indicates whether this secret has been closed by calling the Secret.close() method.
- boolean isDestroyed()
- static GenericSecret password(char[] password)
  A helper utility for constructing a Generic Secret from a password that never expires.
- static GenericSecret password(String id, char[] password)
  A helper utility for constructing a Generic Secret from a password that never expires.
- static GenericSecret password(String id, char[] password, Clock clock)
  A helper utility for constructing a Generic Secret from a password with a default expiry time.
- <T,E extends Exception> T reveal(Function<byte[],T,E> function)
  Reveals the secret temporarily, allowing it to be used for its intended purpose.
- <T,E extends Exception> T revealAndDestroy(Function<byte[],T,E> function)
  Reveals the secret temporarily and then scrubs the secret material from memory.
- <T,E extends Exception> T revealAsText(Charset charset, Function<char[],T,E> function)
  Reveals the secret temporarily as characters in the given character set.
- <T,E extends Exception> T revealAsTextAndDestroy(Charset charset, Function<char[],T,E> function)
  Reveals the secret temporarily as characters in the given character set and then scrubs the secret material from memory.
- <T,E extends Exception> T revealAsUtf8(Function<char[],T,E> function)
  Reveals the secret temporarily as characters in UTF-8.
- <T,E extends Exception> T revealAsUtf8AndDestroy(Function<char[],T,E> function)
  Reveals the secret temporarily as characters in UTF-8 and then scrubs the secret from memory.

Methods inherited from class org.forgerock.secrets.Secret
equals, getExpiryTime, getStableId, hashCode, isExpired, toString
Constructor Detail

GenericSecret
public GenericSecret(SecretBuilder builder) throws NoSuchSecretException
Constructs a generic secret with the given stable identifier and secret data.
- Parameters:
  builder - the secret builder.
- Throws:
  NoSuchSecretException - if the secret could not be constructed from the builder.
Method Detail

password
public static GenericSecret password(String id, char[] password, Clock clock)
A helper utility for constructing a Generic Secret from a password with a default expiry time. This will take a copy of the password, so the password argument can safely be wiped after this call returns.
- Parameters:
  id - the stable id of the password.
  password - the password.
  clock - the clock to use for expiry time.
- Returns:
  a generic secret that wraps the given password.

password
public static GenericSecret password(char[] password)
A helper utility for constructing a Generic Secret from a password that never expires. This will take a copy of the password, so the password argument can safely be wiped after this call returns. A random stable id will be assigned.
- Parameters:
  password - the password.
- Returns:
  a generic secret that wraps the given password.

password
public static GenericSecret password(String id, char[] password)
A helper utility for constructing a Generic Secret from a password that never expires. This will take a copy of the password, so the password argument can safely be wiped after this call returns.
- Parameters:
  id - the stable id of the password.
  password - the password.
- Returns:
  a generic secret that wraps the given password.
reveal
public <T,E extends Exception> T reveal(Function<byte[],T,E> function) throws E
Reveals the secret temporarily, allowing it to be used for its intended purpose. Note that the consumer should not make any assumptions about the availability of the secret bytes after the function returns. They may be overwritten or destroyed, so the consumer should make a defensive copy if they need to retain the secret material beyond the lifetime of this call. The GenericSecret object is not destroyed by this method and so can be reused. Use revealAndDestroy(Function) to also destroy the GenericSecret itself after the method completes.
- Type Parameters:
  T - the type of object returned by the consumer.
  E - the type of exceptions thrown by the consumer.
- Parameters:
  function - the consumer function to reveal the secret to.
- Returns:
  the result of the consumer function.
- Throws:
  E - if the consumer throws.
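The reveal contract described above, as an added example that is not part of the ForgeRock Javadoc or library: the array handed to the consumer is only valid for the duration of the call, so the work (here a constant-time credential check) is done inside the callback and only a non-secret result escapes; the second method shows the defensive copy the text mentions, together with the wipe the caller then owes. The class name RevealContract, the constantTimeEquals helper and the sample API key values are assumptions constructed for the illustration; the comparison uses revealAsUtf8 rather than raw bytes because this page does not state how password(...) encodes the chars it copies.

```java
import java.util.Arrays;

import org.forgerock.secrets.GenericSecret;

// Added example, not from the ForgeRock Javadoc. Demonstrates the reveal()/revealAsUtf8()
// contract: the revealed array may be overwritten or destroyed once the consumer returns,
// so do the work inside the callback and let only non-secret results leave it.
public final class RevealContract {

    /**
     * Verifies a presented API key against the stored secret without the secret
     * characters leaving the callback. Only the boolean result escapes.
     */
    public static boolean matches(GenericSecret stored, char[] presented) {
        return stored.revealAsUtf8(secretChars -> constantTimeEquals(secretChars, presented));
    }

    // Hypothetical helper: compares every position regardless of where the first
    // mismatch is, so timing does not reveal how long the matching prefix was.
    private static boolean constantTimeEquals(char[] a, char[] b) {
        int diff = a.length ^ b.length;
        for (int i = 0; i < a.length && i < b.length; i++) {
            diff |= a[i] ^ b[i];
        }
        return diff == 0;
    }

    /**
     * The defensive copy the Javadoc describes. Returning the revealed array itself
     * (reveal(bytes -> bytes)) would hand the caller memory that may already be
     * scrubbed; a clone is safe to keep briefly, but the caller must wipe it.
     */
    public static byte[] copyForShortLivedUse(GenericSecret stored) {
        return stored.reveal(secretBytes -> secretBytes.clone());
    }

    public static void main(String[] args) {
        // Constructed sample values for the demonstration.
        char[] keyChars = "sk-example-0123456789".toCharArray();
        GenericSecret apiKey = GenericSecret.password("api.key", keyChars);
        Arrays.fill(keyChars, '\0'); // password(...) copied it, so wipe the original

        char[] good = "sk-example-0123456789".toCharArray();
        char[] bad = "sk-example-0123456780".toCharArray();
        System.out.println("good key matches: " + matches(apiKey, good)); // true
        System.out.println("bad key matches:  " + matches(apiKey, bad));  // false
        Arrays.fill(good, '\0');
        Arrays.fill(bad, '\0');

        byte[] copy = copyForShortLivedUse(apiKey);
        try {
            // ... use the copy with an API that insists on a byte[] ...
        } finally {
            Arrays.fill(copy, (byte) 0); // the caller owns the copy, so the caller scrubs it
            apiKey.destroy();            // no longer needed: scrub the secret itself
        }
        System.out.println("destroyed: " + apiKey.isDestroyed());
    }
}
```

Because the consumer's exception type E is a type parameter of the Function, a lambda that throws nothing checked is inferred as throwing RuntimeException, so neither reveal call above needs a throws clause; a consumer that throws a checked exception propagates it unchanged.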

revealAndDestroy
public <T,E extends Exception> T revealAndDestroy(Function<byte[],T,E> function) throws E
Reveals the secret temporarily and then scrubs the secret material from memory. See reveal(Function).
- Type Parameters:
  T - the type of object returned by the consumer.
  E - the type of exceptions thrown by the consumer.
- Parameters:
  function - the consumer function to reveal the secret to.
- Returns:
  the result of the consumer function.
- Throws:
  E - if the consumer throws.

revealAsText
public <T,E extends Exception> T revealAsText(Charset charset, Function<char[],T,E> function) throws E
Reveals the secret temporarily as characters in the given character set. Any bytes that cannot be interpreted in the given character set will be replaced with the charset's replacement character. Note that the consumer should not make any assumptions about the availability of the secret characters after the function returns. They may be overwritten or destroyed, so the consumer should make a defensive copy if they need to retain the secret beyond the lifetime of this call.
- Type Parameters:
  T - the type of object returned by the consumer.
  E - the type of exceptions thrown by the consumer.
- Parameters:
  charset - the character set to interpret the secret as.
  function - the consumer function to reveal the secret to.
- Returns:
  the result of the consumer function.
- Throws:
  E - if the consumer throws.

revealAsTextAndDestroy
public <T,E extends Exception> T revealAsTextAndDestroy(Charset charset, Function<char[],T,E> function) throws E
Reveals the secret temporarily as characters in the given character set and then scrubs the secret material from memory. See revealAsText(Charset, Function).
- Type Parameters:
  T - the type of object returned by the consumer.
  E - the type of exceptions thrown by the consumer.
- Parameters:
  charset - the character set to interpret the secret as.
  function - the consumer function to reveal the secret to.
- Returns:
  the result of the consumer function.
- Throws:
  E - if the consumer throws.

revealAsUtf8
public <T,E extends Exception> T revealAsUtf8(Function<char[],T,E> function) throws E
Reveals the secret temporarily as characters in UTF-8. Any bytes that cannot be interpreted as UTF-8 will be replaced with the replacement character. Note that the consumer should not make any assumptions about the availability of the secret characters after the function returns. They may be overwritten or destroyed, so the consumer should make a defensive copy if they need to retain the secret beyond the lifetime of this call.
- Type Parameters:
  T - the type of object returned by the consumer.
  E - the type of exceptions thrown by the consumer.
- Parameters:
  function - the consumer function to reveal the secret to.
- Returns:
  the result of the consumer function.
- Throws:
  E - if the consumer throws.

revealAsUtf8AndDestroy
public <T,E extends Exception> T revealAsUtf8AndDestroy(Function<char[],T,E> function) throws E
Reveals the secret temporarily as characters in UTF-8 and then scrubs the secret from memory. See revealAsUtf8(Function).
- Type Parameters:
  T - the type of object returned by the consumer.
  E - the type of exceptions thrown by the consumer.
- Parameters:
  function - the consumer function to reveal the secret to.
- Returns:
  the result of the consumer function.
- Throws:
  E - if the consumer throws.

close
public void close()
Scrubs the secret value from memory on a best-effort basis.
- Specified by:
  close in interface AutoCloseable
- Overrides:
  close in class Secret

isClosed
public boolean isClosed()
Description copied from class: Secret
Indicates whether this secret has been closed by calling the Secret.close() method. A secret that has been closed should be considered invalid and re-fetched from the SecretsProvider.

destroy
public void destroy()
- Specified by:
  destroy in interface Destroyable

isDestroyed
public boolean isDestroyed()
- Specified by:
  isDestroyed in interface Destroyable