Package org.forgerock.openig.secrets
Class KeyStoreSecretStoreHeaplet
- java.lang.Object
-
- org.forgerock.openig.heap.GenericHeaplet
-
- org.forgerock.openig.secrets.KeyStoreSecretStoreHeaplet
-
- All Implemented Interfaces:
Heaplet
public class KeyStoreSecretStoreHeaplet extends GenericHeaplet
This heaplet represents an instance of aKeyStoreSecretStore.{ "type": "KeyStoreSecretStore", "config": { "file": expression [REQUIRED - location of the KeyStore.] "storeType": expression [OPTIONAL - type of the store, default: "PKCS12". ] "storePasswordSecretId": expression [OPTIONAL - Secret ID referring to the KeyStore password. when not set expect unprotected KeyStore] "entryPasswordSecretId": expression [OPTIONAL - Secret ID referring to the entries' password. default to storePasswordSecretId. (1)] "secretsProvider": Secrets Provider [OPTIONAL - resolve keystore passwords. defaults to route's secret service] "leaseExpiry": expression<duration> [OPTIONAL - defaults to 5 minutes.] "mappings": [ array [REQUIRED - array of object.] { object "secretId": expression [REQUIRED - ID of the secret.] "aliases": [ expression ] [OPTIONAL - list of aliases corresponding to the above secret. Order matters here and the first is the active secret. Required if 'aliasesMatching' not set.] "aliasesMatching": [ expression ] [OPTIONAL - list of regular expressions matching the keystore aliases to map. Required if 'alias' not set.] } ] "autoRefresh": { object [OPTIONAL - indicate if this KeyStoreSecretStore should be refreshed on keystore change (edit and delete).] "enabled": expression<boolean> [OPTIONAL - Configure with boolean expression resolving to 'true' to enable, or 'false' to disable. Default is enabled.] "executor": executor [OPTIONAL - Executor to use in monitoring the keystore, defaults to heap-configured {@literal SCHEDULED_EXECUTOR_SERVICE_HEAP_KEY}.] } } }Example:
(1) Note that if the entryPasswordSecretId is used, it must be the same for all entries in the keystore. This said, it will not work with JKS having different password for their entries.{ "type": "KeyStoreSecretStore", "config": { "file": "/path/to/keystore.file", "storePasswordSecretId": "keystore.pass", "entryPasswordSecretId": "keystore.entries.pass", "mappings": [{ "secretId": "global.pcookie.crypt", "aliases": [ "rsapair72", "rsapair72-inactive" ] }] } }Example showing "autoRefresh" config, supporting keystore file monitoring and refresh:
{ "type": "KeyStoreSecretStore", "config": { "file": "/path/to/keystore.file", "storePasswordSecretId": "keystore.pass", "entryPasswordSecretId": "keystore.entries.pass", "mappings": [{ "secretId": "global.pcookie.crypt", "aliases": [ "rsapair72", "rsapair72-inactive" ], }] "autoRefresh": { "enabled": "${my.boolean.property}", "executor": "#refreshExecutor" } } }- See Also:
KeyStoreSecretStore
-
-
Constructor Summary
Constructors Constructor Description KeyStoreSecretStoreHeaplet()
-
Method Summary
All Methods Static Methods Instance Methods Concrete Methods Modifier and Type Method Description Objectcreate()Called to request the heaplet create an object.voiddestroy()Called to indicate that the object created by the heaplet is going to be dereferenced.KeyStoreSecretStorekeyStore(SecretsProvider secretsProvider, Purpose<GenericSecret> storePasswordPurpose, Options options)Instantiate theKeyStoreSecretStore.protected static SecretReference<GenericSecret>toSecretsReference(SecretsProvider secretsProvider, Purpose<GenericSecret> purpose)-
Methods inherited from class org.forgerock.openig.heap.GenericHeaplet
create, endpointRegistry, evaluatedWithHeapProperties, expression, getConfig, getHeap, getSecretService, getSecretsProvider, getType, initialBindings, meterRegistryHolder, start
-
-
-
-
Method Detail
-
keyStore
public KeyStoreSecretStore keyStore(SecretsProvider secretsProvider, Purpose<GenericSecret> storePasswordPurpose, Options options) throws HeapException
Instantiate theKeyStoreSecretStore.- Parameters:
secretsProvider- TheSecretsProvidercontaining every secrets needed to unlock the underlying KeyStorestorePasswordPurpose- The main KeyStore password, may benullif unprotected.options- Some options to pass to the keyStore.- Returns:
- a new instance of a KeyStore.
- Throws:
HeapException- if something went wrong.
-
destroy
public void destroy()
Description copied from interface:HeapletCalled to indicate that the object created by the heaplet is going to be dereferenced. This gives the heaplet an opportunity to free any resources that are being held prior to its dereference.- Specified by:
destroyin interfaceHeaplet- Overrides:
destroyin classGenericHeaplet
-
create
public Object create() throws HeapException
Description copied from class:GenericHeapletCalled to request the heaplet create an object. Called byHeaplet.create(Name, JsonValue, Heap)after initializing the protected field members. Implementations should parse configuration but not acquire resources, start threads, or log any initialization messages. These tasks should be performed by theGenericHeaplet.start()method.- Specified by:
createin classGenericHeaplet- Returns:
- The created object.
- Throws:
HeapException- if an exception occurred during creation of the heap object or any of its dependencies.
-
toSecretsReference
protected static SecretReference<GenericSecret> toSecretsReference(SecretsProvider secretsProvider, Purpose<GenericSecret> purpose)
-
-