Package org.forgerock.openig.secrets
Class SecretsUtils

- java.lang.Object
  - org.forgerock.openig.secrets.SecretsUtils

public final class SecretsUtils extends Object

Utility class to use the Commons Secret API.

- Since:
  - 6.5
Field Summary

- static String CONFIG_SECRETS_PROVIDER
  The common key to name secrets provider properties.
- static Duration DEFAULT_LEASE_EXPIRY_DURATION
  The default duration used for lease expiry where none is supplied or the supplied duration is not acceptable.

Method Summary

All Methods, Static Methods, Concrete Methods

- static SecretConstraint<CryptoKey> allowedKeyType(KeyType expected)
  Enforce that a CryptoKey satisfies the given key type constraint.
- static Key exportAsKey(CryptoKey cryptoKey)
  Exports the key material in the raw format.
- static byte[] getPasswordSecretIdOrPasswordAsByte(SecretsProvider secretsProvider, JsonValue secretIdNode, JsonValue deprecatedNode, org.slf4j.Logger logger)
  Retrieve a required shared secret value (as byte[]) from the given secretIdNode and deprecatedNode nodes.
- static SecretsProvider getSecretsProvider(org.slf4j.Logger logger, JsonValue node, Heap heap)
  Returns a SecretsProvider as specified with the CONFIG_SECRETS_PROVIDER attribute, or falling back to the default SecretsProvider found in the heap.
- static <S extends CryptoKey> S retrieveCryptoKeyFromSecretId(SecretsProvider secretsProvider, JsonValue secretIdNode, Class<S> type)
  Retrieves a CryptoKey from the given node.
- static SecretReference<GenericSecret> retrievePasswordAsReference(SecretsProvider secretsProvider, JsonValue secretIdNode, JsonValue deprecatedNode, org.slf4j.Logger logger)
  Retrieve a required password as a SecretReference from the given secretIdNode and deprecatedNode nodes.
- static SecretReference<GenericSecret> retrievePasswordAsReference(SecretsProvider secretsProvider, JsonValue secretIdNode, JsonValue deprecatedNode, org.slf4j.Logger logger, boolean isRequired)
  Retrieve a password as a SecretReference from the given secretIdNode and deprecatedNode nodes.
Field Detail

CONFIG_SECRETS_PROVIDER

public static final String CONFIG_SECRETS_PROVIDER

The common key to name secrets provider properties.

- See Also:
  - Constant Field Values

DEFAULT_LEASE_EXPIRY_DURATION

public static final Duration DEFAULT_LEASE_EXPIRY_DURATION

The default duration used for lease expiry where none is supplied or the supplied duration is not acceptable. This default comes from SecretStore.LEASE_EXPIRY_DURATION, duplicated here so that it can be managed independently.
Method Detail

getPasswordSecretIdOrPasswordAsByte

public static byte[] getPasswordSecretIdOrPasswordAsByte(SecretsProvider secretsProvider, JsonValue secretIdNode, JsonValue deprecatedNode, org.slf4j.Logger logger) throws NoSuchSecretException

Retrieve a required shared secret value (as byte[]) from the given secretIdNode and deprecatedNode nodes.

- A shared secret referenced from the secretIdNode node has precedence.
- When a secret reference is provided but the secret is not found, a NoSuchSecretException is thrown.
- When no secret reference is used, the Base64-decoded value (from deprecatedNode) is returned.
- If the value is missing, an exception is thrown.

This method logs deprecation warnings if the shared secret is resolved from the deprecatedNode node value.

- Parameters:
  - secretsProvider - The SecretsProvider used to retrieve the secret.
  - secretIdNode - The node describing the Purpose where the password will be available.
  - deprecatedNode - The deprecated node holding the password. Deprecated since 6.5.
  - logger - The logger used to display warnings and other deprecation messages.
- Returns:
  - The byte[] representing the password.
- Throws:
  - NoSuchSecretException - If the secret reference cannot be resolved.
exportAsKey

public static Key exportAsKey(CryptoKey cryptoKey) throws NoSuchSecretException

Exports the key material in the raw format.

- Parameters:
  - cryptoKey - The key material to export.
- Returns:
  - The exported key material.
- Throws:
  - NoSuchSecretException - If the secret could not be exported.
retrieveCryptoKeyFromSecretId

public static <S extends CryptoKey> S retrieveCryptoKeyFromSecretId(SecretsProvider secretsProvider, JsonValue secretIdNode, Class<S> type) throws NoSuchSecretException

Retrieves a CryptoKey from the given node.

- Type Parameters:
  - S - The type of the secret.
- Parameters:
  - secretsProvider - The SecretsProvider used to retrieve the secret.
  - secretIdNode - The secretId node.
  - type - The expected type of the secret.
- Returns:
  - The CryptoKey if the secret is found.
- Throws:
  - NoSuchSecretException - If there is no corresponding key.
getSecretsProvider

public static SecretsProvider getSecretsProvider(org.slf4j.Logger logger, JsonValue node, Heap heap) throws HeapException

Returns a SecretsProvider as specified with the CONFIG_SECRETS_PROVIDER attribute, or falling back to the default SecretsProvider found in the heap.

Note: using the new attribute triggers a deprecation warning.
Note: using secretsService has been deprecated in 7.0.0.

- Parameters:
  - logger - Used for logging deprecation warnings (if any).
  - node - JsonValue containing the secretsProvider attribute.
  - heap - Heap used for object retrieval.
- Returns:
  - A SecretsProvider.
- Throws:
  - HeapException - If the provider cannot be created or found in the heap.
retrievePasswordAsReference

public static SecretReference<GenericSecret> retrievePasswordAsReference(SecretsProvider secretsProvider, JsonValue secretIdNode, JsonValue deprecatedNode, org.slf4j.Logger logger)

Retrieve a required password as a SecretReference from the given secretIdNode and deprecatedNode nodes.

- A password referenced from the secretIdNode node has precedence.
- When a secret reference is provided but the secret is not found, a NoSuchSecretException is thrown.
- When no secret reference is used, the direct password value (from deprecatedNode) is returned.
- If the value is missing, an exception is thrown.

This method logs deprecation warnings if the password is resolved from the deprecatedNode node value.

- Parameters:
  - secretsProvider - The SecretsProvider used to retrieve the secret.
  - secretIdNode - The node describing the Purpose where the password will be available.
  - deprecatedNode - The deprecated node holding the password. Deprecated since 6.5.
  - logger - The logger used to display warnings and other deprecation messages.
- Returns:
  - The SecretReference to this password.
retrievePasswordAsReference

public static SecretReference<GenericSecret> retrievePasswordAsReference(SecretsProvider secretsProvider, JsonValue secretIdNode, JsonValue deprecatedNode, org.slf4j.Logger logger, boolean isRequired)

Retrieve a password as a SecretReference from the given secretIdNode and deprecatedNode nodes.

- A password referenced from the secretIdNode node has precedence.
- When a secret reference is provided but the secret is not found, a NoSuchSecretException is thrown.
- When no secret reference is used, the direct password value (from deprecatedNode) is returned.
- If the value is missing, an exception is thrown.

This method logs deprecation warnings if the password is resolved from the deprecatedNode node value.

- Parameters:
  - secretsProvider - The SecretsProvider used to retrieve the secret.
  - secretIdNode - The node describing the Purpose where the password will be available.
  - deprecatedNode - The deprecated node holding the password. Deprecated since 6.5.
  - logger - The logger used to display warnings and other deprecation messages.
  - isRequired - If set to true, this method will throw an exception if deprecatedNode has a null value.
- Returns:
  - The SecretReference to this password.
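The following is an added example, not OpenIG's own code, showing how the password-resolution entry points documented above (getPasswordSecretIdOrPasswordAsByte and both retrievePasswordAsReference overloads) and the retrieveCryptoKeyFromSecretId/exportAsKey pair are driven from a configuration node. It assumes the caller already holds a SecretsProvider (in OpenIG typically obtained through getSecretsProvider(logger, node, heap)); the configuration keys clientSecretId, clientSecret and signingKeyId, the Base64 sample value, and the choice to catch RuntimeException for the "value is missing" case (whose exception type this page does not specify) are assumptions made for the example.

```java
import static org.forgerock.json.JsonValue.field;
import static org.forgerock.json.JsonValue.json;
import static org.forgerock.json.JsonValue.object;

import java.security.Key;

import org.forgerock.json.JsonValue;
import org.forgerock.openig.secrets.SecretsUtils;
import org.forgerock.secrets.GenericSecret;
import org.forgerock.secrets.NoSuchSecretException;
import org.forgerock.secrets.SecretReference;
import org.forgerock.secrets.SecretsProvider;
import org.forgerock.secrets.keys.CryptoKey;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/**
 * Added example (not part of OpenIG): shows which of the SecretsUtils
 * resolution rules a given configuration node triggers. The config keys
 * "clientSecretId", "clientSecret" and "signingKeyId" are hypothetical.
 */
public final class SecretsUtilsExample {

    private static final Logger LOGGER = LoggerFactory.getLogger(SecretsUtilsExample.class);

    // Preferred form: the secret is referenced by id and resolved through the SecretsProvider.
    static final JsonValue BY_SECRET_ID = json(object(
            field("clientSecretId", "oauth2.client.secret")));

    // Deprecated form (since 6.5): the password is inlined in the configuration.
    // SecretsUtils logs a deprecation warning whenever it falls back to this node.
    static final JsonValue INLINE_DEPRECATED = json(object(
            field("clientSecret", "cGFzc3dvcmQ=")));   // constructed Base64 sample value

    // Neither node present: the "required" variants throw.
    static final JsonValue MISSING = json(object());

    private SecretsUtilsExample() { }

    /** Lazy reference to the password; secretIdNode takes precedence over deprecatedNode. */
    static SecretReference<GenericSecret> resolveReference(SecretsProvider provider, JsonValue config) {
        return SecretsUtils.retrievePasswordAsReference(provider,
                                                        config.get("clientSecretId"),
                                                        config.get("clientSecret"),
                                                        LOGGER);
    }

    /** Optional variant: isRequired=false tolerates a null deprecatedNode instead of throwing. */
    static SecretReference<GenericSecret> resolveOptionalReference(SecretsProvider provider, JsonValue config) {
        return SecretsUtils.retrievePasswordAsReference(provider,
                                                        config.get("clientSecretId"),
                                                        config.get("clientSecret"),
                                                        LOGGER,
                                                        false);
    }

    /** Eager variant: raw bytes, Base64-decoded when read from the deprecated node. */
    static byte[] resolveBytes(SecretsProvider provider, JsonValue config) throws NoSuchSecretException {
        return SecretsUtils.getPasswordSecretIdOrPasswordAsByte(provider,
                                                                config.get("clientSecretId"),
                                                                config.get("clientSecret"),
                                                                LOGGER);
    }

    /** Key material: look the CryptoKey up by secret id, then export the raw java.security.Key. */
    static Key resolveRawKey(SecretsProvider provider, JsonValue config) throws NoSuchSecretException {
        // A more specific CryptoKey subclass may be passed as the expected type; CryptoKey itself
        // is used here so the example does not depend on a particular key class.
        CryptoKey cryptoKey = SecretsUtils.retrieveCryptoKeyFromSecretId(provider,
                                                                          config.get("signingKeyId"),
                                                                          CryptoKey.class);
        return SecretsUtils.exportAsKey(cryptoKey);
    }

    /** Walk the three constructed configurations and report which rule applied. */
    static void demo(SecretsProvider provider) {
        for (JsonValue config : new JsonValue[] { BY_SECRET_ID, INLINE_DEPRECATED, MISSING }) {
            try {
                byte[] password = resolveBytes(provider, config);
                LOGGER.info("resolved {} password bytes from {}", password.length, config);
            } catch (NoSuchSecretException e) {
                // A secret id was configured but the provider holds no matching secret.
                LOGGER.warn("secret reference could not be resolved for {}: {}", config, e.getMessage());
            } catch (RuntimeException e) {
                // Assumption: the unspecified "value is missing" exception is unchecked.
                LOGGER.warn("no password configured in {}: {}", config, e.getMessage());
            }
        }
    }
}
```

Reading the three configurations through resolveBytes makes the precedence rule visible in the logs: BY_SECRET_ID never touches the inline value, INLINE_DEPRECATED succeeds but emits the deprecation warning, and MISSING fails because the value is required. Prefer the SecretReference variants over the byte[] variant where the secret can be resolved lazily, so the raw password is not held in memory longer than needed.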
allowedKeyType

public static SecretConstraint<CryptoKey> allowedKeyType(KeyType expected)

Enforce that a CryptoKey satisfies the given key type constraint.

- Parameters:
  - expected - The expected KeyType (e.g. KeyType.SECRET) that the given CryptoKey must satisfy.
- Returns:
  - The SecretConstraint.