Class SecretsUtils


  • public final class SecretsUtils
    extends Object
    Utility class to use the Commons Secret API.
    Since:
    6.5
    • Field Detail

      • CONFIG_SECRETS_PROVIDER

        public static final String CONFIG_SECRETS_PROVIDER
        The common key to name secrets provider properties.
        See Also:
        Constant Field Values
      • DEFAULT_LEASE_EXPIRY_DURATION

        public static final Duration DEFAULT_LEASE_EXPIRY_DURATION
The default duration used for lease expiry where none is supplied or the supplied duration is not acceptable. This default comes from SecretStore.LEASE_EXPIRY_DURATION, duplicated here to manage it independently.
    • Method Detail

      • getPasswordSecretIdOrPasswordAsByte

        public static byte[] getPasswordSecretIdOrPasswordAsByte(SecretsProvider secretsProvider,
                                                                 JsonValue secretIdNode,
                                                                 JsonValue deprecatedNode,
                                                                 org.slf4j.Logger logger)
                                                          throws NoSuchSecretException
        Retrieve a required shared secret value (as byte[]) from the given secretIdNode and deprecatedNode nodes.
        • The shared secret referenced from the secretIdNode node takes precedence.
        • When a secret reference is provided but the secret is not found, a NoSuchSecretException is thrown.
        • When no secret reference is used, the Base64-decoded value of deprecatedNode is returned.
        • If the value is missing, an exception is thrown.

        This method logs deprecation warnings if the shared secret is resolved from the deprecatedNode node value.

        Parameters:
        secretsProvider - The SecretsProvider used to retrieve the secret.
        secretIdNode - The node describing the Purpose where the password will be available.
        deprecatedNode - The deprecated node holding the password. Deprecated since 6.5.
        logger - The logger used to display warnings and other deprecation messages.
        Returns:
        The byte[] representing the password.
        Throws:
        NoSuchSecretException - If secret reference cannot be resolved.
      • exportAsKey

        public static Key exportAsKey(CryptoKey cryptoKey)
                               throws NoSuchSecretException
        Exports the key material in the raw format.
        Parameters:
        cryptoKey - The key material to export
        Returns:
        the exported key material.
        Throws:
        NoSuchSecretException - if the secret could not be exported.
      • exportAsKeyAndClose

        public static Key exportAsKeyAndClose(CryptoKey cryptoKey)
                                       throws NoSuchSecretException
        Exports the key material in the raw format and closes the provided key material.
        Parameters:
        cryptoKey - The key material to export
        Returns:
        the exported key material.
        Throws:
        NoSuchSecretException - if the secret could not be exported.
      • getSecretsProvider

        public static SecretsProvider getSecretsProvider(org.slf4j.Logger logger,
                                                         JsonValue node,
                                                         Heap heap)
                                                  throws HeapException
        Returns a SecretsProvider as specified with the CONFIG_SECRETS_PROVIDER attribute or falling back to the default SecretsProvider found in the heap.

        Note: using the new attribute triggers a deprecation warning.

        Note: using secretsService has been deprecated in 7.0.0.

        Parameters:
        logger - Used for logging deprecation warnings (if any)
        node - JsonValue containing secretsProvider attribute
        heap - heap for objects retrieval
        Returns:
        a SecretsProvider
        Throws:
        HeapException - if provider cannot be created/found in the heap
      • retrievePasswordAsReference

        public static SecretReference<GenericSecret> retrievePasswordAsReference(SecretsProvider secretsProvider,
                                                                                 JsonValue secretIdNode,
                                                                                 JsonValue deprecatedNode,
                                                                                 org.slf4j.Logger logger)
        Retrieve a required password as a SecretReference from the given secretIdNode and deprecatedNode nodes.
        • The password referenced from the secretIdNode node takes precedence.
        • When a secret reference is provided but the secret is not found, a NoSuchSecretException is thrown.
        • When no secret reference is used, the direct password value (from deprecatedNode) is returned.
        • If the value is missing, an exception is thrown.

        This method logs deprecation warnings if the password is resolved from the deprecatedNode node value.

        Parameters:
        secretsProvider - The SecretsProvider used to retrieve the secret.
        secretIdNode - The node describing the Purpose where the password will be available.
        deprecatedNode - The deprecated node holding the password. Deprecated since 6.5.
        logger - The logger used to display warnings and other deprecation messages.
        Returns:
        The SecretReference to this password.
      • retrievePasswordAsReference

        public static SecretReference<GenericSecret> retrievePasswordAsReference(SecretsProvider secretsProvider,
                                                                                 JsonValue secretIdNode,
                                                                                 JsonValue deprecatedNode,
                                                                                 org.slf4j.Logger logger,
                                                                                 boolean isRequired)
        Retrieve a password as a SecretReference from the given secretIdNode and deprecatedNode nodes.
        • The password referenced from the secretIdNode node takes precedence.
        • When a secret reference is provided but the secret is not found, a NoSuchSecretException is thrown.
        • When no secret reference is used, the direct password value (from deprecatedNode) is returned.
        • If the value is missing, an exception is thrown.

        This method logs deprecation warnings if the password is resolved from the deprecatedNode node value.

        Parameters:
        secretsProvider - The SecretsProvider used to retrieve the secret.
        secretIdNode - The node describing the Purpose where the password will be available.
        deprecatedNode - The deprecated node holding the password. Deprecated since 6.5.
        logger - The logger used to display warnings and other deprecation messages.
        isRequired - If set to true, this method will throw an exception if deprecatedNode has a null value.
        Returns:
        The SecretReference to this password.
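As an added example (not code from SecretsUtils or the project that ships it), the following shows how a heap object's configuration could be resolved with getSecretsProvider, both retrievePasswordAsReference overloads and getPasswordSecretIdOrPasswordAsByte, so that a Purpose-based secret id is preferred and an inline credential in the configuration file is accepted only with the deprecation warning. The JSON key names passwordSecretId, password, clientSecretId and clientSecret, and the package names in the imports, are assumptions.

```java
import org.forgerock.json.JsonValue;
import org.forgerock.openig.heap.Heap;
import org.forgerock.openig.heap.HeapException;
import org.forgerock.openig.secrets.SecretsUtils;   // package name assumed
import org.forgerock.secrets.GenericSecret;
import org.forgerock.secrets.NoSuchSecretException;
import org.forgerock.secrets.SecretReference;
import org.forgerock.secrets.SecretsProvider;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

// Added example, not part of SecretsUtils. Config key names below are assumptions.
public final class CredentialConfigExample {
    private static final Logger logger = LoggerFactory.getLogger(CredentialConfigExample.class);

    /** Provider named by CONFIG_SECRETS_PROVIDER in config, else the heap default. */
    public static SecretsProvider provider(JsonValue config, Heap heap) throws HeapException {
        return SecretsUtils.getSecretsProvider(logger, config, heap);
    }

    /**
     * Required password kept as a reference, so the value is fetched at use time.
     * "passwordSecretId" (a Purpose label) takes precedence; an inline "password"
     * still works but is logged as deprecated because it places the credential
     * in the configuration file itself.
     */
    public static SecretReference<GenericSecret> requiredPassword(JsonValue config, Heap heap)
            throws HeapException {
        return SecretsUtils.retrievePasswordAsReference(provider(config, heap),
                config.get("passwordSecretId"), config.get("password"), logger);
    }

    /** Optional credential: with isRequired=false, a null "clientSecret" node does not throw. */
    public static SecretReference<GenericSecret> optionalClientSecret(JsonValue config, Heap heap)
            throws HeapException {
        return SecretsUtils.retrievePasswordAsReference(provider(config, heap),
                config.get("clientSecretId"), config.get("clientSecret"), logger, false);
    }

    /** Eager variant for callers needing raw bytes now; the deprecated node is Base64-decoded. */
    public static byte[] requiredPasswordBytes(JsonValue config, Heap heap)
            throws HeapException, NoSuchSecretException {
        return SecretsUtils.getPasswordSecretIdOrPasswordAsByte(provider(config, heap),
                config.get("passwordSecretId"), config.get("password"), logger);
    }
}
```

Because JsonValue.get(String) returns a null-wrapping node for an absent key, both nodes can be passed unconditionally and the precedence rules documented above decide which one is used; callers of the optional variant must still handle the case where no credential was configured at all.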