Package org.forgerock.openig.secrets

Class KeyStoreSecretStoreHeaplet

java.lang.Object

org.forgerock.openig.heap.GenericHeaplet

org.forgerock.openig.secrets.KeyStoreSecretStoreHeaplet

All Implemented Interfaces:

Heaplet

public class KeyStoreSecretStoreHeaplet
extends GenericHeaplet

This heaplet represents an instance of a KeyStoreSecretStore.

 {
       "type": "KeyStoreSecretStore",
       "config": {
         "file":                  expression             [REQUIRED - location of the KeyStore.]
         "storeType":             expression             [OPTIONAL - type of the store, default: "PKCS12". ]
         "storePasswordSecretId": expression             [OPTIONAL - Secret ID referring to the KeyStore password.
                                                                     when not set expect unprotected KeyStore]
         "entryPasswordSecretId": expression             [OPTIONAL - Secret ID referring to the entries' password.
                                                                     default to storePasswordSecretId. (1)]
         "secretsProvider":       Secrets Provider       [REQUIRED - resolve keystore passwords.]
         "leaseExpiry":           expression<duration>   [OPTIONAL - defaults to 5 minutes.]
         "mappings": [            array                  [REQUIRED - array of object.]
           {                      object
             "secretId":          expression             [REQUIRED - ID of the secret.]
             "aliases":           [ expression  ]        [OPTIONAL - list of aliases corresponding to the above
                                                                     secret. Order matters here and the first is the
                                                                     active secret. Required if 'aliasesMatching' not
                                                                     set.]
             "aliasesMatching":   [ expression  ]        [OPTIONAL - list of regular expressions matching the
                                                                     keystore aliases to map. Required if 'alias' not
                                                                     set.]
           }
         ]
         "autoRefresh": {         object                 [OPTIONAL - indicate if this KeyStoreSecretStore should be
                                                                     refreshed on keystore change (edit and delete).]
           "enabled":             expression<boolean>    [OPTIONAL - Configure with boolean expression resolving to
                                                                     'true' to enable, or 'false' to disable.
                                                                     Default is enabled.]
           "executor":            executor               [OPTIONAL - Executor to use in monitoring the keystore,
                                                                     defaults to heap-configured
                                                                     {@literal SCHEDULED_EXECUTOR_SERVICE_HEAP_KEY}.]
         }
       }
    }
 

Example:

 {
       "type": "KeyStoreSecretStore",
       "config": {
           "file": "/path/to/keystore.file",
           "storePasswordSecretId": "keystore.pass",
           "entryPasswordSecretId": "keystore.entries.pass",
           "secretsProvider": "mySecretsProvider",
           "mappings": [{
               "secretId": "global.pcookie.crypt",
               "aliases": [ "rsapair72", "rsapair72-inactive" ]
           }]
        }
    }
 

(1) Note that if the entryPasswordSecretId is used, it must be the same for all entries in the keystore. This said, it will not work with JKS having different password for their entries.

Example showing "autoRefresh" config, supporting keystore file monitoring and refresh:

 {
       "type": "KeyStoreSecretStore",
       "config": {
           "file": "/path/to/keystore.file",
           "storePasswordSecretId": "keystore.pass",
           "entryPasswordSecretId": "keystore.entries.pass",
           "secretsProvider": "mySecretsProvider",
           "mappings": [{
               "secretId": "global.pcookie.crypt",
               "aliases": [ "rsapair72", "rsapair72-inactive" ],
           }]
           "autoRefresh": {
               "enabled": "${my.boolean.property}",
               "executor": "#refreshExecutor"
           }
       }
    }
 

See Also:

• KeyStoreSecretStore

Field Summary

Fields inherited from class org.forgerock.openig.heap.GenericHeaplet

config, heap, name, object, qualified

Constructor Summary

Constructors

Constructor	Description
KeyStoreSecretStoreHeaplet()

Method Summary

Modifier and Type	Method	Description
Object	create()	Called to request the heaplet create an object.
void	destroy()	Called to indicate that the object created by the heaplet is going to be dereferenced.
KeyStoreSecretStore	keyStore(SecretsProvider secretsProvider, Purpose<GenericSecret> storePasswordPurpose, Options options)	Instantiate the KeyStoreSecretStore.
protected static SecretReference<GenericSecret>	toSecretsReference(SecretsProvider secretsProvider, Purpose<GenericSecret> purpose)

Methods inherited from class org.forgerock.openig.heap.GenericHeaplet

create, endpointRegistry, evaluatedWithHeapProperties, expression, getConfig, getHeap, getType, initialBindings, meterRegistryHolder, start

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Details

KeyStoreSecretStoreHeaplet

public KeyStoreSecretStoreHeaplet()

Method Details

keyStore

public KeyStoreSecretStore keyStore(SecretsProvider secretsProvider,
 Purpose<GenericSecret> storePasswordPurpose,
 Options options)
                             throws HeapException

Instantiate the KeyStoreSecretStore.

Parameters:

secretsProvider - The SecretsProvider containing every secrets needed to unlock the underlying KeyStore

storePasswordPurpose - The main KeyStore password, may be null if unprotected.

options - Some options to pass to the keyStore.

Returns:

a new instance of a KeyStore.

Throws:

HeapException - if something went wrong.

destroy

public void destroy()

Description copied from interface: Heaplet

Called to indicate that the object created by the heaplet is going to be dereferenced. This gives the heaplet an opportunity to free any resources that are being held prior to its dereference.

Specified by:

destroy in interface Heaplet

Overrides:

destroy in class GenericHeaplet

create

public Object create()
              throws HeapException

Description copied from class: GenericHeaplet

Called to request the heaplet create an object. Called by Heaplet.create(Name, JsonValue, Heap) after initializing the protected field members. Implementations should parse configuration but not acquire resources, start threads, or log any initialization messages. These tasks should be performed by the GenericHeaplet.start() method.

Specified by:

create in class GenericHeaplet

Returns:

The created object.

Throws:

HeapException - if an exception occurred during creation of the heap object or any of its dependencies.

toSecretsReference

protected static SecretReference<GenericSecret> toSecretsReference(SecretsProvider secretsProvider,
 Purpose<GenericSecret> purpose)