Package org.forgerock.openig.secrets

Class FileSystemSecretStoreHeaplet

java.lang.Object

org.forgerock.openig.heap.GenericHeaplet

org.forgerock.openig.secrets.FileSystemSecretStoreHeaplet

All Implemented Interfaces:

Heaplet

public class FileSystemSecretStoreHeaplet
extends GenericHeaplet

This heaplet represents an instance of a PropertyResolverSecretStore resolving properties from files in a directory. The FlatFileResolver resolves each property stored in its own file in some directory.

 {
       "type": "FileSystemSecretStore",
       "config": {
         "directory":            expression             [REQUIRED - path to the directory containing the files
                                                                    (one file per password).]
         "format":               expression(enum)       [OPTIONAL - PLAIN or BASE64, default is BASE64],
         "suffix":               expression             [OPTIONAL - the suffix such as ".secret", default: empty.]
         "versionSuffix":        expression             [OPTIONAL - the version suffix such as ".v", default: empty.]
         "mappings":[            array                  [OPTIONAL - secrets mappings.]
           {                     object
             "secretId":           expression             [REQUIRED - the label of the secret to map.]
             "format":             reference              [REQUIRED - a reference to a
                                                                      {@link SecretPropertyFormat} object.]
           }
         ]
         "leaseExpiry":          expression<duration>   [OPTIONAL - defaults to 5 minutes.]
         "autoRefresh": {        object                 [OPTIONAL - indicate if this FileSystemSecretStore should be
                                                                    refreshed on filesystem change (edit and delete).]
           "enabled":              expression<boolean>    [OPTIONAL - Configure with boolean value or expression
                                                                      with 'true' to enable, or 'false' to disable.
                                                                      Default is enabled.]
           "executor":             executor               [OPTIONAL - Executor to use in monitoring the filesystem,
                                                                      defaults to heap-configured
                                                                      {@literal SCHEDULED_EXECUTOR_SERVICE_HEAP_KEY}.]
         }
    }
 }
 

Note: with versionSuffix valued to ".v" and two files named my.secret.v1.txt and my.secret.v2.txt. Then:

• The active secret pointed by my.secret secret ID will be my.secret.v2.txt.
• The valid secrets pointed by my.secret secret ID will be both my.secret.v1.txt and my.secret.v2.txt.

This behavior permits secrets rotation: the new secret can be placed in the directory while still serving the old one, at this point the 2 secrets will be valid, until we remove the old secret from the directory.

Basic example:

 {
       "type": "FileSystemSecretStore",
       "config": {
         "directory": "/path/to/openig/basedir/secrets"
         "format": "PLAIN"
       }
    }
 

Example showing "autoRefresh" config, supporting filesystem monitoring and refresh:

 {
       "type": "FileSystemSecretStore",
       "config": {
         "directory": "/path/to/openig/basedir/secrets"
         "format": "PLAIN",
         "autoRefresh": {
           "enabled": "${my.boolean.property}",
           "executor": "#refreshExecutor"
         }
       }
    }
 

See Also:

• FlatFileResolver

Field Summary

Fields

Modifier and Type	Field	Description
static final String	NAME	Public name used by resolver.

Fields inherited from class org.forgerock.openig.heap.GenericHeaplet

config, heap, name, object, qualified

Constructor Summary

Constructors

Constructor	Description
FileSystemSecretStoreHeaplet()

Method Summary

Modifier and Type	Method	Description
Object	create()	Called to request the heaplet create an object.
void	destroy()	Called to indicate that the object created by the heaplet is going to be dereferenced.

Methods inherited from class org.forgerock.openig.heap.GenericHeaplet

create, endpointRegistry, evaluatedWithHeapProperties, expression, getConfig, getHeap, getType, initialBindings, meterRegistryHolder, start

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Field Details

NAME

public static final String NAME

Public name used by resolver.

See Also:

• Constant Field Values

Constructor Details

FileSystemSecretStoreHeaplet

public FileSystemSecretStoreHeaplet()

Method Details

destroy

public void destroy()

Description copied from interface: Heaplet

Called to indicate that the object created by the heaplet is going to be dereferenced. This gives the heaplet an opportunity to free any resources that are being held prior to its dereference.

Specified by:

destroy in interface Heaplet

Overrides:

destroy in class GenericHeaplet

create

public Object create()
              throws HeapException

Description copied from class: GenericHeaplet

Called to request the heaplet create an object. Called by Heaplet.create(Name, JsonValue, Heap) after initializing the protected field members. Implementations should parse configuration but not acquire resources, start threads, or log any initialization messages. These tasks should be performed by the GenericHeaplet.start() method.

Specified by:

create in class GenericHeaplet

Returns:

The created object.

Throws:

HeapException - if an exception occurred during creation of the heap object or any of its dependencies.