#3 Secret revocation implemented

2016-10-15 18:36:49 +02:00 · 2016-10-15 18:36:49 +02:00 · 048e4d12b4
commit 048e4d12b4
parent c3ad6b6edd
3 changed files with 152 additions and 58 deletions
--- a/src/main/java/de/stklcode/jvault/connector/HTTPVaultConnector.java
+++ b/src/main/java/de/stklcode/jvault/connector/HTTPVaultConnector.java
@ -60,6 +60,7 @@ public class HTTPVaultConnector implements VaultConnector {
    private static final String PATH_AUTH_USERPASS = "auth/userpass/login/";
    private static final String PATH_AUTH_APPID =    "auth/app-id/";
    private static final String PATH_SECRET =        "secret";
+    private static final String PATH_REVOKE =        "sys/revoke/";

    private final ObjectMapper jsonMapper;

@ -71,6 +72,7 @@ public class HTTPVaultConnector implements VaultConnector {

    /**
     * Create connector using hostname and schema.
+     *
     * @param hostname  The hostname
     * @param useTLS    If TRUE, use HTTPS, otherwise HTTP
     */
@ -80,6 +82,7 @@ public class HTTPVaultConnector implements VaultConnector {

    /**
     * Create connector using hostname, schema and port.
+     *
     * @param hostname  The hostname
     * @param useTLS    If TRUE, use HTTPS, otherwise HTTP
     * @param port      The port
@ -89,7 +92,8 @@ public class HTTPVaultConnector implements VaultConnector {
    }

    /**
-     * Create connector using hostname, schame, port and path
+     * Create connector using hostname, schame, port and path.
+     *
     * @param hostname  The hostname
     * @param useTLS    If TRUE, use HTTPS, otherwise HTTP
     * @param port      The port
@ -103,7 +107,8 @@ public class HTTPVaultConnector implements VaultConnector {
    }

    /**
-     * Create connector using full URL
+     * Create connector using full URL.
+     *
     * @param baseURL   The URL
     */
    public HTTPVaultConnector(String baseURL) {
@ -310,10 +315,26 @@ public class HTTPVaultConnector implements VaultConnector {
        return requestPost(PATH_SECRET + "/" + key, param).equals("");
    }

+    @Override
+    public boolean revoke(String leaseID) throws VaultConnectorException {
+        if (!isAuthorized())
+            throw new AuthorizationRequiredException();
+
+        /* Request HTTP response and expect empty result */
+        String response = requestPut(PATH_REVOKE + leaseID, new HashMap<>());
+        return response.equals("");
+    }
+
+    @Override
+    public VaultResponse renew(String leaseID, Integer seconds) {
+        /* TODO */
+        return null;
+    }


    /**
     * Execute HTTP request using POST method.
+     *
     * @param path      URL path (relative to base)
     * @param payload   Map of payload values (will be converted to JSON)
     * @return          HTTP response
@ -341,6 +362,7 @@ public class HTTPVaultConnector implements VaultConnector {

    /**
     * Execute HTTP request using PUT method.
+     *
     * @param path      URL path (relative to base)
     * @param payload   Map of payload values (will be converted to JSON)
     * @return          HTTP response
@ -367,6 +389,7 @@ public class HTTPVaultConnector implements VaultConnector {

    /**
     * Execute HTTP request using GET method.
+     *
     * @param path      URL path (relative to base)
     * @param payload   Map of payload values (will be converted to JSON)
     * @return HTTP response
@ -388,7 +411,8 @@ public class HTTPVaultConnector implements VaultConnector {
    }

    /**
-     * Execute prepared HTTP request and return result
+     * Execute prepared HTTP request and return result.
+     *
     * @param base  Prepares Request
     * @return      HTTP response
     * @throws VaultConnectorException  on connection error
--- a/src/main/java/de/stklcode/jvault/connector/VaultConnector.java
+++ b/src/main/java/de/stklcode/jvault/connector/VaultConnector.java
@ -32,6 +32,7 @@ import java.util.List;
 public interface VaultConnector {
    /**
     * Verify that vault connection is initialized.
+     *
     * @return TRUE if correctly initialized
     */
    boolean init();
@ -43,18 +44,21 @@ public interface VaultConnector {

    /**
     * Retrieve status of vault seal.
+     *
     * @return Seal status
     */
    SealResponse sealStatus();

    /**
     * Seal vault.
+     *
     * @return TRUE on success
     */
    boolean seal();

    /**
     * Unseal vault.
+     *
     * @param key   A single master share key
     * @param reset Discard previously provided keys (optional)
     * @return TRUE on success
@ -63,6 +67,7 @@ public interface VaultConnector {

    /**
     * Unseal vault.
+     *
     * @param key A single master share key
     * @return TRUE on success
     */
@ -72,6 +77,7 @@ public interface VaultConnector {

    /**
     * Get all availale authentication backends.
+     *
     * @return List of backends
     * @throws VaultConnectorException on error
     */
@ -79,6 +85,7 @@ public interface VaultConnector {

    /**
     * Authorize to Vault using token.
+     *
     * @param token The token
     * @return Token response
     * @throws VaultConnectorException on error
@ -87,6 +94,7 @@ public interface VaultConnector {

    /**
     * Authorize to Vault using username and password.
+     *
     * @param username The username
     * @param password The password
     * @return Authorization result
@ -96,6 +104,7 @@ public interface VaultConnector {

    /**
     * Authorize to Vault using AppID method.
+     *
     * @param appID  The App ID
     * @param userID The User ID
     * @return TRUE on success
@ -105,6 +114,7 @@ public interface VaultConnector {

    /**
     * Register new App-ID with policy.
+     *
     * @param appID       The unique App-ID
     * @param policy      The policy to associate with
     * @param displayName Arbitrary name to display
@ -115,6 +125,7 @@ public interface VaultConnector {

    /**
     * Register User-ID with App-ID
+     *
     * @param appID  The App-ID
     * @param userID The User-ID
     * @return TRUE on success
@ -124,6 +135,7 @@ public interface VaultConnector {

    /**
     * Register new App-ID and User-ID at once.
+     *
     * @param appID       The App-ID
     * @param policy      The policy to associate with
     * @param displayName Arbitrary name to display
@ -137,12 +149,14 @@ public interface VaultConnector {

    /**
     * Get authorization status
+     *
     * @return TRUE, if successfully authorized
     */
    boolean isAuthorized();

    /**
     * Retrieve secret form Vault.
+     *
     * @param key Secret identifier
     * @return Secret response
     * @throws VaultConnectorException on error
@ -151,6 +165,7 @@ public interface VaultConnector {

    /**
     * List available secrets from Vault.
+     *
     * @param path Root path to search
     * @return List of secret keys
     * @throws VaultConnectorException on error
@ -159,10 +174,29 @@ public interface VaultConnector {

    /**
     * Write secret to Vault.
+     *
     * @param key   Secret path
     * @param value Secret value
     * @return TRUE on success
     * @throws VaultConnectorException on error
     */
    boolean writeSecret(final String key, final String value) throws VaultConnectorException;
+
+    /**
+     * Revoke given lease immediately.
+     *
+     * @param leaseID the lease ID
+     * @return TRUE on success
+     * @throws VaultConnectorException on error
+     */
+    boolean revoke(final String leaseID) throws VaultConnectorException;
+
+    /**
+     * Renew lease with given ID.
+     *
+     * @param leaseID the lase ID
+     * @param seconds number of seconds to extend lease time
+     * @return Renewed lease
+     */
+    VaultResponse renew(final String leaseID, final Integer seconds);
 }
--- a/src/test/java/de/stklcode/jvault/connector/HTTPVaultConnectorTest.java
+++ b/src/test/java/de/stklcode/jvault/connector/HTTPVaultConnectorTest.java
@ -35,13 +35,10 @@ import java.io.IOException;
 import java.net.ServerSocket;
 import java.util.List;

-import static org.hamcrest.CoreMatchers.*;
-import static org.hamcrest.Matchers.greaterThan;
+import static org.hamcrest.Matchers.*;
 import static org.hamcrest.core.Is.is;
 import static org.junit.Assert.*;
-import static org.junit.Assume.assumeFalse;
-import static org.junit.Assume.assumeNotNull;
-import static org.junit.Assume.assumeTrue;
+import static org.junit.Assume.*;

 /**
 * JUnit Test for HTTP Vault connector.
@ -303,6 +300,45 @@ public class HTTPVaultConnectorTest {
        }
    }

+    /**
+     * Test revocation of secrets.
+     */
+    @Test
+    public void revokeTest() {
+        authRoot();
+        assumeTrue(connector.isAuthorized());
+
+        /* Write a test secret to vault */
+        try {
+            boolean res = connector.writeSecret(SECRET_PATH + "/toRevoke", "secret content");
+            assumeThat("Secret could not be written path.", res, is(true));
+        } catch (VaultConnectorException e) {
+            fail("Secret written to inaccessible path.");
+        }
+        SecretResponse res = null;
+        try {
+            res = connector.readSecret(SECRET_PATH + "/toRevoke");
+        } catch (VaultConnectorException e) {
+            fail("Written secret could not be read.");
+        }
+        assumeThat(res, is(notNullValue()));
+
+        /* Revoke secret by lease id */
+        try {
+            boolean revoked = connector.revoke(SECRET_PATH + "/toRevoke");
+            assertThat("Revocation of secret faiked.", revoked, is(true));
+        } catch (VaultConnectorException e) {
+            fail("Revocation threw unexpected exception.");
+        }
+
+        try {
+            connector.readSecret(SECRET_PATH + "/toRevoke");
+            fail("Revoked secret could still be read");
+        } catch (VaultConnectorException e) {
+            assertThat(e, is(notNullValue()));
+        }
+    }
+
    /**
     * Initialize Vault with resource datastore and generated configuration.
     * @return  Vault Configuration