From 6ce974994617cff31dd6649457b87989359fe0e3 Mon Sep 17 00:00:00 2001 From: Stefan Kalscheuer Date: Tue, 25 Feb 2025 18:00:11 +0100 Subject: [PATCH] feat: introduce methods for transit API interaction --- pom.xml | 2 +- .../jvault/connector/HTTPVaultConnector.java | 44 ++++++++++++++++++ .../jvault/connector/VaultConnector.java | 45 +++++++++++++++++++ .../model/response/TransitResponse.java | 36 +++++++++++++++ 4 files changed, 126 insertions(+), 1 deletion(-) create mode 100644 src/main/java/de/stklcode/jvault/connector/model/response/TransitResponse.java diff --git a/pom.xml b/pom.xml index 1127189..956892c 100644 --- a/pom.xml +++ b/pom.xml @@ -4,7 +4,7 @@ de.stklcode.jvault jvault-connector - 1.4.1-SNAPSHOT + 1.5.0-SNAPSHOT jar diff --git a/src/main/java/de/stklcode/jvault/connector/HTTPVaultConnector.java b/src/main/java/de/stklcode/jvault/connector/HTTPVaultConnector.java index 788af95..2f1c299 100644 --- a/src/main/java/de/stklcode/jvault/connector/HTTPVaultConnector.java +++ b/src/main/java/de/stklcode/jvault/connector/HTTPVaultConnector.java @@ -68,6 +68,11 @@ public class HTTPVaultConnector implements VaultConnector { private static final String PATH_UNDELETE = "/undelete/"; private static final String PATH_DESTROY = "/destroy/"; + private static final String PATH_TRANSIT = "transit"; + private static final String PATH_TRANSIT_ENCRYPT = PATH_TRANSIT + "/encrypt/"; + private static final String PATH_TRANSIT_DECRYPT = PATH_TRANSIT + "/decrypt/"; + private static final String PATH_TRANSIT_HASH = PATH_TRANSIT + "/hash/"; + private final RequestHelper request; private boolean authorized = false; // Authorization status. 
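Review bot: `PATH_TRANSIT` pins the secrets engine mount to the literal `"transit"`, so every transit method built on these constants can only reach an engine mounted at that default path. The existing API appears to distinguish a default mount point for other backends (the VaultConnector hunk's context reads `Read credentials for MySQL backend at default mount point`), so an overload accepting the mount path, or at least a comment on the constant such as `// Default mount path of the transit secrets engine; custom mounts are not supported.`, would keep the new API consistent with that convention. The constants sit inside `HTTPVaultConnector`, whose body extends beyond the hunk.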
@@ -646,6 +651,45 @@ public class HTTPVaultConnector implements VaultConnector { return true; } + @Override + public final TransitResponse transitEncrypt(final String keyName, final String plaintext) throws VaultConnectorException { + requireAuth(); + + Map payload = mapOf( + "plaintext", plaintext + ); + + return request.post(PATH_TRANSIT_ENCRYPT + keyName, payload, token, TransitResponse.class); + } + + @Override + public final TransitResponse transitDecrypt(final String keyName, final String ciphertext) throws VaultConnectorException { + requireAuth(); + + Map payload = mapOf( + "ciphertext", ciphertext + ); + + return request.post(PATH_TRANSIT_DECRYPT + keyName, payload, token, TransitResponse.class); + } + + @Override + public final TransitResponse transitHash(final String algorithm, final String input) throws VaultConnectorException { + return transitHash(algorithm, input, "hex"); + } + + @Override + public final TransitResponse transitHash(final String algorithm, final String input, final String format) throws VaultConnectorException { + requireAuth(); + + Map payload = mapOf( + "input", input, + "format", format + ); + + return request.post(PATH_TRANSIT_HASH + algorithm, payload, token, TransitResponse.class); + } + /** * Check for required authorization. * diff --git a/src/main/java/de/stklcode/jvault/connector/VaultConnector.java b/src/main/java/de/stklcode/jvault/connector/VaultConnector.java index 3d82ba1..394a565 100644 --- a/src/main/java/de/stklcode/jvault/connector/VaultConnector.java +++ b/src/main/java/de/stklcode/jvault/connector/VaultConnector.java 
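Review bot: `transitEncrypt`, `transitDecrypt` and the three-argument `transitHash` splice the caller-supplied `keyName`/`algorithm` straight into the request path (`PATH_TRANSIT_ENCRYPT + keyName`) with no null or shape check, so a null value yields the literal path segment "null" and a value containing `/` changes which endpoint is addressed; a guard such as `Objects.requireNonNull(keyName, "keyName");` followed by rejecting empty or slash-containing names at the top of each method would fail fast with a clear error. The implementation names the first parameter `keyName` while the interface in VaultConnector names it `name`; using one name in both places keeps the `@param` documentation and the implementation aligned. Vault's transit encrypt endpoint expects the `plaintext` value to be base64-encoded, which these methods neither perform nor document — if encoding is meant to be the caller's job, a comment above the `mapOf("plaintext", plaintext)` line saying so would save the next reader a trip to the Vault docs. The enclosing class continues outside the hunk.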
@@ -674,6 +674,51 @@ public interface VaultConnector extends AutoCloseable, Serializable { */ boolean deleteTokenRole(final String name) throws VaultConnectorException; + /** + * encrypt plaintext via transit engine from Vault. + * + * @param name Transit key name + * @param plaintext Text to encrypt + * @return Transit response + * @throws VaultConnectorException on error + * @since 1.4.1 + */ + TransitResponse transitEncrypt(final String name, final String plaintext) throws VaultConnectorException; + + /** + * decrypt ciphertext via transit engine from Vault. + * + * @param name Transit key name + * @param ciphertext Text to decrypt + * @return Transit response + * @throws VaultConnectorException on error + * @since 1.4.1 + */ + TransitResponse transitDecrypt(final String name, final String ciphertext) throws VaultConnectorException; + + /** + * hash data in hex format via transit engine from Vault. + * + * @param algorithm Specifies the hash algorithm to use + * @param input Data to hash + * @return Transit response + * @throws VaultConnectorException on error + * @since 1.4.1 + */ + TransitResponse transitHash(final String algorithm, final String input) throws VaultConnectorException; + + /** + * hash data via transit engine from Vault. + * + * @param algorithm Specifies the hash algorithm to use + * @param input Data to hash + * @param format Specifies the output encoding (hex/base64) + * @return Transit response + * @throws VaultConnectorException on error + * @since 1.4.1 + */ + TransitResponse transitHash(final String algorithm, final String input, final String format) throws VaultConnectorException; + /** * Read credentials for MySQL backend at default mount point. * diff --git a/src/main/java/de/stklcode/jvault/connector/model/response/TransitResponse.java b/src/main/java/de/stklcode/jvault/connector/model/response/TransitResponse.java new file mode 100644 index 0000000..ee9b7be --- /dev/null 
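Review bot: Every new Javadoc in the hunk carries `@since 1.4.1`, but the same commit moves the pom version from 1.4.1-SNAPSHOT to 1.5.0-SNAPSHOT, so the tag names a release that will not contain these methods; `* @since 1.5.0` matches the bump. The summary sentences (`encrypt plaintext via transit engine from Vault.`) start lowercase, unlike the surrounding Javadoc (`Read credentials for MySQL backend ...`), so capitalising them keeps the generated docs uniform. The `plaintext` parameter is described only as `Text to encrypt`; stating the expected encoding (Vault's transit engine works on base64-encoded input) would tell callers what the string must contain, and the same applies to the `ciphertext` format returned by the encrypt call. The interface body continues outside the hunk.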
+++ b/src/main/java/de/stklcode/jvault/connector/model/response/TransitResponse.java
@@ -0,0 +1,36 @@
+package de.stklcode.jvault.connector.model.response;
+
+import java.io.Serializable;
+import java.util.Collections;
+import java.util.Map;
+import java.util.Objects;
+
+import com.fasterxml.jackson.annotation.JsonProperty;
+
+public class TransitResponse extends VaultDataResponse {
+ private static final long serialVersionUID = -4823865538268326557L;
+
+ @JsonProperty("data")
+ private Map data;
+
+ //@Override
+ public final Map getData() {
+ return Objects.requireNonNullElseGet(data, Collections::emptyMap);
+ }
+
+ @Override
+ public boolean equals(Object o) {
+ if (this == o) {
+ return true;
+ } else if (o == null || getClass() != o.getClass() || !super.equals(o)) {
+ return false;
+ }
+ TransitResponse that = (TransitResponse) o;
+ return Objects.equals(data, that.data);
+ }
+
+ @Override
+ public int hashCode() {
+ return Objects.hash(super.hashCode(), data);
+ }
+}
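Review bot: The commented-out `//@Override` above `getData()` leaves it unclear whether the accessor is meant to override the one inherited from `VaultDataResponse`; either restore `@Override` (if the supertype's `getData()` signature matches) or delete the comment so the intent is not left as dead text. `import java.io.Serializable;` is not referenced anywhere in the file — `serialVersionUID` only needs the class to be serializable through its supertype — so the import can go. `getData()` hands out the deserialized map itself, letting callers mutate response state, whereas the `Collections::emptyMap` fallback is already immutable; returning `Collections.unmodifiableMap(data)` in the non-null case would make both branches behave alike. The class has no class-level Javadoc, unlike the public API added elsewhere in this commit; a short description naming which transit endpoints (encrypt, decrypt, hash) populate `data` and which keys callers should expect would help.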