diff --git a/CHANGELOG.md b/CHANGELOG.md
index 625e624..8a14cd4 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -8,7 +8,8 @@
* Remove deprecated `VaultConnectorFactory` in favor of `VaultConnectorBuilder` with identical API
* Remove deprecated `AppRoleBuilder` and `TokenBuilder` in favor of `AppRole.Builder` and `Token.Builder`
* Remove deprecated `Period`, `Policy` and `Policies` methods from `AppRole` in favor of `Token`-prefixed versions
-* Remove deprecated `SecretResponse#getValue()` method, use `get("value")` instead.
+* Remove deprecated `SecretResponse#getValue()` method, use `get("value")` instead
+* Remove deprecated convenience methods for interaction with "secret" mount
### Improvements
* Use pre-sized map objects for fixed-size payloads
diff --git a/src/main/java/de/stklcode/jvault/connector/VaultConnector.java b/src/main/java/de/stklcode/jvault/connector/VaultConnector.java
index 45174dc..2d26f5d 100644
--- a/src/main/java/de/stklcode/jvault/connector/VaultConnector.java
+++ b/src/main/java/de/stklcode/jvault/connector/VaultConnector.java
@@ -16,13 +16,15 @@
package de.stklcode.jvault.connector;
-import de.stklcode.jvault.connector.exception.InvalidRequestException;
import de.stklcode.jvault.connector.exception.VaultConnectorException;
import de.stklcode.jvault.connector.model.*;
import de.stklcode.jvault.connector.model.response.*;
import java.io.Serializable;
-import java.util.*;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+import java.util.Map;
/**
* Vault Connector interface.
@@ -32,10 +34,6 @@ import java.util.*;
* @since 0.1
*/
public interface VaultConnector extends AutoCloseable, Serializable {
- /**
- * Default sub-path for Vault secrets.
- */
- String PATH_SECRET = "secret";
/**
* Reset authorization information.
@@ -393,34 +391,6 @@ public interface VaultConnector extends AutoCloseable, Serializable {
*/
SecretResponse read(final String key) throws VaultConnectorException;
- /**
- * Retrieve secret from Vault.
- *
- * Prefix {@code secret/} is automatically added to key.
- *
- * @param key Secret identifier
- * @return Secret response
- * @throws VaultConnectorException on error
- */
- default SecretResponse readSecret(final String key) throws VaultConnectorException {
- return read(PATH_SECRET + "/" + key);
- }
-
- /**
- * Retrieve the latest secret data for specific version from Vault.
- *
- * Prefix "secret/data" is automatically added to key.
- * Only available for KV v2 secrets.
- *
- * @param key Secret identifier
- * @return Secret response
- * @throws VaultConnectorException on error
- * @since 0.8
- */
- default SecretResponse readSecretData(final String key) throws VaultConnectorException {
- return readSecretVersion(key, null);
- }
-
/**
* Retrieve the latest secret data for specific version from Vault.
*
@@ -437,22 +407,6 @@ public interface VaultConnector extends AutoCloseable, Serializable {
return readSecretVersion(mount, key, null);
}
- /**
- * Write secret to Vault.
- *
- * Prefix {@code secret/} is automatically added to path.
- * Only available for KV v2 secrets.
- *
- * @param key Secret identifier.
- * @param data Secret content. Value must be be JSON serializable.
- * @return Metadata for the created/updated secret.
- * @throws VaultConnectorException on error
- * @since 0.8
- */
- default SecretVersionResponse writeSecretData(final String key, final Map data) throws VaultConnectorException {
- return writeSecretData(PATH_SECRET, key, data, null);
- }
-
/**
* Write secret to Vault.
*
@@ -486,22 +440,6 @@ public interface VaultConnector extends AutoCloseable, Serializable {
*/
SecretVersionResponse writeSecretData(final String mount, final String key, final Map data, final Integer cas) throws VaultConnectorException;
- /**
- * Retrieve secret data from Vault.
- *
- * Path {@code /data/} is read here.
- * Only available for KV v2 secrets.
- *
- * @param key Secret identifier
- * @param version Version to read. If {@code null} or zero, the latest version will be returned.
- * @return Secret response
- * @throws VaultConnectorException on error
- * @since 0.8
- */
- default SecretResponse readSecretVersion(final String key, final Integer version) throws VaultConnectorException {
- return readSecretVersion(PATH_SECRET, key, version);
- }
-
/**
* Retrieve secret data from Vault.
*
@@ -517,36 +455,6 @@ public interface VaultConnector extends AutoCloseable, Serializable {
*/
SecretResponse readSecretVersion(final String mount, final String key, final Integer version) throws VaultConnectorException;
- /**
- * Retrieve secret metadata from Vault.
- * Path {@code secret/metadata/} is read here.
- * Only available for KV v2 secrets.
- *
- * @param key Secret identifier
- * @return Metadata response
- * @throws VaultConnectorException on error
- * @since 0.8
- */
- default MetadataResponse readSecretMetadata(final String key) throws VaultConnectorException {
- return readSecretMetadata(PATH_SECRET, key);
- }
-
- /**
- * Update secret metadata.
- *
- * Path {@code secret/metadata/} is read here.
- * Only available for KV v2 secrets.
- *
- * @param key Secret identifier
- * @param maxVersions Maximum number of versions (fallback to backend default if {@code null})
- * @param casRequired Specify if Check-And-Set is required for this secret.
- * @throws VaultConnectorException on error
- * @since 0.8
- */
- default void updateSecretMetadata(final String key, final Integer maxVersions, final boolean casRequired) throws VaultConnectorException {
- updateSecretMetadata(PATH_SECRET, key, maxVersions, casRequired);
- }
-
/**
* Retrieve secret metadata from Vault.
*
@@ -586,19 +494,6 @@ public interface VaultConnector extends AutoCloseable, Serializable {
*/
List list(final String path) throws VaultConnectorException;
- /**
- * List available secrets from Vault.
- *
- * Prefix {@code secret/} is automatically added to path.
- *
- * @param path Root path to search
- * @return List of secret keys
- * @throws VaultConnectorException on error
- */
- default List listSecrets(final String path) throws VaultConnectorException {
- return list(PATH_SECRET + "/" + path);
- }
-
/**
* Write simple value to Vault.
*
@@ -634,36 +529,6 @@ public interface VaultConnector extends AutoCloseable, Serializable {
*/
void write(final String key, final Map data, final Map options) throws VaultConnectorException;
- /**
- * Write secret to Vault.
- *
- * Prefix {@code secret/} is automatically added to path.
- *
- * @param key Secret path
- * @param value Secret value
- * @throws VaultConnectorException on error
- */
- default void writeSecret(final String key, final String value) throws VaultConnectorException {
- writeSecret(key, Collections.singletonMap("value", value));
- }
-
- /**
- * Write secret to Vault.
- *
- * Prefix {@code secret/} is automatically added to path.
- *
- * @param key Secret path
- * @param data Secret content. Value must be be JSON serializable.
- * @throws VaultConnectorException on error
- * @since 0.5.0
- */
- default void writeSecret(final String key, final Map data) throws VaultConnectorException {
- if (key == null || key.isEmpty()) {
- throw new InvalidRequestException("Secret path must not be empty.");
- }
- write(PATH_SECRET + "/" + key, data);
- }
-
/**
* Delete key from Vault.
*
@@ -673,31 +538,6 @@ public interface VaultConnector extends AutoCloseable, Serializable {
*/
void delete(final String key) throws VaultConnectorException;
- /**
- * Delete secret from Vault.
- *
- * Prefix {@code secret/} is automatically added to path.
- *
- * @param key Secret path
- * @throws VaultConnectorException on error
- */
- default void deleteSecret(final String key) throws VaultConnectorException {
- delete(PATH_SECRET + "/" + key);
- }
-
- /**
- * Delete latest version of a secret from Vault.
- *
- * Prefix {@code secret/} is automatically added to path. Only available for KV v2 stores.
- *
- * @param key Secret path.
- * @throws VaultConnectorException on error
- * @since 0.8
- */
- default void deleteLatestSecretVersion(final String key) throws VaultConnectorException {
- deleteLatestSecretVersion(PATH_SECRET, key);
- }
-
/**
* Delete latest version of a secret from Vault.
*
@@ -710,20 +550,6 @@ public interface VaultConnector extends AutoCloseable, Serializable {
*/
void deleteLatestSecretVersion(final String mount, final String key) throws VaultConnectorException;
- /**
- * Delete latest version of a secret from Vault.
- *
- * Prefix {@code secret/} is automatically added to path.
- * Only available for KV v2 stores.
- *
- * @param key Secret path.
- * @throws VaultConnectorException on error
- * @since 0.8
- */
- default void deleteAllSecretVersions(final String key) throws VaultConnectorException {
- deleteAllSecretVersions(PATH_SECRET, key);
- }
-
/**
* Delete latest version of a secret from Vault.
*
@@ -737,20 +563,6 @@ public interface VaultConnector extends AutoCloseable, Serializable {
*/
void deleteAllSecretVersions(final String mount, final String key) throws VaultConnectorException;
- /**
- * Delete secret versions from Vault.
- *
- * Only available for KV v2 stores.
- *
- * @param key Secret path.
- * @param versions Versions of the secret to delete.
- * @throws VaultConnectorException on error
- * @since 0.8
- */
- default void deleteSecretVersions(final String key, final int... versions) throws VaultConnectorException {
- deleteSecretVersions(PATH_SECRET, key, versions);
- }
-
/**
* Delete secret versions from Vault.
*
@@ -764,19 +576,6 @@ public interface VaultConnector extends AutoCloseable, Serializable {
*/
void deleteSecretVersions(final String mount, final String key, final int... versions) throws VaultConnectorException;
- /**
- * Undelete (restore) secret versions from Vault.
- * Only available for KV v2 stores.
- *
- * @param key Secret path.
- * @param versions Versions of the secret to undelete.
- * @throws VaultConnectorException on error
- * @since 0.8
- */
- default void undeleteSecretVersions(final String key, final int... versions) throws VaultConnectorException {
- undeleteSecretVersions(PATH_SECRET, key, versions);
- }
-
/**
* Undelete (restore) secret versions from Vault.
* Only available for KV v2 stores.
@@ -789,19 +588,6 @@ public interface VaultConnector extends AutoCloseable, Serializable {
*/
void undeleteSecretVersions(final String mount, final String key, final int... versions) throws VaultConnectorException;
- /**
- * Destroy secret versions from Vault.
- * Only available for KV v2 stores.
- *
- * @param key Secret path.
- * @param versions Versions of the secret to destroy.
- * @throws VaultConnectorException on error
- * @since 0.8
- */
- default void destroySecretVersions(final String key, final int... versions) throws VaultConnectorException {
- destroySecretVersions(PATH_SECRET, key, versions);
- }
-
/**
* Destroy secret versions from Vault.
* Only available for KV v2 stores.
diff --git a/src/test/java/de/stklcode/jvault/connector/HTTPVaultConnectorTest.java b/src/test/java/de/stklcode/jvault/connector/HTTPVaultConnectorTest.java
index b8a4e0a..f8a7de9 100644
--- a/src/test/java/de/stklcode/jvault/connector/HTTPVaultConnectorTest.java
+++ b/src/test/java/de/stklcode/jvault/connector/HTTPVaultConnectorTest.java
@@ -119,7 +119,7 @@ class HTTPVaultConnectorTest {
@DisplayName("Read/Write Tests")
@TestMethodOrder(MethodOrderer.OrderAnnotation.class)
class ReadWriteTests {
- private static final String SECRET_PATH = "userstore";
+ private static final String SECRET_PATH = "secret/userstore";
private static final String SECRET_KEY = "foo";
private static final String SECRET_VALUE = "bar";
private static final String SECRET_KEY_JSON = "json";
@@ -138,11 +138,11 @@ class HTTPVaultConnectorTest {
/* Try to read path user has no permission to read */
SecretResponse res = null;
- final String invalidPath = "invalid/path";
+ final String invalidPath = "secret/invalid/path";
VaultConnectorException e = assertThrows(
PermissionDeniedException.class,
- () -> connector.readSecret(invalidPath),
+ () -> connector.read(invalidPath),
"Invalid secret path should raise an exception"
);
@@ -154,14 +154,14 @@ class HTTPVaultConnectorTest {
/* Try to read accessible path with known value */
res = assertDoesNotThrow(
- () -> connector.readSecret(SECRET_PATH + "/" + SECRET_KEY),
+ () -> connector.read(SECRET_PATH + "/" + SECRET_KEY),
"Valid secret path could not be read"
);
assertThat("Known secret returned invalid value.", res.get("value"), is(SECRET_VALUE));
/* Try to read accessible path with JSON value */
res = assertDoesNotThrow(
- () -> connector.readSecret(SECRET_PATH + "/" + SECRET_KEY_JSON),
+ () -> connector.read(SECRET_PATH + "/" + SECRET_KEY_JSON),
"Valid secret path could not be read"
);
assertThat("Known secret returned null value.", res.get("value"), notNullValue());
@@ -174,7 +174,7 @@ class HTTPVaultConnectorTest {
/* Try to read accessible path with JSON value */
res = assertDoesNotThrow(
- () -> connector.readSecret(SECRET_PATH + "/" + SECRET_KEY_JSON),
+ () -> connector.read(SECRET_PATH + "/" + SECRET_KEY_JSON),
"Valid secret path could not be read"
);
assertThat("Known secret returned null value.", res.get("value"), notNullValue());
@@ -187,7 +187,7 @@ class HTTPVaultConnectorTest {
/* Try to read accessible complex secret */
res = assertDoesNotThrow(
- () -> connector.readSecret(SECRET_PATH + "/" + SECRET_KEY_COMPLEX),
+ () -> connector.read(SECRET_PATH + "/" + SECRET_KEY_COMPLEX),
"Valid secret path could not be read"
);
assertThat("Known secret returned null value.", res.getData(), notNullValue());
@@ -207,7 +207,7 @@ class HTTPVaultConnectorTest {
assumeTrue(connector.isAuthorized());
/* Try to list secrets from valid path */
List secrets = assertDoesNotThrow(
- () -> connector.listSecrets(SECRET_PATH),
+ () -> connector.list(SECRET_PATH),
"Secrets could not be listed"
);
assertThat("Invalid nmber of secrets.", secrets.size(), greaterThan(0));
@@ -228,31 +228,31 @@ class HTTPVaultConnectorTest {
/* Try to write to null path */
assertThrows(
InvalidRequestException.class,
- () -> connector.writeSecret(null, "someValue"),
+ () -> connector.write(null, "someValue"),
"Secret written to null path."
);
/* Try to write to invalid path */
assertThrows(
InvalidRequestException.class,
- () -> connector.writeSecret("", "someValue"),
+ () -> connector.write("", "someValue"),
"Secret written to invalid path."
);
/* Try to write to a path the user has no access for */
assertThrows(
PermissionDeniedException.class,
- () -> connector.writeSecret("invalid/path", "someValue"),
+ () -> connector.write("invalid/path", "someValue"),
"Secret written to inaccessible path."
);
/* Perform a valid write/read roundtrip to valid path. Also check UTF8-encoding. */
assertDoesNotThrow(
- () -> connector.writeSecret(SECRET_PATH + "/temp", "Abc123äöü,!"),
+ () -> connector.write(SECRET_PATH + "/temp", "Abc123äöü,!"),
"Failed to write secret to accessible path."
);
SecretResponse res = assertDoesNotThrow(
- () -> connector.readSecret(SECRET_PATH + "/temp"),
+ () -> connector.read(SECRET_PATH + "/temp"),
"Written secret could not be read."
);
assertThat(res.get("value"), is("Abc123äöü,!"));
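Review bot: The permission-denied write case still passes `"invalid/path"`, which the removed `writeSecret` resolved to `secret/invalid/path` but which now addresses a different mount, so it no longer checks that the policy denies writes inside `secret/`. The read test in the earlier hunk was updated to `"secret/invalid/path"`, and this call should match: `() -> connector.write("secret/invalid/path", "someValue"),`. Separately, the null and empty path checks asserted at the top of this hunk were implemented by the removed default `writeSecret(String, Map)`. Whether `write` performs the same validation is not visible in this diff, so confirm that those two assertions still pass for the reason they state. The enclosing test method starts and ends outside the hunk.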
@@ -270,25 +270,25 @@ class HTTPVaultConnectorTest {
/* Write a test secret to vault */
assertDoesNotThrow(
- () -> connector.writeSecret(SECRET_PATH + "/toDelete", "secret content"),
+ () -> connector.write(SECRET_PATH + "/toDelete", "secret content"),
"Secret written to inaccessible path."
);
SecretResponse res = assertDoesNotThrow(
- () -> connector.readSecret(SECRET_PATH + "/toDelete"),
+ () -> connector.read(SECRET_PATH + "/toDelete"),
"Written secret could not be read."
);
assumeTrue(res != null);
/* Delete secret */
assertDoesNotThrow(
- () -> connector.deleteSecret(SECRET_PATH + "/toDelete"),
+ () -> connector.delete(SECRET_PATH + "/toDelete"),
"Revocation threw unexpected exception."
);
/* Try to read again */
InvalidResponseException e = assertThrows(
InvalidResponseException.class,
- () -> connector.readSecret(SECRET_PATH + "/toDelete"),
+ () -> connector.read(SECRET_PATH + "/toDelete"),
"Successfully read deleted secret."
);
assertThat(e.getStatusCode(), is(404));
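Review bot: Two failure messages in this hunk do not describe what they check. The `assertDoesNotThrow` around `connector.write(SECRET_PATH + "/toDelete", ...)` reports `"Secret written to inaccessible path."` although the write is expected to succeed, and the delete step reports `"Revocation threw unexpected exception."`. Since these calls are being edited anyway, consider `"Failed to write secret to accessible path."` (already used in the write test) and `"Deletion threw unexpected exception."`. The same write message appears in the following hunk for `/toRevoke`. The test method begins outside the hunk.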
@@ -306,11 +306,11 @@ class HTTPVaultConnectorTest {
/* Write a test secret to vault */
assertDoesNotThrow(
- () -> connector.writeSecret(SECRET_PATH + "/toRevoke", "secret content"),
+ () -> connector.write(SECRET_PATH + "/toRevoke", "secret content"),
"Secret written to inaccessible path."
);
SecretResponse res = assertDoesNotThrow(
- () -> connector.readSecret(SECRET_PATH + "/toRevoke"),
+ () -> connector.read(SECRET_PATH + "/toRevoke"),
"Written secret could not be read."
);
assumeTrue(res != null);