From 71564e87e84f0eddb18236ae7659ffda2072bfc6 Mon Sep 17 00:00:00 2001
From: Stefan Kalscheuer
Date: Sat, 12 Jun 2021 10:44:41 +0200
Subject: [PATCH] remove convenience methods to interact with "secret/" mount (#53)
---
 CHANGELOG.md | 3 +-
 .../jvault/connector/VaultConnector.java | 222 +-----------------
 .../connector/HTTPVaultConnectorTest.java | 38 +--
 3 files changed, 25 insertions(+), 238 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 625e624..8a14cd4 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -8,7 +8,8 @@
 * Remove deprecated `VaultConnectorFactory` in favor of `VaultConnectorBuilder` with identical API
 * Remove deprecated `AppRoleBuilder` and `TokenBuilder` in favor of `AppRole.Builder` and `Token.Builder`
 * Remove deprecated `Period`, `Policy` and `Policies` methods from `AppRole` in favor of `Token`-prefixed versions
-* Remove deprecated `SecretResponse#getValue()` method, use `get("value")` instead.
+* Remove deprecated `SecretResponse#getValue()` method, use `get("value")` instead
+* Remove deprecated convenience methods for interaction with "secret" mount
 ### Improvements
 * Use pre-sized map objects for fixed-size payloads
diff --git a/src/main/java/de/stklcode/jvault/connector/VaultConnector.java b/src/main/java/de/stklcode/jvault/connector/VaultConnector.java
index 45174dc..2d26f5d 100644
--- a/src/main/java/de/stklcode/jvault/connector/VaultConnector.java
+++ b/src/main/java/de/stklcode/jvault/connector/VaultConnector.java
@@ -16,13 +16,15 @@ package de.stklcode.jvault.connector;
-import de.stklcode.jvault.connector.exception.InvalidRequestException;
 import de.stklcode.jvault.connector.exception.VaultConnectorException;
 import de.stklcode.jvault.connector.model.*;
 import de.stklcode.jvault.connector.model.response.*;
 import java.io.Serializable;
-import java.util.*;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+import java.util.Map;
 /**
 * Vault Connector interface.
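Review bot: The explicit imports `import java.util.ArrayList;` and `import java.util.Collections;` that replace `java.util.*` in the VaultConnector.java hunk may be left without a remaining user, because the only `Collections` usage visible in this patch (`Collections.singletonMap("value", value)` in the removed `writeSecret` default) is itself deleted here. Whether other default methods in the interface still reference `ArrayList` or `Collections` is outside the visible hunks, so please confirm and drop whichever import is unused; an unused import is harmless at runtime but trips Checkstyle/Error Prone style checks. Narrowing the wildcard to named imports is otherwise a welcome change since it makes the interface's dependencies reviewable.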
@@ -32,10 +34,6 @@ import java.util.*;
 * @since 0.1
 */
 public interface VaultConnector extends AutoCloseable, Serializable {
- /**
- * Default sub-path for Vault secrets.
- */
- String PATH_SECRET = "secret";
 /**
 * Reset authorization information.
@@ -393,34 +391,6 @@ public interface VaultConnector extends AutoCloseable, Serializable {
 */
 SecretResponse read(final String key) throws VaultConnectorException;
- /**
- * Retrieve secret from Vault.
- *
- * Prefix {@code secret/} is automatically added to key.
- *
- * @param key Secret identifier
- * @return Secret response
- * @throws VaultConnectorException on error
- */
- default SecretResponse readSecret(final String key) throws VaultConnectorException {
- return read(PATH_SECRET + "/" + key);
- }
-
- /**
- * Retrieve the latest secret data for specific version from Vault.
- *
- * Prefix "secret/data" is automatically added to key.
- * Only available for KV v2 secrets.
- *
- * @param key Secret identifier
- * @return Secret response
- * @throws VaultConnectorException on error
- * @since 0.8
- */
- default SecretResponse readSecretData(final String key) throws VaultConnectorException {
- return readSecretVersion(key, null);
- }
-
 /**
 * Retrieve the latest secret data for specific version from Vault.
 *
@@ -437,22 +407,6 @@ public interface VaultConnector extends AutoCloseable, Serializable {
 return readSecretVersion(mount, key, null);
 }
- /**
- * Write secret to Vault.
- *
- * Prefix {@code secret/} is automatically added to path.
- * Only available for KV v2 secrets.
- *
- * @param key Secret identifier.
- * @param data Secret content. Value must be be JSON serializable.
- * @return Metadata for the created/updated secret.
- * @throws VaultConnectorException on error
- * @since 0.8
- */
- default SecretVersionResponse writeSecretData(final String key, final Map data) throws VaultConnectorException {
- return writeSecretData(PATH_SECRET, key, data, null);
- }
-
 /**
 * Write secret to Vault.
 *
@@ -486,22 +440,6 @@ public interface VaultConnector extends AutoCloseable, Serializable {
 */
 SecretVersionResponse writeSecretData(final String mount, final String key, final Map data, final Integer cas) throws VaultConnectorException;
- /**
- * Retrieve secret data from Vault.
- *
- * Path {@code /data/} is read here.
- * Only available for KV v2 secrets.
- *
- * @param key Secret identifier
- * @param version Version to read. If {@code null} or zero, the latest version will be returned.
- * @return Secret response
- * @throws VaultConnectorException on error
- * @since 0.8
- */
- default SecretResponse readSecretVersion(final String key, final Integer version) throws VaultConnectorException {
- return readSecretVersion(PATH_SECRET, key, version);
- }
-
 /**
 * Retrieve secret data from Vault.
 *
@@ -517,36 +455,6 @@ public interface VaultConnector extends AutoCloseable, Serializable {
 */
 SecretResponse readSecretVersion(final String mount, final String key, final Integer version) throws VaultConnectorException;
- /**
- * Retrieve secret metadata from Vault.
- * Path {@code secret/metadata/} is read here.
- * Only available for KV v2 secrets.
- *
- * @param key Secret identifier
- * @return Metadata response
- * @throws VaultConnectorException on error
- * @since 0.8
- */
- default MetadataResponse readSecretMetadata(final String key) throws VaultConnectorException {
- return readSecretMetadata(PATH_SECRET, key);
- }
-
- /**
- * Update secret metadata.
- *
- * Path {@code secret/metadata/} is read here.
- * Only available for KV v2 secrets.
- *
- * @param key Secret identifier
- * @param maxVersions Maximum number of versions (fallback to backend default if {@code null})
- * @param casRequired Specify if Check-And-Set is required for this secret.
- * @throws VaultConnectorException on error
- * @since 0.8
- */
- default void updateSecretMetadata(final String key, final Integer maxVersions, final boolean casRequired) throws VaultConnectorException {
- updateSecretMetadata(PATH_SECRET, key, maxVersions, casRequired);
- }
-
 /**
 * Retrieve secret metadata from Vault.
 *
@@ -586,19 +494,6 @@ public interface VaultConnector extends AutoCloseable, Serializable {
 */
 List list(final String path) throws VaultConnectorException;
- /**
- * List available secrets from Vault.
- *
- * Prefix {@code secret/} is automatically added to path.
- *
- * @param path Root path to search
- * @return List of secret keys
- * @throws VaultConnectorException on error
- */
- default List listSecrets(final String path) throws VaultConnectorException {
- return list(PATH_SECRET + "/" + path);
- }
-
 /**
 * Write simple value to Vault.
 *
@@ -634,36 +529,6 @@ public interface VaultConnector extends AutoCloseable, Serializable {
 */
 void write(final String key, final Map data, final Map options) throws VaultConnectorException;
- /**
- * Write secret to Vault.
- *
- * Prefix {@code secret/} is automatically added to path.
- *
- * @param key Secret path
- * @param value Secret value
- * @throws VaultConnectorException on error
- */
- default void writeSecret(final String key, final String value) throws VaultConnectorException {
- writeSecret(key, Collections.singletonMap("value", value));
- }
-
- /**
- * Write secret to Vault.
- *
- * Prefix {@code secret/} is automatically added to path.
- *
- * @param key Secret path
- * @param data Secret content. Value must be be JSON serializable.
- * @throws VaultConnectorException on error
- * @since 0.5.0
- */
- default void writeSecret(final String key, final Map data) throws VaultConnectorException {
- if (key == null || key.isEmpty()) {
- throw new InvalidRequestException("Secret path must not be empty.");
- }
- write(PATH_SECRET + "/" + key, data);
- }
-
 /**
 * Delete key from Vault.
 *
@@ -673,31 +538,6 @@ public interface VaultConnector extends AutoCloseable, Serializable {
 */
 void delete(final String key) throws VaultConnectorException;
- /**
- * Delete secret from Vault.
- *
- * Prefix {@code secret/} is automatically added to path.
- *
- * @param key Secret path
- * @throws VaultConnectorException on error
- */
- default void deleteSecret(final String key) throws VaultConnectorException {
- delete(PATH_SECRET + "/" + key);
- }
-
- /**
- * Delete latest version of a secret from Vault.
- *
- * Prefix {@code secret/} is automatically added to path. Only available for KV v2 stores.
- *
- * @param key Secret path.
- * @throws VaultConnectorException on error
- * @since 0.8
- */
- default void deleteLatestSecretVersion(final String key) throws VaultConnectorException {
- deleteLatestSecretVersion(PATH_SECRET, key);
- }
-
 /**
 * Delete latest version of a secret from Vault.
 *
@@ -710,20 +550,6 @@ public interface VaultConnector extends AutoCloseable, Serializable {
 */
 void deleteLatestSecretVersion(final String mount, final String key) throws VaultConnectorException;
- /**
- * Delete latest version of a secret from Vault.
- *
- * Prefix {@code secret/} is automatically added to path.
- * Only available for KV v2 stores.
- *
- * @param key Secret path.
- * @throws VaultConnectorException on error
- * @since 0.8
- */
- default void deleteAllSecretVersions(final String key) throws VaultConnectorException {
- deleteAllSecretVersions(PATH_SECRET, key);
- }
-
 /**
 * Delete latest version of a secret from Vault.
 *
@@ -737,20 +563,6 @@ public interface VaultConnector extends AutoCloseable, Serializable {
 */
 void deleteAllSecretVersions(final String mount, final String key) throws VaultConnectorException;
- /**
- * Delete secret versions from Vault.
- *
- * Only available for KV v2 stores.
- *
- * @param key Secret path.
- * @param versions Versions of the secret to delete.
- * @throws VaultConnectorException on error
- * @since 0.8
- */
- default void deleteSecretVersions(final String key, final int... versions) throws VaultConnectorException {
- deleteSecretVersions(PATH_SECRET, key, versions);
- }
-
 /**
 * Delete secret versions from Vault.
 *
@@ -764,19 +576,6 @@ public interface VaultConnector extends AutoCloseable, Serializable {
 */
 void deleteSecretVersions(final String mount, final String key, final int... versions) throws VaultConnectorException;
- /**
- * Undelete (restore) secret versions from Vault.
- * Only available for KV v2 stores.
- *
- * @param key Secret path.
- * @param versions Versions of the secret to undelete.
- * @throws VaultConnectorException on error
- * @since 0.8
- */
- default void undeleteSecretVersions(final String key, final int... versions) throws VaultConnectorException {
- undeleteSecretVersions(PATH_SECRET, key, versions);
- }
-
 /**
 * Undelete (restore) secret versions from Vault.
 * Only available for KV v2 stores.
@@ -789,19 +588,6 @@ public interface VaultConnector extends AutoCloseable, Serializable {
 */
 void undeleteSecretVersions(final String mount, final String key, final int... versions) throws VaultConnectorException;
- /**
- * Destroy secret versions from Vault.
- * Only available for KV v2 stores.
- *
- * @param key Secret path.
- * @param versions Versions of the secret to destroy.
- * @throws VaultConnectorException on error
- * @since 0.8
- */
- default void destroySecretVersions(final String key, final int... versions) throws VaultConnectorException {
- destroySecretVersions(PATH_SECRET, key, versions);
- }
-
 /**
 * Destroy secret versions from Vault.
 * Only available for KV v2 stores.
diff --git a/src/test/java/de/stklcode/jvault/connector/HTTPVaultConnectorTest.java b/src/test/java/de/stklcode/jvault/connector/HTTPVaultConnectorTest.java
index b8a4e0a..f8a7de9 100644
--- a/src/test/java/de/stklcode/jvault/connector/HTTPVaultConnectorTest.java
+++ b/src/test/java/de/stklcode/jvault/connector/HTTPVaultConnectorTest.java
@@ -119,7 +119,7 @@ class HTTPVaultConnectorTest {
 @DisplayName("Read/Write Tests")
 @TestMethodOrder(MethodOrderer.OrderAnnotation.class)
 class ReadWriteTests {
- private static final String SECRET_PATH = "userstore";
+ private static final String SECRET_PATH = "secret/userstore";
 private static final String SECRET_KEY = "foo";
 private static final String SECRET_VALUE = "bar";
 private static final String SECRET_KEY_JSON = "json";
@@ -138,11 +138,11 @@ class HTTPVaultConnectorTest {
 /* Try to read path user has no permission to read */
 SecretResponse res = null;
- final String invalidPath = "invalid/path";
+ final String invalidPath = "secret/invalid/path";
 VaultConnectorException e = assertThrows(
 PermissionDeniedException.class,
- () -> connector.readSecret(invalidPath),
+ () -> connector.read(invalidPath),
 "Invalid secret path should raise an exception"
 );
@@ -154,14 +154,14 @@ class HTTPVaultConnectorTest {
 /* Try to read accessible path with known value */
 res = assertDoesNotThrow(
- () -> connector.readSecret(SECRET_PATH + "/" + SECRET_KEY),
+ () -> connector.read(SECRET_PATH + "/" + SECRET_KEY),
 "Valid secret path could not be read"
 );
 assertThat("Known secret returned invalid value.", res.get("value"), is(SECRET_VALUE));
 /* Try to read accessible path with JSON value */
 res = assertDoesNotThrow(
- () -> connector.readSecret(SECRET_PATH + "/" + SECRET_KEY_JSON),
+ () -> connector.read(SECRET_PATH + "/" + SECRET_KEY_JSON),
 "Valid secret path could not be read"
 );
 assertThat("Known secret returned null value.", res.get("value"), notNullValue());
@@ -174,7 +174,7 @@ class HTTPVaultConnectorTest {
 /* Try to read accessible path with JSON value */
 res = assertDoesNotThrow(
- () -> connector.readSecret(SECRET_PATH + "/" + SECRET_KEY_JSON),
+ () -> connector.read(SECRET_PATH + "/" + SECRET_KEY_JSON),
 "Valid secret path could not be read"
 );
 assertThat("Known secret returned null value.", res.get("value"), notNullValue());
@@ -187,7 +187,7 @@ class HTTPVaultConnectorTest {
 /* Try to read accessible complex secret */
 res = assertDoesNotThrow(
- () -> connector.readSecret(SECRET_PATH + "/" + SECRET_KEY_COMPLEX),
+ () -> connector.read(SECRET_PATH + "/" + SECRET_KEY_COMPLEX),
 "Valid secret path could not be read"
 );
 assertThat("Known secret returned null value.", res.getData(), notNullValue());
@@ -207,7 +207,7 @@ class HTTPVaultConnectorTest {
 assumeTrue(connector.isAuthorized());
 /* Try to list secrets from valid path */
 List secrets = assertDoesNotThrow(
- () -> connector.listSecrets(SECRET_PATH),
+ () -> connector.list(SECRET_PATH),
 "Secrets could not be listed"
 );
 assertThat("Invalid nmber of secrets.", secrets.size(), greaterThan(0));
@@ -228,31 +228,31 @@ class HTTPVaultConnectorTest {
 /* Try to write to null path */
 assertThrows(
 InvalidRequestException.class,
- () -> connector.writeSecret(null, "someValue"),
+ () -> connector.write(null, "someValue"),
 "Secret written to null path."
 );
 /* Try to write to invalid path */
 assertThrows(
 InvalidRequestException.class,
- () -> connector.writeSecret("", "someValue"),
+ () -> connector.write("", "someValue"),
 "Secret written to invalid path."
 );
 /* Try to write to a path the user has no access for */
 assertThrows(
 PermissionDeniedException.class,
- () -> connector.writeSecret("invalid/path", "someValue"),
+ () -> connector.write("invalid/path", "someValue"),
 "Secret written to inaccessible path."
 );
 /* Perform a valid write/read roundtrip to valid path. Also check UTF8-encoding. */
 assertDoesNotThrow(
- () -> connector.writeSecret(SECRET_PATH + "/temp", "Abc123äöü,!"),
+ () -> connector.write(SECRET_PATH + "/temp", "Abc123äöü,!"),
 "Failed to write secret to accessible path."
 );
 SecretResponse res = assertDoesNotThrow(
- () -> connector.readSecret(SECRET_PATH + "/temp"),
+ () -> connector.read(SECRET_PATH + "/temp"),
 "Written secret could not be read."
 );
 assertThat(res.get("value"), is("Abc123äöü,!"));
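Review bot: In the `@@ -228,31 +228,31 @@` hunk the permission-denied write `() -> connector.write("invalid/path", "someValue"),` loses the `secret/` prefix that the removed `writeSecret` default used to add, while the matching read check earlier in this file was updated to `"secret/invalid/path"`; the write should get the same prefix so the test keeps exercising a denied path inside the mount rather than an unmounted path, `() -> connector.write("secret/invalid/path", "someValue"),`. The two assertions above it that expect `InvalidRequestException` for a `null` and an empty key previously relied on the deleted `writeSecret(key, data)` default, which rejected those keys before issuing any request; they now depend on `write(String, String)` performing the same check, which is outside this patch and worth confirming so that a null or empty key is never turned into a request against the mount root. The enclosing test method continues outside the hunk.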
@@ -270,25 +270,25 @@ class HTTPVaultConnectorTest {
 /* Write a test secret to vault */
 assertDoesNotThrow(
- () -> connector.writeSecret(SECRET_PATH + "/toDelete", "secret content"),
+ () -> connector.write(SECRET_PATH + "/toDelete", "secret content"),
 "Secret written to inaccessible path."
 );
 SecretResponse res = assertDoesNotThrow(
- () -> connector.readSecret(SECRET_PATH + "/toDelete"),
+ () -> connector.read(SECRET_PATH + "/toDelete"),
 "Written secret could not be read."
 );
 assumeTrue(res != null);
 /* Delete secret */
 assertDoesNotThrow(
- () -> connector.deleteSecret(SECRET_PATH + "/toDelete"),
+ () -> connector.delete(SECRET_PATH + "/toDelete"),
 "Revocation threw unexpected exception."
 );
 /* Try to read again */
 InvalidResponseException e = assertThrows(
 InvalidResponseException.class,
- () -> connector.readSecret(SECRET_PATH + "/toDelete"),
+ () -> connector.read(SECRET_PATH + "/toDelete"),
 "Successfully read deleted secret."
 );
 assertThat(e.getStatusCode(), is(404));
@@ -306,11 +306,11 @@ class HTTPVaultConnectorTest {
 /* Write a test secret to vault */
 assertDoesNotThrow(
- () -> connector.writeSecret(SECRET_PATH + "/toRevoke", "secret content"),
+ () -> connector.write(SECRET_PATH + "/toRevoke", "secret content"),
 "Secret written to inaccessible path."
 );
 SecretResponse res = assertDoesNotThrow(
- () -> connector.readSecret(SECRET_PATH + "/toRevoke"),
+ () -> connector.read(SECRET_PATH + "/toRevoke"),
 "Written secret could not be read."
 );
 assumeTrue(res != null);