stklcode/jvaultconnector
stklcode/jvaultconnector
1
0
Fork 0
Code Issues Actions Releases 33 Wiki Activity

remove convenience methods to interact with "secret/" mount (#53)
All checks were successful
continuous-integration/drone/push Build is passing
Details

Browse Source
This commit is contained in:
Stefan Kalscheuer 2021-06-12 10:44:41 +02:00 committed by GitHub
parent ce24de7347
commit 71564e87e8
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 25 additions and 238 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
CHANGELOG.md
View File

@ -8,7 +8,8 @@
* Remove deprecated `VaultConnectorFactory` in favor of `VaultConnectorBuilder` with identical API
* Remove deprecated `AppRoleBuilder` and `TokenBuilder` in favor of `AppRole.Builder` and `Token.Builder`
* Remove deprecated `Period`, `Policy` and `Policies` methods from `AppRole` in favor of `Token`-prefixed versions
* Remove deprecated `SecretResponse#getValue()` method, use `get("value")` instead.
* Remove deprecated `SecretResponse#getValue()` method, use `get("value")` instead
* Remove deprecated convenience methods for interaction with "secret" mount
### Improvements
* Use pre-sized map objects for fixed-size payloads

222
src/main/java/de/stklcode/jvault/connector/VaultConnector.java
View File

@ -16,13 +16,15 @@
package de.stklcode.jvault.connector;
import de.stklcode.jvault.connector.exception.InvalidRequestException;
import de.stklcode.jvault.connector.exception.VaultConnectorException;
import de.stklcode.jvault.connector.model.*;
import de.stklcode.jvault.connector.model.response.*;
import java.io.Serializable;
import java.util.*;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.Map;
/**
* Vault Connector interface.
@ -32,10 +34,6 @@ import java.util.*;
* @since 0.1
*/
public interface VaultConnector extends AutoCloseable, Serializable {
/**
* Default sub-path for Vault secrets.
*/
String PATH_SECRET = "secret";
/**
* Reset authorization information.
@ -393,34 +391,6 @@ public interface VaultConnector extends AutoCloseable, Serializable {
*/
SecretResponse read(final String key) throws VaultConnectorException;
/**
* Retrieve secret from Vault.
* <br>
* Prefix {@code secret/} is automatically added to key.
*
* @param key Secret identifier
* @return Secret response
* @throws VaultConnectorException on error
*/
default SecretResponse readSecret(final String key) throws VaultConnectorException {
return read(PATH_SECRET + "/" + key);
}
/**
* Retrieve the latest secret data for specific version from Vault.
* <br>
* Prefix "secret/data" is automatically added to key.
* Only available for KV v2 secrets.
*
* @param key Secret identifier
* @return Secret response
* @throws VaultConnectorException on error
* @since 0.8
*/
default SecretResponse readSecretData(final String key) throws VaultConnectorException {
return readSecretVersion(key, null);
}
/**
* Retrieve the latest secret data for specific version from Vault.
* <br>
@ -437,22 +407,6 @@ public interface VaultConnector extends AutoCloseable, Serializable {
return readSecretVersion(mount, key, null);
}
/**
* Write secret to Vault.
* <br>
* Prefix {@code secret/} is automatically added to path.
* Only available for KV v2 secrets.
*
* @param key Secret identifier.
* @param data Secret content. Value must be be JSON serializable.
* @return Metadata for the created/updated secret.
* @throws VaultConnectorException on error
* @since 0.8
*/
default SecretVersionResponse writeSecretData(final String key, final Map<String, Object> data) throws VaultConnectorException {
return writeSecretData(PATH_SECRET, key, data, null);
}
/**
* Write secret to Vault.
* <br>
@ -486,22 +440,6 @@ public interface VaultConnector extends AutoCloseable, Serializable {
*/
SecretVersionResponse writeSecretData(final String mount, final String key, final Map<String, Object> data, final Integer cas) throws VaultConnectorException;
/**
* Retrieve secret data from Vault.
* <br>
* Path {@code <mount>/data/<key>} is read here.
* Only available for KV v2 secrets.
*
* @param key Secret identifier
* @param version Version to read. If {@code null} or zero, the latest version will be returned.
* @return Secret response
* @throws VaultConnectorException on error
* @since 0.8
*/
default SecretResponse readSecretVersion(final String key, final Integer version) throws VaultConnectorException {
return readSecretVersion(PATH_SECRET, key, version);
}
/**
* Retrieve secret data from Vault.
* <br>
@ -517,36 +455,6 @@ public interface VaultConnector extends AutoCloseable, Serializable {
*/
SecretResponse readSecretVersion(final String mount, final String key, final Integer version) throws VaultConnectorException;
/**
* Retrieve secret metadata from Vault.
* Path {@code secret/metadata/<key>} is read here.
* Only available for KV v2 secrets.
*
* @param key Secret identifier
* @return Metadata response
* @throws VaultConnectorException on error
* @since 0.8
*/
default MetadataResponse readSecretMetadata(final String key) throws VaultConnectorException {
return readSecretMetadata(PATH_SECRET, key);
}
/**
* Update secret metadata.
* <br>
* Path {@code secret/metadata/<key>} is read here.
* Only available for KV v2 secrets.
*
* @param key Secret identifier
* @param maxVersions Maximum number of versions (fallback to backend default if {@code null})
* @param casRequired Specify if Check-And-Set is required for this secret.
* @throws VaultConnectorException on error
* @since 0.8
*/
default void updateSecretMetadata(final String key, final Integer maxVersions, final boolean casRequired) throws VaultConnectorException {
updateSecretMetadata(PATH_SECRET, key, maxVersions, casRequired);
}
/**
* Retrieve secret metadata from Vault.
* <br>
@ -586,19 +494,6 @@ public interface VaultConnector extends AutoCloseable, Serializable {
*/
List<String> list(final String path) throws VaultConnectorException;
/**
* List available secrets from Vault.
* <br>
* Prefix {@code secret/} is automatically added to path.
*
* @param path Root path to search
* @return List of secret keys
* @throws VaultConnectorException on error
*/
default List<String> listSecrets(final String path) throws VaultConnectorException {
return list(PATH_SECRET + "/" + path);
}
/**
* Write simple value to Vault.
*
@ -634,36 +529,6 @@ public interface VaultConnector extends AutoCloseable, Serializable {
*/
void write(final String key, final Map<String, Object> data, final Map<String, Object> options) throws VaultConnectorException;
/**
* Write secret to Vault.
* <br>
* Prefix {@code secret/} is automatically added to path.
*
* @param key Secret path
* @param value Secret value
* @throws VaultConnectorException on error
*/
default void writeSecret(final String key, final String value) throws VaultConnectorException {
writeSecret(key, Collections.singletonMap("value", value));
}
/**
* Write secret to Vault.
* <br>
* Prefix {@code secret/} is automatically added to path.
*
* @param key Secret path
* @param data Secret content. Value must be be JSON serializable.
* @throws VaultConnectorException on error
* @since 0.5.0
*/
default void writeSecret(final String key, final Map<String, Object> data) throws VaultConnectorException {
if (key == null || key.isEmpty()) {
throw new InvalidRequestException("Secret path must not be empty.");
}
write(PATH_SECRET + "/" + key, data);
}
/**
* Delete key from Vault.
*
@ -673,31 +538,6 @@ public interface VaultConnector extends AutoCloseable, Serializable {
*/
void delete(final String key) throws VaultConnectorException;
/**
* Delete secret from Vault.
* <br>
* Prefix {@code secret/} is automatically added to path.
*
* @param key Secret path
* @throws VaultConnectorException on error
*/
default void deleteSecret(final String key) throws VaultConnectorException {
delete(PATH_SECRET + "/" + key);
}
/**
* Delete latest version of a secret from Vault.
* <br>
* Prefix {@code secret/} is automatically added to path. Only available for KV v2 stores.
*
* @param key Secret path.
* @throws VaultConnectorException on error
* @since 0.8
*/
default void deleteLatestSecretVersion(final String key) throws VaultConnectorException {
deleteLatestSecretVersion(PATH_SECRET, key);
}
/**
* Delete latest version of a secret from Vault.
* <br>
@ -710,20 +550,6 @@ public interface VaultConnector extends AutoCloseable, Serializable {
*/
void deleteLatestSecretVersion(final String mount, final String key) throws VaultConnectorException;
/**
* Delete latest version of a secret from Vault.
* <br>
* Prefix {@code secret/} is automatically added to path.
* Only available for KV v2 stores.
*
* @param key Secret path.
* @throws VaultConnectorException on error
* @since 0.8
*/
default void deleteAllSecretVersions(final String key) throws VaultConnectorException {
deleteAllSecretVersions(PATH_SECRET, key);
}
/**
* Delete latest version of a secret from Vault.
* <br>
@ -737,20 +563,6 @@ public interface VaultConnector extends AutoCloseable, Serializable {
*/
void deleteAllSecretVersions(final String mount, final String key) throws VaultConnectorException;
/**
* Delete secret versions from Vault.
* <br>
* Only available for KV v2 stores.
*
* @param key Secret path.
* @param versions Versions of the secret to delete.
* @throws VaultConnectorException on error
* @since 0.8
*/
default void deleteSecretVersions(final String key, final int... versions) throws VaultConnectorException {
deleteSecretVersions(PATH_SECRET, key, versions);
}
/**
* Delete secret versions from Vault.
* <br>
@ -764,19 +576,6 @@ public interface VaultConnector extends AutoCloseable, Serializable {
*/
void deleteSecretVersions(final String mount, final String key, final int... versions) throws VaultConnectorException;
/**
* Undelete (restore) secret versions from Vault.
* Only available for KV v2 stores.
*
* @param key Secret path.
* @param versions Versions of the secret to undelete.
* @throws VaultConnectorException on error
* @since 0.8
*/
default void undeleteSecretVersions(final String key, final int... versions) throws VaultConnectorException {
undeleteSecretVersions(PATH_SECRET, key, versions);
}
/**
* Undelete (restore) secret versions from Vault.
* Only available for KV v2 stores.
@ -789,19 +588,6 @@ public interface VaultConnector extends AutoCloseable, Serializable {
*/
void undeleteSecretVersions(final String mount, final String key, final int... versions) throws VaultConnectorException;
/**
* Destroy secret versions from Vault.
* Only available for KV v2 stores.
*
* @param key Secret path.
* @param versions Versions of the secret to destroy.
* @throws VaultConnectorException on error
* @since 0.8
*/
default void destroySecretVersions(final String key, final int... versions) throws VaultConnectorException {
destroySecretVersions(PATH_SECRET, key, versions);
}
/**
* Destroy secret versions from Vault.
* Only available for KV v2 stores.

38
src/test/java/de/stklcode/jvault/connector/HTTPVaultConnectorTest.java
View File

@ -119,7 +119,7 @@ class HTTPVaultConnectorTest {
@DisplayName("Read/Write Tests")
@TestMethodOrder(MethodOrderer.OrderAnnotation.class)
class ReadWriteTests {
private static final String SECRET_PATH = "userstore";
private static final String SECRET_PATH = "secret/userstore";
private static final String SECRET_KEY = "foo";
private static final String SECRET_VALUE = "bar";
private static final String SECRET_KEY_JSON = "json";
@ -138,11 +138,11 @@ class HTTPVaultConnectorTest {
/* Try to read path user has no permission to read */
SecretResponse res = null;
final String invalidPath = "invalid/path";
final String invalidPath = "secret/invalid/path";
VaultConnectorException e = assertThrows(
PermissionDeniedException.class,
() -> connector.readSecret(invalidPath),
() -> connector.read(invalidPath),
"Invalid secret path should raise an exception"
);
@ -154,14 +154,14 @@ class HTTPVaultConnectorTest {
/* Try to read accessible path with known value */
res = assertDoesNotThrow(
() -> connector.readSecret(SECRET_PATH + "/" + SECRET_KEY),
() -> connector.read(SECRET_PATH + "/" + SECRET_KEY),
"Valid secret path could not be read"
);
assertThat("Known secret returned invalid value.", res.get("value"), is(SECRET_VALUE));
/* Try to read accessible path with JSON value */
res = assertDoesNotThrow(
() -> connector.readSecret(SECRET_PATH + "/" + SECRET_KEY_JSON),
() -> connector.read(SECRET_PATH + "/" + SECRET_KEY_JSON),
"Valid secret path could not be read"
);
assertThat("Known secret returned null value.", res.get("value"), notNullValue());
@ -174,7 +174,7 @@ class HTTPVaultConnectorTest {
/* Try to read accessible path with JSON value */
res = assertDoesNotThrow(
() -> connector.readSecret(SECRET_PATH + "/" + SECRET_KEY_JSON),
() -> connector.read(SECRET_PATH + "/" + SECRET_KEY_JSON),
"Valid secret path could not be read"
);
assertThat("Known secret returned null value.", res.get("value"), notNullValue());
@ -187,7 +187,7 @@ class HTTPVaultConnectorTest {
/* Try to read accessible complex secret */
res = assertDoesNotThrow(
() -> connector.readSecret(SECRET_PATH + "/" + SECRET_KEY_COMPLEX),
() -> connector.read(SECRET_PATH + "/" + SECRET_KEY_COMPLEX),
"Valid secret path could not be read"
);
assertThat("Known secret returned null value.", res.getData(), notNullValue());
@ -207,7 +207,7 @@ class HTTPVaultConnectorTest {
assumeTrue(connector.isAuthorized());
/* Try to list secrets from valid path */
List<String> secrets = assertDoesNotThrow(
() -> connector.listSecrets(SECRET_PATH),
() -> connector.list(SECRET_PATH),
"Secrets could not be listed"
);
assertThat("Invalid nmber of secrets.", secrets.size(), greaterThan(0));
@ -228,31 +228,31 @@ class HTTPVaultConnectorTest {
/* Try to write to null path */
assertThrows(
InvalidRequestException.class,
() -> connector.writeSecret(null, "someValue"),
() -> connector.write(null, "someValue"),
"Secret written to null path."
);
/* Try to write to invalid path */
assertThrows(
InvalidRequestException.class,
() -> connector.writeSecret("", "someValue"),
() -> connector.write("", "someValue"),
"Secret written to invalid path."
);
/* Try to write to a path the user has no access for */
assertThrows(
PermissionDeniedException.class,
() -> connector.writeSecret("invalid/path", "someValue"),
() -> connector.write("invalid/path", "someValue"),
"Secret written to inaccessible path."
);
/* Perform a valid write/read roundtrip to valid path. Also check UTF8-encoding. */
assertDoesNotThrow(
() -> connector.writeSecret(SECRET_PATH + "/temp", "Abc123äöü,!"),
() -> connector.write(SECRET_PATH + "/temp", "Abc123äöü,!"),
"Failed to write secret to accessible path."
);
SecretResponse res = assertDoesNotThrow(
() -> connector.readSecret(SECRET_PATH + "/temp"),
() -> connector.read(SECRET_PATH + "/temp"),
"Written secret could not be read."
);
assertThat(res.get("value"), is("Abc123äöü,!"));
@ -270,25 +270,25 @@ class HTTPVaultConnectorTest {
/* Write a test secret to vault */
assertDoesNotThrow(
() -> connector.writeSecret(SECRET_PATH + "/toDelete", "secret content"),
() -> connector.write(SECRET_PATH + "/toDelete", "secret content"),
"Secret written to inaccessible path."
);
SecretResponse res = assertDoesNotThrow(
() -> connector.readSecret(SECRET_PATH + "/toDelete"),
() -> connector.read(SECRET_PATH + "/toDelete"),
"Written secret could not be read."
);
assumeTrue(res != null);
/* Delete secret */
assertDoesNotThrow(
() -> connector.deleteSecret(SECRET_PATH + "/toDelete"),
() -> connector.delete(SECRET_PATH + "/toDelete"),
"Revocation threw unexpected exception."
);
/* Try to read again */
InvalidResponseException e = assertThrows(
InvalidResponseException.class,
() -> connector.readSecret(SECRET_PATH + "/toDelete"),
() -> connector.read(SECRET_PATH + "/toDelete"),
"Successfully read deleted secret."
);
assertThat(e.getStatusCode(), is(404));
@ -306,11 +306,11 @@ class HTTPVaultConnectorTest {
/* Write a test secret to vault */
assertDoesNotThrow(
() -> connector.writeSecret(SECRET_PATH + "/toRevoke", "secret content"),
() -> connector.write(SECRET_PATH + "/toRevoke", "secret content"),
"Secret written to inaccessible path."
);
SecretResponse res = assertDoesNotThrow(
() -> connector.readSecret(SECRET_PATH + "/toRevoke"),
() -> connector.read(SECRET_PATH + "/toRevoke"),
"Written secret could not be read."
);
assumeTrue(res != null);