From c0708bd288727a1234fb379c74c1c43c9c059620 Mon Sep 17 00:00:00 2001 From: Stefan Kalscheuer Date: Mon, 6 Apr 2020 18:36:42 +0200 Subject: [PATCH] implement methods for token role handling (#27) Create, update, read, delete and list token roles is now possible. --- CHANGELOG.md | 1 + .../jvault/connector/HTTPVaultConnector.java | 53 +++++++++-- .../jvault/connector/VaultConnector.java | 70 ++++++++++++--- .../jvault/connector/model/TokenRole.java | 5 ++ .../connector/model/TokenRoleBuilder.java | 14 ++- .../model/response/TokenRoleResponse.java | 60 +++++++++++++ .../connector/HTTPVaultConnectorTest.java | 90 ++++++++++++++++++- .../connector/model/TokenRoleBuilderTest.java | 6 +- 8 files changed, 280 insertions(+), 19 deletions(-) create mode 100644 src/main/java/de/stklcode/jvault/connector/model/response/TokenRoleResponse.java diff --git a/CHANGELOG.md b/CHANGELOG.md index a107dea..2d5f545 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -6,6 +6,7 @@ ### Features * Support for token types (#26) +* Support for token role handling (#27) ### Improvements * Added `entity_id`, `token_policies`, `token_type` and `orphan` flags to auth response diff --git a/src/main/java/de/stklcode/jvault/connector/HTTPVaultConnector.java b/src/main/java/de/stklcode/jvault/connector/HTTPVaultConnector.java index 2494b12..980e876 100644 --- a/src/main/java/de/stklcode/jvault/connector/HTTPVaultConnector.java +++ b/src/main/java/de/stklcode/jvault/connector/HTTPVaultConnector.java @@ -20,10 +20,7 @@ import de.stklcode.jvault.connector.exception.AuthorizationRequiredException; import de.stklcode.jvault.connector.exception.InvalidRequestException; import de.stklcode.jvault.connector.exception.VaultConnectorException; import de.stklcode.jvault.connector.internal.RequestHelper; -import de.stklcode.jvault.connector.model.AppRole; -import de.stklcode.jvault.connector.model.AppRoleSecret; -import de.stklcode.jvault.connector.model.AuthBackend; -import de.stklcode.jvault.connector.model.Token; +import de.stklcode.jvault.connector.model.*; import de.stklcode.jvault.connector.model.response.*; import de.stklcode.jvault.connector.model.response.embedded.AuthMethod; @@ -49,6 +46,7 @@ public class HTTPVaultConnector implements VaultConnector { private static final String PATH_TOKEN = "auth/token"; private static final String PATH_LOOKUP = "/lookup"; private static final String PATH_CREATE = "/create"; + private static final String PATH_ROLES = "/roles"; private static final String PATH_CREATE_ORPHAN = "/create-orphan"; private static final String PATH_AUTH_USERPASS = "auth/userpass/login/"; private static final String PATH_AUTH_APPID = "auth/app-id/"; @@ -530,7 +528,7 @@ public class HTTPVaultConnector implements VaultConnector { if (cas != null) { options.put("cas", cas); } - + Map payload = new HashMap<>(); payload.put("data", data); payload.put("options", options); @@ -701,6 +699,51 @@ public class HTTPVaultConnector implements VaultConnector { return request.get(PATH_TOKEN + PATH_LOOKUP, param, token, TokenResponse.class); } + @Override + public boolean createOrUpdateTokenRole(final String name, final TokenRole role) throws VaultConnectorException { + requireAuth(); + + if (name == null) { + throw new InvalidRequestException("Role name must be provided."); + } else if (role == null) { + throw new InvalidRequestException("Role must be provided."); + } + + // Issue request and expect code 204 with empty response. + request.postWithoutResponse(PATH_TOKEN + PATH_ROLES + "/" + name, role, token); + + return true; + } + + @Override + public TokenRoleResponse readTokenRole(final String name) throws VaultConnectorException { + requireAuth(); + + // Request HTTP response and parse response. + return request.get(PATH_TOKEN + PATH_ROLES + "/" + name, new HashMap<>(), token, TokenRoleResponse.class); + } + + @Override + public List listTokenRoles() throws VaultConnectorException { + requireAuth(); + + return list(PATH_TOKEN + PATH_ROLES); + } + + @Override + public boolean deleteTokenRole(final String name) throws VaultConnectorException { + requireAuth(); + + if (name == null) { + throw new InvalidRequestException("Role name must be provided."); + } + + // Issue request and expect code 204 with empty response. + request.deleteWithoutResponse(PATH_TOKEN + PATH_ROLES + "/" + name, token); + + return true; + } + /** * Check for required authorization. * diff --git a/src/main/java/de/stklcode/jvault/connector/VaultConnector.java b/src/main/java/de/stklcode/jvault/connector/VaultConnector.java index 83b9187..de7579d 100644 --- a/src/main/java/de/stklcode/jvault/connector/VaultConnector.java +++ b/src/main/java/de/stklcode/jvault/connector/VaultConnector.java @@ -233,7 +233,7 @@ public interface VaultConnector extends AutoCloseable, Serializable { * Delete AppRole role from Vault. * * @param roleName The role anme - * @return {@code true} on succevss + * @return {@code true} on success * @throws VaultConnectorException on error */ boolean deleteAppRole(final String roleName) throws VaultConnectorException; @@ -446,7 +446,7 @@ public interface VaultConnector extends AutoCloseable, Serializable { * Prefix {@code secret/} is automatically added to path. * Only available for KV v2 secrets. * - * @param key Secret identifier. + * @param key Secret identifier. * @param data Secret content. Value must be be JSON serializable. * @return Metadata for the created/updated secret. * @throws VaultConnectorException on error @@ -463,8 +463,8 @@ public interface VaultConnector extends AutoCloseable, Serializable { * Only available for KV v2 secrets. * * @param mount Secret store mountpoint (without leading or trailing slash). - * @param key Secret identifier - * @param data Secret content. Value must be be JSON serializable. + * @param key Secret identifier + * @param data Secret content. Value must be be JSON serializable. * @return Metadata for the created/updated secret. * @throws VaultConnectorException on error * @since 0.8 @@ -480,9 +480,9 @@ public interface VaultConnector extends AutoCloseable, Serializable { * Only available for KV v2 secrets. * * @param mount Secret store mountpoint (without leading or trailing slash). - * @param key Secret identifier - * @param data Secret content. Value must be be JSON serializable. - * @param cas Use Check-And-Set operation, i.e. only allow writing if current version matches this value. + * @param key Secret identifier + * @param data Secret content. Value must be be JSON serializable. + * @param cas Use Check-And-Set operation, i.e. only allow writing if current version matches this value. * @return Metadata for the created/updated secret. * @throws VaultConnectorException on error * @since 0.8 @@ -540,7 +540,7 @@ public interface VaultConnector extends AutoCloseable, Serializable { * Path {@code secret/metadata/} is read here. * Only available for KV v2 secrets. * - * @param key Secret identifier + * @param key Secret identifier * @param maxVersions Maximum number of versions (fallback to backend default if {@code null}) * @param casRequired Specify if Check-And-Set is required for this secret. * @throws VaultConnectorException on error @@ -737,8 +737,8 @@ public interface VaultConnector extends AutoCloseable, Serializable { * Prefix {@code secret/} is automatically added to path. * Only available for KV v2 stores. * - * @param mount Secret store mountpoint (without leading or trailing slash). - * @param key Secret path. + * @param mount Secret store mountpoint (without leading or trailing slash). + * @param key Secret path. * @throws VaultConnectorException on error * @since 0.8 */ @@ -888,7 +888,57 @@ public interface VaultConnector extends AutoCloseable, Serializable { */ TokenResponse lookupToken(final String token) throws VaultConnectorException; + /** + * Create a new or update an existing token role. + * + * @param role the role entity (name must be set) + * @return {@code true} on success + * @throws VaultConnectorException on error + * @since 0.9 + */ + default boolean createOrUpdateTokenRole(final TokenRole role) throws VaultConnectorException { + return createOrUpdateTokenRole(role.getName(), role); + } + /** + * Create a new or update an existing token role. + * + * @param name the role name (overrides name possibly set in role entity) + * @param role the role entity + * @return {@code true} on success + * @throws VaultConnectorException on error + * @since 0.9 + */ + boolean createOrUpdateTokenRole(final String name, final TokenRole role) throws VaultConnectorException; + + /** + * Lookup token information. + * + * @param name the role name + * @return the result response + * @throws VaultConnectorException on error + * @since 0.9 + */ + TokenRoleResponse readTokenRole(final String name) throws VaultConnectorException; + + /** + * List available token roles from Vault. + * + * @return List of token roles + * @throws VaultConnectorException on error + * @since 0.9 + */ + List listTokenRoles() throws VaultConnectorException; + + /** + * Delete a token role. + * + * @param name the role name to delete + * @return {@code true} on success + * @throws VaultConnectorException on error + * @since 0.9 + */ + boolean deleteTokenRole(final String name) throws VaultConnectorException; /** * Read credentials for MySQL backend at default mount point. diff --git a/src/main/java/de/stklcode/jvault/connector/model/TokenRole.java b/src/main/java/de/stklcode/jvault/connector/model/TokenRole.java index 160cda0..a980408 100644 --- a/src/main/java/de/stklcode/jvault/connector/model/TokenRole.java +++ b/src/main/java/de/stklcode/jvault/connector/model/TokenRole.java @@ -92,6 +92,11 @@ public final class TokenRole { @JsonInclude(JsonInclude.Include.NON_NULL) private String tokenType; + /** + * Construct empty {@link TokenRole} object. + */ + public TokenRole() { + } /** * Construct complete {@link TokenRole} object. diff --git a/src/main/java/de/stklcode/jvault/connector/model/TokenRoleBuilder.java b/src/main/java/de/stklcode/jvault/connector/model/TokenRoleBuilder.java index 2a79a1c..0c5a4b8 100644 --- a/src/main/java/de/stklcode/jvault/connector/model/TokenRoleBuilder.java +++ b/src/main/java/de/stklcode/jvault/connector/model/TokenRoleBuilder.java @@ -26,6 +26,7 @@ import java.util.List; * @since 0.9 */ public final class TokenRoleBuilder { + private String name; private List allowedPolicies; private List disallowedPolicies; private Boolean orphan; @@ -39,6 +40,17 @@ public final class TokenRoleBuilder { private Integer tokenPeriod; private Token.Type tokenType; + /** + * Add token role name. + * + * @param name role name + * @return self + */ + public TokenRoleBuilder forName(final String name) { + this.name = name; + return this; + } + /** * Add an allowed policy. * @@ -262,7 +274,7 @@ public final class TokenRoleBuilder { */ public TokenRole build() { return new TokenRole( - null, + name, allowedPolicies, disallowedPolicies, orphan, diff --git a/src/main/java/de/stklcode/jvault/connector/model/response/TokenRoleResponse.java b/src/main/java/de/stklcode/jvault/connector/model/response/TokenRoleResponse.java new file mode 100644 index 0000000..68c11cd --- /dev/null +++ b/src/main/java/de/stklcode/jvault/connector/model/response/TokenRoleResponse.java @@ -0,0 +1,60 @@ +/* + * Copyright 2016-2020 Stefan Kalscheuer + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package de.stklcode.jvault.connector.model.response; + +import com.fasterxml.jackson.annotation.JsonIgnoreProperties; +import com.fasterxml.jackson.databind.ObjectMapper; +import de.stklcode.jvault.connector.exception.InvalidResponseException; +import de.stklcode.jvault.connector.model.TokenRole; +import de.stklcode.jvault.connector.model.response.embedded.TokenData; + +import java.io.IOException; +import java.util.Map; + +/** + * Vault response from token role lookup providing Token information in {@link TokenData} field. + * + * @author Stefan Kalscheuer + * @since 0.9 + */ +@JsonIgnoreProperties(ignoreUnknown = true) +public final class TokenRoleResponse extends VaultDataResponse { + private TokenRole data; + + /** + * Set data. Parses response data map to {@link TokenRole}. + * + * @param data Raw response data + * @throws InvalidResponseException on parsing errors + */ + @Override + public void setData(final Map data) throws InvalidResponseException { + ObjectMapper mapper = new ObjectMapper(); + try { + this.data = mapper.readValue(mapper.writeValueAsString(data), TokenRole.class); + } catch (IOException e) { + throw new InvalidResponseException("Failed deserializing response", e); + } + } + + /** + * @return TokenRole data + */ + public TokenRole getData() { + return data; + } +} diff --git a/src/test/java/de/stklcode/jvault/connector/HTTPVaultConnectorTest.java b/src/test/java/de/stklcode/jvault/connector/HTTPVaultConnectorTest.java index 3e6d497..892b5f2 100644 --- a/src/test/java/de/stklcode/jvault/connector/HTTPVaultConnectorTest.java +++ b/src/test/java/de/stklcode/jvault/connector/HTTPVaultConnectorTest.java @@ -22,6 +22,7 @@ import de.stklcode.jvault.connector.exception.*; import de.stklcode.jvault.connector.model.AppRole; import de.stklcode.jvault.connector.model.AuthBackend; import de.stklcode.jvault.connector.model.Token; +import de.stklcode.jvault.connector.model.TokenRole; import de.stklcode.jvault.connector.model.response.*; import de.stklcode.jvault.connector.test.Credentials; import de.stklcode.jvault.connector.test.VaultConfiguration; @@ -39,8 +40,7 @@ import static org.apache.commons.io.FileUtils.copyDirectory; import static org.hamcrest.MatcherAssert.assertThat; import static org.hamcrest.Matchers.*; import static org.hamcrest.core.Is.is; -import static org.junit.jupiter.api.Assertions.assertNotNull; -import static org.junit.jupiter.api.Assertions.fail; +import static org.junit.jupiter.api.Assertions.*; import static org.junit.jupiter.api.Assumptions.assumeFalse; import static org.junit.jupiter.api.Assumptions.assumeTrue; @@ -1163,6 +1163,92 @@ public class HTTPVaultConnectorTest { fail("Token creation failed."); } } + + /** + * Test token role handling. + */ + @Test + @Order(40) + @DisplayName("Token roles") + public void tokenRolesTest() { + authRoot(); + assumeTrue(connector.isAuthorized()); + + // Create token role. + final String roleName = "test-role"; + final TokenRole role = TokenRole.builder().build(); + + try { + assertThat(connector.createOrUpdateTokenRole(roleName, role), is(true)); + } catch (VaultConnectorException e) { + fail("Token role creation failed."); + } + + // Read the role. + TokenRoleResponse res = null; + try { + res = connector.readTokenRole(roleName); + } catch (VaultConnectorException e) { + fail("Reading token role failed."); + } + + assertThat("Token role response must not be null", res, is(notNullValue())); + assertThat("Token role must not be null", res.getData(), is(notNullValue())); + assertThat("Token role name not as expected", res.getData().getName(), is(roleName)); + assertThat("Token role expected to be renewable by default", res.getData().getRenewable(), is(true)); + assertThat("Token role not expected to be orphan by default", res.getData().getOrphan(), is(false)); + assertThat("Unexpected default token type", res.getData().getTokenType(), is(Token.Type.DEFAULT_SERVICE.value())); + + // Update the role, i.e. change some attributes. + final TokenRole role2 = TokenRole.builder() + .forName(roleName) + .withPathSuffix("suffix") + .orphan(true) + .renewable(false) + .withTokenNumUses(42) + .build(); + + try { + assertThat(connector.createOrUpdateTokenRole(role2), is(true)); + } catch (VaultConnectorException e) { + fail("Token role update failed."); + } + + try { + res = connector.readTokenRole(roleName); + } catch (VaultConnectorException e) { + fail("Reading token role failed."); + } + + assertThat("Token role response must not be null", res, is(notNullValue())); + assertThat("Token role must not be null", res.getData(), is(notNullValue())); + assertThat("Token role name not as expected", res.getData().getName(), is(roleName)); + assertThat("Token role not expected to be renewable after update", res.getData().getRenewable(), is(false)); + assertThat("Token role expected to be orphan after update", res.getData().getOrphan(), is(true)); + assertThat("Unexpected number of token uses after update", res.getData().getTokenNumUses(), is(42)); + + // List roles. + List listRes = null; + try { + listRes = connector.listTokenRoles(); + } catch (VaultConnectorException e) { + fail("Listing token roles failed."); + } + + assertThat("Token role list must not be null", listRes, is(notNullValue())); + assertThat("Unexpected number of token roles", listRes, hasSize(1)); + assertThat("Unexpected token role in list", listRes, contains(roleName)); + + // Delete the role. + try { + assertThat(connector.deleteTokenRole(roleName), is(true)); + } catch (VaultConnectorException e) { + fail("Token role deletion failed."); + } + + assertThrows(InvalidResponseException.class, () -> connector.readTokenRole(roleName), "Reading inexistent token role should fail"); + assertThrows(InvalidResponseException.class, () -> connector.listTokenRoles(), "Listing inexistent token roles should fail"); + } } @Nested diff --git a/src/test/java/de/stklcode/jvault/connector/model/TokenRoleBuilderTest.java b/src/test/java/de/stklcode/jvault/connector/model/TokenRoleBuilderTest.java index 483a024..f738fbc 100644 --- a/src/test/java/de/stklcode/jvault/connector/model/TokenRoleBuilderTest.java +++ b/src/test/java/de/stklcode/jvault/connector/model/TokenRoleBuilderTest.java @@ -33,6 +33,7 @@ import static org.hamcrest.Matchers.*; * @since 0.9 */ public class TokenRoleBuilderTest { + private static final String NAME = "test-role"; private static final String ALLOWED_POLICY_1 = "apol-1"; private static final String ALLOWED_POLICY_2 = "apol-2"; private static final String ALLOWED_POLICY_3 = "apol-3"; @@ -59,6 +60,7 @@ public class TokenRoleBuilderTest { private static final Token.Type TOKEN_TYPE = Token.Type.SERVICE; private static final String JSON_FULL = "{" + + "\"name\":\"" + NAME + "\"," + "\"allowed_policies\":[\"" + ALLOWED_POLICY_1 + "\",\"" + ALLOWED_POLICY_2 + "\",\"" + ALLOWED_POLICY_3 + "\"]," + "\"disallowed_policies\":[\"" + DISALLOWED_POLICY_1 + "\",\"" + DISALLOWED_POLICY_2 + "\",\"" + DISALLOWED_POLICY_3 + "\"]," + "\"orphan\":" + ORPHAN + "," + @@ -100,6 +102,7 @@ public class TokenRoleBuilderTest { @Test public void buildNullTest() throws JsonProcessingException { TokenRole role = TokenRole.builder() + .forName(null) .withAllowedPolicies(null) .withAllowedPolicy(null) .withDisallowedPolicy(null) @@ -140,6 +143,7 @@ public class TokenRoleBuilderTest { @Test public void buildFullTest() throws JsonProcessingException { TokenRole role = TokenRole.builder() + .forName(NAME) .withAllowedPolicies(ALLOWED_POLICIES) .withAllowedPolicy(ALLOWED_POLICY_3) .withDisallowedPolicy(DISALLOWED_POLICY_1) @@ -157,7 +161,7 @@ public class TokenRoleBuilderTest { .withTokenPeriod(TOKEN_PERIOD) .withTokenType(TOKEN_TYPE) .build(); - assertThat(role.getName(), is(nullValue())); + assertThat(role.getName(), is(NAME)); assertThat(role.getAllowedPolicies(), hasSize(ALLOWED_POLICIES.size() + 1)); assertThat(role.getAllowedPolicies(), containsInAnyOrder(ALLOWED_POLICY_1, ALLOWED_POLICY_2, ALLOWED_POLICY_3)); assertThat(role.getDisallowedPolicies(), hasSize(DISALLOWED_POLICIES.size() + 1));