implement methods for token role handling (#27)

Create, update, read, delete and list token roles is now possible.

src/main/java/de/stklcode/jvault/connector/HTTPVaultConnector.java

@@ -20,10 +20,7 @@ import de.stklcode.jvault.connector.exception.AuthorizationRequiredException;
 import de.stklcode.jvault.connector.exception.InvalidRequestException;
 import de.stklcode.jvault.connector.exception.VaultConnectorException;
 import de.stklcode.jvault.connector.internal.RequestHelper;
-import de.stklcode.jvault.connector.model.AppRole;
-import de.stklcode.jvault.connector.model.AppRoleSecret;
-import de.stklcode.jvault.connector.model.AuthBackend;
-import de.stklcode.jvault.connector.model.Token;
+import de.stklcode.jvault.connector.model.*;
 import de.stklcode.jvault.connector.model.response.*;
 import de.stklcode.jvault.connector.model.response.embedded.AuthMethod;
 
@@ -49,6 +46,7 @@ public class HTTPVaultConnector implements VaultConnector {
     private static final String PATH_TOKEN = "auth/token";
     private static final String PATH_LOOKUP = "/lookup";
     private static final String PATH_CREATE = "/create";
+    private static final String PATH_ROLES = "/roles";
     private static final String PATH_CREATE_ORPHAN = "/create-orphan";
     private static final String PATH_AUTH_USERPASS = "auth/userpass/login/";
     private static final String PATH_AUTH_APPID = "auth/app-id/";
@@ -530,7 +528,7 @@ public class HTTPVaultConnector implements VaultConnector {
         if (cas != null) {
             options.put("cas", cas);
         }
-        
+
         Map<String, Object> payload = new HashMap<>();
         payload.put("data", data);
         payload.put("options", options);
@@ -701,6 +699,51 @@ public class HTTPVaultConnector implements VaultConnector {
         return request.get(PATH_TOKEN + PATH_LOOKUP, param, token, TokenResponse.class);
     }
 
+    @Override
+    public boolean createOrUpdateTokenRole(final String name, final TokenRole role) throws VaultConnectorException {
+        requireAuth();
+
+        if (name == null) {
+            throw new InvalidRequestException("Role name must be provided.");
+        } else if (role == null) {
+            throw new InvalidRequestException("Role must be provided.");
+        }
+
+        // Issue request and expect code 204 with empty response.
+        request.postWithoutResponse(PATH_TOKEN + PATH_ROLES + "/" + name, role, token);
+
+        return true;
+    }
+
+    @Override
+    public TokenRoleResponse readTokenRole(final String name) throws VaultConnectorException {
+        requireAuth();
+
+        // Request HTTP response and parse response.
+        return request.get(PATH_TOKEN + PATH_ROLES + "/" + name, new HashMap<>(), token, TokenRoleResponse.class);
+    }
+
+    @Override
+    public List<String> listTokenRoles() throws VaultConnectorException {
+        requireAuth();
+
+        return list(PATH_TOKEN + PATH_ROLES);
+    }
+
+    @Override
+    public boolean deleteTokenRole(final String name) throws VaultConnectorException {
+        requireAuth();
+
+        if (name == null) {
+            throw new InvalidRequestException("Role name must be provided.");
+        }
+
+        // Issue request and expect code 204 with empty response.
+        request.deleteWithoutResponse(PATH_TOKEN + PATH_ROLES + "/" + name, token);
+
+        return true;
+    }
+
     /**
      * Check for required authorization.
      *

src/main/java/de/stklcode/jvault/connector/VaultConnector.java

@@ -233,7 +233,7 @@ public interface VaultConnector extends AutoCloseable, Serializable {
      * Delete AppRole role from Vault.
      *
      * @param roleName The role anme
-     * @return {@code true} on succevss
+     * @return {@code true} on success
      * @throws VaultConnectorException on error
      */
     boolean deleteAppRole(final String roleName) throws VaultConnectorException;
@@ -446,7 +446,7 @@ public interface VaultConnector extends AutoCloseable, Serializable {
      * Prefix {@code secret/} is automatically added to path.
      * Only available for KV v2 secrets.
      *
-     * @param key Secret identifier.
+     * @param key  Secret identifier.
      * @param data Secret content. Value must be be JSON serializable.
      * @return Metadata for the created/updated secret.
      * @throws VaultConnectorException on error
@@ -463,8 +463,8 @@ public interface VaultConnector extends AutoCloseable, Serializable {
      * Only available for KV v2 secrets.
      *
      * @param mount Secret store mountpoint (without leading or trailing slash).
-     * @param key Secret identifier
-     * @param data Secret content. Value must be be JSON serializable.
+     * @param key   Secret identifier
+     * @param data  Secret content. Value must be be JSON serializable.
      * @return Metadata for the created/updated secret.
      * @throws VaultConnectorException on error
      * @since 0.8
@@ -480,9 +480,9 @@ public interface VaultConnector extends AutoCloseable, Serializable {
      * Only available for KV v2 secrets.
      *
      * @param mount Secret store mountpoint (without leading or trailing slash).
-     * @param key Secret identifier
-     * @param data Secret content. Value must be be JSON serializable.
-     * @param cas  Use Check-And-Set operation, i.e. only allow writing if current version matches this value.
+     * @param key   Secret identifier
+     * @param data  Secret content. Value must be be JSON serializable.
+     * @param cas   Use Check-And-Set operation, i.e. only allow writing if current version matches this value.
      * @return Metadata for the created/updated secret.
      * @throws VaultConnectorException on error
      * @since 0.8
@@ -540,7 +540,7 @@ public interface VaultConnector extends AutoCloseable, Serializable {
      * Path {@code secret/metadata/<key>} is read here.
      * Only available for KV v2 secrets.
      *
-     * @param key Secret identifier
+     * @param key         Secret identifier
      * @param maxVersions Maximum number of versions (fallback to backend default if {@code null})
      * @param casRequired Specify if Check-And-Set is required for this secret.
      * @throws VaultConnectorException on error
@@ -737,8 +737,8 @@ public interface VaultConnector extends AutoCloseable, Serializable {
      * Prefix {@code secret/} is automatically added to path.
      * Only available for KV v2 stores.
      *
-     * @param mount    Secret store mountpoint (without leading or trailing slash).
-     * @param key Secret path.
+     * @param mount Secret store mountpoint (without leading or trailing slash).
+     * @param key   Secret path.
      * @throws VaultConnectorException on error
      * @since 0.8
      */
@@ -888,7 +888,57 @@ public interface VaultConnector extends AutoCloseable, Serializable {
      */
     TokenResponse lookupToken(final String token) throws VaultConnectorException;
 
+    /**
+     * Create a new or update an existing token role.
+     *
+     * @param role the role entity (name must be set)
+     * @return {@code true} on success
+     * @throws VaultConnectorException on error
+     * @since 0.9
+     */
+    default boolean createOrUpdateTokenRole(final TokenRole role) throws VaultConnectorException {
+        return createOrUpdateTokenRole(role.getName(), role);
+    }
 
+    /**
+     * Create a new or update an existing token role.
+     *
+     * @param name the role name (overrides name possibly set in role entity)
+     * @param role the role entity
+     * @return {@code true} on success
+     * @throws VaultConnectorException on error
+     * @since 0.9
+     */
+    boolean createOrUpdateTokenRole(final String name, final TokenRole role) throws VaultConnectorException;
+
+    /**
+     * Lookup token information.
+     *
+     * @param name the role name
+     * @return the result response
+     * @throws VaultConnectorException on error
+     * @since 0.9
+     */
+    TokenRoleResponse readTokenRole(final String name) throws VaultConnectorException;
+
+    /**
+     * List available token roles from Vault.
+     *
+     * @return List of token roles
+     * @throws VaultConnectorException on error
+     * @since 0.9
+     */
+    List<String> listTokenRoles() throws VaultConnectorException;
+
+    /**
+     * Delete a token role.
+     *
+     * @param name the role name to delete
+     * @return {@code true} on success
+     * @throws VaultConnectorException on error
+     * @since 0.9
+     */
+    boolean deleteTokenRole(final String name) throws VaultConnectorException;
 
     /**
      * Read credentials for MySQL backend at default mount point.

src/main/java/de/stklcode/jvault/connector/model/TokenRole.java

@@ -92,6 +92,11 @@ public final class TokenRole {
     @JsonInclude(JsonInclude.Include.NON_NULL)
     private String tokenType;
 
+    /**
+     * Construct empty {@link TokenRole} object.
+     */
+    public TokenRole() {
+    }
 
     /**
      * Construct complete {@link TokenRole} object.

src/main/java/de/stklcode/jvault/connector/model/TokenRoleBuilder.java

@@ -26,6 +26,7 @@ import java.util.List;
  * @since 0.9
  */
 public final class TokenRoleBuilder {
+    private String name;
     private List<String> allowedPolicies;
     private List<String> disallowedPolicies;
     private Boolean orphan;
@@ -39,6 +40,17 @@ public final class TokenRoleBuilder {
     private Integer tokenPeriod;
     private Token.Type tokenType;
 
+    /**
+     * Add token role name.
+     *
+     * @param name role name
+     * @return self
+     */
+    public TokenRoleBuilder forName(final String name) {
+        this.name = name;
+        return this;
+    }
+
     /**
      * Add an allowed policy.
      *
@@ -262,7 +274,7 @@ public final class TokenRoleBuilder {
      */
     public TokenRole build() {
         return new TokenRole(
-                null,
+                name,
                 allowedPolicies,
                 disallowedPolicies,
                 orphan,

src/main/java/de/stklcode/jvault/connector/model/response/TokenRoleResponse.java

@@ -0,0 +1,60 @@
+/*
+ * Copyright 2016-2020 Stefan Kalscheuer
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package de.stklcode.jvault.connector.model.response;
+
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import de.stklcode.jvault.connector.exception.InvalidResponseException;
+import de.stklcode.jvault.connector.model.TokenRole;
+import de.stklcode.jvault.connector.model.response.embedded.TokenData;
+
+import java.io.IOException;
+import java.util.Map;
+
+/**
+ * Vault response from token role lookup providing Token information in {@link TokenData} field.
+ *
+ * @author Stefan Kalscheuer
+ * @since 0.9
+ */
+@JsonIgnoreProperties(ignoreUnknown = true)
+public final class TokenRoleResponse extends VaultDataResponse {
+    private TokenRole data;
+
+    /**
+     * Set data. Parses response data map to {@link TokenRole}.
+     *
+     * @param data Raw response data
+     * @throws InvalidResponseException on parsing errors
+     */
+    @Override
+    public void setData(final Map<String, Object> data) throws InvalidResponseException {
+        ObjectMapper mapper = new ObjectMapper();
+        try {
+            this.data = mapper.readValue(mapper.writeValueAsString(data), TokenRole.class);
+        } catch (IOException e) {
+            throw new InvalidResponseException("Failed deserializing response", e);
+        }
+    }
+
+    /**
+     * @return TokenRole data
+     */
+    public TokenRole getData() {
+        return data;
+    }
+}