implement methods for token role handling (#27)

Create, update, read, delete and list token roles is now possible.

CHANGELOG.md

@@ -6,6 +6,7 @@
 
 ### Features
 * Support for token types (#26)
+* Support for token role handling (#27)
 
 ### Improvements
 * Added `entity_id`, `token_policies`, `token_type` and `orphan` flags to auth response

src/main/java/de/stklcode/jvault/connector/HTTPVaultConnector.java

@@ -20,10 +20,7 @@ import de.stklcode.jvault.connector.exception.AuthorizationRequiredException;
 import de.stklcode.jvault.connector.exception.InvalidRequestException;
 import de.stklcode.jvault.connector.exception.VaultConnectorException;
 import de.stklcode.jvault.connector.internal.RequestHelper;
-import de.stklcode.jvault.connector.model.AppRole;
+import de.stklcode.jvault.connector.model.*;
-import de.stklcode.jvault.connector.model.AppRoleSecret;
-import de.stklcode.jvault.connector.model.AuthBackend;
-import de.stklcode.jvault.connector.model.Token;
 import de.stklcode.jvault.connector.model.response.*;
 import de.stklcode.jvault.connector.model.response.embedded.AuthMethod;
 
@@ -49,6 +46,7 @@ public class HTTPVaultConnector implements VaultConnector {
     private static final String PATH_TOKEN = "auth/token";
     private static final String PATH_LOOKUP = "/lookup";
     private static final String PATH_CREATE = "/create";
+    private static final String PATH_ROLES = "/roles";
     private static final String PATH_CREATE_ORPHAN = "/create-orphan";
     private static final String PATH_AUTH_USERPASS = "auth/userpass/login/";
     private static final String PATH_AUTH_APPID = "auth/app-id/";
@@ -701,6 +699,51 @@ public class HTTPVaultConnector implements VaultConnector {
         return request.get(PATH_TOKEN + PATH_LOOKUP, param, token, TokenResponse.class);
     }
 
+    @Override
+    public boolean createOrUpdateTokenRole(final String name, final TokenRole role) throws VaultConnectorException {
+        requireAuth();
+
+        if (name == null) {
+            throw new InvalidRequestException("Role name must be provided.");
+        } else if (role == null) {
+            throw new InvalidRequestException("Role must be provided.");
+        }
+
+        // Issue request and expect code 204 with empty response.
+        request.postWithoutResponse(PATH_TOKEN + PATH_ROLES + "/" + name, role, token);
+
+        return true;
+    }
+
+    @Override
+    public TokenRoleResponse readTokenRole(final String name) throws VaultConnectorException {
+        requireAuth();
+
+        // Request HTTP response and parse response.
+        return request.get(PATH_TOKEN + PATH_ROLES + "/" + name, new HashMap<>(), token, TokenRoleResponse.class);
+    }
+
+    @Override
+    public List<String> listTokenRoles() throws VaultConnectorException {
+        requireAuth();
+
+        return list(PATH_TOKEN + PATH_ROLES);
+    }
+
+    @Override
+    public boolean deleteTokenRole(final String name) throws VaultConnectorException {
+        requireAuth();
+
+        if (name == null) {
+            throw new InvalidRequestException("Role name must be provided.");
+        }
+
+        // Issue request and expect code 204 with empty response.
+        request.deleteWithoutResponse(PATH_TOKEN + PATH_ROLES + "/" + name, token);
+
+        return true;
+    }
+
     /**
      * Check for required authorization.
      *

src/main/java/de/stklcode/jvault/connector/VaultConnector.java

@@ -233,7 +233,7 @@ public interface VaultConnector extends AutoCloseable, Serializable {
      * Delete AppRole role from Vault.
      *
      * @param roleName The role anme
-     * @return {@code true} on succevss
+     * @return {@code true} on success
      * @throws VaultConnectorException on error
      */
     boolean deleteAppRole(final String roleName) throws VaultConnectorException;
@@ -446,7 +446,7 @@ public interface VaultConnector extends AutoCloseable, Serializable {
      * Prefix {@code secret/} is automatically added to path.
      * Only available for KV v2 secrets.
      *
-     * @param key Secret identifier.
+     * @param key  Secret identifier.
      * @param data Secret content. Value must be be JSON serializable.
      * @return Metadata for the created/updated secret.
      * @throws VaultConnectorException on error
@@ -463,8 +463,8 @@ public interface VaultConnector extends AutoCloseable, Serializable {
      * Only available for KV v2 secrets.
      *
      * @param mount Secret store mountpoint (without leading or trailing slash).
-     * @param key Secret identifier
+     * @param key   Secret identifier
-     * @param data Secret content. Value must be be JSON serializable.
+     * @param data  Secret content. Value must be be JSON serializable.
      * @return Metadata for the created/updated secret.
      * @throws VaultConnectorException on error
      * @since 0.8
@@ -480,9 +480,9 @@ public interface VaultConnector extends AutoCloseable, Serializable {
      * Only available for KV v2 secrets.
      *
      * @param mount Secret store mountpoint (without leading or trailing slash).
-     * @param key Secret identifier
+     * @param key   Secret identifier
-     * @param data Secret content. Value must be be JSON serializable.
+     * @param data  Secret content. Value must be be JSON serializable.
-     * @param cas  Use Check-And-Set operation, i.e. only allow writing if current version matches this value.
+     * @param cas   Use Check-And-Set operation, i.e. only allow writing if current version matches this value.
      * @return Metadata for the created/updated secret.
      * @throws VaultConnectorException on error
      * @since 0.8
@@ -540,7 +540,7 @@ public interface VaultConnector extends AutoCloseable, Serializable {
      * Path {@code secret/metadata/<key>} is read here.
      * Only available for KV v2 secrets.
      *
-     * @param key Secret identifier
+     * @param key         Secret identifier
      * @param maxVersions Maximum number of versions (fallback to backend default if {@code null})
      * @param casRequired Specify if Check-And-Set is required for this secret.
      * @throws VaultConnectorException on error
@@ -737,8 +737,8 @@ public interface VaultConnector extends AutoCloseable, Serializable {
      * Prefix {@code secret/} is automatically added to path.
      * Only available for KV v2 stores.
      *
-     * @param mount    Secret store mountpoint (without leading or trailing slash).
+     * @param mount Secret store mountpoint (without leading or trailing slash).
-     * @param key Secret path.
+     * @param key   Secret path.
      * @throws VaultConnectorException on error
      * @since 0.8
      */
@@ -888,7 +888,57 @@ public interface VaultConnector extends AutoCloseable, Serializable {
      */
     TokenResponse lookupToken(final String token) throws VaultConnectorException;
 
+    /**
+     * Create a new or update an existing token role.
+     *
+     * @param role the role entity (name must be set)
+     * @return {@code true} on success
+     * @throws VaultConnectorException on error
+     * @since 0.9
+     */
+    default boolean createOrUpdateTokenRole(final TokenRole role) throws VaultConnectorException {
+        return createOrUpdateTokenRole(role.getName(), role);
+    }
 
+    /**
+     * Create a new or update an existing token role.
+     *
+     * @param name the role name (overrides name possibly set in role entity)
+     * @param role the role entity
+     * @return {@code true} on success
+     * @throws VaultConnectorException on error
+     * @since 0.9
+     */
+    boolean createOrUpdateTokenRole(final String name, final TokenRole role) throws VaultConnectorException;
+
+    /**
+     * Lookup token information.
+     *
+     * @param name the role name
+     * @return the result response
+     * @throws VaultConnectorException on error
+     * @since 0.9
+     */
+    TokenRoleResponse readTokenRole(final String name) throws VaultConnectorException;
+
+    /**
+     * List available token roles from Vault.
+     *
+     * @return List of token roles
+     * @throws VaultConnectorException on error
+     * @since 0.9
+     */
+    List<String> listTokenRoles() throws VaultConnectorException;
+
+    /**
+     * Delete a token role.
+     *
+     * @param name the role name to delete
+     * @return {@code true} on success
+     * @throws VaultConnectorException on error
+     * @since 0.9
+     */
+    boolean deleteTokenRole(final String name) throws VaultConnectorException;
 
     /**
      * Read credentials for MySQL backend at default mount point.

src/main/java/de/stklcode/jvault/connector/model/TokenRole.java

@@ -92,6 +92,11 @@ public final class TokenRole {
     @JsonInclude(JsonInclude.Include.NON_NULL)
     private String tokenType;
 
+    /**
+     * Construct empty {@link TokenRole} object.
+     */
+    public TokenRole() {
+    }
 
     /**
      * Construct complete {@link TokenRole} object.

src/main/java/de/stklcode/jvault/connector/model/TokenRoleBuilder.java

@@ -26,6 +26,7 @@ import java.util.List;
  * @since 0.9
  */
 public final class TokenRoleBuilder {
+    private String name;
     private List<String> allowedPolicies;
     private List<String> disallowedPolicies;
     private Boolean orphan;
@@ -39,6 +40,17 @@ public final class TokenRoleBuilder {
     private Integer tokenPeriod;
     private Token.Type tokenType;
 
+    /**
+     * Add token role name.
+     *
+     * @param name role name
+     * @return self
+     */
+    public TokenRoleBuilder forName(final String name) {
+        this.name = name;
+        return this;
+    }
+
     /**
      * Add an allowed policy.
      *
@@ -262,7 +274,7 @@ public final class TokenRoleBuilder {
      */
     public TokenRole build() {
         return new TokenRole(
-                null,
+                name,
                 allowedPolicies,
                 disallowedPolicies,
                 orphan,

src/main/java/de/stklcode/jvault/connector/model/response/TokenRoleResponse.java

@@ -0,0 +1,60 @@
+/*
+ * Copyright 2016-2020 Stefan Kalscheuer
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package de.stklcode.jvault.connector.model.response;
+
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import de.stklcode.jvault.connector.exception.InvalidResponseException;
+import de.stklcode.jvault.connector.model.TokenRole;
+import de.stklcode.jvault.connector.model.response.embedded.TokenData;
+
+import java.io.IOException;
+import java.util.Map;
+
+/**
+ * Vault response from token role lookup providing Token information in {@link TokenData} field.
+ *
+ * @author Stefan Kalscheuer
+ * @since 0.9
+ */
+@JsonIgnoreProperties(ignoreUnknown = true)
+public final class TokenRoleResponse extends VaultDataResponse {
+    private TokenRole data;
+
+    /**
+     * Set data. Parses response data map to {@link TokenRole}.
+     *
+     * @param data Raw response data
+     * @throws InvalidResponseException on parsing errors
+     */
+    @Override
+    public void setData(final Map<String, Object> data) throws InvalidResponseException {
+        ObjectMapper mapper = new ObjectMapper();
+        try {
+            this.data = mapper.readValue(mapper.writeValueAsString(data), TokenRole.class);
+        } catch (IOException e) {
+            throw new InvalidResponseException("Failed deserializing response", e);
+        }
+    }
+
+    /**
+     * @return TokenRole data
+     */
+    public TokenRole getData() {
+        return data;
+    }
+}

src/test/java/de/stklcode/jvault/connector/HTTPVaultConnectorTest.java

@@ -22,6 +22,7 @@ import de.stklcode.jvault.connector.exception.*;
 import de.stklcode.jvault.connector.model.AppRole;
 import de.stklcode.jvault.connector.model.AuthBackend;
 import de.stklcode.jvault.connector.model.Token;
+import de.stklcode.jvault.connector.model.TokenRole;
 import de.stklcode.jvault.connector.model.response.*;
 import de.stklcode.jvault.connector.test.Credentials;
 import de.stklcode.jvault.connector.test.VaultConfiguration;
@@ -39,8 +40,7 @@ import static org.apache.commons.io.FileUtils.copyDirectory;
 import static org.hamcrest.MatcherAssert.assertThat;
 import static org.hamcrest.Matchers.*;
 import static org.hamcrest.core.Is.is;
-import static org.junit.jupiter.api.Assertions.assertNotNull;
+import static org.junit.jupiter.api.Assertions.*;
-import static org.junit.jupiter.api.Assertions.fail;
 import static org.junit.jupiter.api.Assumptions.assumeFalse;
 import static org.junit.jupiter.api.Assumptions.assumeTrue;
 
@@ -1163,6 +1163,92 @@ public class HTTPVaultConnectorTest {
                 fail("Token creation failed.");
             }
         }
+
+        /**
+         * Test token role handling.
+         */
+        @Test
+        @Order(40)
+        @DisplayName("Token roles")
+        public void tokenRolesTest() {
+            authRoot();
+            assumeTrue(connector.isAuthorized());
+
+            // Create token role.
+            final String roleName = "test-role";
+            final TokenRole role = TokenRole.builder().build();
+
+            try {
+                assertThat(connector.createOrUpdateTokenRole(roleName, role), is(true));
+            } catch (VaultConnectorException e) {
+                fail("Token role creation failed.");
+            }
+
+            // Read the role.
+            TokenRoleResponse res = null;
+            try {
+                res = connector.readTokenRole(roleName);
+            } catch (VaultConnectorException e) {
+                fail("Reading token role failed.");
+            }
+
+            assertThat("Token role response must not be null", res, is(notNullValue()));
+            assertThat("Token role must not be null", res.getData(), is(notNullValue()));
+            assertThat("Token role name not as expected", res.getData().getName(), is(roleName));
+            assertThat("Token role expected to be renewable by default", res.getData().getRenewable(), is(true));
+            assertThat("Token role not expected to be orphan by default", res.getData().getOrphan(), is(false));
+            assertThat("Unexpected default token type", res.getData().getTokenType(), is(Token.Type.DEFAULT_SERVICE.value()));
+
+            // Update the role, i.e. change some attributes.
+            final TokenRole role2 = TokenRole.builder()
+                    .forName(roleName)
+                    .withPathSuffix("suffix")
+                    .orphan(true)
+                    .renewable(false)
+                    .withTokenNumUses(42)
+                    .build();
+
+            try {
+                assertThat(connector.createOrUpdateTokenRole(role2), is(true));
+            } catch (VaultConnectorException e) {
+                fail("Token role update failed.");
+            }
+
+            try {
+                res = connector.readTokenRole(roleName);
+            } catch (VaultConnectorException e) {
+                fail("Reading token role failed.");
+            }
+
+            assertThat("Token role response must not be null", res, is(notNullValue()));
+            assertThat("Token role must not be null", res.getData(), is(notNullValue()));
+            assertThat("Token role name not as expected", res.getData().getName(), is(roleName));
+            assertThat("Token role not expected to be renewable  after update", res.getData().getRenewable(), is(false));
+            assertThat("Token role expected to be orphan  after update", res.getData().getOrphan(), is(true));
+            assertThat("Unexpected number of token uses after update", res.getData().getTokenNumUses(), is(42));
+
+            // List roles.
+            List<String> listRes = null;
+            try {
+                listRes = connector.listTokenRoles();
+            } catch (VaultConnectorException e) {
+                fail("Listing token roles failed.");
+            }
+
+            assertThat("Token role list must not be null", listRes, is(notNullValue()));
+            assertThat("Unexpected number of token roles", listRes, hasSize(1));
+            assertThat("Unexpected token role in list", listRes, contains(roleName));
+
+            // Delete the role.
+            try {
+                assertThat(connector.deleteTokenRole(roleName), is(true));
+            } catch (VaultConnectorException e) {
+                fail("Token role deletion failed.");
+            }
+
+            assertThrows(InvalidResponseException.class, () -> connector.readTokenRole(roleName), "Reading inexistent token role should fail");
+            assertThrows(InvalidResponseException.class, () -> connector.listTokenRoles(), "Listing inexistent token roles should fail");
+        }
     }
 
     @Nested

src/test/java/de/stklcode/jvault/connector/model/TokenRoleBuilderTest.java

@@ -33,6 +33,7 @@ import static org.hamcrest.Matchers.*;
  * @since 0.9
  */
 public class TokenRoleBuilderTest {
+    private static final String NAME = "test-role";
     private static final String ALLOWED_POLICY_1 = "apol-1";
     private static final String ALLOWED_POLICY_2 = "apol-2";
     private static final String ALLOWED_POLICY_3 = "apol-3";
@@ -59,6 +60,7 @@ public class TokenRoleBuilderTest {
     private static final Token.Type TOKEN_TYPE = Token.Type.SERVICE;
 
     private static final String JSON_FULL = "{" +
+            "\"name\":\"" + NAME + "\"," +
             "\"allowed_policies\":[\"" + ALLOWED_POLICY_1 + "\",\"" + ALLOWED_POLICY_2 + "\",\"" + ALLOWED_POLICY_3 + "\"]," +
             "\"disallowed_policies\":[\"" + DISALLOWED_POLICY_1 + "\",\"" + DISALLOWED_POLICY_2 + "\",\"" + DISALLOWED_POLICY_3 + "\"]," +
             "\"orphan\":" + ORPHAN + "," +
@@ -100,6 +102,7 @@ public class TokenRoleBuilderTest {
     @Test
     public void buildNullTest() throws JsonProcessingException {
         TokenRole role = TokenRole.builder()
+                .forName(null)
                 .withAllowedPolicies(null)
                 .withAllowedPolicy(null)
                 .withDisallowedPolicy(null)
@@ -140,6 +143,7 @@ public class TokenRoleBuilderTest {
     @Test
     public void buildFullTest() throws JsonProcessingException {
         TokenRole role = TokenRole.builder()
+                .forName(NAME)
                 .withAllowedPolicies(ALLOWED_POLICIES)
                 .withAllowedPolicy(ALLOWED_POLICY_3)
                 .withDisallowedPolicy(DISALLOWED_POLICY_1)
@@ -157,7 +161,7 @@ public class TokenRoleBuilderTest {
                 .withTokenPeriod(TOKEN_PERIOD)
                 .withTokenType(TOKEN_TYPE)
                 .build();
-        assertThat(role.getName(), is(nullValue()));
+        assertThat(role.getName(), is(NAME));
         assertThat(role.getAllowedPolicies(), hasSize(ALLOWED_POLICIES.size() + 1));
         assertThat(role.getAllowedPolicies(), containsInAnyOrder(ALLOWED_POLICY_1, ALLOWED_POLICY_2, ALLOWED_POLICY_3));
         assertThat(role.getDisallowedPolicies(), hasSize(DISALLOWED_POLICIES.size() + 1));