diff --git a/CHANGELOG.md b/CHANGELOG.md index 2d5f545..7152a1f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -11,8 +11,17 @@ ### Improvements * Added `entity_id`, `token_policies`, `token_type` and `orphan` flags to auth response * Added `entity_id`, `expire_time`, `explicit_max_ttl`, `issue_time`, `renewable` and `type` flags to token data +* Added `enable_local_secret_ids`, `token_bound_cidrs`, `token_explicit_max_ttl`, `token_no_default_policy`, + `token_num_uses`, `token_period` and `token_type` flags to _AppRole_ model * Minor dependency updates +### Deprecations +* `AppRole#getPolicies()` and `#setPolicies()` are deprecated in favor of `#getTokenPolicies()` and `#setTokenPolicies()` +* `AppRole#getPeriod()` is deprecated in favor of `#getTokenPeriod()` + +### Removals +* Deprecated methods `AppRole#getBoundCidrList()`, `#setBoundCidrList()` and `getBoundCidrListString()` have been removed. + ## 0.8.2 (2019-10-20) diff --git a/src/main/java/de/stklcode/jvault/connector/VaultConnector.java b/src/main/java/de/stklcode/jvault/connector/VaultConnector.java index e21ec11..0b0adb9 100644 --- a/src/main/java/de/stklcode/jvault/connector/VaultConnector.java +++ b/src/main/java/de/stklcode/jvault/connector/VaultConnector.java @@ -226,7 +226,7 @@ public interface VaultConnector extends AutoCloseable, Serializable { */ default boolean createAppRole(final String roleName, final List policies, final String roleID) throws VaultConnectorException { - return createAppRole(new AppRoleBuilder(roleName).withPolicies(policies).withId(roleID).build()); + return createAppRole(new AppRoleBuilder(roleName).withTokenPolicies(policies).withId(roleID).build()); } /** diff --git a/src/main/java/de/stklcode/jvault/connector/model/AppRole.java b/src/main/java/de/stklcode/jvault/connector/model/AppRole.java index 4ee4546..8dbb1a6 100644 --- a/src/main/java/de/stklcode/jvault/connector/model/AppRole.java +++ b/src/main/java/de/stklcode/jvault/connector/model/AppRole.java @@ -50,12 +50,8 @@ public final class AppRole { @JsonInclude(JsonInclude.Include.NON_NULL) private Boolean bindSecretId; - private List boundCidrList; - private List secretIdBoundCidrs; - private List policies; - @JsonProperty("secret_id_num_uses") @JsonInclude(JsonInclude.Include.NON_NULL) private Integer secretIdNumUses; @@ -64,6 +60,10 @@ public final class AppRole { @JsonInclude(JsonInclude.Include.NON_NULL) private Integer secretIdTtl; + @JsonProperty("enable_local_secret_ids") + @JsonInclude(JsonInclude.Include.NON_NULL) + private Boolean enableLocalSecretIds; + @JsonProperty("token_ttl") @JsonInclude(JsonInclude.Include.NON_NULL) private Integer tokenTtl; @@ -72,9 +72,31 @@ public final class AppRole { @JsonInclude(JsonInclude.Include.NON_NULL) private Integer tokenMaxTtl; - @JsonProperty("period") + private List tokenPolicies; + + @JsonProperty("token_bound_cidrs") @JsonInclude(JsonInclude.Include.NON_NULL) - private Integer period; + private List tokenBoundCidrs; + + @JsonProperty("token_explicit_max_ttl") + @JsonInclude(JsonInclude.Include.NON_NULL) + private Integer tokenExplicitMaxTtl; + + @JsonProperty("token_no_default_policy") + @JsonInclude(JsonInclude.Include.NON_NULL) + private Boolean tokenNoDefaultPolicy; + + @JsonProperty("token_num_uses") + @JsonInclude(JsonInclude.Include.NON_NULL) + private Integer tokenNumUses; + + @JsonProperty("token_period") + @JsonInclude(JsonInclude.Include.NON_NULL) + private Integer tokenPeriod; + + @JsonProperty("token_type") + @JsonInclude(JsonInclude.Include.NON_NULL) + private String tokenType; /** * Construct empty {@link AppRole} object. @@ -83,66 +105,49 @@ public final class AppRole { } - /** - * Construct complete {@link AppRole} object. - * - * @param name Role name (required) - * @param id Role ID (optional) - * @param bindSecretId Bind secret ID (optional) - * @param secretIdBoundCidrs Whitelist of subnets in CIDR notation (optional) - * @param policies List of policies (optional) - * @param secretIdNumUses Maximum number of uses per secret (optional) - * @param secretIdTtl Maximum TTL in seconds for secrets (optional) - * @param tokenTtl Token TTL in seconds (optional) - * @param tokenMaxTtl Maximum token TTL in seconds, including renewals (optional) - * @param period Duration in seconds, if set the token is a periodic token (optional) - */ - public AppRole(final String name, final String id, final Boolean bindSecretId, final List secretIdBoundCidrs, - final List policies, final Integer secretIdNumUses, final Integer secretIdTtl, - final Integer tokenTtl, final Integer tokenMaxTtl, final Integer period) { - this.name = name; - this.id = id; - this.bindSecretId = bindSecretId; - this.secretIdBoundCidrs = secretIdBoundCidrs; - this.policies = policies; - this.secretIdNumUses = secretIdNumUses; - this.secretIdTtl = secretIdTtl; - this.tokenTtl = tokenTtl; - this.tokenMaxTtl = tokenMaxTtl; - this.period = period; - } - /** * Construct complete {@link AppRole} object. *

* This constructor is used for transition from {@code bound_cidr_list} to {@code secret_id_bound_cidrs} only. * - * @param name Role name (required) - * @param id Role ID (optional) - * @param bindSecretId Bind secret ID (optional) - * @param boundCidrList Whitelist of subnets in CIDR notation (optional) - * @param secretIdBoundCidrs Whitelist of subnets in CIDR notation (optional) - * @param policies List of policies (optional) - * @param secretIdNumUses Maximum number of uses per secret (optional) - * @param secretIdTtl Maximum TTL in seconds for secrets (optional) - * @param tokenTtl Token TTL in seconds (optional) - * @param tokenMaxTtl Maximum token TTL in seconds, including renewals (optional) - * @param period Duration in seconds, if set the token is a periodic token (optional) + * @param name Role name (required) + * @param id Role ID (optional) + * @param bindSecretId Bind secret ID (optional) + * @param secretIdBoundCidrs Whitelist of subnets in CIDR notation (optional) + * @param secretIdNumUses Maximum number of uses per secret (optional) + * @param secretIdTtl Maximum TTL in seconds for secrets (optional) + * @param enableLocalSecretIds Enable local secret IDs (optional) + * @param tokenTtl Token TTL in seconds (optional) + * @param tokenMaxTtl Maximum token TTL in seconds, including renewals (optional) + * @param tokenPolicies List of token policies (optional) + * @param tokenBoundCidrs Whitelist of subnets in CIDR notation for associated tokens (optional) + * @param tokenExplicitMaxTtl Explicit maximum TTL for associated tokens (optional) + * @param tokenNoDefaultPolicy Enable or disable default policy for associated tokens (optional) + * @param tokenNumUses Number of uses for tokens (optional) + * @param tokenPeriod Duration in seconds, if set the token is a periodic token (optional) + * @param tokenType Token type (optional) */ - AppRole(final String name, final String id, final Boolean bindSecretId, final List boundCidrList, - final List secretIdBoundCidrs, final List policies, final Integer secretIdNumUses, - final Integer secretIdTtl, final Integer tokenTtl, final Integer tokenMaxTtl, final Integer period) { + AppRole(final String name, final String id, final Boolean bindSecretId, final List secretIdBoundCidrs, + final Integer secretIdNumUses, final Integer secretIdTtl, final Boolean enableLocalSecretIds, + final Integer tokenTtl, final Integer tokenMaxTtl, final List tokenPolicies, + final List tokenBoundCidrs, final Integer tokenExplicitMaxTtl, final Boolean tokenNoDefaultPolicy, + final Integer tokenNumUses, final Integer tokenPeriod, final String tokenType) { this.name = name; this.id = id; this.bindSecretId = bindSecretId; - this.boundCidrList = boundCidrList; this.secretIdBoundCidrs = secretIdBoundCidrs; - this.policies = policies; + this.tokenPolicies = tokenPolicies; this.secretIdNumUses = secretIdNumUses; this.secretIdTtl = secretIdTtl; + this.enableLocalSecretIds = enableLocalSecretIds; this.tokenTtl = tokenTtl; this.tokenMaxTtl = tokenMaxTtl; - this.period = period; + this.tokenBoundCidrs = tokenBoundCidrs; + this.tokenExplicitMaxTtl = tokenExplicitMaxTtl; + this.tokenNoDefaultPolicy = tokenNoDefaultPolicy; + this.tokenNumUses = tokenNumUses; + this.tokenPeriod = tokenPeriod; + this.tokenType = tokenType; } /** @@ -167,41 +172,38 @@ public final class AppRole { } /** - * @return list of bound CIDR subnets - * @deprecated Use {@link #getSecretIdBoundCidrs()} instead, as this parameter is deprecated in Vault. + * @return list of bound CIDR subnets of assiciated tokens + * @since 0.9 */ - @Deprecated - public List getBoundCidrList() { - return boundCidrList; + public List getTokenBoundCidrs() { + return tokenBoundCidrs; } /** * @param boundCidrList list of subnets in CIDR notation to bind role to - * @deprecated Use {@link #setSecretIdBoundCidrs(List)} instead, as this parameter is deprecated in Vault. + * @since 0.9 */ - @Deprecated - @JsonSetter("bound_cidr_list") - public void setBoundCidrList(final List boundCidrList) { - this.boundCidrList = boundCidrList; + @JsonSetter("token_bound_cidrs") + public void setBoundCidrs(final List boundCidrList) { + this.tokenBoundCidrs = boundCidrList; } /** * @return list of subnets in CIDR notation as comma-separated {@link String} - * @deprecated Use {@link #getSecretIdBoundCidrsString()} instead, as this parameter is deprecated in Vault. + * @since 0.9 */ - @Deprecated - @JsonGetter("bound_cidr_list") + @JsonGetter("token_bound_cidrs") @JsonInclude(JsonInclude.Include.NON_EMPTY) - public String getBoundCidrListString() { - if (boundCidrList == null || boundCidrList.isEmpty()) { + public String getTokenBoundCidrsString() { + if (tokenBoundCidrs == null || tokenBoundCidrs.isEmpty()) { return ""; } - return String.join(",", boundCidrList); + return String.join(",", tokenBoundCidrs); } /** * @return list of bound CIDR subnets - * @since 0.8 replaces {@link #getBoundCidrList()} + * @since 0.8 replaces {@code getBoundCidrList()} */ public List getSecretIdBoundCidrs() { return secretIdBoundCidrs; @@ -209,7 +211,7 @@ public final class AppRole { /** * @param secretIdBoundCidrs List of subnets in CIDR notation to bind secrets of this role to. - * @since 0.8 replaces {@link #setBoundCidrList(List)} + * @since 0.8 replaces {@code setBoundCidrList(List)} */ @JsonSetter("secret_id_bound_cidrs") public void setSecretIdBoundCidrs(final List secretIdBoundCidrs) { @@ -218,7 +220,7 @@ public final class AppRole { /** * @return List of subnets in CIDR notation as comma-separated {@link String} - * @since 0.8 replaces {@link #getBoundCidrListString()} ()} + * @since 0.8 replaces {@code getBoundCidrListString()} ()} */ @JsonGetter("secret_id_bound_cidrs") @JsonInclude(JsonInclude.Include.NON_EMPTY) @@ -230,30 +232,63 @@ public final class AppRole { } /** - * @return list of policies + * @return list of token policies + * @since 0.9 */ + public List getTokenPolicies() { + return tokenPolicies; + } + + /** + * @return list of token policies + * @deprecated Use {@link #getTokenPolicies()} instead. + */ + @Deprecated + @JsonIgnore public List getPolicies() { - return policies; + return getTokenPolicies(); + } + + /** + * @param tokenPolicies list of token policies + * @since 0.9 + */ + @JsonSetter("token_policies") + public void setTokenPolicies(final List tokenPolicies) { + this.tokenPolicies = tokenPolicies; } /** * @param policies list of policies + * @deprecated Use {@link #setTokenPolicies(List)} instead. */ - @JsonSetter("policies") + @Deprecated + @JsonIgnore public void setPolicies(final List policies) { - this.policies = policies; + setTokenPolicies(policies); } /** * @return list of policies as comma-separated {@link String} + * @since 0.9 */ - @JsonGetter("policies") + @JsonGetter("token_policies") @JsonInclude(JsonInclude.Include.NON_EMPTY) - public String getPoliciesString() { - if (policies == null || policies.isEmpty()) { + public String getTokenPoliciesString() { + if (tokenPolicies == null || tokenPolicies.isEmpty()) { return ""; } - return String.join(",", policies); + return String.join(",", tokenPolicies); + } + + /** + * @return list of policies as comma-separated {@link String} + * @deprecated Use {@link #getTokenPoliciesString()} instead. + */ + @Deprecated + @JsonIgnore + public String getPoliciesString() { + return getTokenPoliciesString(); } /** @@ -270,6 +305,14 @@ public final class AppRole { return secretIdTtl; } + /** + * @return Enable local secret IDs? + * @since 0.9 + */ + public Boolean getEnableLocalSecretIds() { + return enableLocalSecretIds; + } + /** * @return token TTL in seconds */ @@ -285,9 +328,52 @@ public final class AppRole { } /** - * @return duration in seconds, if specified + * @return explicit maximum token TTL in seconds, including renewals + * @since 0.9 */ + public Integer getTokenExplicitMaxTtl() { + return tokenExplicitMaxTtl; + } + + /** + * @return enable default policy for token? + * @since 0.9 + */ + public Boolean getTokenNoDefaultPolicy() { + return tokenNoDefaultPolicy; + } + + /** + * @return number of uses for token + * @since 0.9 + */ + public Integer getTokenNumUses() { + return tokenNumUses; + } + + /** + * @return duration in seconds, if specified + * @since 0.9 + */ + public Integer getTokenPeriod() { + return tokenPeriod; + } + + /** + * @return duration in seconds, if specified + * @deprecated Use {@link #getTokenPeriod()} instead. + */ + @Deprecated + @JsonIgnore public Integer getPeriod() { - return period; + return getTokenPeriod(); + } + + /** + * @return duration in seconds, if specified + * @since 0.9 + */ + public String getTokenType() { + return tokenType; } } diff --git a/src/main/java/de/stklcode/jvault/connector/model/AppRoleBuilder.java b/src/main/java/de/stklcode/jvault/connector/model/AppRoleBuilder.java index 15a5674..58859ca 100644 --- a/src/main/java/de/stklcode/jvault/connector/model/AppRoleBuilder.java +++ b/src/main/java/de/stklcode/jvault/connector/model/AppRoleBuilder.java @@ -29,14 +29,19 @@ public final class AppRoleBuilder { private String name; private String id; private Boolean bindSecretId; - private List boundCidrList; private List secretIdBoundCidrs; - private List policies; + private List tokenPolicies; private Integer secretIdNumUses; private Integer secretIdTtl; + private Boolean enableLocalSecretIds; private Integer tokenTtl; private Integer tokenMaxTtl; - private Integer period; + private List tokenBoundCidrs; + private Integer tokenExplicitMaxTtl; + private Boolean tokenNoDefaultPolicy; + private Integer tokenNumUses; + private Integer tokenPeriod; + private Token.Type tokenType; /** * Construct {@link AppRoleBuilder} with only the role name set. @@ -89,47 +94,48 @@ public final class AppRoleBuilder { return withBindSecretID(false); } - /** - * Set bound CIDR blocks. - * - * @param boundCidrList List of CIDR blocks which can perform login - * @return self - * @deprecated Use {@link #withSecretIdBoundCidrs(List)} instead, as this parameter is deprecated in Vault. - */ - @Deprecated - public AppRoleBuilder withBoundCidrList(final List boundCidrList) { - this.boundCidrList = boundCidrList; - return this; - } - /** * Set bound CIDR blocks. * * @param secretIdBoundCidrs List of CIDR blocks which can perform login * @return self - * @since 0.8 replaces {@link #withBoundCidrList(List)} + * @since 0.8 replaces {@code withBoundCidrList(List)} */ public AppRoleBuilder withSecretIdBoundCidrs(final List secretIdBoundCidrs) { - this.secretIdBoundCidrs = secretIdBoundCidrs; + if (this.secretIdBoundCidrs == null) { + this.secretIdBoundCidrs = new ArrayList<>(); + } + this.secretIdBoundCidrs.addAll(secretIdBoundCidrs); return this; } /** - * Add a CIDR block to list of bound blocks. + * Add a CIDR block to list of bound blocks for secret. * - * @param cidrBlock the CIDR block + * @param secretBoundCidr the CIDR block * @return self + * @since 0.9 */ - public AppRoleBuilder withCidrBlock(final String cidrBlock) { - if (boundCidrList == null) { - boundCidrList = new ArrayList<>(); - } - boundCidrList.add(cidrBlock); - + public AppRoleBuilder withSecretBoundCidr(final String secretBoundCidr) { if (secretIdBoundCidrs == null) { secretIdBoundCidrs = new ArrayList<>(); } - secretIdBoundCidrs.add(cidrBlock); + secretIdBoundCidrs.add(secretBoundCidr); + return this; + } + + /** + * Add given policies. + * + * @param tokenPolicies the token policies + * @return self + * @since 0.9 + */ + public AppRoleBuilder withTokenPolicies(final List tokenPolicies) { + if (this.tokenPolicies == null) { + this.tokenPolicies = new ArrayList<>(); + } + this.tokenPolicies.addAll(tokenPolicies); return this; } @@ -138,12 +144,25 @@ public final class AppRoleBuilder { * * @param policies the policies * @return self + * @deprecated Use {@link #withTokenPolicies(List)} instead. */ + @Deprecated public AppRoleBuilder withPolicies(final List policies) { - if (this.policies == null) { - this.policies = new ArrayList<>(); + return withTokenPolicies(policies); + } + + /** + * Add a single policy. + * + * @param tokenPolicy the token policy + * @return self + * @since 0.9 + */ + public AppRoleBuilder withTokenPolicy(final String tokenPolicy) { + if (this.tokenPolicies == null) { + this.tokenPolicies = new ArrayList<>(); } - this.policies.addAll(policies); + tokenPolicies.add(tokenPolicy); return this; } @@ -152,13 +171,11 @@ public final class AppRoleBuilder { * * @param policy the policy * @return self + * @deprecated Use {@link #withTokenPolicy(String)} instead. */ + @Deprecated public AppRoleBuilder withPolicy(final String policy) { - if (this.policies == null) { - this.policies = new ArrayList<>(); - } - policies.add(policy); - return this; + return withTokenPolicy(policy); } /** @@ -183,6 +200,18 @@ public final class AppRoleBuilder { return this; } + /** + * Enable or disable local secret IDs. + * + * @param enableLocalSecretIds Enable local secret IDs? + * @return self + * @since 0.9 + */ + public AppRoleBuilder withEnableLocalSecretIds(final Boolean enableLocalSecretIds) { + this.enableLocalSecretIds = enableLocalSecretIds; + return this; + } + /** * Set default token TTL in seconds. * @@ -205,17 +234,106 @@ public final class AppRoleBuilder { return this; } + /** + * Set bound CIDR blocks for associated tokens. + * + * @param tokenBoundCidrs List of CIDR blocks which can perform login + * @return self + * @since 0.9 + */ + public AppRoleBuilder withTokenBoundCidrs(final List tokenBoundCidrs) { + if (this.tokenBoundCidrs == null) { + this.tokenBoundCidrs = new ArrayList<>(); + } + this.tokenBoundCidrs.addAll(tokenBoundCidrs); + return this; + } + + /** + * Add a CIDR block to list of bound blocks for token. + * + * @param tokenBoundCidr the CIDR block + * @return self + * @since 0.9 + */ + public AppRoleBuilder withTokenBoundCidr(final String tokenBoundCidr) { + if (tokenBoundCidrs == null) { + tokenBoundCidrs = new ArrayList<>(); + } + tokenBoundCidrs.add(tokenBoundCidr); + return this; + } + + /** + * Set explicit maximum token TTL in seconds. + * + * @param tokenExplicitMaxTtl the TTL + * @return self + */ + public AppRoleBuilder withTokenExplicitMaxTtl(final Integer tokenExplicitMaxTtl) { + this.tokenExplicitMaxTtl = tokenExplicitMaxTtl; + return this; + } + + /** + * Enable or disable default policy for generated token. + * + * @param tokenNoDefaultPolicy Enable default policy for token? + * @return self + * @since 0.9 + */ + public AppRoleBuilder withTokenNoDefaultPolicy(final Boolean tokenNoDefaultPolicy) { + this.tokenNoDefaultPolicy = tokenNoDefaultPolicy; + return this; + } + + /** + * Set number of uses for generated tokens. + * + * @param tokenNumUses number of uses for tokens + * @return self + * @since 0.9 + */ + public AppRoleBuilder withTokenNumUses(final Integer tokenNumUses) { + this.tokenNumUses = tokenNumUses; + return this; + } + + /** + * Set renewal period for generated token in seconds. + * + * @param tokenPeriod period in seconds + * @return self + * @since 0.9 + */ + public AppRoleBuilder wit0hTokenPeriod(final Integer tokenPeriod) { + this.tokenPeriod = tokenPeriod; + return this; + } + /** * Set renewal period for generated token in seconds. * * @param period period in seconds * @return self + * @deprecated Use {@link #wit0hTokenPeriod(Integer)} instead. */ + @Deprecated public AppRoleBuilder withPeriod(final Integer period) { - this.period = period; - return this; + return wit0hTokenPeriod(period); } + /** + * Set type of generated token. + * + * @param tokenType token type + * @return self + * @since 0.9 + */ + public AppRoleBuilder withTokenType(final Token.Type tokenType) { + this.tokenType = tokenType; + return this; + } /** * Build the AppRole role based on given parameters. @@ -223,16 +341,23 @@ public final class AppRoleBuilder { * @return the role */ public AppRole build() { - return new AppRole(name, + return new AppRole( + name, id, bindSecretId, - boundCidrList, secretIdBoundCidrs, - policies, secretIdNumUses, secretIdTtl, + enableLocalSecretIds, tokenTtl, tokenMaxTtl, - period); + tokenPolicies, + tokenBoundCidrs, + tokenExplicitMaxTtl, + tokenNoDefaultPolicy, + tokenNumUses, + tokenPeriod, + tokenType != null ? tokenType.value() : null + ); } } diff --git a/src/test/java/de/stklcode/jvault/connector/HTTPVaultConnectorTest.java b/src/test/java/de/stklcode/jvault/connector/HTTPVaultConnectorTest.java index 7e69f1c..08dbb99 100644 --- a/src/test/java/de/stklcode/jvault/connector/HTTPVaultConnectorTest.java +++ b/src/test/java/de/stklcode/jvault/connector/HTTPVaultConnectorTest.java @@ -881,6 +881,28 @@ public class HTTPVaultConnectorTest { fail("Role ID lookup failed."); } + /* Update role model with custom flags */ + role = AppRole.builder(roleName) + .wit0hTokenPeriod(321) + .build(); + + /* Create role */ + try { + boolean res = connector.createAppRole(role); + assertThat("No result given.", res, is(notNullValue())); + } catch (VaultConnectorException e) { + fail("Role creation failed."); + } + + /* Lookup updated role */ + try { + AppRoleResponse res = connector.lookupAppRole(roleName); + assertThat("Role lookup returned no role.", res.getRole(), is(notNullValue())); + assertThat("Token period not set for role.", res.getRole().getTokenPeriod(), is(321)); + } catch (VaultConnectorException e) { + fail("Role lookup failed."); + } + /* Create role by name */ roleName = "RoleByName"; try { diff --git a/src/test/java/de/stklcode/jvault/connector/model/AppRoleBuilderTest.java b/src/test/java/de/stklcode/jvault/connector/model/AppRoleBuilderTest.java index 8ef0229..690ad2e 100644 --- a/src/test/java/de/stklcode/jvault/connector/model/AppRoleBuilderTest.java +++ b/src/test/java/de/stklcode/jvault/connector/model/AppRoleBuilderTest.java @@ -34,8 +34,6 @@ import static org.hamcrest.Matchers.*; * @since 0.4.0 */ public class AppRoleBuilderTest { - - private static final String NAME = "TestRole"; private static final String ID = "test-id"; private static final Boolean BIND_SECRET_ID = true; @@ -47,12 +45,17 @@ public class AppRoleBuilderTest { private static final String POLICY_2 = "policy2"; private static final Integer SECRET_ID_NUM_USES = 10; private static final Integer SECRET_ID_TTL = 7200; + private static final Boolean ENABLE_LOCAL_SECRET_IDS = false; private static final Integer TOKEN_TTL = 4800; private static final Integer TOKEN_MAX_TTL = 9600; - private static final Integer PERIOD = 1234; + private static final Integer TOKEN_EXPLICIT_MAX_TTL = 14400; + private static final Boolean TOKEN_NO_DEFAULT_POLICY = false; + private static final Integer TOKEN_NUM_USES = 42; + private static final Integer TOKEN_PERIOD = 1234; + private static final Token.Type TOKEN_TYPE = Token.Type.DEFAULT_SERVICE; private static final String JSON_MIN = "{\"role_name\":\"" + NAME + "\"}"; - private static final String JSON_FULL = String.format("{\"role_name\":\"%s\",\"role_id\":\"%s\",\"bind_secret_id\":%s,\"bound_cidr_list\":\"%s\",\"secret_id_bound_cidrs\":\"%s\",\"policies\":\"%s\",\"secret_id_num_uses\":%d,\"secret_id_ttl\":%d,\"token_ttl\":%d,\"token_max_ttl\":%d,\"period\":%d}", - NAME, ID, BIND_SECRET_ID, CIDR_1, CIDR_1, POLICY, SECRET_ID_NUM_USES, SECRET_ID_TTL, TOKEN_TTL, TOKEN_MAX_TTL, PERIOD); + private static final String JSON_FULL = String.format("{\"role_name\":\"%s\",\"role_id\":\"%s\",\"bind_secret_id\":%s,\"secret_id_bound_cidrs\":\"%s\",\"secret_id_num_uses\":%d,\"secret_id_ttl\":%d,\"enable_local_secret_ids\":%s,\"token_ttl\":%d,\"token_max_ttl\":%d,\"token_policies\":\"%s\",\"token_bound_cidrs\":\"%s\",\"token_explicit_max_ttl\":%d,\"token_no_default_policy\":%s,\"token_num_uses\":%d,\"token_period\":%d,\"token_type\":\"%s\"}", + NAME, ID, BIND_SECRET_ID, CIDR_1, SECRET_ID_NUM_USES, SECRET_ID_TTL, ENABLE_LOCAL_SECRET_IDS, TOKEN_TTL, TOKEN_MAX_TTL, POLICY, CIDR_1, TOKEN_EXPLICIT_MAX_TTL, TOKEN_NO_DEFAULT_POLICY, TOKEN_NUM_USES, TOKEN_PERIOD, TOKEN_TYPE.value()); @BeforeAll public static void init() { @@ -68,14 +71,21 @@ public class AppRoleBuilderTest { AppRole role = new AppRoleBuilder(NAME).build(); assertThat(role.getId(), is(nullValue())); assertThat(role.getBindSecretId(), is(nullValue())); - assertThat(role.getBoundCidrList(), is(nullValue())); assertThat(role.getSecretIdBoundCidrs(), is(nullValue())); + assertThat(role.getTokenPolicies(), is(nullValue())); assertThat(role.getPolicies(), is(nullValue())); assertThat(role.getSecretIdNumUses(), is(nullValue())); assertThat(role.getSecretIdTtl(), is(nullValue())); + assertThat(role.getEnableLocalSecretIds(), is(nullValue())); assertThat(role.getTokenTtl(), is(nullValue())); assertThat(role.getTokenMaxTtl(), is(nullValue())); + assertThat(role.getTokenBoundCidrs(), is(nullValue())); + assertThat(role.getTokenExplicitMaxTtl(), is(nullValue())); + assertThat(role.getTokenNoDefaultPolicy(), is(nullValue())); + assertThat(role.getTokenNumUses(), is(nullValue())); + assertThat(role.getTokenPeriod(), is(nullValue())); assertThat(role.getPeriod(), is(nullValue())); + assertThat(role.getTokenType(), is(nullValue())); /* optional fields should be ignored, so JSON string should only contain role_name */ assertThat(new ObjectMapper().writeValueAsString(role), is(JSON_MIN)); @@ -89,26 +99,38 @@ public class AppRoleBuilderTest { AppRole role = new AppRoleBuilder(NAME) .withId(ID) .withBindSecretID(BIND_SECRET_ID) - .withBoundCidrList(BOUND_CIDR_LIST) .withSecretIdBoundCidrs(BOUND_CIDR_LIST) - .withPolicies(POLICIES) + .withTokenPolicies(POLICIES) .withSecretIdNumUses(SECRET_ID_NUM_USES) .withSecretIdTtl(SECRET_ID_TTL) + .withEnableLocalSecretIds(ENABLE_LOCAL_SECRET_IDS) .withTokenTtl(TOKEN_TTL) .withTokenMaxTtl(TOKEN_MAX_TTL) - .withPeriod(PERIOD) + .withTokenBoundCidrs(BOUND_CIDR_LIST) + .withTokenExplicitMaxTtl(TOKEN_EXPLICIT_MAX_TTL) + .withTokenNoDefaultPolicy(TOKEN_NO_DEFAULT_POLICY) + .withTokenNumUses(TOKEN_NUM_USES) + .wit0hTokenPeriod(TOKEN_PERIOD) + .withTokenType(TOKEN_TYPE) .build(); assertThat(role.getName(), is(NAME)); assertThat(role.getId(), is(ID)); assertThat(role.getBindSecretId(), is(BIND_SECRET_ID)); - assertThat(role.getBoundCidrList(), is(BOUND_CIDR_LIST)); assertThat(role.getSecretIdBoundCidrs(), is(BOUND_CIDR_LIST)); - assertThat(role.getPolicies(), is(POLICIES)); + assertThat(role.getTokenPolicies(), is(POLICIES)); + assertThat(role.getPolicies(), is(role.getTokenPolicies())); assertThat(role.getSecretIdNumUses(), is(SECRET_ID_NUM_USES)); assertThat(role.getSecretIdTtl(), is(SECRET_ID_TTL)); + assertThat(role.getEnableLocalSecretIds(), is(ENABLE_LOCAL_SECRET_IDS)); assertThat(role.getTokenTtl(), is(TOKEN_TTL)); assertThat(role.getTokenMaxTtl(), is(TOKEN_MAX_TTL)); - assertThat(role.getPeriod(), is(PERIOD)); + assertThat(role.getTokenBoundCidrs(), is(BOUND_CIDR_LIST)); + assertThat(role.getTokenExplicitMaxTtl(), is(TOKEN_EXPLICIT_MAX_TTL)); + assertThat(role.getTokenNoDefaultPolicy(), is(TOKEN_NO_DEFAULT_POLICY)); + assertThat(role.getTokenNumUses(), is(TOKEN_NUM_USES)); + assertThat(role.getTokenPeriod(), is(TOKEN_PERIOD)); + assertThat(role.getPeriod(), is(TOKEN_PERIOD)); + assertThat(role.getTokenType(), is(TOKEN_TYPE.value())); /* Verify that all parameters are included in JSON string */ assertThat(new ObjectMapper().writeValueAsString(role), is(JSON_FULL)); @@ -128,29 +150,33 @@ public class AppRoleBuilderTest { assertThat(role.getBindSecretId(), is(false)); /* Add single CIDR subnet */ - role = new AppRoleBuilder(NAME).withCidrBlock(CIDR_2).build(); - assertThat(role.getBoundCidrList(), hasSize(1)); - assertThat(role.getBoundCidrList(), contains(CIDR_2)); + role = new AppRoleBuilder(NAME).withSecretBoundCidr(CIDR_2).withTokenBoundCidr(CIDR_2).build(); assertThat(role.getSecretIdBoundCidrs(), hasSize(1)); assertThat(role.getSecretIdBoundCidrs(), contains(CIDR_2)); + assertThat(role.getTokenBoundCidrs(), hasSize(1)); + assertThat(role.getTokenBoundCidrs(), contains(CIDR_2)); role = new AppRoleBuilder(NAME) .withSecretIdBoundCidrs(BOUND_CIDR_LIST) - .withCidrBlock(CIDR_2) + .withSecretBoundCidr(CIDR_2) + .withTokenBoundCidrs(BOUND_CIDR_LIST) + .withTokenBoundCidr(CIDR_2) .build(); - assertThat(role.getBoundCidrList(), hasSize(1)); - assertThat(role.getBoundCidrList(), contains(CIDR_2)); assertThat(role.getSecretIdBoundCidrs(), hasSize(2)); assertThat(role.getSecretIdBoundCidrs(), contains(CIDR_1, CIDR_2)); + assertThat(role.getTokenBoundCidrs(), hasSize(2)); + assertThat(role.getSecretIdBoundCidrs(), contains(CIDR_1, CIDR_2)); /* Add single policy */ - role = new AppRoleBuilder(NAME).withPolicy(POLICY_2).build(); - assertThat(role.getPolicies(), hasSize(1)); - assertThat(role.getPolicies(), contains(POLICY_2)); + role = new AppRoleBuilder(NAME).withTokenPolicy(POLICY_2).build(); + assertThat(role.getTokenPolicies(), hasSize(1)); + assertThat(role.getTokenPolicies(), contains(POLICY_2)); + assertThat(role.getPolicies(), is(role.getTokenPolicies())); role = new AppRoleBuilder(NAME) - .withPolicies(POLICIES) - .withPolicy(POLICY_2) + .withTokenPolicies(POLICIES) + .withTokenPolicy(POLICY_2) .build(); - assertThat(role.getPolicies(), hasSize(2)); - assertThat(role.getPolicies(), contains(POLICY, POLICY_2)); + assertThat(role.getTokenPolicies(), hasSize(2)); + assertThat(role.getTokenPolicies(), contains(POLICY, POLICY_2)); + assertThat(role.getPolicies(), is(role.getTokenPolicies())); } } diff --git a/src/test/java/de/stklcode/jvault/connector/model/response/AppRoleResponseTest.java b/src/test/java/de/stklcode/jvault/connector/model/response/AppRoleResponseTest.java index dfb91b7..e428f2b 100644 --- a/src/test/java/de/stklcode/jvault/connector/model/response/AppRoleResponseTest.java +++ b/src/test/java/de/stklcode/jvault/connector/model/response/AppRoleResponseTest.java @@ -53,10 +53,10 @@ public class AppRoleResponseTest { " \"token_max_ttl\": " + ROLE_TOKEN_MAX_TTL + ",\n" + " \"secret_id_ttl\": " + ROLE_SECRET_TTL + ",\n" + " \"secret_id_num_uses\": " + ROLE_SECRET_NUM_USES + ",\n" + - " \"policies\": [\n" + + " \"token_policies\": [\n" + " \"" + ROLE_POLICY + "\"\n" + " ],\n" + - " \"period\": " + ROLE_PERIOD + ",\n" + + " \"token_period\": " + ROLE_PERIOD + ",\n" + " \"bind_secret_id\": " + ROLE_BIND_SECRET + ",\n" + " \"bound_cidr_list\": \"\"\n" + " },\n" + @@ -68,7 +68,7 @@ public class AppRoleResponseTest { private static final Map INVALID_DATA = new HashMap<>(); static { - INVALID_DATA.put("policies", "fancy-policy"); + INVALID_DATA.put("token_policies", "fancy-policy"); } /** @@ -104,12 +104,15 @@ public class AppRoleResponseTest { assertThat("Incorrect token max TTL", role.getTokenMaxTtl(), is(ROLE_TOKEN_MAX_TTL)); assertThat("Incorrect secret ID TTL", role.getSecretIdTtl(), is(ROLE_SECRET_TTL)); assertThat("Incorrect secret ID umber of uses", role.getSecretIdNumUses(), is(ROLE_SECRET_NUM_USES)); + assertThat("Incorrect number of policies", role.getTokenPolicies(), hasSize(1)); + assertThat("Incorrect role policies", role.getTokenPolicies(), contains(ROLE_POLICY)); assertThat("Incorrect number of policies", role.getPolicies(), hasSize(1)); assertThat("Incorrect role policies", role.getPolicies(), contains(ROLE_POLICY)); + assertThat("Incorrect role period", role.getTokenPeriod(), is(ROLE_PERIOD)); assertThat("Incorrect role period", role.getPeriod(), is(ROLE_PERIOD)); assertThat("Incorrect role bind secret ID flag", role.getBindSecretId(), is(ROLE_BIND_SECRET)); - assertThat("Incorrect biund CIDR list", role.getBoundCidrList(), is(nullValue())); - assertThat("Incorrect biund CIDR list string", role.getBoundCidrListString(), is(emptyString())); + assertThat("Incorrect bound CIDR list", role.getTokenBoundCidrs(), is(nullValue())); + assertThat("Incorrect bound CIDR list string", role.getTokenBoundCidrsString(), is(emptyString())); } catch (IOException e) { fail("AuthResponse deserialization failed: " + e.getMessage()); }