Implement update of KV v2 metadata (#16)

2019-03-22 14:40:27 +01:00 · 2019-03-22 14:40:27 +01:00 · dee7ec0b23
commit dee7ec0b23
parent ab33325b8e
3 changed files with 75 additions and 1 deletions
--- a/src/main/java/de/stklcode/jvault/connector/HTTPVaultConnector.java
+++ b/src/main/java/de/stklcode/jvault/connector/HTTPVaultConnector.java
@ -504,6 +504,19 @@ public class HTTPVaultConnector implements VaultConnector {
        return request.get(mount + PATH_METADATA + key, new HashMap<>(), token, MetadataResponse.class);
    }

+    @Override
+    public void updateSecretMetadata(final String mount, final String key, final Integer maxVersions, final boolean casRequired) throws VaultConnectorException {
+        requireAuth();
+
+        Map<String, Object> payload = new HashMap<>();
+        if (maxVersions != null) {
+            payload.put("max_versions", maxVersions);
+        }
+        payload.put("cas_required", casRequired);
+
+        write(mount + PATH_METADATA + key, payload);
+    }
+
    @Override
    public final SecretVersionResponse writeSecretData(final String mount, final String key, final Map<String, Object> data, final Integer cas) throws VaultConnectorException {
        requireAuth();
--- a/src/main/java/de/stklcode/jvault/connector/VaultConnector.java
+++ b/src/main/java/de/stklcode/jvault/connector/VaultConnector.java
@ -520,7 +520,7 @@ public interface VaultConnector extends AutoCloseable, Serializable {

    /**
     * Retrieve secret metadata from Vault.
-     * Prefix "secret/metadata" is automatically added to key. Only available for KV v2 secrets.
+     * Prefix "metadata" is automatically added to key. Only available for KV v2 secrets.
     *
     * @param mount Secret store mountpoint (without leading or trailing slash).
     * @param key   Secret identifier
@ -530,6 +530,31 @@ public interface VaultConnector extends AutoCloseable, Serializable {
     */
    MetadataResponse readSecretMetadata(final String mount, final String key) throws VaultConnectorException;

+    /**
+     * Update secret metadata.
+     * Prefix "secret/metadata" is automatically added to key. Only available for KV v2 secrets.
+     *
+     * @param key Secret identifier
+     * @throws VaultConnectorException on error
+     * @since 0.8
+     */
+    default void updateSecretMetadata(final String key, final Integer maxVersions, final boolean casRequired) throws VaultConnectorException {
+        updateSecretMetadata(PATH_SECRET, key, maxVersions, casRequired);
+    }
+
+    /**
+     * Update secret metadata.
+     * Prefix "metadata" is automatically added to key. Only available for KV v2 secrets.
+     *
+     * @param mount       Secret store mountpoint (without leading or trailing slash).
+     * @param key         Secret identifier
+     * @param maxVersions Maximum number of versions (fallback to backend default if {@code null})
+     * @param casRequired Specify if Check-And-Set is required for this secret.
+     * @throws VaultConnectorException on error
+     * @since 0.8
+     */
+    void updateSecretMetadata(final String mount, final String key, final Integer maxVersions, final boolean casRequired) throws VaultConnectorException;
+
    /**
     * List available nodes from Vault.
     *
--- a/src/test/java/de/stklcode/jvault/connector/HTTPVaultConnectorTest.java
+++ b/src/test/java/de/stklcode/jvault/connector/HTTPVaultConnectorTest.java
@ -830,6 +830,41 @@ public class HTTPVaultConnectorTest {
        authUser();
        assumeTrue(connector.isAuthorized());

+        // Read current metadata first.
+        Integer maxVersions = -1;
+        try {
+            MetadataResponse res = connector.readSecretMetadata(MOUNT_KV2, SECRET2_KEY);
+            maxVersions = res.getMetadata().getMaxVersions();
+            assumeThat("Unexpected maximum number of versions", res.getMetadata().getMaxVersions(), is(10));
+        } catch (VaultConnectorException e) {
+            fail("Reading secret metadata failed: " + e.getMessage());
+        }
+
+        // Now update the metadata.
+        try {
+            ++maxVersions;
+            connector.updateSecretMetadata(MOUNT_KV2, SECRET2_KEY, maxVersions, true);
+        } catch (VaultConnectorException e) {
+            fail("Updating secret metadata failed: " + e.getMessage());
+        }
+
+        // And verify the result.
+        try {
+            MetadataResponse res = connector.readSecretMetadata(MOUNT_KV2, SECRET2_KEY);
+            assertThat("Unexpected maximum number of versions", res.getMetadata().getMaxVersions(), is(maxVersions));
+        } catch (VaultConnectorException e) {
+            fail("Reading secret metadata failed: " + e.getMessage());
+        }
+    }
+
+    /**
+     * Test updating secret metadata in KV v2 store.
+     */
+    @Test
+    public void updateSecretMetadataTest() {
+        authUser();
+        assumeTrue(connector.isAuthorized());
+
        // Try to read accessible path with known value.
        try {
            MetadataResponse res = connector.readSecretMetadata(MOUNT_KV2, SECRET2_KEY);
@ -838,6 +873,7 @@ public class HTTPVaultConnectorTest {
            assertThat("Unexpected number of secret versions", res.getMetadata().getVersions().size(), is(2));
            assertThat("Creation date should be present", res.getMetadata().getCreatedTime(), is(notNullValue()));
            assertThat("Update date should be present", res.getMetadata().getUpdatedTime(), is(notNullValue()));
+            assertThat("Unexpected maximum number of versions", res.getMetadata().getMaxVersions(), is(10));
        } catch (VaultConnectorException e) {
            fail("Valid secret path could not be read: " + e.getMessage());
        }