Prepare 0.8.0 release

We're using JUnit 5 so leverage some new features to make reasonable
test groups.

.drone.yml

@@ -0,0 +1,33 @@
+kind: pipeline
+name: default
+
+clone:
+  disable: true
+
+steps:
+- name: clone
+  image: plugins/git
+  settings:
+    depth: 10
+    skip_verify: true
+- name: test-online
+  image: maven:3-jdk-11-slim
+  commands:
+  - export VAULT_VERSION=1.1.0
+  - wget https://releases.hashicorp.com/vault/${VAULT_VERSION}/vault_${VAULT_VERSION}_linux_amd64.zip
+  - wget -q -O - https://releases.hashicorp.com/vault/${VAULT_VERSION}/vault_${VAULT_VERSION}_SHA256SUMS | grep linux_amd64 | sha256sum -c
+  - unzip vault_${VAULT_VERSION}_linux_amd64.zip
+  - rm vault_${VAULT_VERSION}_linux_amd64.zip
+  - mv vault /bin/
+  - mvn clean test
+  when:
+    branch:
+    - master
+- name: test-offline
+  image: maven:3-jdk-11-slim
+  commands:
+  - mvn clean test -Dtest='!HTTPVaultConnectorTest'
+  when:
+    branch:
+    - develop
+    - feature/*

.gitignore

@@ -0,0 +1,5 @@
+/target/
+/*.iml
+/.idea/
+/*.project
+*~

.travis.yml

@@ -0,0 +1,28 @@
+branches:
+  only:
+    - master
+language: java
+jdk:
+  - openjdk11
+install: true
+addons:
+  sonarcloud:
+    organization: "stklcode-github"
+    token:
+      secure: "sM9OfX5jW764pn9cb2LSXArnXucKMws+eGeg5NnZxHRcGYt4hpBKLSregBSsBNzUoWVj0zNzPCpnh+UQvgxQzUerOqwEdjTBpy3SNPaxSn7UpoSg+Wz3aUmL9ugmx01b51/wMG4UCHEwTZt2tpgTPVtw8K6uSO78e0dSICCBHDnRcdQwOjMEQHIJJ/qHVRwuy/MzLCAP3W1JPZlsphZg9QsFyhB4hW97dE90joZezfocQIv2xI/r6k+BLz0pY6MxYCul0RiDumaiaej0CPvEJI/uSu//BAQjUdHw+mQgnKUYIbrn2ONOviwNfwdr94JyoZEN2B6zASUmNLjPf4AbIojDeyS+CrpQpm17EVm/Qk/Ds+Xra4PPPIcsZhiWzV0KoDUz9xLfXuRJ526VT5tDPiaeI7oETf0+8l+JIS1b399FyqHi7smzjpvC6GuKflQrbuHK4MuKzDh7WTHiqokGG4SS0wOQIaaHB3dfdwwQzPh6IM24e8CETxh3DjMeqUTU4DWmv5po55jZ934TtxVQvVN78bTG9O0zS9u+JmRY04OZ+OaXuFam6MfMUFQi0EPZzdGul/oWSibGUu3bNfVEBp60CnJwYNM/dKG6U7pJthLHvSwiQFOdKzHZ+l1jZJ4gPaXaIGqpwqVGr28ntqA/El1rytPixr2driE6bYMt5jw="
+env:
+  - PATH=$PATH:. VAULT_VERSION=1.1.0
+before_script:
+  - wget https://releases.hashicorp.com/vault/${VAULT_VERSION}/vault_${VAULT_VERSION}_linux_amd64.zip
+  - wget -q -O - https://releases.hashicorp.com/vault/${VAULT_VERSION}/vault_${VAULT_VERSION}_SHA256SUMS | grep linux_amd64 | sha256sum -c
+  - unzip vault_${VAULT_VERSION}_linux_amd64.zip
+  - rm vault_${VAULT_VERSION}_linux_amd64.zip
+cache:
+  directories:
+    - '$HOME/.m2/repository'
+    - '$HOME/.sonar/cache'
+script:
+  - mvn clean org.jacoco:jacoco-maven-plugin:prepare-agent package sonar:sonar
+notifications:
+  slack:
+    secure: "YyE5GePOLkCVTtCy8j507BRmQrtrWhtvmUt4kY0Z2/ptf0LzfuDEJQ4ZbCxO5ri5IDJrrvyPAedjft818+bMzdFfxvi1oviIL+LZNhyev8gfeIBF/U2pvSLGKCRX4g4aZ6NKN3Untjdm8lmiVTltOyZ59JizQVwXzAl3LiOpnJugyBqbhOx4EIqBzwW3gaYAofMqY2LczW5W/M+99HJCst8Mb8H06GstCPEHCizAq7VRaUS68PstlxQMV0Q6bsSYMLFbLWmhuXs96WHqOrT+nNsl07ikr3N8c4HafhFutt2Jyc1+8gXO417+eSvVM0iBpHGwTmfGFfCqx/4Pf62DTJuvh8dR4fLgLDiqEeDrBEcRRDOs9cvXVOO22NN1HuBBJY8VRiFcwNAvuVMXCtnC+1RJRAZB2zubsANiFe+ygk/ywj37cVXY+NpqlBwcSph6jPHo2hD6cIl2rTWn1EnZH519Rh38xTSv6MRzAO9kWNVrAlX+UtvYS8Sk7Owrc0tET9Lc4zj6aI5tsA1wYbN3Jk6EbMhsF6K/XF2npt2qg09pxkj8wmxoUoR6/rGuSv55aSxTdLDmH+en4ahEm3uc4h1lYoVCk0yrZoTAas3zS4WpBCKnl+mweuKNxaejyy0Wv6NR9ZCTaS3yFgibNOjvDpxZxTAPdNBL7hn+k4LwgN4="

CHANGELOG.md

@@ -0,0 +1,154 @@
+## 0.8.0 (2019-03-24)
+### Breaking
+* Moved Maven artifact to `de.stklcode.jvault:jvault-connector` (#28)
+* Removed support for `HTTPVaultConnectorFactory#withSslContext()` in favor of `#withTrustedCA()` due to
+
+### Features
+* Support for KV version 2 secret engine (#16)
+* Ability to pass custom mount point to KV v2 read/write methods (#25)
+
+### Improvements
+* refactoring of the internal SSL handling (#17)
+* `VaultConnector` extends `java.io.Serializable` (#19)
+* Added missing flags to `SealResponse` (#20)
+* Added replication flags to `HealthResponse` (#21)
+* Enforce TLS 1.2 by default with option to override (#22)
+* Build environment and tests now compatible with Java 10
+* Updated dependencies to fix vulnerabilities (i.e. CVE-2018-7489)
+* New static method `Token.builder()` to get token builder instance
+* New static method `AppRole.builder()` to get AppRole builder instance
+
+### Deprecation
+* `VaultConnectorFactory` is deprecated in favor of `VaultConnectorBuilder` with identical API (#18)
+* `AppRoleBuilder#withBoundCidrList(List)` is deprecated in favor of `AppRoleBuilder#withSecretIdBoundCidrs(List)` (#24)
+
+
+## 0.7.1 (2018-03-17)
+### Improvements
+* Added automatic module name for JPMS compatibility
+* Minor dependency updates
+
+### Test
+* Tested against Vault 0.9.5
+
+
+## 0.7.0 (2017-10-03)
+### Features
+* Retrieval of health status via `getHealth()` (#15)
+
+### Improvements
+* `seal()`, `unseal()` are now `void` and throw Exception on error (#12)
+* Adaptation to Vault 0.8 endpoints for `renew` and `revoke`, **breaking** 0.7 compatibility (#11)
+
+### Removed
+* Removed deprecated `listAppRoleSecretss()` (use `listAppRoleSecrets()`) (#14)
+
+### Test
+* Tested against Vault 0.8.3
+
+
+## 0.6.2 [2017-08-19]
+### Fixes
+* Prevent potential NPE on SecretResponse getter
+* Removed stack traces on PUT request and response deserialization (#13)
+
+### Improvements
+* Fields of InvalidResposneException made final
+
+### Deprecation
+* `listAppRoleSecretss()` in favor of `listAppRoleSecrets()` (#14)
+
+### Test
+* Tested against Vault 0.8.1, increased coverage
+
+
+## 0.6.1 (2017-08-02)
+### Fixes
+* `TokenModel.getPassword()` returned username instead of password
+* `TokenModel.getUsername()` and `getPassword()` could produce NPE in multithreaded environments
+* `TokenData.getCreatinTtl()` renamed to `getCreationTtl()` (typo fix)
+
+### Test
+* Tested against Vault 0.7.3
+
+
+## 0.6.0 (2017-05-12)
+### Features
+* Initialization from environment variables using `fromEnv()` in factory (#8)
+* Automatic authentication with `buildAndAuth()`
+* Custom timeout and number of retries (#9)
+* Connector implements `AutoCloseable`
+
+### Fixes
+* `SecretResponse` does not throw NPE on `get(key)` and `getData()`
+
+### Test 
+* Tested against Vault 0.7.2
+
+
+## 0.5.0 (2017-03-18)
+### Features
+* Convenience methods for DB credentials (#7)
+
+### Fixes
+* Minor bugfix in TokenBuilder
+
+### Deprecation
+* `SecretResponse.getValue()` deprecated
+
+### Test
+* Tested against Vault 0.7.0
+
+
+## 0.4.1 [2016-12-24]
+### Fixes
+* Factory Null-tolerant for trusted certificate (#6)
+
+### Test
+* StackTraces tested for secret leaks
+* Tested against Vault 0.6.4
+
+
+## 0.4.0 (2016-11-06)
+### Features
+* Option to provide a trusted CA certificate (#2)
+* Deletion, revocation and renewal of secrets (#3)
+* Token creation (#4)
+* AppRole auth backend supported (#5)
+
+### Improvements
+* Support for complex secrets
+
+### Deprecation
+* App-ID backend marked as deprecated
+
+
+## 0.3.0 (2016-10-07)
+### Features
+* Retrieval of JSON objects (#1)
+
+### Test
+* Tested against Vault 0.6.2
+
+
+## 0.2.0 (2016-09-01)
+### Improvements
+* Dependecies updated and CommonsIO removed
+
+### Fixes
+* Fixed auth backend detection for Vault 0.6.1
+
+### Test
+* Tested against Vault 0.6.1
+
+
+## 0.1.1 (2016-06-20)
+### Fixes
+* Check for "permission denied" without status code 400 instead of 403
+
+### Test
+* Tested against Vault 0.6.0
+
+
+## 0.1.0 (2016-03-29)
+* First release

README.md

@@ -1,58 +1,129 @@
-Java Vault Connector
-=========
+# Java Vault Connector 
+
+[![Build Status](https://travis-ci.org/stklcode/jvaultconnector.svg?branch=master)](https://travis-ci.org/stklcode/jvaultconnector)
+[![Quality Gate](https://sonarcloud.io/api/project_badges/measure?project=de.stklcode.jvault%3Ajvault-connector&metric=alert_status)](https://sonarcloud.io/dashboard?id=de.stklcode.jvault%3Aconnector)
+[![License](https://img.shields.io/badge/license-Apache%202.0-blue.svg)](https://github.com/stklcode/jvaultconnector/blob/master/LICENSE.txt) 
+[![Maven Central](https://img.shields.io/maven-central/v/de.stklcode.jvault/jvault-connector.svg)](https://search.maven.org/#search%7Cga%7C1%7Cg%3A%22de.stklcode.jvault%22%20AND%20a%3A%22jvault-connector%22)
+
+![Logo](https://raw.githubusercontent.com/stklcode/jvaultconnector/master/assets/logo.png)
+
 Java Vault Connector is a connector library for [Vault](https://www.vaultproject.io) by [Hashicorp](https://www.hashicorp.com) written in Java. The connector allows simple usage of Vault's secret store in own applications.
 
-**Current available features:**
+## Features:
 
 * HTTP(S) backend connector
-* Authorization methods:
+    *  Ability to provide or enforce custom CA certificate
+    * Optional initialization from environment variables
+* Authorization methods
     * Token
     * Username/Password
-    * AppID (register and authenticate)
+    * AppRole (register and authenticate)
+    * AppID (register and authenticate) [_deprecated_]
+* Tokens
+    * Creation and lookup of tokens
+    * TokenBuilder for speaking creation of complex configuraitons
 * Secrets
     * Read secrets
     * Write secrets
     * List secrets
+    * Delete secrets
+    * Renew/revoke leases
+    * Raw secret content or JSON decoding
+    * SQL secret handling
+    * KV v1 and v2 support
 * Connector Factory with builder pattern
-* Tested against Vault 0.5.2
+* Tested against Vault 1.1.0
 
-**Usage Example**
+
+## Maven Artifact
+```xml
+<dependency>
+    <groupId>de.stklcode.jvault</groupId>
+    <artifactId>jvault-connector</artifactId>
+    <version>0.8.0</version>
+</dependency>
+```
+
+## Usage Examples
+
+### Initialization
 
 ```java
-// Instanciate using builder pattern style factory
-VaultConnector vault = VaultConnectorFactory.httpFactory()
- .wiithHost("127.0.0.1")
+// Instantiate using builder pattern style factory (TLS enabled by default)
+VaultConnector vault = VaultConnectorBuilder.http()
+ .withHost("127.0.0.1")
  .withPort(8200)
  .withTLS()
  .build();
 
-//authenticate with token
+// Instantiate with custom SSL context
+VaultConnector vault = VaultConnectorBuilder.http()
+ .withHost("example.com")
+ .withPort(8200)
+ .withTrustedCA(Paths.get("/path/to/CA.pem"))
+ .build();
+
+// Initialization from environment variables 
+VaultConnector vault = VaultConnectorBuilder.http()
+ .fromEnv()
+ .build();
+```
+
+### Authentication
+
+```java
+// Authenticate with token.
 vault.authToken("01234567-89ab-cdef-0123-456789abcdef");
 
-// retrieve secret
-String secret = vault.readSecret("some/secret/key").getValue();
+// Authenticate with username and password.
+vault.authUserPass("username", "p4ssw0rd");
+
+// Authenticate with AppRole (secret - 2nd argument - is optional).
+vault.authAppRole("01234567-89ab-cdef-0123-456789abcdef", "fedcba98-7654-3210-fedc-ba9876543210");
 ```
 
-**Maven Artifact**
-```
-<dependency>
-    <groupId>de.stklcode.jvault</groupId>
-    <artifactId>connector</artifactId>
-    <version>0.1</version>
-</dependency>
+### Secret read & write
+
+```java
+// Retrieve secret (prefix "secret/" assumed, use read() to read arbitrary paths)
+String secret = vault.readSecret("some/secret/key").get("value", String.class);
+
+// Complex secret.
+Map<String, Object> secretData = vault.readSecret("another/secret/key").getData();
+
+// Write simple secret.
+vault.writeSecret("new/secret/key", "secret value");
+
+// Write complex data to arbitraty path.
+Map<String, Object> map = ...;
+vault.write("any/path/to/write", map);
+
+// Delete secret.
+vault.delete("any/path/to/write");
 ```
 
-**Links**
+### Token and role creation
+
+```java
+// Create token using TokenBuilder
+Token token = Token.builder()
+                   .withId("token id")
+                   .withDisplayName("new test token")
+                   .withPolicies("pol1", "pol2")
+                   .build();
+vault.createToken(token);
+
+// Create AppRole credentials
+vault.createAppRole("testrole", policyList);
+AppRoleSecretResponse secret = vault.createAppRoleSecret("testrole");
+```
+
+## Links
 
 [Project Page](http://jvault.stklcode.de)
 
 [JavaDoc API](http://jvault.stklcode.de/apidocs/)
 
-**Planned features:**
-
-* Creation and modification of policies
-* Implement more authentication methods
-
-**License**
+## License
 
 The project is licensed under [Apache License 2.0](http://www.apache.org/licenses/LICENSE-2.0).

assets/logo.svg

@@ -0,0 +1,12 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
+<svg xmlns="http://www.w3.org/2000/svg" width="128" height="128">
+    <path d="M4,12 l60,104 l60,-104 z" stroke="none" fill="#000000" />
+    <rect x="74" y="20" width="8" height="8" stroke="none" fill="#00abe0" />
+    <rect x="74" y="34" width="8" height="8" stroke="none" fill="#00abe0" />
+    <rect x="74" y="48" width="8" height="8" stroke="none" fill="#00abe0" />
+    <rect x="74" y="62" width="8" height="8" stroke="none" fill="#00abe0" />
+    <rect x="68" y="74" width="8" height="8" stroke="none" fill="#00abe0" />
+    <rect x="54" y="74" width="8" height="8" stroke="none" fill="#00abe0" />
+    <rect x="48" y="62" width="8" height="8" stroke="none" fill="#00abe0" />
+</svg>

pom.xml

@@ -2,65 +2,214 @@
          xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
     <modelVersion>4.0.0</modelVersion>
 
-    <name>jVaultConnector</name>
-
     <groupId>de.stklcode.jvault</groupId>
-    <artifactId>connector</artifactId>
-    <version>0.1</version>
+    <artifactId>jvault-connector</artifactId>
+    <version>0.8.0</version>
+
+    <packaging>jar</packaging>
+
+    <name>jVaultConnector</name>
+    <description>Connector artifact for Hashicorp's Vault secret management</description>
+    <url>https://jvault.stklcode.de</url>
+    <inceptionYear>2016</inceptionYear>
+
+    <licenses>
+        <license>
+            <name>Apache License 2.0</name>
+            <url>http://www.apache.org/licenses/LICENSE-2.0.html</url>
+            <distribution>repo</distribution>
+        </license>
+    </licenses>
+
+    <properties>
+        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+    </properties>
+
+    <developers>
+        <developer>
+            <name>Stefan Kalscheuer</name>
+            <email>stefan@stklcode.de</email>
+            <timezone>+1</timezone>
+        </developer>
+    </developers>
+
+    <scm>
+        <connection>scm:git:git://github.com/stklcode/jvaultconnector.git</connection>
+        <developerConnection>scm:git:git@github.com:stklcode/jvaultconnector.git</developerConnection>
+        <url>https://github.com/stklcode/jvaultconnector</url>
+    </scm>
+
+    <issueManagement>
+        <system>GitHub Issues</system>
+        <url>https://github.com/stklcode/jvaultconnector/issues</url>
+    </issueManagement>
 
     <build>
         <plugins>
             <plugin>
                 <groupId>org.apache.maven.plugins</groupId>
                 <artifactId>maven-compiler-plugin</artifactId>
-                <version>3.3</version>
+                <version>3.8.0</version>
                 <configuration>
                     <source>1.8</source>
                     <target>1.8</target>
                 </configuration>
             </plugin>
         </plugins>
+        <pluginManagement>
+            <plugins>
+                <plugin>
+                    <groupId>org.apache.maven.plugins</groupId>
+                    <artifactId>maven-clean-plugin</artifactId>
+                    <version>3.1.0</version>
+                </plugin>
+                <plugin>
+                    <groupId>org.apache.maven.plugins</groupId>
+                    <artifactId>maven-resources-plugin</artifactId>
+                    <version>3.1.0</version>
+                </plugin>
+                <plugin>
+                    <groupId>org.apache.maven.plugins</groupId>
+                    <artifactId>maven-jar-plugin</artifactId>
+                    <version>3.1.1</version>
+                    <configuration>
+                        <archive>
+                            <manifestEntries>
+                                <Automatic-Module-Name>de.stklcode.jvault.connector</Automatic-Module-Name>
+                            </manifestEntries>
+                        </archive>
+                    </configuration>
+                </plugin>
+                <plugin>
+                    <groupId>org.apache.maven.plugins</groupId>
+                    <artifactId>maven-install-plugin</artifactId>
+                    <version>2.5.2</version>
+                </plugin>
+                <plugin>
+                    <groupId>org.apache.maven.plugins</groupId>
+                    <artifactId>maven-surefire-plugin</artifactId>
+                    <version>2.22.1</version>
+                    <configuration>
+                        <reuseForks>false</reuseForks>
+                    </configuration>
+                </plugin>
+            </plugins>
+        </pluginManagement>
     </build>
-    <packaging>jar</packaging>
 
     <dependencies>
-        <dependency>
-            <groupId>commons-io</groupId>
-            <artifactId>commons-io</artifactId>
-            <version>2.4</version>
-        </dependency>
         <dependency>
             <groupId>org.apache.httpcomponents</groupId>
             <artifactId>httpcore</artifactId>
-            <version>4.0.1</version>
+            <version>4.4.11</version>
         </dependency>
         <dependency>
             <groupId>org.apache.httpcomponents</groupId>
             <artifactId>httpclient</artifactId>
-            <version>4.0.2</version>
+            <version>4.5.7</version>
         </dependency>
         <dependency>
             <groupId>com.fasterxml.jackson.core</groupId>
             <artifactId>jackson-core</artifactId>
-            <version>2.7.2</version>
+            <version>2.9.8</version>
         </dependency>
         <dependency>
             <groupId>com.fasterxml.jackson.core</groupId>
             <artifactId>jackson-databind</artifactId>
-            <version>2.7.2</version>
+            <version>2.9.8</version>
         </dependency>
 
         <dependency>
-            <groupId>junit</groupId>
-            <artifactId>junit</artifactId>
-            <version>4.11</version>
+            <groupId>org.junit.jupiter</groupId>
+            <artifactId>junit-jupiter-engine</artifactId>
+            <version>5.4.1</version>
             <scope>test</scope>
         </dependency>
+        <dependency>
+            <groupId>org.junit.jupiter</groupId>
+            <artifactId>junit-jupiter-migrationsupport</artifactId>
+            <version>5.4.1</version>
+        </dependency>
         <dependency>
             <groupId>org.hamcrest</groupId>
             <artifactId>hamcrest-junit</artifactId>
             <version>2.0.0.0</version>
             <scope>test</scope>
         </dependency>
+        <dependency>
+            <groupId>com.github.stefanbirkner</groupId>
+            <artifactId>system-rules</artifactId>
+            <version>1.17.2</version>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.mockito</groupId>
+            <artifactId>mockito-core</artifactId>
+            <version>2.25.1</version>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.mockito</groupId>
+            <artifactId>mockito-inline</artifactId>
+            <version>2.25.1</version>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>commons-io</groupId>
+            <artifactId>commons-io</artifactId>
+            <version>2.6</version>
+            <scope>test</scope>
+        </dependency>
     </dependencies>
+
+
+    <profiles>
+        <profile>
+            <id>sources</id>
+            <activation>
+                <activeByDefault>false</activeByDefault>
+            </activation>
+            <build>
+                <plugins>
+                    <plugin>
+                        <groupId>org.apache.maven.plugins</groupId>
+                        <artifactId>maven-source-plugin</artifactId>
+                        <version>3.0.1</version>
+                        <executions>
+                            <execution>
+                                <id>attach-sources</id>
+                                <goals>
+                                    <goal>jar-no-fork</goal>
+                                </goals>
+                            </execution>
+                        </executions>
+                    </plugin>
+                </plugins>
+            </build>
+        </profile>
+
+        <profile>
+            <id>javadoc</id>
+            <activation>
+                <activeByDefault>false</activeByDefault>
+            </activation>
+            <build>
+                <plugins>
+                    <plugin>
+                        <groupId>org.apache.maven.plugins</groupId>
+                        <artifactId>maven-javadoc-plugin</artifactId>
+                        <version>3.1.0</version>
+                        <executions>
+                            <execution>
+                                <id>attach-javadocs</id>
+                                <goals>
+                                    <goal>jar</goal>
+                                </goals>
+                            </execution>
+                        </executions>
+                    </plugin>
+                </plugins>
+            </build>
+        </profile>
+    </profiles>
 </project>

src/main/java/de/stklcode/jvault/connector/HTTPVaultConnector.java

@@ -1,401 +1,713 @@
+/*
+ * Copyright 2016-2019 Stefan Kalscheuer
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
 package de.stklcode.jvault.connector;
 
-import com.fasterxml.jackson.core.JsonProcessingException;
-import com.fasterxml.jackson.databind.ObjectMapper;
-import de.stklcode.jvault.connector.exception.*;
+import de.stklcode.jvault.connector.exception.AuthorizationRequiredException;
+import de.stklcode.jvault.connector.exception.InvalidRequestException;
+import de.stklcode.jvault.connector.exception.VaultConnectorException;
+import de.stklcode.jvault.connector.internal.RequestHelper;
+import de.stklcode.jvault.connector.model.AppRole;
+import de.stklcode.jvault.connector.model.AppRoleSecret;
 import de.stklcode.jvault.connector.model.AuthBackend;
+import de.stklcode.jvault.connector.model.Token;
 import de.stklcode.jvault.connector.model.response.*;
 import de.stklcode.jvault.connector.model.response.embedded.AuthMethod;
-import org.apache.commons.io.IOUtils;
-import org.apache.http.HttpResponse;
-import org.apache.http.client.HttpClient;
-import org.apache.http.client.methods.HttpGet;
-import org.apache.http.client.methods.HttpPost;
-import org.apache.http.client.methods.HttpPut;
-import org.apache.http.client.methods.HttpRequestBase;
-import org.apache.http.entity.StringEntity;
-import org.apache.http.impl.client.DefaultHttpClient;
-import org.apache.http.params.BasicHttpParams;
-import org.apache.http.params.HttpParams;
-import org.apache.http.protocol.HTTP;
 
-import java.io.IOException;
-import java.io.UnsupportedEncodingException;
-import java.util.*;
+import java.security.cert.X509Certificate;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
 import java.util.stream.Collectors;
 
-
 /**
  * Vault Connector implementatin using Vault's HTTP API.
  *
- * @author  Stefan Kalscheuer
- * @since   0.1
+ * @author Stefan Kalscheuer
+ * @since 0.1
  */
 public class HTTPVaultConnector implements VaultConnector {
-    private static final String PATH_PREFIX =        "/v1/";
-    private static final String PATH_SEAL_STATUS =   "sys/seal-status";
-    private static final String PATH_SEAL =          "sys/seal";
-    private static final String PATH_UNSEAL =        "sys/unseal";
-    private static final String PATH_INIT =          "sys/init";
-    private static final String PATH_AUTH =          "sys/auth";
-    private static final String PATH_TOKEN_LOOKUP =  "auth/token/lookup";
+    private static final String PATH_PREFIX = "/v1/";
+    private static final String PATH_SEAL_STATUS = "sys/seal-status";
+    private static final String PATH_SEAL = "sys/seal";
+    private static final String PATH_UNSEAL = "sys/unseal";
+    private static final String PATH_RENEW = "sys/leases/renew";
+    private static final String PATH_AUTH = "sys/auth";
+    private static final String PATH_TOKEN = "auth/token";
+    private static final String PATH_LOOKUP = "/lookup";
+    private static final String PATH_CREATE = "/create";
+    private static final String PATH_CREATE_ORPHAN = "/create-orphan";
     private static final String PATH_AUTH_USERPASS = "auth/userpass/login/";
-    private static final String PATH_AUTH_APPID =    "auth/app-id/";
-    private static final String PATH_SECRET =        "secret";
+    private static final String PATH_AUTH_APPID = "auth/app-id/";
+    private static final String PATH_AUTH_APPROLE = "auth/approle/";
+    private static final String PATH_AUTH_APPROLE_ROLE = "auth/approle/role/%s%s";
+    private static final String PATH_REVOKE = "sys/leases/revoke/";
+    private static final String PATH_HEALTH = "sys/health";
+    private static final String PATH_DATA = "/data/";
+    private static final String PATH_METADATA = "/metadata/";
+    private static final String PATH_DELETE = "/delete/";
+    private static final String PATH_UNDELETE = "/undelete/";
+    private static final String PATH_DESTROY = "/destroy/";
 
-    private final ObjectMapper jsonMapper;
+    public static final String DEFAULT_TLS_VERSION = "TLSv1.2";
 
-    private final HttpClient httpClient;        /* HTTP client for connection */
-    private final String baseURL;               /* Base URL of Vault */
+    private final RequestHelper request;
 
-    private boolean authorized = false;         /* authorization status */
-    private String token;                       /* current token */
+    private boolean authorized = false;     // Authorization status.
+    private String token;                   // Current token.
+    private long tokenTTL = 0;              // Expiration time for current token.
 
     /**
      * Create connector using hostname and schema.
-     * @param hostname  The hostname
-     * @param useTLS    If TRUE, use HTTPS, otherwise HTTP
+     *
+     * @param hostname The hostname
+     * @param useTLS   If TRUE, use HTTPS, otherwise HTTP
      */
-    public HTTPVaultConnector(String hostname, boolean useTLS) {
+    public HTTPVaultConnector(final String hostname, final boolean useTLS) {
         this(hostname, useTLS, null);
     }
 
     /**
      * Create connector using hostname, schema and port.
-     * @param hostname  The hostname
-     * @param useTLS    If TRUE, use HTTPS, otherwise HTTP
-     * @param port      The port
+     *
+     * @param hostname The hostname
+     * @param useTLS   If TRUE, use HTTPS, otherwise HTTP
+     * @param port     The port
      */
-    public HTTPVaultConnector(String hostname, boolean useTLS, Integer port) {
+    public HTTPVaultConnector(final String hostname, final boolean useTLS, final Integer port) {
         this(hostname, useTLS, port, PATH_PREFIX);
     }
 
     /**
-     * Create connector using hostname, schame, port and path
-     * @param hostname  The hostname
-     * @param useTLS    If TRUE, use HTTPS, otherwise HTTP
-     * @param port      The port
-     * @param prefix    HTTP API prefix (default: /v1/"
+     * Create connector using hostname, schema, port and path.
+     *
+     * @param hostname The hostname
+     * @param useTLS   If TRUE, use HTTPS, otherwise HTTP
+     * @param port     The port
+     * @param prefix   HTTP API prefix (default: /v1/)
      */
-    public HTTPVaultConnector(String hostname, boolean useTLS, Integer port, String prefix) {
-        this(((useTLS) ? "https" : "http") +
-                "://" + hostname +
-                ((port != null) ? ":" + port : "") +
-                prefix);
+    public HTTPVaultConnector(final String hostname, final boolean useTLS, final Integer port, final String prefix) {
+        this(((useTLS) ? "https" : "http")
+                + "://" + hostname
+                + ((port != null) ? ":" + port : "")
+                + prefix);
     }
 
     /**
-     * Create connector using full URL
-     * @param baseURL   The URL
+     * Create connector using hostname, schema, port, path and trusted certificate.
+     *
+     * @param hostname      The hostname
+     * @param useTLS        If TRUE, use HTTPS, otherwise HTTP
+     * @param port          The port
+     * @param prefix        HTTP API prefix (default: /v1/)
+     * @param trustedCaCert Trusted CA certificate
      */
-    public HTTPVaultConnector(String baseURL) {
-        this.baseURL = baseURL;
-        this.httpClient = new DefaultHttpClient();
-        this.jsonMapper = new ObjectMapper();
+    public HTTPVaultConnector(final String hostname,
+                              final boolean useTLS,
+                              final Integer port,
+                              final String prefix,
+                              final X509Certificate trustedCaCert) {
+        this(hostname, useTLS, DEFAULT_TLS_VERSION, port, prefix, trustedCaCert, 0, null);
+    }
+
+    /**
+     * Create connector using hostname, schema, port, path and trusted certificate.
+     *
+     * @param hostname        The hostname
+     * @param useTLS          If TRUE, use HTTPS, otherwise HTTP
+     * @param tlsVersion      TLS version
+     * @param port            The port
+     * @param prefix          HTTP API prefix (default: /v1/)
+     * @param trustedCaCert   Trusted CA certificate
+     * @param numberOfRetries Number of retries on 5xx errors
+     * @param timeout         Timeout for HTTP requests (milliseconds)
+     */
+    public HTTPVaultConnector(final String hostname,
+                              final boolean useTLS,
+                              final String tlsVersion,
+                              final Integer port,
+                              final String prefix,
+                              final X509Certificate trustedCaCert,
+                              final int numberOfRetries,
+                              final Integer timeout) {
+        this(((useTLS) ? "https" : "http")
+                        + "://" + hostname
+                        + ((port != null) ? ":" + port : "")
+                        + prefix,
+                trustedCaCert,
+                numberOfRetries,
+                timeout,
+                tlsVersion);
+    }
+
+    /**
+     * Create connector using full URL.
+     *
+     * @param baseURL The URL
+     */
+    public HTTPVaultConnector(final String baseURL) {
+        this(baseURL, null);
+    }
+
+    /**
+     * Create connector using full URL and trusted certificate.
+     *
+     * @param baseURL       The URL
+     * @param trustedCaCert Trusted CA certificate
+     */
+    public HTTPVaultConnector(final String baseURL, final X509Certificate trustedCaCert) {
+        this(baseURL, trustedCaCert, 0, null);
+    }
+
+    /**
+     * Create connector using full URL and trusted certificate.
+     *
+     * @param baseURL         The URL
+     * @param trustedCaCert   Trusted CA certificate
+     * @param numberOfRetries Number of retries on 5xx errors
+     */
+    public HTTPVaultConnector(final String baseURL, final X509Certificate trustedCaCert, final int numberOfRetries) {
+        this(baseURL, trustedCaCert, numberOfRetries, null);
+    }
+
+    /**
+     * Create connector using full URL and trusted certificate.
+     *
+     * @param baseURL         The URL
+     * @param trustedCaCert   Trusted CA certificate
+     * @param numberOfRetries Number of retries on 5xx errors
+     * @param timeout         Timeout for HTTP requests (milliseconds)
+     */
+    public HTTPVaultConnector(final String baseURL,
+                              final X509Certificate trustedCaCert,
+                              final int numberOfRetries,
+                              final Integer timeout) {
+        this(baseURL, trustedCaCert, numberOfRetries, timeout, DEFAULT_TLS_VERSION);
+    }
+
+    /**
+     * Create connector using full URL and trusted certificate.
+     *
+     * @param baseURL         The URL
+     * @param trustedCaCert   Trusted CA certificate
+     * @param numberOfRetries Number of retries on 5xx errors
+     * @param timeout         Timeout for HTTP requests (milliseconds)
+     * @param tlsVersion      TLS Version.
+     */
+    public HTTPVaultConnector(final String baseURL,
+                              final X509Certificate trustedCaCert,
+                              final int numberOfRetries,
+                              final Integer timeout,
+                              final String tlsVersion) {
+        this.request = new RequestHelper(baseURL, numberOfRetries, timeout, tlsVersion, trustedCaCert);
     }
 
     @Override
-    public void resetAuth() {
+    public final void resetAuth() {
         token = null;
+        tokenTTL = 0;
         authorized = false;
     }
 
     @Override
-    public SealResponse sealStatus() {
-        try {
-            String response = requestGet(PATH_SEAL_STATUS, new HashMap<>());
-            return jsonMapper.readValue(response, SealResponse.class);
-        } catch (VaultConnectorException | IOException e) {
-            e.printStackTrace();
-            return null;
-        }
+    public final SealResponse sealStatus() throws VaultConnectorException {
+        return request.get(PATH_SEAL_STATUS, new HashMap<>(), token, SealResponse.class);
     }
 
     @Override
-    public boolean seal() {
-        try {
-            requestPut(PATH_SEAL, new HashMap<>());
-            return true;
-        } catch (VaultConnectorException e) {
-            e.printStackTrace();
-            return false;
-        }
+    public final void seal() throws VaultConnectorException {
+        request.put(PATH_SEAL, new HashMap<>(), token);
     }
 
     @Override
-    public SealResponse unseal(final String key, final Boolean reset) {
-        Map<String, Object> param = new HashMap<>();
+    public final SealResponse unseal(final String key, final Boolean reset) throws VaultConnectorException {
+        Map<String, String> param = new HashMap<>();
         param.put("key", key);
-        if (reset != null)
-            param.put("reset", reset);
-        try {
-            String response = requestPut(PATH_UNSEAL, param);
-            return jsonMapper.readValue(response, SealResponse.class);
-        } catch (VaultConnectorException | IOException e) {
-            e.printStackTrace();
-            return null;
+        if (reset != null) {
+            param.put("reset", reset.toString());
         }
+
+        return request.put(PATH_UNSEAL, param, token, SealResponse.class);
     }
 
     @Override
-    public boolean isAuthorized() {
-        return authorized;
+    public HealthResponse getHealth() throws VaultConnectorException {
+        /* Force status code to be 200, so we don't need to modify the request sequence. */
+        Map<String, String> param = new HashMap<>();
+        param.put("standbycode", "200");    // Default: 429.
+        param.put("sealedcode", "200");     // Default: 503.
+        param.put("uninitcode", "200");     // Default: 501.
+
+        return request.get(PATH_HEALTH, param, token, HealthResponse.class);
     }
 
     @Override
-    public boolean init() {
-        /* TODO: implement init() */
-        return true;
+    public final boolean isAuthorized() {
+        return authorized && (tokenTTL == 0 || tokenTTL >= System.currentTimeMillis());
     }
 
     @Override
-    public List<AuthBackend> getAuthBackends() throws VaultConnectorException {
-        try {
-            String response = requestGet(PATH_AUTH, new HashMap<>());
-            /* Parse response */
-            AuthMethodsResponse amr = jsonMapper.readValue(response, AuthMethodsResponse.class);
-            return amr.getSupportedMethods().stream().map(AuthMethod::getType).collect(Collectors.toList());
-        } catch (IOException e) {
-            throw new InvalidResponseException("Unable to parse response", e);
-        }
+    public final List<AuthBackend> getAuthBackends() throws VaultConnectorException {
+        /* Issue request and parse response */
+        AuthMethodsResponse amr = request.get(PATH_AUTH, new HashMap<>(), token, AuthMethodsResponse.class);
+
+        return amr.getSupportedMethods().values().stream().map(AuthMethod::getType).collect(Collectors.toList());
     }
 
     @Override
-    public TokenResponse authToken(final String token) throws VaultConnectorException {
+    public final TokenResponse authToken(final String token) throws VaultConnectorException {
         /* set token */
         this.token = token;
-        try {
-            String response = requestPost(PATH_TOKEN_LOOKUP, new HashMap<>());
-            TokenResponse res = jsonMapper.readValue(response, TokenResponse.class);
-            authorized = true;
-            return res;
-        } catch (IOException e) {
-            throw new InvalidResponseException("Unable to parse response", e);
-        }
+        this.tokenTTL = 0;
+        TokenResponse res = request.post(PATH_TOKEN + PATH_LOOKUP, new HashMap<>(), token, TokenResponse.class);
+        authorized = true;
+
+        return res;
     }
 
     @Override
-    public AuthResponse authUserPass(final String username, final String password) throws VaultConnectorException {
-        Map<String, String> payload = new HashMap<>();
+    public final AuthResponse authUserPass(final String username, final String password)
+            throws VaultConnectorException {
+        final Map<String, String> payload = new HashMap<>();
         payload.put("password", password);
-        try {
-            /* Get response */
-            String response = requestPost(PATH_AUTH_USERPASS + username, payload);
-            /* Parse response */
-            AuthResponse upr = jsonMapper.readValue(response, AuthResponse.class);
-            /* verify response */
-            this.token = upr.getAuth().getClientToken();
-            this.authorized = true;
-            return upr;
-        } catch (IOException e) {
-            throw new InvalidResponseException("Unable to parse response", e);
-        }
+        return queryAuth(PATH_AUTH_USERPASS + username, payload);
     }
 
     @Override
-    public AuthResponse authAppId(final String appID, final String userID) throws VaultConnectorException {
-        Map<String, String> payload = new HashMap<>();
+    @Deprecated
+    public final AuthResponse authAppId(final String appID, final String userID) throws VaultConnectorException {
+        final Map<String, String> payload = new HashMap<>();
         payload.put("app_id", appID);
         payload.put("user_id", userID);
-        try {
-            /* Get response */
-            String response = requestPost(PATH_AUTH_APPID + "login", payload);
-            /* Parse response */
-            AuthResponse auth = jsonMapper.readValue(response, AuthResponse.class);
-            /* verify response */
-            this.token = auth.getAuth().getClientToken();
-            this.authorized = true;
-            return auth;
-        } catch (IOException e) {
-            throw new InvalidResponseException("Unable to parse response", e);
-        }
+        return queryAuth(PATH_AUTH_APPID + "login", payload);
     }
 
     @Override
-    public boolean registerAppId(final String appID, final String policy, final String displayName) throws VaultConnectorException {
-        if (!isAuthorized())
-            throw new AuthorizationRequiredException();
+    public final AuthResponse authAppRole(final String roleID, final String secretID) throws VaultConnectorException {
+        final Map<String, String> payload = new HashMap<>();
+        payload.put("role_id", roleID);
+        if (secretID != null) {
+            payload.put("secret_id", secretID);
+        }
+        return queryAuth(PATH_AUTH_APPROLE + "login", payload);
+    }
+
+    /**
+     * Query authorization request to given backend.
+     *
+     * @param path    The path to request
+     * @param payload Payload (credentials)
+     * @return The AuthResponse
+     * @throws VaultConnectorException on errors
+     */
+    private AuthResponse queryAuth(final String path, final Map<String, String> payload)
+            throws VaultConnectorException {
+        /* Issue request and parse response */
+        AuthResponse auth = request.post(path, payload, token, AuthResponse.class);
+        /* verify response */
+        this.token = auth.getAuth().getClientToken();
+        this.tokenTTL = System.currentTimeMillis() + auth.getAuth().getLeaseDuration() * 1000L;
+        this.authorized = true;
+
+        return auth;
+    }
+
+    @Override
+    @Deprecated
+    public final boolean registerAppId(final String appID, final String policy, final String displayName)
+            throws VaultConnectorException {
+        requireAuth();
         Map<String, String> payload = new HashMap<>();
         payload.put("value", policy);
         payload.put("display_name", displayName);
-        /* Get response */
-        String response = requestPost(PATH_AUTH_APPID + "map/app-id/" + appID, payload);
-        /* Response should be code 204 without content */
-        if (!response.equals(""))
-            throw new InvalidResponseException("Received response where non was expected.");
+
+        /* Issue request and expect code 204 with empty response */
+        request.postWithoutResponse(PATH_AUTH_APPID + "map/app-id/" + appID, payload, token);
+
         return true;
     }
 
     @Override
-    public boolean registerUserId(final String appID, final String userID) throws VaultConnectorException {
-        if (!isAuthorized())
-            throw new AuthorizationRequiredException();
+    @Deprecated
+    public final boolean registerUserId(final String appID, final String userID) throws VaultConnectorException {
+        requireAuth();
         Map<String, String> payload = new HashMap<>();
         payload.put("value", appID);
-        /* Get response */
-        String response = requestPost(PATH_AUTH_APPID + "map/user-id/" + userID, payload);
-        /* Response should be code 204 without content */
-        if (!response.equals(""))
-            throw new InvalidResponseException("Received response where non was expected.");
+
+        /* Issue request and expect code 204 with empty response */
+        request.postWithoutResponse(PATH_AUTH_APPID + "map/user-id/" + userID, payload, token);
+
         return true;
     }
 
     @Override
-    public SecretResponse readSecret(final String key) throws VaultConnectorException {
-        if (!isAuthorized())
-            throw new AuthorizationRequiredException();
+    public final boolean createAppRole(final AppRole role) throws VaultConnectorException {
+        requireAuth();
+
+        /* Issue request and expect code 204 with empty response */
+        request.postWithoutResponse(String.format(PATH_AUTH_APPROLE_ROLE, role.getName(), ""), role, token);
+
+        /* Set custom ID if provided */
+        return !(role.getId() != null && !role.getId().isEmpty()) || setAppRoleID(role.getName(), role.getId());
+    }
+
+    @Override
+    public final AppRoleResponse lookupAppRole(final String roleName) throws VaultConnectorException {
+        requireAuth();
         /* Request HTTP response and parse Secret */
-        try {
-            String response = requestGet(PATH_SECRET + "/" + key, new HashMap<>());
-            return jsonMapper.readValue(response, SecretResponse.class);
-        } catch (IOException e) {
-            throw new InvalidResponseException("Unable to parse response", e);
+        return request.get(String.format(PATH_AUTH_APPROLE_ROLE, roleName, ""), new HashMap<>(), token, AppRoleResponse.class);
+    }
+
+    @Override
+    public final boolean deleteAppRole(final String roleName) throws VaultConnectorException {
+        requireAuth();
+
+        /* Issue request and expect code 204 with empty response */
+        request.deleteWithoutResponse(String.format(PATH_AUTH_APPROLE_ROLE, roleName, ""), token);
+
+        return true;
+    }
+
+    @Override
+    public final String getAppRoleID(final String roleName) throws VaultConnectorException {
+        requireAuth();
+        /* Issue request, parse response and extract Role ID */
+        return request.get(
+                String.format(PATH_AUTH_APPROLE_ROLE, roleName, "/role-id"),
+                new HashMap<>(),
+                token,
+                RawDataResponse.class
+        ).getData().get("role_id").toString();
+    }
+
+    @Override
+    public final boolean setAppRoleID(final String roleName, final String roleID) throws VaultConnectorException {
+        requireAuth();
+        /* Request HTTP response and parse Secret */
+        Map<String, String> payload = new HashMap<>();
+        payload.put("role_id", roleID);
+
+        /* Issue request and expect code 204 with empty response */
+        request.postWithoutResponse(String.format(PATH_AUTH_APPROLE_ROLE, roleName, "/role-id"), payload, token);
+
+        return true;
+    }
+
+    @Override
+    public final AppRoleSecretResponse createAppRoleSecret(final String roleName, final AppRoleSecret secret)
+            throws VaultConnectorException {
+        requireAuth();
+
+        if (secret.getId() != null && !secret.getId().isEmpty()) {
+            return request.post(
+                    String.format(PATH_AUTH_APPROLE_ROLE, roleName, "/custom-secret-id"),
+                    secret,
+                    token,
+                    AppRoleSecretResponse.class
+            );
+        } else {
+            return request.post(
+                    String.format(PATH_AUTH_APPROLE_ROLE, roleName, "/secret-id"),
+                    secret, token,
+                    AppRoleSecretResponse.class
+            );
         }
     }
 
     @Override
-    public List<String> listSecrets(final String path) throws VaultConnectorException {
-        if (!isAuthorized())
-            throw new AuthorizationRequiredException();
+    public final AppRoleSecretResponse lookupAppRoleSecret(final String roleName, final String secretID)
+            throws VaultConnectorException {
+        requireAuth();
 
-        String response = requestGet(PATH_SECRET + "/" + path + "/?list=true", new HashMap<>());
-        try {
-            SecretListResponse secrets = jsonMapper.readValue(response, SecretListResponse.class);
-            return secrets.getKeys();
-        } catch (IOException e) {
-            throw new InvalidResponseException("Unable to parse response", e);
-        }
+        /* Issue request and parse secret response */
+        return request.post(
+                String.format(PATH_AUTH_APPROLE_ROLE, roleName, "/secret-id/lookup"),
+                new AppRoleSecret(secretID),
+                token,
+                AppRoleSecretResponse.class
+        );
     }
 
     @Override
-    public boolean writeSecret(final String key, final String value) throws VaultConnectorException {
-        if (key == null || key.isEmpty())
+    public final boolean destroyAppRoleSecret(final String roleName, final String secretID)
+            throws VaultConnectorException {
+        requireAuth();
+
+        /* Issue request and expect code 204 with empty response */
+        request.postWithoutResponse(
+                String.format(PATH_AUTH_APPROLE_ROLE, roleName, "/secret-id/destroy"),
+                new AppRoleSecret(secretID),
+                token);
+
+        return true;
+    }
+
+    @Override
+    public final List<String> listAppRoles() throws VaultConnectorException {
+        requireAuth();
+
+        SecretListResponse secrets = request.get(PATH_AUTH_APPROLE + "role?list=true", new HashMap<>(), token, SecretListResponse.class);
+        return secrets.getKeys();
+    }
+
+    @Override
+    public final List<String> listAppRoleSecrets(final String roleName) throws VaultConnectorException {
+        requireAuth();
+
+        SecretListResponse secrets = request.get(
+                String.format(PATH_AUTH_APPROLE_ROLE, roleName, "/secret-id?list=true"),
+                new HashMap<>(),
+                token,
+                SecretListResponse.class
+        );
+
+        return secrets.getKeys();
+    }
+
+    @Override
+    public final SecretResponse read(final String key) throws VaultConnectorException {
+        requireAuth();
+        /* Issue request and parse secret response */
+        return request.get(key, new HashMap<>(), token, SecretResponse.class);
+    }
+
+    @Override
+    public final SecretResponse readSecretVersion(final String mount, final String key, final Integer version) throws VaultConnectorException {
+        requireAuth();
+        /* Request HTTP response and parse secret metadata */
+        Map<String, String> args = new HashMap<>();
+        if (version != null) {
+            args.put("version", version.toString());
+        }
+
+        return request.get(mount + PATH_DATA + key, args, token, SecretResponse.class);
+    }
+
+    @Override
+    public final MetadataResponse readSecretMetadata(final String mount, final String key) throws VaultConnectorException {
+        requireAuth();
+
+        /* Request HTTP response and parse secret metadata */
+        return request.get(mount + PATH_METADATA + key, new HashMap<>(), token, MetadataResponse.class);
+    }
+
+    @Override
+    public void updateSecretMetadata(final String mount, final String key, final Integer maxVersions, final boolean casRequired) throws VaultConnectorException {
+        requireAuth();
+
+        Map<String, Object> payload = new HashMap<>();
+        if (maxVersions != null) {
+            payload.put("max_versions", maxVersions);
+        }
+        payload.put("cas_required", casRequired);
+
+        write(mount + PATH_METADATA + key, payload);
+    }
+
+    @Override
+    public final SecretVersionResponse writeSecretData(final String mount, final String key, final Map<String, Object> data, final Integer cas) throws VaultConnectorException {
+        requireAuth();
+
+        if (key == null || key.isEmpty()) {
             throw new InvalidRequestException("Secret path must not be empty.");
-
-        Map<String, String> param = new HashMap<>();
-        param.put("value", value);
-        return requestPost(PATH_SECRET + "/" + key, param).equals("");
-    }
-
-
-
-    /**
-     * Execute HTTP request using POST method.
-     * @param path      URL path (relative to base)
-     * @param payload   Map of payload values (will be converted to JSON)
-     * @return          HTTP response
-     * @throws VaultConnectorException
-     */
-    private String requestPost(final String path, final Map payload) throws VaultConnectorException {
-        /* Initialize post */
-        HttpPost post = new HttpPost(baseURL + path);
-        /* generate JSON from payload */
-        StringEntity input;
-        try {
-            input = new StringEntity(jsonMapper.writeValueAsString(payload), HTTP.UTF_8);
-        } catch (UnsupportedEncodingException | JsonProcessingException e) {
-            throw new InvalidRequestException("Unable to parse response", e);
         }
-        input.setContentEncoding("UTF-8");
-        input.setContentType("application/json");
-        post.setEntity(input);
-        /* Set X-Vault-Token header */
-        if (token != null)
-            post.addHeader("X-Vault-Token", token);
 
-        return request(post);
-    }
-
-    /**
-     * Execute HTTP request using PUT method.
-     * @param path      URL path (relative to base)
-     * @param payload   Map of payload values (will be converted to JSON)
-     * @return          HTTP response
-     * @throws VaultConnectorException
-     */
-    private String requestPut(final String path, final Map<String, Object> payload) throws VaultConnectorException {
-        /* Initialize post */
-        HttpPut put = new HttpPut(baseURL + path);
-        /* generate JSON from payload */
-        StringEntity entity = null;
-        try {
-            entity = new StringEntity(jsonMapper.writeValueAsString(payload));
-        } catch (UnsupportedEncodingException | JsonProcessingException e) {
-            e.printStackTrace();
+        // Add CAS value to options map if present.
+        Map<String, Object> options = new HashMap<>();
+        if (cas != null) {
+            options.put("cas", cas);
         }
-        /* Parse parameters */
-        put.setEntity(entity);
-        /* Set X-Vault-Token header */
-        if (token != null)
-            put.addHeader("X-Vault-Token", token);
+        
+        Map<String, Object> payload = new HashMap<>();
+        payload.put("data", data);
+        payload.put("options", options);
 
-        return request(put);
+        /* Issue request and parse metadata response */
+        return request.post(mount + PATH_DATA + key, payload, token, SecretVersionResponse.class);
     }
 
-    /**
-     * Execute HTTP request using GET method.
-     * @param path      URL path (relative to base)
-     * @param payload   Map of payload values (will be converted to JSON)
-     * @return          HTTP response
-     * @throws VaultConnectorException
-     */
-    private String requestGet(final String path, final Map<String, Object> payload) throws VaultConnectorException {
-        /* Initialize post */
-        HttpGet get = new HttpGet(baseURL + path);
-        /* Parse parameters */
-        HttpParams params = new BasicHttpParams();
-        payload.forEach(params::setParameter);
-        get.setParams(params);
+    @Override
+    public final List<String> list(final String path) throws VaultConnectorException {
+        requireAuth();
 
-        /* Set X-Vault-Token header */
-        if (token != null)
-            get.addHeader("X-Vault-Token", token);
+        SecretListResponse secrets = request.get(path + "/?list=true", new HashMap<>(), token, SecretListResponse.class);
 
-        return request(get);
+        return secrets.getKeys();
     }
 
-    /**
-     * Execute prepared HTTP request and return result
-     * @param base      Prepares Request
-     * @return          HTTP response
-     * @throws VaultConnectorException
-     */
-    private String request(HttpRequestBase base) throws VaultConnectorException {
-        /* Set JSON Header */
-        base.addHeader("accept", "application/json");
+    @Override
+    public final void write(final String key, final Map<String, Object> data, final Map<String, Object> options) throws VaultConnectorException {
+        requireAuth();
 
-        HttpResponse response = null;
-        try {
-            response = httpClient.execute(base);
-            /* Check if response is valid */
-            if (response == null)
-                throw new InvalidResponseException("Response unavailable");
-            switch (response.getStatusLine().getStatusCode()) {
-                case 200:
-                    return IOUtils.toString(response.getEntity().getContent());
-                case 204:
-                    return "";
-                case 403:
-                    throw new PermissionDeniedException();
-                default:
-                    InvalidResponseException ex = new InvalidResponseException("Invalid response code")
-                            .withStatusCode(response.getStatusLine().getStatusCode());
-                    try {
-                        throw ex.withResponse(IOUtils.toString(response.getEntity().getContent()));
-                    }
-                    catch (IOException e) {
-                        throw ex;
-                    }
-            }
-        } catch (IOException e) {
-            throw new InvalidResponseException("Unable to read response", e);
+        if (key == null || key.isEmpty()) {
+            throw new InvalidRequestException("Secret path must not be empty.");
         }
-        finally {
-            if (response != null && response.getEntity() != null)
-                try {
-                    response.getEntity().consumeContent();
-                } catch (IOException ignored) {
-                }
+
+        // By default data is directly passed as payload.
+        Object payload = data;
+
+        // If options are given, split payload in two parts.
+        if (options != null) {
+            Map<String, Object> payloadMap = new HashMap<>();
+            payloadMap.put("data", data);
+            payloadMap.put("options", options);
+            payload = payloadMap;
+        }
+
+        /* Issue request and expect code 204 with empty response */
+        request.postWithoutResponse(key, payload, token);
+    }
+
+    @Override
+    public final void delete(final String key) throws VaultConnectorException {
+        requireAuth();
+
+        /* Issue request and expect code 204 with empty response */
+        request.deleteWithoutResponse(key, token);
+    }
+
+    @Override
+    public final void deleteLatestSecretVersion(final String mount, final String key) throws VaultConnectorException {
+        delete(mount + PATH_DATA + key);
+    }
+
+    @Override
+    public final void deleteAllSecretVersions(final String mount, final String key) throws VaultConnectorException {
+        delete(mount + PATH_METADATA + key);
+    }
+
+    @Override
+    public final void deleteSecretVersions(final String mount, final String key, final int... versions) throws VaultConnectorException {
+        handleSecretVersions(mount, PATH_DELETE, key, versions);
+    }
+
+    @Override
+    public final void undeleteSecretVersions(final String mount, final String key, final int... versions) throws VaultConnectorException {
+        handleSecretVersions(mount, PATH_UNDELETE, key, versions);
+    }
+
+    @Override
+    public final void destroySecretVersions(final String mount, final String key, final int... versions) throws VaultConnectorException {
+        handleSecretVersions(mount, PATH_DESTROY, key, versions);
+    }
+
+    /**
+     * Common method to bundle secret version operations.
+     *
+     * @param mount    Secret store mountpoint (without leading or trailing slash).
+     * @param pathPart Path part to query.
+     * @param key      Secret key.
+     * @param versions Versions to handle.
+     * @throws VaultConnectorException on error
+     * @since 0.8
+     */
+    private void handleSecretVersions(final String mount, final String pathPart, final String key, final int... versions) throws VaultConnectorException {
+        requireAuth();
+
+        /* Request HTTP response and expect empty result */
+        Map<String, Object> payload = new HashMap<>();
+        payload.put("versions", versions);
+
+        /* Issue request and expect code 204 with empty response */
+        request.postWithoutResponse(mount + pathPart + key, payload, token);
+    }
+
+    @Override
+    public final void revoke(final String leaseID) throws VaultConnectorException {
+        requireAuth();
+
+        /* Issue request and expect code 204 with empty response */
+        request.putWithoutResponse(PATH_REVOKE + leaseID, new HashMap<>(), token);
+    }
+
+    @Override
+    public final SecretResponse renew(final String leaseID, final Integer increment) throws VaultConnectorException {
+        requireAuth();
+
+        Map<String, String> payload = new HashMap<>();
+        payload.put("lease_id", leaseID);
+        if (increment != null) {
+            payload.put("increment", increment.toString());
+        }
+
+        /* Issue request and parse secret response */
+        return request.put(PATH_RENEW, payload, token, SecretResponse.class);
+    }
+
+    @Override
+    public final AuthResponse createToken(final Token token) throws VaultConnectorException {
+        return createTokenInternal(token, PATH_TOKEN + PATH_CREATE);
+    }
+
+    @Override
+    public final AuthResponse createToken(final Token token, final boolean orphan) throws VaultConnectorException {
+        return createTokenInternal(token, PATH_TOKEN + PATH_CREATE_ORPHAN);
+    }
+
+    @Override
+    public final AuthResponse createToken(final Token token, final String role) throws VaultConnectorException {
+        if (role == null || role.isEmpty()) {
+            throw new InvalidRequestException("No role name specified.");
+        }
+        return createTokenInternal(token, PATH_TOKEN + PATH_CREATE + "/" + role);
+    }
+
+    @Override
+    public final void close() {
+        authorized = false;
+        token = null;
+        tokenTTL = 0;
+    }
+
+    /**
+     * Create token.
+     * Centralized method to handle different token creation requests.
+     *
+     * @param token the token
+     * @param path  request path
+     * @return the response
+     * @throws VaultConnectorException on error
+     */
+    private AuthResponse createTokenInternal(final Token token, final String path) throws VaultConnectorException {
+        requireAuth();
+
+        if (token == null) {
+            throw new InvalidRequestException("Token must be provided.");
+        }
+
+        return request.post(path, token, this.token, AuthResponse.class);
+    }
+
+    @Override
+    public final TokenResponse lookupToken(final String token) throws VaultConnectorException {
+        requireAuth();
+
+        /* Request HTTP response and parse Secret */
+        return request.get(PATH_TOKEN + "/lookup/" + token, new HashMap<>(), token, TokenResponse.class);
+    }
+
+    /**
+     * Check for required authorization.
+     *
+     * @throws AuthorizationRequiredException Connector is not authorized.
+     * @since 0.8 Bundled in method to reduce repetition.
+     */
+    private void requireAuth() throws AuthorizationRequiredException {
+        if (!isAuthorized()) {
+            throw new AuthorizationRequiredException();
         }
     }
 }

src/main/java/de/stklcode/jvault/connector/builder/HTTPVaultConnectorBuilder.java

@@ -0,0 +1,298 @@
+/*
+ * Copyright 2016-2019 Stefan Kalscheuer
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package de.stklcode.jvault.connector.builder;
+
+import de.stklcode.jvault.connector.HTTPVaultConnector;
+import de.stklcode.jvault.connector.exception.ConnectionException;
+import de.stklcode.jvault.connector.exception.TlsException;
+import de.stklcode.jvault.connector.exception.VaultConnectorException;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.net.MalformedURLException;
+import java.net.URL;
+import java.nio.file.Files;
+import java.nio.file.Path;
+import java.nio.file.Paths;
+import java.security.cert.CertificateException;
+import java.security.cert.CertificateFactory;
+import java.security.cert.X509Certificate;
+
+/**
+ * Vault Connector Factory implementation for HTTP Vault connectors.
+ *
+ * @author Stefan Kalscheuer
+ * @since 0.8.0
+ */
+public final class HTTPVaultConnectorBuilder implements VaultConnectorBuilder {
+    private static final String ENV_VAULT_ADDR = "VAULT_ADDR";
+    private static final String ENV_VAULT_CACERT = "VAULT_CACERT";
+    private static final String ENV_VAULT_TOKEN = "VAULT_TOKEN";
+    private static final String ENV_VAULT_MAX_RETRIES = "VAULT_MAX_RETRIES";
+
+    public static final String DEFAULT_HOST = "127.0.0.1";
+    public static final Integer DEFAULT_PORT = 8200;
+    public static final boolean DEFAULT_TLS = true;
+    public static final String DEFAULT_TLS_VERSION = "TLSv1.2";
+    public static final String DEFAULT_PREFIX = "/v1/";
+    public static final int DEFAULT_NUMBER_OF_RETRIES = 0;
+
+    private String host;
+    private Integer port;
+    private boolean tls;
+    private String tlsVersion;
+    private String prefix;
+    private X509Certificate trustedCA;
+    private int numberOfRetries;
+    private Integer timeout;
+    private String token;
+
+    /**
+     * Default empty constructor.
+     * Initializes factory with default values.
+     */
+    public HTTPVaultConnectorBuilder() {
+        host = DEFAULT_HOST;
+        port = DEFAULT_PORT;
+        tls = DEFAULT_TLS;
+        tlsVersion = DEFAULT_TLS_VERSION;
+        prefix = DEFAULT_PREFIX;
+        numberOfRetries = DEFAULT_NUMBER_OF_RETRIES;
+    }
+
+    /**
+     * Set hostname (default: 127.0.0.1).
+     *
+     * @param host Hostname or IP address
+     * @return self
+     */
+    public HTTPVaultConnectorBuilder withHost(final String host) {
+        this.host = host;
+        return this;
+    }
+
+    /**
+     * Set port (default: 8200).
+     *
+     * @param port Vault TCP port
+     * @return self
+     */
+    public HTTPVaultConnectorBuilder withPort(final Integer port) {
+        this.port = port;
+        return this;
+    }
+
+    /**
+     * Set TLS usage (default: TRUE).
+     *
+     * @param useTLS use TLS or not
+     * @return self
+     */
+    public HTTPVaultConnectorBuilder withTLS(final boolean useTLS) {
+        this.tls = useTLS;
+        return this;
+    }
+
+    /**
+     * Set TLS usage (default: TRUE).
+     *
+     * @param useTLS  Use TLS or not.
+     * @param version Supported TLS version ({@code TLSv1.2}, {@code TLSv1.1}, {@code TLSv1.0}, {@code TLS}).
+     * @return self
+     * @since 0.8 Added version parameter (#22).
+     */
+    public HTTPVaultConnectorBuilder withTLS(final boolean useTLS, final String version) {
+        this.tls = useTLS;
+        this.tlsVersion = version;
+        return this;
+    }
+
+    /**
+     * Convenience Method for TLS usage (enabled by default).
+     *
+     * @param version Supported TLS version ({@code TLSv1.2}, {@code TLSv1.1}, {@code TLSv1.0}, {@code TLS}).
+     * @return self
+     * @since 0.8 Added version parameter (#22).
+     */
+    public HTTPVaultConnectorBuilder withTLS(final String version) {
+        return withTLS(true, version);
+    }
+
+    /**
+     * Convenience Method for TLS usage (enabled by default).
+     *
+     * @return self
+     */
+    public HTTPVaultConnectorBuilder withTLS() {
+        return withTLS(true);
+    }
+
+    /**
+     * Convenience Method for NOT using TLS.
+     *
+     * @return self
+     */
+    public HTTPVaultConnectorBuilder withoutTLS() {
+        return withTLS(false);
+    }
+
+    /**
+     * Set API prefix. Default is "/v1/" and changes should not be necessary for current state of development.
+     *
+     * @param prefix Vault API prefix (default: "/v1/"
+     * @return self
+     */
+    public HTTPVaultConnectorBuilder withPrefix(final String prefix) {
+        this.prefix = prefix;
+        return this;
+    }
+
+    /**
+     * Add a trusted CA certifiate for HTTPS connections.
+     *
+     * @param cert path to certificate file
+     * @return self
+     * @throws VaultConnectorException on error
+     * @since 0.4.0
+     */
+    public HTTPVaultConnectorBuilder withTrustedCA(final Path cert) throws VaultConnectorException {
+        if (cert != null) {
+            return withTrustedCA(certificateFromFile(cert));
+        } else {
+            this.trustedCA = null;
+        }
+        return this;
+    }
+
+    /**
+     * Add a trusted CA certifiate for HTTPS connections.
+     *
+     * @param cert path to certificate file
+     * @return self
+     * @since 0.8.0
+     */
+    public HTTPVaultConnectorBuilder withTrustedCA(final X509Certificate cert) {
+        this.trustedCA = cert;
+        return this;
+    }
+
+    /**
+     * Set token for automatic authentication, using {@link #buildAndAuth()}.
+     *
+     * @param token Vault token
+     * @return self
+     * @since 0.6.0
+     */
+    public HTTPVaultConnectorBuilder withToken(final String token) {
+        this.token = token;
+        return this;
+    }
+
+    /**
+     * Build connector based on the {@code }VAULT_ADDR} and {@code VAULT_CACERT} (optional) environment variables.
+     *
+     * @return self
+     * @throws VaultConnectorException if Vault address from environment variables is malformed
+     * @since 0.6.0
+     */
+    public HTTPVaultConnectorBuilder fromEnv() throws VaultConnectorException {
+        /* Parse URL from environment variable */
+        if (System.getenv(ENV_VAULT_ADDR) != null && !System.getenv(ENV_VAULT_ADDR).trim().isEmpty()) {
+            try {
+                URL url = new URL(System.getenv(ENV_VAULT_ADDR));
+                this.host = url.getHost();
+                this.port = url.getPort();
+                this.tls = url.getProtocol().equals("https");
+            } catch (MalformedURLException e) {
+                throw new ConnectionException("URL provided in environment variable malformed", e);
+            }
+        }
+
+        /* Read number of retries */
+        if (System.getenv(ENV_VAULT_MAX_RETRIES) != null) {
+            try {
+                numberOfRetries = Integer.parseInt(System.getenv(ENV_VAULT_MAX_RETRIES));
+            } catch (NumberFormatException ignored) {
+                /* Ignore malformed values. */
+            }
+        }
+
+        /* Read token */
+        token = System.getenv(ENV_VAULT_TOKEN);
+
+        /* Parse certificate, if set */
+        if (System.getenv(ENV_VAULT_CACERT) != null && !System.getenv(ENV_VAULT_CACERT).trim().isEmpty()) {
+            return withTrustedCA(Paths.get(System.getenv(ENV_VAULT_CACERT)));
+        }
+        return this;
+    }
+
+    /**
+     * Define the number of retries to attempt on 5xx errors.
+     *
+     * @param numberOfRetries The number of retries to attempt on 5xx errors (default: 0)
+     * @return self
+     * @since 0.6.0
+     */
+    public HTTPVaultConnectorBuilder withNumberOfRetries(final int numberOfRetries) {
+        this.numberOfRetries = numberOfRetries;
+        return this;
+    }
+
+    /**
+     * Define a custom timeout for the HTTP connection.
+     *
+     * @param milliseconds Timeout value in milliseconds.
+     * @return self
+     * @since 0.6.0
+     */
+    public HTTPVaultConnectorBuilder withTimeout(final int milliseconds) {
+        this.timeout = milliseconds;
+        return this;
+    }
+
+    @Override
+    public HTTPVaultConnector build() {
+        return new HTTPVaultConnector(host, tls, tlsVersion, port, prefix, trustedCA, numberOfRetries, timeout);
+    }
+
+    @Override
+    public HTTPVaultConnector buildAndAuth() throws VaultConnectorException {
+        if (token == null) {
+            throw new ConnectionException("No vault token provided, unable to authenticate.");
+        }
+        HTTPVaultConnector con = build();
+        con.authToken(token);
+        return con;
+    }
+
+    /**
+     * Read given certificate file to X.509 certificate.
+     *
+     * @param certFile Path to certificate file
+     * @return X.509 Certificate object
+     * @throws TlsException on error
+     * @since 0.4.0
+     */
+    private X509Certificate certificateFromFile(final Path certFile) throws TlsException {
+        try (InputStream is = Files.newInputStream(certFile)) {
+            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(is);
+        } catch (IOException | CertificateException e) {
+            throw new TlsException("Unable to read certificate.", e);
+        }
+    }
+}

src/main/java/de/stklcode/jvault/connector/builder/VaultConnectorBuilder.java

@@ -0,0 +1,54 @@
+/*
+ * Copyright 2016-2019 Stefan Kalscheuer
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package de.stklcode.jvault.connector.builder;
+
+import de.stklcode.jvault.connector.VaultConnector;
+import de.stklcode.jvault.connector.exception.VaultConnectorException;
+
+/**
+ * Abstract Vault Connector Builder interface.
+ * Provides builder style for Vault connectors.
+ *
+ * @author Stefan Kalscheuer
+ * @since 0.8.0
+ */
+public interface VaultConnectorBuilder {
+    /**
+     * Get Factory implementation for HTTP Vault Connector.
+     *
+     * @return HTTP Connector Factory
+     */
+    static HTTPVaultConnectorBuilder http() {
+        return new HTTPVaultConnectorBuilder();
+    }
+
+    /**
+     * Build command, produces connector after initialization.
+     *
+     * @return Vault Connector instance.
+     */
+    VaultConnector build();
+
+    /**
+     * Build connector and authenticate with token set in factory or from environment.
+     *
+     * @return Authenticated Vault connector instance.
+     * @throws VaultConnectorException if authentication failed
+     * @since 0.6.0
+     */
+    VaultConnector buildAndAuth() throws VaultConnectorException;
+}

src/main/java/de/stklcode/jvault/connector/builder/package-info.java

@@ -0,0 +1,21 @@
+/*
+ * Copyright 2016-2019 Stefan Kalscheuer
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/**
+ * This package contains the {@link de.stklcode.jvault.connector.builder.VaultConnectorBuilder} to initialize a
+ * connector instance.
+ */
+package de.stklcode.jvault.connector.builder;

src/main/java/de/stklcode/jvault/connector/exception/AuthorizationRequiredException.java

@@ -1,3 +1,19 @@
+/*
+ * Copyright 2016-2019 Stefan Kalscheuer
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
 package de.stklcode.jvault.connector.exception;
 
 /**

src/main/java/de/stklcode/jvault/connector/exception/ConnectionException.java

@@ -1,24 +1,59 @@
+/*
+ * Copyright 2016-2019 Stefan Kalscheuer
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
 package de.stklcode.jvault.connector.exception;
 
 /**
  * Exception thrown on problems with connection to Vault backend.
  *
- * @author  Stefan Kalscheuer
- * @since   0.1
+ * @author Stefan Kalscheuer
+ * @since 0.1
  */
 public class ConnectionException extends VaultConnectorException {
+    /**
+     * Constructs a new empty exception.
+     */
     public ConnectionException() {
     }
 
-    public ConnectionException(String message) {
+    /**
+     * Constructs a new exception with the specified detail message.
+     *
+     * @param message the detail message
+     */
+    public ConnectionException(final String message) {
         super(message);
     }
 
-    public ConnectionException(Throwable cause) {
+    /**
+     * Constructs a new exception with the specified cause.
+     *
+     * @param cause the cause
+     */
+    public ConnectionException(final Throwable cause) {
         super(cause);
     }
 
-    public ConnectionException(String message, Throwable cause) {
+    /**
+     * Constructs a new exception with the specified detail message and cause.
+     *
+     * @param message the detail message
+     * @param cause   the cause
+     */
+    public ConnectionException(final String message, final Throwable cause) {
         super(message, cause);
     }
 }

src/main/java/de/stklcode/jvault/connector/exception/InvalidRequestException.java

@@ -1,3 +1,19 @@
+/*
+ * Copyright 2016-2019 Stefan Kalscheuer
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
 package de.stklcode.jvault.connector.exception;
 
 /**
@@ -7,18 +23,37 @@ package de.stklcode.jvault.connector.exception;
  * @since   0.1
  */
 public class InvalidRequestException extends VaultConnectorException {
+    /**
+     * Constructs a new empty exception.
+     */
     public InvalidRequestException() {
     }
 
-    public InvalidRequestException(String message) {
+    /**
+     * Constructs a new exception with the specified detail message.
+     *
+     * @param message the detail message
+     */
+    public InvalidRequestException(final String message) {
         super(message);
     }
 
-    public InvalidRequestException(Throwable cause) {
+    /**
+     * Constructs a new exception with the specified cause.
+     *
+     * @param cause the cause
+     */
+    public InvalidRequestException(final Throwable cause) {
         super(cause);
     }
 
-    public InvalidRequestException(String message, Throwable cause) {
+    /**
+     * Constructs a new exception with the specified detail message and cause.
+     *
+     * @param message the detail message
+     * @param cause   the cause
+     */
+    public InvalidRequestException(final String message, final Throwable cause) {
         super(message, cause);
     }
 }

src/main/java/de/stklcode/jvault/connector/exception/InvalidResponseException.java

@@ -1,45 +1,179 @@
+/*
+ * Copyright 2016-2019 Stefan Kalscheuer
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
 package de.stklcode.jvault.connector.exception;
 
 /**
  * Exception thrown when response from vault returned with erroneous status code or payload could not be parsed
  * to entity class.
  *
- * @author  Stefan Kalscheuer
- * @since   0.1
+ * @author Stefan Kalscheuer
+ * @since 0.1
  */
-public class InvalidResponseException extends VaultConnectorException {
-    private Integer statusCode;
-    private String response;
+public final class InvalidResponseException extends VaultConnectorException {
+    private final Integer statusCode;
+    private final String response;
 
+    /**
+     * Constructs a new empty exception.
+     */
     public InvalidResponseException() {
+        this.statusCode = null;
+        this.response = null;
     }
 
-    public InvalidResponseException(String message) {
+    /**
+     * Constructs a new exception with the specified detail message.
+     *
+     * @param message The detail message
+     */
+    public InvalidResponseException(final String message) {
         super(message);
+        this.statusCode = null;
+        this.response = null;
     }
 
-    public InvalidResponseException(Throwable cause) {
+    /**
+     * Constructs a new exception with the specified cause.
+     *
+     * @param cause The cause
+     */
+    public InvalidResponseException(final Throwable cause) {
         super(cause);
+        this.statusCode = null;
+        this.response = null;
     }
 
-    public InvalidResponseException(String message, Throwable cause) {
+    /**
+     * Constructs a new exception with the specified detail message and cause.
+     *
+     * @param message The detail message
+     * @param cause   The cause
+     */
+    public InvalidResponseException(final String message, final Throwable cause) {
         super(message, cause);
+        this.statusCode = null;
+        this.response = null;
     }
 
-    public InvalidResponseException withStatusCode(Integer statusCode) {
+    /**
+     * Constructs a new exception with the specified detail message and status code.
+     * <p>
+     * The HTTP status code can be retrieved by {@link #getStatusCode()} later.
+     *
+     * @param message    The detail message
+     * @param statusCode Status code of the HTTP response
+     * @since 0.6.2
+     */
+    public InvalidResponseException(final String message, final Integer statusCode) {
+        super(message);
         this.statusCode = statusCode;
-        return this;
+        this.response = null;
     }
 
-    public InvalidResponseException withResponse(String response) {
+    /**
+     * Constructs a new exception with the specified detail message, cause and status code.
+     * <p>
+     * The HTTP status code can be retrieved by {@link #getStatusCode()} later.
+     *
+     * @param message    The detail message
+     * @param statusCode Status code of the HTTP response
+     * @param cause      The cause
+     * @since 0.6.2
+     */
+    public InvalidResponseException(final String message, final Integer statusCode, final Throwable cause) {
+        this(message, statusCode, null, cause);
+    }
+
+    /**
+     * Constructs a new exception with the specified detail message, cause and status code.
+     * <p>
+     * The HTTP status code can be retrieved by {@link #getStatusCode()} later.
+     *
+     * @param message    The detail message
+     * @param statusCode Status code of the HTTP response
+     * @param response   HTTP response string
+     * @since 0.6.2
+     */
+    public InvalidResponseException(final String message,
+                                    final Integer statusCode,
+                                    final String response) {
+        super(message);
+        this.statusCode = statusCode;
         this.response = response;
-        return this;
     }
 
+    /**
+     * Constructs a new exception with the specified detail message, cause and status code.
+     * <p>
+     * The HTTP status code can be retrieved by {@link #getStatusCode()} later.
+     *
+     * @param message    The detail message
+     * @param statusCode Status code of the HTTP response
+     * @param response   HTTP response string
+     * @param cause      The cause
+     * @since 0.6.2
+     */
+    public InvalidResponseException(final String message,
+                                    final Integer statusCode,
+                                    final String response,
+                                    final Throwable cause) {
+        super(message, cause);
+        this.statusCode = statusCode;
+        this.response = response;
+    }
+
+    /**
+     * Specify the HTTP status code. Can be retrieved by {@link #getStatusCode()} later.
+     *
+     * @param statusCode The status code
+     * @return self
+     * @deprecated as of 0.6.2, use constructor with status code argument instead
+     */
+    @Deprecated
+    public InvalidResponseException withStatusCode(final Integer statusCode) {
+        return new InvalidResponseException(getMessage(), statusCode, getResponse(), getCause());
+    }
+
+    /**
+     * Specify the response string. Can be retrieved by {@link #getResponse()} later.
+     *
+     * @param response Response text
+     * @return self
+     * @deprecated use constructor with response argument instead
+     */
+    @Deprecated
+    public InvalidResponseException withResponse(final String response) {
+        return new InvalidResponseException(getMessage(), getStatusCode(), response, getCause());
+    }
+
+    /**
+     * Retrieve the HTTP status code.
+     *
+     * @return The status code or {@code null} if none specified.
+     */
     public Integer getStatusCode() {
         return statusCode;
     }
 
+    /**
+     * Retrieve the response text.
+     *
+     * @return The response text or {@code null} if none specified.
+     */
     public String getResponse() {
         return response;
     }

src/main/java/de/stklcode/jvault/connector/exception/PermissionDeniedException.java

@@ -1,3 +1,19 @@
+/*
+ * Copyright 2016-2019 Stefan Kalscheuer
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
 package de.stklcode.jvault.connector.exception;
 
 /**
@@ -7,19 +23,38 @@ package de.stklcode.jvault.connector.exception;
  * @since   0.1
  */
 public class PermissionDeniedException extends VaultConnectorException {
+    /**
+     * Constructs a new empty exception.
+     */
     public PermissionDeniedException() {
         super("Permission denied");
     }
 
-    public PermissionDeniedException(String message) {
+    /**
+     * Constructs a new exception with the specified detail message.
+     *
+     * @param message the detail message
+     */
+    public PermissionDeniedException(final String message) {
         super(message);
     }
 
-    public PermissionDeniedException(Throwable cause) {
+    /**
+     * Constructs a new exception with the specified cause.
+     *
+     * @param cause the cause
+     */
+    public PermissionDeniedException(final Throwable cause) {
         super(cause);
     }
 
-    public PermissionDeniedException(String message, Throwable cause) {
+    /**
+     * Constructs a new exception with the specified detail message and cause.
+     *
+     * @param message the detail message
+     * @param cause   the cause
+     */
+    public PermissionDeniedException(final String message, final Throwable cause) {
         super(message, cause);
     }
 }

src/main/java/de/stklcode/jvault/connector/exception/TlsException.java

@@ -0,0 +1,59 @@
+/*
+ * Copyright 2016-2019 Stefan Kalscheuer
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package de.stklcode.jvault.connector.exception;
+
+/**
+ * Exception thrown on errors with TLS connection.
+ *
+ * @author  Stefan Kalscheuer
+ * @since   0.4.0
+ */
+public class TlsException extends VaultConnectorException {
+    /**
+     * Constructs a new empty exception.
+     */
+    public TlsException() {
+    }
+
+    /**
+     * Constructs a new exception with the specified detail message.
+     *
+     * @param message the detail message
+     */
+    public TlsException(final String message) {
+        super(message);
+    }
+
+    /**
+     * Constructs a new exception with the specified cause.
+     *
+     * @param cause the cause
+     */
+    public TlsException(final Throwable cause) {
+        super(cause);
+    }
+
+    /**
+     * Constructs a new exception with the specified detail message and cause.
+     *
+     * @param message the detail message
+     * @param cause   the cause
+     */
+    public TlsException(final String message, final Throwable cause) {
+        super(message, cause);
+    }
+}

src/main/java/de/stklcode/jvault/connector/exception/VaultConnectorException.java

@@ -1,3 +1,19 @@
+/*
+ * Copyright 2016-2019 Stefan Kalscheuer
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
 package de.stklcode.jvault.connector.exception;
 
 /**
@@ -7,18 +23,37 @@ package de.stklcode.jvault.connector.exception;
  * @since   0.1
  */
 public abstract class VaultConnectorException extends Exception {
+    /**
+     * Constructs a new empty exception.
+     */
     public VaultConnectorException() {
     }
 
-    public VaultConnectorException(String message) {
+    /**
+     * Constructs a new exception with the specified detail message.
+     *
+     * @param message the detail message
+     */
+    public VaultConnectorException(final String message) {
         super(message);
     }
 
-    public VaultConnectorException(Throwable cause) {
+    /**
+     * Constructs a new exception with the specified cause.
+     *
+     * @param cause the cause
+     */
+    public VaultConnectorException(final Throwable cause) {
         super(cause);
     }
 
-    public VaultConnectorException(String message, Throwable cause) {
+    /**
+     * Constructs a new exception with the specified detail message and cause.
+     *
+     * @param message the detail message
+     * @param cause   the cause
+     */
+    public VaultConnectorException(final String message, final Throwable cause) {
         super(message, cause);
     }
 }

src/main/java/de/stklcode/jvault/connector/exception/package-info.java

@@ -0,0 +1,20 @@
+/*
+ * Copyright 2016-2019 Stefan Kalscheuer
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/**
+ * Some custom exceptions for error handling.
+ */
+package de.stklcode.jvault.connector.exception;

src/main/java/de/stklcode/jvault/connector/factory/HTTPVaultConnectorFactory.java

@@ -1,76 +1,95 @@
+/*
+ * Copyright 2016-2019 Stefan Kalscheuer
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
 package de.stklcode.jvault.connector.factory;
 
 import de.stklcode.jvault.connector.HTTPVaultConnector;
+import de.stklcode.jvault.connector.builder.HTTPVaultConnectorBuilder;
+import de.stklcode.jvault.connector.exception.VaultConnectorException;
+
+import javax.net.ssl.SSLContext;
+import java.nio.file.Path;
+import java.security.cert.X509Certificate;
 
 /**
  * Vault Connector Factory implementation for HTTP Vault connectors.
  *
- * @author  Stefan Kalscheuer
- * @since   0.1
+ * @author Stefan Kalscheuer
+ * @since 0.1
+ * @deprecated As of 0.8.0 please refer to {@link de.stklcode.jvault.connector.builder.HTTPVaultConnectorBuilder} with identical API.
  */
-public class HTTPVaultConnectorFactory extends VaultConnectorFactory {
-    public static final String DEFAULT_HOST = "127.0.0.1";
-    public static final Integer DEFAULT_PORT = 8200;
-    public static final boolean DEFAULT_TLS = true;
-    public static final String DEFAULT_PREFIX = "/v1/";
+@Deprecated
+public final class HTTPVaultConnectorFactory extends VaultConnectorFactory {
 
-    private String host;
-    private Integer port;
-    private boolean tls;
-    private String prefix;
+    private final HTTPVaultConnectorBuilder delegate;
 
     /**
      * Default empty constructor.
      * Initializes factory with default values.
      */
     public HTTPVaultConnectorFactory() {
-        host = DEFAULT_HOST;
-        port = DEFAULT_PORT;
-        tls = DEFAULT_TLS;
-        prefix = DEFAULT_PREFIX;
+        delegate = new HTTPVaultConnectorBuilder();
     }
 
     /**
-     * Set hostname (default: 127.0.0.1)
-     * @param host  Hostname or IP address
-     * @return      self
+     * Set hostname (default: 127.0.0.1).
+     *
+     * @param host Hostname or IP address
+     * @return self
      */
-    public HTTPVaultConnectorFactory withHost(String host) {
-        this.host = host;
+    public HTTPVaultConnectorFactory withHost(final String host) {
+        delegate.withHost(host);
         return this;
     }
 
     /**
-     * Set port (default: 8200)
-     * @param port  Vault TCP port
-     * @return      self
+     * Set port (default: 8200).
+     *
+     * @param port Vault TCP port
+     * @return self
      */
-    public HTTPVaultConnectorFactory withPort(Integer port) {
-        this.port = port;
+    public HTTPVaultConnectorFactory withPort(final Integer port) {
+        delegate.withPort(port);
         return this;
     }
 
     /**
-     * Set TLS usage (default: TRUE)
-     * @param useTLS    use TLS or not
-     * @return          self
+     * Set TLS usage (default: TRUE).
+     *
+     * @param useTLS use TLS or not
+     * @return self
      */
-    public HTTPVaultConnectorFactory withTLS(boolean useTLS) {
-        this.tls = useTLS;
+    public HTTPVaultConnectorFactory withTLS(final boolean useTLS) {
+        delegate.withTLS(useTLS);
         return this;
     }
 
     /**
-     * Convenience Method for TLS usage (enabled by default)
-     * @return      self
+     * Convenience Method for TLS usage (enabled by default).
+     *
+     * @return self
      */
     public HTTPVaultConnectorFactory withTLS() {
         return withTLS(true);
     }
 
     /**
-     * Convenience Method for NOT using TLS
-     * @return      self
+     * Convenience Method for NOT using TLS.
+     *
+     * @return self
      */
     public HTTPVaultConnectorFactory withoutTLS() {
         return withTLS(false);
@@ -78,16 +97,108 @@ public class HTTPVaultConnectorFactory extends VaultConnectorFactory {
 
     /**
      * Set API prefix. Default is "/v1/" and changes should not be necessary for current state of development.
-     * @param prefix    Vault API prefix (default: "/v1/"
-     * @return          self
+     *
+     * @param prefix Vault API prefix (default: "/v1/"
+     * @return self
      */
-    public HTTPVaultConnectorFactory withPrefix(String prefix) {
-        this.prefix = prefix;
+    public HTTPVaultConnectorFactory withPrefix(final String prefix) {
+        delegate.withPrefix(prefix);
+        return this;
+    }
+
+    /**
+     * Add a trusted CA certifiate for HTTPS connections.
+     *
+     * @param cert path to certificate file
+     * @return self
+     * @throws VaultConnectorException on error
+     * @since 0.4.0
+     */
+    public HTTPVaultConnectorFactory withTrustedCA(final Path cert) throws VaultConnectorException {
+        delegate.withTrustedCA(cert);
+        return this;
+    }
+
+    /**
+     * Add a trusted CA certifiate for HTTPS connections.
+     *
+     * @param cert path to certificate file
+     * @return self
+     * @since 0.8.0
+     */
+    public HTTPVaultConnectorFactory withTrustedCA(final X509Certificate cert) {
+        delegate.withTrustedCA(cert);
+        return this;
+    }
+
+    /**
+     * Add a custom SSL context.
+     * Overwrites certificates set by {@link #withTrustedCA}.
+     *
+     * @param sslContext the SSL context
+     * @return self
+     * @since 0.4.0
+     * @deprecated As of 0.8.0 this is no longer supported, please use {@link #withTrustedCA(Path)} or {@link #withTrustedCA(X509Certificate)}.
+     */
+    public HTTPVaultConnectorFactory withSslContext(final SSLContext sslContext) {
+        throw new UnsupportedOperationException("Use of deprecated method, please switch to withTrustedCA()");
+    }
+
+    /**
+     * Set token for automatic authentication, using {@link #buildAndAuth()}.
+     *
+     * @param token Vault token
+     * @return self
+     * @since 0.6.0
+     */
+    public HTTPVaultConnectorFactory withToken(final String token) {
+        delegate.withToken(token);
+        return this;
+    }
+
+    /**
+     * Build connector based on the {@code }VAULT_ADDR} and {@code VAULT_CACERT} (optional) environment variables.
+     *
+     * @return self
+     * @throws VaultConnectorException if Vault address from environment variables is malformed
+     * @since 0.6.0
+     */
+    public HTTPVaultConnectorFactory fromEnv() throws VaultConnectorException {
+        delegate.fromEnv();
+        return this;
+    }
+
+    /**
+     * Define the number of retries to attempt on 5xx errors.
+     *
+     * @param numberOfRetries The number of retries to attempt on 5xx errors (default: 0)
+     * @return self
+     * @since 0.6.0
+     */
+    public HTTPVaultConnectorFactory withNumberOfRetries(final int numberOfRetries) {
+        delegate.withNumberOfRetries(numberOfRetries);
+        return this;
+    }
+
+    /**
+     * Define a custom timeout for the HTTP connection.
+     *
+     * @param milliseconds Timeout value in milliseconds.
+     * @return self
+     * @since 0.6.0
+     */
+    public HTTPVaultConnectorFactory withTimeout(final int milliseconds) {
+        delegate.withTimeout(milliseconds);
         return this;
     }
 
     @Override
     public HTTPVaultConnector build() {
-        return new HTTPVaultConnector(host, tls, port, prefix);
+        return delegate.build();
+    }
+
+    @Override
+    public HTTPVaultConnector buildAndAuth() throws VaultConnectorException {
+        return delegate.buildAndAuth();
     }
 }

src/main/java/de/stklcode/jvault/connector/factory/VaultConnectorFactory.java

@@ -1,26 +1,42 @@
+/*
+ * Copyright 2016-2019 Stefan Kalscheuer
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
 package de.stklcode.jvault.connector.factory;
 
-import de.stklcode.jvault.connector.VaultConnector;
+import de.stklcode.jvault.connector.builder.VaultConnectorBuilder;
 
 /**
  * Abstract Vault Connector Factory interface.
  * Provides builder pattern style factory for Vault connectors.
  *
- * @author  Stefan Kalscheuer
- * @since   0.1
+ * @author Stefan Kalscheuer
+ * @since 0.1
+ * @deprecated As of 0.8.0 please refer to {@link VaultConnectorBuilder} with identical API.
  */
-public abstract class VaultConnectorFactory {
+@Deprecated
+public abstract class VaultConnectorFactory implements VaultConnectorBuilder {
     /**
-     * Get Factory implementation for HTTP Vault Connector
-     * @return  HTTP Connector Factory
+     * Get Factory implementation for HTTP Vault Connector.
+     *
+     * @return HTTP Connector Factory
+     * @deprecated As of 0.8.0 please refer to {@link VaultConnectorBuilder#http()}.
      */
+    @Deprecated
     public static HTTPVaultConnectorFactory httpFactory() {
         return new HTTPVaultConnectorFactory();
     }
 
-    /**
-     * Build command, produces connector after initialization.
-     * @return  Vault Connector instance.
-     */
-    public abstract VaultConnector build();
 }

src/main/java/de/stklcode/jvault/connector/factory/package-info.java

@@ -0,0 +1,23 @@
+/*
+ * Copyright 2016-2019 Stefan Kalscheuer
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/**
+ * This package contains the {@link de.stklcode.jvault.connector.factory.VaultConnectorFactory} to initialize a
+ * connector instance.
+ *
+ * @deprecated As of v0.8.0 please refer to {@link de.stklcode.jvault.connector.builder}.
+ */
+package de.stklcode.jvault.connector.factory;

src/main/java/de/stklcode/jvault/connector/internal/Error.java

@@ -0,0 +1,38 @@
+/*
+ * Copyright 2016-2019 Stefan Kalscheuer
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package de.stklcode.jvault.connector.internal;
+
+/**
+ * Utility class to bundle common error messages.
+ *
+ * @author Stefan Kalscheuer
+ * @since 0.8 Extracted from static inner class.
+ */
+final class Error {
+    static final String READ_RESPONSE = "Unable to read response";
+    static final String PARSE_RESPONSE = "Unable to parse response";
+    static final String UNEXPECTED_RESPONSE = "Received response where none was expected";
+    static final String URI_FORMAT = "Invalid URI format";
+    static final String RESPONSE_CODE = "Invalid response code";
+    static final String INIT_SSL_CONTEXT = "Unable to intialize SSLContext";
+
+    /**
+     * Constructor hidden, this class should not be instantiated.
+     */
+    private Error() {
+    }
+}

src/main/java/de/stklcode/jvault/connector/internal/RequestHelper.java

@@ -0,0 +1,433 @@
+package de.stklcode.jvault.connector.internal;
+
+import com.fasterxml.jackson.core.JsonProcessingException;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import de.stklcode.jvault.connector.exception.*;
+import de.stklcode.jvault.connector.model.response.ErrorResponse;
+import org.apache.http.HttpResponse;
+import org.apache.http.client.config.RequestConfig;
+import org.apache.http.client.methods.*;
+import org.apache.http.client.utils.URIBuilder;
+import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
+import org.apache.http.entity.StringEntity;
+import org.apache.http.impl.client.CloseableHttpClient;
+import org.apache.http.impl.client.HttpClientBuilder;
+import org.apache.http.util.EntityUtils;
+
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.TrustManagerFactory;
+import java.io.*;
+import java.net.URISyntaxException;
+import java.nio.charset.StandardCharsets;
+import java.security.*;
+import java.security.cert.CertificateException;
+import java.security.cert.X509Certificate;
+import java.util.Map;
+import java.util.stream.Collectors;
+
+/**
+ * Helper class to bundle Vault HTTP requests.
+ *
+ * @author Stefan Kalscheuer
+ * @since 0.8 Extracted methods from {@link de.stklcode.jvault.connector.HTTPVaultConnector}.
+ */
+public final class RequestHelper implements Serializable {
+    private static final String HEADER_VAULT_TOKEN = "X-Vault-Token";
+
+    private final String baseURL;                   // Base URL of Vault.
+    private final Integer timeout;                  // Timeout in milliseconds.
+    private final int retries;                      // Number of retries on 5xx errors.
+    private final String tlsVersion;                // TLS version (#22).
+    private final X509Certificate trustedCaCert;    // Trusted CA certificate.
+    private final ObjectMapper jsonMapper;
+
+    /**
+     * Constructor of the request helper.
+     *
+     * @param baseURL       The URL
+     * @param retries       Number of retries on 5xx errors
+     * @param timeout       Timeout for HTTP requests (milliseconds)
+     * @param tlsVersion    TLS Version.
+     * @param trustedCaCert Trusted CA certificate
+     */
+    public RequestHelper(final String baseURL,
+                         final int retries,
+                         final Integer timeout,
+                         final String tlsVersion,
+                         final X509Certificate trustedCaCert) {
+        this.baseURL = baseURL;
+        this.retries = retries;
+        this.timeout = timeout;
+        this.tlsVersion = tlsVersion;
+        this.trustedCaCert = trustedCaCert;
+        this.jsonMapper = new ObjectMapper();
+    }
+
+    /**
+     * Execute HTTP request using POST method.
+     *
+     * @param path    URL path (relative to base).
+     * @param payload Map of payload values (will be converted to JSON).
+     * @param token   Vault token (may be {@code null}).
+     * @return HTTP response
+     * @throws VaultConnectorException on connection error
+     * @since 0.8 Added {@code token} parameter.
+     */
+    public String post(final String path, final Object payload, final String token) throws VaultConnectorException {
+        /* Initialize post */
+        HttpPost post = new HttpPost(baseURL + path);
+
+        /* generate JSON from payload */
+        StringEntity input;
+        try {
+            input = new StringEntity(jsonMapper.writeValueAsString(payload), StandardCharsets.UTF_8);
+        } catch (JsonProcessingException e) {
+            throw new InvalidRequestException(Error.PARSE_RESPONSE, e);
+        }
+        input.setContentEncoding("UTF-8");
+        input.setContentType("application/json");
+        post.setEntity(input);
+
+        /* Set X-Vault-Token header */
+        if (token != null) {
+            post.addHeader(HEADER_VAULT_TOKEN, token);
+        }
+
+        return request(post, retries);
+    }
+
+    /**
+     * Execute HTTP request using POST method and parse JSON result.
+     *
+     * @param path    URL path (relative to base).
+     * @param payload Map of payload values (will be converted to JSON).
+     * @param token   Vault token (may be {@code null}).
+     * @param target  Target class.
+     * @param <T>     Target type.
+     * @return HTTP response
+     * @throws VaultConnectorException on connection error
+     * @since 0.8
+     */
+    public <T> T post(final String path, final Object payload, final String token, final Class<T> target)
+            throws VaultConnectorException {
+        try {
+            String response = post(path, payload, token);
+            return jsonMapper.readValue(response, target);
+        } catch (IOException e) {
+            throw new InvalidResponseException(Error.PARSE_RESPONSE, e);
+        }
+    }
+
+    /**
+     * Execute HTTP request using POST method and expect empty (204) response.
+     *
+     * @param path    URL path (relative to base).
+     * @param payload Map of payload values (will be converted to JSON).
+     * @param token   Vault token (may be {@code null}).
+     * @throws VaultConnectorException on connection error
+     * @since 0.8
+     */
+    public void postWithoutResponse(final String path, final Object payload, final String token) throws VaultConnectorException {
+        if (!post(path, payload, token).isEmpty()) {
+            throw new InvalidResponseException(Error.UNEXPECTED_RESPONSE);
+        }
+    }
+
+    /**
+     * Execute HTTP request using PUT method.
+     *
+     * @param path    URL path (relative to base).
+     * @param payload Map of payload values (will be converted to JSON).
+     * @param token   Vault token (may be {@code null}).
+     * @return HTTP response
+     * @throws VaultConnectorException on connection error
+     * @since 0.8 Added {@code token} parameter.
+     */
+    public String put(final String path, final Map<String, String> payload, final String token) throws VaultConnectorException {
+        /* Initialize put */
+        HttpPut put = new HttpPut(baseURL + path);
+
+        /* generate JSON from payload */
+        StringEntity entity = null;
+        try {
+            entity = new StringEntity(jsonMapper.writeValueAsString(payload));
+        } catch (UnsupportedEncodingException | JsonProcessingException e) {
+            throw new InvalidRequestException("Payload serialization failed", e);
+        }
+
+        /* Parse parameters */
+        put.setEntity(entity);
+
+        /* Set X-Vault-Token header */
+        if (token != null) {
+            put.addHeader(HEADER_VAULT_TOKEN, token);
+        }
+
+        return request(put, retries);
+    }
+
+    /**
+     * Execute HTTP request using PUT method and parse JSON result.
+     *
+     * @param path    URL path (relative to base).
+     * @param payload Map of payload values (will be converted to JSON).
+     * @param token   Vault token (may be {@code null}).
+     * @param target  Target class.
+     * @param <T>     Target type.
+     * @return HTTP response
+     * @throws VaultConnectorException on connection error
+     * @since 0.8
+     */
+    public <T> T put(final String path, final Map<String, String> payload, final String token, final Class<T> target)
+            throws VaultConnectorException {
+        try {
+            String response = put(path, payload, token);
+            return jsonMapper.readValue(response, target);
+        } catch (IOException e) {
+            throw new InvalidResponseException(Error.PARSE_RESPONSE, e);
+        }
+    }
+
+    /**
+     * Execute HTTP request using PUT method and expect empty (204) response.
+     *
+     * @param path    URL path (relative to base).
+     * @param payload Map of payload values (will be converted to JSON).
+     * @param token   Vault token (may be {@code null}).
+     * @throws VaultConnectorException on connection error
+     * @since 0.8
+     */
+    public void putWithoutResponse(final String path, final Map<String, String> payload, final String token)
+            throws VaultConnectorException {
+        if (!put(path, payload, token).isEmpty()) {
+            throw new InvalidResponseException(Error.UNEXPECTED_RESPONSE);
+        }
+    }
+
+    /**
+     * Execute HTTP request using DELETE method.
+     *
+     * @param path  URL path (relative to base).
+     * @param token Vault token (may be {@code null}).
+     * @return HTTP response
+     * @throws VaultConnectorException on connection error
+     * @since 0.8 Added {@code token} parameter.
+     */
+    public String delete(final String path, final String token) throws VaultConnectorException {
+        /* Initialize delete */
+        HttpDelete delete = new HttpDelete(baseURL + path);
+
+        /* Set X-Vault-Token header */
+        if (token != null) {
+            delete.addHeader(HEADER_VAULT_TOKEN, token);
+        }
+
+        return request(delete, retries);
+    }
+
+    /**
+     * Execute HTTP request using DELETE method and expect empty (204) response.
+     *
+     * @param path  URL path (relative to base).
+     * @param token Vault token (may be {@code null}).
+     * @throws VaultConnectorException on connection error
+     * @since 0.8
+     */
+    public void deleteWithoutResponse(final String path, final String token) throws VaultConnectorException {
+        if (!delete(path, token).isEmpty()) {
+            throw new InvalidResponseException(Error.UNEXPECTED_RESPONSE);
+        }
+    }
+
+    /**
+     * Execute HTTP request using GET method.
+     *
+     * @param path    URL path (relative to base).
+     * @param payload Map of payload values (will be converted to JSON).
+     * @param token   Vault token (may be {@code null}).
+     * @return HTTP response
+     * @throws VaultConnectorException on connection error
+     * @since 0.8 Added {@code token} parameter.
+     */
+    public String get(final String path, final Map<String, String> payload, final String token)
+            throws VaultConnectorException {
+        HttpGet get;
+        try {
+            /* Add parameters to URI */
+            URIBuilder uriBuilder = new URIBuilder(baseURL + path);
+            payload.forEach(uriBuilder::addParameter);
+
+            /* Initialize request */
+            get = new HttpGet(uriBuilder.build());
+        } catch (URISyntaxException e) {
+            /* this should never occur and may leak sensible information */
+            throw new InvalidRequestException(Error.URI_FORMAT);
+        }
+
+        /* Set X-Vault-Token header */
+        if (token != null) {
+            get.addHeader(HEADER_VAULT_TOKEN, token);
+        }
+
+        return request(get, retries);
+    }
+
+    /**
+     * Execute HTTP request using GET method and parse JSON result to target class.
+     *
+     * @param path    URL path (relative to base).
+     * @param payload Map of payload values (will be converted to JSON).
+     * @param token   Vault token (may be {@code null}).
+     * @param target  Target class.
+     * @param <T>     Target type.
+     * @return HTTP response
+     * @throws VaultConnectorException on connection error
+     * @since 0.8
+     */
+    public <T> T get(final String path, final Map<String, String> payload, final String token, final Class<T> target)
+            throws VaultConnectorException {
+        try {
+            String response = get(path, payload, token);
+            return jsonMapper.readValue(response, target);
+        } catch (IOException e) {
+            throw new InvalidResponseException(Error.PARSE_RESPONSE, e);
+        }
+    }
+
+    /**
+     * Execute prepared HTTP request and return result.
+     *
+     * @param base    Prepares Request
+     * @param retries number of retries
+     * @return HTTP response
+     * @throws VaultConnectorException on connection error
+     */
+    private String request(final HttpRequestBase base, final int retries) throws VaultConnectorException {
+        /* Set JSON Header */
+        base.addHeader("accept", "application/json");
+
+        CloseableHttpResponse response = null;
+
+        try (CloseableHttpClient httpClient = HttpClientBuilder.create()
+                .setSSLSocketFactory(createSSLSocketFactory())
+                .build()) {
+            /* Set custom timeout, if defined */
+            if (this.timeout != null) {
+                base.setConfig(RequestConfig.copy(RequestConfig.DEFAULT).setConnectTimeout(timeout).build());
+            }
+
+            /* Execute request */
+            response = httpClient.execute(base);
+
+            /* Check if response is valid */
+            if (response == null) {
+                throw new InvalidResponseException("Response unavailable");
+            }
+
+            switch (response.getStatusLine().getStatusCode()) {
+                case 200:
+                    return handleResult(response);
+                case 204:
+                    return "";
+                case 403:
+                    throw new PermissionDeniedException();
+                default:
+                    if (response.getStatusLine().getStatusCode() >= 500
+                            && response.getStatusLine().getStatusCode() < 600 && retries > 0) {
+                        /* Retry on 5xx errors */
+                        return request(base, retries - 1);
+                    } else {
+                        /* Fail on different error code and/or no retries left */
+                        handleError(response);
+
+                        /* Throw exception withoud details, if response entity is empty. */
+                        throw new InvalidResponseException(Error.RESPONSE_CODE,
+                                response.getStatusLine().getStatusCode());
+                    }
+            }
+        } catch (IOException e) {
+            throw new InvalidResponseException(Error.READ_RESPONSE, e);
+        } finally {
+            if (response != null && response.getEntity() != null) {
+                try {
+                    EntityUtils.consume(response.getEntity());
+                } catch (IOException ignored) {
+                    // Exception ignored.
+                }
+            }
+        }
+    }
+
+    /**
+     * Create a custom socket factory from trusted CA certificate.
+     *
+     * @return The factory.
+     * @throws TlsException An error occured during initialization of the SSL context.
+     * @since 0.8.0
+     */
+    private SSLConnectionSocketFactory createSSLSocketFactory() throws TlsException {
+        try {
+            // Create Keystore with trusted certificate.
+            KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
+            keyStore.load(null, null);
+            keyStore.setCertificateEntry("trustedCert", trustedCaCert);
+
+            // Initialize TrustManager.
+            TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
+            tmf.init(keyStore);
+
+            // Create context usint this TrustManager.
+            SSLContext context = SSLContext.getInstance(tlsVersion);
+            context.init(null, tmf.getTrustManagers(), new SecureRandom());
+
+            return new SSLConnectionSocketFactory(
+                    context,
+                    null,
+                    null,
+                    SSLConnectionSocketFactory.getDefaultHostnameVerifier()
+            );
+        } catch (CertificateException | NoSuchAlgorithmException | KeyStoreException | IOException | KeyManagementException e) {
+            throw new TlsException(Error.INIT_SSL_CONTEXT, e);
+        }
+    }
+
+    /**
+     * Handle successful result.
+     *
+     * @param response The raw HTTP response (assuming status code 200)
+     * @return Complete response body as String
+     * @throws InvalidResponseException on reading errors
+     */
+    private String handleResult(final HttpResponse response) throws InvalidResponseException {
+        try (BufferedReader br = new BufferedReader(
+                new InputStreamReader(response.getEntity().getContent()))) {
+            return br.lines().collect(Collectors.joining("\n"));
+        } catch (IOException ignored) {
+            throw new InvalidResponseException(Error.READ_RESPONSE, 200);
+        }
+    }
+
+    /**
+     * Handle unsuccessful response. Throw detailed exception if possible.
+     *
+     * @param response The raw HTTP response (assuming status code 5xx)
+     * @throws VaultConnectorException Expected exception with details to throw
+     */
+    private void handleError(final HttpResponse response) throws VaultConnectorException {
+        if (response.getEntity() != null) {
+            try (BufferedReader br = new BufferedReader(
+                    new InputStreamReader(response.getEntity().getContent()))) {
+                String responseString = br.lines().collect(Collectors.joining("\n"));
+                ErrorResponse er = jsonMapper.readValue(responseString, ErrorResponse.class);
+                /* Check for "permission denied" response */
+                if (!er.getErrors().isEmpty() && er.getErrors().get(0).equals("permission denied")) {
+                    throw new PermissionDeniedException();
+                }
+                throw new InvalidResponseException(Error.RESPONSE_CODE,
+                        response.getStatusLine().getStatusCode(), er.toString());
+            } catch (IOException ignored) {
+                // Exception ignored.
+            }
+        }
+    }
+}

src/main/java/de/stklcode/jvault/connector/model/AppRole.java

@@ -0,0 +1,293 @@
+/*
+ * Copyright 2016-2019 Stefan Kalscheuer
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package de.stklcode.jvault.connector.model;
+
+import com.fasterxml.jackson.annotation.*;
+
+import java.util.List;
+
+/**
+ * Vault AppRole role metamodel.
+ *
+ * @author Stefan Kalscheuer
+ * @since 0.4.0
+ */
+@JsonIgnoreProperties(ignoreUnknown = true)
+public final class AppRole {
+    /**
+     * Get {@link AppRoleBuilder} instance.
+     *
+     * @param name Role name.
+     * @return AppRole Builder.
+     * @since 0.8
+     */
+    public static AppRoleBuilder builder(final String name) {
+        return new AppRoleBuilder(name);
+    }
+
+    @JsonProperty("role_name")
+    private String name;
+
+    @JsonProperty("role_id")
+    @JsonInclude(JsonInclude.Include.NON_NULL)
+    private String id;
+
+    @JsonProperty("bind_secret_id")
+    @JsonInclude(JsonInclude.Include.NON_NULL)
+    private Boolean bindSecretId;
+
+    private List<String> boundCidrList;
+
+    private List<String> secretIdBoundCidrs;
+
+    private List<String> policies;
+
+    @JsonProperty("secret_id_num_uses")
+    @JsonInclude(JsonInclude.Include.NON_NULL)
+    private Integer secretIdNumUses;
+
+    @JsonProperty("secret_id_ttl")
+    @JsonInclude(JsonInclude.Include.NON_NULL)
+    private Integer secretIdTtl;
+
+    @JsonProperty("token_ttl")
+    @JsonInclude(JsonInclude.Include.NON_NULL)
+    private Integer tokenTtl;
+
+    @JsonProperty("token_max_ttl")
+    @JsonInclude(JsonInclude.Include.NON_NULL)
+    private Integer tokenMaxTtl;
+
+    @JsonProperty("period")
+    @JsonInclude(JsonInclude.Include.NON_NULL)
+    private Integer period;
+
+    /**
+     * Construct empty {@link AppRole} object.
+     */
+    public AppRole() {
+
+    }
+
+    /**
+     * Construct complete {@link AppRole} object.
+     *
+     * @param name               Role name (required)
+     * @param id                 Role ID (optional)
+     * @param bindSecretId       Bind secret ID (optional)
+     * @param secretIdBoundCidrs Whitelist of subnets in CIDR notation (optional)
+     * @param policies           List of policies (optional)
+     * @param secretIdNumUses    Maximum number of uses per secret (optional)
+     * @param secretIdTtl        Maximum TTL in seconds for secrets (optional)
+     * @param tokenTtl           Token TTL in seconds (optional)
+     * @param tokenMaxTtl        Maximum token TTL in seconds, including renewals (optional)
+     * @param period             Duration in seconds, if set the token is a periodic token (optional)
+     */
+    public AppRole(final String name, final String id, final Boolean bindSecretId, final List<String> secretIdBoundCidrs,
+                   final List<String> policies, final Integer secretIdNumUses, final Integer secretIdTtl,
+                   final Integer tokenTtl, final Integer tokenMaxTtl, final Integer period) {
+        this.name = name;
+        this.id = id;
+        this.bindSecretId = bindSecretId;
+        this.secretIdBoundCidrs = secretIdBoundCidrs;
+        this.policies = policies;
+        this.secretIdNumUses = secretIdNumUses;
+        this.secretIdTtl = secretIdTtl;
+        this.tokenTtl = tokenTtl;
+        this.tokenMaxTtl = tokenMaxTtl;
+        this.period = period;
+    }
+
+    /**
+     * Construct complete {@link AppRole} object.
+     * <p>
+     * This constructor is used for transition from {@code bound_cidr_list} to {@code secret_id_bound_cidrs} only.
+     *
+     * @param name               Role name (required)
+     * @param id                 Role ID (optional)
+     * @param bindSecretId       Bind secret ID (optional)
+     * @param boundCidrList      Whitelist of subnets in CIDR notation (optional)
+     * @param secretIdBoundCidrs Whitelist of subnets in CIDR notation (optional)
+     * @param policies           List of policies (optional)
+     * @param secretIdNumUses    Maximum number of uses per secret (optional)
+     * @param secretIdTtl        Maximum TTL in seconds for secrets (optional)
+     * @param tokenTtl           Token TTL in seconds (optional)
+     * @param tokenMaxTtl        Maximum token TTL in seconds, including renewals (optional)
+     * @param period             Duration in seconds, if set the token is a periodic token (optional)
+     */
+    AppRole(final String name, final String id, final Boolean bindSecretId, final List<String> boundCidrList,
+            final List<String> secretIdBoundCidrs, final List<String> policies, final Integer secretIdNumUses,
+            final Integer secretIdTtl, final Integer tokenTtl, final Integer tokenMaxTtl, final Integer period) {
+        this.name = name;
+        this.id = id;
+        this.bindSecretId = bindSecretId;
+        this.boundCidrList = boundCidrList;
+        this.secretIdBoundCidrs = secretIdBoundCidrs;
+        this.policies = policies;
+        this.secretIdNumUses = secretIdNumUses;
+        this.secretIdTtl = secretIdTtl;
+        this.tokenTtl = tokenTtl;
+        this.tokenMaxTtl = tokenMaxTtl;
+        this.period = period;
+    }
+
+    /**
+     * @return the role name
+     */
+    public String getName() {
+        return name;
+    }
+
+    /**
+     * @return the role ID
+     */
+    public String getId() {
+        return id;
+    }
+
+    /**
+     * @return bind secret ID
+     */
+    public Boolean getBindSecretId() {
+        return bindSecretId;
+    }
+
+    /**
+     * @return list of bound CIDR subnets
+     * @deprecated Use {@link #getSecretIdBoundCidrs()} instead, as this parameter is deprecated in Vault.
+     */
+    @Deprecated
+    public List<String> getBoundCidrList() {
+        return boundCidrList;
+    }
+
+    /**
+     * @param boundCidrList list of subnets in CIDR notation to bind role to
+     * @deprecated Use {@link #setSecretIdBoundCidrs(List)} instead, as this parameter is deprecated in Vault.
+     */
+    @Deprecated
+    @JsonSetter("bound_cidr_list")
+    public void setBoundCidrList(final List<String> boundCidrList) {
+        this.boundCidrList = boundCidrList;
+    }
+
+    /**
+     * @return list of subnets in CIDR notation as comma-separated {@link String}
+     * @deprecated Use {@link #getSecretIdBoundCidrsString()} instead, as this parameter is deprecated in Vault.
+     */
+    @Deprecated
+    @JsonGetter("bound_cidr_list")
+    @JsonInclude(JsonInclude.Include.NON_EMPTY)
+    public String getBoundCidrListString() {
+        if (boundCidrList == null || boundCidrList.isEmpty()) {
+            return "";
+        }
+        return String.join(",", boundCidrList);
+    }
+
+    /**
+     * @return list of bound CIDR subnets
+     * @since 0.8 replaces {@link #getBoundCidrList()}
+     */
+    public List<String> getSecretIdBoundCidrs() {
+        return secretIdBoundCidrs;
+    }
+
+    /**
+     * @param secretIdBoundCidrs List of subnets in CIDR notation to bind secrets of this role to.
+     * @since 0.8 replaces {@link #setBoundCidrList(List)}
+     */
+    @JsonSetter("secret_id_bound_cidrs")
+    public void setSecretIdBoundCidrs(final List<String> secretIdBoundCidrs) {
+        this.secretIdBoundCidrs = secretIdBoundCidrs;
+    }
+
+    /**
+     * @return List of subnets in CIDR notation as comma-separated {@link String}
+     * @since 0.8 replaces {@link #getBoundCidrListString()} ()}
+     */
+    @JsonGetter("secret_id_bound_cidrs")
+    @JsonInclude(JsonInclude.Include.NON_EMPTY)
+    public String getSecretIdBoundCidrsString() {
+        if (secretIdBoundCidrs == null || secretIdBoundCidrs.isEmpty()) {
+            return "";
+        }
+        return String.join(",", secretIdBoundCidrs);
+    }
+
+    /**
+     * @return list of policies
+     */
+    public List<String> getPolicies() {
+        return policies;
+    }
+
+    /**
+     * @param policies list of policies
+     */
+    @JsonSetter("policies")
+    public void setPolicies(final List<String> policies) {
+        this.policies = policies;
+    }
+
+    /**
+     * @return list of policies as comma-separated {@link String}
+     */
+    @JsonGetter("policies")
+    @JsonInclude(JsonInclude.Include.NON_EMPTY)
+    public String getPoliciesString() {
+        if (policies == null || policies.isEmpty()) {
+            return "";
+        }
+        return String.join(",", policies);
+    }
+
+    /**
+     * @return maximum number of uses per secret
+     */
+    public Integer getSecretIdNumUses() {
+        return secretIdNumUses;
+    }
+
+    /**
+     * @return maximum TTL in seconds for secrets
+     */
+    public Integer getSecretIdTtl() {
+        return secretIdTtl;
+    }
+
+    /**
+     * @return token TTL in seconds
+     */
+    public Integer getTokenTtl() {
+        return tokenTtl;
+    }
+
+    /**
+     * @return maximum token TTL in seconds, including renewals
+     */
+    public Integer getTokenMaxTtl() {
+        return tokenMaxTtl;
+    }
+
+    /**
+     * @return duration in seconds, if specified
+     */
+    public Integer getPeriod() {
+        return period;
+    }
+}

src/main/java/de/stklcode/jvault/connector/model/AppRoleBuilder.java

@@ -0,0 +1,238 @@
+/*
+ * Copyright 2016-2019 Stefan Kalscheuer
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package de.stklcode.jvault.connector.model;
+
+import java.util.ArrayList;
+import java.util.List;
+
+/**
+ * A builder for vault AppRole roles..
+ *
+ * @author Stefan Kalscheuer
+ * @since 0.4.0
+ */
+public final class AppRoleBuilder {
+    private String name;
+    private String id;
+    private Boolean bindSecretId;
+    private List<String> boundCidrList;
+    private List<String> secretIdBoundCidrs;
+    private List<String> policies;
+    private Integer secretIdNumUses;
+    private Integer secretIdTtl;
+    private Integer tokenTtl;
+    private Integer tokenMaxTtl;
+    private Integer period;
+
+    /**
+     * Construct {@link AppRoleBuilder} with only the role name set.
+     *
+     * @param name Role name
+     */
+    public AppRoleBuilder(final String name) {
+        this.name = name;
+    }
+
+    /**
+     * Add custom role ID. (optional)
+     *
+     * @param id the ID
+     * @return self
+     */
+    public AppRoleBuilder withId(final String id) {
+        this.id = id;
+        return this;
+    }
+
+    /**
+     * Set if role is bound to secret ID.
+     *
+     * @param bindSecretId the display name
+     * @return self
+     */
+    public AppRoleBuilder withBindSecretID(final Boolean bindSecretId) {
+        this.bindSecretId = bindSecretId;
+        return this;
+    }
+
+    /**
+     * Bind role to secret ID.
+     * Convenience method for {@link #withBindSecretID(Boolean)}
+     *
+     * @return self
+     */
+    public AppRoleBuilder withBindSecretID() {
+        return withBindSecretID(true);
+    }
+
+    /**
+     * Do not bind role to secret ID.
+     * Convenience method for {@link #withBindSecretID(Boolean)}
+     *
+     * @return self
+     */
+    public AppRoleBuilder withoutBindSecretID() {
+        return withBindSecretID(false);
+    }
+
+    /**
+     * Set bound CIDR blocks.
+     *
+     * @param boundCidrList List of CIDR blocks which can perform login
+     * @return self
+     * @deprecated Use {@link #withSecretIdBoundCidrs(List)} instead, as this parameter is deprecated in Vault.
+     */
+    @Deprecated
+    public AppRoleBuilder withBoundCidrList(final List<String> boundCidrList) {
+        this.boundCidrList = boundCidrList;
+        return this;
+    }
+
+    /**
+     * Set bound CIDR blocks.
+     *
+     * @param secretIdBoundCidrs List of CIDR blocks which can perform login
+     * @return self
+     * @since 0.8 replaces {@link #withBoundCidrList(List)}
+     */
+    public AppRoleBuilder withSecretIdBoundCidrs(final List<String> secretIdBoundCidrs) {
+        this.secretIdBoundCidrs = secretIdBoundCidrs;
+        return this;
+    }
+
+    /**
+     * Add a CIDR block to list of bound blocks.
+     *
+     * @param cidrBlock the CIDR block
+     * @return self
+     */
+    public AppRoleBuilder withCidrBlock(final String cidrBlock) {
+        if (boundCidrList == null) {
+            boundCidrList = new ArrayList<>();
+        }
+        boundCidrList.add(cidrBlock);
+
+        if (secretIdBoundCidrs == null) {
+            secretIdBoundCidrs = new ArrayList<>();
+        }
+        secretIdBoundCidrs.add(cidrBlock);
+        return this;
+    }
+
+    /**
+     * Add given policies.
+     *
+     * @param policies the policies
+     * @return self
+     */
+    public AppRoleBuilder withPolicies(final List<String> policies) {
+        if (this.policies == null) {
+            this.policies = new ArrayList<>();
+        }
+        this.policies.addAll(policies);
+        return this;
+    }
+
+    /**
+     * Add a single policy.
+     *
+     * @param policy the policy
+     * @return self
+     */
+    public AppRoleBuilder withPolicy(final String policy) {
+        if (this.policies == null) {
+            this.policies = new ArrayList<>();
+        }
+        policies.add(policy);
+        return this;
+    }
+
+    /**
+     * Set number of uses for sectet IDs.
+     *
+     * @param secredIdNumUses the number of uses
+     * @return self
+     */
+    public AppRoleBuilder withSecretIdNumUses(final Integer secredIdNumUses) {
+        this.secretIdNumUses = secredIdNumUses;
+        return this;
+    }
+
+    /**
+     * Set default sectet ID TTL in seconds.
+     *
+     * @param secredIdTtl the TTL
+     * @return self
+     */
+    public AppRoleBuilder withSecretIdTtl(final Integer secredIdTtl) {
+        this.secretIdTtl = secredIdTtl;
+        return this;
+    }
+
+    /**
+     * Set default token TTL in seconds.
+     *
+     * @param tokenTtl the TTL
+     * @return self
+     */
+    public AppRoleBuilder withTokenTtl(final Integer tokenTtl) {
+        this.tokenTtl = tokenTtl;
+        return this;
+    }
+
+    /**
+     * Set maximum token TTL in seconds.
+     *
+     * @param tokenMaxTtl the TTL
+     * @return self
+     */
+    public AppRoleBuilder withTokenMaxTtl(final Integer tokenMaxTtl) {
+        this.tokenMaxTtl = tokenMaxTtl;
+        return this;
+    }
+
+    /**
+     * Set renewal period for generated token in seconds.
+     *
+     * @param period period in seconds
+     * @return self
+     */
+    public AppRoleBuilder withPeriod(final Integer period) {
+        this.period = period;
+        return this;
+    }
+
+
+    /**
+     * Build the AppRole role based on given parameters.
+     *
+     * @return the role
+     */
+    public AppRole build() {
+        return new AppRole(name,
+                id,
+                bindSecretId,
+                boundCidrList,
+                secretIdBoundCidrs,
+                policies,
+                secretIdNumUses,
+                secretIdTtl,
+                tokenTtl,
+                tokenMaxTtl,
+                period);
+    }
+}

src/main/java/de/stklcode/jvault/connector/model/AppRoleSecret.java

@@ -0,0 +1,169 @@
+/*
+ * Copyright 2016-2019 Stefan Kalscheuer
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package de.stklcode.jvault.connector.model;
+
+import com.fasterxml.jackson.annotation.*;
+
+import java.util.List;
+import java.util.Map;
+
+/**
+ * Vault AppRole role metamodel.
+ *
+ * @author Stefan Kalscheuer
+ * @since 0.4.0
+ */
+@JsonIgnoreProperties(ignoreUnknown = true)
+public final class AppRoleSecret {
+    @JsonProperty("secret_id")
+    @JsonInclude(JsonInclude.Include.NON_NULL)
+    private String id;
+
+    @JsonProperty(value = "secret_id_accessor", access = JsonProperty.Access.WRITE_ONLY)
+    private String accessor;
+
+    @JsonProperty("metadata")
+    @JsonInclude(JsonInclude.Include.NON_EMPTY)
+    private Map<String, Object> metadata;
+
+    private List<String> cidrList;
+
+    @JsonProperty(value = "creation_time", access = JsonProperty.Access.WRITE_ONLY)
+    private String creationTime;
+
+    @JsonProperty(value = "expiration_time", access = JsonProperty.Access.WRITE_ONLY)
+    private String expirationTime;
+
+    @JsonProperty(value = "last_updated_time", access = JsonProperty.Access.WRITE_ONLY)
+    private String lastUpdatedTime;
+
+    @JsonProperty(value = "secret_id_num_uses", access = JsonProperty.Access.WRITE_ONLY)
+    private Integer numUses;
+
+    @JsonProperty(value = "secret_id_ttl", access = JsonProperty.Access.WRITE_ONLY)
+    private Integer ttl;
+
+    /**
+     * Construct empty {@link AppRoleSecret} object.
+     */
+    public AppRoleSecret() {
+    }
+
+    /**
+     * Construct {@link AppRoleSecret} with secret ID.
+     *
+     * @param id Secret ID
+     */
+    public AppRoleSecret(final String id) {
+        this.id = id;
+    }
+
+    /**
+     * Construct {@link AppRoleSecret} with ID and metadata.
+     *
+     * @param id       Secret ID
+     * @param metadata Secret metadata
+     * @param cidrList List of subnets in CIDR notation, the role is bound to
+     */
+    public AppRoleSecret(final String id, final Map<String, Object> metadata, final List<String> cidrList) {
+        this.id = id;
+        this.metadata = metadata;
+        this.cidrList = cidrList;
+    }
+
+    /**
+     * @return Secret ID
+     */
+    public String getId() {
+        return id;
+    }
+
+    /**
+     * @return Secret accessor
+     */
+    public String getAccessor() {
+        return accessor;
+    }
+
+    /**
+     * @return Secret metadata
+     */
+    public Map<String, Object> getMetadata() {
+        return metadata;
+    }
+
+    /**
+     * @return List of bound subnets in CIDR notation
+     */
+    public List<String> getCidrList() {
+        return cidrList;
+    }
+
+    /**
+     * @param cidrList List of subnets in CIDR notation
+     */
+    @JsonSetter("cidr_list")
+    public void setCidrList(final List<String> cidrList) {
+        this.cidrList = cidrList;
+    }
+
+    /**
+     * @return List of bound subnets in CIDR notation as comma-separated {@link String}
+     */
+    @JsonGetter("cidr_list")
+    public String getCidrListString() {
+        if (cidrList == null || cidrList.isEmpty()) {
+            return "";
+        }
+        return String.join(",", cidrList);
+    }
+
+    /**
+     * @return Creation time
+     */
+    public String getCreationTime() {
+        return creationTime;
+    }
+
+    /**
+     * @return Expiration time
+     */
+    public String getExpirationTime() {
+        return expirationTime;
+    }
+
+    /**
+     * @return Time of last update
+     */
+    public String getLastUpdatedTime() {
+        return lastUpdatedTime;
+    }
+
+    /**
+     * @return Number of uses
+     */
+    public Integer getNumUses() {
+        return numUses;
+    }
+
+    /**
+     * @return Time-to-live
+     */
+    public Integer getTtl() {
+        return ttl;
+    }
+}

src/main/java/de/stklcode/jvault/connector/model/AuthBackend.java

@@ -1,27 +1,58 @@
+/*
+ * Copyright 2016-2019 Stefan Kalscheuer
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
 package de.stklcode.jvault.connector.model;
 
 /**
  * Currently supported authentication backends.
  *
- * @author  Stefan Kalscheuer
- * @since   0.1
+ * @author Stefan Kalscheuer
+ * @since 0.1
  */
 public enum AuthBackend {
     TOKEN("token"),
     APPID("app-id"),
+    APPROLE("approle"),
     USERPASS("userpass"),
+    GITHUB("github"),   // Not supported yet.
     UNKNOWN("");
 
     private final String type;
 
-    AuthBackend(String type) {
+    /**
+     * Construct {@link AuthBackend} of given type.
+     *
+     * @param type Backend type
+     */
+    AuthBackend(final String type) {
         this.type = type;
     }
 
-    public static AuthBackend forType(String type) {
-        for (AuthBackend v : values())
-            if (v.type.equalsIgnoreCase(type))
+    /**
+     * Retrieve {@link AuthBackend} value for given type string.
+     *
+     * @param type Type string
+     * @return Auth backend value
+     */
+    public static AuthBackend forType(final String type) {
+        for (AuthBackend v : values()) {
+            if (v.type.equalsIgnoreCase(type)) {
                 return v;
+            }
+        }
         return UNKNOWN;
     }
 }

src/main/java/de/stklcode/jvault/connector/model/Token.java

@@ -0,0 +1,175 @@
+/*
+ * Copyright 2016-2019 Stefan Kalscheuer
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package de.stklcode.jvault.connector.model;
+
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
+import com.fasterxml.jackson.annotation.JsonInclude;
+import com.fasterxml.jackson.annotation.JsonProperty;
+
+import java.util.List;
+import java.util.Map;
+
+/**
+ * Vault Token metamodel.
+ *
+ * @author Stefan Kalscheuer
+ * @since 0.4.0
+ */
+@JsonIgnoreProperties(ignoreUnknown = true)
+public final class Token {
+    /**
+     * Get {@link TokenBuilder} instance.
+     *
+     * @return Token Builder.
+     * @since 0.8
+     */
+    public static TokenBuilder builder() {
+        return new TokenBuilder();
+    }
+
+    @JsonProperty("id")
+    @JsonInclude(JsonInclude.Include.NON_NULL)
+    private String id;
+
+    @JsonProperty("display_name")
+    @JsonInclude(JsonInclude.Include.NON_NULL)
+    private String displayName;
+
+    @JsonProperty("no_parent")
+    @JsonInclude(JsonInclude.Include.NON_NULL)
+    private Boolean noParent;
+
+    @JsonProperty("no_default_policy")
+    @JsonInclude(JsonInclude.Include.NON_NULL)
+    private Boolean noDefaultPolicy;
+
+    @JsonProperty("ttl")
+    @JsonInclude(JsonInclude.Include.NON_NULL)
+    private Integer ttl;
+
+    @JsonProperty("num_uses")
+    @JsonInclude(JsonInclude.Include.NON_NULL)
+    private Integer numUses;
+
+    @JsonProperty("policies")
+    @JsonInclude(JsonInclude.Include.NON_NULL)
+    private List<String> policies;
+
+    @JsonProperty("meta")
+    @JsonInclude(JsonInclude.Include.NON_NULL)
+    private Map<String, String> meta;
+
+    @JsonProperty("renewable")
+    @JsonInclude(JsonInclude.Include.NON_NULL)
+    private Boolean renewable;
+
+    /**
+     * Construct complete {@link Token} object.
+     *
+     * @param id              Token ID (optional)
+     * @param displayName     Token display name (optional)
+     * @param noParent        Token has no parent (optional)
+     * @param noDefaultPolicy Do not add default policy (optional)
+     * @param ttl             Token TTL in seconds (optional)
+     * @param numUses         Number of uses (optional)
+     * @param policies        List of policies (optional)
+     * @param meta            Metadata (optional)
+     * @param renewable       Is the token renewable (optional)
+     */
+    public Token(final String id,
+                 final String displayName,
+                 final Boolean noParent,
+                 final Boolean noDefaultPolicy,
+                 final Integer ttl,
+                 final Integer numUses,
+                 final List<String> policies,
+                 final Map<String, String> meta,
+                 final Boolean renewable) {
+        this.id = id;
+        this.displayName = displayName;
+        this.ttl = ttl;
+        this.numUses = numUses;
+        this.noParent = noParent;
+        this.noDefaultPolicy = noDefaultPolicy;
+        this.policies = policies;
+        this.meta = meta;
+        this.renewable = renewable;
+    }
+
+    /**
+     * @return Token ID
+     */
+    public String getId() {
+        return id;
+    }
+
+    /**
+     * @return Token display name
+     */
+    public String getDisplayName() {
+        return displayName;
+    }
+
+    /**
+     * @return Token has no parent
+     */
+    public Boolean getNoParent() {
+        return noParent;
+    }
+
+    /**
+     * @return Token has no default policy
+     */
+    public Boolean getNoDefaultPolicy() {
+        return noDefaultPolicy;
+    }
+
+    /**
+     * @return Time-to-live in seconds
+     */
+    public Integer getTtl() {
+        return ttl;
+    }
+
+    /**
+     * @return Number of uses
+     */
+    public Integer getNumUses() {
+        return numUses;
+    }
+
+    /**
+     * @return List of policies
+     */
+    public List<String> getPolicies() {
+        return policies;
+    }
+
+    /**
+     * @return Metadata
+     */
+    public Map<String, String> getMeta() {
+        return meta;
+    }
+
+    /**
+     * @return Token is renewable
+     */
+    public Boolean isRenewable() {
+        return renewable;
+    }
+}

src/main/java/de/stklcode/jvault/connector/model/TokenBuilder.java

@@ -0,0 +1,259 @@
+/*
+ * Copyright 2016-2019 Stefan Kalscheuer
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package de.stklcode.jvault.connector.model;
+
+import java.util.*;
+
+/**
+ * A builder for vault tokens.
+ *
+ * @author Stefan Kalscheuer
+ * @since 0.4.0
+ */
+public final class TokenBuilder {
+    private String id;
+    private String displayName;
+    private Boolean noParent;
+    private Boolean noDefaultPolicy;
+    private Integer ttl;
+    private Integer numUses;
+    private List<String> policies;
+    private Map<String, String> meta;
+    private Boolean renewable;
+
+    /**
+     * Add token ID. (optional)
+     *
+     * @param id the ID
+     * @return self
+     */
+    public TokenBuilder withId(final String id) {
+        this.id = id;
+        return this;
+    }
+
+    /**
+     * Add display name.
+     *
+     * @param displayName the display name
+     * @return self
+     */
+    public TokenBuilder withDisplayName(final String displayName) {
+        this.displayName = displayName;
+        return this;
+    }
+
+    /**
+     * Set desired time to live.
+     *
+     * @param ttl the ttl
+     * @return self
+     */
+    public TokenBuilder withTtl(final Integer ttl) {
+        this.ttl = ttl;
+        return this;
+    }
+
+    /**
+     * Set desired number of uses.
+     *
+     * @param numUses the number of uses
+     * @return self
+     */
+    public TokenBuilder withNumUses(final Integer numUses) {
+        this.numUses = numUses;
+        return this;
+    }
+
+    /**
+     * Set TRUE if the token should be created without parent.
+     *
+     * @param noParent if TRUE, token is created as orphan
+     * @return self
+     */
+    public TokenBuilder withNoParent(final boolean noParent) {
+        this.noParent = noParent;
+        return this;
+    }
+
+    /**
+     * Create token without parent.
+     * Convenience method for withNoParent()
+     *
+     * @return self
+     */
+    public TokenBuilder asOrphan() {
+        return withNoParent(true);
+    }
+
+    /**
+     * Create token with parent.
+     * Convenience method for withNoParent()
+     *
+     * @return self
+     */
+    public TokenBuilder withParent() {
+        return withNoParent(false);
+    }
+
+    /**
+     * Set TRUE if the default policy should not be part of this token.
+     *
+     * @param noDefaultPolicy if TRUE, default policy is not attached
+     * @return self
+     */
+    public TokenBuilder withNoDefaultPolicy(final boolean noDefaultPolicy) {
+        this.noDefaultPolicy = noDefaultPolicy;
+        return this;
+    }
+
+    /**
+     * Attach default policy to token.
+     * Convenience method for withNoDefaultPolicy()
+     *
+     * @return self
+     */
+    public TokenBuilder withDefaultPolicy() {
+        return withNoDefaultPolicy(false);
+    }
+
+    /**
+     * Do not attach default policy to token.
+     * Convenience method for withNoDefaultPolicy()
+     *
+     * @return self
+     */
+    public TokenBuilder withoutDefaultPolicy() {
+        return withNoDefaultPolicy(true);
+    }
+
+    /**
+     * Add given policies.
+     *
+     * @param policies the policies
+     * @return self
+     * @since 0.5.0
+     */
+    public TokenBuilder withPolicies(final String... policies) {
+        return withPolicies(Arrays.asList(policies));
+    }
+
+    /**
+     * Add given policies.
+     *
+     * @param policies the policies
+     * @return self
+     */
+    public TokenBuilder withPolicies(final List<String> policies) {
+        if (this.policies == null) {
+            this.policies = new ArrayList<>();
+        }
+        this.policies.addAll(policies);
+        return this;
+    }
+
+    /**
+     * Add a single policy.
+     *
+     * @param policy the policy
+     * @return self
+     */
+    public TokenBuilder withPolicy(final String policy) {
+        if (this.policies == null) {
+            this.policies = new ArrayList<>();
+        }
+        policies.add(policy);
+        return this;
+    }
+
+    /**
+     * Add meta data.
+     *
+     * @param meta the metadata
+     * @return self
+     */
+    public TokenBuilder withMeta(final Map<String, String> meta) {
+        if (this.meta == null) {
+            this.meta = new HashMap<>();
+        }
+        this.meta.putAll(meta);
+        return this;
+    }
+
+    /**
+     * Add meta data.
+     *
+     * @param key   the key
+     * @param value the value
+     * @return self
+     */
+    public TokenBuilder withMeta(final String key, final String value) {
+        if (this.meta == null) {
+            this.meta = new HashMap<>();
+        }
+        this.meta.put(key, value);
+        return this;
+    }
+
+    /**
+     * Set if token is renewable.
+     *
+     * @param renewable TRUE, if renewable
+     * @return self
+     */
+    public TokenBuilder withRenewable(final Boolean renewable) {
+        this.renewable = renewable;
+        return this;
+    }
+
+    /**
+     * Set token to be renewable.
+     * Convenience method for withRenewable()
+     *
+     * @return self
+     */
+    public TokenBuilder renewable() {
+        return withRenewable(true);
+    }
+
+    /**
+     * Set token to be not renewable.
+     * Convenience method for withRenewable()
+     *
+     * @return self
+     */
+    public TokenBuilder notRenewable() {
+        return withRenewable(false);
+    }
+
+    /**
+     * Build the token based on given parameters.
+     *
+     * @return the token
+     */
+    public Token build() {
+        return new Token(id,
+                displayName,
+                noParent,
+                noDefaultPolicy,
+                ttl,
+                numUses,
+                policies,
+                meta,
+                renewable);
+    }
+}

src/main/java/de/stklcode/jvault/connector/model/package-info.java

@@ -0,0 +1,20 @@
+/*
+ * Copyright 2016-2019 Stefan Kalscheuer
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/**
+ * Model classes for communication with the Vault API.
+ */
+package de.stklcode.jvault.connector.model;

src/main/java/de/stklcode/jvault/connector/model/response/AppRoleResponse.java

@@ -0,0 +1,61 @@
+/*
+ * Copyright 2016-2019 Stefan Kalscheuer
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package de.stklcode.jvault.connector.model.response;
+
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import de.stklcode.jvault.connector.exception.InvalidResponseException;
+import de.stklcode.jvault.connector.model.AppRole;
+
+import java.io.IOException;
+import java.util.HashMap;
+import java.util.Map;
+
+/**
+ * Vault response for AppRole lookup.
+ *
+ * @author Stefan Kalscheuer
+ * @since 0.4.0
+ */
+@JsonIgnoreProperties(ignoreUnknown = true)
+public final class AppRoleResponse extends VaultDataResponse {
+    private AppRole role;
+
+    @Override
+    public void setData(final Map<String, Object> data) throws InvalidResponseException {
+        ObjectMapper mapper = new ObjectMapper();
+        try {
+            /* null empty strings on list objects */
+            Map<String, Object> filteredData = new HashMap<>();
+            data.forEach((k, v) -> {
+                if (!(v instanceof String && ((String) v).isEmpty())) {
+                    filteredData.put(k, v);
+                }
+            });
+            this.role = mapper.readValue(mapper.writeValueAsString(filteredData), AppRole.class);
+        } catch (IOException e) {
+            throw new InvalidResponseException("Failed deserializing response", e);
+        }
+    }
+
+    /**
+     * @return The role
+     */
+    public AppRole getRole() {
+        return role;
+    }
+}

src/main/java/de/stklcode/jvault/connector/model/response/AppRoleSecretResponse.java

@@ -0,0 +1,61 @@
+/*
+ * Copyright 2016-2019 Stefan Kalscheuer
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package de.stklcode.jvault.connector.model.response;
+
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import de.stklcode.jvault.connector.exception.InvalidResponseException;
+import de.stklcode.jvault.connector.model.AppRoleSecret;
+
+import java.io.IOException;
+import java.util.HashMap;
+import java.util.Map;
+
+/**
+ * Vault response for AppRole lookup.
+ *
+ * @author Stefan Kalscheuer
+ * @since 0.4.0
+ */
+@JsonIgnoreProperties(ignoreUnknown = true)
+public final class AppRoleSecretResponse extends VaultDataResponse {
+    private AppRoleSecret secret;
+
+    @Override
+    public void setData(final Map<String, Object> data) throws InvalidResponseException {
+        ObjectMapper mapper = new ObjectMapper();
+        try {
+            /* null empty strings on list objects */
+            Map<String, Object> filteredData = new HashMap<>();
+            data.forEach((k, v) -> {
+                if (!(v instanceof String && ((String) v).isEmpty())) {
+                    filteredData.put(k, v);
+                }
+            });
+            this.secret = mapper.readValue(mapper.writeValueAsString(filteredData), AppRoleSecret.class);
+        } catch (IOException e) {
+            throw new InvalidResponseException("Failed deserializing response", e);
+        }
+    }
+
+    /**
+     * @return The secret
+     */
+    public AppRoleSecret getSecret() {
+        return secret;
+    }
+}

src/main/java/de/stklcode/jvault/connector/model/response/AuthMethodsResponse.java

@@ -1,11 +1,28 @@
+/*
+ * Copyright 2016-2019 Stefan Kalscheuer
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
 package de.stklcode.jvault.connector.model.response;
 
-import com.fasterxml.jackson.annotation.JsonAnySetter;
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
+import com.fasterxml.jackson.databind.ObjectMapper;
 import de.stklcode.jvault.connector.exception.InvalidResponseException;
 import de.stklcode.jvault.connector.model.response.embedded.AuthMethod;
 
-import java.util.ArrayList;
-import java.util.List;
+import java.io.IOException;
+import java.util.HashMap;
 import java.util.Map;
 
 /**
@@ -14,19 +31,34 @@ import java.util.Map;
  * @author  Stefan Kalscheuer
  * @since   0.1
  */
-public class AuthMethodsResponse implements VaultResponse {
+@JsonIgnoreProperties(ignoreUnknown = true)
+public final class AuthMethodsResponse extends VaultDataResponse {
+    private Map<String, AuthMethod> supportedMethods;
 
-    private List<AuthMethod> supportedMethods;
-
-    @JsonAnySetter
-    public void setMethod(String path, Map<String, String> data) throws InvalidResponseException {
-        if (supportedMethods == null)
-            supportedMethods = new ArrayList<>();
-
-        supportedMethods.add(new AuthMethod(path, data.get("description"), data.get("type")));
+    /**
+     * Construct empty {@link AuthMethodsResponse} object.
+     */
+    public AuthMethodsResponse() {
+        this.supportedMethods = new HashMap<>();
     }
 
-    public List<AuthMethod> getSupportedMethods() {
+    @Override
+    public void setData(final Map<String, Object> data) throws InvalidResponseException {
+        ObjectMapper mapper = new ObjectMapper();
+        for (Map.Entry<String, Object> entry : data.entrySet()) {
+            try {
+                this.supportedMethods.put(entry.getKey(),
+                        mapper.readValue(mapper.writeValueAsString(entry.getValue()), AuthMethod.class));
+            } catch (IOException e) {
+                throw new InvalidResponseException();
+            }
+        }
+    }
+
+    /**
+     * @return Supported authentication methods
+     */
+    public Map<String, AuthMethod> getSupportedMethods() {
         return supportedMethods;
     }
 }

src/main/java/de/stklcode/jvault/connector/model/response/AuthResponse.java

@@ -1,3 +1,19 @@
+/*
+ * Copyright 2016-2019 Stefan Kalscheuer
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
 package de.stklcode.jvault.connector.model.response;
 
 import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
@@ -12,35 +28,46 @@ import java.util.Map;
 /**
  * Vault response for authentication providing auth info in {@link AuthData} field.
  *
- * @author  Stefan Kalscheuer
- * @since   0.1
+ * @author Stefan Kalscheuer
+ * @since 0.1
  */
 @JsonIgnoreProperties(ignoreUnknown = true)
-public class AuthResponse extends VaultDataResponse {
+public final class AuthResponse extends VaultDataResponse {
     private Map<String, Object> data;
 
     private AuthData auth;
 
+    /**
+     * Set authentication data. The input will be mapped to the {@link AuthData} model.
+     *
+     * @param auth Raw authentication data
+     * @throws InvalidResponseException on mapping errors
+     */
     @JsonProperty("auth")
-    public void setAuth(Map<String, Object> auth) throws InvalidResponseException {
+    public void setAuth(final Map<String, Object> auth) throws InvalidResponseException {
         ObjectMapper mapper = new ObjectMapper();
         try {
             this.auth = mapper.readValue(mapper.writeValueAsString(auth), AuthData.class);
         } catch (IOException e) {
-            e.printStackTrace();
-            throw new InvalidResponseException();
+            throw new InvalidResponseException("Failed deserializing response", e);
         }
     }
 
     @Override
-    public void setData(Map<String, Object> data) {
+    public void setData(final Map<String, Object> data) {
         this.data = data;
     }
 
+    /**
+     * @return Raw data
+     */
     public Map<String, Object> getData() {
         return data;
     }
 
+    /**
+     * @return Authentication data
+     */
     public AuthData getAuth() {
         return auth;
     }

src/main/java/de/stklcode/jvault/connector/model/response/CredentialsResponse.java

@@ -0,0 +1,51 @@
+/*
+ * Copyright 2016-2019 Stefan Kalscheuer
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package de.stklcode.jvault.connector.model.response;
+
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
+
+/**
+ * Vault response from credentials lookup. Simple wrapper for data objects containing username and password fields.
+ *
+ * @author  Stefan Kalscheuer
+ * @since   0.5.0
+ */
+@JsonIgnoreProperties(ignoreUnknown = true)
+public final class CredentialsResponse extends SecretResponse {
+
+    /**
+     * @return Username
+     */
+    public String getUsername() {
+        Object username = get("username");
+        if (username != null) {
+            return username.toString();
+        }
+        return null;
+    }
+
+    /**
+     * @return Password
+     */
+    public String getPassword() {
+        Object password = get("password");
+        if (password != null) {
+            return password.toString();
+        }
+        return null;
+    }
+}

src/main/java/de/stklcode/jvault/connector/model/response/ErrorResponse.java

@@ -1,3 +1,19 @@
+/*
+ * Copyright 2016-2019 Stefan Kalscheuer
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
 package de.stklcode.jvault.connector.model.response;
 
 import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
@@ -12,11 +28,23 @@ import java.util.List;
  * @since   0.1
  */
 @JsonIgnoreProperties(ignoreUnknown = true)
-public class ErrorResponse implements VaultResponse {
+public final class ErrorResponse implements VaultResponse {
     @JsonProperty("errors")
     private List<String> errors;
 
-    public List<String > getErrors() {
+    /**
+     * @return List of errors
+     */
+    public List<String> getErrors() {
         return errors;
     }
-}
+
+    @Override
+    public String toString() {
+        if (errors == null || errors.isEmpty()) {
+            return "error response";
+        } else {
+            return errors.get(0);
+        }
+    }
+}

src/main/java/de/stklcode/jvault/connector/model/response/HealthResponse.java

@@ -0,0 +1,132 @@
+/*
+ * Copyright 2016-2019 Stefan Kalscheuer
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package de.stklcode.jvault.connector.model.response;
+
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
+import com.fasterxml.jackson.annotation.JsonProperty;
+
+/**
+ * Vault response for health query.
+ *
+ * @author  Stefan Kalscheuer
+ * @since   0.7.0
+ */
+@JsonIgnoreProperties(ignoreUnknown = true)
+public final class HealthResponse implements VaultResponse {
+    @JsonProperty("cluster_id")
+    private String clusterID;
+
+    @JsonProperty("cluster_name")
+    private String clusterName;
+
+    @JsonProperty("version")
+    private String version;
+
+    @JsonProperty("server_time_utc")
+    private Long serverTimeUTC;
+
+    @JsonProperty("standby")
+    private Boolean standby;
+
+    @JsonProperty("sealed")
+    private Boolean sealed;
+
+    @JsonProperty("initialized")
+    private Boolean initialized;
+
+    @JsonProperty("replication_perf_mode")
+    private String replicationPerfMode;
+
+    @JsonProperty("replication_dr_mode")
+    private String replicationDrMode;
+
+    @JsonProperty("performance_standby")
+    private Boolean performanceStandby;
+
+    /**
+     * @return The Cluster ID.
+     */
+    public String getClusterID() {
+        return clusterID;
+    }
+
+    /**
+     * @return The Cluster name.
+     */
+    public String getClusterName() {
+        return clusterName;
+    }
+
+    /**
+     * @return Vault version.
+     */
+    public String getVersion() {
+        return version;
+    }
+
+    /**
+     * @return Server time UTC (timestamp).
+     */
+    public Long getServerTimeUTC() {
+        return serverTimeUTC;
+    }
+
+    /**
+     * @return Server standby status.
+     */
+    public Boolean isStandby() {
+        return standby;
+    }
+
+    /**
+     * @return Server seal status.
+     */
+    public Boolean isSealed() {
+        return sealed;
+    }
+
+    /**
+     * @return Server initialization status.
+     */
+    public Boolean isInitialized() {
+        return initialized;
+    }
+
+    /**
+     * @return Replication performance mode of the active node (since Vault 0.9.2).
+     * @since 0.8 (#21)
+     */
+    public String getReplicationPerfMode() {
+        return replicationPerfMode;
+    }
+
+    /**
+     * @return Replication DR mode of the active node (since Vault 0.9.2).
+     * @since 0.8 (#21)
+     */
+    public String getReplicationDrMode() {
+        return replicationDrMode;
+    }
+
+    /**
+     * @return Performance standby status.
+     * @since 0.8 (#21)
+     */
+    public Boolean isPerformanceStandby() {
+        return performanceStandby;
+    }
+}

src/main/java/de/stklcode/jvault/connector/model/response/HelpResponse.java

@@ -1,3 +1,19 @@
+/*
+ * Copyright 2016-2019 Stefan Kalscheuer
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
 package de.stklcode.jvault.connector.model.response;
 
 import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
@@ -10,11 +26,14 @@ import com.fasterxml.jackson.annotation.JsonProperty;
  * @since   0.1
  */
 @JsonIgnoreProperties(ignoreUnknown = true)
-public class HelpResponse implements VaultResponse {
+public final class HelpResponse implements VaultResponse {
     @JsonProperty("help")
     private String help;
 
+    /**
+     * @return Help text
+     */
     public String getHelp() {
         return help;
     }
-}
+}

src/main/java/de/stklcode/jvault/connector/model/response/MetadataResponse.java

@@ -0,0 +1,56 @@
+/*
+ * Copyright 2016-2019 Stefan Kalscheuer
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package de.stklcode.jvault.connector.model.response;
+
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import de.stklcode.jvault.connector.exception.InvalidResponseException;
+import de.stklcode.jvault.connector.model.response.embedded.SecretMetadata;
+
+import java.io.IOException;
+import java.util.Map;
+
+/**
+ * Vault response for secret metadata (KV v2).
+ *
+ * @author Stefan Kalscheuer
+ * @since 0.8
+ */
+@JsonIgnoreProperties(ignoreUnknown = true)
+public class MetadataResponse extends VaultDataResponse {
+
+    private SecretMetadata metadata;
+
+    @Override
+    public final void setData(final Map<String, Object> data) throws InvalidResponseException {
+        ObjectMapper mapper = new ObjectMapper();
+        try {
+            this.metadata = mapper.readValue(mapper.writeValueAsString(data), SecretMetadata.class);
+        } catch (IOException e) {
+            throw new InvalidResponseException("Failed deserializing response", e);
+        }
+    }
+
+    /**
+     * Get the actual metadata.
+     *
+     * @return Metadata.
+     */
+    public SecretMetadata getMetadata() {
+        return metadata;
+    }
+}

src/main/java/de/stklcode/jvault/connector/model/response/RawDataResponse.java

@@ -0,0 +1,44 @@
+/*
+ * Copyright 2016-2019 Stefan Kalscheuer
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package de.stklcode.jvault.connector.model.response;
+
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
+
+import java.util.Map;
+
+/**
+ * Simple Vault data response.
+ *
+ * @author  Stefan Kalscheuer
+ * @since   0.4.0
+ */
+@JsonIgnoreProperties(ignoreUnknown = true)
+public final class RawDataResponse extends VaultDataResponse {
+    private Map<String, Object> data;
+
+    @Override
+    public void setData(final Map<String, Object> data) {
+        this.data = data;
+    }
+
+    /**
+     * @return Raw data {@link Map}
+     */
+    public Map<String, Object> getData() {
+        return data;
+    }
+}

src/main/java/de/stklcode/jvault/connector/model/response/SealResponse.java

@@ -1,3 +1,19 @@
+/*
+ * Copyright 2016-2019 Stefan Kalscheuer
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
 package de.stklcode.jvault.connector.model.response;
 
 import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
@@ -6,14 +22,20 @@ import com.fasterxml.jackson.annotation.JsonProperty;
 /**
  * Vault response for seal status or unseal request.
  *
- * @author  Stefan Kalscheuer
- * @since   0.1
+ * @author Stefan Kalscheuer
+ * @since 0.1
  */
 @JsonIgnoreProperties(ignoreUnknown = true)
-public class SealResponse implements VaultResponse {
+public final class SealResponse implements VaultResponse {
+    @JsonProperty("type")
+    private String type;
+
     @JsonProperty("sealed")
     private boolean sealed;
 
+    @JsonProperty("initialized")
+    private boolean initialized;
+
     @JsonProperty("t")
     private Integer threshold;
 
@@ -23,19 +45,91 @@ public class SealResponse implements VaultResponse {
     @JsonProperty("progress")
     private Integer progress;
 
+    @JsonProperty("version")
+    private String version;
+
+    @JsonProperty("nonce")
+    private String nonce;
+
+    @JsonProperty("cluster_name")
+    private String clusterName;
+
+    @JsonProperty("cluster_id")
+    private String clusterId;
+
+    /**
+     * @return Seal type.
+     * @since 0.8
+     */
+    public String getType() {
+        return type;
+    }
+
+    /**
+     * @return Seal status
+     */
     public boolean isSealed() {
         return sealed;
     }
 
+    /**
+     * @return Vault initialization status (since Vault 0.11.2).
+     * @since 0.8
+     */
+    public boolean isInitialized() {
+        return initialized;
+    }
+
+    /**
+     * @return Required threshold of secret shares
+     */
     public Integer getThreshold() {
         return threshold;
     }
 
+    /**
+     * @return Number of secret shares
+     */
     public Integer getNumberOfShares() {
         return numberOfShares;
     }
 
+    /**
+     * @return Current unseal progress (remaining required shares)
+     */
     public Integer getProgress() {
         return progress;
     }
+
+    /**
+     * @return Vault version.
+     * @since 0.8
+     */
+    public String getVersion() {
+        return version;
+    }
+
+    /**
+     * @return A random nonce.
+     * @since 0.8
+     */
+    public String getNonce() {
+        return nonce;
+    }
+
+    /**
+     * @return Vault cluster name (only if unsealed).
+     * @since 0.8
+     */
+    public String getClusterName() {
+        return clusterName;
+    }
+
+    /**
+     * @return Vault cluster ID (only if unsealed).
+     * @since 0.8
+     */
+    public String getClusterId() {
+        return clusterId;
+    }
 }

src/main/java/de/stklcode/jvault/connector/model/response/SecretListResponse.java

@@ -1,3 +1,19 @@
+/*
+ * Copyright 2016-2019 Stefan Kalscheuer
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
 package de.stklcode.jvault.connector.model.response;
 
 import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
@@ -10,23 +26,31 @@ import java.util.Map;
 /**
  * Vault response for secret list request.
  *
- * @author  Stefan Kalscheuer
- * @since   0.1
+ * @author Stefan Kalscheuer
+ * @since 0.1
  */
 @JsonIgnoreProperties(ignoreUnknown = true)
-public class SecretListResponse extends VaultDataResponse {
+public final class SecretListResponse extends VaultDataResponse {
     private List<String> keys;
 
+    /**
+     * Set data. Extracts list of keys from raw response data.
+     *
+     * @param data Raw data
+     * @throws InvalidResponseException on parsing errors
+     */
     @JsonProperty("data")
-    public void setData(Map<String, Object> data) throws InvalidResponseException {
+    public void setData(final Map<String, Object> data) throws InvalidResponseException {
         try {
-            this.keys = (List<String>)data.get("keys");
-        }
-        catch (ClassCastException e) {
+            this.keys = (List<String>) data.get("keys");
+        } catch (ClassCastException e) {
             throw new InvalidResponseException("Keys could not be parsed from data.", e);
         }
     }
 
+    /**
+     * @return List of secret keys
+     */
     public List<String> getKeys() {
         return keys;
     }

src/main/java/de/stklcode/jvault/connector/model/response/SecretResponse.java

@@ -1,30 +1,150 @@
+/*
+ * Copyright 2016-2019 Stefan Kalscheuer
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
 package de.stklcode.jvault.connector.model.response;
 
 import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
+import com.fasterxml.jackson.databind.ObjectMapper;
 import de.stklcode.jvault.connector.exception.InvalidResponseException;
+import de.stklcode.jvault.connector.model.response.embedded.VersionMetadata;
 
+import java.io.IOException;
+import java.util.HashMap;
 import java.util.Map;
 
 /**
  * Vault response for secret request.
  *
- * @author  Stefan Kalscheuer
- * @since   0.1
+ * @author Stefan Kalscheuer
+ * @since 0.1
  */
 @JsonIgnoreProperties(ignoreUnknown = true)
 public class SecretResponse extends VaultDataResponse {
-    private String value;
+    private static final String KEY_DATA = "data";
+    private static final String KEY_METADATA = "metadata";
+
+    private Map<String, Object> data;
+    private VersionMetadata metadata;
 
     @Override
-    public void setData(Map<String, Object> data) throws InvalidResponseException {
-        try {
-            this.value = (String) data.get("value");
-        } catch (ClassCastException e) {
-            throw new InvalidResponseException("Value could not be parsed", e);
+    public final void setData(final Map<String, Object> data) throws InvalidResponseException {
+        if (data.size() == 2
+                && data.containsKey(KEY_DATA) && data.get(KEY_DATA) instanceof Map
+                && data.containsKey(KEY_METADATA) && data.get(KEY_METADATA) instanceof Map) {
+            ObjectMapper mapper = new ObjectMapper();
+            try {
+                // This is apparently a KV v2 value.
+                this.data = (Map<String, Object>) data.get(KEY_DATA);
+                this.metadata = mapper.readValue(mapper.writeValueAsString(data.get(KEY_METADATA)), VersionMetadata.class);
+            } catch (ClassCastException | IOException e) {
+                throw new InvalidResponseException("Failed deserializing response", e);
+            }
+        } else {
+            // For KV v1 without metadata just store the data map.
+            this.data = data;
         }
     }
 
-    public String getValue() {
-        return value;
+    /**
+     * Get complete data object.
+     *
+     * @return data map
+     * @since 0.4.0
+     */
+    public final Map<String, Object> getData() {
+        if (data == null) {
+            return new HashMap<>();
+        }
+        return data;
     }
-}
+
+    /**
+     * Get secret metadata. This is only available for KV v2 secrets.
+     *
+     * @return Metadata of the secret.
+     * @since 0.8
+     */
+    public final VersionMetadata getMetadata() {
+        return metadata;
+    }
+
+    /**
+     * Get a single value for given key.
+     *
+     * @param key the key
+     * @return the value or {@code null} if absent
+     * @since 0.4.0
+     */
+    public final Object get(final String key) {
+        if (data == null) {
+            return null;
+        }
+        return getData().get(key);
+    }
+
+    /**
+     * Get data element for key "value".
+     * Method for backwards compatibility in case of simple secrets.
+     *
+     * @return the value
+     * @deprecated Deprecated artifact, will be removed at latest at v1.0.0
+     */
+    @Deprecated
+    public final String getValue() {
+        Object value = get("value");
+        if (value == null) {
+            return null;
+        }
+        return value.toString();
+    }
+
+    /**
+     * Get response parsed as JSON.
+     *
+     * @param type Class to parse response
+     * @param <T>  Class to parse response
+     * @return Parsed object
+     * @throws InvalidResponseException on parsing error
+     * @since 0.3
+     * @deprecated Deprecated artifact, will be removed at latest at v1.0.0
+     */
+    @Deprecated
+    public final <T> T getValue(final Class<T> type) throws InvalidResponseException {
+        return get("value", type);
+    }
+
+    /**
+     * Get response parsed as JSON.
+     *
+     * @param key  the key
+     * @param type Class to parse response
+     * @param <T>  Class to parse response
+     * @return Parsed object or {@code null} if absent
+     * @throws InvalidResponseException on parsing error
+     * @since 0.4.0
+     */
+    public final <T> T get(final String key, final Class<T> type) throws InvalidResponseException {
+        try {
+            Object rawValue = get(key);
+            if (rawValue == null) {
+                return null;
+            }
+            return new ObjectMapper().readValue(rawValue.toString(), type);
+        } catch (IOException e) {
+            throw new InvalidResponseException("Unable to parse response payload: " + e.getMessage());
+        }
+    }
+}

src/main/java/de/stklcode/jvault/connector/model/response/SecretVersionResponse.java

@@ -0,0 +1,56 @@
+/*
+ * Copyright 2016-2019 Stefan Kalscheuer
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package de.stklcode.jvault.connector.model.response;
+
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import de.stklcode.jvault.connector.exception.InvalidResponseException;
+import de.stklcode.jvault.connector.model.response.embedded.VersionMetadata;
+
+import java.io.IOException;
+import java.util.Map;
+
+/**
+ * Vault response for a single secret version metatada, i.e. after update (KV v2).
+ *
+ * @author Stefan Kalscheuer
+ * @since 0.8
+ */
+@JsonIgnoreProperties(ignoreUnknown = true)
+public class SecretVersionResponse extends VaultDataResponse {
+
+    private VersionMetadata metadata;
+
+    @Override
+    public final void setData(final Map<String, Object> data) throws InvalidResponseException {
+        ObjectMapper mapper = new ObjectMapper();
+        try {
+            this.metadata = mapper.readValue(mapper.writeValueAsString(data), VersionMetadata.class);
+        } catch (IOException e) {
+            throw new InvalidResponseException("Failed deserializing response", e);
+        }
+    }
+
+    /**
+     * Get the actual metadata.
+     *
+     * @return Metadata.
+     */
+    public VersionMetadata getMetadata() {
+        return metadata;
+    }
+}

src/main/java/de/stklcode/jvault/connector/model/response/TokenResponse.java

@@ -1,5 +1,20 @@
-package de.stklcode.jvault.connector.model.response;
+/*
+ * Copyright 2016-2019 Stefan Kalscheuer
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
 
+package de.stklcode.jvault.connector.model.response;
 
 import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
 import com.fasterxml.jackson.annotation.JsonProperty;
@@ -13,27 +28,35 @@ import java.util.Map;
 /**
  * Vault response from token lookup providing Token information in {@link TokenData} field.
  *
- * @author  Stefan Kalscheuer
- * @since   0.1
+ * @author Stefan Kalscheuer
+ * @since 0.1
  */
 @JsonIgnoreProperties(ignoreUnknown = true)
-public class TokenResponse extends VaultDataResponse {
+public final class TokenResponse extends VaultDataResponse {
     private TokenData data;
 
     @JsonProperty("auth")
     private Boolean auth;
 
+    /**
+     * Set data. Parses response data map to {@link TokenData}.
+     *
+     * @param data Raw response data
+     * @throws InvalidResponseException on parsing errors
+     */
     @Override
-    public void setData(Map<String, Object> data) throws InvalidResponseException {
+    public void setData(final Map<String, Object> data) throws InvalidResponseException {
         ObjectMapper mapper = new ObjectMapper();
         try {
             this.data = mapper.readValue(mapper.writeValueAsString(data), TokenData.class);
         } catch (IOException e) {
-            e.printStackTrace();
-            throw new InvalidResponseException();
+            throw new InvalidResponseException("Failed deserializing response", e);
         }
     }
 
+    /**
+     * @return Token data
+     */
     public TokenData getData() {
         return data;
     }

src/main/java/de/stklcode/jvault/connector/model/response/VaultDataResponse.java

@@ -1,3 +1,19 @@
+/*
+ * Copyright 2016-2019 Stefan Kalscheuer
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
 package de.stklcode.jvault.connector.model.response;
 
 import com.fasterxml.jackson.annotation.JsonProperty;
@@ -9,8 +25,8 @@ import java.util.Map;
 /**
  * Abstract Vault response with default payload fields.
  *
- * @author  Stefan Kalscheuer
- * @since   0.1
+ * @author Stefan Kalscheuer
+ * @since 0.1
  */
 public abstract class VaultDataResponse implements VaultResponse {
     @JsonProperty("lease_id")
@@ -25,22 +41,40 @@ public abstract class VaultDataResponse implements VaultResponse {
     @JsonProperty("warnings")
     private List<String> warnings;
 
+    /**
+     * Set data. To be implemented in the specific subclasses, as data can be of arbitrary structure.
+     *
+     * @param data Raw response data
+     * @throws InvalidResponseException on parsing errors
+     */
     @JsonProperty("data")
-    public abstract void setData(Map<String, Object> data) throws InvalidResponseException;
+    public abstract void setData(final Map<String, Object> data) throws InvalidResponseException;
 
-    public String getLeaseId() {
+    /**
+     * @return Lease ID
+     */
+    public final String getLeaseId() {
         return leaseId;
     }
 
-    public boolean isRenewable() {
+    /**
+     * @return Lease is renewable
+     */
+    public final boolean isRenewable() {
         return renewable;
     }
 
-    public Integer getLeaseDuration() {
+    /**
+     * @return Lease duration
+     */
+    public final Integer getLeaseDuration() {
         return leaseDuration;
     }
 
-    public List<String> getWarnings() {
+    /**
+     * @return List of warnings
+     */
+    public final List<String> getWarnings() {
         return warnings;
     }
 }

src/main/java/de/stklcode/jvault/connector/model/response/VaultResponse.java

@@ -1,3 +1,19 @@
+/*
+ * Copyright 2016-2019 Stefan Kalscheuer
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
 package de.stklcode.jvault.connector.model.response;
 
 /**

src/main/java/de/stklcode/jvault/connector/model/response/embedded/AuthData.java

@@ -1,3 +1,19 @@
+/*
+ * Copyright 2016-2019 Stefan Kalscheuer
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
 package de.stklcode.jvault.connector.model.response.embedded;
 
 import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
@@ -13,7 +29,7 @@ import java.util.Map;
  * @since   0.1
  */
 @JsonIgnoreProperties(ignoreUnknown = true)
-public class AuthData {
+public final class AuthData {
     @JsonProperty("client_token")
     private String clientToken;
 
@@ -32,27 +48,45 @@ public class AuthData {
     @JsonProperty("renewable")
     private boolean renewable;
 
+    /**
+     * @return Client token
+     */
     public String getClientToken() {
         return clientToken;
     }
 
+    /**
+     * @return Token accessor
+     */
     public String getAccessor() {
         return accessor;
     }
 
+    /**
+     * @return List of policies
+     */
     public List<String> getPolicies() {
         return policies;
     }
 
+    /**
+     * @return Metadata
+     */
     public Map<String, Object> getMetadata() {
         return metadata;
     }
 
+    /**
+     * @return Lease duration
+     */
     public Integer getLeaseDuration() {
         return leaseDuration;
     }
 
+    /**
+     * @return Lease is renewable
+     */
     public boolean isRenewable() {
         return renewable;
     }
-}
+}

src/main/java/de/stklcode/jvault/connector/model/response/embedded/AuthMethod.java

@@ -1,40 +1,89 @@
+/*
+ * Copyright 2016-2019 Stefan Kalscheuer
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
 package de.stklcode.jvault.connector.model.response.embedded;
 
-
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
+import com.fasterxml.jackson.annotation.JsonProperty;
+import com.fasterxml.jackson.annotation.JsonSetter;
 import de.stklcode.jvault.connector.model.AuthBackend;
 
+import java.util.Map;
+
 /**
  * Embedded authentication method response.
  *
  * @author  Stefan Kalscheuer
  * @since   0.1
  */
-public class AuthMethod {
+@JsonIgnoreProperties(ignoreUnknown = true)
+public final class AuthMethod {
     private AuthBackend type;
     private String rawType;
-    private String path;
+
+    @JsonProperty("description")
     private String description;
 
-    public AuthMethod(String path, String description, String type) {
-        this.path = path;
-        this.description = description;
+    @JsonProperty("config")
+    private Map<String, String> config;
+
+    @JsonProperty("local")
+    private boolean local;
+
+    /**
+     * @param type Backend type, passed to {@link AuthBackend#forType(String)}
+     */
+    @JsonSetter("type")
+    public void setType(final String type) {
         this.rawType = type;
         this.type = AuthBackend.forType(type);
     }
 
+    /**
+     * @return Backend type
+     */
     public AuthBackend getType() {
         return type;
     }
 
+    /**
+     * @return Raw backend type string
+     */
     public String getRawType() {
         return rawType;
     }
 
-    public String getPath() {
-        return path;
-    }
-
+    /**
+     * @return Description
+     */
     public String getDescription() {
         return description;
     }
+
+    /**
+     * @return Configuration data
+     */
+    public Map<String, String> getConfig() {
+        return config;
+    }
+
+    /**
+     * @return Is local backend
+     */
+    public boolean isLocal() {
+        return local;
+    }
 }

src/main/java/de/stklcode/jvault/connector/model/response/embedded/SecretMetadata.java

@@ -0,0 +1,127 @@
+/*
+ * Copyright 2016-2019 Stefan Kalscheuer
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package de.stklcode.jvault.connector.model.response.embedded;
+
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
+import com.fasterxml.jackson.annotation.JsonProperty;
+
+import java.time.ZonedDateTime;
+import java.time.format.DateTimeFormatter;
+import java.time.format.DateTimeParseException;
+import java.util.Map;
+
+/**
+ * Embedded metadata for Key-Value v2 secrets.
+ *
+ * @author  Stefan Kalscheuer
+ * @since   0.8
+ */
+@JsonIgnoreProperties(ignoreUnknown = true)
+public final class SecretMetadata {
+    private static final DateTimeFormatter TIME_FORMAT = DateTimeFormatter.ofPattern("yyyy-MM-dd'T'HH:mm:ss.SSSSSSSSSX");
+
+    @JsonProperty("created_time")
+    private String createdTimeString;
+
+    @JsonProperty("current_version")
+    private Integer currentVersion;
+
+    @JsonProperty("max_versions")
+    private Integer maxVersions;
+
+    @JsonProperty("oldest_version")
+    private Integer oldestVersion;
+
+    @JsonProperty("updated_time")
+    private String updatedTime;
+
+    @JsonProperty("versions")
+    private Map<Integer, VersionMetadata> versions;
+
+    /**
+     * @return Time of secret creation as raw string representation.
+     */
+    public String getCreatedTimeString() {
+        return createdTimeString;
+    }
+
+    /**
+     * @return Time of secret creation.
+     */
+    public ZonedDateTime getCreatedTime() {
+        if (createdTimeString != null && !createdTimeString.isEmpty()) {
+            try {
+                return ZonedDateTime.parse(createdTimeString, TIME_FORMAT);
+            } catch (DateTimeParseException e) {
+                // Ignore.
+            }
+        }
+
+        return null;
+    }
+
+    /**
+     * @return Current version number.
+     */
+    public Integer getCurrentVersion() {
+        return currentVersion;
+    }
+
+    /**
+     * @return Maximum number of versions.
+     */
+    public Integer getMaxVersions() {
+        return maxVersions;
+    }
+
+    /**
+     * @return Oldest available version number.
+     */
+    public Integer getOldestVersion() {
+        return oldestVersion;
+    }
+
+    /**
+     * @return Time of secret update as raw string representation.
+     */
+    public String getUpdatedTimeString() {
+        return updatedTime;
+    }
+
+    /**
+     * @return Time of secret update..
+     */
+    public ZonedDateTime getUpdatedTime() {
+        if (updatedTime != null && !updatedTime.isEmpty()) {
+            try {
+                return ZonedDateTime.parse(updatedTime, TIME_FORMAT);
+            } catch (DateTimeParseException e) {
+                // Ignore.
+            }
+        }
+
+        return null;
+    }
+
+    /**
+     * @return Version of the entry.
+     */
+    public Map<Integer, VersionMetadata> getVersions() {
+        return versions;
+    }
+
+}

src/main/java/de/stklcode/jvault/connector/model/response/embedded/TokenData.java

@@ -1,3 +1,19 @@
+/*
+ * Copyright 2016-2019 Stefan Kalscheuer
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
 package de.stklcode.jvault.connector.model.response.embedded;
 
 import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
@@ -10,7 +26,7 @@ import com.fasterxml.jackson.annotation.JsonProperty;
  * @since   0.1
  */
 @JsonIgnoreProperties(ignoreUnknown = true)
-public class TokenData {
+public final class TokenData {
     @JsonProperty("accessor")
     private String accessor;
 
@@ -18,7 +34,7 @@ public class TokenData {
     private Integer creationTime;
 
     @JsonProperty("creation_ttl")
-    private Integer creatinTtl;
+    private Integer creationTtl;
 
     @JsonProperty("display_name")
     private String name;
@@ -44,47 +60,80 @@ public class TokenData {
     @JsonProperty("ttl")
     private Integer ttl;
 
+    /**
+     * @return Token accessor
+     */
     public String getAccessor() {
         return accessor;
     }
 
+    /**
+     * @return Creation time
+     */
     public Integer getCreationTime() {
         return creationTime;
     }
 
-    public Integer getCreatinTtl() {
-        return creatinTtl;
+    /**
+     * @return Creation TTL (in seconds)
+     */
+    public Integer getCreationTtl() {
+        return creationTtl;
     }
 
+    /**
+     * @return Token name
+     */
     public String getName() {
         return name;
     }
 
+    /**
+     * @return Token ID
+     */
     public String getId() {
         return id;
     }
 
+    /**
+     * @return Number of uses
+     */
     public Integer getNumUses() {
         return numUses;
     }
 
+    /**
+     * @return Token is orphan
+     */
     public boolean isOrphan() {
         return orphan;
     }
 
+    /**
+     * @return Token path
+     */
     public String getPath() {
         return path;
     }
 
+    /**
+     * @return Token role
+     */
     public String getRole() {
         return role;
     }
 
+    /**
+     * @return Token TTL (in seconds)
+     */
     public Integer getTtl() {
         return ttl;
     }
 
+    /**
+     * @return Metadata
+     */
     public String getMeta() {
         return meta;
     }
-}
+}

src/main/java/de/stklcode/jvault/connector/model/response/embedded/VersionMetadata.java

@@ -0,0 +1,106 @@
+/*
+ * Copyright 2016-2019 Stefan Kalscheuer
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package de.stklcode.jvault.connector.model.response.embedded;
+
+import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
+import com.fasterxml.jackson.annotation.JsonProperty;
+
+import java.time.ZonedDateTime;
+import java.time.format.DateTimeFormatter;
+import java.time.format.DateTimeParseException;
+
+/**
+ * Embedded metadata for a single Key-Value v2 version.
+ *
+ * @author  Stefan Kalscheuer
+ * @since   0.8
+ */
+@JsonIgnoreProperties(ignoreUnknown = true)
+public final class VersionMetadata {
+    private static final DateTimeFormatter TIME_FORMAT = DateTimeFormatter.ofPattern("yyyy-MM-dd'T'HH:mm:ss.SSSSSSSSSX");
+
+    @JsonProperty("created_time")
+    private String createdTimeString;
+
+    @JsonProperty("deletion_time")
+    private String deletionTimeString;
+
+    @JsonProperty("destroyed")
+    private boolean destroyed;
+
+    @JsonProperty("version")
+    private Integer version;
+
+    /**
+     * @return Time of secret creation as raw string representation.
+     */
+    public String getCreatedTimeString() {
+        return createdTimeString;
+    }
+
+    /**
+     * @return Time of secret creation.
+     */
+    public ZonedDateTime getCreatedTime() {
+        if (createdTimeString != null && !createdTimeString.isEmpty()) {
+            try {
+                return ZonedDateTime.parse(createdTimeString, TIME_FORMAT);
+            } catch (DateTimeParseException e) {
+                // Ignore.
+            }
+        }
+
+        return null;
+    }
+
+    /**
+     * @return Time for secret deletion as raw string representation.
+     */
+    public String getDeletionTimeString() {
+        return deletionTimeString;
+    }
+
+    /**
+     * @return Time for secret deletion.
+     */
+    public ZonedDateTime getDeletionTime() {
+        if (deletionTimeString != null && !deletionTimeString.isEmpty()) {
+            try {
+                return ZonedDateTime.parse(deletionTimeString, TIME_FORMAT);
+            } catch (DateTimeParseException e) {
+                // Ignore.
+            }
+        }
+
+        return null;
+    }
+
+    /**
+     * @return Whether the secret is destroyed.
+     */
+    public boolean isDestroyed() {
+        return destroyed;
+    }
+
+    /**
+     * @return Version of the entry.
+     */
+    public Integer getVersion() {
+        return version;
+    }
+
+}

src/main/java/de/stklcode/jvault/connector/model/response/embedded/package-info.java

@@ -0,0 +1,20 @@
+/*
+ * Copyright 2016-2019 Stefan Kalscheuer
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/**
+ * Embedded data classes for responses from the Vault API.
+ */
+package de.stklcode.jvault.connector.model.response.embedded;

src/main/java/de/stklcode/jvault/connector/model/response/package-info.java

@@ -0,0 +1,20 @@
+/*
+ * Copyright 2016-2019 Stefan Kalscheuer
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/**
+ * Model classes for responses from the Vault API.
+ */
+package de.stklcode.jvault.connector.model.response;

src/main/java/de/stklcode/jvault/connector/package-info.java

@@ -0,0 +1,21 @@
+/*
+ * Copyright 2016-2019 Stefan Kalscheuer
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+/**
+ * Java Vault Connector base package - contains {@link de.stklcode.jvault.connector.VaultConnector} interface and
+ * default implementation.
+ */
+package de.stklcode.jvault.connector;

src/main/javadoc/overview.html

@@ -0,0 +1,13 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+    <meta charset="UTF-8">
+    <title>API Overview</title>
+</head>
+<body>
+<p>Java Vault Connector is a connector library for Vault by Hashicorp written in Java.</p>
+<p>The connector allows simple usage of Vault's secret store in own applications.</p>
+<p>It features a default implementation for the HTTP(S) interface and supports various authorization methods including
+    AppRole, token and secret handling.</p>
+</body>
+</html>

src/test/java/de/stklcode/jvault/connector/HTTPVaultConnectorOfflineTest.java

@@ -0,0 +1,504 @@
+/*
+ * Copyright 2016-2019 Stefan Kalscheuer
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package de.stklcode.jvault.connector;
+
+import de.stklcode.jvault.connector.exception.InvalidRequestException;
+import de.stklcode.jvault.connector.exception.InvalidResponseException;
+import de.stklcode.jvault.connector.exception.PermissionDeniedException;
+import de.stklcode.jvault.connector.exception.VaultConnectorException;
+import net.bytebuddy.ByteBuddy;
+import net.bytebuddy.agent.ByteBuddyAgent;
+import net.bytebuddy.dynamic.loading.ClassReloadingStrategy;
+import org.apache.http.ProtocolVersion;
+import org.apache.http.client.methods.CloseableHttpResponse;
+import org.apache.http.entity.ContentType;
+import org.apache.http.entity.StringEntity;
+import org.apache.http.impl.client.CloseableHttpClient;
+import org.apache.http.impl.client.HttpClientBuilder;
+import org.apache.http.message.BasicStatusLine;
+import org.junit.jupiter.api.BeforeAll;
+import org.junit.jupiter.api.BeforeEach;
+import org.junit.jupiter.api.Test;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.lang.reflect.Field;
+import java.security.cert.CertificateException;
+import java.security.cert.CertificateFactory;
+import java.security.cert.X509Certificate;
+import java.util.Collections;
+
+import static net.bytebuddy.implementation.MethodDelegation.to;
+import static net.bytebuddy.matcher.ElementMatchers.named;
+import static org.hamcrest.CoreMatchers.instanceOf;
+import static org.hamcrest.CoreMatchers.nullValue;
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.core.Is.is;
+import static org.junit.jupiter.api.Assertions.fail;
+import static org.mockito.ArgumentMatchers.any;
+import static org.mockito.Mockito.*;
+
+/**
+ * JUnit test for HTTP Vault connector.
+ * This test suite contains tests that do not require connection to an actual Vault instance.
+ *
+ * @author Stefan Kalscheuer
+ * @since 0.7.0
+ */
+public class HTTPVaultConnectorOfflineTest {
+    private static final String INVALID_URL = "foo:/\\1nv4l1d_UrL";
+
+    private static CloseableHttpClient httpMock = mock(CloseableHttpClient.class);
+    private CloseableHttpResponse responseMock = mock(CloseableHttpResponse.class);
+
+    @BeforeAll
+    public static void initByteBuddy() {
+        // Install ByteBuddy Agent.
+        ByteBuddyAgent.install();
+    }
+
+    /**
+     * Helper method for redefinition of {@link HttpClientBuilder#create()} from {@link #initHttpMock()}.
+     *
+     * @return Mocked HTTP client builder.
+     */
+    public static HttpClientBuilder create() {
+        return new MockedHttpClientBuilder();
+    }
+
+    @BeforeEach
+    public void initHttpMock() {
+        // Redefine static method to return Mock on HttpClientBuilder creation.
+        new ByteBuddy().redefine(HttpClientBuilder.class)
+                .method(named("create"))
+                .intercept(to(HTTPVaultConnectorOfflineTest.class))
+                .make()
+                .load(HttpClientBuilder.class.getClassLoader(), ClassReloadingStrategy.fromInstalledAgent());
+
+        // Re-initialize HTTP mock to ensure fresh (empty) results.
+        httpMock = mock(CloseableHttpClient.class);
+    }
+
+    /**
+     * Test exceptions thrown during request.
+     */
+    @Test
+    public void requestExceptionTest() throws IOException {
+        HTTPVaultConnector connector = new HTTPVaultConnector("http://127.0.0.1", null, 0, 250);
+
+        // Test invalid response code.
+        final int responseCode = 400;
+        mockResponse(responseCode, "", ContentType.APPLICATION_JSON);
+        try {
+            connector.getHealth();
+            fail("Querying health status succeeded on invalid instance");
+        } catch (Exception e) {
+            assertThat("Unexpected type of exception", e, instanceOf(InvalidResponseException.class));
+            assertThat("Unexpected exception message", e.getMessage(), is("Invalid response code"));
+            assertThat("Unexpected status code in exception", ((InvalidResponseException) e).getStatusCode(), is(responseCode));
+            assertThat("Response message where none was expected", ((InvalidResponseException) e).getResponse(), is(nullValue()));
+        }
+
+        // Simulate permission denied response.
+        mockResponse(responseCode, "{\"errors\":[\"permission denied\"]}", ContentType.APPLICATION_JSON);
+        try {
+            connector.getHealth();
+            fail("Querying health status succeeded on invalid instance");
+        } catch (Exception e) {
+            assertThat("Unexpected type of exception", e, instanceOf(PermissionDeniedException.class));
+        }
+
+        // Test exception thrown during request.
+        when(httpMock.execute(any())).thenThrow(new IOException("Test Exception"));
+        try {
+            connector.getHealth();
+            fail("Querying health status succeeded on invalid instance");
+        } catch (Exception e) {
+            assertThat("Unexpected type of exception", e, instanceOf(InvalidResponseException.class));
+            assertThat("Unexpected exception message", e.getMessage(), is("Unable to read response"));
+            assertThat("Unexpected cause", e.getCause(), instanceOf(IOException.class));
+        }
+
+        // Now simulate a failing request that succeeds on second try.
+        connector = new HTTPVaultConnector("https://127.0.0.1", null, 1, 250);
+        doReturn(responseMock).doReturn(responseMock).when(httpMock).execute(any());
+        doReturn(new BasicStatusLine(new ProtocolVersion("HTTP", 1, 1), 500, ""))
+                .doReturn(new BasicStatusLine(new ProtocolVersion("HTTP", 1, 1), 500, ""))
+                .doReturn(new BasicStatusLine(new ProtocolVersion("HTTP", 1, 1), 500, ""))
+                .doReturn(new BasicStatusLine(new ProtocolVersion("HTTP", 1, 1), 200, ""))
+                .when(responseMock).getStatusLine();
+        when(responseMock.getEntity()).thenReturn(new StringEntity("{}", ContentType.APPLICATION_JSON));
+
+        try {
+            connector.getHealth();
+        } catch (Exception e) {
+            fail("Request failed unexpectedly: " + e.getMessage());
+        }
+    }
+
+    /**
+     * Test constductors of the {@link HTTPVaultConnector} class.
+     */
+    @Test
+    public void constructorTest() throws IOException, CertificateException {
+        final String url = "https://vault.example.net/test/";
+        final String hostname = "vault.example.com";
+        final Integer port = 1337;
+        final String prefix = "/custom/prefix/";
+        final int retries = 42;
+        final String expectedNoTls = "http://" + hostname + "/v1/";
+        final String expectedCustomPort = "https://" + hostname + ":" + port + "/v1/";
+        final String expectedCustomPrefix = "https://" + hostname + ":" + port + prefix;
+        X509Certificate trustedCaCert;
+
+        try (InputStream is = getClass().getResourceAsStream("/tls/ca.pem")) {
+            trustedCaCert = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(is);
+        }
+
+        // Most basic constructor expects complete URL.
+        HTTPVaultConnector connector = new HTTPVaultConnector(url);
+        assertThat("Unexpected base URL", getRequestHelperPrivate(connector, "baseURL"), is(url));
+
+        // Now override TLS usage.
+        connector = new HTTPVaultConnector(hostname, false);
+        assertThat("Unexpected base URL with TLS disabled", getRequestHelperPrivate(connector, "baseURL"), is(expectedNoTls));
+
+        // Specify custom port.
+        connector = new HTTPVaultConnector(hostname, true, port);
+        assertThat("Unexpected base URL with custom port", getRequestHelperPrivate(connector, "baseURL"), is(expectedCustomPort));
+
+        // Specify custom prefix.
+        connector = new HTTPVaultConnector(hostname, true, port, prefix);
+        assertThat("Unexpected base URL with custom prefix", getRequestHelperPrivate(connector, "baseURL"), is(expectedCustomPrefix));
+        assertThat("Trusted CA cert set, but not specified", getRequestHelperPrivate(connector, "trustedCaCert"), is(nullValue()));
+
+        // Provide custom SSL context.
+        connector = new HTTPVaultConnector(hostname, true, port, prefix, trustedCaCert);
+        assertThat("Unexpected base URL with custom prefix", getRequestHelperPrivate(connector, "baseURL"), is(expectedCustomPrefix));
+        assertThat("Trusted CA cert not filled correctly", getRequestHelperPrivate(connector, "trustedCaCert"), is(trustedCaCert));
+
+        // Specify number of retries.
+        connector = new HTTPVaultConnector(url, trustedCaCert, retries);
+        assertThat("Number of retries not set correctly", getRequestHelperPrivate(connector, "retries"), is(retries));
+
+        // Test TLS version (#22).
+        assertThat("TLS version should be 1.2 if not specified", getRequestHelperPrivate(connector, "tlsVersion"), is("TLSv1.2"));
+        // Now override.
+        connector = new HTTPVaultConnector(url, trustedCaCert, retries, null, "TLSv1.1");
+        assertThat("Overridden TLS version 1.1 not correct", getRequestHelperPrivate(connector, "tlsVersion"), is("TLSv1.1"));
+    }
+
+    /**
+     * This test is designed to test exceptions caught and thrown by seal-methods if Vault is not reachable.
+     */
+    @Test
+    public void sealExceptionTest() throws IOException {
+        HTTPVaultConnector connector = new HTTPVaultConnector(INVALID_URL);
+        try {
+            connector.sealStatus();
+            fail("Querying seal status succeeded on invalid URL");
+        } catch (Exception e) {
+            assertThat("Unexpected type of exception", e, instanceOf(InvalidRequestException.class));
+            assertThat("Unexpected exception message", e.getMessage(), is("Invalid URI format"));
+        }
+
+        connector = new HTTPVaultConnector("https://127.0.0.1", null, 0, 250);
+
+        // Simulate NULL response (mock not supplied with data).
+
+        try {
+            connector.sealStatus();
+            fail("Querying seal status succeeded on invalid instance");
+        } catch (Exception e) {
+            assertThat("Unexpected type of exception", e, instanceOf(InvalidResponseException.class));
+            assertThat("Unexpected exception message", e.getMessage(), is("Response unavailable"));
+        }
+    }
+
+    /**
+     * This test is designed to test exceptions caught and thrown by seal-methods if Vault is not reachable.
+     */
+    @Test
+    public void healthExceptionTest() throws IOException {
+        HTTPVaultConnector connector = new HTTPVaultConnector(INVALID_URL);
+        try {
+            connector.getHealth();
+            fail("Querying health status succeeded on invalid URL");
+        } catch (Exception e) {
+            assertThat("Unexpected type of exception", e, instanceOf(InvalidRequestException.class));
+            assertThat("Unexpected exception message", e.getMessage(), is("Invalid URI format"));
+        }
+
+        connector = new HTTPVaultConnector("https://127.0.0.1", null, 0, 250);
+
+        // Simulate NULL response (mock not supplied with data).
+        try {
+            connector.getHealth();
+            fail("Querying health status succeeded on invalid instance");
+        } catch (Exception e) {
+            assertThat("Unexpected type of exception", e, instanceOf(InvalidResponseException.class));
+            assertThat("Unexpected exception message", e.getMessage(), is("Response unavailable"));
+        }
+    }
+
+    /**
+     * Test behavior on unparsable responses.
+     */
+    @Test
+    public void parseExceptionTest() throws IOException {
+        HTTPVaultConnector connector = new HTTPVaultConnector("https://127.0.0.1", null, 0, 250);
+        // Mock authorization.
+        setPrivate(connector, "authorized", true);
+        // Mock response.
+        mockResponse(200, "invalid", ContentType.APPLICATION_JSON);
+
+        // Now test the methods.
+        try {
+            connector.sealStatus();
+            fail("sealStatus() succeeded on invalid instance");
+        } catch (Exception e) {
+            assertParseError(e);
+        }
+
+        try {
+            connector.unseal("key");
+            fail("unseal() succeeded on invalid instance");
+        } catch (Exception e) {
+            assertParseError(e);
+        }
+
+        try {
+            connector.getHealth();
+            fail("getHealth() succeeded on invalid instance");
+        } catch (Exception e) {
+            assertParseError(e);
+        }
+
+        try {
+            connector.getAuthBackends();
+            fail("getAuthBackends() succeeded on invalid instance");
+        } catch (Exception e) {
+            assertParseError(e);
+        }
+
+        try {
+            connector.authToken("token");
+            fail("authToken() succeeded on invalid instance");
+        } catch (Exception e) {
+            assertParseError(e);
+        }
+
+        try {
+            connector.lookupAppRole("roleName");
+            fail("lookupAppRole() succeeded on invalid instance");
+        } catch (Exception e) {
+            assertParseError(e);
+        }
+
+        try {
+            connector.getAppRoleID("roleName");
+            fail("getAppRoleID() succeeded on invalid instance");
+        } catch (Exception e) {
+            assertParseError(e);
+        }
+
+        try {
+            connector.createAppRoleSecret("roleName");
+            fail("createAppRoleSecret() succeeded on invalid instance");
+        } catch (Exception e) {
+            assertParseError(e);
+        }
+
+        try {
+            connector.lookupAppRoleSecret("roleName", "secretID");
+            fail("lookupAppRoleSecret() succeeded on invalid instance");
+        } catch (Exception e) {
+            assertParseError(e);
+        }
+
+        try {
+            connector.listAppRoles();
+            fail("listAppRoles() succeeded on invalid instance");
+        } catch (Exception e) {
+            assertParseError(e);
+        }
+
+        try {
+            connector.listAppRoleSecrets("roleName");
+            fail("listAppRoleSecrets() succeeded on invalid instance");
+        } catch (Exception e) {
+            assertParseError(e);
+        }
+
+        try {
+            connector.read("key");
+            fail("read() succeeded on invalid instance");
+        } catch (Exception e) {
+            assertParseError(e);
+        }
+
+        try {
+            connector.list("path");
+            fail("list() succeeded on invalid instance");
+        } catch (Exception e) {
+            assertParseError(e);
+        }
+
+        try {
+            connector.renew("leaseID");
+            fail("renew() succeeded on invalid instance");
+        } catch (Exception e) {
+            assertParseError(e);
+        }
+
+        try {
+            connector.lookupToken("token");
+            fail("lookupToken() succeeded on invalid instance");
+        } catch (Exception e) {
+            assertParseError(e);
+        }
+    }
+
+    private void assertParseError(Exception e) {
+        assertThat("Unexpected type of exception", e, instanceOf(InvalidResponseException.class));
+        assertThat("Unexpected exception message", e.getMessage(), is("Unable to parse response"));
+    }
+
+    /**
+     * Test requests that expect an empty response with code 204, but receive a 200 body.
+     */
+    @Test
+    public void nonEmpty204ResponseTest() throws IOException {
+        HTTPVaultConnector connector = new HTTPVaultConnector("https://127.0.0.1", null, 0, 250);
+        // Mock authorization.
+        setPrivate(connector, "authorized", true);
+        // Mock response.
+        mockResponse(200, "{}", ContentType.APPLICATION_JSON);
+
+        // Now test the methods expecting a 204.
+        try {
+            connector.registerAppId("appID", "policy", "displayName");
+            fail("registerAppId() with 200 response succeeded");
+        } catch (VaultConnectorException e) {
+            assertThat("Unexpected exception type", e, instanceOf(InvalidResponseException.class));
+        }
+
+        try {
+            connector.registerUserId("appID", "userID");
+            fail("registerUserId() with 200 response succeeded");
+        } catch (VaultConnectorException e) {
+            assertThat("Unexpected exception type", e, instanceOf(InvalidResponseException.class));
+        }
+
+        try {
+            connector.createAppRole("appID", Collections.singletonList("policy"));
+            fail("createAppRole() with 200 response succeeded");
+        } catch (VaultConnectorException e) {
+            assertThat("Unexpected exception type", e, instanceOf(InvalidResponseException.class));
+        }
+
+        try {
+            connector.deleteAppRole("roleName");
+            fail("deleteAppRole() with 200 response succeeded");
+        } catch (VaultConnectorException e) {
+            assertThat("Unexpected exception type", e, instanceOf(InvalidResponseException.class));
+        }
+
+        try {
+            connector.setAppRoleID("roleName", "roleID");
+            fail("setAppRoleID() with 200 response succeeded");
+        } catch (VaultConnectorException e) {
+            assertThat("Unexpected exception type", e, instanceOf(InvalidResponseException.class));
+        }
+
+        try {
+            connector.destroyAppRoleSecret("roleName", "secretID");
+            fail("destroyAppRoleSecret() with 200 response succeeded");
+        } catch (VaultConnectorException e) {
+            assertThat("Unexpected exception type", e, instanceOf(InvalidResponseException.class));
+        }
+
+        try {
+            connector.destroyAppRoleSecret("roleName", "secretUD");
+            fail("destroyAppRoleSecret() with 200 response succeeded");
+        } catch (VaultConnectorException e) {
+            assertThat("Unexpected exception type", e, instanceOf(InvalidResponseException.class));
+        }
+
+        try {
+            connector.delete("key");
+            fail("delete() with 200 response succeeded");
+        } catch (VaultConnectorException e) {
+            assertThat("Unexpected exception type", e, instanceOf(InvalidResponseException.class));
+        }
+
+        try {
+            connector.revoke("leaseID");
+            fail("destroyAppRoleSecret() with 200 response succeeded");
+        } catch (VaultConnectorException e) {
+            assertThat("Unexpected exception type", e, instanceOf(InvalidResponseException.class));
+        }
+    }
+
+    private Object getRequestHelperPrivate(HTTPVaultConnector connector, String fieldName)  {
+        try {
+            return getPrivate(getPrivate(connector, "request"), fieldName);
+        } catch (NoSuchFieldException | IllegalAccessException e) {
+            return null;
+        }
+    }
+
+    private Object getPrivate(Object target, String fieldName) throws NoSuchFieldException, IllegalAccessException {
+        Field field = target.getClass().getDeclaredField(fieldName);
+        if (field.isAccessible()) {
+            return field.get(target);
+        }
+        field.setAccessible(true);
+        Object value = field.get(target);
+        field.setAccessible(false);
+        return value;
+    }
+
+    private void setPrivate(Object target, String fieldName, Object value) {
+        try {
+            Field field = target.getClass().getDeclaredField(fieldName);
+            boolean accessible = field.isAccessible();
+            field.setAccessible(true);
+            field.set(target, value);
+            field.setAccessible(accessible);
+        } catch (NoSuchFieldException | IllegalAccessException e) {
+            // Should not occur, to be taken care of in test code.
+        }
+    }
+
+    private void mockResponse(int status, String body, ContentType type) throws IOException {
+        when(httpMock.execute(any())).thenReturn(responseMock);
+        when(responseMock.getStatusLine()).thenReturn(new BasicStatusLine(new ProtocolVersion("HTTP", 1, 1), status, ""));
+        when(responseMock.getEntity()).thenReturn(new StringEntity(body, type));
+    }
+
+    /**
+     * Mocked {@link HttpClientBuilder} that always returns the mocked client.
+     */
+    private static class MockedHttpClientBuilder extends HttpClientBuilder {
+        @Override
+        public CloseableHttpClient build() {
+            return httpMock;
+        }
+    }
+
+}

src/test/java/de/stklcode/jvault/connector/builder/HTTPVaultConnectorBuilderTest.java

@@ -0,0 +1,135 @@
+/*
+ * Copyright 2016-2019 Stefan Kalscheuer
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package de.stklcode.jvault.connector.builder;
+
+import de.stklcode.jvault.connector.HTTPVaultConnector;
+import de.stklcode.jvault.connector.exception.TlsException;
+import de.stklcode.jvault.connector.exception.VaultConnectorException;
+import org.junit.Rule;
+import org.junit.contrib.java.lang.system.EnvironmentVariables;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.io.TempDir;
+import org.junit.jupiter.migrationsupport.rules.EnableRuleMigrationSupport;
+
+import java.io.File;
+import java.io.IOException;
+import java.lang.reflect.Field;
+import java.nio.file.NoSuchFileException;
+
+import static org.hamcrest.CoreMatchers.*;
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.junit.jupiter.api.Assertions.fail;
+
+/**
+ * JUnit test for HTTP Vault connector factory
+ *
+ * @author Stefan Kalscheuer
+ * @since 0.8.0
+ */
+@EnableRuleMigrationSupport
+public class HTTPVaultConnectorBuilderTest {
+    private static String VAULT_ADDR = "https://localhost:8201";
+    private static Integer VAULT_MAX_RETRIES = 13;
+    private static String VAULT_TOKEN = "00001111-2222-3333-4444-555566667777";
+
+    @TempDir
+    File tempDir;
+
+    @Rule
+    public final EnvironmentVariables environment = new EnvironmentVariables();
+
+    /**
+     * Test building from environment variables
+     */
+    @Test
+    public void testFromEnv() throws NoSuchFieldException, IllegalAccessException, IOException {
+        /* Provide address only should be enough */
+        setenv(VAULT_ADDR, null, null, null);
+
+        HTTPVaultConnectorBuilder factory = null;
+        HTTPVaultConnector connector;
+        try {
+            factory = VaultConnectorBuilder.http().fromEnv();
+        } catch (VaultConnectorException e) {
+            fail("Factory creation from minimal environment failed");
+        }
+        connector = factory.build();
+
+        assertThat("URL nor set correctly", getRequestHelperPrivate(connector, "baseURL"), is(equalTo(VAULT_ADDR + "/v1/")));
+        assertThat("Trusted CA cert set when no cert provided", getRequestHelperPrivate(connector, "trustedCaCert"), is(nullValue()));
+        assertThat("Non-default number of retries, when none set", getRequestHelperPrivate(connector, "retries"), is(0));
+
+        /* Provide address and number of retries */
+        setenv(VAULT_ADDR, null, VAULT_MAX_RETRIES.toString(), null);
+
+        try {
+            factory = VaultConnectorBuilder.http().fromEnv();
+        } catch (VaultConnectorException e) {
+            fail("Factory creation from environment failed");
+        }
+        connector = factory.build();
+
+        assertThat("URL nor set correctly", getRequestHelperPrivate(connector, "baseURL"), is(equalTo(VAULT_ADDR + "/v1/")));
+        assertThat("Trusted CA cert set when no cert provided", getRequestHelperPrivate(connector, "trustedCaCert"), is(nullValue()));
+        assertThat("Number of retries not set correctly", getRequestHelperPrivate(connector, "retries"), is(VAULT_MAX_RETRIES));
+
+        /* Provide CA certificate */
+        String VAULT_CACERT = tempDir.toString() + "/doesnotexist";
+        setenv(VAULT_ADDR, VAULT_CACERT, VAULT_MAX_RETRIES.toString(), null);
+
+        try {
+            VaultConnectorBuilder.http().fromEnv();
+            fail("Creation with unknown cert path failed.");
+        } catch (VaultConnectorException e) {
+            assertThat(e, is(instanceOf(TlsException.class)));
+            assertThat(e.getCause(), is(instanceOf(NoSuchFileException.class)));
+            assertThat(((NoSuchFileException) e.getCause()).getFile(), is(VAULT_CACERT));
+        }
+
+        /* Automatic authentication */
+        setenv(VAULT_ADDR, null, VAULT_MAX_RETRIES.toString(), VAULT_TOKEN);
+
+        try {
+            factory = VaultConnectorBuilder.http().fromEnv();
+        } catch (VaultConnectorException e) {
+            fail("Factory creation from minimal environment failed");
+        }
+        assertThat("Token nor set correctly", getPrivate(factory, "token"), is(equalTo(VAULT_TOKEN)));
+    }
+
+    private void setenv(String vault_addr, String vault_cacert, String vault_max_retries, String vault_token) {
+        environment.set("VAULT_ADDR", vault_addr);
+        environment.set("VAULT_CACERT", vault_cacert);
+        environment.set("VAULT_MAX_RETRIES", vault_max_retries);
+        environment.set("VAULT_TOKEN", vault_token);
+    }
+
+    private Object getRequestHelperPrivate(HTTPVaultConnector connector, String fieldName) throws NoSuchFieldException, IllegalAccessException {
+        return getPrivate(getPrivate(connector, "request"), fieldName);
+    }
+
+    private Object getPrivate(Object target, String fieldName) throws NoSuchFieldException, IllegalAccessException {
+        Field field = target.getClass().getDeclaredField(fieldName);
+        if (field.isAccessible()) {
+            return field.get(target);
+        }
+        field.setAccessible(true);
+        Object value = field.get(target);
+        field.setAccessible(false);
+        return value;
+    }
+}

src/test/java/de/stklcode/jvault/connector/exception/VaultConnectorExceptionTest.java

@@ -0,0 +1,160 @@
+/*
+ * Copyright 2016-2019 Stefan Kalscheuer
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package de.stklcode.jvault.connector.exception;
+
+import org.junit.jupiter.api.Test;
+
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.Matchers.instanceOf;
+import static org.hamcrest.Matchers.nullValue;
+import static org.hamcrest.core.Is.is;
+
+/**
+ * Common JUnit test for Exceptions extending {@link VaultConnectorException}.
+ *
+ * @author Stefan Kalscheuer
+ * @since 0.6.2
+ */
+public class VaultConnectorExceptionTest {
+    private static final String MSG = "This is a test exception!";
+    private static final Throwable CAUSE = new Exception("Test-Cause");
+    private static final Integer STATUS_CODE = 1337;
+    private static final String RESPONSE = "Dummy response";
+
+    @Test
+    public void authorizationRequiredExceptionTest() {
+        assertEmptyConstructor(new AuthorizationRequiredException());
+    }
+
+    @Test
+    public void connectionExceptionTest() {
+        assertEmptyConstructor(new ConnectionException());
+        assertMsgConstructor(new ConnectionException(MSG));
+        assertCauseConstructor(new ConnectionException(CAUSE));
+        assertMsgCauseConstructor(new ConnectionException(MSG, CAUSE));
+    }
+
+    @Test
+    public void invalidRequestExceptionTest() {
+        assertEmptyConstructor(new InvalidRequestException());
+        assertMsgConstructor(new InvalidRequestException(MSG));
+        assertCauseConstructor(new InvalidRequestException(CAUSE));
+        assertMsgCauseConstructor(new InvalidRequestException(MSG, CAUSE));
+    }
+
+    @Test
+    public void invalidResponseExceptionTest() {
+        assertEmptyConstructor(new InvalidResponseException());
+        assertMsgConstructor(new InvalidResponseException(MSG));
+        assertCauseConstructor(new InvalidResponseException(CAUSE));
+        assertMsgCauseConstructor(new InvalidResponseException(MSG, CAUSE));
+
+        // Constructor with message and status code.
+        InvalidResponseException e = new InvalidResponseException(MSG, STATUS_CODE);
+        assertThat(e.getMessage(), is(MSG));
+        assertThat(e.getCause(), is(nullValue()));
+        assertThat(e.getStatusCode(), is(STATUS_CODE));
+        assertThat(e.getResponse(), is(nullValue()));
+
+        // Constructor with message, status code and cause.
+        e = new InvalidResponseException(MSG, STATUS_CODE, CAUSE);
+        assertThat(e.getMessage(), is(MSG));
+        assertThat(e.getCause(), is(CAUSE));
+        assertThat(e.getStatusCode(), is(STATUS_CODE));
+        assertThat(e.getResponse(), is(nullValue()));
+
+        // Constructor with message, status code and response.
+        e = new InvalidResponseException(MSG, STATUS_CODE, RESPONSE);
+        assertThat(e.getMessage(), is(MSG));
+        assertThat(e.getCause(), is(nullValue()));
+        assertThat(e.getStatusCode(), is(STATUS_CODE));
+        assertThat(e.getResponse(), is(RESPONSE));
+
+        // Constructor with message, status code, response and cause.
+        e = new InvalidResponseException(MSG, STATUS_CODE, RESPONSE, CAUSE);
+        assertThat(e.getMessage(), is(MSG));
+        assertThat(e.getCause(), is(CAUSE));
+        assertThat(e.getStatusCode(), is(STATUS_CODE));
+        assertThat(e.getResponse(), is(RESPONSE));
+    }
+
+    @Test
+    public void permissionDeniedExceptionTest() {
+        // Default message overwritten.
+        PermissionDeniedException e = new PermissionDeniedException();
+        assertThat(e, is(instanceOf(VaultConnectorException.class)));
+        assertThat(e, is(instanceOf(Exception.class)));
+        assertThat(e, is(instanceOf(Throwable.class)));
+        assertThat(e.getMessage(), is("Permission denied"));
+        assertThat(e.getCause(), is(nullValue()));
+
+        assertMsgConstructor(new PermissionDeniedException(MSG));
+        assertCauseConstructor(new PermissionDeniedException(CAUSE));
+        assertMsgCauseConstructor(new PermissionDeniedException(MSG, CAUSE));
+    }
+
+    @Test
+    public void tlsExceptionTest() {
+        assertEmptyConstructor(new TlsException());
+        assertMsgConstructor(new TlsException(MSG));
+        assertCauseConstructor(new TlsException(CAUSE));
+        assertMsgCauseConstructor(new TlsException(MSG, CAUSE));
+    }
+
+    /**
+     * Assertions for empty constructor.
+     *
+     * @param e the exception
+     */
+    private void assertEmptyConstructor(VaultConnectorException e) {
+        assertThat(e, is(instanceOf(VaultConnectorException.class)));
+        assertThat(e, is(instanceOf(Exception.class)));
+        assertThat(e, is(instanceOf(Throwable.class)));
+        assertThat(e.getMessage(), is(nullValue()));
+        assertThat(e.getCause(), is(nullValue()));
+    }
+
+    /**
+     * Assertions for constructor with message.
+     *
+     * @param e the exception
+     */
+    private void assertMsgConstructor(VaultConnectorException e) {
+        assertThat(e.getMessage(), is(MSG));
+        assertThat(e.getCause(), is(nullValue()));
+    }
+
+    /**
+     * Assertions for constructor with cause.
+     *
+     * @param e the exception
+     */
+    private void assertCauseConstructor(VaultConnectorException e) {
+        assertThat(e.getMessage(), is(CAUSE.toString()));
+        assertThat(e.getCause(), is(CAUSE));
+    }
+
+    /**
+     * Assertions for constructor with message and cause.
+     *
+     * @param e the exception
+     */
+    private void assertMsgCauseConstructor(VaultConnectorException e) {
+        assertThat(e.getMessage(), is(MSG));
+        assertThat(e.getCause(), is(CAUSE));
+    }
+}

src/test/java/de/stklcode/jvault/connector/factory/HTTPVaultConnectorFactoryTest.java

@@ -0,0 +1,135 @@
+/*
+ * Copyright 2016-2019 Stefan Kalscheuer
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package de.stklcode.jvault.connector.factory;
+
+import de.stklcode.jvault.connector.HTTPVaultConnector;
+import de.stklcode.jvault.connector.exception.TlsException;
+import de.stklcode.jvault.connector.exception.VaultConnectorException;
+import org.junit.Rule;
+import org.junit.contrib.java.lang.system.EnvironmentVariables;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.io.TempDir;
+import org.junit.jupiter.migrationsupport.rules.EnableRuleMigrationSupport;
+
+import java.io.File;
+import java.io.IOException;
+import java.lang.reflect.Field;
+import java.nio.file.NoSuchFileException;
+
+import static org.hamcrest.CoreMatchers.*;
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.junit.jupiter.api.Assertions.fail;
+
+/**
+ * JUnit test for HTTP Vault connector factory
+ *
+ * @author Stefan Kalscheuer
+ * @since 0.6.0
+ */
+@EnableRuleMigrationSupport
+public class HTTPVaultConnectorFactoryTest {
+    private static String VAULT_ADDR = "https://localhost:8201";
+    private static Integer VAULT_MAX_RETRIES = 13;
+    private static String VAULT_TOKEN = "00001111-2222-3333-4444-555566667777";
+
+    @TempDir
+    File tempDir;
+
+    @Rule
+    public final EnvironmentVariables environment = new EnvironmentVariables();
+
+    /**
+     * Test building from environment variables
+     */
+    @Test
+    public void testFromEnv() throws NoSuchFieldException, IllegalAccessException, IOException {
+        /* Provide address only should be enough */
+        setenv(VAULT_ADDR, null, null, null);
+
+        HTTPVaultConnectorFactory factory = null;
+        HTTPVaultConnector connector;
+        try {
+            factory = VaultConnectorFactory.httpFactory().fromEnv();
+        } catch (VaultConnectorException e) {
+            fail("Factory creation from minimal environment failed");
+        }
+        connector = factory.build();
+
+        assertThat("URL nor set correctly", getRequestHelperPrivate(connector, "baseURL"), is(equalTo(VAULT_ADDR + "/v1/")));
+        assertThat("Trusted CA cert set when no cert provided", getRequestHelperPrivate(connector, "trustedCaCert"), is(nullValue()));
+        assertThat("Non-default number of retries, when none set", getRequestHelperPrivate(connector, "retries"), is(0));
+
+        /* Provide address and number of retries */
+        setenv(VAULT_ADDR, null, VAULT_MAX_RETRIES.toString(), null);
+
+        try {
+            factory = VaultConnectorFactory.httpFactory().fromEnv();
+        } catch (VaultConnectorException e) {
+            fail("Factory creation from environment failed");
+        }
+        connector = factory.build();
+
+        assertThat("URL nor set correctly", getRequestHelperPrivate(connector, "baseURL"), is(equalTo(VAULT_ADDR + "/v1/")));
+        assertThat("Trusted CA cert set when no cert provided", getRequestHelperPrivate(connector, "trustedCaCert"), is(nullValue()));
+        assertThat("Number of retries not set correctly", getRequestHelperPrivate(connector, "retries"), is(VAULT_MAX_RETRIES));
+
+        /* Provide CA certificate */
+        String VAULT_CACERT = tempDir.toString() + "/doesnotexist";
+        setenv(VAULT_ADDR, VAULT_CACERT, VAULT_MAX_RETRIES.toString(), null);
+
+        try {
+            VaultConnectorFactory.httpFactory().fromEnv();
+            fail("Creation with unknown cert path failed.");
+        } catch (VaultConnectorException e) {
+            assertThat(e, is(instanceOf(TlsException.class)));
+            assertThat(e.getCause(), is(instanceOf(NoSuchFileException.class)));
+            assertThat(((NoSuchFileException) e.getCause()).getFile(), is(VAULT_CACERT));
+        }
+
+        /* Automatic authentication */
+        setenv(VAULT_ADDR, null, VAULT_MAX_RETRIES.toString(), VAULT_TOKEN);
+
+        try {
+            factory = VaultConnectorFactory.httpFactory().fromEnv();
+        } catch (VaultConnectorException e) {
+            fail("Factory creation from minimal environment failed");
+        }
+        assertThat("Token nor set correctly", getPrivate(getPrivate(factory, "delegate"), "token"), is(equalTo(VAULT_TOKEN)));
+    }
+
+    private void setenv(String vault_addr, String vault_cacert, String vault_max_retries, String vault_token) {
+        environment.set("VAULT_ADDR", vault_addr);
+        environment.set("VAULT_CACERT", vault_cacert);
+        environment.set("VAULT_MAX_RETRIES", vault_max_retries);
+        environment.set("VAULT_TOKEN", vault_token);
+    }
+
+    private Object getRequestHelperPrivate(HTTPVaultConnector connector, String fieldName) throws NoSuchFieldException, IllegalAccessException {
+        return getPrivate(getPrivate(connector, "request"), fieldName);
+    }
+
+    private Object getPrivate(Object target, String fieldName) throws NoSuchFieldException, IllegalAccessException {
+        Field field = target.getClass().getDeclaredField(fieldName);
+        if (field.isAccessible()) {
+            return field.get(target);
+        }
+        field.setAccessible(true);
+        Object value = field.get(target);
+        field.setAccessible(false);
+        return value;
+    }
+}

src/test/java/de/stklcode/jvault/connector/model/AppRoleBuilderTest.java

@@ -0,0 +1,156 @@
+/*
+ * Copyright 2016-2019 Stefan Kalscheuer
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package de.stklcode.jvault.connector.model;
+
+import com.fasterxml.jackson.core.JsonProcessingException;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import org.junit.jupiter.api.BeforeAll;
+import org.junit.jupiter.api.Test;
+
+import java.util.ArrayList;
+import java.util.List;
+
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.Matchers.*;
+
+/**
+ * JUnit Test for AppRole Builder.
+ *
+ * @author Stefan Kalscheuer
+ * @since 0.4.0
+ */
+public class AppRoleBuilderTest {
+
+
+    private static final String NAME = "TestRole";
+    private static final String ID = "test-id";
+    private static final Boolean BIND_SECRET_ID = true;
+    private static final List<String> BOUND_CIDR_LIST = new ArrayList<>();
+    private static final String CIDR_1 = "192.168.1.0/24";
+    private static final String CIDR_2 = "172.16.0.0/16";
+    private static final List<String> POLICIES = new ArrayList<>();
+    private static final String POLICY = "policy";
+    private static final String POLICY_2 = "policy2";
+    private static final Integer SECRET_ID_NUM_USES = 10;
+    private static final Integer SECRET_ID_TTL = 7200;
+    private static final Integer TOKEN_TTL = 4800;
+    private static final Integer TOKEN_MAX_TTL = 9600;
+    private static final Integer PERIOD = 1234;
+    private static final String JSON_MIN = "{\"role_name\":\"" + NAME + "\"}";
+    private static final String JSON_FULL = String.format("{\"role_name\":\"%s\",\"role_id\":\"%s\",\"bind_secret_id\":%s,\"bound_cidr_list\":\"%s\",\"secret_id_bound_cidrs\":\"%s\",\"policies\":\"%s\",\"secret_id_num_uses\":%d,\"secret_id_ttl\":%d,\"token_ttl\":%d,\"token_max_ttl\":%d,\"period\":%d}",
+            NAME, ID, BIND_SECRET_ID, CIDR_1, CIDR_1, POLICY, SECRET_ID_NUM_USES, SECRET_ID_TTL, TOKEN_TTL, TOKEN_MAX_TTL, PERIOD);
+
+    @BeforeAll
+    public static void init() {
+        BOUND_CIDR_LIST.add(CIDR_1);
+        POLICIES.add(POLICY);
+    }
+
+    /**
+     * Build role with only a name.
+     */
+    @Test
+    public void buildDefaultTest() throws JsonProcessingException {
+        AppRole role = new AppRoleBuilder(NAME).build();
+        assertThat(role.getId(), is(nullValue()));
+        assertThat(role.getBindSecretId(), is(nullValue()));
+        assertThat(role.getBoundCidrList(), is(nullValue()));
+        assertThat(role.getSecretIdBoundCidrs(), is(nullValue()));
+        assertThat(role.getPolicies(), is(nullValue()));
+        assertThat(role.getSecretIdNumUses(), is(nullValue()));
+        assertThat(role.getSecretIdTtl(), is(nullValue()));
+        assertThat(role.getTokenTtl(), is(nullValue()));
+        assertThat(role.getTokenMaxTtl(), is(nullValue()));
+        assertThat(role.getPeriod(), is(nullValue()));
+
+        /* optional fields should be ignored, so JSON string should only contain role_name */
+        assertThat(new ObjectMapper().writeValueAsString(role), is(JSON_MIN));
+    }
+
+    /**
+     * Build token without all parameters set.
+     */
+    @Test
+    public void buildFullTest() throws JsonProcessingException {
+        AppRole role = new AppRoleBuilder(NAME)
+                .withId(ID)
+                .withBindSecretID(BIND_SECRET_ID)
+                .withBoundCidrList(BOUND_CIDR_LIST)
+                .withSecretIdBoundCidrs(BOUND_CIDR_LIST)
+                .withPolicies(POLICIES)
+                .withSecretIdNumUses(SECRET_ID_NUM_USES)
+                .withSecretIdTtl(SECRET_ID_TTL)
+                .withTokenTtl(TOKEN_TTL)
+                .withTokenMaxTtl(TOKEN_MAX_TTL)
+                .withPeriod(PERIOD)
+                .build();
+        assertThat(role.getName(), is(NAME));
+        assertThat(role.getId(), is(ID));
+        assertThat(role.getBindSecretId(), is(BIND_SECRET_ID));
+        assertThat(role.getBoundCidrList(), is(BOUND_CIDR_LIST));
+        assertThat(role.getSecretIdBoundCidrs(), is(BOUND_CIDR_LIST));
+        assertThat(role.getPolicies(), is(POLICIES));
+        assertThat(role.getSecretIdNumUses(), is(SECRET_ID_NUM_USES));
+        assertThat(role.getSecretIdTtl(), is(SECRET_ID_TTL));
+        assertThat(role.getTokenTtl(), is(TOKEN_TTL));
+        assertThat(role.getTokenMaxTtl(), is(TOKEN_MAX_TTL));
+        assertThat(role.getPeriod(), is(PERIOD));
+
+        /* Verify that all parameters are included in JSON string */
+        assertThat(new ObjectMapper().writeValueAsString(role), is(JSON_FULL));
+    }
+
+    /**
+     * Test convenience methods
+     */
+    @Test
+    public void convenienceMethodsTest() {
+        /* bind_secret_id */
+        AppRole role = new AppRoleBuilder(NAME).build();
+        assertThat(role.getBindSecretId(), is(nullValue()));
+        role = new AppRoleBuilder(NAME).withBindSecretID().build();
+        assertThat(role.getBindSecretId(), is(true));
+        role = new AppRoleBuilder(NAME).withoutBindSecretID().build();
+        assertThat(role.getBindSecretId(), is(false));
+
+        /* Add single CIDR subnet */
+        role = new AppRoleBuilder(NAME).withCidrBlock(CIDR_2).build();
+        assertThat(role.getBoundCidrList(), hasSize(1));
+        assertThat(role.getBoundCidrList(), contains(CIDR_2));
+        assertThat(role.getSecretIdBoundCidrs(), hasSize(1));
+        assertThat(role.getSecretIdBoundCidrs(), contains(CIDR_2));
+        role = new AppRoleBuilder(NAME)
+                .withSecretIdBoundCidrs(BOUND_CIDR_LIST)
+                .withCidrBlock(CIDR_2)
+                .build();
+        assertThat(role.getBoundCidrList(), hasSize(1));
+        assertThat(role.getBoundCidrList(), contains(CIDR_2));
+        assertThat(role.getSecretIdBoundCidrs(), hasSize(2));
+        assertThat(role.getSecretIdBoundCidrs(), contains(CIDR_1, CIDR_2));
+
+        /* Add single policy */
+        role = new AppRoleBuilder(NAME).withPolicy(POLICY_2).build();
+        assertThat(role.getPolicies(), hasSize(1));
+        assertThat(role.getPolicies(), contains(POLICY_2));
+        role = new AppRoleBuilder(NAME)
+                .withPolicies(POLICIES)
+                .withPolicy(POLICY_2)
+                .build();
+        assertThat(role.getPolicies(), hasSize(2));
+        assertThat(role.getPolicies(), contains(POLICY, POLICY_2));
+    }
+}

src/test/java/de/stklcode/jvault/connector/model/AppRoleSecretTest.java

@@ -0,0 +1,212 @@
+/*
+ * Copyright 2016-2019 Stefan Kalscheuer
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package de.stklcode.jvault.connector.model;
+
+import com.fasterxml.jackson.core.JsonProcessingException;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import org.junit.jupiter.api.Test;
+
+import java.io.IOException;
+import java.lang.reflect.Field;
+import java.util.Arrays;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.Matchers.*;
+import static org.hamcrest.junit.MatcherAssume.assumeThat;
+import static org.junit.jupiter.api.Assertions.fail;
+
+
+/**
+ * JUnit Test for AppRoleSecret model.
+ *
+ * @author Stefan Kalscheuer
+ * @since 0.5.0
+ */
+public class AppRoleSecretTest {
+
+    private static final String TEST_ID = "abc123";
+    private static final Map<String, Object> TEST_META = new HashMap<>();
+    private static final List<String> TEST_CIDR = Arrays.asList("203.0.113.0/24", "198.51.100.0/24");
+
+    static {
+        TEST_META.put("foo", "bar");
+        TEST_META.put("number", 1337);
+    }
+
+    /**
+     * Test constructors.
+     */
+    @Test
+    public void constructorTest() {
+        /* Empty constructor */
+        AppRoleSecret secret = new AppRoleSecret();
+        assertThat(secret.getId(), is(nullValue()));
+        assertThat(secret.getAccessor(), is(nullValue()));
+        assertThat(secret.getMetadata(), is(nullValue()));
+        assertThat(secret.getCidrList(), is(nullValue()));
+        assertThat(secret.getCidrListString(), is(emptyString()));
+        assertThat(secret.getCreationTime(), is(nullValue()));
+        assertThat(secret.getExpirationTime(), is(nullValue()));
+        assertThat(secret.getLastUpdatedTime(), is(nullValue()));
+        assertThat(secret.getNumUses(), is(nullValue()));
+        assertThat(secret.getTtl(), is(nullValue()));
+
+        /* Constructor with ID */
+        secret = new AppRoleSecret(TEST_ID);
+        assertThat(secret.getId(), is(TEST_ID));
+        assertThat(secret.getAccessor(), is(nullValue()));
+        assertThat(secret.getMetadata(), is(nullValue()));
+        assertThat(secret.getCidrList(), is(nullValue()));
+        assertThat(secret.getCidrListString(), is(emptyString()));
+        assertThat(secret.getCreationTime(), is(nullValue()));
+        assertThat(secret.getExpirationTime(), is(nullValue()));
+        assertThat(secret.getLastUpdatedTime(), is(nullValue()));
+        assertThat(secret.getNumUses(), is(nullValue()));
+        assertThat(secret.getTtl(), is(nullValue()));
+
+        /* Constructor with Metadata and CIDR bindings */
+        secret = new AppRoleSecret(TEST_ID, TEST_META, TEST_CIDR);
+        assertThat(secret.getId(), is(TEST_ID));
+        assertThat(secret.getAccessor(), is(nullValue()));
+        assertThat(secret.getMetadata(), is(TEST_META));
+        assertThat(secret.getCidrList(), is(TEST_CIDR));
+        assertThat(secret.getCidrListString(), is(String.join(",", TEST_CIDR)));
+        assertThat(secret.getCreationTime(), is(nullValue()));
+        assertThat(secret.getExpirationTime(), is(nullValue()));
+        assertThat(secret.getLastUpdatedTime(), is(nullValue()));
+        assertThat(secret.getNumUses(), is(nullValue()));
+        assertThat(secret.getTtl(), is(nullValue()));
+    }
+
+    /**
+     * Test setter.
+     */
+    @Test
+    public void setterTest() {
+        AppRoleSecret secret = new AppRoleSecret(TEST_ID);
+        assertThat(secret.getCidrList(), is(nullValue()));
+        assertThat(secret.getCidrListString(), is(emptyString()));
+        secret.setCidrList(TEST_CIDR);
+        assertThat(secret.getCidrList(), is(TEST_CIDR));
+        assertThat(secret.getCidrListString(), is(String.join(",", TEST_CIDR)));
+        secret.setCidrList(null);
+        assertThat(secret.getCidrList(), is(nullValue()));
+        assertThat(secret.getCidrListString(), is(emptyString()));
+    }
+
+    /**
+     * Test JSON (de)serialization.
+     */
+    @Test
+    public void jsonTest() throws NoSuchFieldException, IllegalAccessException {
+        ObjectMapper mapper = new ObjectMapper();
+
+        /* A simple roundtrip first. All set fields should be present afterwards. */
+        AppRoleSecret secret = new AppRoleSecret(TEST_ID, TEST_META, TEST_CIDR);
+        String secretJson = "";
+        try {
+            secretJson = mapper.writeValueAsString(secret);
+        } catch (JsonProcessingException e) {
+            e.printStackTrace();
+            fail("Serialization failed");
+        }
+        /* CIDR list is comma-separated when used as input, but List otherwise, hence convert string to list */
+        secretJson = commaSeparatedToList(secretJson);
+
+        AppRoleSecret secret2;
+        try {
+            secret2 = mapper.readValue(secretJson, AppRoleSecret.class);
+            assertThat(secret.getId(), is(secret2.getId()));
+            assertThat(secret.getMetadata(), is(secret2.getMetadata()));
+            assertThat(secret.getCidrList(), is(secret2.getCidrList()));
+        } catch (IOException e) {
+            e.printStackTrace();
+            fail("Deserialization failed");
+        }
+
+        /* Test fields, that should not be written to JSON */
+        setPrivateField(secret, "accessor", "TEST_ACCESSOR");
+        assumeThat(secret.getAccessor(), is("TEST_ACCESSOR"));
+        setPrivateField(secret, "creationTime", "TEST_CREATION");
+        assumeThat(secret.getCreationTime(), is("TEST_CREATION"));
+        setPrivateField(secret, "expirationTime", "TEST_EXPIRATION");
+        assumeThat(secret.getExpirationTime(), is("TEST_EXPIRATION"));
+        setPrivateField(secret, "lastUpdatedTime", "TEST_UPDATETIME");
+        assumeThat(secret.getLastUpdatedTime(), is("TEST_UPDATETIME"));
+        setPrivateField(secret, "numUses", 678);
+        assumeThat(secret.getNumUses(), is(678));
+        setPrivateField(secret, "ttl", 12345);
+        assumeThat(secret.getTtl(), is(12345));
+        try {
+            secretJson = mapper.writeValueAsString(secret);
+        } catch (JsonProcessingException e) {
+            e.printStackTrace();
+            fail("Serialization failed");
+        }
+        try {
+            secret2 = mapper.readValue(commaSeparatedToList(secretJson), AppRoleSecret.class);
+            assertThat(secret.getId(), is(secret2.getId()));
+            assertThat(secret.getMetadata(), is(secret2.getMetadata()));
+            assertThat(secret.getCidrList(), is(secret2.getCidrList()));
+            assertThat(secret2.getAccessor(), is(nullValue()));
+            assertThat(secret2.getCreationTime(), is(nullValue()));
+            assertThat(secret2.getExpirationTime(), is(nullValue()));
+            assertThat(secret2.getLastUpdatedTime(), is(nullValue()));
+            assertThat(secret2.getNumUses(), is(nullValue()));
+            assertThat(secret2.getTtl(), is(nullValue()));
+        } catch (IOException e) {
+            e.printStackTrace();
+            fail("Deserialization failed");
+        }
+
+        /* Those fields should be deserialized from JSON though */
+        secretJson = "{\"secret_id\":\"abc123\",\"metadata\":{\"number\":1337,\"foo\":\"bar\"}," +
+                "\"cidr_list\":[\"203.0.113.0/24\",\"198.51.100.0/24\"],\"secret_id_accessor\":\"TEST_ACCESSOR\"," +
+                "\"creation_time\":\"TEST_CREATION\",\"expiration_time\":\"TEST_EXPIRATION\"," +
+                "\"last_updated_time\":\"TEST_LASTUPDATE\",\"secret_id_num_uses\":678,\"secret_id_ttl\":12345}";
+        try {
+            secret2 = mapper.readValue(secretJson, AppRoleSecret.class);
+            assertThat(secret2.getAccessor(), is("TEST_ACCESSOR"));
+            assertThat(secret2.getCreationTime(), is("TEST_CREATION"));
+            assertThat(secret2.getExpirationTime(), is("TEST_EXPIRATION"));
+            assertThat(secret2.getLastUpdatedTime(), is("TEST_LASTUPDATE"));
+            assertThat(secret2.getNumUses(), is(678));
+            assertThat(secret2.getTtl(), is(12345));
+        } catch (IOException e) {
+            e.printStackTrace();
+            fail("Deserialization failed");
+        }
+
+    }
+
+    private static void setPrivateField(Object object, String fieldName, Object value) throws NoSuchFieldException, IllegalAccessException {
+        Field field = object.getClass().getDeclaredField(fieldName);
+        boolean accessible = field.isAccessible();
+        field.setAccessible(true);
+        field.set(object, value);
+        field.setAccessible(accessible);
+    }
+
+    private static String commaSeparatedToList(String json) {
+        return json.replaceAll("\"cidr_list\":\"([^\"]*)\"", "\"cidr_list\":\\[$1\\]")
+                .replaceAll("(\\d+\\.\\d+\\.\\d+\\.\\d+/\\d+)", "\"$1\"");
+    }
+
+}

src/test/java/de/stklcode/jvault/connector/model/AuthBackendTest.java

@@ -0,0 +1,45 @@
+/*
+ * Copyright 2016-2019 Stefan Kalscheuer
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package de.stklcode.jvault.connector.model;
+
+import org.junit.jupiter.api.Test;
+
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.Matchers.is;
+
+/**
+ * JUnit Test for AuthBackend model.
+ *
+ * @author Stefan Kalscheuer
+ * @since 0.4.0
+ */
+public class AuthBackendTest {
+
+    /**
+     * Test forType() method.
+     */
+    @Test
+    public void forTypeTest() {
+        assertThat(AuthBackend.forType("token"), is(AuthBackend.TOKEN));
+        assertThat(AuthBackend.forType("app-id"), is(AuthBackend.APPID));
+        assertThat(AuthBackend.forType("userpass"), is(AuthBackend.USERPASS));
+        assertThat(AuthBackend.forType("github"), is(AuthBackend.GITHUB));
+        assertThat(AuthBackend.forType(""), is(AuthBackend.UNKNOWN));
+        assertThat(AuthBackend.forType("foobar"), is(AuthBackend.UNKNOWN));
+    }
+
+}

src/test/java/de/stklcode/jvault/connector/model/TokenBuilderTest.java

@@ -0,0 +1,161 @@
+/*
+ * Copyright 2016-2019 Stefan Kalscheuer
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package de.stklcode.jvault.connector.model;
+
+import com.fasterxml.jackson.core.JsonProcessingException;
+import com.fasterxml.jackson.databind.ObjectMapper;
+import org.junit.jupiter.api.BeforeAll;
+import org.junit.jupiter.api.Test;
+
+import java.util.ArrayList;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.Matchers.*;
+
+/**
+ * JUnit Test for Token Builder.
+ *
+ * @author Stefan Kalscheuer
+ * @since 0.4.0
+ */
+public class TokenBuilderTest {
+
+    private static final String ID = "test-id";
+    private static final String DISPLAY_NAME = "display-name";
+    private static final Boolean NO_PARENT = false;
+    private static final Boolean NO_DEFAULT_POLICY = false;
+    private static final Integer TTL = 123;
+    private static final Integer NUM_USES = 4;
+    private static final List<String> POLICIES = new ArrayList<>();
+    private static final String POLICY = "policy";
+    private static final String POLICY_2 = "policy2";
+    private static final String POLICY_3 = "policy3";
+    private static final Map<String, String> META = new HashMap<>();
+    private static final String META_KEY = "key";
+    private static final String META_VALUE = "value";
+    private static final String META_KEY_2 = "key2";
+    private static final String META_VALUE_2 = "value2";
+    private static final Boolean RENEWABLE = true;
+    private static final String JSON_FULL = "{\"id\":\"test-id\",\"display_name\":\"display-name\",\"no_parent\":false,\"no_default_policy\":false,\"ttl\":123,\"num_uses\":4,\"policies\":[\"policy\"],\"meta\":{\"key\":\"value\"},\"renewable\":true}";
+
+    @BeforeAll
+    public static void init() {
+        POLICIES.add(POLICY);
+        META.put(META_KEY, META_VALUE);
+    }
+
+    /**
+     * Build token without any parameters.
+     */
+    @Test
+    public void buildDefaultTest() throws JsonProcessingException {
+        Token token = new TokenBuilder().build();
+        assertThat(token.getId(), is(nullValue()));
+        assertThat(token.getDisplayName(), is(nullValue()));
+        assertThat(token.getNoParent(), is(nullValue()));
+        assertThat(token.getNoDefaultPolicy(), is(nullValue()));
+        assertThat(token.getTtl(), is(nullValue()));
+        assertThat(token.getNumUses(), is(nullValue()));
+        assertThat(token.getPolicies(), is(nullValue()));
+        assertThat(token.getMeta(), is(nullValue()));
+        assertThat(token.isRenewable(), is(nullValue()));
+
+        /* optional fields should be ignored, so JSON string should be empty */
+        assertThat(new ObjectMapper().writeValueAsString(token), is("{}"));
+    }
+
+    /**
+     * Build token without all parameters set.
+     */
+    @Test
+    public void buildFullTest() throws JsonProcessingException {
+        Token token = new TokenBuilder()
+                .withId(ID)
+                .withDisplayName(DISPLAY_NAME)
+                .withNoParent(NO_PARENT)
+                .withNoDefaultPolicy(NO_DEFAULT_POLICY)
+                .withTtl(TTL)
+                .withNumUses(NUM_USES)
+                .withPolicies(POLICIES)
+                .withMeta(META)
+                .withRenewable(RENEWABLE)
+                .build();
+        assertThat(token.getId(), is(ID));
+        assertThat(token.getDisplayName(), is(DISPLAY_NAME));
+        assertThat(token.getNoParent(), is(NO_PARENT));
+        assertThat(token.getNoDefaultPolicy(), is(NO_DEFAULT_POLICY));
+        assertThat(token.getTtl(), is(TTL));
+        assertThat(token.getNumUses(), is(NUM_USES));
+        assertThat(token.getPolicies(), is(POLICIES));
+        assertThat(token.getMeta(), is(META));
+        assertThat(token.isRenewable(), is(RENEWABLE));
+
+        /* Verify that all parameters are included in JSON string */
+        assertThat(new ObjectMapper().writeValueAsString(token), is(JSON_FULL));
+    }
+
+    /**
+     * Test convenience methods
+     */
+    @Test
+    public void convenienceMethodsTest() {
+        /* Parent */
+        Token token = new TokenBuilder().asOrphan().build();
+        assertThat(token.getNoParent(), is(true));
+        token = new TokenBuilder().withParent().build();
+        assertThat(token.getNoParent(), is(false));
+
+        /* Default policy */
+        token = new TokenBuilder().withDefaultPolicy().build();
+        assertThat(token.getNoDefaultPolicy(), is(false));
+        token = new TokenBuilder().withoutDefaultPolicy().build();
+        assertThat(token.getNoDefaultPolicy(), is(true));
+
+        /* Renewability */
+        token = new TokenBuilder().renewable().build();
+        assertThat(token.isRenewable(), is(true));
+        token = new TokenBuilder().notRenewable().build();
+        assertThat(token.isRenewable(), is(false));
+
+        /* Add single policy */
+        token = new TokenBuilder().withPolicy(POLICY_2).build();
+        assertThat(token.getPolicies(), hasSize(1));
+        assertThat(token.getPolicies(), contains(POLICY_2));
+        token = new TokenBuilder()
+                .withPolicies(POLICY, POLICY_2)
+                .withPolicy(POLICY_3)
+                .build();
+        assertThat(token.getPolicies(), hasSize(3));
+        assertThat(token.getPolicies(), contains(POLICY, POLICY_2, POLICY_3));
+
+        /* Add single metadata */
+        token = new TokenBuilder().withMeta(META_KEY_2, META_VALUE_2).build();
+        assertThat(token.getMeta().size(), is(1));
+        assertThat(token.getMeta().keySet(), contains(META_KEY_2));
+        assertThat(token.getMeta().get(META_KEY_2), is(META_VALUE_2));
+        token = new TokenBuilder()
+                .withMeta(META)
+                .withMeta(META_KEY_2, META_VALUE_2)
+                .build();
+        assertThat(token.getMeta().size(), is(2));
+        assertThat(token.getMeta().get(META_KEY), is(META_VALUE));
+        assertThat(token.getMeta().get(META_KEY_2), is(META_VALUE_2));
+    }
+}

src/test/java/de/stklcode/jvault/connector/model/response/AppRoleResponseTest.java

@@ -0,0 +1,117 @@
+/*
+ * Copyright 2016-2019 Stefan Kalscheuer
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package de.stklcode.jvault.connector.model.response;
+
+import com.fasterxml.jackson.databind.ObjectMapper;
+import de.stklcode.jvault.connector.exception.InvalidResponseException;
+import de.stklcode.jvault.connector.model.AppRole;
+import org.junit.jupiter.api.Test;
+
+import java.io.IOException;
+import java.util.HashMap;
+import java.util.Map;
+
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.Matchers.*;
+import static org.junit.jupiter.api.Assertions.fail;
+
+/**
+ * JUnit Test for {@link AppRoleResponse} model.
+ *
+ * @author Stefan Kalscheuer
+ * @since 0.6.2
+ */
+public class AppRoleResponseTest {
+    private static final Integer ROLE_TOKEN_TTL = 1200;
+    private static final Integer ROLE_TOKEN_MAX_TTL = 1800;
+    private static final Integer ROLE_SECRET_TTL = 600;
+    private static final Integer ROLE_SECRET_NUM_USES = 40;
+    private static final String ROLE_POLICY = "default";
+    private static final Integer ROLE_PERIOD = 0;
+    private static final Boolean ROLE_BIND_SECRET = true;
+
+    private static final String RES_JSON = "{\n" +
+            "  \"auth\": null,\n" +
+            "  \"warnings\": null,\n" +
+            "  \"wrap_info\": null,\n" +
+            "  \"data\": {\n" +
+            "    \"token_ttl\": " + ROLE_TOKEN_TTL + ",\n" +
+            "    \"token_max_ttl\": " + ROLE_TOKEN_MAX_TTL + ",\n" +
+            "    \"secret_id_ttl\": " + ROLE_SECRET_TTL + ",\n" +
+            "    \"secret_id_num_uses\": " + ROLE_SECRET_NUM_USES + ",\n" +
+            "    \"policies\": [\n" +
+            "      \"" + ROLE_POLICY + "\"\n" +
+            "    ],\n" +
+            "    \"period\": " + ROLE_PERIOD + ",\n" +
+            "    \"bind_secret_id\": " + ROLE_BIND_SECRET + ",\n" +
+            "    \"bound_cidr_list\": \"\"\n" +
+            "  },\n" +
+            "  \"lease_duration\": 0,\n" +
+            "  \"renewable\": false,\n" +
+            "  \"lease_id\": \"\"\n" +
+            "}";
+
+    private static final Map<String, Object> INVALID_DATA = new HashMap<>();
+
+    static {
+        INVALID_DATA.put("policies", "fancy-policy");
+    }
+
+    /**
+     * Test getter, setter and get-methods for response data.
+     */
+    @Test
+    public void getDataRoundtrip() {
+        // Create empty Object.
+        AppRoleResponse res = new AppRoleResponse();
+        assertThat("Initial data should be empty", res.getRole(), is(nullValue()));
+
+        // Parsing invalid auth data map should fail.
+        try {
+            res.setData(INVALID_DATA);
+            fail("Parsing invalid data succeeded");
+        } catch (Exception e) {
+            assertThat(e, is(instanceOf(InvalidResponseException.class)));
+        }
+    }
+
+    /**
+     * Test creation from JSON value as returned by Vault (JSON example copied from Vault documentation).
+     */
+    @Test
+    public void jsonRoundtrip() {
+        try {
+            AppRoleResponse res = new ObjectMapper().readValue(RES_JSON, AppRoleResponse.class);
+            assertThat("Parsed response is NULL", res, is(notNullValue()));
+            // Extract role data.
+            AppRole role = res.getRole();
+            assertThat("Role data is NULL", role, is(notNullValue()));
+            assertThat("Incorrect token TTL", role.getTokenTtl(), is(ROLE_TOKEN_TTL));
+            assertThat("Incorrect token max TTL", role.getTokenMaxTtl(), is(ROLE_TOKEN_MAX_TTL));
+            assertThat("Incorrect secret ID TTL", role.getSecretIdTtl(), is(ROLE_SECRET_TTL));
+            assertThat("Incorrect secret ID umber of uses", role.getSecretIdNumUses(), is(ROLE_SECRET_NUM_USES));
+            assertThat("Incorrect number of policies", role.getPolicies(), hasSize(1));
+            assertThat("Incorrect role policies", role.getPolicies(), contains(ROLE_POLICY));
+            assertThat("Incorrect role period", role.getPeriod(), is(ROLE_PERIOD));
+            assertThat("Incorrect role bind secret ID flag", role.getBindSecretId(), is(ROLE_BIND_SECRET));
+            assertThat("Incorrect biund CIDR list", role.getBoundCidrList(), is(nullValue()));
+            assertThat("Incorrect biund CIDR list string", role.getBoundCidrListString(), is(emptyString()));
+        } catch (IOException e) {
+            fail("AuthResponse deserialization failed: " + e.getMessage());
+        }
+    }
+}

src/test/java/de/stklcode/jvault/connector/model/response/AuthMethodsResponseTest.java

@@ -0,0 +1,128 @@
+/*
+ * Copyright 2016-2019 Stefan Kalscheuer
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package de.stklcode.jvault.connector.model.response;
+
+import com.fasterxml.jackson.databind.ObjectMapper;
+import de.stklcode.jvault.connector.exception.InvalidResponseException;
+import de.stklcode.jvault.connector.model.AuthBackend;
+import de.stklcode.jvault.connector.model.response.embedded.AuthMethod;
+import org.junit.jupiter.api.Test;
+
+import java.io.IOException;
+import java.util.HashMap;
+import java.util.Map;
+
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.Matchers.*;
+import static org.junit.jupiter.api.Assertions.fail;
+
+/**
+ * JUnit Test for {@link AuthMethodsResponse} model.
+ *
+ * @author Stefan Kalscheuer
+ * @since 0.6.2
+ */
+public class AuthMethodsResponseTest {
+    private static final String GH_PATH = "github/";
+    private static final String GH_TYPE = "github";
+    private static final String GH_DESCR = "GitHub auth";
+    private static final String TK_PATH = "token/";
+    private static final String TK_TYPE = "token";
+    private static final String TK_DESCR = "token based credentials";
+    private static final Integer TK_LEASE_TTL = 0;
+    private static final Integer TK_MAX_LEASE_TTL = 0;
+
+    private static final String RES_JSON = "{\n" +
+            "  \"data\": {" +
+            "    \"" + GH_PATH + "\": {\n" +
+            "      \"type\": \"" + GH_TYPE + "\",\n" +
+            "      \"description\": \"" + GH_DESCR + "\"\n" +
+            "    },\n" +
+            "    \"" + TK_PATH + "\": {\n" +
+            "      \"config\": {\n" +
+            "        \"default_lease_ttl\": " + TK_LEASE_TTL + ",\n" +
+            "        \"max_lease_ttl\": " + TK_MAX_LEASE_TTL + "\n" +
+            "      },\n" +
+            "      \"description\": \"" + TK_DESCR + "\",\n" +
+            "      \"type\": \"" + TK_TYPE + "\"\n" +
+            "    }\n" +
+            "  }\n" +
+            "}";
+
+    private static final Map<String, Object> INVALID_DATA = new HashMap<>();
+
+    static {
+        INVALID_DATA.put("dummy/", new Dummy());
+    }
+
+    /**
+     * Test getter, setter and get-methods for response data.
+     */
+    @Test
+    public void getDataRoundtrip() {
+        // Create empty Object.
+        AuthMethodsResponse res = new AuthMethodsResponse();
+        assertThat("Initial method map should be empty", res.getSupportedMethods(), is(anEmptyMap()));
+
+        // Parsing invalid data map should fail.
+        try {
+            res.setData(INVALID_DATA);
+            fail("Parsing invalid data succeeded");
+        } catch (Exception e) {
+            assertThat(e, is(instanceOf(InvalidResponseException.class)));
+        }
+    }
+
+    /**
+     * Test creation from JSON value as returned by Vault (JSON example copied from Vault documentation).
+     */
+    @Test
+    public void jsonRoundtrip() {
+        try {
+            AuthMethodsResponse res = new ObjectMapper().readValue(RES_JSON, AuthMethodsResponse.class);
+            assertThat("Parsed response is NULL", res, is(notNullValue()));
+            // Extract auth data.
+            Map<String, AuthMethod> supported = res.getSupportedMethods();
+            assertThat("Auth data is NULL", supported, is(notNullValue()));
+            assertThat("Incorrect number of supported methods", supported.entrySet(), hasSize(2));
+            assertThat("Incorrect method paths", supported.keySet(), containsInAnyOrder(GH_PATH, TK_PATH));
+
+            // Verify first method.
+            AuthMethod method = supported.get(GH_PATH);
+            assertThat("Incorrect raw type for GitHub", method.getRawType(), is(GH_TYPE));
+            assertThat("Incorrect parsed type for GitHub", method.getType(), is(AuthBackend.GITHUB));
+            assertThat("Incorrect description for GitHub", method.getDescription(), is(GH_DESCR));
+            assertThat("Unexpected config for GitHub", method.getConfig(), is(nullValue()));
+
+            // Verify first method.
+            method = supported.get(TK_PATH);
+            assertThat("Incorrect raw type for Token", method.getRawType(), is(TK_TYPE));
+            assertThat("Incorrect parsed type for Token", method.getType(), is(AuthBackend.TOKEN));
+            assertThat("Incorrect description for Token", method.getDescription(), is(TK_DESCR));
+            assertThat("Missing config for Token", method.getConfig(), is(notNullValue()));
+            assertThat("Unexpected config size for Token", method.getConfig().keySet(), hasSize(2));
+            assertThat("Incorrect lease TTL config", method.getConfig().get("default_lease_ttl"), is(TK_LEASE_TTL.toString()));
+            assertThat("Incorrect max lease TTL config", method.getConfig().get("max_lease_ttl"), is(TK_MAX_LEASE_TTL.toString()));
+        } catch (IOException e) {
+            fail("AuthResponse deserialization failed: " + e.getMessage());
+        }
+    }
+
+    private static class Dummy {
+
+    }
+}

src/test/java/de/stklcode/jvault/connector/model/response/AuthResponseTest.java

@@ -0,0 +1,113 @@
+/*
+ * Copyright 2016-2019 Stefan Kalscheuer
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package de.stklcode.jvault.connector.model.response;
+
+import com.fasterxml.jackson.databind.ObjectMapper;
+import de.stklcode.jvault.connector.exception.InvalidResponseException;
+import de.stklcode.jvault.connector.model.response.embedded.AuthData;
+import org.junit.jupiter.api.Test;
+
+import java.io.IOException;
+import java.util.HashMap;
+import java.util.Map;
+
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.Matchers.*;
+import static org.junit.jupiter.api.Assertions.fail;
+
+/**
+ * JUnit Test for {@link AuthResponse} model.
+ *
+ * @author Stefan Kalscheuer
+ * @since 0.6.2
+ */
+public class AuthResponseTest {
+    private static final String AUTH_ACCESSOR = "2c84f488-2133-4ced-87b0-570f93a76830";
+    private static final String AUTH_CLIENT_TOKEN = "ABCD";
+    private static final String AUTH_POLICY_1 = "web";
+    private static final String AUTH_POLICY_2 = "stage";
+    private static final String AUTH_META_KEY = "user";
+    private static final String AUTH_META_VALUE = "armon";
+    private static final Integer AUTH_LEASE_DURATION = 3600;
+    private static final Boolean AUTH_RENEWABLE = true;
+
+    private static final String RES_JSON = "{\n" +
+            "  \"auth\": {\n" +
+            "    \"accessor\": \"" + AUTH_ACCESSOR + "\",\n" +
+            "    \"client_token\": \"" + AUTH_CLIENT_TOKEN + "\",\n" +
+            "    \"policies\": [\n" +
+            "      \"" + AUTH_POLICY_1 + "\", \n" +
+            "      \"" + AUTH_POLICY_2 + "\"\n" +
+            "    ],\n" +
+            "    \"metadata\": {\n" +
+            "      \"" + AUTH_META_KEY + "\": \"" + AUTH_META_VALUE + "\"\n" +
+            "    },\n" +
+            "    \"lease_duration\": " + AUTH_LEASE_DURATION + ",\n" +
+            "    \"renewable\": " + AUTH_RENEWABLE + "\n" +
+            "  }\n" +
+            "}";
+
+    private static final Map<String, Object> INVALID_AUTH_DATA = new HashMap<>();
+
+    static {
+        INVALID_AUTH_DATA.put("policies", "fancy-policy");
+    }
+
+    /**
+     * Test getter, setter and get-methods for response data.
+     */
+    @Test
+    public void getDataRoundtrip() {
+        // Create empty Object.
+        AuthResponse res = new AuthResponse();
+        assertThat("Initial data should be empty", res.getData(), is(nullValue()));
+
+        // Parsing invalid auth data map should fail.
+        try {
+            res.setAuth(INVALID_AUTH_DATA);
+            fail("Parsing invalid auth data succeeded");
+        } catch (Exception e) {
+            assertThat(e, is(instanceOf(InvalidResponseException.class)));
+        }
+
+        // Data method should be agnostic.
+        res.setData(INVALID_AUTH_DATA);
+        assertThat("Data not passed through", res.getData(), is(INVALID_AUTH_DATA));
+    }
+
+    /**
+     * Test creation from JSON value as returned by Vault (JSON example copied from Vault documentation).
+     */
+    @Test
+    public void jsonRoundtrip() {
+        try {
+            AuthResponse res = new ObjectMapper().readValue(RES_JSON, AuthResponse.class);
+            assertThat("Parsed response is NULL", res, is(notNullValue()));
+            // Extract auth data.
+            AuthData data = res.getAuth();
+            assertThat("Auth data is NULL", data, is(notNullValue()));
+            assertThat("Incorrect auth accessor", data.getAccessor(), is(AUTH_ACCESSOR));
+            assertThat("Incorrect auth client token", data.getClientToken(), is(AUTH_CLIENT_TOKEN));
+            assertThat("Incorrect auth lease duration", data.getLeaseDuration(), is(AUTH_LEASE_DURATION));
+            assertThat("Incorrect auth renewable flag", data.isRenewable(), is(AUTH_RENEWABLE));
+            assertThat("Incorrect number of policies", data.getPolicies(), hasSize(2));
+            assertThat("Incorrect auth policies", data.getPolicies(), containsInAnyOrder(AUTH_POLICY_1, AUTH_POLICY_2));
+        } catch (IOException e) {
+            fail("AuthResponse deserialization failed: " + e.getMessage());
+        }
+    }
+}

src/test/java/de/stklcode/jvault/connector/model/response/CredentialsResponseTest.java

@@ -0,0 +1,66 @@
+/*
+ * Copyright 2016-2019 Stefan Kalscheuer
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package de.stklcode.jvault.connector.model.response;
+
+import com.fasterxml.jackson.databind.ObjectMapper;
+import de.stklcode.jvault.connector.exception.InvalidResponseException;
+import org.junit.jupiter.api.Test;
+
+import java.io.IOException;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.Matchers.*;
+import static org.junit.jupiter.api.Assertions.fail;
+
+/**
+ * JUnit Test for {@link CredentialsResponse} model.
+ *
+ * @author Stefan Kalscheuer
+ * @since 0.8
+ */
+public class CredentialsResponseTest {
+    private static final Map<String, Object> DATA = new HashMap<>();
+    private static final String VAL_USER = "testUserName";
+    private static final String VAL_PASS = "5up3r5ecr3tP455";
+
+    static {
+        DATA.put("username", VAL_USER);
+        DATA.put("password", VAL_PASS);
+    }
+
+    /**
+     * Test getter, setter and get-methods for response data.
+     *
+     * @throws InvalidResponseException Should not occur
+     */
+    @Test
+    @SuppressWarnings("unchecked")
+    public void getCredentialsTest() throws InvalidResponseException {
+        // Create empty Object.
+        CredentialsResponse res = new CredentialsResponse();
+        assertThat("Username not present in data map should not return anything", res.getUsername(), is(nullValue()));
+        assertThat("Password not present in data map should not return anything", res.getPassword(), is(nullValue()));
+
+        // Fill data map.
+        res.setData(DATA);
+        assertThat("Incorrect username", res.getUsername(), is(VAL_USER));
+        assertThat("Incorrect password", res.getPassword(), is(VAL_PASS));
+    }
+}

src/test/java/de/stklcode/jvault/connector/model/response/HealthResponseTest.java

@@ -0,0 +1,81 @@
+/*
+ * Copyright 2016-2019 Stefan Kalscheuer
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package de.stklcode.jvault.connector.model.response;
+
+import com.fasterxml.jackson.databind.ObjectMapper;
+import org.junit.jupiter.api.Test;
+
+import java.io.IOException;
+
+import static org.hamcrest.CoreMatchers.is;
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.Matchers.notNullValue;
+import static org.junit.jupiter.api.Assertions.fail;
+
+/**
+ * JUnit Test for {@link AuthResponse} model.
+ *
+ * @author Stefan Kalscheuer
+ * @since 0.7.0
+ */
+public class HealthResponseTest {
+    private static final String CLUSTER_ID = "c9abceea-4f46-4dab-a688-5ce55f89e228";
+    private static final String CLUSTER_NAME = "vault-cluster-5515c810";
+    private static final String VERSION = "0.9.2";
+    private static final Long SERVER_TIME_UTC = 1469555798L;
+    private static final Boolean STANDBY = false;
+    private static final Boolean SEALED = false;
+    private static final Boolean INITIALIZED = true;
+    private static final Boolean PERF_STANDBY = false;
+    private static final String REPL_PERF_MODE = "disabled";
+    private static final String REPL_DR_MODE = "disabled";
+
+    private static final String RES_JSON = "{\n" +
+            "  \"cluster_id\": \"" + CLUSTER_ID + "\",\n" +
+            "  \"cluster_name\": \"" + CLUSTER_NAME + "\",\n" +
+            "  \"version\": \"" + VERSION + "\",\n" +
+            "  \"server_time_utc\": " + SERVER_TIME_UTC + ",\n" +
+            "  \"standby\": " + STANDBY + ",\n" +
+            "  \"sealed\": " + SEALED + ",\n" +
+            "  \"initialized\": " + INITIALIZED + ",\n" +
+            "  \"replication_perf_mode\": \"" + REPL_PERF_MODE + "\",\n" +
+            "  \"replication_dr_mode\": \"" + REPL_DR_MODE + "\",\n" +
+            "  \"performance_standby\": " + PERF_STANDBY + "\n" +
+            "}";
+    /**
+     * Test creation from JSON value as returned by Vault (JSON example copied from Vault documentation).
+     */
+    @Test
+    public void jsonRoundtrip() {
+        try {
+            HealthResponse res = new ObjectMapper().readValue(RES_JSON, HealthResponse.class);
+            assertThat("Parsed response is NULL", res, is(notNullValue()));
+            assertThat("Incorrect cluster ID", res.getClusterID(), is(CLUSTER_ID));
+            assertThat("Incorrect cluster name", res.getClusterName(), is(CLUSTER_NAME));
+            assertThat("Incorrect version", res.getVersion(), is(VERSION));
+            assertThat("Incorrect server time", res.getServerTimeUTC(), is(SERVER_TIME_UTC));
+            assertThat("Incorrect standby state", res.isStandby(), is(STANDBY));
+            assertThat("Incorrect seal state", res.isSealed(), is(SEALED));
+            assertThat("Incorrect initialization state", res.isInitialized(), is(INITIALIZED));
+            assertThat("Incorrect performance standby state", res.isPerformanceStandby(), is(PERF_STANDBY));
+            assertThat("Incorrect replication perf mode", res.getReplicationPerfMode(), is(REPL_PERF_MODE));
+            assertThat("Incorrect replication DR mode", res.getReplicationDrMode(), is(REPL_DR_MODE));
+        } catch (IOException e) {
+            fail("Health deserialization failed: " + e.getMessage());
+        }
+    }
+}

src/test/java/de/stklcode/jvault/connector/model/response/MetadataResponseTest.java

@@ -0,0 +1,100 @@
+/*
+ * Copyright 2016-2019 Stefan Kalscheuer
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package de.stklcode.jvault.connector.model.response;
+
+import com.fasterxml.jackson.databind.ObjectMapper;
+import de.stklcode.jvault.connector.exception.InvalidResponseException;
+import org.junit.jupiter.api.Test;
+
+import java.io.IOException;
+import java.util.List;
+import java.util.Map;
+
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.Matchers.*;
+import static org.junit.jupiter.api.Assertions.fail;
+
+/**
+ * JUnit Test for {@link MetadataResponse} model.
+ *
+ * @author Stefan Kalscheuer
+ * @since 0.8
+ */
+public class MetadataResponseTest {
+    private static final String V1_TIME = "2018-03-22T02:24:06.945319214Z";
+    private static final String V3_TIME = "2018-03-22T02:36:43.986212308Z";
+    private static final String V2_TIME = "2018-03-22T02:36:33.954880664Z";
+    private static final Integer CURRENT_VERSION = 3;
+    private static final Integer MAX_VERSIONS = 0;
+    private static final Integer OLDEST_VERSION = 1;
+
+    private static final String META_JSON = "{\n" +
+            "  \"data\": {\n" +
+            "    \"created_time\": \"" + V1_TIME + "\",\n" +
+            "    \"current_version\": " + CURRENT_VERSION + ",\n" +
+            "    \"max_versions\": " + MAX_VERSIONS + ",\n" +
+            "    \"oldest_version\": " + OLDEST_VERSION + ",\n" +
+            "    \"updated_time\": \"" + V3_TIME + "\",\n" +
+            "    \"versions\": {\n" +
+            "      \"1\": {\n" +
+            "        \"created_time\": \"" + V1_TIME + "\",\n" +
+            "        \"deletion_time\": \"" + V2_TIME + "\",\n" +
+            "        \"destroyed\": true\n" +
+            "      },\n" +
+            "      \"2\": {\n" +
+            "        \"created_time\": \"" + V2_TIME + "\",\n" +
+            "        \"deletion_time\": \"\",\n" +
+            "        \"destroyed\": false\n" +
+            "      },\n" +
+            "      \"3\": {\n" +
+            "        \"created_time\": \"" + V3_TIME + "\",\n" +
+            "        \"deletion_time\": \"\",\n" +
+            "        \"destroyed\": false\n" +
+            "      }\n" +
+            "    }\n" +
+            "  }\n" +
+            "}";
+
+    /**
+     * Test creation from JSON value as returned by Vault (JSON example copied from Vault documentation).
+     */
+    @Test
+    public void jsonRoundtrip() {
+        try {
+            MetadataResponse res = new ObjectMapper().readValue(META_JSON, MetadataResponse.class);
+            assertThat("Parsed response is NULL", res, is(notNullValue()));
+            assertThat("Parsed metadatra is NULL", res.getMetadata(), is(notNullValue()));
+            assertThat("Incorrect created time", res.getMetadata().getCreatedTimeString(), is(V1_TIME));
+            assertThat("Parting created time failed", res.getMetadata().getCreatedTime(), is(notNullValue()));
+            assertThat("Incorrect current version", res.getMetadata().getCurrentVersion(), is(CURRENT_VERSION));
+            assertThat("Incorrect max versions", res.getMetadata().getMaxVersions(), is(MAX_VERSIONS));
+            assertThat("Incorrect oldest version", res.getMetadata().getOldestVersion(), is(OLDEST_VERSION));
+            assertThat("Incorrect updated time", res.getMetadata().getUpdatedTimeString(), is(V3_TIME));
+            assertThat("Parting updated time failed", res.getMetadata().getUpdatedTime(), is(notNullValue()));
+            assertThat("Incorrect number of versions", res.getMetadata().getVersions().size(), is(3));
+            assertThat("Incorrect version 1 delete time", res.getMetadata().getVersions().get(1).getDeletionTimeString(), is(V2_TIME));
+            assertThat("Parsion version delete time failed", res.getMetadata().getVersions().get(1).getDeletionTime(), is(notNullValue()));
+            assertThat("Incorrect version 1 destroyed state", res.getMetadata().getVersions().get(1).isDestroyed(), is(true));
+            assertThat("Incorrect version 2 created time", res.getMetadata().getVersions().get(2).getCreatedTimeString(), is(V2_TIME));
+            assertThat("Parsion version created failed", res.getMetadata().getVersions().get(2).getCreatedTime(), is(notNullValue()));
+            assertThat("Incorrect version 3 destroyed state", res.getMetadata().getVersions().get(3).isDestroyed(), is(false));
+
+        } catch (IOException e) {
+            fail("MetadataResoponse deserialization failed: " + e.getMessage());
+        }
+    }
+}

src/test/java/de/stklcode/jvault/connector/model/response/SealResponseTest.java

@@ -0,0 +1,112 @@
+/*
+ * Copyright 2016-2019 Stefan Kalscheuer
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package de.stklcode.jvault.connector.model.response;
+
+import com.fasterxml.jackson.databind.ObjectMapper;
+import org.junit.jupiter.api.Test;
+
+import java.io.IOException;
+
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.Matchers.*;
+import static org.junit.jupiter.api.Assertions.fail;
+
+/**
+ * JUnit Test for {@link SealResponse} model.
+ *
+ * @author Stefan Kalscheuer
+ * @since 0.8
+ */
+public class SealResponseTest {
+    private static final String TYPE = "shamir";
+    private static final Integer THRESHOLD = 3;
+    private static final Integer SHARES = 5;
+    private static final Integer PROGRESS_SEALED = 2;
+    private static final Integer PROGRESS_UNSEALED = 0;
+    private static final String VERSION = "0.11.2";
+    private static final String CLUSTER_NAME = "vault-cluster-d6ec3c7f";
+    private static final String CLUSTER_ID = "3e8b3fec-3749-e056-ba41-b62a63b997e8";
+    private static final String NONCE = "ef05d55d-4d2c-c594-a5e8-55bc88604c24";
+
+    private static final String RES_SEALED = "{\n" +
+            "  \"type\": \"" + TYPE + "\",\n" +
+            "  \"sealed\": true,\n" +
+            "  \"initialized\": true,\n" +
+            "  \"t\": " + THRESHOLD + ",\n" +
+            "  \"n\": " + SHARES + ",\n" +
+            "  \"progress\": " + PROGRESS_SEALED + ",\n" +
+            "  \"nonce\": \"\",\n" +
+            "  \"version\": \"" + VERSION + "\"\n" +
+            "}";
+
+    private static final String RES_UNSEALED = "{\n" +
+            "  \"type\": \"" + TYPE + "\",\n" +
+            "  \"sealed\": false,\n" +
+            "  \"initialized\": true,\n" +
+            "  \"t\": " + THRESHOLD + ",\n" +
+            "  \"n\": " + SHARES + ",\n" +
+            "  \"progress\": " + PROGRESS_UNSEALED + ",\n" +
+            "  \"version\": \"" + VERSION + "\",\n" +
+            "  \"cluster_name\": \"" + CLUSTER_NAME + "\",\n" +
+            "  \"cluster_id\": \"" + CLUSTER_ID + "\",\n" +
+            "  \"nonce\": \"" + NONCE + "\"\n" +
+            "}";
+
+    /**
+     * Test creation from JSON value as returned by Vault when sealed (JSON example close to Vault documentation).
+     */
+    @Test
+    public void jsonRoundtripSealed() {
+        // First test sealed Vault's response.
+        try {
+            SealResponse res = new ObjectMapper().readValue(RES_SEALED, SealResponse.class);
+            assertThat("Parsed response is NULL", res, is(notNullValue()));
+            assertThat("Incorrect seal type", res.getType(), is(TYPE));
+            assertThat("Incorrect seal status", res.isSealed(), is(true));
+            assertThat("Incorrect initialization status", res.isInitialized(), is(true));
+            assertThat("Incorrect threshold", res.getThreshold(), is(THRESHOLD));
+            assertThat("Incorrect number of shares", res.getNumberOfShares(), is(SHARES));
+            assertThat("Incorrect progress", res.getProgress(), is(PROGRESS_SEALED));
+            assertThat("Nonce not empty", res.getNonce(), is(""));
+            assertThat("Incorrect version", res.getVersion(), is(VERSION));
+            // And the fields, that should not be filled.
+            assertThat("Cluster name should not be populated", res.getClusterName(), is(nullValue()));
+            assertThat("Cluster ID should not be populated", res.getClusterId(), is(nullValue()));
+        } catch (IOException e) {
+            fail("TokenResponse deserialization failed: " + e.getMessage());
+        }
+
+
+        // Not test unsealed Vault's response.
+        try {
+            SealResponse res = new ObjectMapper().readValue(RES_UNSEALED, SealResponse.class);
+            assertThat("Parsed response is NULL", res, is(notNullValue()));
+            assertThat("Incorrect seal type", res.getType(), is(TYPE));
+            assertThat("Incorrect seal status", res.isSealed(), is(false));
+            assertThat("Incorrect initialization status", res.isInitialized(), is(true));
+            assertThat("Incorrect threshold", res.getThreshold(), is(THRESHOLD));
+            assertThat("Incorrect number of shares", res.getNumberOfShares(), is(SHARES));
+            assertThat("Incorrect progress", res.getProgress(), is(PROGRESS_UNSEALED));
+            assertThat("Incorrect nonce", res.getNonce(), is(NONCE));
+            assertThat("Incorrect version", res.getVersion(), is(VERSION));
+            assertThat("Incorrect cluster name", res.getClusterName(), is(CLUSTER_NAME));
+            assertThat("Incorrect cluster ID", res.getClusterId(), is(CLUSTER_ID));
+        } catch (IOException e) {
+            fail("TokenResponse deserialization failed: " + e.getMessage());
+        }
+    }
+}

src/test/java/de/stklcode/jvault/connector/model/response/SecretListResponseTest.java

@@ -0,0 +1,75 @@
+/*
+ * Copyright 2016-2019 Stefan Kalscheuer
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package de.stklcode.jvault.connector.model.response;
+
+import de.stklcode.jvault.connector.exception.InvalidResponseException;
+import org.junit.jupiter.api.Test;
+
+import java.util.Arrays;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.Matchers.*;
+import static org.junit.Assert.fail;
+
+/**
+ * JUnit Test for {@link SecretListResponse} model.
+ *
+ * @author Stefan Kalscheuer
+ * @since 0.8
+ */
+public class SecretListResponseTest {
+    private static final Map<String, Object> DATA = new HashMap<>();
+    private static final String KEY1 = "key1";
+    private static final String KEY2 = "key-2";
+    private static final List<String> KEYS = Arrays.asList(KEY1, KEY2);
+
+    static {
+        DATA.put("keys", KEYS);
+    }
+
+    /**
+     * Test getter, setter and get-methods for response data.
+     *
+     * @throws InvalidResponseException Should not occur
+     */
+    @Test
+    @SuppressWarnings("unchecked")
+    public void getKeysTest() throws InvalidResponseException {
+        // Create empty Object.
+        SecretListResponse res = new SecretListResponse();
+        assertThat("Keys should be null without initialization", res.getKeys(), is(nullValue()));
+
+        // Provoke internal ClassCastException.
+        try {
+            Map<String, Object> invalidData = new HashMap<>();
+            invalidData.put("keys", "some string");
+            res.setData(invalidData);
+            fail("Setting incorrect class succeeded");
+        } catch (Exception e) {
+            assertThat("Unexpected exception type", e, instanceOf(InvalidResponseException.class));
+        }
+
+        // Fill correct data.
+        res.setData(DATA);
+        assertThat("Keys should be filled here", res.getKeys(), is(notNullValue()));
+        assertThat("Unexpected number of keys", res.getKeys(), hasSize(2));
+        assertThat("Unexpected keys", res.getKeys(), contains(KEY1, KEY2));
+    }
+}

src/test/java/de/stklcode/jvault/connector/model/response/SecretResponseTest.java

@@ -0,0 +1,206 @@
+/*
+ * Copyright 2016-2019 Stefan Kalscheuer
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package de.stklcode.jvault.connector.model.response;
+
+import com.fasterxml.jackson.databind.ObjectMapper;
+import de.stklcode.jvault.connector.exception.InvalidResponseException;
+import org.junit.jupiter.api.Test;
+
+import java.io.IOException;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
+
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.Matchers.*;
+import static org.junit.jupiter.api.Assertions.fail;
+
+/**
+ * JUnit Test for {@link SecretResponse} model.
+ *
+ * @author Stefan Kalscheuer
+ * @since 0.6.2
+ */
+public class SecretResponseTest {
+    private static final Map<String, Object> DATA = new HashMap<>();
+    private static final String KEY_UNKNOWN = "unknown";
+    private static final String KEY_STRING = "test1";
+    private static final String VAL_STRING = "testvalue";
+    private static final String KEY_INTEGER = "test2";
+    private static final Integer VAL_INTEGER = 42;
+    private static final String KEY_LIST = "list";
+    private static final String VAL_LIST = "[\"first\",\"second\"]";
+
+    private static final String SECRET_REQUEST_ID = "68315073-6658-e3ff-2da7-67939fb91bbd";
+    private static final String SECRET_LEASE_ID = "";
+    private static final Integer SECRET_LEASE_DURATION = 2764800;
+    private static final boolean SECRET_RENEWABLE = false;
+    private static final String SECRET_DATA_K1 = "excited";
+    private static final String SECRET_DATA_V1 = "yes";
+    private static final String SECRET_DATA_K2 = "value";
+    private static final String SECRET_DATA_V2 = "world";
+    private static final String SECRET_META_CREATED = "2018-03-22T02:24:06.945319214Z";
+    private static final String SECRET_META_DELETED = "2018-03-23T03:25:07.056420325Z";
+    private static final List<String> SECRET_WARNINGS = null;
+    private static final String SECRET_JSON = "{\n" +
+            "    \"request_id\": \"" + SECRET_REQUEST_ID + "\",\n" +
+            "    \"lease_id\": \"" + SECRET_LEASE_ID + "\",\n" +
+            "    \"lease_duration\": " + SECRET_LEASE_DURATION + ",\n" +
+            "    \"renewable\": " + SECRET_RENEWABLE + ",\n" +
+            "    \"data\": {\n" +
+            "        \"" + SECRET_DATA_K1 + "\": \"" + SECRET_DATA_V1 + "\",\n" +
+            "        \"" + SECRET_DATA_K2 + "\": \"" + SECRET_DATA_V2 + "\"\n" +
+            "    },\n" +
+            "    \"warnings\": " + SECRET_WARNINGS + "\n" +
+            "}";
+    private static final String SECRET_JSON_V2 = "{\n" +
+            "    \"request_id\": \"" + SECRET_REQUEST_ID + "\",\n" +
+            "    \"lease_id\": \"" + SECRET_LEASE_ID + "\",\n" +
+            "    \"lease_duration\": " + SECRET_LEASE_DURATION + ",\n" +
+            "    \"renewable\": " + SECRET_RENEWABLE + ",\n" +
+            "    \"data\": {\n" +
+            "      \"data\": {\n" +
+            "          \"" + SECRET_DATA_K1 + "\": \"" + SECRET_DATA_V1 + "\",\n" +
+            "          \"" + SECRET_DATA_K2 + "\": \"" + SECRET_DATA_V2 + "\"\n" +
+            "      },\n" +
+            "      \"metadata\": {\n" +
+            "          \"created_time\": \"" + SECRET_META_CREATED + "\",\n" +
+            "          \"deletion_time\": \"\",\n" +
+            "          \"destroyed\": false,\n" +
+            "          \"version\": 1\n" +
+            "      }\n" +
+            "    },\n" +
+            "    \"warnings\": " + SECRET_WARNINGS + "\n" +
+            "}";
+    private static final String SECRET_JSON_V2_2 = "{\n" +
+            "    \"request_id\": \"" + SECRET_REQUEST_ID + "\",\n" +
+            "    \"lease_id\": \"" + SECRET_LEASE_ID + "\",\n" +
+            "    \"lease_duration\": " + SECRET_LEASE_DURATION + ",\n" +
+            "    \"renewable\": " + SECRET_RENEWABLE + ",\n" +
+            "    \"data\": {\n" +
+            "      \"data\": {\n" +
+            "          \"" + SECRET_DATA_K1 + "\": \"" + SECRET_DATA_V1 + "\",\n" +
+            "          \"" + SECRET_DATA_K2 + "\": \"" + SECRET_DATA_V2 + "\"\n" +
+            "      },\n" +
+            "      \"metadata\": {\n" +
+            "          \"created_time\": \"" + SECRET_META_CREATED + "\",\n" +
+            "          \"deletion_time\": \"" + SECRET_META_DELETED + "\",\n" +
+            "          \"destroyed\": true,\n" +
+            "          \"version\": 2\n" +
+            "      }\n" +
+            "    },\n" +
+            "    \"warnings\": " + SECRET_WARNINGS + "\n" +
+            "}";
+
+
+    static {
+        DATA.put(KEY_STRING, VAL_STRING);
+        DATA.put(KEY_INTEGER, VAL_INTEGER);
+        DATA.put(KEY_LIST, VAL_LIST);
+    }
+
+    /**
+     * Test getter, setter and get-methods for response data.
+     *
+     * @throws InvalidResponseException Should not occur
+     */
+    @Test
+    @SuppressWarnings("unchecked")
+    public void getDataRoundtrip() throws InvalidResponseException {
+        // Create empty Object.
+        SecretResponse res = new SecretResponse();
+        assertThat("Initial data should be Map", res.getData(), is(instanceOf(Map.class)));
+        assertThat("Initial data should be empty", res.getData().entrySet(), empty());
+        assertThat("Getter should return NULL on empty data map", res.get(KEY_STRING), is(nullValue()));
+
+        // Fill data map.
+        res.setData(DATA);
+        assertThat("Data setter/getter not transparent", res.getData(), is(DATA));
+        assertThat("Data size modified", res.getData().keySet(), hasSize(DATA.size()));
+        assertThat("Data keys not passed correctly", res.getData().keySet(), containsInAnyOrder(KEY_STRING, KEY_INTEGER, KEY_LIST));
+        assertThat("Data values not passed correctly", res.get(KEY_STRING), is(VAL_STRING));
+        assertThat("Data values not passed correctly", res.get(KEY_INTEGER), is(VAL_INTEGER));
+        assertThat("Non-Null returned on unknown key", res.get(KEY_UNKNOWN), is(nullValue()));
+
+        // Try explicit JSON conversion.
+        final List list = res.get(KEY_LIST, List.class);
+        assertThat("JSON parsing of list failed", list, is(notNullValue()));
+        assertThat("JSON parsing of list returned incorrect size", list.size(), is(2));
+        assertThat("JSON parsing of list returned incorrect elements", (List<Object>)list, contains("first", "second"));
+        assertThat("Non-Null returned on unknown key", res.get(KEY_UNKNOWN, Object.class), is(nullValue()));
+
+        // Requesting invalid class should result in Exception.
+        try {
+            res.get(KEY_LIST, Double.class);
+            fail("JSON parsing to incorrect type succeeded.");
+        } catch (Exception e) {
+            assertThat(e, is(instanceOf(InvalidResponseException.class)));
+        }
+    }
+
+    /**
+     * Test creation from JSON value as returned by Vault (JSON example copied from Vault documentation).
+     */
+    @Test
+    public void jsonRoundtrip() {
+        try {
+            assertSecretData(new ObjectMapper().readValue(SECRET_JSON, SecretResponse.class));
+        } catch (IOException e) {
+            fail("SecretResponse deserialization failed: " + e.getMessage());
+        }
+
+        // KV v2 secret.
+        try {
+            SecretResponse res = new ObjectMapper().readValue(SECRET_JSON_V2, SecretResponse.class);
+            assertSecretData(res);
+            assertThat("SecretResponse does not contain metadata", res.getMetadata(), is(notNullValue()));
+            assertThat("Incorrect creation date string", res.getMetadata().getCreatedTimeString(), is(SECRET_META_CREATED));
+            assertThat("Creation date parsing failed", res.getMetadata().getCreatedTime(), is(notNullValue()));
+            assertThat("Incorrect deletion date string", res.getMetadata().getDeletionTimeString(), is(emptyString()));
+            assertThat("Incorrect deletion date", res.getMetadata().getDeletionTime(), is(nullValue()));
+            assertThat("Secret destroyed when not expected", res.getMetadata().isDestroyed(), is(false));
+            assertThat("Incorrect secret version", res.getMetadata().getVersion(), is(1));
+        } catch (IOException e) {
+            fail("SecretResponse deserialization failed: " + e.getMessage());
+        }
+
+        // Deleted KV v2 secret.
+        try {
+            SecretResponse res = new ObjectMapper().readValue(SECRET_JSON_V2_2, SecretResponse.class);
+            assertSecretData(res);
+            assertThat("SecretResponse does not contain metadata", res.getMetadata(), is(notNullValue()));
+            assertThat("Incorrect creation date string", res.getMetadata().getCreatedTimeString(), is(SECRET_META_CREATED));
+            assertThat("Creation date parsing failed", res.getMetadata().getCreatedTime(), is(notNullValue()));
+            assertThat("Incorrect deletion date string", res.getMetadata().getDeletionTimeString(), is(SECRET_META_DELETED));
+            assertThat("Incorrect deletion date", res.getMetadata().getDeletionTime(), is(notNullValue()));
+            assertThat("Secret destroyed when not expected", res.getMetadata().isDestroyed(), is(true));
+            assertThat("Incorrect secret version", res.getMetadata().getVersion(), is(2));
+        } catch (IOException e) {
+            fail("SecretResponse deserialization failed: " + e.getMessage());
+        }
+    }
+
+    private void assertSecretData(SecretResponse res) {
+        assertThat("Parsed response is NULL", res, is(notNullValue()));
+        assertThat("Incorrect lease ID", res.getLeaseId(), is(SECRET_LEASE_ID));
+        assertThat("Incorrect lease duration", res.getLeaseDuration(), is(SECRET_LEASE_DURATION));
+        assertThat("Incorrect renewable status", res.isRenewable(), is(SECRET_RENEWABLE));
+        assertThat("Incorrect warnings", res.getWarnings(), is(SECRET_WARNINGS));
+        assertThat("Response does not contain correct data", res.get(SECRET_DATA_K1), is(SECRET_DATA_V1));
+        assertThat("Response does not contain correct data", res.get(SECRET_DATA_K2), is(SECRET_DATA_V2));
+    }
+}

src/test/java/de/stklcode/jvault/connector/model/response/SecretVersionResponseTest.java

@@ -0,0 +1,66 @@
+/*
+ * Copyright 2016-2019 Stefan Kalscheuer
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package de.stklcode.jvault.connector.model.response;
+
+import com.fasterxml.jackson.databind.ObjectMapper;
+import org.junit.jupiter.api.Test;
+
+import java.io.IOException;
+
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.Matchers.is;
+import static org.hamcrest.Matchers.notNullValue;
+import static org.junit.jupiter.api.Assertions.fail;
+
+/**
+ * JUnit Test for {@link SecretVersionResponse} model.
+ *
+ * @author Stefan Kalscheuer
+ * @since 0.8
+ */
+public class SecretVersionResponseTest {
+    private static final String CREATION_TIME = "2018-03-22T02:24:06.945319214Z";
+    private static final String DELETION_TIME = "2018-03-22T02:36:43.986212308Z";
+    private static final Integer VERSION = 42;
+
+    private static final String META_JSON = "{\n" +
+            "  \"data\": {\n" +
+            "    \"created_time\": \"" + CREATION_TIME + "\",\n" +
+            "    \"deletion_time\": \"" + DELETION_TIME + "\",\n" +
+            "    \"destroyed\": false,\n" +
+            "    \"version\": " + VERSION + "\n" +
+            "  }\n" +
+            "}";
+
+    /**
+     * Test creation from JSON value as returned by Vault (JSON example copied from Vault documentation).
+     */
+    @Test
+    public void jsonRoundtrip() {
+        try {
+            SecretVersionResponse res = new ObjectMapper().readValue(META_JSON, SecretVersionResponse.class);
+            assertThat("Parsed response is NULL", res, is(notNullValue()));
+            assertThat("Parsed metadatra is NULL", res.getMetadata(), is(notNullValue()));
+            assertThat("Incorrect created time", res.getMetadata().getCreatedTimeString(), is(CREATION_TIME));
+            assertThat("Incorrect deletion time", res.getMetadata().getDeletionTimeString(), is(DELETION_TIME));
+            assertThat("Incorrect destroyed state", res.getMetadata().isDestroyed(), is(false));
+            assertThat("Incorrect version", res.getMetadata().getVersion(), is(VERSION));
+        } catch (IOException e) {
+            fail("SecretVersionResponse deserialization failed: " + e.getMessage());
+        }
+    }
+}

src/test/java/de/stklcode/jvault/connector/model/response/TokenResponseTest.java

@@ -0,0 +1,123 @@
+/*
+ * Copyright 2016-2019 Stefan Kalscheuer
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package de.stklcode.jvault.connector.model.response;
+
+import com.fasterxml.jackson.databind.ObjectMapper;
+import de.stklcode.jvault.connector.exception.InvalidResponseException;
+import de.stklcode.jvault.connector.model.response.embedded.TokenData;
+import org.junit.jupiter.api.Test;
+
+import java.io.IOException;
+import java.util.HashMap;
+import java.util.Map;
+
+import static org.hamcrest.MatcherAssert.assertThat;
+import static org.hamcrest.Matchers.*;
+import static org.junit.jupiter.api.Assertions.fail;
+
+/**
+ * JUnit Test for {@link TokenResponse} model.
+ *
+ * @author Stefan Kalscheuer
+ * @since 0.6.2
+ */
+public class TokenResponseTest {
+    private static final Integer TOKEN_CREATION_TIME = 1457533232;
+    private static final Integer TOKEN_TTL = 2764800;
+    private static final String TOKEN_DISPLAY_NAME = "token";
+    private static final Integer TOKEN_NUM_USES = 0;
+    private static final Boolean TOKEN_ORPHAN = false;
+    private static final String TOKEN_PATH = "auth/token/create";
+    private static final String TOKEN_POLICY_1 = "default";
+    private static final String TOKEN_POLICY_2 = "web";
+    private static final Boolean RES_RENEWABLE = false;
+    private static final Integer RES_TTL = 2591976;
+    private static final Integer RES_LEASE_DURATION = 0;
+
+    private static final String RES_JSON = "{\n" +
+            "  \"lease_id\": \"\",\n" +
+            "  \"renewable\": " + RES_RENEWABLE + ",\n" +
+            "  \"lease_duration\": " + RES_LEASE_DURATION + ",\n" +
+            "  \"data\": {\n" +
+            "    \"creation_time\": " + TOKEN_CREATION_TIME + ",\n" +
+            "    \"creation_ttl\": " + TOKEN_TTL + ",\n" +
+            "    \"display_name\": \"" + TOKEN_DISPLAY_NAME + "\",\n" +
+            "    \"meta\": null,\n" +
+            "    \"num_uses\": " + TOKEN_NUM_USES + ",\n" +
+            "    \"orphan\": " + TOKEN_ORPHAN + ",\n" +
+            "    \"path\": \"" + TOKEN_PATH + "\",\n" +
+            "    \"policies\": [\n" +
+            "      \"" + TOKEN_POLICY_1 + "\", \n" +
+            "      \"" + TOKEN_POLICY_2 + "\"\n" +
+            "    ],\n" +
+            "    \"ttl\": " + RES_TTL + "\n" +
+            "  },\n" +
+            "  \"warnings\": null,\n" +
+            "  \"auth\": null\n" +
+            "}";
+
+    private static final Map<String, Object> INVALID_TOKEN_DATA = new HashMap<>();
+
+    static {
+        INVALID_TOKEN_DATA.put("num_uses", "fourtytwo");
+    }
+
+    /**
+     * Test getter, setter and get-methods for response data.
+     */
+    @Test
+    public void getDataRoundtrip() {
+        // Create empty Object.
+        TokenResponse res = new TokenResponse();
+        assertThat("Initial data should be empty", res.getData(), is(nullValue()));
+
+        // Parsing invalid data map should fail.
+        try {
+            res.setData(INVALID_TOKEN_DATA);
+            fail("Parsing invalid token data succeeded");
+        } catch (Exception e) {
+            assertThat(e, is(instanceOf(InvalidResponseException.class)));
+        }
+    }
+
+    /**
+     * Test creation from JSON value as returned by Vault (JSON example copied from Vault documentation).
+     */
+    @Test
+    public void jsonRoundtrip() {
+        try {
+            TokenResponse res = new ObjectMapper().readValue(RES_JSON, TokenResponse.class);
+            assertThat("Parsed response is NULL", res, is(notNullValue()));
+            assertThat("Incorrect lease duration", res.getLeaseDuration(), is(RES_LEASE_DURATION));
+            assertThat("Incorrect renewable status", res.isRenewable(), is(RES_RENEWABLE));
+            // Extract token data.
+            TokenData data = res.getData();
+            assertThat("Token data is NULL", data, is(notNullValue()));
+            assertThat("Incorrect token creation time", data.getCreationTime(), is(TOKEN_CREATION_TIME));
+            assertThat("Incorrect token creation TTL", data.getCreationTtl(), is(TOKEN_TTL));
+            assertThat("Incorrect token display name", data.getName(), is(TOKEN_DISPLAY_NAME));
+            assertThat("Incorrect token number of uses", data.getNumUses(), is(TOKEN_NUM_USES));
+            assertThat("Incorrect token orphan flag", data.isOrphan(), is(TOKEN_ORPHAN));
+            assertThat("Incorrect token path", data.getPath(), is(TOKEN_PATH));
+            assertThat("Incorrect response renewable flag", res.isRenewable(), is(RES_RENEWABLE));
+            assertThat("Incorrect response TTL", data.getTtl(), is(RES_TTL));
+            assertThat("Incorrect response lease duration", res.getLeaseDuration(), is(RES_LEASE_DURATION));
+        } catch (IOException e) {
+            fail("TokenResponse deserialization failed: " + e.getMessage());
+        }
+    }
+}

src/test/java/de/stklcode/jvault/connector/test/Credentials.java

@@ -0,0 +1,41 @@
+/*
+ * Copyright 2016-2019 Stefan Kalscheuer
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package de.stklcode.jvault.connector.test;
+
+import com.fasterxml.jackson.annotation.JsonProperty;
+
+/**
+ * Simple credentials class for JSON testing.
+ *
+ * @author  Stefan Kalscheuer
+ * @since   0.1
+ */
+public class Credentials {
+    @JsonProperty("username")
+    private String username;
+
+    @JsonProperty("password")
+    private String password;
+
+    public String getUsername() {
+        return username;
+    }
+
+    public String getPassword() {
+        return password;
+    }
+}

src/test/java/de/stklcode/jvault/connector/test/VaultConfiguration.java

@@ -1,3 +1,19 @@
+/*
+ * Copyright 2016-2019 Stefan Kalscheuer
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
 package de.stklcode.jvault.connector.test;
 
 import java.nio.file.Path;
@@ -6,8 +22,8 @@ import java.nio.file.Paths;
 /**
  * Vault configuration String using builder pattern.
  *
- * @author  Stefan Kalscheuer
- * @since   0.1
+ * @author Stefan Kalscheuer
+ * @since 0.1
  */
 public class VaultConfiguration {
     private String host;
@@ -15,6 +31,8 @@ public class VaultConfiguration {
     private boolean disableTLS;
     private boolean disableMlock;
     private Path dataLocation;
+    private String certFile;
+    private String keyFile;
 
     public VaultConfiguration() {
         this.disableTLS = true;
@@ -36,6 +54,16 @@ public class VaultConfiguration {
         return this;
     }
 
+    public VaultConfiguration withCert(String certFile) {
+        this.certFile = certFile;
+        return this;
+    }
+
+    public VaultConfiguration withKey(String keyFile) {
+        this.keyFile = keyFile;
+        return this;
+    }
+
     public VaultConfiguration disableMlock() {
         this.disableMlock = true;
         return this;
@@ -64,12 +92,14 @@ public class VaultConfiguration {
 
     @Override
     public String toString() {
-        return  "backend \"file\" {\n" +
+        return "storage \"file\" {\n" +
                 "  path = \"" + dataLocation + "\"\n" +
                 "}\n" +
                 "listener \"tcp\" {\n" +
                 "  address = \"" + host + ":" + port + "\"\n" +
                 ((disableTLS) ? "  tls_disable = 1\n" : "") +
+                ((certFile != null) ? "  tls_cert_file = \"" + certFile + "\"\n" : "") +
+                ((keyFile != null) ? "  tls_key_file = \"" + keyFile + "\"\n" : "") +
                 "}\n" +
                 ((disableMlock) ? "disable_mlock = true" : "");
     }

src/test/resources/data_dir/auth/20e9c2e6-5b1f-b9c9-5a99-21667e0a899d/_salt

@@ -1 +0,0 @@
-{"Key":"auth/20e9c2e6-5b1f-b9c9-5a99-21667e0a899d/salt","Value":"AAAAAQJUsuXXEpmdNY5aIh5HdzZRTFpOUIgyKLGiw65DBwSXW6yGAYe/zhN/Ow+vyRZxG4temgnTjN7RVGjyzXGG5yLY"}

src/test/resources/data_dir/auth/20e9c2e6-5b1f-b9c9-5a99-21667e0a899d/struct/map/app-id/_19d90b9adcec2bf5088304034622a169a148ff43

@@ -1 +0,0 @@
-{"Key":"auth/20e9c2e6-5b1f-b9c9-5a99-21667e0a899d/struct/map/app-id/19d90b9adcec2bf5088304034622a169a148ff43","Value":"AAAAAQJuuRcCRinyawQ05brruZQY7ypgs1mOsFHI16XLwYB4dzwJob71wW+74RjvK4FVL4qPfgyMPKEtV2uO9+4hr2mC6BrcN///Ksxv+ns8FMVlBOMJpQ=="}

src/test/resources/data_dir/auth/20e9c2e6-5b1f-b9c9-5a99-21667e0a899d/struct/map/user-id/_55a852babe045b5980fc8ac4a13af27021dbbfd4

@@ -1 +0,0 @@
-{"Key":"auth/20e9c2e6-5b1f-b9c9-5a99-21667e0a899d/struct/map/user-id/55a852babe045b5980fc8ac4a13af27021dbbfd4","Value":"AAAAAQICaFIxG2xAq0AuJryVn1XghDulkVdQicXvhEL45K2S48aZcvMEsrDUXm9o427Bp6eMiq0Hw070nosnB9SWSQJEFUfPmM6I7Jhsou6CKmocs/AmocxY3Du4Lg=="}

src/test/resources/data_dir/auth/243a5842-b58f-24d5-d3b0-24304c57b7cc/user/_validuser

@@ -0,0 +1 @@
+{"Value":"AAAAAQINZKQEssY4IzHI/0k27nBtxSvnC6LkivYrqky6CblcjyAmQIg/4/cKQIBCXzmrWEv/SqMQbLw+4Lp63Xu1niF+U0NbyqDmFaPqnD2yfPs7meXvZr21+P9E/0APZMHQaSR7DIEY46zedHRjQ/pkhR2Axcjuy5gdfzBzC2XvUcNqdyR0pQwcDwGhAIdO0gxJfZCeBuvv8ceYS+aPs4gDHtIlA3szi+5qAQ8HvPBTDKQn1lHVYnzTdNbMS7v3mtzCyG8AeMkaUw=="}

src/test/resources/data_dir/auth/3ec9e5b4-41b0-a20c-cc8f-04c2b7bb2602/_salt

@@ -0,0 +1 @@
+{"Value":"AAAAAQJiN0bHxM8aNJpY7aHGZ/p3qOhJbd7JIXwFMEI4LtKmO6pP5Oa4P5z+2LK+2qzZhhX/iDeM4u+nR+lxt/GsBPKf"}

src/test/resources/data_dir/auth/3ec9e5b4-41b0-a20c-cc8f-04c2b7bb2602/accessor/_a9566f93ca05120fa8955f887ee0ca1a1422802df2ad979f2ac2951e95703089

@@ -0,0 +1 @@
+{"Value":"AAAAAQIZ5rvzLtBcBQvWqwwDoRADwUo6W0ECKgmcvXejbLKiYcbO0hP8fceCqB12J41wxcMViQ8vvWoIgyOX2HwcZS09GGCqQbjvyVfz/w+kyox9dJzr845f26tJjHVYlHX2YFsnxytwe5qCKdCsD5QP9kyz8J0="}

src/test/resources/data_dir/auth/3ec9e5b4-41b0-a20c-cc8f-04c2b7bb2602/role/_testrole1

@@ -0,0 +1 @@
+{"Value":"AAAAAQJIKXgvJ2Prr92Fn7qZK/WZxb+Q+vJsXyjMo44en/+zqbbnLfs5m7uH7hEUOfDM/MjzTrhfkOWxf6qcrC4MR3ocrFJwtbJ6j+QrNLg61gVIiLBUVBkvh8ErqCFnSjNIqhaIMQhuZXWANsgGF9K2+HBGJerWGe26C1rdWRZV4J0M23HnxLBf8aYDlOfkHe24I30rHUqXIk9/BKEuekcnhETw9Tx4Fk7KxxxEdGmHPbg+4G14c27wVj8IrpWHBpyLmt55Qdb/y24i5RzFYv1FQ2kQZIO6TQiYkwAUxJ5cIdCiAsEDNt+rBJ9zX1MvkEfkVj/WvzC9pxB7ad+j5vYIJgCUD1o09t0w2ChjBojGoOAWDSvNAeY8kr5PDKwYk+gBY5M2JHDI6ELvOVu8gsW+sqk9St9V3VisShTfU3+qln7TOWw/LQ+fUzGvYrAWG6UyPVpIEYeNmN0iGCIM8rzjQYvVC3KcQMG96MwK3ZlSQzgPpvTGxNxFm2omTn3ue7QHn7Ni6+c/K6xVy0bbJ+jS4yyfl2wFBm1tF1l3BITLqw3TiP3LEw=="}

src/test/resources/data_dir/auth/3ec9e5b4-41b0-a20c-cc8f-04c2b7bb2602/role/_testrole2

@@ -0,0 +1 @@
+{"Value":"AAAAAQIUt2iYYy9zOwkx1mtNMHt69RjdHbUmcN8zydVQTMGjhv1kjEW+d4AaBv1qE22rPTs0xL3pJ1AjIvkBXXVBAuc/FE63t5dE81Fa+MvSY4tBeMtl6i09ykkAYyQUeeV2HlbjRpMUwPyq2QIslYw3d4lc73yT0S82s5I3MfjodKmDpheWMOgg5hGes/wstBHN5HEZkKV8gOPRZ/BsTM7tMXH1piM/JT8sNfsDh6TAGD1OEsS+N2QlKvS4yImNzcKrH0EgdkXB4sRZ9e/SmMaEVaagB1n0M5LukC+pyExgC7eK4EU8o2Xye3iij3YMWBaGollDzJBJFP5aSO4E5u+NnRc5/ZbLRCbqgfQj8IY86WF9hya31aJxbc8Pg28Yfez8hbGRJZZws/ojIUgEz+VtH3OyaW2Wohnycop7i4fK8xlJ2gYOGvlw43czOH6Y6joTce+QBZWI7KR6ugB0dI8pnK2eFy14OZeww1NEew7r1u7PgD10Obg8okIJSD8cGkxUHu/oOLxvKKOAJBLSPfKnJfKEiKrqYED7EPkmgP/t7okvo4c95qeuWy1BLtKfxw5lkv0="}

src/test/resources/data_dir/auth/3ec9e5b4-41b0-a20c-cc8f-04c2b7bb2602/role_id/_4b3d052da8b3d9af8d551a4e515289bc4319f2c21012a70de2c9e9fea6e0f7e0

@@ -0,0 +1 @@
+{"Value":"AAAAAQKv0Yr+QFSWxYe8o51TBwGz/yAhNYFmkNHPISEK6EbIVGkpEJMHFYvHWxTXUzF7f2/a"}

src/test/resources/data_dir/auth/3ec9e5b4-41b0-a20c-cc8f-04c2b7bb2602/role_id/_c779a2e6599b8e4b6b6a3c68a7690a8e7d31fa0201ad73973dcd24f83e2950de

@@ -0,0 +1 @@
+{"Value":"AAAAAQKs2/ICwQPLv6siBGDbBnB52fBVo52BkSKGvm74p4oHrdMEvejJ4cJljOADYyDT2QYa"}

src/test/resources/data_dir/auth/3ec9e5b4-41b0-a20c-cc8f-04c2b7bb2602/secret_id/c79a3b6ce2e8e8b725c8c0fcdd23521375fadf2190fb5823d459a2fd2cb5a670/_f5954e87c0b1a0eb9c8fa4fc2ed7ab6f4338a8d77341e06460de0870316e7320

@@ -0,0 +1 @@
+{"Value":"AAAAAQIq05o3NmsucipTxPrcRbT1sXpAJ8w2PpiShnof74Kuzf/4kkHj3AZL5AObGFLAkYUvUrv3RRmYBIhw6Jk4FCbgdQyJAjPNVUTwBun/kQVyzP5sQ9hUFgHJwINomtVDiDgPkOc92zk8ydr1hfnMmTAtS71G3xloHDn6CF/1Y9WI1PkHdSkZ8d+yBNxr+qjGyewrV3QVmQvAfpY56uQ6AOztItD9NgiPrtNP+clbCczsieY6Y9Ce2FZawmuKFi9svMcBtnEcMILV/SGt4iCiMgFwkCJ9gQsGEdWPifu6ITPB92LgT4Ccw4gVRO31QVcPl6S+FG6iCeN6lk2yRXYjyhBuU+GklouEZIsA6SoxlIXPZuvauyS1MWwMxtSOQUFVYr3kvtXzCpcpEHDyBOEUdxPaYUZXHNdhGtMr/JuJCN50t0ng5mEAqfhjoJfJ/tBTqAjySj4zmEHuY0RnqYLPmsp203Q="}

src/test/resources/data_dir/auth/6802ec63-11b0-0ccc-280a-982ad0a90621/user/_validuser

@@ -1 +0,0 @@
-{"Key":"auth/6802ec63-11b0-0ccc-280a-982ad0a90621/user/validuser","Value":"AAAAAQJwFKMpgopAFjJaftTVY/iiawMw4Yj0S3pPDkzMPAfLxxaM3sCjOJt0q/07ozjTharT52wBv+s2ZEurPpr7VKDDzgy4xTMxFJbJs+0VkG3cjxRYEfW3bOIVAHhjLjmxZwYEATh0UUG7bQRNt56+/622bwR99ifWZ6e9zyRDGEwIn74JFN/3dY44qLQZmqfvDUrRQP5RfqDxqVdzbwse61s692Vy/QvlPsRFVRTkZHlNPqxT+OXd"}

src/test/resources/data_dir/auth/77603e3c-3db8-2d39-0e51-6c8eee76c3d5/_salt

@@ -0,0 +1 @@
+{"Value":"AAAAAQK5U1GclNj+Tga7D4bQ5wExYfVu2y+djHlAlhiJ/JHOS1gS0G/kDrjR8gCdg/Aw2UunrObAq/mrKw0HEe1wo2qA"}

src/test/resources/data_dir/auth/77603e3c-3db8-2d39-0e51-6c8eee76c3d5/struct/map/app-id/_sfbe1922bae1f565115b4b933d76152e1a098ab507118283971184d58528e3411

@@ -0,0 +1 @@
+{"Value":"AAAAAQLbvc+neI458Mqhl2WUUjY5HMC1Ast0KjZ5pslwW+5TtjVHcqdzls4whrrYHGUWv+nTg6wxJaS46j5+FER+4gsgWVJE1S33ZqvGtmmueCVpac5ZM0biBDXOvE/YFQ=="}

src/test/resources/data_dir/auth/77603e3c-3db8-2d39-0e51-6c8eee76c3d5/struct/map/user-id/_s595229a9e81315fd0a5fb274f504622359e6024477ade54db93e36ca3b7801cf

@@ -0,0 +1 @@
+{"Value":"AAAAAQIK4FkvUHPiWUfHY7l9lGW1qf+sU2mAIWbjlfSvEIecbg94Mu4KAPxY3E2YLwOs7VyPZtWNZrZAZDMJJJzxM/pLux2o/IctJ5oXGtfPPjTjwNRRJ4U62wpRqBnBGX4="}

src/test/resources/data_dir/core/_audit

@@ -1 +1 @@
-{"Key":"core/audit","Value":"AAAAAQJ+0lfxYOKIXzquksd3Il4zfW4ja6BdScu7mCAijGDph63S5yWH92olwI2SQA=="}
+{"Value":"AAAAAQI695zhv1Tv/6m1Fx/L62lITd+ZWCi+xCDHkev2YtCSIDPrZgNzYnrCHG3cUjBePZt6NYUSgzvZTXbxZPN4rK2rPj/BN9xj9v1vH1woOMY6lNPmBR7r"}

src/test/resources/data_dir/core/_auth

@@ -1 +1 @@
-{"Key":"core/auth","Value":"AAAAAQJeg+aK83bfYUPm5KV/+Y1Cf8fVX8Oq7cFiYE3PN4Tcl2j9YD7c+fijkopFzPLxh/EBRVzGTjBBkWBDTLC4EKn2lU8A+NJK6frGOu5Vjc4+WipBUcsGGcfosvxrZk8ZrTt09PRo7CnAFzmH4CgIVuEFv3NZyjXX08EMakxmH6R4S8Ti3cmit5Kr1TKSGnHeMfO6lBnAobAfNlfgNDM90yAxaQUT9gR27TabSKsVvkIY/0oxIcVFQ1RuF7xcdAOJ82wlWkcfT+rMhSS6roGt9Njx9t0PQNjv2eomh/leuhTUzfu4oAbtJJO3IPuC/KkJZpKinjJaGlA5Kx5m7W09DHieyI0GXmjJXH9oCj0z9w6eKDNZmjC1xeFylBvkvnkAKA6QmUmZjoq+m81/UC/C/ShJYxDFxaHwCPgF92qSrT1VTrz5lYAyyjJmrnbyuUXfgG6d4dbDxT/DVddHtIzHbBBT0xxjNM/+WxOSdRYZXKsfm8ovGaFWJr9AyFfEnyS0E9FJvkEXp68eNdacgdM3Ow5Zchm2/I9F4wN577ZwK9oGO2kjkDv4pwKQJ6uDYXeJDZxeMO2rXk/9sY8rAV20loOnqryfO3IE876H97KyE1LEzrky7mVw3YL/CDlZCO5Sf2IHTmwKylTRlsnUO1I5bviFD3a3EdeIGeDuNbWIqiju2fpMQX4l2gUuY4pysBM28AwbTe3zp348PePFpTcGE0/YwsW/aJit3VOc6xNX9WU="}
+{"Value":"AAAAAQKHd7fFuNKfj/RnIQoxQEOTorNNl1NfcVtynLwYvtvZGDvhAO34YmOFKJSQVSiT4Js08ik48DWWnZHCZzAyMlK0HqNGYQRzCkuHkzYpH0uLrTcddXLuKyc7j6IiRTl3qYb1pzdlTzDtlwsi4J7s+7orETS146yY/GnGPWM/Tmet7p5qOECRq7m04gBX0pnwZl12iRqWG4aHHY5D4aFp9KjKUBKCIhz2Tb9wcSKV/Aa/ct1d0K0k8pyu1r1OkaJqCQXQeIaJR/WBMECR4omezvg7IGCoBIkMjwFR1urSaB0xNdgk+ByZE0C5zeDfmVRylYlypPAlIBrGL/Q/d6+NWiiOzXdoQoqAa/Pyg7e2gClsKDBFDvSL1QVBdsnBIskDeig2t46Ew5qM00wY58BWlUxqjlCgsNm3nPHtWpc6+XiR4ZkEZ9VeEIQhwC/R+NxS+QCDKeuSfyZM3OqQBwOx22mTL0i86YzlUph0alBmDF1b1FkDbg46MSWTANrkov1LPDnOvvNet7pb0L6exN5Q+HKitmxn36E0KAiqj1hEaHMZF6Pe+IIScLPClgPNeMkZWLeD5kvLv9kfObTYneHVHqj8O9jGtk03T4vOoaUNJY9U0irBGzlV+GkneJUgBL1QBspfK4GvFvUrd0Ds/teayJba8HDxlpCEWr6h062BXsNPg5gUn4H/uvginsFng02M8IyrDA1QOb4XS1zdfrvq"}

src/test/resources/data_dir/core/_keyring

@@ -1 +1 @@
-{"Key":"core/keyring","Value":"AAAAAQKCYFhCtIpVCVfA/MaX9/fCtNJB5z1z+tsi6VQzlDxo9dUxSsZC3ppnZZ9TYwRj6TUeP8QqyNDDhwiXp/i/WhAeoMV9UDKHQq7Ay4BO+AOz3VpHTX1ZYFrF0ZrYELqyFrOkhETpSpNzD6rxcwoJD9NuC+oQhR4TsMEXNzX3AqMKJE+b8iTbEl3tRZRQ5qgjIIy835JDTI3JoSXUxJAxYAbZLxunx2TF6fXs1urpY6GfCrvb/bidzBsfOT37y9Fok8TnOo8a1laqJpsdL6yOQnHj+ZmJVG+Pj5QLETg2L8hBikIMKA=="}
+{"Value":"AAAAAQKyaZ3WVPXS+CbQr/JTfSM4yHT5DN21JfJlKh7ALVkue05z4cy703LvXnlfx5ZRqszSbFAe98ZzwELK89SEq26v2GYe2/7tFYeIAp0YvWNe5uahL0N6KUhFArPtC9gMV+9f7ZdjRDS6AKIHmzWRiXVtTsb+j4MnE+RM9NmwmvpDDTRAFgzjxEQ9IT/nGXieacg49U8NhjmZMh9Dt/7db3e5bGRJFDc3IDuF5xgHr5q+NJBbGrU3X1siH0oiCUbHUKsssmbVI0rwf6lkhvFQIIckYRgwL8/70WjrfELZeN+CgBliwQ=="}

src/test/resources/data_dir/core/_local-audit

@@ -0,0 +1 @@
+{"Value":"AAAAAQII71tl2nQI+IFOoGw3z5x+xUwHdaZUXNW2GLNCJaq7tc2Lv3cLz9loi+q9yDVm/tVDhqK8k0D8lA2adOOGXOiaituANawDLAZu8VrwzpX73+mwtoEk"}