Package org.keycloak.vault
Class DefaultVaultTranscriber
- java.lang.Object
- org.keycloak.vault.DefaultVaultTranscriber
All Implemented Interfaces:
VaultTranscriber
public class DefaultVaultTranscriber extends Object implements VaultTranscriber
VaultTranscriber implementation that uses the configured VaultProvider to obtain raw secrets and convert them into other types. By default, the VaultProvider provides raw secrets through a ByteBuffer. This class offers methods to convert the raw secrets into other types (such as a VaultCharSecret backed by a CharBuffer, or a VaultStringSecret whose String is held through a WeakReference so that no hard reference to the secret remains once it is closed).
- Author:
- Stefan Guilhen
- See Also:
VaultRawSecret, VaultCharSecret
-
-
Constructor Summary
Constructors
- DefaultVaultTranscriber(VaultProvider provider)
-
Method Summary
Instance methods (all concrete):
- VaultCharSecret getCharSecret(String value)
  Obtains the secret represented as a VaultCharSecret from the vault that matches the entry in the specified value string.
- VaultRawSecret getRawSecret(String value)
  Obtains the raw secret from the vault that matches the entry in the specified value string.
- VaultStringSecret getStringSecret(String value)
  Obtains the secret represented as a String from the vault that matches the entry in the specified value.
-
-
-
Constructor Detail
-
DefaultVaultTranscriber
public DefaultVaultTranscriber(VaultProvider provider)
-
-
Method Detail
-
getRawSecret
public VaultRawSecret getRawSecret(String value)
Description copied from interface: VaultTranscriber
Obtains the raw secret from the vault that matches the entry in the specified value string. The value must follow the format ${vault.<KEY>} where <KEY> identifies the entry in the vault. If the value doesn't follow the vault expression format, it is assumed to be the secret itself and is encoded into a VaultRawSecret. Note that this pass-through is not an error condition: a mistyped or malformed vault expression is used literally as the secret, so callers that expect a vault lookup should validate the expression format themselves if that matters. The returned VaultRawSecret extends AutoCloseable and it is strongly recommended that it is used in try-with-resources blocks to ensure the raw secret is overwritten (destroyed) when the calling code is finished using it.
- Specified by:
getRawSecret in interface VaultTranscriber
- Parameters:
value - a String that might be a vault expression containing a vault entry key.
- Returns:
a VaultRawSecret representing the secret that was read from the vault. If the specified value is not a vault expression then the returned secret is the value itself encoded as a VaultRawSecret.
-
getCharSecret
public VaultCharSecret getCharSecret(String value)
Description copied from interface: VaultTranscriber
Obtains the secret represented as a VaultCharSecret from the vault that matches the entry in the specified value string. The value must follow the format ${vault.<KEY>} where <KEY> identifies the entry in the vault. If the value doesn't follow the vault expression format, it is assumed to be the secret itself and is encoded into a VaultCharSecret. The returned VaultCharSecret extends AutoCloseable and it is strongly recommended that it is used in try-with-resources blocks to ensure the secret's characters are overwritten (destroyed) when the calling code is finished using it.
- Specified by:
getCharSecret in interface VaultTranscriber
- Parameters:
value - a String that might be a vault expression containing a vault entry key.
- Returns:
a VaultCharSecret representing the secret that was read from the vault. If the specified value is not a vault expression then the returned secret is the value itself encoded as a VaultCharSecret.
-
getStringSecret
public VaultStringSecret getStringSecret(String value)
Description copied from interface: VaultTranscriber
Obtains the secret represented as a String from the vault that matches the entry in the specified value. The value must follow the format ${vault.<KEY>} where <KEY> identifies the entry in the vault. If the value doesn't follow the vault expression format, it is assumed to be the secret itself. Due to the immutable nature of strings and the way the JVM handles them internally, implementations that keep a reference to the secret string might consider doing so using a WeakReference that can be cleared in the AutoCloseable.close() method. Being immutable, such strings cannot be overwritten (destroyed) by the implementation, but using a WeakReference guarantees that at least no hard references to the secret are held by the implementation class itself (which would otherwise prevent the GC from disposing of the secret).
WARNING: It is strongly recommended that callers of this method use the returned secret in try-with-resources blocks, and they should strive not to keep hard references to the enclosed secret string for any longer than necessary so that the secret becomes eligible for GC as soon as possible. These measures help shorten the window of time during which the secret string is readable from memory; they do not eliminate it, so prefer getRawSecret or getCharSecret whenever the consuming API accepts a byte[] or char[].
- Specified by:
getStringSecret in interface VaultTranscriber
- Parameters:
value - a String that might be a vault expression containing a vault entry key.
- Returns:
a VaultStringSecret representing the secret that was read from the vault. If the specified value is not a vault expression then the returned secret is the value itself encoded as a VaultStringSecret.
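The following is an added usage example, not code from Keycloak itself. It shows all three transcriber methods resolving a ${vault.<KEY>} expression, the pass-through of a non-expression value, and the empty result for a missing key. InMemoryVaultProvider is a hypothetical VaultProvider written only for this example (a real server uses its configured provider); the sample entry and key name are constructed. It assumes DefaultVaultRawSecret.forBuffer(Optional<ByteBuffer>) from the same package and that VaultProvider declares obtainSecret(String) and close().

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.util.Map;
import java.util.Optional;

import org.keycloak.vault.DefaultVaultRawSecret;
import org.keycloak.vault.DefaultVaultTranscriber;
import org.keycloak.vault.VaultCharSecret;
import org.keycloak.vault.VaultProvider;
import org.keycloak.vault.VaultRawSecret;
import org.keycloak.vault.VaultStringSecret;

/** Added example (not Keycloak's own code) demonstrating DefaultVaultTranscriber. */
public class VaultTranscriberExample {

    /** Hypothetical provider backed by a constructed map; for illustration only, never for production. */
    static final class InMemoryVaultProvider implements VaultProvider {
        private final Map<String, byte[]> entries;

        InMemoryVaultProvider(Map<String, byte[]> entries) {
            this.entries = entries;
        }

        @Override
        public VaultRawSecret obtainSecret(String vaultSecretId) {
            byte[] raw = entries.get(vaultSecretId);
            // Hand out a private copy so that closing the returned secret overwrites
            // that copy rather than the map entry; a real provider re-reads its store.
            Optional<ByteBuffer> buffer = raw == null
                    ? Optional.empty()
                    : Optional.of(ByteBuffer.wrap(raw.clone()));
            return DefaultVaultRawSecret.forBuffer(buffer);
        }

        @Override
        public void close() {
            // Nothing to release for the in-memory provider.
        }
    }

    public static void main(String[] args) {
        // Constructed sample entry; the map key is what goes inside ${vault.<KEY>}.
        Map<String, byte[]> entries = Map.of(
                "ldap_bind_password", "s3cr3t-bind".getBytes(StandardCharsets.UTF_8));

        VaultProvider provider = new InMemoryVaultProvider(entries);
        try {
            DefaultVaultTranscriber transcriber = new DefaultVaultTranscriber(provider);

            // 1. A vault expression is resolved through the provider. try-with-resources
            //    ensures close() overwrites the buffer once the bytes are no longer needed.
            try (VaultRawSecret secret = transcriber.getRawSecret("${vault.ldap_bind_password}")) {
                byte[] bytes = secret.getAsArray().orElseThrow();
                System.out.println("raw secret length: " + bytes.length);
            }

            // 2. The same entry as a CharBuffer-backed secret, for APIs that take char[].
            try (VaultCharSecret secret = transcriber.getCharSecret("${vault.ldap_bind_password}")) {
                char[] chars = secret.getAsArray().orElseThrow();
                System.out.println("char secret length: " + chars.length);
            }

            // 3. Strings cannot be wiped: keep the scope minimal and do not copy the value
            //    into long-lived fields, so the String becomes GC-eligible as soon as possible.
            try (VaultStringSecret secret = transcriber.getStringSecret("${vault.ldap_bind_password}")) {
                String s = secret.get().orElseThrow();
                System.out.println("string secret starts with 's3': " + s.startsWith("s3"));
            }

            // 4. A value that is not a vault expression is passed through as the secret itself.
            //    A mistyped expression (e.g. a missing brace) therefore silently becomes the literal secret.
            try (VaultStringSecret secret = transcriber.getStringSecret("plain-literal")) {
                System.out.println("literal passes through: "
                        + "plain-literal".equals(secret.get().orElseThrow()));
            }

            // 5. An expression whose key is absent from the vault yields an empty Optional.
            try (VaultRawSecret secret = transcriber.getRawSecret("${vault.does_not_exist}")) {
                System.out.println("missing key present: " + secret.get().isPresent());
            }
        } finally {
            provider.close();
        }
    }
}
```

Case 4 is the one to watch in deployments: because a non-expression value is accepted as the secret itself, a typo in a configured ${vault.<KEY>} expression does not fail loudly but instead uses the malformed text as the credential, so configuration that is meant to reference the vault should be checked against the expression format before it reaches the transcriber.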