Package org.keycloak.vault
Class AbstractVaultProviderFactory

- java.lang.Object
  - org.keycloak.vault.AbstractVaultProviderFactory

All Implemented Interfaces:
  ProviderFactory<VaultProvider>, VaultProviderFactory

Direct Known Subclasses:
  FilesPlainTextVaultProviderFactory
public abstract class AbstractVaultProviderFactory extends Object implements VaultProviderFactory

Abstract class that is meant to be extended by implementations of VaultProviderFactory that want to offer support for the configuration of key resolvers. It implements the init(Config.Scope) method, where it looks for the keyResolvers property. The value is a comma-separated list of key resolver names. It then verifies that the resolver names match one of the available key resolver implementations and creates a list of VaultKeyResolver instances that subclasses can pass to VaultProvider instances in ProviderFactory.create(KeycloakSession). The currently available resolvers are:

- KEY_ONLY: only the key name is used, as is; the realm is ignored.
- REALM_UNDERSCORE_KEY: realm and key are combined using an underscore ('_') character. Any occurrences of underscore in both the realm and key are escaped by an additional underscore character.
- REALM_FILESEPARATOR_KEY: realm and key are combined using the platform file separator character. It might not be suitable for every vault provider, but it enables the grouping of secrets using a directory structure.
- FACTORY_PROVIDED: the format of the constructed key is determined by the factory's getFactoryResolver() implementation. It allows for the customization of the final key format by extending the factory and overriding the getFactoryResolver() method.

When using the FACTORY_PROVIDED resolver, it is important to also override the ProviderFactory.getId() method so that the custom factory has its own id and as such can be configured in the Keycloak server.

If no resolver is explicitly configured for the factory, it defaults to using the REALM_UNDERSCORE_KEY resolver. When one or more resolvers are explicitly configured, this factory iterates through them in order and for each one attempts to obtain the respective VaultKeyResolver implementation. If it fails (for example, the name doesn't match one of the existing resolvers), it logs a message and ignores the resolver. If none of the configured resolvers can be loaded, it throws a VaultConfigurationException.

Concrete implementations must also make sure to call super.init(config) in their own init(Config.Scope) implementations so that the processing of the key resolvers is performed correctly.

Author:
  Stefan Guilhen
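The subclassing contract described above, as an added example that is not Keycloak's own code: a hypothetical factory that gives itself an id, calls super.init(config), supplies a FACTORY_PROVIDED resolver, and hands the parsed keyResolvers to an AbstractVaultProvider. The class name, the in-memory store and the sample secret are constructed for illustration; the Keycloak types used (Config.Scope, AbstractVaultProvider, DefaultVaultRawSecret, VaultKeyResolver) are assumed to be on the classpath.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.util.Map;
import java.util.Optional;
import org.keycloak.Config;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.vault.AbstractVaultProvider;
import org.keycloak.vault.AbstractVaultProviderFactory;
import org.keycloak.vault.DefaultVaultRawSecret;
import org.keycloak.vault.VaultKeyResolver;
import org.keycloak.vault.VaultProvider;
import org.keycloak.vault.VaultRawSecret;

// Hypothetical factory (not part of Keycloak): in-memory secrets plus a factory-provided key resolver.
public class InMemoryVaultProviderFactory extends AbstractVaultProviderFactory {
    // Constructed sample secret, keyed as getFactoryResolver() renders realm "demo" + key "smtp.password".
    private final Map<String, byte[]> store =
            Map.of("demo.smtp..password", "hunter2".getBytes(StandardCharsets.UTF_8));

    @Override
    public String getId() {
        return "in-memory"; // own id, so keyResolvers can be configured for this factory alone
    }
    @Override
    public void init(Config.Scope config) {
        super.init(config); // required: parses "keyResolvers" (e.g. "FACTORY_PROVIDED,KEY_ONLY")
    }
    @Override
    protected VaultKeyResolver getFactoryResolver() {
        // Used when FACTORY_PROVIDED is configured. Joins realm and key with '.', doubling any
        // '.' inside either part, the same escaping REALM_UNDERSCORE_KEY applies to '_'.
        return (realm, key) -> realm.replace(".", "..") + "." + key.replace(".", "..");
    }
    @Override
    public VaultProvider create(KeycloakSession session) {
        // keyResolvers and getRealmName() are inherited from AbstractVaultProviderFactory.
        return new AbstractVaultProvider(getRealmName(session), keyResolvers) {
            @Override
            protected VaultRawSecret obtainSecretInternal(String resolvedKey) {
                byte[] value = store.get(resolvedKey); // tried once per configured resolver, in order
                return DefaultVaultRawSecret.forBuffer(Optional.ofNullable(value).map(ByteBuffer::wrap));
            }
            @Override public void close() { }
        };
    }
    @Override public void postInit(KeycloakSessionFactory factory) { }
    @Override public void close() { }
}
```

With keyResolvers set to FACTORY_PROVIDED, a lookup of "smtp.password" from realm "demo" resolves to the entry "demo.smtp..password"; with KEY_ONLY the realm is dropped and every realm would read the same entry, which is the isolation trade-off the resolver choice controls.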
Nested Class Summary

  protected static class AbstractVaultProviderFactory.AvailableResolvers
      Enum containing the available VaultKeyResolvers.

Field Summary

  protected static String KEY_RESOLVERS
  protected List<VaultKeyResolver> keyResolvers

Constructor Summary

  AbstractVaultProviderFactory()

Method Summary (all methods are instance, concrete methods)

  protected VaultKeyResolver getFactoryResolver()
      Obtains the VaultKeyResolver implementation that is provided by the factory itself.
  protected String getRealmName(KeycloakSession session)
      Obtains the name of the realm from the KeycloakSession.
  void init(Config.Scope config)
      Only called once when the factory is first created.

Methods inherited from class java.lang.Object
  clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface org.keycloak.provider.ProviderFactory
  close, create, getConfigMetadata, getId, order, postInit
Field Detail

KEY_RESOLVERS
  protected static final String KEY_RESOLVERS
  See Also: Constant Field Values

keyResolvers
  protected List<VaultKeyResolver> keyResolvers
Method Detail

init
  public void init(Config.Scope config)
  Description copied from interface: ProviderFactory
  Only called once when the factory is first created. This config is pulled from keycloak_server.json.
  Specified by: init in interface ProviderFactory<VaultProvider>

getFactoryResolver
  protected VaultKeyResolver getFactoryResolver()
  Obtains the VaultKeyResolver implementation that is provided by the factory itself. By default this method throws an UnsupportedOperationException, so an attempt to use the FACTORY_PROVIDED resolver on a factory that doesn't override this method will result in a failure to use this resolver.
  Returns: the factory-provided VaultKeyResolver.

getRealmName
  protected String getRealmName(KeycloakSession session)
  Obtains the name of the realm from the KeycloakSession.
  Parameters: session - a reference to the KeycloakSession.
  Returns: the name of the realm.