Package org.keycloak.vault

Class AbstractVaultProviderFactory

java.lang.Object

org.keycloak.vault.AbstractVaultProviderFactory

All Implemented Interfaces:

ProviderFactory<VaultProvider>, VaultProviderFactory

Direct Known Subclasses:

FilesKeystoreVaultProviderFactory, FilesPlainTextVaultProviderFactory

public abstract class AbstractVaultProviderFactory
extends Object
implements VaultProviderFactory

Abstract class that is meant to be extended by implementations of VaultProviderFactory that want to offer support for the configuration of key resolvers.

It implements the init(Config.Scope) method, where is looks for the keyResolvers property. The value is a comma-separated list of key resolver names. It then verifies if the resolver names match one of the available key resolver implementations and then creates a list of VaultKeyResolver instances that subclasses can pass to VaultProvider instances on ProviderFactory.create(KeycloakSession).

The list of currently available resolvers follows:

• KEY_ONLY: only the key name is used as is, realm is ignored;
• REALM_UNDERSCORE_KEY: realm and key are combined using an underscore ('_') character. Any occurrences of underscore in both the realm and key are escaped by an additional underscore character;
• REALM_FILESEPARATOR_KEY: realm and key are combined using the platform file separator character. It might not be suitable for every vault provider but it enables the grouping of secrets using a directory structure;
• FACTORY_PROVIDED: the format of the constructed key is determined by the factory's getFactoryResolver() implementation. it allows for the customization of the final key format by extending the factory and overriding the getFactoryResolver() method.

Note: When extending the standard factories to use the FACTORY_PROVIDED resolver, it is important to also override the ProviderFactory.getId() method so that the custom factory has its own id and as such can be configured in the keycloak server.

If no resolver is explicitly configured for the factory, it defaults to using the REALM_UNDERSCORE_KEY resolver. When one or more resolvers are explicitly configured, this factory iterates through them in order and for each one attempts to obtain the respective VaultKeyResolver implementation. If it fails (for example, the name doesn't match one of the existing resolvers), it logs a message and ignores the resolver. If it fails to load all configured resolvers, it throws a VaultConfigurationException.

Concrete implementations must also make sure to call the super.init(config) in their own init(Config.Scope) implementations so tha the processing of the key resolvers is performed correctly.

Author:

Stefan Guilhen

Nested Class Summary

Nested Classes

Modifier and Type	Class	Description
protected static enum	AbstractVaultProviderFactory.AvailableResolvers	Enum containing the available VaultKeyResolvers.

Field Summary

Fields

Modifier and Type	Field	Description
protected static final String	KEY_RESOLVERS
protected List<VaultKeyResolver>	keyResolvers

Constructor Summary

Constructors

Constructor	Description
AbstractVaultProviderFactory()

Method Summary

Modifier and Type	Method	Description
protected VaultKeyResolver	getFactoryResolver()	Obtains the VaultKeyResolver implementation that is provided by the factory itself.
protected String	getRealmName(KeycloakSession session)	Obtains the name of realm from the KeycloakSession.
void	init(Config.Scope config)	Only called once when the factory is first created.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface org.keycloak.provider.ProviderFactory

close, create, getConfigMetadata, getId, order, postInit

Field Details

KEY_RESOLVERS

protected static final String KEY_RESOLVERS

See Also:

• Constant Field Values

keyResolvers

protected List<VaultKeyResolver> keyResolvers

Constructor Details

AbstractVaultProviderFactory

public AbstractVaultProviderFactory()

Method Details

init

public void init(Config.Scope config)

Description copied from interface: ProviderFactory

Only called once when the factory is first created. This config is pulled from keycloak_server.json

Specified by:

init in interface ProviderFactory<VaultProvider>

getFactoryResolver

protected VaultKeyResolver getFactoryResolver()

Obtains the VaultKeyResolver implementation that is provided by the factory itself. By default this method throws an UnsupportedOperationException, so an attempt to use the FACTORY_PROVIDED resolver on a factory that doesn't override this method will result in a failure to use this resolver.

Returns:

the factory-provided VaultKeyResolver.

getRealmName

protected String getRealmName(KeycloakSession session)

Obtains the name of realm from the KeycloakSession.

Parameters:

session - a reference to the KeycloakSession.

Returns:

the name of the realm.