Interface VaultTranscriber

All Known Implementing Classes:
DefaultVaultTranscriber

public interface VaultTranscriber
A facade to the configured vault provider that exposes utility methods for obtaining the vault secrets in different formats (such as VaultRawSecret, VaultCharSecret or VaultStringSecret).
Author:
Stefan Guilhen
Method Details

    • getRawSecret

      VaultRawSecret getRawSecret(String value)
      Obtains the raw secret from the vault that matches the entry in the specified value string. The value must follow the format ${vault.<KEY>} where <KEY> identifies the entry in the vault. If the value doesn't follow the vault expression format, it is assumed to be the secret itself and is encoded into a VaultRawSecret.

      The returned VaultRawSecret extends AutoCloseable, and it is strongly recommended to use it in a try-with-resources block so that the raw secret is overwritten (destroyed) when the calling code has finished using it.

      Parameters:
      value - a String that might be a vault expression containing a vault entry key.
      Returns:
      a VaultRawSecret representing the secret that was read from the vault. If the specified value is not a vault expression then the returned secret is the value itself encoded as a VaultRawSecret.
    • getCharSecret

      VaultCharSecret getCharSecret(String value)
      Obtains the secret represented as a VaultCharSecret from the vault that matches the entry in the specified value string. The value must follow the format ${vault.<KEY>} where <KEY> identifies the entry in the vault. If the value doesn't follow the vault expression format, it is assumed to be the secret itself and is encoded into a VaultCharSecret.

      The returned VaultCharSecret extends AutoCloseable, and it is strongly recommended to use it in a try-with-resources block so that the secret is overwritten (destroyed) when the calling code has finished using it.

      Parameters:
      value - a String that might be a vault expression containing a vault entry key.
      Returns:
      a VaultCharSecret representing the secret that was read from the vault. If the specified value is not a vault expression then the returned secret is the value itself encoded as a VaultCharSecret.
    • getStringSecret

      VaultStringSecret getStringSecret(String value)
      Obtains the secret represented as a String from the vault that matches the entry in the specified value. The value must follow the format ${vault.<KEY>} where <KEY> identifies the entry in the vault. If the value doesn't follow the vault expression format, it is assumed to be the secret itself.

      Due to the immutable nature of strings and the way the JVM handles them internally, implementations that keep a reference to the secret string might consider doing so using a WeakReference that can be cleared in the AutoCloseable.close() method. Being immutable, such strings cannot be overwritten (destroyed) by the implementation, but using a WeakReference guarantees that at least no hard references to the secret are held by the implementation class itself (which would prevent proper GC disposal of the secrets).

      WARNING: It is strongly recommended that callers of this method use the returned secret in try-with-resources blocks and they should strive not to keep hard references to the enclosed secret string for any longer than necessary so that the secret becomes available for GC as soon as possible. These measures help shorten the window of time when the secret strings are readable from memory.

      Parameters:
      value - a String that might be a vault expression containing a vault entry key.
      Returns:
      a VaultStringSecret representing the secret that was read from the vault. If the specified value is not a vault expression then the returned secret is the value itself encoded as a VaultStringSecret.
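
The following caller-side sketch is an added example, not code from the Keycloak project. It applies the try-with-resources recommendation to getCharSecret and guards against the literal-value fallback described above. The class name VaultKeyStoreLoader, its parameters and the PKCS12 keystore are assumptions made for illustration.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.regex.Pattern;

import org.keycloak.vault.VaultCharSecret;
import org.keycloak.vault.VaultTranscriber;

/** Added example (hypothetical class): loads a keystore whose password is a vault expression. */
public final class VaultKeyStoreLoader {

    // Shape of a vault expression as described on this page: ${vault.<KEY>}
    private static final Pattern VAULT_EXPRESSION = Pattern.compile("^\\$\\{vault\\.(.+?)}$");

    private VaultKeyStoreLoader() { }

    public static KeyStore load(VaultTranscriber vault, Path keystoreFile, String configuredPassword)
            throws IOException, GeneralSecurityException {
        // The transcriber treats any non-matching value as the secret itself, so a
        // mistyped expression would silently be used as a literal password. Fail closed.
        if (configuredPassword == null || !VAULT_EXPRESSION.matcher(configuredPassword).matches()) {
            throw new IllegalArgumentException("keystore password must be a ${vault.<KEY>} expression");
        }
        KeyStore keyStore = KeyStore.getInstance("PKCS12");
        // try-with-resources: close() destroys the secret when the block exits,
        // including when load() throws.
        try (VaultCharSecret secret = vault.getCharSecret(configuredPassword);
             InputStream in = Files.newInputStream(keystoreFile)) {
            // Assumption: an empty Optional means the vault had no entry for the key.
            char[] password = secret.getAsArray()
                    .orElseThrow(() -> new IllegalStateException("vault entry not found"));
            keyStore.load(in, password);
        }
        // 'password' is out of scope here; never copy it into a String or a field.
        return keyStore;
    }
}
```

Rejecting non-expression values is a stricter policy than the interface itself, which accepts literals; drop that check only where plaintext secrets in configuration are an accepted risk.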