Package org.keycloak.vault
Class AbstractVaultProvider
java.lang.Object
  org.keycloak.vault.AbstractVaultProvider
- All Implemented Interfaces: Provider, VaultProvider
- Direct Known Subclasses: FilesKeystoreVaultProvider, FilesPlainTextVaultProvider
Abstract class that is meant to be extended by implementations of VaultProvider that want to support key resolvers.

This class implements the obtainSecret(String) method by iterating through the configured resolvers in order. For each resolver it computes the final key name, checks it with validate(VaultKeyResolver, String, String), and passes it to the obtainSecretInternal(String) method that must be implemented by subclasses. If obtainSecretInternal(String) returns a non-empty secret, it is returned immediately; otherwise the next configured resolver is tried, until a non-empty secret is obtained or all resolvers have been exhausted, in which case an empty VaultRawSecret is returned.

Note that the resolved key is assembled from the realm name and a secret identifier that comes from user-entered configuration. Implementations that map the key onto a file name, path or store entry should treat it as untrusted input and reject keys that do not match the format their backing store expects; the validate(VaultKeyResolver, String, String) hook can be overridden for that purpose.

Concrete implementations must, in addition to implementing the obtainSecretInternal(String) method, ensure that each constructor calls the AbstractVaultProvider(String, List) constructor from this class so that the realm and list of key resolvers are properly initialized.
- Author: Stefan Guilhen
Field Summary
- realm
- resolvers

Constructor Summary
- AbstractVaultProvider(String realm, List<VaultKeyResolver> configuredResolvers)
  Creates an instance of AbstractVaultProvider with the specified realm and list of key resolvers.

Method Summary
- VaultRawSecret obtainSecret(String vaultSecretId)
  Retrieves a secret from the vault.
- protected abstract VaultRawSecret obtainSecretInternal(String vaultKey)
  Subclasses of AbstractVaultProvider must implement this method.
- protected boolean validate(VaultKeyResolver resolver, String key, String resolvedKey)
  Validates the resolved key to ensure it meets the necessary criteria.
Field Details
- realm
  The name of the Keycloak realm this provider was created for.
- resolvers
  The configured key resolvers, tried in the order given to the constructor.
Constructor Details
- AbstractVaultProvider(String realm, List<VaultKeyResolver> configuredResolvers)
  Creates an instance of AbstractVaultProvider with the specified realm and list of key resolvers.
  Parameters:
  realm - the name of the Keycloak realm.
  configuredResolvers - a List containing the configured key resolvers.
Method Details
- obtainSecret
  VaultRawSecret obtainSecret(String vaultSecretId)
  Description copied from interface: VaultProvider
  Retrieves a secret from the vault. The implementation should respect at least the realm ID to separate the secrets within the vault. If the secret is retrieved successfully, it is returned; otherwise this method results in an empty VaultRawSecret.get(). This method is intended to be used within a try-with-resources block so that the secret is destroyed immediately after use. Note that it is the responsibility of the implementor to provide a way to destroy the secret in the returned VaultRawSecret.close() method.
  Specified by: obtainSecret in interface VaultProvider
  Parameters:
  vaultSecretId - identifier of the secret. It corresponds to the value entered by the user in the respective configuration, which in turn is obtained from the vault when storing the secret.
  Returns:
  Always a non-null value with the raw secret. Within the returned value, VaultRawSecret.get() holds the secret if it was successfully resolved, or an empty Optional if the secret has not been found in the vault.
- validate
  protected boolean validate(VaultKeyResolver resolver, String key, String resolvedKey)
  Validates the resolved key to ensure it meets the necessary criteria before it is passed to obtainSecretInternal(String). Subclasses can override this method to enforce the key format their backing store expects (for example, that a key cannot escape the directory or namespace the vault is confined to); a key that fails validation is not passed to obtainSecretInternal(String).
  Parameters:
  resolver - the VaultKeyResolver used to resolve the key.
  key - the original key provided.
  resolvedKey - the key after being resolved by the resolver.
  Returns:
  a boolean indicating whether the validation passed.
- obtainSecretInternal
  protected abstract VaultRawSecret obtainSecretInternal(String vaultKey)
  Subclasses of AbstractVaultProvider must implement this method. It is meant to be implemented in the same way as the obtainSecret(String) method from the VaultProvider interface, but the specified vault key must be used as is, i.e. implementations should refrain from processing the key again, because its format was already defined by one of the configured key resolvers.
  Parameters:
  vaultKey - a String representing the name of the entry that is being fetched from the vault.
  Returns:
  a VaultRawSecret representing the obtained secret. It can be an empty secret if no secret could be obtained using the specified vault key.
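The following is an added example, not code from Keycloak, showing what a concrete subclass of AbstractVaultProvider looks like and how the resolver loop, the validate hook and the obtainSecretInternal contract fit together. The MapVaultProvider class, its in-memory store and the sample secret are constructed for illustration. It assumes DefaultVaultRawSecret.forBuffer(Optional<ByteBuffer>) for building the returned secret and VaultKeyResolver as a (realm, key) -> String function; the character-set rule in validate is a hypothetical policy, not the check Keycloak's own providers apply.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.util.List;
import java.util.Map;
import java.util.Optional;

import org.keycloak.vault.AbstractVaultProvider;
import org.keycloak.vault.DefaultVaultRawSecret;
import org.keycloak.vault.VaultKeyResolver;
import org.keycloak.vault.VaultRawSecret;

/**
 * Hypothetical in-memory vault provider, written only to illustrate the
 * AbstractVaultProvider contract. Not part of Keycloak.
 */
public class MapVaultProvider extends AbstractVaultProvider {

    private final Map<String, byte[]> store;

    public MapVaultProvider(String realm, List<VaultKeyResolver> resolvers, Map<String, byte[]> store) {
        // Required by the base class so that realm and resolvers are initialized.
        super(realm, resolvers);
        this.store = store;
    }

    /**
     * The resolved key is derived from user-entered configuration, so it is
     * checked before it reaches obtainSecretInternal. This illustrative policy
     * allows a conservative character set and rejects ".." outright; a
     * file-backed provider would instead verify that the resolved path stays
     * inside its vault directory.
     */
    @Override
    protected boolean validate(VaultKeyResolver resolver, String key, String resolvedKey) {
        if (resolvedKey == null || resolvedKey.isEmpty()) {
            return false;
        }
        if (!resolvedKey.matches("[A-Za-z0-9_.-]+") || resolvedKey.contains("..")) {
            return false;
        }
        return super.validate(resolver, key, resolvedKey);
    }

    /** Looks the key up exactly as given; the key is not processed again, per the contract. */
    @Override
    protected VaultRawSecret obtainSecretInternal(String vaultKey) {
        byte[] value = store.get(vaultKey);
        if (value == null) {
            // An empty secret makes the base class move on to the next resolver.
            return DefaultVaultRawSecret.forBuffer(Optional.empty());
        }
        // Hand out a copy: the caller's close() is expected to destroy the secret,
        // and that must not wipe the array held by the backing store.
        return DefaultVaultRawSecret.forBuffer(Optional.of(ByteBuffer.wrap(value.clone())));
    }

    @Override
    public void close() {
        // Nothing to release for an in-memory store.
    }

    public static void main(String[] args) {
        // Constructed sample store: one secret stored under a realm-prefixed key.
        Map<String, byte[]> store = Map.of(
                "master_smtp-password", "s3cr3t".getBytes(StandardCharsets.UTF_8));

        // Resolvers are tried in order: the plain key first, then realm + "_" + key.
        List<VaultKeyResolver> resolvers = List.of(
                (realm, key) -> key,
                (realm, key) -> realm + "_" + key);

        MapVaultProvider vault = new MapVaultProvider("master", resolvers, store);

        // First resolver yields "smtp-password" (absent), the second yields
        // "master_smtp-password" (present), so a non-empty secret comes back.
        try (VaultRawSecret secret = vault.obtainSecret("smtp-password")) {
            if (!secret.get().isPresent()) {
                throw new AssertionError("expected the realm-prefixed resolver to find the secret");
            }
            ByteBuffer buf = secret.get().get();
            byte[] bytes = new byte[buf.remaining()];
            buf.get(bytes);
            System.out.println("resolved: " + new String(bytes, StandardCharsets.UTF_8));
        }

        // A traversal-looking identifier fails validate for every resolver and
        // never reaches obtainSecretInternal; the result is an empty secret.
        try (VaultRawSecret secret = vault.obtainSecret("../etc/passwd")) {
            if (secret.get().isPresent()) {
                throw new AssertionError("validate should have rejected this key");
            }
            System.out.println("rejected: ../etc/passwd");
        }
    }
}
```

Both lookups sit in try-with-resources blocks, as the VaultProvider contract asks, so VaultRawSecret.close() runs as soon as the secret has been used; returning a cloned buffer from obtainSecretInternal is what makes that destruction safe for a provider whose store outlives the request.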