public abstract class AbstractVaultProviderFactory extends Object implements VaultProviderFactory

Abstract class meant to be extended by implementations of VaultProviderFactory that want to offer support for the configuration of key resolvers. It implements the init(Config.Scope) method, where it looks for the keyResolvers property. The value is a comma-separated list of key resolver names. It then verifies if the resolver names match one of the available key resolver implementations and then creates a list of VaultKeyResolver instances that subclasses can pass to VaultProvider instances on ProviderFactory.create(KeycloakSession).

The list of currently available resolvers follows:
- KEY_ONLY: only the key name is used as is, realm is ignored;
- REALM_UNDERSCORE_KEY: realm and key are combined using an underscore ('_') character. Any occurrences of underscore in both the realm and key are escaped by an additional underscore character;
- REALM_FILESEPARATOR_KEY: realm and key are combined using the platform file separator character. It might not be suitable for every vault provider but it enables the grouping of secrets using a directory structure;
- FACTORY_PROVIDED: the format of the constructed key is determined by the factory's getFactoryResolver() implementation. It allows for the customization of the final key format by extending the factory and overriding the getFactoryResolver() method.

When using the FACTORY_PROVIDED resolver, it is important to also override the ProviderFactory.getId() method so that the custom factory has its own id and as such can be configured in the Keycloak server.

If no resolver is explicitly configured for the factory, it defaults to using the REALM_UNDERSCORE_KEY resolver.

When one or more resolvers are explicitly configured, this factory iterates through them in order and for each one attempts to obtain the respective VaultKeyResolver implementation. If it fails (for example, the name doesn't match one of the existing resolvers), it logs a message and ignores the resolver. If it fails to load all configured resolvers, it throws a VaultConfigurationException.
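
The resolver selection and key construction described above, modelled in plain Java as an added example (not Keycloak's own code). The class name, the configure helper, the trimming of names and the use of IllegalStateException in place of VaultConfigurationException are assumptions; only KEY_ONLY and REALM_UNDERSCORE_KEY are modelled.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.function.BinaryOperator;

public class KeyResolverModel {
    // Hypothetical stand-ins for two documented resolvers: (realm, key) -> vault key.
    static final Map<String, BinaryOperator<String>> RESOLVERS = Map.of(
        "KEY_ONLY", (realm, key) -> key,
        "REALM_UNDERSCORE_KEY", (realm, key) ->
            realm.replace("_", "__") + "_" + key.replace("_", "__"));

    // Follows the documented init() rules: no property -> default resolver,
    // unknown names are reported and skipped, nothing loadable -> failure.
    static List<BinaryOperator<String>> configure(String keyResolvers) {
        List<BinaryOperator<String>> loaded = new ArrayList<>();
        if (keyResolvers == null) {
            loaded.add(RESOLVERS.get("REALM_UNDERSCORE_KEY"));
            return loaded;
        }
        for (String name : keyResolvers.split(",")) {
            BinaryOperator<String> resolver = RESOLVERS.get(name.trim()); // trim is an assumption
            if (resolver == null) {
                System.err.println("ignoring unknown key resolver: " + name.trim());
            } else {
                loaded.add(resolver);
            }
        }
        if (loaded.isEmpty()) {
            throw new IllegalStateException("no configured key resolver could be loaded");
        }
        return loaded;
    }

    public static void main(String[] args) {
        // Constructed realm/key pairs that a plain realm + "_" + key join maps to the same name.
        String[][] pairs = {{"a_b", "c"}, {"a", "b_c"}};
        BinaryOperator<String> escaped = configure(null).get(0); // default resolver
        for (String[] p : pairs) {
            System.out.println("unescaped=" + p[0] + "_" + p[1]
                + "  escaped=" + escaped.apply(p[0], p[1]));
        }
        System.out.println(configure("KEY_ONLY, NO_SUCH_RESOLVER").size() + " resolver(s) loaded");
        try {
            configure("NO_SUCH_RESOLVER");
        } catch (IllegalStateException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

For the two constructed pairs, the unescaped join gives one shared name while the escaped form keeps them apart, so a secret stored for one realm is not looked up under the other realm's key.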

Concrete implementations must also make sure to call the super.init(config) in their own init(Config.Scope) implementations so that the processing of the key resolvers is performed correctly.

Modifier and Type | Class and Description |
---|---|
protected static class | AbstractVaultProviderFactory.AvailableResolvers: Enum containing the available VaultKeyResolvers. |

Modifier and Type | Field and Description |
---|---|
protected static String | KEY_RESOLVERS |
protected List<VaultKeyResolver> | keyResolvers |

Constructor and Description |
---|
AbstractVaultProviderFactory() |

Modifier and Type | Method and Description |
---|---|
protected VaultKeyResolver | getFactoryResolver(): Obtains the VaultKeyResolver implementation that is provided by the factory itself. |
protected String | getRealmName(KeycloakSession session): Obtains the name of realm from the KeycloakSession. |
void | init(Config.Scope config): Only called once when the factory is first created. |

protected static final String KEY_RESOLVERS

protected List<VaultKeyResolver> keyResolvers

public void init(Config.Scope config)
Specified by: init in interface ProviderFactory<VaultProvider>

protected VaultKeyResolver getFactoryResolver()
Obtains the VaultKeyResolver implementation that is provided by the factory itself. By default this method throws an UnsupportedOperationException, so an attempt to use the FACTORY_PROVIDED resolver on a factory that doesn't override this method will result in a failure to use this resolver.
Returns: VaultKeyResolver.

protected String getRealmName(KeycloakSession session)
Obtains the name of realm from the KeycloakSession.
Parameters: session - a reference to the KeycloakSession.

Copyright © 2021 JBoss by Red Hat. All rights reserved.