public abstract class AbstractVaultProviderFactory extends Object implements VaultProviderFactory
VaultProviderFactory that want to offer support
for the configuration of key resolvers.
It implements the init(Config.Scope) method, where is looks for the keyResolvers property. The value is
a comma-separated list of key resolver names. It then verifies if the resolver names match one of the available key resolver
implementations and then creates a list of VaultKeyResolver instances that subclasses can pass to VaultProvider
instances on ProviderFactory.create(KeycloakSession).
The list of currently available resolvers follows:
KEY_ONLY: only the key name is used as is, realm is ignored;REALM_UNDERSCORE_KEY: realm and key are combined using an underscore ('_') character. Any occurrences of
underscore in both the realm and key are escaped by an additional underscore character;REALM_FILESEPARATOR_KEY: realm and key are combined using the platform file separator character. It might not be
suitable for every vault provider but it enables the grouping of secrets using a directory structure;FACTORY_PROVIDED: the format of the constructed key is determined by the factory's getFactoryResolver()
implementation. it allows for the customization of the final key format by extending the factory and overriding the
getFactoryResolver() method.FACTORY_PROVIDED resolver, it is important to also
override the ProviderFactory.getId() method so that the custom factory has its own id and as such can be configured in the keycloak
server.
If no resolver is explicitly configured for the factory, it defaults to using the REALM_UNDERSCORE_KEY resolver.
When one or more resolvers are explicitly configured, this factory iterates through them in order and for each one attempts
to obtain the respective VaultKeyResolver implementation. If it fails (for example, the name doesn't match one of
the existing resolvers), it logs a message and ignores the resolver. If it fails to load all configured resolvers, it
throws a VaultConfigurationException.
Concrete implementations must also make sure to call the super.init(config) in their own init(Config.Scope)
implementations so tha the processing of the key resolvers is performed correctly.| Modifier and Type | Class and Description |
|---|---|
protected static class |
AbstractVaultProviderFactory.AvailableResolvers
Enum containing the available
VaultKeyResolvers. |
| Modifier and Type | Field and Description |
|---|---|
protected static String |
KEY_RESOLVERS |
protected List<VaultKeyResolver> |
keyResolvers |
| Constructor and Description |
|---|
AbstractVaultProviderFactory() |
| Modifier and Type | Method and Description |
|---|---|
protected VaultKeyResolver |
getFactoryResolver()
Obtains the
VaultKeyResolver implementation that is provided by the factory itself. |
protected String |
getRealmName(KeycloakSession session)
Obtains the name of realm from the
KeycloakSession. |
void |
init(Config.Scope config)
Only called once when the factory is first created.
|
protected static final String KEY_RESOLVERS
protected List<VaultKeyResolver> keyResolvers
public void init(Config.Scope config)
ProviderFactoryinit in interface ProviderFactory<VaultProvider>protected VaultKeyResolver getFactoryResolver()
VaultKeyResolver implementation that is provided by the factory itself. By default this method
throws an UnsupportedOperationException, so an attempt to use the FACTORY_PROVIDED resolver on a
factory that doesn't override this method will result in a failure to use this resolver.VaultKeyResolver.protected String getRealmName(KeycloakSession session)
KeycloakSession.session - a reference to the KeycloakSession.Copyright © 2021 JBoss by Red Hat. All rights reserved.