public class DefaultVaultTranscriber extends Object implements VaultTranscriber

VaultTranscriber implementation that uses the configured VaultProvider to obtain raw secrets and convert them into other types. By default, the VaultProvider provides raw secrets through a ByteBuffer. This class offers methods to convert the raw secrets into other types (such as VaultCharSecret or WeakReference).

See Also: VaultRawSecret, VaultCharSecret

Constructor and Description |
---|
DefaultVaultTranscriber(VaultProvider provider) |
Modifier and Type | Method and Description |
---|---|
VaultCharSecret | getCharSecret(String value) Obtains the secret represented as a VaultCharSecret from the vault that matches the entry in the specified value string. |
VaultRawSecret | getRawSecret(String value) Obtains the raw secret from the vault that matches the entry in the specified value string. |
VaultStringSecret | getStringSecret(String value) Obtains the secret represented as a String from the vault that matches the entry in the specified value. |

public DefaultVaultTranscriber(VaultProvider provider)

public VaultRawSecret getRawSecret(String value)

Description copied from interface: VaultTranscriber

Obtains the raw secret from the vault that matches the entry in the specified value string. The value must follow the format ${vault.<KEY>} where <KEY> identifies the entry in the vault. If the value doesn't follow the vault expression format, it is assumed to be the secret itself and is encoded into a VaultRawSecret.

The returned VaultRawSecret extends AutoCloseable and it is strongly recommended that it is used in try-with-resources blocks to ensure the raw secret is overridden (destroyed) when the calling code is finished using it.

Specified by: getRawSecret in interface VaultTranscriber

Parameters: value - a String that might be a vault expression containing a vault entry key.

Returns: VaultRawSecret representing the secret that was read from the vault. If the specified value is not a vault expression then the returned secret is the value itself encoded as a VaultRawSecret.
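
The resolution and cleanup behaviour described for getRawSecret, as an added JDK-only sketch that is not Keycloak's code: the `RawSecret` class, the `resolve` method, the regular expression and the in-memory map standing in for a VaultProvider are assumptions made for illustration, and the sample entry is constructed.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class VaultSecretDemo {
    // Assumed expression syntax, taken from the ${vault.<KEY>} format documented above.
    static final Pattern EXPR = Pattern.compile("^\\$\\{vault\\.(.+?)}$");

    /** Hypothetical stand-in for a raw secret: zeroes its backing array on close(). */
    static final class RawSecret implements AutoCloseable {
        private final byte[] bytes;
        RawSecret(byte[] bytes) { this.bytes = bytes; }
        ByteBuffer get() { return ByteBuffer.wrap(bytes); }
        @Override public void close() { Arrays.fill(bytes, (byte) 0); }
    }

    /** Resolves a vault expression against the store; any other value is the secret itself. */
    static RawSecret resolve(Map<String, byte[]> store, String value) {
        Matcher m = EXPR.matcher(value);
        if (m.matches()) {
            byte[] entry = store.get(m.group(1));
            // Missing entry modelled as empty (assumption); copy so wiping leaves the store intact.
            return new RawSecret(entry == null ? new byte[0] : entry.clone());
        }
        return new RawSecret(value.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        // Constructed sample entry standing in for a VaultProvider backend.
        Map<String, byte[]> store = Map.of("smtp_key", "s3cr3t".getBytes(StandardCharsets.UTF_8));
        ByteBuffer leaked;
        try (RawSecret secret = resolve(store, "${vault.smtp_key}")) {
            leaked = secret.get();
            System.out.println("inside:  " + StandardCharsets.UTF_8.decode(leaked.duplicate()));
        }
        // The buffer escaped the block, but its contents were wiped by close().
        System.out.println("after:   " + Arrays.toString(leaked.array()));
        try (RawSecret literal = resolve(store, "plain-password")) {
            System.out.println("literal: " + StandardCharsets.UTF_8.decode(literal.get()));
        }
    }
}
```

Per the description above, a value that does not match the expression format is treated as the secret itself, so a mistyped expression such as `${vualt.smtp_key}` is used verbatim rather than rejected.
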

public VaultCharSecret getCharSecret(String value)

Description copied from interface: VaultTranscriber

Obtains the secret represented as a VaultCharSecret from the vault that matches the entry in the specified value string. The value must follow the format ${vault.<KEY>} where <KEY> identifies the entry in the vault. If the value doesn't follow the vault expression format, it is assumed to be the secret itself and is encoded into a VaultCharSecret.

The returned VaultCharSecret extends AutoCloseable and it is strongly recommended that it is used in try-with-resources blocks to ensure the raw secret is overridden (destroyed) when the calling code is finished using it.

Specified by: getCharSecret in interface VaultTranscriber

Parameters: value - a String that might be a vault expression containing a vault entry key.

Returns: VaultRawSecret representing the secret that was read from the vault. If the specified value is not a vault expression then the returned secret is the value itself encoded as a VaultRawSecret.

public VaultStringSecret getStringSecret(String value)

Description copied from interface: VaultTranscriber

Obtains the secret represented as a String from the vault that matches the entry in the specified value. The value must follow the format ${vault.<KEY>} where <KEY> identifies the entry in the vault. If the value doesn't follow the vault expression format, it is assumed to be the secret itself.

Due to the immutable nature of strings and the way the JVM handles them internally, implementations that keep a reference to the secret string might consider doing so using a WeakReference that can be cleared in the AutoCloseable.close() method. Being immutable, such strings cannot be overridden (destroyed) by the implementation, but using a WeakReference guarantees that at least no hard references to the secret are held by the implementation class itself (which would prevent proper GC disposal of the secrets).

WARNING: It is strongly recommended that callers of this method use the returned secret in try-with-resources blocks and they should strive not to keep hard references to the enclosed secret string for any longer than necessary so that the secret becomes available for GC as soon as possible. These measures help shorten the window of time when the secret strings are readable from memory.

Specified by: getStringSecret in interface VaultTranscriber

Parameters: value - a String that might be a vault expression containing a vault entry key.

Returns: VaultStringSecret representing the secret that was read from the vault. If the specified value is not a vault expression then the returned secret is the value itself encoded as a VaultStringSecret.

Copyright © 2021 JBoss by Red Hat. All rights reserved.