Package org.keycloak.vault
Class AbstractVaultProvider
- java.lang.Object
  - org.keycloak.vault.AbstractVaultProvider

- All Implemented Interfaces: Provider, VaultProvider
- Direct Known Subclasses: FilesPlainTextVaultProvider

public abstract class AbstractVaultProvider extends Object implements VaultProvider

Abstract class that is meant to be extended by implementations of VaultProvider that want to have support for key resolvers. This class implements the obtainSecret(String) method by iterating through the configured resolvers in order and, using the final key name provided by each resolver, calls the obtainSecretInternal(String) method that must be implemented by sub-classes. If obtainSecretInternal(String) returns a non-empty secret, it is immediately returned; otherwise the implementation tries again using the next configured resolver until a non-empty secret is obtained or all resolvers have been tried, in which case an empty VaultRawSecret is returned.

Concrete implementations must, in addition to implementing the obtainSecretInternal(String) method, ensure that each constructor calls the AbstractVaultProvider(String, List) constructor from this class so that the realm and list of key resolvers are properly initialized.

- Author: Stefan Guilhen

Field Summary
- protected String realm
- protected List<VaultKeyResolver> resolvers

Constructor Summary
- AbstractVaultProvider(String realm, List<VaultKeyResolver> configuredResolvers): Creates an instance of AbstractVaultProvider with the specified realm and list of key resolvers.

Method Summary
- VaultRawSecret obtainSecret(String vaultSecretId): Retrieves a secret from vault.
- protected abstract VaultRawSecret obtainSecretInternal(String vaultKey): Subclasses of AbstractVaultProvider must implement this method.

Field Detail
- realm: protected final String realm
- resolvers: protected final List<VaultKeyResolver> resolvers

Constructor Detail

AbstractVaultProvider
public AbstractVaultProvider(String realm, List<VaultKeyResolver> configuredResolvers)
Creates an instance of AbstractVaultProvider with the specified realm and list of key resolvers.
- Parameters:
  - realm - the name of the keycloak realm.
  - configuredResolvers - a List containing the configured key resolvers.

Method Detail

obtainSecret
public VaultRawSecret obtainSecret(String vaultSecretId)
Description copied from interface: VaultProvider
Retrieves a secret from vault. The implementation should respect at least the realm ID to separate the secrets within the vault. If the secret is retrieved successfully, it is returned; otherwise this method results in an empty VaultRawSecret.get(). This method is intended to be used within a try-with-resources block so that the secret is destroyed immediately after use. Note that it is the responsibility of the implementor to provide a way to destroy the secret in the returned VaultRawSecret.close() method.
- Specified by: obtainSecret in interface VaultProvider
- Parameters:
  - vaultSecretId - Identifier of the secret. It corresponds to the value entered by the user in the respective configuration, which in turn is obtained from the vault when storing the secret.
- Returns: Always a non-null value with the raw secret. Within the returned value, the secret or null is stored in the VaultRawSecret.get() return value if the secret was successfully resolved, or an empty Optional if the secret has not been found in the vault.

obtainSecretInternal
protected abstract VaultRawSecret obtainSecretInternal(String vaultKey)
Subclasses of AbstractVaultProvider must implement this method. It is meant to be implemented in the same way as the obtainSecret(String) method from the VaultProvider interface, but the specified vault key must be used as is, i.e. implementations should refrain from processing the key again as the format was already defined by one of the configured key resolvers.
- Parameters:
  - vaultKey - a String representing the name of the entry that is being fetched from the vault.
- Returns: a VaultRawSecret representing the obtained secret. It can be an empty secret if no secret could be obtained using the specified vault key.
 
 