Abstract class that is meant to be extended by implementations of
VaultProviderthat want to have support for key resolvers. This class implements the
obtainSecret(String)method by iterating through the configured resolvers in order and, using the final key name provided by each resolver, calls the
obtainSecretInternal(String)method that must be implemented by sub-classes. If
obtainSecretInternal(String)returns a non-empty secret, it is immediately returned; otherwise the implementation tries again using the next configured resolver until a non-empty secret is obtained or all resolvers have been tried, in which case an empty
VaultRawSecretis returned. Concrete implementations must, in addition to implementing the
obtainSecretInternal(String)method, ensure that each constructor calls the
AbstractVaultProvider(String, List)constructor from this class so that the realm and list of key resolvers are properly initialized.
- Stefan Guilhen
realmprotected final String realm
AbstractVaultProviderCreates an instance of
AbstractVaultProviderwith the specified realm and list of key resolvers.
realm- the name of the keycloak realm.
Listcontaining the configured key resolvers.
obtainSecretDescription copied from interface:
VaultProviderRetrieves a secret from vault. The implementation should respect at least the realm ID to separate the secrets within the vault. If the secret is retrieved successfully, it is returned; otherwise this method results into an empty
VaultRawSecret.get(). This method is intended to be used within a try-with-resources block so that the secret is destroyed immediately after use. Note that it is responsibility of the implementor to provide a way to destroy the secret in the returned
- Specified by:
vaultSecretId- Identifier of the secret. It corresponds to the value entered by user in the respective configuration, which in turn is obtained from the vault when storing the secret.
- Always a non-
nullvalue with the raw secret. Within the returned value, the secret or
nullis stored in the
VaultRawSecret.get()return value if the secret was successfully resolved, or an empty
Optionalif the secret has not been found in the vault.
AbstractVaultProvidermust implement this method. It is meant to be implemented in the same way as the
obtainSecret(String)method from the
VaultProviderinterface, but the specified vault key must be used as is - i.e. implementations should refrain from processing the key again as the format was already defined by one of the configured key resolvers.