Abstract class that is meant to be extended by implementations of VaultProviderFactory that want to offer support for the configuration of key resolvers. It implements the init(Config.Scope) method, where it looks for the keyResolvers property. The value is a comma-separated list of key resolver names. It then verifies that each resolver name matches one of the available key resolver implementations and creates a list of VaultKeyResolver instances that subclasses can pass to ProviderFactory.create(KeycloakSession). The list of currently available resolvers follows:
- KEY_ONLY: only the key name is used, as is; the realm is ignored, so a given key name refers to the same secret in every realm;
- REALM_UNDERSCORE_KEY: realm and key are combined using an underscore ('_') character. Any occurrence of an underscore in either the realm or the key is escaped with an additional underscore character, so the boundary between realm and key stays unambiguous;
- REALM_FILESEPARATOR_KEY: realm and key are combined using the platform file separator character. It might not be suitable for every vault provider, but it enables the grouping of secrets using a directory structure;
- FACTORY_PROVIDED: the format of the constructed key is determined by the factory's getFactoryResolver() implementation. This allows the final key format to be customized by extending the factory and overriding getFactoryResolver(). When doing so, it is important to also override the ProviderFactory.getId() method so that the custom factory has its own id and can therefore be configured in the Keycloak server.

If no resolver is explicitly configured for the factory, it defaults to the REALM_UNDERSCORE_KEY resolver. When one or more resolvers are explicitly configured, this factory iterates through them in order and for each one attempts to obtain the respective VaultKeyResolver implementation. If that fails (for example, because the name doesn't match one of the existing resolvers), it logs a message and ignores that resolver. If none of the configured resolvers can be loaded, it throws a VaultConfigurationException.

Concrete implementations must also make sure to call super.init(config) in their own init(Config.Scope) implementations so that the processing of the key resolvers is performed correctly.
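To make the resolver formats and the keyResolvers handling above concrete, here is an added, stand-alone Java example. It is not Keycloak's code and uses none of Keycloak's classes: KeyResolver, StandardResolver and the local VaultConfigurationException are stand-ins for VaultKeyResolver, the resolver names and the real exception; the Supplier argument of loadResolvers stands in for a getFactoryResolver() override; the path-component check inside REALM_FILESEPARATOR_KEY is an added hardening that the text does not describe; and the "keycloak/realm/key" layout is a hypothetical factory-provided format.

```java
import java.io.File;
import java.util.ArrayList;
import java.util.List;
import java.util.function.Supplier;

// Added example, not Keycloak's code: a stand-alone re-implementation of the resolver
// formats and of the keyResolvers-property handling described in the class description.
public class KeyResolverDemo {

    /** Stand-in for the VaultKeyResolver contract: (realm, key) -> key used in the vault. */
    @FunctionalInterface
    interface KeyResolver {
        String resolve(String realm, String key);
    }

    /** Stand-in for VaultConfigurationException: no configured resolver could be loaded. */
    static class VaultConfigurationException extends RuntimeException {
        VaultConfigurationException(String message) { super(message); }
    }

    /** Escapes each '_' as "__" so the separator between realm and key stays unambiguous. */
    static String escapeUnderscore(String s) {
        return s.replace("_", "__");
    }

    /** The three built-in formats from the list above, implemented as the text describes them. */
    enum StandardResolver implements KeyResolver {
        KEY_ONLY {
            public String resolve(String realm, String key) {
                return key; // realm ignored: the same key name maps to the same secret in every realm
            }
        },
        REALM_UNDERSCORE_KEY {
            public String resolve(String realm, String key) {
                return escapeUnderscore(realm) + "_" + escapeUnderscore(key);
            }
        },
        REALM_FILESEPARATOR_KEY {
            public String resolve(String realm, String key) {
                // Added check (not on the page, which specifies no escaping here): refuse
                // components that would change the directory layout the secrets are grouped in.
                for (String part : new String[] {realm, key}) {
                    if (part.contains(File.separator) || part.contains("/") || part.equals("..")) {
                        throw new IllegalArgumentException("unsafe path component: " + part);
                    }
                }
                return realm + File.separator + key;
            }
        }
    }

    /**
     * Mirrors the init(Config.Scope) behaviour described above: split the comma-separated value,
     * obtain each resolver in order, log and skip names that cannot be loaded, default to
     * REALM_UNDERSCORE_KEY when nothing is configured, and fail when nothing could be loaded.
     * factoryResolver stands in for getFactoryResolver(); a non-overriding factory throws.
     */
    static List<KeyResolver> loadResolvers(String keyResolversProperty, Supplier<KeyResolver> factoryResolver) {
        List<KeyResolver> resolvers = new ArrayList<>();
        if (keyResolversProperty == null || keyResolversProperty.trim().isEmpty()) {
            resolvers.add(StandardResolver.REALM_UNDERSCORE_KEY);
            return resolvers;
        }
        for (String name : keyResolversProperty.split(",")) {
            String trimmed = name.trim();
            try {
                if (trimmed.equals("FACTORY_PROVIDED")) {
                    resolvers.add(factoryResolver.get());
                } else {
                    resolvers.add(StandardResolver.valueOf(trimmed));
                }
            } catch (IllegalArgumentException | UnsupportedOperationException e) {
                System.err.println("Ignoring key resolver '" + trimmed + "': " + e);
            }
        }
        if (resolvers.isEmpty()) {
            throw new VaultConfigurationException("No usable key resolver in: " + keyResolversProperty);
        }
        return resolvers;
    }

    public static void main(String[] args) {
        String realm = "my_realm", key = "smtp_password";
        for (StandardResolver r : StandardResolver.values()) {
            System.out.println(r + " -> " + r.resolve(realm, key));
        }
        // Why the escaping matters: a naive join lets two different (realm, key) pairs address
        // the same vault entry; the escaped form keeps them distinct.
        KeyResolver naive = (r, k) -> r + "_" + k;
        System.out.println("naive   : " + naive.resolve("a_b", "c") + " vs " + naive.resolve("a", "b_c"));
        StandardResolver esc = StandardResolver.REALM_UNDERSCORE_KEY;
        System.out.println("escaped : " + esc.resolve("a_b", "c") + " vs " + esc.resolve("a", "b_c"));

        // Hypothetical FACTORY_PROVIDED layout, standing in for what a getFactoryResolver() override returns.
        Supplier<KeyResolver> custom = () -> (r, k) -> "keycloak/" + r + "/" + k;
        for (KeyResolver r : loadResolvers("KEY_ONLY, NO_SUCH_RESOLVER, FACTORY_PROVIDED", custom)) {
            System.out.println("configured -> " + r.resolve(realm, key));
        }
        System.out.println("default  -> " + loadResolvers(null, custom).get(0));

        // A factory that does not override getFactoryResolver(), plus an unknown name: nothing loads.
        Supplier<KeyResolver> notOverridden = () -> { throw new UnsupportedOperationException(); };
        try {
            loadResolvers("bogus,FACTORY_PROVIDED", notOverridden);
        } catch (VaultConfigurationException e) {
            System.out.println("rejected -> " + e.getMessage());
        }
    }
}
```

Compile and run with `javac KeyResolverDemo.java && java KeyResolverDemo`. The underscore escaping is the security-relevant detail: with a naive join, realm a_b with key c and realm a with key b_c both map to a_b_c, so one realm could read the other's entry; escaped, they become a__b_c and a_b__c. In a real factory the pieces correspond to the text above: the custom resolver is what your getFactoryResolver() override returns, getId() must be overridden alongside it, and the loading shown in loadResolvers is what super.init(config) performs for you.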
- Stefan Guilhen
Nested Class Summary
Method Summary
Modifier and Type | Method | Description
protected VaultKeyResolver | getFactoryResolver() | Obtains the VaultKeyResolver implementation that is provided by the factory itself.
void | init(Config.Scope config) | Only called once when the factory is first created.
Methods inherited from class java.lang.Object
clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait
init
public void init(Config.Scope config)
Description copied from interface: ProviderFactory
Only called once when the factory is first created. This config is pulled from keycloak_server.json
getFactoryResolver
protected VaultKeyResolver getFactoryResolver()
Obtains the VaultKeyResolver implementation that is provided by the factory itself. By default this method throws an UnsupportedOperationException, so an attempt to use the FACTORY_PROVIDED resolver on a factory that doesn't override this method fails; init(Config.Scope) logs that failure and ignores the resolver.
Returns:
the factory-provided VaultKeyResolver
Parameters:
session - a reference to the
Returns:
the name of the realm.