Package org.keycloak.vault

Class AbstractVaultProvider

java.lang.Object
org.keycloak.vault.AbstractVaultProvider
All Implemented Interfaces:
Provider, VaultProvider
Direct Known Subclasses:
FilesKeystoreVaultProvider, FilesPlainTextVaultProvider
public abstract class AbstractVaultProvider extends Object implements VaultProvider
Abstract class that is meant to be extended by implementations of VaultProvider that want to have support for key resolvers.

This class implements the obtainSecret(String) method by iterating through the configured resolvers in order and, using the final key name provided by each resolver, calls the obtainSecretInternal(String) method that must be implemented by sub-classes. If obtainSecretInternal(String) returns a non-empty secret, it is immediately returned; otherwise the implementation tries again using the next configured resolver until a non-empty secret is obtained or all resolvers have been tried, in which case an empty VaultRawSecret is returned.

Concrete implementations must, in addition to implementing the obtainSecretInternal(String) method, ensure that each constructor calls the AbstractVaultProvider(String, List) constructor from this class so that the realm and list of key resolvers are properly initialized.

Author:
Stefan Guilhen

  • Field Details

  • Constructor Details

    • AbstractVaultProvider

      public AbstractVaultProvider(String realm, List<VaultKeyResolver> configuredResolvers)
      Creates an instance of AbstractVaultProvider with the specified realm and list of key resolvers.
      Parameters:
      realm - the name of the keycloak realm.
      configuredResolvers - a List containing the configured key resolvers.

  • Method Details

    • obtainSecret

      public VaultRawSecret obtainSecret(String vaultSecretId)
      Description copied from interface: VaultProvider
      Retrieves a secret from vault. The implementation should respect at least the realm ID to separate the secrets within the vault. If the secret is retrieved successfully, it is returned; otherwise this method results into an empty VaultRawSecret.get(). This method is intended to be used within a try-with-resources block so that the secret is destroyed immediately after use. Note that it is responsibility of the implementor to provide a way to destroy the secret in the returned VaultRawSecret.close() method.
      Specified by:
      obtainSecret in interface VaultProvider
      Parameters:
      vaultSecretId - Identifier of the secret. It corresponds to the value entered by user in the respective configuration, which in turn is obtained from the vault when storing the secret.
      Returns:
      Always a non-null value with the raw secret. Within the returned value, the secret or null is stored in the VaultRawSecret.get() return value if the secret was successfully resolved, or an empty Optional if the secret has not been found in the vault.

    • validate

      protected boolean validate(VaultKeyResolver resolver, String key, String resolvedKey)
      Validates the resolved key to ensure it meets the necessary criteria.
      Parameters:
      resolver - the VaultKeyResolver used to resolve the key.
      key - the original key provided.
      resolvedKey - the key after being resolved by the resolver.
      Returns:
      a boolean indicating whether the validation passed.

    • obtainSecretInternal

      protected abstract VaultRawSecret obtainSecretInternal(String vaultKey)
      Subclasses of AbstractVaultProvider must implement this method. It is meant to be implemented in the same way as the obtainSecret(String) method from the VaultProvider interface, but the specified vault key must be used as is - i.e. implementations should refrain from processing the key again as the format was already defined by one of the configured key resolvers.
      Parameters:
      vaultKey - a String representing the name of the entry that is being fetched from the vault.
      Returns:
      a VaultRawSecret representing the obtained secret. It can be a empty secret if no secret could be obtained using the specified vault key.