diff --git a/spring-vault-core/src/main/java/org/springframework/vault/core/ReactiveVaultOperations.java b/spring-vault-core/src/main/java/org/springframework/vault/core/ReactiveVaultOperations.java
index 913178af..ea182040 100644
--- a/spring-vault-core/src/main/java/org/springframework/vault/core/ReactiveVaultOperations.java
+++ b/spring-vault-core/src/main/java/org/springframework/vault/core/ReactiveVaultOperations.java
@@ -23,6 +23,7 @@ import reactor.core.publisher.Flux;
 import reactor.core.publisher.Mono;
 import org.springframework.vault.VaultException;
+import org.springframework.vault.client.VaultEndpoint;
 import org.springframework.vault.support.VaultResponse;
 import org.springframework.vault.support.VaultResponseSupport;
 import org.springframework.web.reactive.function.client.WebClient;
@@ -39,6 +40,11 @@ import static org.springframework.vault.core.VaultKeyValueOperationsSupport.*;
  * {@link ReactiveVaultOperations} allows execution of callback methods. Callbacks can
  * execute requests within a {@link #doWithSession(Function) session context} and the
  * {@link #doWithVault(Function) without a session}.
+ *
+ * Paths used in this interface (and interfaces accessible from here) are considered
+ * relative to the {@link VaultEndpoint}. Paths that are fully-qualified URI's can be used
+ * to access Vault cluster members in an authenticated context. To prevent unwanted full
+ * URI access, make sure to sanitize paths before passing them to this interface.
  *
  * @author Mark Paluch
  * @author James Luke
diff --git a/spring-vault-core/src/main/java/org/springframework/vault/core/ReactiveVaultTemplate.java b/spring-vault-core/src/main/java/org/springframework/vault/core/ReactiveVaultTemplate.java
index 170e051f..76734373 100644
--- a/spring-vault-core/src/main/java/org/springframework/vault/core/ReactiveVaultTemplate.java
+++ b/spring-vault-core/src/main/java/org/springframework/vault/core/ReactiveVaultTemplate.java
@@ -54,7 +54,18 @@ import static org.springframework.web.reactive.function.client.ExchangeFilterFun
 /**
  * This class encapsulates main Vault interaction. {@link ReactiveVaultTemplate} will log
- * into Vault on initialization and use the token throughout the whole lifetime.
+ * into Vault on initialization and use the token throughout the whole lifetime. This is
+ * the main entry point to interact with Vault in an authenticated and unauthenticated
+ * context.
+ *
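Review bot: The added paragraph tells callers to "sanitize" paths without saying what to reject, so every caller will invent a different check; the property that matters is that a path carries no scheme or authority, and the Javadoc should name it, e.g. `If the path can originate from an untrusted source, reject values for which {@code URI.create(path).isAbsolute()} holds or that start with {@code //}` (or a plain `path.contains("://")` test if paths may hold URI-template placeholders that `URI.create` refuses). The risk statement is also narrower than the mechanism it describes: if an absolute URI is handed to the underlying client unchanged, which the warning implies, the session token is sent to whatever host the URI names, not only to cluster members, and I would say so in the paragraph so readers treat `path` as untrusted input. Minor: `URI's` should be `URIs`. The enclosing interface Javadoc starts before this hunk.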
+ * {@link ReactiveVaultTemplate} allows execution of callback methods. Callbacks can
+ * execute requests within a {@link #doWithSession(Function) session context} and the
+ * {@link #doWithVault(Function) without a session}.
+ *
+ * Paths used in this interface (and interfaces accessible from here) are considered
+ * relative to the {@link VaultEndpoint}. Paths that are fully-qualified URI's can be used
+ * to access Vault cluster members in an authenticated context. To prevent unwanted full
+ * URI access, make sure to sanitize paths before passing them to this interface.
  *
  * @author Mark Paluch
  * @author Raoof Mohammed
diff --git a/spring-vault-core/src/main/java/org/springframework/vault/core/VaultOperations.java b/spring-vault-core/src/main/java/org/springframework/vault/core/VaultOperations.java
index 3cdd507e..d39c8133 100644
--- a/spring-vault-core/src/main/java/org/springframework/vault/core/VaultOperations.java
+++ b/spring-vault-core/src/main/java/org/springframework/vault/core/VaultOperations.java
@@ -20,6 +20,7 @@ import java.util.List;
 import org.jspecify.annotations.Nullable;
 import org.springframework.vault.VaultException;
+import org.springframework.vault.client.VaultEndpoint;
 import org.springframework.vault.core.VaultKeyValueOperationsSupport.KeyValueBackend;
 import org.springframework.vault.support.VaultResponse;
 import org.springframework.vault.support.VaultResponseSupport;
@@ -33,6 +34,11 @@ import org.springframework.web.client.RestClientException;
  * {@link VaultOperations} allows execution of callback methods. Callbacks can execute
  * requests within a {@link #doWithSession(RestOperationsCallback) session context} and
  * the {@link #doWithVault(RestOperationsCallback) without a session}.
+ *
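Review bot: The new paragraph says "this interface" twice, but `ReactiveVaultTemplate` is a class, and the same paragraph is being added to `ReactiveVaultOperations` in this commit, so the class Javadoc now holds a second copy of a security caveat that must be kept in sync by hand. I would keep the class text to a pointer, e.g. `Path handling follows the contract of {@link ReactiveVaultOperations}: paths are relative to the {@link VaultEndpoint}, and untrusted paths must be checked for absolute URIs before being passed to this class.`, and add `@see ReactiveVaultOperations`. If the duplication is deliberate, at least replace "this interface" with "this class" in both sentences and fix `URI's` to `URIs`. The Javadoc block opened by this hunk closes outside it.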
+ * Paths used in this interface (and interfaces accessible from here) are considered
+ * relative to the {@link VaultEndpoint}. Paths that are fully-qualified URI's can be used
+ * to access Vault cluster members in an authenticated context. To prevent unwanted full
+ * URI access, make sure to sanitize paths before passing them to this interface.
  *
  * @author Mark Paluch
  * @author Lauren Voswinkel
diff --git a/spring-vault-core/src/main/java/org/springframework/vault/core/VaultTemplate.java b/spring-vault-core/src/main/java/org/springframework/vault/core/VaultTemplate.java
index 21020f4a..ec2ff25c 100644
--- a/spring-vault-core/src/main/java/org/springframework/vault/core/VaultTemplate.java
+++ b/spring-vault-core/src/main/java/org/springframework/vault/core/VaultTemplate.java
@@ -47,8 +47,19 @@ import org.springframework.web.client.RestOperations;
 import org.springframework.web.client.RestTemplate;
 /**
- * This class encapsulates main Vault interaction. {@link VaultTemplate} will log into
- * Vault on initialization and use the token throughout the whole lifetime.
+ * This class encapsulates main Vault interaction. {@code VaultTemplate} will log into
+ * Vault on initialization and use the token throughout the whole lifetime. This is the
+ * main entry point to interact with Vault in an authenticated and unauthenticated
+ * context.
+ *
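Review bot: The caveat is placed only in the type-level Javadoc, which a developer looking at the `path` parameter of an individual operation in their IDE never sees; the methods of this interface that take a path (not visible in this hunk, so I am assuming they have `@param path` tags today) should each carry a one-line note such as `@param path Vault path relative to the {@link VaultEndpoint}; callers must reject absolute URIs coming from untrusted input`. The paragraph should also spell out the consequence it hints at with "in an authenticated context": presumably the request to an absolute URI carries the session token, which is what makes a caller-controlled path a credential-disclosure problem rather than a cosmetic one. Minor: `URI's` should be `URIs`. The enclosing interface Javadoc starts before this hunk.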
+ * {@code VaultTemplate} allows execution of callback methods. Callbacks can execute
+ * requests within a {@link #doWithSession(RestOperationsCallback) session context} and
+ * the {@link #doWithVault(RestOperationsCallback) without a session}.
+ *
+ * Paths used in this interface (and interfaces accessible from here) are considered + * relative to the {@link VaultEndpoint}. Paths that are fully-qualified URI's can be used + * to access Vault cluster members in an authenticated context. To prevent unwanted full + * URI access, make sure to sanitize paths before passing them to this interface. * * @author Mark Paluch * @see SessionManager diff --git a/src/main/antora/modules/ROOT/pages/vault/imperative-template.adoc b/src/main/antora/modules/ROOT/pages/vault/imperative-template.adoc index 29860d8b..06bacc67 100644 --- a/src/main/antora/modules/ROOT/pages/vault/imperative-template.adoc +++ b/src/main/antora/modules/ROOT/pages/vault/imperative-template.adoc @@ -23,6 +23,11 @@ the use of the Vault API and `VaultOperations`. A major difference in between the two APIs is that `VaultOperations` can be passed domain objects instead of JSON Key-Value pairs. +Paths used in `VaultTemplate` (and interfaces accessible from there) are considered +relative to the `VaultEndpoint`. Paths that are fully-qualified URI's can be used +to access Vault cluster members in an authenticated context. To prevent unwanted +full URI access, make sure to sanitize paths before passing them to `VaultTemplate`. + NOTE: The preferred way to reference the operations on javadoc:org.springframework.vault.core.VaultTemplate[] instance is via its interface javadoc:org.springframework.vault.core.VaultOperations[]. diff --git a/src/main/antora/modules/ROOT/pages/vault/reactive-template.adoc b/src/main/antora/modules/ROOT/pages/vault/reactive-template.adoc index b9db2d88..dbea0733 100644 --- a/src/main/antora/modules/ROOT/pages/vault/reactive-template.adoc +++ b/src/main/antora/modules/ROOT/pages/vault/reactive-template.adoc 
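Review bot: This hunk switches the self-reference from `{@link VaultTemplate}` to `{@code VaultTemplate}` while the parallel `ReactiveVaultTemplate` hunk in the same commit keeps `{@link ReactiveVaultTemplate}`; pick one form for both (`{@code}` is the usual choice for a class referring to itself) so the two templates' Javadoc stay consistent. The added paragraph also says "this interface" twice although `VaultTemplate` is a class: `before passing them to this class`. `URI's` should be `URIs`. The hunk ends at `@see SessionManager`; the Javadoc block continues outside it.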
@@ -47,6 +47,11 @@ the use of the Vault API and javadoc:org.springframework.vault.core.ReactiveVaul the two APIs is that javadoc:org.springframework.vault.core.ReactiveVaultOperations[] can be passed domain objects instead of JSON Key-Value pairs. +Paths used in `ReactiveVaultTemplate` (and interfaces accessible from there) are considered +relative to the `VaultEndpoint`. Paths that are fully-qualified URI's can be used +to access Vault cluster members in an authenticated context. To prevent unwanted +full URI access, make sure to sanitize paths before passing them to `ReactiveVaultTemplate`. + NOTE: The preferred way to reference the operations on javadoc:org.springframework.vault.core.ReactiveVaultTemplate[] instance is via its interface javadoc:org.springframework.vault.core.ReactiveVaultOperations[].