Add EnvironmentVaultConfiguration.
Provide a EnvironmentVaultConfiguration for common configuration scenarios to obtain configuration from Spring's Environment. EnvironmentVaultConfiguration supports various authentication mechanisms: Token, AppId, AppRole, AWS EC2, Client-Certificates, and Cubbyhole.
Java-based configuration class:
@PropertySource("vault.properties")
@Import(EnvironmentVaultConfiguration.class)
public class MyConfiguration{
}
vault.properties
vault.uri=https://localhost:8200
vault.token=…
Closes gh-30.
This commit is contained in:
@@ -132,7 +132,7 @@ public class ClientHttpRequestFactoryFactory {
|
||||
return new SimpleClientHttpRequestFactory();
|
||||
}
|
||||
|
||||
private static SSLContext getSSLContext(SslConfiguration sslConfiguration)
|
||||
static SSLContext getSSLContext(SslConfiguration sslConfiguration)
|
||||
throws GeneralSecurityException, IOException {
|
||||
|
||||
KeyManager[] keyManagers = sslConfiguration.getKeyStore() != null ? createKeyManagerFactory(
|
||||
|
||||
@@ -0,0 +1,326 @@
|
||||
/*
|
||||
* Copyright 2017 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
package org.springframework.vault.config;
|
||||
|
||||
import java.net.URI;
|
||||
|
||||
import org.springframework.beans.BeansException;
|
||||
import org.springframework.context.ApplicationContext;
|
||||
import org.springframework.context.ApplicationContextAware;
|
||||
import org.springframework.context.annotation.Configuration;
|
||||
import org.springframework.core.io.Resource;
|
||||
import org.springframework.util.Assert;
|
||||
import org.springframework.util.StringUtils;
|
||||
import org.springframework.vault.authentication.AppIdAuthentication;
|
||||
import org.springframework.vault.authentication.AppIdAuthenticationOptions;
|
||||
import org.springframework.vault.authentication.AppIdUserIdMechanism;
|
||||
import org.springframework.vault.authentication.AppRoleAuthentication;
|
||||
import org.springframework.vault.authentication.AppRoleAuthenticationOptions;
|
||||
import org.springframework.vault.authentication.AwsEc2Authentication;
|
||||
import org.springframework.vault.authentication.AwsEc2AuthenticationOptions;
|
||||
import org.springframework.vault.authentication.AwsEc2AuthenticationOptions.AwsEc2AuthenticationOptionsBuilder;
|
||||
import org.springframework.vault.authentication.ClientAuthentication;
|
||||
import org.springframework.vault.authentication.ClientCertificateAuthentication;
|
||||
import org.springframework.vault.authentication.CubbyholeAuthentication;
|
||||
import org.springframework.vault.authentication.CubbyholeAuthenticationOptions;
|
||||
import org.springframework.vault.authentication.IpAddressUserId;
|
||||
import org.springframework.vault.authentication.MacAddressUserId;
|
||||
import org.springframework.vault.authentication.StaticUserId;
|
||||
import org.springframework.vault.authentication.TokenAuthentication;
|
||||
import org.springframework.vault.client.VaultEndpoint;
|
||||
import org.springframework.vault.support.SslConfiguration;
|
||||
import org.springframework.vault.support.VaultToken;
|
||||
import org.springframework.web.client.RestOperations;
|
||||
|
||||
/**
|
||||
* Configuration using Spring's {@link org.springframework.core.env.Environment} to
|
||||
* configure Spring Vault endpoint, SSL options and authentication options. This
|
||||
* configuration class uses predefined property keys and is usually imported as part of an
|
||||
* existing Java-based configuration. Configuration is obtained from other, existing
|
||||
* property sources.
|
||||
* <p>
|
||||
* Usage:
|
||||
*
|
||||
* Java-based configuration part:
|
||||
*
|
||||
* <pre>
|
||||
* <code>
|
||||
* @Configuration
|
||||
* @Import(EnvironmentVaultConfiguration.class)
|
||||
* public class MyConfiguration {
|
||||
* }
|
||||
* </code>
|
||||
* </pre>
|
||||
*
|
||||
* Supplied properties:
|
||||
*
|
||||
* <pre>
|
||||
* <code>
|
||||
* vault.uri=https://localhost:8200
|
||||
* vault.token=00000000-0000-0000-0000-000000000000
|
||||
* </code>
|
||||
* </pre>
|
||||
*
|
||||
* <h3>Property keys</h3>
|
||||
*
|
||||
* Authentication-specific properties must be provided depending on the authentication
|
||||
* method.
|
||||
* <ul>
|
||||
* <li>Vault URI: {@code vault.uri}</li>
|
||||
* <li>SSL Configuration
|
||||
* <ul>
|
||||
* <li>Keystore resource: {@code vault.ssl.key-store} (optional)</li>
|
||||
* <li>Keystore password: {@code vault.ssl.key-store-password} (optional)</li>
|
||||
* <li>Truststore resource: {@code vault.ssl.trust-store} (optional)</li>
|
||||
* <li>Truststore password: {@code vault.ssl.trust-store-password} (optional)</li>
|
||||
* </ul>
|
||||
* </li>
|
||||
* <li>Authentication method: {@code vault.authentication} (defaults to {@literal TOKEN},
|
||||
* supported authentication methods are:
|
||||
* {@literal TOKEN, APPID, APPROLE, AWS_EC2, CERT, CUBBYHOLE})</li>
|
||||
* <li>Token authentication
|
||||
* <ul>
|
||||
* <li>Vault Token: {@code vault.token}</li>
|
||||
* </ul>
|
||||
* <li>AppId authentication
|
||||
* <ul>
|
||||
* <li>AppId: {@code vault.app-id.app-id}</li>
|
||||
* <li>UserId: {@code vault.app-id.user-id}. {@literal MAC_ADDRESS} and
|
||||
* {@literal IP_ADDRESS} use {@link MacAddressUserId}, respective {@link IpAddressUserId}.
|
||||
* Any other value is used with {@link StaticUserId}.</li>
|
||||
* </ul>
|
||||
* <li>AppRole authentication
|
||||
* <ul>
|
||||
* <li>RoleId: {@code vault.app-role.role-id}</li>
|
||||
* <li>SecretId: {@code vault.app-role.secret-id} (optional)</li>
|
||||
* </ul>
|
||||
* <li>AWS EC2 authentication
|
||||
* <ul>
|
||||
* <li>RoleId: {@code vault.aws-ec2.role-id}</li>
|
||||
* <li>Identity Document URL: {@code vault.aws-ec2.identity-document} (optional)</li>
|
||||
* </ul>
|
||||
* <li>Client Certificate authentication
|
||||
* <ul>
|
||||
* <li>(no configuration options)</li>
|
||||
* </ul>
|
||||
* <li>Cubbyhole authentication
|
||||
* <ul>
|
||||
* <li>Initial Vault Token: {@code vault.token}</li>
|
||||
* </ul>
|
||||
* </ul>
|
||||
*
|
||||
* @author Mark Paluch
|
||||
* @see org.springframework.core.env.Environment
|
||||
* @see org.springframework.core.env.PropertySource
|
||||
* @see VaultEndpoint
|
||||
* @see AppIdAuthentication
|
||||
* @see AppRoleAuthentication
|
||||
* @see AwsEc2Authentication
|
||||
* @see ClientCertificateAuthentication
|
||||
* @see CubbyholeAuthentication
|
||||
*/
|
||||
@Configuration
|
||||
public class EnvironmentVaultConfiguration extends AbstractVaultConfiguration
|
||||
implements ApplicationContextAware {
|
||||
|
||||
private RestOperations cachedRestOperations;
|
||||
private ApplicationContext applicationContext;
|
||||
|
||||
@Override
|
||||
public RestOperations restOperations() {
|
||||
|
||||
if (this.cachedRestOperations != null) {
|
||||
return this.cachedRestOperations;
|
||||
}
|
||||
|
||||
this.cachedRestOperations = super.restOperations();
|
||||
return this.cachedRestOperations;
|
||||
}
|
||||
|
||||
@Override
|
||||
public void setApplicationContext(ApplicationContext applicationContext)
|
||||
throws BeansException {
|
||||
|
||||
this.applicationContext = applicationContext;
|
||||
super.setApplicationContext(applicationContext);
|
||||
}
|
||||
|
||||
@Override
|
||||
public VaultEndpoint vaultEndpoint() {
|
||||
|
||||
String uri = getProperty("vault.uri");
|
||||
if (uri != null) {
|
||||
return VaultEndpoint.from(URI.create(uri));
|
||||
}
|
||||
|
||||
throw new IllegalStateException("Vault URI (vault.uri) is null");
|
||||
}
|
||||
|
||||
@Override
|
||||
public SslConfiguration sslConfiguration() {
|
||||
|
||||
Resource keyStore = getResource("vault.ssl.key-store");
|
||||
String keyStorePassword = getProperty("vault.ssl.key-store-password");
|
||||
Resource trustStore = getResource("vault.ssl.trust-store");
|
||||
String trustStorePassword = getProperty("vault.ssl.trust-store-password");
|
||||
|
||||
return new SslConfiguration(keyStore, keyStorePassword, trustStore,
|
||||
trustStorePassword);
|
||||
}
|
||||
|
||||
@Override
|
||||
public ClientAuthentication clientAuthentication() {
|
||||
|
||||
String authentication = getEnvironment()
|
||||
.getProperty("vault.authentication", AuthenticationMethod.TOKEN.name())
|
||||
.toUpperCase().replace('-', '_');
|
||||
|
||||
AuthenticationMethod authenticationMethod = AuthenticationMethod
|
||||
.valueOf(authentication);
|
||||
|
||||
switch (authenticationMethod) {
|
||||
|
||||
case TOKEN:
|
||||
return tokenAuthentication();
|
||||
case APPID:
|
||||
return appIdAuthentication();
|
||||
case APPROLE:
|
||||
return appRoleAuthentication();
|
||||
case AWS_EC2:
|
||||
return awsEc2Authentication();
|
||||
case CERT:
|
||||
return new ClientCertificateAuthentication(restOperations());
|
||||
case CUBBYHOLE:
|
||||
return cubbyholeAuthentication();
|
||||
|
||||
default:
|
||||
throw new IllegalStateException(String.format(
|
||||
"Vault authentication method %s is not supported with %s",
|
||||
authenticationMethod, getClass().getSimpleName()));
|
||||
}
|
||||
}
|
||||
|
||||
// -------------------------------------------------------------------------
|
||||
// Implementation hooks and helper methods
|
||||
// -------------------------------------------------------------------------
|
||||
|
||||
protected ClientAuthentication tokenAuthentication() {
|
||||
|
||||
String token = getProperty("vault.token");
|
||||
Assert.hasText(token,
|
||||
"Vault Token authentication: Token (vault.token) must not be empty");
|
||||
|
||||
return new TokenAuthentication(token);
|
||||
}
|
||||
|
||||
protected ClientAuthentication appIdAuthentication() {
|
||||
|
||||
String appId = getEnvironment().getProperty("vault.app-id.app-id",
|
||||
getProperty("spring.application.name"));
|
||||
String userId = getProperty("vault.app-id.user-id");
|
||||
|
||||
Assert.hasText(appId,
|
||||
"Vault AppId authentication: AppId (vault.app-id.app-id) must not be empty");
|
||||
Assert.hasText(userId,
|
||||
"Vault AppId authentication: UserId (vault.app-id.user-id) must not be empty");
|
||||
|
||||
AppIdAuthenticationOptions authenticationOptions = AppIdAuthenticationOptions
|
||||
.builder().appId(appId) //
|
||||
.userIdMechanism(getAppIdUserIdMechanism(userId)).build();
|
||||
|
||||
return new AppIdAuthentication(authenticationOptions, restOperations());
|
||||
}
|
||||
|
||||
protected ClientAuthentication appRoleAuthentication() {
|
||||
|
||||
String roleId = getProperty("vault.app-role.role-id");
|
||||
String secretId = getProperty("vault.app-role.secret-id");
|
||||
Assert.hasText(roleId,
|
||||
"Vault AppRole authentication: RoleId (vault.app-role.role-id) must not be empty");
|
||||
|
||||
AppRoleAuthenticationOptions.AppRoleAuthenticationOptionsBuilder builder = AppRoleAuthenticationOptions
|
||||
.builder().roleId(roleId);
|
||||
|
||||
if (StringUtils.hasText(secretId)) {
|
||||
builder = builder.secretId(secretId);
|
||||
}
|
||||
|
||||
return new AppRoleAuthentication(builder.build(), restOperations());
|
||||
}
|
||||
|
||||
protected AppIdUserIdMechanism getAppIdUserIdMechanism(String userId) {
|
||||
|
||||
if (userId.equalsIgnoreCase(AppIdUserId.IP_ADDRESS.name())) {
|
||||
return new IpAddressUserId();
|
||||
}
|
||||
|
||||
if (userId.equalsIgnoreCase(AppIdUserId.MAC_ADDRESS.name())) {
|
||||
return new MacAddressUserId();
|
||||
}
|
||||
|
||||
return new StaticUserId(userId);
|
||||
}
|
||||
|
||||
protected ClientAuthentication awsEc2Authentication() {
|
||||
|
||||
String roleId = getProperty("vault.aws-ec2.role-id");
|
||||
String identityDocument = getProperty("vault.aws-ec2.identity-document");
|
||||
Assert.hasText(roleId,
|
||||
"Vault AWS EC2 authentication: RoleId (vault.aws-ec2.role-id) must not be empty");
|
||||
|
||||
AwsEc2AuthenticationOptionsBuilder builder = AwsEc2AuthenticationOptions.builder()
|
||||
.role(roleId);
|
||||
|
||||
if (StringUtils.hasText(identityDocument)) {
|
||||
builder.identityDocumentUri(URI.create(identityDocument));
|
||||
}
|
||||
|
||||
return new AwsEc2Authentication(builder.build(), restOperations(),
|
||||
restOperations());
|
||||
}
|
||||
|
||||
protected ClientAuthentication cubbyholeAuthentication() {
|
||||
|
||||
String token = getProperty("vault.token");
|
||||
Assert.hasText(token,
|
||||
"Vault Cubbyhole authentication: Initial token (vault.token) must not be empty");
|
||||
|
||||
CubbyholeAuthenticationOptions options = CubbyholeAuthenticationOptions.builder() //
|
||||
.wrapped() //
|
||||
.initialToken(VaultToken.of(token)) //
|
||||
.build();
|
||||
|
||||
return new CubbyholeAuthentication(options, restOperations());
|
||||
}
|
||||
|
||||
private String getProperty(String key) {
|
||||
return getEnvironment().getProperty(key);
|
||||
}
|
||||
|
||||
private Resource getResource(String key) {
|
||||
|
||||
String value = getProperty(key);
|
||||
return value != null ? applicationContext.getResource(value) : null;
|
||||
}
|
||||
|
||||
enum AppIdUserId {
|
||||
IP_ADDRESS, MAC_ADDRESS;
|
||||
}
|
||||
|
||||
enum AuthenticationMethod {
|
||||
TOKEN, APPID, APPROLE, AWS_EC2, CERT, CUBBYHOLE;
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,57 @@
|
||||
/*
|
||||
* Copyright 2017 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
package org.springframework.vault.config;
|
||||
|
||||
import org.junit.Test;
|
||||
import org.junit.runner.RunWith;
|
||||
|
||||
import org.springframework.beans.factory.annotation.Autowired;
|
||||
import org.springframework.context.annotation.Configuration;
|
||||
import org.springframework.context.annotation.Import;
|
||||
import org.springframework.test.context.TestPropertySource;
|
||||
import org.springframework.test.context.junit4.SpringRunner;
|
||||
import org.springframework.vault.authentication.AppIdAuthentication;
|
||||
import org.springframework.vault.authentication.ClientAuthentication;
|
||||
|
||||
import static org.assertj.core.api.Assertions.assertThat;
|
||||
|
||||
/**
|
||||
* Unit tests for {@link EnvironmentVaultConfiguration} with AppId authentication.
|
||||
*
|
||||
* @author Mark Paluch
|
||||
*/
|
||||
@RunWith(SpringRunner.class)
|
||||
@TestPropertySource(properties = { "vault.uri=https://localhost:8123",
|
||||
"vault.authentication=appid", "vault.app-id.user-id=IP_ADDRESS",
|
||||
"vault.app-id.app-id=foo" })
|
||||
public class EnvironmentVaultConfigurationAppIdAuthenticationUnitTests {
|
||||
|
||||
@Configuration
|
||||
@Import(EnvironmentVaultConfiguration.class)
|
||||
static class ApplicationConfiguration {
|
||||
}
|
||||
|
||||
@Autowired
|
||||
private EnvironmentVaultConfiguration configuration;
|
||||
|
||||
@Test
|
||||
public void shouldConfigureAuthentication() {
|
||||
|
||||
ClientAuthentication clientAuthentication = configuration.clientAuthentication();
|
||||
|
||||
assertThat(clientAuthentication).isInstanceOf(AppIdAuthentication.class);
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,57 @@
|
||||
/*
|
||||
* Copyright 2017 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
package org.springframework.vault.config;
|
||||
|
||||
import org.junit.Test;
|
||||
import org.junit.runner.RunWith;
|
||||
|
||||
import org.springframework.beans.factory.annotation.Autowired;
|
||||
import org.springframework.context.annotation.Configuration;
|
||||
import org.springframework.context.annotation.Import;
|
||||
import org.springframework.test.context.TestPropertySource;
|
||||
import org.springframework.test.context.junit4.SpringRunner;
|
||||
import org.springframework.vault.authentication.AppRoleAuthentication;
|
||||
import org.springframework.vault.authentication.ClientAuthentication;
|
||||
|
||||
import static org.assertj.core.api.Assertions.assertThat;
|
||||
|
||||
/**
|
||||
* Unit tests for {@link EnvironmentVaultConfiguration} with AppRole authentication.
|
||||
*
|
||||
* @author Mark Paluch
|
||||
*/
|
||||
@RunWith(SpringRunner.class)
|
||||
@TestPropertySource(properties = { "vault.uri=https://localhost:8123",
|
||||
"vault.authentication=approle", "vault.app-role.role-id=role",
|
||||
"vault.app-role.secret-id=foo" })
|
||||
public class EnvironmentVaultConfigurationAppRoleAuthenticationUnitTests {
|
||||
|
||||
@Configuration
|
||||
@Import(EnvironmentVaultConfiguration.class)
|
||||
static class ApplicationConfiguration {
|
||||
}
|
||||
|
||||
@Autowired
|
||||
private EnvironmentVaultConfiguration configuration;
|
||||
|
||||
@Test
|
||||
public void shouldConfigureAuthentication() {
|
||||
|
||||
ClientAuthentication clientAuthentication = configuration.clientAuthentication();
|
||||
|
||||
assertThat(clientAuthentication).isInstanceOf(AppRoleAuthentication.class);
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,56 @@
|
||||
/*
|
||||
* Copyright 2017 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
package org.springframework.vault.config;
|
||||
|
||||
import org.junit.Test;
|
||||
import org.junit.runner.RunWith;
|
||||
|
||||
import org.springframework.beans.factory.annotation.Autowired;
|
||||
import org.springframework.context.annotation.Configuration;
|
||||
import org.springframework.context.annotation.Import;
|
||||
import org.springframework.test.context.TestPropertySource;
|
||||
import org.springframework.test.context.junit4.SpringRunner;
|
||||
import org.springframework.vault.authentication.AwsEc2Authentication;
|
||||
import org.springframework.vault.authentication.ClientAuthentication;
|
||||
|
||||
import static org.assertj.core.api.Assertions.assertThat;
|
||||
|
||||
/**
|
||||
* Unit tests for {@link EnvironmentVaultConfiguration} with AppRole authentication.
|
||||
*
|
||||
* @author Mark Paluch
|
||||
*/
|
||||
@RunWith(SpringRunner.class)
|
||||
@TestPropertySource(properties = { "vault.uri=https://localhost:8123",
|
||||
"vault.authentication=aws-ec2", "vault.aws-ec2.role-id=role" })
|
||||
public class EnvironmentVaultConfigurationAwsEc2AuthenticationUnitTests {
|
||||
|
||||
@Configuration
|
||||
@Import(EnvironmentVaultConfiguration.class)
|
||||
static class ApplicationConfiguration {
|
||||
}
|
||||
|
||||
@Autowired
|
||||
private EnvironmentVaultConfiguration configuration;
|
||||
|
||||
@Test
|
||||
public void shouldConfigureAuthentication() {
|
||||
|
||||
ClientAuthentication clientAuthentication = configuration.clientAuthentication();
|
||||
|
||||
assertThat(clientAuthentication).isInstanceOf(AwsEc2Authentication.class);
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,57 @@
|
||||
/*
|
||||
* Copyright 2017 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
package org.springframework.vault.config;
|
||||
|
||||
import org.junit.Test;
|
||||
import org.junit.runner.RunWith;
|
||||
|
||||
import org.springframework.beans.factory.annotation.Autowired;
|
||||
import org.springframework.context.annotation.Configuration;
|
||||
import org.springframework.context.annotation.Import;
|
||||
import org.springframework.test.context.TestPropertySource;
|
||||
import org.springframework.test.context.junit4.SpringRunner;
|
||||
import org.springframework.vault.authentication.ClientAuthentication;
|
||||
import org.springframework.vault.authentication.ClientCertificateAuthentication;
|
||||
|
||||
import static org.assertj.core.api.Assertions.assertThat;
|
||||
|
||||
/**
|
||||
* Unit tests for {@link EnvironmentVaultConfiguration} with AppRole authentication.
|
||||
*
|
||||
* @author Mark Paluch
|
||||
*/
|
||||
@RunWith(SpringRunner.class)
|
||||
@TestPropertySource(properties = { "vault.uri=https://localhost:8123",
|
||||
"vault.authentication=cert", "vault.aws-ec2.role-id=role" })
|
||||
public class EnvironmentVaultConfigurationClientCertAuthenticationUnitTests {
|
||||
|
||||
@Configuration
|
||||
@Import(EnvironmentVaultConfiguration.class)
|
||||
static class ApplicationConfiguration {
|
||||
}
|
||||
|
||||
@Autowired
|
||||
private EnvironmentVaultConfiguration configuration;
|
||||
|
||||
@Test
|
||||
public void shouldConfigureAuthentication() {
|
||||
|
||||
ClientAuthentication clientAuthentication = configuration.clientAuthentication();
|
||||
|
||||
assertThat(clientAuthentication)
|
||||
.isInstanceOf(ClientCertificateAuthentication.class);
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,56 @@
|
||||
/*
|
||||
* Copyright 2017 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
package org.springframework.vault.config;
|
||||
|
||||
import org.junit.Test;
|
||||
import org.junit.runner.RunWith;
|
||||
|
||||
import org.springframework.beans.factory.annotation.Autowired;
|
||||
import org.springframework.context.annotation.Configuration;
|
||||
import org.springframework.context.annotation.Import;
|
||||
import org.springframework.test.context.TestPropertySource;
|
||||
import org.springframework.test.context.junit4.SpringRunner;
|
||||
import org.springframework.vault.authentication.ClientAuthentication;
|
||||
import org.springframework.vault.authentication.CubbyholeAuthentication;
|
||||
|
||||
import static org.assertj.core.api.Assertions.assertThat;
|
||||
|
||||
/**
|
||||
* Unit tests for {@link EnvironmentVaultConfiguration} with AppRole authentication.
|
||||
*
|
||||
* @author Mark Paluch
|
||||
*/
|
||||
@RunWith(SpringRunner.class)
|
||||
@TestPropertySource(properties = { "vault.uri=https://localhost:8123",
|
||||
"vault.authentication=cubbyhole", "vault.token=my-token" })
|
||||
public class EnvironmentVaultConfigurationCubbyholeAuthenticationUnitTests {
|
||||
|
||||
@Configuration
|
||||
@Import(EnvironmentVaultConfiguration.class)
|
||||
static class ApplicationConfiguration {
|
||||
}
|
||||
|
||||
@Autowired
|
||||
private EnvironmentVaultConfiguration configuration;
|
||||
|
||||
@Test
|
||||
public void shouldConfigureAuthentication() {
|
||||
|
||||
ClientAuthentication clientAuthentication = configuration.clientAuthentication();
|
||||
|
||||
assertThat(clientAuthentication).isInstanceOf(CubbyholeAuthentication.class);
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,100 @@
|
||||
/*
|
||||
* Copyright 2017 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* http://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
package org.springframework.vault.config;
|
||||
|
||||
import java.util.HashMap;
|
||||
import java.util.Map;
|
||||
|
||||
import org.junit.Test;
|
||||
import org.junit.runner.RunWith;
|
||||
|
||||
import org.springframework.beans.factory.annotation.Autowired;
|
||||
import org.springframework.context.annotation.Configuration;
|
||||
import org.springframework.context.annotation.Import;
|
||||
import org.springframework.core.env.ConfigurableEnvironment;
|
||||
import org.springframework.core.env.MapPropertySource;
|
||||
import org.springframework.core.io.ClassPathResource;
|
||||
import org.springframework.core.io.UrlResource;
|
||||
import org.springframework.test.context.TestPropertySource;
|
||||
import org.springframework.test.context.junit4.SpringRunner;
|
||||
import org.springframework.vault.authentication.ClientAuthentication;
|
||||
import org.springframework.vault.authentication.TokenAuthentication;
|
||||
import org.springframework.vault.support.SslConfiguration;
|
||||
import org.springframework.vault.support.VaultToken;
|
||||
|
||||
import static org.assertj.core.api.Assertions.assertThat;
|
||||
|
||||
/**
|
||||
* Unit tests for {@link EnvironmentVaultConfiguration}.
|
||||
*
|
||||
* @author Mark Paluch
|
||||
*/
|
||||
@RunWith(SpringRunner.class)
|
||||
@TestPropertySource(properties = { "vault.uri=https://localhost:8123",
|
||||
"vault.token=my-token", "vault.ssl.key-store-password=key store password",
|
||||
"vault.ssl.trust-store-password=trust store password" })
|
||||
public class EnvironmentVaultConfigurationUnitTests {
|
||||
|
||||
@Configuration
|
||||
@Import(EnvironmentVaultConfiguration.class)
|
||||
static class ApplicationConfiguration {
|
||||
}
|
||||
|
||||
@Autowired
|
||||
private EnvironmentVaultConfiguration configuration;
|
||||
|
||||
@Autowired
|
||||
private ConfigurableEnvironment configurableEnvironment;
|
||||
|
||||
@Test
|
||||
public void shouldConfigureEndpoint() {
|
||||
assertThat(configuration.vaultEndpoint().getPort()).isEqualTo(8123);
|
||||
}
|
||||
|
||||
@Test
|
||||
public void shouldConfigureTokenAuthentication() {
|
||||
|
||||
ClientAuthentication clientAuthentication = configuration.clientAuthentication();
|
||||
|
||||
assertThat(clientAuthentication).isInstanceOf(TokenAuthentication.class);
|
||||
assertThat(clientAuthentication.login()).isEqualTo(VaultToken.of("my-token"));
|
||||
}
|
||||
|
||||
@Test
|
||||
public void shouldConfigureSsl() {
|
||||
|
||||
Map<String, Object> map = new HashMap<String, Object>();
|
||||
map.put("vault.ssl.key-store", "http://foo.bar");
|
||||
map.put("vault.ssl.trust-store", "classpath:certificate.json");
|
||||
|
||||
MapPropertySource propertySource = new MapPropertySource("shouldConfigureSsl",
|
||||
map);
|
||||
configurableEnvironment.getPropertySources().addFirst(propertySource);
|
||||
|
||||
SslConfiguration sslConfiguration = configuration.sslConfiguration();
|
||||
|
||||
assertThat(sslConfiguration.getKeyStore()).isInstanceOf(UrlResource.class);
|
||||
assertThat(sslConfiguration.getKeyStorePassword())
|
||||
.isEqualTo("key store password");
|
||||
|
||||
assertThat(sslConfiguration.getTrustStore())
|
||||
.isInstanceOf(ClassPathResource.class);
|
||||
assertThat(sslConfiguration.getTrustStorePassword())
|
||||
.isEqualTo("trust store password");
|
||||
|
||||
configurableEnvironment.getPropertySources().remove(propertySource.getName());
|
||||
}
|
||||
}
|
||||
@@ -261,6 +261,11 @@ public class AppConfig extends AbstractVaultConfiguration {
|
||||
`AbstractVaultConfiguration` or provided by your configuration.
|
||||
====
|
||||
|
||||
NOTE: Creating a custom configuration class might be cumbersome in some cases.
|
||||
Take a look at `EnvironmentVaultConfiguration` that allows configuration by using
|
||||
properties from existing property sources and Spring's `Environment`. Read more
|
||||
in <<vault.core.environment-vault-configuration>>.
|
||||
|
||||
[[vault.core.template.sessionmanagement]]
|
||||
=== Session Management
|
||||
|
||||
@@ -309,6 +314,75 @@ Please note that providing `SslConfiguration` can be only
|
||||
applied when either Apache Http Components or the OkHttp client
|
||||
is on your class-path.
|
||||
|
||||
|
||||
[[vault.core.environment-vault-configuration]]
|
||||
== Using `EnvironmentVaultConfiguration`
|
||||
|
||||
Spring Vault includes `EnvironmentVaultConfiguration` configure the Vault client from Spring's `Environment` and a set of predefined
|
||||
property keys. `EnvironmentVaultConfiguration` supports frequently applied configurations. Other configurations are supported by deriving from the most appropriate configuration class. Include `EnvironmentVaultConfiguration` with `@Import(EnvironmentVaultConfiguration.class)` to existing
|
||||
Java-based configuration classes and supply configuration properties through any of Spring's ``PropertySource``s.
|
||||
|
||||
.Using EnvironmentVaultConfiguration with a property file
|
||||
====
|
||||
|
||||
.Java-based configuration class
|
||||
[source,java]
|
||||
----
|
||||
@PropertySource("vault.properties")
|
||||
@Import(EnvironmentVaultConfiguration.class)
|
||||
public class MyConfiguration{
|
||||
}
|
||||
----
|
||||
|
||||
.vault.properties
|
||||
[source,properties]
|
||||
----
|
||||
vault.uri=https://localhost:8200
|
||||
vault.token=00000000-0000-0000-0000-000000000000
|
||||
----
|
||||
====
|
||||
|
||||
**Property keys**
|
||||
|
||||
* Vault URI: `vault.uri`
|
||||
* SSL Configuration
|
||||
** Keystore resource: `vault.ssl.key-store` (optional)
|
||||
** Keystore password: `vault.ssl.key-store-password` (optional)
|
||||
** Truststore resource: `vault.ssl.trust-store` (optional)
|
||||
** Truststore password: `vault.ssl.trust-store-password` (optional)
|
||||
* Authentication method: `vault.authentication` (defaults to `TOKEN`, supported authentication methods are: `TOKEN`, `APPID`, `APPROLE`, `AWS_EC2`, `CERT`, `CUBBYHOLE`)
|
||||
|
||||
|
||||
**Authentication-specific property keys**
|
||||
|
||||
**<<vault.authentication.token>>**
|
||||
|
||||
* Vault Token: `vault.token`
|
||||
|
||||
**<<vault.authentication.appid>>**
|
||||
|
||||
* AppId: `vault.app-id.app-id`
|
||||
* UserId: `vault.app-id.user-id`. `MAC_ADDRESS` and `IP_ADDRESS` use `MacAddressUserId`, respective `IpAddressUserId` user id mechanisms. Any other value is used with `StaticUserId`.
|
||||
|
||||
**<<vault.authentication.approle>>**
|
||||
|
||||
* RoleId: `vault.app-role.role-id`
|
||||
* SecretId: `vault.app-role.secret-id` (optional)
|
||||
|
||||
**<<vault.authentication.awsec2>>**
|
||||
|
||||
* RoleId: `vault.aws-ec2.role-id`
|
||||
* Identity Document URL: `vault.aws-ec2.identity-document` (optional)
|
||||
|
||||
**<<vault.authentication.clientcert>>**
|
||||
|
||||
No configuration options.
|
||||
|
||||
**<<vault.authentication.cubbyhole>>**
|
||||
|
||||
* Initial Vault Token: `vault.token`
|
||||
|
||||
|
||||
[[vault.core.propertysupport]]
|
||||
== Vault Property Source Support
|
||||
|
||||
|
||||
Reference in New Issue
Block a user