We now perform a self-lookup by default for tokens retrieved from CubbyholeAuthentication to determine the remaining TTL and renewability. Static tokens and wrapped tokens with a TTL associated qualify for self-lookup. Wrapped tokens without a TTL are not self-looked up because all details are already given at the time of reading the wrapped response.
The TTL starts at the time of token creation, and this delay can impact the first renewal time: the token can expire, and the renewal that then happens fails because of the offset delay.
Fixes gh-88.
We now calculate renewal schedule after obtaining the token/the last renewal before scheduling the next renewal. We also made LoginToken public and provide a RefreshTrigger API to implement custom renewal time calculation strategies. Custom strategies can be fine-tuned to specific requirements (rate limiting, fine-grained control). We provide with FixedTimeoutRefreshTrigger an implementation to calculate refresh time based on a fixed timeout.
Previously, the renewal time was calculated inside the Trigger callback that was invoked eventually which allowed a time to pass between login/last renewal and the actual time calculation. This difference can lead to token expiry before the actual renewal.
Fixes gh-87.
Spring Vault now attempts to look up a network interface with a hardware address if the localhost network address lookup fails. Network interfaces are sorted by their index, if available (since Java 1.7), before scanning interfaces for a hardware address. The index is an OS- and platform-specific identifier that usually describes the order in which the underlying system orders the interfaces. The ordering of NetworkInterface.getNetworkInterfaces() does not necessarily reflect the system order.
Fixes gh-84.
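The fallback described above, written out as an added example against plain JDK APIs (this is illustrative code, not Spring Vault's own MacAddressUserId implementation): try the localhost address first, and if that yields no hardware address, scan the interfaces in index order and take the first one that reports one.

```java
import java.net.InetAddress;
import java.net.NetworkInterface;
import java.net.SocketException;
import java.net.UnknownHostException;
import java.util.Collections;
import java.util.Comparator;
import java.util.List;
import java.util.Optional;

public final class HardwareAddressLookup {

    // Resolve a hardware (MAC) address for this host.
    // 1. Prefer the interface bound to InetAddress.getLocalHost().
    // 2. Otherwise scan all interfaces sorted by NetworkInterface.getIndex()
    //    (available since Java 7; the enumeration order itself is not guaranteed
    //    to match the OS ordering) and return the first with a hardware address.
    static Optional<byte[]> findHardwareAddress() throws SocketException {
        try {
            NetworkInterface local = NetworkInterface.getByInetAddress(InetAddress.getLocalHost());
            if (local != null) {
                byte[] hw = local.getHardwareAddress();
                if (hw != null && hw.length > 0) {
                    return Optional.of(hw);
                }
            }
        } catch (UnknownHostException | SocketException e) {
            // localhost lookup failed (e.g. hostname not resolvable); fall through to the scan
        }

        List<NetworkInterface> interfaces = Collections.list(NetworkInterface.getNetworkInterfaces());
        interfaces.sort(Comparator.comparingInt(NetworkInterface::getIndex));

        for (NetworkInterface nic : interfaces) {
            // getHardwareAddress() returns null for loopback/virtual interfaces and
            // may also return null when the JVM lacks the privilege to read it.
            byte[] hw = nic.getHardwareAddress();
            if (hw != null && hw.length > 0) {
                return Optional.of(hw);
            }
        }
        return Optional.empty();
    }

    // Render bytes as the conventional colon-separated hex form.
    static String format(byte[] hw) {
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < hw.length; i++) {
            if (i > 0) {
                sb.append(':');
            }
            sb.append(String.format("%02x", hw[i]));
        }
        return sb.toString();
    }

    public static void main(String[] args) throws SocketException {
        Optional<byte[]> hw = findHardwareAddress();
        System.out.println(hw.map(HardwareAddressLookup::format).orElse("no interface with a hardware address found"));
    }
}
```

The empty Optional is the case worth handling in the caller: containers and minimal VMs frequently expose only a loopback interface, so an identifier derived from the hardware address must fail loudly rather than fall back to a constant.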
We now remove null-valued properties when transforming properties to their PropertySource representation. Vault can reply with null-valued properties that cause a NullPointerException with the ConcurrentHashMap implementations.
Closes gh-69.
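An added example (not the project's own code) showing the failure mode and the fix: copying a Vault response that contains a null value straight into a ConcurrentHashMap throws, whereas filtering null keys and values first produces a usable property map. The sample response map is constructed for the example.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

public final class VaultDataToProperties {

    // Build a ConcurrentHashMap-backed property map from Vault's "data" map,
    // dropping entries whose key or value is null (ConcurrentHashMap rejects both).
    static Map<String, Object> toProperties(Map<String, Object> vaultData) {
        Map<String, Object> properties = new ConcurrentHashMap<>();
        for (Map.Entry<String, Object> entry : vaultData.entrySet()) {
            if (entry.getKey() == null || entry.getValue() == null) {
                continue;
            }
            properties.put(entry.getKey(), entry.getValue());
        }
        return properties;
    }

    public static void main(String[] args) {
        // Constructed sample: a secret whose "comment" field came back as null.
        Map<String, Object> data = new HashMap<>();
        data.put("username", "app-user");
        data.put("password", "example-password");
        data.put("comment", null);

        try {
            // Unfiltered copy: ConcurrentHashMap.putAll() throws on the null value.
            new ConcurrentHashMap<>(data);
            System.out.println("unexpected: no exception");
        } catch (NullPointerException e) {
            System.out.println("unfiltered copy failed with NullPointerException");
        }

        Map<String, Object> properties = toProperties(data);
        System.out.println("filtered keys: " + properties.keySet());
    }
}
```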
Replace static imports with qualified use. Add author tags. Add copyright header. Simplify code. Simplify JavaDoc documentation. Rename test class and methods to align with project style.
Original pull request: #64.
We now accept a TaskScheduler in LifecycleAwareSessionManager to schedule session refresh tasks. Previously, LifecycleAwareSessionManager used AsyncTaskExecutor with Thread.sleep(…) to delay execution. Thread.sleep blocks a thread exclusively, which is inefficient resource usage.
Closes gh-59.
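The two renewal changes above (computing the next renewal time immediately after the token is obtained or renewed, and scheduling it with a scheduler instead of a sleeping thread) are illustrated by the following added example. It is modelled on plain JDK types, not on Spring Vault's LoginToken, RefreshTrigger or TaskScheduler classes; RenewableToken, RenewalSchedule, FixedMarginSchedule and the simulated renew call are all hypothetical names for this example.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.concurrent.Executors;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.atomic.AtomicReference;
import java.util.function.Function;

// Hypothetical token holder: the secret plus the TTL Vault reported and when it was obtained.
final class RenewableToken {
    final String value;
    final Duration ttl;
    final Instant obtainedAt;

    RenewableToken(String value, Duration ttl, Instant obtainedAt) {
        this.value = value;
        this.ttl = ttl;
        this.obtainedAt = obtainedAt;
    }

    Instant expiresAt() {
        return obtainedAt.plus(ttl);
    }
}

// Hypothetical strategy interface playing the role of a refresh trigger.
interface RenewalSchedule {
    Instant nextRenewalTime(RenewableToken token);
}

// Renew a fixed margin before expiry, but never in the past (a fixed-timeout style strategy).
final class FixedMarginSchedule implements RenewalSchedule {
    private final Duration margin;

    FixedMarginSchedule(Duration margin) {
        this.margin = margin;
    }

    @Override
    public Instant nextRenewalTime(RenewableToken token) {
        Instant candidate = token.expiresAt().minus(margin);
        Instant now = Instant.now();
        return candidate.isBefore(now) ? now : candidate;
    }
}

public final class TokenRenewer {
    private final ScheduledExecutorService scheduler = Executors.newSingleThreadScheduledExecutor();
    private final RenewalSchedule schedule;
    private final Function<RenewableToken, RenewableToken> renewCall; // stands in for a renew-self call
    private final AtomicReference<RenewableToken> current = new AtomicReference<>();

    TokenRenewer(RenewalSchedule schedule, Function<RenewableToken, RenewableToken> renewCall) {
        this.schedule = schedule;
        this.renewCall = renewCall;
    }

    void start(RenewableToken token) {
        current.set(token);
        scheduleRenewal(token);
    }

    // The delay is computed here, right after login/renewal, not inside the callback:
    // any time that passes before the callback runs no longer shifts the renewal past expiry.
    private void scheduleRenewal(RenewableToken token) {
        Instant at = schedule.nextRenewalTime(token);
        long delayMillis = Math.max(0, Duration.between(Instant.now(), at).toMillis());
        scheduler.schedule(this::renew, delayMillis, TimeUnit.MILLISECONDS);
    }

    private void renew() {
        RenewableToken token = current.get();
        if (Instant.now().isAfter(token.expiresAt())) {
            // Renewing an already expired token fails; report it instead of retrying blindly.
            System.out.println("token expired before renewal; a new login is required");
            return;
        }
        RenewableToken renewed = renewCall.apply(token);
        current.set(renewed);
        System.out.println("renewed at " + renewed.obtainedAt + ", next expiry " + renewed.expiresAt());
        scheduleRenewal(renewed);
    }

    void stop() {
        scheduler.shutdownNow();
    }

    public static void main(String[] args) throws InterruptedException {
        // Simulated renew-self: Vault hands back the same token with a fresh TTL from now.
        Function<RenewableToken, RenewableToken> fakeRenew =
                t -> new RenewableToken(t.value, t.ttl, Instant.now());
        TokenRenewer renewer = new TokenRenewer(new FixedMarginSchedule(Duration.ofSeconds(1)), fakeRenew);
        renewer.start(new RenewableToken("example-token", Duration.ofSeconds(3), Instant.now()));
        Thread.sleep(7_000); // observe two or three renewals, then stop
        renewer.stop();
    }
}
```

The single scheduler thread stays idle between renewals, which is the resource point behind replacing Thread.sleep(…); the expiry check in renew() is the guard that makes the gh-87 failure visible instead of silent.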
We now provide a Lease-aware PropertySource to renew and rotate secrets requested by that PropertySource. Lease renewal is applied per property source to control individual secrets with individual lease durations. A terminally expired lease can be rotated to obtain new credentials. A non-rotated secret that terminally expires is removed from the property source. LeaseAwareVaultPropertySource is updated by SecretLeaseContainer on a background thread.
Components created with properties retrieved from LeaseAwareVaultPropertySource are not refreshed upon secret rotation.
@VaultPropertySource(value = "aws/creds/s3", renewal = Renewal.ROTATE)
public class Config {
}
@VaultPropertySource(value = "mysql/creds/my-role", renewal = Renewal.RENEW)
public class Config {
}
Closes gh-50.
Provide an EnvironmentVaultConfiguration for common configuration scenarios to obtain configuration from Spring's Environment. EnvironmentVaultConfiguration supports various authentication mechanisms: Token, AppId, AppRole, AWS EC2, Client Certificates, and Cubbyhole.
Java-based configuration class:
@PropertySource("vault.properties")
@Import(EnvironmentVaultConfiguration.class)
public class MyConfiguration {
}
vault.properties:
vault.uri=https://localhost:8200
vault.token=…
Closes gh-30.