Commit Graph

129 Commits

Author SHA1 Message Date
Mark Paluch
fbd75a555e Update changelog.
See gh-106.
2017-06-16 09:45:09 +02:00
Mark Paluch
09e6e9229a Polishing.
Extend time range in assertion to prevent failures due to too fast test execution.
2017-06-12 16:07:46 +02:00
Mark Paluch
b19fb624cc Polishing.
Add author tag. Update LoginToken javadoc. Refactor numeric literals representing milliseconds to TimeUnit use. Add tests.

See gh-96.
Original pull request: gh-97.
2017-05-20 16:56:33 +02:00
Steve Swor
d0be6dc8df Convert login token duration to milliseconds when calculating renewal time.
Fixes gh-96.
Original pull request: gh-97.
2017-05-20 09:42:39 +02:00
Mark Paluch
4fbb6a51a8 Fallback to default port if Endpoint URI does not declare a port.
We now use the default port (scheme-specific) if a URI does not declare an explicit port number.

Fixes gh-99.
2017-05-18 17:26:46 +02:00
Mark Paluch
8d95b9c972 Add central profiles.
See gh-92.
2017-05-12 11:50:15 +02:00
Mark Paluch
e2f13692f0 [maven-release-plugin] prepare for next development iteration
2017-05-12 10:33:57 +02:00
Mark Paluch
b988673059 [maven-release-plugin] prepare release 1.0.1.RELEASE
See gh-92.
2017-05-12 10:33:49 +02:00
Mark Paluch
90d6557b79 Update changelog.
See gh-92.
2017-05-12 10:24:05 +02:00
Mark Paluch
494a10389e Include notice and license in jar files.
Closes gh-93.
2017-05-12 10:20:53 +02:00
Mark Paluch
d56df632e9 Fix links in reference docs.
2017-05-09 21:00:39 +02:00
Mark Paluch
9946f5ed79 Polishing.
Fix ordering of static final modifiers. Fix Cubbyhole lettercasing.

See gh-88.
2017-05-02 09:42:30 +02:00
Mark Paluch
a7d8cdb229 Lookup remaining TTL and renewability in CubbyholeAuthentication.
We now perform a self-lookup by default for tokens retrieved from CubbyholeAuthentication to determine the remaining TTL and renewability. Static tokens and wrapped tokens with a TTL associated qualify for self-lookup. Wrapped tokens without a TTL are not self-looked up because all details are already given at the time of reading the wrapped response.

TTL starts at the time of token creation, and this delay can impact the first renewal time, so the token can expire and the subsequent renewal fails because of the offset delay.

Fixes gh-88.
2017-05-02 09:42:26 +02:00
Mark Paluch
7fbd790268 Calculate renewal schedule upfront.
We now calculate renewal schedule after obtaining the token/the last renewal before scheduling the next renewal. We also made LoginToken public and provide a RefreshTrigger API to implement custom renewal time calculation strategies. Custom strategies can be fine-tuned to specific requirements (rate limiting, fine-grained control). We provide with FixedTimeoutRefreshTrigger an implementation to calculate refresh time based on a fixed timeout.

Previously, the renewal time was calculated inside the Trigger callback that was invoked eventually which allowed a time to pass between login/last renewal and the actual time calculation. This difference can lead to token expiry before the actual renewal.

Fixes gh-87.
2017-05-02 09:40:05 +02:00
Mark Paluch
755039114e Improve unsupervised network interface lookup.
Spring Vault now attempts to look up a network interface with a hardware address if localhost network address lookup fails. Network interfaces are sorted by their index, if available (since Java 1.7), before scanning interfaces for a hardware address. The index is an OS- and platform-specific identifier that usually describes the order in which the underlying system orders the interfaces. The ordering of NetworkInterface.getNetworkInterfaces() does not necessarily reflect the system order.

Fixes gh-84.
2017-04-25 16:03:19 +02:00
Mark Paluch
78a3d07b48 Consider configured meta attributes in VaultTokenRequestBuilder.
Closes gh-80.
2017-04-25 16:03:19 +02:00
Mark Paluch
7dcaeaa100 Use Maven wrapper for build.
Use a well-defined Maven version to control the build environment.

See gh-83.
2017-04-25 08:53:15 +02:00
Mark Paluch
e2ba73fcc7 Remove settings.xml before starting TravisCI builds.
TravisCI's settings.xml is outdated and contains references to obsolete repositories.

See gh-83.
2017-04-25 08:53:15 +02:00
Mark Paluch
766b9709b5 Fix dependency import version.
See gh-72.
2017-04-19 16:09:04 +02:00
Mark Paluch
d662b691b5 Upgrade to Spring Framework 4.3.8.
Closes gh-81.
2017-04-19 15:53:39 +02:00
Mark Paluch
f4fe1173a8 Upgrade to Maven 3.5.0.
Closes gh-74.
2017-04-11 13:16:39 +02:00
Mark Paluch
af206ecbc4 Add developer, SCM location and project URL to dependency POM.
Closes gh-73.
2017-04-10 18:31:21 +02:00
Mark Paluch
e6817a4b0c Post-release cleanups.
See gh-72.
2017-04-10 10:38:29 +02:00
Spring Buildmaster
cc8fbadbe0 [artifactory-release] Release version 1.0.0.RELEASE
See gh-72.
2017-04-10 08:20:59 +00:00
Mark Paluch
bc766e7377 Prepare release.
See gh-72.
2017-04-10 10:14:26 +02:00
Mark Paluch
16f9994955 Fix AWS code sample in project sample.
2017-04-09 19:21:05 +02:00
Mark Paluch
c0150cf608 Explain current generic secret backend lease behavior in documentation.
See gh-68.
2017-04-07 17:38:51 +02:00
Mark Paluch
a9c2cf72f8 Provide session context to Vault sealing.
We now call /sys/seal with a token again. The session context got lost due to refactoring from VaultClient to RestTemplate use.

Closes gh-70.
2017-04-07 09:07:48 +02:00
Mark Paluch
9c14c4536a Exclude null-valued properties from Vault PropertySources.
We now remove null-valued properties when transforming properties to their PropertySource representation. Vault can reply with null-valued properties that cause a NullPointerException with the ConcurrentHashMap implementations.

Closes gh-69.
2017-04-05 19:32:34 +02:00
Mark Paluch
b6d0b04b18 Polishing.
Replace static imports with qualified use. Add author tags. Add copyright header. Simplify code. Simplify JavaDoc documentation. Rename test class and methods to align with project style.

Original pull request: #64.
2017-03-31 12:22:30 +02:00
Pierre-Jean Vardanega
ba135817fa Allow creating RequestedSecret from mode and path.
Original pull request: #64.
2017-03-31 12:16:08 +02:00
Mark Paluch
8b929011d9 Upgrade to Vault 0.7.
Closes gh-66.
2017-03-31 12:08:50 +02:00
Mark Paluch
1989036d0c Polishing.
Remove Spring 5 build profile from TravisCI build because of incompatible breaking changes in optional module support.

See gh-65.
2017-03-30 11:09:12 +02:00
Mark Paluch
b9597c2751 Update Spring-Next build profile to 4.3.8.
Closes gh-65.
2017-03-30 11:08:15 +02:00
Mark Paluch
1512558958 Add defensive check for empty repository key.
2017-03-24 11:04:42 +01:00
Mark Paluch
af61d4de46 Improve discovery and error messages in create_certificates.sh.
Print error message if openssl/keytool cannot be found.

Fixes gh-62.
2017-03-18 17:40:50 +01:00
Mark Paluch
04eb02554e Update site.
* Update supported authentication mechanisms
* Add link to examples repo
* Add VaultPropertySource sample

See gh-60.
2017-03-16 13:58:41 +01:00
Mark Paluch
30ce9667c7 [maven-release-plugin] prepare for next development iteration
2017-03-16 13:09:31 +01:00
Mark Paluch
90250d466e [maven-release-plugin] prepare release 1.0.0.RC1
2017-03-16 13:09:31 +01:00
Mark Paluch
3ac06ad0c4 Prepare release.
Update changelog. Update repository to milestone repo in spring-vault-dependencies.

See gh-60.
2017-03-16 13:08:25 +01:00
Mark Paluch
b0d6350b31 Upgrade dependencies.
httpclient 4.5.2 -> 4.5.3
httpcore 4.4.5 -> 4.4.6
netty 4.1.6.Final -> 4.1.8.Final
OkHttp3 3.5.0 -> 3.6.0
Jackson 2.8.2 -> 2.8.7

Closes gh-61.
2017-03-16 12:58:39 +01:00
Mark Paluch
d3d44601a9 Polishing.
Use org.mockito.junit.MockitoJUnitRunner instead of the deprecated org.mockito.runners.MockitoJUnitRunner.
2017-03-16 12:20:41 +01:00
Mark Paluch
6875da1a75 Polishing.
Reformat code.
2017-03-16 12:19:25 +01:00
Mark Paluch
20fda62937 Use TaskScheduler in LifecycleAwareSessionManager.
We now accept a TaskScheduler in LifecycleAwareSessionManager to schedule session refresh tasks. Previously, LifecycleAwareSessionManager used AsyncTaskExecutor with Thread.sleep(…) to delay execution. Thread.sleep blocks a thread exclusively, which is inefficient resource usage.

Closes gh-59.
2017-03-16 12:17:27 +01:00
Mark Paluch
33c80aea74 Polishing.
Polish JavaDoc wording. Add tests. Prevent lease revocation for secrets without an associated lease.

See gh-50.
2017-03-09 14:56:04 +02:00
Mark Paluch
d8d85e1a67 Polishing.
Align wording in JavaDoc. Provide package-level JavaDoc.
2017-03-08 21:41:03 +01:00
Mark Paluch
51c6a81c25 Add LeaseAwareVaultPropertySource.
We now provide a Lease-aware PropertySource to renew and rotate secrets requested by that PropertySource. Lease renewal is applied per property source to control individual secrets with individual lease durations. A terminally expired lease can be rotated to obtain new credentials. A non-rotated secret that terminally expires is removed from the property source. LeaseAwareVaultPropertySource is updated by SecretLeaseContainer on a background thread.

Components created with properties retrieved from LeaseAwareVaultPropertySource are not refreshed upon secret rotation.

@VaultPropertySource(value = "aws/creds/s3", renewal = Renewal.ROTATE)
public class Config {
}

@VaultPropertySource(value = "mysql/creds/my-role", renewal = Renewal.RENEW)
public class Config {
}

Closes gh-50.
2017-03-08 21:41:00 +01:00
Mark Paluch
81ade23b8c Add SecretLeaseContainer to renew leases and rotate secrets.
We now provide an event-driven container to request secrets with renewal and rotation on terminal lease expiration.

See gh-50.
2017-03-08 21:18:34 +01:00
Mark Paluch
f8a4e3a4fd Add EnvironmentVaultConfiguration.
Provide an EnvironmentVaultConfiguration for common configuration scenarios to obtain configuration from Spring's Environment. EnvironmentVaultConfiguration supports various authentication mechanisms: Token, AppId, AppRole, AWS EC2, Client Certificates, and Cubbyhole.

Java-based configuration class:

  @PropertySource("vault.properties")
  @Import(EnvironmentVaultConfiguration.class)
  public class MyConfiguration {
  }

vault.properties

  vault.uri=https://localhost:8200
  vault.token=…

Closes gh-30.
2017-03-02 11:58:44 +01:00
Mark Paluch
64e3f577e6 Upgrade to Spring Framework 4.3.7.
Closes gh-58.
2017-03-02 09:32:54 +01:00