Class CubbyholeAuthentication

java.lang.Object
org.springframework.vault.authentication.CubbyholeAuthentication
All Implemented Interfaces:
AuthenticationStepsFactory, ClientAuthentication

public class CubbyholeAuthentication extends Object implements ClientAuthentication, AuthenticationStepsFactory
Cubbyhole ClientAuthentication implementation.

Cubbyhole authentication uses Vault primitives to provide a secured authentication workflow. It uses tokens as the primary login method: an ephemeral initial token is used to obtain a second VaultToken, the login token, from Vault's Cubbyhole secret backend. The login token is usually longer-lived and is the one used to interact with Vault. It can be retrieved either from a wrapped response (the initial token is a wrapping token that is unwrapped once) or from the data section of a secret stored in the Cubbyhole backend.

Wrapped token response usage

Create a Token

 $ vault token-create -wrap-ttl="10m"
 Key                            Value
 ---                            -----
 wrapping_token:                397ccb93-ff6c-b17b-9389-380b01ca2645
 wrapping_token_ttl:            0h10m0s
 wrapping_token_creation_time:  2016-09-18 20:29:48.652957077 +0200 CEST
 wrapped_accessor:              46b6aebb-187f-932a-26d7-4f3d86a68319
 
Setup CubbyholeAuthentication

 // The initial token is the wrapping token from "vault token-create -wrap-ttl";
 // wrapped() tells CubbyholeAuthentication to unwrap it to obtain the login token.
 CubbyholeAuthenticationOptions options = CubbyholeAuthenticationOptions
                .builder()
                .initialToken(VaultToken.of("397ccb93-ff6c-b17b-9389-380b01ca2645"))
                .wrapped()
                .build();
 // restOperations: a RestOperations configured for the Vault endpoint (e.g. from VaultClients).
 CubbyholeAuthentication authentication = new CubbyholeAuthentication(options, restOperations);


Stored token response usage

Create a Token

 $ vault token-create
 Key                    Value
 ---                    -----
 token                  f9e30681-d46a-cdaf-aaa0-2ae0a9ad0819
 token_accessor         4eee9bd9-81bb-06d6-af01-723c54a72148
 token_duration         0s
 token_renewable        false
 token_policies         [root]

 $ vault token-create -use-limit=2 -orphan -no-default-policy -policy=none
 Key                    Value
 ---                    -----
 token                  895cb88b-aef4-0e33-ba65-d50007290780
 token_accessor         e84b661c-8aa8-2286-b788-f258f30c8325
 token_duration         0s
 token_renewable        false
 token_policies         [none]

 $ export VAULT_TOKEN=895cb88b-aef4-0e33-ba65-d50007290780
 $ vault write cubbyhole/token token=f9e30681-d46a-cdaf-aaa0-2ae0a9ad0819
 
Setup CubbyholeAuthentication

 // The initial token is the use-limited token; the login token is read from the
 // data section of the secret stored at cubbyhole/token (field "token").
 CubbyholeAuthenticationOptions options = CubbyholeAuthenticationOptions
                .builder()
                .initialToken(VaultToken.of("895cb88b-aef4-0e33-ba65-d50007290780"))
                .path("cubbyhole/token")
                .build();
 // restOperations: a RestOperations configured for the Vault endpoint (e.g. from VaultClients).
 CubbyholeAuthentication authentication = new CubbyholeAuthentication(options, restOperations);

Remaining TTL/Renewability

Tokens retrieved from Cubbyhole that carry a non-zero TTL start their TTL at the time of token creation, which is not necessarily the time the application starts. To compensate for this initial delay, Cubbyhole authentication performs a self-lookup for tokens with a non-zero TTL to retrieve the remaining TTL. Cubbyhole authentication does not self-lookup wrapped tokens without a TTL, because a zero TTL indicates that no TTL is associated with the token.

Non-wrapped tokens do not reveal their renewability and TTL merely by being retrieved from the Cubbyhole backend; a self-lookup retrieves both the renewability and the remaining TTL.
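The wrapped-token flow and the TTL handling above, wired into a VaultTemplate, as an added example that is not part of the Spring Vault Javadoc. It assumes Spring Vault 2.x, a Vault server at vault.example.com:8200 with a JVM-trusted certificate, and that the wrapping token is supplied in the VAULT_WRAPPING_TOKEN environment variable (all three are assumptions).

```java
import org.springframework.http.client.ClientHttpRequestFactory;
import org.springframework.http.client.SimpleClientHttpRequestFactory;
import org.springframework.scheduling.concurrent.ThreadPoolTaskScheduler;
import org.springframework.vault.authentication.CubbyholeAuthentication;
import org.springframework.vault.authentication.CubbyholeAuthenticationOptions;
import org.springframework.vault.authentication.LifecycleAwareSessionManager;
import org.springframework.vault.authentication.LoginToken;
import org.springframework.vault.client.VaultClients;
import org.springframework.vault.client.VaultEndpoint;
import org.springframework.vault.core.VaultTemplate;
import org.springframework.vault.support.VaultToken;
import org.springframework.web.client.RestOperations;

public class CubbyholeLoginExample {

    public static void main(String[] args) {
        // Assumption: the deployer hands the single-use wrapping token to the process via an
        // environment variable, so the long-lived login token never appears in any config file.
        String wrappingToken = System.getenv("VAULT_WRAPPING_TOKEN");

        // Assumption: Vault listens on vault.example.com:8200 with a JVM-trusted certificate.
        VaultEndpoint endpoint = VaultEndpoint.create("vault.example.com", 8200);
        ClientHttpRequestFactory requestFactory = new SimpleClientHttpRequestFactory();
        RestOperations restOperations = VaultClients.createRestTemplate(endpoint, requestFactory);

        // Wrapped mode: the initial token is redeemed through sys/wrapping/unwrap.
        CubbyholeAuthenticationOptions options = CubbyholeAuthenticationOptions.builder()
                .initialToken(VaultToken.of(wrappingToken))
                .wrapped()
                .build();
        CubbyholeAuthentication authentication = new CubbyholeAuthentication(options, restOperations);

        // Do not call authentication.login() yourself as well: a wrapping token can be redeemed
        // only once, so the session manager owns the single login and the subsequent renewals.
        ThreadPoolTaskScheduler scheduler = new ThreadPoolTaskScheduler();
        scheduler.afterPropertiesSet();
        LifecycleAwareSessionManager sessionManager =
                new LifecycleAwareSessionManager(authentication, scheduler, restOperations);

        // For a token with a non-zero TTL the self-lookup yields a LoginToken with remaining TTL.
        VaultToken token = sessionManager.getSessionToken();
        if (token instanceof LoginToken) {
            LoginToken loginToken = (LoginToken) token;
            System.out.println("remaining TTL=" + loginToken.getLeaseDuration()
                    + " renewable=" + loginToken.isRenewable());
        }
        VaultTemplate vault = new VaultTemplate(endpoint, requestFactory, sessionManager);
        System.out.println(vault.read("secret/application"));
    }
}
```

A second redemption of the same wrapping token fails, which is the property that lets an operator detect an intercepted token: if the application cannot unwrap, someone else already did.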

Author:
Mark Paluch
See Also: