Class CubbyholeAuthentication

java.lang.Object
org.springframework.vault.authentication.CubbyholeAuthentication
All Implemented Interfaces:
AuthenticationStepsFactory, ClientAuthentication

public class CubbyholeAuthentication extends Object implements ClientAuthentication, AuthenticationStepsFactory
Cubbyhole ClientAuthentication implementation.

Cubbyhole authentication uses Vault primitives to provide a secured authentication workflow. It uses tokens as its primary login method: an ephemeral initial token is used to obtain a second, login VaultToken from Vault's Cubbyhole secret backend. The login token is usually longer-lived and is the token used to interact with Vault. The login token can be retrieved either from a wrapped response or from the data section of a stored secret.

Wrapped token response usage

Create a Token
 
  $ vault token-create -wrap-ttl="10m"
  Key                           Value
  ---                           -----
  wrapping_token:               397ccb93-ff6c-b17b-9389-380b01ca2645
  wrapping_token_ttl:           0h10m0s
  wrapping_token_creation_time: 2016-09-18 20:29:48.652957077 +0200 CEST
  wrapped_accessor:             46b6aebb-187f-932a-26d7-4f3d86a68319
  
Setup CubbyholeAuthentication
 
  CubbyholeAuthenticationOptions options = CubbyholeAuthenticationOptions
                .builder()
                .initialToken(VaultToken.of("397ccb93-ff6c-b17b-9389-380b01ca2645"))
                .wrapped()
                .build();
  CubbyholeAuthentication authentication = new CubbyholeAuthentication(options, restOperations);
  

Stored token response usage

Create a Token
 
  $ vault token-create
  Key                   Value
  ---                   -----
  token                 f9e30681-d46a-cdaf-aaa0-2ae0a9ad0819
  token_accessor        4eee9bd9-81bb-06d6-af01-723c54a72148
  token_duration        0s
  token_renewable       false
  token_policies        [root]

  $ vault token-create -use-limit=2 -orphan -no-default-policy -policy=none
  Key                   Value
  ---                   -----
  token                 895cb88b-aef4-0e33-ba65-d50007290780
  token_accessor        e84b661c-8aa8-2286-b788-f258f30c8325
  token_duration        0s
  token_renewable       false
  token_policies        [none]

  $ export VAULT_TOKEN=895cb88b-aef4-0e33-ba65-d50007290780
  $ vault write cubbyhole/token token=f9e30681-d46a-cdaf-aaa0-2ae0a9ad0819
  
Setup CubbyholeAuthentication
 
  CubbyholeAuthenticationOptions options = CubbyholeAuthenticationOptions
                .builder()
                .initialToken(VaultToken.of("895cb88b-aef4-0e33-ba65-d50007290780"))
                .path("cubbyhole/token")
                .build();
  CubbyholeAuthentication authentication = new CubbyholeAuthentication(options, restOperations);
  
Remaining TTL/Renewability

Tokens retrieved from Cubbyhole that carry a non-zero TTL start their TTL at token creation time, which is not necessarily the time of application startup. To compensate for this initial delay, Cubbyhole authentication performs a self-lookup for tokens with a non-zero TTL to retrieve the remaining TTL. Cubbyhole authentication does not self-lookup wrapped tokens without a TTL, because a zero TTL indicates that no TTL is associated with the token.

Non-wrapped tokens do not provide renewability and TTL details when the token is merely retrieved from the data section. A self-lookup is performed to look up renewability and the remaining TTL.
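The two login flows and the TTL compensation described above, as an added example that is not Spring Vault's own code: a Python model of the exchanges CubbyholeAuthentication performs, run against a constructed in-memory stand-in for Vault. The paths sys/wrapping/unwrap and auth/token/lookup-self are Vault's real API paths; the FakeVault class, its lease values and the call-recording are assumptions made for this example.

```python
from dataclasses import dataclass
from typing import Callable
Transport = Callable[[str, str, str], dict]  # (method, path, X-Vault-Token) -> JSON body
WRAPPING_TOKEN = "397ccb93-ff6c-b17b-9389-380b01ca2645"  # page's wrapped example
INITIAL_TOKEN = "895cb88b-aef4-0e33-ba65-d50007290780"   # page's stored example
LOGIN_TOKEN = "f9e30681-d46a-cdaf-aaa0-2ae0a9ad0819"     # login token both flows yield

@dataclass
class LoginToken:
    token: str
    ttl: int          # remaining seconds; 0 means the token has no TTL
    renewable: bool

def cubbyhole_login(initial: str, send: Transport, wrapped: bool,
                    path: str = "cubbyhole/token") -> LoginToken:
    """Exchange the ephemeral initial token for the longer-lived login token."""
    if wrapped:
        # Unwrap with the wrapping token; token and lease details are in 'auth'.
        auth = send("POST", "sys/wrapping/unwrap", initial)["auth"]
        tok = LoginToken(auth["client_token"], auth["lease_duration"], auth["renewable"])
        need_lookup = tok.ttl != 0        # zero TTL: nothing to compensate for
    else:
        # Read the cubbyhole path: exactly one data entry, whose value is the
        # login token. Plain reads carry no TTL/renewability details.
        data = send("GET", path, initial)["data"]
        if len(data) != 1:
            raise ValueError("expected a single token entry in the data section")
        tok, need_lookup = LoginToken(next(iter(data.values())), 0, False), True
    if need_lookup:
        # The TTL started at token creation, not at application startup, so ask
        # Vault for the *remaining* TTL and renewability with a self-lookup.
        info = send("GET", "auth/token/lookup-self", tok.token)["data"]
        tok = LoginToken(tok.token, info["ttl"], info["renewable"])
    return tok

class FakeVault:
    """Constructed in-memory stand-in for Vault; serves only the paths used above."""
    def __init__(self, unwrap_lease: int):
        self.unwrap_lease, self.calls = unwrap_lease, []
    def __call__(self, method: str, path: str, token: str) -> dict:
        self.calls.append(path)
        if path == "sys/wrapping/unwrap" and token == WRAPPING_TOKEN:
            return {"auth": {"client_token": LOGIN_TOKEN, "renewable": True,
                             "lease_duration": self.unwrap_lease}}
        if path == "cubbyhole/token" and token == INITIAL_TOKEN:
            return {"data": {"token": LOGIN_TOKEN}}
        if path == "auth/token/lookup-self" and token == LOGIN_TOKEN:
            return {"data": {"ttl": 2400, "renewable": True}}  # 20 min already elapsed
        raise PermissionError(f"{method} {path}: permission denied")
```

Only the wrapped flow with a non-zero lease and the stored flow trigger the self-lookup; a wrapped token reported with a zero lease is used as-is, which is the behaviour the section above describes.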

Author:
Mark Paluch