Package org.springframework.vault.core.lease

Class SecretLeaseContainer

java.lang.Object

org.springframework.vault.core.lease.SecretLeaseEventPublisher

org.springframework.vault.core.lease.SecretLeaseContainer

All Implemented Interfaces:

DisposableBean, InitializingBean, Lifecycle, Phased, SmartLifecycle

public class SecretLeaseContainer
extends SecretLeaseEventPublisher
implements InitializingBean, DisposableBean, SmartLifecycle

Event-based container to request secrets from Vault and renew the associated Lease. Secrets can be rotated, depending on the requested RequestedSecret.getMode(). Usage example:

 
 SecretLeaseContainer container = new SecretLeaseContainer(vaultOperations,
                taskScheduler);
 RequestedSecret requestedSecret = container
                .requestRotatingSecret("mysql/creds/my-role");
 container.addLeaseListener(new LeaseListenerAdapter() {
        @Override
        public void onLeaseEvent(SecretLeaseEvent secretLeaseEvent) {
                if (requestedSecret == secretLeaseEvent.getSource()) {
                        if (secretLeaseEvent instanceof SecretLeaseCreatedEvent) {
            }
                        if (secretLeaseEvent instanceof SecretLeaseExpiredEvent) {
            }
        }
    }
 });
 container.afterPropertiesSet();
 container.start(); // events are triggered after starting the container
  

This container keeps track over RequestedSecrets and requests secrets upon start(). Leases qualified for renewal are renewed by this container applying minRenewalSeconds/expiryThresholdSeconds on a background thread.

Requests for secrets can define either renewal or rotation. The container renews leases until expiry. Rotating secrets renew their associated lease until expiry and request new secrets after expiry. Vault requires active interaction from a caller side to determine a secret is expired. Vault does not send any events. Expired secrets events can dispatch later than the actual expiry.

The container dispatches lease events to LeaseListener and LeaseErrorListener. Event notifications are dispatched either on the starting Thread or worker threads used for background renewal.

Instances are thread-safe once initialized.

Author:

Mark Paluch, Steven Swor, Erik Lindblom

See Also:

• RequestedSecret
• SecretLeaseEventPublisher
• Lease
• LeaseEndpoints
• LeaseStrategy

Nested Class Summary

Nested classes/interfaces inherited from class org.springframework.vault.core.lease.SecretLeaseEventPublisher

SecretLeaseEventPublisher.LoggingErrorListener

Field Summary

Fields

Modifier and Type	Field	Description
static Predicate<Lease>	NO_LEASE_DURATION	Predicate to test whether a Lease has no lease identifier.
static Predicate<Lease>	NO_LEASE_ID	Predicate to test whether a Lease has no lease identifier.

Fields inherited from interface org.springframework.context.SmartLifecycle

DEFAULT_PHASE

Constructor Summary

Constructors

Constructor	Description
SecretLeaseContainer(VaultOperations operations)	Create a new SecretLeaseContainer given VaultOperations.
SecretLeaseContainer(VaultOperations operations, TaskScheduler taskScheduler)	Create a new SecretLeaseContainer given VaultOperations and TaskScheduler.

Method Summary

Modifier and Type	Method	Description
RequestedSecret	addRequestedSecret(RequestedSecret requestedSecret)	Add a RequestedSecret.
void	afterPropertiesSet()
void	destroy()	Shutdown this SecretLeaseContainer, disable lease renewal and revoke leases.
protected VaultResponseSupport<Map<String,Object>>	doGetSecrets(RequestedSecret requestedSecret)	Retrieve secrets from VaultOperations.
protected Lease	doRenewLease(RequestedSecret requestedSecret, Lease lease)	Renew a Lease for a RequestedSecret.
protected void	doRevokeLease(RequestedSecret requestedSecret, Lease lease)	Revoke the Lease.
AuthenticationErrorListener	getAuthenticationErrorListener()	Returns the AuthenticationListener to listen for login token error events.
AuthenticationListener	getAuthenticationListener()	Returns the AuthenticationListener to listen for login token events.
Duration	getExpiryThreshold()
int	getExpiryThresholdSeconds()
Duration	getMinRenewal()
int	getMinRenewalSeconds()
int	getPhase()
boolean	isRunning()
protected void	onLeaseExpired(RequestedSecret requestedSecret, Lease lease)	Hook method called when a Lease expires.
boolean	renew(RequestedSecret secret)	Renew a secret.
RequestedSecret	requestRenewableSecret(String path)	Request a renewable secret at path.
RequestedSecret	requestRotatingSecret(String path)	Request a rotating secret at path.
void	rotate(RequestedSecret secret)	Rotate a secret.
void	setExpiryPredicate(Predicate<Lease> isExpired)	Sets the Predicate to determine whether a Lease is expired.
void	setExpiryThreshold(Duration expiryThreshold)	Set the expiry threshold.
void	setLeaseEndpoints(LeaseEndpoints leaseEndpoints)	Set the LeaseEndpoints to delegate renewal/revocation calls to.
void	setLeaseStrategy(LeaseStrategy leaseStrategy)	Set the LeaseStrategy for lease renewal error handling.
void	setMinRenewal(Duration minRenewal)	Sets the amount Duration that is at least required before renewing a lease.
void	setTaskScheduler(TaskScheduler taskScheduler)	Sets the TaskScheduler to use for scheduling and execution of lease renewals.
void	start()	Start the SecretLeaseContainer.
void	stop()	Stop the SecretLeaseContainer.

Methods inherited from class org.springframework.vault.core.lease.SecretLeaseEventPublisher

addErrorListener, addLeaseListener, onAfterLeaseRenewed, onAfterLeaseRevocation, onBeforeLeaseRevocation, onError, onSecretsNotFound, onSecretsObtained, onSecretsRotated, removeLeaseErrorListener, removeLeaseListener

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface org.springframework.context.SmartLifecycle

isAutoStartup, stop

Field Details

NO_LEASE_ID

public static Predicate<Lease> NO_LEASE_ID

Predicate to test whether a Lease has no lease identifier.

NO_LEASE_DURATION

public static Predicate<Lease> NO_LEASE_DURATION

Predicate to test whether a Lease has no lease identifier.

Constructor Details

SecretLeaseContainer

public SecretLeaseContainer(VaultOperations operations)

Create a new SecretLeaseContainer given VaultOperations.

Parameters:

operations - must not be null.

SecretLeaseContainer

public SecretLeaseContainer(VaultOperations operations,
 TaskScheduler taskScheduler)

Create a new SecretLeaseContainer given VaultOperations and TaskScheduler.

Parameters:

operations - must not be null.

taskScheduler - must not be null.

Method Details

getAuthenticationListener

public AuthenticationListener getAuthenticationListener()

Returns the AuthenticationListener to listen for login token events.

Returns:

the AuthenticationListener to listen for login token events.

Since:

3.1

getAuthenticationErrorListener

public AuthenticationErrorListener getAuthenticationErrorListener()

Returns the AuthenticationListener to listen for login token error events.

Returns:

the AuthenticationListener to listen for login token error events

Since:

3.1

setLeaseEndpoints

public void setLeaseEndpoints(LeaseEndpoints leaseEndpoints)

Set the LeaseEndpoints to delegate renewal/revocation calls to. LeaseEndpoints encapsulates differences between Vault versions that affect the location of renewal/revocation endpoints.

Parameters:

leaseEndpoints - must not be null.

Since:

2.1

See Also:

• LeaseEndpoints

setMinRenewal

public void setMinRenewal(Duration minRenewal)

Sets the amount Duration that is at least required before renewing a lease. minRenewal prevents renewals from happening too often.

Parameters:

minRenewal - duration that is at least required before renewing a Lease, must not be null or negative.

Since:

2.0

setExpiryPredicate

public void setExpiryPredicate(Predicate<Lease> isExpired)

Sets the Predicate to determine whether a Lease is expired. Defaults to comparing whether a lease has no identifier, its remaining TTL is zero or less or equal to minRenewal.

Since:

3.2

setExpiryThreshold

public void setExpiryThreshold(Duration expiryThreshold)

Set the expiry threshold. A Lease is renewed the given time before it expires.

Parameters:

expiryThreshold - duration before Lease expiry, must not be null or negative.

Since:

2.0

getMinRenewalSeconds

public int getMinRenewalSeconds()

getMinRenewal

public Duration getMinRenewal()

Returns:

minimum renewal timeout.

Since:

2.0

getExpiryThresholdSeconds

public int getExpiryThresholdSeconds()

getExpiryThreshold

public Duration getExpiryThreshold()

Returns:

expiry threshold.

Since:

2.0

setLeaseStrategy

public void setLeaseStrategy(LeaseStrategy leaseStrategy)

Set the LeaseStrategy for lease renewal error handling.

Parameters:

leaseStrategy - the LeaseStrategy, must not be null.

Since:

2.2

setTaskScheduler

public void setTaskScheduler(TaskScheduler taskScheduler)

Sets the TaskScheduler to use for scheduling and execution of lease renewals.

Parameters:

taskScheduler - must not be null.

requestRenewableSecret

public RequestedSecret requestRenewableSecret(String path)

Request a renewable secret at path.

Parameters:

path - must not be null or empty.

Returns:

the RequestedSecret.

requestRotatingSecret

public RequestedSecret requestRotatingSecret(String path)

Request a rotating secret at path.

Parameters:

path - must not be null or empty.

Returns:

the RequestedSecret.

addRequestedSecret

public RequestedSecret addRequestedSecret(RequestedSecret requestedSecret)

Add a RequestedSecret.

Parameters:

requestedSecret - must not be null.

start

public void start()

Start the SecretLeaseContainer. Starting the container will initially obtain secrets and leases for the requested secrets. A started container publishes events through LeaseListener. Additional secrets can be requested at any time.

Multiple calls are synchronized to start the container only once. Container start requires initialization and cannot be started once the container was destroyed.

Specified by:

start in interface Lifecycle

See Also:

• afterPropertiesSet()
• stop()

stop

public void stop()

Stop the SecretLeaseContainer. Stopping the container will stop lease renewal, secrets rotation and event publishing. Active leases are not expired.

Multiple calls are synchronized to stop the container only once.

Specified by:

stop in interface Lifecycle

See Also:

• start()

isRunning

public boolean isRunning()

Specified by:

isRunning in interface Lifecycle

getPhase

public int getPhase()

Specified by:

getPhase in interface Phased

Specified by:

getPhase in interface SmartLifecycle

afterPropertiesSet

public void afterPropertiesSet()

Specified by:

afterPropertiesSet in interface InitializingBean

Overrides:

afterPropertiesSet in class SecretLeaseEventPublisher

destroy

public void destroy()
             throws Exception

Shutdown this SecretLeaseContainer, disable lease renewal and revoke leases.

Specified by:

destroy in interface DisposableBean

Throws:

Exception

See Also:

• afterPropertiesSet()
• start()
• stop()

renew

public boolean renew(RequestedSecret secret)

Renew a secret.

Parameters:

secret - the secret' to renew.

Returns:

true if the lease was renewed.

Throws:

IllegalArgumentException - if the secret was not previously registered.

IllegalStateException - if there's no Lease associated with the secret or the secret is not qualified for renewal.

Since:

2.2

rotate

public void rotate(RequestedSecret secret)

Rotate a secret.

Parameters:

secret - the secret' to rotate.

Throws:

IllegalArgumentException - if the secret was not previously registered.

IllegalStateException - if there's no Lease associated with the secret or the secret is not qualified for rotation.

Since:

2.2

doGetSecrets

@Nullable
protected VaultResponseSupport<Map<String,Object>> doGetSecrets(RequestedSecret requestedSecret)

Retrieve secrets from VaultOperations.

Parameters:

requestedSecret - the RequestedSecret providing the secret path.

Returns:

the response.

doRenewLease

protected Lease doRenewLease(RequestedSecret requestedSecret,
 Lease lease)

Renew a Lease for a RequestedSecret.

Parameters:

requestedSecret - the requested secret.

lease - the lease.

Returns:

the new lease or null if expired/secret cannot be rotated.

onLeaseExpired

protected void onLeaseExpired(RequestedSecret requestedSecret,
 Lease lease)

Hook method called when a Lease expires. The default implementation is to notify LeaseListener. Implementations can override this method in subclasses.

Overrides:

onLeaseExpired in class SecretLeaseEventPublisher

Parameters:

requestedSecret - must not be null.

lease - must not be null.

See Also:

• SecretLeaseExpiredEvent

doRevokeLease

protected void doRevokeLease(RequestedSecret requestedSecret,
 Lease lease)

Revoke the Lease.

Parameters:

requestedSecret - must not be null.

lease - must not be null.