Package org.springframework.vault.core.lease

Class SecretLeaseContainer

java.lang.Object
org.springframework.vault.core.lease.SecretLeaseEventPublisher
org.springframework.vault.core.lease.SecretLeaseContainer
All Implemented Interfaces:
DisposableBean, InitializingBean, Lifecycle, Phased, SmartLifecycle, SecretsRegistry
public class SecretLeaseContainer extends SecretLeaseEventPublisher implements SecretsRegistry, InitializingBean, DisposableBean, SmartLifecycle
Event-based container to request secrets from Vault and renew the associated Lease. Secrets can be rotated, depending on the requested RequestedSecret.getMode(). Usage examples: 
 SecretLeaseContainer container = new SecretLeaseContainer(vaultOperations,
                taskScheduler);
 RequestedSecret requestedSecret = container
                .requestRotatingSecret("mysql/creds/my-role");
 container.addLeaseListener(new LeaseListenerAdapter() {
        @Override
        public void onLeaseEvent(SecretLeaseEvent secretLeaseEvent) {
                if (requestedSecret.equals(secretLeaseEvent.getSource())) {
                        if (secretLeaseEvent instanceof SecretLeaseCreatedEvent) {
                        }
                        if (secretLeaseEvent instanceof SecretLeaseExpiredEvent) {
                        }
                }
        }
 });
 container.afterPropertiesSet();
 container.start(); // events are triggered after starting the container
 
 SecretLeaseContainer container = new SecretLeaseContainer(vaultOperations,
                taskScheduler);
 ManagedSecret managedSecret = ManagedSecret.rotating("mysql/creds/my-role", secret -> secret.getRequiredString("key"));
 managedSecret.register(container);
 container.afterPropertiesSet();
 container.start(); // events are triggered after starting the container

This container keeps track over RequestedSecrets and requests secrets upon start(). Leases qualified for renewal are renewed by this container applying minRenewalSeconds/expiryThresholdSeconds on a background thread. The container manages unique RequestedSecret registrations and so multiple registrations of the same RequestedSecret are considered as one registration.

Requests for secrets can define either renewal or rotation. The container renews leases until expiry. Rotating secrets renew their associated lease until expiry and request new secrets after expiry. Vault requires active interaction from a caller side to determine a secret is expired. Vault does not send any events. Expired secrets events can dispatch later than the actual expiry.

The container dispatches lease events to LeaseListener and LeaseErrorListener. Event notifications are dispatched either on the starting Thread or worker threads used for background renewal.

Instances are thread-safe once initialized.

Author:
Mark Paluch, Steven Swor, Erik Lindblom
See Also:

  • Field Details

  • Constructor Details

    • SecretLeaseContainer

      public SecretLeaseContainer(VaultOperations operations)
      Create a new SecretLeaseContainer given VaultOperations.
      Parameters:
      operations - must not be null.

    • SecretLeaseContainer

      public SecretLeaseContainer(VaultOperations operations, TaskScheduler taskScheduler)
      Create a new SecretLeaseContainer given VaultOperations and TaskScheduler.
      Parameters:
      operations - must not be null.
      taskScheduler - must not be null.

  • Method Details

    • getAuthenticationListener

      public AuthenticationListener getAuthenticationListener()
      Return the AuthenticationListener to listen for login token events.
      Returns:
      the AuthenticationListener to listen for login token events.
      Since:
      3.1

    • getAuthenticationErrorListener

      public AuthenticationErrorListener getAuthenticationErrorListener()
      Return the AuthenticationListener to listen for login token error events.
      Returns:
      the AuthenticationListener to listen for login token error events
      Since:
      3.1

    • setLeaseEndpoints

      public void setLeaseEndpoints(LeaseEndpoints leaseEndpoints)
      Set the LeaseEndpoints to delegate renewal/revocation calls to. LeaseEndpoints encapsulates differences between Vault versions that affect the location of renewal/revocation endpoints.
      Parameters:
      leaseEndpoints - must not be null.
      Since:
      2.1
      See Also:

    • setMinRenewal

      public void setMinRenewal(Duration minRenewal)
      Sets the amount Duration that is at least required before renewing a lease. minRenewal prevents renewals from happening too often.
      Parameters:
      minRenewal - duration that is at least required before renewing a Lease, must not be null or negative.
      Since:
      2.0

    • setExpiryPredicate

      public void setExpiryPredicate(Predicate<Lease> isExpired)
      Sets the Predicate to determine whether a Lease is expired. Defaults to comparing whether a lease has no identifier, its remaining TTL is zero or less or equal to minRenewal.
      Since:
      3.2

    • setExpiryThreshold

      public void setExpiryThreshold(Duration expiryThreshold)
      Set the expiry threshold. A Lease is renewed the given time before it expires.
      Parameters:
      expiryThreshold - duration before Lease expiry, must not be null or negative.
      Since:
      2.0

    • getMinRenewalSeconds

      public int getMinRenewalSeconds()

    • getMinRenewal

      public Duration getMinRenewal()
      Returns:
      minimum renewal timeout.
      Since:
      2.0

    • getExpiryThresholdSeconds

      public int getExpiryThresholdSeconds()

    • getExpiryThreshold

      public Duration getExpiryThreshold()
      Returns:
      expiry threshold.
      Since:
      2.0

    • setLeaseStrategy

      public void setLeaseStrategy(LeaseStrategy leaseStrategy)
      Set the LeaseStrategy for lease renewal error handling.
      Parameters:
      leaseStrategy - the LeaseStrategy, must not be null.
      Since:
      2.2

    • setTaskScheduler

      public void setTaskScheduler(TaskScheduler taskScheduler)
      Sets the TaskScheduler to use for scheduling and execution of lease renewals.
      Parameters:
      taskScheduler - must not be null.

    • register

      public void register(RequestedSecret secret)
      Description copied from interface: SecretsRegistry
      Register a RequestedSecret with the registry.

      Subsequent registrations of the same RequestedSecret are considered as a single registration and the secret will be managed only once.

      Specified by:
      register in interface SecretsRegistry
      Parameters:
      secret - the requested secret to be managed.

    • register

      public void register(RequestedSecret secret, LeaseListener listener)
      Description copied from interface: SecretsRegistry
      Register a RequestedSecret with the registry with an associated LeaseListener.

      Subsequent registrations of the same RequestedSecret are considered as a single registration and the secret will be managed only once. A requested secret that has been already been registered and activated by the container will not lead to emission of a new SecretLeaseCreatedEvent with the previous secrets body but rather only to future events such as rotations or renewals.

      Specified by:
      register in interface SecretsRegistry
      Parameters:
      secret - the requested secret to be managed.
      listener - listener to associate with the requested secret. The listener will be notified only with events concerning the requested secret.

    • unregister

      public boolean unregister(RequestedSecret secret)
      Description copied from interface: SecretsRegistry
      Unregister the RequestedSecret from the registry. Removing the secret stops lease renewals and secret rotations, and it removes listener registrations that were associated with the secret registration.
      Specified by:
      unregister in interface SecretsRegistry
      Parameters:
      secret - the secret to be deregistered.
      Returns:
      true if the secret was registered before and has been removed; false otherwise.

    • requestRenewableSecret

      public RequestedSecret requestRenewableSecret(String path)
      Request a renewable secret at path.
      Parameters:
      path - must not be null or empty.
      Returns:
      the RequestedSecret.

    • requestRotatingSecret

      public RequestedSecret requestRotatingSecret(String path)
      Request a rotating secret at path.
      Parameters:
      path - must not be null or empty.
      Returns:
      the RequestedSecret.

    • addRequestedSecret

      public RequestedSecret addRequestedSecret(RequestedSecret requestedSecret)
      Add a RequestedSecret.

      Subsequent registrations of the same RequestedSecret are considered as a single registration and the secret will be managed only once. A requested secret that has been already been registered and activated by the container will not lead to emission of a new SecretLeaseCreatedEvent with the previous secrets body but rather only to future events such as rotations or renewals.

      Parameters:
      requestedSecret - must not be null.

    • start

      public void start()
      Start the SecretLeaseContainer. Starting the container will initially obtain secrets and leases for the requested secrets. A started container publishes events through LeaseListener. Additional secrets can be requested at any time.

      Multiple calls are synchronized to start the container only once. Container start requires initialization and cannot be started once the container was destroyed.

      Specified by:
      start in interface Lifecycle
      See Also:

    • stop

      public void stop()
      Stop the SecretLeaseContainer. Stopping the container will stop lease renewal, secrets rotation and event publishing. Active leases are not expired.

      Multiple calls are synchronized to stop the container only once.

      Specified by:
      stop in interface Lifecycle
      See Also:

    • isRunning

      public boolean isRunning()
      Specified by:
      isRunning in interface Lifecycle

    • getPhase

      public int getPhase()
      Specified by:
      getPhase in interface Phased
      Specified by:
      getPhase in interface SmartLifecycle

    • afterPropertiesSet

      public void afterPropertiesSet()
      Specified by:
      afterPropertiesSet in interface InitializingBean
      Overrides:
      afterPropertiesSet in class SecretLeaseEventPublisher

    • destroy

      public void destroy() throws Exception
      Shutdown this SecretLeaseContainer, disable lease renewal and revoke leases.
      Specified by:
      destroy in interface DisposableBean
      Throws:
      Exception
      See Also:

    • renew

      public boolean renew(RequestedSecret secret)
      Renew a secret.
      Parameters:
      secret - the secret' to renew.
      Returns:
      true if the lease was renewed.
      Throws:
      IllegalArgumentException - if the secret was not previously registered.
      IllegalStateException - if there's no Lease associated with the secret or the secret is not qualified for renewal.
      Since:
      2.2

    • rotate

      public void rotate(RequestedSecret secret)
      Rotate a secret.
      Parameters:
      secret - the secret' to rotate.
      Throws:
      IllegalArgumentException - if the secret was not previously registered.
      IllegalStateException - if there's no Lease associated with the secret or the secret is not qualified for rotation.
      Since:
      2.2

    • doGetSecrets

      protected @Nullable VaultResponseSupport<Map<String,Object>> doGetSecrets(RequestedSecret requestedSecret)
      Retrieve secrets from VaultOperations.
      Parameters:
      requestedSecret - the RequestedSecret providing the secret path.
      Returns:
      the response.

    • doRenewLease

      protected Lease doRenewLease(RequestedSecret requestedSecret, Lease lease)
      Renew a Lease for a RequestedSecret.
      Parameters:
      requestedSecret - the requested secret.
      lease - the lease.
      Returns:
      the new lease or null if expired/secret cannot be rotated.

    • onLeaseExpired

      protected void onLeaseExpired(RequestedSecret requestedSecret, Lease lease)
      Hook method called when a Lease expires. The default implementation is to notify LeaseListener. Implementations can override this method in subclasses.
      Overrides:
      onLeaseExpired in class SecretLeaseEventPublisher
      Parameters:
      requestedSecret - must not be null.
      lease - must not be null.
      See Also:

    • doRevokeLease

      protected void doRevokeLease(RequestedSecret requestedSecret, Lease lease)
      Revoke the Lease.
      Parameters:
      requestedSecret - must not be null.
      lease - must not be null.