FilesKeystoreVaultProvider.java
package org.keycloak.vault;
import java.nio.ByteBuffer;
import org.jboss.logging.Logger;
import jakarta.annotation.Nonnull;
import java.io.IOException;
import java.lang.invoke.MethodHandles;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.Key;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.UnrecoverableEntryException;
import java.security.cert.CertificateException;
import java.util.List;
import java.util.Optional;
public class FilesKeystoreVaultProvider extends AbstractVaultProvider {
private static final Logger logger = Logger.getLogger(MethodHandles.lookup().lookupClass());
private final Path keystorePath;
private final String keystorePass;
private final String keystoreType;
/**
* Creates a new {@link FilesKeystoreVaultProvider}.
*
* @param keystorePath A path to a vault. Can not be null.
* @param keystorePass A password to a vault. Can not be null.
* @param keystoreType Specifies a type of keystore. Can not be null. Default value is PKCS12.
* @param realmName A realm name. Can not be null.
*/
public FilesKeystoreVaultProvider(@Nonnull Path keystorePath, @Nonnull String keystorePass, @Nonnull String keystoreType,
@Nonnull String realmName, @Nonnull List<VaultKeyResolver> resolvers) {
super(realmName, resolvers);
this.keystorePath = keystorePath;
this.keystorePass = keystorePass;
this.keystoreType = keystoreType;
logger.debugf("KeystoreVaultProvider will operate in %s directory", keystorePath.toAbsolutePath());
}
@Override
protected VaultRawSecret obtainSecretInternal(String alias) {
KeyStore ks;
Key key;
try {
if (!Files.exists(keystorePath.toRealPath())) {
throw new VaultNotFoundException("The keystore file for Keycloak Vault was not found");
}
ks = KeyStore.getInstance(keystoreType);
ks.load(Files.newInputStream(keystorePath.toRealPath()), keystorePass.toCharArray());
key = ks.getKey(alias, keystorePass.toCharArray());
if (key == null) {
logger.warnf("Cannot find secret %s in %s", alias, keystorePath);
return DefaultVaultRawSecret.forBuffer(Optional.empty());
}
} catch (KeyStoreException | IOException | CertificateException | NoSuchAlgorithmException | UnrecoverableEntryException e) {
throw new RuntimeException(e);
}
return DefaultVaultRawSecret.forBuffer(Optional.of(ByteBuffer.wrap(new String(key.getEncoded()).getBytes())));
}
@Override
public void close() {
}
}