AppRoleClientAuthenticationProvider.java
/*
* Copyright 2018-2019 the original author or authors.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* https://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package org.springframework.cloud.config.server.environment.vault.authentication;
import org.springframework.cloud.config.server.environment.VaultEnvironmentProperties;
import org.springframework.cloud.config.server.environment.VaultEnvironmentProperties.AuthenticationMethod;
import org.springframework.cloud.config.server.environment.vault.SpringVaultClientAuthenticationProvider;
import org.springframework.util.StringUtils;
import org.springframework.vault.authentication.AppRoleAuthentication;
import org.springframework.vault.authentication.AppRoleAuthenticationOptions;
import org.springframework.vault.authentication.ClientAuthentication;
import org.springframework.vault.support.VaultToken;
import org.springframework.web.client.RestOperations;
public class AppRoleClientAuthenticationProvider extends SpringVaultClientAuthenticationProvider {
public AppRoleClientAuthenticationProvider() {
super(AuthenticationMethod.APPROLE);
}
@Override
public ClientAuthentication getClientAuthentication(VaultEnvironmentProperties vaultProperties,
RestOperations vaultRestOperations, RestOperations externalRestOperations) {
AppRoleAuthenticationOptions options = getAppRoleAuthenticationOptions(vaultProperties);
return new AppRoleAuthentication(options, vaultRestOperations);
}
static AppRoleAuthenticationOptions getAppRoleAuthenticationOptions(VaultEnvironmentProperties vaultProperties) {
VaultEnvironmentProperties.AppRoleProperties appRole = vaultProperties.getAppRole();
AppRoleAuthenticationOptions.AppRoleAuthenticationOptionsBuilder builder = AppRoleAuthenticationOptions
.builder().path(appRole.getAppRolePath());
if (StringUtils.hasText(appRole.getRole())) {
builder.appRole(appRole.getRole());
}
AppRoleAuthenticationOptions.RoleId roleId = getRoleId(vaultProperties, appRole);
AppRoleAuthenticationOptions.SecretId secretId = getSecretId(vaultProperties, appRole);
builder.roleId(roleId).secretId(secretId);
return builder.build();
}
private static AppRoleAuthenticationOptions.RoleId getRoleId(VaultEnvironmentProperties vaultProperties,
VaultEnvironmentProperties.AppRoleProperties appRole) {
if (StringUtils.hasText(appRole.getRoleId())) {
return AppRoleAuthenticationOptions.RoleId.provided(appRole.getRoleId());
}
if (StringUtils.hasText(vaultProperties.getToken()) && StringUtils.hasText(appRole.getRole())) {
return AppRoleAuthenticationOptions.RoleId.pull(VaultToken.of(vaultProperties.getToken()));
}
if (StringUtils.hasText(vaultProperties.getToken())) {
return AppRoleAuthenticationOptions.RoleId.wrapped(VaultToken.of(vaultProperties.getToken()));
}
throw new IllegalArgumentException("Any of '" + VAULT_PROPERTIES_PREFIX + "app-role.role-id', '.token', "
+ "or '.app-role.role' and '.token' must be provided if the " + AuthenticationMethod.APPROLE
+ " authentication method is specified.");
}
private static AppRoleAuthenticationOptions.SecretId getSecretId(VaultEnvironmentProperties vaultProperties,
VaultEnvironmentProperties.AppRoleProperties appRole) {
if (StringUtils.hasText(appRole.getSecretId())) {
return AppRoleAuthenticationOptions.SecretId.provided(appRole.getSecretId());
}
if (StringUtils.hasText(vaultProperties.getToken()) && StringUtils.hasText(appRole.getRole())) {
return AppRoleAuthenticationOptions.SecretId.pull(VaultToken.of(vaultProperties.getToken()));
}
if (StringUtils.hasText(vaultProperties.getToken())) {
return AppRoleAuthenticationOptions.SecretId.wrapped(VaultToken.of(vaultProperties.getToken()));
}
return AppRoleAuthenticationOptions.SecretId.absent();
}
}