├── settings.gradle ├── bin ├── gradle │ └── wrapper │ │ ├── gradle-wrapper.jar │ │ └── gradle-wrapper.properties ├── setupVaultServer.sh ├── go ├── release-snapshot.sh ├── gradlew.bat └── gradlew ├── .gitignore ├── example ├── src │ ├── main │ │ ├── resources │ │ │ └── application.properties │ │ └── java │ │ │ └── de │ │ │ └── otto │ │ │ └── edison │ │ │ └── vault │ │ │ └── example │ │ │ ├── ExampleApplication.java │ │ │ ├── ExampleBean.java │ │ │ ├── ExampleConfiguration.java │ │ │ └── ExampleConfigurationProperties.java │ └── test │ │ └── java │ │ └── de │ │ └── otto │ │ └── edison │ │ └── vault │ │ └── example │ │ └── ExampleApplicationTests.java └── build.gradle ├── dependencies.gradle ├── .travis.yml ├── src ├── main │ └── java │ │ └── de │ │ └── otto │ │ └── edison │ │ └── vault │ │ ├── VaultPropertySourcePostProcessor.java │ │ ├── VaultPropertySource.java │ │ ├── VaultClient.java │ │ ├── VaultTokenReader.java │ │ └── ConfigProperties.java └── test │ └── java │ └── de │ └── otto │ └── edison │ └── vault │ ├── ConfigPropertiesTest.java │ ├── VaultPropertySourceTest.java │ ├── VaultTokenReaderTest.java │ └── VaultClientTest.java ├── README.md └── LICENSE /settings.gradle: -------------------------------------------------------------------------------- 1 | include 'example' 2 | rootProject.name = 'edison-vault' 3 | -------------------------------------------------------------------------------- /bin/gradle/wrapper/gradle-wrapper.jar: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/otto-de-legacy/edison-vault/master/bin/gradle/wrapper/gradle-wrapper.jar -------------------------------------------------------------------------------- /bin/gradle/wrapper/gradle-wrapper.properties: -------------------------------------------------------------------------------- 1 | #Wed Nov 11 16:26:55 CET 2015 2 | distributionBase=GRADLE_USER_HOME 3 | distributionPath=wrapper/dists 4 | zipStoreBase=GRADLE_USER_HOME 5 | zipStorePath=wrapper/dists 6 | distributionUrl=https\://services.gradle.org/distributions/gradle-2.8-bin.zip 7 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | *.class 2 | 3 | # Mobile Tools for Java (J2ME) 4 | .mtj.tmp/ 5 | 6 | # Package Files # 7 | *.jar 8 | *.war 9 | *.ear 10 | 11 | # virtual machine crash logs, see http://www.java.com/en/download/help/error_hotspot.xml 12 | hs_err_pid* 13 | *.iml 14 | *.ipr 15 | *.iws 16 | build 17 | .gradle/ 18 | out/ 19 | gradle.properties 20 | -------------------------------------------------------------------------------- /example/src/main/resources/application.properties: -------------------------------------------------------------------------------- 1 | edison.vault.enabled=true 2 | edison.vault.base-url=http://127.0.0.1:8200 3 | edison.vault.token-source=login 4 | edison.vault.enableconfigurer=true 5 | edison.vault.secret-path=/secret 6 | edison.vault.appid=test-app-id 7 | edison.vault.userid=test-user-id 8 | edison.vault.properties=keyOne.value,keyTwo.value,keyThree.value,test.config.one,test.config.two,test.config.three -------------------------------------------------------------------------------- /example/src/main/java/de/otto/edison/vault/example/ExampleApplication.java: -------------------------------------------------------------------------------- 1 | package de.otto.edison.vault.example; 2 | 3 | import org.springframework.boot.SpringApplication; 4 | import org.springframework.boot.autoconfigure.SpringBootApplication; 5 | import org.springframework.context.annotation.ComponentScan; 6 | 7 | @ComponentScan("de.otto.edison.vault") 8 | @SpringBootApplication 9 | public class ExampleApplication { 10 | public static void main(String[] args) { 11 | SpringApplication.run(ExampleApplication.class, args); 12 | } 13 | } 14 | -------------------------------------------------------------------------------- /bin/setupVaultServer.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | wget https://releases.hashicorp.com/vault/0.3.1/vault_0.3.1_linux_386.zip 4 | unzip vault_0.3.1_linux_386.zip 5 | ./vault server -dev & 6 | 7 | export VAULT_ADDR='http://127.0.0.1:8200' 8 | sleep 1 9 | 10 | ./vault auth-enable app-id 11 | ./vault write auth/app-id/map/app-id/test-app-id value=root display_name=foo 12 | ./vault write auth/app-id/map/user-id/test-user-id value=test-app-id 13 | 14 | ./vault write secret/keyOne value=secretNumberOne 15 | ./vault write secret/keyTwo value=secretNumberTwo 16 | ./vault write secret/keyThree value=secretNumberThree 17 | 18 | ./vault write secret/test/config one=1 two=2 three=3 19 | -------------------------------------------------------------------------------- /example/src/main/java/de/otto/edison/vault/example/ExampleBean.java: -------------------------------------------------------------------------------- 1 | package de.otto.edison.vault.example; 2 | 3 | public class ExampleBean { 4 | 5 | private final String one; 6 | private final String two; 7 | private final String three; 8 | 9 | public ExampleBean(final String one, final String two, final String three) { 10 | this.one = one; 11 | this.two = two; 12 | this.three = three; 13 | } 14 | 15 | public String getOne() { 16 | return one; 17 | } 18 | 19 | public String getTwo() { 20 | return two; 21 | } 22 | 23 | public String getThree() { 24 | return three; 25 | } 26 | } 27 | -------------------------------------------------------------------------------- /dependencies.gradle: -------------------------------------------------------------------------------- 1 | ext.libraries = [ 2 | test : [ 3 | "org.testng:testng:6.8.1", 4 | "org.hamcrest:hamcrest-all:1.3", 5 | "org.mockito:mockito-core:1.10.19", 6 | 'org.powermock:powermock-api-mockito:1.6.3', 7 | 'org.powermock:powermock-module-testng:1.6.3', 8 | 'org.springframework:spring-test:4.2.5.RELEASE' 9 | ], 10 | asyncHttp: ["org.asynchttpclient:async-http-client:2.0.36"], 11 | gson : ['com.google.code.gson:gson:2.6.2'], 12 | spring : [ 13 | "org.springframework:spring-context:4.2.5.RELEASE", 14 | "org.springframework.boot:spring-boot-autoconfigure:1.3.3.RELEASE" 15 | ] 16 | ] 17 | -------------------------------------------------------------------------------- /example/src/main/java/de/otto/edison/vault/example/ExampleConfiguration.java: -------------------------------------------------------------------------------- 1 | package de.otto.edison.vault.example; 2 | 3 | import org.springframework.beans.factory.annotation.Autowired; 4 | import org.springframework.boot.context.properties.EnableConfigurationProperties; 5 | import org.springframework.context.annotation.Bean; 6 | import org.springframework.context.annotation.Configuration; 7 | 8 | @Configuration 9 | @EnableConfigurationProperties(ExampleConfigurationProperties.class) 10 | public class ExampleConfiguration { 11 | 12 | @Autowired 13 | private ExampleConfigurationProperties properties; 14 | 15 | @Bean 16 | public ExampleBean exampleBean() { 17 | return new ExampleBean(properties.getOne(), properties.getTwo(), properties.getThree()); 18 | } 19 | } 20 | -------------------------------------------------------------------------------- /example/build.gradle: -------------------------------------------------------------------------------- 1 | buildscript { 2 | ext { 3 | springBootVersion = '1.2.7.RELEASE' 4 | } 5 | repositories { 6 | mavenCentral() 7 | } 8 | dependencies { 9 | classpath("org.springframework.boot:spring-boot-gradle-plugin:${springBootVersion}") 10 | } 11 | } 12 | 13 | apply plugin: 'java' 14 | apply plugin: 'idea' 15 | apply plugin: 'spring-boot' 16 | 17 | jar { 18 | baseName = 'example' 19 | } 20 | 21 | sourceCompatibility = 1.8 22 | targetCompatibility = 1.8 23 | 24 | repositories { 25 | mavenCentral() 26 | } 27 | 28 | dependencies { 29 | //compile rootProject 30 | compile rootProject 31 | // testCompile project(":testsupport") 32 | compile('org.springframework.boot:spring-boot-starter') 33 | testCompile('org.springframework.boot:spring-boot-starter-test') 34 | } -------------------------------------------------------------------------------- /example/src/main/java/de/otto/edison/vault/example/ExampleConfigurationProperties.java: -------------------------------------------------------------------------------- 1 | package de.otto.edison.vault.example; 2 | 3 | import org.springframework.boot.context.properties.ConfigurationProperties; 4 | 5 | @ConfigurationProperties(prefix = "test.config") 6 | public class ExampleConfigurationProperties { 7 | 8 | private String one; 9 | private String two; 10 | private String three; 11 | 12 | public String getOne() { 13 | return one; 14 | } 15 | 16 | public void setOne(final String one) { 17 | this.one = one; 18 | } 19 | 20 | public String getTwo() { 21 | return two; 22 | } 23 | 24 | public void setTwo(final String two) { 25 | this.two = two; 26 | } 27 | 28 | public String getThree() { 29 | return three; 30 | } 31 | 32 | public void setThree(final String three) { 33 | this.three = three; 34 | } 35 | } 36 | -------------------------------------------------------------------------------- /.travis.yml: -------------------------------------------------------------------------------- 1 | language: java 2 | jdk: 3 | - oraclejdk8 4 | install: /bin/true # skip gradle assemble 5 | before_install: 6 | - wget https://releases.hashicorp.com/vault/0.3.1/vault_0.3.1_linux_386.zip 7 | - unzip vault_0.3.1_linux_386.zip 8 | - ./vault server -dev & 9 | - sleep 1 10 | - VAULT_ADDR='http://127.0.0.1:8200' ./vault auth-enable app-id 11 | - VAULT_ADDR='http://127.0.0.1:8200' ./vault write auth/app-id/map/app-id/test-app-id value=root display_name=foo 12 | - VAULT_ADDR='http://127.0.0.1:8200' ./vault write auth/app-id/map/user-id/test-user-id value=test-app-id 13 | - VAULT_ADDR='http://127.0.0.1:8200' ./vault write secret/keyOne value=secretNumberOne 14 | - VAULT_ADDR='http://127.0.0.1:8200' ./vault write secret/keyTwo value=secretNumberTwo 15 | - VAULT_ADDR='http://127.0.0.1:8200' ./vault write secret/keyThree value=secretNumberThree 16 | - VAULT_ADDR='http://127.0.0.1:8200' ./vault write secret/test/config one=1 two=2 three=3 17 | - echo "sonatypeUsername=someUsername" > gradle.properties 18 | - echo "sonatypePassword=somePassword" >> gradle.properties 19 | script: ./bin/gradlew check 20 | -------------------------------------------------------------------------------- /bin/go: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | b=`tput bold` 4 | nb=`tput sgr0` 5 | SCRIPT_DIR=$(dirname $0) 6 | 7 | export JAVA_OPTS="-Xms64m -Xmx256m -XX:+UseG1GC" 8 | 9 | function echob { 10 | echo "${b}${1}${nb}" 11 | } 12 | 13 | function ensure_requirements { 14 | command -v ${SCRIPT_DIR}/gradlew >/dev/null 2>&1 || { echob "ERROR: gradlew not in PATH. Aborting."; exit 1; } 15 | } 16 | 17 | function release { 18 | ${SCRIPT_DIR}/release-snapshot.sh 19 | } 20 | 21 | function help { 22 | echo "usage: $0 23 | task can be: 24 | help -- This help message 25 | release -- Release new SNAPSHOT 26 | check -- Run all tests 27 | clean -- Clean working directory 28 | cleanIdea -- Remove IntelliJ IDEA files 29 | idea -- Generate files for IntelliJ IDEA 30 | 31 | -- Anything else accepted by gradlew 32 | " 33 | } 34 | 35 | ensure_requirements 36 | 37 | if [ "$1" == "help" ]; then 38 | help 39 | elif [ "$1" == "release" ]; then 40 | release 41 | elif [ -z "$1" ]; then 42 | ${SCRIPT_DIR}/gradlew clean check 43 | else 44 | ${SCRIPT_DIR}/gradlew $* 45 | fi 46 | 47 | 48 | -------------------------------------------------------------------------------- /bin/release-snapshot.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | set -e 4 | 5 | USER_GRADLE_PROPERTIES=~/.gradle/gradle.properties 6 | SCRIPT_DIR=$(dirname $0) 7 | 8 | check_configured() { 9 | grep -q $1 ${USER_GRADLE_PROPERTIES} || echo "$1 not configured in ${USER_GRADLE_PROPERTIES}. $2" 10 | } 11 | 12 | check_configuration() { 13 | if [ ! -f ${USER_GRADLE_PROPERTIES} ]; then 14 | echo "${USER_GRADLE_PROPERTIES} does not exist" 15 | exit 1 16 | fi 17 | 18 | check_configured "sonatypeUsername" "This is the username you use to authenticate with sonatype nexus (e.g. otto-de)" 19 | check_configured "sonatypePassword" "This is the password you use to authenticate with sonatype nexus (ask Guido or one of the developers)" 20 | check_configured "signing.secretKeyRingFile" "This is the gpg secret key file, e.g. ~/.gnupg/secring.gpg. If this doesn't exist, generate a key: gpg --gen-key" 21 | check_configured "signing.keyId" "This is the id of your key (e.g. 72FE5380). Use gpg --list-keys to find yours" 22 | check_configured "signing.password" "This is the password you defined for your gpg key" 23 | } 24 | 25 | check_configuration 26 | 27 | ${SCRIPT_DIR}/gradlew doRelease 28 | -------------------------------------------------------------------------------- /example/src/test/java/de/otto/edison/vault/example/ExampleApplicationTests.java: -------------------------------------------------------------------------------- 1 | package de.otto.edison.vault.example; 2 | 3 | import org.junit.Test; 4 | import org.junit.runner.RunWith; 5 | import org.springframework.beans.factory.annotation.Autowired; 6 | import org.springframework.beans.factory.annotation.Value; 7 | import org.springframework.boot.test.SpringApplicationConfiguration; 8 | import org.springframework.context.annotation.ComponentScan; 9 | import org.springframework.test.context.junit4.SpringJUnit4ClassRunner; 10 | 11 | import static org.hamcrest.MatcherAssert.assertThat; 12 | import static org.hamcrest.core.Is.is; 13 | 14 | @ComponentScan("de.otto.edison.vault") 15 | @RunWith(SpringJUnit4ClassRunner.class) 16 | @SpringApplicationConfiguration(classes = ExampleApplication.class) 17 | public class ExampleApplicationTests { 18 | 19 | @Value("${keyOne.value}") 20 | private String secretOne; 21 | 22 | @Value("${keyTwo.value}") 23 | private String secretTwo; 24 | 25 | @Value("${keyThree.value}") 26 | private String secretThree; 27 | 28 | @Autowired 29 | ExampleBean exampleBean; 30 | 31 | @Test 32 | public void shouldHaveWiredValuesForValueProcessing() { 33 | assertThat(secretOne, is("secretNumberOne")); 34 | assertThat(secretTwo, is("secretNumberTwo")); 35 | assertThat(secretThree, is("secretNumberThree")); 36 | } 37 | 38 | @Test 39 | public void shouldHaveWiredValuesForConfigurationProcessing() { 40 | assertThat(exampleBean.getOne(), is("1")); 41 | assertThat(exampleBean.getTwo(), is("2")); 42 | assertThat(exampleBean.getThree(), is("3")); 43 | } 44 | } 45 | -------------------------------------------------------------------------------- /src/main/java/de/otto/edison/vault/VaultPropertySourcePostProcessor.java: -------------------------------------------------------------------------------- 1 | package de.otto.edison.vault; 2 | 3 | import org.slf4j.Logger; 4 | import org.slf4j.LoggerFactory; 5 | import org.springframework.beans.BeansException; 6 | import org.springframework.beans.factory.config.BeanFactoryPostProcessor; 7 | import org.springframework.beans.factory.config.ConfigurableListableBeanFactory; 8 | import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty; 9 | import org.springframework.context.EnvironmentAware; 10 | import org.springframework.core.env.ConfigurableEnvironment; 11 | import org.springframework.core.env.Environment; 12 | import org.springframework.core.env.MutablePropertySources; 13 | import org.springframework.stereotype.Component; 14 | 15 | /** 16 | * Adds a new vault property source at the end of all property sources. 17 | */ 18 | @Component 19 | @ConditionalOnProperty(prefix = "edison.vault", name = "enableconfigurer", matchIfMissing = true) 20 | public class VaultPropertySourcePostProcessor implements BeanFactoryPostProcessor, EnvironmentAware { 21 | 22 | private ConfigProperties configProperties; 23 | 24 | @Override 25 | public void postProcessBeanFactory(final ConfigurableListableBeanFactory beanFactory) throws BeansException { 26 | final ConfigurableEnvironment env = beanFactory.getBean(ConfigurableEnvironment.class); 27 | final MutablePropertySources propertySources = env.getPropertySources(); 28 | propertySources.addLast(new VaultPropertySource("vaultPropertySource", configProperties)); 29 | } 30 | 31 | @Override 32 | public void setEnvironment(final Environment environment) { 33 | this.configProperties = new ConfigProperties(environment); 34 | } 35 | 36 | } 37 | -------------------------------------------------------------------------------- /src/test/java/de/otto/edison/vault/ConfigPropertiesTest.java: -------------------------------------------------------------------------------- 1 | package de.otto.edison.vault; 2 | 3 | import org.hamcrest.Matchers; 4 | import org.springframework.core.env.Environment; 5 | import org.testng.annotations.Test; 6 | 7 | import static org.hamcrest.MatcherAssert.assertThat; 8 | import static org.hamcrest.Matchers.hasItems; 9 | import static org.hamcrest.Matchers.hasSize; 10 | import static org.hamcrest.core.Is.is; 11 | import static org.mockito.Mockito.mock; 12 | import static org.mockito.Mockito.when; 13 | 14 | public class ConfigPropertiesTest { 15 | 16 | @Test 17 | public void shouldHaveConfigValues() throws Exception { 18 | // Given 19 | Environment environment = mock(Environment.class); 20 | when(environment.getProperty("edison.vault.enabled")).thenReturn("true"); 21 | when(environment.getProperty("edison.vault.base-url")).thenReturn("someBaseUrl"); 22 | when(environment.getProperty("edison.vault.secret-path")).thenReturn("someSecretPath"); 23 | when(environment.getProperty("edison.vault.properties")).thenReturn("keyOne.key1, keyOne, keyTwo, keyThree.value, keyFour.key4"); 24 | when(environment.getProperty("edison.vault.token-source")).thenReturn("file"); 25 | when(environment.getProperty("edison.vault.environment-token")).thenReturn("someEnvVariable"); 26 | when(environment.getProperty("edison.vault.file-token")).thenReturn("someFile"); 27 | when(environment.getProperty("edison.vault.appid")).thenReturn("someAppId"); 28 | when(environment.getProperty("edison.vault.userid")).thenReturn("someUserId"); 29 | 30 | // When 31 | ConfigProperties testee = new ConfigProperties(environment); 32 | 33 | // Then 34 | assertThat(testee.isEnabled(), is(true)); 35 | assertThat(testee.getBaseUrl(), is("someBaseUrl")); 36 | assertThat(testee.getSecretPath(), is("someSecretPath")); 37 | assertThat(testee.getProperties(), Matchers.hasSize(5)); 38 | assertThat(testee.getProperties(), hasItems("keyOne.key1","keyOne", "keyTwo", "keyThree.value", "keyFour.key4")); 39 | assertThat(testee.getTokenSource(), is("file")); 40 | assertThat(testee.getAppId(), is("someAppId")); 41 | assertThat(testee.getUserId(), is("someUserId")); 42 | 43 | } 44 | } -------------------------------------------------------------------------------- /bin/gradlew.bat: -------------------------------------------------------------------------------- 1 | @if "%DEBUG%" == "" @echo off 2 | @rem ########################################################################## 3 | @rem 4 | @rem Gradle startup script for Windows 5 | @rem 6 | @rem ########################################################################## 7 | 8 | @rem Set local scope for the variables with windows NT shell 9 | if "%OS%"=="Windows_NT" setlocal 10 | 11 | @rem Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. 12 | set DEFAULT_JVM_OPTS= 13 | 14 | set DIRNAME=%~dp0 15 | if "%DIRNAME%" == "" set DIRNAME=. 16 | set APP_BASE_NAME=%~n0 17 | set APP_HOME=%DIRNAME% 18 | 19 | @rem Find java.exe 20 | if defined JAVA_HOME goto findJavaFromJavaHome 21 | 22 | set JAVA_EXE=java.exe 23 | %JAVA_EXE% -version >NUL 2>&1 24 | if "%ERRORLEVEL%" == "0" goto init 25 | 26 | echo. 27 | echo ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. 28 | echo. 29 | echo Please set the JAVA_HOME variable in your environment to match the 30 | echo location of your Java installation. 31 | 32 | goto fail 33 | 34 | :findJavaFromJavaHome 35 | set JAVA_HOME=%JAVA_HOME:"=% 36 | set JAVA_EXE=%JAVA_HOME%/bin/java.exe 37 | 38 | if exist "%JAVA_EXE%" goto init 39 | 40 | echo. 41 | echo ERROR: JAVA_HOME is set to an invalid directory: %JAVA_HOME% 42 | echo. 43 | echo Please set the JAVA_HOME variable in your environment to match the 44 | echo location of your Java installation. 45 | 46 | goto fail 47 | 48 | :init 49 | @rem Get command-line arguments, handling Windowz variants 50 | 51 | if not "%OS%" == "Windows_NT" goto win9xME_args 52 | if "%@eval[2+2]" == "4" goto 4NT_args 53 | 54 | :win9xME_args 55 | @rem Slurp the command line arguments. 56 | set CMD_LINE_ARGS= 57 | set _SKIP=2 58 | 59 | :win9xME_args_slurp 60 | if "x%~1" == "x" goto execute 61 | 62 | set CMD_LINE_ARGS=%* 63 | goto execute 64 | 65 | :4NT_args 66 | @rem Get arguments from the 4NT Shell from JP Software 67 | set CMD_LINE_ARGS=%$ 68 | 69 | :execute 70 | @rem Setup the command line 71 | 72 | set CLASSPATH=%APP_HOME%\gradle\wrapper\gradle-wrapper.jar 73 | 74 | @rem Execute Gradle 75 | "%JAVA_EXE%" %DEFAULT_JVM_OPTS% %JAVA_OPTS% %GRADLE_OPTS% "-Dorg.gradle.appname=%APP_BASE_NAME%" -classpath "%CLASSPATH%" org.gradle.wrapper.GradleWrapperMain %CMD_LINE_ARGS% 76 | 77 | :end 78 | @rem End local scope for the variables with windows NT shell 79 | if "%ERRORLEVEL%"=="0" goto mainEnd 80 | 81 | :fail 82 | rem Set variable GRADLE_EXIT_CONSOLE if you need the _script_ return code instead of 83 | rem the _cmd.exe /c_ return code! 84 | if not "" == "%GRADLE_EXIT_CONSOLE%" exit 1 85 | exit /b 1 86 | 87 | :mainEnd 88 | if "%OS%"=="Windows_NT" endlocal 89 | 90 | :omega 91 | -------------------------------------------------------------------------------- /src/main/java/de/otto/edison/vault/VaultPropertySource.java: -------------------------------------------------------------------------------- 1 | package de.otto.edison.vault; 2 | 3 | import static de.otto.edison.vault.VaultClient.vaultClient; 4 | 5 | import java.util.HashMap; 6 | import java.util.Map; 7 | import java.util.Set; 8 | import java.util.stream.Collectors; 9 | 10 | import org.asynchttpclient.DefaultAsyncHttpClient; 11 | import org.slf4j.Logger; 12 | import org.slf4j.LoggerFactory; 13 | import org.springframework.core.env.MapPropertySource; 14 | 15 | public class VaultPropertySource extends MapPropertySource { 16 | 17 | private static final Logger LOG = LoggerFactory.getLogger(VaultPropertySource.class); 18 | 19 | public VaultPropertySource(final String name, final ConfigProperties configProperties) { 20 | super(name, new HashMap<>()); 21 | if (configProperties.isEnabled()) { 22 | loadPropertiesFromVault(createVaultClient(configProperties), configProperties.getProperties()); 23 | } 24 | } 25 | 26 | protected VaultClient createVaultClient(final ConfigProperties configProperties) { 27 | return vaultClient(configProperties, new VaultTokenReader(new DefaultAsyncHttpClient()).readVaultToken(configProperties)); 28 | } 29 | 30 | private void loadPropertiesFromVault(final VaultClient vaultClient, Set properties) { 31 | properties 32 | .stream() 33 | .map(VaultFieldInfo::new) 34 | .collect(Collectors.groupingBy(VaultFieldInfo::getVaultSecretPathName)) 35 | .forEach( 36 | (vaultSecretPath, fields) -> { 37 | final Map vaultFieldValues = vaultClient.readFields(vaultSecretPath); 38 | fields.forEach(field -> { 39 | final String vaultFieldValue = vaultFieldValues.get(field.getVaultFieldName()); 40 | if (vaultFieldValue != null) { 41 | LOG.info("read of value '{}' from vault property '{}' successful", 42 | field.getVaultFieldName(), 43 | field.getVaultSecretPathName()); 44 | source.put(field.getSpringPropertyPath(), vaultFieldValue); 45 | } else { 46 | throw new RuntimeException("unable read value '" + field.getVaultFieldName() + 47 | "' from vault property '" + field.getVaultSecretPathName() + "' - value not found"); 48 | } 49 | }); 50 | }); 51 | } 52 | 53 | private static class VaultFieldInfo { 54 | 55 | private final String vaultSecretPathName; 56 | private final String vaultFieldName; 57 | private final String springPropertyPath; 58 | 59 | VaultFieldInfo(String springPropertyPath) { 60 | final int lastDotIndex = springPropertyPath.lastIndexOf("."); 61 | if (lastDotIndex >= 0) { 62 | this.vaultSecretPathName = springPropertyPath.substring(0, lastDotIndex).replace(".", "/"); 63 | this.vaultFieldName = springPropertyPath.substring(lastDotIndex + 1); 64 | } else { 65 | this.vaultSecretPathName = ""; 66 | this.vaultFieldName = springPropertyPath; 67 | } 68 | this.springPropertyPath = springPropertyPath; 69 | } 70 | 71 | String getVaultSecretPathName() { 72 | return vaultSecretPathName; 73 | } 74 | 75 | String getVaultFieldName() { 76 | return vaultFieldName; 77 | } 78 | 79 | String getSpringPropertyPath() { 80 | return springPropertyPath; 81 | } 82 | } 83 | } 84 | -------------------------------------------------------------------------------- /src/main/java/de/otto/edison/vault/VaultClient.java: -------------------------------------------------------------------------------- 1 | package de.otto.edison.vault; 2 | 3 | import java.nio.charset.Charset; 4 | import java.util.Map; 5 | import java.util.concurrent.ExecutionException; 6 | 7 | import org.asynchttpclient.AsyncHttpClient; 8 | import org.asynchttpclient.DefaultAsyncHttpClient; 9 | import org.asynchttpclient.Response; 10 | import org.slf4j.Logger; 11 | import org.slf4j.LoggerFactory; 12 | import org.springframework.util.StringUtils; 13 | 14 | import com.google.gson.Gson; 15 | 16 | public class VaultClient { 17 | 18 | private static final Logger LOG = LoggerFactory.getLogger(VaultClient.class); 19 | 20 | private final String vaultBaseUrl; 21 | private final String secretPath; 22 | private final String vaultToken; 23 | 24 | protected AsyncHttpClient asyncHttpClient = new DefaultAsyncHttpClient(); 25 | 26 | public static VaultClient vaultClient(final ConfigProperties configProperties, String vaultToken) { 27 | return vaultClient(configProperties.getBaseUrl(), configProperties.getSecretPath(), vaultToken); 28 | } 29 | 30 | public static VaultClient vaultClient(final String vaultBaseUrl, final String secretPath, final String vaultToken) { 31 | return new VaultClient(vaultBaseUrl, secretPath, vaultToken); 32 | } 33 | 34 | private VaultClient(final String vaultBaseUrl, final String secretPath, final String vaultToken) { 35 | this.vaultBaseUrl = removeTrailingSlash(vaultBaseUrl); 36 | this.secretPath = removeLeadingSlash(removeTrailingSlash(secretPath)); 37 | this.vaultToken = vaultToken; 38 | } 39 | 40 | public Map readFields(final String key) { 41 | try { 42 | final StringBuilder urlBuilder = new StringBuilder(); 43 | urlBuilder.append(vaultBaseUrl).append("/v1"); 44 | 45 | if (!StringUtils.isEmpty(secretPath)) { 46 | urlBuilder.append("/").append(secretPath); 47 | } 48 | 49 | if (!StringUtils.isEmpty(key)) { 50 | urlBuilder.append("/").append(key); 51 | } 52 | 53 | final String url = urlBuilder.toString(); 54 | final Response response = asyncHttpClient 55 | .prepareGet(url) 56 | .setHeader("X-Vault-Token", vaultToken) 57 | .execute() 58 | .get(); 59 | if ((response.getStatusCode() != 200)) { 60 | LOG.error("can't read vault property '{}' with token '{}' from url '{}'", key, vaultToken, url); 61 | throw new RuntimeException( 62 | String.format("read of vault property '%s' with token '%s' from url '%s' failed, return code is '%s'", 63 | key, vaultToken, url, response.getStatusCode())); 64 | } 65 | LOG.info("read of vault property '{}' successful", key); 66 | 67 | return extractFields(response.getResponseBody(Charset.forName("utf-8"))); 68 | } catch (ExecutionException | InterruptedException e) { 69 | LOG.error(String.format("extract of vault property '%s' failed", key), e); 70 | throw new RuntimeException(e); 71 | } 72 | } 73 | 74 | private Map extractFields(final String responseBody) { 75 | Map responseMap = new Gson().fromJson(responseBody, Map.class); 76 | return (Map) responseMap.get("data"); 77 | } 78 | 79 | private String removeTrailingSlash(final String url) { 80 | if (url.endsWith("/")) { 81 | return url.substring(0, url.length() - 1); 82 | } 83 | return url; 84 | } 85 | 86 | private String removeLeadingSlash(final String url) { 87 | if (url.startsWith("/")) { 88 | return url.substring(1); 89 | } 90 | return url; 91 | } 92 | } 93 | -------------------------------------------------------------------------------- /src/main/java/de/otto/edison/vault/VaultTokenReader.java: -------------------------------------------------------------------------------- 1 | package de.otto.edison.vault; 2 | 3 | import java.io.File; 4 | import java.io.IOException; 5 | import java.io.UncheckedIOException; 6 | import java.nio.file.Files; 7 | import java.nio.file.Paths; 8 | import java.util.Map; 9 | import java.util.concurrent.ExecutionException; 10 | 11 | import org.asynchttpclient.AsyncHttpClient; 12 | import org.asynchttpclient.Response; 13 | import org.slf4j.Logger; 14 | import org.slf4j.LoggerFactory; 15 | import org.springframework.util.StringUtils; 16 | 17 | import com.google.gson.Gson; 18 | 19 | public class VaultTokenReader { 20 | private static final Logger LOG = LoggerFactory.getLogger(VaultTokenReader.class); 21 | 22 | private final AsyncHttpClient asyncHttpClient; 23 | 24 | public VaultTokenReader(final AsyncHttpClient asyncHttpClient) { 25 | this.asyncHttpClient = asyncHttpClient; 26 | } 27 | 28 | public String readVaultToken(ConfigProperties configProperties) { 29 | if(configProperties.getTokenSource() == null) { 30 | throw new IllegalArgumentException("tokenSource not set"); 31 | } 32 | switch (configProperties.getTokenSource()) { 33 | case "login": 34 | return readTokenFromLogin(configProperties.getBaseUrl(), configProperties.getAppId(), configProperties.getUserId()); 35 | case "file": 36 | String fileToken = configProperties.getFileToken(); 37 | if (StringUtils.isEmpty(fileToken)) { 38 | fileToken = configProperties.getDefaultVaultTokenFileName(); 39 | } 40 | return readTokenFromFile(fileToken); 41 | case "environment": 42 | return readTokenFromEnv(configProperties.getEnvironmentToken()); 43 | default: 44 | throw new IllegalArgumentException("tokenSource is undefined"); 45 | } 46 | } 47 | 48 | protected String readTokenFromFile(String fileName) { 49 | try { 50 | File tokenFile = new File(fileName); 51 | if (!tokenFile.exists() || !tokenFile.canRead()) { 52 | throw new RuntimeException(String.format("Can not read tokenfile from %s", fileName)); 53 | } 54 | return new String(Files.readAllBytes(Paths.get(fileName)), "UTF-8").replaceAll("\\s+", ""); 55 | } catch (IOException e) { 56 | throw new UncheckedIOException(e); 57 | } 58 | } 59 | 60 | public String readTokenFromEnv(final String env) { 61 | return System.getenv(env); 62 | } 63 | 64 | public String readTokenFromLogin(final String vaultBaseUrl, final String appId, final String userId) { 65 | try { 66 | final Response response = asyncHttpClient 67 | .preparePost(vaultBaseUrl + "/v1/auth/app-id/login") 68 | .setBody(createAuthBody(appId, userId)) 69 | .execute() 70 | .get(); 71 | 72 | if ((response.getStatusCode() != 200)) { 73 | throw new RuntimeException("login to vault failed, return code is " + response.getStatusCode()); 74 | } 75 | LOG.info("login to vault successful"); 76 | 77 | return extractToken(response.getResponseBody()); 78 | } catch (ExecutionException | InterruptedException e) { 79 | LOG.error("could not retrieve token from vault", e); 80 | throw new RuntimeException(e); 81 | } 82 | } 83 | 84 | private static String createAuthBody(final String appId, final String userId) { 85 | return String.format("{\"app_id\":\"%s\", \"user_id\": \"%s\"}", appId, userId); 86 | } 87 | 88 | private static String extractToken(final String responseBody) { 89 | Map responseMap = new Gson().fromJson(responseBody, Map.class); 90 | Map auth = (Map) responseMap.get("auth"); 91 | 92 | return auth.get("client_token"); 93 | } 94 | } 95 | -------------------------------------------------------------------------------- /src/test/java/de/otto/edison/vault/VaultPropertySourceTest.java: -------------------------------------------------------------------------------- 1 | package de.otto.edison.vault; 2 | 3 | import org.springframework.mock.env.MockEnvironment; 4 | import org.testng.annotations.BeforeMethod; 5 | import org.testng.annotations.Test; 6 | 7 | import java.util.Arrays; 8 | import java.util.Collections; 9 | import java.util.List; 10 | import java.util.stream.Collectors; 11 | 12 | import static org.hamcrest.CoreMatchers.nullValue; 13 | import static org.hamcrest.MatcherAssert.assertThat; 14 | import static org.hamcrest.Matchers.is; 15 | import static org.mockito.Mockito.mock; 16 | import static org.mockito.Mockito.verifyZeroInteractions; 17 | import static org.mockito.Mockito.when; 18 | 19 | public class VaultPropertySourceTest { 20 | 21 | private VaultClient vaultClient; 22 | 23 | @Test 24 | public void shouldDoNothingIfVaultIsDeactivated() { 25 | 26 | // given 27 | final List testProperties = Collections.singletonList("testpath.value"); 28 | when(vaultClient.readFields("testpath")).thenReturn(Collections.singletonMap("value", "secret")); 29 | 30 | final VaultPropertySource source = createTestPropertySource(testProperties, false); 31 | 32 | // when 33 | final String result = (String) source.getProperty("testpath.value"); 34 | 35 | // then 36 | verifyZeroInteractions(vaultClient); 37 | assertThat(source.getPropertyNames().length, is(0)); 38 | assertThat(result, nullValue()); 39 | } 40 | 41 | @Test 42 | public void shouldDoNothingIfNoVaultSecret() throws Exception { 43 | 44 | // given 45 | final List testProperties = Collections.emptyList(); 46 | when(vaultClient.readFields("")).thenReturn(Collections.singletonMap("value", "secret")); 47 | 48 | final VaultPropertySource source = createTestPropertySource(testProperties, true); 49 | 50 | // when 51 | final String result = (String) source.getProperty("testpath.value"); 52 | 53 | // then 54 | verifyZeroInteractions(vaultClient); 55 | assertThat(source.getPropertyNames().length, is(0)); 56 | assertThat(result, nullValue()); 57 | } 58 | 59 | @Test 60 | public void shouldLookupNonRootVaultSecret() throws Exception { 61 | 62 | // given 63 | final List testProperties = Collections.singletonList("testpath.value"); 64 | when(vaultClient.readFields("testpath")).thenReturn(Collections.singletonMap("value", "secret")); 65 | 66 | final VaultPropertySource source = createTestPropertySource(testProperties, true); 67 | 68 | // when 69 | final String result = (String) source.getProperty("testpath.value"); 70 | 71 | // then 72 | assertThat(source.getPropertyNames().length, is(1)); 73 | assertThat(result, is("secret")); 74 | } 75 | 76 | @Test 77 | public void shouldLookupRootVaultSecret() throws Exception { 78 | 79 | // given 80 | final List testProperties = Collections.singletonList("testpath-value"); 81 | when(vaultClient.readFields("")).thenReturn(Collections.singletonMap("testpath-value", "secret")); 82 | 83 | final VaultPropertySource source = createTestPropertySource(testProperties, true); 84 | 85 | // when 86 | final String result = (String) source.getProperty("testpath-value"); 87 | 88 | // then 89 | assertThat(result, is("secret")); 90 | } 91 | 92 | @BeforeMethod 93 | public void setUp() throws Exception { 94 | vaultClient = mock(VaultClient.class); 95 | } 96 | 97 | private VaultPropertySource createTestPropertySource(final List properties, final boolean enabled) { 98 | final MockEnvironment environment = new MockEnvironment(); 99 | environment.setProperty("edison.vault.enabled", Boolean.toString(enabled)); 100 | environment.setProperty("edison.vault.properties", properties.stream().collect(Collectors.joining(","))); 101 | final VaultPropertySource source = new VaultPropertySource("testSource", new ConfigProperties(environment)) { 102 | @Override 103 | protected VaultClient createVaultClient(final ConfigProperties configProperties) { 104 | return vaultClient; 105 | } 106 | }; 107 | return source; 108 | } 109 | } -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # edison-vault 2 | Library to access Vault servers and inject secrets into Edison services. 3 | 4 | [![Build Status](https://travis-ci.org/otto-de/edison-vault.svg?branch=master)](https://travis-ci.org/otto-de/edison-vault) 5 | [![Maven Central](https://maven-badges.herokuapp.com/maven-central/de.otto.edison/edison-vault/badge.svg)](https://maven-badges.herokuapp.com/maven-central/de.otto.edison/edison-vault) 6 | 7 | ## Usage 8 | This library implements a Spring PropertySource and appends it to the end of the existing PropertySource list. It maps 9 | values from vault-secrets to properties which can then be easily accessed via 10 | @Value 11 | annotations. To use this library the secrets must be setup like described in the vault configuration section. 12 | 13 | If your vault setup matches the requirements you just need to set the configuration properties in your 14 | application.properties file. You can find them in the application.properties configuration section. 15 | 16 | ## Vault configuration 17 | In Vault the App ID authentication backend has to be enabled. In this context tuples of app-ids and user-ids have to be 18 | created in Vault. 19 | 20 | For further vault documentation see http://www.vaultproject.io/ 21 | 22 | ## Spring property mapping 23 | 24 | All properties you want to save in vault must be located under the same parent path. You can configure the parent path by 25 | setting the configuration property **edison.vault.secret-path** 26 | 27 | Each spring property you want to load from vault has to be added to the configuration property **edison.vault.properties**. 28 | 29 | An individual spring property is mapped to a vault path by the following scheme: 30 | 31 | 1) Every dot (".") is replaced by a slash ("/"). 32 | 2) The part before the last slash is the sub-path of the property and has to exist in vault. 33 | 3) The part after the last slash is the json field name of the vault value. 34 | 35 | 36 | Example 37 | 38 | application.properties: 39 | ... 40 | edison.vault.secret-path=/my/secret/path/ 41 | edison.vault.properties=my-secret-value,my.secret.value,my.secret.othervalue 42 | ... 43 | 44 | "my-secret-value" is mapped to: 45 | GET http://yourVaultHostName:4001/v1/my/secret/path 46 | { 47 | "my-secret-value": "theFirstSecretValueYouWant" 48 | } 49 | 50 | "my.secret.value" is mapped to: 51 | GET http://yourVaultHostName:4001/v1/my/secret/path/my/secret/ 52 | { 53 | "value": "theSecondSecretValueYouWant" 54 | } 55 | 56 | "my.secret.othervalue" is mapped to: 57 | GET http://yourVaultHostName:4001/v1/my/secret/path/my/secret/ 58 | { 59 | "othervalue": "theThirdSecretValueYouWant" 60 | } 61 | 62 | 63 | In this example you will get three spring properties with the following values: 64 | 65 | - my-secret-value=theFirstSecretValueYouWant 66 | - my.secret.value=theSecondSecretValueYouWant 67 | - my.secret.othervalue=theThirdSecretValueYouWant 68 | 69 | You see how the parent secret-path is used and how a spring property key is mapped to a vault path. 70 | Notice the difference between *my-secret-value* and *my.secret.value*. 71 | 72 | ## application.properties configuration 73 | 74 | - edison.vault.enabled enable edison-vault (default=false) 75 | - edison.vault.base-url url of vault server 76 | - edison.vault.secret-path vault secret path 77 | - edison.vault.properties comma-separated list of property keys to fetch from vault (default=empty). 78 | - edison.vault.token-source how to access the vault server token -- possible values are login,file or environment 79 | - edison.vault.appid app id to access the vault server (valid for token-source=login) 80 | - edison.vault.userid user id to access the vault server (valid for token-source=login) 81 | - edison.vault.environment-token environment-variable which holds the token (valid for token-source=environment) 82 | - edison.vault.file-token filename where the token is stored in, if not set then $HOME/.vault-token is used (valid for token-source=file) 83 | 84 | ## Example 85 | 86 | application.properties: 87 | 88 | edison.vault.enabled=true 89 | edison.vault.base-url=https://yourVaultHostName:8200 90 | edison.vault.secret-path=/my/secret/path/ 91 | edison.vault.properties=secretOne@key1,secretOne@key2,secretTwo,secretOne 92 | edison.vault.token-source=login 93 | edison.vault.appid=aaaaaaaa-bbbb-cccc-dddd-eeeeeeffffff 94 | edison.vault.userid=ffffffff-eeee-dddd-cccc-bbbbbbaaaaa 95 | 96 | SomeClass.java: 97 | 98 | public class SomeClass { 99 | 100 | @Value("${secretOne@key1}") 101 | private String theSecretNumberOne; 102 | 103 | public void someMethod(@Value("${secretTwo}") String theSecretNumberTwo) { 104 | 105 | } 106 | } 107 | -------------------------------------------------------------------------------- /bin/gradlew: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | ############################################################################## 4 | ## 5 | ## Gradle start up script for UN*X 6 | ## 7 | ############################################################################## 8 | 9 | # Add default JVM options here. You can also use JAVA_OPTS and GRADLE_OPTS to pass JVM options to this script. 10 | DEFAULT_JVM_OPTS="" 11 | 12 | APP_NAME="Gradle" 13 | APP_BASE_NAME=`basename "$0"` 14 | 15 | # Use the maximum available, or set MAX_FD != -1 to use that value. 16 | MAX_FD="maximum" 17 | 18 | warn ( ) { 19 | echo "$*" 20 | } 21 | 22 | die ( ) { 23 | echo 24 | echo "$*" 25 | echo 26 | exit 1 27 | } 28 | 29 | # OS specific support (must be 'true' or 'false'). 30 | cygwin=false 31 | msys=false 32 | darwin=false 33 | case "`uname`" in 34 | CYGWIN* ) 35 | cygwin=true 36 | ;; 37 | Darwin* ) 38 | darwin=true 39 | ;; 40 | MINGW* ) 41 | msys=true 42 | ;; 43 | esac 44 | 45 | # Attempt to set APP_HOME 46 | # Resolve links: $0 may be a link 47 | PRG="$0" 48 | # Need this for relative symlinks. 49 | while [ -h "$PRG" ] ; do 50 | ls=`ls -ld "$PRG"` 51 | link=`expr "$ls" : '.*-> \(.*\)$'` 52 | if expr "$link" : '/.*' > /dev/null; then 53 | PRG="$link" 54 | else 55 | PRG=`dirname "$PRG"`"/$link" 56 | fi 57 | done 58 | SAVED="`pwd`" 59 | cd "`dirname \"$PRG\"`/" >/dev/null 60 | APP_HOME="`pwd -P`" 61 | cd "$SAVED" >/dev/null 62 | 63 | CLASSPATH=$APP_HOME/gradle/wrapper/gradle-wrapper.jar 64 | 65 | # Determine the Java command to use to start the JVM. 66 | if [ -n "$JAVA_HOME" ] ; then 67 | if [ -x "$JAVA_HOME/jre/sh/java" ] ; then 68 | # IBM's JDK on AIX uses strange locations for the executables 69 | JAVACMD="$JAVA_HOME/jre/sh/java" 70 | else 71 | JAVACMD="$JAVA_HOME/bin/java" 72 | fi 73 | if [ ! -x "$JAVACMD" ] ; then 74 | die "ERROR: JAVA_HOME is set to an invalid directory: $JAVA_HOME 75 | 76 | Please set the JAVA_HOME variable in your environment to match the 77 | location of your Java installation." 78 | fi 79 | else 80 | JAVACMD="java" 81 | which java >/dev/null 2>&1 || die "ERROR: JAVA_HOME is not set and no 'java' command could be found in your PATH. 82 | 83 | Please set the JAVA_HOME variable in your environment to match the 84 | location of your Java installation." 85 | fi 86 | 87 | # Increase the maximum file descriptors if we can. 88 | if [ "$cygwin" = "false" -a "$darwin" = "false" ] ; then 89 | MAX_FD_LIMIT=`ulimit -H -n` 90 | if [ $? -eq 0 ] ; then 91 | if [ "$MAX_FD" = "maximum" -o "$MAX_FD" = "max" ] ; then 92 | MAX_FD="$MAX_FD_LIMIT" 93 | fi 94 | ulimit -n $MAX_FD 95 | if [ $? -ne 0 ] ; then 96 | warn "Could not set maximum file descriptor limit: $MAX_FD" 97 | fi 98 | else 99 | warn "Could not query maximum file descriptor limit: $MAX_FD_LIMIT" 100 | fi 101 | fi 102 | 103 | # For Darwin, add options to specify how the application appears in the dock 104 | if $darwin; then 105 | GRADLE_OPTS="$GRADLE_OPTS \"-Xdock:name=$APP_NAME\" \"-Xdock:icon=$APP_HOME/media/gradle.icns\"" 106 | fi 107 | 108 | # For Cygwin, switch paths to Windows format before running java 109 | if $cygwin ; then 110 | APP_HOME=`cygpath --path --mixed "$APP_HOME"` 111 | CLASSPATH=`cygpath --path --mixed "$CLASSPATH"` 112 | JAVACMD=`cygpath --unix "$JAVACMD"` 113 | 114 | # We build the pattern for arguments to be converted via cygpath 115 | ROOTDIRSRAW=`find -L / -maxdepth 1 -mindepth 1 -type d 2>/dev/null` 116 | SEP="" 117 | for dir in $ROOTDIRSRAW ; do 118 | ROOTDIRS="$ROOTDIRS$SEP$dir" 119 | SEP="|" 120 | done 121 | OURCYGPATTERN="(^($ROOTDIRS))" 122 | # Add a user-defined pattern to the cygpath arguments 123 | if [ "$GRADLE_CYGPATTERN" != "" ] ; then 124 | OURCYGPATTERN="$OURCYGPATTERN|($GRADLE_CYGPATTERN)" 125 | fi 126 | # Now convert the arguments - kludge to limit ourselves to /bin/sh 127 | i=0 128 | for arg in "$@" ; do 129 | CHECK=`echo "$arg"|egrep -c "$OURCYGPATTERN" -` 130 | CHECK2=`echo "$arg"|egrep -c "^-"` ### Determine if an option 131 | 132 | if [ $CHECK -ne 0 ] && [ $CHECK2 -eq 0 ] ; then ### Added a condition 133 | eval `echo args$i`=`cygpath --path --ignore --mixed "$arg"` 134 | else 135 | eval `echo args$i`="\"$arg\"" 136 | fi 137 | i=$((i+1)) 138 | done 139 | case $i in 140 | (0) set -- ;; 141 | (1) set -- "$args0" ;; 142 | (2) set -- "$args0" "$args1" ;; 143 | (3) set -- "$args0" "$args1" "$args2" ;; 144 | (4) set -- "$args0" "$args1" "$args2" "$args3" ;; 145 | (5) set -- "$args0" "$args1" "$args2" "$args3" "$args4" ;; 146 | (6) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" ;; 147 | (7) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" ;; 148 | (8) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" ;; 149 | (9) set -- "$args0" "$args1" "$args2" "$args3" "$args4" "$args5" "$args6" "$args7" "$args8" ;; 150 | esac 151 | fi 152 | 153 | # Split up the JVM_OPTS And GRADLE_OPTS values into an array, following the shell quoting and substitution rules 154 | function splitJvmOpts() { 155 | JVM_OPTS=("$@") 156 | } 157 | eval splitJvmOpts $DEFAULT_JVM_OPTS $JAVA_OPTS $GRADLE_OPTS 158 | JVM_OPTS[${#JVM_OPTS[*]}]="-Dorg.gradle.appname=$APP_BASE_NAME" 159 | 160 | exec "$JAVACMD" "${JVM_OPTS[@]}" -classpath "$CLASSPATH" org.gradle.wrapper.GradleWrapperMain "$@" 161 | -------------------------------------------------------------------------------- /src/main/java/de/otto/edison/vault/ConfigProperties.java: -------------------------------------------------------------------------------- 1 | package de.otto.edison.vault; 2 | 3 | import org.springframework.core.env.Environment; 4 | import org.springframework.util.StringUtils; 5 | 6 | import java.util.Arrays; 7 | import java.util.Collections; 8 | import java.util.Set; 9 | import java.util.stream.Collectors; 10 | 11 | public class ConfigProperties { 12 | 13 | private final boolean enabled; 14 | private final String baseUrl; 15 | private final String secretPath; 16 | private final Set properties; 17 | private final String tokenSource; 18 | private final String environmentToken; 19 | private final String fileToken; 20 | private final String appId; 21 | private final String userId; 22 | private final String defaultVaultToken; 23 | 24 | public ConfigProperties(Environment environment) { 25 | enabled = Boolean.parseBoolean(environment.getProperty("edison.vault.enabled")); 26 | final String baseUrlProperty = environment.getProperty("edison.vault.base-url"); 27 | baseUrl = StringUtils.isEmpty(baseUrlProperty) ? getVaultAddrFromEnv() : baseUrlProperty; 28 | secretPath = environment.getProperty("edison.vault.secret-path"); 29 | properties = splitVaultPropertyKeys(environment.getProperty("edison.vault.properties")); 30 | tokenSource = environment.getProperty("edison.vault.token-source"); 31 | environmentToken = environment.getProperty("edison.vault.environment-token"); 32 | fileToken = environment.getProperty("edison.vault.file-token"); 33 | appId = environment.getProperty("edison.vault.appid"); 34 | userId = environment.getProperty("edison.vault.userid"); 35 | final String homeDir = environment.getProperty("user.home"); 36 | defaultVaultToken = homeDir + "/.vault-token"; 37 | } 38 | 39 | public boolean isEnabled() { 40 | return enabled; 41 | } 42 | 43 | public String getBaseUrl() { 44 | return baseUrl; 45 | } 46 | 47 | public String getSecretPath() { 48 | return secretPath; 49 | } 50 | 51 | public Set getProperties() { 52 | return properties; 53 | } 54 | 55 | public String getTokenSource() { 56 | return tokenSource; 57 | } 58 | 59 | public String getEnvironmentToken() { 60 | return environmentToken; 61 | } 62 | 63 | public String getFileToken() { 64 | return fileToken; 65 | } 66 | 67 | public String getAppId() { 68 | return appId; 69 | } 70 | 71 | public String getUserId() { 72 | return userId; 73 | } 74 | 75 | public String getDefaultVaultTokenFileName() { 76 | return defaultVaultToken; 77 | } 78 | 79 | private static String getVaultAddrFromEnv() { 80 | return System.getenv("VAULT_ADDR"); 81 | } 82 | 83 | private Set splitVaultPropertyKeys(String properties) { 84 | if (StringUtils.isEmpty(properties)) { 85 | return Collections.emptySet(); 86 | } 87 | return Collections.unmodifiableSet( 88 | Arrays.stream(properties.split(",")).map(String::trim).filter(s -> !s.isEmpty()).collect(Collectors.toSet())); 89 | } 90 | 91 | @Override 92 | public boolean equals(Object o) { 93 | if (this == o) { 94 | return true; 95 | } 96 | if (o == null || getClass() != o.getClass()) { 97 | return false; 98 | } 99 | 100 | ConfigProperties that = (ConfigProperties) o; 101 | 102 | if (enabled != that.enabled) { 103 | return false; 104 | } 105 | if (baseUrl != null ? !baseUrl.equals(that.baseUrl) : that.baseUrl != null) { 106 | return false; 107 | } 108 | if (secretPath != null ? !secretPath.equals(that.secretPath) : that.secretPath != null) { 109 | return false; 110 | } 111 | if (properties != null ? !properties.equals(that.properties) : that.properties != null) { 112 | return false; 113 | } 114 | if (tokenSource != null ? !tokenSource.equals(that.tokenSource) : that.tokenSource != null) { 115 | return false; 116 | } 117 | if (environmentToken != null ? !environmentToken.equals(that.environmentToken) : that.environmentToken != null) { 118 | return false; 119 | } 120 | if (fileToken != null ? !fileToken.equals(that.fileToken) : that.fileToken != null) { 121 | return false; 122 | } 123 | if (appId != null ? !appId.equals(that.appId) : that.appId != null) { 124 | return false; 125 | } 126 | if (userId != null ? !userId.equals(that.userId) : that.userId != null) { 127 | return false; 128 | } 129 | return defaultVaultToken != null ? defaultVaultToken.equals(that.defaultVaultToken) : that.defaultVaultToken == null; 130 | } 131 | 132 | @Override 133 | public int hashCode() { 134 | int result = (enabled ? 1 : 0); 135 | result = 31 * result + (baseUrl != null ? baseUrl.hashCode() : 0); 136 | result = 31 * result + (secretPath != null ? secretPath.hashCode() : 0); 137 | result = 31 * result + (properties != null ? properties.hashCode() : 0); 138 | result = 31 * result + (tokenSource != null ? tokenSource.hashCode() : 0); 139 | result = 31 * result + (environmentToken != null ? environmentToken.hashCode() : 0); 140 | result = 31 * result + (fileToken != null ? fileToken.hashCode() : 0); 141 | result = 31 * result + (appId != null ? appId.hashCode() : 0); 142 | result = 31 * result + (userId != null ? userId.hashCode() : 0); 143 | result = 31 * result + (defaultVaultToken != null ? defaultVaultToken.hashCode() : 0); 144 | return result; 145 | } 146 | 147 | @Override 148 | public String toString() { 149 | return "ConfigProperties{" + 150 | "enabled=" + enabled + 151 | ", baseUrl='" + baseUrl + '\'' + 152 | ", secretPath='" + secretPath + '\'' + 153 | ", properties=" + properties + 154 | ", tokenSource='" + tokenSource + '\'' + 155 | ", environmentToken='" + environmentToken + '\'' + 156 | ", fileToken='" + fileToken + '\'' + 157 | ", appId='" + appId + '\'' + 158 | ", userId='" + userId + '\'' + 159 | ", defaultVaultToken='" + defaultVaultToken + '\'' + 160 | '}'; 161 | } 162 | } 163 | -------------------------------------------------------------------------------- /src/test/java/de/otto/edison/vault/VaultTokenReaderTest.java: -------------------------------------------------------------------------------- 1 | package de.otto.edison.vault; 2 | 3 | import static org.hamcrest.MatcherAssert.assertThat; 4 | import static org.hamcrest.core.Is.is; 5 | import static org.powermock.api.mockito.PowerMockito.mock; 6 | import static org.powermock.api.mockito.PowerMockito.mockStatic; 7 | import static org.powermock.api.mockito.PowerMockito.verifyStatic; 8 | import static org.powermock.api.mockito.PowerMockito.when; 9 | import static org.testng.Assert.fail; 10 | 11 | import java.io.File; 12 | import java.io.FileNotFoundException; 13 | import java.io.IOException; 14 | import java.io.UnsupportedEncodingException; 15 | 16 | import org.asynchttpclient.AsyncHttpClient; 17 | import org.asynchttpclient.BoundRequestBuilder; 18 | import org.asynchttpclient.ListenableFuture; 19 | import org.asynchttpclient.Response; 20 | import org.powermock.core.classloader.annotations.PrepareForTest; 21 | import org.powermock.modules.testng.PowerMockTestCase; 22 | import org.testng.annotations.BeforeMethod; 23 | import org.testng.annotations.Test; 24 | import org.testng.reporters.Files; 25 | 26 | @PrepareForTest(VaultTokenReader.class) 27 | public class VaultTokenReaderTest extends PowerMockTestCase { 28 | 29 | private ConfigProperties configProperties; 30 | private AsyncHttpClient asyncHttpClient; 31 | 32 | @BeforeMethod 33 | public void setUp() throws Exception { 34 | configProperties = mock(ConfigProperties.class); 35 | asyncHttpClient = mock(AsyncHttpClient.class); 36 | } 37 | 38 | @Test 39 | public void shouldGetTokenFromSystemEnvironment() throws Exception { 40 | // given 41 | mockStatic(System.class); 42 | when(configProperties.getTokenSource()).thenReturn("environment"); 43 | when(configProperties.getEnvironmentToken()).thenReturn("SOME_SYSTEM_ENV_VARIABLE"); 44 | when(System.getenv("SOME_SYSTEM_ENV_VARIABLE")).thenReturn("mySecretAccessToken"); 45 | 46 | // when 47 | // then 48 | assertThat(new VaultTokenReader(asyncHttpClient).readVaultToken(configProperties), is("mySecretAccessToken")); 49 | verifyStatic(); 50 | System.getenv("SOME_SYSTEM_ENV_VARIABLE"); 51 | } 52 | 53 | @Test 54 | public void shouldReadTokenFromLogin() throws Exception { 55 | // given 56 | Response response = mock(Response.class); 57 | BoundRequestBuilder boundRequestBuilder = mock(BoundRequestBuilder.class); 58 | ListenableFuture listenableFuture = mock(ListenableFuture.class); 59 | 60 | when(response.getResponseBody()).thenReturn(createValidLoginJson("someClientToken")); 61 | when(response.getStatusCode()).thenReturn(200); 62 | when(asyncHttpClient.preparePost("http://someBaseUrl/v1/auth/app-id/login")).thenReturn(boundRequestBuilder); 63 | when(boundRequestBuilder.setBody("{\"app_id\":\"someAppId\", \"user_id\": \"someUserId\"}")).thenReturn( 64 | boundRequestBuilder); 65 | when(boundRequestBuilder.execute()).thenReturn(listenableFuture); 66 | when(listenableFuture.get()).thenReturn(response); 67 | 68 | // when 69 | when(configProperties.getTokenSource()).thenReturn("login"); 70 | when(configProperties.getBaseUrl()).thenReturn("http://someBaseUrl"); 71 | when(configProperties.getAppId()).thenReturn("someAppId"); 72 | when(configProperties.getUserId()).thenReturn("someUserId"); 73 | 74 | // then 75 | assertThat(new VaultTokenReader(asyncHttpClient).readVaultToken(configProperties), is("someClientToken")); 76 | } 77 | 78 | @Test 79 | public void shouldThrowRuntimeExceptionIfLoginFails() throws Exception { 80 | // given 81 | Response response = mock(Response.class); 82 | BoundRequestBuilder boundRequestBuilder = mock(BoundRequestBuilder.class); 83 | ListenableFuture listenableFuture = mock(ListenableFuture.class); 84 | 85 | when(response.getResponseBody()).thenReturn(null); 86 | when(response.getStatusCode()).thenReturn(401); 87 | when(asyncHttpClient.preparePost("http://someBaseUrl/v1/auth/app-id/login")).thenReturn(boundRequestBuilder); 88 | when(boundRequestBuilder.setBody("{\"app_id\":\"someAppId\", \"user_id\": \"someUserId\"}")).thenReturn( 89 | boundRequestBuilder); 90 | when(boundRequestBuilder.execute()).thenReturn(listenableFuture); 91 | when(listenableFuture.get()).thenReturn(response); 92 | 93 | // when 94 | try { 95 | when(configProperties.getTokenSource()).thenReturn("login"); 96 | when(configProperties.getBaseUrl()).thenReturn("http://someBaseUrl"); 97 | when(configProperties.getAppId()).thenReturn("someAppId"); 98 | when(configProperties.getUserId()).thenReturn("someUserId"); 99 | new VaultTokenReader(asyncHttpClient).readVaultToken(configProperties); 100 | fail(); 101 | } catch (RuntimeException e) { 102 | // then 103 | assertThat(e.getMessage(), is("login to vault failed, return code is 401")); 104 | } 105 | } 106 | 107 | @Test 108 | public void shouldThrowIllegalArgumentExceptionIfTokenSourceIsNotSet() throws Exception { 109 | // given 110 | 111 | // when 112 | try { 113 | new VaultTokenReader(asyncHttpClient).readVaultToken(configProperties); 114 | fail(); 115 | } catch (IllegalArgumentException e) { 116 | // then 117 | assertThat(e.getMessage(), is("tokenSource not set")); 118 | } 119 | } 120 | 121 | @Test 122 | public void shouldThrowIllegalArgumentExceptionIfTokenSourceIsUndefined() throws Exception { 123 | // given 124 | when(configProperties.getTokenSource()).thenReturn("someSource"); 125 | // when 126 | try { 127 | new VaultTokenReader(asyncHttpClient).readVaultToken(configProperties); 128 | fail(); 129 | } catch (IllegalArgumentException e) { 130 | // then 131 | assertThat(e.getMessage(), is("tokenSource is undefined")); 132 | } 133 | } 134 | 135 | @Test 136 | public void shouldReadTokenFromFile() throws Exception { 137 | String tokenFileName = "./someTestFile"; 138 | try { 139 | createTokenFile(tokenFileName, "2434c862-c01c-4bdc-e862-9ba9afceab32"); 140 | when(configProperties.getTokenSource()).thenReturn("file"); 141 | when(configProperties.getFileToken()).thenReturn(tokenFileName); 142 | 143 | assertThat(new VaultTokenReader(asyncHttpClient).readVaultToken(configProperties), 144 | is("2434c862-c01c-4bdc-e862-9ba9afceab32")); 145 | } catch (FileNotFoundException | UnsupportedEncodingException e) { 146 | fail(); 147 | } finally { 148 | new File(tokenFileName).delete(); 149 | } 150 | } 151 | 152 | @Test 153 | public void shouldReadTokenFromFileEvenIfThereIsWhiteSpace() throws Exception { 154 | // Given 155 | String tokenFileName = "./someTestFile"; 156 | try { 157 | createTokenFile(tokenFileName, " 2434c862-c01c-4bdc-e862-9ba9afceab32 \n"); 158 | 159 | // when 160 | String token = new VaultTokenReader(asyncHttpClient).readTokenFromFile(tokenFileName); 161 | 162 | // then 163 | assertThat(token, is("2434c862-c01c-4bdc-e862-9ba9afceab32")); 164 | } catch (FileNotFoundException | UnsupportedEncodingException e) { 165 | fail(); 166 | } finally { 167 | new File(tokenFileName).delete(); 168 | } 169 | } 170 | 171 | private void createTokenFile(String fileName, String content) throws IOException { 172 | Files.writeFile(content, new File(fileName)); 173 | } 174 | 175 | private String createValidLoginJson(String clientToken) { 176 | return "{\n" + 177 | " \"lease_id\": \"\",\n" + 178 | " \"renewable\": false,\n" + 179 | " \"lease_duration\": 0,\n" + 180 | " \"data\": null,\n" + 181 | " \"auth\": {\n" + 182 | " \"client_token\": \"" + clientToken + "\",\n" + 183 | " \"policies\": [\"root\"],\n" + 184 | " \"lease_duration\": 0,\n" + 185 | " \"renewable\": false,\n" + 186 | " \"metadata\": {\n" + 187 | " \"app-id\": \"sha1:1c0401b419280b0771d006bcdae683989086a00e\",\n" + 188 | " \"user-id\": \"sha1:4dbf74fce71648d54c42e28ad193253600853ca6\"\n" + 189 | " }\n" + 190 | " }\n" + 191 | "}\n"; 192 | } 193 | } -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Apache License 2 | Version 2.0, January 2004 3 | http://www.apache.org/licenses/ 4 | 5 | TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 6 | 7 | 1. Definitions. 8 | 9 | "License" shall mean the terms and conditions for use, reproduction, 10 | and distribution as defined by Sections 1 through 9 of this document. 11 | 12 | "Licensor" shall mean the copyright owner or entity authorized by 13 | the copyright owner that is granting the License. 14 | 15 | "Legal Entity" shall mean the union of the acting entity and all 16 | other entities that control, are controlled by, or are under common 17 | control with that entity. For the purposes of this definition, 18 | "control" means (i) the power, direct or indirect, to cause the 19 | direction or management of such entity, whether by contract or 20 | otherwise, or (ii) ownership of fifty percent (50%) or more of the 21 | outstanding shares, or (iii) beneficial ownership of such entity. 22 | 23 | "You" (or "Your") shall mean an individual or Legal Entity 24 | exercising permissions granted by this License. 25 | 26 | "Source" form shall mean the preferred form for making modifications, 27 | including but not limited to software source code, documentation 28 | source, and configuration files. 29 | 30 | "Object" form shall mean any form resulting from mechanical 31 | transformation or translation of a Source form, including but 32 | not limited to compiled object code, generated documentation, 33 | and conversions to other media types. 34 | 35 | "Work" shall mean the work of authorship, whether in Source or 36 | Object form, made available under the License, as indicated by a 37 | copyright notice that is included in or attached to the work 38 | (an example is provided in the Appendix below). 39 | 40 | "Derivative Works" shall mean any work, whether in Source or Object 41 | form, that is based on (or derived from) the Work and for which the 42 | editorial revisions, annotations, elaborations, or other modifications 43 | represent, as a whole, an original work of authorship. For the purposes 44 | of this License, Derivative Works shall not include works that remain 45 | separable from, or merely link (or bind by name) to the interfaces of, 46 | the Work and Derivative Works thereof. 47 | 48 | "Contribution" shall mean any work of authorship, including 49 | the original version of the Work and any modifications or additions 50 | to that Work or Derivative Works thereof, that is intentionally 51 | submitted to Licensor for inclusion in the Work by the copyright owner 52 | or by an individual or Legal Entity authorized to submit on behalf of 53 | the copyright owner. For the purposes of this definition, "submitted" 54 | means any form of electronic, verbal, or written communication sent 55 | to the Licensor or its representatives, including but not limited to 56 | communication on electronic mailing lists, source code control systems, 57 | and issue tracking systems that are managed by, or on behalf of, the 58 | Licensor for the purpose of discussing and improving the Work, but 59 | excluding communication that is conspicuously marked or otherwise 60 | designated in writing by the copyright owner as "Not a Contribution." 61 | 62 | "Contributor" shall mean Licensor and any individual or Legal Entity 63 | on behalf of whom a Contribution has been received by Licensor and 64 | subsequently incorporated within the Work. 65 | 66 | 2. Grant of Copyright License. Subject to the terms and conditions of 67 | this License, each Contributor hereby grants to You a perpetual, 68 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 69 | copyright license to reproduce, prepare Derivative Works of, 70 | publicly display, publicly perform, sublicense, and distribute the 71 | Work and such Derivative Works in Source or Object form. 72 | 73 | 3. Grant of Patent License. Subject to the terms and conditions of 74 | this License, each Contributor hereby grants to You a perpetual, 75 | worldwide, non-exclusive, no-charge, royalty-free, irrevocable 76 | (except as stated in this section) patent license to make, have made, 77 | use, offer to sell, sell, import, and otherwise transfer the Work, 78 | where such license applies only to those patent claims licensable 79 | by such Contributor that are necessarily infringed by their 80 | Contribution(s) alone or by combination of their Contribution(s) 81 | with the Work to which such Contribution(s) was submitted. If You 82 | institute patent litigation against any entity (including a 83 | cross-claim or counterclaim in a lawsuit) alleging that the Work 84 | or a Contribution incorporated within the Work constitutes direct 85 | or contributory patent infringement, then any patent licenses 86 | granted to You under this License for that Work shall terminate 87 | as of the date such litigation is filed. 88 | 89 | 4. Redistribution. You may reproduce and distribute copies of the 90 | Work or Derivative Works thereof in any medium, with or without 91 | modifications, and in Source or Object form, provided that You 92 | meet the following conditions: 93 | 94 | (a) You must give any other recipients of the Work or 95 | Derivative Works a copy of this License; and 96 | 97 | (b) You must cause any modified files to carry prominent notices 98 | stating that You changed the files; and 99 | 100 | (c) You must retain, in the Source form of any Derivative Works 101 | that You distribute, all copyright, patent, trademark, and 102 | attribution notices from the Source form of the Work, 103 | excluding those notices that do not pertain to any part of 104 | the Derivative Works; and 105 | 106 | (d) If the Work includes a "NOTICE" text file as part of its 107 | distribution, then any Derivative Works that You distribute must 108 | include a readable copy of the attribution notices contained 109 | within such NOTICE file, excluding those notices that do not 110 | pertain to any part of the Derivative Works, in at least one 111 | of the following places: within a NOTICE text file distributed 112 | as part of the Derivative Works; within the Source form or 113 | documentation, if provided along with the Derivative Works; or, 114 | within a display generated by the Derivative Works, if and 115 | wherever such third-party notices normally appear. The contents 116 | of the NOTICE file are for informational purposes only and 117 | do not modify the License. You may add Your own attribution 118 | notices within Derivative Works that You distribute, alongside 119 | or as an addendum to the NOTICE text from the Work, provided 120 | that such additional attribution notices cannot be construed 121 | as modifying the License. 122 | 123 | You may add Your own copyright statement to Your modifications and 124 | may provide additional or different license terms and conditions 125 | for use, reproduction, or distribution of Your modifications, or 126 | for any such Derivative Works as a whole, provided Your use, 127 | reproduction, and distribution of the Work otherwise complies with 128 | the conditions stated in this License. 129 | 130 | 5. Submission of Contributions. Unless You explicitly state otherwise, 131 | any Contribution intentionally submitted for inclusion in the Work 132 | by You to the Licensor shall be under the terms and conditions of 133 | this License, without any additional terms or conditions. 134 | Notwithstanding the above, nothing herein shall supersede or modify 135 | the terms of any separate license agreement you may have executed 136 | with Licensor regarding such Contributions. 137 | 138 | 6. Trademarks. This License does not grant permission to use the trade 139 | names, trademarks, service marks, or product names of the Licensor, 140 | except as required for reasonable and customary use in describing the 141 | origin of the Work and reproducing the content of the NOTICE file. 142 | 143 | 7. Disclaimer of Warranty. Unless required by applicable law or 144 | agreed to in writing, Licensor provides the Work (and each 145 | Contributor provides its Contributions) on an "AS IS" BASIS, 146 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or 147 | implied, including, without limitation, any warranties or conditions 148 | of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A 149 | PARTICULAR PURPOSE. You are solely responsible for determining the 150 | appropriateness of using or redistributing the Work and assume any 151 | risks associated with Your exercise of permissions under this License. 152 | 153 | 8. Limitation of Liability. In no event and under no legal theory, 154 | whether in tort (including negligence), contract, or otherwise, 155 | unless required by applicable law (such as deliberate and grossly 156 | negligent acts) or agreed to in writing, shall any Contributor be 157 | liable to You for damages, including any direct, indirect, special, 158 | incidental, or consequential damages of any character arising as a 159 | result of this License or out of the use or inability to use the 160 | Work (including but not limited to damages for loss of goodwill, 161 | work stoppage, computer failure or malfunction, or any and all 162 | other commercial damages or losses), even if such Contributor 163 | has been advised of the possibility of such damages. 164 | 165 | 9. Accepting Warranty or Additional Liability. While redistributing 166 | the Work or Derivative Works thereof, You may choose to offer, 167 | and charge a fee for, acceptance of support, warranty, indemnity, 168 | or other liability obligations and/or rights consistent with this 169 | License. However, in accepting such obligations, You may act only 170 | on Your own behalf and on Your sole responsibility, not on behalf 171 | of any other Contributor, and only if You agree to indemnify, 172 | defend, and hold each Contributor harmless for any liability 173 | incurred by, or claims asserted against, such Contributor by reason 174 | of your accepting any such warranty or additional liability. 175 | 176 | END OF TERMS AND CONDITIONS 177 | 178 | APPENDIX: How to apply the Apache License to your work. 179 | 180 | To apply the Apache License to your work, attach the following 181 | boilerplate notice, with the fields enclosed by brackets "{}" 182 | replaced with your own identifying information. (Don't include 183 | the brackets!) The text should be enclosed in the appropriate 184 | comment syntax for the file format. We also recommend that a 185 | file or class name and description of purpose be included on the 186 | same "printed page" as the copyright notice for easier 187 | identification within third-party archives. 188 | 189 | Copyright {yyyy} {name of copyright owner} 190 | 191 | Licensed under the Apache License, Version 2.0 (the "License"); 192 | you may not use this file except in compliance with the License. 193 | You may obtain a copy of the License at 194 | 195 | http://www.apache.org/licenses/LICENSE-2.0 196 | 197 | Unless required by applicable law or agreed to in writing, software 198 | distributed under the License is distributed on an "AS IS" BASIS, 199 | WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 200 | See the License for the specific language governing permissions and 201 | limitations under the License. 202 | 203 | -------------------------------------------------------------------------------- /src/test/java/de/otto/edison/vault/VaultClientTest.java: -------------------------------------------------------------------------------- 1 | package de.otto.edison.vault; 2 | 3 | import static org.hamcrest.CoreMatchers.notNullValue; 4 | import static org.hamcrest.CoreMatchers.nullValue; 5 | import static org.hamcrest.MatcherAssert.assertThat; 6 | import static org.hamcrest.core.Is.is; 7 | import static org.mockito.Matchers.anyString; 8 | import static org.mockito.Matchers.eq; 9 | import static org.mockito.Mockito.mock; 10 | import static org.mockito.Mockito.verify; 11 | import static org.mockito.Mockito.when; 12 | import static org.testng.Assert.fail; 13 | 14 | import static de.otto.edison.vault.VaultClient.vaultClient; 15 | 16 | import java.nio.charset.Charset; 17 | 18 | import org.asynchttpclient.AsyncHttpClient; 19 | import org.asynchttpclient.BoundRequestBuilder; 20 | import org.asynchttpclient.ListenableFuture; 21 | import org.asynchttpclient.Response; 22 | import org.testng.annotations.BeforeMethod; 23 | import org.testng.annotations.Test; 24 | 25 | public class VaultClientTest { 26 | 27 | private VaultClient testee; 28 | private AsyncHttpClient asyncHttpClient; 29 | private ConfigProperties configProperties; 30 | 31 | @BeforeMethod 32 | public void setUp() throws Exception { 33 | asyncHttpClient = mock(AsyncHttpClient.class); 34 | configProperties = mock(ConfigProperties.class); 35 | } 36 | 37 | @Test 38 | public void shouldReadTheDefaultFieldValue() throws Exception { 39 | // given 40 | when(configProperties.getBaseUrl()).thenReturn("http://someBaseUrl"); 41 | when(configProperties.getSecretPath()).thenReturn("/someSecretPath"); 42 | 43 | testee = vaultClient(configProperties, "someClientToken"); 44 | testee.asyncHttpClient = asyncHttpClient; 45 | 46 | Response response = mock(Response.class); 47 | BoundRequestBuilder boundRequestBuilder = mock(BoundRequestBuilder.class); 48 | ListenableFuture listenableFuture = mock(ListenableFuture.class); 49 | 50 | when(response.getStatusCode()).thenReturn(200); 51 | when(response.getResponseBody(Charset.forName("utf-8"))).thenReturn(createReadResponse("someKey", "value", "someValue")); 52 | when(asyncHttpClient.prepareGet(eq("http://someBaseUrl/v1/someSecretPath/someKey"))).thenReturn(boundRequestBuilder); 53 | when(boundRequestBuilder.setHeader(eq("X-Vault-Token"), eq("someClientToken"))).thenReturn(boundRequestBuilder); 54 | when(boundRequestBuilder.execute()).thenReturn(listenableFuture); 55 | when(listenableFuture.get()).thenReturn(response); 56 | 57 | // when 58 | String propertyValue = testee.readFields("someKey").get("value"); 59 | 60 | // then 61 | assertThat(propertyValue, is("someValue")); 62 | } 63 | 64 | @Test 65 | public void shouldReturnNullIfNoFieldValueExists() throws Exception { 66 | // given 67 | when(configProperties.getBaseUrl()).thenReturn("http://someBaseUrl"); 68 | when(configProperties.getSecretPath()).thenReturn("/someSecretPath"); 69 | 70 | testee = vaultClient(configProperties, "someClientToken"); 71 | testee.asyncHttpClient = asyncHttpClient; 72 | 73 | Response response = mock(Response.class); 74 | BoundRequestBuilder boundRequestBuilder = mock(BoundRequestBuilder.class); 75 | ListenableFuture listenableFuture = mock(ListenableFuture.class); 76 | 77 | when(response.getStatusCode()).thenReturn(200); 78 | when(response.getResponseBody(Charset.forName("utf-8"))).thenReturn( 79 | createReadResponse("someKey", "someField", "someValue")); 80 | when(asyncHttpClient.prepareGet(eq("http://someBaseUrl/v1/someSecretPath/someKey"))).thenReturn(boundRequestBuilder); 81 | when(boundRequestBuilder.setHeader(eq("X-Vault-Token"), eq("someClientToken"))).thenReturn(boundRequestBuilder); 82 | when(boundRequestBuilder.execute()).thenReturn(listenableFuture); 83 | when(listenableFuture.get()).thenReturn(response); 84 | 85 | // when 86 | String fieldValue = testee.readFields("someKey").get("value"); 87 | 88 | // then 89 | assertThat(fieldValue, is(nullValue())); 90 | } 91 | 92 | @Test 93 | public void shouldReadAnArbitraryField() throws Exception { 94 | // given 95 | when(configProperties.getBaseUrl()).thenReturn("http://someBaseUrl"); 96 | when(configProperties.getSecretPath()).thenReturn("/someSecretPath"); 97 | 98 | testee = vaultClient(configProperties, "someClientToken"); 99 | testee.asyncHttpClient = asyncHttpClient; 100 | 101 | Response response = mock(Response.class); 102 | BoundRequestBuilder boundRequestBuilder = mock(BoundRequestBuilder.class); 103 | ListenableFuture listenableFuture = mock(ListenableFuture.class); 104 | 105 | when(response.getStatusCode()).thenReturn(200); 106 | when(response.getResponseBody(Charset.forName("utf-8"))).thenReturn( 107 | createReadResponse("someKey", "someFieldOtherThanValue", "someValue")); 108 | when(asyncHttpClient.prepareGet(eq("http://someBaseUrl/v1/someSecretPath/someKey"))).thenReturn(boundRequestBuilder); 109 | when(boundRequestBuilder.setHeader(eq("X-Vault-Token"), eq("someClientToken"))).thenReturn(boundRequestBuilder); 110 | when(boundRequestBuilder.execute()).thenReturn(listenableFuture); 111 | when(listenableFuture.get()).thenReturn(response); 112 | 113 | // when 114 | String fieldValue = testee.readFields("someKey").get("someFieldOtherThanValue"); 115 | 116 | // then 117 | assertThat(fieldValue, notNullValue()); 118 | assertThat(fieldValue, is("someValue")); 119 | } 120 | 121 | @Test 122 | public void shouldReturnEmptyOptionalForANonExistingField() throws Exception { 123 | // given 124 | when(configProperties.getBaseUrl()).thenReturn("http://someBaseUrl"); 125 | when(configProperties.getSecretPath()).thenReturn("/someSecretPath"); 126 | 127 | testee = vaultClient(configProperties, "someClientToken"); 128 | testee.asyncHttpClient = asyncHttpClient; 129 | 130 | Response response = mock(Response.class); 131 | BoundRequestBuilder boundRequestBuilder = mock(BoundRequestBuilder.class); 132 | ListenableFuture listenableFuture = mock(ListenableFuture.class); 133 | 134 | when(response.getStatusCode()).thenReturn(200); 135 | when(response.getResponseBody(Charset.forName("utf-8"))).thenReturn( 136 | createReadResponse("someKey", "someField", "someValue")); 137 | when(asyncHttpClient.prepareGet(eq("http://someBaseUrl/v1/someSecretPath/someKey"))).thenReturn(boundRequestBuilder); 138 | when(boundRequestBuilder.setHeader(eq("X-Vault-Token"), eq("someClientToken"))).thenReturn(boundRequestBuilder); 139 | when(boundRequestBuilder.execute()).thenReturn(listenableFuture); 140 | when(listenableFuture.get()).thenReturn(response); 141 | 142 | // when 143 | String fieldValue = testee.readFields("someKey").get("someUnknownField"); 144 | 145 | // then 146 | assertThat(fieldValue, nullValue()); 147 | } 148 | 149 | private String createReadResponse(final String key, final String field, final String value) { 150 | return "{\"lease_id\":\"develop/p13n/" + key 151 | + "/b74f148e-12de-dbfb-b03f-c950c587e8ea\",\"renewable\":false,\"lease_duration\":2592000,\"data\":{\"" + field 152 | + "\":\"" + value + "\"},\"auth\":null}"; 153 | } 154 | 155 | @Test 156 | public void shouldThrowRuntimeExceptionIfReadFails() throws Exception { 157 | // given 158 | when(configProperties.getBaseUrl()).thenReturn("http://someBaseUrl"); 159 | when(configProperties.getSecretPath()).thenReturn("/someSecretPath"); 160 | 161 | testee = vaultClient(configProperties, "someClientToken"); 162 | testee.asyncHttpClient = asyncHttpClient; 163 | 164 | Response response = mock(Response.class); 165 | BoundRequestBuilder boundRequestBuilder = mock(BoundRequestBuilder.class); 166 | ListenableFuture listenableFuture = mock(ListenableFuture.class); 167 | 168 | when(response.getResponseBody(Charset.forName("utf-8"))).thenReturn(null); 169 | when(response.getStatusCode()).thenReturn(500); 170 | when(asyncHttpClient.prepareGet("http://someBaseUrl/v1/someSecretPath/someKey")).thenReturn(boundRequestBuilder); 171 | when(boundRequestBuilder.setHeader("X-Vault-Token", "someClientToken")).thenReturn(boundRequestBuilder); 172 | when(boundRequestBuilder.execute()).thenReturn(listenableFuture); 173 | when(listenableFuture.get()).thenReturn(response); 174 | 175 | // when 176 | try { 177 | testee.readFields("someKey"); 178 | fail(); 179 | } catch (RuntimeException e) { 180 | // then 181 | assertThat(e.getMessage(), 182 | is("read of vault property 'someKey' with token 'someClientToken' from url 'http://someBaseUrl/v1/someSecretPath/someKey' failed, return code is '500'")); 183 | } 184 | } 185 | 186 | @Test 187 | public void shouldTrimUrlSlashes() throws Exception { 188 | // given 189 | when(configProperties.getBaseUrl()).thenReturn("http://someBaseUrlWithSlash/"); 190 | when(configProperties.getSecretPath()).thenReturn("/someSecretPath"); 191 | 192 | testee = vaultClient(configProperties, "someClientToken"); 193 | testee.asyncHttpClient = asyncHttpClient; 194 | 195 | Response response = mock(Response.class); 196 | BoundRequestBuilder boundRequestBuilder = mock(BoundRequestBuilder.class); 197 | ListenableFuture listenableFuture = mock(ListenableFuture.class); 198 | when(response.getResponseBody(Charset.forName("utf-8"))).thenReturn("{}"); 199 | when(response.getStatusCode()).thenReturn(200); 200 | when(asyncHttpClient.prepareGet(anyString())).thenReturn(boundRequestBuilder); 201 | when(boundRequestBuilder.setHeader(anyString(), anyString())).thenReturn(boundRequestBuilder); 202 | when(boundRequestBuilder.execute()).thenReturn(listenableFuture); 203 | when(listenableFuture.get()).thenReturn(response); 204 | 205 | // when 206 | testee.readFields("someKey"); 207 | 208 | // then 209 | verify(asyncHttpClient).prepareGet("http://someBaseUrlWithSlash/v1/someSecretPath/someKey"); 210 | } 211 | 212 | @Test 213 | public void shouldAddMissingUrlSlashes() throws Exception { 214 | // given 215 | when(configProperties.getBaseUrl()).thenReturn("http://someBaseUrl"); 216 | when(configProperties.getSecretPath()).thenReturn("someSecretPathWithoutSlash"); 217 | 218 | testee = vaultClient(configProperties, "someClientToken"); 219 | testee.asyncHttpClient = asyncHttpClient; 220 | 221 | Response response = mock(Response.class); 222 | BoundRequestBuilder boundRequestBuilder = mock(BoundRequestBuilder.class); 223 | ListenableFuture listenableFuture = mock(ListenableFuture.class); 224 | when(response.getResponseBody(Charset.forName("utf-8"))).thenReturn("{}"); 225 | when(response.getStatusCode()).thenReturn(200); 226 | when(asyncHttpClient.prepareGet(anyString())).thenReturn(boundRequestBuilder); 227 | when(boundRequestBuilder.setHeader(anyString(), anyString())).thenReturn(boundRequestBuilder); 228 | when(boundRequestBuilder.execute()).thenReturn(listenableFuture); 229 | when(listenableFuture.get()).thenReturn(response); 230 | 231 | // when 232 | testee.readFields("someKey"); 233 | 234 | // then 235 | verify(asyncHttpClient).prepareGet("http://someBaseUrl/v1/someSecretPathWithoutSlash/someKey"); 236 | } 237 | 238 | @Test() 239 | public void shouldIngnoreSlashOnlySecretPath() throws Exception { 240 | // given 241 | when(configProperties.getBaseUrl()).thenReturn("http://someBaseUrl"); 242 | when(configProperties.getSecretPath()).thenReturn("/"); 243 | 244 | testee = vaultClient(configProperties, "someClientToken"); 245 | testee.asyncHttpClient = asyncHttpClient; 246 | 247 | Response response = mock(Response.class); 248 | BoundRequestBuilder boundRequestBuilder = mock(BoundRequestBuilder.class); 249 | ListenableFuture listenableFuture = mock(ListenableFuture.class); 250 | when(response.getResponseBody(Charset.forName("utf-8"))).thenReturn("{}"); 251 | when(response.getStatusCode()).thenReturn(200); 252 | when(asyncHttpClient.prepareGet(anyString())).thenReturn(boundRequestBuilder); 253 | when(boundRequestBuilder.setHeader(anyString(), anyString())).thenReturn(boundRequestBuilder); 254 | when(boundRequestBuilder.execute()).thenReturn(listenableFuture); 255 | when(listenableFuture.get()).thenReturn(response); 256 | 257 | // when 258 | testee.readFields("someKey"); 259 | 260 | // then 261 | verify(asyncHttpClient).prepareGet("http://someBaseUrl/v1/someKey"); 262 | } 263 | 264 | @Test() 265 | public void shouldIngnoreEmptySecretPath() throws Exception { 266 | // given 267 | when(configProperties.getBaseUrl()).thenReturn("http://someBaseUrl"); 268 | when(configProperties.getSecretPath()).thenReturn(""); 269 | 270 | testee = vaultClient(configProperties, "someClientToken"); 271 | testee.asyncHttpClient = asyncHttpClient; 272 | 273 | Response response = mock(Response.class); 274 | BoundRequestBuilder boundRequestBuilder = mock(BoundRequestBuilder.class); 275 | ListenableFuture listenableFuture = mock(ListenableFuture.class); 276 | when(response.getResponseBody(Charset.forName("utf-8"))).thenReturn("{}"); 277 | when(response.getStatusCode()).thenReturn(200); 278 | when(asyncHttpClient.prepareGet(anyString())).thenReturn(boundRequestBuilder); 279 | when(boundRequestBuilder.setHeader(anyString(), anyString())).thenReturn(boundRequestBuilder); 280 | when(boundRequestBuilder.execute()).thenReturn(listenableFuture); 281 | when(listenableFuture.get()).thenReturn(response); 282 | 283 | // when 284 | testee.readFields("someKey"); 285 | 286 | // then 287 | verify(asyncHttpClient).prepareGet("http://someBaseUrl/v1/someKey"); 288 | } 289 | } 290 | --------------------------------------------------------------------------------