com.bettercloud.vault.VaultConfig Java Examples
The following examples show how to use
com.bettercloud.vault.VaultConfig.
Example #1
Source File: VaultKubernetesAuthenticator.java From hashicorp-vault-plugin with MIT License | 6 votes |
/**
 * Ensures {@code config} carries a Vault client token obtained through the Kubernetes auth
 * method.
 *
 * <p>While the cached token is still valid it is simply re-applied to {@code config}. Once
 * {@code isTokenTTLExpired()} reports expiry, the service-account JWT is read again from
 * {@code SERVICE_ACCOUNT_TOKEN_PATH} and exchanged for a new Vault token.
 *
 * @param vault client used to perform the JWT login
 * @param config configuration that receives the client token
 * @throws VaultException propagated from the Vault client calls
 * @throws VaultPluginException if the service-account token file cannot be read
 */
@SuppressFBWarnings(value = "DMI_HARDCODED_ABSOLUTE_FILENAME")
public void authenticate(Vault vault, VaultConfig config)
    throws VaultException, VaultPluginException {
    if (!isTokenTTLExpired()) {
        // make sure current auth token is set in config
        config.token(currentAuthToken).build();
        return;
    }

    // The JWT is a credential: it is kept in a field and handed to Vault, never logged.
    // Line terminators are dropped by joining the lines with an empty separator.
    try (Stream<String> tokenLines = Files.lines(Paths.get(SERVICE_ACCOUNT_TOKEN_PATH))) {
        this.jwt = tokenLines.collect(Collectors.joining());
    } catch (IOException e) {
        throw new VaultPluginException("could not get JWT from Service Account Token", e);
    }

    // authenticate
    currentAuthToken = vault.auth()
        .loginByJwt(mountPath, kubernetes.getRole(), this.jwt)
        .getAuthClientToken();
    config.token(currentAuthToken).build();
    // Only a fixed success message is logged; neither the JWT nor the Vault token appears.
    LOGGER.log(Level.FINE, "Login to Vault using Kubernetes successful");
    getTTLExpiryOfCurrentToken(vault);
}
Example #2
Source File: SecretsClientIT.java From java-sdk with MIT License | 6 votes |
/**
 * Starts the Dapr test application and creates the Vault client used by this test class.
 *
 * <p>The Vault address, token and path prefix all come from class constants
 * ({@code LOCAL_VAULT_ADDRESS}, {@code LOCAL_VAULT_TOKEN}, {@code PREFIX}).
 */
@BeforeClass
public static void init() throws Exception {
    daprRun = startDaprApp(
        SecretsClientIT.class.getSimpleName(),
        EmptyService.SUCCESS_MESSAGE,
        EmptyService.class,
        false,
        5000);

    // NOTE(review): the token is a constant in test code; presumably a throwaway token for a
    // local dev-mode Vault - confirm it is never a real credential.
    vault = new Vault(
        new VaultConfig()
            .address(LOCAL_VAULT_ADDRESS)
            .token(LOCAL_VAULT_TOKEN)
            .prefixPath(PREFIX)
            .build());
}
Example #3
Source File: VaultConfiguration.java From hashicorp-vault-plugin with MIT License | 6 votes |
/**
 * Translates this plugin configuration into a driver-level {@link VaultConfig}.
 *
 * <p>Address and engine version are always copied. SSL settings, namespace and prefix path are
 * applied only when configured. The returned object has not had {@code build()} called on it.
 *
 * @return the populated configuration, never {@code null}
 * @throws VaultPluginException if the driver rejects one of the optional settings
 */
@NonNull
public VaultConfig getVaultConfig() {
    VaultConfig result = new VaultConfig();
    result.address(this.getVaultUrl());
    result.engineVersion(this.getEngineVersion());

    try {
        // Security-sensitive: this opt-in switches TLS certificate verification OFF for all
        // traffic to Vault, so a man-in-the-middle could observe tokens and secrets.
        // Verification is left at the driver default unless the flag is explicitly set.
        if (this.isSkipSslVerification()) {
            SslConfig insecureSsl = new SslConfig().verify(false).build();
            result.sslConfig(insecureSsl);
        }

        String namespace = this.getVaultNamespace();
        if (StringUtils.isNotEmpty(namespace)) {
            result.nameSpace(namespace);
        }

        String prefix = this.getPrefixPath();
        if (StringUtils.isNotEmpty(prefix)) {
            result.prefixPath(prefix);
        }
    } catch (VaultException e) {
        throw new VaultPluginException("Could not set up VaultConfig.", e);
    }

    return result;
}
Example #4
Source File: VaultConfigurationIT.java From hashicorp-vault-plugin with MIT License | 5 votes |
/**
 * Verifies that a build fails, without ever contacting Vault, when the global Vault
 * configuration has been cleared.
 */
@Test
public void shouldFailIfNoConfigurationExists() throws Exception {
    // Remove the global configuration so the wrapper has nothing to resolve.
    GlobalVaultConfiguration globalConfig = GlobalConfiguration.all()
        .get(GlobalVaultConfiguration.class);
    assertThat(globalConfig, is(notNullValue()));
    globalConfig.setConfiguration(null);
    globalConfig.save();

    List<VaultSecret> secrets = standardSecrets();

    VaultBuildWrapper vaultBuildWrapper = new VaultBuildWrapper(secrets);
    VaultAccessor mockAccessor = mockVaultAccessor(GLOBAL_ENGINE_VERSION_2);
    vaultBuildWrapper.setVaultAccessor(mockAccessor);

    this.project.getBuildWrappersList().add(vaultBuildWrapper);
    this.project.getBuildersList().add(echoSecret());

    FreeStyleBuild build = this.project.scheduleBuild2(0).get();

    jenkins.assertBuildStatus(Result.FAILURE, build);
    // NOTE(review): anyString()/any() look like Mockito argument matchers used outside
    // verify()/when(); these three statements assert nothing about the build - confirm whether
    // they are needed.
    VaultConfig config = new VaultConfig().address(anyString());
    mockAccessor.setConfig(config);
    mockAccessor.setCredential(any(VaultCredential.class));
    // Fail closed: no login and no secret read may have happened.
    verify(mockAccessor, times(0)).init();
    verify(mockAccessor, times(0)).read(anyString(), anyInt());
    jenkins
        .assertLogContains("No configuration found - please configure the VaultPlugin.", build);
}
Example #5
Source File: VaultContainer.java From hashicorp-vault-plugin with MIT License | 5 votes |
/**
 * Builds a Vault driver on top of a caller-supplied configuration.
 *
 * <p>The supplied {@code vaultConfig} has its address, token, timeouts and SSL settings set by
 * this method before {@code build()} is called on it. The token applied is {@code rootToken}, so
 * the returned client carries that token's privileges.
 *
 * @param vaultConfig configuration to complete; receives the settings listed above
 * @return a Vault driver with retries set to {@code MAX_RETRIES} / {@code RETRY_MILLIS}
 * @throws VaultException if the SSL or Vault configuration cannot be built
 */
public Vault getRootVaultWithCustomVaultConfig(VaultConfig vaultConfig) throws VaultException {
    // TLS settings are taken from the PEM file at CERT_PEMFILE.
    return new Vault(
        vaultConfig
            .address(getAddress())
            .token(rootToken)
            .openTimeout(5)
            .readTimeout(30)
            .sslConfig(new SslConfig().pemFile(new File(CERT_PEMFILE)).build())
            .build())
        .withRetries(MAX_RETRIES, RETRY_MILLIS);
}
Example #6
Source File: VaultContainer.java From hashicorp-vault-plugin with MIT License | 5 votes |
/**
 * Builds a Vault driver that authenticates with the supplied token.
 *
 * <p>Uses this container's address, an open timeout of 5 and a read timeout of 30, and SSL
 * settings built from the PEM file at {@code CERT_PEMFILE}.
 *
 * @param token Vault token the returned client will send
 * @return a Vault driver with retries set to {@code MAX_RETRIES} / {@code RETRY_MILLIS}
 * @throws VaultException if the SSL or Vault configuration cannot be built
 */
public Vault getVault(final String token) throws VaultException {
    return new Vault(
        new VaultConfig()
            .address(getAddress())
            .token(token)
            .openTimeout(5)
            .readTimeout(30)
            .sslConfig(new SslConfig().pemFile(new File(CERT_PEMFILE)).build())
            .build())
        .withRetries(MAX_RETRIES, RETRY_MILLIS);
}
Example #7
Source File: VaultContainer.java From hashicorp-vault-plugin with MIT License | 5 votes |
/**
 * Builds a {@link VaultConfig} that tests can use to create their own Vault clients.
 *
 * <p>No token is set: the result carries only this container's address, an open timeout of 5,
 * a read timeout of 30, and SSL settings built from the PEM file at {@code CERT_PEMFILE}.
 *
 * @return the built configuration
 * @throws VaultException if the SSL or Vault configuration cannot be built
 */
public VaultConfig getVaultConfig() throws VaultException {
    final VaultConfig builtConfig = new VaultConfig()
        .address(getAddress())
        .openTimeout(5)
        .readTimeout(30)
        .sslConfig(new SslConfig().pemFile(new File(CERT_PEMFILE)).build())
        .build();
    return builtConfig;
}
Example #8
Source File: VaultContainer.java From hashicorp-vault-plugin with MIT License | 5 votes |
/**
 * Builds a Vault driver without setting a token on its configuration.
 *
 * <p>Uses this container's address, an open timeout of 5 and a read timeout of 30, and SSL
 * settings built from the PEM file at {@code CERT_PEMFILE}, then delegates to
 * {@code getVault(config, MAX_RETRIES, RETRY_MILLIS)}.
 *
 * @return the Vault driver produced by the three-argument overload
 * @throws VaultException if the SSL or Vault configuration cannot be built
 */
public Vault getVault() throws VaultException {
    return getVault(
        new VaultConfig()
            .address(getAddress())
            .openTimeout(5)
            .readTimeout(30)
            .sslConfig(new SslConfig().pemFile(new File(CERT_PEMFILE)).build())
            .build(),
        MAX_RETRIES,
        RETRY_MILLIS);
}
Example #9
Source File: VaultConfigurationIT.java From hashicorp-vault-plugin with MIT License | 5 votes |
/**
 * Verifies that a job without its own Vault settings ends up with the global URL, credential id
 * and engine version, and that the secret value is masked in the build log.
 *
 * <p>The expected global values are presumably installed by setup code outside this method.
 */
@Test
public void shouldUseGlobalConfiguration() throws Exception {
    VaultBuildWrapper wrapper = new VaultBuildWrapper(standardSecrets());
    VaultAccessor accessor = mockVaultAccessor(GLOBAL_ENGINE_VERSION_2);
    wrapper.setVaultAccessor(accessor);

    this.project.getBuildWrappersList().add(wrapper);
    this.project.getBuildersList().add(echoSecret());

    FreeStyleBuild build = this.project.scheduleBuild2(0).get();

    VaultConfiguration resolved = wrapper.getConfiguration();
    assertThat(resolved.getVaultUrl(), is("http://global-vault-url.com"));
    assertThat(resolved.getVaultCredentialId(), is(GLOBAL_CREDENTIALS_ID_1));
    assertThat(resolved.getEngineVersion(), is(GLOBAL_ENGINE_VERSION_2));

    jenkins.assertBuildStatus(Result.SUCCESS, build);
    // Masking check: the echoed value must show up as asterisks and never in clear text.
    jenkins.assertLogContains("echo ****", build);
    jenkins.assertLogNotContains("some-secret", build);

    // NOTE(review): these two calls hit the mock after the build and assert nothing by
    // themselves - confirm whether they are needed.
    accessor.setConfig(new VaultConfig().address("http://global-vault-url.com"));
    accessor.setCredential((VaultCredential) GLOBAL_CREDENTIAL_1);

    verify(accessor, times(1)).init();
    verify(accessor, times(1)).read("secret/path1", GLOBAL_ENGINE_VERSION_2);
}
Example #10
Source File: VaultConfigurationIT.java From hashicorp-vault-plugin with MIT License | 5 votes |
/**
 * Verifies that a configuration set directly on the build wrapper is the one the build uses,
 * and that the secret value is masked in the build log.
 */
@Test
public void shouldUseJobConfiguration() throws Exception {
    VaultBuildWrapper wrapper = new VaultBuildWrapper(standardSecrets());
    VaultAccessor accessor = mockVaultAccessor(GLOBAL_ENGINE_VERSION_2);
    wrapper.setVaultAccessor(accessor);
    this.project.getBuildWrappersList().add(wrapper);

    // Job-level settings attached to the wrapper itself.
    VaultConfiguration jobConfiguration = new VaultConfiguration();
    jobConfiguration.setVaultUrl("http://job-vault-url.com");
    jobConfiguration.setVaultCredentialId(GLOBAL_CREDENTIALS_ID_2);
    jobConfiguration.setFailIfNotFound(false);
    jobConfiguration.setEngineVersion(GLOBAL_ENGINE_VERSION_2);
    jobConfiguration.setVaultNamespace("mynamespace");
    jobConfiguration.setTimeout(TIMEOUT);
    wrapper.setConfiguration(jobConfiguration);

    this.project.getBuildersList().add(echoSecret());

    FreeStyleBuild build = this.project.scheduleBuild2(0).get();

    VaultConfiguration resolved = wrapper.getConfiguration();
    assertThat(resolved.getVaultUrl(), is("http://job-vault-url.com"));
    assertThat(resolved.getVaultCredentialId(), is(GLOBAL_CREDENTIALS_ID_2));
    assertThat(resolved.getEngineVersion(), is(GLOBAL_ENGINE_VERSION_2));

    jenkins.assertBuildStatus(Result.SUCCESS, build);

    // NOTE(review): these two calls hit the mock after the build and assert nothing by
    // themselves - confirm whether they are needed.
    accessor.setConfig(new VaultConfig().address("http://job-vault-url.com"));
    accessor.setCredential((VaultCredential) GLOBAL_CREDENTIAL_2);

    verify(accessor, times(1)).init();
    verify(accessor, times(1)).read("secret/path1", GLOBAL_ENGINE_VERSION_2);
    // Masking check: the echoed value must show up as asterisks and never in clear text.
    jenkins.assertLogContains("echo ****", build);
    jenkins.assertLogNotContains("some-secret", build);
}
Example #11
Source File: VaultTokenCredentialBinding.java From hashicorp-vault-plugin with MIT License | 5 votes |
/**
 * Obtains a Vault token for the given credential against the configured Vault address.
 *
 * <p>The client configuration contains the address and, when set, the namespace.
 *
 * @param credentials credential that performs the login through the supplied Vault client
 * @return the token returned by {@code credentials.getToken(...)}
 * @throws VaultPluginException if the driver reports a {@link VaultException}
 */
private String getToken(AbstractVaultTokenCredential credentials) {
    VaultConfig vaultConfig = new VaultConfig().address(vaultAddr);
    try {
        if (StringUtils.isNotEmpty(vaultNamespace)) {
            vaultConfig.nameSpace(vaultNamespace);
        }
        vaultConfig.build();

        Vault client = new Vault(vaultConfig);
        // The returned string is a live credential; callers must keep it out of logs.
        return credentials.getToken(client);
    } catch (VaultException e) {
        throw new VaultPluginException("could not log in into vault", e);
    }
}
Example #12
Source File: VaultConfigurationIT.java From hashicorp-vault-plugin with MIT License | 5 votes |
/**
 * Verifies that a build succeeds with a token-based credential registered in the global
 * credentials domain, and that the secret value is masked in the build log.
 */
@Test
public void shouldDealWithTokenBasedCredential() throws Exception {
    VaultBuildWrapper wrapper = new VaultBuildWrapper(standardSecrets());
    VaultAccessor accessor = mockVaultAccessor(GLOBAL_ENGINE_VERSION_2);
    wrapper.setVaultAccessor(accessor);

    // Fixture credential with a hard-coded dummy token value.
    VaultCredential tokenCredential = new VaultTokenCredential(
        CredentialsScope.GLOBAL, "token-1", "description", Secret.fromString("test-token"));
    SystemCredentialsProvider.getInstance().setDomainCredentialsMap(
        Collections.singletonMap(Domain.global(), Collections.singletonList(tokenCredential)));

    this.project.getBuildWrappersList().add(wrapper);

    VaultConfiguration jobConfiguration = new VaultConfiguration();
    jobConfiguration.setVaultUrl("http://job-vault-url.com");
    jobConfiguration.setVaultCredentialId("token-1");
    jobConfiguration.setFailIfNotFound(false);
    jobConfiguration.setVaultNamespace("mynamespace");
    jobConfiguration.setTimeout(TIMEOUT);
    wrapper.setConfiguration(jobConfiguration);

    this.project.getBuildersList().add(echoSecret());

    FreeStyleBuild build = this.project.scheduleBuild2(0).get();

    VaultConfiguration resolved = wrapper.getConfiguration();
    assertThat(resolved.getVaultUrl(), is("http://job-vault-url.com"));
    assertThat(resolved.getVaultCredentialId(), is("token-1"));

    jenkins.assertBuildStatus(Result.SUCCESS, build);

    // NOTE(review): these two calls hit the mock after the build and assert nothing by
    // themselves - confirm whether they are needed.
    accessor.setConfig(new VaultConfig().address("http://job-vault-url.com"));
    accessor.setCredential(tokenCredential);

    verify(accessor, times(1)).init();
    verify(accessor, times(1)).read("secret/path1", GLOBAL_ENGINE_VERSION_2);
    // Masking check: the echoed value must show up as asterisks and never in clear text.
    jenkins.assertLogContains("echo ****", build);
    jenkins.assertLogNotContains("some-secret", build);
}
Example #13
Source File: VaultConfigurationIT.java From hashicorp-vault-plugin with MIT License | 5 votes |
/**
 * Verifies that a build fails, without ever contacting Vault, when the global configuration
 * has a Vault URL but no credential id.
 */
@Test
public void shouldFailIfCredentialsNotConfigured() throws Exception {
    GlobalVaultConfiguration globalConfig = GlobalConfiguration.all()
        .get(GlobalVaultConfiguration.class);
    assertThat(globalConfig, is(notNullValue()));
    // Deliberately no setVaultCredentialId(...) call on this configuration.
    VaultConfiguration vaultConfig = new VaultConfiguration();
    vaultConfig.setVaultUrl("http://global-vault-url.com");
    vaultConfig.setFailIfNotFound(false);
    vaultConfig.setVaultNamespace("mynamespace");
    vaultConfig.setTimeout(TIMEOUT);
    globalConfig.setConfiguration(vaultConfig);

    globalConfig.save();

    List<VaultSecret> secrets = standardSecrets();

    VaultBuildWrapper vaultBuildWrapper = new VaultBuildWrapper(secrets);
    VaultAccessor mockAccessor = mockVaultAccessor(GLOBAL_ENGINE_VERSION_2);
    vaultBuildWrapper.setVaultAccessor(mockAccessor);

    this.project.getBuildWrappersList().add(vaultBuildWrapper);
    this.project.getBuildersList().add(echoSecret());

    FreeStyleBuild build = this.project.scheduleBuild2(0).get();

    jenkins.assertBuildStatus(Result.FAILURE, build);
    // NOTE(review): anyString()/any() look like Mockito argument matchers used outside
    // verify()/when(); these three statements assert nothing about the build - confirm whether
    // they are needed.
    VaultConfig config = new VaultConfig().address(anyString());
    mockAccessor.setConfig(config);
    mockAccessor.setCredential(any(VaultCredential.class));
    // Fail closed: no login and no secret read may have happened.
    verify(mockAccessor, times(0)).init();
    verify(mockAccessor, times(0)).read(anyString(), anyInt());
    jenkins.assertLogContains(
        "The credential id was not configured - please specify the credentials to use.",
        build);
}
Example #14
Source File: VaultConfigurationIT.java From hashicorp-vault-plugin with MIT License | 5 votes |
/**
 * Verifies that a build fails, without ever contacting Vault, when the global configuration
 * has a credential id but no Vault URL.
 */
@Test
public void shouldFailIfUrlNotConfigured() throws Exception {
    GlobalVaultConfiguration globalConfig = GlobalConfiguration.all()
        .get(GlobalVaultConfiguration.class);
    assertThat(globalConfig, is(notNullValue()));
    // Deliberately no setVaultUrl(...) call on this configuration.
    VaultConfiguration vaultConfig = new VaultConfiguration();
    vaultConfig.setVaultCredentialId(GLOBAL_CREDENTIALS_ID_2);
    vaultConfig.setFailIfNotFound(false);
    vaultConfig.setVaultNamespace("mynamespace");
    vaultConfig.setTimeout(TIMEOUT);
    globalConfig.setConfiguration(vaultConfig);

    globalConfig.save();

    List<VaultSecret> secrets = standardSecrets();

    VaultBuildWrapper vaultBuildWrapper = new VaultBuildWrapper(secrets);
    VaultAccessor mockAccessor = mockVaultAccessor(GLOBAL_ENGINE_VERSION_2);
    vaultBuildWrapper.setVaultAccessor(mockAccessor);

    this.project.getBuildWrappersList().add(vaultBuildWrapper);
    this.project.getBuildersList().add(echoSecret());

    FreeStyleBuild build = this.project.scheduleBuild2(0).get();

    jenkins.assertBuildStatus(Result.FAILURE, build);
    // NOTE(review): anyString()/any() look like Mockito argument matchers used outside
    // verify()/when(); these three statements assert nothing about the build - confirm whether
    // they are needed.
    VaultConfig config = new VaultConfig().address(anyString());
    mockAccessor.setConfig(config);
    mockAccessor.setCredential(any(VaultCredential.class));
    // Fail closed: no login and no secret read may have happened.
    verify(mockAccessor, times(0)).init();
    verify(mockAccessor, times(0)).read(anyString(), anyInt());
    jenkins.assertLogContains(
        "The vault url was not configured - please specify the vault url to use.", build);
}
Example #15
Source File: VaultConfigurationIT.java From hashicorp-vault-plugin with MIT License | 5 votes |
/**
 * Verifies that a build fails, without ever contacting Vault, when the configured credential
 * id does not resolve to a credential.
 */
@Test
public void shouldFailIfCredentialsDoNotExist() throws Exception {
    GlobalVaultConfiguration globalConfig = GlobalConfiguration.all()
        .get(GlobalVaultConfiguration.class);
    assertThat(globalConfig, is(notNullValue()));
    VaultConfiguration vaultConfig = new VaultConfiguration();
    vaultConfig.setVaultUrl("http://example.com");
    // Credential id that is presumably not registered anywhere in this test instance.
    vaultConfig.setVaultCredentialId("some-made-up-ID");
    vaultConfig.setFailIfNotFound(false);
    vaultConfig.setVaultNamespace("mynamespace");
    vaultConfig.setTimeout(TIMEOUT);
    globalConfig.setConfiguration(vaultConfig);

    globalConfig.save();

    List<VaultSecret> secrets = standardSecrets();

    VaultBuildWrapper vaultBuildWrapper = new VaultBuildWrapper(secrets);
    VaultAccessor mockAccessor = mockVaultAccessor(GLOBAL_ENGINE_VERSION_2);
    vaultBuildWrapper.setVaultAccessor(mockAccessor);

    this.project.getBuildWrappersList().add(vaultBuildWrapper);
    this.project.getBuildersList().add(echoSecret());

    FreeStyleBuild build = this.project.scheduleBuild2(0).get();

    jenkins.assertBuildStatus(Result.FAILURE, build);
    // NOTE(review): anyString()/any() look like Mockito argument matchers used outside
    // verify()/when(); these three statements assert nothing about the build - confirm whether
    // they are needed.
    VaultConfig config = new VaultConfig().address(anyString());
    mockAccessor.setConfig(config);
    mockAccessor.setCredential(any(VaultCredential.class));
    // Fail closed: no login and no secret read may have happened.
    verify(mockAccessor, times(0)).init();
    verify(mockAccessor, times(0)).read(anyString(), anyInt());
    jenkins.assertLogContains("CredentialsUnavailableException", build);
}
Example #16
Source File: FolderIT.java From hashicorp-vault-plugin with MIT License | 5 votes |
/**
 * Verifies that a Vault configuration attached to a folder is the one used by a job inside that
 * folder, and that the secret value is masked in the build log.
 */
@Test
public void folderShouldOverwriteGlobal() throws Exception {
    VaultBuildWrapper wrapper = new VaultBuildWrapper(standardSecrets());
    VaultAccessor accessor = mockVaultAccessor();
    wrapper.setVaultAccessor(accessor);

    // Folder-level settings for folder1.
    VaultConfiguration folderConfiguration = new VaultConfiguration();
    folderConfiguration.setVaultUrl("http://folder1.com");
    folderConfiguration.setVaultCredentialId(FOLDER_1_CREDENTIALS_ID);
    folderConfiguration.setFailIfNotFound(false);
    folderConfiguration.setVaultNamespace("mynamespace");
    folderConfiguration.setTimeout(TIMEOUT);
    this.folder1.addProperty(new FolderVaultConfiguration(folderConfiguration));

    this.projectInFolder1.getBuildWrappersList().add(wrapper);
    this.projectInFolder1.getBuildersList().add(echoSecret());

    FreeStyleBuild build = this.projectInFolder1.scheduleBuild2(0).get();

    VaultConfiguration resolved = wrapper.getConfiguration();
    assertThat(resolved.getVaultUrl(), is("http://folder1.com"));
    assertThat(resolved.getVaultCredentialId(), is(FOLDER_1_CREDENTIALS_ID));
    assertThat(resolved.isFailIfNotFound(), is(false));

    jenkins.assertBuildStatus(Result.SUCCESS, build);
    // Masking check: the echoed value must show up as asterisks.
    jenkins.assertLogContains("echo ****", build);

    // NOTE(review): these two calls hit the mock after the build and assert nothing by
    // themselves - confirm whether they are needed.
    accessor.setConfig(
        new VaultConfig().address("http://folder1.com").nameSpace("mynamespace"));
    accessor.setCredential((VaultCredential) FOLDER_1_CREDENTIAL);

    verify(accessor, times(1)).init();
    verify(accessor, times(1)).read("secret/path1", 2);
}
Example #17
Source File: FolderIT.java From hashicorp-vault-plugin with MIT License | 5 votes |
/**
 * Verifies that a job inside folder1 can use a credential identified by
 * {@code FOLDER_1_CREDENTIALS_ID}: the build succeeds and Vault is read exactly once.
 */
@Test
public void jobInFolderShouldBeAbleToAccessCredentialsScopedToTheFolder() throws Exception {
    VaultBuildWrapper wrapper = new VaultBuildWrapper(standardSecrets());
    VaultAccessor accessor = mockVaultAccessor();
    wrapper.setVaultAccessor(accessor);

    // Folder-level settings for folder1, pointing at folder1's own credential.
    VaultConfiguration folderConfiguration = new VaultConfiguration();
    folderConfiguration.setVaultUrl("http://folder1.com");
    folderConfiguration.setVaultCredentialId(FOLDER_1_CREDENTIALS_ID);
    folderConfiguration.setFailIfNotFound(false);
    folderConfiguration.setVaultNamespace("mynamespace");
    folderConfiguration.setTimeout(TIMEOUT);
    this.folder1.addProperty(new FolderVaultConfiguration(folderConfiguration));

    this.projectInFolder1.getBuildWrappersList().add(wrapper);
    this.projectInFolder1.getBuildersList().add(echoSecret());

    FreeStyleBuild build = this.projectInFolder1.scheduleBuild2(0).get();

    // NOTE(review): these two calls hit the mock after the build and assert nothing by
    // themselves - confirm whether they are needed.
    accessor.setConfig(
        new VaultConfig()
            .address("http://folder1.com")
            .nameSpace("mynamespace"));
    accessor.setCredential((VaultCredential) FOLDER_1_CREDENTIAL);

    verify(accessor, times(1)).init();

    VaultConfiguration resolved = wrapper.getConfiguration();
    assertThat(resolved.getVaultCredentialId(), is(FOLDER_1_CREDENTIALS_ID));
    assertThat(resolved.isFailIfNotFound(), is(false));

    jenkins.assertBuildStatus(Result.SUCCESS, build);
    // Masking check: the echoed value must show up as asterisks.
    jenkins.assertLogContains("echo ****", build);

    // Same init() verification as above, repeated as in the original test.
    verify(accessor, times(1)).init();
    verify(accessor, times(1)).read("secret/path1", 2);
}
Example #18
Source File: VaultDisposer.java From hashicorp-vault-plugin with MIT License | 5 votes |
/**
 * Revokes every non-empty Vault lease recorded in {@code leaseIds} when the build is torn down.
 *
 * @throws IOException declared by the overridden method
 * @throws InterruptedException declared by the overridden method
 */
@Override
public void tearDown(final Run<?, ?> build, final FilePath workspace, final Launcher launcher,
    final TaskListener listener) throws IOException, InterruptedException {
    // NOTE(review): only the address is applied here; namespace, prefix path and SSL settings of
    // vaultConfiguration are not. If revocation needs them, leases may outlive the build -
    // confirm against VaultAccessor.init().
    VaultAccessor accessor = new VaultAccessor(
        new VaultConfig().address(vaultConfiguration.getVaultUrl()), vaultCredential).init();

    for (String leaseId : leaseIds) {
        if (leaseId == null || leaseId.isEmpty()) {
            continue;
        }
        // NOTE(review): an exception thrown here would skip the remaining leases - confirm
        // what revoke() can throw.
        accessor.revoke(leaseId);
    }
}
Example #19
Source File: VaultUserPassAuthenticator.java From hashicorp-vault-plugin with MIT License | 5 votes |
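/**
 * Ensures {@code config} carries a Vault client token obtained through username/password login.
 *
 * <p>While the cached token is still valid it is simply re-applied to {@code config}. Once
 * {@code isTokenTTLExpired()} reports expiry, a new login is performed with the stored
 * username and password.
 *
 * @param vault client used to perform the login
 * @param config configuration that receives the client token
 * @throws VaultException propagated from the Vault client calls
 */
public void authenticate(Vault vault, VaultConfig config) throws VaultException {
    if (isTokenTTLExpired()) {
        // authenticate
        currentAuthToken = vault.auth()
            .loginByUserPass(userPass.getUsername(), userPass.getPassword(), mountPath)
            .getAuthClientToken();
        config.token(currentAuthToken).build();
        // The message previously named AppRole/SecretID (copied from the AppRole
        // authenticator), which misattributes the auth method when logs are reviewed.
        // Only a fixed message is logged; username, password and token are not.
        LOGGER.log(Level.FINE, "Login to Vault using Username/Password successful");
        getTTLExpiryOfCurrentToken(vault);
    } else {
        // make sure current auth token is set in config
        config.token(currentAuthToken).build();
    }
}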
Example #20
Source File: FolderIT.java From hashicorp-vault-plugin with MIT License | 5 votes |
/**
 * Verifies credential isolation between folders: a job in folder1 configured with
 * {@code FOLDER_2_CREDENTIALS_ID} must fail and must never contact Vault.
 */
@Test
public void jobInFolderShouldNotBeAbleToAccessCredentialsScopedToAnotherFolder()
    throws Exception {
    List<VaultSecret> secrets = standardSecrets();

    VaultBuildWrapper vaultBuildWrapper = new VaultBuildWrapper(secrets);
    VaultAccessor mockAccessor = mockVaultAccessor();
    vaultBuildWrapper.setVaultAccessor(mockAccessor);

    // folder1's configuration references the credential id belonging to folder2.
    VaultConfiguration vaultConfig = new VaultConfiguration();
    vaultConfig.setVaultUrl("http://folder1.com");
    vaultConfig.setVaultCredentialId(FOLDER_2_CREDENTIALS_ID);
    vaultConfig.setFailIfNotFound(false);
    vaultConfig.setVaultNamespace("mynamespace");
    vaultConfig.setTimeout(TIMEOUT);

    this.folder1.addProperty(new FolderVaultConfiguration(vaultConfig));

    this.projectInFolder1.getBuildWrappersList().add(vaultBuildWrapper);
    this.projectInFolder1.getBuildersList().add(echoSecret());

    FreeStyleBuild build = this.projectInFolder1.scheduleBuild2(0).get();

    assertThat(vaultBuildWrapper.getConfiguration().getVaultUrl(), is("http://folder1.com"));
    assertThat(vaultBuildWrapper.getConfiguration().getVaultCredentialId(),
        is(FOLDER_2_CREDENTIALS_ID));
    assertThat(vaultBuildWrapper.getConfiguration().isFailIfNotFound(), is(false));

    jenkins.assertBuildStatus(Result.FAILURE, build);
    jenkins.assertLogContains("CredentialsUnavailableException", build);
    // NOTE(review): anyString()/any() look like Mockito argument matchers used outside
    // verify()/when(); these three statements assert nothing about the build - confirm whether
    // they are needed.
    VaultConfig config = new VaultConfig().address(anyString());
    mockAccessor.setConfig(config);
    mockAccessor.setCredential(any(VaultCredential.class));
    // Fail closed: no login and no secret read may have happened.
    verify(mockAccessor, times(0)).init();
    verify(mockAccessor, times(0)).read(anyString(), anyInt());
}
Example #21
Source File: VaultAppRoleAuthenticator.java From hashicorp-vault-plugin with MIT License | 5 votes |
/**
 * Ensures {@code config} carries a Vault client token obtained through AppRole login.
 *
 * <p>While the cached token is still valid it is simply re-applied to {@code config}. Once
 * {@code isTokenTTLExpired()} reports expiry, a new login is performed with the stored role id
 * and secret id.
 *
 * @param vault client used to perform the login
 * @param config configuration that receives the client token
 * @throws VaultException propagated from the Vault client calls
 */
public void authenticate(Vault vault, VaultConfig config) throws VaultException {
    if (!isTokenTTLExpired()) {
        // make sure current auth token is set in config
        config.token(currentAuthToken).build();
        return;
    }

    // authenticate
    currentAuthToken = vault.auth()
        .loginByAppRole(mountPath, appRole.getAppRole(), appRole.getAppRoleSecret())
        .getAuthClientToken();
    config.token(currentAuthToken).build();
    // Only a fixed message is logged; role id, secret id and token are not.
    LOGGER.log(Level.FINE, "Login to Vault using AppRole/SecretID successful");
    getTTLExpiryOfCurrentToken(vault);
}
Example #22
Source File: VaultClientTest.java From testcontainers-java with MIT License | 5 votes |
/**
 * Starts a Vault container, writes two key/value pairs under {@code secret/hello} and reads
 * them back through the vault-java-driver client.
 */
@Test
public void writeAndReadMultipleValues() throws VaultException {
    try (
        VaultContainer container = new VaultContainer<>()
            .withVaultToken(VAULT_TOKEN)
    ) {
        container.start();

        // The address is built from the container's host and first mapped port.
        final String address =
            "http://" + container.getHost() + ":" + container.getFirstMappedPort();
        final Vault client = new Vault(
            new VaultConfig()
                .address(address)
                .token(VAULT_TOKEN)
                .build());

        final Map<String, Object> payload = new HashMap<>();
        payload.put("value", "world");
        payload.put("other_value", "another world");

        // Write operation
        final LogicalResponse written = client.logical().write("secret/hello", payload);
        assertThat(written.getRestResponse().getStatus()).isEqualTo(200);

        // Read operation
        final Map<String, String> readBack = client.logical().read("secret/hello").getData();
        assertThat(readBack)
            .containsEntry("value", "world")
            .containsEntry("other_value", "another world");
    }
}
Example #23
Source File: VaultBuildWrapperWithMockAccessor.java From hashicorp-vault-plugin with MIT License | 4 votes |
/**
 * Creates a build wrapper whose Vault accessor is a hand-written test double.
 *
 * <p>The double throws {@link AssertionError} when it is given an address, AppRole credential
 * or secret path other than the hard-coded expected values, and answers reads of
 * {@code secret/path1} with a canned response containing {@code key1 -> some-secret}.
 *
 * @param vaultSecrets secrets passed to the superclass constructor; may be {@code null}
 */
@DataBoundConstructor
public VaultBuildWrapperWithMockAccessor(@CheckForNull List<VaultSecret> vaultSecrets) {
    super(vaultSecrets);
    setVaultAccessor(new VaultAccessor() {

        @Override
        public void setConfig(VaultConfig config) {
            String address = config.getAddress();
            if (address.equals("http://jenkinsfile-vault-url.com")) {
                return;
            }
            throw new AssertionError(
                "URL " + address + " does not match expected value of "
                    + "http://jenkinsfile-vault-url.com");
        }

        @Override
        public void setCredential(VaultCredential credential) {
            VaultAppRoleCredential appRole = (VaultAppRoleCredential) credential;
            if (appRole.getRoleId().equals("role-id-global-2")
                && appRole.getSecretId().getPlainText().equals("secret-id-global-2")) {
                return;
            }
            // NOTE(review): the secret id object is concatenated into the failure message;
            // acceptable for fixture values, but confirm its toString() does not print real
            // secrets if this double is ever reused.
            throw new AssertionError(
                "role-id " + appRole.getRoleId() + " or secret-id "
                    + appRole.getSecretId() + " do not match expected: -global-2");
        }

        @Override
        public VaultAccessor init() {
            return this;
        }

        @Override
        public LogicalResponse read(String path, Integer engineVersion) {
            if (!path.equals("secret/path1")) {
                throw new AssertionError(
                    "path " + path + " does not match expected: secret/path1");
            }

            Map<String, String> cannedData = new HashMap<>();
            cannedData.put("key1", "some-secret");

            LogicalResponse response = mock(LogicalResponse.class);
            RestResponse restResponse = mock(RestResponse.class);
            // getData() is stubbed twice with the same value, as in the original.
            when(response.getData()).thenReturn(cannedData);
            when(response.getData()).thenReturn(cannedData);
            when(response.getRestResponse()).thenReturn(restResponse);
            when(restResponse.getStatus()).thenReturn(200);
            return response;
        }
    });
}
Example #24
Source File: VaultHelper.java From hashicorp-vault-plugin with MIT License | 4 votes |
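/**
 * Reads a single key from a Vault secret using the global plugin configuration.
 *
 * <p>Fix: TLS verification was previously configured as
 * {@code verify(configuration.isSkipSslVerification())}, which disabled certificate checks
 * whenever "skip verification" was off and enabled them only when it was on. The flag is
 * now negated, matching how {@code VaultConfiguration.getVaultConfig()} calls
 * {@code verify(false)} only when skipping is requested.
 *
 * @return the value stored under {@code secretKey} at {@code secretPath}
 * @throws IllegalStateException if the Vault plugin has no global configuration
 * @throws RuntimeException wrapping any failure while building the client or reading the secret
 */
@Override
public String call() throws IOException {
    Jenkins jenkins = Jenkins.get();

    // Only the location of the secret is logged (path, key, engine version), never its value.
    String msg = String.format(
        "Retrieving vault secret path=%s key=%s engineVersion=%s",
        secretPath, secretKey, engineVersion);
    LOGGER.info(msg);

    GlobalVaultConfiguration globalConfig = GlobalConfiguration.all()
        .get(GlobalVaultConfiguration.class);

    if (globalConfig == null) {
        throw new IllegalStateException("Vault plugin has not been configured.");
    }

    ExtensionList<VaultBuildWrapper.DescriptorImpl> extensionList = jenkins
        .getExtensionList(VaultBuildWrapper.DescriptorImpl.class);
    VaultBuildWrapper.DescriptorImpl descriptor = extensionList.get(0);

    VaultConfiguration configuration = globalConfig.getConfiguration();

    if (descriptor == null || configuration == null) {
        throw new IllegalStateException("Vault plugin has not been configured.");
    }

    try {
        // verify(true) means "check the server certificate", so the skip flag must be negated.
        SslConfig sslConfig = new SslConfig()
            .verify(!configuration.isSkipSslVerification())
            .build();

        VaultConfig vaultConfig = new VaultConfig()
            .address(configuration.getVaultUrl())
            .sslConfig(sslConfig)
            .engineVersion(engineVersion);

        if (isNotEmpty(configuration.getVaultNamespace())) {
            vaultConfig.nameSpace(configuration.getVaultNamespace());
        }

        if (isNotEmpty(configuration.getPrefixPath())) {
            vaultConfig.prefixPath(configuration.getPrefixPath());
        }

        // Prefer a credential already attached to the configuration; otherwise look it up by id.
        VaultCredential vaultCredential = configuration.getVaultCredential();
        if (vaultCredential == null) {
            vaultCredential = retrieveVaultCredentials(configuration.getVaultCredentialId());
        }

        VaultAccessor vaultAccessor = new VaultAccessor(vaultConfig, vaultCredential);
        vaultAccessor.setMaxRetries(configuration.getMaxRetries());
        vaultAccessor.setRetryIntervalMilliseconds(configuration.getRetryIntervalMilliseconds());
        vaultAccessor.init();

        Map<String, String> values = vaultAccessor.read(secretPath, engineVersion).getData();

        if (!values.containsKey(secretKey)) {
            String message = String.format(
                "Key %s could not be found in path %s",
                secretKey, secretPath);
            throw new VaultPluginException(message);
        }

        return values.get(secretKey);
    } catch (Exception e) {
        throw new RuntimeException(e);
    }
}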
Example #25
Source File: AbstractVaultTokenCredential.java From hashicorp-vault-plugin with MIT License | 4 votes |
/**
 * Returns a Vault client whose configuration carries the token produced by this credential.
 *
 * <p>A first client built from {@code config} is handed to {@code getToken(...)}; the resulting
 * token is then set on the same {@code config} object and a second client is created from it.
 *
 * @param config configuration to authenticate; receives the token
 * @return a client created from the token-bearing configuration
 */
@Override
public Vault authorizeWithVault(VaultConfig config) {
    String token = getToken(new Vault(config));
    return new Vault(config.token(token));
}
Example #26
Source File: VaultAccessor.java From hashicorp-vault-plugin with MIT License | 4 votes |
/**
 * Replaces the Vault configuration held by this accessor.
 *
 * @param config configuration to store; kept by reference, not copied
 */
public void setConfig(VaultConfig config) {
    this.config = config;
}
Example #27
Source File: VaultAccessor.java From hashicorp-vault-plugin with MIT License | 4 votes |
/**
 * Returns the Vault configuration held by this accessor.
 *
 * <p>The stored object itself is returned, not a copy. It presumably carries the client token
 * once authentication has run, so callers should treat it as sensitive.
 *
 * @return the stored configuration
 */
public VaultConfig getConfig() {
    return this.config;
}
Example #28
Source File: VaultAccessor.java From hashicorp-vault-plugin with MIT License | 4 votes |
/**
 * Creates an accessor for the given configuration and credential.
 *
 * <p>Both arguments are stored by reference; no connection or login happens here.
 *
 * @param config Vault client configuration
 * @param credential credential stored for later use by this accessor
 */
public VaultAccessor(VaultConfig config, VaultCredential credential) {
    this.credential = credential;
    this.config = config;
}
Example #29
Source File: VaultAccessor.java From hashicorp-vault-plugin with MIT License | 4 votes |
/**
 * Creates an accessor with a fresh, empty {@link VaultConfig}.
 *
 * <p>This constructor assigns only the configuration field.
 */
public VaultAccessor() {
    config = new VaultConfig();
}
Example #30
Source File: VaultBuildWrapper.java From hashicorp-vault-plugin with MIT License | 4 votes |
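/**
 * Reads every configured Vault secret and exposes its values as build environment variables.
 *
 * <p>Each value is added to {@code valuesToMask} before it is put into the build environment.
 *
 * <p>Fix: the cause of a {@link VaultPluginException} was cast to {@link VaultException}
 * unconditionally, so any other cause surfaced as a {@link ClassCastException} and hid the
 * real failure. The cause is now type-checked and the original exception is rethrown when it
 * is not a {@code VaultException}.
 *
 * @param context build context that receives the environment variables
 * @param build the running build, used to resolve credentials when none are configured
 * @param envVars variables used to expand placeholders in secret paths
 * @throws VaultPluginException if the Vault URL is blank or reading a secret fails
 * @throws IllegalArgumentException if a requested key is missing or blank in Vault
 */
protected void provideEnvironmentVariablesFromVault(Context context, Run build, EnvVars envVars) {
    VaultConfiguration config = getConfiguration();
    String url = config.getVaultUrl();

    if (StringUtils.isBlank(url)) {
        throw new VaultPluginException(
            "The vault url was not configured - please specify the vault url to use.");
    }

    VaultConfig vaultConfig = config.getVaultConfig();
    VaultCredential credential = config.getVaultCredential();
    if (credential == null) {
        credential = retrieveVaultCredentials(build);
    }

    if (vaultAccessor == null) {
        vaultAccessor = new VaultAccessor();
    }
    vaultAccessor.setConfig(vaultConfig);
    vaultAccessor.setCredential(credential);
    vaultAccessor.setMaxRetries(config.getMaxRetries());
    vaultAccessor.setRetryIntervalMilliseconds(config.getRetryIntervalMilliseconds());
    vaultAccessor.init();

    for (VaultSecret vaultSecret : vaultSecrets) {
        String path = envVars.expand(vaultSecret.getPath());
        // NOTE(review): the fallback reads the `configuration` field, not the local `config`
        // resolved above - confirm the two always refer to the same object.
        Integer engineVersion = Optional.ofNullable(vaultSecret.getEngineVersion())
            .orElse(configuration.getEngineVersion());
        try {
            LogicalResponse response = vaultAccessor.read(path, engineVersion);
            if (responseHasErrors(path, response)) {
                continue;
            }
            Map<String, String> values = response.getData();
            for (VaultSecretValue value : vaultSecret.getSecretValues()) {
                String vaultKey = value.getVaultKey();
                String secret = values.get(vaultKey);
                if (StringUtils.isBlank(secret)) {
                    // The message names the key and path only, never a secret value.
                    throw new IllegalArgumentException(
                        "Vault Secret " + vaultKey + " at " + path
                            + " is either null or empty. Please check the Secret in Vault.");
                }
                // Register the value for masking before it is exposed to the build.
                valuesToMask.add(secret);
                context.env(value.getEnvVar(), secret);
            }
        } catch (VaultPluginException ex) {
            Throwable cause = ex.getCause();
            if (cause instanceof VaultException) {
                VaultException e = (VaultException) cause;
                throw new VaultPluginException(String
                    .format("Vault response returned %d for secret path %s",
                        e.getHttpStatusCode(), path),
                    e);
            }
            throw ex;
        }
    }
}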