public interface SecretStore<T extends Secret>

Type Parameters:
T - the type of secrets that this backend can store.

See Also:
SecretsProvider

A store may only be capable of storing certain types of secrets.

Modifier and Type | Field and Description |
---|---|
static Option<Clock> | CLOCK: Option used to specify how long secrets from a store should be used before being refreshed. |
static Option<Duration> | LEASE_EXPIRY_DURATION: Option used to specify how long secrets from a store should be used before being refreshed. |
Modifier and Type | Method and Description |
---|---|
<S extends T> Promise<S,NoSuchSecretException> | getActive(Purpose<S> purpose): Returns the active secret for the given purpose. |
<S extends T> Promise<S,NoSuchSecretException> | getNamed(Purpose<S> purpose, String name): Returns the named secret from this store. |
Class<T> | getStoredType(): The top-level class that this store is capable of storing. |
<S extends T> Promise<Stream<S>,NeverThrowsException> | getValid(Purpose<S> purpose): Returns all valid secrets for the given purpose from this store. |
void | refresh(): Indicates that the store should refresh its secrets from the backing storage mechanism. |
default void | retire(Purpose<? extends T> purpose, String secretIdToRetire): Retires the given secret for the given purpose. |
default void | revoke(String secretId): Revokes the given secret for all purposes in this store. |
default void | rotate(Purpose<? extends T> purpose, String newActiveSecretId): Rotates the active secret for the given purpose. |
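The rotate, retire and revoke contract listed above (rotate makes the named secret active while older ones stay valid; retiring the active secret makes the previous active secret active again, or leaves the purpose with none; revoke removes a secret for every purpose and silently ignores unknown ids), modelled as an added Python illustration that is not ForgeRock code. Purposes are plain strings and the ForgeRock Promise and Purpose types are left out; both are assumptions of this model.

```python
# Added illustration (not ForgeRock code): in-memory model of the
# rotate/retire/revoke contract described for SecretStore. Purposes are
# plain strings; the ForgeRock Promise and Purpose types are left out.
from dataclasses import dataclass

class NoSuchSecretException(Exception):
    """Raised when a purpose has no active secret (as on the page)."""

@dataclass(frozen=True)
class Secret:
    stable_id: str   # the "name (stable id)" the page's methods refer to
    material: bytes

class InMemorySecretStore:
    def __init__(self, secrets):
        self._secrets = {s.stable_id: s for s in secrets}
        self._valid = {}  # purpose -> valid ids, oldest first; active is last

    def rotate(self, purpose, new_active_secret_id):
        """Make the named secret active; older secrets stay valid."""
        if new_active_secret_id not in self._secrets:
            raise ValueError("no such secret: " + new_active_secret_id)
        ids = self._valid.setdefault(purpose, [])
        if new_active_secret_id in ids:
            ids.remove(new_active_secret_id)
        ids.append(new_active_secret_id)

    def retire(self, purpose, secret_id_to_retire):
        """Drop one secret for one purpose; if it was active, the previous
        active secret becomes active again (or none is left)."""
        ids = self._valid.get(purpose, [])
        if secret_id_to_retire in ids:
            ids.remove(secret_id_to_retire)

    def revoke(self, secret_id):
        """Remove the secret for every purpose; unknown ids are ignored."""
        self._secrets.pop(secret_id, None)
        for ids in self._valid.values():
            if secret_id in ids:
                ids.remove(secret_id)

    def get_active(self, purpose):
        ids = self._valid.get(purpose)
        if not ids:
            raise NoSuchSecretException(purpose)
        return self._secrets[ids[-1]]

    def get_valid(self, purpose):
        """Still-valid secrets for the purpose, active first."""
        return [self._secrets[i] for i in reversed(self._valid.get(purpose, []))]
```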
static final Option<Duration> LEASE_EXPIRY_DURATION

Option used to specify how long secrets from a store should be used before being refreshed.

Class<T> getStoredType()

The top-level class that this store is capable of storing, for example CryptoKey for key-stores, GenericSecret for password stores, or Secret if the store is capable of storing any type of secret.

<S extends T> Promise<S,NoSuchSecretException> getActive(Purpose<S> purpose)

Returns the active secret for the given purpose.

Type Parameters:
S - the type of secret.
Parameters:
purpose - the purpose for which a secret is required.

<S extends T> Promise<S,NoSuchSecretException> getNamed(Purpose<S> purpose, String name)

Returns the named secret from this store.

Type Parameters:
S - the type of secret.
Parameters:
purpose - the secret purpose.
name - the name (stable id) of the secret.
Returns:
Optional.empty() if no such secret exists.

<S extends T> Promise<Stream<S>,NeverThrowsException> getValid(Purpose<S> purpose)

Returns all valid secrets for the given purpose from this store.

Type Parameters:
S - the type of secret.
Parameters:
purpose - the purpose.

void refresh()

Indicates that the store should refresh its secrets from the backing storage mechanism.

default void rotate(Purpose<? extends T> purpose, String newActiveSecretId)

Rotates the active secret for the given purpose. Throws UnsupportedOperationException if the store does not implement rotation directly. Some stores natively support rotation, in which case this should be done using store-specific interfaces.

Parameters:
purpose - the purpose for which to rotate the active secret.
newActiveSecretId - the stable id of the new active secret.
Throws:
IllegalArgumentException - if there is no such secret in this store, or if it is inappropriate for this purpose.
UnsupportedOperationException - if this store does not support direct secret rotation.

default void retire(Purpose<? extends T> purpose, String secretIdToRetire)

Retires the given secret for the given purpose. Throws UnsupportedOperationException if the store does not implement rotation directly. Some stores natively support rotation, in which case this should be done using store-specific interfaces. If the given secret is the current active secret for the purpose then the previous active secret will become active. If there are no still-valid previous secrets then there will be no active secret for that purpose and any attempts to use it will generate NoSuchSecretExceptions.

Parameters:
purpose - the purpose for which to retire the secret.
secretIdToRetire - the stable id of the secret to retire.
Throws:
UnsupportedOperationException - if this store does not support direct secret rotation.

default void revoke(String secretId)

Revokes the given secret for all purposes in this store. ... NoSuchSecretException. It is therefore advised to rotate a new secret into use for all such purposes before revoking the active secret. Note that if the store does not contain the named secret then it will silently ignore this request.

Parameters:
secretId - the stable id of the secret to revoke.
Throws:
UnsupportedOperationException - if the store does not support directly revoking secrets.

Copyright © 2010-2018, ForgeRock All Rights Reserved.