org.forgerock.secrets

Class SecretsProvider

java.lang.Object

org.forgerock.secrets.SecretsProvider

Direct Known Subclasses:

SecretsProviderFacade

public class SecretsProvider
extends Object

The secrets provider is used to get hold of active, named or valid secret objects. An active secret is the preferred secret to use for a particular Purpose at a given point in time. The active secret may change over time as the old secret is revoked or rotated. Previously active secrets can be looked up using SecretsProvider.getNamedSecret(Purpose, String) using the secret's stable id. Alternatively, all still-valid secrets for a given purpose can be obtained via the SecretsProvider.getValidSecrets(Purpose) method.

As not all secret storage backends are appropriate for storing all kinds of secrets, the provider allows different SecretStores to be configured for one or more different purposes, via the SecretsProvider.setActiveStore(SecretStore, Purpose[]) method. This installs the provided store as the preferred storage backend for that purpose. All requests for active secrets for that purpose will be routed to that backend. Any previously configured stores for that purpose will be retained but only queried to find existing named or valid secrets.

A set of default stores can be configured using SecretsProvider.setDefaultStores(SecretStore, SecretStore[]). These stores will be consulted if no specific store has been configured for a particular purpose. By default there is no default store and so a NoSuchSecretException is thrown by any attempt to access a secret for a purpose without a specific store configured.

Constructor Summary

Constructors

Constructor and Description
SecretsProvider()

Method Summary

Modifier and Type	Method and Description
<S extends Secret> Promise<S,NoSuchSecretException>	getActiveSecret(Purpose<S> purpose) Gets the currently active secret for the given purpose.
<S extends Secret> Promise<Stream<S>,NeverThrowsException>	getNamedOrValidSecrets(Purpose<S> purpose, String id) If the given id is not null, then this returns the single named secret that corresponds to that stable id (or a stream of valid secrets for the given purpose if no such secret exists), otherwise it returns all valid secrets for the given purpose.
<S extends Secret> Promise<S,NoSuchSecretException>	getNamedSecret(Purpose<S> purpose, String id) Gets the secret for the given purpose with the given stable secret id.
<S extends Secret> Promise<Stream<S>,NeverThrowsException>	getValidSecrets(Purpose<S> purpose) Returns all secrets for the given purpose which have not yet expired.
<T extends Secret> SecretsProvider	setActiveStore(SecretStore<? super T> store, Purpose<? extends T>... purposes) Sets the active store to use for the given purpose.
protected <T extends Secret> void	setActiveStore(SecretStore<? super T> store, Purpose<? extends T> purpose) Sets the active store to use for the given purpose.
SecretsProvider	setDefaultStores(SecretStore<?> activeStore, SecretStore<?>... defaultStores) Sets the default store(s) to use if there is no specific store configured for a particular purpose.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

SecretsProvider

public SecretsProvider()

Method Detail

setActiveStore

@SafeVarargs
public final <T extends Secret> SecretsProvider setActiveStore(SecretStore<? super T> store,
                                                                            Purpose<? extends T>... purposes)

Sets the active store to use for the given purpose. All existing stores for that purpose will be deactivated and will only be used to serve requests for existing keys that are still valid rather than to produce new active keys.

This method delegates to SecretsProvider.setActiveStore(SecretStore, Purpose) to make the change.

Type Parameters:

T - the type of secrets required by this purpose.

Parameters:

purposes - the purpose(s) to change the active store for.

store - the new secret store to make active for this purpose.

Returns:

the updated secrets provider object.

setActiveStore

protected <T extends Secret> void setActiveStore(SecretStore<? super T> store,
                                                 Purpose<? extends T> purpose)

Sets the active store to use for the given purpose. All existing stores for that purpose will be deactivated and will only be used to serve requests for existing keys that are still valid rather than to produce new active keys.

Type Parameters:

T - the type of secrets required by this purpose.

Parameters:

purpose - the purpose(s) to change the active store for.

store - the new secret store to make active for this purpose.

setDefaultStores

public SecretsProvider setDefaultStores(SecretStore<?> activeStore,
                                        SecretStore<?>... defaultStores)

Sets the default store(s) to use if there is no specific store configured for a particular purpose.

Parameters:

activeStore - the store to use for all requests for active secrets.

defaultStores - remaining valid stores to consult for existing named/valid secrets.

Returns:

the updated secrets provider object.

getActiveSecret

public <S extends Secret> Promise<S,NoSuchSecretException> getActiveSecret(Purpose<S> purpose)

Gets the currently active secret for the given purpose. If more than one secret exists for this purpose, then this method returns the secret that is currently active and should be used for new operations. The returned secret is guaranteed to be within the valid periods specified by its validFrom and expiry times. If no valid secret is configured for the purpose then a NoSuchSecretException is thrown instead.

The active secret is found by first consulting the currently active store for the purpose label. If no active stores exist for the purpose, all default stores are consulted, and the first matching secret is used.

Type Parameters:

S - the type of secret to return.

Parameters:

purpose - the purpose for which the secret is intended to be used.

Returns:

A promise containing either the active secret for this purpose, or a NoSuchSecretException if one cannot be found.

getNamedSecret

public <S extends Secret> Promise<S,NoSuchSecretException> getNamedSecret(Purpose<S> purpose,
                                                                          String id)

Gets the secret for the given purpose with the given stable secret id.

Type Parameters:

S - the type of secret to return

Parameters:

purpose - the purpose for which the secret is intended to be used.

id - the stable id of the particular secret to get.

Returns:

the secret with that id, or an empty result if no such secret exists.

See Also:

Secret.getStableId()

getValidSecrets

public <S extends Secret> Promise<Stream<S>,NeverThrowsException> getValidSecrets(Purpose<S> purpose)

Returns all secrets for the given purpose which have not yet expired. This can be used, for instance, to get a list of all signature validation keys that are still trusted. The secrets will be returned in the order of preference of the store they are from: secrets from the active store will be first, then the most recent previous active store, and so on.

Type Parameters:

S - the type of secret to return.

Parameters:

purpose - the purpose for which the secrets are intended for.

Returns:

a stream of all valid secrets for the given purpose, or an empty stream if not configured.

getNamedOrValidSecrets

public <S extends Secret> Promise<Stream<S>,NeverThrowsException> getNamedOrValidSecrets(Purpose<S> purpose,
                                                                                         String id)

If the given id is not null, then this returns the single named secret that corresponds to that stable id (or a stream of valid secrets for the given purpose if no such secret exists), otherwise it returns all valid secrets for the given purpose. This is a convenience method for a frequent case where you want to process an incoming message (e.g., to decrypt or verify it) and the message may or may not have a secret/key identifier.

For example, to verify a JSON Web Token that might have a "kid" claim, we can do:

  SignedJwt jwt = ...;
  secrets.getNamedOrValidSecrets(Purpose.VERIFY, jwt.getHeader().getKeyId())
      .map(rethrowFunction(key -> signingManager.newVerificationHandler(key)))
      .anyMatch(jwt::verify);

 

Type Parameters:

S - the type of secrets to return.

Parameters:

purpose - the purpose for which the secrets are intended.

id - the optional stable id of the secret, or null if not known.

Returns:

a stream of all secrets to try, or an empty stream if none are applicable.