org.forgerock.secrets.propertyresolver

Class PropertyResolverSecretStore

java.lang.Object

org.forgerock.secrets.propertyresolver.PropertyResolverSecretStore

All Implemented Interfaces:

SecretStore<Secret>

public final class PropertyResolverSecretStore
extends Object
implements SecretStore<Secret>

A SecretStore implementation that resolves secrets as base64-encoded strings from an underlying PropertyResolver. This provides a devops-friendly deployment option, resolving secrets from environment variables or properties files.

We assume that secrets loaded this way are stable for the life of the process and will not be rotated without a restart. In addition, the property name is used as the stable identifier for all loaded secrets so rotation would need to use fresh property names if it is desirable to maintain access to previous values over a long period of time.

Field Summary

Fields inherited from interface org.forgerock.secrets.SecretStore

CLOCK, LEASE_EXPIRY_DURATION

Constructor Summary

Constructors

Constructor and Description
PropertyResolverSecretStore(PropertyResolver propertyResolver) Initialises the property resolver secret store using base64-encoded properties.
PropertyResolverSecretStore(PropertyResolver propertyResolver, SecretPropertyFormat propertyFormat) Initialises the property resolver secret store.

Method Summary

Modifier and Type	Method and Description
<S extends Secret> Promise<S,NoSuchSecretException>	getActive(Purpose<S> purpose) Returns the active secret for the given purpose.
<S extends Secret> Promise<S,NoSuchSecretException>	getNamed(Purpose<S> purpose, String name) Returns the named secret from this store.
Class<Secret>	getStoredType() The top-level class that this store is capable of storing.
<S extends Secret> Promise<Stream<S>,NeverThrowsException>	getValid(Purpose<S> purpose) Returns all valid secrets for the given purpose from this store.
void	refresh() Indicates that the store should refresh its secrets from the backing storage mechanism.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Methods inherited from interface org.forgerock.secrets.SecretStore

retire, revoke, rotate

Constructor Detail

PropertyResolverSecretStore

public PropertyResolverSecretStore(PropertyResolver propertyResolver,
                                   SecretPropertyFormat propertyFormat)

Initialises the property resolver secret store.

Parameters:

propertyResolver - the resolver to use to read secrets from configuration.

propertyFormat - the format that the secret properties are in.

PropertyResolverSecretStore

public PropertyResolverSecretStore(PropertyResolver propertyResolver)

Initialises the property resolver secret store using base64-encoded properties.

Parameters:

propertyResolver - the resolver to use to read secrets from configuration.

Method Detail

getStoredType

public Class<Secret> getStoredType()

Description copied from interface: SecretStore

The top-level class that this store is capable of storing. This is a reification of the type parameter and can be used to lookup stores for a given type.

Specified by:

getStoredType in interface SecretStore<Secret>

Returns:

the top-most type that this store is capable of storing, typically either CryptoKey for key-stores, GenericSecret for password stores, or Secret if the store is capable of storing any type of secret.

getActive

public <S extends Secret> Promise<S,NoSuchSecretException> getActive(Purpose<S> purpose)

Description copied from interface: SecretStore

Returns the active secret for the given purpose.

Specified by:

getActive in interface SecretStore<Secret>

Type Parameters:

S - the type of secret.

Parameters:

purpose - the purpose for which a secret is required.

Returns:

the active secret from this store.

getNamed

public <S extends Secret> Promise<S,NoSuchSecretException> getNamed(Purpose<S> purpose,
                                                                    String name)

Description copied from interface: SecretStore

Returns the named secret from this store.

Specified by:

getNamed in interface SecretStore<Secret>

Type Parameters:

S - the type of secret.

Parameters:

purpose - the secret purpose.

name - the name (stable id) of the secret.

Returns:

the named secret, or Optional.empty() if no such secret exists.

getValid

public <S extends Secret> Promise<Stream<S>,NeverThrowsException> getValid(Purpose<S> purpose)

Description copied from interface: SecretStore

Returns all valid secrets for the given purpose from this store.

Specified by:

getValid in interface SecretStore<Secret>

Type Parameters:

S - the type of secret.

Parameters:

purpose - the purpose.

Returns:

a stream of all valid secrets of the given type from this store, or an empty stream if none exist.

refresh

public void refresh()

Description copied from interface: SecretStore

Indicates that the store should refresh its secrets from the backing storage mechanism. This can be used to cause reload of a store after a secret rotation if the backend does not automatically detect such changes.

Specified by:

refresh in interface SecretStore<Secret>