org.forgerock.openig.secrets

Class SecretsUtils

java.lang.Object

org.forgerock.openig.secrets.SecretsUtils

public final class SecretsUtils
extends Object

Utility class to use the Commons Secret API.

Since:

6.5

Method Summary

Modifier and Type	Method and Description
static Key	exportAsKey(CryptoKey cryptoKey) Exports the key material in the raw format.
static Key	exportAsKeyAndClose(CryptoKey cryptoKey) Exports the key material in the raw format and close the provided key material.
static String	getPasswordSecretIdOrPassword(SecretsService secretsService, JsonValue secretIdNode, JsonValue deprecatedNode, org.slf4j.Logger logger) Retrieve a required password value from the given secretIdNode and deprecatedNode nodes.
static String	getPasswordSecretIdOrPassword(SecretsService secretsService, JsonValue secretIdNode, JsonValue deprecatedNode, org.slf4j.Logger logger, boolean isRequired) Retrieve a password value from the given secretIdNode and deprecatedNode nodes (can be an optional value).
static byte[]	getPasswordSecretIdOrPasswordAsByte(SecretsService secretsService, JsonValue secretIdNode, JsonValue deprecatedNode, org.slf4j.Logger logger) Retrieve a required shared secret value (as byte[]) from the given secretIdNode and deprecatedNode nodes.
static <S extends CryptoKey> S	retrieveCryptoKeyFromSecretId(SecretsService secretsService, JsonValue secretIdNode, Class<S> type) Retrieves a CryptoKey from the given node.
static <S extends CryptoKey> Key	retrieveKeyFromSecretId(SecretsService secretsService, JsonValue secretIdNode, Class<S> type) Retrieves a Key from the given node.
static SecretReference<GenericSecret>	retrievePasswordAsReference(SecretsService secretsService, JsonValue secretIdNode, JsonValue deprecatedNode, Clock clock) Retrieve a required password as a SecretReference from the given secretIdNode and deprecatedNode nodes.

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Method Detail

getPasswordSecretIdOrPassword

public static String getPasswordSecretIdOrPassword(SecretsService secretsService,
                                                   JsonValue secretIdNode,
                                                   JsonValue deprecatedNode,
                                                   org.slf4j.Logger logger)
                                            throws NoSuchSecretException

Retrieve a required password value from the given secretIdNode and deprecatedNode nodes.

• Password referenced from the secretIdNode node has precedence.
• When secret reference is provided but secret not found, a NoSuchSecretException is thrown
• When secret reference is not used, direct password value (from deprecatedNode) is returned
• If value is missing, an exception is thrown

This method logs deprecation warnings if password is resolved from the deprecatedNode node value.

Parameters:

secretsService - The SecretsService used to retrieve the secret.

secretIdNode - The node describing the Purpose where the password will be available.

deprecatedNode - The deprecated node holding the password. Deprecated since 6.5.

logger - The logger used to display warnings and other deprecation messages.

Returns:

The String representing the password.

Throws:

NoSuchSecretException - If secret reference cannot be resolved.

getPasswordSecretIdOrPassword

public static String getPasswordSecretIdOrPassword(SecretsService secretsService,
                                                   JsonValue secretIdNode,
                                                   JsonValue deprecatedNode,
                                                   org.slf4j.Logger logger,
                                                   boolean isRequired)
                                            throws NoSuchSecretException

Retrieve a password value from the given secretIdNode and deprecatedNode nodes (can be an optional value).

• Password referenced from the secretIdNode node has precedence.
• When secret reference is provided but secret not found, a NoSuchSecretException is thrown
• When secret reference is not used, direct password value (from deprecatedNode) is returned
• If value is missing, null is returned

This method logs deprecation warnings if password is resolved from the deprecatedNode node value.

Parameters:

secretsService - The SecretsService used to retrieve the secret.

secretIdNode - The node describing the Purpose where the password will be available.

deprecatedNode - The deprecated node holding the password. Deprecated since 6.5.

logger - The logger used to display warnings and other deprecation messages.

isRequired - If set to true, this method will throw an exception if deprecatedNode has a null value.

Returns:

The String representing the password (or null if no node value is provided).

Throws:

NoSuchSecretException - If secret reference cannot be resolved.

getPasswordSecretIdOrPasswordAsByte

public static byte[] getPasswordSecretIdOrPasswordAsByte(SecretsService secretsService,
                                                         JsonValue secretIdNode,
                                                         JsonValue deprecatedNode,
                                                         org.slf4j.Logger logger)
                                                  throws NoSuchSecretException

Retrieve a required shared secret value (as byte[]) from the given secretIdNode and deprecatedNode nodes.

• Shared secret referenced from the secretIdNode node has precedence.
• When secret reference is provided but secret not found, a NoSuchSecretException is thrown
• When secret reference is not used, Base64 decoded value (from deprecatedNode) is returned
• If value is missing, an exception is thrown

This method logs deprecation warnings if shared secret is resolved from the deprecatedNode node value.

Parameters:

secretsService - The SecretsService used to retrieve the secret.

secretIdNode - The node describing the Purpose where the password will be available.

deprecatedNode - The deprecated node holding the password. Deprecated since 6.5.

logger - The logger used to display warnings and other deprecation messages.

Returns:

The String representing the password.

Throws:

NoSuchSecretException - If secret reference cannot be resolved.

retrieveKeyFromSecretId

public static <S extends CryptoKey> Key retrieveKeyFromSecretId(SecretsService secretsService,
                                                                JsonValue secretIdNode,
                                                                Class<S> type)
                                                         throws NoSuchSecretException

Retrieves a Key from the given node.

Type Parameters:

S - The type of the secret.

Parameters:

secretsService - The SecretsService used to retrieve the secret.

secretIdNode - The secretId node.

type - The expected type of the secret.

Returns:

Key if the secret is found.

Throws:

NoSuchSecretException - If there is no corresponding key.

exportAsKey

public static Key exportAsKey(CryptoKey cryptoKey)
                       throws NoSuchSecretException

Exports the key material in the raw format.

Parameters:

cryptoKey - The key material to export

Returns:

the exported key material.

Throws:

NoSuchSecretException - if the secret could not be exported.

exportAsKeyAndClose

public static Key exportAsKeyAndClose(CryptoKey cryptoKey)
                               throws NoSuchSecretException

Exports the key material in the raw format and close the provided key material.

Parameters:

cryptoKey - The key material to export

Returns:

the exported key material.

Throws:

NoSuchSecretException - if the secret could not be exported.

retrieveCryptoKeyFromSecretId

public static <S extends CryptoKey> S retrieveCryptoKeyFromSecretId(SecretsService secretsService,
                                                                    JsonValue secretIdNode,
                                                                    Class<S> type)
                                                             throws NoSuchSecretException

Retrieves a CryptoKey from the given node.

Type Parameters:

S - The type of the secret.

Parameters:

secretsService - The SecretsService used to retrieve the secret.

secretIdNode - The secretId node.

type - The expected type of the secret.

Returns:

CryptoKey if the secret is found.

Throws:

NoSuchSecretException - If there is no corresponding key.

retrievePasswordAsReference

public static SecretReference<GenericSecret> retrievePasswordAsReference(SecretsService secretsService,
                                                                         JsonValue secretIdNode,
                                                                         JsonValue deprecatedNode,
                                                                         Clock clock)
                                                                  throws NoSuchSecretException

Retrieve a required password as a SecretReference from the given secretIdNode and deprecatedNode nodes.

• Password referenced from the secretIdNode node has precedence.
• When secret reference is provided but secret not found, a NoSuchSecretException is thrown
• When secret reference is not used, direct password value (from deprecatedNode) is returned
• If value is missing, an exception is thrown

Parameters:

secretsService - A reference to the SecretsService holding references to secret ID.

secretIdNode - The node describing the Purpose where the password will be available.

deprecatedNode - The deprecated node holding the password. Deprecated since 6.5.

clock - A reference to the current Clock.

Returns:

The SecretReference to this password.

Throws:

NoSuchSecretException - when the secret ID cannot be resolved.