Package io.axoniq.dataprotection.cryptoengine.vault

Class VaultCryptoEngine

java.lang.Object

io.axoniq.dataprotection.cryptoengine.DatabaseBackedCryptoEngine

io.axoniq.dataprotection.cryptoengine.vault.VaultCryptoEngine

All Implemented Interfaces:

CryptoEngine

public class VaultCryptoEngine
extends DatabaseBackedCryptoEngine

HashiCorp Vault-based implementation of the CryptoEngine interface.

Constructor Summary

Constructors

Constructor	Description
VaultCryptoEngine(okhttp3.OkHttpClient okHttpClient, String address, String token, String prefix)	Instantiate a new VaultCryptoEngine, using 'key' as the property name.
VaultCryptoEngine(okhttp3.OkHttpClient okHttpClient, String address, String token, String prefix, String propertyName)	Instantiate a new VaultCryptoEngine.

Method Summary

Modifier and Type	Method	Description
void	deleteKey(String id)	Deletes the key for a given id.
SecretKey	getKey(String id)	Retrieves the key for a given id.
void	putKey(String id, SecretKeySpec secretKeySpec)	Tries to put a key in Vault.
protected SecretKey	putKeyIfAbsent(String id, SecretKeySpec secretKeySpec)	Stores the key for the given id, if no key is currently registered for this id.
void	setToken(String token)	Set the Vault token to be used in subsequent requests.

Methods inherited from class io.axoniq.dataprotection.cryptoengine.DatabaseBackedCryptoEngine

createCipher, createDigestCipher, getKeyType, getOrCreateKey, setKeyType

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

VaultCryptoEngine

public VaultCryptoEngine(okhttp3.OkHttpClient okHttpClient,
                         String address,
                         String token,
                         String prefix)

Instantiate a new VaultCryptoEngine, using 'key' as the property name.

Parameters:

okHttpClient - the OkHttpClient to use

address - the URL of the Vault server

token - the token to be used initially

prefix - the prefix to use in the Vault namespace; could be "secret/" in a simple test, but probably something more specific in a real-life scenario

VaultCryptoEngine

public VaultCryptoEngine(okhttp3.OkHttpClient okHttpClient,
                         String address,
                         String token,
                         String prefix,
                         String propertyName)

Instantiate a new VaultCryptoEngine.

Parameters:

okHttpClient - the OkHttpClient to use

address - the URL of the Vault server

token - the token to be used initially

prefix - the prefix to use in the Vault namespace; could be "secret/" in a simple test, but probably something more specific in a real-life scenario

propertyName - the property to be used to store the AES key.

Method Detail

setToken

public void setToken(String token)

Set the Vault token to be used in subsequent requests.

Parameters:

token - the new token

putKeyIfAbsent

protected SecretKey putKeyIfAbsent(String id,
                                   SecretKeySpec secretKeySpec)

Description copied from class: DatabaseBackedCryptoEngine

Stores the key for the given id, if no key is currently registered for this id. Returns the new key belonging to id, which is either the key that was already registered or the key provided as the 2nd argument if no key was registered yet. (Please note that this is different behaviour from ConcurrentHashMap.putIfAbsent(Object, Object), which always returns the prior value belonging to key.)

Specified by:

putKeyIfAbsent in class DatabaseBackedCryptoEngine

Parameters:

id - the id for which to store/retrieve the secret key

secretKeySpec - the SecretKeySpec to store if none has been stored yet for id

Returns:

the effective SecretKeySpec for id

putKey

public void putKey(String id,
                   SecretKeySpec secretKeySpec)
            throws IOException

Tries to put a key in Vault. Will throw an exception if this fails, in particular a PermissionDeniedException when receiving a 403 response. This should occur when there is an attempt to overwrite a key. There is no need to call this method directly from the application. It is made public to enable testing of Vault policies.

Parameters:

id - the id of the key

secretKeySpec - the key data itself

Throws:

IOException - if it can't write the key

getKey

public SecretKey getKey(String id)

Description copied from interface: CryptoEngine

Retrieves the key for a given id.

Parameters:

id - the id of the SecretKey

Returns:

the existing SecretKey associated with the id, or null if no such key exists

deleteKey

public void deleteKey(String id)

Description copied from interface: CryptoEngine

Deletes the key for a given id. Does nothing if the key doesn't exist.

Parameters:

id - the id of the SecretKey