package io.quarkus.vault.runtime;
import static io.quarkus.vault.runtime.config.CredentialsProviderConfig.DATABASE_DEFAULT_MOUNT;
import static io.quarkus.vault.runtime.config.CredentialsProviderConfig.DEFAULT_REQUEST_PATH;
import java.util.HashMap;
import java.util.Map;
import jakarta.enterprise.context.ApplicationScoped;
import jakarta.inject.Inject;
import jakarta.inject.Named;
import io.quarkus.credentials.CredentialsProvider;
import io.quarkus.vault.VaultException;
import io.quarkus.vault.VaultKVSecretEngine;
import io.quarkus.vault.runtime.config.CredentialsProviderConfig;
import io.quarkus.vault.runtime.config.VaultBootstrapConfig;
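@ApplicationScoped
@Named("vault-credentials-provider")
public class VaultCredentialsProvider implements CredentialsProvider {

    @Inject
    private VaultKVSecretEngine vaultKVSecretEngine;

    @Inject
    private VaultDynamicCredentialsManager vaultDynamicCredentialsManager;

    @Inject
    private VaultConfigHolder vaultConfigHolder;

    /**
     * Resolves the credentials for the named credentials provider.
     * <p>
     * The provider's configuration is consulted in this order, and the first mode that is
     * configured wins: {@code database-credentials-role} (dynamic database credentials on the
     * default database mount), then {@code credentials-role} (dynamic credentials on the
     * configured mount and request path), then {@code kv-path} (a static password read from a
     * KV secret).
     *
     * @param credentialsProviderName the configured credentials provider name to look up
     * @return for the two dynamic modes, the map returned by the dynamic credentials manager;
     *         for the kv mode, a mutable map holding only {@code PASSWORD_PROPERTY_NAME}
     * @throws VaultException if the Vault configuration is absent, the provider name is
     *         unknown, none of the three modes is configured, or the KV secret has no value
     *         for the configured {@code kv-key}
     */
    @SuppressWarnings("deprecation") // NOTE(review): deprecated member not visible here; presumably the bootstrap config access — confirm
    @Override
    public Map<String, String> getCredentials(String credentialsProviderName) {
        VaultBootstrapConfig vaultConfig = getConfig();
        if (vaultConfig == null) {
            throw new VaultException(
                    "missing Vault configuration required for credentials providers with name " + credentialsProviderName);
        }
        CredentialsProviderConfig config = vaultConfig.credentialsProvider.get(credentialsProviderName);
        if (config == null) {
            throw new VaultException("unknown credentials provider with name " + credentialsProviderName);
        }
        if (config.databaseCredentialsRole.isPresent()) {
            // Blocks until Vault answers: the manager returns a Mutiny Uni.
            return vaultDynamicCredentialsManager.getDynamicCredentials(DATABASE_DEFAULT_MOUNT, DEFAULT_REQUEST_PATH,
                    config.databaseCredentialsRole.get()).await().indefinitely();
        }
        if (config.credentialsRole.isPresent()) {
            return vaultDynamicCredentialsManager.getDynamicCredentials(config.credentialsMount, config.credentialsRequestPath,
                    config.credentialsRole.get()).await().indefinitely();
        }
        if (config.kvPath.isPresent()) {
            return kvCredentials(config, credentialsProviderName);
        }
        // The message names every accepted mode; the previous wording omitted credentials-role.
        throw new VaultException(
                "one of database-credentials-role, credentials-role or kv-path is required on credentials provider "
                        + credentialsProviderName);
    }

    /**
     * Static-secret mode: reads the value stored under {@code kv-key} in the secret at
     * {@code kv-path} and exposes it as the password property.
     *
     * @throws VaultException if the secret has no value for the configured key; a silently
     *         null password would otherwise be handed to the consumer as if it were valid
     */
    private Map<String, String> kvCredentials(CredentialsProviderConfig config, String credentialsProviderName) {
        String password = vaultKVSecretEngine.readSecret(config.kvPath.get()).get(config.kvKey);
        if (password == null) {
            // Report path and key (configuration, not secret material); never the secret value.
            throw new VaultException("secret at kv-path " + config.kvPath.get() + " has no value for kv-key "
                    + config.kvKey + " on credentials provider " + credentialsProviderName);
        }
        // HashMap rather than Map.of: callers may rely on a mutable result.
        Map<String, String> result = new HashMap<>();
        result.put(PASSWORD_PROPERTY_NAME, password);
        return result;
    }

    /** Returns the current bootstrap configuration, or {@code null} when none is available. */
    private VaultBootstrapConfig getConfig() {
        return vaultConfigHolder.getVaultBootstrapConfig();
    }
}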