package com.quorum.tessera.key.vault.hashicorp; import com.quorum.tessera.config.KeyVaultConfig; import com.quorum.tessera.config.util.EnvironmentVariableProvider; import org.springframework.core.io.FileSystemResource; import org.springframework.core.io.Resource; import org.springframework.http.client.ClientHttpRequestFactory; import org.springframework.vault.authentication.AppRoleAuthentication; import org.springframework.vault.authentication.AppRoleAuthenticationOptions; import org.springframework.vault.authentication.ClientAuthentication; import org.springframework.vault.authentication.TokenAuthentication; import org.springframework.vault.client.VaultClients; import org.springframework.vault.client.VaultEndpoint; import org.springframework.vault.config.ClientHttpRequestFactoryFactory; import org.springframework.vault.support.ClientOptions; import org.springframework.vault.support.SslConfiguration; import org.springframework.web.client.RestOperations; import java.nio.file.Path; import java.nio.file.Paths; import java.util.Objects; import static com.quorum.tessera.config.util.EnvironmentVariables.*; class HashicorpKeyVaultServiceFactoryUtil { SslConfiguration configureSsl(KeyVaultConfig keyVaultConfig, EnvironmentVariableProvider envProvider) { if(keyVaultConfig.hasProperty("tlsKeyStorePath","tlsTrustStorePath")) { Path tlsKeyStorePath = keyVaultConfig.getProperty("tlsKeyStorePath").map(Paths::get).get(); Path tlsTrustStorePath = keyVaultConfig.getProperty("tlsTrustStorePath").map(Paths::get).get(); Resource clientKeyStore = new FileSystemResource(tlsKeyStorePath.toFile()); Resource clientTrustStore = new FileSystemResource(tlsTrustStorePath.toFile()); SslConfiguration.KeyStoreConfiguration keyStoreConfiguration = SslConfiguration.KeyStoreConfiguration.of( clientKeyStore, envProvider.getEnvAsCharArray(HASHICORP_CLIENT_KEYSTORE_PWD) ); SslConfiguration.KeyStoreConfiguration trustStoreConfiguration = SslConfiguration.KeyStoreConfiguration.of( clientTrustStore, envProvider.getEnvAsCharArray(HASHICORP_CLIENT_TRUSTSTORE_PWD) ); return new SslConfiguration(keyStoreConfiguration, trustStoreConfiguration); } else if (keyVaultConfig.hasProperty("tlsTrustStorePath")) { Path tlsTrustStorePath = keyVaultConfig.getProperty("tlsTrustStorePath").map(Paths::get).get(); Resource clientTrustStore = new FileSystemResource(tlsTrustStorePath.toFile()); return SslConfiguration.forTrustStore(clientTrustStore, envProvider.getEnvAsCharArray(HASHICORP_CLIENT_TRUSTSTORE_PWD)); } else { return SslConfiguration.unconfigured(); } } ClientHttpRequestFactory createClientHttpRequestFactory(ClientOptions clientOptions, SslConfiguration sslConfiguration) { return ClientHttpRequestFactoryFactory.create(clientOptions, sslConfiguration); } ClientAuthentication configureClientAuthentication(KeyVaultConfig keyVaultConfig, EnvironmentVariableProvider envProvider, ClientHttpRequestFactory clientHttpRequestFactory, VaultEndpoint vaultEndpoint) { final String roleId = envProvider.getEnv(HASHICORP_ROLE_ID); final String secretId = envProvider.getEnv(HASHICORP_SECRET_ID); final String authToken = envProvider.getEnv(HASHICORP_TOKEN); if(roleId != null && secretId != null) { AppRoleAuthenticationOptions appRoleAuthenticationOptions = AppRoleAuthenticationOptions.builder() .path(keyVaultConfig.getProperty("approlePath").get()) .roleId(AppRoleAuthenticationOptions.RoleId.provided(roleId)) .secretId(AppRoleAuthenticationOptions.SecretId.provided(secretId)) .build(); RestOperations restOperations = VaultClients.createRestTemplate(vaultEndpoint, clientHttpRequestFactory); return new AppRoleAuthentication(appRoleAuthenticationOptions, restOperations); } else if (Objects.isNull(roleId) != Objects.isNull(secretId)) { throw new HashicorpCredentialNotSetException("Both " + HASHICORP_ROLE_ID + " and " + HASHICORP_SECRET_ID + " environment variables must be set to use the AppRole authentication method"); } else if (authToken == null){ throw new HashicorpCredentialNotSetException("Both " + HASHICORP_ROLE_ID + " and " + HASHICORP_SECRET_ID + " environment variables must be set to use the AppRole authentication method. Alternatively set " + HASHICORP_TOKEN + " to authenticate using the Token method"); } return new TokenAuthentication(authToken); } }