java source code of LifecycleAwareSessionManager

spring-vault-master
- src
  - main
    - resources
      - license.txt
      - changelog.txt
      - notice.txt
    - asciidoc
      - preface.adoc
      - reference
        vault.adoc
        imperative-template.adoc
        authentication.adoc
        vault-repositories.adoc
        client-support.adoc
        getting-started.adoc
        reactive-template.adoc
        misc.adoc
        propertysource.adoc
        dependencies.adoc
      - new-features.adoc
      - index.adoc
  - test
    - bash
      - env.sh
      - intermediate.cnf
      - openssl.cnf
      - minikube_ci_initialize.sh
      - vault-agent.conf
      - install_vault.sh
      - local_run_k8s.sh
      - create_certificates.sh
      - local_run_vault.sh
      - start.sh
      - vault.conf
- pom.xml
- mvnw
- SECURITY.adoc
- README.adoc
- .mvn
  - wrapper
    - maven-wrapper.properties
- spring-vault-core
  - src
    - main
      - kotlin
        org
        springframework
        vault
        core
        ReactiveVaultOperationsExtensions.kt
        VaultOperationsExtensions.kt
        VaultWrappingOperationsExtensions.kt
        VaultVersionedKeyValueOperationsExtensions.kt
        VaultKeyValueOperationsExtensions.kt
      - java
        org
        springframework
        vault
        security
        VaultBytesEncryptor.java
        VaultBytesKeyGenerator.java
        package-info.java
        authentication
        GcpIamAuthenticationOptions.java
        AuthenticationStepsFactory.java
        AppRoleAuthenticationOptions.java
        AuthenticationEventPublisher.java
        CachingVaultTokenSupplier.java
        AwsIamAuthentication.java
        GcpProjectIdAccessor.java
        AzureVmEnvironment.java
        ClientAuthentication.java
        CredentialSupplier.java
        TokenAuthentication.java
        ClientCertificateAuthentication.java
        VaultSessionManagerException.java
        GcpComputeAuthentication.java
        VaultTokenSupplier.java
        CubbyholeAuthentication.java
        UnwrappingEndpoints.java
        KubernetesJwtSupplier.java
        IpAddressUserId.java
        KubernetesAuthenticationOptions.java
        GcpCredentialSupplier.java
        SessionManager.java
        AppIdAuthenticationOptions.java
        GcpJwtAuthenticationSupport.java
        LifecycleAwareSessionManagerSupport.java
        ReactiveLifecycleAwareSessionManager.java
        AppRoleAuthentication.java
        LoginTokenAdapter.java
        VaultTokenLookupException.java
        AppIdUserIdMechanism.java
        AuthenticationSteps.java
        MacAddressUserId.java
        StaticUserId.java
        AzureMsiAuthentication.java
        VaultLoginException.java
        package-info.java
        AwsEc2AuthenticationOptions.java
        PcfAuthentication.java
        event
        AfterLoginTokenRevocationEvent.java
        BeforeLoginTokenRevocationEvent.java
        LoginFailedEvent.java
        AuthenticationErrorEvent.java
        AuthenticationListener.java
        AuthenticationEvent.java
        LoginTokenRenewalFailedEvent.java
        BeforeLoginTokenRenewedEvent.java
        LoginTokenRevocationFailedEvent.java
        package-info.java
        AfterLoginTokenRenewedEvent.java
        AfterLoginEvent.java
        LoginTokenExpiredEvent.java
        AuthenticationErrorListener.java
        VaultTokenRenewalException.java
        AuthenticationStepsExecutor.java
        ResourceCredentialSupplier.java
        Sha256.java
        GcpComputeAuthenticationOptions.java
        AuthenticationUtil.java
        ClientCertificateAuthenticationOptions.java
        AzureMsiAuthenticationOptions.java
        AwsIamAuthenticationOptions.java
        DefaultGcpCredentialAccessors.java
        CubbyholeAuthenticationOptions.java
        GcpIamAuthentication.java
        AppRoleTokens.java
        KubernetesAuthentication.java
        AwsEc2Authentication.java
        LifecycleAwareSessionManager.java
        KubernetesServiceAccountTokenFile.java
        LoginToken.java
        SimpleSessionManager.java
        PcfAuthenticationOptions.java
        AuthenticationStepsOperator.java
        ReactiveSessionManager.java
        LoginTokenUtil.java
        GcpServiceAccountIdAccessor.java
        AppIdAuthentication.java
        client
        RestTemplateRequestCustomizer.java
        VaultEndpoint.java
        VaultEndpointProvider.java
        RestTemplateFactory.java
        VaultHttpHeaders.java
        VaultResponses.java
        RestTemplateBuilder.java
        ClientHttpConnectorFactory.java
        RestTemplateCustomizer.java
        ReactiveVaultClients.java
        package-info.java
        VaultClients.java
        SimpleVaultEndpointProvider.java
        WebClientFactory.java
        WebClientCustomizer.java
        WebClientBuilder.java
        ReactiveVaultEndpointProvider.java
        ClientHttpRequestFactoryFactory.java
        VaultException.java
        support
        Versioned.java
        KeystoreUtil.java
        SignatureValidation.java
        VaultTransitContext.java
        VaultTokenResponse.java
        LeaseStrategy.java
        CertificateBundle.java
        Ciphertext.java
        WrappedMetadata.java
        VaultCertificateResponse.java
        VaultUnsealStatus.java
        VaultTokenRequest.java
        VaultHmacRequest.java
        VaultInitializationRequest.java
        VaultInitializationResponse.java
        VaultToken.java
        RawTransitKey.java
        VaultSignRequest.java
        Policy.java
        VaultCertificateRequest.java
        VaultMetadataRequest.java
        JsonMapFlattener.java
        Certificate.java
        ClientOptions.java
        VaultTransitKeyConfiguration.java
        VaultResponseSupport.java
        VaultSignCertificateRequestResponse.java
        VaultSignatureVerificationRequest.java
        VaultTransitKeyCreationRequest.java
        SslConfiguration.java
        package-info.java
        TransitKeyType.java
        VaultDecryptionResult.java
        VaultMetadataResponse.java
        Hmac.java
        VaultMount.java
        AbstractResult.java
        VaultHealth.java
        VaultTransitKey.java
        PemObject.java
        VaultEncryptionResult.java
        Plaintext.java
        DurationParser.java
        Signature.java
        VaultResponse.java
        config
        DefaultRestTemplateFactory.java
        EnvironmentVaultConfiguration.java
        ClientHttpConnectorFactory.java
        AbstractReactiveVaultConfiguration.java
        AbstractVaultConfiguration.java
        package-info.java
        DefaultWebClientFactory.java
        ClientHttpRequestFactoryFactory.java
        package-info.java
        annotation
        VaultPropertySources.java
        VaultPropertySourceRegistrar.java
        VaultPropertySource.java
        package-info.java
        core
        VaultTokenOperations.java
        VaultTokenTemplate.java
        VaultKeyValueOperationsSupport.java
        VaultTemplate.java
        VaultVersionedKeyValueOperations.java
        VaultKeyValue2Accessor.java
        VaultListResponse.java
        VaultTransitTemplate.java
        VaultKeyValue1Template.java
        VaultPkiTemplate.java
        VaultTransitOperations.java
        VaultVersionedKeyValueTemplate.java
        VaultPkiOperations.java
        VaultWrappingTemplate.java
        VaultKeyValueMetadataOperations.java
        VaultKeyValueMetadataTemplate.java
        ReactiveVaultOperations.java
        util
        PropertyTransformer.java
        PropertyTransformers.java
        KeyValueDelegate.java
        package-info.java
        VaultSysTemplate.java
        VaultKeyValueAccessor.java
        ReactiveVaultTemplate.java
        VaultOperations.java
        VaultKeyValue2Template.java
        package-info.java
        VaultSysOperations.java
        VaultKeyValueOperations.java
        RestOperationsCallback.java
        VaultWrappingOperations.java
        lease
        SecretLeaseContainer.java
        SecretLeaseEventPublisher.java
        package-info.java
        event
        BeforeSecretLeaseRevocationEvent.java
        SecretLeaseCreatedEvent.java
        LeaseErrorListener.java
        SecretLeaseEvent.java
        AfterSecretLeaseRevocationEvent.java
        AfterSecretLeaseRenewedEvent.java
        SecretNotFoundEvent.java
        SecretLeaseExpiredEvent.java
        SecretLeaseErrorEvent.java
        LeaseListener.java
        package-info.java
        LeaseListenerAdapter.java
        LeaseEndpoints.java
        domain
        RequestedSecret.java
        Lease.java
        package-info.java
        env
        VaultPropertySource.java
        package-info.java
        LeaseAwareVaultPropertySource.java
        VaultPropertySourceNotFoundException.java
        repository
        configuration
        VaultRepositoriesRegistrar.java
        EnableVaultRepositories.java
        package-info.java
        VaultRepositoryConfigurationExtension.java
        mapping
        Secret.java
        VaultPersistentEntity.java
        VaultPersistentProperty.java
        VaultSimpleTypes.java
        BasicVaultPersistentEntity.java
        package-info.java
        VaultMappingContext.java
        support
        VaultRepositoryFactoryBean.java
        VaultRepositoryFactory.java
        package-info.java
        query
        VaultQuery.java
        VaultQueryCreator.java
        package-info.java
        VaultPartTreeQuery.java
        convert
        VaultConverter.java
        AbstractVaultConverter.java
        VaultCustomConversions.java
        MappingVaultConverter.java
        SecretDocument.java
        package-info.java
        VaultTypeMapper.java
        DefaultVaultTypeMapper.java
        SecretDocumentAccessor.java
        core
        MappingVaultEntityInformation.java
        VaultEntityInformation.java
        VaultKeyValueAdapter.java
        package-info.java
        VaultQueryEngine.java
        VaultKeyValueTemplate.java
    - test
      - resources
        logback.xml
        certificate.json
        policy.json
        org
        springframework
        vault
        demo
        other.properties
        secure-introduction.properties
        kube-jwt-token
      - kotlin
        org
        springframework
        vault
        core
        VaultWrappingOperationsExtensionsTests.kt
        VaultKeyValueOperationsExtensionsTests.kt
        ReactiveVaultOperationsExtensionsTests.kt
        VaultOperationsExtensionsTests.kt
        VaultVersionedKeyValueOperationsExtensionsTests.kt
      - java
        org
        springframework
        vault
        security
        VaultBytesEncryptorIntegrationTests.java
        VaultBytesKeyGeneratorIntegrationTests.java
        demo
        VaultApp.java
        SecurePropertyUsage.java
        authentication
        ClientCertificateAuthenticationOperatorIntegrationTests.java
        PcfAuthenticationOptionsUnitTests.java
        KubernetesAuthenticationIntegrationTests.java
        LifecycleAwareSessionManagerSupportUnitTests.java
        TokenAuthenticationIntegrationTestBase.java
        CubbyholeAuthenticationStepsIntegrationTests.java
        AwsIamAuthenticationUnitTests.java
        LoginTokenAdapterUnitTests.java
        LoginTokenUnitTests.java
        CubbyholeAuthenticationIntegrationTests.java
        CubbyholeAuthenticationUnitTests.java
        LifecycleAwareSessionManagerIntegrationTests.java
        TokenAuthenticationStepsIntegrationTests.java
        ReactiveLifecycleAwareSessionManagerUnitTests.java
        ClientCertificateAuthenticationStepsIntegrationTests.java
        AppIdAuthenticationOperatorIntegrationTests.java
        GcpIamAuthenticationOptionsBuilderUnitTests.java
        AppRoleAuthenticationIntegrationTestBase.java
        AuthenticationStepsExecutorUnitTests.java
        ClientCertificateAuthenticationIntegrationTestBase.java
        GcpIamAuthenticationUnitTests.java
        AppRoleAuthenticationIntegrationTests.java
        MacAddressUserIdUnitTests.java
        KubernetesAuthenticationStepsIntegrationTests.java
        ClientCertificateAuthenticationUnitTests.java
        PcfAuthenticationUnitTests.java
        AppIdAuthenticationUnitTests.java
        LifecycleAwareSessionManagerUnitTests.java
        AuthenticationStepsOperatorUnitTests.java
        KubernetesAuthenticationUnitTests.java
        KubeServiceAccountTokenFileUnitTests.java
        GcpComputeAuthenticationUnitTests.java
        ClientCertificateAuthenticationIntegrationTests.java
        ClientCertificateNamespaceIntegrationTests.java
        TokenAuthenticationOperatorIntegrationTests.java
        KubernetesAuthenticationIntegrationTestBase.java
        AppIdAuthenticationStepsIntegrationTests.java
        IpAddressUserIdTests.java
        ReactiveLifecycleAwareSessionManagerIntegrationTests.java
        AppRoleAuthenticationStepsIntegrationTests.java
        AppIdAuthenticationIntegrationTestBase.java
        AwsEc2AuthenticationUnitTests.java
        AzureMsiAuthenticationUnitTests.java
        CubbyholeAuthenticationOperatorIntegrationTests.java
        CubbyholeAuthenticationIntegrationTestBase.java
        AppRoleAuthenticationUnitTests.java
        AppIdAuthenticationIntegrationTests.java
        client
        VaultClientsUnitTests.java
        ReactiveVaultClientsIntegrationTests.java
        RestTemplateBuilderUnitTests.java
        VaultResponsesUnitTests.java
        ReactiveVaultClientsUnitTests.java
        VaultEndpointUnitTests.java
        ClientHttpConnectorFactoryIntegrationTests.java
        ClientHttpRequestFactoryFactoryIntegrationTests.java
        support
        VaultTokenRequestUnitTests.java
        VaultCertificateRequestUnitTests.java
        PemObjectUnitTests.java
        VaultTransitContextUnitTests.java
        CertificateBundleUnitTests.java
        PolicySerializationUnitTests.java
        DurationParserUnitTests.java
        JsonMapFlattenerUnitTests.java
        CertificateUnitTests.java
        ObjectMapperSupplier.java
        SslConfigurationUnitTests.java
        util
        TestWebClientFactory.java
        RequiresVaultVersion.java
        VaultVersionExtension.java
        PrepareVault.java
        TestRestTemplateFactory.java
        CanConnect.java
        VaultExtension.java
        VaultInitializer.java
        Version.java
        Settings.java
        IntegrationTestSupport.java
        config
        EnvironmentVaultConfigurationAwsEc2AuthenticationUnitTests.java
        AbstractVaultConfigurationUnitTests.java
        EnvironmentVaultConfigurationAppIdAuthenticationUnitTests.java
        EnvironmentVaultConfigurationAppRoleAuthenticationUnitTests.java
        EnvironmentVaultConfigurationKubernetesAuthenticationUnitTests.java
        EnvironmentVaultConfigurationAzureMSIAuthenticationUnitTests.java
        EnvironmentVaultConfigurationClientCertAuthenticationUnitTests.java
        EnvironmentVaultConfigurationCubbyholeAuthenticationUnitTests.java
        EnvironmentVaultConfigurationUnitTests.java
        AbstractReactiveVaultConfigurationUnitTests.java
        annotation
        VaultPropertySourceMultipleIntegrationTests.java
        VaultPropertySourceUnitTests.java
        VaultPropertySourceIntegrationTests.java
        VaultPropertySourceInBeanConfigurationIntegrationTest.java
        LeaseAwareVaultPropertySourceIntegrationTests.java
        domain
        Person.java
        core
        VaultIntegrationTestConfiguration.java
        ReactiveVaultTemplateGenericIntegrationTests.java
        PkiSecretIntegrationTests.java
        VaultNamespaceSecretIntegrationTests.java
        VaultKeyValueTemplateVersionedIntegrationTests.java
        VaultSysTemplateIntegrationTests.java
        VaultVersionedKeyValueTemplateIntegrationTests.java
        VaultTransitTemplateIntegrationTests.java
        VaultSysTemplateUnitTests.java
        util
        PropertyTransformersUnitTests.java
        KeyValueDelegateUnitTests.java
        VaultTemplateGenericIntegrationTests.java
        VaultWrappingTemplateIntegrationTests.java
        VaultKeyValueTemplateIntegrationTests.java
        VaultTokenTemplateIntegrationTests.java
        VaultPkiTemplateIntegrationTests.java
        VaultTemplateTransitIntegrationTests.java
        VaultTemplateAgentIntegrationTests.java
        VaultKeyValueMetadataTemplateIntegrationTests.java
        lease
        RotatingGenericSecretsIntegrationTestConfiguration.java
        SecretLeaseContainerUnitTests.java
        domain
        RequestedSecretTests.java
        env
        VersionedKeyValueBackendIntegrationTests.java
        VaultPropertySourceUnitTests.java
        LeaseAwareVaultPropertySourceUnitTests.java
        AbstractVaultKeyValueTemplateIntegrationTests.java
        ReactiveVaultTemplateAgentIntegrationTests.java
        repository
        mapping
        BasicVaultPersistentEntityUnitTests.java
        VaultMappingContextUnitTests.java
        VaultRepositoryIntegrationTests.java
        query
        VaultQueryCreatorUnitTests.java
        convert
        MappingVaultConverterUnitTests.java
        DefaultVaultTypeMapperUnitTests.java
        MultipleSpringDataModulesIntegrationTests.java
  - pom.xml
- .travis.yml
- spring-vault-dependencies
  - pom.xml
- etc
  - ide
    - eclipse.importorder
- spring-vault-distribution
  - src
    - assembly
      - docs.xml
  - pom.xml
- .gitignore
- docs
  - index.html
- LICENSE.txt
- mvnw.cmd

/*
 * Copyright 2016-2020 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      https://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package org.springframework.vault.authentication;

import java.time.Duration;
import java.util.Map;
import java.util.Optional;

import org.springframework.beans.factory.DisposableBean;
import org.springframework.http.HttpEntity;
import org.springframework.scheduling.TaskScheduler;
import org.springframework.util.Assert;
import org.springframework.util.ClassUtils;
import org.springframework.vault.VaultException;
import org.springframework.vault.authentication.event.AfterLoginEvent;
import org.springframework.vault.authentication.event.AfterLoginTokenRenewedEvent;
import org.springframework.vault.authentication.event.AfterLoginTokenRevocationEvent;
import org.springframework.vault.authentication.event.AuthenticationErrorEvent;
import org.springframework.vault.authentication.event.AuthenticationErrorListener;
import org.springframework.vault.authentication.event.AuthenticationListener;
import org.springframework.vault.authentication.event.BeforeLoginTokenRenewedEvent;
import org.springframework.vault.authentication.event.BeforeLoginTokenRevocationEvent;
import org.springframework.vault.authentication.event.LoginFailedEvent;
import org.springframework.vault.authentication.event.LoginTokenExpiredEvent;
import org.springframework.vault.authentication.event.LoginTokenRenewalFailedEvent;
import org.springframework.vault.authentication.event.LoginTokenRevocationFailedEvent;
import org.springframework.vault.client.VaultHttpHeaders;
import org.springframework.vault.client.VaultResponses;
import org.springframework.vault.support.VaultResponse;
import org.springframework.vault.support.VaultToken;
import org.springframework.web.client.HttpStatusCodeException;
import org.springframework.web.client.RestOperations;

/**
 * Lifecycle-aware {@link SessionManager Session Manager}. This {@link SessionManager}
 * obtains tokens from a {@link ClientAuthentication} upon {@link #getSessionToken()
 * request} synchronizing multiple threads attempting to obtain a token concurrently.
 * <p>
 * Tokens are renewed asynchronously if a token has a lease duration. This happens 5
 * seconds before the token expires, see {@link #REFRESH_PERIOD_BEFORE_EXPIRY}.
 * <p>
 * This {@link SessionManager} also implements {@link DisposableBean} to revoke the
 * {@link LoginToken} once it's not required anymore. Token revocation will stop regular
 * token refresh. Tokens are only revoked only if the associated
 * {@link ClientAuthentication} returns a {@link LoginToken}.
 * <p>
 * If Token renewal runs into a client-side error, it assumes the token was
 * revoked/expired. It discards the token state so the next attempt will lead to another
 * login attempt.
 * <p>
 * By default, {@link VaultToken} are looked up in Vault to determine renewability and the
 * remaining TTL, see {@link #setTokenSelfLookupEnabled(boolean)}.
 * <p>
 * The session manager dispatches authentication events to {@link AuthenticationListener}
 * and {@link AuthenticationErrorListener}. Event notifications are dispatched either on
 * the calling {@link Thread} or worker threads used for background renewal.
 * <p>
 * This class is thread-safe.
 *
 * @author Mark Paluch
 * @author Steven Swor
 * @see LoginToken
 * @see SessionManager
 * @see TaskScheduler
 * @see AuthenticationEventPublisher
 */
public class LifecycleAwareSessionManager extends LifecycleAwareSessionManagerSupport
		implements SessionManager, DisposableBean {

	/**
	 * Client authentication mechanism. Used to obtain a {@link VaultToken} or
	 * {@link LoginToken}.
	 */
	private final ClientAuthentication clientAuthentication;

	/**
	 * HTTP client.
	 */
	private final RestOperations restOperations;

	private final Object lock = new Object();

	/**
	 * The token state: Contains the currently valid token that identifies the Vault
	 * session.
	 */
	private volatile Optional<TokenWrapper> token = Optional.empty();

	/**
	 * Create a {@link LifecycleAwareSessionManager} given {@link ClientAuthentication},
	 * {@link TaskScheduler} and {@link RestOperations}.
	 * @param clientAuthentication must not be {@literal null}.
	 * @param taskScheduler must not be {@literal null}.
	 * @param restOperations must not be {@literal null}.
	 * @since 1.0.1
	 */
	public LifecycleAwareSessionManager(ClientAuthentication clientAuthentication, TaskScheduler taskScheduler,
			RestOperations restOperations) {

		super(taskScheduler);

		Assert.notNull(clientAuthentication, "ClientAuthentication must not be null");
		Assert.notNull(taskScheduler, "TaskScheduler must not be null");
		Assert.notNull(restOperations, "RestOperations must not be null");

		this.clientAuthentication = clientAuthentication;
		this.restOperations = restOperations;
	}

	/**
	 * Create a {@link LifecycleAwareSessionManager} given {@link ClientAuthentication},
	 * {@link TaskScheduler} and {@link RestOperations}.
	 * @param clientAuthentication must not be {@literal null}.
	 * @param taskScheduler must not be {@literal null}.
	 * @param restOperations must not be {@literal null}.
	 * @param refreshTrigger must not be {@literal null}.
	 * @since 1.0.1
	 */
	public LifecycleAwareSessionManager(ClientAuthentication clientAuthentication, TaskScheduler taskScheduler,
			RestOperations restOperations, RefreshTrigger refreshTrigger) {

		super(taskScheduler, refreshTrigger);

		Assert.notNull(clientAuthentication, "ClientAuthentication must not be null");
		Assert.notNull(taskScheduler, "TaskScheduler must not be null");
		Assert.notNull(restOperations, "RestOperations must not be null");
		Assert.notNull(refreshTrigger, "RefreshTrigger must not be null");

		this.clientAuthentication = clientAuthentication;
		this.restOperations = restOperations;
	}

	/**
	 * The token state: Contains the currently valid token that identifies the Vault
	 * session.
	 */
	protected Optional<TokenWrapper> getToken() {
		return this.token;
	}

	protected void setToken(Optional<TokenWrapper> token) {
		this.token = token;
	}

	@Override
	public void destroy() {

		Optional<TokenWrapper> token = getToken();
		setToken(Optional.empty());

		token.filter(TokenWrapper::isRevocable).map(TokenWrapper::getToken).ifPresent(this::revoke);
	}

	/**
	 * Revoke a {@link VaultToken}.
	 * @param token the token to revoke, must not be {@literal null}.
	 */
	protected void revoke(VaultToken token) {

		try {
			dispatch(new BeforeLoginTokenRevocationEvent(token));
			this.restOperations.postForObject("auth/token/revoke-self", new HttpEntity<>(VaultHttpHeaders.from(token)),
					Map.class);
			dispatch(new AfterLoginTokenRevocationEvent(token));
		}
		catch (RuntimeException e) {
			this.logger.warn("Cannot revoke VaultToken: %s", e);
			dispatch(new LoginTokenRevocationFailedEvent(token, e));
		}
	}

	/**
	 * Performs a token refresh. Create a new token if no token was obtained before. If a
	 * token was obtained before, it uses self-renewal to renew the current token.
	 * Client-side errors (like permission denied) indicate the token cannot be renewed
	 * because it's expired or simply not found.
	 * @return {@literal true} if the refresh was successful. {@literal false} if a new
	 * token was obtained or refresh failed.
	 */
	public boolean renewToken() {

		this.logger.info("Renewing token");

		Optional<TokenWrapper> token = getToken();
		if (!token.isPresent()) {
			getSessionToken();
			return false;
		}

		TokenWrapper tokenWrapper = token.get();
		try {
			return doRenew(tokenWrapper);
		}
		catch (RuntimeException e) {

			VaultTokenRenewalException exception = new VaultTokenRenewalException(format("Cannot renew token", e), e);

			if (getLeaseStrategy().shouldDrop(exception)) {
				setToken(Optional.empty());
			}

			if (this.logger.isDebugEnabled()) {
				this.logger.debug(exception.getMessage(), exception);
			}
			else {
				this.logger.warn(exception.getMessage());
			}

			dispatch(new LoginTokenRenewalFailedEvent(tokenWrapper.getToken(), exception));
			return false;
		}
	}

	private boolean doRenew(TokenWrapper wrapper) {

		dispatch(new BeforeLoginTokenRenewedEvent(wrapper.getToken()));
		VaultResponse vaultResponse = this.restOperations.postForObject("auth/token/renew-self",
				new HttpEntity<>(VaultHttpHeaders.from(wrapper.token)), VaultResponse.class);

		LoginToken renewed = LoginTokenUtil.from(vaultResponse.getRequiredAuth());

		if (isExpired(renewed)) {

			if (this.logger.isDebugEnabled()) {
				Duration validTtlThreshold = getRefreshTrigger().getValidTtlThreshold(renewed);
				this.logger.info(String.format("Token TTL (%s) exceeded validity TTL threshold (%s). Dropping token.",
						renewed.getLeaseDuration(), validTtlThreshold));
			}
			else {
				this.logger.info("Token TTL exceeded validity TTL threshold. Dropping token.");
			}

			setToken(Optional.empty());
			dispatch(new LoginTokenExpiredEvent(renewed));
			return false;
		}

		setToken(Optional.of(new TokenWrapper(renewed, wrapper.revocable)));
		dispatch(new AfterLoginTokenRenewedEvent(renewed));

		return true;
	}

	@Override
	public VaultToken getSessionToken() {

		if (!getToken().isPresent()) {

			synchronized (this.lock) {

				if (!getToken().isPresent()) {
					doGetSessionToken();
				}
			}
		}

		return getToken().map(TokenWrapper::getToken)
				.orElseThrow(() -> new IllegalStateException("Cannot obtain VaultToken"));
	}

	private void doGetSessionToken() {

		VaultToken token;

		try {
			token = this.clientAuthentication.login();
		}
		catch (VaultException e) {
			dispatch(new LoginFailedEvent(this.clientAuthentication, e));
			throw e;
		}

		TokenWrapper wrapper = new TokenWrapper(token, token instanceof LoginToken);

		if (isTokenSelfLookupEnabled() && !ClassUtils.isAssignableValue(LoginToken.class, token)) {
			try {
				token = LoginTokenAdapter.augmentWithSelfLookup(this.restOperations, token);
				wrapper = new TokenWrapper(token, false);
			}
			catch (VaultTokenLookupException e) {
				this.logger.warn(String.format("Cannot enhance VaultToken to a LoginToken: %s", e.getMessage()));
				dispatch(new AuthenticationErrorEvent(token, e));
			}
		}

		setToken(Optional.of(wrapper));
		dispatch(new AfterLoginEvent(token));

		if (isTokenRenewable()) {
			scheduleRenewal();
		}
	}

	protected VaultToken login() {
		return this.clientAuthentication.login();
	}

	/**
	 * @return {@literal true} if the token is renewable.
	 */
	protected boolean isTokenRenewable() {

		return getToken().map(TokenWrapper::getToken).filter(LoginToken.class::isInstance)
				//
				.filter(it -> {

					LoginToken loginToken = (LoginToken) it;
					return !loginToken.getLeaseDuration().isZero() && loginToken.isRenewable();
				}).isPresent();
	}

	private void scheduleRenewal() {

		this.logger.info("Scheduling Token renewal");

		Runnable task = () -> {
			Optional<TokenWrapper> tokenWrapper = getToken();

			if (!tokenWrapper.isPresent()) {
				return;
			}

			VaultToken token = tokenWrapper.get().getToken();

			try {
				if (isTokenRenewable()) {
					if (renewToken()) {
						scheduleRenewal();
					}
				}
			}
			catch (Exception e) {
				this.logger.error("Cannot renew VaultToken", e);
				dispatch(new LoginTokenRenewalFailedEvent(token, e));
			}
		};

		Optional<TokenWrapper> token = getToken();

		token.ifPresent(tokenWrapper -> getTaskScheduler().schedule(task, createTrigger(tokenWrapper)));
	}

	private OneShotTrigger createTrigger(TokenWrapper tokenWrapper) {

		return new OneShotTrigger(getRefreshTrigger().nextExecutionTime((LoginToken) tokenWrapper.getToken()));
	}

	private static String format(String message, RuntimeException e) {

		if (e instanceof HttpStatusCodeException) {

			HttpStatusCodeException hsce = (HttpStatusCodeException) e;
			return String.format("%s: Status %s %s %s", message, hsce.getRawStatusCode(), hsce.getStatusText(),
					VaultResponses.getError(hsce.getResponseBodyAsString()));
		}

		return message;
	}

	/**
	 * Wraps a {@link VaultToken} and specifies whether the token is revocable on factory
	 * shutdown.
	 *
	 * @since 2.0
	 */
	protected static class TokenWrapper {

		private final VaultToken token;

		private final boolean revocable;

		TokenWrapper(VaultToken token, boolean revocable) {
			this.token = token;
			this.revocable = revocable;
		}

		public VaultToken getToken() {
			return this.token;
		}

		public boolean isRevocable() {
			return this.revocable;
		}

	}

}