java source code of ReactiveLifecycleAwareSessionManagerUnitTests

spring-vault-master
- src
  - main
    - resources
      - license.txt
      - changelog.txt
      - notice.txt
    - asciidoc
      - preface.adoc
      - reference
        vault.adoc
        imperative-template.adoc
        authentication.adoc
        vault-repositories.adoc
        client-support.adoc
        getting-started.adoc
        reactive-template.adoc
        misc.adoc
        propertysource.adoc
        dependencies.adoc
      - new-features.adoc
      - index.adoc
  - test
    - bash
      - env.sh
      - intermediate.cnf
      - openssl.cnf
      - minikube_ci_initialize.sh
      - vault-agent.conf
      - install_vault.sh
      - local_run_k8s.sh
      - create_certificates.sh
      - local_run_vault.sh
      - start.sh
      - vault.conf
- pom.xml
- mvnw
- SECURITY.adoc
- README.adoc
- .mvn
  - wrapper
    - maven-wrapper.properties
- spring-vault-core
  - src
    - main
      - kotlin
        org
        springframework
        vault
        core
        ReactiveVaultOperationsExtensions.kt
        VaultOperationsExtensions.kt
        VaultWrappingOperationsExtensions.kt
        VaultVersionedKeyValueOperationsExtensions.kt
        VaultKeyValueOperationsExtensions.kt
      - java
        org
        springframework
        vault
        security
        VaultBytesEncryptor.java
        VaultBytesKeyGenerator.java
        package-info.java
        authentication
        GcpIamAuthenticationOptions.java
        AuthenticationStepsFactory.java
        AppRoleAuthenticationOptions.java
        AuthenticationEventPublisher.java
        CachingVaultTokenSupplier.java
        AwsIamAuthentication.java
        GcpProjectIdAccessor.java
        AzureVmEnvironment.java
        ClientAuthentication.java
        CredentialSupplier.java
        TokenAuthentication.java
        ClientCertificateAuthentication.java
        VaultSessionManagerException.java
        GcpComputeAuthentication.java
        VaultTokenSupplier.java
        CubbyholeAuthentication.java
        UnwrappingEndpoints.java
        KubernetesJwtSupplier.java
        IpAddressUserId.java
        KubernetesAuthenticationOptions.java
        GcpCredentialSupplier.java
        SessionManager.java
        AppIdAuthenticationOptions.java
        GcpJwtAuthenticationSupport.java
        LifecycleAwareSessionManagerSupport.java
        ReactiveLifecycleAwareSessionManager.java
        AppRoleAuthentication.java
        LoginTokenAdapter.java
        VaultTokenLookupException.java
        AppIdUserIdMechanism.java
        AuthenticationSteps.java
        MacAddressUserId.java
        StaticUserId.java
        AzureMsiAuthentication.java
        VaultLoginException.java
        package-info.java
        AwsEc2AuthenticationOptions.java
        PcfAuthentication.java
        event
        AfterLoginTokenRevocationEvent.java
        BeforeLoginTokenRevocationEvent.java
        LoginFailedEvent.java
        AuthenticationErrorEvent.java
        AuthenticationListener.java
        AuthenticationEvent.java
        LoginTokenRenewalFailedEvent.java
        BeforeLoginTokenRenewedEvent.java
        LoginTokenRevocationFailedEvent.java
        package-info.java
        AfterLoginTokenRenewedEvent.java
        AfterLoginEvent.java
        LoginTokenExpiredEvent.java
        AuthenticationErrorListener.java
        VaultTokenRenewalException.java
        AuthenticationStepsExecutor.java
        ResourceCredentialSupplier.java
        Sha256.java
        GcpComputeAuthenticationOptions.java
        AuthenticationUtil.java
        ClientCertificateAuthenticationOptions.java
        AzureMsiAuthenticationOptions.java
        AwsIamAuthenticationOptions.java
        DefaultGcpCredentialAccessors.java
        CubbyholeAuthenticationOptions.java
        GcpIamAuthentication.java
        AppRoleTokens.java
        KubernetesAuthentication.java
        AwsEc2Authentication.java
        LifecycleAwareSessionManager.java
        KubernetesServiceAccountTokenFile.java
        LoginToken.java
        SimpleSessionManager.java
        PcfAuthenticationOptions.java
        AuthenticationStepsOperator.java
        ReactiveSessionManager.java
        LoginTokenUtil.java
        GcpServiceAccountIdAccessor.java
        AppIdAuthentication.java
        client
        RestTemplateRequestCustomizer.java
        VaultEndpoint.java
        VaultEndpointProvider.java
        RestTemplateFactory.java
        VaultHttpHeaders.java
        VaultResponses.java
        RestTemplateBuilder.java
        ClientHttpConnectorFactory.java
        RestTemplateCustomizer.java
        ReactiveVaultClients.java
        package-info.java
        VaultClients.java
        SimpleVaultEndpointProvider.java
        WebClientFactory.java
        WebClientCustomizer.java
        WebClientBuilder.java
        ReactiveVaultEndpointProvider.java
        ClientHttpRequestFactoryFactory.java
        VaultException.java
        support
        Versioned.java
        KeystoreUtil.java
        SignatureValidation.java
        VaultTransitContext.java
        VaultTokenResponse.java
        LeaseStrategy.java
        CertificateBundle.java
        Ciphertext.java
        WrappedMetadata.java
        VaultCertificateResponse.java
        VaultUnsealStatus.java
        VaultTokenRequest.java
        VaultHmacRequest.java
        VaultInitializationRequest.java
        VaultInitializationResponse.java
        VaultToken.java
        RawTransitKey.java
        VaultSignRequest.java
        Policy.java
        VaultCertificateRequest.java
        VaultMetadataRequest.java
        JsonMapFlattener.java
        Certificate.java
        ClientOptions.java
        VaultTransitKeyConfiguration.java
        VaultResponseSupport.java
        VaultSignCertificateRequestResponse.java
        VaultSignatureVerificationRequest.java
        VaultTransitKeyCreationRequest.java
        SslConfiguration.java
        package-info.java
        TransitKeyType.java
        VaultDecryptionResult.java
        VaultMetadataResponse.java
        Hmac.java
        VaultMount.java
        AbstractResult.java
        VaultHealth.java
        VaultTransitKey.java
        PemObject.java
        VaultEncryptionResult.java
        Plaintext.java
        DurationParser.java
        Signature.java
        VaultResponse.java
        config
        DefaultRestTemplateFactory.java
        EnvironmentVaultConfiguration.java
        ClientHttpConnectorFactory.java
        AbstractReactiveVaultConfiguration.java
        AbstractVaultConfiguration.java
        package-info.java
        DefaultWebClientFactory.java
        ClientHttpRequestFactoryFactory.java
        package-info.java
        annotation
        VaultPropertySources.java
        VaultPropertySourceRegistrar.java
        VaultPropertySource.java
        package-info.java
        core
        VaultTokenOperations.java
        VaultTokenTemplate.java
        VaultKeyValueOperationsSupport.java
        VaultTemplate.java
        VaultVersionedKeyValueOperations.java
        VaultKeyValue2Accessor.java
        VaultListResponse.java
        VaultTransitTemplate.java
        VaultKeyValue1Template.java
        VaultPkiTemplate.java
        VaultTransitOperations.java
        VaultVersionedKeyValueTemplate.java
        VaultPkiOperations.java
        VaultWrappingTemplate.java
        VaultKeyValueMetadataOperations.java
        VaultKeyValueMetadataTemplate.java
        ReactiveVaultOperations.java
        util
        PropertyTransformer.java
        PropertyTransformers.java
        KeyValueDelegate.java
        package-info.java
        VaultSysTemplate.java
        VaultKeyValueAccessor.java
        ReactiveVaultTemplate.java
        VaultOperations.java
        VaultKeyValue2Template.java
        package-info.java
        VaultSysOperations.java
        VaultKeyValueOperations.java
        RestOperationsCallback.java
        VaultWrappingOperations.java
        lease
        SecretLeaseContainer.java
        SecretLeaseEventPublisher.java
        package-info.java
        event
        BeforeSecretLeaseRevocationEvent.java
        SecretLeaseCreatedEvent.java
        LeaseErrorListener.java
        SecretLeaseEvent.java
        AfterSecretLeaseRevocationEvent.java
        AfterSecretLeaseRenewedEvent.java
        SecretNotFoundEvent.java
        SecretLeaseExpiredEvent.java
        SecretLeaseErrorEvent.java
        LeaseListener.java
        package-info.java
        LeaseListenerAdapter.java
        LeaseEndpoints.java
        domain
        RequestedSecret.java
        Lease.java
        package-info.java
        env
        VaultPropertySource.java
        package-info.java
        LeaseAwareVaultPropertySource.java
        VaultPropertySourceNotFoundException.java
        repository
        configuration
        VaultRepositoriesRegistrar.java
        EnableVaultRepositories.java
        package-info.java
        VaultRepositoryConfigurationExtension.java
        mapping
        Secret.java
        VaultPersistentEntity.java
        VaultPersistentProperty.java
        VaultSimpleTypes.java
        BasicVaultPersistentEntity.java
        package-info.java
        VaultMappingContext.java
        support
        VaultRepositoryFactoryBean.java
        VaultRepositoryFactory.java
        package-info.java
        query
        VaultQuery.java
        VaultQueryCreator.java
        package-info.java
        VaultPartTreeQuery.java
        convert
        VaultConverter.java
        AbstractVaultConverter.java
        VaultCustomConversions.java
        MappingVaultConverter.java
        SecretDocument.java
        package-info.java
        VaultTypeMapper.java
        DefaultVaultTypeMapper.java
        SecretDocumentAccessor.java
        core
        MappingVaultEntityInformation.java
        VaultEntityInformation.java
        VaultKeyValueAdapter.java
        package-info.java
        VaultQueryEngine.java
        VaultKeyValueTemplate.java
    - test
      - resources
        logback.xml
        certificate.json
        policy.json
        org
        springframework
        vault
        demo
        other.properties
        secure-introduction.properties
        kube-jwt-token
      - kotlin
        org
        springframework
        vault
        core
        VaultWrappingOperationsExtensionsTests.kt
        VaultKeyValueOperationsExtensionsTests.kt
        ReactiveVaultOperationsExtensionsTests.kt
        VaultOperationsExtensionsTests.kt
        VaultVersionedKeyValueOperationsExtensionsTests.kt
      - java
        org
        springframework
        vault
        security
        VaultBytesEncryptorIntegrationTests.java
        VaultBytesKeyGeneratorIntegrationTests.java
        demo
        VaultApp.java
        SecurePropertyUsage.java
        authentication
        ClientCertificateAuthenticationOperatorIntegrationTests.java
        PcfAuthenticationOptionsUnitTests.java
        KubernetesAuthenticationIntegrationTests.java
        LifecycleAwareSessionManagerSupportUnitTests.java
        TokenAuthenticationIntegrationTestBase.java
        CubbyholeAuthenticationStepsIntegrationTests.java
        AwsIamAuthenticationUnitTests.java
        LoginTokenAdapterUnitTests.java
        LoginTokenUnitTests.java
        CubbyholeAuthenticationIntegrationTests.java
        CubbyholeAuthenticationUnitTests.java
        LifecycleAwareSessionManagerIntegrationTests.java
        TokenAuthenticationStepsIntegrationTests.java
        ReactiveLifecycleAwareSessionManagerUnitTests.java
        ClientCertificateAuthenticationStepsIntegrationTests.java
        AppIdAuthenticationOperatorIntegrationTests.java
        GcpIamAuthenticationOptionsBuilderUnitTests.java
        AppRoleAuthenticationIntegrationTestBase.java
        AuthenticationStepsExecutorUnitTests.java
        ClientCertificateAuthenticationIntegrationTestBase.java
        GcpIamAuthenticationUnitTests.java
        AppRoleAuthenticationIntegrationTests.java
        MacAddressUserIdUnitTests.java
        KubernetesAuthenticationStepsIntegrationTests.java
        ClientCertificateAuthenticationUnitTests.java
        PcfAuthenticationUnitTests.java
        AppIdAuthenticationUnitTests.java
        LifecycleAwareSessionManagerUnitTests.java
        AuthenticationStepsOperatorUnitTests.java
        KubernetesAuthenticationUnitTests.java
        KubeServiceAccountTokenFileUnitTests.java
        GcpComputeAuthenticationUnitTests.java
        ClientCertificateAuthenticationIntegrationTests.java
        ClientCertificateNamespaceIntegrationTests.java
        TokenAuthenticationOperatorIntegrationTests.java
        KubernetesAuthenticationIntegrationTestBase.java
        AppIdAuthenticationStepsIntegrationTests.java
        IpAddressUserIdTests.java
        ReactiveLifecycleAwareSessionManagerIntegrationTests.java
        AppRoleAuthenticationStepsIntegrationTests.java
        AppIdAuthenticationIntegrationTestBase.java
        AwsEc2AuthenticationUnitTests.java
        AzureMsiAuthenticationUnitTests.java
        CubbyholeAuthenticationOperatorIntegrationTests.java
        CubbyholeAuthenticationIntegrationTestBase.java
        AppRoleAuthenticationUnitTests.java
        AppIdAuthenticationIntegrationTests.java
        client
        VaultClientsUnitTests.java
        ReactiveVaultClientsIntegrationTests.java
        RestTemplateBuilderUnitTests.java
        VaultResponsesUnitTests.java
        ReactiveVaultClientsUnitTests.java
        VaultEndpointUnitTests.java
        ClientHttpConnectorFactoryIntegrationTests.java
        ClientHttpRequestFactoryFactoryIntegrationTests.java
        support
        VaultTokenRequestUnitTests.java
        VaultCertificateRequestUnitTests.java
        PemObjectUnitTests.java
        VaultTransitContextUnitTests.java
        CertificateBundleUnitTests.java
        PolicySerializationUnitTests.java
        DurationParserUnitTests.java
        JsonMapFlattenerUnitTests.java
        CertificateUnitTests.java
        ObjectMapperSupplier.java
        SslConfigurationUnitTests.java
        util
        TestWebClientFactory.java
        RequiresVaultVersion.java
        VaultVersionExtension.java
        PrepareVault.java
        TestRestTemplateFactory.java
        CanConnect.java
        VaultExtension.java
        VaultInitializer.java
        Version.java
        Settings.java
        IntegrationTestSupport.java
        config
        EnvironmentVaultConfigurationAwsEc2AuthenticationUnitTests.java
        AbstractVaultConfigurationUnitTests.java
        EnvironmentVaultConfigurationAppIdAuthenticationUnitTests.java
        EnvironmentVaultConfigurationAppRoleAuthenticationUnitTests.java
        EnvironmentVaultConfigurationKubernetesAuthenticationUnitTests.java
        EnvironmentVaultConfigurationAzureMSIAuthenticationUnitTests.java
        EnvironmentVaultConfigurationClientCertAuthenticationUnitTests.java
        EnvironmentVaultConfigurationCubbyholeAuthenticationUnitTests.java
        EnvironmentVaultConfigurationUnitTests.java
        AbstractReactiveVaultConfigurationUnitTests.java
        annotation
        VaultPropertySourceMultipleIntegrationTests.java
        VaultPropertySourceUnitTests.java
        VaultPropertySourceIntegrationTests.java
        VaultPropertySourceInBeanConfigurationIntegrationTest.java
        LeaseAwareVaultPropertySourceIntegrationTests.java
        domain
        Person.java
        core
        VaultIntegrationTestConfiguration.java
        ReactiveVaultTemplateGenericIntegrationTests.java
        PkiSecretIntegrationTests.java
        VaultNamespaceSecretIntegrationTests.java
        VaultKeyValueTemplateVersionedIntegrationTests.java
        VaultSysTemplateIntegrationTests.java
        VaultVersionedKeyValueTemplateIntegrationTests.java
        VaultTransitTemplateIntegrationTests.java
        VaultSysTemplateUnitTests.java
        util
        PropertyTransformersUnitTests.java
        KeyValueDelegateUnitTests.java
        VaultTemplateGenericIntegrationTests.java
        VaultWrappingTemplateIntegrationTests.java
        VaultKeyValueTemplateIntegrationTests.java
        VaultTokenTemplateIntegrationTests.java
        VaultPkiTemplateIntegrationTests.java
        VaultTemplateTransitIntegrationTests.java
        VaultTemplateAgentIntegrationTests.java
        VaultKeyValueMetadataTemplateIntegrationTests.java
        lease
        RotatingGenericSecretsIntegrationTestConfiguration.java
        SecretLeaseContainerUnitTests.java
        domain
        RequestedSecretTests.java
        env
        VersionedKeyValueBackendIntegrationTests.java
        VaultPropertySourceUnitTests.java
        LeaseAwareVaultPropertySourceUnitTests.java
        AbstractVaultKeyValueTemplateIntegrationTests.java
        ReactiveVaultTemplateAgentIntegrationTests.java
        repository
        mapping
        BasicVaultPersistentEntityUnitTests.java
        VaultMappingContextUnitTests.java
        VaultRepositoryIntegrationTests.java
        query
        VaultQueryCreatorUnitTests.java
        convert
        MappingVaultConverterUnitTests.java
        DefaultVaultTypeMapperUnitTests.java
        MultipleSpringDataModulesIntegrationTests.java
  - pom.xml
- .travis.yml
- spring-vault-dependencies
  - pom.xml
- etc
  - ide
    - eclipse.importorder
- spring-vault-distribution
  - src
    - assembly
      - docs.xml
  - pom.xml
- .gitignore
- docs
  - index.html
- LICENSE.txt
- mvnw.cmd

/*
 * Copyright 2018-2020 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      https://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package org.springframework.vault.authentication;

import java.time.Duration;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.concurrent.atomic.AtomicReference;

import org.junit.jupiter.api.BeforeEach;
import org.junit.jupiter.api.Test;
import org.junit.jupiter.api.extension.ExtendWith;
import org.mockito.ArgumentCaptor;
import org.mockito.Captor;
import org.mockito.Mock;
import org.mockito.junit.jupiter.MockitoExtension;
import org.mockito.junit.jupiter.MockitoSettings;
import org.mockito.quality.Strictness;
import reactor.core.publisher.Mono;
import reactor.test.StepVerifier;

import org.springframework.scheduling.TaskScheduler;
import org.springframework.scheduling.Trigger;
import org.springframework.vault.authentication.event.AfterLoginEvent;
import org.springframework.vault.authentication.event.AfterLoginTokenRenewedEvent;
import org.springframework.vault.authentication.event.AfterLoginTokenRevocationEvent;
import org.springframework.vault.authentication.event.AuthenticationErrorEvent;
import org.springframework.vault.authentication.event.AuthenticationErrorListener;
import org.springframework.vault.authentication.event.AuthenticationEvent;
import org.springframework.vault.authentication.event.AuthenticationListener;
import org.springframework.vault.authentication.event.BeforeLoginTokenRenewedEvent;
import org.springframework.vault.authentication.event.BeforeLoginTokenRevocationEvent;
import org.springframework.vault.authentication.event.LoginFailedEvent;
import org.springframework.vault.authentication.event.LoginTokenExpiredEvent;
import org.springframework.vault.support.LeaseStrategy;
import org.springframework.vault.support.VaultResponse;
import org.springframework.vault.support.VaultToken;
import org.springframework.web.reactive.function.client.WebClient;
import org.springframework.web.reactive.function.client.WebClient.RequestBodySpec;
import org.springframework.web.reactive.function.client.WebClient.RequestBodyUriSpec;
import org.springframework.web.reactive.function.client.WebClient.RequestHeadersSpec;
import org.springframework.web.reactive.function.client.WebClient.RequestHeadersUriSpec;
import org.springframework.web.reactive.function.client.WebClient.ResponseSpec;
import org.springframework.web.reactive.function.client.WebClientResponseException;

import static org.assertj.core.api.Assertions.assertThat;
import static org.mockito.ArgumentMatchers.any;
import static org.mockito.ArgumentMatchers.anyString;
import static org.mockito.Mockito.never;
import static org.mockito.Mockito.times;
import static org.mockito.Mockito.verify;
import static org.mockito.Mockito.verifyNoMoreInteractions;
import static org.mockito.Mockito.verifyZeroInteractions;
import static org.mockito.Mockito.when;

/**
 * Unit tests for {@link ReactiveLifecycleAwareSessionManager}.
 *
 * @author Mark Paluch
 */
@ExtendWith(MockitoExtension.class)
@MockitoSettings(strictness = Strictness.LENIENT)
class ReactiveLifecycleAwareSessionManagerUnitTests {

	@Mock
	VaultTokenSupplier tokenSupplier;

	@Mock
	TaskScheduler taskScheduler;

	@Mock
	WebClient webClient;

	@Mock
	RequestHeadersSpec requestHeadersSpec;

	@Mock
	RequestHeadersUriSpec requestHeadersUriSpec;

	@Mock
	RequestBodyUriSpec requestBodyUriSpec;

	@Mock
	RequestBodySpec requestBodySpec;

	@Mock
	ResponseSpec responseSpec;

	@Mock
	AuthenticationListener listener;

	@Mock
	AuthenticationErrorListener errorListener;

	@Captor
	ArgumentCaptor<AuthenticationEvent> captor;

	private ReactiveLifecycleAwareSessionManager sessionManager;

	@BeforeEach
	void before() {

		// POST
		when(this.webClient.post()).thenReturn(this.requestBodyUriSpec);
		when(this.requestBodyUriSpec.uri(anyString())).thenReturn(this.requestBodySpec);
		when(this.requestBodySpec.headers(any())).thenReturn(this.requestBodySpec);
		when(this.requestBodySpec.retrieve()).thenReturn(this.responseSpec);

		// GET
		when(this.webClient.get()).thenReturn(this.requestHeadersUriSpec);
		when(this.requestHeadersUriSpec.uri(anyString())).thenReturn(this.requestHeadersSpec);
		when(this.requestHeadersSpec.headers(any())).thenReturn(this.requestHeadersSpec);
		when(this.requestHeadersSpec.retrieve()).thenReturn(this.responseSpec);

		this.sessionManager = new ReactiveLifecycleAwareSessionManager(this.tokenSupplier, this.taskScheduler,
				this.webClient);
		this.sessionManager.addAuthenticationListener(this.listener);
		this.sessionManager.addErrorListener(this.errorListener);
	}

	@Test
	void shouldObtainTokenFromClientAuthentication() {

		mockToken(LoginToken.of("login"));

		this.sessionManager.getSessionToken() //
				.as(StepVerifier::create) //
				.expectNext(LoginToken.of("login")) //
				.verifyComplete();
		verify(this.listener).onAuthenticationEvent(any(AfterLoginEvent.class));
	}

	@Test
	void loginShouldFail() {

		when(this.tokenSupplier.getVaultToken()).thenReturn(Mono.error(new VaultLoginException("foo")));

		this.sessionManager.getSessionToken() //
				.as(StepVerifier::create) //
				.verifyError();
		verifyZeroInteractions(this.listener);
		verify(this.errorListener).onAuthenticationError(any(LoginFailedEvent.class));
	}

	@Test
	@SuppressWarnings("unchecked")
	void shouldSelfLookupToken() {

		VaultResponse vaultResponse = new VaultResponse();
		vaultResponse.setData(Collections.singletonMap("ttl", 100));

		mockToken(VaultToken.of("login"));

		when(this.responseSpec.bodyToMono((Class) any())).thenReturn(Mono.just(vaultResponse));

		this.sessionManager.getSessionToken().as(StepVerifier::create).assertNext(it -> {

			LoginToken sessionToken = (LoginToken) it;
			assertThat(sessionToken.getLeaseDuration()).isEqualTo(Duration.ofSeconds(100));
		}).verifyComplete();

		verify(this.webClient.get()).uri("auth/token/lookup-self");
		verify(this.listener).onAuthenticationEvent(this.captor.capture());
		AfterLoginEvent event = (AfterLoginEvent) this.captor.getValue();
		assertThat(event.getSource()).isInstanceOf(LoginToken.class);
	}

	@Test
	@SuppressWarnings("unchecked")
	void shouldContinueIfSelfLookupFails() {

		VaultResponse vaultResponse = new VaultResponse();
		vaultResponse.setData(Collections.singletonMap("ttl", 100));

		mockToken(VaultToken.of("login"));

		when(this.responseSpec.bodyToMono((Class) any())).thenReturn(
				Mono.error(new WebClientResponseException("forbidden", 403, "Forbidden", null, null, null)));

		this.sessionManager.getSessionToken() //
				.as(StepVerifier::create) //
				.assertNext(it -> {
					assertThat(it).isExactlyInstanceOf(VaultToken.class);
				}).verifyComplete();
		verify(this.listener).onAuthenticationEvent(any(AfterLoginEvent.class));
		verify(this.errorListener).onAuthenticationError(any());
	}

	@Test
	void tokenRenewalShouldMapException() {

		mockToken(LoginToken.renewable("foo".toCharArray(), Duration.ofMinutes(1)));

		when(this.responseSpec.bodyToMono((Class) any())).thenReturn(Mono.error(
				new WebClientResponseException("Some server error", 500, "Some server error", null, null, null)));

		AtomicReference<AuthenticationErrorEvent> listener = new AtomicReference<>();
		this.sessionManager.addErrorListener(listener::set);

		this.sessionManager.getVaultToken().as(StepVerifier::create).expectNextCount(1).verifyComplete();
		this.sessionManager.renewToken().as(StepVerifier::create).verifyComplete();
		assertThat(listener.get().getException()).isInstanceOf(VaultTokenRenewalException.class)
				.hasCauseInstanceOf(WebClientResponseException.class)
				.hasMessageContaining("Cannot renew token: Status 500 Some server error");

	}

	@Test
	void shouldRevokeLoginTokenOnDestroy() {

		VaultResponse vaultResponse = new VaultResponse();
		vaultResponse.setData(Collections.singletonMap("ttl", 100));

		mockToken(LoginToken.of("login"));
		when(this.responseSpec.bodyToMono(String.class)).thenReturn(Mono.just("OK"));

		this.sessionManager.getVaultToken() //
				.as(StepVerifier::create) //
				.expectNextCount(1) //
				.verifyComplete();

		this.sessionManager.destroy();

		verify(this.webClient.post()).uri("auth/token/revoke-self");
		verify(this.listener).onAuthenticationEvent(any(BeforeLoginTokenRevocationEvent.class));
		verify(this.listener).onAuthenticationEvent(any(AfterLoginTokenRevocationEvent.class));
	}

	@Test
	void shouldNotRevokeRegularTokenOnDestroy() {

		mockToken(VaultToken.of("login"));

		this.sessionManager.setTokenSelfLookupEnabled(false);
		this.sessionManager.renewToken() //
				.as(StepVerifier::create) //
				.expectNextCount(1) //
				.verifyComplete();
		this.sessionManager.destroy();

		verify(this.webClient, never()).post();
		verify(this.webClient.post(), never()).uri("auth/token/revoke-self");
		verify(this.listener).onAuthenticationEvent(any(AfterLoginEvent.class));
		verifyNoMoreInteractions(this.listener);
	}

	@Test
	void shouldNotThrowExceptionsOnRevokeErrors() {

		mockToken(LoginToken.of("login"));

		when(this.responseSpec.bodyToMono((Class) any())).thenReturn(
				Mono.error(new WebClientResponseException("forbidden", 403, "Forbidden", null, null, null)));

		this.sessionManager.renewToken() //
				.as(StepVerifier::create) //
				.expectNextCount(1) //
				.verifyComplete();
		this.sessionManager.destroy();

		verify(this.requestBodyUriSpec).uri("auth/token/revoke-self");
	}

	@Test
	void shouldScheduleTokenRenewal() {

		mockToken(LoginToken.renewable("login".toCharArray(), Duration.ofSeconds(5)));

		this.sessionManager.getSessionToken() //
				.as(StepVerifier::create) //
				.expectNextCount(1) //
				.verifyComplete();

		verify(this.taskScheduler).schedule(any(Runnable.class), any(Trigger.class));
	}

	@Test
	void shouldRunTokenRenewal() {

		mockToken(LoginToken.renewable("login".toCharArray(), Duration.ofSeconds(5)));
		ArgumentCaptor<Runnable> runnableCaptor = ArgumentCaptor.forClass(Runnable.class);

		VaultResponse vaultResponse = new VaultResponse();
		Map<String, Object> auth = new HashMap<>();
		auth.put("client_token", "login");
		auth.put("ttl", 100);
		vaultResponse.setAuth(auth);

		when(this.responseSpec.bodyToMono(VaultResponse.class)).thenReturn(Mono.just(vaultResponse));

		this.sessionManager.getSessionToken() //
				.as(StepVerifier::create) //
				.expectNextCount(1) //
				.verifyComplete();

		verify(this.taskScheduler).schedule(runnableCaptor.capture(), any(Trigger.class));

		runnableCaptor.getValue().run();

		verify(this.webClient).post();
		verify(this.webClient.post()).uri("auth/token/renew-self");

		verify(this.tokenSupplier, times(1)).getVaultToken();
		verify(this.listener).onAuthenticationEvent(any(BeforeLoginTokenRenewedEvent.class));
		verify(this.listener).onAuthenticationEvent(any(AfterLoginTokenRenewedEvent.class));
	}

	@Test
	void shouldReScheduleTokenRenewalAfterSuccessfulRenewal() {

		mockToken(LoginToken.renewable("login".toCharArray(), Duration.ofSeconds(5)));

		when(this.responseSpec.bodyToMono(VaultResponse.class))
				.thenReturn(Mono.just(fromToken(LoginToken.of("foo".toCharArray(), Duration.ofSeconds(10)))));

		ArgumentCaptor<Runnable> runnableCaptor = ArgumentCaptor.forClass(Runnable.class);

		this.sessionManager.getSessionToken() //
				.as(StepVerifier::create) //
				.expectNextCount(1) //
				.verifyComplete();
		verify(this.taskScheduler).schedule(runnableCaptor.capture(), any(Trigger.class));

		runnableCaptor.getValue().run();

		verify(this.taskScheduler, times(2)).schedule(any(Runnable.class), any(Trigger.class));
	}

	@Test
	void shouldNotScheduleRenewalIfRenewalTtlExceedsThreshold() {

		mockToken(LoginToken.renewable("login".toCharArray(), Duration.ofSeconds(5)));
		when(this.responseSpec.bodyToMono(VaultResponse.class))
				.thenReturn(Mono.just(fromToken(LoginToken.of("foo".toCharArray(), Duration.ofSeconds(2)))));

		ArgumentCaptor<Runnable> runnableCaptor = ArgumentCaptor.forClass(Runnable.class);

		this.sessionManager.getSessionToken().as(StepVerifier::create).expectNextCount(1).verifyComplete();
		verify(this.taskScheduler).schedule(runnableCaptor.capture(), any(Trigger.class));

		runnableCaptor.getValue().run();

		verify(this.taskScheduler, times(1)).schedule(any(Runnable.class), any(Trigger.class));
	}

	@Test
	void shouldReLoginIfRenewalTtlExceedsThreshold() {

		when(this.tokenSupplier.getVaultToken()).thenReturn(
				Mono.just(LoginToken.renewable("login".toCharArray(), Duration.ofSeconds(5))),
				Mono.just(LoginToken.renewable("bar".toCharArray(), Duration.ofSeconds(5))));
		when(this.responseSpec.bodyToMono(VaultResponse.class))
				.thenReturn(Mono.just(fromToken(LoginToken.of("foo".toCharArray(), Duration.ofSeconds(2)))));

		ArgumentCaptor<Runnable> runnableCaptor = ArgumentCaptor.forClass(Runnable.class);
		this.sessionManager.getSessionToken() //
				.as(StepVerifier::create) //
				.expectNextCount(1) //
				.verifyComplete();
		verify(this.taskScheduler).schedule(runnableCaptor.capture(), any(Trigger.class));
		runnableCaptor.getValue().run();

		this.sessionManager.getSessionToken().as(StepVerifier::create)
				.expectNext(LoginToken.renewable("bar".toCharArray(), Duration.ofSeconds(5))).verifyComplete();

		verify(this.tokenSupplier, times(2)).getVaultToken();
		verify(this.listener, times(2)).onAuthenticationEvent(any(AfterLoginEvent.class));
		verify(this.listener).onAuthenticationEvent(any(LoginTokenExpiredEvent.class));
	}

	@Test
	void shouldReLoginIfRenewFails() {

		when(this.tokenSupplier.getVaultToken()).thenReturn(
				Mono.just(LoginToken.renewable("login".toCharArray(), Duration.ofSeconds(5))),
				Mono.just(LoginToken.renewable("bar".toCharArray(), Duration.ofSeconds(5))));
		when(this.responseSpec.bodyToMono(VaultResponse.class)).thenReturn(Mono.error(new RuntimeException("foo")));

		ArgumentCaptor<Runnable> runnableCaptor = ArgumentCaptor.forClass(Runnable.class);
		this.sessionManager.getSessionToken() //
				.as(StepVerifier::create) //
				.expectNextCount(1) //
				.verifyComplete();
		verify(this.taskScheduler).schedule(runnableCaptor.capture(), any(Trigger.class));
		runnableCaptor.getValue().run();

		this.sessionManager.getSessionToken().as(StepVerifier::create)
				.expectNext(LoginToken.renewable("bar".toCharArray(), Duration.ofSeconds(5))).verifyComplete();

		verify(this.tokenSupplier, times(2)).getVaultToken();
	}

	@Test
	void shouldRetainTokenAfterRenewalFailure() {

		when(this.tokenSupplier.getVaultToken()).thenReturn(
				Mono.just(LoginToken.renewable("login".toCharArray(), Duration.ofSeconds(5))),
				Mono.just(LoginToken.renewable("bar".toCharArray(), Duration.ofSeconds(5))));
		when(this.responseSpec.bodyToMono(VaultResponse.class)).thenReturn(Mono.error(new RuntimeException("foo")));
		this.sessionManager.setLeaseStrategy(LeaseStrategy.retainOnError());

		ArgumentCaptor<Runnable> runnableCaptor = ArgumentCaptor.forClass(Runnable.class);
		this.sessionManager.getSessionToken() //
				.as(StepVerifier::create) //
				.expectNextCount(1) //
				.verifyComplete();
		verify(this.taskScheduler).schedule(runnableCaptor.capture(), any(Trigger.class));
		runnableCaptor.getValue().run();

		this.sessionManager.getSessionToken().as(StepVerifier::create)
				.expectNext(LoginToken.renewable("login".toCharArray(), Duration.ofSeconds(5))).verifyComplete();

		verify(this.tokenSupplier).getVaultToken();
	}

	private static VaultResponse fromToken(LoginToken loginToken) {

		Map<String, Object> auth = new HashMap<>();

		auth.put("client_token", loginToken.getToken());
		auth.put("renewable", loginToken.isRenewable());
		auth.put("lease_duration", loginToken.getLeaseDuration().getSeconds());

		VaultResponse response = new VaultResponse();
		response.setAuth(auth);

		return response;
	}

	private void mockToken(VaultToken token) {
		when(this.tokenSupplier.getVaultToken()).thenReturn(Mono.just(token));
	}

}