java source code of CubbyholeAuthentication

spring-vault-master
- src
  - main
    - resources
      - license.txt
      - changelog.txt
      - notice.txt
    - asciidoc
      - preface.adoc
      - reference
        vault.adoc
        imperative-template.adoc
        authentication.adoc
        vault-repositories.adoc
        client-support.adoc
        getting-started.adoc
        reactive-template.adoc
        misc.adoc
        propertysource.adoc
        dependencies.adoc
      - new-features.adoc
      - index.adoc
  - test
    - bash
      - env.sh
      - intermediate.cnf
      - openssl.cnf
      - minikube_ci_initialize.sh
      - vault-agent.conf
      - install_vault.sh
      - local_run_k8s.sh
      - create_certificates.sh
      - local_run_vault.sh
      - start.sh
      - vault.conf
- pom.xml
- mvnw
- SECURITY.adoc
- README.adoc
- .mvn
  - wrapper
    - maven-wrapper.properties
- spring-vault-core
  - src
    - main
      - kotlin
        org
        springframework
        vault
        core
        ReactiveVaultOperationsExtensions.kt
        VaultOperationsExtensions.kt
        VaultWrappingOperationsExtensions.kt
        VaultVersionedKeyValueOperationsExtensions.kt
        VaultKeyValueOperationsExtensions.kt
      - java
        org
        springframework
        vault
        security
        VaultBytesEncryptor.java
        VaultBytesKeyGenerator.java
        package-info.java
        authentication
        GcpIamAuthenticationOptions.java
        AuthenticationStepsFactory.java
        AppRoleAuthenticationOptions.java
        AuthenticationEventPublisher.java
        CachingVaultTokenSupplier.java
        AwsIamAuthentication.java
        GcpProjectIdAccessor.java
        AzureVmEnvironment.java
        ClientAuthentication.java
        CredentialSupplier.java
        TokenAuthentication.java
        ClientCertificateAuthentication.java
        VaultSessionManagerException.java
        GcpComputeAuthentication.java
        VaultTokenSupplier.java
        CubbyholeAuthentication.java
        UnwrappingEndpoints.java
        KubernetesJwtSupplier.java
        IpAddressUserId.java
        KubernetesAuthenticationOptions.java
        GcpCredentialSupplier.java
        SessionManager.java
        AppIdAuthenticationOptions.java
        GcpJwtAuthenticationSupport.java
        LifecycleAwareSessionManagerSupport.java
        ReactiveLifecycleAwareSessionManager.java
        AppRoleAuthentication.java
        LoginTokenAdapter.java
        VaultTokenLookupException.java
        AppIdUserIdMechanism.java
        AuthenticationSteps.java
        MacAddressUserId.java
        StaticUserId.java
        AzureMsiAuthentication.java
        VaultLoginException.java
        package-info.java
        AwsEc2AuthenticationOptions.java
        PcfAuthentication.java
        event
        AfterLoginTokenRevocationEvent.java
        BeforeLoginTokenRevocationEvent.java
        LoginFailedEvent.java
        AuthenticationErrorEvent.java
        AuthenticationListener.java
        AuthenticationEvent.java
        LoginTokenRenewalFailedEvent.java
        BeforeLoginTokenRenewedEvent.java
        LoginTokenRevocationFailedEvent.java
        package-info.java
        AfterLoginTokenRenewedEvent.java
        AfterLoginEvent.java
        LoginTokenExpiredEvent.java
        AuthenticationErrorListener.java
        VaultTokenRenewalException.java
        AuthenticationStepsExecutor.java
        ResourceCredentialSupplier.java
        Sha256.java
        GcpComputeAuthenticationOptions.java
        AuthenticationUtil.java
        ClientCertificateAuthenticationOptions.java
        AzureMsiAuthenticationOptions.java
        AwsIamAuthenticationOptions.java
        DefaultGcpCredentialAccessors.java
        CubbyholeAuthenticationOptions.java
        GcpIamAuthentication.java
        AppRoleTokens.java
        KubernetesAuthentication.java
        AwsEc2Authentication.java
        LifecycleAwareSessionManager.java
        KubernetesServiceAccountTokenFile.java
        LoginToken.java
        SimpleSessionManager.java
        PcfAuthenticationOptions.java
        AuthenticationStepsOperator.java
        ReactiveSessionManager.java
        LoginTokenUtil.java
        GcpServiceAccountIdAccessor.java
        AppIdAuthentication.java
        client
        RestTemplateRequestCustomizer.java
        VaultEndpoint.java
        VaultEndpointProvider.java
        RestTemplateFactory.java
        VaultHttpHeaders.java
        VaultResponses.java
        RestTemplateBuilder.java
        ClientHttpConnectorFactory.java
        RestTemplateCustomizer.java
        ReactiveVaultClients.java
        package-info.java
        VaultClients.java
        SimpleVaultEndpointProvider.java
        WebClientFactory.java
        WebClientCustomizer.java
        WebClientBuilder.java
        ReactiveVaultEndpointProvider.java
        ClientHttpRequestFactoryFactory.java
        VaultException.java
        support
        Versioned.java
        KeystoreUtil.java
        SignatureValidation.java
        VaultTransitContext.java
        VaultTokenResponse.java
        LeaseStrategy.java
        CertificateBundle.java
        Ciphertext.java
        WrappedMetadata.java
        VaultCertificateResponse.java
        VaultUnsealStatus.java
        VaultTokenRequest.java
        VaultHmacRequest.java
        VaultInitializationRequest.java
        VaultInitializationResponse.java
        VaultToken.java
        RawTransitKey.java
        VaultSignRequest.java
        Policy.java
        VaultCertificateRequest.java
        VaultMetadataRequest.java
        JsonMapFlattener.java
        Certificate.java
        ClientOptions.java
        VaultTransitKeyConfiguration.java
        VaultResponseSupport.java
        VaultSignCertificateRequestResponse.java
        VaultSignatureVerificationRequest.java
        VaultTransitKeyCreationRequest.java
        SslConfiguration.java
        package-info.java
        TransitKeyType.java
        VaultDecryptionResult.java
        VaultMetadataResponse.java
        Hmac.java
        VaultMount.java
        AbstractResult.java
        VaultHealth.java
        VaultTransitKey.java
        PemObject.java
        VaultEncryptionResult.java
        Plaintext.java
        DurationParser.java
        Signature.java
        VaultResponse.java
        config
        DefaultRestTemplateFactory.java
        EnvironmentVaultConfiguration.java
        ClientHttpConnectorFactory.java
        AbstractReactiveVaultConfiguration.java
        AbstractVaultConfiguration.java
        package-info.java
        DefaultWebClientFactory.java
        ClientHttpRequestFactoryFactory.java
        package-info.java
        annotation
        VaultPropertySources.java
        VaultPropertySourceRegistrar.java
        VaultPropertySource.java
        package-info.java
        core
        VaultTokenOperations.java
        VaultTokenTemplate.java
        VaultKeyValueOperationsSupport.java
        VaultTemplate.java
        VaultVersionedKeyValueOperations.java
        VaultKeyValue2Accessor.java
        VaultListResponse.java
        VaultTransitTemplate.java
        VaultKeyValue1Template.java
        VaultPkiTemplate.java
        VaultTransitOperations.java
        VaultVersionedKeyValueTemplate.java
        VaultPkiOperations.java
        VaultWrappingTemplate.java
        VaultKeyValueMetadataOperations.java
        VaultKeyValueMetadataTemplate.java
        ReactiveVaultOperations.java
        util
        PropertyTransformer.java
        PropertyTransformers.java
        KeyValueDelegate.java
        package-info.java
        VaultSysTemplate.java
        VaultKeyValueAccessor.java
        ReactiveVaultTemplate.java
        VaultOperations.java
        VaultKeyValue2Template.java
        package-info.java
        VaultSysOperations.java
        VaultKeyValueOperations.java
        RestOperationsCallback.java
        VaultWrappingOperations.java
        lease
        SecretLeaseContainer.java
        SecretLeaseEventPublisher.java
        package-info.java
        event
        BeforeSecretLeaseRevocationEvent.java
        SecretLeaseCreatedEvent.java
        LeaseErrorListener.java
        SecretLeaseEvent.java
        AfterSecretLeaseRevocationEvent.java
        AfterSecretLeaseRenewedEvent.java
        SecretNotFoundEvent.java
        SecretLeaseExpiredEvent.java
        SecretLeaseErrorEvent.java
        LeaseListener.java
        package-info.java
        LeaseListenerAdapter.java
        LeaseEndpoints.java
        domain
        RequestedSecret.java
        Lease.java
        package-info.java
        env
        VaultPropertySource.java
        package-info.java
        LeaseAwareVaultPropertySource.java
        VaultPropertySourceNotFoundException.java
        repository
        configuration
        VaultRepositoriesRegistrar.java
        EnableVaultRepositories.java
        package-info.java
        VaultRepositoryConfigurationExtension.java
        mapping
        Secret.java
        VaultPersistentEntity.java
        VaultPersistentProperty.java
        VaultSimpleTypes.java
        BasicVaultPersistentEntity.java
        package-info.java
        VaultMappingContext.java
        support
        VaultRepositoryFactoryBean.java
        VaultRepositoryFactory.java
        package-info.java
        query
        VaultQuery.java
        VaultQueryCreator.java
        package-info.java
        VaultPartTreeQuery.java
        convert
        VaultConverter.java
        AbstractVaultConverter.java
        VaultCustomConversions.java
        MappingVaultConverter.java
        SecretDocument.java
        package-info.java
        VaultTypeMapper.java
        DefaultVaultTypeMapper.java
        SecretDocumentAccessor.java
        core
        MappingVaultEntityInformation.java
        VaultEntityInformation.java
        VaultKeyValueAdapter.java
        package-info.java
        VaultQueryEngine.java
        VaultKeyValueTemplate.java
    - test
      - resources
        logback.xml
        certificate.json
        policy.json
        org
        springframework
        vault
        demo
        other.properties
        secure-introduction.properties
        kube-jwt-token
      - kotlin
        org
        springframework
        vault
        core
        VaultWrappingOperationsExtensionsTests.kt
        VaultKeyValueOperationsExtensionsTests.kt
        ReactiveVaultOperationsExtensionsTests.kt
        VaultOperationsExtensionsTests.kt
        VaultVersionedKeyValueOperationsExtensionsTests.kt
      - java
        org
        springframework
        vault
        security
        VaultBytesEncryptorIntegrationTests.java
        VaultBytesKeyGeneratorIntegrationTests.java
        demo
        VaultApp.java
        SecurePropertyUsage.java
        authentication
        ClientCertificateAuthenticationOperatorIntegrationTests.java
        PcfAuthenticationOptionsUnitTests.java
        KubernetesAuthenticationIntegrationTests.java
        LifecycleAwareSessionManagerSupportUnitTests.java
        TokenAuthenticationIntegrationTestBase.java
        CubbyholeAuthenticationStepsIntegrationTests.java
        AwsIamAuthenticationUnitTests.java
        LoginTokenAdapterUnitTests.java
        LoginTokenUnitTests.java
        CubbyholeAuthenticationIntegrationTests.java
        CubbyholeAuthenticationUnitTests.java
        LifecycleAwareSessionManagerIntegrationTests.java
        TokenAuthenticationStepsIntegrationTests.java
        ReactiveLifecycleAwareSessionManagerUnitTests.java
        ClientCertificateAuthenticationStepsIntegrationTests.java
        AppIdAuthenticationOperatorIntegrationTests.java
        GcpIamAuthenticationOptionsBuilderUnitTests.java
        AppRoleAuthenticationIntegrationTestBase.java
        AuthenticationStepsExecutorUnitTests.java
        ClientCertificateAuthenticationIntegrationTestBase.java
        GcpIamAuthenticationUnitTests.java
        AppRoleAuthenticationIntegrationTests.java
        MacAddressUserIdUnitTests.java
        KubernetesAuthenticationStepsIntegrationTests.java
        ClientCertificateAuthenticationUnitTests.java
        PcfAuthenticationUnitTests.java
        AppIdAuthenticationUnitTests.java
        LifecycleAwareSessionManagerUnitTests.java
        AuthenticationStepsOperatorUnitTests.java
        KubernetesAuthenticationUnitTests.java
        KubeServiceAccountTokenFileUnitTests.java
        GcpComputeAuthenticationUnitTests.java
        ClientCertificateAuthenticationIntegrationTests.java
        ClientCertificateNamespaceIntegrationTests.java
        TokenAuthenticationOperatorIntegrationTests.java
        KubernetesAuthenticationIntegrationTestBase.java
        AppIdAuthenticationStepsIntegrationTests.java
        IpAddressUserIdTests.java
        ReactiveLifecycleAwareSessionManagerIntegrationTests.java
        AppRoleAuthenticationStepsIntegrationTests.java
        AppIdAuthenticationIntegrationTestBase.java
        AwsEc2AuthenticationUnitTests.java
        AzureMsiAuthenticationUnitTests.java
        CubbyholeAuthenticationOperatorIntegrationTests.java
        CubbyholeAuthenticationIntegrationTestBase.java
        AppRoleAuthenticationUnitTests.java
        AppIdAuthenticationIntegrationTests.java
        client
        VaultClientsUnitTests.java
        ReactiveVaultClientsIntegrationTests.java
        RestTemplateBuilderUnitTests.java
        VaultResponsesUnitTests.java
        ReactiveVaultClientsUnitTests.java
        VaultEndpointUnitTests.java
        ClientHttpConnectorFactoryIntegrationTests.java
        ClientHttpRequestFactoryFactoryIntegrationTests.java
        support
        VaultTokenRequestUnitTests.java
        VaultCertificateRequestUnitTests.java
        PemObjectUnitTests.java
        VaultTransitContextUnitTests.java
        CertificateBundleUnitTests.java
        PolicySerializationUnitTests.java
        DurationParserUnitTests.java
        JsonMapFlattenerUnitTests.java
        CertificateUnitTests.java
        ObjectMapperSupplier.java
        SslConfigurationUnitTests.java
        util
        TestWebClientFactory.java
        RequiresVaultVersion.java
        VaultVersionExtension.java
        PrepareVault.java
        TestRestTemplateFactory.java
        CanConnect.java
        VaultExtension.java
        VaultInitializer.java
        Version.java
        Settings.java
        IntegrationTestSupport.java
        config
        EnvironmentVaultConfigurationAwsEc2AuthenticationUnitTests.java
        AbstractVaultConfigurationUnitTests.java
        EnvironmentVaultConfigurationAppIdAuthenticationUnitTests.java
        EnvironmentVaultConfigurationAppRoleAuthenticationUnitTests.java
        EnvironmentVaultConfigurationKubernetesAuthenticationUnitTests.java
        EnvironmentVaultConfigurationAzureMSIAuthenticationUnitTests.java
        EnvironmentVaultConfigurationClientCertAuthenticationUnitTests.java
        EnvironmentVaultConfigurationCubbyholeAuthenticationUnitTests.java
        EnvironmentVaultConfigurationUnitTests.java
        AbstractReactiveVaultConfigurationUnitTests.java
        annotation
        VaultPropertySourceMultipleIntegrationTests.java
        VaultPropertySourceUnitTests.java
        VaultPropertySourceIntegrationTests.java
        VaultPropertySourceInBeanConfigurationIntegrationTest.java
        LeaseAwareVaultPropertySourceIntegrationTests.java
        domain
        Person.java
        core
        VaultIntegrationTestConfiguration.java
        ReactiveVaultTemplateGenericIntegrationTests.java
        PkiSecretIntegrationTests.java
        VaultNamespaceSecretIntegrationTests.java
        VaultKeyValueTemplateVersionedIntegrationTests.java
        VaultSysTemplateIntegrationTests.java
        VaultVersionedKeyValueTemplateIntegrationTests.java
        VaultTransitTemplateIntegrationTests.java
        VaultSysTemplateUnitTests.java
        util
        PropertyTransformersUnitTests.java
        KeyValueDelegateUnitTests.java
        VaultTemplateGenericIntegrationTests.java
        VaultWrappingTemplateIntegrationTests.java
        VaultKeyValueTemplateIntegrationTests.java
        VaultTokenTemplateIntegrationTests.java
        VaultPkiTemplateIntegrationTests.java
        VaultTemplateTransitIntegrationTests.java
        VaultTemplateAgentIntegrationTests.java
        VaultKeyValueMetadataTemplateIntegrationTests.java
        lease
        RotatingGenericSecretsIntegrationTestConfiguration.java
        SecretLeaseContainerUnitTests.java
        domain
        RequestedSecretTests.java
        env
        VersionedKeyValueBackendIntegrationTests.java
        VaultPropertySourceUnitTests.java
        LeaseAwareVaultPropertySourceUnitTests.java
        AbstractVaultKeyValueTemplateIntegrationTests.java
        ReactiveVaultTemplateAgentIntegrationTests.java
        repository
        mapping
        BasicVaultPersistentEntityUnitTests.java
        VaultMappingContextUnitTests.java
        VaultRepositoryIntegrationTests.java
        query
        VaultQueryCreatorUnitTests.java
        convert
        MappingVaultConverterUnitTests.java
        DefaultVaultTypeMapperUnitTests.java
        MultipleSpringDataModulesIntegrationTests.java
  - pom.xml
- .travis.yml
- spring-vault-dependencies
  - pom.xml
- etc
  - ide
    - eclipse.importorder
- spring-vault-distribution
  - src
    - assembly
      - docs.xml
  - pom.xml
- .gitignore
- docs
  - index.html
- LICENSE.txt
- mvnw.cmd

/*
 * Copyright 2016-2020 the original author or authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      https://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package org.springframework.vault.authentication;

import java.util.Map;

import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;

import org.springframework.http.HttpEntity;
import org.springframework.http.HttpMethod;
import org.springframework.http.ResponseEntity;
import org.springframework.lang.Nullable;
import org.springframework.util.Assert;
import org.springframework.vault.VaultException;
import org.springframework.vault.authentication.AuthenticationSteps.HttpRequest;
import org.springframework.vault.client.VaultHttpHeaders;
import org.springframework.vault.support.VaultResponse;
import org.springframework.vault.support.VaultToken;
import org.springframework.web.client.RestClientException;
import org.springframework.web.client.RestOperations;

import static org.springframework.vault.authentication.AuthenticationSteps.HttpRequestBuilder.method;

/**
 * Cubbyhole {@link ClientAuthentication} implementation.
 * <p>
 * Cubbyhole authentication uses Vault primitives to provide a secured authentication
 * workflow. Cubbyhole authentication uses {@link VaultToken tokens} as primary login
 * method. An ephemeral token is used to obtain a second, login {@link VaultToken} from
 * Vault's Cubbyhole secret backend. The login token is usually longer-lived and used to
 * interact with Vault. The login token can be retrieved either from a wrapped response or
 * from the {@code data} section.
 *
 * <h2>Wrapped token response usage</h2> <strong>Create a Token</strong>
 *
 * <pre>
 * <code>
 *  $ vault token-create -wrap-ttl="10m"
 *  Key                          	Value
 *  ---                          	-----
 *  wrapping_token:              	397ccb93-ff6c-b17b-9389-380b01ca2645
 *  wrapping_token_ttl:          	0h10m0s
 *  wrapping_token_creation_time:	2016-09-18 20:29:48.652957077 +0200 CEST
 *  wrapped_accessor:            	46b6aebb-187f-932a-26d7-4f3d86a68319
 * </code> </pre>
 *
 * <strong>Setup {@link CubbyholeAuthentication}</strong>
 *
 * <pre>
 * <code>
 *  CubbyholeAuthenticationOptions options = CubbyholeAuthenticationOptions
 * 		.builder()
 * 		.initialToken(VaultToken.of("397ccb93-ff6c-b17b-9389-380b01ca2645"))
 * 		.wrapped()
 *  		.build();
 *  CubbyholeAuthentication authentication = new CubbyholeAuthentication(options, restOperations);
 * </code> </pre>
 *
 * <h2>Stored token response usage</h2> <strong>Create a Token</strong>
 *
 * <pre>
 * <code>
 *  $ vault token-create
 *  Key            	Value
 *  ---            	-----
 *  token          	f9e30681-d46a-cdaf-aaa0-2ae0a9ad0819
 *  token_accessor 	4eee9bd9-81bb-06d6-af01-723c54a72148
 *  token_duration 	0s
 *  token_renewable	false
 *  token_policies 	[root]
 *
 *  $ token-create -use-limit=2 -orphan -no-default-policy -policy=none
 *  Key            	Value
 *  ---            	-----
 *  token          	895cb88b-aef4-0e33-ba65-d50007290780
 *  token_accessor 	e84b661c-8aa8-2286-b788-f258f30c8325
 *  token_duration 	0s
 *  token_renewable	false
 *  token_policies 	[none]
 *
 *  $ export VAULT_TOKEN=895cb88b-aef4-0e33-ba65-d50007290780
 *  $ vault write cubbyhole/token token=f9e30681-d46a-cdaf-aaa0-2ae0a9ad0819
 * </code> </pre>
 *
 * <strong>Setup {@link CubbyholeAuthentication}</strong>
 *
 * <pre>
 * <code>
 *  CubbyholeAuthenticationOptions options = CubbyholeAuthenticationOptions
 * 		.builder()
 * 		.initialToken(VaultToken.of("895cb88b-aef4-0e33-ba65-d50007290780"))
 * 		.path("cubbyhole/token")
 * 		.build();
 *  CubbyholeAuthentication authentication = new CubbyholeAuthentication(options, restOperations);
 * </code> </pre>
 *
 * <strong>Remaining TTL/Renewability</strong>
 * <p>
 * Tokens retrieved from Cubbyhole associated with a non-zero TTL start their TTL at the
 * time of token creation. That time is not necessarily identical with application
 * startup. To compensate for the initial delay, Cubbyhole authentication performs a
 * {@link CubbyholeAuthenticationOptions#isSelfLookup() self lookup} for tokens associated
 * with a non-zero TTL to retrieve the remaining TTL. Cubbyhole authentication will not
 * self-lookup wrapped tokens without a TTL because a zero TTL indicates there is no TTL
 * associated.
 * <p>
 * Non-wrapped tokens do not provide details regarding renewability and TTL by just
 * retrieving the token. A self-lookup will lookup renewability and the remaining TTL.
 *
 * @author Mark Paluch
 * @see CubbyholeAuthenticationOptions
 * @see RestOperations
 * @see <a href="https://www.vaultproject.io/docs/auth/token.html">Auth Backend: Token</a>
 * @see <a href="https://www.vaultproject.io/docs/secrets/cubbyhole/index.html">Cubbyhole
 * Secret Backend</a>
 * @see <a href=
 * "https://www.vaultproject.io/docs/concepts/response-wrapping.html">Response
 * Wrapping</a>
 */
public class CubbyholeAuthentication implements ClientAuthentication, AuthenticationStepsFactory {

	private static final Log logger = LogFactory.getLog(CubbyholeAuthentication.class);

	private final CubbyholeAuthenticationOptions options;

	private final RestOperations restOperations;

	/**
	 * Create a new {@link CubbyholeAuthentication} given
	 * {@link CubbyholeAuthenticationOptions} and {@link RestOperations}.
	 * @param options must not be {@literal null}.
	 * @param restOperations must not be {@literal null}.
	 */
	public CubbyholeAuthentication(CubbyholeAuthenticationOptions options, RestOperations restOperations) {

		Assert.notNull(options, "CubbyholeAuthenticationOptions must not be null");
		Assert.notNull(restOperations, "RestOperations must not be null");

		this.options = options;
		this.restOperations = restOperations;
	}

	/**
	 * Creates a {@link AuthenticationSteps} for cubbyhole authentication given
	 * {@link CubbyholeAuthenticationOptions}.
	 * @param options must not be {@literal null}.
	 * @return {@link AuthenticationSteps} for cubbyhole authentication.
	 * @since 2.0
	 */
	public static AuthenticationSteps createAuthenticationSteps(CubbyholeAuthenticationOptions options) {

		Assert.notNull(options, "CubbyholeAuthenticationOptions must not be null");

		String url = getRequestPath(options);

		HttpMethod unwrapMethod = getRequestMethod(options);
		HttpEntity<Object> requestEntity = getRequestEntity(options);

		HttpRequest<VaultResponse> initialRequest = method(unwrapMethod, url) //
				.with(requestEntity) //
				.as(VaultResponse.class);

		return AuthenticationSteps.fromHttpRequest(initialRequest) //
				.login(it -> getToken(options, it, url));
	}

	@Override
	public VaultToken login() throws VaultException {

		String url = getRequestPath(this.options);
		VaultResponse data = lookupToken(url);

		VaultToken tokenToUse = getToken(this.options, data, url);

		if (shouldEnhanceTokenWithSelfLookup(tokenToUse)) {

			LoginTokenAdapter adapter = new LoginTokenAdapter(new TokenAuthentication(tokenToUse), this.restOperations);
			tokenToUse = adapter.login();
		}

		logger.debug("Login successful using Cubbyhole authentication");
		return tokenToUse;
	}

	@Override
	public AuthenticationSteps getAuthenticationSteps() {
		return createAuthenticationSteps(this.options);
	}

	@Nullable
	private VaultResponse lookupToken(String url) {

		try {
			HttpMethod unwrapMethod = getRequestMethod(this.options);
			HttpEntity<Object> requestEntity = getRequestEntity(this.options);
			ResponseEntity<VaultResponse> entity = this.restOperations.exchange(url, unwrapMethod, requestEntity,
					VaultResponse.class);

			Assert.state(entity.getBody() != null, "Auth response must not be null");

			return entity.getBody();
		}
		catch (RestClientException e) {
			throw VaultLoginException.create("Cubbyhole", e);
		}
	}

	private boolean shouldEnhanceTokenWithSelfLookup(VaultToken token) {

		if (!this.options.isSelfLookup()) {
			return false;
		}

		if (token instanceof LoginToken) {

			LoginToken loginToken = (LoginToken) token;

			if (loginToken.getLeaseDuration().isZero()) {
				return false;
			}
		}

		return true;
	}

	private static HttpEntity<Object> getRequestEntity(CubbyholeAuthenticationOptions options) {
		return new HttpEntity<>(VaultHttpHeaders.from(options.getInitialToken()));
	}

	private static HttpMethod getRequestMethod(CubbyholeAuthenticationOptions options) {

		if (options.isWrappedToken()) {
			return options.getUnwrappingEndpoints().getUnwrapRequestMethod();
		}

		return HttpMethod.GET;
	}

	private static String getRequestPath(CubbyholeAuthenticationOptions options) {

		if (options.isWrappedToken()) {
			return options.getUnwrappingEndpoints().getPath();
		}

		return options.getPath();
	}

	private static VaultToken getToken(CubbyholeAuthenticationOptions options, VaultResponse response, String url) {

		if (options.isWrappedToken()) {

			VaultResponse responseToUse = options.getUnwrappingEndpoints().unwrap(response);

			Assert.state(responseToUse.getAuth() != null, "Auth field must not be null");

			return LoginTokenUtil.from(responseToUse.getAuth());
		}

		Map<String, Object> data = response.getData();
		if (data == null || data.isEmpty()) {
			throw new VaultLoginException(
					String.format("Cannot retrieve Token from Cubbyhole: Response at %s does not contain a token",
							options.getPath()));
		}

		if (data.size() == 1) {
			String token = (String) data.get(data.keySet().iterator().next());
			return VaultToken.of(token);
		}

		throw new VaultLoginException(String
				.format("Cannot retrieve Token from Cubbyhole: Response at %s does not contain an unique token", url));
	}

}