com.bettercloud.vault.VaultConfig Java Examples

Example #1
Source File: VaultKubernetesAuthenticator.java    From hashicorp-vault-plugin with MIT License
/**
 * Authenticates against Vault with the Kubernetes auth method and stores the resulting
 * client token in {@code config}.
 *
 * <p>When the cached token's TTL has expired, the service account JWT is re-read from
 * {@code SERVICE_ACCOUNT_TOKEN_PATH} (all lines concatenated, no separator) and exchanged
 * for a fresh client token; otherwise the cached token is written back into {@code config}.
 *
 * @param vault  Vault driver used for the login call
 * @param config driver configuration that receives the client token
 * @throws VaultException       if the login call fails
 * @throws VaultPluginException if the service account token file cannot be read
 */
@SuppressFBWarnings(value = "DMI_HARDCODED_ABSOLUTE_FILENAME")
public void authenticate(Vault vault, VaultConfig config) throws VaultException, VaultPluginException {
    if (!isTokenTTLExpired()) {
        // Cached token is still valid: just make sure config carries it.
        config.token(currentAuthToken).build();
        return;
    }

    // Token expired: re-read the projected service account JWT from disk.
    try (Stream<String> tokenLines = Files.lines(Paths.get(SERVICE_ACCOUNT_TOKEN_PATH))) {
        this.jwt = tokenLines.collect(Collectors.joining());
    } catch (IOException e) {
        throw new VaultPluginException("could not get JWT from Service Account Token", e);
    }

    // Exchange the JWT for a Vault client token and remember it for later calls.
    currentAuthToken = vault.auth()
        .loginByJwt(mountPath, kubernetes.getRole(), this.jwt)
        .getAuthClientToken();
    config.token(currentAuthToken).build();
    LOGGER.log(Level.FINE, "Login to Vault using Kubernetes successful");
    getTTLExpiryOfCurrentToken(vault);
}
 
Example #2
Source File: SecretsClientIT.java    From java-sdk with MIT License
/**
 * Starts the Dapr test application once for the whole class and builds a Vault client
 * pointed at the local Vault instance (address, token and prefix path from the
 * class constants).
 *
 * @throws Exception if the Dapr app cannot be started or the Vault config cannot be built
 */
@BeforeClass
public static void init() throws Exception {
  daprRun = startDaprApp(SecretsClientIT.class.getSimpleName(), EmptyService.SUCCESS_MESSAGE,
      EmptyService.class, false, 5000);

  VaultConfig localVault = new VaultConfig();
  localVault.address(LOCAL_VAULT_ADDRESS);
  localVault.token(LOCAL_VAULT_TOKEN);
  localVault.prefixPath(PREFIX);
  vault = new Vault(localVault.build());
}
 
Example #3
Source File: VaultConfiguration.java    From hashicorp-vault-plugin with MIT License
/**
 * Translates this plugin configuration into a driver-level {@link VaultConfig}.
 *
 * <p>Address and engine version are always set; namespace and prefix path only when they
 * are non-empty. When "skip SSL verification" is enabled an {@link SslConfig} with
 * certificate verification turned off is attached, i.e. the resulting client will accept
 * any server certificate.
 *
 * @return a populated {@code VaultConfig}; {@code build()} has not been called on it
 * @throws VaultPluginException if the driver rejects the SSL configuration
 */
@NonNull
public VaultConfig getVaultConfig() {
    VaultConfig driverConfig = new VaultConfig()
        .address(this.getVaultUrl())
        .engineVersion(this.getEngineVersion());
    try {
        if (this.isSkipSslVerification()) {
            // verify(false) disables TLS certificate validation for this client.
            driverConfig.sslConfig(new SslConfig().verify(false).build());
        }
        String namespace = this.getVaultNamespace();
        if (StringUtils.isNotEmpty(namespace)) {
            driverConfig.nameSpace(namespace);
        }
        String prefix = this.getPrefixPath();
        if (StringUtils.isNotEmpty(prefix)) {
            driverConfig.prefixPath(prefix);
        }
    } catch (VaultException e) {
        throw new VaultPluginException("Could not set up VaultConfig.", e);
    }
    return driverConfig;
}
 
Example #4
Source File: VaultConfigurationIT.java    From hashicorp-vault-plugin with MIT License
/**
 * With no global Vault configuration saved, a build using the wrapper must fail before
 * any Vault access happens and name the missing configuration in its log.
 */
@Test
public void shouldFailIfNoConfigurationExists() throws Exception {
    GlobalVaultConfiguration globalConfig =
        GlobalConfiguration.all().get(GlobalVaultConfiguration.class);
    assertThat(globalConfig, is(notNullValue()));
    globalConfig.setConfiguration(null);
    globalConfig.save();

    VaultBuildWrapper wrapper = new VaultBuildWrapper(standardSecrets());
    VaultAccessor accessor = mockVaultAccessor(GLOBAL_ENGINE_VERSION_2);
    wrapper.setVaultAccessor(accessor);
    this.project.getBuildWrappersList().add(wrapper);
    this.project.getBuildersList().add(echoSecret());

    FreeStyleBuild run = this.project.scheduleBuild2(0).get();
    jenkins.assertBuildStatus(Result.FAILURE, run);

    // NOTE(review): anyString()/any() are used here outside verify/when; these two calls
    // look like ordinary invocations on the mock rather than expectations — confirm intent.
    VaultConfig anyConfig = new VaultConfig().address(anyString());
    accessor.setConfig(anyConfig);
    accessor.setCredential(any(VaultCredential.class));
    verify(accessor, times(0)).init();
    verify(accessor, times(0)).read(anyString(), anyInt());
    jenkins.assertLogContains("No configuration found - please configure the VaultPlugin.", run);
}
 
Example #5
Source File: VaultContainer.java    From hashicorp-vault-plugin with MIT License
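/**
 * Constructs an instance of the Vault driver using a custom Vault config.
 *
 * <p>The builder calls are chained on the supplied {@code vaultConfig}: address, root
 * token, timeouts and the container's PEM file are set and {@code build()} is invoked
 * before the driver is created.
 *
 * @param vaultConfig caller-provided configuration to complete; must not be {@code null}
 * @return a driver bound to this container, authenticated with the root token and using
 *         the container's retry settings
 * @throws VaultException       if the SSL or Vault configuration cannot be built
 * @throws NullPointerException if {@code vaultConfig} is {@code null}
 */
public Vault getRootVaultWithCustomVaultConfig(VaultConfig vaultConfig) throws VaultException {
    // Fail with a clear message instead of an NPE from inside the builder chain.
    java.util.Objects.requireNonNull(vaultConfig, "vaultConfig");
    final VaultConfig config =
        vaultConfig
            .address(getAddress())
            .token(rootToken)
            .openTimeout(5)
            .readTimeout(30)
            .sslConfig(new SslConfig().pemFile(new File(CERT_PEMFILE)).build())
            .build();
    return new Vault(config).withRetries(MAX_RETRIES, RETRY_MILLIS);
}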
 
Example #6
Source File: VaultContainer.java    From hashicorp-vault-plugin with MIT License
/**
 * Constructs an instance of the Vault driver with sensible defaults, configured to use the supplied token
 * for authentication.
 *
 * @param token Vault token to authenticate with
 * @return a driver pointed at this container, trusting the container's PEM file and
 *         using the container's retry settings
 * @throws VaultException if the SSL or Vault configuration cannot be built
 */
public Vault getVault(final String token) throws VaultException {
    final VaultConfig config = new VaultConfig();
    config.address(getAddress());
    config.token(token);
    config.openTimeout(5);
    config.readTimeout(30);
    config.sslConfig(new SslConfig().pemFile(new File(CERT_PEMFILE)).build());
    config.build();
    return new Vault(config).withRetries(MAX_RETRIES, RETRY_MILLIS);
}
 
Example #7
Source File: VaultContainer.java    From hashicorp-vault-plugin with MIT License
/**
 * Constructs a VaultConfig that can be used to configure your own tests.
 *
 * <p>The config carries the container address, the 5s/30s open/read timeouts and an
 * {@link SslConfig} trusting the container's PEM file; no token is set.
 *
 * @return a built {@code VaultConfig} for this container
 * @throws VaultException if the SSL or Vault configuration cannot be built
 */
public VaultConfig getVaultConfig() throws VaultException {
    final SslConfig trustContainerCert = new SslConfig().pemFile(new File(CERT_PEMFILE)).build();
    final VaultConfig config = new VaultConfig();
    config.address(getAddress());
    config.openTimeout(5);
    config.readTimeout(30);
    config.sslConfig(trustContainerCert);
    return config.build();
}
 
Example #8
Source File: VaultContainer.java    From hashicorp-vault-plugin with MIT License
/**
 * Constructs an instance of the Vault driver, using sensible defaults.
 *
 * <p>No token is configured here; the config only carries the container address, the
 * 5s/30s timeouts and an {@link SslConfig} trusting the container's PEM file.
 *
 * @return a driver created via {@code getVault(config, MAX_RETRIES, RETRY_MILLIS)}
 * @throws VaultException if the SSL or Vault configuration cannot be built
 */
public Vault getVault() throws VaultException {
    final VaultConfig config = new VaultConfig();
    config.address(getAddress());
    config.openTimeout(5);
    config.readTimeout(30);
    config.sslConfig(new SslConfig().pemFile(new File(CERT_PEMFILE)).build());
    config.build();
    return getVault(config, MAX_RETRIES, RETRY_MILLIS);
}
 
Example #9
Source File: VaultConfigurationIT.java    From hashicorp-vault-plugin with MIT License
/**
 * A job without its own Vault configuration must fall back to the global one: the
 * effective URL, credential id and engine version are the global values, the secret is
 * read exactly once and its value is masked in the build log.
 */
@Test
public void shouldUseGlobalConfiguration() throws Exception {
    VaultBuildWrapper wrapper = new VaultBuildWrapper(standardSecrets());
    VaultAccessor accessor = mockVaultAccessor(GLOBAL_ENGINE_VERSION_2);
    wrapper.setVaultAccessor(accessor);
    this.project.getBuildWrappersList().add(wrapper);
    this.project.getBuildersList().add(echoSecret());

    FreeStyleBuild run = this.project.scheduleBuild2(0).get();

    VaultConfiguration effective = wrapper.getConfiguration();
    assertThat(effective.getVaultUrl(), is("http://global-vault-url.com"));
    assertThat(effective.getVaultCredentialId(), is(GLOBAL_CREDENTIALS_ID_1));
    assertThat(effective.getEngineVersion(), is(GLOBAL_ENGINE_VERSION_2));

    jenkins.assertBuildStatus(Result.SUCCESS, run);
    jenkins.assertLogContains("echo ****", run);
    jenkins.assertLogNotContains("some-secret", run);

    VaultConfig expected = new VaultConfig().address("http://global-vault-url.com");
    accessor.setConfig(expected);
    accessor.setCredential((VaultCredential) GLOBAL_CREDENTIAL_1);
    verify(accessor, times(1)).init();
    verify(accessor, times(1)).read("secret/path1", GLOBAL_ENGINE_VERSION_2);
}
 
Example #10
Source File: VaultConfigurationIT.java    From hashicorp-vault-plugin with MIT License
/**
 * A job-level Vault configuration must win over the global one: the effective URL,
 * credential id and engine version are the job values, the secret is read exactly once
 * and its value is masked in the build log.
 */
@Test
public void shouldUseJobConfiguration() throws Exception {
    VaultBuildWrapper wrapper = new VaultBuildWrapper(standardSecrets());
    VaultAccessor accessor = mockVaultAccessor(GLOBAL_ENGINE_VERSION_2);
    wrapper.setVaultAccessor(accessor);

    this.project.getBuildWrappersList().add(wrapper);
    VaultConfiguration jobConfig = new VaultConfiguration();
    jobConfig.setVaultUrl("http://job-vault-url.com");
    jobConfig.setVaultCredentialId(GLOBAL_CREDENTIALS_ID_2);
    jobConfig.setFailIfNotFound(false);
    jobConfig.setEngineVersion(GLOBAL_ENGINE_VERSION_2);
    jobConfig.setVaultNamespace("mynamespace");
    jobConfig.setTimeout(TIMEOUT);
    wrapper.setConfiguration(jobConfig);
    this.project.getBuildersList().add(echoSecret());

    FreeStyleBuild run = this.project.scheduleBuild2(0).get();

    VaultConfiguration effective = wrapper.getConfiguration();
    assertThat(effective.getVaultUrl(), is("http://job-vault-url.com"));
    assertThat(effective.getVaultCredentialId(), is(GLOBAL_CREDENTIALS_ID_2));
    assertThat(effective.getEngineVersion(), is(GLOBAL_ENGINE_VERSION_2));

    jenkins.assertBuildStatus(Result.SUCCESS, run);

    VaultConfig expected = new VaultConfig().address("http://job-vault-url.com");
    accessor.setConfig(expected);
    accessor.setCredential((VaultCredential) GLOBAL_CREDENTIAL_2);
    verify(accessor, times(1)).init();
    verify(accessor, times(1)).read("secret/path1", GLOBAL_ENGINE_VERSION_2);
    jenkins.assertLogContains("echo ****", run);
    jenkins.assertLogNotContains("some-secret", run);
}
 
Example #11
Source File: VaultTokenCredentialBinding.java    From hashicorp-vault-plugin with MIT License
/**
 * Builds a driver for {@code vaultAddr} (plus {@code vaultNamespace} when non-empty) and
 * asks the credential to obtain a token through it.
 *
 * @param credentials token-producing credential
 * @return the token returned by {@code credentials.getToken(...)}
 * @throws VaultPluginException wrapping any {@link VaultException} from configuration or login
 */
private String getToken(AbstractVaultTokenCredential credentials) {
    VaultConfig config = new VaultConfig().address(vaultAddr);
    try {
        if (StringUtils.isNotEmpty(vaultNamespace)) {
            config.nameSpace(vaultNamespace);
        }
        config.build();
        Vault client = new Vault(config);
        return credentials.getToken(client);
    } catch (VaultException e) {
        throw new VaultPluginException("could not log in into vault", e);
    }
}
 
Example #12
Source File: VaultConfigurationIT.java    From hashicorp-vault-plugin with MIT License
/**
 * A plain token credential registered in the system credential store must be usable from
 * a job-level configuration: the build succeeds, the secret is read once and is masked.
 */
@Test
public void shouldDealWithTokenBasedCredential() throws Exception {
    VaultBuildWrapper wrapper = new VaultBuildWrapper(standardSecrets());
    VaultAccessor accessor = mockVaultAccessor(GLOBAL_ENGINE_VERSION_2);
    wrapper.setVaultAccessor(accessor);

    VaultCredential tokenCredential = new VaultTokenCredential(CredentialsScope.GLOBAL, "token-1",
        "description", Secret.fromString("test-token"));
    SystemCredentialsProvider.getInstance().setDomainCredentialsMap(
        Collections.singletonMap(Domain.global(), Collections.singletonList(tokenCredential)));

    this.project.getBuildWrappersList().add(wrapper);

    VaultConfiguration jobConfig = new VaultConfiguration();
    jobConfig.setVaultUrl("http://job-vault-url.com");
    jobConfig.setVaultCredentialId("token-1");
    jobConfig.setFailIfNotFound(false);
    jobConfig.setVaultNamespace("mynamespace");
    jobConfig.setTimeout(TIMEOUT);
    wrapper.setConfiguration(jobConfig);
    this.project.getBuildersList().add(echoSecret());

    FreeStyleBuild run = this.project.scheduleBuild2(0).get();

    VaultConfiguration effective = wrapper.getConfiguration();
    assertThat(effective.getVaultUrl(), is("http://job-vault-url.com"));
    assertThat(effective.getVaultCredentialId(), is("token-1"));

    jenkins.assertBuildStatus(Result.SUCCESS, run);

    VaultConfig expected = new VaultConfig().address("http://job-vault-url.com");
    accessor.setConfig(expected);
    accessor.setCredential(tokenCredential);
    verify(accessor, times(1)).init();
    verify(accessor, times(1)).read("secret/path1", GLOBAL_ENGINE_VERSION_2);
    jenkins.assertLogContains("echo ****", run);
    jenkins.assertLogNotContains("some-secret", run);
}
 
Example #13
Source File: VaultConfigurationIT.java    From hashicorp-vault-plugin with MIT License
/**
 * A global configuration with a URL but no credential id must fail the build before Vault
 * is contacted and say so in the log.
 */
@Test
public void shouldFailIfCredentialsNotConfigured() throws Exception {
    GlobalVaultConfiguration globalConfig =
        GlobalConfiguration.all().get(GlobalVaultConfiguration.class);
    assertThat(globalConfig, is(notNullValue()));
    VaultConfiguration withoutCredential = new VaultConfiguration();
    withoutCredential.setVaultUrl("http://global-vault-url.com");
    withoutCredential.setFailIfNotFound(false);
    withoutCredential.setVaultNamespace("mynamespace");
    withoutCredential.setTimeout(TIMEOUT);
    globalConfig.setConfiguration(withoutCredential);
    globalConfig.save();

    VaultBuildWrapper wrapper = new VaultBuildWrapper(standardSecrets());
    VaultAccessor accessor = mockVaultAccessor(GLOBAL_ENGINE_VERSION_2);
    wrapper.setVaultAccessor(accessor);
    this.project.getBuildWrappersList().add(wrapper);
    this.project.getBuildersList().add(echoSecret());

    FreeStyleBuild run = this.project.scheduleBuild2(0).get();
    jenkins.assertBuildStatus(Result.FAILURE, run);

    // NOTE(review): anyString()/any() are used here outside verify/when; these two calls
    // look like ordinary invocations on the mock rather than expectations — confirm intent.
    VaultConfig anyConfig = new VaultConfig().address(anyString());
    accessor.setConfig(anyConfig);
    accessor.setCredential(any(VaultCredential.class));
    verify(accessor, times(0)).init();
    verify(accessor, times(0)).read(anyString(), anyInt());
    jenkins.assertLogContains(
        "The credential id was not configured - please specify the credentials to use.", run);
}
 
Example #14
Source File: VaultConfigurationIT.java    From hashicorp-vault-plugin with MIT License
/**
 * A global configuration with a credential id but no Vault URL must fail the build before
 * Vault is contacted and say so in the log.
 */
@Test
public void shouldFailIfUrlNotConfigured() throws Exception {
    GlobalVaultConfiguration globalConfig =
        GlobalConfiguration.all().get(GlobalVaultConfiguration.class);
    assertThat(globalConfig, is(notNullValue()));
    VaultConfiguration withoutUrl = new VaultConfiguration();
    withoutUrl.setVaultCredentialId(GLOBAL_CREDENTIALS_ID_2);
    withoutUrl.setFailIfNotFound(false);
    withoutUrl.setVaultNamespace("mynamespace");
    withoutUrl.setTimeout(TIMEOUT);
    globalConfig.setConfiguration(withoutUrl);
    globalConfig.save();

    VaultBuildWrapper wrapper = new VaultBuildWrapper(standardSecrets());
    VaultAccessor accessor = mockVaultAccessor(GLOBAL_ENGINE_VERSION_2);
    wrapper.setVaultAccessor(accessor);
    this.project.getBuildWrappersList().add(wrapper);
    this.project.getBuildersList().add(echoSecret());

    FreeStyleBuild run = this.project.scheduleBuild2(0).get();
    jenkins.assertBuildStatus(Result.FAILURE, run);

    // NOTE(review): anyString()/any() are used here outside verify/when; these two calls
    // look like ordinary invocations on the mock rather than expectations — confirm intent.
    VaultConfig anyConfig = new VaultConfig().address(anyString());
    accessor.setConfig(anyConfig);
    accessor.setCredential(any(VaultCredential.class));
    verify(accessor, times(0)).init();
    verify(accessor, times(0)).read(anyString(), anyInt());
    jenkins.assertLogContains(
        "The vault url was not configured - please specify the vault url to use.", run);
}
 
Example #15
Source File: VaultConfigurationIT.java    From hashicorp-vault-plugin with MIT License
/**
 * A global configuration referencing a credential id that is not in the store must fail
 * the build before Vault is contacted and surface the lookup failure in the log.
 */
@Test
public void shouldFailIfCredentialsDoNotExist() throws Exception {
    GlobalVaultConfiguration globalConfig =
        GlobalConfiguration.all().get(GlobalVaultConfiguration.class);
    assertThat(globalConfig, is(notNullValue()));
    VaultConfiguration unknownCredential = new VaultConfiguration();
    unknownCredential.setVaultUrl("http://example.com");
    unknownCredential.setVaultCredentialId("some-made-up-ID");
    unknownCredential.setFailIfNotFound(false);
    unknownCredential.setVaultNamespace("mynamespace");
    unknownCredential.setTimeout(TIMEOUT);
    globalConfig.setConfiguration(unknownCredential);
    globalConfig.save();

    VaultBuildWrapper wrapper = new VaultBuildWrapper(standardSecrets());
    VaultAccessor accessor = mockVaultAccessor(GLOBAL_ENGINE_VERSION_2);
    wrapper.setVaultAccessor(accessor);
    this.project.getBuildWrappersList().add(wrapper);
    this.project.getBuildersList().add(echoSecret());

    FreeStyleBuild run = this.project.scheduleBuild2(0).get();
    jenkins.assertBuildStatus(Result.FAILURE, run);

    // NOTE(review): anyString()/any() are used here outside verify/when; these two calls
    // look like ordinary invocations on the mock rather than expectations — confirm intent.
    VaultConfig anyConfig = new VaultConfig().address(anyString());
    accessor.setConfig(anyConfig);
    accessor.setCredential(any(VaultCredential.class));
    verify(accessor, times(0)).init();
    verify(accessor, times(0)).read(anyString(), anyInt());
    jenkins.assertLogContains("CredentialsUnavailableException", run);
}
 
Example #16
Source File: FolderIT.java    From hashicorp-vault-plugin with MIT License
/**
 * A folder-level Vault configuration must take precedence over the global one: the job in
 * the folder sees the folder URL, credential id and fail-if-not-found flag, reads the
 * secret once and masks it in the log.
 */
@Test
public void folderShouldOverwriteGlobal() throws Exception {
    VaultBuildWrapper wrapper = new VaultBuildWrapper(standardSecrets());
    VaultAccessor accessor = mockVaultAccessor();
    wrapper.setVaultAccessor(accessor);

    VaultConfiguration folderConfig = new VaultConfiguration();
    folderConfig.setVaultUrl("http://folder1.com");
    folderConfig.setVaultCredentialId(FOLDER_1_CREDENTIALS_ID);
    folderConfig.setFailIfNotFound(false);
    folderConfig.setVaultNamespace("mynamespace");
    folderConfig.setTimeout(TIMEOUT);
    this.folder1.addProperty(new FolderVaultConfiguration(folderConfig));

    this.projectInFolder1.getBuildWrappersList().add(wrapper);
    this.projectInFolder1.getBuildersList().add(echoSecret());

    FreeStyleBuild run = this.projectInFolder1.scheduleBuild2(0).get();
    VaultConfiguration effective = wrapper.getConfiguration();
    assertThat(effective.getVaultUrl(), is("http://folder1.com"));
    assertThat(effective.getVaultCredentialId(), is(FOLDER_1_CREDENTIALS_ID));
    assertThat(effective.isFailIfNotFound(), is(false));

    jenkins.assertBuildStatus(Result.SUCCESS, run);
    jenkins.assertLogContains("echo ****", run);
    VaultConfig expected = new VaultConfig().address("http://folder1.com").nameSpace("mynamespace");
    accessor.setConfig(expected);
    accessor.setCredential((VaultCredential) FOLDER_1_CREDENTIAL);
    verify(accessor, times(1)).init();
    verify(accessor, times(1)).read("secret/path1", 2);
}
 
Example #17
Source File: FolderIT.java    From hashicorp-vault-plugin with MIT License
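/**
 * A job inside folder1 must be able to use a credential scoped to folder1: the build
 * succeeds, the accessor is initialised once and the secret is read once and masked.
 */
@Test
public void jobInFolderShouldBeAbleToAccessCredentialsScopedToTheFolder() throws Exception {
    List<VaultSecret> secrets = standardSecrets();

    VaultBuildWrapper vaultBuildWrapper = new VaultBuildWrapper(secrets);
    VaultAccessor mockAccessor = mockVaultAccessor();
    vaultBuildWrapper.setVaultAccessor(mockAccessor);

    VaultConfiguration vaultConfig = new VaultConfiguration();
    vaultConfig.setVaultUrl("http://folder1.com");
    vaultConfig.setVaultCredentialId(FOLDER_1_CREDENTIALS_ID);
    vaultConfig.setFailIfNotFound(false);
    vaultConfig.setVaultNamespace("mynamespace");
    vaultConfig.setTimeout(TIMEOUT);

    this.folder1.addProperty(new FolderVaultConfiguration(vaultConfig));

    this.projectInFolder1.getBuildWrappersList().add(vaultBuildWrapper);
    this.projectInFolder1.getBuildersList().add(echoSecret());

    FreeStyleBuild build = this.projectInFolder1.scheduleBuild2(0).get();
    VaultConfig config = new VaultConfig()
        .address("http://folder1.com")
        .nameSpace("mynamespace");
    mockAccessor.setConfig(config);
    mockAccessor.setCredential((VaultCredential) FOLDER_1_CREDENTIAL);
    assertThat(vaultBuildWrapper.getConfiguration().getVaultCredentialId(),
        is(FOLDER_1_CREDENTIALS_ID));
    assertThat(vaultBuildWrapper.getConfiguration().isFailIfNotFound(), is(false));

    jenkins.assertBuildStatus(Result.SUCCESS, build);
    jenkins.assertLogContains("echo ****", build);
    // init() is verified once here; the same verify was previously duplicated before the
    // assertions above, which added nothing (verify does not consume the invocation).
    verify(mockAccessor, times(1)).init();
    verify(mockAccessor, times(1)).read("secret/path1", 2);
}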
 
Example #18
Source File: VaultDisposer.java    From hashicorp-vault-plugin with MIT License
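/**
 * Revokes every lease recorded during the build once it finishes.
 *
 * <p>The accessor is initialised from {@code vaultConfiguration.getVaultConfig()} — the
 * same translation the build wrapper uses when reading secrets — so namespace, prefix
 * path and SSL settings match the connection that created the leases. The previous
 * {@code new VaultConfig().address(url)} form dropped those settings, which could make
 * revocation fail against a namespaced or custom-certificate Vault. Null or empty lease
 * ids are skipped.
 *
 * @throws IOException          declared by the disposer contract
 * @throws InterruptedException declared by the disposer contract
 */
@Override
public void tearDown(final Run<?, ?> build, final FilePath workspace, final Launcher launcher,
    final TaskListener listener) throws IOException, InterruptedException {
    VaultConfig vaultConfig = vaultConfiguration.getVaultConfig();
    VaultAccessor vaultAccessor = new VaultAccessor(vaultConfig, vaultCredential).init();
    for (String leaseId : leaseIds) {
        if (leaseId != null && !leaseId.isEmpty()) {
            vaultAccessor.revoke(leaseId);
        }
    }
}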
 
Example #19
Source File: VaultUserPassAuthenticator.java    From hashicorp-vault-plugin with MIT License
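/**
 * Authenticates against Vault with the userpass auth method and stores the resulting
 * client token in {@code config}.
 *
 * <p>When the cached token's TTL has expired a new login is performed with the stored
 * username/password pair; otherwise the cached token is written back into {@code config}.
 *
 * @param vault  Vault driver used for the login call
 * @param config driver configuration that receives the client token
 * @throws VaultException if the login call fails
 */
public void authenticate(Vault vault, VaultConfig config) throws VaultException {
    if (isTokenTTLExpired()) {
        // authenticate
        currentAuthToken = vault.auth()
            .loginByUserPass(userPass.getUsername(), userPass.getPassword(), mountPath)
            .getAuthClientToken();
        config.token(currentAuthToken).build();
        // Log message names the method actually used; it previously said "AppRole/SecretID",
        // a copy-paste from the AppRole authenticator that misleads when reading logs.
        LOGGER.log(Level.FINE, "Login to Vault using UserPass successful");
        getTTLExpiryOfCurrentToken(vault);
    } else {
        // make sure current auth token is set in config
        config.token(currentAuthToken).build();
    }
}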
 
Example #20
Source File: FolderIT.java    From hashicorp-vault-plugin with MIT License
/**
 * A job inside folder1 must not be able to use a credential scoped to folder2: the folder
 * configuration is picked up, but the build fails with a credential lookup error before
 * Vault is contacted.
 */
@Test
public void jobInFolderShouldNotBeAbleToAccessCredentialsScopedToAnotherFolder()
    throws Exception {
    VaultBuildWrapper wrapper = new VaultBuildWrapper(standardSecrets());
    VaultAccessor accessor = mockVaultAccessor();
    wrapper.setVaultAccessor(accessor);

    VaultConfiguration folderConfig = new VaultConfiguration();
    folderConfig.setVaultUrl("http://folder1.com");
    folderConfig.setVaultCredentialId(FOLDER_2_CREDENTIALS_ID);
    folderConfig.setFailIfNotFound(false);
    folderConfig.setVaultNamespace("mynamespace");
    folderConfig.setTimeout(TIMEOUT);
    this.folder1.addProperty(new FolderVaultConfiguration(folderConfig));

    this.projectInFolder1.getBuildWrappersList().add(wrapper);
    this.projectInFolder1.getBuildersList().add(echoSecret());

    FreeStyleBuild run = this.projectInFolder1.scheduleBuild2(0).get();
    VaultConfiguration effective = wrapper.getConfiguration();
    assertThat(effective.getVaultUrl(), is("http://folder1.com"));
    assertThat(effective.getVaultCredentialId(), is(FOLDER_2_CREDENTIALS_ID));
    assertThat(effective.isFailIfNotFound(), is(false));

    jenkins.assertBuildStatus(Result.FAILURE, run);
    jenkins.assertLogContains("CredentialsUnavailableException", run);
    // NOTE(review): anyString()/any() are used here outside verify/when; these two calls
    // look like ordinary invocations on the mock rather than expectations — confirm intent.
    VaultConfig anyConfig = new VaultConfig().address(anyString());
    accessor.setConfig(anyConfig);
    accessor.setCredential(any(VaultCredential.class));
    verify(accessor, times(0)).init();
    verify(accessor, times(0)).read(anyString(), anyInt());
}
 
Example #21
Source File: VaultAppRoleAuthenticator.java    From hashicorp-vault-plugin with MIT License
/**
 * Authenticates against Vault with the AppRole auth method and stores the resulting
 * client token in {@code config}.
 *
 * <p>When the cached token's TTL has expired a new login is performed with the stored
 * role id / secret id; otherwise the cached token is written back into {@code config}.
 *
 * @param vault  Vault driver used for the login call
 * @param config driver configuration that receives the client token
 * @throws VaultException if the login call fails
 */
public void authenticate(Vault vault, VaultConfig config) throws VaultException {
    if (!isTokenTTLExpired()) {
        // Cached token is still valid: just make sure config carries it.
        config.token(currentAuthToken).build();
        return;
    }
    currentAuthToken = vault.auth()
        .loginByAppRole(mountPath, appRole.getAppRole(), appRole.getAppRoleSecret())
        .getAuthClientToken();
    config.token(currentAuthToken).build();
    LOGGER.log(Level.FINE, "Login to Vault using AppRole/SecretID successful");
    getTTLExpiryOfCurrentToken(vault);
}
 
Example #22
Source File: VaultClientTest.java    From testcontainers-java with MIT License
/**
 * Round-trips two values through a throw-away Vault container: writes them to
 * {@code secret/hello}, expects HTTP 200, then reads the path back and checks both entries.
 *
 * @throws VaultException if the client configuration or a Vault call fails
 */
@Test
public void writeAndReadMultipleValues() throws VaultException {
    try (VaultContainer vaultContainer = new VaultContainer<>().withVaultToken(VAULT_TOKEN)) {
        vaultContainer.start();

        String address =
            "http://" + vaultContainer.getHost() + ":" + vaultContainer.getFirstMappedPort();
        final VaultConfig config = new VaultConfig().address(address).token(VAULT_TOKEN).build();
        final Vault vault = new Vault(config);

        final Map<String, Object> payload = new HashMap<>();
        payload.put("value", "world");
        payload.put("other_value", "another world");

        final LogicalResponse writeResponse = vault.logical().write("secret/hello", payload);
        assertThat(writeResponse.getRestResponse().getStatus()).isEqualTo(200);

        final Map<String, String> readBack = vault.logical().read("secret/hello").getData();
        assertThat(readBack)
            .containsEntry("value", "world")
            .containsEntry("other_value", "another world");
    }
}
 
Example #23
Source File: VaultBuildWrapperWithMockAccessor.java    From hashicorp-vault-plugin with MIT License
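/**
 * Test double for {@link VaultBuildWrapper} whose accessor asserts the configuration it is
 * handed instead of talking to Vault.
 *
 * <p>{@code setConfig} requires the Jenkinsfile URL, {@code setCredential} requires the
 * "-global-2" AppRole pair, {@code init} is a no-op and {@code read} serves a fixed secret
 * for {@code secret/path1}. Anything else fails the test with an {@link AssertionError}.
 *
 * @param vaultSecrets secrets the wrapper should resolve; may be {@code null}
 */
@DataBoundConstructor
public VaultBuildWrapperWithMockAccessor(@CheckForNull List<VaultSecret> vaultSecrets) {
    super(vaultSecrets);
    setVaultAccessor(new VaultAccessor() {

        @Override
        public void setConfig(VaultConfig config) {
            if (!config.getAddress().equals("http://jenkinsfile-vault-url.com")) {
                throw new AssertionError(
                    "URL " + config.getAddress() + " does not match expected value of "
                        + "http://jenkinsfile-vault-url.com");
            }
        }

        @Override
        public void setCredential(VaultCredential credential) {
            VaultAppRoleCredential appRoleCredential = (VaultAppRoleCredential) credential;
            // The failure message echoes the secret-id; tolerable only because this is a
            // test fixture with a known literal value, never do this with a real secret.
            if (!appRoleCredential.getRoleId().equals("role-id-global-2") || !appRoleCredential
                .getSecretId().getPlainText().equals("secret-id-global-2")) {
                throw new AssertionError(
                    "role-id " + appRoleCredential.getRoleId() + " or secret-id "
                        + appRoleCredential.getSecretId()
                        + " do not match expected: -global-2");
            }
        }

        @Override
        public VaultAccessor init() {
            return this;
        }

        @Override
        public LogicalResponse read(String path, Integer engineVersion) {
            if (!path.equals("secret/path1")) {
                throw new AssertionError(
                    "path " + path + " does not match expected: secret/path1");
            }
            Map<String, String> returnValue = new HashMap<>();
            returnValue.put("key1", "some-secret");
            LogicalResponse resp = mock(LogicalResponse.class);
            RestResponse rest = mock(RestResponse.class);
            // Each stubbing once; getData() was previously stubbed twice with the same value.
            when(resp.getData()).thenReturn(returnValue);
            when(resp.getRestResponse()).thenReturn(rest);
            when(rest.getStatus()).thenReturn(200);
            return resp;
        }
    });
}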
 
Example #24
Source File: VaultHelper.java    From hashicorp-vault-plugin with MIT License
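/**
 * Resolves a single secret value from Vault using the global plugin configuration.
 *
 * <p>Builds a driver configuration from the global settings (address, SSL verification,
 * engine version, optional namespace and prefix path), resolves the credential, reads
 * {@code secretPath} and returns the value stored under {@code secretKey}.
 *
 * @return the secret value for {@code secretKey}
 * @throws IOException           declared by the callable contract
 * @throws IllegalStateException if the plugin has no global configuration
 * @throws RuntimeException      wrapping any failure while configuring or reading Vault,
 *                               including the {@link VaultPluginException} raised when the
 *                               key is absent from the path
 */
@Override
public String call() throws IOException {
    Jenkins jenkins = Jenkins.get();

    String msg = String.format(
        "Retrieving vault secret path=%s key=%s engineVersion=%s",
        secretPath, secretKey, engineVersion);
    LOGGER.info(msg);

    GlobalVaultConfiguration globalConfig = GlobalConfiguration.all()
        .get(GlobalVaultConfiguration.class);

    if (globalConfig == null) {
        throw new IllegalStateException("Vault plugin has not been configured.");
    }

    ExtensionList<VaultBuildWrapper.DescriptorImpl> extensionList = jenkins
        .getExtensionList(VaultBuildWrapper.DescriptorImpl.class);
    VaultBuildWrapper.DescriptorImpl descriptor = extensionList.get(0);

    VaultConfiguration configuration = globalConfig.getConfiguration();

    if (descriptor == null || configuration == null) {
        throw new IllegalStateException("Vault plugin has not been configured.");
    }

    try {
        // SslConfig.verify(true) turns certificate verification ON, so it must receive the
        // inverse of "skip SSL verification". Passing the flag through unchanged disabled
        // verification in the default (not skipped) case and enabled it only when skipping;
        // this now matches VaultConfiguration.getVaultConfig(), which uses verify(false)
        // only when skipping is requested.
        SslConfig sslConfig = new SslConfig()
            .verify(!configuration.isSkipSslVerification())
            .build();

        VaultConfig vaultConfig = new VaultConfig()
            .address(configuration.getVaultUrl())
            .sslConfig(sslConfig)
            .engineVersion(engineVersion);

        if (isNotEmpty(configuration.getVaultNamespace())) {
            vaultConfig.nameSpace(configuration.getVaultNamespace());
        }

        if (isNotEmpty(configuration.getPrefixPath())) {
            vaultConfig.prefixPath(configuration.getPrefixPath());
        }

        VaultCredential vaultCredential = configuration.getVaultCredential();
        if (vaultCredential == null) vaultCredential = retrieveVaultCredentials(configuration.getVaultCredentialId());

        VaultAccessor vaultAccessor = new VaultAccessor(vaultConfig, vaultCredential);
        vaultAccessor.setMaxRetries(configuration.getMaxRetries());
        vaultAccessor.setRetryIntervalMilliseconds(configuration.getRetryIntervalMilliseconds());
        vaultAccessor.init();

        Map<String, String> values = vaultAccessor.read(secretPath, engineVersion).getData();

        if (!values.containsKey(secretKey)) {
            String message = String.format(
                "Key %s could not be found in path %s",
                secretKey, secretPath);
            throw new VaultPluginException(message);
        }

        return values.get(secretKey);
    } catch (Exception e) {
        // NOTE(review): this also re-wraps already-unchecked exceptions such as
        // VaultPluginException; presumably intended for the remoting boundary — confirm.
        throw new RuntimeException(e);
    }
}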
 
Example #25
Source File: AbstractVaultTokenCredential.java    From hashicorp-vault-plugin with MIT License
/**
 * Obtains a token through an unauthenticated driver built from {@code config}, sets it on
 * that same {@code config} and returns a fresh driver using it.
 *
 * @param config driver configuration; receives the token via {@code token(...)}
 * @return a driver whose configuration carries the obtained token
 */
@Override
public Vault authorizeWithVault(VaultConfig config) {
    Vault unauthenticated = new Vault(config);
    String token = getToken(unauthenticated);
    VaultConfig withToken = config.token(token);
    return new Vault(withToken);
}
 
Example #26
Source File: VaultAccessor.java    From hashicorp-vault-plugin with MIT License
/**
 * Replaces the driver configuration held by this accessor.
 * The instance is stored as-is, without copying or validation.
 *
 * @param config driver configuration to use from now on
 */
public void setConfig(VaultConfig config) {
    this.config = config;
}
 
Example #27
Source File: VaultAccessor.java    From hashicorp-vault-plugin with MIT License
/**
 * Returns the driver configuration held by this accessor.
 * The live instance is returned, not a copy.
 *
 * @return the current {@link VaultConfig}
 */
public VaultConfig getConfig() {
    return this.config;
}
 
Example #28
Source File: VaultAccessor.java    From hashicorp-vault-plugin with MIT License
/**
 * Creates an accessor bound to an explicit driver configuration and credential.
 * Both references are stored without copying or validation.
 *
 * @param config     driver configuration
 * @param credential credential used to authorize with Vault
 */
public VaultAccessor(VaultConfig config, VaultCredential credential) {
    this.credential = credential;
    this.config = config;
}
 
Example #29
Source File: VaultAccessor.java    From hashicorp-vault-plugin with MIT License
/**
 * Creates an accessor with a fresh, empty {@link VaultConfig}.
 * Only the configuration is initialised here; no credential is assigned.
 */
public VaultAccessor() {
    VaultConfig emptyConfig = new VaultConfig();
    this.config = emptyConfig;
}
 
Example #30
Source File: VaultBuildWrapper.java    From hashicorp-vault-plugin with MIT License
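/**
 * Reads every configured secret from Vault and exports its values as build environment
 * variables, registering each value for masking.
 *
 * <p>Fails fast with a {@link VaultPluginException} when no Vault URL is configured. The
 * accessor is created lazily and (re)configured on every call. A blank secret value is
 * reported as an {@link IllegalArgumentException}. A {@link VaultPluginException} whose
 * cause is a {@link VaultException} is re-thrown with the HTTP status and path added;
 * one with any other cause is propagated unchanged.
 *
 * @param context build-wrapper context receiving the environment variables
 * @param build   the current run, used to resolve the Vault credential
 * @param envVars environment used to expand the secret paths
 * @throws VaultPluginException     if the Vault URL is missing or a read fails
 * @throws IllegalArgumentException if a requested key is missing or blank in Vault
 */
protected void provideEnvironmentVariablesFromVault(Context context, Run build, EnvVars envVars) {
    VaultConfiguration config = getConfiguration();
    String url = config.getVaultUrl();

    if (StringUtils.isBlank(url)) {
        throw new VaultPluginException(
            "The vault url was not configured - please specify the vault url to use.");
    }

    VaultConfig vaultConfig = config.getVaultConfig();

    VaultCredential credential = config.getVaultCredential();
    if (credential == null) credential = retrieveVaultCredentials(build);

    if (vaultAccessor == null) vaultAccessor = new VaultAccessor();
    vaultAccessor.setConfig(vaultConfig);
    vaultAccessor.setCredential(credential);
    vaultAccessor.setMaxRetries(config.getMaxRetries());
    vaultAccessor.setRetryIntervalMilliseconds(config.getRetryIntervalMilliseconds());
    vaultAccessor.init();

    for (VaultSecret vaultSecret : vaultSecrets) {
        String path = envVars.expand(vaultSecret.getPath());
        // NOTE(review): the fallback reads the `configuration` field rather than the local
        // `config` from getConfiguration(); presumably the same object — confirm.
        Integer engineVersion = Optional.ofNullable(vaultSecret.getEngineVersion())
            .orElse(configuration.getEngineVersion());
        try {
            LogicalResponse response = vaultAccessor.read(path, engineVersion);
            if (responseHasErrors(path, response)) {
                continue;
            }
            Map<String, String> values = response.getData();
            for (VaultSecretValue value : vaultSecret.getSecretValues()) {
                String vaultKey = value.getVaultKey();
                String secret = values.get(vaultKey);
                if (StringUtils.isBlank(secret)) {
                    throw new IllegalArgumentException(
                        "Vault Secret " + vaultKey + " at " + path
                            + " is either null or empty. Please check the Secret in Vault.");
                }
                // The value is added to the mask list before it is exported to the environment.
                valuesToMask.add(secret);
                context.env(value.getEnvVar(), secret);
            }
        } catch (VaultPluginException ex) {
            // Only a VaultException cause carries an HTTP status code. The previous unchecked
            // cast turned any other cause into a ClassCastException instead of rethrowing ex.
            Throwable cause = ex.getCause();
            if (cause instanceof VaultException) {
                VaultException e = (VaultException) cause;
                throw new VaultPluginException(String
                    .format("Vault response returned %d for secret path %s",
                        e.getHttpStatusCode(), path),
                    e);
            }
            throw ex;
        }
    }
}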