Merge pull request BetterCloud#41 from schulzh/master

steve-perkins · web-flow · commit 79a0fbe40641 · 2017-05-17T13:03:58.000-04:00
Token creation against roles and createToken refactor
diff --git a/src/main/java/com/bettercloud/vault/api/Auth.java b/src/main/java/com/bettercloud/vault/api/Auth.java
@@ -24,6 +24,194 @@
  */
 public class Auth {
 
+    /**
+     * Builder-style class for use with {@link #createToken(TokenRequest)}
+     *
+     * <p>All properties are optional and can be <code>null</code>.</p>
+     */
+    public static class TokenRequest {
+        /**
+         * (optional) The ID of the client token. Can only be specified by a root token. Otherwise, the token ID is a randomly generated UUID.
+         */
+        UUID id;
+
+        /**
+         * (optional) A list of policies for the token. This must be a subset of the policies belonging to the token making the request, unless root. If not specified, defaults to all the policies of the calling token.
+         */
+        List<String> polices;
+
+        /**
+         * (optional) A map of string to string valued metadata. This is passed through to the audit backends.
+         */
+        Map<String, String> meta;
+
+        /**
+         * (optional) If true and set by a root caller, the token will not have the parent token of the caller. This creates a token with no parent.
+         */
+        Boolean noParent;
+
+        /**
+         * (optional) If <code>true</code> the default policy will not be a part of this token's policy set.
+         */
+        Boolean noDefaultPolicy;
+
+        /**
+         * (optional) The TTL period of the token, provided as "1h", where hour is the largest suffix. If not provided, the token is valid for the default lease TTL, or indefinitely if the root policy is used.
+         */
+        String ttl;
+
+        /**
+         * (optional) The display name of the token. Defaults to "token".
+         */
+        String displayName;
+
+        /**
+         * (optional) The maximum uses for the given token. This can be used to create a one-time-token or limited use token. Defaults to 0, which has no limit to the number of uses.
+         */
+        Long numUses;
+
+        /**
+         * (optional) The role the token will be created with. Default is no role.
+         */
+        String role;
+
+        /**
+         * {@link #id}
+         */
+        public TokenRequest withId(UUID id) {
+            this.id = id;
+            return this;
+        }
+
+        /**
+         * {@link #polices}
+         */
+        public TokenRequest withPolices(List<String> polices) {
+            this.polices = polices;
+            return this;
+        }
+
+        /**
+         * {@link #meta}
+         */
+        public TokenRequest withMeta(Map<String, String> meta) {
+            this.meta = meta;
+            return this;
+        }
+
+        /**
+         * {@link #noParent}
+         */
+        public TokenRequest withNoParent(Boolean noParent) {
+            this.noParent = noParent;
+            return this;
+        }
+
+        /**
+         * {@link #noDefaultPolicy}
+         */
+        public TokenRequest withNoDefaultPolicy(Boolean noDefaultPolicy) {
+            this.noDefaultPolicy = noDefaultPolicy;
+            return this;
+        }
+
+        /**
+         * {@link #ttl}
+         */
+        public TokenRequest withTtl(String ttl) {
+            this.ttl = ttl;
+            return this;
+        }
+
+        /**
+         * {@link #displayName}
+         */
+        public TokenRequest withDisplayName(String displayName) {
+            this.displayName = displayName;
+            return this;
+        }
+
+        /**
+         * {@link #numUses}
+         */
+        public TokenRequest withNumUses(Long numUses) {
+            this.numUses = numUses;
+            return this;
+        }
+
+        /**
+         * {@link #role}
+         */
+        public TokenRequest withRole(String role) {
+            this.role = role;
+            return this;
+        }
+
+
+        /**
+         * {@link #id}
+         */
+        public UUID getId() {
+            return id;
+        }
+
+        /**
+         * {@link #polices}
+         */
+        public List<String> getPolices() {
+            return polices;
+        }
+
+        /**
+         * {@link #meta}
+         */
+        public Map<String, String> getMeta() {
+            return meta;
+        }
+
+        /**
+         * {@link #noParent}
+         */
+        public Boolean getNoParent() {
+            return noParent;
+        }
+
+        /**
+         * {@link #noDefaultPolicy}
+         */
+        public Boolean getNoDefaultPolicy() {
+            return noDefaultPolicy;
+        }
+
+        /**
+         * {@link #ttl}
+         */
+        public String getTtl() {
+            return ttl;
+        }
+
+        /**
+         * {@link #displayName}
+         */
+        public String getDisplayName() {
+            return displayName;
+        }
+
+        /**
+         * {@link #numUses}
+         */
+        public Long getNumUses() {
+            return numUses;
+        }
+
+        /**
+         * {@link #role}
+         */
+        public String getRole() {
+            return role;
+        }
+    }
+
     private final VaultConfig config;
 
     public Auth(final VaultConfig config) {
@@ -56,7 +244,9 @@ public Auth(final VaultConfig config) {
      * @param numUses (optional) The maximum uses for the given token. This can be used to create a one-time-token or limited use token. Defaults to 0, which has no limit to the number of uses.
      * @return The auth token
      * @throws VaultException If any error occurs, or unexpected response received from Vault
+     * @deprecated Use {@link #createToken(TokenRequest)}
      */
+    @Deprecated
     public AuthResponse createToken(
             final UUID id,
             final List<String> policies,
@@ -67,32 +257,63 @@ public AuthResponse createToken(
             final String displayName,
             final Long numUses
     ) throws VaultException {
+        return createToken(
+                new TokenRequest()
+                        .withId(id)
+                        .withPolices(policies)
+                        .withMeta(meta)
+                        .withNoParent(noParent)
+                        .withNoDefaultPolicy(noDefaultPolicy)
+                        .withTtl(ttl)
+                        .withDisplayName(displayName)
+                        .withNumUses(numUses));
+    }
+
+
+    /**
+     * <p>Operation to create an authentication token.  Relies on another token already being present in
+     * the <code>VaultConfig</code> instance.  Example usage:</p>
+     *
+     * <blockquote>
+     * <pre>{@code
+     * final VaultConfig config = new VaultConfig(address, rootToken);
+     * final Vault vault = new Vault(config);
+     * final AuthResponse response = vault.auth().createToken(new TokenRequest().withTtl("1h"));
+     *
+     * final String token = response.getAuthClientToken();
+     * }</pre>
+     * </blockquote>     */
+    public AuthResponse createToken(TokenRequest tokenRequest) throws VaultException {
         int retryCount = 0;
         while (true) {
             try {
                 // Parse parameters to JSON
                 final JsonObject jsonObject = Json.object();
-                if (id != null) jsonObject.add("id", id.toString());
-                if (policies != null && !policies.isEmpty()) {
-                    jsonObject.add("policies", Json.array(policies.toArray(new String[policies.size()])));//NOPMD
+              
+                if (tokenRequest.id != null) jsonObject.add("id", tokenRequest.id.toString());
+                if (tokenRequest.polices != null && !tokenRequest.polices.isEmpty()) {
+                    jsonObject.add("policies", Json.array(tokenRequest.polices.toArray(new String[tokenRequest.polices.size()])));//NOPMD
                 }
-                if (meta != null && !meta.isEmpty()) {
+                if (tokenRequest.meta != null && !tokenRequest.meta.isEmpty()) {
                     final JsonObject metaMap = Json.object();
-                    for (final Map.Entry<String, String> entry : meta.entrySet()) {
+                    for (final Map.Entry<String, String> entry : tokenRequest.meta.entrySet()) {
                         metaMap.add(entry.getKey(), entry.getValue());
                     }
                     jsonObject.add("meta", metaMap);
                 }
-                if (noParent != null) jsonObject.add("no_parent", noParent);
-                if (noDefaultPolicy != null) jsonObject.add("no_default_policy", noDefaultPolicy);
-                if (ttl != null) jsonObject.add("ttl", ttl);
-                if (displayName != null) jsonObject.add("display_name", displayName);
-                if (numUses != null) jsonObject.add("num_uses", numUses);
+                if (tokenRequest.noParent != null) jsonObject.add("no_parent", tokenRequest.noParent);
+                if (tokenRequest.noDefaultPolicy != null) jsonObject.add("no_default_policy", tokenRequest.noDefaultPolicy);
+                if (tokenRequest.ttl != null) jsonObject.add("ttl", tokenRequest.ttl);
+                if (tokenRequest.displayName != null) jsonObject.add("display_name", tokenRequest.displayName);
+                if (tokenRequest.numUses != null) jsonObject.add("num_uses", tokenRequest.numUses);
                 final String requestJson = jsonObject.toString();
 
+                String url = config.getAddress() + "/v1/auth/token/create";
+                if (tokenRequest.role != null) url += "/" + tokenRequest.role;
+
                 // HTTP request to Vault
                 final RestResponse restResponse = new Rest()//NOPMD
-                        .url(config.getAddress() + "/v1/auth/token/create")
+                        .url(url)
                         .header("X-Vault-Token", config.getToken())
                         .body(requestJson.getBytes("UTF-8"))
                         .connectTimeoutSeconds(config.getOpenTimeout())
diff --git a/src/test-integration/java/com/bettercloud/vault/api/AuthTests.java b/src/test-integration/java/com/bettercloud/vault/api/AuthTests.java
@@ -69,6 +69,21 @@ public void testCreateToken() throws VaultException {
         assertNotNull(token);
     }
 
+    /**
+     * Test creation of a new client auth token via a TokenRequest, using the Vault root token
+     *
+     * @throws VaultException
+     */
+    @Test
+    public void testCreateTokenWithRequest() throws VaultException {
+        final VaultConfig config = new VaultConfig(address, rootToken);
+        final Vault vault = new Vault(config);
+
+        final AuthResponse response = vault.auth().createToken(new Auth.TokenRequest().withTtl("1h"));
+        final String token = response.getAuthClientToken();
+        assertNotNull(token);
+    }
+
     /**
      * Test Authentication with app-id auth backend
      *
@@ -127,7 +142,7 @@ public void testRenewSelf() throws VaultException, UnsupportedEncodingException
         // Generate a client token
         final VaultConfig authConfig = new VaultConfig(address, rootToken);
         final Vault authVault = new Vault(authConfig);
-        final AuthResponse createResponse = authVault.auth().createToken(null, null, null, null, null, "1h", null, null);
+        final AuthResponse createResponse = authVault.auth().createToken(new Auth.TokenRequest().withTtl("1h"));
         final String token = createResponse.getAuthClientToken();
         assertNotNull(token);
         assertNotSame("", token.trim());
