jopenlibs / vault-java-driver

Zero-dependency Java client for HashiCorp's Vault
https://jopenlibs.github.io/vault-java-driver

Allow logical() operation to set additional wrapTtl request headers #26

Closed kvandermast closed 1 year ago

kvandermast commented 1 year ago

With the approle authn ceremony, Vault allows you to wrap the secret, see: Response Wrap the SecretID

On the CLI, it is as easy as adding the -wrap-ttl parameter

# This wraps the secretId so that it can only be retrieved once
# In this case the wrapped token is only valid for 60s
vault write -wrap-ttl=60s -force auth/approle/role/jenkins/secret-id

# it outputs something like
# Key                              Value
# ---                              -----
# wrapping_token:                  hvs.CAESIJSSOk-5NW_YJvnInsFSrtbBKrf29Ux2-L_Ief3JyiSMGh4KHGh2cy4zUE4wdHMxY2FzRUxjT2dUYWdNcnhPR24
# wrapping_accessor:               xAUGHpZMS0UiTK97avRhDqno
# wrapping_token_ttl:              1m
# wrapping_token_creation_time:    2023-03-03 10:51:18.507844663 +0000 UTC
# wrapping_token_creation_path:    auth/approle/role/jenkins/secret-id
# wrapped_accessor:                4d75ac69-a10e-639d-6c04-ee3e9f923e0e

With the API, it seems that you can add the X-Vault-Wrap-TTL header in the request.

From the (decompiled) source, it seems that adding this header is not possible on the logical().write() operation.

RestResponse restResponse = (new Rest())
        .url(this.config.getAddress() + "/v1/" + LogicalUtilities.adjustPathForReadOrWrite(path, this.config.getPrefixPathDepth(), operation))
        .body(LogicalUtilities.jsonObjectToWriteFromEngineVersion(operation, requestJson).toString().getBytes(StandardCharsets.UTF_8))
        .header("X-Vault-Token", this.config.getToken()) // these are the fixed headers -> add header in logical()?
        .header("X-Vault-Namespace", this.nameSpace)
        .header("X-Vault-Request", "true")
        .connectTimeoutSeconds(this.config.getOpenTimeout())
        .readTimeoutSeconds(this.config.getReadTimeout())
        .sslVerification(this.config.getSslConfig().isVerify())
        .sslContext(this.config.getSslConfig().getSslContext())
        .post();

Would it be possible to add the ability to add either dynamic headers when building the logical() request or by adding a specific wrapTtl method?

Thanks, Kris
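The HTTP request described in the post above, carrying the X-Vault-Wrap-TTL header, as an added example that is not part of this issue or of vault-java-driver. It is written in Python against the plain Vault HTTP API rather than the Java driver so that the request, the wrapped response and the check a consumer should run before unwrapping can be shown end to end. Assumed: Vault's documented response layout (a wrapped response carries `wrap_info` instead of `data`; `sys/wrapping/lookup` returns `data.creation_path` and `data.creation_ttl`); the sample response is constructed from the values in the CLI output above; `vault.example` is a placeholder address.

```python
"""Request a response-wrapped AppRole SecretID over the Vault HTTP API.

Added example, not code from vault-java-driver. Assumes Vault's documented
response shapes for wrapped responses and for sys/wrapping/lookup.
"""
import json
import urllib.request

# Path from the issue's CLI example; the wrapping token must have been created for it.
SECRET_ID_PATH = "auth/approle/role/jenkins/secret-id"


def wrapped_secret_id_request(address, token, path=SECRET_ID_PATH, wrap_ttl="60s", namespace=None):
    """Build the URL and headers for the HTTP equivalent of
    `vault write -wrap-ttl=60s -force <path>`.
    The only difference from a plain write is the X-Vault-Wrap-TTL header."""
    headers = {
        "X-Vault-Token": token,
        "X-Vault-Request": "true",
        "X-Vault-Wrap-TTL": wrap_ttl,
    }
    if namespace:
        headers["X-Vault-Namespace"] = namespace
    return f"{address.rstrip('/')}/v1/{path}", headers


def parse_wrap_info(body):
    """Return (wrapping_token, creation_path, ttl) from a wrapped Vault response.
    Vault puts the real payload behind the token and returns 'wrap_info' with
    'data' set to null. If 'wrap_info' is missing, the server did not wrap and the
    SecretID would be in the clear, so the caller must treat that as a failure."""
    doc = json.loads(body)
    wrap = doc.get("wrap_info")
    if not wrap:
        raise ValueError("response was not wrapped; refusing to use a plaintext secret_id")
    return wrap["token"], wrap["creation_path"], wrap["ttl"]


def wrap_lookup_is_trustworthy(lookup_body, expected_path=SECRET_ID_PATH, max_ttl=60):
    """Check a sys/wrapping/lookup response before unwrapping.
    creation_path must be the path we asked for and creation_ttl must not exceed
    what we requested: a token created for another path or with a longer life
    is not the one our request produced and should not be unwrapped."""
    data = json.loads(lookup_body)["data"]
    return (data.get("creation_path") == expected_path
            and int(data.get("creation_ttl", 0)) <= max_ttl)


def fetch_wrapped_secret_id(address, token, **kwargs):
    """Send the request (needs a live Vault) and return the wrapping token.
    `-force` on the CLI sends no fields, so an empty JSON object is posted here."""
    url, headers = wrapped_secret_id_request(address, token, **kwargs)
    req = urllib.request.Request(url, data=b"{}", headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return parse_wrap_info(resp.read())[0]


# Constructed sample response, reusing the values shown in the issue's CLI output.
SAMPLE_WRAPPED_RESPONSE = json.dumps({
    "request_id": "",
    "data": None,
    "wrap_info": {
        "token": "hvs.CAESIJSSOk-5NW_YJvnInsFSrtbBKrf29Ux2-L_Ief3JyiSMGh4KHGh2cy4zUE4wdHMxY2FzRUxjT2dUYWdNcnhPR24",
        "accessor": "xAUGHpZMS0UiTK97avRhDqno",
        "ttl": 60,
        "creation_time": "2023-03-03T10:51:18.507844663Z",
        "creation_path": SECRET_ID_PATH,
        "wrapped_accessor": "4d75ac69-a10e-639d-6c04-ee3e9f923e0e",
    },
})

# Constructed sample sys/wrapping/lookup response for the same token.
SAMPLE_LOOKUP = json.dumps({"data": {
    "creation_path": SECRET_ID_PATH,
    "creation_ttl": 60,
    "creation_time": "2023-03-03T10:51:18.507844663Z",
}})

if __name__ == "__main__":
    url, headers = wrapped_secret_id_request("https://vault.example:8200", "<token placeholder>")
    print(url, headers)
    token, path, ttl = parse_wrap_info(SAMPLE_WRAPPED_RESPONSE)
    print("wrapping token ok:", path == SECRET_ID_PATH and ttl <= 60)
    print("lookup ok:", wrap_lookup_is_trustworthy(SAMPLE_LOOKUP))
```

The consumer side matters as much as the header: whoever receives the wrapping token should call `sys/wrapping/lookup` and confirm `creation_path` before unwrapping, which is what `wrap_lookup_is_trustworthy` does; a token that looks up to a different path was not produced by this request and the SecretID it guards should not be trusted.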

henryx commented 1 year ago

Thank you for the request; adding the header to the request is not a particular problem, so I've implemented it.

kvandermast commented 1 year ago

Thanks for the change! When can we expect a new version of the lib (5.4 I assume)?

henryx commented 1 year ago

I've released a new version with this patch. For some reason, publishing to Maven Central is a bit slow. If you need this release ASAP, you can use jitpack.io as an alternate package repository.

kvandermast commented 1 year ago

Perfect! Thanks for the update.