spring-projects / spring-vault

Provides familiar Spring abstractions for HashiCorp Vault
https://spring.io/projects/spring-vault
Apache License 2.0

Add expiry `Predicate` to `SecretLeaseContainer` to determine whether a `Lease` is expired #809

Closed yuandongjian closed 4 months ago

yuandongjian commented 1 year ago

expiryThreshold is shared by minRenewal; it is difficult to assess what minRenewal should be set to.

    renewed.getLeaseDuration().getSeconds() < this.minRenewal.getSeconds()

https://github.com/spring-projects/spring-vault/blob/afdbdd67f1018634a536fa4e0f60a52d37b1860c/spring-vault-core/src/main/java/org/springframework/vault/core/lease/SecretLeaseContainer.java#L594C5-L594C5

mp911de commented 1 year ago

Care to elaborate on what you're planning to achieve? Please provide more detail and context so that we can understand what you're up to.

yuandongjian commented 1 year ago

Here is my code.

    import java.util.Map;
    import java.util.concurrent.ConcurrentHashMap;

    import org.springframework.vault.client.VaultEndpoint;
    import org.springframework.vault.core.VaultTemplate;
    import org.springframework.vault.core.env.LeaseAwareVaultPropertySource;
    import org.springframework.vault.core.lease.SecretLeaseContainer;
    import org.springframework.vault.core.lease.domain.RequestedSecret;

    public class VaultForJdbc {

        private static final SecretLeaseContainer secretLeaseContainer;

        // One property source per requested secret, shared by all callers.
        private static final Map<RequestedSecret, LeaseAwareVaultPropertySource> map = new ConcurrentHashMap<>();

        static {
            // VaultEndpoint.create() takes host and port only, not a URL
            // (the original passed "http://127.0.0.1" as the host).
            VaultTemplate vaultTemplate = new VaultTemplate(VaultEndpoint.create("127.0.0.1", 1234));
            SecretLeaseContainer container = new SecretLeaseContainer(vaultTemplate);
            container.afterPropertiesSet(); // initialise the renewal scheduler
            container.start();              // start lease renewal / rotation
            secretLeaseContainer = container;
        }

        public static LeaseAwareVaultPropertySource requestSecret(RequestedSecret requestedSecret) {
            return map.computeIfAbsent(requestedSecret,
                    k -> new LeaseAwareVaultPropertySource(secretLeaseContainer, k));
        }

        public static void main(String[] args) {
            LeaseAwareVaultPropertySource propertySource =
                    VaultForJdbc.requestSecret(RequestedSecret.rotating("/database/readwrite"));
            Object username = propertySource.getProperty("username");
            Object password = propertySource.getProperty("password");
        }
    }

minRenewal is used in two pieces of code.

  1. Sets the amount of seconds that is at least required before renewing a lease.
  2. TTL threshold of the valid lease.

Could SecretLeaseContainer, like LifecycleAwareSessionManagerSupport.RefreshTrigger, be opened up for users to configure nextExecutionTime and getValidTtlThreshold?

yuandongjian commented 1 year ago

If a socket timeout is displayed, the default leaseStrategy is drop, but onLeaseExpired(requestedSecret, lease) is not executed after the drop. Note that rescheduling can only be triggered by the user rotating, which affects the user's execution time. If leaseStrategy is retainOnIoError, doRenewLease will return the original lease with no change in leaseDuration, resulting in a high probability that the calculation for the next execution cycle is wrong.

https://github.com/spring-projects/spring-vault/blob/61ca991ba4ec8b54a728899d3460f1e9076e90de/spring-vault-core/src/main/java/org/springframework/vault/core/lease/SecretLeaseContainer.java#L680
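A stand-alone Java model of the two problems raised in this thread: minRenewal doing double duty as both the renewal lower bound and the expiry threshold (third comment), and a retained lease whose leaseDuration no longer reflects the time already elapsed (last comment). This is an added example, not spring-vault's code: LeaseScheduler, LeaseModel, Outcome and the lease id are hypothetical names and values, and the wall-clock `remaining` computation is one way to write the expiry Predicate the title asks for, not the project's implementation.

```java
import java.time.Duration;
import java.time.Instant;
import java.util.function.Predicate;

/**
 * Added stand-alone model of the renewal/expiry decision discussed in this issue.
 * Not spring-vault code: LeaseModel, Outcome and LeaseScheduler are hypothetical
 * names that only mirror the shape of the decision, not the project's API.
 */
public class LeaseScheduler {

    /** Lease snapshot: TTL as last reported by Vault, plus when that report was taken. */
    record LeaseModel(String leaseId, Duration leaseDuration, Instant reportedAt) {

        /** TTL actually left at {@code now}, derived from wall-clock time, never negative. */
        Duration remaining(Instant now) {
            Duration left = leaseDuration.minus(Duration.between(reportedAt, now));
            return left.isNegative() ? Duration.ZERO : left;
        }
    }

    enum Outcome { RENEW_LATER, EXPIRED }

    private final Duration minRenewal;             // lower bound on the renewal interval
    private final Duration expiryThreshold;        // renew when this much TTL is left
    private final Predicate<LeaseModel> isExpired; // caller-supplied expiry rule

    LeaseScheduler(Duration minRenewal, Duration expiryThreshold, Predicate<LeaseModel> isExpired) {
        this.minRenewal = minRenewal;
        this.expiryThreshold = expiryThreshold;
        this.isExpired = isExpired;
    }

    /** Variant A, the situation the issue complains about: the single minRenewal value
     *  decides expiry, and it is compared against the TTL field exactly as reported. */
    static boolean expiredBySingleThreshold(LeaseModel lease, Duration minRenewal) {
        return lease.leaseDuration().compareTo(minRenewal) < 0;
    }

    /** Variant B, the direction the issue asks for: expiry delegated to a Predicate. */
    Outcome afterRenewalAttempt(LeaseModel lease) {
        return isExpired.test(lease) ? Outcome.EXPIRED : Outcome.RENEW_LATER;
    }

    /** Delay until the next renewal attempt: fire when the real remaining TTL reaches
     *  expiryThreshold, but never sooner than minRenewal. */
    Duration nextDelay(LeaseModel lease, Instant now) {
        Duration untilThreshold = lease.remaining(now).minus(expiryThreshold);
        return untilThreshold.compareTo(minRenewal) < 0 ? minRenewal : untilThreshold;
    }

    public static void main(String[] args) {
        // Constructed sample: a 60 s lease issued at t0 (the lease id is made up).
        Instant t0 = Instant.parse("2024-01-01T00:00:00Z");
        LeaseModel lease = new LeaseModel("database/creds/readwrite/EXAMPLE", Duration.ofSeconds(60), t0);
        Duration minRenewal = Duration.ofSeconds(10);
        Duration expiryThreshold = Duration.ofSeconds(15);

        // Healthy case, 20 s after issue: 40 s are left, so the next attempt should run in
        // 25 s (when 15 s remain). Computing it from the stale field alone gives 45 s.
        LeaseScheduler scheduler = new LeaseScheduler(minRenewal, expiryThreshold,
                l -> l.remaining(t0.plusSeconds(50)).compareTo(expiryThreshold) < 0);
        System.out.println("wall-clock next delay: " + scheduler.nextDelay(lease, t0.plusSeconds(20)));
        System.out.println("naive next delay:      " + lease.leaseDuration().minus(expiryThreshold));

        // Failure case, 50 s after issue: a renewal failed with an I/O error and the lease
        // object was retained unchanged, so leaseDuration still says 60 s although only
        // 10 s are really left. Variant A trusts the field and reports "not expired";
        // the wall-clock predicate flags the lease so expiry handling can run instead.
        System.out.println("single threshold expired: " + expiredBySingleThreshold(lease, minRenewal));
        System.out.println("predicate outcome:        " + scheduler.afterRenewalAttempt(lease));
    }
}
```

The point of separating the two thresholds is that minRenewal only bounds how often the container may talk to Vault, while the predicate decides whether a lease is still safe to hand out; tying the predicate to elapsed wall-clock time rather than the last reported leaseDuration is what keeps a retained-on-error lease from being treated as fresh.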