Allow dropping tokens from the session manager for easier recovery on…

… lookup failures. Closes gh-684
spring-projects · Mar 20, 2023 · 04a41c7 · 04a41c7
1 parent 4e794ed
commit 04a41c7
Show file tree

Hide file tree

Showing 4 changed files with 84 additions and 4 deletions.
diff --git a/.../src/main/java/org/springframework/vault/authentication/LifecycleAwareSessionManager.java b/.../src/main/java/org/springframework/vault/authentication/LifecycleAwareSessionManager.java
@@ -25,7 +25,6 @@
 import org.springframework.scheduling.TaskScheduler;
 import org.springframework.util.Assert;
 import org.springframework.util.ClassUtils;
-import org.springframework.util.StringUtils;
 import org.springframework.vault.VaultException;
 import org.springframework.vault.authentication.event.*;
 import org.springframework.vault.client.VaultHttpHeaders;
@@ -149,11 +148,18 @@ protected void setToken(Optional<TokenWrapper> token) {
 
 	@Override
 	public void destroy() {
+		revoke();
+	}
 
-		Optional<TokenWrapper> token = getToken();
-		setToken(Optional.empty());
+	/**
+	 * Revoke and drop the current {@link VaultToken}.
+	 * @since 3.0.2
+	 */
+	public void revoke() {
 
+		Optional<TokenWrapper> token = getToken();
 		token.filter(TokenWrapper::isRevocable).map(TokenWrapper::getToken).ifPresent(this::revoke);
+		setToken(Optional.empty());
 	}
 
 	/**

diff --git a/...n/java/org/springframework/vault/authentication/ReactiveLifecycleAwareSessionManager.java b/...n/java/org/springframework/vault/authentication/ReactiveLifecycleAwareSessionManager.java
@@ -26,7 +26,6 @@
 import org.springframework.scheduling.TaskScheduler;
 import org.springframework.util.Assert;
 import org.springframework.util.ClassUtils;
-import org.springframework.util.StringUtils;
 import org.springframework.vault.VaultException;
 import org.springframework.vault.authentication.event.*;
 import org.springframework.vault.client.VaultHttpHeaders;
@@ -145,6 +144,23 @@ public void destroy() {
 		revokeNow(tokenMono);
 	}
 
+	/**
+	 * Revoke and drop the current {@link VaultToken}.
+	 * @return a mono emitting completion upon successful revocation.
+	 * @since 3.0.2
+	 */
+	public Mono<Void> revoke() {
+		return doRevoke(this.token.get()).doOnSuccess(unused -> this.token.set(EMPTY));
+	}
+
+	/**
+	 * Revoke and drop the current {@link VaultToken} now.
+	 * @since 3.0.2
+	 */
+	public void revokeNow() {
+		revoke().block(Duration.ofSeconds(5));
+	}
+
 	/**
 	 * Revoke a {@link VaultToken} now and block execution until revocation completes.
 	 * @param tokenMono

diff --git a/...rg/springframework/vault/authentication/LifecycleAwareSessionManagerIntegrationTests.java b/...rg/springframework/vault/authentication/LifecycleAwareSessionManagerIntegrationTests.java
@@ -99,6 +99,33 @@ public VaultToken getSessionToken() {
 		sessionManager.renewToken();
 	}
 
+	@Test
+	void shouldRevokeToken() {
+
+		final LoginToken loginToken = createLoginToken();
+		TokenAuthentication tokenAuthentication = new TokenAuthentication(loginToken);
+
+		LifecycleAwareSessionManager sessionManager = new LifecycleAwareSessionManager(tokenAuthentication,
+				this.taskScheduler, prepare().getRestTemplate());
+
+		sessionManager.getSessionToken();
+		sessionManager.revoke();
+
+		prepare().getVaultOperations().doWithSession(restOperations -> {
+
+			try {
+				restOperations.getForEntity("auth/token/lookup/{token}", Map.class, loginToken.toCharArray());
+				fail("Missing HttpStatusCodeException");
+			}
+			catch (HttpStatusCodeException e) {
+				// Compatibility across Vault versions.
+				assertThat(e.getStatusCode()).isIn(HttpStatus.BAD_REQUEST, HttpStatus.NOT_FOUND, HttpStatus.FORBIDDEN);
+			}
+
+			return null;
+		});
+	}
+
 	@Test
 	void shouldRevokeOnDisposal() {
 

diff --git a/...gframework/vault/authentication/ReactiveLifecycleAwareSessionManagerIntegrationTests.java b/...gframework/vault/authentication/ReactiveLifecycleAwareSessionManagerIntegrationTests.java
@@ -22,6 +22,7 @@
 import java.util.Map;
 import java.util.concurrent.TimeUnit;
 import java.util.concurrent.atomic.AtomicInteger;
+import java.util.concurrent.atomic.AtomicReference;
 import java.util.stream.Stream;
 
 import org.assertj.core.util.Files;
@@ -171,6 +172,36 @@ void shouldRevokeOnDisposal() {
 		});
 	}
 
+	@Test
+	void shouldRevokeToken() {
+
+		LoginToken loginToken = createLoginToken();
+
+		ReactiveLifecycleAwareSessionManager sessionManager = new ReactiveLifecycleAwareSessionManager(
+				() -> Flux.fromStream(Stream.of((VaultToken) loginToken)).next(), this.taskScheduler,
+				prepare().getWebClient());
+
+		sessionManager.getSessionToken() //
+				.as(StepVerifier::create) //
+				.expectNext(loginToken) //
+				.verifyComplete();
+		sessionManager.revokeNow();
+
+		prepare().getVaultOperations().doWithSession(restOperations -> {
+
+			try {
+				restOperations.getForEntity("auth/token/lookup/{token}", Map.class, loginToken.toCharArray());
+				fail("Missing HttpStatusCodeException");
+			}
+			catch (HttpStatusCodeException e) {
+				// Compatibility across Vault versions.
+				assertThat(e.getStatusCode()).isIn(HttpStatus.BAD_REQUEST, HttpStatus.NOT_FOUND, HttpStatus.FORBIDDEN);
+			}
+
+			return null;
+		});
+	}
+
 	private LoginToken createLoginToken() {
 
 		VaultTokenOperations tokenOperations = prepare().getVaultOperations().opsForToken();