public interface SecretsGroup
extends java.lang.AutoCloseable

SecretsGroup is a logical collection of secrets. The interface does not expose how the secrets are encrypted and stored, only how to add and retrieve them.

While the stream is the most flexible way to retrieve secrets, we recommend using the convenience methods like getActive whenever possible.

The convenience methods use the concept of active. A secret entry is active if it is enabled, and now (in seconds) is greater than or equal to not before (if present), and less than or equal to not after (if present).

Modifier and Type | Method and Description |
---|---|
RawSecretEntry | addVersion(NewSecretEntry newSecretEntry) Add a version to an existing secret. |
void | close() Certain Secret Groups, e.g. |
RawSecretEntry | create(NewSecretEntry newSecretEntry) Create a new Secret. |
SecretEntry | decrypt(RawSecretEntry rawSecretEntry, SecretIdentifier expectedSecretIdentifier, long expectedVersion) Decrypts a RawSecretEntry into a SecretEntry. |
SecretEntry | decryptEvenIfNotActive(RawSecretEntry rawSecretEntry, SecretIdentifier expectedSecretIdentifier, long expectedVersion) Decrypts a RawSecretEntry into a SecretEntry. |
void | delete(SecretIdentifier secretIdentifier) Delete all versions of the given secret. |
default java.util.Optional<SecretEntry> | getActive(SecretIdentifier secretIdentifier, long targetVersion) Get a specific version of a secret. |
default java.util.List<SecretEntry> | getAllActiveVersions() Get all entries that are active for all secrets. |
default java.util.List<SecretEntry> | getAllActiveVersions(SecretIdentifier secretIdentifier) Get all active versions of a secret. |
default java.util.Optional<SecretEntry> | getLatestActiveVersion(SecretIdentifier secretIdentifier) Convenience method to get the latest active version of a secret, i.e. |
default java.util.List<SecretEntry> | getLatestActiveVersionOfAllSecrets() Get the latest active version of all secrets, i.e. |
java.util.Set<SecretIdentifier> | identifiers() List the secret identifiers in the Secret Group. |
SRN | srn(SecretIdentifier secretIdentifier) Returns a globally unique identifier of the particular secret. |
com.schibsted.security.strongbox.sdk.internal.kv4j.generic.frontend.KVStream<RawSecretEntry> | stream() Get a key value stream of the entries, that can be used to filter and retrieve some subset of the secrets. |
RawSecretEntry | update(SecretMetadata secretMetadata) Update the metadata for a Secret. |
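The write side of the interface, as an added example that is not part of the Strongbox SDK or this page: it uses only create() and addVersion() as documented here, retries the two race conditions the documentation names (a concurrent create, and a collision on the automatically incremented version), and holds the group in try-with-resources because SecretsGroup is AutoCloseable. The import package paths are assumptions about the SDK layout, the exceptions are assumed to be unchecked siblings (the signatures above declare no throws clause), and the Supplier is a stand-in for however your code obtains a group.

```java
import java.util.function.Supplier;

// Assumed package layout for the SDK types named on this page; adjust to your SDK version.
import com.schibsted.security.strongbox.sdk.SecretsGroup;
import com.schibsted.security.strongbox.sdk.types.NewSecretEntry;
import com.schibsted.security.strongbox.sdk.types.RawSecretEntry;
import com.schibsted.security.strongbox.sdk.exceptions.AlreadyExistsException;
import com.schibsted.security.strongbox.sdk.exceptions.DoesNotExistException;

/**
 * Added example (not SDK code): writing a secret through SecretsGroup using only
 * the create() and addVersion() contracts documented above.
 */
public final class SecretsGroupWriter {
    private static final int MAX_ATTEMPTS = 3;

    private SecretsGroupWriter() {}

    /**
     * Creates the secret if it does not exist yet, otherwise adds a new version.
     *
     * addVersion() throws DoesNotExistException for an unknown secret and
     * AlreadyExistsException when two writers race for the same auto-incremented
     * version number; create() throws AlreadyExistsException when another writer
     * created the secret first. Both races are safe to retry a bounded number of
     * times; any other failure propagates to the caller unchanged.
     */
    public static RawSecretEntry createOrAddVersion(SecretsGroup group, NewSecretEntry entry) {
        AlreadyExistsException lastRace = null;
        for (int attempt = 1; attempt <= MAX_ATTEMPTS; attempt++) {
            try {
                return group.addVersion(entry);
            } catch (DoesNotExistException noSecretYet) {
                try {
                    return group.create(entry);
                } catch (AlreadyExistsException createdConcurrently) {
                    // Created by someone else between our addVersion() and create();
                    // loop and add a version to the now-existing secret.
                    lastRace = createdConcurrently;
                }
            } catch (AlreadyExistsException versionRace) {
                // Another writer took this version number; loop so the store assigns the next one.
                lastRace = versionRace;
            }
        }
        throw new IllegalStateException(
                "gave up writing secret after " + MAX_ATTEMPTS + " racing attempts", lastRace);
    }

    /**
     * SecretsGroup is AutoCloseable, so hold it in try-with-resources: close() then runs
     * whether the write succeeded or threw. The Supplier is an assumption standing in
     * for however your code obtains a group.
     */
    public static RawSecretEntry write(Supplier<SecretsGroup> opener, NewSecretEntry entry) throws Exception {
        try (SecretsGroup group = opener.get()) {
            return createOrAddVersion(group, entry);
        }
    }
}
```

The retry is deliberately bounded: an AlreadyExistsException on addVersion() means the store's version counter moved under you, which is expected under concurrent rotation, but a writer that never wins in three attempts is a sign of something else (a stuck peer, a misconfigured job) and should fail loudly rather than spin.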
RawSecretEntry create(NewSecretEntry newSecretEntry)
Create a new Secret.
Parameters:
newSecretEntry - the secret entry to create
Returns:
RawSecretEntry of the newly created entry
Throws:
AlreadyExistsException - if the secret already exists

RawSecretEntry addVersion(NewSecretEntry newSecretEntry)
Add a version to an existing secret.
Parameters:
newSecretEntry - the secret entry to add
Returns:
RawSecretEntry of the newly created entry
Throws:
DoesNotExistException - if the secret does not exist
AlreadyExistsException - if there is a race on the automatically incremented version

RawSecretEntry update(SecretMetadata secretMetadata)
Update the metadata for a Secret.
Parameters:
secretMetadata - metadata to update
Returns:
RawSecretEntry of the updated secret entry
Throws:
DoesNotExistException - if the secret does not exist

java.util.Set<SecretIdentifier> identifiers()
List the secret identifiers in the Secret Group.
Returns:
the SecretIdentifiers that are present in this Secret Group

void delete(SecretIdentifier secretIdentifier)
Delete all versions of the given secret.
Parameters:
secretIdentifier - the identifier of the secret to delete

com.schibsted.security.strongbox.sdk.internal.kv4j.generic.frontend.KVStream<RawSecretEntry> stream()
Get a key value stream of the entries, that can be used to filter and retrieve some subset of the secrets. While the stream is the most flexible way to retrieve secrets, we recommend using the convenience methods like getActive whenever possible.
Returns:
a KVStream of RawSecretEntry for this Secret Group

SecretEntry decrypt(RawSecretEntry rawSecretEntry, SecretIdentifier expectedSecretIdentifier, long expectedVersion)
Decrypts a RawSecretEntry into a SecretEntry. This includes verifying the integrity of all the returned data, both encrypted and decrypted.
This method expects the secret to be active. If you do not need to verify that property, please see decryptEvenIfNotActive.
Please see the top of the class for the definition of active.
Parameters:
rawSecretEntry - the RawSecretEntry to be decrypted and verified
expectedSecretIdentifier - the SecretIdentifier you are expecting to decrypt (to verify integrity)
expectedVersion - the version you are expecting to decrypt (to verify integrity)
Returns:
the decrypted SecretEntry
Throws:
PotentiallyMaliciousDataException - if the integrity cannot be verified

SecretEntry decryptEvenIfNotActive(RawSecretEntry rawSecretEntry, SecretIdentifier expectedSecretIdentifier, long expectedVersion)
Decrypts a RawSecretEntry into a SecretEntry. This includes verifying the integrity of all the returned data, both encrypted and decrypted, but it does not check whether the secret is active.
Please see the top of the class for the definition of active.
Parameters:
rawSecretEntry - the RawSecretEntry to be decrypted and verified
expectedSecretIdentifier - the SecretIdentifier you are expecting to decrypt (to verify integrity)
expectedVersion - the version you are expecting to decrypt (to verify integrity)
Returns:
the decrypted SecretEntry
Throws:
PotentiallyMaliciousDataException - if the integrity cannot be verified

SRN srn(SecretIdentifier secretIdentifier)
Returns a globally unique identifier of the particular secret.
Parameters:
secretIdentifier - identifier of the secret to get the SRN for
Returns:
SRN of the given secret

default java.util.Optional<SecretEntry> getLatestActiveVersion(SecretIdentifier secretIdentifier)
Convenience method to get the latest active version of a secret, i.e.
Where possible, use getActive(SecretIdentifier, long) instead, as this offers 'pinning' of the version.
Please see the top of the class for the definition of active.
Parameters:
secretIdentifier - identifier of the secret to retrieve
Returns:
the SecretEntry requested
Throws:
PotentiallyMaliciousDataException - if the integrity of the data returned is compromised

default java.util.Optional<SecretEntry> getActive(SecretIdentifier secretIdentifier, long targetVersion)
Get a specific version of a secret.
Parameters:
secretIdentifier - identifier of the secret to retrieve
targetVersion - version of the entry to retrieve
Returns:
the SecretEntry requested
Throws:
PotentiallyMaliciousDataException - if the integrity of the data returned is compromised

default java.util.List<SecretEntry> getAllActiveVersions(SecretIdentifier secretIdentifier)
Get all active versions of a secret.
Parameters:
secretIdentifier - identifier of the secret to retrieve
Returns:
the SecretEntry objects matching the request
Throws:
PotentiallyMaliciousDataException - if the integrity of the data returned is compromised

default java.util.List<SecretEntry> getLatestActiveVersionOfAllSecrets()
Get the latest active version of all secrets, i.e.
Returns:
the SecretEntry objects matching the request
Throws:
PotentiallyMaliciousDataException - if the integrity of the data returned is compromised

default java.util.List<SecretEntry> getAllActiveVersions()
Get all entries that are active for all secrets.
Returns:
the SecretEntry objects matching the request
Throws:
PotentiallyMaliciousDataException - if the integrity of the data returned is compromised

void close()
Certain Secret Groups, e.g.
Specified by:
close in interface java.lang.AutoCloseable
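The read side, as an added example that is not part of the Strongbox SDK or this page: it pins the version with getActive(SecretIdentifier, long) as the documentation recommends, treats PotentiallyMaliciousDataException (integrity failure) as a different event from an empty Optional (the version is not active), uses getAllActiveVersions() to notice a rotation in flight, and shows when decrypt() versus decryptEvenIfNotActive() is the right call for a RawSecretEntry obtained from addVersion() or stream(). The import package paths are assumptions about the SDK layout; everything else uses only the methods and exceptions documented above.

```java
import java.util.List;
import java.util.Optional;

// Assumed package layout for the SDK types named on this page; adjust to your SDK version.
import com.schibsted.security.strongbox.sdk.SecretsGroup;
import com.schibsted.security.strongbox.sdk.types.RawSecretEntry;
import com.schibsted.security.strongbox.sdk.types.SecretEntry;
import com.schibsted.security.strongbox.sdk.types.SecretIdentifier;
import com.schibsted.security.strongbox.sdk.exceptions.PotentiallyMaliciousDataException;

/**
 * Added example (not SDK code): reading secrets with a pinned version and keeping
 * "tampered" and "not active" as separate outcomes.
 */
public final class PinnedSecretReader {
    private PinnedSecretReader() {}

    /**
     * Reads exactly the version this deployment was configured with. Because the
     * identifier and version are part of the request, the SDK can verify that the
     * entry it decrypts is the one asked for; a mismatch or a tampered record surfaces
     * as PotentiallyMaliciousDataException and must not be "fixed" by falling back to
     * getLatestActiveVersion(), which would hand an attacker who can write the store
     * a way to choose which entry you read.
     */
    public static SecretEntry readPinned(SecretsGroup group, SecretIdentifier id, long pinnedVersion) {
        Optional<SecretEntry> entry;
        try {
            entry = group.getActive(id, pinnedVersion);
        } catch (PotentiallyMaliciousDataException tampered) {
            // Integrity failure: escalate, do not retry, do not read another version.
            throw new SecurityException(
                    "integrity check failed for " + id + " version " + pinnedVersion, tampered);
        }
        // Empty Optional: the requested version is not active (see the definition of
        // active at the top of the page). Typical cause: the pin was not updated after
        // a rotation and the old version has since been disabled or has expired.
        return entry.orElseThrow(() -> new IllegalStateException(
                "version " + pinnedVersion + " of " + id + " is not active; update the pin"));
    }

    /**
     * Rotation monitoring: more than one active version means a rotation is in
     * flight (old and new both valid), so consumers still pinned to the older
     * version should be moved before it is disabled or reaches its not-after time.
     */
    public static boolean rotationInProgress(SecretsGroup group, SecretIdentifier id) {
        List<SecretEntry> active = group.getAllActiveVersions(id);
        return active.size() > 1;
    }

    /**
     * Decrypting a raw entry obtained elsewhere (for example the RawSecretEntry
     * returned by addVersion(), or one selected from stream()). The caller states
     * which identifier and version it expects so the SDK can verify integrity
     * against them. decryptEvenIfNotActive() performs the same integrity check but
     * skips the active check; reserve it for audit tooling that deliberately
     * inspects disabled or expired versions, never for serving secrets to workloads.
     */
    public static SecretEntry decryptExpected(SecretsGroup group, RawSecretEntry raw,
                                              SecretIdentifier expectedId, long expectedVersion,
                                              boolean auditModeAllowInactive) {
        try {
            return auditModeAllowInactive
                    ? group.decryptEvenIfNotActive(raw, expectedId, expectedVersion)
                    : group.decrypt(raw, expectedId, expectedVersion);
        } catch (PotentiallyMaliciousDataException tampered) {
            throw new SecurityException("raw entry failed integrity verification", tampered);
        }
    }
}
```

The design choice worth noting is the exception mapping: an integrity failure is converted to a SecurityException so that it cannot be swallowed by the generic retry or fallback logic that usually surrounds configuration loading, while the not-active case stays an ordinary state error that an operator fixes by updating the pin.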