Add support for response wrapping #78

See issue #78

Author: dubreuia

src/main/java/com/bettercloud/vault/api/Auth.java

@@ -7,8 +7,8 @@
 import com.bettercloud.vault.json.JsonObject;
 import com.bettercloud.vault.response.AuthResponse;
 import com.bettercloud.vault.response.LookupResponse;
-import com.bettercloud.vault.rest.RestResponse;
 import com.bettercloud.vault.rest.Rest;
+import com.bettercloud.vault.rest.RestResponse;
 import lombok.Getter;
 
 import java.io.Serializable;
@@ -1196,4 +1196,111 @@ public void revokeSelf(final String tokenAuthMount) throws VaultException {
         }
     }
 
+    /**
+     * <p>Returns the original response inside the wrapped auth token. This method is useful if you need to unwrap a
+     * token without being authenticated. See {@link #unwrap(String)} if you need to do that authenticated.</p>
+     *
+     * <p>In the example below, you cannot use twice the {@code VaultConfig}, since
+     * after the first usage of the {@code wrappingToken}, it is not usable anymore. You need to use the
+     * {@code unwrappedToken} in a new vault configuration to continue. Example usage:</p>
+     *
+     * <blockquote>
+     * <pre>{@code
+     * final String wrappingToken = "...";
+     * final VaultConfig config = new VaultConfig().address(...).token(wrappingToken).build();
+     * final Vault vault = new Vault(config);
+     * final AuthResponse response = vault.auth().unwrap();
+     * final String unwrappedToken = response.getAuthClientToken();
+     * }</pre>
+     * </blockquote>
+     *
+     * @return The response information returned from Vault
+     * @throws VaultException If any error occurs, or unexpected response received from Vault
+     * @see #unwrap(String)
+     */
+    public AuthResponse unwrap() throws VaultException {
+        return unwrap(null);
+    }
+
+    /**
+     * <p>Returns the original response inside the given wrapped auth token. This method is useful if you need to unwrap
+     * a token, while being already authenticated. Do NOT authenticate in vault with your wrapping token, since it will
+     * both fail authentication and invalidate the wrapping token at the same time. See {@link #unwrap()} if you need to
+     * do that without being authenticated.</p>
+     *
+     * <p>In the example below, {@code authToken} is NOT your wrapped token, and should have unwrapping permissions.
+     * The unwrapped token in {@code unwrappedToken}. Example usage:</p>
+     *
+     * <blockquote>
+     * <pre>{@code
+     * final String authToken = "...";
+     * final String wrappingToken = "...";
+     * final VaultConfig config = new VaultConfig().address(...).token(authToken).build();
+     * final Vault vault = new Vault(config);
+     * final AuthResponse response = vault.auth().unwrap(wrappingToken);
+     * final String unwrappedToken = response.getAuthClientToken();
+     * }</pre>
+     * </blockquote>
+     *
+     * @param wrappedToken Specifies the wrapping token ID, do NOT also put this in your {@link VaultConfig#token},
+     *              if token is {@code null}, this method will unwrap the auth token in {@link VaultConfig#token}
+     * @return The response information returned from Vault
+     * @throws VaultException If any error occurs, or unexpected response received from Vault
+     * @see #unwrap()
+     */
+    public AuthResponse unwrap(final String wrappedToken) throws VaultException {
+        int retryCount = 0;
+        while (true) {
+            try {
+                // Parse parameters to JSON
+                final JsonObject jsonObject = Json.object();
+                if (wrappedToken != null) {
+                    jsonObject.add("token", wrappedToken);
+                }
+
+                final String requestJson = jsonObject.toString();
+                final String url = config.getAddress() + "/v1/sys/wrapping/unwrap";
+
+                // HTTP request to Vault
+                final RestResponse restResponse = new Rest()
+                                .url(url)
+                                .header("X-Vault-Token", config.getToken())
+                                .body(requestJson.getBytes("UTF-8"))
+                                .connectTimeoutSeconds(config.getOpenTimeout())
+                                .readTimeoutSeconds(config.getReadTimeout())
+                                .sslVerification(config.getSslConfig().isVerify())
+                                .sslContext(config.getSslConfig().getSslContext())
+                                .post();
+
+                // Validate restResponse
+                if (restResponse.getStatus() != 200) {
+                    throw new VaultException("Vault responded with HTTP status code: " + restResponse.getStatus(),
+                                    restResponse.getStatus());
+                }
+                final String mimeType = restResponse.getMimeType() == null ? "null" : restResponse.getMimeType();
+                if (!mimeType.equals("application/json")) {
+                    throw new VaultException("Vault responded with MIME type: " + mimeType, restResponse.getStatus());
+                }
+                return new AuthResponse(restResponse, retryCount);
+            } catch (final Exception e) {
+                // If there are retries to perform, then pause for the configured interval and then execute the
+                // loop again...
+                if (retryCount < config.getMaxRetries()) {
+                    retryCount++;
+                    try {
+                        final int retryIntervalMilliseconds = config.getRetryIntervalMilliseconds();
+                        Thread.sleep(retryIntervalMilliseconds);
+                    } catch (InterruptedException e1) {
+                        e1.printStackTrace();
+                    }
+                } else if (e instanceof VaultException) {
+                    // ... otherwise, give up.
+                    throw (VaultException) e;
+                } else {
+                    throw new VaultException(e);
+                }
+            }
+        }
+    }
+
 }

src/test/java/com/bettercloud/vault/vault/VaultTestUtils.java

@@ -1,6 +1,9 @@
 package com.bettercloud.vault.vault;
 
+import com.bettercloud.vault.json.Json;
+import com.bettercloud.vault.json.JsonObject;
 import com.bettercloud.vault.vault.mock.MockVault;
+import org.apache.commons.io.IOUtils;
 import org.eclipse.jetty.server.Connector;
 import org.eclipse.jetty.server.HttpConfiguration;
 import org.eclipse.jetty.server.HttpConnectionFactory;
@@ -10,6 +13,15 @@
 import org.eclipse.jetty.server.SslConnectionFactory;
 import org.eclipse.jetty.util.ssl.SslContextFactory;
 
+import javax.servlet.http.HttpServletRequest;
+import java.io.IOException;
+import java.util.Collections;
+import java.util.Map;
+import java.util.Optional;
+
+import static java.util.function.Function.identity;
+import static java.util.stream.Collectors.toMap;
+
 /**
  * <p>Utilities used by all of the Vault-related unit test classes under
  * <code>src/test/java/com/bettercloud/vault</code>, to setup and shutdown mock Vault server implementations.</p>
@@ -54,5 +66,20 @@ public static void shutdownMockVault(final Server server) throws Exception {
         }
     }
 
+    public static Optional<JsonObject> readRequestBody(HttpServletRequest request) {
+        try {
+            StringBuilder requestBuffer = new StringBuilder();
+            IOUtils.readLines(request.getReader()).forEach(requestBuffer::append);
+            return Optional.of(Json.parse(requestBuffer.toString()).asObject());
+        } catch (IOException e) {
+            return Optional.empty();
+        }
+    }
+
+    public static Map<String, String> readRequestHeaders(HttpServletRequest request) {
+        return Collections.list(request.getHeaderNames()).stream()
+                .collect(toMap(identity(), request::getHeader));
+    }
+
 }
 

src/test/java/com/bettercloud/vault/vault/api/AuthBackendAwsTests.java

@@ -3,17 +3,16 @@
 import com.bettercloud.vault.Vault;
 import com.bettercloud.vault.VaultConfig;
 import com.bettercloud.vault.VaultException;
-import com.bettercloud.vault.json.Json;
 import com.bettercloud.vault.json.JsonObject;
 import com.bettercloud.vault.vault.VaultTestUtils;
 import com.bettercloud.vault.vault.mock.AuthRequestValidatingMockVault;
-import org.apache.commons.io.IOUtils;
 import org.eclipse.jetty.server.Server;
 import org.junit.Test;
 
 import javax.servlet.http.HttpServletRequest;
 import java.util.function.Predicate;
 
+import static com.bettercloud.vault.vault.VaultTestUtils.readRequestBody;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertNotNull;
 
@@ -23,7 +22,7 @@ public class AuthBackendAwsTests {
     public void testLoginByAwsEc2Id() throws Exception {
         final Predicate<HttpServletRequest> isValidEc2IdRequest = (request) -> {
             try {
-                JsonObject requestBody = readRequestBody(request);
+                JsonObject requestBody = readRequestBody(request).orElse(null);
                 return requestBody != null && request.getRequestURI().endsWith("/auth/aws/login") &&
                         requestBody.getString("identity", "").equals("identity") &&
                         requestBody.getString("signature", "").equals("signature");
@@ -59,7 +58,7 @@ public void testLoginByAwsEc2Id() throws Exception {
     public void testLoginByAwsEc2Pkcs7() throws Exception {
         final Predicate<HttpServletRequest> isValidEc2pkcs7Request = (request) -> {
             try {
-                JsonObject requestBody = readRequestBody(request);
+                JsonObject requestBody = readRequestBody(request).orElse(null);
                 return requestBody != null && request.getRequestURI().endsWith("/auth/aws/login") &&
                       requestBody.getString("pkcs7", "").equals("pkcs7");
             } catch (Exception e) {
@@ -95,7 +94,7 @@ public void testLoginByAwsEc2Pkcs7() throws Exception {
     @Test
     public void testLoginByAwsIam() throws Exception {
         final Predicate<HttpServletRequest> isValidEc2IamRequest = (request) -> {
-            JsonObject requestBody = readRequestBody(request);
+            JsonObject requestBody = readRequestBody(request).orElse(null);
             return requestBody != null && request.getRequestURI().endsWith("/auth/aws/login") &&
                     requestBody.getString("iam_http_request_method", "").equals("POST") &&
                     requestBody.getString("iam_request_url", "").equals("url") &&
@@ -123,14 +122,4 @@ public void testLoginByAwsIam() throws Exception {
         assertEquals("c9368254-3f21-aded-8a6f-7c818e81b17a", token.trim());
     }
 
-    private JsonObject readRequestBody(HttpServletRequest request) {
-        try {
-            StringBuilder requestBuffer = new StringBuilder();
-            IOUtils.readLines(request.getReader()).forEach(requestBuffer::append);
-            return Json.parse(requestBuffer.toString()).asObject();
-        } catch (Exception e) {
-            return null;
-        }
-    }
-
 }

src/test/java/com/bettercloud/vault/vault/api/AuthUnwrapTest.java

@@ -0,0 +1,72 @@
+package com.bettercloud.vault.vault.api;
+
+import com.bettercloud.vault.Vault;
+import com.bettercloud.vault.VaultConfig;
+import com.bettercloud.vault.json.JsonArray;
+import com.bettercloud.vault.json.JsonObject;
+import com.bettercloud.vault.response.AuthResponse;
+import com.bettercloud.vault.vault.VaultTestUtils;
+import com.bettercloud.vault.vault.mock.MockVault;
+import org.eclipse.jetty.server.Server;
+import org.junit.After;
+import org.junit.Before;
+import org.junit.Test;
+
+import static org.junit.Assert.assertEquals;
+
+public class AuthUnwrapTest {
+
+    private static final JsonObject RESPONSE_AUTH_UNWRAP = new JsonObject()
+            .add("renewable", false)
+            .add("auth", new JsonObject()
+                    .add("policies", new JsonArray())
+                    .add("client_token", "unwrappedToken"));
+
+    private Server server;
+    private MockVault vaultServer;
+
+    @Before
+    public void before() throws Exception {
+        vaultServer = new MockVault(200, RESPONSE_AUTH_UNWRAP.toString());
+        server = VaultTestUtils.initHttpMockVault(vaultServer);
+        server.start();
+    }
+
+    @After
+    public void after() throws Exception {
+        VaultTestUtils.shutdownMockVault(server);
+    }
+
+    @Test
+    public void should_unwrap_without_param_sends_no_token_and_return_unwrapped_token() throws Exception {
+        VaultConfig vaultConfig = new VaultConfig().address("http://127.0.0.1:8999").token("wrappedToken").build();
+        Vault vault = new Vault(vaultConfig);
+        AuthResponse response = vault.auth().unwrap();
+
+        assertEquals(200, response.getRestResponse().getStatus());
+
+        // Assert request body should NOT have token body (wrapped is in header)
+        assertEquals(null, vaultServer.getRequestBody().get("token"));
+        assertEquals("wrappedToken", vaultServer.getRequestHeaders().get("X-Vault-Token"));
+
+        // Assert response should have the unwrapped token in the client_token key
+        assertEquals("unwrappedToken", response.getAuthClientToken());
+    }
+
+    @Test
+    public void should_unwrap_param_sends_token_and_return_unwrapped_token() throws Exception {
+        VaultConfig vaultConfig = new VaultConfig().address("http://127.0.0.1:8999").token("authToken").build();
+        Vault vault = new Vault(vaultConfig);
+        AuthResponse response = vault.auth().unwrap("wrappedToken");
+
+        assertEquals(200, response.getRestResponse().getStatus());
+
+        // Assert request body SHOULD have token body
+        assertEquals("wrappedToken", vaultServer.getRequestBody().getString("token", null));
+        assertEquals("authToken", vaultServer.getRequestHeaders().get("X-Vault-Token"));
+
+        // Assert response should have the unwrapped token in the client_token key
+        assertEquals("unwrappedToken", response.getAuthClientToken());
+    }
+
+}

src/test/java/com/bettercloud/vault/vault/mock/MockVault.java

@@ -1,12 +1,18 @@
 package com.bettercloud.vault.vault.mock;
 
-import org.eclipse.jetty.server.Request;
-import org.eclipse.jetty.server.handler.AbstractHandler;
+import static com.bettercloud.vault.vault.VaultTestUtils.readRequestBody;
+import static com.bettercloud.vault.vault.VaultTestUtils.readRequestHeaders;
 
+import java.io.IOException;
+import java.util.Map;
 import javax.servlet.ServletException;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
-import java.io.IOException;
+
+import org.eclipse.jetty.server.Request;
+import org.eclipse.jetty.server.handler.AbstractHandler;
+
+import com.bettercloud.vault.json.JsonObject;
 
 /**
  * <p>This class is used to mock out a Vault server in unit tests involving retry logic. As it extends Jetty's
@@ -22,7 +28,7 @@
  * server.setHandler( new MockVault(200, "{\"data\":{\"value\":\"mock\"}}") );
  * server.start();
  *
- * final VaultConfig vaultConfig = new VaultConfig("http://127.0.0.1:8999", "mock_token");
+ * final VaultConfig vaultConfig = new VaultConfig().address("http://127.0.0.1:8999").token("mock_token").build();
  * final Vault vault = new Vault(vaultConfig);
  * final LogicalResponse response = vault.logical().read("secret/hello");
  *
@@ -37,22 +43,26 @@ public class MockVault extends AbstractHandler {
 
     private int mockStatus;
     private String mockResponse;
+    private JsonObject requestBody;
+    private Map<String, String> requestHeaders;
+
+    MockVault() {
+    }
 
     public MockVault(final int mockStatus, final String mockResponse) {
         this.mockStatus = mockStatus;
         this.mockResponse = mockResponse;
     }
 
-    protected MockVault() {
-    }
-
     @Override
     public void handle(
             final String target,
             final Request baseRequest,
             final HttpServletRequest request,
             final HttpServletResponse response
     ) throws IOException, ServletException {
+        requestBody = readRequestBody(request).orElse(null);
+        requestHeaders = readRequestHeaders(request);
         response.setContentType("application/json");
         baseRequest.setHandled(true);
         System.out.println("MockVault is sending an HTTP " + mockStatus + " code, with expected success payload...");
@@ -62,4 +72,12 @@ public void handle(
         }
     }
 
+    public JsonObject getRequestBody() {
+        return requestBody;
+    }
+
+    public Map<String, String> getRequestHeaders() {
+        return requestHeaders;
+    }
+
 }