Vault property source (#57)

* Vault Property Source

---------

Signed-off-by: Anders Swanson <anders.swanson@oracle.com>

Author: anders-swanson

docs/src/main/asciidoc/vault.adoc

@@ -0,0 +1,110 @@
+// Copyright (c) 2024, Oracle and/or its affiliates.
+// Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/
+
+[#vault]
+== Vault
+
+https://docs.oracle.com/en-us/iaas/Content/KeyManagement/home.htm[Vault] can be used as a Spring property source for Vault secrets, and as an application bean for creating, updating, listing, and deleting secrets from a Vault.
+
+Maven coordinates, using <<getting-started.adoc#bill-of-materials, Spring Cloud OCI BOM>>:
+
+[source,xml]
+----
+<dependency>
+    <groupId>com.oracle.cloud.spring</groupId>
+    <artifactId>spring-cloud-oci-starter-vault</artifactId>
+</dependency>
+----
+
+Gradle coordinates:
+
+[source,subs="normal"]
+----
+dependencies {
+    implementation("com.oracle.cloud.spring:spring-cloud-oci-starter-vault")
+}
+----
+
+=== Using VaultPropertySource
+
+By configuring Vault as a property source, secrets can be dynamically loaded from OCI Vault into the Spring application context.
+For each vault specified as a property source, Spring will inject secrets as properties identified by their name.
+
+[source,yaml]
+----
+spring:
+  cloud:
+    oci:
+      config:
+        type: file
+      region:
+        static: us-ashburn-1
+      vault:
+        enabled: true
+        compartment: ${OCI_COMPARTMENT_ID}
+        # Spring will automatically refresh properties from Vault,
+        # if the property-refresh-interval is greater than 0ms.
+        # Defaults to 10 minutes.
+        property-refresh-interval: 10000ms
+        property-sources:
+        - vault-id: ${OCI_VAULT_ID}
+----
+
+[source,java]
+----
+// The secret "secretName" will be loaded from the Vault,
+// and it's String value bound to the secretValue variable.
+@Value("${secretname}")
+String secretValue;
+----
+
+=== Using Vault APIs in an application
+
+The starter automatically configures and registers an `Vault` bean in the Spring application context.
+The `Vault` bean can be used to create, update, list, and delete secrets in an OCI Vault
+
+[source,yaml]
+----
+spring:
+  cloud:
+    oci:
+      config:
+        type: file
+      region:
+        static: us-ashburn-1
+      vault:
+        compartment: ${OCI_COMPARTMENT_ID}
+        vault-id: ${OCI_VAULT_ID}
+        enabled: true
+----
+
+[source,java]
+----
+@Autowired
+private Vault vault;
+
+public String getSecretByName(String secretName) {
+    GetSecretBundleByNameResponse bundle = vault.getSecret(secretName);
+    return vault.decodeBundle(bundle);
+}
+
+----
+
+
+=== Configuration
+
+The Spring Boot Starter for Oracle Vault provides the following configuration options:
+
+|===
+^| Name ^| Description ^| Required ^| Default value
+| `spring.cloud.oci.vault.enabled` | Enables the OCI Vault APIs. | No | `true`
+| `spring.cloud.oci.vault.compartment` | Compartment for Vault APIs and property sources. | Yes |
+| `spring.cloud.oci.vault.vault-id` | Vault OCID for Vault APIs. | Yes |
+| `spring.cloud.oci.vault.property-refresh-interval` | Duration on which properties will be refreshed. | No | 10m
+| `spring.cloud.oci.vault.property-sources` | List of Vaults to use as Spring property sources. | No |
+| `spring.cloud.oci.vault.property-sources[i].vault-id` | Vault OCID to use as a property source. | Yes |
+|===
+
+=== Sample
+
+A sample application provided https://github.com/oracle/spring-cloud-oci/tree/main/spring-cloud-oci-samples/spring-cloud-oci-vault-sample[here] contains the examples to demonstrates the usage of OCI Spring Cloud Vault module.

spring-cloud-oci-autoconfigure/src/main/java/com/oracle/cloud/spring/autoconfigure/core/RegionProviderAutoConfiguration.java

@@ -37,7 +37,7 @@ public RegionProvider regionProvider() {
         return createRegionProvider(properties);
     }
 
-    private static RegionProvider createRegionProvider(RegionProperties properties) {
+    public static RegionProvider createRegionProvider(RegionProperties properties) {
         if (properties.getStatic() != null && properties.isStatic()) {
             return new StaticRegionProvider(properties.getStatic().trim());
         }

spring-cloud-oci-autoconfigure/src/main/java/com/oracle/cloud/spring/vault/VaultAutoConfiguration.java

@@ -53,12 +53,7 @@ public Vault vault(Vaults vaults, Secrets secrets) {
     public Vaults vaults(@Qualifier(regionProviderQualifier) RegionProvider regionProvider,
                          @Qualifier(credentialsProviderQualifier)
                          CredentialsProvider cp) {
-        Vaults vaults = VaultsClient.builder()
-                .build(cp.getAuthenticationDetailsProvider());
-        if (regionProvider.getRegion() != null) {
-            vaults.setRegion(regionProvider.getRegion());
-        }
-        return vaults;
+        return createVaultClient(regionProvider, cp);
     }
 
     @Bean
@@ -67,12 +62,25 @@ public Vaults vaults(@Qualifier(regionProviderQualifier) RegionProvider regionPr
     public Secrets secrets(@Qualifier(regionProviderQualifier) RegionProvider regionProvider,
                           @Qualifier(credentialsProviderQualifier)
                          CredentialsProvider cp) {
+        return createSecretsClient(regionProvider, cp);
+    }
+
+    public static Secrets createSecretsClient(RegionProvider regionProvider, CredentialsProvider cp) {
         Secrets secrets = SecretsClient.builder()
                 .build(cp.getAuthenticationDetailsProvider());
         if (regionProvider.getRegion() != null) {
             secrets.setRegion(regionProvider.getRegion());
         }
         return secrets;
     }
+
+    public static Vaults createVaultClient(RegionProvider regionProvider, CredentialsProvider cp) {
+        Vaults vaults = VaultsClient.builder()
+                .build(cp.getAuthenticationDetailsProvider());
+        if (regionProvider.getRegion() != null) {
+            vaults.setRegion(regionProvider.getRegion());
+        }
+        return vaults;
+    }
 }
 

spring-cloud-oci-autoconfigure/src/main/java/com/oracle/cloud/spring/vault/VaultEnvironmentPostProcessor.java

@@ -0,0 +1,82 @@
+// Copyright (c) 2024, Oracle and/or its affiliates.
+// Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/
+package com.oracle.cloud.spring.vault;
+
+import java.io.IOException;
+
+import com.oracle.bmc.auth.RegionProvider;
+import com.oracle.bmc.secrets.Secrets;
+import com.oracle.bmc.vault.Vaults;
+import com.oracle.cloud.spring.autoconfigure.core.CredentialsProperties;
+import com.oracle.cloud.spring.autoconfigure.core.CredentialsProvider;
+import com.oracle.cloud.spring.autoconfigure.core.RegionProperties;
+import org.springframework.boot.SpringApplication;
+import org.springframework.boot.context.config.ConfigDataEnvironmentPostProcessor;
+import org.springframework.boot.context.properties.bind.Bindable;
+import org.springframework.boot.context.properties.bind.Binder;
+import org.springframework.boot.env.EnvironmentPostProcessor;
+import org.springframework.core.Ordered;
+import org.springframework.core.env.ConfigurableEnvironment;
+import org.springframework.core.env.MutablePropertySources;
+import org.springframework.util.ClassUtils;
+
+import static com.oracle.cloud.spring.autoconfigure.core.RegionProviderAutoConfiguration.createRegionProvider;
+import static com.oracle.cloud.spring.vault.VaultAutoConfiguration.createSecretsClient;
+import static com.oracle.cloud.spring.vault.VaultAutoConfiguration.createVaultClient;
+import static org.springframework.core.env.StandardEnvironment.SYSTEM_ENVIRONMENT_PROPERTY_SOURCE_NAME;
+
+/**
+ * Injects a VaultPropertySource for each OCI Vault property source specified in the application properties.
+ * OCI Vault property sources will only be loaded if the com.oracle.cloud.spring.vault.Vault class is on the classpath.
+ */
+public class VaultEnvironmentPostProcessor implements EnvironmentPostProcessor, Ordered {
+    @Override
+    public void postProcessEnvironment(ConfigurableEnvironment environment, SpringApplication application) {
+        if (areClassesLoaded()) {
+            // Load Vault Properties
+            Binder binder = Binder.get(environment);
+            CredentialsProperties credentialsProperties = binder.bind(CredentialsProperties.PREFIX, Bindable.of(CredentialsProperties.class))
+                    .orElse(new CredentialsProperties());
+            RegionProperties regionProperties = binder.bind(RegionProperties.PREFIX, Bindable.of(RegionProperties.class))
+                    .orElse(new RegionProperties());
+            VaultProperties vaultProperties = binder.bind(VaultProperties.PREFIX, Bindable.of(VaultProperties.class))
+                    .orElse(new VaultProperties());
+
+            // Create vault/secrets clients
+            RegionProvider regionProvider = createRegionProvider(regionProperties);
+            CredentialsProvider credentialsProvider = getCredentialsProvider(credentialsProperties);
+            Secrets secretsClient = createSecretsClient(regionProvider, credentialsProvider);
+            Vaults vaultClient = createVaultClient(regionProvider, credentialsProvider);
+
+            // Inject VaultPropertySources into the system property sources
+            MutablePropertySources propertySources = environment.getPropertySources();
+            for (VaultPropertySourceProperties properties : vaultProperties.getPropertySources()) {
+                Vault vault = new VaultImpl(vaultClient, secretsClient, properties.getVaultId(), vaultProperties.getCompartment());
+                VaultPropertyLoader vaultPropertyLoader = new VaultPropertyLoader(vault, vaultProperties.getPropertyRefreshInterval());
+                VaultPropertySource vaultPropertySource = new VaultPropertySource(properties.getVaultId(), vaultPropertyLoader);
+                if (propertySources.contains(SYSTEM_ENVIRONMENT_PROPERTY_SOURCE_NAME)) {
+                    propertySources.addAfter(SYSTEM_ENVIRONMENT_PROPERTY_SOURCE_NAME, vaultPropertySource);
+                } else {
+                    propertySources.addFirst(vaultPropertySource);
+                }
+            }
+        }
+    }
+
+    @Override
+    public int getOrder() {
+        return ConfigDataEnvironmentPostProcessor.ORDER + 1;
+    }
+
+    private boolean areClassesLoaded() {
+        return ClassUtils.isPresent("com.oracle.cloud.spring.vault.Vault", VaultEnvironmentPostProcessor.class.getClassLoader());
+    }
+
+    private CredentialsProvider getCredentialsProvider(CredentialsProperties credentialsProperties) {
+        try {
+            return new CredentialsProvider(credentialsProperties);
+        } catch (IOException e) {
+            throw new RuntimeException(e);
+        }
+    }
+}

spring-cloud-oci-autoconfigure/src/main/java/com/oracle/cloud/spring/vault/VaultProperties.java

@@ -2,6 +2,9 @@
 // Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/
 package com.oracle.cloud.spring.vault;
 
+import java.time.Duration;
+import java.util.List;
+
 import org.springframework.boot.context.properties.ConfigurationProperties;
 
 @ConfigurationProperties(prefix = VaultProperties.PREFIX)
@@ -11,6 +14,10 @@ public class VaultProperties {
     private String compartment;
     private String vaultId;
 
+    private List<VaultPropertySourceProperties> propertySources;
+
+    private Duration propertyRefreshInterval;
+
     public String getCompartment() {
         return compartment;
     }
@@ -26,4 +33,20 @@ public String getVaultId() {
     public void setVaultId(String vaultId) {
         this.vaultId = vaultId;
     }
+
+    public List<VaultPropertySourceProperties> getPropertySources() {
+        return propertySources;
+    }
+
+    public void setPropertySources(List<VaultPropertySourceProperties> propertySources) {
+        this.propertySources = propertySources;
+    }
+
+    public Duration getPropertyRefreshInterval() {
+        return propertyRefreshInterval;
+    }
+
+    public void setPropertyRefreshInterval(Duration propertyRefreshInterval) {
+        this.propertyRefreshInterval = propertyRefreshInterval;
+    }
 }

spring-cloud-oci-autoconfigure/src/main/java/com/oracle/cloud/spring/vault/VaultPropertyLoader.java

@@ -0,0 +1,74 @@
+// Copyright (c) 2024, Oracle and/or its affiliates.
+// Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/
+package com.oracle.cloud.spring.vault;
+
+import java.time.Duration;
+import java.util.LinkedHashMap;
+import java.util.List;
+import java.util.Map;
+import java.util.Optional;
+import java.util.Timer;
+import java.util.TimerTask;
+
+import com.oracle.bmc.secrets.responses.GetSecretBundleByNameResponse;
+import com.oracle.bmc.vault.model.SecretSummary;
+
+public class VaultPropertyLoader implements AutoCloseable {
+    private static Timer timer;
+
+    private final Vault vault;
+    private final Map<String, Object> properties = new LinkedHashMap<>();
+
+    public VaultPropertyLoader(Vault vault, Duration refresh) {
+        this.vault = vault;
+        reload();
+        long refreshMillis = Optional.ofNullable(refresh)
+                .orElse(Duration.ofMinutes(10))
+                .toMillis();
+        if (refreshMillis > 0) {
+            synchronized (VaultPropertyLoader.class) {
+                if (timer == null) {
+                    timer = new Timer(true);
+                    ;
+                    timer.scheduleAtFixedRate(new TimerTask() {
+                        @Override
+                        public void run() {
+                            reload();
+                        }
+                    }, refreshMillis, refreshMillis);
+                }
+            }
+        }
+    }
+
+    boolean containsProperty(String key) {
+        return properties.containsKey(key);
+    }
+
+    Object getProperty(String key) {
+        return properties.get(key);
+    }
+
+    String[] getPropertyNames() {
+        return properties.keySet().toArray(String[]::new);
+    }
+
+    private void reload() {
+        List<SecretSummary> secrets = vault.listSecrets();
+        for (SecretSummary secretSummary : secrets) {
+            GetSecretBundleByNameResponse getSecretResponse = vault.getSecret(secretSummary.getSecretName());
+            String secretValue = vault.decodeBundle(getSecretResponse);
+            properties.put(secretSummary.getSecretName(), secretValue);
+        }
+    }
+
+    @Override
+    public void close() throws Exception {
+        synchronized (VaultPropertyLoader.class) {
+            if (timer != null) {
+                timer.cancel();
+                timer = null;
+            }
+        }
+    }
+}

spring-cloud-oci-autoconfigure/src/main/java/com/oracle/cloud/spring/vault/VaultPropertySource.java

@@ -0,0 +1,26 @@
+// Copyright (c) 2024, Oracle and/or its affiliates.
+// Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/
+package com.oracle.cloud.spring.vault;
+
+import org.springframework.core.env.EnumerablePropertySource;
+
+public class VaultPropertySource extends EnumerablePropertySource<VaultPropertyLoader> {
+    public VaultPropertySource(String name, VaultPropertyLoader source) {
+        super(name, source);
+    }
+
+    @Override
+    public String[] getPropertyNames() {
+        return source.getPropertyNames();
+    }
+
+    @Override
+    public Object getProperty(String name) {
+        return source.getProperty(name);
+    }
+
+    @Override
+    public boolean containsProperty(String name) {
+        return source.containsProperty(name);
+    }
+}