Java Vault Connector

Changelog

1.3.1 - 2023-10-03 »

Fix

Remove Automatic-Module-Name from JAR manifest (#79)

Dependencies

Updated Jackson to 2.18.0 (#80)

↑

1.3.0 - 2023-06-29 »

Improvements

Simplify JSON parsing in error handler
Add new fields from Vault 1.16 and 1.17 to HealthResponse (#76)
- echo_duration_ms
- clock_skew_ms
- replication_primary_canary_age_ms
- enterprise
Add missing num_uses field to AuthData
Add mount_type attribute to common response model
Add auth attribute to common response model
Add custom_metadata, cas_required and delete_version_after fields for KVv2 metadata
Generate and attach CycloneDX SBOM

Fix

Rename enable_local_secret_id to local_secret_ids in AppRole model

Dependencies

Updated Jackson to 2.17.1

Test

Tested against Vault 1.2 to 1.17

↑

1.2.0 - 2023-12-11 »

Deprecations

get...TimeString() methods on various model classes are now deprecated

Improvements

Parse timestamps as ZonedDateTime instead of String representation
Remove redundant java.base requirement from module-info.java (#69)
Close Java HTTP Client when running on Java 21 or later (#70)
Add MFA requirements to AuthResponse (#71)
Extend AuthMethod data model (#72)

Dependencies

Updated Jackson to 2.16.0

Test

Tested against Vault 1.2.0 to 1.15.4

↑

1.1.5 - 2023-08-19 »

Fix

Fixed JSON type conversion in SecretResponse#get(String, Class) (#67)

Test

Tested against Vault 1.2.0 to 1.14.0

↑

1.1.4 - 2023-06-15 »

Fix

Use [+-]XX:XX notation for timezone in date/time parsing

Improvements

Use explicit UTF-8 encoding for parsing responses

Dependencies

Updated Jackson to 2.15.2

Test

Tested against Vault 1.2.0 to 1.13.3

↑

1.1.3 - 2023-01-31 »

Deprecations

AppID components (deprecated since 0.4) are marked for removal with the next major release

Dependencies

Updated Jackson to 2.14.2

Improvements

Minor internal refactoring

Test

Tested against Vault 1.2.0 to 1.12.2

↑

1.1.2 - 2022-10-26 »

Dependencies

Updated Jackson to 2.13.4.2

Test

Tested against Vault 1.2.0 to 1.12.0
Disable AppID tests for Vault 1.12 and above (auth method removed)
Tested with Java 19

↑

1.1.1 - 2022-08-29 »

Dependencies

Updated Jackson to 2.13.3

Test

Tested against Vault 1.11.2
Tested with Java 18

↑

1.1.0 - 2022-04-24 »

Fix

Use replication_performance_mode instead of replication_perf_mode in health response

Improvements

Add migration, recovery_seal and storage_type fields to SealResponse model
Add support for wrap_info in data response models
Dependency updates
Model and response classes implement Serializable (#57)
Split SercretResponse into PlainSecretResponse and MetaSecretResponse subclasses (common API unchanged)
Add missing fields to AuthMethod model
Add support for (dis)allowed policy glob patterns in TokenRole
Add request ID to data response models

Test

Tested against Vault 1.10.1

↑

1.0.1 - 2021-11-21 »

Fix

Make HTTPVaultConnectorBuilder#withPort(Integer) null-safe (#56)
Make system-lambda dependency test-only (#58)

Test

Tested against Vault 1.9.0

↑

1.0.0 - 2021-10-02 »

Breaking

Requires Java 11 or later
Builder invocation has changed, use HTTPVaultConnector.builder()....build()

Removal

Remove deprecated VaultConnectorFactory in favor of VaultConnectorBuilder with identical API
Remove deprecated AppRoleBuilder and TokenBuilder in favor of AppRole.Builder and Token.Builder
Remove deprecated Period, Policy and Policies methods from AppRole in favor of Token-prefixed versions
Remove deprecated SecretResponse#getValue() method, use get("value") instead
Remove deprecated convenience methods for interaction with "secret" mount

Improvements

Use pre-sized map objects for fixed-size payloads
Remove Apache HTTP Client dependency in favor of Java 11 HTTP
Introduce Java module descriptor

Test

Tested against Vault 1.8.3

↑

0.9.5 - 2021-07-28 »

Deprecations

Deprecate {read,write,delete}Secret() convenience methods. Use {read,write,delete}("secret/...") instead (#52)
Deprecated builder invocation VaultConnectorBuilder.http() in favor of HTTPVaultConnector.builder() (#51)
Deprecated de.stklcode.jvault.connector.builder.HTTPVaultConnectorBuilder in favor of de.stklcode.jvault.connector.HTTPVaultConnectorBuilder (only package changed) (#51)

Old builders will be removed in 1.0

Improvements

Minor dependency updates

Test

Tested against Vault 1.8.0

↑

0.9.4 - 2021-06-06 »

Deprecations

AppRole.Builder#wit0hTokenPeriod() is deprecated in favor of #withTokenPeriod() (#49)

Improvements

Minor dependency updates

Test

Tested against Vault 1.7.2

↑

0.9.3 - 2021-04-02 »

Improvements

Use pre-sized map objects for fixed-size payloads
Minor dependency updates
Unit test adjustments for JDK 16 build environments

Test

Tested against Vault 1.7.0

↑

0.9.2 - 2021-01-24 »

Fixes

Only initialize custom trust managers, if CA certificate is actually provided (#43)

Improvements

Minor dependency updates

↑

0.9.1 - 2021-01-03 »

Improvements

Dependency updates

Test

Tested against Vault 1.6.1

↑

0.9.0 - 2020-04-29 »

Fixes

Correctly parse Map field for token metadata (#34)
Correctly map token policies on token lookup (#35)

Features

Support for token types (#26)
Support for token role handling (#27) (#37)

Improvements

Added entity_id, token_policies, token_type and orphan flags to auth response
Added entity_id, expire_time, explicit_max_ttl, issue_time, renewable and type flags to token data
Added explicit_max_ttl, period and entity_alias flags to Token model (#41)
Added enable_local_secret_ids, token_bound_cidrs, token_explicit_max_ttl, token_no_default_policy, token_num_uses, token_period and token_type flags to AppRole model
Minor dependency updates

Deprecations

AppRole#getPolicies() and #setPolicies() are deprecated in favor of #getTokenPolicies() and #setTokenPolicies()
AppRole#getPeriod() is deprecated in favor of #getTokenPeriod()
AppRoleBuilder and TokenBuilder in favor of AppRole.Builder and Token.Builder
All-arg constructors of AppRole and Token in favor of .builder()....build() introduced in 0.8

Removals

Deprecated methods AppRole#getBoundCidrList(), #setBoundCidrList() and getBoundCidrListString() have been removed

Test

Tested against Vault 1.4.0

↑

0.8.2 - 2019-10-20 »

Fixes

Fixed token lookup (#31)

Improvements

Updated ependencies

Test

Tested against Vault 1.2.3

↑

0.8.1 - 2019-08-16 »

Fixes

Removed compile dependency to JUnit library (#30)

Improvements

Updated ependencies

Test

Tested against Vault 1.2.2

↑

0.8.0 - 2019-03-24 »

Breaking

Moved Maven artifact to de.stklcode.jvault:jvault-connector (#28)
Removed support for HTTPVaultConnectorFactory#withSslContext() in favor of #withTrustedCA()

Features

Support for KV version 2 secret engine (#16)
Ability to pass custom mount point to KV v2 read/write methods (#25)

Improvements

refactoring of the internal SSL handling (#17)
VaultConnector implements java.io.Serializable (#19)
Added missing flags to SealResponse (#20)
Added replication flags to HealthResponse (#21)
Enforce TLS 1.2 by default with option to override (#22)
Build environment and tests now compatible with Java 10 and above
Updated dependencies to fix vulnerabilities (i.e. CVE-2018-7489)
New static method Token.builder() to get token builder instance
New static method AppRole.builder() to get AppRole builder instance

Deprecation

VaultConnectorFactory is deprecated in favor of VaultConnectorBuilder with identical API (#18)
AppRoleBuilder#withBoundCidrList(List) is deprecated in favor of AppRoleBuilder#withSecretIdBoundCidrs(List) (#24)

↑

0.7.1 - 2018-03-17 »

Improvements

Added automatic module name for JPMS compatibility
Minor dependency updates

Test

Tested against Vault 0.9.5

↑

0.7.0 - 2017-10-03 »

Features

Retrieval of health status via getHealth() (#15)

Improvements

seal(), unseal() are now void and throw Exception on error (#12)
Adaptation to Vault 0.8 endpoints for renew and revoke, breaking 0.7 compatibility (#11)

Removed

Removed deprecated listAppRoleSecretss() (use listAppRoleSecrets()) (#14)

Test

Tested against Vault 0.8.3

↑

0.6.2 - 2017-08-19 »

Fixes

Prevent potential NPE on SecretResponse getter
Removed stack traces on PUT request and response deserialization (#13)

Improvements

Fields of InvalidResposneException made final

Deprecation

listAppRoleSecretss() in favor of listAppRoleSecrets() (#14)

Test

Tested against Vault 0.8.1, increased coverage

↑

0.6.1 - 2017-08-02 »

Fixes

TokenModel.getPassword() returned username instead of password
TokenModel.getUsername() and getPassword() could produce NPE in multithreaded environments
TokenData.getCreatinTtl() renamed to getCreationTtl() (typo fix)

Test

Tested against Vault 0.7.3

↑

0.6.0 - 2017-05-12 »

Fixes

SecretResponse does not throw NPE on get(key) and getData()

Features

Initialization from environment variables using fromEnv() in factory (#8)
Automatic authentication with buildAndAuth()
Custom timeout and number of retries (#9)
Connector implements AutoCloseable

Test

Tested against Vault 0.7.0

↑

0.5.0 - 2017-03-18 »

Fixes

Minor bugfix in TokenBuilder

Features

Convenience methods for DB credentials (#7)

Deprecation

SecretResponse.getValue() deprecated

Test

Tested against Vault 0.7.0

↑

0.4.1 - 2016-12-24 »

Fixes

Factory Null-tolerant for trusted certificate (#6)

Test

StackTraces tested for secret leaks
Tested against Vault 0.6.4

↑

0.4.0 - 2016-11-06 »

Features

Option to provide a trusted CA certificate (#2)
Deletion, revocation and renewal of secrets (#3)
Token creation (#4)
AppRole auth backend supported (#5)

Improvements

Support for complex secrets

Deprecation

App-ID backend marked as deprecated

↑

0.3.0 - 2016-10-07 »

Features

Retrieval of JSON objects (#1)

Test

Tested against Vault 0.6.2

↑

0.2.0 - 2016-09-01 »

Fixes

Fixed auth backend detection for Vault 0.6.1

Improvements

Dependecies updated and CommonsIO removed

Test

Tested against Vault 0.6.1

↑

0.1.1 - 2016-06-20 »

Fixes

Check for "permission denied" without status code 400 instead of 403

Test

Tested against Vault 0.6.0

↑

0.1.0 - 2016-03-29 »

First release

↑