diff --git a/docs/src/main/asciidoc/vault.adoc b/docs/src/main/asciidoc/vault.adoc
index c5036b44360bb..3a3211de491f2 100644
--- a/docs/src/main/asciidoc/vault.adoc
+++ b/docs/src/main/asciidoc/vault.adoc
@@ -7,7 +7,7 @@ https://github.com/quarkusio/quarkus/tree/master/docs/src/main/asciidoc
 include::./attributes.adoc[]
 :config-file: application.properties
-:vault-version: 1.2.2
+:vault-version: 1.6.0
 :root-token: s.5VUS8pte13RqekCB2fmMT3u2
 :client-token: s.s93BVzJPzBiIGuYJHBTkG8Uw
 :extension-status: preview
@@ -138,7 +138,7 @@ Initialized true
 Sealed false
 Total Shares 1
 Threshold 1
-Version 1.2.2
+Version 1.6.0
 Cluster Name vault-cluster-b07e80d8
 Cluster ID 55bd74b6-eaaf-3862-f7ce-3473ab86c57f
 HA Enabled false
diff --git a/extensions/vault/model/src/main/java/io/quarkus/vault/runtime/client/dto/transit/VaultTransitEncryptBody.java b/extensions/vault/model/src/main/java/io/quarkus/vault/runtime/client/dto/transit/VaultTransitEncryptBody.java
index cdc8901ddf674..5af97b3a14c1d 100644
--- a/extensions/vault/model/src/main/java/io/quarkus/vault/runtime/client/dto/transit/VaultTransitEncryptBody.java
+++ b/extensions/vault/model/src/main/java/io/quarkus/vault/runtime/client/dto/transit/VaultTransitEncryptBody.java
@@ -4,10 +4,17 @@ import com.fasterxml.jackson.annotation.JsonProperty;
+import io.quarkus.vault.runtime.Base64String;
 import io.quarkus.vault.runtime.client.dto.VaultModel;
 public class VaultTransitEncryptBody implements VaultModel {
+ public String name;
+ public Base64String plaintext;
+ public Base64String context;
+ public Base64String nonce;
+ @JsonProperty("key_version")
+ public Integer keyVersion;
 public String type;
 @JsonProperty("convergent_encryption")
 public String convergentEncryption;
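Review bot: `name` and `nonce` are added as request-body fields but nothing in this commit assigns them — the new single-request path in VaultTransitManager fills only plaintext, context, keyVersion, type and convergentEncryption and hands the key name to `vaultClient.encrypt` as a separate argument — so unless the serializer omits nulls (not visible here) both go out as null on every call. Vault documents `nonce` as meaningful only for convergent-encryption keys, and a caller-chosen nonce is precisely the kind of value that must never be reused under one key, so if the field stays it deserves a comment such as `// only for convergent encryption; leave null so Vault derives the nonce itself`, and `name` looks redundant with the path parameter. The class body continues outside the hunk.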
diff --git a/extensions/vault/model/src/main/java/io/quarkus/vault/runtime/client/dto/transit/VaultTransitEncryptData.java b/extensions/vault/model/src/main/java/io/quarkus/vault/runtime/client/dto/transit/VaultTransitEncryptData.java
index 3cae705e449b1..0c84d904b703c 100644
--- a/extensions/vault/model/src/main/java/io/quarkus/vault/runtime/client/dto/transit/VaultTransitEncryptData.java
+++ b/extensions/vault/model/src/main/java/io/quarkus/vault/runtime/client/dto/transit/VaultTransitEncryptData.java
@@ -8,6 +8,8 @@ public class VaultTransitEncryptData implements VaultModel {
+ public String ciphertext;
+ public String error;
 @JsonProperty("batch_results")
 public List batchResults;
diff --git a/extensions/vault/runtime/src/main/java/io/quarkus/vault/runtime/VaultTransitManager.java b/extensions/vault/runtime/src/main/java/io/quarkus/vault/runtime/VaultTransitManager.java
index c8fba2e314c6f..5431a6a0f4644 100644
--- a/extensions/vault/runtime/src/main/java/io/quarkus/vault/runtime/VaultTransitManager.java
+++ b/extensions/vault/runtime/src/main/java/io/quarkus/vault/runtime/VaultTransitManager.java
@@ -8,6 +8,7 @@ import static java.util.stream.Collectors.groupingBy;
 import static java.util.stream.Collectors.toList;
+import java.util.HashMap;
 import java.util.IdentityHashMap;
 import java.util.List;
 import java.util.Map;
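Review bot: The new `ciphertext` and `error` fields carry no documentation of how they relate to the existing `batchResults`; from the VaultTransitManager change they appear to be the single-request response shape, with `error` populated when Vault rejects the request, but a reader of this DTO alone cannot tell which field to check. A per-field comment would make that explicit, e.g. `// single-request response (see VaultTransitManager.encrypt); batchResults is populated for batch requests instead` on `ciphertext` and `// Vault's error text for a failed single request; null on success` on `error`, both hedged as long as the consumer is the only evidence. The class body continues outside the hunk.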
@@ -79,8 +80,37 @@ public String encrypt(String keyName, ClearData clearData, TransitContext transi
 return encryptBatch(keyName, singletonList(item)).get(0).getValueOrElseError();
 }
+ // workaround https://github.com/hashicorp/vault/issues/10232
+ private String encrypt(String keyName, EncryptionRequest request) {
+ VaultTransitEncryptBody body = new VaultTransitEncryptBody();
+ body.plaintext = Base64String.from(request.getData().getValue());
+ body.context = Base64String.from(request.getContext());
+ body.keyVersion = request.getKeyVersion();
+
+ TransitKeyConfig config = serverConfig.transit.key.get(keyName);
+ if (config != null) {
+ keyName = config.name.orElse(keyName);
+ body.type = config.type.orElse(null);
+ body.convergentEncryption = config.convergentEncryption.orElse(null);
+ }
+ VaultTransitEncrypt encrypt = vaultClient.encrypt(getToken(), keyName, body);
+ EncryptionResult result = new EncryptionResult(encrypt.data.ciphertext, encrypt.data.error);
+ if (result.isInError()) {
+ Map errorMap = new HashMap<>();
+ errorMap.put(request, result);
+ throw new VaultEncryptionBatchException("encryption error with key " + keyName, errorMap);
+ }
+ return result.getValue();
+ }
+
 @Override
 public Map encrypt(String keyName, List requests) {
+ if (requests.size() == 1) {
+ EncryptionRequest request = requests.get(0);
+ Map result = new HashMap<>();
+ result.put(request, encrypt(keyName, request));
+ return result;
+ }
 List results = encryptBatch(keyName, requests);
 checkBatchErrors(results, errors -> new VaultEncryptionBatchException(errors + " encryption errors", zip(requests, results)));
diff --git a/test-framework/vault/src/main/java/io/quarkus/vault/test/VaultTestExtension.java b/test-framework/vault/src/main/java/io/quarkus/vault/test/VaultTestExtension.java
index a14138d37b1e1..30b6741a545c2 100644
--- a/test-framework/vault/src/main/java/io/quarkus/vault/test/VaultTestExtension.java
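Review bot: The single-request path reads `encrypt.data.ciphertext` and `encrypt.data.error` before any error check, so a response without a `data` object (if `vaultClient.encrypt` can return one on failure) ends in a NullPointerException rather than the VaultEncryptionBatchException the batch path raises; a null check on `encrypt.data` before building `EncryptionResult` would keep the two paths failing the same way. The two paths also disagree on the exception they build: this one uses `"encryption error with key " + keyName` (the config-resolved name, not the caller's) and a `HashMap`, whereas the batch branch at the end of the hunk uses `errors + " encryption errors"` and `zip(requests, results)`, and the `IdentityHashMap` import elsewhere in this file suggests identity semantics there — aligning the message format and map type avoids behaviour that differs only by list length. The workaround comment should say what is bypassed and when it can go, e.g. `// workaround https://github.com/hashicorp/vault/issues/10232: lists of exactly one request bypass encryptBatch; remove once the minimum supported Vault version contains the fix`. `encrypt(String, List)` continues past the end of the hunk.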
+++ b/test-framework/vault/src/main/java/io/quarkus/vault/test/VaultTestExtension.java
@@ -69,7 +69,7 @@ public class VaultTestExtension {
 static final String DB_USERNAME = "postgres";
 public static final String DB_PASSWORD = "bar";
 public static final String SECRET_VALUE = "s\u20accr\u20act";
- static final String DEFAULT_VAULT_VERSION = "1.2.2";
+ static final String DEFAULT_VAULT_VERSION = "1.6.0";
 static final int VAULT_PORT = 8200;
 static final int MAPPED_POSTGRESQL_PORT = 6543;
 public static final String VAULT_AUTH_USERPASS_USER = "bob";