Merge pull request #2 from Liftric/feature/lazy

lazy configuration and enhanced error messages

README.md

@@ -17,20 +17,24 @@ Usage example in you build script:
 
 ```kotlin
 import com.liftric.vault.vault
+import com.liftric.vault.GetVaultSecretTask
 
 plugins {
  id("com.liftric.vault-client-plugin") version ("<latest>")
 }
 vault {
- vaultAddress = "http://localhost:8200"
- vaultToken = "myroottoken" // don't do that in production code!
- vaultTokenFilePath = "${System.getProperty("user.home")}/.vault-token" // from file is prefered over vaultToken 
- maxRetries = 2
- retryIntervalMilliseconds = 200
+ vaultAddress.set("http://localhost:8200")
+ vaultToken.set("myroottoken") // don't do that in production code!
+ vaultTokenFilePath.set("${System.getProperty("user.home")}/.vault-token") // from file is prefered over vaultToken 
+ maxRetries.set(2)
+ retryIntervalMilliseconds.set(200)
 }
 tasks {
- val needsSecrets by creating {
- val secrets: Map<String, String> = project.vault("secret/example")
+ val needsSecrets by creating(GetVaultSecretTask::class) {
+ secretPath.set("secret/example")
+ doLast {
+ val secrets: Map<String, String> = secret.get()
+ }
  }
 }
 ```
@@ -68,10 +72,17 @@ import com.liftric.vault.vault
 import org.gradle.api.Project
 
 object Configs {
- fun Project.secretStuff(): String {
+ fun Project.secretStuff(): Any {
  val secrets = project.vault("secret/example")
  [...] // use the secrets
  }
+ fun Project.secretStuff(): Any {
+ val needsSecrets: GetVaultSecretTask = tasks.getByName<GetVaultSecretTask>("needsSecrets").apply {
+ execute()
+ }
+ val secret = needsSecrets.secret.get()
+ [...] // use the secrets
+ }
 }
 ```
 This can be used in your build scripts like:

build.gradle.kts

@@ -1,11 +1,9 @@
 import net.nemerosa.versioning.tasks.VersionDisplayTask
 
 plugins {
- kotlin("jvm") version "1.3.61"
- `java-gradle-plugin`
- id("org.gradle.kotlin.kotlin-dsl") version "1.3.3"
+ `kotlin-dsl`
  `maven-publish`
- id("com.gradle.plugin-publish") version "0.10.1"
+ id("com.gradle.plugin-publish") version "0.11.0"
  id("net.nemerosa.versioning") version "2.12.0"
 }
 

gradle/wrapper/gradle-wrapper.properties

@@ -1,5 +1,5 @@
 distributionBase=GRADLE_USER_HOME
 distributionPath=wrapper/dists
-distributionUrl=https\://services.gradle.org/distributions/gradle-6.2.1-all.zip
+distributionUrl=https\://services.gradle.org/distributions/gradle-6.3-all.zip
 zipStoreBase=GRADLE_USER_HOME
 zipStorePath=wrapper/dists

integration-token/build.gradle.kts

@@ -1,22 +1,24 @@
 import com.liftric.vault.vault
+import com.liftric.vault.GetVaultSecretTask
 
 plugins {
  java
  id("com.liftric.vault-client-plugin") // version known from buildSrc
 }
 vault {
- vaultAddress = "http://localhost:8200"
- vaultToken = "myroottoken" // don't do that in production code!
- maxRetries = 2
- retryIntervalMilliseconds = 200
+ vaultAddress.set("http://localhost:8200")
+ vaultToken.set("myroottoken") // don't do that in production code!
+ maxRetries.set(2)
+ retryIntervalMilliseconds.set(200)
 }
 tasks {
- val needsSecrets by creating {
+ val needsSecrets by creating(GetVaultSecretTask::class) {
+ secretPath.set("secret/example")
  doLast {
- val secrets: Map<String, String> = project.vault("secret/example")
- if (secrets["examplestring"] != "helloworld") throw kotlin.IllegalStateException("examplestring couldn't be read")
- if (secrets["exampleint"]?.toInt() != 1337) throw kotlin.IllegalStateException("exampleint couldn't be read")
- println("getting secrets succeeded!")
+ val secret = secret.get()
+ if (secret["examplestring"] != "helloworld") throw kotlin.IllegalStateException("examplestring couldn't be read")
+ if (secret["exampleint"]?.toInt() != 1337) throw kotlin.IllegalStateException("exampleint couldn't be read")
+ println("getting secret succeeded!")
  }
  }
  val fromBuildSrc by creating {

integration-token/buildSrc/src/main/kotlin/Configs.kt

@@ -1,9 +1,13 @@
-import com.liftric.vault.vault
+import com.liftric.vault.GetVaultSecretTask
 import org.gradle.api.Project
+import org.gradle.kotlin.dsl.getByName
 
 object Configs {
  fun Project.secretStuff(): String {
- val secrets = project.vault("secret/example")
- return "${secrets["examplestring"]}:${secrets["exampleint"]}"
+ val needsSecrets: GetVaultSecretTask = tasks.getByName<GetVaultSecretTask>("needsSecrets").apply {
+ execute()
+ }
+ val secret = needsSecrets.secret.get()
+ return "${secret["examplestring"]}:${secret["exampleint"]}"
  }
-}
+}

integration-tokenfile/build.gradle.kts

@@ -1,23 +1,24 @@
 import com.liftric.vault.vault
+import com.liftric.vault.GetVaultSecretTask
 
 plugins {
  java
- id("com.liftric.vault-client-plugin") version "1.0.0-SNAPSHOT"
+ id("com.liftric.vault-client-plugin")
 }
 vault {
- vaultAddress = "http://localhost:8200"
- vaultTokenFilePath = "${projectDir.path}/.vault-token" // don't put the token file on the repo itself like here!
- maxRetries = 2
- retryIntervalMilliseconds = 200
+ vaultAddress.set("http://localhost:8200")
+ vaultTokenFilePath.set("${projectDir.path}/.vault-token") // don't put the token file on the repo itself like here!
+ maxRetries.set(2)
+ retryIntervalMilliseconds.set(200)
 }
 tasks {
- val needsSecrets by creating {
- val secrets = project.objects.mapProperty<String, String>()
+ val needsSecrets by creating(GetVaultSecretTask::class) {
+ secretPath.set("secret/example")
  doLast {
- secrets.set(project.vault("secret/example"))
- if (secrets.get()["examplestring"] != "helloworld") throw kotlin.IllegalStateException("examplestring couldn't be read")
- if (secrets.get()["exampleint"]?.toInt() != 1337) throw kotlin.IllegalStateException("exampleint couldn't be read")
- println("getting secrets succeeded!")
+ val secret = secret.get()
+ if (secret["examplestring"] != "helloworld") throw kotlin.IllegalStateException("examplestring couldn't be read")
+ if (secret["exampleint"]?.toInt() != 1337) throw kotlin.IllegalStateException("exampleint couldn't be read")
+ println("getting secret succeeded!")
  }
  }
  val build by existing {

src/main/kotlin/com/liftric/vault/Defaults.kt

@@ -0,0 +1,12 @@
+package com.liftric.vault
+
+object Defaults {
+ // values
+ const val MAX_RETRIES = 5
+ const val RETRY_INTERVAL_MILLI = 1000
+
+ // env vars
+ const val VAULT_TOKEN_ENV = "VAULT_TOKEN"
+ const val VAULT_TOKEN_FILE_PATH_ENV = "VAULT_TOKEN_FILE_PATH"
+ const val VAULT_ADDR_ENV = "VAULT_ADDR"
+}

src/main/kotlin/com/liftric/vault/GetVaultSecretTask.kt

@@ -0,0 +1,91 @@
+package com.liftric.vault
+
+import com.liftric.vault.Defaults.MAX_RETRIES
+import com.liftric.vault.Defaults.RETRY_INTERVAL_MILLI
+import com.liftric.vault.Defaults.VAULT_ADDR_ENV
+import com.liftric.vault.Defaults.VAULT_TOKEN_ENV
+import com.liftric.vault.Defaults.VAULT_TOKEN_FILE_PATH_ENV
+import org.gradle.api.DefaultTask
+import org.gradle.api.provider.MapProperty
+import org.gradle.api.provider.Property
+import org.gradle.api.tasks.*
+import org.gradle.kotlin.dsl.mapProperty
+import org.gradle.kotlin.dsl.property
+import java.io.File
+
+/**
+ * See extension for property documentation
+ */
+open class GetVaultSecretTask : DefaultTask() {
+ init {
+ group = "com.liftric.vault"
+ description = "Fetches a secret from vault."
+ outputs.upToDateWhen { false }
+ }
+
+ @Input
+ val secretPath: Property<String> = project.objects.property()
+
+ @Input
+ @Optional
+ val vaultAddress: Property<String> = project.objects.property()
+
+ @Input
+ @Optional
+ val vaultToken: Property<String> = project.objects.property()
+
+ @Input
+ @Optional
+ val vaultTokenFilePath: Property<String> = project.objects.property()
+
+ @Input
+ @Optional
+ val maxRetries: Property<Int> = project.objects.property()
+
+ @Input
+ @Optional
+ val retryIntervalMilliseconds: Property<Int> = project.objects.property()
+
+ @Internal
+ // actually used as output...
+ val secret: MapProperty<String, String> = project.objects.mapProperty()
+
+ @TaskAction
+ fun execute() {
+ val token = determineToken(vaultToken = vaultToken.orNull, vaultTokenFilePath = vaultTokenFilePath.orNull)
+ val address = determinAddress(vaultAddress = vaultAddress.orNull)
+ val maxRetries = maxRetries.getOrElse(MAX_RETRIES)
+ val retryIntervalMilliseconds = retryIntervalMilliseconds.getOrElse(RETRY_INTERVAL_MILLI)
+ val path = secretPath.get()
+ println("[vault] getting `$path` from $address")
+ secret.set(
+ VaultClient(
+ token = token,
+ vaultAddress = address,
+ maxRetries = maxRetries,
+ retryIntervalMilliseconds = retryIntervalMilliseconds
+ ).get(path)
+ )
+ }
+
+ companion object {
+ fun determineToken(vaultToken: String?, vaultTokenFilePath: String?): String {
+ val finalVaultToken = vaultToken ?: System.getenv()[VAULT_TOKEN_ENV]?.trim()
+ val finalVaultTokenFilePath = vaultTokenFilePath ?: System.getenv()[VAULT_TOKEN_FILE_PATH_ENV]?.trim()
+ return when {
+ finalVaultToken != null -> finalVaultToken.trim()
+ finalVaultTokenFilePath != null -> File(finalVaultTokenFilePath).apply {
+ if (exists().not()) error("vault token file doesn't exist!")
+ }.let {
+ return@let it.readText().trim()
+ }
+ else -> error("neither `vaultToken` nor `vaultTokenFilePath` nor `$VAULT_TOKEN_FILE_PATH_ENV` env var nor `$VAULT_TOKEN_ENV` env var provided!")
+ }
+ }
+
+ fun determinAddress(vaultAddress: String?): String {
+ val finalVaultAddress = vaultAddress ?: System.getenv()[VAULT_ADDR_ENV]
+ return finalVaultAddress?.trim() ?: error("neither `vaultAddress` nor `$VAULT_ADDR_ENV` env var provided!")
+ }
+ }
+}

src/main/kotlin/com/liftric/vault/VaultClient.kt

@@ -2,32 +2,70 @@ package com.liftric.vault
 
 import com.bettercloud.vault.Vault
 import com.bettercloud.vault.VaultConfig
+import com.bettercloud.vault.VaultException
 
 /**
  * Actual client connecting to the configured vault server
  */
 class VaultClient(
- private val extension: VaultClientExtension,
- token: String
+ token: String,
+ private val vaultAddress: String,
+ private val maxRetries: Int,
+ private val retryIntervalMilliseconds: Int
 ) {
  private val config by lazy {
- VaultConfig()
- .address(extension.vaultAddress)
- .token(token)
- .build()
+ try {
+ VaultConfig()
+ .address(vaultAddress)
+ .token(token)
+ .build()
+ } catch (e: VaultException) {
+ println("[vault] exception while creating vault client for $vaultAddress: ${e.message}")
+ throw e
+ }
+ }
+ private val vault by lazy {
+ try {
+ Vault(config)
+ } catch (e: VaultException) {
+ println(
+ "[vault] exception while preparing vault client config for $vaultAddress: ${e.message} - token valid?"
+ .replace('\n', '#')
+ )
+ throw e
+ }
+ }
+
+ fun get(secretPath: String): Map<String, String> {
+ verifyTokenValid()
+ return try {
+ vault.withRetries(maxRetries, retryIntervalMilliseconds)
+ .logical()
+ .read(secretPath)
+ .data.also {
+ if (it.isEmpty()) error("[vault] secret response contains no data - secret exists? token has correct rights to access it?")
+ }
+ } catch (e: VaultException) {
+ println(
+ "[vault] exception while calling vault at $vaultAddress: ${e.message} - secret exists? token has correct rights to access it?"
+ .replace('\n', '#')
+ )
+ if (vaultAddress.startsWith("https").not()) {
+ println("[vault] is your vault address correct? It doesn't start with https!")
+ }
+ throw e
+ }
  }
- private val vault by lazy { Vault(config) }
 
- fun get(secretPath: String): Map<String, String> = try {
- vault.withRetries(extension.maxRetries, extension.retryIntervalMilliseconds)
- .logical()
-  .read(secretPath)
- .data
- } catch (e: Exception) {
- println("[vault] exception while calling vault at ${extension.vaultAddress}: ${e.message}")
- if (extension.vaultAddress?.startsWith("https") == false) {
- println("[vault] is your vault address correct? It doesn't start with https!")
+ private fun verifyTokenValid() {
+ try {
+ vault.auth().lookupSelf()
+ } catch (e: VaultException) {
+ println(
+  "[vault] exception while verifying vault token validity for $vaultAddress: ${e.message}"
+  .replace('\n', '#')
+  )
+ throw e
  }
- throw e
  }
 }