Propagate failure to detect MountInfo.

mp911de · mp911de · commit 012b4bda3e68 · 2025-07-18T15:06:03.000+02:00
We now propagate failures to detect the MountInfo to simplify problem analysis when using repositories, the Key-Value API and Property Sources. Closes gh-929
diff --git a/spring-vault-core/src/main/java/org/springframework/vault/core/util/KeyValueDelegate.java b/spring-vault-core/src/main/java/org/springframework/vault/core/util/KeyValueDelegate.java
@@ -22,14 +22,16 @@
 
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
-
 import org.jspecify.annotations.Nullable;
+
+import org.springframework.http.HttpStatus;
 import org.springframework.util.ConcurrentReferenceHashMap;
 import org.springframework.util.StringUtils;
 import org.springframework.vault.VaultException;
 import org.springframework.vault.core.VaultKeyValueOperationsSupport.KeyValueBackend;
 import org.springframework.vault.core.VaultOperations;
 import org.springframework.vault.support.VaultResponse;
+import org.springframework.web.client.RestClientResponseException;
 
 /**
  * Key-Value utility to retrieve secrets from a versioned key-value backend. For internal
@@ -132,19 +134,22 @@ public MountInfo getMountInfo(String path) {
 			try {
 				mountInfo = doGetMountInfo(path);
 			}
-			catch (VaultException e) {
-				if (logger.isDebugEnabled()) {
-					logger.debug("Unable to determine mount information for [%s]. Returning unavailable MountInfo: %s"
-						.formatted(path, e.getMessage()), e);
-				}
-				return MountInfo.unavailable();
-			}
 			catch (RuntimeException e) {
-				if (logger.isDebugEnabled()) {
-					logger.debug("Unable to determine mount information for [%s]. Caching unavailable MountInfo: %s"
-						.formatted(path, e.getMessage()), e);
+
+				if (e.getCause() instanceof RestClientResponseException rcx
+						&& rcx.getStatusCode().value() == HttpStatus.FORBIDDEN.value()) {
+
+					if (logger.isDebugEnabled()) {
+						logger
+							.debug("Unable to determine mount information for [%s]. Returning unavailable MountInfo: %s"
+								.formatted(path, e.getMessage()), e);
+					}
+
+					return MountInfo.unavailable();
 				}
-				mountInfo = MountInfo.unavailable();
+
+				throw new VaultException(
+						"Cannot determine MountInfo for path '%s' using 'sys/internal/ui/mounts'".formatted(path), e);
 			}
 
 			this.mountInfo.put(path, mountInfo);
diff --git a/spring-vault-core/src/test/java/org/springframework/vault/core/env/VaultPropertySourceUnitTests.java b/spring-vault-core/src/test/java/org/springframework/vault/core/env/VaultPropertySourceUnitTests.java
@@ -19,10 +19,13 @@
 import java.util.LinkedHashMap;
 import java.util.Map;
 
+import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.extension.ExtendWith;
 import org.mockito.Mock;
 import org.mockito.junit.jupiter.MockitoExtension;
+import org.mockito.junit.jupiter.MockitoSettings;
+import org.mockito.quality.Strictness;
 
 import org.springframework.vault.VaultException;
 import org.springframework.vault.core.VaultTemplate;
@@ -38,16 +41,26 @@
  * @author Mark Paluch
  */
 @ExtendWith(MockitoExtension.class)
+@MockitoSettings(strictness = Strictness.LENIENT)
 class VaultPropertySourceUnitTests {
 
 	@Mock
 	VaultTemplate vaultTemplate;
 
+	@BeforeEach
+	void setUp() {
+
+		VaultResponse mountInfo = new VaultResponse();
+		Map<String, Object> data = Map.of("path", "data", "options", Map.of("version", "1"));
+		mountInfo.setData(data);
+
+		when(vaultTemplate.read("sys/internal/ui/mounts/my-secret")).thenReturn(mountInfo);
+	}
+
 	@Test
 	void shouldRejectEmptyPath() {
 		assertThatIllegalArgumentException()
 			.isThrownBy(() -> new VaultPropertySource("hello", this.vaultTemplate, "", PropertyTransformers.noop()));
-
 	}
 
 	@Test
diff --git a/spring-vault-core/src/test/java/org/springframework/vault/core/lease/SecretLeaseContainerUnitTests.java b/spring-vault-core/src/test/java/org/springframework/vault/core/lease/SecretLeaseContainerUnitTests.java
@@ -32,6 +32,8 @@
 import org.mockito.Captor;
 import org.mockito.Mock;
 import org.mockito.junit.jupiter.MockitoExtension;
+import org.mockito.junit.jupiter.MockitoSettings;
+import org.mockito.quality.Strictness;
 
 import org.springframework.http.HttpStatus;
 import org.springframework.scheduling.TaskScheduler;
@@ -51,6 +53,7 @@
 import org.springframework.vault.core.lease.event.SecretLeaseExpiredEvent;
 import org.springframework.vault.core.lease.event.SecretLeaseRotatedEvent;
 import org.springframework.vault.core.lease.event.SecretNotFoundEvent;
+import org.springframework.vault.core.util.KeyValueDelegate;
 import org.springframework.vault.support.LeaseStrategy;
 import org.springframework.vault.support.VaultResponse;
 import org.springframework.web.client.HttpClientErrorException;
@@ -67,6 +70,7 @@
  * @author Thomas Kåsene
  */
 @ExtendWith(MockitoExtension.class)
+@MockitoSettings(strictness = Strictness.LENIENT)
 class SecretLeaseContainerUnitTests {
 
 	@Mock
@@ -97,6 +101,12 @@ void before() throws Exception {
 		this.secretLeaseContainer.addLeaseListener(this.leaseListenerAdapter);
 		this.secretLeaseContainer.addErrorListener(this.leaseListenerAdapter);
 		this.secretLeaseContainer.afterPropertiesSet();
+
+		VaultResponse mountInfo = new VaultResponse();
+		Map<String, Object> data = Map.of("path", "data", "options", Map.of("version", "1"));
+		mountInfo.setData(data);
+
+		when(vaultOperations.read("sys/internal/ui/mounts/my-secret")).thenReturn(mountInfo);
 	}
 
 	@Test
diff --git a/src/main/antora/modules/ROOT/pages/vault/propertysource.adoc b/src/main/antora/modules/ROOT/pages/vault/propertysource.adoc
@@ -10,6 +10,8 @@ NOTE: You can reference properties stored inside Vault in other property sources
 NOTE: Spring Boot/Spring Cloud users can benefit from https://github.com/spring-cloud/spring-cloud-vault-config[Spring Cloud Vault]'s
 configuration integration that initializes various property sources during application startup.
 
+NOTE: Vault determines the mount path through Vault's `sys/internal/ui/mounts/…` endpoint. Make sure that your policy allows accessing that path, otherwise you won't be able to use  Vault Property sources.
+
 == Registering `VaultPropertySource`
 
 Spring Vault provides a javadoc:org.springframework.vault.core.env.VaultPropertySource[] to be used with Vault to obtain
diff --git a/src/main/antora/modules/ROOT/pages/vault/vault-secret-engines.adoc b/src/main/antora/modules/ROOT/pages/vault/vault-secret-engines.adoc
@@ -53,6 +53,8 @@ include::example$KeyValueV1.java[tags=vaultOperations]
 
 You can find more details about the https://www.vaultproject.io/api-docs/secret/kv/kv-v1[Vault Key-Value version 1 API] in the Vault reference documentation.
 
+NOTE: Vault determines the mount path through Vault's `sys/internal/ui/mounts/…` endpoint. Make sure that your policy allows accessing that path, otherwise you won't be able to use the Key-Value API.
+
 [[vault.core.backends.kv2]]
 == Key-Value Version 2 ("versioned secrets")
 
@@ -105,6 +107,8 @@ include::example$KeyValueV2.java[tags=vaultOperations]
 
 You can find more details about the https://www.vaultproject.io/api-docs/secret/kv/kv-v2[Vault Key-Value version 2 API] in the Vault reference documentation.
 
+NOTE: Vault determines the mount path through Vault's `sys/internal/ui/mounts/…` endpoint. Make sure that your policy allows accessing that path, otherwise you won't be able to use the Key-Value API.
+
 [[vault.core.backends.pki]]
 == PKI (Public Key Infrastructure)
 
