Add support for RestClient.

We now accept RestClient instances for our authentication implementations and to construct VaultTemplate. The config part remains as-is without exposing RestClient any further through VaultTemplate.

Closes gh-941

Author: mp911de

spring-vault-core/src/main/java/org/springframework/vault/authentication/AppRoleAuthentication.java

@@ -40,6 +40,7 @@
 import org.springframework.vault.support.VaultResponse;
 import org.springframework.vault.support.VaultToken;
 import org.springframework.web.client.HttpStatusCodeException;
+import org.springframework.web.client.RestClient;
 import org.springframework.web.client.RestClientException;
 import org.springframework.web.client.RestOperations;
 
@@ -67,7 +68,7 @@ public class AppRoleAuthentication implements ClientAuthentication, Authenticati
 
 	private final AppRoleAuthenticationOptions options;
 
-	private final RestOperations restOperations;
+	private final ClientAdapter adapter;
 
 	/**
 	 * Create a {@link AppRoleAuthentication} using {@link AppRoleAuthenticationOptions}
@@ -81,7 +82,23 @@ public AppRoleAuthentication(AppRoleAuthenticationOptions options, RestOperation
 		Assert.notNull(restOperations, "RestOperations must not be null");
 
 		this.options = options;
-		this.restOperations = restOperations;
+		this.adapter = ClientAdapter.from(restOperations);
+	}
+
+	/**
+	 * Create a {@link AppRoleAuthentication} using {@link AppRoleAuthenticationOptions}
+	 * and {@link RestClient}.
+	 * @param options must not be {@literal null}.
+	 * @param client must not be {@literal null}.
+	 * @since 4.0
+	 */
+	public AppRoleAuthentication(AppRoleAuthenticationOptions options, RestClient client) {
+
+		Assert.notNull(options, "AppRoleAuthenticationOptions must not be null");
+		Assert.notNull(client, "RestClient must not be null");
+
+		this.options = options;
+		this.adapter = ClientAdapter.from(client);
 	}
 
 	/**
@@ -186,7 +203,7 @@ private VaultToken createTokenUsingAppRole() {
 		Map<String, String> login = getAppRoleLoginBody(this.options.getRoleId(), this.options.getSecretId());
 
 		try {
-			VaultResponse response = this.restOperations.postForObject(getLoginPath(this.options.getPath()), login,
+			VaultResponse response = this.adapter.postForObject(getLoginPath(this.options.getPath()), login,
 					VaultResponse.class);
 
 			Assert.state(response != null && response.getAuth() != null, "Auth field must not be null");
@@ -212,7 +229,7 @@ private String getRoleId(RoleId roleId) throws VaultLoginException {
 
 			try {
 
-				ResponseEntity<VaultResponse> entity = this.restOperations.exchange(getRoleIdIdPath(this.options),
+				ResponseEntity<VaultResponse> entity = this.adapter.exchange(getRoleIdIdPath(this.options),
 						HttpMethod.GET, createHttpEntity(token), VaultResponse.class);
 				return (String) ResponseUtil.getRequiredValue(entity, "role_id");
 			}
@@ -228,7 +245,7 @@ private String getRoleId(RoleId roleId) throws VaultLoginException {
 
 			try {
 				UnwrappingEndpoints unwrappingEndpoints = this.options.getUnwrappingEndpoints();
-				ResponseEntity<VaultResponse> entity = this.restOperations.exchange(unwrappingEndpoints.getPath(),
+				ResponseEntity<VaultResponse> entity = this.adapter.exchange(unwrappingEndpoints.getPath(),
 						unwrappingEndpoints.getUnwrapRequestMethod(), createHttpEntity(token), VaultResponse.class);
 
 				VaultResponse response = unwrappingEndpoints.unwrap(ResponseUtil.getRequiredBody(entity));
@@ -256,7 +273,7 @@ private String getSecretId(SecretId secretId) throws VaultLoginException {
 			VaultToken token = ((Pull) secretId).getInitialToken();
 
 			try {
-				VaultResponse response = this.restOperations.postForObject(getSecretIdPath(this.options),
+				VaultResponse response = this.adapter.postForObject(getSecretIdPath(this.options),
 						createHttpEntity(token), VaultResponse.class);
 				return (String) ResponseUtil.getRequiredData(response).get("secret_id");
 			}
@@ -273,7 +290,7 @@ private String getSecretId(SecretId secretId) throws VaultLoginException {
 			try {
 
 				UnwrappingEndpoints unwrappingEndpoints = this.options.getUnwrappingEndpoints();
-				ResponseEntity<VaultResponse> entity = this.restOperations.exchange(unwrappingEndpoints.getPath(),
+				ResponseEntity<VaultResponse> entity = this.adapter.exchange(unwrappingEndpoints.getPath(),
 						unwrappingEndpoints.getUnwrapRequestMethod(), createHttpEntity(token), VaultResponse.class);
 
 				VaultResponse response = unwrappingEndpoints.unwrap(ResponseUtil.getRequiredBody(entity));

spring-vault-core/src/main/java/org/springframework/vault/authentication/AuthenticationStepsExecutor.java

@@ -37,6 +37,7 @@
 import org.springframework.vault.support.VaultResponse;
 import org.springframework.vault.support.VaultToken;
 import org.springframework.web.client.HttpStatusCodeException;
+import org.springframework.web.client.RestClient;
 import org.springframework.web.client.RestOperations;
 
 /**
@@ -53,7 +54,7 @@ public class AuthenticationStepsExecutor implements ClientAuthentication {
 
 	private final AuthenticationSteps chain;
 
-	private final RestOperations restOperations;
+	private final ClientAdapter adapter;
 
 	/**
 	 * Create a new {@link AuthenticationStepsExecutor} given {@link AuthenticationSteps}
@@ -67,7 +68,22 @@ public AuthenticationStepsExecutor(AuthenticationSteps steps, RestOperations res
 		Assert.notNull(restOperations, "RestOperations must not be null");
 
 		this.chain = steps;
-		this.restOperations = restOperations;
+		this.adapter = ClientAdapter.from(restOperations);
+	}
+
+	/**
+	 * Create a new {@link AuthenticationStepsExecutor} given {@link AuthenticationSteps}
+	 * and {@link RestOperations}.
+	 * @param steps must not be {@literal null}.
+	 * @param client must not be {@literal null}.
+	 */
+	public AuthenticationStepsExecutor(AuthenticationSteps steps, RestClient client) {
+
+		Assert.notNull(steps, "AuthenticationSteps must not be null");
+		Assert.notNull(client, "RestClient must not be null");
+
+		this.chain = steps;
+		this.adapter = ClientAdapter.from(client);
 	}
 
 	@Override
@@ -152,16 +168,16 @@ public VaultToken login() throws VaultException {
 
 		if (definition.getUriTemplate() != null) {
 
-			ResponseEntity<?> exchange = this.restOperations.exchange(definition.getUriTemplate(),
-					definition.getMethod(), getEntity(definition.getEntity(), state), definition.getResponseType(),
+			ResponseEntity<?> exchange = this.adapter.exchange(definition.getUriTemplate(), definition.getMethod(),
+					getEntity(definition.getEntity(), state), definition.getResponseType(),
 					(Object[]) definition.getUrlVariables());
 
 			return exchange.getBody();
 		}
 
 		if (definition.getUri() != null) {
 
-			ResponseEntity<?> exchange = this.restOperations.exchange(definition.getUri(), definition.getMethod(),
+			ResponseEntity<?> exchange = this.adapter.exchange(definition.getUri(), definition.getMethod(),
 					getEntity(definition.getEntity(), state), definition.getResponseType());
 
 			return exchange.getBody();

spring-vault-core/src/main/java/org/springframework/vault/authentication/AwsEc2Authentication.java

@@ -36,6 +36,7 @@
 import org.springframework.vault.support.VaultResponse;
 import org.springframework.vault.support.VaultToken;
 import org.springframework.web.client.HttpClientErrorException;
+import org.springframework.web.client.RestClient;
 import org.springframework.web.client.RestClientException;
 import org.springframework.web.client.RestOperations;
 
@@ -64,9 +65,9 @@ public class AwsEc2Authentication implements ClientAuthentication, Authenticatio
 
 	private final AwsEc2AuthenticationOptions options;
 
-	private final RestOperations vaultRestOperations;
+	private final ClientAdapter vaultAdapter;
 
-	private final RestOperations awsMetadataRestOperations;
+	private final ClientAdapter awsMetadataAdapter;
 
 	private final AtomicReference<char[]> nonce = new AtomicReference<>(EMPTY);
 
@@ -94,8 +95,38 @@ public AwsEc2Authentication(AwsEc2AuthenticationOptions options, RestOperations
 		Assert.notNull(awsMetadataRestOperations, "AWS Metadata RestOperations must not be null");
 
 		this.options = options;
-		this.vaultRestOperations = vaultRestOperations;
-		this.awsMetadataRestOperations = awsMetadataRestOperations;
+		this.vaultAdapter = ClientAdapter.from(vaultRestOperations);
+		this.awsMetadataAdapter = ClientAdapter.from(awsMetadataRestOperations);
+	}
+
+	/**
+	 * Create a new {@link AwsEc2Authentication}.
+	 * @param vaultClient must not be {@literal null}.
+	 * @since 4.0
+	 */
+	public AwsEc2Authentication(RestClient vaultClient) {
+		this(AwsEc2AuthenticationOptions.DEFAULT, vaultClient, vaultClient);
+	}
+
+	/**
+	 * Create a new {@link AwsEc2Authentication} specifying
+	 * {@link AwsEc2AuthenticationOptions}, a Vault and an AWS-Metadata-specific
+	 * {@link RestClient}.
+	 * @param options must not be {@literal null}.
+	 * @param vaultClient must not be {@literal null}.
+	 * @param awsMetadataClient must not be {@literal null}.
+	 * @since 4.0
+	 */
+	public AwsEc2Authentication(AwsEc2AuthenticationOptions options, RestClient vaultClient,
+			RestClient awsMetadataClient) {
+
+		Assert.notNull(options, "AwsEc2AuthenticationOptions must not be null");
+		Assert.notNull(vaultClient, "Vault RestClient must not be null");
+		Assert.notNull(awsMetadataClient, "AWS Metadata RestClient must not be null");
+
+		this.options = options;
+		this.vaultAdapter = ClientAdapter.from(vaultClient);
+		this.awsMetadataAdapter = ClientAdapter.from(awsMetadataClient);
 	}
 
 	/**
@@ -179,7 +210,7 @@ private VaultToken createTokenUsingAwsEc2() {
 
 		try {
 
-			VaultResponse response = this.vaultRestOperations
+			VaultResponse response = this.vaultAdapter
 				.postForObject(AuthenticationUtil.getLoginPath(this.options.getPath()), login, VaultResponse.class);
 
 			Assert.state(response != null && response.getAuth() != null, "Auth field must not be null");
@@ -225,8 +256,8 @@ protected Map<String, String> getEc2Login() {
 		try {
 
 			HttpEntity<Object> entity = new HttpEntity<>(headers);
-			ResponseEntity<String> exchange = this.awsMetadataRestOperations
-				.exchange(this.options.getIdentityDocumentUri(), HttpMethod.GET, entity, String.class);
+			ResponseEntity<String> exchange = this.awsMetadataAdapter.exchange(this.options.getIdentityDocumentUri(),
+					HttpMethod.GET, entity, String.class);
 			if (!exchange.getStatusCode().is2xxSuccessful()) {
 				throw new HttpClientErrorException(exchange.getStatusCode());
 			}
@@ -250,7 +281,7 @@ private String createIMDSv2Token() {
 
 			HttpEntity<Object> entity = new HttpEntity<>(createTokenRequestHeaders(this.options));
 
-			ResponseEntity<String> exchange = this.awsMetadataRestOperations
+			ResponseEntity<String> exchange = this.awsMetadataAdapter
 				.exchange(this.options.getMetadataTokenRequestUri(), HttpMethod.PUT, entity, String.class);
 			if (!exchange.getStatusCode().is2xxSuccessful()) {
 				throw new HttpClientErrorException(exchange.getStatusCode());

spring-vault-core/src/main/java/org/springframework/vault/authentication/AwsIamAuthentication.java

@@ -26,8 +26,6 @@
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import software.amazon.awssdk.auth.credentials.AwsCredentials;
-import software.amazon.awssdk.auth.signer.Aws4Signer;
-import software.amazon.awssdk.auth.signer.params.Aws4SignerParams;
 import software.amazon.awssdk.http.ContentStreamProvider;
 import software.amazon.awssdk.http.SdkHttpFullRequest;
 import software.amazon.awssdk.http.SdkHttpMethod;
@@ -44,6 +42,7 @@
 import org.springframework.vault.support.JacksonCompat;
 import org.springframework.vault.support.VaultResponse;
 import org.springframework.vault.support.VaultToken;
+import org.springframework.web.client.RestClient;
 import org.springframework.web.client.RestClientException;
 import org.springframework.web.client.RestOperations;
 
@@ -84,12 +83,11 @@ public class AwsIamAuthentication implements ClientAuthentication, Authenticatio
 
 	private final AwsIamAuthenticationOptions options;
 
-	private final RestOperations vaultRestOperations;
+	private final ClientAdapter adapter;
 
 	/**
 	 * Create a new {@link AwsIamAuthentication} specifying
-	 * {@link AwsIamAuthenticationOptions}, a Vault and an AWS-Metadata-specific
-	 * {@link RestOperations}.
+	 * {@link AwsIamAuthenticationOptions} and a Vault {@link RestOperations}.
 	 * @param options must not be {@literal null}.
 	 * @param vaultRestOperations must not be {@literal null}.
 	 */
@@ -99,7 +97,22 @@ public AwsIamAuthentication(AwsIamAuthenticationOptions options, RestOperations
 		Assert.notNull(vaultRestOperations, "Vault RestOperations must not be null");
 
 		this.options = options;
-		this.vaultRestOperations = vaultRestOperations;
+		this.adapter = ClientAdapter.from(vaultRestOperations);
+	}
+
+	/**
+	 * Create a new {@link AwsIamAuthentication} specifying
+	 * {@link AwsIamAuthenticationOptions} and a Vault {@link RestClient}.
+	 * @param options must not be {@literal null}.
+	 * @param vaultClient must not be {@literal null}.
+	 */
+	public AwsIamAuthentication(AwsIamAuthenticationOptions options, RestClient vaultClient) {
+
+		Assert.notNull(options, "AwsIamAuthenticationOptions must not be null");
+		Assert.notNull(vaultClient, "Vault RestOperations must not be null");
+
+		this.options = options;
+		this.adapter = ClientAdapter.from(vaultClient);
 	}
 
 	/**
@@ -146,8 +159,8 @@ private VaultToken createTokenUsingAwsIam() {
 
 		try {
 
-			VaultResponse response = this.vaultRestOperations
-				.postForObject(AuthenticationUtil.getLoginPath(this.options.getPath()), login, VaultResponse.class);
+			VaultResponse response = this.adapter.postForObject(AuthenticationUtil.getLoginPath(this.options.getPath()),
+					login, VaultResponse.class);
 
 			Assert.state(response != null && response.getAuth() != null, "Auth field must not be null");
 

spring-vault-core/src/main/java/org/springframework/vault/authentication/AzureMsiAuthentication.java

@@ -32,6 +32,7 @@
 import org.springframework.vault.authentication.AuthenticationSteps.Node;
 import org.springframework.vault.support.VaultResponse;
 import org.springframework.vault.support.VaultToken;
+import org.springframework.web.client.RestClient;
 import org.springframework.web.client.RestClientException;
 import org.springframework.web.client.RestOperations;
 
@@ -67,9 +68,9 @@ public class AzureMsiAuthentication implements ClientAuthentication, Authenticat
 
 	private final AzureMsiAuthenticationOptions options;
 
-	private final RestOperations vaultRestOperations;
+	private final ClientAdapter vaultAdapter;
 
-	private final RestOperations azureMetadataRestOperations;
+	private final ClientAdapter azureMetadataAdapter;
 
 	/**
 	 * Create a new {@link AzureMsiAuthentication}.
@@ -96,8 +97,38 @@ public AzureMsiAuthentication(AzureMsiAuthenticationOptions options, RestOperati
 		Assert.notNull(azureMetadataRestOperations, "Azure Instance Metadata RestOperations must not be null");
 
 		this.options = options;
-		this.vaultRestOperations = vaultRestOperations;
-		this.azureMetadataRestOperations = azureMetadataRestOperations;
+		this.vaultAdapter = ClientAdapter.from(vaultRestOperations);
+		this.azureMetadataAdapter = ClientAdapter.from(azureMetadataRestOperations);
+	}
+
+	/**
+	 * Create a new {@link AzureMsiAuthentication}.
+	 * @param options must not be {@literal null}.
+	 * @param client must not be {@literal null}.
+	 * @since 4.0
+	 */
+	public AzureMsiAuthentication(AzureMsiAuthenticationOptions options, RestClient client) {
+		this(options, client, client);
+	}
+
+	/**
+	 * Create a new {@link AzureMsiAuthentication} specifying
+	 * {@link AzureMsiAuthenticationOptions}, a Vault and an Azure-Metadata-specific
+	 * {@link RestClient}.
+	 * @param options must not be {@literal null}.
+	 * @param vaultClient must not be {@literal null}.
+	 * @param azureMetadataClient must not be {@literal null}.
+	 */
+	public AzureMsiAuthentication(AzureMsiAuthenticationOptions options, RestClient vaultClient,
+			RestClient azureMetadataClient) {
+
+		Assert.notNull(options, "AzureAuthenticationOptions must not be null");
+		Assert.notNull(vaultClient, "Vault RestOperations must not be null");
+		Assert.notNull(azureMetadataClient, "Azure Instance Metadata RestOperations must not be null");
+
+		this.options = options;
+		this.vaultAdapter = ClientAdapter.from(vaultClient);
+		this.azureMetadataAdapter = ClientAdapter.from(azureMetadataClient);
 	}
 
 	/**
@@ -156,7 +187,7 @@ private VaultToken createTokenUsingAzureMsiCompute() {
 
 		try {
 
-			VaultResponse response = this.vaultRestOperations
+			VaultResponse response = this.vaultAdapter
 				.postForObject(AuthenticationUtil.getLoginPath(this.options.getPath()), login, VaultResponse.class);
 
 			Assert.state(response != null, "Auth field must not be null");
@@ -188,8 +219,8 @@ private static Map<String, String> getAzureLogin(String role, AzureVmEnvironment
 	@SuppressWarnings({ "NullAway", "rawtypes" })
 	private String getAccessToken() {
 
-		ResponseEntity<Map> response = this.azureMetadataRestOperations
-			.exchange(this.options.getIdentityTokenServiceUri(), HttpMethod.GET, METADATA_HEADERS, Map.class);
+		ResponseEntity<Map> response = this.azureMetadataAdapter.exchange(this.options.getIdentityTokenServiceUri(),
+				HttpMethod.GET, METADATA_HEADERS, Map.class);
 
 		return (String) ResponseUtil.getRequiredBody(response).get("access_token");
 	}
@@ -204,8 +235,8 @@ private AzureVmEnvironment getVmEnvironment() {
 	@SuppressWarnings({ "unchecked", "rawtypes" })
 	private AzureVmEnvironment fetchAzureVmEnvironment() {
 
-		ResponseEntity<Map> response = this.azureMetadataRestOperations
-			.exchange(this.options.getInstanceMetadataServiceUri(), HttpMethod.GET, METADATA_HEADERS, Map.class);
+		ResponseEntity<Map> response = this.azureMetadataAdapter.exchange(this.options.getInstanceMetadataServiceUri(),
+				HttpMethod.GET, METADATA_HEADERS, Map.class);
 
 		return toAzureVmEnvironment(ResponseUtil.getRequiredBody(response));
 	}