Polishing.

Update documentation, extract base class for GCP IAM authentication options.

Closes gh-600.
Original pull request: gh-619.

Author: mp911de

spring-vault-core/pom.xml

@@ -197,6 +197,7 @@
 		<dependency>
 			<groupId>com.google.cloud</groupId>
 			<artifactId>google-cloud-iamcredentials</artifactId>
+			<optional>true</optional>
 			<exclusions>
 				<exclusion>
 					<groupId>com.fasterxml.jackson.core</groupId>
@@ -211,7 +212,6 @@
 					<groupId>commons-logging</groupId>
 				</exclusion>
 			</exclusions>
-			<optional>true</optional>
 		</dependency>
 
 		<dependency>

spring-vault-core/src/main/java/org/springframework/vault/authentication/DefaultGcpCredentialsAccessors.java renamed to spring-vault-core/src/main/java/org/springframework/vault/authentication/DefaultGoogleCredentialsAccessors.java

@@ -21,14 +21,14 @@
 import com.google.auth.oauth2.ServiceAccountCredentials;
 
 /**
- * Default implementation of {@link GcpCredentialsAccountIdAccessor}. Used by
+ * Default implementation of {@link GoogleCredentialsAccountIdAccessor}. Used by
  * {@link GcpIamCredentialsAuthentication}.
  *
  * @author Andreas Gebauer
- * @since 2.4
+ * @since 2.3.2
  * @see GcpIamCredentialsAuthentication
  */
-enum DefaultGcpCredentialsAccessors implements GcpCredentialsAccountIdAccessor {
+enum DefaultGoogleCredentialsAccessors implements GoogleCredentialsAccountIdAccessor {
 
 	INSTANCE;
 

spring-vault-core/src/main/java/org/springframework/vault/authentication/GcpIamAuthentication.java

@@ -41,7 +41,8 @@
 
 /**
  * GCP IAM login implementation using GCP IAM service accounts to legitimate its
- * authenticity via JSON Web Token.
+ * authenticity via JSON Web Token using the deprecated IAM
+ * {@code projects.serviceAccounts.signJwt} method.
  * <p/>
  * This authentication method uses Googles IAM API to obtain a signed token for a specific
  * {@link com.google.api.client.auth.oauth2.Credential}. Project and service account
@@ -64,7 +65,7 @@
  * @see <a href=
  * "https://cloud.google.com/iam/reference/rest/v1/projects.serviceAccounts/signJwt">GCP:
  * projects.serviceAccounts.signJwt</a>
- * @deprecated Use {@link GcpIamCredentialsAuthentication} instead.
+ * @deprecated since 2.3.2, use {@link GcpIamCredentialsAuthentication} instead.
  */
 @Deprecated
 public class GcpIamAuthentication extends GcpJwtAuthenticationSupport implements ClientAuthentication {

spring-vault-core/src/main/java/org/springframework/vault/authentication/GcpIamAuthenticationOptions.java

@@ -36,35 +36,15 @@
  * @see GcpIamAuthentication
  * @see #builder()
  * @since 2.1
+ * @deprecated since 2.3.2
  */
-public class GcpIamAuthenticationOptions {
+@Deprecated
+public class GcpIamAuthenticationOptions extends GcpIamAuthenticationSupport {
 
 	public static final String DEFAULT_GCP_AUTHENTICATION_PATH = "gcp";
 
-	/**
-	 * Path of the gcp authentication backend mount.
-	 */
-	private final String path;
-
 	private final GcpCredentialSupplier credentialSupplier;
 
-	/**
-	 * Name of the role against which the login is being attempted. If role is not
-	 * specified, the friendly name (i.e., role name or username) of the IAM principal
-	 * authenticated. If a matching role is not found, login fails.
-	 */
-	private final String role;
-
-	/**
-	 * JWT validity/expiration.
-	 */
-	private final Duration jwtValidity;
-
-	/**
-	 * {@link Clock} to calculate JWT expiration.
-	 */
-	private final Clock clock;
-
 	/**
 	 * Provide the service account id to use as sub/iss claims.
 	 */
@@ -79,11 +59,9 @@ private GcpIamAuthenticationOptions(String path, GcpCredentialSupplier credentia
 			Duration jwtValidity, Clock clock, GcpServiceAccountIdAccessor serviceAccountIdSupplier,
 			GcpProjectIdAccessor projectIdAccessor) {
 
-		this.path = path;
+		super(path, role, jwtValidity, clock);
+
 		this.credentialSupplier = credentialSupplier;
-		this.role = role;
-		this.jwtValidity = jwtValidity;
-		this.clock = clock;
 		this.serviceAccountIdAccessor = serviceAccountIdSupplier;
 		this.projectIdAccessor = projectIdAccessor;
 	}
@@ -95,41 +73,13 @@ public static GcpIamAuthenticationOptionsBuilder builder() {
 		return new GcpIamAuthenticationOptionsBuilder();
 	}
 
-	/**
-	 * @return the path of the gcp authentication backend mount.
-	 */
-	public String getPath() {
-		return this.path;
-	}
-
 	/**
 	 * @return the gcp {@link Credential} supplier.
 	 */
 	public GcpCredentialSupplier getCredentialSupplier() {
 		return this.credentialSupplier;
 	}
 
-	/**
-	 * @return name of the role against which the login is being attempted.
-	 */
-	public String getRole() {
-		return this.role;
-	}
-
-	/**
-	 * @return {@link Duration} of the JWT to generate.
-	 */
-	public Duration getJwtValidity() {
-		return this.jwtValidity;
-	}
-
-	/**
-	 * @return {@link Clock} used to calculate epoch seconds until the JWT expires.
-	 */
-	public Clock getClock() {
-		return this.clock;
-	}
-
 	/**
 	 * @return the service account id to use as sub/iss claims.
 	 * @since 2.1

spring-vault-core/src/main/java/org/springframework/vault/authentication/GcpIamAuthenticationSupport.java

@@ -0,0 +1,91 @@
+/*
+ * Copyright 2018-2021 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.vault.authentication;
+
+import java.time.Clock;
+import java.time.Duration;
+
+/**
+ * Support class for Google Cloud IAM-based Authentication options.
+ * <p/>
+ * Mainly to support implementations within the framework.
+ *
+ * @author Mark Paluch
+ * @since 2.3.2
+ * @see GcpIamAuthenticationOptions
+ * @see GcpIamCredentialsAuthenticationOptions
+ */
+public abstract class GcpIamAuthenticationSupport {
+
+	/**
+	 * Path of the gcp authentication backend mount.
+	 */
+	private final String path;
+
+	/**
+	 * Name of the role against which the login is being attempted. If role is not
+	 * specified, the friendly name (i.e., role name or username) of the IAM principal
+	 * authenticated. If a matching role is not found, login fails.
+	 */
+	private final String role;
+
+	/**
+	 * JWT validity/expiration.
+	 */
+	private final Duration jwtValidity;
+
+	/**
+	 * {@link Clock} to calculate JWT expiration.
+	 */
+	private final Clock clock;
+
+	protected GcpIamAuthenticationSupport(String path, String role, Duration jwtValidity, Clock clock) {
+
+		this.path = path;
+		this.role = role;
+		this.jwtValidity = jwtValidity;
+		this.clock = clock;
+	}
+
+	/**
+	 * @return the path of the gcp authentication backend mount.
+	 */
+	public String getPath() {
+		return this.path;
+	}
+
+	/**
+	 * @return name of the role against which the login is being attempted.
+	 */
+	public String getRole() {
+		return this.role;
+	}
+
+	/**
+	 * @return {@link Duration} of the JWT to generate.
+	 */
+	public Duration getJwtValidity() {
+		return this.jwtValidity;
+	}
+
+	/**
+	 * @return {@link Clock} used to calculate epoch seconds until the JWT expires.
+	 */
+	public Clock getClock() {
+		return this.clock;
+	}
+
+}

spring-vault-core/src/main/java/org/springframework/vault/authentication/GcpIamCredentialsAuthentication.java

@@ -39,8 +39,9 @@
 import com.google.cloud.iam.credentials.v1.stub.IamCredentialsStubSettings;
 
 /**
- * GCP IAM credentials login implementation using GCP IAM service accounts to legitimate
- * its authenticity via JSON Web Token.
+ * Google Cloud IAM credentials login implementation using GCP IAM service accounts to
+ * legitimate its authenticity via JSON Web Token using the IAM Credentials
+ * {@code projects.serviceAccounts.signJwt} method.
  * <p/>
  * This authentication method uses Googles IAM Credentials API to obtain a signed token
  * for a specific {@link com.google.api.client.auth.oauth2.Credential}. Service account
@@ -50,7 +51,8 @@
  * {@link GcpIamCredentialsAuthentication} uses Google Java API that uses synchronous API.
  *
  * @author Andreas Gebauer
- * @since 2.4
+ * @author Mark Paluch
+ * @since 2.3.2
  * @see GcpIamCredentialsAuthenticationOptions
  * @see HttpTransport
  * @see GoogleCredentials