Add support for RevisionRepository.

Vault repositories can now implement RevisionRepository to access older secret revisions.

See gh-593

Author: mp911de

spring-vault-core/src/main/java/org/springframework/vault/repository/convert/SecretDocument.java

@@ -22,6 +22,7 @@
 import org.springframework.util.Assert;
 import org.springframework.util.ObjectUtils;
 import org.springframework.vault.support.VaultResponse;
+import org.springframework.vault.support.Versioned;
 
 /**
  * Vault database exchange object containing data before/after it's exchanged with Vault.

spring-vault-core/src/main/java/org/springframework/vault/repository/core/VaultKeyValueAdapter.java

@@ -268,6 +268,14 @@ private VaultKeyValueKeyspaceAccessor getAccessor(String keyspace) {
 
 	}
 
+	public VaultConverter getConverter() {
+		return this.vaultConverter;
+	}
+
+	public VaultOperations getVaultOperations() {
+		return this.vaultOperations;
+	}
+
 	static abstract class VaultKeyValueKeyspaceAccessor {
 
 		private final KeyValueDelegate.MountInfo mountInfo;
@@ -384,8 +392,7 @@ SecretDocument get(String id) {
 				return null;
 			}
 
-			return new SecretDocument(id, versioned.getVersion()
-					.getVersion(), versioned.getRequiredData());
+			return new SecretDocument(id, versioned.getVersion().getVersion(), versioned.getRequiredData());
 		}
 
 		@Override
@@ -401,14 +408,12 @@ SecretDocument put(SecretDocument secretDocument) {
 					metadata = operations.put(createPath(secretDocument.getRequiredId()), secretDocument.getBody());
 				}
 
-				return new SecretDocument(secretDocument.getRequiredId(), metadata.getVersion()
-						.getVersion(),
+				return new SecretDocument(secretDocument.getRequiredId(), metadata.getVersion().getVersion(),
 						secretDocument.getBody());
 			}
 			catch (VaultException e) {
 				if (e.getMessage() != null
-						&& e.getMessage()
-						.contains("check-and-set parameter did not match the current version")) {
+						&& e.getMessage().contains("check-and-set parameter did not match the current version")) {
 					throw new OptimisticLockingFailureException(e.getMessage(), e);
 				}
 

spring-vault-core/src/main/java/org/springframework/vault/repository/core/VaultKeyValueTemplate.java

@@ -28,6 +28,8 @@
 import org.springframework.util.Assert;
 import org.springframework.util.ClassUtils;
 import org.springframework.util.CollectionUtils;
+import org.springframework.vault.core.VaultOperations;
+import org.springframework.vault.repository.convert.VaultConverter;
 import org.springframework.vault.repository.mapping.VaultMappingContext;
 
 /**
@@ -44,8 +46,7 @@ public class VaultKeyValueTemplate extends KeyValueTemplate {
 	private boolean publishEvents = true;
 
 	@SuppressWarnings("rawtypes")
-	private Set<Class<? extends KeyValueEvent>> eventTypesToPublish = Collections
-			.emptySet();
+	private Set<Class<? extends KeyValueEvent>> eventTypesToPublish = Collections.emptySet();
 
 	/**
 	 * Create a new {@link VaultKeyValueTemplate} given {@link KeyValueAdapter} and
@@ -163,8 +164,7 @@ private String resolveKeySpace(Class<?> type) {
 
 	@SuppressWarnings("rawtypes")
 	private KeyValuePersistentEntity<?, ?> getEntity(Class<?> type) {
-		return (KeyValuePersistentEntity) getMappingContext()
-				.getRequiredPersistentEntity(type);
+		return (KeyValuePersistentEntity) getMappingContext().getRequiredPersistentEntity(type);
 	}
 
 	@SuppressWarnings("rawtypes")
@@ -179,4 +179,12 @@ private void potentiallyPublishEvent(KeyValueEvent event) {
 		}
 	}
 
+	public VaultConverter getConverter() {
+		return execute(adapter -> ((VaultKeyValueAdapter) adapter).getConverter());
+	}
+
+	public VaultOperations getVaultOperations() {
+		return execute(adapter -> ((VaultKeyValueAdapter) adapter).getVaultOperations());
+	}
+
 }

spring-vault-core/src/main/java/org/springframework/vault/repository/support/VaultRepositoryFactory.java

@@ -19,10 +19,15 @@
 import org.springframework.data.keyvalue.repository.query.KeyValuePartTreeQuery;
 import org.springframework.data.keyvalue.repository.support.KeyValueRepositoryFactory;
 import org.springframework.data.repository.core.EntityInformation;
+import org.springframework.data.repository.core.RepositoryMetadata;
+import org.springframework.data.repository.core.support.RepositoryComposition;
 import org.springframework.data.repository.core.support.RepositoryFactorySupport;
+import org.springframework.data.repository.core.support.RepositoryFragment;
+import org.springframework.data.repository.history.RevisionRepository;
 import org.springframework.data.repository.query.RepositoryQuery;
 import org.springframework.data.repository.query.parser.AbstractQueryCreator;
 import org.springframework.vault.repository.core.MappingVaultEntityInformation;
+import org.springframework.vault.repository.core.VaultKeyValueTemplate;
 import org.springframework.vault.repository.mapping.VaultPersistentEntity;
 import org.springframework.vault.repository.query.VaultQueryCreator;
 
@@ -54,12 +59,35 @@ public VaultRepositoryFactory(KeyValueOperations keyValueOperations,
 		this.operations = keyValueOperations;
 	}
 
+	@Override
+	protected RepositoryComposition.RepositoryFragments getRepositoryFragments(RepositoryMetadata metadata,
+			KeyValueOperations operations) {
+
+		RepositoryComposition.RepositoryFragments fragments = super.getRepositoryFragments(metadata, operations);
+
+		if (RevisionRepository.class.isAssignableFrom(metadata.getRepositoryInterface())
+				&& operations instanceof VaultKeyValueTemplate) {
+
+			VaultKeyValueTemplate template = (VaultKeyValueTemplate) operations;
+
+			VaultPersistentEntity<?> entity = (VaultPersistentEntity<?>) this.operations.getMappingContext()
+					.getRequiredPersistentEntity(metadata.getDomainType());
+			EntityInformation<?, String> entityInformation = getEntityInformation(metadata.getDomainType());
+			VaultRevisionRepository<?> repository = new VaultRevisionRepository<>(entityInformation,
+					entity.getKeySpace(), template);
+
+			return fragments.append(RepositoryFragment.implemented(repository));
+		}
+
+		return fragments;
+	}
+
 	@Override
 	@SuppressWarnings("unchecked")
 	public <T, ID> EntityInformation<T, ID> getEntityInformation(Class<T> domainClass) {
 
 		VaultPersistentEntity<T> entity = (VaultPersistentEntity<T>) this.operations.getMappingContext()
-				.getPersistentEntity(domainClass);
+				.getRequiredPersistentEntity(domainClass);
 
 		return new MappingVaultEntityInformation<>(entity);
 	}

spring-vault-core/src/main/java/org/springframework/vault/repository/support/VaultRevisionMetadata.java

@@ -0,0 +1,54 @@
+/*
+ * Copyright 2022 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.vault.repository.support;
+
+import java.time.Instant;
+import java.util.Optional;
+
+import org.springframework.data.history.RevisionMetadata;
+import org.springframework.vault.support.Versioned;
+
+/**
+ * @author Mark Paluch
+ */
+public class VaultRevisionMetadata implements RevisionMetadata<Integer> {
+
+	private final Versioned.Metadata metadata;
+
+	public VaultRevisionMetadata(Versioned<?> versioned) {
+		this(versioned.getRequiredMetadata());
+	}
+
+	public VaultRevisionMetadata(Versioned.Metadata metadata) {
+		this.metadata = metadata;
+	}
+
+	@Override
+	public Optional<Integer> getRevisionNumber() {
+		return Optional.of(metadata.getVersion().getVersion());
+	}
+
+	@Override
+	public Optional<Instant> getRevisionInstant() {
+		return Optional.of(metadata.getCreatedAt());
+	}
+
+	@Override
+	public <T> T getDelegate() {
+		return (T) metadata;
+	}
+
+}

spring-vault-core/src/main/java/org/springframework/vault/repository/support/VaultRevisionRepository.java

@@ -0,0 +1,177 @@
+/*
+ * Copyright 2022 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.springframework.vault.repository.support;
+
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+import java.util.Map;
+import java.util.Optional;
+
+import org.springframework.data.domain.Page;
+import org.springframework.data.domain.PageImpl;
+import org.springframework.data.domain.Pageable;
+import org.springframework.data.history.Revision;
+import org.springframework.data.history.Revisions;
+import org.springframework.data.repository.core.EntityInformation;
+import org.springframework.data.repository.history.RevisionRepository;
+import org.springframework.lang.Nullable;
+import org.springframework.util.Assert;
+import org.springframework.vault.core.VaultKeyValueMetadataOperations;
+import org.springframework.vault.core.VaultOperations;
+import org.springframework.vault.core.VaultVersionedKeyValueOperations;
+import org.springframework.vault.core.util.KeyValueDelegate;
+import org.springframework.vault.repository.convert.SecretDocument;
+import org.springframework.vault.repository.convert.VaultConverter;
+import org.springframework.vault.repository.core.VaultKeyValueTemplate;
+import org.springframework.vault.support.VaultMetadataResponse;
+import org.springframework.vault.support.Versioned;
+
+/**
+ * Vault-based {@link RevisionRepository} providing revision metadata for versioned
+ * secrets.
+ *
+ * @author Mark Paluch
+ * @since 2.4
+ */
+public class VaultRevisionRepository<T> implements RevisionRepository<T, String, Integer> {
+
+	private final EntityInformation<T, String> metadata;
+
+	private final String keyspacePath;
+
+	private final VaultVersionedKeyValueOperations operations;
+
+	private final VaultKeyValueMetadataOperations metadataOperations;
+
+	private final VaultConverter converter;
+
+	public VaultRevisionRepository(EntityInformation<T, String> metadata, String keyspace,
+			VaultKeyValueTemplate keyValueTemplate) {
+
+		Assert.notNull(metadata, "EntityInformation must not be null");
+		Assert.notNull(keyValueTemplate, "VaultKeyValueTemplate must not be null");
+
+		this.metadata = metadata;
+		this.converter = keyValueTemplate.getConverter();
+
+		VaultOperations vaultOperations = keyValueTemplate.getVaultOperations();
+
+		KeyValueDelegate delegate = new KeyValueDelegate(vaultOperations);
+		KeyValueDelegate.MountInfo mountInfo = delegate.getMountInfo(keyspace);
+
+		if (!mountInfo.isAvailable()) {
+			throw new IllegalStateException("Mount not available under " + keyspace);
+		}
+
+		if (!delegate.isVersioned(keyspace)) {
+			throw new IllegalStateException("Mount under " + keyspace + " is not versioned");
+		}
+
+		this.keyspacePath = keyspace.substring(mountInfo.getPath().length());
+		this.operations = vaultOperations.opsForVersionedKeyValue(mountInfo.getPath());
+		this.metadataOperations = this.operations.opsForKeyValueMetadata();
+	}
+
+	@Override
+	public Optional<Revision<Integer, T>> findLastChangeRevision(String id) {
+
+		Assert.notNull(id, "Identifier must not be null");
+
+		return toRevision(operations.get(getPath(id)), id);
+	}
+
+	@Override
+	public Revisions<Integer, T> findRevisions(String id) {
+
+		VaultMetadataResponse metadata = metadataOperations.get(getPath(id));
+
+		if (metadata == null) {
+			return Revisions.none();
+		}
+
+		return Revisions.of(collectRevisions(id, metadata.getVersions()));
+	}
+
+	private List<Revision<Integer, T>> collectRevisions(String id, List<Versioned.Metadata> versions) {
+
+		List<Revision<Integer, T>> revisions = new ArrayList<>();
+
+		for (Versioned.Metadata version : versions) {
+
+			Versioned<Map<String, Object>> versioned = operations.get(getPath(id), version.getVersion());
+
+			if (versioned == null) {
+				continue;
+			}
+
+			T entity = versioned.hasData() ? converter.read(this.metadata.getJavaType(), createDocument(id, versioned))
+					: null;
+			revisions.add(Revision.of(new VaultRevisionMetadata(versioned), entity));
+		}
+		return revisions;
+	}
+
+	@Override
+	public Page<Revision<Integer, T>> findRevisions(String id, Pageable pageable) {
+
+		if (pageable.isUnpaged()) {
+			return new PageImpl<>(Collections.emptyList());
+		}
+
+		VaultMetadataResponse metadata = metadataOperations.get(getPath(id));
+		if (metadata == null || pageable.getOffset() > metadata.getVersions().size()) {
+			return Page.empty(pageable);
+		}
+
+		List<Versioned.Metadata> versions = metadata.getVersions();
+
+		int toIndex = Math.min(versions.size(), Math.toIntExact(pageable.getOffset() + pageable.getPageSize()));
+		List<Versioned.Metadata> metadataPage = versions.subList(Math.toIntExact(pageable.getOffset()), toIndex);
+
+		List<Revision<Integer, T>> revisions = collectRevisions(id, metadataPage);
+
+		return new PageImpl<>(revisions, pageable, versions.size());
+	}
+
+	@Override
+	public Optional<Revision<Integer, T>> findRevision(String id, Integer revisionNumber) {
+
+		Assert.notNull(id, "Identifier must not be null");
+		Assert.notNull(revisionNumber, "Revision number must not be null");
+
+		return toRevision(operations.get(getPath(id), Versioned.Version.from(revisionNumber)), id);
+	}
+
+	private Optional<Revision<Integer, T>> toRevision(@Nullable Versioned<Map<String, Object>> versioned, String id) {
+
+		if (versioned == null) {
+			return Optional.empty();
+		}
+
+		T entity = versioned.hasData() ? converter.read(metadata.getJavaType(), createDocument(id, versioned)) : null;
+		return Optional.of(Revision.of(new VaultRevisionMetadata(versioned), entity));
+	}
+
+	private String getPath(String id) {
+		return keyspacePath + "/" + id;
+	}
+
+	private SecretDocument createDocument(String id, Versioned<Map<String, Object>> versioned) {
+		return new SecretDocument(id, versioned.getVersion().getVersion(), versioned.getRequiredData());
+	}
+
+}

spring-vault-core/src/main/java/org/springframework/vault/support/VaultCertificateRequest.java

@@ -376,8 +376,8 @@ public VaultCertificateRequestBuilder format(String format) {
 
 		/**
 		 * Configure the key format.
-		 * @param format the key format to use. Can be {@code pem}, {@code der}, or
-		 * {@code pkcs8}
+		 * @param privateKeyFormat the key format to use. Can be {@code pem}, {@code der},
+		 * or {@code pkcs8}
 		 * @return {@code this} {@link VaultCertificateRequestBuilder}.
 		 * @since 2.4
 		 */