Add plaintext backup and convergent encryption support and version to Vault transit keys.

Closes gh-661
Original pull request: gh-793

Author: nbaars

spring-vault-core/src/main/java/org/springframework/vault/core/VaultTransitTemplate.java

@@ -16,8 +16,6 @@
 package org.springframework.vault.core;
 
 import com.fasterxml.jackson.annotation.JsonProperty;
-import org.jetbrains.annotations.NotNull;
-
 import org.springframework.lang.Nullable;
 import org.springframework.util.Assert;
 import org.springframework.util.ObjectUtils;
@@ -598,6 +596,15 @@ static class VaultTransitKeyImpl implements VaultTransitKey {
 		@JsonProperty("supports_signing")
 		private boolean supportsSigning;
 
+		@JsonProperty("allow_plaintext_backup")
+		private boolean allowPlaintextBackup;
+
+		@JsonProperty("convergent_encryption")
+		private boolean supportsConvergentEncryption;
+
+		@JsonProperty("convergent_encryption_version")
+		private int convergentVersion;
+
 		public VaultTransitKeyImpl() {
 		}
 
@@ -631,6 +638,21 @@ public boolean supportsSigning() {
 			return isSupportsSigning();
 		}
 
+		@Override
+		public boolean allowPlaintextBackup() {
+			return isAllowPlaintextBackup();
+		}
+
+		@Override
+		public boolean supportsConvergentEncryption() {
+			return isSupportsConvergentEncryption();
+		}
+
+		@Override
+		public int getConvergentVersion() {
+			return this.convergentVersion;
+		}
+
 		@Nullable
 		public String getName() {
 			return this.name;
@@ -668,6 +690,10 @@ public int getMinEncryptionVersion() {
 			return this.minEncryptionVersion;
 		}
 
+		public boolean isAllowPlaintextBackup() {
+			return this.allowPlaintextBackup;
+		}
+
 		public boolean isSupportsDecryption() {
 			return this.supportsDecryption;
 		}
@@ -684,6 +710,10 @@ public boolean isSupportsSigning() {
 			return this.supportsSigning;
 		}
 
+		public boolean isSupportsConvergentEncryption() {
+			return this.supportsConvergentEncryption;
+		}
+
 		public void setName(@Nullable String name) {
 			this.name = name;
 		}
@@ -756,15 +786,17 @@ public boolean equals(Object o) {
 					&& this.supportsDerivation == that.supportsDerivation
 					&& this.supportsSigning == that.supportsSigning && Objects.equals(this.name, that.name)
 					&& this.cipherMode.equals(that.cipherMode) && Objects.equals(this.type, that.type)
-					&& this.keys.equals(that.keys);
+					&& this.allowPlaintextBackup == that.allowPlaintextBackup
+					&& this.supportsConvergentEncryption == that.supportsConvergentEncryption;
 		}
 
 		@Override
 		public int hashCode() {
 			return Objects.hash(this.name, this.cipherMode, this.type, this.deletionAllowed, this.derived,
 					this.exportable, this.keys, this.latestVersion, this.minDecryptionVersion,
 					this.minEncryptionVersion, this.supportsDecryption, this.supportsEncryption,
-					this.supportsDerivation, this.supportsSigning);
+					this.supportsDerivation, this.supportsSigning, this.allowPlaintextBackup,
+					this.supportsConvergentEncryption);
 		}
 
 	}

spring-vault-core/src/main/java/org/springframework/vault/support/VaultTransitKey.java

@@ -96,4 +96,23 @@ public interface VaultTransitKey {
 	 */
 	boolean supportsSigning();
 
+	/**
+	 * @return if set, enables taking backup of named key in the plaintext format. Once
+	 * set, this cannot be disabled.
+	 */
+	boolean allowPlaintextBackup();
+
+	/**
+	 * @return If enabled, the key will support convergent encryption, where the same
+	 * plaintext creates the same ciphertext. This requires 'derived' to be set to true.
+	 */
+	boolean supportsConvergentEncryption();
+
+	/**
+	 * @return the version of the convergent nonce to use. Note: since version 3 the
+	 * algorithm used in `transit`'s convergent encryption returns -1 since the version is
+	 * stored with the key. For backwards compatability this field might be interesting.
+	 */
+	int getConvergentVersion();
+
 }

spring-vault-core/src/main/java/org/springframework/vault/support/VaultTransitKeyCreationRequest.java

@@ -37,12 +37,16 @@ public class VaultTransitKeyCreationRequest {
 
 	private final boolean exportable;
 
+	@JsonProperty("allow_plaintext_backup")
+	private final boolean allowPlaintextBackup;
+
 	private VaultTransitKeyCreationRequest(boolean derived, String type, boolean convergentEncryption,
-			boolean exportable) {
+			boolean exportable, boolean allowPlaintextBackup) {
 		this.derived = derived;
 		this.type = type;
 		this.convergentEncryption = convergentEncryption;
 		this.exportable = exportable;
+		this.allowPlaintextBackup = allowPlaintextBackup;
 	}
 
 	/**
@@ -106,6 +110,8 @@ public static class VaultTransitKeyCreationRequestBuilder {
 
 		private boolean exportable;
 
+		private boolean allowPlaintextBackup;
+
 		VaultTransitKeyCreationRequestBuilder() {
 		}
 
@@ -160,6 +166,12 @@ public VaultTransitKeyCreationRequestBuilder exportable(boolean exportable) {
 			return this;
 		}
 
+		public VaultTransitKeyCreationRequestBuilder allowPlaintextBackup(boolean allowPlaintextBackup) {
+
+			this.allowPlaintextBackup = allowPlaintextBackup;
+			return this;
+		}
+
 		/**
 		 * Build a new {@link VaultTransitKeyCreationRequest} instance. Requires
 		 * {@link #type(String)} to be configured.
@@ -170,7 +182,7 @@ public VaultTransitKeyCreationRequest build() {
 			Assert.hasText(this.type, "Type must not be empty");
 
 			return new VaultTransitKeyCreationRequest(this.derived, this.type, this.convergentEncryption,
-					this.exportable);
+					this.exportable, this.allowPlaintextBackup);
 		}
 
 	}

spring-vault-core/src/test/java/org/springframework/vault/core/VaultTransitTemplateIntegrationTests.java

@@ -232,6 +232,22 @@ void createKeyShouldCreateKeyWithOptions() {
 		assertThat(mykey.isDerived()).isTrue();
 		assertThat(mykey.getMinDecryptionVersion()).isEqualTo(1);
 		assertThat(mykey.getLatestVersion()).isEqualTo(1);
+		assertThat(mykey.supportsConvergentEncryption()).isTrue();
+		assertThat(mykey.getConvergentVersion()).isEqualTo(-1);
+	}
+
+	@Test
+	void createKeyWithPlaintextBackupOption() {
+		VaultTransitKeyCreationRequest request = VaultTransitKeyCreationRequest.builder() //
+			.allowPlaintextBackup(true) //
+			.build();
+
+		this.transitOperations.createKey("mykey", request);
+
+		VaultTransitKey mykey = this.transitOperations.getKey("mykey");
+
+		assertThat(mykey.getName()).isEqualTo("mykey");
+		assertThat(mykey.allowPlaintextBackup()).isTrue();
 	}
 
 	@Test