Support versioned key/value secrets engine using Vault repositories.

We now support CRUD operations using key/value secrets engine version 2 and optimistic locking through Vault's cas mechanism.

Closes gh-593

Author: mp911de

spring-vault-core/pom.xml

@@ -100,6 +100,7 @@
 		<dependency>
 			<groupId>org.springframework.data</groupId>
 			<artifactId>spring-data-keyvalue</artifactId>
+			<version>2.7.1-SNAPSHOT</version>
 			<optional>true</optional>
 		</dependency>
 

spring-vault-core/src/main/java/org/springframework/vault/core/util/KeyValueDelegate.java

@@ -118,7 +118,7 @@ private MountInfo doGetMountInfo(String path) {
 		return MountInfo.from((String) data.get("path"), (Map) data.get("options"));
 	}
 
-	private MountInfo getMountInfo(String path) {
+	public MountInfo getMountInfo(String path) {
 
 		MountInfo mountInfo = this.mountInfo.get(path);
 
@@ -136,15 +136,15 @@ private MountInfo getMountInfo(String path) {
 		return mountInfo;
 	}
 
-	static class MountInfo {
+	public static class MountInfo {
 
 		static final MountInfo UNAVAILABLE = new MountInfo("", Collections.emptyMap(), false);
 
-		final String path;
+		private final String path;
 
-		final @Nullable Map<String, Object> options;
+		private final @Nullable Map<String, Object> options;
 
-		final boolean available;
+		private final boolean available;
 
 		private MountInfo(String path, @Nullable Map<String, Object> options, boolean available) {
 			this.path = path;

spring-vault-core/src/main/java/org/springframework/vault/repository/convert/MappingVaultConverter.java

@@ -443,8 +443,7 @@ private void writeProperties(VaultPersistentEntity<?> entity, PersistentProperty
 				writePropertyInternal(value, sink, prop);
 			}
 			else {
-
-				sink.put(prop, getPotentiallyConvertedSimpleWrite(value));
+				sink.put(prop, getPotentiallyConvertedSimpleWrite(value, prop.getTypeInformation().getType()));
 			}
 		}
 	}
@@ -529,7 +528,7 @@ private List<Object> writeCollectionInternal(Collection<?> source, @Nullable Typ
 			Class<?> elementType = element == null ? null : element.getClass();
 
 			if (elementType == null || this.conversions.isSimpleType(elementType)) {
-				sink.add(getPotentiallyConvertedSimpleWrite(element));
+				sink.add(getPotentiallyConvertedSimpleWrite(element, elementType == null ? Object.class : elementType));
 			}
 			else if (element instanceof Collection || elementType.isArray()) {
 				sink.add(writeCollectionInternal(asCollection(element), componentType, new ArrayList<>()));
@@ -627,10 +626,11 @@ protected void addCustomTypeKeyIfNecessary(@Nullable TypeInformation<?> type, Ob
 	 * arbitrary simple Vault type. Returns the converted value if so. If not, we perform
 	 * special enum handling or simply return the value as is.
 	 * @param value the value to write.
+	 * @param targetType
 	 * @return the converted value. Can be {@literal null}.
 	 */
 	@Nullable
-	private Object getPotentiallyConvertedSimpleWrite(@Nullable Object value) {
+	private Object getPotentiallyConvertedSimpleWrite(@Nullable Object value, Class<?> targetType) {
 
 		if (value == null) {
 			return null;
@@ -650,7 +650,15 @@ private Object getPotentiallyConvertedSimpleWrite(@Nullable Object value) {
 			return asCollection(value);
 		}
 
-		return Enum.class.isAssignableFrom(value.getClass()) ? ((Enum<?>) value).name() : value;
+		if (Enum.class.isAssignableFrom(value.getClass())) {
+			return ((Enum<?>) value).name();
+		}
+
+		if (!ClassUtils.isAssignableValue(targetType, value)) {
+			return this.conversionService.convert(value, targetType);
+		}
+
+		return value;
 	}
 
 	/**

spring-vault-core/src/main/java/org/springframework/vault/repository/convert/SecretDocument.java

@@ -17,10 +17,10 @@
 
 import java.util.LinkedHashMap;
 import java.util.Map;
-import java.util.Objects;
 
 import org.springframework.lang.Nullable;
 import org.springframework.util.Assert;
+import org.springframework.util.ObjectUtils;
 import org.springframework.vault.support.VaultResponse;
 
 /**
@@ -42,6 +42,8 @@ public class SecretDocument {
 
 	private final Map<String, Object> body;
 
+	private @Nullable Integer version;
+
 	/**
 	 * Create a new, empty {@link SecretDocument}.
 	 */
@@ -70,6 +72,22 @@ public SecretDocument(@Nullable String id, Map<String, Object> body) {
 		this.body = body;
 	}
 
+	/**
+	 * Create a new {@link SecretDocument} given an {@code id} and {@link Map body map}.
+	 * @param id may be {@literal null}.
+	 * @param version for versioned secrets, may be {@literal null} if not available.
+	 * @param body must not be {@literal null}.
+	 * @since 2.4
+	 */
+	public SecretDocument(@Nullable String id, @Nullable Integer version, Map<String, Object> body) {
+
+		Assert.notNull(body, "Body must not be null");
+
+		this.id = id;
+		this.version = version;
+		this.body = body;
+	}
+
 	public SecretDocument(String id) {
 		this(id, new LinkedHashMap<>());
 	}
@@ -87,21 +105,55 @@ public static SecretDocument from(@Nullable String id, VaultResponse vaultRespon
 	}
 
 	/**
-	 * @return the Id or {@literal null} if the Id is not set.
+	 * @return the identifier or {@literal null} if the identifier is not set.
 	 */
 	@Nullable
 	public String getId() {
 		return this.id;
 	}
 
 	/**
-	 * Set the Id.
+	 * Return the required Id or throw {@link IllegalStateException} if the Id is not set.
+	 * @return the required Id.
+	 * @throws IllegalStateException if the Id is not set.
+	 * @since 2.4
+	 */
+	public String getRequiredId() {
+
+		String id = getId();
+
+		if (id == null) {
+			throw new IllegalStateException("Id is not set");
+		}
+
+		return id;
+	}
+
+	/**
+	 * Set the identifier value.
 	 * @param id may be {@literal null}.
 	 */
 	public void setId(@Nullable String id) {
 		this.id = id;
 	}
 
+	/**
+	 * @return the version number, may be {@code null} if absent.
+	 * @since 2.4
+	 */
+	@Nullable
+	public Integer getVersion() {
+		return version;
+	}
+
+	/**
+	 * @param version
+	 * @since 2.4
+	 */
+	public void setVersion(@Nullable Integer version) {
+		this.version = version;
+	}
+
 	/**
 	 * @return the body of this {@link SecretDocument}
 	 */
@@ -130,17 +182,28 @@ public void put(String key, Object value) {
 
 	@Override
 	public boolean equals(Object o) {
-		if (this == o)
+		if (this == o) {
 			return true;
-		if (!(o instanceof SecretDocument))
+		}
+		if (!(o instanceof SecretDocument)) {
 			return false;
+		}
 		SecretDocument that = (SecretDocument) o;
-		return Objects.equals(this.id, that.id) && Objects.equals(this.body, that.body);
+		if (!ObjectUtils.nullSafeEquals(this.id, that.id)) {
+			return false;
+		}
+		if (!ObjectUtils.nullSafeEquals(this.body, that.body)) {
+			return false;
+		}
+		return ObjectUtils.nullSafeEquals(this.version, that.version);
 	}
 
 	@Override
 	public int hashCode() {
-		return Objects.hash(this.id, this.body);
+		int result = ObjectUtils.nullSafeHashCode(this.id);
+		result = 31 * result + ObjectUtils.nullSafeHashCode(this.body);
+		result = 31 * result + ObjectUtils.nullSafeHashCode(this.version);
+		return result;
 	}
 
 	@Override
@@ -149,6 +212,7 @@ public String toString() {
 		sb.append(getClass().getSimpleName());
 		sb.append(" [id='").append(this.id).append('\'');
 		sb.append(", body=").append(this.body);
+		sb.append(", version=").append(this.version);
 		sb.append(']');
 		return sb.toString();
 	}

spring-vault-core/src/main/java/org/springframework/vault/repository/convert/SecretDocumentAccessor.java

@@ -87,6 +87,11 @@ void put(VaultPersistentProperty prop, @Nullable Object value) {
 			return;
 		}
 
+		if (prop.isVersionProperty()) {
+			this.document.setVersion(value == null ? null : ((Number) value).intValue());
+			return;
+		}
+
 		if (!fieldName.contains(".")) {
 			this.body.put(fieldName, value);
 			return;
@@ -125,6 +130,10 @@ Object get(VaultPersistentProperty property) {
 			return this.document.getId();
 		}
 
+		if (property.isVersionProperty()) {
+			return this.document.getVersion();
+		}
+
 		if (!fieldName.contains(".")) {
 			return this.body.get(fieldName);
 		}
@@ -159,6 +168,10 @@ boolean hasValue(VaultPersistentProperty property) {
 			return StringUtils.hasText(this.document.getId());
 		}
 
+		if (property.isVersionProperty()) {
+			return this.document.getVersion() != null;
+		}
+
 		String fieldName = property.getName();
 
 		if (!fieldName.contains(".")) {