[BAEL-455] Initial code

spring-cloud/pom.xml

@@ -31,6 +31,7 @@
         <module>spring-cloud-zuul-eureka-integration</module>
         <module>spring-cloud-contract</module>
         <module>spring-cloud-kubernetes</module>
+        <module>spring-cloud-vault</module>
     </modules>
 
     <build>

spring-cloud/spring-cloud-vault/.gitignore

@@ -0,0 +1,29 @@
+/target/
+!.mvn/wrapper/maven-wrapper.jar
+
+### STS ###
+.apt_generated
+.classpath
+.factorypath
+.project
+.settings
+.springBeans
+.sts4-cache
+
+### IntelliJ IDEA ###
+.idea
+*.iws
+*.iml
+*.ipr
+
+### NetBeans ###
+/nbproject/private/
+/build/
+/nbbuild/
+/dist/
+/nbdist/
+/.nb-gradle/
+
+## Extra
+/vault-data/
+*.log

spring-cloud/spring-cloud-vault/pom.xml

@@ -0,0 +1,90 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+	xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+	<modelVersion>4.0.0</modelVersion>
+
+	<groupId>org.baeldung.spring.cloud</groupId>
+	<artifactId>spring-cloud-vault</artifactId>
+	<packaging>jar</packaging>
+
+	<name>spring-cloud-vault</name>
+	<description>Demo project for Spring Boot</description>
+
+	<parent>
+		<groupId>com.baeldung</groupId>
+		<artifactId>parent-boot-2</artifactId>
+		<version>0.0.1-SNAPSHOT</version>
+		<relativePath>../../parent-boot-2</relativePath>
+	</parent>
+
+	<!-- <parent> <groupId>org.springframework.boot</groupId> <artifactId>spring-boot-starter-parent</artifactId> 
+		<version>2.0.4.RELEASE</version> <relativePath/> </parent> -->
+
+	<properties>
+		<project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+		<project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
+		<java.version>1.8</java.version>
+		<spring-cloud.version>Finchley.SR1</spring-cloud.version>
+	</properties>
+
+	<dependencies>
+	
+		<dependency>
+			<groupId>org.springframework.boot</groupId>
+			<artifactId>spring-boot-starter-data-rest</artifactId>
+		</dependency>
+		
+		<dependency>
+			<groupId>org.springframework.boot</groupId>
+			<artifactId>spring-boot-starter-data-jpa</artifactId>
+		</dependency>
+		
+		
+		<dependency>
+			<groupId>org.springframework.cloud</groupId>
+			<artifactId>spring-cloud-starter-vault-config</artifactId>
+		</dependency>
+
+		<dependency>
+			<groupId>org.springframework.boot</groupId>
+			<artifactId>spring-boot-starter-test</artifactId>
+			<scope>test</scope>
+		</dependency>
+
+
+
+		<dependency>
+			<groupId>mysql</groupId>
+			<artifactId>mysql-connector-java</artifactId>
+		</dependency>
+
+		<dependency>
+			<groupId>org.springframework.cloud</groupId>
+			<artifactId>spring-cloud-vault-config-databases</artifactId>
+		</dependency>
+
+	</dependencies>
+
+	<dependencyManagement>
+		<dependencies>
+			<dependency>
+				<groupId>org.springframework.cloud</groupId>
+				<artifactId>spring-cloud-dependencies</artifactId>
+				<version>${spring-cloud.version}</version>
+				<type>pom</type>
+				<scope>import</scope>
+			</dependency>
+		</dependencies>
+	</dependencyManagement>
+
+	<build>
+		<plugins>
+			<plugin>
+				<groupId>org.springframework.boot</groupId>
+				<artifactId>spring-boot-maven-plugin</artifactId>
+			</plugin>
+		</plugins>
+	</build>
+
+
+</project>

spring-cloud/spring-cloud-vault/src/main/java/org/baeldung/spring/cloud/vaultsample/VaultSampleApplication.java

@@ -0,0 +1,12 @@
+package org.baeldung.spring.cloud.vaultsample;
+
+import org.springframework.boot.SpringApplication;
+import org.springframework.boot.autoconfigure.SpringBootApplication;
+
+@SpringBootApplication
+public class VaultSampleApplication {
+
+	public static void main(String[] args) {
+		SpringApplication.run(VaultSampleApplication.class, args);
+	}
+}

spring-cloud/spring-cloud-vault/src/main/java/org/baeldung/spring/cloud/vaultsample/domain/Account.java

@@ -0,0 +1,58 @@
+package org.baeldung.spring.cloud.vaultsample.domain;
+
+import javax.persistence.Entity;
+import javax.persistence.Id;
+import javax.validation.constraints.NotNull;
+
+@Entity
+public class Account {
+    
+    @Id
+    private Long id;
+    
+    @NotNull
+    private String name;
+    
+    @NotNull
+    private Long branchId;
+    
+    @NotNull
+    private Long customerId;
+    
+
+    public Long getId() {
+        return id;
+    }
+
+    public void setId(Long id) {
+        this.id = id;
+    }
+
+    public String getName() {
+        return name;
+    }
+
+    public void setName(String name) {
+        this.name = name;
+    }
+
+    public Long getBranchId() {
+        return branchId;
+    }
+
+    public void setBranchId(Long branchId) {
+        this.branchId = branchId;
+    }
+
+    public Long getCustomerId() {
+        return customerId;
+    }
+
+    public void setCustomerId(Long customerId) {
+        this.customerId = customerId;
+    }
+
+    
+    
+
+}

spring-cloud/spring-cloud-vault/src/main/java/org/baeldung/spring/cloud/vaultsample/repository/AccountRepository.java

@@ -0,0 +1,10 @@
+package org.baeldung.spring.cloud.vaultsample.repository;
+
+import org.baeldung.spring.cloud.vaultsample.domain.Account;
+import org.springframework.data.repository.PagingAndSortingRepository;
+import org.springframework.data.rest.core.annotation.RepositoryRestResource;
+
+@RepositoryRestResource(collectionResourceRel="accounts", path="accounts")
+public interface AccountRepository extends PagingAndSortingRepository<Account, Long> {
+
+}

spring-cloud/spring-cloud-vault/src/main/resources/application.yml

@@ -0,0 +1,6 @@
+spring:
+  application:
+    name: fakebank
+    
+  datasource:
+    url: jdbc:mysql://localhost:3306/fakebank

spring-cloud/spring-cloud-vault/src/main/resources/bootstrap.yml

@@ -0,0 +1,37 @@
+spring:
+  cloud:
+    vault:
+      uri: https://localhost:8200
+      connection-timeout: 5000
+      read-timeout: 15000
+      config:
+          order: -10
+          
+      token: b93d1b0d-15b5-f69e-d311-352a65fa7bc8
+      ssl:
+        trust-store: classpath:/vault.jks
+        trust-store-password: changeit
+      
+      generic:
+        enabled: true
+        application-name: fakebank
+        
+      kv:
+        enabled: true
+        backend: kv
+        application-name: fakebank
+        
+      database:
+        enabled: true
+        role: fakebank-accounts-rw
+#        username-property: spring.datasource.username
+#        password-property: spring.datasource.password
+        
+              
+        
+      
+      
+        
+      
+          
+          

spring-cloud/spring-cloud-vault/src/test/java/org/baeldung/spring/cloud/vaultsample/VaultSampleApplicationLiveTest.java

@@ -0,0 +1,66 @@
+package org.baeldung.spring.cloud.vaultsample;
+
+import static org.junit.Assert.assertEquals;
+
+import java.sql.Connection;
+import java.sql.ResultSet;
+import java.sql.SQLException;
+
+import javax.sql.DataSource;
+
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.boot.test.context.SpringBootTest;
+import org.springframework.core.env.Environment;
+import org.springframework.test.context.junit4.SpringRunner;
+import org.springframework.vault.annotation.VaultPropertySource;
+
+@RunWith(SpringRunner.class)
+@SpringBootTest
+public class VaultSampleApplicationLiveTest {
+
+    @Autowired
+    Environment env;
+
+    @Autowired
+    DataSource datasource;
+
+    @Test
+    public void whenGenericBackendEnabled_thenEnvHasAccessToVaultSecrets() {
+
+        String fooValue = env.getProperty("foo");
+        assertEquals("bar", fooValue);
+
+    }
+    
+    @Test
+    public void whenKvBackendEnabled_thenEnvHasAccessToVaultSecrets() {
+
+        String fooValue = env.getProperty("foo.versioned");
+        assertEquals("bar1", fooValue);
+
+
+    }
+    
+
+    @Test
+    public void whenDatabaseBackendEnabled_thenDatasourceUsesVaultCredentials() {
+
+        try (Connection c = datasource.getConnection()) {
+
+            ResultSet rs = c.createStatement()
+              .executeQuery("select 1");
+            
+            rs.next();
+            Long value = rs.getLong(1);
+
+            assertEquals(Long.valueOf(1), value);
+
+        } catch (SQLException sex) {
+            throw new RuntimeException(sex);
+        }
+
+    }
+
+}

spring-cloud/spring-cloud-vault/src/test/resources/bootstrap.properties

@@ -0,0 +1,3 @@
+#spring.cloud.vault.token=b93d1b0d-15b5-f69e-d311-352a65fa7bc8
+
+logging.level.org.springframework=INFO

spring-cloud/spring-cloud-vault/src/test/vault-config/localhost.cert

@@ -0,0 +1,18 @@
+-----BEGIN CERTIFICATE-----
+MIIC+zCCAeOgAwIBAgIJAKoy5OBgOKYwMA0GCSqGSIb3DQEBBQUAMBQxEjAQBgNV
+BAMMCWxvY2FsaG9zdDAeFw0xODA4MDkwMTM1MzJaFw0yODA4MDYwMTM1MzJaMBQx
+EjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
+ggEBAMXiHqB5dYdxJ1+abSG55gb3NNo3fzNbkjp/tAIl1FUeyCyyP/yERrkUkhFj
+4gg/q1YHUO/ftc0PdL/JBaVBTKnzsxgp7hY/dUEkZqXZ649X0UrJIRd13w5N71cL
+P1+PjCrqokMVceU18kK7CyaOmiTKYFmt/RTJQLmFQspmJXNSiq7zUvAgyvoY5TzJ
+n7MuSobHXq17pnlm+XbnAgDJUt9yR6BC2dFF20iZU4uTXy2VRngfLey3p+6in0TO
+jD4cEMJqwgUbjiI8m/hESCketVkq0W0qkkVfWBNzz5qqGHNRbhZBwT7SM0MuXum+
+qEY7n7jcQAk5BDb613liVQjQ0tkCAwEAAaNQME4wHQYDVR0OBBYEFHYjQ0/HJgXd
+BnqM4jLPjmygfi8fMB8GA1UdIwQYMBaAFHYjQ0/HJgXdBnqM4jLPjmygfi8fMAwG
+A1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADggEBABSf++sinLT9dFnC+B6ut5Zp
+haTL7PA1/CdmhTdE2vlFPGGw2BD4c/gphBsHKSNHE96irTqFXI/kl6labQpZ5P8G
+JORLfaAyl58UT1FayxL4ISzwsp+UrqO60vxkYyLkbEJjuaxIv11oOoFDIp5oBTqe
+BVoCfcTjYtTr+IwwlypLPrVTnDNGX5oPIBbTUFvR0t5RaLZgmXLT78ERhWOLINqh
+Yi6j7fYaRm/C5IQ8N/TASot7V0SMH2Rt6PrzJb5SLV8r+yozg2BSfU6hZUyKwABR
+N3zppKvKzdhlVo9OuSW3x4Tb3V+CVE/8CmTwRfhab9SCmvmaa2FxI+8/2OPVWDU=
+-----END CERTIFICATE-----

spring-cloud/spring-cloud-vault/src/test/vault-config/localhost.key

@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEpAIBAAKCAQEAxeIeoHl1h3EnX5ptIbnmBvc02jd/M1uSOn+0AiXUVR7ILLI/
+/IRGuRSSEWPiCD+rVgdQ79+1zQ90v8kFpUFMqfOzGCnuFj91QSRmpdnrj1fRSskh
+F3XfDk3vVws/X4+MKuqiQxVx5TXyQrsLJo6aJMpgWa39FMlAuYVCymYlc1KKrvNS
+8CDK+hjlPMmfsy5KhsderXumeWb5ducCAMlS33JHoELZ0UXbSJlTi5NfLZVGeB8t
+7Len7qKfRM6MPhwQwmrCBRuOIjyb+ERIKR61WSrRbSqSRV9YE3PPmqoYc1FuFkHB
+PtIzQy5e6b6oRjufuNxACTkENvrXeWJVCNDS2QIDAQABAoIBACEyB5VACtlHwCUn
+kLshplbwzWr1+F6zM9qgZaAenHoTCd2FoXpI7lxJ+R71tItRsvphi9BRpPvbZehu
+XoYUaDnyac7Z6djNmGvvIVEdN4j6YF+9UdHPsjWCGW5uspjjSc5BQisiw9KBtDxB
+iGNVdMJLONKSf2wnPrZgho3RiOLJX/poPyGTkMHuhBVvo4oy7Ax3XalaAcufgqwm
+YBQJ1Tka+33EUiLkxzJTXxNbIAI2scP8jhGn6mokS0V4gZPxJKUZEyydXRWwi6ex
+ua/7q76ELJS5b+xKRYfGsvavFDx8R+LqX8oegALD33ki3rm1MQW7GmikRL98+EVW
+Q9mQsqECgYEA/IrP8vycbJOgn1vriNItFcZtczSBlrXCRF0up2cqKMs9c+T5i51x
+ZKXK5lo3DfMT+YDM+iiGZ9+vM0UA2VxbFD3XV9mQDBaNC+Duknqxx+OLmWva9YwR
+nMaevqVV9LCn+GgUcK+IygEnpzpdP4q8YcXAfGAnZgnihN/AUYAaB70CgYEAyJe4
+yO0S9gAH5aoDdooL0YXrH/Dzd+fAgNsawLhoOltcoZqZFWeAllM0GsrCpfTRltuy
+dn9ca3YK0GlWl7h5rDle1HO3nhp1FcpeG1oxmkeQta3PG66uUuMccTAljCLFrEe3
+DguH8+qdjhLk+ZnUB9AVkS79pzdwuEHVljCK600CgYB6mMygkh9B2lzkX9Q0xItc
+gcqKXdf3GN9pHq9SVxOxYBDCHUtDirgMeyvHrc4COJneyrc3TcsJzB4aToo9+sbA
+SdErdZOnOp9YP+axN1zsw7r2TNSr1UaLjCRuOodC1SuFvMkHdz95iRv946h2+1u+
+PyjVeDxIHc5YYOLU7dI1JQKBgQDF5KDBYNm25brkwcCe3nvgXfzjyyN25KUOupn/
+DS6Oe/m72Lgz3KOIKleaIvS7IvbunJnIu8dioNb0Wye5kJ5A4WyDrhG1IabnM3l6
+BJYw/W9vPSS4y7FhRnuV0wkH4nofh7S5X3jlk02Sj2NkN3Vtq8TLMY++uzwyG4jq
+ncM/dQKBgQC+6mA5OfbVN4lRn+zrSiIH5gpvZYPh9wXeTnDWHa13sJsu3e8AQxtk
+TfE0W13UV5jhGL8Wvyyxn+doGFTdcZapOlwuoQ6RcgHcVQm2sOl60GAa4idmm0A6
+TcgnIOTyVRlNBoWLCfN83BlGz4gcDpnuZZ/0JuguixgLS323hQlLvg==
+-----END RSA PRIVATE KEY-----

spring-cloud/spring-cloud-vault/src/test/vault-config/vault-test.hcl

@@ -0,0 +1,20 @@
+/*
+ * Sample configuration file for tests
+ */
+ 
+// Enable UI
+ui = true
+
+// Filesystem storage
+storage "file" {
+  path    = "./vault-data"
+}
+
+// TCP Listener using a self-signed certificate
+listener "tcp" {
+  address     = "127.0.0.1:8200"
+  tls_cert_file = "./src/test/vault-config/localhost.cert"
+  tls_key_file = "./src/test/vault-config/localhost.key"
+}
+
+

spring-cloud/spring-cloud-vault/vault-cheatsheet.txt

@@ -0,0 +1,82 @@
+== Vault server bootstrap
+
+1. Run vaul-start in one shell
+
+2. Open another shell and execute the command below:
+> vault operator init
+
+Vault will output the unseal keys and root token: STORE THEM SAFELY !!!
+
+Example output:
+Unseal Key 1: OfCseaSZzjTZmrxhfx+5clKobwLGCNiJdAlfixSG9E3o
+Unseal Key 2: iplVLPTHW0n0WL5XuI6QWwyNtWbKTek1SoKcG0gR7vdT
+Unseal Key 3: K0TleK3OYUvWFF+uIDsQuf5a+/gkv1PtZ3O47ornzRoF
+Unseal Key 4: +5zhysLAO4hIdZs0kiZpkrRovw11uQacfloiBwnZBJA/
+Unseal Key 5: GDwSq18lXV3Cw4MoHsKIH137kuI0mdl36UiD9WxOdulc
+
+Initial Root Token: d341fdaf-1cf9-936a-3c38-cf5eec94b5c0
+
+...
+
+== Admin token setup
+
+1. Set the VAULT_TOKEN environment variable with the root token value 
+export VAULT_TOKEN=d341fdaf-1cf9-936a-3c38-cf5eec94b5c0 (Linux) 
+set VAULT_TOKEN=d341fdaf-1cf9-936a-3c38-cf5eec94b5c0 (Windows)
+
+2. Create another admin token
+
+>vault token create -display-name=admin
+Key                  Value
+---                  -----
+token                3779c3ca-9f5e-1d8f-3842-efa96d88de43  <=== this is the new root token
+token_accessor       2dfa4031-973b-cf88-c749-ee6f520ecaea
+token_duration       ∞
+token_renewable      false
+token_policies       ["root"]
+identity_policies    []
+policies             ["root"]
+
+3. Create ~/.vault-secret with your root token
+4. Unset the VAULT_TOKEN environment variable !
+
+=== Test DB setup (MySQL only, for now)
+
+1. Create test db
+2. Create admin account used to create dynamic accounts:
+
+create schema fakebank;
+create user 'fakebank-admin'@'%' identified by 'Sup&rSecre7!'
+grant all privileges on fakebank.* to 'fakebank-admin'@'%' with grant option;
+grant create user on *.* to 'fakebank-admin' with grant option;
+flush privileges;
+
+
+=== Database secret backend setup
+> vault secrets enable database
+
+==== Create db configuration
+> vault write database/config/mysql-fakebank ^
+  plugin_name=mysql-legacy-database-plugin ^
+  connection_url="{{username}}:{{password}}@tcp(127.0.0.1:3306)/fakebank" ^
+  allowed_roles="*" ^
+  username="fakebank-admin" ^
+  password="Sup&rSecre7!" 
+  
+==== Create roles
+> vault write database/roles/fakebank-accounts-ro ^
+    db_name=mysql-fakebank ^
+    creation_statements="CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}';GRANT SELECT ON fakebank.* TO '{{name}}'@'%';" ^
+    default_ttl="1h" ^
+    max_ttl="24h"  
+
+> vault write database/roles/fakebank-accounts-rw ^
+    db_name=mysql-fakebank ^
+    creation_statements="CREATE USER '{{name}}'@'%' IDENTIFIED BY '{{password}}';GRANT SELECT,INSERT,UPDATE ON fakebank.* TO '{{name}}'@'%';" ^
+    default_ttl="1m" ^
+    max_ttl="2m"  
+	
+=== Get credentials
+> vault read database/creds/fakebank-accounts-rw
+
+

spring-cloud/spring-cloud-vault/vault-env.bat

@@ -0,0 +1,5 @@
+@echo off
+echo Setting environment variables to access local vault..
+set VAULT_ADDR=https://localhost:8200
+set VAULT_CACERT=%~dp0%/src/test/vault-config/localhost.cert
+set VAULT_TLS_SERVER_NAME=localhost

spring-cloud/spring-cloud-vault/vault-env.sh

@@ -0,0 +1,6 @@
+#!/bin/bash
+echo Setting environment variables to access local vault..
+SCRIPTPATH="$( cd "$(dirname "$0")" ; pwd -P )"
+export VAULT_ADDR=https://localhost:8200
+export VAULT_CACERT=$SCRIPTPATH/src/test/vault-config/localhost.cert
+export VAULT_TLS_SERVER_NAME=localhost

spring-cloud/spring-cloud-vault/vault-start.bat

@@ -0,0 +1,3 @@
+echo Starting vault server...
+pushd %~dp0%
+vault server -config %~dp0%/src/test/vault-config/vault-test.hcl

spring-cloud/spring-cloud-vault/vault-start.sh

@@ -0,0 +1,5 @@
+#!/bin/bash
+SCRIPTPATH="$( cd "$(dirname "$0")" ; pwd -P )"
+pushd $SCRIPTPATH
+echo Starting vault server...
+vault server -config $SCRIPTPATH/src/test/vault-config/vault-test.hcl

spring-cloud/spring-cloud-vault/vault-unseal.bat

@@ -0,0 +1,7 @@
+
+call %~dp0%/vault-env.bat
+
+vault operator unseal OfCseaSZzjTZmrxhfx+5clKobwLGCNiJdAlfixSG9E3o
+vault operator unseal iplVLPTHW0n0WL5XuI6QWwyNtWbKTek1SoKcG0gR7vdT
+vault operator unseal iplVLPTHW0n0WL5XuI6QWwyNtWbKTek1SoKcG0gR7vdT
+vault operator unseal K0TleK3OYUvWFF+uIDsQuf5a+/gkv1PtZ3O47ornzRoF

spring-cloud/spring-cloud-vault/vault-unseal.sh

@@ -0,0 +1,8 @@
+#!/bin/bash
+SCRIPTPATH="$( cd "$(dirname "$0")" ; pwd -P )"
+. $SCRIPTPATH/vault-env.sh
+
+# Please replace the unseal keys below for your own
+vault operator unseal OfCseaSZzjTZmrxhfx+5clKobwLGCNiJdAlfixSG9E3o
+vault operator unseal iplVLPTHW0n0WL5XuI6QWwyNtWbKTek1SoKcG0gR7vdT
+vault operator unseal K0TleK3OYUvWFF+uIDsQuf5a+/gkv1PtZ3O47ornzRoF