Module vault.java.driver
Package io.github.jopenlibs.vault.api.pki

Class RoleOptions

java.lang.Object
io.github.jopenlibs.vault.api.pki.RoleOptions
All Implemented Interfaces:
Serializable
public class RoleOptions extends Object implements Serializable

A container for options sent to and returned by role-related endpoints on the PKI backend. This class is meant for use with a builder pattern style. Example usage:


 final RoleOptions options = new RoleOptions()
                              .allowedDomains(new ArrayList<String>(){{ add("myvault.com"); }})
                              .allowSubdomains(true)
                              .maxTtl("9h");
See Also:

  • Constructor Details

    • RoleOptions

      public RoleOptions()

  • Method Details

    • ttl

      public RoleOptions ttl(String ttl)
      Parameters:
      ttl - (optional) The Time To Live value provided as a string duration with time suffix. Hour is the largest suffix. If not set, uses the system default value or the value of max_ttl, whichever is shorter.
      Returns:
      This object, with ttl populated, ready for other builder methods or immediate use.

    • maxTtl

      public RoleOptions maxTtl(String maxTtl)
      Parameters:
      maxTtl - (optional) The maximum Time To Live provided as a string duration with time suffix. Hour is the largest suffix. If not set, defaults to the system maximum lease TTL.
      Returns:
      This object, with maxTtl populated, ready for other builder methods or immediate use.

    • allowLocalhost

      public RoleOptions allowLocalhost(Boolean allowLocalhost)
      Parameters:
      allowLocalhost - (optional) If set, clients can request certificates for localhost as one of the requested common names. This is useful for testing and to allow clients on a single host to talk securely. Defaults to true.
      Returns:
      This object, with allowLocalhost populated, ready for other builder methods or immediate use.

    • allowedDomains

      public RoleOptions allowedDomains(List<String> allowedDomains)
      Parameters:
      allowedDomains - (optional) Designates the domains of the role, provided as a comma-separated list. This is used with the allow_bare_domains and allow_subdomains options. There is no default.
      Returns:
      This object, with allowedDomains populated, ready for other builder methods or immediate use.

    • allowBareDomains

      public RoleOptions allowBareDomains(Boolean allowBareDomains)
      Parameters:
      allowBareDomains - (optional) If set, clients can request certificates matching the value of the actual domains themselves; e.g. if a configured domain set with allowed_domains is example.com, this allows clients to actually request a certificate containing the name example.com as one of the DNS values on the final certificate. In some scenarios, this can be considered a security risk. Defaults to false.
      Returns:
      This object, with allowBareDomains populated, ready for other builder methods or immediate use.

    • allowSubdomains

      public RoleOptions allowSubdomains(Boolean allowSubdomains)
      Parameters:
      allowSubdomains - (optional) If set, clients can request certificates with CNs that are subdomains of the CNs allowed by the other role options. This includes wildcard subdomains. For example, an allowed_domains value of example.com with this option set to true will allow foo.example.com and bar.example.com as well as *.example.com. This is redundant when using the allow_any_name option. Defaults to false. *
      Returns:
      This object, with allowSubdomains populated, ready for other builder methods or immediate use.

    • allowSpiffeName

      public RoleOptions allowSpiffeName(Boolean allowSpiffename)
      Parameters:
      allowSpiffename - (optional)
      Returns:
      This object, with AllowSpiffename populated, ready for other builder methods or immediate use.

    • allowAnyName

      public RoleOptions allowAnyName(Boolean allowAnyName)
      Parameters:
      allowAnyName - (optional) If set, clients can request any CN. Useful in some circumstances, but make sure you understand whether it is appropriate for your installation before enabling it. Defaults to false.
      Returns:
      This object, with allowSubdomains populated, ready for other builder methods or immediate use.

    • enforceHostnames

      public RoleOptions enforceHostnames(Boolean enforceHostnames)
      Parameters:
      enforceHostnames - (optional) If set, only valid host names are allowed for CNs, DNS SANs, and the host part of email addresses. Defaults to true.
      Returns:
      This object, with enforceHostnames populated, ready for other builder methods or immediate use.

    • allowIpSans

      public RoleOptions allowIpSans(Boolean allowIpSans)
      Parameters:
      allowIpSans - (optional) If set, clients can request IP Subject Alternative Names. No authorization checking is performed except to verify that the given values are valid IP addresses. Defaults to true.
      Returns:
      This object, with allowIpSans populated, ready for other builder methods or immediate use.

    • serverFlag

      public RoleOptions serverFlag(Boolean serverFlag)
      Parameters:
      serverFlag - (optional) If set, certificates are flagged for server use. Defaults to true.
      Returns:
      This object, with serverFlag populated, ready for other builder methods or immediate use.

    • clientFlag

      public RoleOptions clientFlag(Boolean clientFlag)
      Parameters:
      clientFlag - (optional) If set, certificates are flagged for client use. Defaults to true.
      Returns:
      This object, with clientFlag populated, ready for other builder methods or immediate use.

    • codeSigningFlag

      public RoleOptions codeSigningFlag(Boolean codeSigningFlag)
      Parameters:
      codeSigningFlag - (optional) If set, certificates are flagged for code signing use. Defaults to false.
      Returns:
      This object, with codeSigningFlag populated, ready for other builder methods or immediate use.

    • emailProtectionFlag

      public RoleOptions emailProtectionFlag(Boolean emailProtectionFlag)
      Parameters:
      emailProtectionFlag - (optional) If set, certificates are flagged for email protection use. Defaults to false.
      Returns:
      This object, with emailProtectionFlag populated, ready for other builder methods or immediate use.

    • keyType

      public RoleOptions keyType(String keyType)
      Parameters:
      keyType - (optional) The type of key to generate for generated private keys. Currently, rsa and ec are supported. Defaults to rsa.
      Returns:
      This object, with keyType populated, ready for other builder methods or immediate use.

    • keyBits

      public RoleOptions keyBits(Long keyBits)
      Parameters:
      keyBits - (optional) The number of bits to use for the generated keys. Defaults to 2048; this will need to be changed for ec keys. See https://golang.org/pkg/crypto/elliptic/#Curve for an overview of allowed bit lengths for ec.
      Returns:
      This object, with keyBits populated, ready for other builder methods or immediate use.

    • useCsrCommonName

      public RoleOptions useCsrCommonName(Boolean useCsrCommonName)
      Parameters:
      useCsrCommonName - (optional) If set, when used with the CSR signing endpoint, the common name in the CSR will be used instead of taken from the JSON data. This does not include any requested SANs in the CSR. Defaults to false.
      Returns:
      This object, with useCsrCommonName populated, ready for other builder methods or immediate use.

    • useCsrSans

      public RoleOptions useCsrSans(Boolean useCsrSans)
      Parameters:
      useCsrSans - (optional) If set, when used with the CSR signing endpoint, the common name in the CSR will be used instead of taken from the JSON data. This does not include any requested SANs in the CSR. Defaults to false.
      Returns:
      This object, with useCsrCommonName populated, ready for other builder methods or immediate use.

    • getTtl

      public String getTtl()

    • getMaxTtl

      public String getMaxTtl()

    • getAllowLocalhost

      public Boolean getAllowLocalhost()

    • getAllowedDomains

      public List<String> getAllowedDomains()

    • getAllowBareDomains

      public Boolean getAllowBareDomains()

    • getAllowSubdomains

      public Boolean getAllowSubdomains()

    • getAllowAnyName

      public Boolean getAllowAnyName()

    • getEnforceHostnames

      public Boolean getEnforceHostnames()

    • getAllowIpSans

      public Boolean getAllowIpSans()

    • getServerFlag

      public Boolean getServerFlag()

    • getClientFlag

      public Boolean getClientFlag()

    • getCodeSigningFlag

      public Boolean getCodeSigningFlag()

    • getEmailProtectionFlag

      public Boolean getEmailProtectionFlag()

    • getKeyType

      public String getKeyType()

    • getKeyBits

      public Long getKeyBits()

    • getUseCsrCommonName

      public Boolean getUseCsrCommonName()

    • getUseCsrSans

      public Boolean getUseCsrSans()

    • getAllowSpiffename

      public Boolean getAllowSpiffename()

    • keyUsage

      public RoleOptions keyUsage(List<String> keyUsage)

    • getKeyUsage

      public List<String> getKeyUsage()