feat: implement token-exchange auth for HashiCorp Vault (#5821)

implement token-exchange auth with jwtlet

Author: paullatzelsperger

extensions/common/vault/vault-hashicorp/README.md

@@ -13,15 +13,37 @@ creating secrets the EDC should consume.
 
 ## Configuration
 
-| Key                                         | Description                                                                                                      | Mandatory | Default          |
-|:--------------------------------------------|:-----------------------------------------------------------------------------------------------------------------|-----------|------------------|
-| edc.vault.hashicorp.url                     | URL to connect to the HashiCorp Vault                                                                            | X         |                  |     |
-| edc.vault.hashicorp.token                   | Value for [Token Authentication](https://www.vaultproject.io/docs/auth/token) with the vault                     | X         |                  |     |
-| edc.vault.hashicorp.timeout.seconds         | Request timeout in seconds when contacting the vault                                                             |           | `30`             |
-| edc.vault.hashicorp.health.check.enabled    | Enable health checks to ensure vault is initialized, unsealed and active                                         |           | `true`           |
-| edc.vault.hashicorp.health.check.standby.ok | Specifies if a vault in standby is healthy. This is useful when Vault is behind a non-configurable load balancer |           | `false`          |
-| edc.vault.hashicorp.api.secret.path         | Path to the [secret api](https://www.vaultproject.io/api-docs/secret/kv/kv-v1)                                   |           | `/v1/secret`     |
-| edc.vault.hashicorp.api.health.check.path   | Path to the [health api](https://www.vaultproject.io/api-docs/system/health)                                     |           | `/v1/sys/health` |
+| Key                                                  | Description                                                                                                      | Mandatory | Default          |
+|:-----------------------------------------------------|:-----------------------------------------------------------------------------------------------------------------|-----------|------------------|
+| edc.vault.hashicorp.url                              | URL to connect to the HashiCorp Vault                                                                            | X         |                  |     |
+| edc.vault.hashicorp.token                            | Value for [Token Authentication](https://www.vaultproject.io/docs/auth/token). Required unless token exchange is configured | (*)       |                  |     |
+| edc.vault.hashicorp.auth.tokenexchange.url           | Base URL of the token-exchange service (e.g. `jwtlet`). Setting it enables token-exchange authentication         | (*)       |                  |     |
+| edc.vault.hashicorp.auth.tokenexchange.subjecttokenpath | Path to the file holding the projected workload (ServiceAccount) token used as the subject token              |           |                  |     |
+| edc.vault.hashicorp.auth.tokenexchange.audience      | Audience requested for the exchanged token; must match the token-exchange service's configured audience          |           | `edcv`           |
+| edc.vault.hashicorp.auth.tokenexchange.scope         | Abstract scope (tier) requested for the exchanged token                                                          |           | `read`           |
+| edc.vault.hashicorp.auth.tokenexchange.resource      | Participant context id used as the `resource` for the default vault partition (optional)                         |           |                  |     |
+| edc.vault.hashicorp.auth.jwt.role                    | The Vault JWT auth method role to authenticate with                                                              |           | `participant`    |
+| edc.vault.hashicorp.timeout.seconds                  | Request timeout in seconds when contacting the vault                                                             |           | `30`             |
+| edc.vault.hashicorp.health.check.enabled             | Enable health checks to ensure vault is initialized, unsealed and active                                         |           | `true`           |
+| edc.vault.hashicorp.health.check.standby.ok          | Specifies if a vault in standby is healthy. This is useful when Vault is behind a non-configurable load balancer |           | `false`          |
+| edc.vault.hashicorp.api.secret.path                  | Path to the [secret api](https://www.vaultproject.io/api-docs/secret/kv/kv-v1)                                   |           | `/v1/secret`     |
+| edc.vault.hashicorp.api.health.check.path            | Path to the [health api](https://www.vaultproject.io/api-docs/system/health)                                     |           | `/v1/sys/health` |
+
+(*) Exactly one authentication mechanism must be configured: either a static `edc.vault.hashicorp.token`, or token
+exchange (`edc.vault.hashicorp.auth.tokenexchange.url`). Both may be combined, in which case the static token is used for
+the default vault partition and token exchange for named (per-participant) partitions.
+
+## Authentication
+
+The extension supports two ways of obtaining a Vault token:
+
+- **Static token** (`edc.vault.hashicorp.token`): the configured token is used directly as the `X-Vault-Token`.
+- **Token exchange** (`edc.vault.hashicorp.auth.tokenexchange.*`): the connector reads its projected Kubernetes
+  ServiceAccount token from `subjecttokenpath`, exchanges it at the token-exchange service (RFC 8693, e.g. `jwtlet`) for
+  a participant-scoped JWT, and presents that JWT to Vault's [JWT auth method](https://developer.hashicorp.com/vault/docs/auth/jwt)
+  (`v1/auth/jwt/login`, role `edc.vault.hashicorp.auth.jwt.role`). For named vault partitions the participant context id
+  is used as the exchange `resource`, so the issued Vault token is scoped to that participant. The resulting Vault token
+  is cached until shortly before it expires.
 
 ## Health Check
 

extensions/common/vault/vault-hashicorp/src/main/java/org/eclipse/edc/vault/hashicorp/HashicorpVault.java

@@ -22,7 +22,7 @@
 import org.eclipse.edc.spi.result.Result;
 import org.eclipse.edc.spi.security.Vault;
 import org.eclipse.edc.vault.hashicorp.client.HashicorpVaultConfig;
-import org.eclipse.edc.vault.hashicorp.spi.auth.HashicorpVaultTokenProvider;
+import org.eclipse.edc.vault.hashicorp.spi.auth.HashicorpVaultTokenProviderFactory;
 import org.jetbrains.annotations.NotNull;
 import org.jetbrains.annotations.Nullable;
 
@@ -37,18 +37,18 @@ class HashicorpVault implements Vault {
     private final ParticipantContextConfig participantContextConfig;
     private final Monitor monitor;
     private final HashicorpVaultConfig vaultConfig;
-    private final HashicorpVaultTokenProvider defaultTokenProvider;
+    private final HashicorpVaultTokenProviderFactory tokenProviderFactory;
     private final EdcHttpClient edcHttpClient;
     private final ObjectMapper mapper;
 
     HashicorpVault(ParticipantContextConfig participantContextConfig,
                    Monitor monitor,
-                   HashicorpVaultConfig vaultConfig, HashicorpVaultTokenProvider defaultTokenProvider,
+                   HashicorpVaultConfig vaultConfig, HashicorpVaultTokenProviderFactory tokenProviderFactory,
                    EdcHttpClient edcHttpClient) {
         this.participantContextConfig = participantContextConfig;
         this.monitor = monitor;
         this.vaultConfig = vaultConfig;
-        this.defaultTokenProvider = defaultTokenProvider;
+        this.tokenProviderFactory = tokenProviderFactory;
         this.edcHttpClient = edcHttpClient;
         this.mapper = new ObjectMapper().disable(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES);
 
@@ -99,7 +99,7 @@ public Result<Void> deleteSecret(String vaultPartition, String key) {
 
         var settings = forParticipant(vaultPartition, participantContextConfig);
         if (settings != null) {
-            return new HashicorpVaultClient(monitor, settings.config(), edcHttpClient, mapper, settings.tokenProvider(edcHttpClient));
+            return new HashicorpVaultClient(monitor, settings.config(), edcHttpClient, mapper, tokenProviderFactory.create(vaultPartition));
         }
 
         if (vaultConfig.isAllowFallback()) {
@@ -112,7 +112,7 @@ public Result<Void> deleteSecret(String vaultPartition, String key) {
      * creates a new HashicorpVaultClient with the "global" configuration / auth-settings taken from the runtime configuration.
      */
     private HashicorpVaultClient createDefault() {
-        return new HashicorpVaultClient(monitor, vaultConfig, edcHttpClient, mapper, defaultTokenProvider);
+        return new HashicorpVaultClient(monitor, vaultConfig, edcHttpClient, mapper, tokenProviderFactory.create(null));
     }
 
 }

extensions/common/vault/vault-hashicorp/src/main/java/org/eclipse/edc/vault/hashicorp/HashicorpVaultExtension.java

@@ -33,7 +33,7 @@
 import org.eclipse.edc.vault.hashicorp.client.HashicorpVaultHealthService;
 import org.eclipse.edc.vault.hashicorp.client.HashicorpVaultTokenRenewService;
 import org.eclipse.edc.vault.hashicorp.client.HashicorpVaultTokenRenewTask;
-import org.eclipse.edc.vault.hashicorp.spi.auth.HashicorpVaultTokenProvider;
+import org.eclipse.edc.vault.hashicorp.spi.auth.HashicorpVaultTokenProviderFactory;
 import org.jetbrains.annotations.NotNull;
 
 import static com.fasterxml.jackson.databind.DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES;
@@ -50,7 +50,7 @@ public class HashicorpVaultExtension implements ServiceExtension {
     private ExecutorInstrumentation executorInstrumentation;
 
     @Inject
-    private HashicorpVaultTokenProvider tokenProvider;
+    private HashicorpVaultTokenProviderFactory tokenProviderFactory;
 
     @Inject
     private ParticipantContextConfig participantContextConfig;
@@ -72,19 +72,19 @@ public String name() {
 
     @Provider
     public Vault hashicorpVault() {
-        return new HashicorpVault(participantContextConfig, monitor, defaultVaultConfig, tokenProvider, httpClient);
+        return new HashicorpVault(participantContextConfig, monitor, defaultVaultConfig, tokenProviderFactory, httpClient);
     }
 
     @Provider
     public SignatureService signatureService() {
-        return new HashicorpVaultSignatureService(monitor, defaultVaultConfig, httpClient, MAPPER, tokenProvider);
+        return new HashicorpVaultSignatureService(monitor, defaultVaultConfig, httpClient, MAPPER, tokenProviderFactory.create(null));
     }
 
     @Override
     public void initialize(ServiceExtensionContext context) {
         monitor = context.getMonitor().withPrefix(NAME);
-        
-        var tokenRenewService = new HashicorpVaultTokenRenewService(httpClient, MAPPER, defaultVaultConfig, tokenProvider, monitor);
+
+        var tokenRenewService = new HashicorpVaultTokenRenewService(httpClient, MAPPER, defaultVaultConfig, tokenProviderFactory.create(null), monitor);
         tokenRenewalTask = new HashicorpVaultTokenRenewTask(
                 NAME,
                 executorInstrumentation,
@@ -96,7 +96,7 @@ public void initialize(ServiceExtensionContext context) {
     @Provider
     public @NotNull HashicorpVaultHealthService createHealthService() {
         if (healthService == null) {
-            healthService = new HashicorpVaultHealthService(httpClient, defaultVaultConfig, tokenProvider);
+            healthService = new HashicorpVaultHealthService(httpClient, defaultVaultConfig, tokenProviderFactory.create(null));
         }
         return healthService;
     }

extensions/common/vault/vault-hashicorp/src/main/java/org/eclipse/edc/vault/hashicorp/HashicorpVaultSettings.java

@@ -1,5 +1,5 @@
 /*
- *  Copyright (c) 2025 Metaform Systems, Inc.
+ *  Copyright (c) 2025 Cofinity-X
  *
  *  This program and the accompanying materials are made available under the
  *  terms of the Apache License, Version 2.0 which is available at
@@ -8,7 +8,7 @@
  *  SPDX-License-Identifier: Apache-2.0
  *
  *  Contributors:
- *       Metaform Systems, Inc. - initial API and implementation
+ *       Cofinity-X - initial API and implementation
  *
  */
 
@@ -17,23 +17,21 @@
 import com.fasterxml.jackson.core.JsonProcessingException;
 import com.fasterxml.jackson.databind.DeserializationFeature;
 import com.fasterxml.jackson.databind.ObjectMapper;
-import org.eclipse.edc.http.spi.EdcHttpClient;
 import org.eclipse.edc.participantcontext.spi.config.ParticipantContextConfig;
 import org.eclipse.edc.spi.EdcException;
 import org.eclipse.edc.util.string.StringUtils;
-import org.eclipse.edc.vault.hashicorp.auth.HashicorpJwtTokenProvider;
-import org.eclipse.edc.vault.hashicorp.auth.HashicorpVaultTokenProviderImpl;
 import org.eclipse.edc.vault.hashicorp.client.HashicorpVaultConfig;
-import org.eclipse.edc.vault.hashicorp.client.HashicorpVaultCredentials;
-import org.eclipse.edc.vault.hashicorp.spi.auth.HashicorpVaultTokenProvider;
 import org.jetbrains.annotations.Nullable;
 
 import static org.eclipse.edc.vault.hashicorp.VaultConstants.VAULT_CONFIG;
 
 /**
- * POJO that contains a config object and a credentials object. This is intended to be serialized, e.g., as DTO in API calls.
+ * POJO that contains the per-partition vault configuration. This is intended to be serialized, e.g., as DTO in API calls.
+ * Authentication is configured globally (see {@code HashicorpVaultAuthenticationExtension}); the only per-partition value
+ * relevant to authentication is the partition key itself (the participant context id), which is derived from the
+ * partition and used as the token-exchange {@code resource}.
  */
-public record HashicorpVaultSettings(HashicorpVaultConfig config, HashicorpVaultCredentials credentials) {
+public record HashicorpVaultSettings(HashicorpVaultConfig config) {
 
     private static final ObjectMapper MAPPER = new ObjectMapper().disable(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES);
 
@@ -57,25 +55,4 @@ public record HashicorpVaultSettings(HashicorpVaultConfig config, HashicorpVault
         }
     }
 
-    /**
-     * Generates a {@link HashicorpJwtTokenProvider} for the given settings. If a static token is provided in the credentials,
-     * a simple token provider is returned. If client credentials are provided, a JWT token provider is returned.
-     *
-     * @param edcHttpClient An {@link EdcHttpClient} instance to be used for HTTP requests. This is only needed for the JWT token provider.
-     * @return A {@link HashicorpVaultTokenProvider} instance.
-     */
-    public HashicorpVaultTokenProvider tokenProvider(EdcHttpClient edcHttpClient) {
-        if (credentials.getToken() != null) {
-            return new HashicorpVaultTokenProviderImpl(credentials.getToken());
-        }
-
-        return HashicorpJwtTokenProvider.Builder.newInstance()
-                .clientId(credentials.getClientId())
-                .clientSecret(credentials.getClientSecret())
-                .tokenUrl(credentials.getTokenUrl())
-                .vaultUrl(config.getVaultUrl())
-                .httpClient(edcHttpClient)
-                .build();
-    }
-
 }