This is an automated email from the ASF dual-hosted git repository.

exceptionfactory pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/nifi.git


The following commit(s) were added to refs/heads/main by this push:
     new 9df359acd4b NIFI-16078 Fixed StandardHashiCorpVaultClientService for 
non-token Authentication (#11396)
9df359acd4b is described below

commit 9df359acd4b6f50ca9cf363c18c8472c3364041b
Author: Pierre Villard <[email protected]>
AuthorDate: Fri Jul 10 21:55:46 2026 +0200

    NIFI-16078 Fixed StandardHashiCorpVaultClientService for non-token 
Authentication (#11396)
    
    Signed-off-by: David Handermann <[email protected]>
---
 ...StandardHashiCorpVaultCommunicationService.java |  2 ++
 .../config/HashiCorpVaultConfiguration.java        | 28 ++++++++++++++-
 .../hashicorp/TestHashiCorpVaultConfiguration.java | 40 ++++++++++++++++++++++
 3 files changed, 69 insertions(+), 1 deletion(-)

diff --git 
a/nifi-commons/nifi-hashicorp-vault/src/main/java/org/apache/nifi/vault/hashicorp/StandardHashiCorpVaultCommunicationService.java
 
b/nifi-commons/nifi-hashicorp-vault/src/main/java/org/apache/nifi/vault/hashicorp/StandardHashiCorpVaultCommunicationService.java
index bcda62c654c..7b10615f5c3 100644
--- 
a/nifi-commons/nifi-hashicorp-vault/src/main/java/org/apache/nifi/vault/hashicorp/StandardHashiCorpVaultCommunicationService.java
+++ 
b/nifi-commons/nifi-hashicorp-vault/src/main/java/org/apache/nifi/vault/hashicorp/StandardHashiCorpVaultCommunicationService.java
@@ -107,6 +107,8 @@ public class StandardHashiCorpVaultCommunicationService 
implements HashiCorpVaul
         final VaultEndpoint vaultEndpoint = vaultConfiguration.vaultEndpoint();
         final RestTemplate restTemplate = 
VaultClients.createRestTemplate(vaultEndpoint, clientHttpRequestFactory);
 
+        
vaultConfiguration.setClientHttpRequestFactory(clientHttpRequestFactory);
+
         final VaultClient.Builder vaultClientBuilder = 
VaultClient.builder(restTemplate).endpoint(vaultEndpoint);
         final String namespace = vaultConfiguration.getNamespace();
         if (namespace != null && !namespace.isEmpty()) {
diff --git 
a/nifi-commons/nifi-hashicorp-vault/src/main/java/org/apache/nifi/vault/hashicorp/config/HashiCorpVaultConfiguration.java
 
b/nifi-commons/nifi-hashicorp-vault/src/main/java/org/apache/nifi/vault/hashicorp/config/HashiCorpVaultConfiguration.java
index 012f0fb83e3..190684aafd7 100644
--- 
a/nifi-commons/nifi-hashicorp-vault/src/main/java/org/apache/nifi/vault/hashicorp/config/HashiCorpVaultConfiguration.java
+++ 
b/nifi-commons/nifi-hashicorp-vault/src/main/java/org/apache/nifi/vault/hashicorp/config/HashiCorpVaultConfiguration.java
@@ -23,6 +23,9 @@ import org.springframework.core.env.PropertySource;
 import org.springframework.core.env.StandardEnvironment;
 import org.springframework.core.io.FileSystemResource;
 import org.springframework.core.io.support.ResourcePropertySource;
+import org.springframework.http.client.ClientHttpRequestFactory;
+import org.springframework.vault.client.RestTemplateFactory;
+import org.springframework.vault.config.AbstractVaultConfiguration;
 import org.springframework.vault.config.EnvironmentVaultConfiguration;
 import 
org.springframework.vault.core.VaultKeyValueOperationsSupport.KeyValueBackend;
 import org.springframework.vault.support.ClientOptions;
@@ -65,9 +68,14 @@ public class HashiCorpVaultConfiguration extends 
EnvironmentVaultConfiguration {
 
     private static final String HTTPS = "https";
 
+    private static final String CLIENT_HTTP_REQUEST_FACTORY_WRAPPER_BEAN = 
"clientHttpRequestFactoryWrapper";
+
     private final SslConfiguration sslConfiguration;
     private final ClientOptions clientOptions;
     private final KeyValueBackend keyValueBackend;
+    private final HashiCorpVaultApplicationContext applicationContext;
+
+    private AbstractVaultConfiguration.ClientFactoryWrapper 
clientFactoryWrapper;
 
     /**
      * Creates a HashiCorpVaultConfiguration from property sources, in 
increasing precedence.
@@ -118,7 +126,8 @@ public class HashiCorpVaultConfiguration extends 
EnvironmentVaultConfiguration {
         }
         this.keyValueBackend = keyValueBackend;
 
-        this.setApplicationContext(new HashiCorpVaultApplicationContext(env));
+        this.applicationContext = new HashiCorpVaultApplicationContext(env);
+        this.setApplicationContext(applicationContext);
 
         sslConfiguration = 
env.getProperty(VaultConfigurationKey.URI.key).contains(HTTPS)
                 ? super.sslConfiguration() : SslConfiguration.unconfigured();
@@ -130,6 +139,23 @@ public class HashiCorpVaultConfiguration extends 
EnvironmentVaultConfiguration {
         return keyValueBackend;
     }
 
+    /**
+     * Registers the given request factory as the {@code 
clientHttpRequestFactoryWrapper} bean and uses it
+     * to build the {@link RestTemplateFactory}. Spring Vault authentication 
methods other than token
+     * authentication build their own Vault client from these, so this must be 
called before
+     * {@link #clientAuthentication()} to supply NiFi's configured request 
factory.
+     * @param clientHttpRequestFactory The request factory used for Vault 
communication
+     */
+    public void setClientHttpRequestFactory(final ClientHttpRequestFactory 
clientHttpRequestFactory) {
+        this.clientFactoryWrapper = new 
AbstractVaultConfiguration.ClientFactoryWrapper(clientHttpRequestFactory);
+        
applicationContext.getBeanFactory().registerSingleton(CLIENT_HTTP_REQUEST_FACTORY_WRAPPER_BEAN,
 clientFactoryWrapper);
+    }
+
+    @Override
+    protected RestTemplateFactory getRestTemplateFactory() {
+        return clientFactoryWrapper == null ? super.getRestTemplateFactory() : 
restTemplateFactory(clientFactoryWrapper);
+    }
+
     /**
      * A convenience method to create a PropertySource from a file on disk.
      * @param filename The properties filename.
diff --git 
a/nifi-commons/nifi-hashicorp-vault/src/test/java/org/apache/nifi/vault/hashicorp/TestHashiCorpVaultConfiguration.java
 
b/nifi-commons/nifi-hashicorp-vault/src/test/java/org/apache/nifi/vault/hashicorp/TestHashiCorpVaultConfiguration.java
index 41bf16b3b38..1dbec16c053 100644
--- 
a/nifi-commons/nifi-hashicorp-vault/src/test/java/org/apache/nifi/vault/hashicorp/TestHashiCorpVaultConfiguration.java
+++ 
b/nifi-commons/nifi-hashicorp-vault/src/test/java/org/apache/nifi/vault/hashicorp/TestHashiCorpVaultConfiguration.java
@@ -23,8 +23,10 @@ import org.junit.jupiter.api.AfterAll;
 import org.junit.jupiter.api.BeforeAll;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.io.TempDir;
 import org.springframework.core.env.ConfigurableEnvironment;
 import org.springframework.core.env.StandardEnvironment;
+import org.springframework.http.client.SimpleClientHttpRequestFactory;
 import org.springframework.vault.authentication.ClientAuthentication;
 import org.springframework.vault.client.VaultEndpoint;
 import org.springframework.vault.core.VaultKeyValueOperationsSupport;
@@ -148,6 +150,44 @@ public class TestHashiCorpVaultConfiguration {
         this.runTest("http");
     }
 
+    @Test
+    public void testKubernetesClientAuthentication(@TempDir Path tempDir) 
throws IOException {
+        final Path tokenFile = Files.createTempFile(tempDir, 
"vault-k8s-token", ".jwt");
+        Files.writeString(tokenFile, "test-jwt-token");
+
+        final Map<String, String> props = new HashMap<>();
+        props.put(VAULT_AUTHENTICATION, "KUBERNETES");
+        props.put("vault.kubernetes.role", "test-role");
+        props.put("vault.kubernetes.service-account-token-file", 
tokenFile.toFile().getAbsolutePath());
+        final File k8sAuthProps = Files.createTempFile(tempDir, "vault-", 
".properties").toFile();
+        writeProperties(props, k8sAuthProps);
+        
propertiesBuilder.setAuthPropertiesFilename(k8sAuthProps.getAbsolutePath());
+
+        config = new HashiCorpVaultConfiguration(
+                createIsolatedEnvironment(), new 
HashiCorpVaultPropertySource(propertiesBuilder.build()));
+        config.setClientHttpRequestFactory(new 
SimpleClientHttpRequestFactory());
+
+        final ClientAuthentication clientAuthentication = 
config.clientAuthentication();
+        assertNotNull(clientAuthentication);
+    }
+
+    @Test
+    public void testAwsEc2ClientAuthentication(@TempDir Path tempDir) throws 
IOException {
+        final Map<String, String> props = new HashMap<>();
+        props.put(VAULT_AUTHENTICATION, "AWS_EC2");
+        props.put("vault.aws-ec2.role", "test-role");
+        final File awsAuthProps = Files.createTempFile(tempDir, "vault-", 
".properties").toFile();
+        writeProperties(props, awsAuthProps);
+        
propertiesBuilder.setAuthPropertiesFilename(awsAuthProps.getAbsolutePath());
+
+        config = new HashiCorpVaultConfiguration(
+                createIsolatedEnvironment(), new 
HashiCorpVaultPropertySource(propertiesBuilder.build()));
+        config.setClientHttpRequestFactory(new 
SimpleClientHttpRequestFactory());
+
+        final ClientAuthentication clientAuthentication = 
config.clientAuthentication();
+        assertNotNull(clientAuthentication);
+    }
+
     @Test
     public void testKvVersion() {
         config = new HashiCorpVaultConfiguration(new 
HashiCorpVaultPropertySource(propertiesBuilder.build()));

Reply via email to