More documentation, make mount path configurable

Author: eirslett

README.md

@@ -1,7 +1,11 @@
 # Hvordan få en applikasjon til å hente credentials fra Vault og koble seg til PostgreSQL
 
-Kopier/lim inn Java-klassene i dette repoet, inn i appen din.
+Kopier/lim inn Java-klassene i dette repoet (bortsett fra `HikariCPTest`), inn i appen din.
 (Koden er ikke publisert som at maven-artifakt ennå.)
 
 For å opprette en DataSource, lager du en HikariConfig med konfigurasjon for appen,
 og sender inn i HikariCPVaultUtil, som tar seg av kobling mot Vault.
+Se `makeDataSource()` i `HikariCPTest`-klassen.
+
+Denne DataSourcen bruker du videre i appen, for eksempel som en Spring Bean
+(hvis du bruker Spring Framework).

policy-db.hcl

@@ -2,6 +2,6 @@ path "sys/renew/*" {
   capabilities = ["update"]
 }
 
-path "database/creds/testdb-user" {
+path "postgresql/preprod/creds/testdb-user" {
   capabilities = ["read"]
 }

provision.sh

@@ -15,15 +15,15 @@ psql_root() {
 # That way, access to CREATE in "public" can be revoked later on, without superuser access.
 psql_root -c 'CREATE DATABASE "testdb"'
 
-vault secrets enable database
-vault write database/config/testdb \
+vault secrets enable -path=postgresql/preprod database
+vault write postgresql/preprod/config/testdb \
   allowed_roles="testdb-user" \
   plugin_name=postgresql-database-plugin \
   connection_url="postgresql://{{username}}:{{password}}@$PGSQL_HOST:5432/testdb?sslmode=disable" \
   username="$PGSQL_ROOT_USERNAME" \
   password="$PGPASSWORD"
 
-vault write database/roles/testdb-user \
+vault write postgresql/preprod/roles/testdb-user \
     db_name=testdb \
     creation_statements="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'" \
     default_ttl="1m" \

src/main/java/no/nav/vault/jdbc/hikaricp/HikariCPTest.java

@@ -12,15 +12,9 @@
 
 public class HikariCPTest {
     public static void main(String[] args) throws Exception {
-        final HikariConfig config = new HikariConfig();
-        config.setJdbcUrl("jdbc:postgresql://localhost:5432/testdb");
-        config.setMaxLifetime(5000);
-        config.setMaximumPoolSize(1);
-        config.setConnectionTimeout(250);
-        config.setIdleTimeout(100);
-
-        final HikariDataSource ds = HikariCPVaultUtil.createHikariDataSourceWithVaultIntegration(config, "testdb-user");
+        final HikariDataSource ds = makeDataSource();
 
+        // The rest of the code here is just testing that the data source works.
         final Timer timer = new Timer("PostgreSQLSelectTimer", true);
         final TimerTask task = new TimerTask() {
             @Override
@@ -35,6 +29,16 @@ public void run() {
         System.out.println("Done");
     }
 
+    private static HikariDataSource makeDataSource() throws VaultError {
+        final HikariConfig config = new HikariConfig();
+        config.setJdbcUrl("jdbc:postgresql://localhost:5432/testdb");
+        config.setMaxLifetime(5000);
+        config.setMaximumPoolSize(1);
+        config.setConnectionTimeout(250);
+        config.setIdleTimeout(100);
+        return HikariCPVaultUtil.createHikariDataSourceWithVaultIntegration(config, "postgresql/preprod", "testdb-user");
+    }
+
     private static void runQuery(HikariDataSource ds) {
         try {
             Connection conn = ds.getConnection();

src/main/java/no/nav/vault/jdbc/hikaricp/HikariCPVaultUtil.java

@@ -17,23 +17,25 @@ public final class HikariCPVaultUtil {
     private HikariDataSource ds = null;
     private final HikariConfig hikariConfig;
     private final Vault vault;
+    private final String mountPath;
     private final String role;
 
-    private HikariCPVaultUtil(final HikariConfig config, final Vault vault, final String role) {
+    private HikariCPVaultUtil(final HikariConfig config, final Vault vault, final String mountPath, final String role) {
         this.hikariConfig = config;
         this.vault = vault;
+        this.mountPath = mountPath;
         this.role = role;
     }
 
     private void setDs(final HikariDataSource ds) {
         this.ds = ds;
     }
 
-    public static HikariDataSource createHikariDataSourceWithVaultIntegration(final HikariConfig config, final String role) throws VaultError {
+    public static HikariDataSource createHikariDataSourceWithVaultIntegration(final HikariConfig config, final String mountPath, final String role) throws VaultError {
         final VaultUtil instance = VaultUtil.getInstance();
         final Vault vault = instance.getClient();
 
-        final HikariCPVaultUtil hikariCPVaultUtil = new HikariCPVaultUtil(config, vault, role);
+        final HikariCPVaultUtil hikariCPVaultUtil = new HikariCPVaultUtil(config, vault, mountPath, role);
 
         final class RefreshDbCredentialsTask extends TimerTask {
             @Override
@@ -67,7 +69,7 @@ public void run() {
     }
 
     private RefreshResult refreshCredentialsAndReturnRefreshInterval() throws VaultException {
-        final String path = "database/creds/" + role;
+        final String path = mountPath + "/creds/" + role;
         logger.info("Renewing database credentials for role \"" + role + "\"");
         final LogicalResponse response = vault.logical().read(path);
         final String username = response.getData().get("username");

src/main/java/no/nav/vault/jdbc/hikaricp/VaultUtil.java

@@ -26,6 +26,8 @@ private VaultUtil() {
         timer = new Timer("VaultScheduler", true);
     }
 
+    // We should refresh tokens from Vault before they expire, so we add 30 seconds margin.
+    // If the token is valid for less than 60 seconds, we use duration / 2 instead.
     public static long suggestedRefreshInterval(long duration) {
         if (duration < 60000) {
             return duration / 2;