Class RoleOptions

  • All Implemented Interfaces:
    java.io.Serializable

    public class RoleOptions
    extends java.lang.Object
    implements java.io.Serializable

    A container for options sent to and returned by role-related endpoints on the PKI backend. This class is meant for use with a builder pattern style. Example usage:

    
     final RoleOptions options = new RoleOptions()
                                  .allowedDomains(new ArrayList<String>(){{ add("myvault.com"); }})
                                  .allowSubdomains(true)
                                  .maxTtl("9h");
     
    See Also:
    Serialized Form
    • Constructor Detail

      • RoleOptions

        public RoleOptions()
    • Method Detail

      • ttl

        public RoleOptions ttl(java.lang.String ttl)
        Parameters:
        ttl - (optional) The Time To Live value provided as a string duration with time suffix. Hour is the largest suffix. If not set, uses the system default value or the value of max_ttl, whichever is shorter.
        Returns:
        This object, with ttl populated, ready for other builder methods or immediate use.
      • maxTtl

        public RoleOptions maxTtl(java.lang.String maxTtl)
        Parameters:
        maxTtl - (optional) The maximum Time To Live provided as a string duration with time suffix. Hour is the largest suffix. If not set, defaults to the system maximum lease TTL.
        Returns:
        This object, with maxTtl populated, ready for other builder methods or immediate use.
      • allowLocalhost

        public RoleOptions allowLocalhost(java.lang.Boolean allowLocalhost)
        Parameters:
        allowLocalhost - (optional) If set, clients can request certificates for localhost as one of the requested common names. This is useful for testing and to allow clients on a single host to talk securely. Defaults to true.
        Returns:
        This object, with allowLocalhost populated, ready for other builder methods or immediate use.
      • allowedDomains

        public RoleOptions allowedDomains(java.util.List<java.lang.String> allowedDomains)
        Parameters:
        allowedDomains - (optional) Designates the domains of the role, provided as a comma-separated list. This is used with the allow_bare_domains and allow_subdomains options. There is no default.
        Returns:
        This object, with allowedDomains populated, ready for other builder methods or immediate use.
      • allowBareDomains

        public RoleOptions allowBareDomains(java.lang.Boolean allowBareDomains)
        Parameters:
        allowBareDomains - (optional) If set, clients can request certificates matching the value of the actual domains themselves; e.g. if a configured domain set with allowed_domains is example.com, this allows clients to actually request a certificate containing the name example.com as one of the DNS values on the final certificate. In some scenarios, this can be considered a security risk. Defaults to false.
        Returns:
        This object, with allowBareDomains populated, ready for other builder methods or immediate use.
      • allowSubdomains

        public RoleOptions allowSubdomains(java.lang.Boolean allowSubdomains)
        Parameters:
        allowSubdomains - (optional) If set, clients can request certificates with CNs that are subdomains of the CNs allowed by the other role options. This includes wildcard subdomains. For example, an allowed_domains value of example.com with this option set to true will allow foo.example.com and bar.example.com as well as *.example.com. This is redundant when using the allow_any_name option. Defaults to false.
        Returns:
        This object, with allowSubdomains populated, ready for other builder methods or immediate use.
      • allowSpiffeName

        public RoleOptions allowSpiffeName(java.lang.Boolean allowSpiffename)
        Parameters:
        allowSpiffename - (optional)
        Returns:
        This object, with allowSpiffename populated, ready for other builder methods or immediate use.
      • allowAnyName

        public RoleOptions allowAnyName(java.lang.Boolean allowAnyName)
        Parameters:
        allowAnyName - (optional) If set, clients can request any CN. Useful in some circumstances, but make sure you understand whether it is appropriate for your installation before enabling it. Defaults to false.
        Returns:
        This object, with allowAnyName populated, ready for other builder methods or immediate use.
      • enforceHostnames

        public RoleOptions enforceHostnames(java.lang.Boolean enforceHostnames)
        Parameters:
        enforceHostnames - (optional) If set, only valid host names are allowed for CNs, DNS SANs, and the host part of email addresses. Defaults to true.
        Returns:
        This object, with enforceHostnames populated, ready for other builder methods or immediate use.
      • allowIpSans

        public RoleOptions allowIpSans(java.lang.Boolean allowIpSans)
        Parameters:
        allowIpSans - (optional) If set, clients can request IP Subject Alternative Names. No authorization checking is performed except to verify that the given values are valid IP addresses. Defaults to true.
        Returns:
        This object, with allowIpSans populated, ready for other builder methods or immediate use.
      • serverFlag

        public RoleOptions serverFlag(java.lang.Boolean serverFlag)
        Parameters:
        serverFlag - (optional) If set, certificates are flagged for server use. Defaults to true.
        Returns:
        This object, with serverFlag populated, ready for other builder methods or immediate use.
      • clientFlag

        public RoleOptions clientFlag(java.lang.Boolean clientFlag)
        Parameters:
        clientFlag - (optional) If set, certificates are flagged for client use. Defaults to true.
        Returns:
        This object, with clientFlag populated, ready for other builder methods or immediate use.
      • codeSigningFlag

        public RoleOptions codeSigningFlag(java.lang.Boolean codeSigningFlag)
        Parameters:
        codeSigningFlag - (optional) If set, certificates are flagged for code signing use. Defaults to false.
        Returns:
        This object, with codeSigningFlag populated, ready for other builder methods or immediate use.
      • emailProtectionFlag

        public RoleOptions emailProtectionFlag(java.lang.Boolean emailProtectionFlag)
        Parameters:
        emailProtectionFlag - (optional) If set, certificates are flagged for email protection use. Defaults to false.
        Returns:
        This object, with emailProtectionFlag populated, ready for other builder methods or immediate use.
      • keyType

        public RoleOptions keyType(java.lang.String keyType)
        Parameters:
        keyType - (optional) The type of key to generate for generated private keys. Currently, rsa and ec are supported. Defaults to rsa.
        Returns:
        This object, with keyType populated, ready for other builder methods or immediate use.
      • keyBits

        public RoleOptions keyBits(java.lang.Long keyBits)
        Parameters:
        keyBits - (optional) The number of bits to use for the generated keys. Defaults to 2048; this will need to be changed for ec keys. See https://golang.org/pkg/crypto/elliptic/#Curve for an overview of allowed bit lengths for ec.
        Returns:
        This object, with keyBits populated, ready for other builder methods or immediate use.
      • useCsrCommonName

        public RoleOptions useCsrCommonName(java.lang.Boolean useCsrCommonName)
        Parameters:
        useCsrCommonName - (optional) If set, when used with the CSR signing endpoint, the common name in the CSR will be used instead of taken from the JSON data. This does not include any requested SANs in the CSR. Defaults to false.
        Returns:
        This object, with useCsrCommonName populated, ready for other builder methods or immediate use.
      • useCsrSans

        public RoleOptions useCsrSans(java.lang.Boolean useCsrSans)
        Parameters:
        useCsrSans - (optional) If set, when used with the CSR signing endpoint, the Subject Alternative Names in the CSR will be used instead of taken from the JSON data. This does not include the common name in the CSR, unless use_csr_common_name is also set. Defaults to true.
        Returns:
        This object, with useCsrSans populated, ready for other builder methods or immediate use.
      • getTtl

        public java.lang.String getTtl()
      • getMaxTtl

        public java.lang.String getMaxTtl()
      • getAllowLocalhost

        public java.lang.Boolean getAllowLocalhost()
      • getAllowedDomains

        public java.util.List<java.lang.String> getAllowedDomains()
      • getAllowBareDomains

        public java.lang.Boolean getAllowBareDomains()
      • getAllowSubdomains

        public java.lang.Boolean getAllowSubdomains()
      • getAllowAnyName

        public java.lang.Boolean getAllowAnyName()
      • getEnforceHostnames

        public java.lang.Boolean getEnforceHostnames()
      • getAllowIpSans

        public java.lang.Boolean getAllowIpSans()
      • getServerFlag

        public java.lang.Boolean getServerFlag()
      • getClientFlag

        public java.lang.Boolean getClientFlag()
      • getCodeSigningFlag

        public java.lang.Boolean getCodeSigningFlag()
      • getEmailProtectionFlag

        public java.lang.Boolean getEmailProtectionFlag()
      • getKeyType

        public java.lang.String getKeyType()
      • getKeyBits

        public java.lang.Long getKeyBits()
      • getUseCsrCommonName

        public java.lang.Boolean getUseCsrCommonName()
      • getUseCsrSans

        public java.lang.Boolean getUseCsrSans()
      • getAllowSpiffename

        public java.lang.Boolean getAllowSpiffename()
      • keyUsage

        public RoleOptions keyUsage(java.util.List<java.lang.String> keyUsage)
      • getKeyUsage

        public java.util.List<java.lang.String> getKeyUsage()
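The builder methods above accept a permissive role as readily as a tight one, and every getter returns null for an option that was never set, so a review of a role has to apply the Vault defaults stated in the parameter descriptions (allow_localhost, allow_ip_sans, server_flag, client_flag and enforce_hostnames default to true; the rest default to false). The following Java code is an added example, not part of vault-java-driver or of this Javadoc: it builds a least-privilege server-authentication role scoped to the subdomains of one domain, then reads a role back through the getters and lists the settings a reviewer would question. The import path com.bettercloud.vault.api.pki.RoleOptions, the example.com domain and the 720-hour threshold are assumptions.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

// Assumed package for the class documented above (vault-java-driver); adjust to your build.
import com.bettercloud.vault.api.pki.RoleOptions;

public final class RoleOptionsReview {

    /** Resolves an unset (null) Boolean to the Vault default stated in the Javadoc for that option. */
    private static boolean effective(Boolean configured, boolean vaultDefault) {
        return configured == null ? vaultDefault : configured;
    }

    /** Converts a TTL string such as "9h", "30m" or "600s" to hours; hour is the largest suffix the API accepts. */
    static double ttlHours(String ttl) {
        if (ttl == null || ttl.isEmpty()) {
            return 0; // unset: Vault applies the system default, nothing to compare against here
        }
        char unit = ttl.charAt(ttl.length() - 1);
        double value = Double.parseDouble(ttl.substring(0, ttl.length() - 1));
        switch (unit) {
            case 'h': return value;
            case 'm': return value / 60;
            case 's': return value / 3600;
            default: throw new IllegalArgumentException("unsupported TTL suffix: " + ttl);
        }
    }

    /** A least-privilege role: one domain's subdomains, server auth only, short-lived EC keys. */
    static RoleOptions hardenedRole() {
        return new RoleOptions()
                .allowedDomains(new ArrayList<>(Arrays.asList("example.com"))) // assumed domain
                .allowSubdomains(true)
                .allowBareDomains(false)
                .allowAnyName(false)
                .allowLocalhost(false)    // default is true; switch it off outside test environments
                .allowIpSans(false)       // default is true; IP SANs get no authorization check
                .enforceHostnames(true)
                .serverFlag(true)
                .clientFlag(false)        // default is true; this role issues server certificates only
                .keyType("ec")
                .keyBits(256L)            // key_bits must be changed from the RSA default for ec
                .ttl("24h")
                .maxTtl("72h");
    }

    /** Reads a role back through its getters and returns the settings a reviewer would question. */
    static List<String> reviewRole(RoleOptions role, double maxAcceptableHours) {
        List<String> findings = new ArrayList<>();
        List<String> domains = role.getAllowedDomains();

        if (effective(role.getAllowAnyName(), false)) {
            findings.add("allow_any_name: any CN may be issued, so allowed_domains is not enforced");
        } else if (domains == null || domains.isEmpty()) {
            findings.add("allowed_domains is empty: the role does not scope issuance to any domain");
        }
        if (effective(role.getAllowBareDomains(), false)) {
            findings.add("allow_bare_domains: the apex names in allowed_domains themselves may be issued");
        }
        if (effective(role.getAllowIpSans(), true)) {
            findings.add("allow_ip_sans (default true): IP SANs are accepted with only a syntax check");
        }
        if (effective(role.getAllowLocalhost(), true)) {
            findings.add("allow_localhost (default true): certificates for localhost may be issued");
        }
        if (!effective(role.getEnforceHostnames(), true)) {
            findings.add("enforce_hostnames disabled: CNs and DNS SANs need not be valid hostnames");
        }
        if (effective(role.getServerFlag(), true) && effective(role.getClientFlag(), true)) {
            findings.add("server_flag and client_flag both set: one certificate serves both TLS roles");
        }
        if (effective(role.getCodeSigningFlag(), false)) {
            findings.add("code_signing_flag: issued certificates may also sign code");
        }
        if (ttlHours(role.getMaxTtl()) > maxAcceptableHours) {
            findings.add("max_ttl " + role.getMaxTtl() + " exceeds the acceptable " + maxAcceptableHours + "h");
        }
        boolean rsa = role.getKeyType() == null || "rsa".equalsIgnoreCase(role.getKeyType());
        if (rsa && role.getKeyBits() != null && role.getKeyBits() < 2048) {
            findings.add("key_bits " + role.getKeyBits() + " is below 2048 for an RSA key");
        }
        return findings;
    }

    public static void main(String[] args) {
        // A deliberately permissive role, for contrast with hardenedRole().
        RoleOptions permissive = new RoleOptions()
                .allowAnyName(true)
                .allowBareDomains(true)
                .maxTtl("8760h");
        System.out.println("permissive role: " + reviewRole(permissive, 720));
        System.out.println("hardened role:   " + reviewRole(hardenedRole(), 720));
    }
}
```

The permissive role produces findings for allow_any_name, allow_bare_domains, the unset allow_ip_sans and allow_localhost (both default true), the unset server and client flags (both default true) and the one-year max_ttl; the hardened role produces none. The same review can be run on a RoleOptions returned by a role-read endpoint, which is where the null-to-default resolution matters most.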