feat: implement automatic hashicorp token renewal

[hamidonos]

What this PR changes/adds

This PR adds an automatic token renewal mechanism to the Hashicorp Vault extension.

Why it does that

Currently the EDC uses the root token which is not suitable for production stage.

Further notes

Note that the Vault token does not rotate. It is renewed.

A token has a TTL. The TTL defines the interval in which the token has to be renewed, otherwise it will be invalidated forever. If a token expires for any reason the EDC will go into a unhealthy state. Currently there is no other way to recover from a invalid token other than restarting the EDC with a fresh token since the token is provided in the boot configurations.

Brief explanation of new configurations added:

• VAULT_TOKEN_TTL: Defines the TTL of the token which is passed to the Vault upon renewal. The TTL might not be honored by the Vault (e.g. in the case of periodic tokens). Therefore the TTL value returned by the Vault should be respected for each renewal. Vault requires a minimum TTL of 5 seconds.
• VAULT_TOKEN_RENEW_BUFFER: Buffer before a renewal is triggered to account for network issues etc. Has to be smaller than the TTL.
• VAULT_TOKEN_SCHEDULED_RENEWAL_ENABLED: Whether the automatic renewal feature added by this PR is active or not. Defaults to true. This should be only set to false for development or testing cases.

Upon start the EDC validates the token by calling the Vault API. For non valid tokens a error message will be logged and the Connector will enter a unhealthy state. If the token is renewable it will be renewed instantly. If the renewal was successful a scheduled one-shot task is submitted. The task executes after a delay defined as TTL - VAULT_TOKEN_RENEW_BUFFER. If the renewal was successful the next task is scheduled again at TTL - VAULT_TOKEN_RENEW_BUFFER and so on. Http requests are retried if they are retryable. See Hashicorp status codes

For non-renewable but valid tokens the EDC will stay healthy until the token expires.

Tokens have a max TTL even if they're renewable (unless they're periodic). After the max ttl expires the token will be invalidated for ever. Further renewals will fail.
The max TTL can either be a system default config on Vault side, or a explicit max TTL set by the admin at token creation.

Periodic tokens can be renewed forever as long they're renewed within the TTL.

Linked Issue(s)

Closes #3610

---

_{Hamid Ahmetovic[email protected], Mercedes-Benz Tech Innovation GmbH, legal info/Impressum}

[github-actions]

This pull request is stale because it has been open for 7 days with no activity.

[paullatzelsperger]

just a minor naming nit, but once that is resolved I think we can merge this PR.

[github-actions]

This pull request is stale because it has been open for 7 days with no activity.

[paullatzelsperger]

@hamidonos is any work being done on this? Seeing as the latest comments from @jimmarino are 2 weeks old.

[paullatzelsperger]

Notice: should this PR not receive any updates by Friday March 15 2024 5pm CET, I will close, adopt and re-submit it under my authorship.
The Copyright will remain with the original author.

[DominikPinsel]

Notice: should this PR not receive any updates by Friday March 15 2024 5pm CET, I will close, adopt and re-submit it under my authorship. The Copyright will remain with the original author.

We kindly request reconsideration of the one-day response time, as your team member, Hamid, will be out of the office until Friday. Adjusting the response timeframe would greatly aid in maintaining workflow efficiency.

[paullatzelsperger]

@DominikPinsel this PR has been open forever, and no activity was visible for two weeks after the latest comments. We have a release scheduled for March 27 which should have this feature in it.

If it is a matter of a few days, then I'm sure we can accomodate, but we shouldn't wait too long. Shall we say +1week, i.e. Friday March 22nd then.

[DominikPinsel]

@DominikPinsel this PR has been open forever, and no activity was visible for two weeks after the latest comments. We have a release scheduled for March 27 which should have this feature in it.

If it is a matter of a few days, then I'm sure we can accomodate, but we shouldn't wait too long. Shall we say +1week, i.e. Friday March 22nd then.

This would be great! :)

[ndr-brt]

hey @hamidonos we had some changes that conflicted with this PR, please solve conflicts and then we'll be ready to merge

[codecov-commenter]

⚠️ Please install the to ensure uploads and comments are reliably processed by Codecov.

Codecov Report

Attention: Patch coverage is 90.07937% with 25 lines in your changes missing coverage. Please review.

Project coverage is 73.96%. Comparing base (7f20ba5) to head (f379945).
Report is 533 commits behind head on main.

Files with missing lines	Patch %	Lines
...ipse/edc/vault/hashicorp/HashicorpVaultClient.java	84.34%	11 Missing and 7 partials ⚠️
.../vault/hashicorp/HashicorpVaultTokenRenewTask.java	89.47%	1 Missing and 3 partials ⚠️
...vault/hashicorp/HashicorpVaultHealthExtension.java	81.81%	1 Missing and 1 partial ⚠️
...lipse/edc/spi/system/health/HealthCheckResult.java	0.00%	1 Missing ⚠️

❗ Your organization needs to install the Codecov GitHub app to enable full functionality.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #3782      +/-   ##
==========================================
+ Coverage   71.74%   73.96%   +2.22%     
==========================================
  Files         919      984      +65     
  Lines       18457    20008    +1551     
  Branches     1037     1127      +90     
==========================================
+ Hits        13242    14799    +1557     
+ Misses       4756     4726      -30     
- Partials      459      483      +24     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.