drop support for deprecated App-ID auth backend (#61)

App-ID is deprecated since Vault 0.6 and was removed in 1.12.
Our compatibility methods are depreacted since Connector 0.4. It's time
to drop it for good.

.github/workflows/ci.yml

@@ -6,10 +6,10 @@ jobs:
     strategy:
       matrix:
         jdk: [ 11, 17, 21 ]
-        vault: [ '1.2.0', '1.11.12', '1.16.0' ]
+        vault: [ '1.2.0', '1.16.0' ]
         include:
           - jdk: 21
-            vault: '1.11.12'
+            vault: '1.16.0'
             analysis: true
     steps:
       - name: Checkout

CHANGELOG.md

@@ -1,3 +1,9 @@
+## unreleased
+
+### Removal
+* Drop support fpr deprecated `App-ID` auth backend (#61)
+
+
 ## 1.2.0 (2023-12-11)
 
 ### Deprecations

pom.xml

@@ -4,7 +4,7 @@
 
     <groupId>de.stklcode.jvault</groupId>
     <artifactId>jvault-connector</artifactId>
-    <version>1.2.1-SNAPSHOT</version>
+    <version>1.3.0-SNAPSHOT</version>
 
     <packaging>jar</packaging>
 

src/main/java/de/stklcode/jvault/connector/HTTPVaultConnector.java

@@ -58,7 +58,6 @@ public class HTTPVaultConnector implements VaultConnector {
     private static final String PATH_ROLES = "/roles";
     private static final String PATH_CREATE_ORPHAN = "/create-orphan";
     private static final String PATH_AUTH_USERPASS = PATH_AUTH + "/userpass/login/";
-    private static final String PATH_AUTH_APPID = PATH_AUTH + "/app-id";
     private static final String PATH_AUTH_APPROLE = PATH_AUTH + "/approle";
     private static final String PATH_AUTH_APPROLE_ROLE = PATH_AUTH_APPROLE + "/role/%s%s";
 
@@ -200,18 +199,6 @@ public final AuthResponse authUserPass(final String username, final String passw
         return queryAuth(PATH_AUTH_USERPASS + username, payload);
     }
 
-    @Override
-    @Deprecated(since = "0.4", forRemoval = true)
-    public final AuthResponse authAppId(final String appID, final String userID) throws VaultConnectorException {
-        return queryAuth(
-                PATH_AUTH_APPID + PATH_LOGIN,
-                Map.of(
-                        "app_id", appID,
-                        "user_id", userID
-                )
-        );
-    }
-
     @Override
     public final AuthResponse authAppRole(final String roleID, final String secretID) throws VaultConnectorException {
         final Map<String, String> payload = mapOfStrings(
@@ -241,40 +228,6 @@ private AuthResponse queryAuth(final String path, final Map<String, String> payl
         return auth;
     }
 
-    @Override
-    @Deprecated(since = "0.4", forRemoval = true)
-    public final boolean registerAppId(final String appID, final String policy, final String displayName)
-            throws VaultConnectorException {
-        requireAuth();
-
-        /* Issue request and expect code 204 with empty response */
-        request.postWithoutResponse(
-                PATH_AUTH_APPID + "/map/app-id/" + appID,
-                Map.of(
-                        "value", policy,
-                        "display_name", displayName
-                ),
-                token
-        );
-
-        return true;
-    }
-
-    @Override
-    @Deprecated(since = "0.4", forRemoval = true)
-    public final boolean registerUserId(final String appID, final String userID) throws VaultConnectorException {
-        requireAuth();
-
-        /* Issue request and expect code 204 with empty response */
-        request.postWithoutResponse(
-                PATH_AUTH_APPID + "/map/user-id/" + userID,
-                singletonMap("value", appID),
-                token
-        );
-
-        return true;
-    }
-
     @Override
     public final boolean createAppRole(final AppRole role) throws VaultConnectorException {
         requireAuth();

src/main/java/de/stklcode/jvault/connector/VaultConnector.java

@@ -112,19 +112,6 @@ default SealResponse unseal(final String key) throws VaultConnectorException {
      */
     AuthResponse authUserPass(final String username, final String password) throws VaultConnectorException;
 
-    /**
-     * Authorize to Vault using AppID method.
-     *
-     * @param appID  The App ID
-     * @param userID The User ID
-     * @return The {@link AuthResponse}
-     * @throws VaultConnectorException on error
-     * @deprecated As of Vault 0.6.1 App-ID is superseded by AppRole. App-ID was removed in Vault 1.12.
-     * Consider using {@link #authAppRole} instead.
-     */
-    @Deprecated(since = "0.4", forRemoval = true)
-    AuthResponse authAppId(final String appID, final String userID) throws VaultConnectorException;
-
     /**
      * Authorize to Vault using AppRole method without secret ID.
      *
@@ -148,21 +135,6 @@ default AuthResponse authAppRole(final String roleID) throws VaultConnectorExcep
      */
     AuthResponse authAppRole(final String roleID, final String secretID) throws VaultConnectorException;
 
-    /**
-     * Register new App-ID with policy.
-     *
-     * @param appID       The unique App-ID
-     * @param policy      The policy to associate with
-     * @param displayName Arbitrary name to display
-     * @return {@code true} on success
-     * @throws VaultConnectorException on error
-     * @deprecated As of Vault 0.6.1 App-ID is superseded by AppRole. App-ID was removed in Vault 1.12.
-     * Consider using {@link #createAppRole} instead.
-     */
-    @Deprecated(since = "0.4", forRemoval = true)
-    boolean registerAppId(final String appID, final String policy, final String displayName)
-            throws VaultConnectorException;
-
     /**
      * Register a new AppRole role from given metamodel.
      *
@@ -344,38 +316,6 @@ AppRoleSecretResponse lookupAppRoleSecret(final String roleName, final String se
      */
     List<String> listAppRoleSecrets(final String roleName) throws VaultConnectorException;
 
-    /**
-     * Register User-ID with App-ID.
-     *
-     * @param appID  The App-ID
-     * @param userID The User-ID
-     * @return {@code true} on success
-     * @throws VaultConnectorException on error
-     * @deprecated As of Vault 0.6.1 App-ID is superseded by AppRole. App-ID was removed in Vault 1.12.
-     * Consider using {@link #createAppRoleSecret} instead.
-     */
-    @Deprecated(since = "0.4", forRemoval = true)
-    boolean registerUserId(final String appID, final String userID) throws VaultConnectorException;
-
-    /**
-     * Register new App-ID and User-ID at once.
-     *
-     * @param appID       The App-ID
-     * @param policy      The policy to associate with
-     * @param displayName Arbitrary name to display
-     * @param userID      The User-ID
-     * @return {@code true} on success
-     * @throws VaultConnectorException on error
-     * @deprecated As of Vault 0.6.1 App-ID is superseded by AppRole. App-ID was removed in Vault 1.12.
-     */
-    @Deprecated(since = "0.4", forRemoval = true)
-    default boolean registerAppUserId(final String appID,
-                                      final String policy,
-                                      final String displayName,
-                                      final String userID) throws VaultConnectorException {
-        return registerAppId(appID, policy, userID) && registerUserId(appID, userID);
-    }
-
     /**
      * Get authorization status.
      *

src/main/java/de/stklcode/jvault/connector/model/AuthBackend.java

@@ -24,8 +24,6 @@
  */
 public enum AuthBackend {
     TOKEN("token"),
-    @Deprecated(since = "1.1.3", forRemoval = true)
-    APPID("app-id"),
     APPROLE("approle"),
     USERPASS("userpass"),
     GITHUB("github"),   // Not supported yet.

src/test/java/de/stklcode/jvault/connector/HTTPVaultConnectorIT.java

@@ -25,7 +25,6 @@
 import de.stklcode.jvault.connector.test.Credentials;
 import de.stklcode.jvault.connector.test.VaultConfiguration;
 import org.junit.jupiter.api.*;
-import org.junit.jupiter.api.condition.EnabledIf;
 import org.junit.jupiter.api.io.TempDir;
 
 import java.io.*;
@@ -59,7 +58,6 @@ class HTTPVaultConnectorIT {
     private static final String USER_VALID = "validUser";
     private static final String PASS_VALID = "validPass";
 
-    private static boolean legacy;
     private Process vaultProcess;
     private VaultConnector connector;
 
@@ -70,9 +68,6 @@ public static void init() {
             VAULT_VERSION = System.getenv("VAULT_VERSION");
             System.out.println("Vault version set to " + VAULT_VERSION);
         }
-        if (compareVersions(VAULT_VERSION, "1.12.0") < 0) {
-            legacy = true;
-        }
     }
 
     /**
@@ -550,74 +545,6 @@ void handleSecretVersionsTest() {
         }
     }
 
-    @Nested
-    @DisplayName("App-ID Tests")
-    @EnabledIf(value = "de.stklcode.jvault.connector.HTTPVaultConnectorIT#isLegacy",
-            disabledReason = "AppID tests no longer available for Vault 1.12 and above")
-    @SuppressWarnings("deprecation")
-    class AppIdTests {
-        private static final String APP_ID = "152AEA38-85FB-47A8-9CBD-612D645BFACA";
-        private static final String USER_ID = "5ADF8218-D7FB-4089-9E38-287465DBF37E";
-
-        /**
-         * App-ID authentication roundtrip.
-         */
-        @Test
-        @Order(10)
-        @DisplayName("Authenticate with App-ID")
-        void authAppIdTest() {
-            // Try unauthorized access first.
-            assumeFalse(connector.isAuthorized());
-
-            assertThrows(
-                    AuthorizationRequiredException.class,
-                    () -> connector.registerAppId("", "", ""),
-                    "Expected exception not thrown"
-            );
-            assertThrows(
-                    AuthorizationRequiredException.class,
-                    () -> connector.registerUserId("", ""),
-                    "Expected exception not thrown"
-            );
-        }
-
-        /**
-         * App-ID authentication roundtrip.
-         */
-        @Test
-        @Order(20)
-        @DisplayName("Register App-ID")
-        void registerAppIdTest() {
-            // Authorize.
-            authRoot();
-            assumeTrue(connector.isAuthorized());
-
-            // Register App-ID.
-            boolean res = assertDoesNotThrow(
-                    () -> connector.registerAppId(APP_ID, "user", "App Name"),
-                    "Failed to register App-ID"
-            );
-            assertTrue(res, "Failed to register App-ID");
-
-            // Register User-ID.
-            res = assertDoesNotThrow(
-                    () -> connector.registerUserId(APP_ID, USER_ID),
-                    "Failed to register App-ID"
-            );
-            assertTrue(res, "Failed to register App-ID");
-
-            connector.resetAuth();
-            assumeFalse(connector.isAuthorized());
-
-            // Authenticate with created credentials.
-            AuthResponse resp = assertDoesNotThrow(
-                    () -> connector.authAppId(APP_ID, USER_ID),
-                    "Failed to authenticate using App-ID"
-            );
-            assertTrue(connector.isAuthorized(), "Authorization flag not set after App-ID login");
-        }
-    }
-
     @Nested
     @DisplayName("AppRole Tests")
     @TestMethodOrder(MethodOrderer.OrderAnnotation.class)
@@ -1080,13 +1007,9 @@ void authMethodsTest() {
                     () -> connector.getAuthBackends(),
                     "Could not list supported auth backends"
             );
-            if (legacy) {
-                assertEquals(4, supportedBackends.size());
-                assertTrue(supportedBackends.containsAll(List.of(AuthBackend.TOKEN, AuthBackend.USERPASS, AuthBackend.APPID, AuthBackend.APPROLE)));
-            } else {
-                assertEquals(3, supportedBackends.size());
-                assertTrue(supportedBackends.containsAll(List.of(AuthBackend.TOKEN, AuthBackend.USERPASS, AuthBackend.APPROLE)));
-            }
+
+            assertEquals(3, supportedBackends.size());
+            assertTrue(supportedBackends.containsAll(List.of(AuthBackend.TOKEN, AuthBackend.USERPASS, AuthBackend.APPROLE)));
         }
 
         /**
@@ -1212,11 +1135,7 @@ void closeTest() throws NoSuchFieldException, IllegalAccessException {
      */
     private VaultConfiguration initializeVault(File dir, boolean tls) throws IllegalStateException, IOException {
         File dataDir = new File(dir, "data");
-        if (legacy) {
-            copyDirectory(new File(getClass().getResource("/data_dir_legacy").getPath()), dataDir);
-        } else {
-            copyDirectory(new File(getClass().getResource("/data_dir").getPath()), dataDir);
-        }
+        copyDirectory(new File(getClass().getResource("/data_dir").getPath()), dataDir);
 
         // Generate vault local unencrypted configuration.
         VaultConfiguration config = new VaultConfiguration()
@@ -1337,8 +1256,4 @@ private static int compareVersions(String version1, String version2) {
 
         return comparisonResult;
     }
-
-    private static boolean isLegacy() {
-        return legacy;
-    }
 }

src/test/java/de/stklcode/jvault/connector/HTTPVaultConnectorTest.java

@@ -235,18 +235,6 @@ void nonEmpty204ResponseTest() throws URISyntaxException {
         mockHttpResponse(200, "{}", "application/json");
 
         // Now test the methods expecting a 204.
-        assertThrows(
-                InvalidResponseException.class,
-                () -> connector.registerAppId("appID", "policy", "displayName"),
-                "registerAppId() with 200 response succeeded"
-        );
-
-        assertThrows(
-                InvalidResponseException.class,
-                () -> connector.registerUserId("appID", "userID"),
-                "registerUserId() with 200 response succeeded"
-        );
-
         assertThrows(
                 InvalidResponseException.class,
                 () -> connector.createAppRole("appID", Collections.singletonList("policy")),

src/test/java/de/stklcode/jvault/connector/model/AuthBackendTest.java

@@ -33,10 +33,8 @@ class AuthBackendTest {
      * Test forType() method.
      */
     @Test
-    @SuppressWarnings("deprecation")
     void forTypeTest() {
         assertEquals(AuthBackend.TOKEN, AuthBackend.forType("token"));
-        assertEquals(AuthBackend.APPID, AuthBackend.forType("app-id"));
         assertEquals(AuthBackend.USERPASS, AuthBackend.forType("userpass"));
         assertEquals(AuthBackend.GITHUB, AuthBackend.forType("github"));
         assertEquals(AuthBackend.UNKNOWN, AuthBackend.forType(""));