Polishing.

mp911de · mp911de · commit 2249ff1ca390 · 2025-12-10T10:30:00.000+01:00
Simplify test, use token for assertions for tighter assumptions instead of relying on 403 responses potentially caused by other reasons. See gh-874 Original pull request: gh-875
diff --git a/spring-cloud-vault-config/src/main/java/org/springframework/cloud/vault/config/ClientAuthenticationFactory.java b/spring-cloud-vault-config/src/main/java/org/springframework/cloud/vault/config/ClientAuthenticationFactory.java
@@ -50,6 +50,7 @@
 import org.springframework.vault.authentication.ClientAuthentication;
 import org.springframework.vault.authentication.ClientCertificateAuthentication;
 import org.springframework.vault.authentication.ClientCertificateAuthenticationOptions;
+import org.springframework.vault.authentication.ClientCertificateAuthenticationOptions.ClientCertificateAuthenticationOptionsBuilder;
 import org.springframework.vault.authentication.CubbyholeAuthentication;
 import org.springframework.vault.authentication.CubbyholeAuthenticationOptions;
 import org.springframework.vault.authentication.GcpComputeAuthentication;
@@ -378,14 +379,14 @@ private ClientAuthentication pcfAuthentication(VaultProperties vaultProperties)
 
 	private ClientAuthentication certificateAuthentication(VaultProperties vaultProperties) {
 
-		ClientCertificateAuthenticationOptions.ClientCertificateAuthenticationOptionsBuilder optionsBuilder = ClientCertificateAuthenticationOptions
-			.builder();
-		optionsBuilder.path(vaultProperties.getSsl().getCertAuthPath());
+		ClientCertificateAuthenticationOptionsBuilder builder = ClientCertificateAuthenticationOptions.builder();
+		builder.path(vaultProperties.getSsl().getCertAuthPath());
+
 		if (StringUtils.hasText(vaultProperties.getSsl().getRole())) {
-			optionsBuilder.role(vaultProperties.getSsl().getRole());
+			builder.role(vaultProperties.getSsl().getRole());
 		}
 
-		return new ClientCertificateAuthentication(optionsBuilder.build(), this.restOperations);
+		return new ClientCertificateAuthentication(builder.build(), this.restOperations);
 	}
 
 	private ClientAuthentication tokenAuthentication(VaultProperties vaultProperties) {
diff --git a/spring-cloud-vault-config/src/test/java/org/springframework/cloud/vault/config/VaultConfigTlsCertAuthenticationTests.java b/spring-cloud-vault-config/src/test/java/org/springframework/cloud/vault/config/VaultConfigTlsCertAuthenticationTests.java
@@ -20,25 +20,23 @@
 import java.nio.charset.StandardCharsets;
 import java.util.Collections;
 import java.util.HashMap;
+import java.util.List;
 import java.util.Map;
 
 import org.assertj.core.util.Files;
 import org.junit.jupiter.api.AfterEach;
 import org.junit.jupiter.api.BeforeAll;
 import org.junit.jupiter.api.Test;
 
-import org.junit.jupiter.api.extension.ExtendWith;
 import org.springframework.boot.test.context.TestConfiguration;
-import org.springframework.boot.test.system.CapturedOutput;
-import org.springframework.boot.test.system.OutputCaptureExtension;
 import org.springframework.cloud.vault.util.Settings;
 import org.springframework.cloud.vault.util.VaultRule;
 import org.springframework.cloud.vault.util.VaultTestContextRunner;
 import org.springframework.vault.core.VaultOperations;
+import org.springframework.vault.core.VaultTemplate;
+import org.springframework.vault.support.VaultResponse;
 
 import static org.assertj.core.api.Assertions.assertThat;
-import static org.junit.jupiter.api.Assertions.assertNull;
-import static org.springframework.cloud.vault.config.VaultProperties.AuthenticationMethod.CERT;
 import static org.springframework.cloud.vault.util.Settings.findWorkDir;
 
 /**
@@ -50,14 +48,12 @@
  * @author Mark Paluch
  * @author Issam El-atif
  */
-@ExtendWith(OutputCaptureExtension.class)
 public class VaultConfigTlsCertAuthenticationTests {
 
-	VaultTestContextRunner contextRunner = VaultTestContextRunner.of(CERT)
-		.testClass(getClass())
-		.bootstrap(true)
-		.reactive(false)
-		.configurations(TestConfig.class);
+	VaultTestContextRunner contextRunner = VaultTestContextRunner.of(VaultConfigTlsCertAuthenticationTests.class)
+		.auth(VaultProperties.AuthenticationMethod.CERT)
+		.configurations(TestConfig.class)
+		.settings(s -> s.bootstrap());
 
 	private static VaultOperations vaultOperations;
 
@@ -111,22 +107,28 @@ void authenticateUsingTlsCertificate() {
 	void authenticateUsingNamedCertificateRole() {
 		Map<String, String> anotherRole = new HashMap<>();
 		anotherRole.put("certificate", certificate);
+		anotherRole.put("policies", "another-policy");
 		vaultOperations.write("auth/cert/certs/another-role", anotherRole);
 
-		this.contextRunner.property("spring.cloud.vault.ssl.role", "my-role")
-			.run(context -> assertThat(context.getEnvironment().getProperty("vault.value")).isEqualTo("foo"));
+		this.contextRunner.property("spring.cloud.vault.ssl.role", "my-role").run(context -> {
+			VaultTemplate template = context.getBean(VaultTemplate.class);
+			VaultResponse tokenLookup = template.read("auth/token/lookup-self");
+			assertThat(tokenLookup.getRequiredData()).containsEntry("policies", List.of("default", "testpolicy"));
+			assertThat(context.getEnvironment().getProperty("vault.value")).isEqualTo("foo");
+		});
 	}
 
 	@Test
-	void authenticationFailsWhenMultipleCertsAndNoNamedRole(CapturedOutput capturedOutput) {
+	void authenticationFailsWhenMultipleCertsAndNoNamedRole() {
 		Map<String, String> anotherRole = new HashMap<>();
 		anotherRole.put("certificate", certificate);
 		vaultOperations.write("auth/cert/certs/another-role", anotherRole);
 
 		this.contextRunner.run(context -> {
-			assertThat(capturedOutput.getOut())
-				.contains("org.springframework.vault.VaultException: Status 403 Forbidden");
-			assertNull(context.getEnvironment().getProperty("vault.value"));
+			VaultTemplate template = context.getBean(VaultTemplate.class);
+			VaultResponse tokenLookup = template.read("auth/token/lookup-self");
+			assertThat(tokenLookup.getRequiredData()).containsEntry("policies", Collections.singletonList("default"));
+			assertThat(context.getEnvironment().getProperty("vault.value")).isNull();
 		});
 	}
 
diff --git a/spring-cloud-vault-config/src/test/java/org/springframework/cloud/vault/util/VaultTestContextRunner.java b/spring-cloud-vault-config/src/test/java/org/springframework/cloud/vault/util/VaultTestContextRunner.java
@@ -16,96 +16,128 @@
 
 package org.springframework.cloud.vault.util;
 
-import org.springframework.boot.WebApplicationType;
-import org.springframework.boot.builder.SpringApplicationBuilder;
-import org.springframework.boot.test.context.runner.ApplicationContextRunner;
-import org.springframework.cloud.vault.config.VaultProperties.AuthenticationMethod;
-import org.springframework.context.ConfigurableApplicationContext;
-
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.LinkedHashMap;
 import java.util.List;
 import java.util.Map;
 import java.util.function.Consumer;
 
+import org.springframework.boot.WebApplicationType;
+import org.springframework.boot.builder.SpringApplicationBuilder;
+import org.springframework.boot.test.context.runner.ApplicationContextRunner;
+import org.springframework.cloud.vault.config.VaultProperties.AuthenticationMethod;
+import org.springframework.context.ConfigurableApplicationContext;
+
 /**
  * A utility class built on top of {@link SpringApplicationBuilder} that follows Spring
  * Boot’s testing patterns but designed for Spring Cloud Vault integration tests.
  *
  * <p>
  * Its goal is to eliminate repetitive boilerplate particularly when repeatedly
- * configuring:
- * </p>
- *
- * <ul>
- * <li>Bootstrap mode</li>
- * <li>Reactive vs. non-reactive modes</li>
- * <li>Environment and test classes</li>
- * <li>Vault-specific properties</li>
- * </ul>
+ * configuring startup properties.
  *
  * @author Issam EL-ATIF
- * @since 5.0.1
+ * @author Mark Paluch
  * @see SpringApplicationBuilder
  * @see ApplicationContextRunner
  */
-public class VaultTestContextRunner {
+public final class VaultTestContextRunner {
 
 	private final List<Class<?>> configurationClasses = new ArrayList<>();
 
 	private final Map<String, Object> properties = new LinkedHashMap<>();
 
+	private final TestSettings testSettings = new TestSettings();
+
 	private VaultTestContextRunner(Map<String, Object> properties) {
 		this.properties.putAll(properties);
 	}
 
-	public static VaultTestContextRunner of(AuthenticationMethod authenticationMethod) {
-		Map<String, Object> authProperties = new LinkedHashMap<>();
-		switch (authenticationMethod) {
-			case CERT -> {
-				authProperties.put("spring.cloud.vault.authentication", "cert");
-				authProperties.put("spring.cloud.vault.ssl.key-store", "file:../work/client-cert.jks");
-				authProperties.put("spring.cloud.vault.ssl.key-store-password", "changeit");
-			}
-			case KUBERNETES -> {
-				authProperties.put("spring.cloud.vault.authentication", "kubernetes");
-				authProperties.put("spring.cloud.vault.kubernetes.service-account-token-file",
-						"../work/minikube/hello-minikube-token");
-			}
-		}
+	/**
+	 * Create a {@code VaultTestContextRunner} with default TLS configuration.
+	 * @return the {@link VaultTestContextRunner}.
+	 */
+	public static VaultTestContextRunner create() {
+
+		Map<String, Object> configurationProperties = new LinkedHashMap<>();
+		configurationProperties.put("spring.cloud.vault.ssl.key-store", "file:../work/client-cert.jks");
+		configurationProperties.put("spring.cloud.vault.ssl.key-store-password", "changeit");
 
-		return new VaultTestContextRunner(authProperties);
+		return new VaultTestContextRunner(configurationProperties);
 	}
 
-	public VaultTestContextRunner configurations(Class<?>... configClasses) {
-		this.configurationClasses.addAll(Arrays.asList(configClasses));
-		return this;
+	/**
+	 * Create a {@code VaultTestContextRunner} with default TLS configuration and using
+	 * the {@code testClass} to set the application name.
+	 * @return the {@link VaultTestContextRunner}.
+	 */
+	public static VaultTestContextRunner of(Class<?> testClass) {
+		return create().testClass(testClass);
 	}
 
-	public VaultTestContextRunner property(String key, Object value) {
-		this.properties.put(key, value);
-		return this;
+	/**
+	 * Configure an authentication method to be used.
+	 * @param authenticationMethod the authentication method to use.
+	 * @return this builder.
+	 */
+	public VaultTestContextRunner auth(AuthenticationMethod authenticationMethod) {
+		return property("spring.cloud.vault.authentication", authenticationMethod.name());
 	}
 
+	/**
+	 * Configure the application name based on the given test class.
+	 * @param testClass the test class.
+	 * @return this builder.
+	 */
 	public VaultTestContextRunner testClass(Class<?> testClass) {
-		this.properties.put("spring.cloud.vault.application-name", testClass.getSimpleName());
+		return property("spring.cloud.vault.application-name", testClass.getSimpleName());
+	}
+
+	/**
+	 * Configure configuration classes to be added.
+	 * @param configClasses configuration classes to add.
+	 * @return this builder.
+	 */
+	public VaultTestContextRunner configurations(Class<?>... configClasses) {
+		this.configurationClasses.addAll(Arrays.asList(configClasses));
 		return this;
 	}
 
-	public VaultTestContextRunner bootstrap(boolean bootstrap) {
-		this.properties.put("spring.cloud.bootstrap.enabled", bootstrap);
+	/**
+	 * Set a property to be used in the test context.
+	 * @param key the property key.
+	 * @param value the property value.
+	 * @return this builder.
+	 */
+	public VaultTestContextRunner property(String key, Object value) {
+		this.properties.put(key, value);
 		return this;
 	}
 
-	public VaultTestContextRunner reactive(boolean reactive) {
-		this.properties.put("spring.cloud.vault.reactive.enabled", reactive);
+	/**
+	 * Provides access to {@link TestSettings} with the possibility to update test
+	 * settings.
+	 * @param settingsConsumer a function that consumes the test settings.
+	 * @return this builder.
+	 */
+	public VaultTestContextRunner settings(Consumer<TestSettings> settingsConsumer) {
+		settingsConsumer.accept(this.testSettings);
 		return this;
 	}
 
+	/**
+	 * Run the application and provide access to the application context through the
+	 * {@code consumer}.
+	 * @param consumer consumes the application context.
+	 */
 	public void run(Consumer<ConfigurableApplicationContext> consumer) {
+
+		property("spring.cloud.bootstrap.enabled", this.testSettings.bootstrap);
+		property("spring.cloud.vault.reactive.enabled", this.testSettings.reactive);
+
 		SpringApplicationBuilder builder = new SpringApplicationBuilder();
-		builder.sources(configurationClasses.toArray(new Class<?>[0]))
+		builder.sources(this.configurationClasses.toArray(new Class<?>[0]))
 			.web(WebApplicationType.NONE)
 			.properties(this.properties);
 
@@ -114,4 +146,49 @@ public void run(Consumer<ConfigurableApplicationContext> consumer) {
 		}
 	}
 
+	/**
+	 * Common settings used in tests.
+	 */
+	public class TestSettings {
+
+		private boolean bootstrap = false;
+
+		private boolean reactive = false;
+
+		/**
+		 * Enable Spring Cloud bootstrap context usage (disabled by default).
+		 * @return this settings builder.
+		 */
+		public TestSettings bootstrap() {
+			return bootstrap(true);
+		}
+
+		/**
+		 * Enable or disable Spring Cloud bootstrap context usage (disabled by default).
+		 * @return this settings builder.
+		 */
+		public TestSettings bootstrap(boolean bootstrap) {
+			this.bootstrap = bootstrap;
+			return this;
+		}
+
+		/**
+		 * Enable reactive usage (disabled by default).
+		 * @return this settings builder.
+		 */
+		public TestSettings reactive() {
+			return reactive(true);
+		}
+
+		/**
+		 * Enable or disable reactive usage (disabled by default).
+		 * @return this settings builder.
+		 */
+		public TestSettings reactive(boolean reactive) {
+			this.reactive = reactive;
+			return this;
+		}
+
+	}
+
 }
