Skip to content

Add batch secret retrieval API support#127

Open
miewest wants to merge 1 commit intocyberark:mainfrom
miewest:feature/batch-secret-retrieval
Open

Add batch secret retrieval API support#127
miewest wants to merge 1 commit intocyberark:mainfrom
miewest:feature/batch-secret-retrieval

Conversation

@miewest
Copy link

@miewest miewest commented Mar 3, 2026

Summary

Adds support for the Conjur Batch Secret Retrieval API (GET /secrets?variable_ids=...) to the Java SDK.

Closes #126

Changes

New: Batch Secret Retrieval

  • ResourceProvider: Added retrieveBatchSecrets(String... variableIds) as a default interface method
  • ResourceClient: Full implementation — builds the variable_ids query parameter with proper percent-encoding (slashes, @, +, &, spaces as %20), parses the JSON map response via Gson, and strips the {account}:variable: prefix from response keys
  • Variables / Conjur: Expose the batch method through the existing delegation chain

Refactored: Endpoints

  • Primary constructor is now Endpoints(String applianceUrl, String account) — all service URIs are derived from these two values
  • Added Endpoints(String applianceUrl, String account, String authnUrl) for custom authenticators (LDAP, OIDC, etc.)
  • Added getBatchSecretsUri() returning {applianceUrl}/secrets
  • Factory methods fromSystemProperties() and fromCredentials() simplified to thin wrappers
  • Removed redundant getServiceUri() static helper that re-read system properties

Tests

  • 26 new unit tests in ResourceClientTest using Mockito to mock the JAX-RS client stack
  • Covers: single/multi variable batch, URL encoding edge cases (slashes, @, +, &, spaces), all error codes (401/403/404/422), null/empty args, deeply nested paths, response order preservation, buildBatchQueryParam helper, single secret retrieval, and Endpoints URI derivation

API Usage

Conjur conjur = new Conjur();

// Fetch multiple secrets in one HTTP call
Map<String, String> secrets = conjur.retrieveBatchSecrets(
    "prod/db/password",
    "prod/db/username",
    "prod/api/key"
);

String dbPass = secrets.get("prod/db/password");

Testing

  • All 27 unit tests pass (mvn test)
  • Manually verified against a live Conjur server (single retrieval, batch retrieval, consistency check, 404 handling)

@miewest
Add batch secret retrieval functionality and unit tests
95a3fcc 
- Implemented batch secret retrieval methods in ResourceClient, Variables, and ResourceProvider.
- Enhanced Endpoints class to support batch retrieval URI.
- Added comprehensive unit tests for batch secret retrieval in ResourceClientTest.
@miewest
Copy link
Author

miewest commented Mar 3, 2026
edited
Loading

Ignore close, I mixed up tabs and closed the wrong PR.

@miewest miewest closed this Mar 3, 2026
@miewest miewest reopened this Mar 3, 2026
@miewest
Copy link
Author

miewest commented Mar 3, 2026
edited
Loading

I also created a manual full integration test of this code but wasn't sure if it fit in the repo. I can add it if wanted.

@miewest miewest changed the title feat: Add batch secret retrieval support Add batch secret retrieval support Mar 3, 2026
@miewest miewest mentioned this pull request Mar 3, 2026
Open
@miewest miewest changed the title Add batch secret retrieval support Add batch secret retrieval API support Mar 3, 2026
@szh
Copy link
Contributor

szh commented Mar 5, 2026

Thank you for the PR! We've added it to our backlog to review.

Tracking internally as CNJR-13117.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Add batch secret retrieval support

2 participants

@miewest @szh