KEYCLOAK-12619 Improve mapped byte buffer cleanup

2020-01-06 13:09:26 +01:00 · 2020-01-06 13:09:26 +01:00 · f7379086e0
commit f7379086e0
parent c0aa0891cd
2 changed files with 10 additions and 5 deletions
--- a/services/src/main/java/org/keycloak/vault/DefaultVaultRawSecret.java
+++ b/services/src/main/java/org/keycloak/vault/DefaultVaultRawSecret.java
@ -26,6 +26,8 @@ import java.util.concurrent.ThreadLocalRandom;
 */
 public class DefaultVaultRawSecret implements VaultRawSecret {

+    private static final ByteBuffer EMPTY_BUFFER = ByteBuffer.allocate(0);
+
    private static final VaultRawSecret EMPTY_VAULT_SECRET = new VaultRawSecret() {
        @Override
        public Optional<ByteBuffer> get() {
@ -42,7 +44,7 @@ public class DefaultVaultRawSecret implements VaultRawSecret {
        }
    };

-    private final ByteBuffer rawSecret;
+    private ByteBuffer rawSecret;

    private byte[] secretArray;

@ -80,9 +82,12 @@ public class DefaultVaultRawSecret implements VaultRawSecret {
    public void close() {
        if (rawSecret.hasArray()) {
            ThreadLocalRandom.current().nextBytes(rawSecret.array());
-        } else if (this.secretArray != null) {
+        }
+        if (this.secretArray != null) {
            ThreadLocalRandom.current().nextBytes(this.secretArray);
+            this.secretArray = null;    // dispose of secretArray
        }
        rawSecret.clear();
+        rawSecret = EMPTY_BUFFER;
    }
 }
--- a/services/src/test/java/org/keycloak/vault/PlainTextVaultProviderTest.java
+++ b/services/src/test/java/org/keycloak/vault/PlainTextVaultProviderTest.java
@ -5,10 +5,9 @@ import org.junit.Test;
 import java.nio.charset.StandardCharsets;
 import java.nio.file.Files;
 import java.nio.file.Path;
-import java.util.ArrayList;
 import java.util.Arrays;
-import java.util.List;

+import static org.hamcrest.CoreMatchers.not;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertFalse;
 import static org.junit.Assert.assertNotNull;
@ -154,11 +153,12 @@ public class PlainTextVaultProviderTest {

        //when
        VaultRawSecret secretAfterFirstRead = provider.obtainSecret(secretName);
+        assertThat(secretAfterFirstRead, secretContains("secret"));
        secretAfterFirstRead.close();
        VaultRawSecret secretAfterSecondRead = provider.obtainSecret(secretName);

        //then
-        assertThat(secretAfterFirstRead, secretContains("secret"));
+        assertThat(secretAfterFirstRead, not(secretContains("secret")));
        assertThat(secretAfterSecondRead, secretContains("secret"));
    }
 }