feat: add update

2026-05-12 21:05:03 +03:00
parent 3c7ece512c
commit 0a2773488f
5 changed files with 252 additions and 105 deletions
--- a/src/infrastructure/vault/keys.py
+++ b/src/infrastructure/vault/keys.py
@@ -3,7 +3,7 @@ import asyncio
 from datetime import datetime, timezone
 from src.application.domain.dto import JwtPublicKeySet, JwtPublicKey
 from src.application.domain.exceptions import ApplicationException
-from src.infrastructure.vault import create_hvac_client, read_kv2_secret
+from src.infrastructure.vault.client import VaultClient


 class JwtKeyStore:
@@ -19,21 +19,25 @@ class JwtKeyStore:
        self,
        *,
        vault_addr: str,
-        vault_token: str,
+        vault_role_id: str,
+        vault_secret_id: str,
+        vault_namespace: str | None,
        mount_point: str,
        kid_path: str = 'jwt/kid',
        kids_prefix: str = 'jwt/kids',
-        timeout_seconds: int = 5,
        refresh_ttl_seconds: int = 60,
    ):
        if getattr(self, '_initialized', False):
            return

-        self._vault_addr = vault_addr
-        self._vault_token = vault_token
-        self._timeout = timeout_seconds
+        self._vault_client = VaultClient(
+            addr=vault_addr,
+            role_id=vault_role_id,
+            secret_id=vault_secret_id,
+            namespace=vault_namespace,
+            mount_point=mount_point,
+        )

-        self._mount = mount_point
        self._kid_path = kid_path
        self._kids_prefix = kids_prefix

@@ -52,29 +56,23 @@ class JwtKeyStore:
        return cls._instance

    def _read_keyset_sync(self) -> JwtPublicKeySet:
-        client = create_hvac_client(url=self._vault_addr, token=self._vault_token, timeout=self._timeout)
-
-        kids = read_kv2_secret(client=client, mount_point=self._mount, path=self._kid_path)
+        kids = self._vault_client.read_secret(self._kid_path)
        active_kid = kids.get('active')
        previous_kid = kids.get('previous')

        if not active_kid:
            raise RuntimeError('Vault jwt/kid secret missing "active"')

-        active = self._read_public_key_sync(client, str(active_kid))
+        active = self._read_public_key_sync(str(active_kid))

        previous = None
        if previous_kid and previous_kid != active_kid:
-            previous = self._read_public_key_sync(client, str(previous_kid))
+            previous = self._read_public_key_sync(str(previous_kid))

        return JwtPublicKeySet(active=active, previous=previous)

-    def _read_public_key_sync(self, client, kid: str) -> JwtPublicKey:
-        data = read_kv2_secret(
-            client=client,
-            mount_point=self._mount,
-            path=f'{self._kids_prefix}/{kid}',
-        )
+    def _read_public_key_sync(self, kid: str) -> JwtPublicKey:
+        data = self._vault_client.read_secret(f'{self._kids_prefix}/{kid}')
        pub = data.get('public_key')
        if not pub:
            raise RuntimeError(f'Vault jwt/kids/{kid} missing public_key')
@@ -110,4 +108,4 @@ class JwtKeyStore:
        if age >= self._refresh_ttl_seconds:
            return await self.refresh()

-        return ks
+        return ks