Use JSpecify to indicate nullness.

Closes #902

pom.xml

@@ -383,7 +383,6 @@
 				<configuration>
 					<release>${java.version}</release>
 					<parameters>true</parameters>
-					<release>${source.level}</release>
 					<showWarnings>true</showWarnings>
 					<annotationProcessorPaths>
 						<path>

spring-vault-core/src/main/java/org/springframework/vault/authentication/AppRoleAuthentication.java

@@ -214,7 +214,7 @@ private String getRoleId(RoleId roleId) throws VaultLoginException {
 
 				ResponseEntity<VaultResponse> entity = this.restOperations.exchange(getRoleIdIdPath(this.options),
 						HttpMethod.GET, createHttpEntity(token), VaultResponse.class);
-				return (String) ResponseUtil.getRequiredData(entity).get("role_id");
+				return (String) ResponseUtil.getRequiredValue(entity, "role_id");
 			}
 			catch (HttpStatusCodeException e) {
 				throw new VaultLoginException("Cannot get Role id using AppRole: %s"
@@ -233,7 +233,7 @@ private String getRoleId(RoleId roleId) throws VaultLoginException {
 
 				VaultResponse response = unwrappingEndpoints.unwrap(ResponseUtil.getRequiredBody(entity));
 
-				return (String) response.getRequiredData().get("role_id");
+				return (String) ResponseUtil.getRequiredValue(response, "role_id");
 			}
 			catch (HttpStatusCodeException e) {
 				throw new VaultLoginException("Cannot unwrap Role id using AppRole: %s"
@@ -244,6 +244,7 @@ private String getRoleId(RoleId roleId) throws VaultLoginException {
 		throw new IllegalArgumentException("Unknown RoleId configuration: " + roleId);
 	}
 
+	@SuppressWarnings("NullAway")
 	private String getSecretId(SecretId secretId) throws VaultLoginException {
 
 		if (secretId instanceof Provided) {

spring-vault-core/src/main/java/org/springframework/vault/authentication/AppRoleAuthenticationOptions.java

@@ -128,20 +128,15 @@ public static class AppRoleAuthenticationOptionsBuilder {
 
 		private String path = DEFAULT_APPROLE_AUTHENTICATION_PATH;
 
-		@Nullable
-		private String providedRoleId;
+		private @Nullable String providedRoleId;
 
-		@Nullable
-		private RoleId roleId;
+		private @Nullable RoleId roleId;
 
-		@Nullable
-		private String providedSecretId;
+		private @Nullable String providedSecretId;
 
-		@Nullable
-		private SecretId secretId;
+		private @Nullable SecretId secretId;
 
-		@Nullable
-		private String appRole;
+		private @Nullable String appRole;
 
 		private UnwrappingEndpoints unwrappingEndpoints = UnwrappingEndpoints.SysWrapping;
 
@@ -250,6 +245,9 @@ public AppRoleAuthenticationOptions build() {
 						"AppRole authentication configured for pull mode. AppRole must not be null.");
 			}
 
+			Assert.notNull(this.roleId, "RoleId must not be null");
+			Assert.notNull(this.secretId, "SecretId must not be null");
+
 			return new AppRoleAuthenticationOptions(this.path, this.roleId, this.secretId, this.appRole,
 					this.unwrappingEndpoints);
 		}

spring-vault-core/src/main/java/org/springframework/vault/authentication/AuthenticationSteps.java

@@ -299,7 +299,8 @@ public static class HttpRequestBuilder {
 		@Nullable
 		String uriTemplate;
 
-		String @Nullable[] urlVariables;
+		@Nullable
+		String[] urlVariables = new String[0];
 
 		@Nullable
 		HttpEntity<?> entity;
@@ -379,14 +380,14 @@ private HttpRequestBuilder(HttpMethod method, URI uri) {
 			this.uri = uri;
 		}
 
-		private HttpRequestBuilder(HttpMethod method, @Nullable String uriTemplate, String @Nullable[] urlVariables) {
+		private HttpRequestBuilder(HttpMethod method, @Nullable String uriTemplate, @Nullable String[] urlVariables) {
 			this.method = method;
 			this.uriTemplate = uriTemplate;
 			this.urlVariables = urlVariables;
 		}
 
 		private HttpRequestBuilder(HttpMethod method, @Nullable URI uri, @Nullable String uriTemplate,
-			String @Nullable[] urlVariables, @Nullable HttpEntity<?> entity) {
+				@Nullable String[] urlVariables, @Nullable HttpEntity<?> entity) {
 			this.method = method;
 			this.uri = uri;
 			this.uriTemplate = uriTemplate;
@@ -448,8 +449,7 @@ public static class HttpRequest<T> {
 		@Nullable
 		final String uriTemplate;
 
-
-		final String @Nullable[] urlVariables;
+		final @Nullable String[] urlVariables;
 
 		@Nullable
 		final HttpEntity<?> entity;
@@ -485,7 +485,8 @@ String getUriTemplate() {
 			return this.uriTemplate;
 		}
 
-		String @Nullable[] getUrlVariables() {
+		@Nullable
+		String[] getUrlVariables() {
 			return this.urlVariables;
 		}
 

spring-vault-core/src/main/java/org/springframework/vault/authentication/AuthenticationStepsExecutor.java

@@ -92,7 +92,7 @@ public VaultToken login() throws VaultException {
 	}
 
 	@SuppressWarnings({ "unchecked", "ConstantConditions" })
-	private Object evaluate(Iterable<Node<?>> steps) {
+	private @Nullable Object evaluate(Iterable<Node<?>> steps) {
 
 		Object state = null;
 
@@ -108,14 +108,17 @@ private Object evaluate(Iterable<Node<?>> steps) {
 				}
 
 				if (o instanceof MapStep) {
+					Assert.state(state != null, "No state available for MapStep");
 					state = doMapStep((MapStep<Object, Object>) o, state);
 				}
 
 				if (o instanceof ZipStep) {
+					Assert.state(state != null, "No state available for ZipStep");
 					state = doZipStep((ZipStep<Object, Object>) o, state);
 				}
 
 				if (o instanceof OnNextStep) {
+					Assert.state(state != null, "No state available for OnNextStep");
 					state = doOnNext((OnNextStep<Object>) o, state);
 				}
 
@@ -143,24 +146,28 @@ private Object evaluate(Iterable<Node<?>> steps) {
 	}
 
 	@SuppressWarnings("ConstantConditions")
-	@Nullable
-	private Object doHttpRequest(HttpRequestNode<Object> step, @Nullable Object state) {
+	private @Nullable Object doHttpRequest(HttpRequestNode<Object> step, @Nullable Object state) {
 
 		HttpRequest<Object> definition = step.getDefinition();
 
-		if (definition.getUri() == null) {
+		if (definition.getUriTemplate() != null) {
 
 			ResponseEntity<?> exchange = this.restOperations.exchange(definition.getUriTemplate(),
 					definition.getMethod(), getEntity(definition.getEntity(), state), definition.getResponseType(),
 					(Object[]) definition.getUrlVariables());
 
 			return exchange.getBody();
 		}
-		ResponseEntity<?> exchange = this.restOperations.exchange(definition.getUri(), definition.getMethod(),
-				getEntity(definition.getEntity(), state), definition.getResponseType());
 
-		return exchange.getBody();
+		if (definition.getUri() != null) {
 
+			ResponseEntity<?> exchange = this.restOperations.exchange(definition.getUri(), definition.getMethod(),
+					getEntity(definition.getEntity(), state), definition.getResponseType());
+
+			return exchange.getBody();
+		}
+
+		return null;
 	}
 
 	static HttpEntity<?> getEntity(@Nullable HttpEntity<?> entity, @Nullable Object state) {
@@ -185,6 +192,7 @@ private static Object doMapStep(MapStep<Object, Object> o, Object state) {
 		return o.apply(state);
 	}
 
+	@SuppressWarnings("NullAway")
 	private Object doZipStep(ZipStep<Object, Object> o, Object state) {
 
 		Object result = evaluate(o.getRight());

spring-vault-core/src/main/java/org/springframework/vault/authentication/AuthenticationStepsOperator.java

@@ -155,7 +155,7 @@ private Mono<Object> createMono(Iterable<Node<?>> steps) {
 		return state;
 	}
 
-	@SuppressWarnings({"NullAway", "DataFlowIssue"})
+	@SuppressWarnings({ "NullAway", "DataFlowIssue" })
 	private Mono<Object> doHttpRequest(HttpRequestNode<Object> step, Object state) {
 
 		HttpRequest<Object> definition = step.getDefinition();

spring-vault-core/src/main/java/org/springframework/vault/authentication/AzureMsiAuthentication.java

@@ -159,7 +159,7 @@ private VaultToken createTokenUsingAzureMsiCompute() {
 			VaultResponse response = this.vaultRestOperations
 				.postForObject(AuthenticationUtil.getLoginPath(this.options.getPath()), login, VaultResponse.class);
 
-			Assert.state(response != null && response.getAuth() != null, "Auth field must not be null");
+			Assert.state(response != null, "Auth field must not be null");
 
 			if (logger.isDebugEnabled()) {
 				logger.debug("Login successful using Azure authentication");
@@ -185,6 +185,7 @@ private static Map<String, String> getAzureLogin(String role, AzureVmEnvironment
 		return loginBody;
 	}
 
+	@SuppressWarnings({ "NullAway", "rawtypes" })
 	private String getAccessToken() {
 
 		ResponseEntity<Map> response = this.azureMetadataRestOperations
@@ -200,6 +201,7 @@ private AzureVmEnvironment getVmEnvironment() {
 		return vmEnvironment != null ? vmEnvironment : fetchAzureVmEnvironment();
 	}
 
+	@SuppressWarnings({ "unchecked", "rawtypes" })
 	private AzureVmEnvironment fetchAzureVmEnvironment() {
 
 		ResponseEntity<Map> response = this.azureMetadataRestOperations
@@ -208,16 +210,23 @@ private AzureVmEnvironment fetchAzureVmEnvironment() {
 		return toAzureVmEnvironment(ResponseUtil.getRequiredBody(response));
 	}
 
-	@SuppressWarnings("unchecked")
+	@SuppressWarnings({ "unchecked", "rawtypes" })
 	private static AzureVmEnvironment toAzureVmEnvironment(Map<String, Object> instanceMetadata) {
 
 		Map<String, String> compute = (Map) instanceMetadata.get("compute");
 
+		Assert.notNull(compute, "Metadata does not contain compute");
+
 		String subscriptionId = compute.get("subscriptionId");
 		String resourceGroupName = compute.get("resourceGroupName");
 		String vmName = compute.get("name");
 		String vmScaleSetName = compute.get("vmScaleSetName");
 
+		Assert.notNull(subscriptionId, "Metadata does not contain subscriptionId");
+		Assert.notNull(resourceGroupName, "Metadata does not contain resourceGroupName");
+		Assert.notNull(vmName, "Metadata does not contain name");
+		Assert.notNull(vmScaleSetName, "Metadata does not contain vmScaleSetName");
+
 		return new AzureVmEnvironment(subscriptionId, resourceGroupName, vmName, vmScaleSetName);
 	}
 

spring-vault-core/src/main/java/org/springframework/vault/authentication/CachingVaultTokenSupplier.java

@@ -18,6 +18,7 @@
 import java.util.Objects;
 import java.util.concurrent.atomic.AtomicReference;
 
+import org.jspecify.annotations.NonNull;
 import reactor.core.publisher.Mono;
 
 import org.springframework.vault.VaultException;
@@ -38,7 +39,7 @@ public class CachingVaultTokenSupplier implements VaultTokenSupplier, ReactiveSe
 
 	private final VaultTokenSupplier clientAuthentication;
 
-	private final AtomicReference<Mono<VaultToken>> tokenRef = new AtomicReference<>(EMPTY);
+	private final AtomicReference<@NonNull Mono<VaultToken>> tokenRef = new AtomicReference<>(EMPTY);
 
 	private CachingVaultTokenSupplier(VaultTokenSupplier clientAuthentication) {
 		this.clientAuthentication = clientAuthentication;
@@ -56,6 +57,7 @@ public static CachingVaultTokenSupplier of(VaultTokenSupplier delegate) {
 	}
 
 	@Override
+	@SuppressWarnings("NullAway")
 	public Mono<VaultToken> getVaultToken() throws VaultException {
 
 		if (Objects.equals(this.tokenRef.get(), EMPTY)) {

spring-vault-core/src/main/java/org/springframework/vault/authentication/LifecycleAwareSessionManager.java

@@ -239,7 +239,9 @@ private RenewOutcome doRenew(TokenWrapper wrapper) {
 		VaultResponse vaultResponse = this.restOperations.postForObject("auth/token/renew-self",
 				new HttpEntity<>(VaultHttpHeaders.from(wrapper.token)), VaultResponse.class);
 
-		LoginToken renewed = LoginTokenUtil.from(vaultResponse.getRequiredAuth());
+		Assert.notNull(vaultResponse, "VaultResponse must not be null");
+
+		LoginToken renewed = LoginTokenUtil.from(vaultResponse.getAuth());
 
 		if (isExpired(renewed)) {
 

spring-vault-core/src/main/java/org/springframework/vault/authentication/LoginToken.java

@@ -206,8 +206,7 @@ public String toString() {
 	 */
 	public static class LoginTokenBuilder {
 
-
-		private char @Nullable[] token;
+		private char @Nullable [] token;
 
 		private boolean renewable;
 

spring-vault-core/src/main/java/org/springframework/vault/authentication/LoginTokenUtil.java

@@ -40,8 +40,8 @@ private LoginTokenUtil() {
 	static LoginToken from(Map<String, Object> auth) {
 
 		Assert.notNull(auth, "Authentication must not be null");
-
 		String token = (String) auth.get("client_token");
+		Assert.notNull(token, "Authentication must contain 'client_token' key");
 
 		return from(token.toCharArray(), auth);
 	}
@@ -52,6 +52,7 @@ static LoginToken from(Map<String, Object> auth) {
 	 * @return the {@link LoginToken}
 	 * @since 2.0
 	 */
+	@SuppressWarnings("NullAway")
 	static LoginToken from(char[] token, Map<String, ?> auth) {
 
 		Assert.notNull(auth, "Authentication must not be null");

spring-vault-core/src/main/java/org/springframework/vault/authentication/ReactiveLifecycleAwareSessionManager.java

@@ -20,6 +20,7 @@
 import java.util.Optional;
 import java.util.concurrent.atomic.AtomicReference;
 
+import org.jspecify.annotations.NonNull;
 import reactor.core.publisher.Mono;
 
 import org.springframework.beans.factory.DisposableBean;
@@ -91,7 +92,7 @@ public class ReactiveLifecycleAwareSessionManager extends LifecycleAwareSessionM
 	 * The token state: Contains the currently valid token that identifies the Vault
 	 * session.
 	 */
-	private volatile AtomicReference<Mono<TokenWrapper>> token = new AtomicReference<>(EMPTY);
+	private final AtomicReference<@NonNull Mono<TokenWrapper>> token = new AtomicReference<>(EMPTY);
 
 	/**
 	 * Create a {@link ReactiveLifecycleAwareSessionManager} given
@@ -136,6 +137,7 @@ public ReactiveLifecycleAwareSessionManager(VaultTokenSupplier clientAuthenticat
 	}
 
 	@Override
+	@SuppressWarnings("NullAway")
 	public void destroy() {
 
 		Mono<TokenWrapper> tokenMono = this.token.get();
@@ -149,6 +151,7 @@ public void destroy() {
 	 * @return a mono emitting completion upon successful revocation.
 	 * @since 3.0.2
 	 */
+	@SuppressWarnings("NullAway")
 	public Mono<Void> revoke() {
 		return doRevoke(this.token.get()).doOnSuccess(unused -> this.token.set(EMPTY));
 	}
@@ -216,6 +219,7 @@ private Mono<String> onRevokeFailed(VaultToken token, Throwable e) {
 	 * obtained. {@link Mono#empty()} if a new the token expired or
 	 * {@link Mono#error(Throwable)} if refresh failed.
 	 */
+	@SuppressWarnings("NullAway")
 	public Mono<VaultToken> renewToken() {
 
 		this.logger.info("Renewing token");
@@ -268,7 +272,7 @@ private Mono<TokenWrapper> doRenew(TokenWrapper tokenWrapper) {
 			.doOnSubscribe(ignore -> multicastEvent(new BeforeLoginTokenRenewedEvent(tokenWrapper.getToken())))
 			.handle((response, sink) -> {
 
-				LoginToken renewed = LoginTokenUtil.from(response.getRequiredAuth());
+				LoginToken renewed = LoginTokenUtil.from(response.getAuth());
 
 				if (!isExpired(renewed)) {
 					sink.next(new TokenWrapper(renewed, tokenWrapper.revocable));
@@ -301,6 +305,7 @@ private void dropCurrentToken() {
 	}
 
 	@Override
+	@SuppressWarnings("NullAway")
 	public Mono<VaultToken> getVaultToken() throws VaultException {
 
 		Mono<TokenWrapper> tokenWrapper = this.token.get();