Releasing 1.0.6

Author: technicalguru

README.md

@@ -15,6 +15,30 @@ composer install technicalguru/vault
 ## By Package Download
 You can download the source code packages from [GitHub Release Page](https://github.com/technicalguru/php-vault/releases)
 
+# Hashicorp Setup
+The procedure is best described at [Hashicorp Blog](https://www.hashicorp.com/blog/authenticating-applications-with-vault-approle). It describes
+how to create an `approle`. Here is the essence of it:
+
+```
+# Enable the auth method for approle
+vault auth enable approle
+
+# Create a file with your policy on the respective secret path:
+cat 'path "secret/my-secret" { capabilities = ["read", "list"] }' >app-policy.hcl
+
+# Create the policy
+vault policy write my-app-policy app-policy.hcl
+
+# Create the approle
+vault write auth/approle/role/my-approle  secret_id_ttl=120m  token_ttl=60m  token_max_tll=120m  policies="my-app-policy"
+
+# Get the role ID printed
+vault read auth/approle/role/my-approle/role-id
+
+# Create the secret ID and print it
+vault write -f auth/approle/role/my-approle/secret-id
+```
+
 # Examples
 ## Create a HashicorpVault
 Please note that this vault is actually a client to an existing Hashicorp Vault.
@@ -107,8 +131,8 @@ The secrets file (JSON) shall look like this:
 
 ```
 try {
-	$mySecret1 = $vault->get('my/secret/number/1');
-	$mySecret2 = $vault->get('my/secret/number/2');
+	$mySecret1 = $vault->getSecret('my/secret/number/1');
+	$mySecret2 = $vault->getSecret('my/secret/number/2');
 } catch (\TgVault\VaultException $e) {
 	// secret was not found
 }

composer.json

@@ -25,7 +25,12 @@
 			"TgVault\\": "src/TgVault/"
 		}
 	},
+	"extra": {
+		"branch-alias": {
+			"dev-master": "1.0-dev"
+		}
+	},
 	"require-dev": {
 		"phpunit/phpunit": "^9"
 	}
-}
+}

src/TgVault/BaseVault.php

@@ -28,7 +28,7 @@ public function __construct($logger = NULL) {
 	  * @return Secret
 	  * @throws VaultException when the secret cannot be found or retrieved.
 	  */
-	public function getSecret(string $path) {
+	public function getSecret($path) {
 		throw new VaultException(get_class().'::getSecret() must be implemented.', VAULT_ERR_INTERNAL);
 	}
 
@@ -47,7 +47,7 @@ public function setLogger($logger) {
 	  * @param $s      - the string to be logged
 	  * @param $object - the object to be logged
 	  */
-	protected function debug(string $s, $object = NULL) {
+	protected function debug($s, $object = NULL) {
 		if ($this->logger != NULL) {
 			$object = self::cleanObject($object);
 			$psrInterface = '\\Psr\\Log\\LoggerInterface';
@@ -64,7 +64,7 @@ protected function debug(string $s, $object = NULL) {
 	  * @param $s      - the string to be logged
 	  * @param $object - the object to be logged
 	  */
-	protected function warn(string $s, $object = NULL) {
+	protected function warn($s, $object = NULL) {
 		if ($this->logger != NULL) {
 			$object = self::cleanObject($object);
 			$psrInterface = '\\Psr\\Log\\LoggerInterface';
@@ -81,7 +81,7 @@ protected function warn(string $s, $object = NULL) {
 	  * @param $s      - the string to be logged
 	  * @param $object - the object to be logged
 	  */
-	protected function info(string $s, $object = NULL) {
+	protected function info($s, $object = NULL) {
 		if ($this->logger != NULL) {
 			$object = self::cleanObject($object);
 			$psrInterface = '\\Psr\\Log\\LoggerInterface';
@@ -98,7 +98,7 @@ protected function info(string $s, $object = NULL) {
 	  * @param $s      - the string to be logged
 	  * @param $object - the object to be logged
 	  */
-	protected function error(string $s, $object = NULL) {
+	protected function error($s, $object = NULL) {
 		if ($this->logger != NULL) {
 			$object = self::cleanObject($object);
 			$psrInterface = '\\Psr\\Log\\LoggerInterface';

src/TgVault/CredentialsProvider.php

@@ -24,7 +24,7 @@ class CredentialsProvider extends SecretProvider implements \TgUtils\Auth\Creden
 	  * @param string $passwordKey - the key in the secret holding the password (default is 'password')
 	  * @throws VaultException when vault or path are NULL
 	  */
-	public function __construct(Vault $vault, string $path, string $usernameKey = NULL, string $passwordKey = NULL) {
+	public function __construct($vault, $path, $usernameKey = NULL, $passwordKey = NULL) {
 		parent::__construct($vault, $path);
 		if (($usernameKey == NULL) || (trim($usernameKey) == '')) $usernameKey = 'username';
 		if (($passwordKey == NULL) || (trim($passwordKey) == '')) $passwordKey = 'password';

src/TgVault/File/FileVault.php

@@ -62,7 +62,7 @@ protected function load() {
 	  * @return Secret
 	  * @throws VaultException when the secret cannot be found or retrieved.
 	  */
-	public function getSecret(string $path) {
+	public function getSecret($path) {
 		$this->load();
 		if (!isset($this->secrets[$path])) {
 			throw new VaultException('Secret not available', VAULT_ERR_NOT_FOUND);

src/TgVault/Hashicorp/Cache.php

@@ -21,7 +21,7 @@ class Cache {
 	  * @param string $cacheFile - where the cache is located in filesystem.
 	  * @param object $logger    - a logger, either TgVault\Logger or Psr\Log\LoggerInterface
 	  */
-	public function __construct(string $cacheFile, $logger = NULL) {
+	public function __construct($cacheFile, $logger = NULL) {
 		$this->cacheFile = $cacheFile;
 		$this->logger    = $logger;
 	}
@@ -64,7 +64,7 @@ protected function save() {
 	  * @param string $key - the key in the cache.
 	  * @return mixed - the data from the cache or NULL if not available.
 	  */
-	public function get(string $key) {
+	public function get($key) {
 		$this->load();
 		if (isset($this->data->$key)) {
 			return $this->data->$key;
@@ -77,7 +77,7 @@ public function get(string $key) {
 	  * @param string $key   - the key in the cache.
 	  * @param mixed  $value - the value to be stored.
 	  */
-	public function set(string $key, $value) {
+	public function set($key, $value) {
 		$this->load();
 		$this->data->$key = $value;
 		$this->save();

src/TgVault/Hashicorp/Config.php

@@ -78,7 +78,7 @@ private function check($valueKey, $errorMessage) {
 	  * @param string $roleId   - the role ID in vault
 	  * @param string $secretId - the secret ID of the client
 	  */
-	public function setVaultCredentials(string $roleId, string $secretId) {
+	public function setVaultCredentials($roleId, $secretId) {
 		$this->roleId   = $roleId;
 		$this->secretId = $secretId;
 		$this->check('roleId',   'Vault AppRole ID not set');

src/TgVault/Hashicorp/HashicorpVault.php

@@ -21,6 +21,7 @@ class HashicorpVault extends BaseVault implements Vault {
 	protected $isTls;
 	protected $config;
 	protected $lastResult;
+	private   $loggedToken;
 	private   $cache;
 	private   $token;
 	private   $secrets;
@@ -33,9 +34,10 @@ class HashicorpVault extends BaseVault implements Vault {
 	public function __construct($config, $logger = NULL) {
 		parent::__construct($logger);
 		if ($config == NULL) throw new VaultException('Configuration must be set', VAULT_ERR_CONFIG_EMPTY);
-		$this->config   = new Config($config);
-		$this->isTls    = substr($this->config->uri, 0, 5) == 'https';
-		$this->cache    = new Cache($this->config->cacheFile, $logger);
+		$this->config      = new Config($config);
+		$this->isTls       = substr($this->config->uri, 0, 5) == 'https';
+		$this->cache       = new Cache($this->config->cacheFile, $logger);
+		$this->loggedToken = FALSE;
 	}
 
 	/**
@@ -52,18 +54,27 @@ public function removeToken() {
 	  * @return Secret
 	  * @throws VaultException when the secret cannot be found or retrieved.
 	  */
-	public function getSecret(string $path) {
+	public function getSecret($path) {
 		if (!isset($this->secrets[$path])) {
 			$this->getToken();
 			$rc = $this->GET($path);
 			if (($rc->error == 0) && ($rc->http_code == 200) && is_object($rc->data->data)) {
-				$this->secrets[$path] = new Secret($rc->data->data);
+				// It's unclear why some vaults do answer with one level less (without metadata)
+				if (isset($rc->data->data->data)) {
+					$this->secrets[$path] = new Secret($rc->data->data);
+				} else {
+					$this->secrets[$path] = new Secret($rc->data);
+				}
 			} else {
 				$this->secrets[$path] = $rc;
 			}
 		}
 
-		if (get_class($this->secrets[$path]) != 'TgVault\\Secret') throw new VaultException('Secret not available', VAULT_ERR_SECRET);
+		if (get_class($this->secrets[$path]) != 'TgVault\\Secret') {
+			$ex = new VaultException('Secret not available', VAULT_ERR_SECRET);
+			$ex->setDetails($this->secrets[$path]);
+			throw $ex;
+		}
 		return $this->secrets[$path];
 	}
 
@@ -175,7 +186,7 @@ protected function getToken() {
 
 		if (($this->token != NULL) && !$this->loggedToken) {
 			$this->info('Using token: '.$this->token->getInfo());
-			$this->loggedToken = true;
+			$this->loggedToken = TRUE;
 		}
 
 		return $this->token;
@@ -339,6 +350,7 @@ protected function request($curl, $path, $additionalHeaders = array()) {
 			}
 		}
 		***********************************/
+		$additionalHeaders[] = 'X-Vault-Request: true';
 		if (($this->token != NULL) && isset($this->token->client_token)) {
 			$additionalHeaders[] = 'X-Vault-Token: '.$this->token->client_token;
 		}

src/TgVault/Memory/MemoryVault.php

@@ -42,7 +42,7 @@ public function __construct($config, $logger = NULL) {
 	  * @return Secret
 	  * @throws VaultException when the secret cannot be found or retrieved.
 	  */
-	public function getSecret(string $path) {
+	public function getSecret($path) {
 		if (!isset($this->secrets[$path])) {
 			throw new VaultException('Secret not available', VAULT_ERR_NOT_FOUND);
 		}

src/TgVault/Secret.php

@@ -37,7 +37,7 @@ public function __construct($data) {
 	  * @param string $key - the key of the value to be retrieved.
 	  * @return string the value or NULL if not set.
 	  */
-	public function get(string $key) {
+	public function get($key) {
 		if (isset($this->data->$key)) return $this->data->$key;
 		return NULL;
 	}