Add optional "group" parameter to FromVault

thekid · thekid · commit 37fb491dba63 · 2019-01-26T15:39:48.000+01:00
diff --git a/README.md b/README.md
@@ -49,9 +49,14 @@ Via the `FromVault` class. Credentials are read from the backend mounted at `/se
 ```php
 use security\credentials\{Credentials, FromVault};
 
-$credentials= new Credentials(new FromVault('http://127.0.0.1:8200/', '72698676-4988-94a4-...'));
+// Set token to NULL to use VAULT_TOKEN from environment
+$token= '72698676-4988-94a4-...';
+
+$credentials= new Credentials(new FromVault('http://127.0.0.1:8200/', $token));
 $secret= $credentials->named('ldap_password');     // Reads ldap_password key from /secret
-$secret= $credentials->named('vendor/name/mysql'); // Reads mysql key from /secret/vendor/name
+
+$credentials= new Credentials(new FromVault('http://127.0.0.1:8200/', $token, 'vendor/name'));
+$secret= $credentials->named('mysql');             // Reads mysql key from /secret/vendor/name
 ```
 
 ### KeePass databases
diff --git a/src/main/php/security/credentials/FromVault.class.php b/src/main/php/security/credentials/FromVault.class.php
@@ -4,15 +4,16 @@
 use webservices\rest\Endpoint;
 
 class FromVault implements Secrets {
-  private $endpoint;
+  private $endpoint, $group;
 
   /**
    * Creates a secrets source which reads credentials from a running vault service
    *
    * @param  string|peer.URL|webservices.rest.Endpoint $endpoint If omitted, defaults to `VAULT_ADDR` environment variable
    * @param  string $token If omitted, defaults to `VAULT_TOKEN` environment variable
+   * @param  string $group The secret group, e.g. "/vendor/name"
    */
-  public function __construct($endpoint= null, $token= null) {
+  public function __construct($endpoint= null, $token= null, $group= '/') {
     if ($endpoint instanceof Endpoint) {
       $this->endpoint= $endpoint;
     } else {
@@ -22,6 +23,8 @@ public function __construct($endpoint= null, $token= null) {
     if ($header= $token ?: getenv('VAULT_TOKEN')) {
       $this->endpoint->with('X-Vault-Token', $header);
     }
+
+    $this->group= '/' === $group ? '' : trim($group, '/').'/';
   }
 
   /** @return self */
@@ -35,7 +38,7 @@ public function open() { return $this; }
    */
   public function named($name) {
     $p= strrpos($name, '/');
-    $response= $this->endpoint->resource('/v1/secret/'.substr($name, 0, $p))->get();
+    $response= $this->endpoint->resource('/v1/secret/'.$this->group.substr($name, 0, $p))->get();
     if ($response->status() < 400) {
       $data= $response->value()['data'];
       $key= ltrim(substr($name, $p), '/');
@@ -54,7 +57,7 @@ public function named($name) {
   public function all($pattern) {
     $p= strrpos($pattern, '/');
     $group= substr($pattern, 0, $p);
-    $response= $this->endpoint->resource('/v1/secret/'.$group)->get();
+    $response= $this->endpoint->resource('/v1/secret/'.$this->group.$group)->get();
     if ($response->status() < 400) {
       $key= ltrim(substr($pattern, $p), '/');
       $match= substr($key, 0, strrpos($key, '*'));
diff --git a/src/test/php/security/credentials/unittest/FromVaultTest.class.php b/src/test/php/security/credentials/unittest/FromVaultTest.class.php
@@ -31,6 +31,9 @@ class FromVaultTest extends AbstractSecretsTest {
     ],
     'all_in_subfolder' => [
       ['data' => ['mysql' => 'test']],
+    ],
+    'using_group' => [
+      ['data' => ['credential' => 'test']],
     ]
   ];
 
@@ -65,6 +68,11 @@ public function can_create_with_token() {
     new FromVault('http://vault:8200/', 'SECRET_VAULT_TOKEN');
   }
 
+  #[@test]
+  public function can_create_with_token_and_group() {
+    new FromVault('http://vault:8200/', 'SECRET_VAULT_TOKEN', '/vendor/name');
+  }
+
   #[@test]
   public function uses_environment_variable_by_default() {
     putenv('VAULT_ADDR=http://127.0.0.1:8200');
@@ -76,4 +84,23 @@ public function fails_if_environment_variable_missing() {
     putenv('VAULT_ADDR=');
     new FromVault();
   }
+
+  #[@test, @values(map= [
+  #  '/'             => '/',
+  #  '/vendor/name'  => '/vendor/name/',
+  #  '/vendor/name/' => '/vendor/name/',
+  #  'vendor/name'   => '/vendor/name/',
+  #  'vendor/name/'  => '/vendor/name/',
+  #])]
+  public function using_group($group, $path) {
+    $endpoint= newinstance(Endpoint::class, ['http://test/'], [
+      'execute' => function(RestRequest $request) use(&$requested) {
+        $requested= $request->path();
+        return new RestResponse(404, 'Not found');
+      }
+    ]);
+
+    (new FromVault($endpoint, 'SECRET_VAULT_TOKEN', $group))->named('credential');
+    $this->assertEquals('/v1/secret'.$path, $requested);
+  }
 }
