Throw exceptions if vault is down

Author: thekid

src/main/php/security/credentials/FromVault.class.php

@@ -1,5 +1,6 @@
 <?php namespace security\credentials;
 
+use lang\IllegalAccessException;
 use util\Secret;
 use webservices\rest\Endpoint;
 
@@ -37,14 +38,20 @@ public function open() { return $this; }
    *
    * @param  string $name
    * @return util.Secret
+   * @throws lang.IllegalAccessException if vault backend fails
    */
   public function named($name) {
-    $response= $this->endpoint->resource('/v1/secret/'.$this->group)->get();
-    if ($response->status() < 400) {
-      $data= $response->value()['data'];
-      return isset($data[$name]) ? new Secret($data[$name]) : null;
-    } else {
-      return null;
+    $r= $this->endpoint->resource('/v1/secret/'.$this->group)->get();
+    switch ($r->status()) {
+      case 200:
+        $data= $r->value()['data'];
+        return isset($data[$name]) ? new Secret($data[$name]) : null;
+
+      case 404:
+        return null;
+
+      default:
+        throw new IllegalAccessException('Unexpected '.$r->status().': '.$r->error());
     }
   }
 
@@ -55,12 +62,20 @@ public function named($name) {
    * @return iterable
    */
   public function all($pattern) {
-    $response= $this->endpoint->resource('/v1/secret/'.$this->group)->get();
-    if ($response->status() < 400) {
-      $match= substr($pattern, 0, strrpos($pattern, '*'));
-      foreach ($response->value()['data'] as $name => $value) {
-        if (0 === strncmp($name, $match, strlen($match))) yield $name => new Secret($value);
-      }
+    $r= $this->endpoint->resource('/v1/secret/'.$this->group)->get();
+    switch ($r->status()) {
+      case 200:
+        $match= substr($pattern, 0, strrpos($pattern, '*'));
+        foreach ($r->value()['data'] as $name => $value) {
+          if (0 === strncmp($name, $match, strlen($match))) yield $name => new Secret($value);
+        }
+        return;
+
+      case 404:
+        return;
+
+      default:
+        throw new IllegalAccessException('Unexpected '.$r->status().': '.$r->error());
     }
   }
 

src/test/php/security/credentials/unittest/FromVaultTest.class.php

@@ -1,7 +1,7 @@
 <?php namespace security\credentials\unittest;
 
 use io\streams\MemoryInputStream;
-use lang\FormatException;
+use lang\{FormatException, IllegalAccessException};
 use peer\URL;
 use peer\http\HttpResponse;
 use security\credentials\FromVault;
@@ -79,6 +79,32 @@ public function fails_if_environment_variable_missing() {
     new FromVault();
   }
 
+  #[Test, Expect(IllegalAccessException::class)]
+  public function named_on_vault_error() {
+    $endpoint= newinstance(Endpoint::class, ['http://test'], [
+      'execute' => function(RestRequest $request) {
+        return newinstance(RestResponse::class, [503, 'Service unavailable'], [
+          'error' => function($type= null) { return 'Database error'; }
+        ]);
+      }
+    ]);
+
+    (new FromVault($endpoint))->named('credential');
+  }
+
+  #[Test, Expect(IllegalAccessException::class)]
+  public function all_on_vault_error() {
+    $endpoint= newinstance(Endpoint::class, ['http://test'], [
+      'execute' => function(RestRequest $request) {
+        return newinstance(RestResponse::class, [503, 'Service unavailable'], [
+          'error' => function($type= null) { return 'Database error'; }
+        ]);
+      }
+    ]);
+
+    iterator_count((new FromVault($endpoint))->all('group*'));
+  }
+
   #[Test, Values(['map' => ['/'             => '/', '/vendor/name'  => '/vendor/name/', '/vendor/name/' => '/vendor/name/', 'vendor/name'   => '/vendor/name/', 'vendor/name/'  => '/vendor/name/',]])]
   public function using_group($group, $path) {
     $endpoint= newinstance(Endpoint::class, ['http://test'], [