Releasing 1.0.6

README.md

@@ -15,6 +15,30 @@ composer install technicalguru/vault
 ## By Package Download
 You can download the source code packages from [GitHub Release Page](https://github.com/technicalguru/php-vault/releases)
 
+# Hashicorp Setup
+The procedure is best described at [Hashicorp Blog](https://www.hashicorp.com/blog/authenticating-applications-with-vault-approle). It describes
+how to create an `approle`. Here is the essence of it:
+
+```
+# Enable the auth method for approle
+vault auth enable approle
+
+# Create a file with your policy on the respective secret path:
+cat 'path "secret/my-secret" { capabilities = ["read", "list"] }' >app-policy.hcl
+
+# Create the policy
+vault policy write my-app-policy app-policy.hcl
+
+# Create the approle
+vault write auth/approle/role/my-approle  secret_id_ttl=120m  token_ttl=60m  token_max_tll=120m  policies="my-app-policy"
+
+# Get the role ID printed
+vault read auth/approle/role/my-approle/role-id
+
+# Create the secret ID and print it
+vault write -f auth/approle/role/my-approle/secret-id
+```
+
 # Examples
 ## Create a HashicorpVault
 Please note that this vault is actually a client to an existing Hashicorp Vault.
@@ -107,8 +131,8 @@ The secrets file (JSON) shall look like this:
 
 ```
 try {
-	$mySecret1 = $vault->get('my/secret/number/1');
-	$mySecret2 = $vault->get('my/secret/number/2');
+	$mySecret1 = $vault->getSecret('my/secret/number/1');
+	$mySecret2 = $vault->getSecret('my/secret/number/2');
 } catch (\TgVault\VaultException $e) {
 	// secret was not found
 }

composer.json

@@ -25,7 +25,12 @@
 			"TgVault\\": "src/TgVault/"
 		}
 	},
+	"extra": {
+		"branch-alias": {
+			"dev-master": "1.0-dev"
+		}
+	},
 	"require-dev": {
 		"phpunit/phpunit": "^9"
 	}
-}
+}

src/TgVault/BaseVault.php

@@ -28,7 +28,7 @@ public function __construct($logger = NULL) {
 	  * @return Secret
 	  * @throws VaultException when the secret cannot be found or retrieved.
 	  */
-	public function getSecret(string $path) {
+	public function getSecret($path) {
 		throw new VaultException(get_class().'::getSecret() must be implemented.', VAULT_ERR_INTERNAL);
 	}
 
@@ -47,7 +47,7 @@ public function setLogger($logger) {
 	  * @param $s      - the string to be logged
 	  * @param $object - the object to be logged
 	  */
-	protected function debug(string $s, $object = NULL) {
+	protected function debug($s, $object = NULL) {
 		if ($this->logger != NULL) {
 			$object = self::cleanObject($object);
 			$psrInterface = '\\Psr\\Log\\LoggerInterface';
@@ -64,7 +64,7 @@ protected function debug(string $s, $object = NULL) {
 	  * @param $s      - the string to be logged
 	  * @param $object - the object to be logged
 	  */
-	protected function warn(string $s, $object = NULL) {
+	protected function warn($s, $object = NULL) {
 		if ($this->logger != NULL) {
 			$object = self::cleanObject($object);
 			$psrInterface = '\\Psr\\Log\\LoggerInterface';
@@ -81,7 +81,7 @@ protected function warn(string $s, $object = NULL) {
 	  * @param $s      - the string to be logged
 	  * @param $object - the object to be logged
 	  */
-	protected function info(string $s, $object = NULL) {
+	protected function info($s, $object = NULL) {
 		if ($this->logger != NULL) {
 			$object = self::cleanObject($object);
 			$psrInterface = '\\Psr\\Log\\LoggerInterface';
@@ -98,7 +98,7 @@ protected function info(string $s, $object = NULL) {
 	  * @param $s      - the string to be logged
 	  * @param $object - the object to be logged
 	  */
-	protected function error(string $s, $object = NULL) {
+	protected function error($s, $object = NULL) {
 		if ($this->logger != NULL) {
 			$object = self::cleanObject($object);
 			$psrInterface = '\\Psr\\Log\\LoggerInterface';

src/TgVault/CredentialsProvider.php

@@ -24,7 +24,7 @@ class CredentialsProvider extends SecretProvider implements \TgUtils\Auth\Creden
 	  * @param string $passwordKey - the key in the secret holding the password (default is 'password')
 	  * @throws VaultException when vault or path are NULL
 	  */
-	public function __construct(Vault $vault, string $path, string $usernameKey = NULL, string $passwordKey = NULL) {
+	public function __construct($vault, $path, $usernameKey = NULL, $passwordKey = NULL) {
 		parent::__construct($vault, $path);
 		if (($usernameKey == NULL) || (trim($usernameKey) == '')) $usernameKey = 'username';
 		if (($passwordKey == NULL) || (trim($passwordKey) == '')) $passwordKey = 'password';

src/TgVault/File/FileVault.php

@@ -62,7 +62,7 @@ protected function load() {
 	  * @return Secret
 	  * @throws VaultException when the secret cannot be found or retrieved.
 	  */
-	public function getSecret(string $path) {
+	public function getSecret($path) {
 		$this->load();
 		if (!isset($this->secrets[$path])) {
 			throw new VaultException('Secret not available', VAULT_ERR_NOT_FOUND);

src/TgVault/Hashicorp/Cache.php

@@ -21,7 +21,7 @@ class Cache {
 	  * @param string $cacheFile - where the cache is located in filesystem.
 	  * @param object $logger    - a logger, either TgVault\Logger or Psr\Log\LoggerInterface
 	  */
-	public function __construct(string $cacheFile, $logger = NULL) {
+	public function __construct($cacheFile, $logger = NULL) {
 		$this->cacheFile = $cacheFile;
 		$this->logger    = $logger;
 	}
@@ -64,7 +64,7 @@ protected function save() {
 	  * @param string $key - the key in the cache.
 	  * @return mixed - the data from the cache or NULL if not available.
 	  */
-	public function get(string $key) {
+	public function get($key) {
 		$this->load();
 		if (isset($this->data->$key)) {
 			return $this->data->$key;
@@ -77,7 +77,7 @@ public function get(string $key) {
 	  * @param string $key   - the key in the cache.
 	  * @param mixed  $value - the value to be stored.
 	  */
-	public function set(string $key, $value) {
+	public function set($key, $value) {
 		$this->load();
 		$this->data->$key = $value;
 		$this->save();

src/TgVault/Hashicorp/Config.php

@@ -78,7 +78,7 @@ private function check($valueKey, $errorMessage) {
 	  * @param string $roleId   - the role ID in vault
 	  * @param string $secretId - the secret ID of the client
 	  */
-	public function setVaultCredentials(string $roleId, string $secretId) {
+	public function setVaultCredentials($roleId, $secretId) {
 		$this->roleId   = $roleId;
 		$this->secretId = $secretId;
 		$this->check('roleId',   'Vault AppRole ID not set');

src/TgVault/Hashicorp/HashicorpVault.php

@@ -21,6 +21,7 @@ class HashicorpVault extends BaseVault implements Vault {
 	protected $isTls;
 	protected $config;
 	protected $lastResult;
+	private   $loggedToken;
 	private   $cache;
 	private   $token;
 	private   $secrets;
@@ -33,9 +34,10 @@ class HashicorpVault extends BaseVault implements Vault {
 	public function __construct($config, $logger = NULL) {
 		parent::__construct($logger);
 		if ($config == NULL) throw new VaultException('Configuration must be set', VAULT_ERR_CONFIG_EMPTY);
-		$this->config   = new Config($config);
-		$this->isTls    = substr($this->config->uri, 0, 5) == 'https';
-		$this->cache    = new Cache($this->config->cacheFile, $logger);
+		$this->config      = new Config($config);
+		$this->isTls       = substr($this->config->uri, 0, 5) == 'https';
+		$this->cache       = new Cache($this->config->cacheFile, $logger);
+		$this->loggedToken = FALSE;
 	}
 
 	/**
@@ -52,18 +54,27 @@ public function removeToken() {
 	  * @return Secret
 	  * @throws VaultException when the secret cannot be found or retrieved.
 	  */
-	public function getSecret(string $path) {
+	public function getSecret($path) {
 		if (!isset($this->secrets[$path])) {
 			$this->getToken();
 			$rc = $this->GET($path);
 			if (($rc->error == 0) && ($rc->http_code == 200) && is_object($rc->data->data)) {
-				$this->secrets[$path] = new Secret($rc->data->data);
+				// It's unclear why some vaults do answer with one level less (without metadata)
+				if (isset($rc->data->data->data)) {
+					$this->secrets[$path] = new Secret($rc->data->data);
+				} else {
+					$this->secrets[$path] = new Secret($rc->data);
+				}
 			} else {
 				$this->secrets[$path] = $rc;
 			}
 		}
 
-		if (get_class($this->secrets[$path]) != 'TgVault\\Secret') throw new VaultException('Secret not available', VAULT_ERR_SECRET);
+		if (get_class($this->secrets[$path]) != 'TgVault\\Secret') {
+			$ex = new VaultException('Secret not available', VAULT_ERR_SECRET);
+			$ex->setDetails($this->secrets[$path]);
+			throw $ex;
+		}
 		return $this->secrets[$path];
 	}
 
@@ -175,7 +186,7 @@ protected function getToken() {
 
 		if (($this->token != NULL) && !$this->loggedToken) {
 			$this->info('Using token: '.$this->token->getInfo());
-			$this->loggedToken = true;
+			$this->loggedToken = TRUE;
 		}
 
 		return $this->token;
@@ -339,6 +350,7 @@ protected function request($curl, $path, $additionalHeaders = array()) {
 			}
 		}
 		***********************************/
+		$additionalHeaders[] = 'X-Vault-Request: true';
 		if (($this->token != NULL) && isset($this->token->client_token)) {
 			$additionalHeaders[] = 'X-Vault-Token: '.$this->token->client_token;
 		}

src/TgVault/Memory/MemoryVault.php

@@ -42,7 +42,7 @@ public function __construct($config, $logger = NULL) {
 	  * @return Secret
 	  * @throws VaultException when the secret cannot be found or retrieved.
 	  */
-	public function getSecret(string $path) {
+	public function getSecret($path) {
 		if (!isset($this->secrets[$path])) {
 			throw new VaultException('Secret not available', VAULT_ERR_NOT_FOUND);
 		}

src/TgVault/Secret.php

@@ -37,7 +37,7 @@ public function __construct($data) {
 	  * @param string $key - the key of the value to be retrieved.
 	  * @return string the value or NULL if not set.
 	  */
-	public function get(string $key) {
+	public function get($key) {
 		if (isset($this->data->$key)) return $this->data->$key;
 		return NULL;
 	}

src/TgVault/SecretProvider.php

@@ -26,7 +26,7 @@ class SecretProvider {
 	  * @param string $passwordKey - the key in the secret holding the password (default is 'password')
 	  * @throws VaultException when vault or path are NULL
 	  */
-	public function __construct(Vault $vault, string $path) {
+	public function __construct($vault, $path) {
 		if ($vault == NULL) throw new VaultException('Vault cannot be NULL.', VAULT_ERR_NULL);
 		if ($path  == NULL) throw new VaultException('Path cannot be NULL.', VAULT_ERR_NULL);
 		$this->vault  = $vault;
@@ -41,7 +41,7 @@ public function __construct(Vault $vault, string $path) {
 	  * @return string the value or NULL if not set.
 	  * @throws VaultException when the secret does not exist.
 	  */
-	public function get(string $key) {
+	public function get($key) {
 		if ($this->secret == NULL) {
 			$this->loadSecret();
 		}

src/TgVault/Vault.php

@@ -15,13 +15,13 @@ interface Vault {
 	  * @return Secret
 	  * @throws VaultException when the secret cannot be found or retrieved.
 	  */
-	public function getSecret(string $path);
+	public function getSecret($path);
 
 	/**
 	  * Set the logger and log all information via this object.
 	  * It is up to the vault whether it uses the logger and what it logs there.
 	  * @param Logger - the logging object.
 	  */
-	public function setLogger(Logger $logger);
+	public function setLogger($logger);
 }
 

src/TgVault/VaultException.php

@@ -9,11 +9,28 @@
   */
 class VaultException extends \Exception {
 
+	private $details;
+
 	/**
 	  * Default constructor from PHP exception.
 	  */
 	public function __construct($message = null, $code = 0, \Exception $previous = null) {
 		parent::__construct($message, $code, $previous);
 	}
 
+	/**
+	  * Sets some debug information if available.
+	  * @param mixed $details - some debug info
+	  */
+	public function setDetails($details) {
+		$this->details = $details;
+	}
+
+	/**
+	  * Returns some debug information if available.
+	  * @return mixed $details - some debug info
+	  */
+	public function getDetails() {
+		return $this->details;
+	}
 }

src/TgVault/VaultFactory.php

@@ -20,7 +20,7 @@ class VaultFactory {
 	  * @return Vault created, otherwise it will throw an exception.
 	  * @throws VaultException when the vault could not be created.
 	  */
-	public static function create($config, Logger $logger = NULL) {
+	public static function create($config, $logger = NULL) {
 		if ($config == NULL) throw new VaultException('Vault configuration cannot be empty', VAULT_ERR_CONFIG_EMPTY);
 		if (is_object($config)) return self::createVault($config->type,   $config->config,   $logger);
 		if (is_array($config)) return  self::createVault($config['type'], $config['config'], $logger);
@@ -36,7 +36,7 @@ public static function create($config, Logger $logger = NULL) {
 	  * @return Vault created and configured
 	  * @throws VaultException when the vault could not be created.
 	  */
-	public static function createVault(string $type, $config = NULL, $logger = NULL) {
+	public static function createVault($type, $config = NULL, $logger = NULL) {
 		if (($type == NULL) || (trim($type) == '')) throw new VaultException('Vault type cannot be empty', VAULT_ERR_TYPE_EMPTY);
 		$type = ucfirst(trim($type));
 		$className = 'TgVault\\'.$type.'\\'.$type.'Vault';