Also accept util.Secret instances in FromVault constructor

thekid · thekid · commit ecf16f35b314 · 2019-01-26T16:12:27.000+01:00
diff --git a/README.md b/README.md
@@ -49,7 +49,7 @@ Via the `FromVault` class. Credentials are read from the backend mounted at `/se
 use security\credentials\{Credentials, FromVault};
 
 // Set token to NULL to use VAULT_TOKEN from environment
-$token= '72698676-4988-94a4-...';
+$token= new Secret('72698676-4988-94a4-...');
 
 $credentials= new Credentials(new FromVault('http://127.0.0.1:8200', $token));
 $secret= $credentials->named('ldap_password');     // Reads ldap_password key from /secret
diff --git a/src/main/php/security/credentials/FromVault.class.php b/src/main/php/security/credentials/FromVault.class.php
@@ -10,7 +10,7 @@ class FromVault implements Secrets {
    * Creates a secrets source which reads credentials from a running vault service
    *
    * @param  string|peer.URL|webservices.rest.Endpoint $endpoint If omitted, defaults to `VAULT_ADDR` environment variable
-   * @param  string $token If omitted, defaults to `VAULT_TOKEN` environment variable
+   * @param  string|util.Secret $token If omitted, defaults to `VAULT_TOKEN` environment variable
    * @param  string $group The secret group, e.g. "/vendor/name"
    */
   public function __construct($endpoint= null, $token= null, $group= '/') {
@@ -20,7 +20,9 @@ public function __construct($endpoint= null, $token= null, $group= '/') {
       $this->endpoint= new Endpoint($endpoint ?: getenv('VAULT_ADDR'));
     }
 
-    if ($header= $token ?: getenv('VAULT_TOKEN')) {
+    if ($token instanceof Secret) {
+      $this->endpoint->with('X-Vault-Token', $token->reveal());
+    } else if ($header= $token ?: getenv('VAULT_TOKEN')) {
       $this->endpoint->with('X-Vault-Token', $header);
     }
 
diff --git a/src/test/php/security/credentials/unittest/FromVaultTest.class.php b/src/test/php/security/credentials/unittest/FromVaultTest.class.php
@@ -26,15 +26,6 @@ class FromVaultTest extends AbstractSecretsTest {
       ['data' => ['test_db_password' => 'db', 'test_ldap_password' => 'ldap']],
       ['data' => ['prod_master_key' => 'master']]
     ],
-    'from_subfolder' => [
-      ['data' => ['mysql' => 'test']],
-    ],
-    'all_in_subfolder' => [
-      ['data' => ['mysql' => 'test']],
-    ],
-    'using_group' => [
-      ['data' => ['credential' => 'test']],
-    ]
   ];
 
   /** @return security.vault.Secrets */
@@ -63,9 +54,9 @@ public function can_create_with($arg) {
     new FromVault($arg);
   }
 
-  #[@test]
-  public function can_create_with_token() {
-    new FromVault('http://vault:8200', 'SECRET_VAULT_TOKEN');
+  #[@test, @values(['secret', new Secret('for-vault')])]
+  public function can_create_with_token($token) {
+    new FromVault('http://vault:8200', $token);
   }
 
   #[@test]

Original file line number	Diff line number	Diff line change
`@@ -10,7 +10,7 @@ class FromVault implements Secrets {`
`10`	`10`	`* Creates a secrets source which reads credentials from a running vault service`
`11`	`11`	`*`
`12`	`12`	* @param string\|peer.URL\|webservices.rest.Endpoint $endpoint If omitted, defaults to `VAULT_ADDR` environment variable
`13`		- * @param string $token If omitted, defaults to `VAULT_TOKEN` environment variable
	`13`	+ * @param string\|util.Secret $token If omitted, defaults to `VAULT_TOKEN` environment variable
`14`	`14`	`* @param string $group The secret group, e.g. "/vendor/name"`
`15`	`15`	`*/`
`16`	`16`	`public function __construct($endpoint= null, $token= null, $group= '/') {`
`@@ -20,7 +20,9 @@ public function __construct($endpoint= null, $token= null, $group= '/') {`
`20`	`20`	`$this->endpoint= new Endpoint($endpoint ?: getenv('VAULT_ADDR'));`
`21`	`21`	`}`
`22`	`22`
`23`		`- if ($header= $token ?: getenv('VAULT_TOKEN')) {`
	`23`	`+ if ($token instanceof Secret) {`
	`24`	`+ $this->endpoint->with('X-Vault-Token', $token->reveal());`
	`25`	`+ } else if ($header= $token ?: getenv('VAULT_TOKEN')) {`
`24`	`26`	`$this->endpoint->with('X-Vault-Token', $header);`
`25`	`27`	`}`
`26`	`28`