Merge pull request #3 from UrosPurtic/develop

Implement Hashicorp Vault for config and secrets

Author: ppavlovic

src/Processor.php

@@ -8,6 +8,9 @@
 
 class Processor
 {
+    const VAULT_KEYWORD = 'vault';
+    const VAULT_URL_KEYWORD = 'url';
+    const VAULT_API_TOKEN_KEYWORD = 'token';
 
     /**
      * @var array
@@ -31,16 +34,27 @@ class Processor
 
     private $useAggregator;
 
+    /**
+     * @var VaultRepository
+     */
+    private $vaultRepository;
+    /**
+     * @var array
+     */
+    private $vaultVariables;
+
+
     /**
      * Processor constructor.
      * @param $path
      * @param $section
+     * @param $useAggregator
      */
     public function __construct($path, $section, $useAggregator)
     {
-        $this->path             = $path;
-        $this->section          = $section;
-        $this->useAggregator    = $useAggregator;
+        $this->path = $path;
+        $this->section = $section;
+        $this->useAggregator = $useAggregator;
     }
 
     public function process()
@@ -53,21 +67,31 @@ public function process()
             ? $this->getSection($this->section)
             : $this->mergeSections();
 
+        $this->getVaultVariables();
+
+        if (empty($this->vaultVariables)) {
+            return $this->data;
+        }
+
+        $this->setVaultRepo();
+
+        $this->replaceVaultVariablesWithData($this->data, $this->getValuesFromVault());
+
         return $this->data;
     }
 
     private function getSection($name)
     {
         $this->processSections();
 
-        if(!array_key_exists($name, $this->sections)) {
+        if (!array_key_exists($name, $this->sections)) {
             throw new \Exception("Section '{$name}' missing");
         }
 
         $extends = false;
         $parentData = array();
 
-        if($this->sections[$name] !== null) {
+        if ($this->sections[$name] !== null) {
             $extends = true;
             $func = __FUNCTION__;
             $parentData = $this->$func($this->sections[$name]);
@@ -96,7 +120,7 @@ private function getSectionName($item)
     private function mergeSections()
     {
         $tmpData = [];
-        foreach($this->data as $sectionName => $data){
+        foreach ($this->data as $sectionName => $data) {
             $name = $this->getSectionName($sectionName);
             $tmpData[$name] = $this->getSection($name);
         }
@@ -107,8 +131,9 @@ private function processSections()
     {
         $tmp = array_keys($this->data);
 
-        foreach($tmp as $item) {
-            if(substr_count($item, ":") > 1) { }
+        foreach ($tmp as $item) {
+            if (substr_count($item, ":") > 1) {
+            }
 
             $segments = explode(':', $item);
 
@@ -136,11 +161,91 @@ private function readFromFile()
     {
         $path = realpath($this->path);
 
-        if(false === $path || !is_readable($path)) {
+        if (false === $path || !is_readable($path)) {
             throw new \Exception('Configuration file is not readable');
         }
 
         $reader = new Reader();
         $this->data = $reader->fromFile($path);
     }
+
+    private function getVaultVariables()
+    {
+        $this->vaultVariables = $this->filterMultiArray($this->data);
+    }
+
+    public function filterMultiArray(array $data)
+    {
+        $filteredArray = [];
+        foreach ($data as $value) {
+            if (is_array($value)) {
+                $filteredSubArray = $this->filterMultiArray($value);
+                $filteredArray = array_merge($filteredArray, $filteredSubArray);
+            } elseif (substr($value, 0, strlen(self::VAULT_KEYWORD)) === self::VAULT_KEYWORD) {
+                $filteredArray[] = $value;
+            }
+        }
+
+        return $filteredArray;
+    }
+
+    private function sortVariablesByRouteAndKey()
+    {
+        //todo maybe remove strtolower when variables are stored in apper case in vault.
+        $sorted = [];
+        foreach ($this->vaultVariables as $vaultVariable) {
+            $array = explode('/', strtolower($vaultVariable));
+            $secretKey = array_pop($array);
+            array_shift($array);
+            $secretRoute = implode('/', $array);
+            $sorted[$secretRoute][] = $secretKey;
+        }
+
+        return $sorted;
+    }
+
+    private function getValuesFromVault()
+    {
+        $sorted = $this->sortVariablesByRouteAndKey();
+
+        $data = [];
+
+        foreach ($sorted as $section => $secretKeys) {
+            $valuesForSection = $this->vaultRepository->getValueBySection($section);
+            foreach ($secretKeys as $secretKey) {
+                $data[self::VAULT_KEYWORD . '/' . $section . '/' . $secretKey] = $valuesForSection[$secretKey] ?? '';
+            }
+        }
+
+        return $data;
+    }
+
+    public function replaceVaultVariablesWithData(&$array, $searchArray)
+    {
+        foreach ($array as &$value) {
+            if (is_array($value)) {
+                $this->replaceVaultVariablesWithData($value, $searchArray);
+            } else {
+                if (array_key_exists($value, $searchArray)) {
+                    $value = $searchArray[$value];
+                }
+            }
+        }
+    }
+
+    private function setVaultRepo()
+    {
+        $message = 'No config found for Vault %s ';
+
+        if(!isset($this->data[self::VAULT_KEYWORD][self::VAULT_URL_KEYWORD])){
+            throw new \RuntimeException(sprintf($message, self::VAULT_URL_KEYWORD));
+        }
+        if(!isset($this->data[self::VAULT_KEYWORD][self::VAULT_API_TOKEN_KEYWORD])){
+            throw new \RuntimeException(sprintf($message, self::VAULT_API_TOKEN_KEYWORD));
+        }
+
+        $this->vaultRepository =  new VaultRepository(
+            $this->data[self::VAULT_KEYWORD][self::VAULT_URL_KEYWORD],
+            $this->data[self::VAULT_KEYWORD][self::VAULT_API_TOKEN_KEYWORD]);
+    }
 }

src/VaultRepository.php

@@ -0,0 +1,49 @@
+<?php
+
+namespace G4\Config;
+
+class VaultRepository
+{
+    /**
+     * @var mixed
+     */
+    private $vaultUrl;
+    /**
+     * @var mixed
+     */
+    private $vaultApiToken;
+
+    /**
+     * @param string $vaultUrl
+     * @param string $vaultApiToken
+     */
+    public function __construct(string $vaultUrl, string $vaultApiToken)
+    {
+        $this->vaultUrl = $vaultUrl;
+        $this->vaultApiToken = $vaultApiToken;
+    }
+
+    public function getValueBySection($section)
+    {
+        $ch = curl_init();
+        curl_setopt($ch, CURLOPT_URL, $this->vaultUrl . '/v1/' . $section);
+        curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
+        curl_setopt($ch, CURLOPT_HTTPHEADER, [
+            "X-Vault-Token: " . $this->vaultApiToken,
+            "X-Vault-Namespace: " . $this->vaultUrl
+        ]);
+
+        $response = curl_exec($ch);
+
+        if (curl_errno($ch)) {
+            echo 'Error:' . curl_error($ch);
+        } else {
+            $json = json_decode($response, true);
+            $param = $json['data'];
+        }
+
+        curl_close($ch);
+
+        return $param;
+    }
+}