Add CredentialsProvider for vault, database and email access using ENV or Kubernetes secrets

Author: technicalguru

src/WebApp/Application.php

@@ -53,7 +53,13 @@ public function init() {
 
 	protected function initVault() {
 		if ($this->config->has('vault')) {
-			$this->vault = \TgVault\VaultFactory::create($this->config->get('vault'));
+			$credentials    = $this->config->getCredentialsProvider('vault', NULL);
+			$vaultConfig = $this->config->get('vault');
+			if ($credentials != NULL) {
+				$vaultConfig->config->roleId   = $credentials->getUsername();
+				$vaultConfig->config->secretId = $credentials->getPassword();
+			}
+			$this->vault = \TgVault\VaultFactory::create($vaultConfig);
 			// TODO $this->vault->setLogger(Log::instance());
 		}
 	}

src/WebApp/Configuration.php

@@ -34,15 +34,32 @@ public function has($feature) {
 
 	/** Return credentials provider when credentials are defined */
 	public function getCredentialsProvider($feature, $vault) {
-		if (($vault != NULL) && $this->has($feature)) {
+		if ($this->has($feature)) {
 			if (!isset($this->credentialProviders->$feature)) {
 				if (!isset($this->credentialProviders)) $this->credentialProviders = new \stdClass;
 				$this->credentialProviders->$feature = NULL;
-				if (isset($this->data->$feature->security) && ($this->data->$feature->security->type == 'vault')) {
-					$path    = $this->data->$feature->security->path;
-					$userKey = isset($this->data->$feature->security->userKey) ? $this->data->$feature->security->userKey : 'username';
-					$passKey = isset($this->data->$feature->security->passKey) ? $this->data->$feature->security->passKey : 'password';
-					$this->credentialProviders->$feature = new \TgVault\CredentialsProvider($vault, $path, $userKey, $passKey);
+
+				// A security object is defined
+				if (isset($this->data->$feature->security)) {
+					if ($this->data->$feature->security->type == 'vault') {
+						// CredentialsProvider is of type vault
+						if ($vault != NULL) {
+							$path    = $this->data->$feature->security->path;
+							$userKey = isset($this->data->$feature->security->userKey) ? $this->data->$feature->security->userKey : 'username';
+							$passKey = isset($this->data->$feature->security->passKey) ? $this->data->$feature->security->passKey : 'password';
+							$this->credentialProviders->$feature = new \TgVault\CredentialsProvider($vault, $path, $userKey, $passKey);
+						}
+					} else if ($this->data->$feature->security->type == 'env') {
+						// CredentialsProvider is fed from environment variables
+						$userKey = isset($this->data->$feature->security->userKey) ? $this->data->$feature->security->userKey : strtoupper($feature).'_USERNAME';
+						$passKey = isset($this->data->$feature->security->passKey) ? $this->data->$feature->security->passKey : strtoupper($feature).'_PASSWORD';
+						$this->credentialProviders->$feature = new \WebApp\Security\EnvCredentialsProvider($userKey, $passKey);
+					} else if ($this->data->$feature->security->type == 'k8secret') {
+						// CredentialsProvider is fed from Kubernetes Secret mounted
+						$userKey = isset($this->data->$feature->security->userKey) ? $this->data->$feature->security->userKey : 'username';
+						$passKey = isset($this->data->$feature->security->passKey) ? $this->data->$feature->security->passKey : 'password';
+						$this->credentialProviders->$feature = new \WebApp\Security\K8SecretCredentialsProvider($this->data->$feature->security->path, $userKey, $passKey);
+					}
 				}
 			}
 			return $this->credentialProviders->$feature;

src/WebApp/Security/EnvCredentialsProvider.php

@@ -0,0 +1,22 @@
+<?php
+
+namespace WebApp\Security;
+
+/**
+  * A Helper class that gets its credentials from environment variables.
+  */
+class EnvCredentialsProvider extends \TgUtils\Auth\DefaultCredentialsProvider {
+
+	/**
+	  * Construct the provider.
+	  * @param string $usernameKey - the name of the environment variable holding the username (default is 'USERNAME')
+	  * @param string $passwordKey - the name of the environment variable holding the password (default is 'PASSWORD')
+	  */
+	public function __construct($usernameKey = NULL, $passwordKey = NULL) {
+		if (($usernameKey == NULL) || (trim($usernameKey) == '')) $usernameKey = 'USERNAME';
+		if (($passwordKey == NULL) || (trim($passwordKey) == '')) $passwordKey = 'PASSWORD';
+		parent::__construct($_ENV[$usernameKey], $_ENV[$passwordKey]);
+	}
+
+}
+

src/WebApp/Security/K8SecretCredentialsProvider.php

@@ -0,0 +1,47 @@
+<?php
+
+namespace WebApp\Security;
+
+/**
+  * A Helper class that returns the credentials from a Secret mounted in a Kubernetes pod.
+  */
+class K8SecretCredentialsProvider extends \TgUtils\Auth\DefaultCredentialsProvider {
+
+	/** The path where the secret is stored */
+	private $path;
+	/** The key in the secret holding the username (default is 'username') */
+	private $usernameKey;
+	/** The key in the secret holding the password (default is 'password') */
+	private $passwordKey;
+
+	/**
+	 * Construct the provider.
+	 * @param string $path        - the path to the mounted Kubernets secret
+	 * @param string $usernameKey - the key in the secret holding the username (default is 'username')
+	 * @param string $passwordKey - the key in the secret holding the password (default is 'password')
+	 */
+	public function __construct($path, $usernameKey = NULL, $passwordKey = NULL) {
+		if (($usernameKey == NULL) || (trim($usernameKey) == '')) $usernameKey = 'username';
+		if (($passwordKey == NULL) || (trim($passwordKey) == '')) $passwordKey = 'password';
+		$this->path        = $path;
+		$this->usernameKey = $usernameKey;
+		$this->passwordKey = $passwordKey;
+		parent::__construct('', '');
+	}
+
+	public function getUsername() {
+		return $this->get($this->usernameKey);
+	}
+
+	public function getPassword() {
+		return $this->get($this->passwordKey);
+	}
+
+	public function get($key) {
+		if (file_exists($this->path.'/'.$key)) {
+			return trim(file_get_contents($this->path.'/'.$key));
+		}
+		return NULL;
+	}
+}
+