Drop support for hierarchical credentials

thekid · thekid · commit d81e80545a1d · 2019-01-26T16:07:11.000+01:00
Not supported by every backend, making them not interchangeable. To access
credentials inside KeePass / Vault groups, the group name needs to be
passed to their respective constructors
diff --git a/ChangeLog.md b/ChangeLog.md
@@ -5,6 +5,9 @@ Credentials change log
 
 ## 1.0.0 / 2019-01-26
 
+* **Heads up:** Dropped support for hierarchical credentials using forward
+  slashes. Credential groups in KeePass databases and in Vault can be
+  accessed by passing the groups' names to their respective constructors.
 * Require xp-forge/rest-client `^1.0` - @thekid
 
 ## 0.8.5 / 2019-01-22
diff --git a/src/main/php/security/credentials/FromEnvironment.class.php b/src/main/php/security/credentials/FromEnvironment.class.php
@@ -28,7 +28,7 @@ public function open() { return $this; }
    * @return util.Secret
    */
   public function named($name) {
-    $name= strtoupper(strtr($name, ['/' => '__']));
+    $name= strtoupper($name);
     if (null === ($value= Environment::variable($name, null))) return null;
 
     $this->remove && $this->unset[$name]= null;
@@ -42,9 +42,9 @@ public function named($name) {
    * @return iterable
    */
   public function all($pattern) {
-    $match= strtoupper(strtr(substr($pattern, 0, strrpos($pattern, '*')), ['/' => '__']));
+    $match= strtoupper(substr($pattern, 0, strrpos($pattern, '*')));
     foreach ($_ENV as $name => $value) {
-      if (0 === strncmp($name, $match, strlen($match))) yield strtr(strtolower($name), ['__' => '/']) => new Secret($value);
+      if (0 === strncmp($name, $match, strlen($match))) yield strtolower($name) => new Secret($value);
     }
   }
 
diff --git a/src/main/php/security/credentials/FromKeePass.class.php b/src/main/php/security/credentials/FromKeePass.class.php
@@ -37,16 +37,8 @@ public function open() {
    * @return util.Secret
    */
   public function named($name) {
-    if (false === ($p= strrpos($name, '/'))) {
-      $group= '/';
-      $match= $name;
-    } else {
-      $group= '/'.substr($name, 0, $p);
-      $match= substr($name, $p + 1);
-    }
-    
-    foreach ($this->db->group($this->group.$group)->passwords() as $path => $value) {
-      if (basename($path) === $match) return new Secret((string)$value);
+    foreach ($this->db->group('/'.$this->group)->passwords() as $path => $value) {
+      if (basename($path) === $name) return new Secret((string)$value);
     }
     return null;
   }
@@ -58,16 +50,10 @@ public function named($name) {
    * @return iterable
    */
   public function all($pattern) {
-    if (false === ($p= strrpos($pattern, '/'))) {
-      $group= '/';
-      $match= substr($pattern, 0, strrpos($pattern, '*'));
-    } else {
-      $group= '/'.substr($pattern, 0, $p);
-      $match= substr($pattern, $p + 1, strrpos($pattern, '*') - $p - 1);
-    }
-    
-    foreach ($this->db->group($this->group.$group)->passwords() as $path => $value) {
-      if (0 === strncmp(basename($path), $match, strlen($match))) yield substr($path, 1) => new Secret((string)$value);
+    $match= substr($pattern, 0, strrpos($pattern, '*'));
+    foreach ($this->db->group('/'.$this->group)->passwords() as $path => $value) {
+      $base= basename($path);
+      if (0 === strncmp($base, $match, strlen($match))) yield $base => new Secret((string)$value);
     }
   }
 
diff --git a/src/main/php/security/credentials/FromVault.class.php b/src/main/php/security/credentials/FromVault.class.php
@@ -37,12 +37,10 @@ public function open() { return $this; }
    * @return util.Secret
    */
   public function named($name) {
-    $p= strrpos($name, '/');
-    $response= $this->endpoint->resource('/v1/secret/'.$this->group.substr($name, 0, $p))->get();
+    $response= $this->endpoint->resource('/v1/secret/'.$this->group)->get();
     if ($response->status() < 400) {
       $data= $response->value()['data'];
-      $key= ltrim(substr($name, $p), '/');
-      return isset($data[$key]) ? new Secret($data[$key]) : null;
+      return isset($data[$name]) ? new Secret($data[$name]) : null;
     } else {
       return null;
     }
@@ -55,14 +53,11 @@ public function named($name) {
    * @return iterable
    */
   public function all($pattern) {
-    $p= strrpos($pattern, '/');
-    $group= substr($pattern, 0, $p);
-    $response= $this->endpoint->resource('/v1/secret/'.$this->group.$group)->get();
+    $response= $this->endpoint->resource('/v1/secret/'.$this->group)->get();
     if ($response->status() < 400) {
-      $key= ltrim(substr($pattern, $p), '/');
-      $match= substr($key, 0, strrpos($key, '*'));
+      $match= substr($pattern, 0, strrpos($pattern, '*'));
       foreach ($response->value()['data'] as $name => $value) {
-        if (0 === strncmp($name, $match, strlen($match))) yield ltrim($group.'/'.$name, '/') => new Secret($value);
+        if (0 === strncmp($name, $match, strlen($match))) yield $name => new Secret($value);
       }
     }
   }
diff --git a/src/test/php/security/credentials/unittest/AbstractSecretsTest.class.php b/src/test/php/security/credentials/unittest/AbstractSecretsTest.class.php
@@ -8,13 +8,13 @@ protected abstract function newFixture();
   /**
    * Assertion helper
    *
+   * @param  security.valuts.Secrets $fixture
    * @param  string $expected
    * @param  string $name
    * @return void
    * @throws unittest.AssertionFailedError
    */
-  protected function assertCredential($expected, $name) {
-    $fixture= $this->newFixture();
+  protected function assertCredential($fixture, $expected, $name) {
     $fixture->open();
     try {
       $this->assertEquals($expected, $fixture->named($name)->reveal());
@@ -26,13 +26,13 @@ protected function assertCredential($expected, $name) {
   /**
    * Assertion helper
    *
+   * @param  security.valuts.Secrets $fixture
    * @param  [:string] $expected
    * @param  string $pattern
    * @return void
    * @throws unittest.AssertionFailedError
    */
-  protected function assertCredentials($expected, $pattern) {
-    $fixture= $this->newFixture();
+  protected function assertCredentials($fixture, $expected, $pattern) {
     $fixture->open();
     try {
       $this->assertEquals($expected, array_map(
@@ -60,7 +60,7 @@ public function open_and_close_can_be_called_twice() {
   #  ['prod_master_key', 'master']
   #])]
   public function credential($name, $result) {
-    $this->assertCredential($result, $name);
+    $this->assertCredential($this->newFixture(), $result, $name);
   }
 
   #[@test, @values([
@@ -69,17 +69,7 @@ public function credential($name, $result) {
   #  ['non_existant_*', []]
   #])]
   public function credentials($filter, $result) {
-    $this->assertCredentials($result, $filter);
-  }
-
-  #[@test]
-  public function from_subfolder() {
-    $this->assertCredential('test', 'xp/app/mysql');
-  }
-
-  #[@test]
-  public function all_in_subfolder() {
-    $this->assertCredentials(['xp/app/mysql' => 'test'], 'xp/app/*');
+    $this->assertCredentials($this->newFixture(), $result, $filter);
   }
 
   #[@test]
diff --git a/src/test/php/security/credentials/unittest/FromEnvironmentTest.class.php b/src/test/php/security/credentials/unittest/FromEnvironmentTest.class.php
@@ -1,8 +1,8 @@
 <?php namespace security\credentials\unittest;
 
+use lang\Environment;
 use security\credentials\FromEnvironment;
 use util\Secret;
-use lang\Environment;
 
 class FromEnvironmentTest extends AbstractSecretsTest {
 
@@ -15,7 +15,6 @@ public function setUp() {
       'TEST_DB_PASSWORD'   => 'db',
       'TEST_LDAP_PASSWORD' => 'ldap',
       'PROD_MASTER_KEY'    => 'master',
-      'XP__APP__MYSQL'     => 'test'
     ]);
   }
 
diff --git a/src/test/php/security/credentials/unittest/FromFileTest.class.php b/src/test/php/security/credentials/unittest/FromFileTest.class.php
@@ -1,10 +1,10 @@
 <?php namespace security\credentials\unittest;
 
-use security\credentials\FromFile;
 use io\File;
 use io\TempFile;
-use io\streams\Streams;
 use io\streams\MemoryInputStream;
+use io\streams\Streams;
+use security\credentials\FromFile;
 
 class FromFileTest extends AbstractSecretsTest {
 
@@ -14,7 +14,6 @@ protected function newFixture() {
       "TEST_DB_PASSWORD=db\n".
       "TEST_LDAP_PASSWORD=ldap\n".
       "PROD_MASTER_KEY=master\n".
-      "XP/APP/MYSQL=test\n".
       "CLOUD_SECRET=S\\xa7T"
     )));
   }
@@ -47,6 +46,6 @@ public function can_optionally_be_removed_after_close() {
 
   #[@test]
   public function byte_escape_sequence() {
-    $this->assertCredential("S\xa7T", 'cloud_secret');
+    $this->assertCredential($this->newFixture(), "S\xa7T", 'cloud_secret');
   }
 }
diff --git a/src/test/php/security/credentials/unittest/FromKeePassTest.class.php b/src/test/php/security/credentials/unittest/FromKeePassTest.class.php
@@ -17,12 +17,11 @@ protected function newFixture($group= '/') {
 
   #[@test, @values(['xp/app', '/xp/app', '/xp/app/'])]
   public function using_group($group) {
-    $fixture= $this->newFixture($group);
-    $fixture->open();
-    try {
-      $this->assertEquals('test', $fixture->named('mysql')->reveal());
-    } finally {
-      $fixture->close();
-    }
+    $this->assertCredential($this->newFixture($group), 'test', 'mysql');
+  }
+
+  #[@test, @values(['xp/app', '/xp/app', '/xp/app/'])]
+  public function all_in_group($group) {
+    $this->assertCredentials($this->newFixture($group), ['mysql' => 'test'], '*');
   }
 }
