xp-framework/rfc

Credentials

thekid opened this issue · 1 comment

Scope of Change

A library with exchangeable backends for retrieving credentials will be added to the framework.

Rationale

Currently, property files can reference environment variables. This is a convenient way to store connection strings without putting the password in clear text. However, environment variables are not desirable in all cases, for example because they are inherited by every child process and readable by other processes of the same user via /proc/<pid>/environ.

Functionality

The core of the functionality is a facade wrapping one or more backends; each backend retrieves the credential's value from its own source, and the caller only ever sees the wrapped secret.

$vault= new Vault(new FromEnvironment());
$secret= $vault->credential('ldap_password');   // Reads LDAP_PASSWORD from the environment => util.Secret

Closing

$vault= new Vault(new FromEnvironment(FromEnvironment::REMOVE));
$secret= $vault->credential('ldap_password');

// Close the vault explicitly. Will unset LDAP_PASSWORD - ensuring
// no code after this can access it via getenv() or $_ENV
//
// However, /proc/self/environ will still contain the entry(!): the kernel
// serves it from the process' initial environment block, and putenv() /
// unsetenv() only change what the environ pointer array refers to; they
// never overwrite the original strings in that block.
$vault->close();

Backends

  • Environment - Reads from the environment. Can unset the values it handed out when the vault is closed
  • File - Reads from a file. Can remove the file when the vault is closed
  • KeePass - Uses https://github.com/xp-forge/keepass
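The facade and the two "remove on close" backends sketched above, as an added example written for this page; it is not the xp-forge/credentials code and does not use the XP framework. The Vault / FromEnvironment / FromFile names and the REMOVE flag follow the RFC, while the Backend interface, the Secret stand-in for util.Secret, FromFile's constructor arguments and file format (one name=value per line), and the inProcEnviron() helper that checks the /proc/self/environ caveat are assumptions of this example.

```php
<?php
// Added example in the shape of the RFC's API, not the xp-forge/credentials code.
// Secret stands in for XP's util.Secret; FromFile's file format (name=value per
// line, "#" comments) and constructor arguments, and inProcEnviron(), are assumed.

interface Backend {
  public function credential(string $name): ?string;   // null = not found here
  public function close(): void;                       // drop what was handed out
}

/** Stand-in for util.Secret: keeps the value out of var_dump() output */
final class Secret {
  private $value;
  public function __construct(string $value) { $this->value= $value; }
  public function reveal(): string { return $this->value; }
  public function __debugInfo(): array { return ['value' => '(hidden)']; }
}

final class FromEnvironment implements Backend {
  const REMOVE= 1;
  private $flags, $handedOut= [];

  public function __construct(int $flags= 0) { $this->flags= $flags; }

  public function credential(string $name): ?string {
    $var= strtoupper($name);                 // ldap_password => LDAP_PASSWORD
    $value= getenv($var);
    if (false === $value) return null;
    $this->handedOut[$var]= true;
    return $value;
  }

  public function close(): void {
    if (!($this->flags & self::REMOVE)) return;
    foreach (array_keys($this->handedOut) as $var) {
      putenv($var);                          // no "=": PHP calls unsetenv() for us
      unset($_ENV[$var]);                    // $_ENV is only filled if variables_order has "E"
    }
    $this->handedOut= [];
  }
}

final class FromFile implements Backend {
  const REMOVE= 1;
  private $file, $flags, $values= null;

  public function __construct(string $file, int $flags= 0) {
    $this->file= $file;
    $this->flags= $flags;
  }

  public function credential(string $name): ?string {
    if (null === $this->values) {            // parse lazily, once
      $this->values= [];
      $lines= @file($this->file, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) ?: [];
      foreach ($lines as $line) {
        if ('#' === $line[0]) continue;
        [$key, $value]= explode('=', $line, 2) + [1 => ''];
        $this->values[$key]= $value;
      }
    }
    return $this->values[$name] ?? null;
  }

  public function close(): void {
    $this->values= null;
    if (($this->flags & self::REMOVE) && is_file($this->file)) unlink($this->file);
  }
}

final class Vault {
  private $backends;
  public function __construct(Backend ...$backends) { $this->backends= $backends; }

  /** First backend that has the credential wins; the caller only ever sees a Secret */
  public function credential(string $name): Secret {
    foreach ($this->backends as $backend) {
      if (null !== ($value= $backend->credential($name))) return new Secret($value);
    }
    throw new RuntimeException('No credential named "'.$name.'"');
  }

  public function close(): void {
    foreach ($this->backends as $backend) $backend->close();
  }
}

/** Linux only: is $var still in the initial environment block the kernel exposes? */
function inProcEnviron(string $var): ?bool {
  $environ= @file_get_contents('/proc/self/environ');
  if (false === $environ) return null;       // not Linux, or not readable
  return false !== strpos("\0".$environ, "\0".$var.'=');
}

// Usage: LDAP_PASSWORD=hunter2 php example.php
if (false === getenv('LDAP_PASSWORD')) exit("Run as: LDAP_PASSWORD=... php example.php\n");
$file= tempnam(sys_get_temp_dir(), 'creds');
file_put_contents($file, "# constructed sample credentials file\ndb_password=s3cr3t\n");

$vault= new Vault(new FromEnvironment(FromEnvironment::REMOVE), new FromFile($file, FromFile::REMOVE));
$ldap= $vault->credential('ldap_password');
$db= $vault->credential('db_password');
var_dump($ldap);                             // the value itself is not shown
echo 'file backend returned ', strlen($db->reveal()), " chars\n";

$vault->close();
echo 'getenv() after close: ', var_export(getenv('LDAP_PASSWORD'), true), "\n";
echo 'credentials file still exists: ', var_export(file_exists($file), true), "\n";
echo 'still in /proc/self/environ: ', var_export(inProcEnviron('LDAP_PASSWORD'), true), "\n";
```

Run it with the variable set in the process' initial environment (as in the usage comment), not via putenv() inside the script, otherwise the /proc check has nothing to find. After close(), getenv() reports false and the temporary file is gone, yet on Linux the last line still reports true: unsetenv() only rewires the environ pointer array, and the original string stays in the environment block that /proc/self/environ is read from. That is the limitation the RFC's closing example describes, and it is why the REMOVE flag narrows exposure for PHP code in the same process but does not hide the value from anything that can read /proc.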

Security considerations

Speed impact

Dependencies

Related documents

Initial implementation now at https://github.com/xp-forge/credentials