Credentials
thekid opened this issue · 1 comments
thekid commented
Scope of Change
A functionality with exchangeable backends to retrieve credentials will be added to the framework in the form of a library.
Rationale
Currently, property files offer the possibility to reference environment variables. This is a nice way to store connection strings without passwords in clear text. However, environment variables may not be desirable in all cases.
Functionality
The core of the functionality is a facade wrapping one or more backends to retrieve their respective values on the other side.
```php
$vault= new Vault(new FromEnvironment());
$secret= $vault->credential('ldap_password'); // Reads $ENV{LDAP_PASSWORD} => util.Secret
```
Closing
```php
$vault= new Vault(new FromEnvironment(FromEnvironment::REMOVE));
$secret= $vault->credential('ldap_password');
// Close the vault explicitly. Will unset $ENV{LDAP_PASSWORD} - ensuring
// no code after this can access it via getenv() or $_ENV
//
// However, /proc/self/environ will still contain the entry(!), since PHP's
// putenv() function doesn't update the global char **__environ variable
$vault->close();
```
Backends
- Environment - Reads from the environment. Can unset replaced values on vault close
- File - Reads from a file. Can remove file on vault close
- KeePass - Uses https://github.com/xp-forge/keepass
Security considerations
Speed impact
Dependencies
Related documents
thekid commented
Initial implementation now at https://github.com/xp-forge/credentials
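The caveat in the Closing snippet of the issue (the variable is gone for `getenv()` and `$_ENV`, yet still listed in `/proc/self/environ`) can be checked with plain PHP. This is an added example, not code from the issue or from xp-forge/credentials; it assumes Linux with `/proc` and PHP 7.4+, and the sample value and the helper names `launch()` and `inspect()` are made up for illustration. `/proc/self/environ` reflects the environment block the process was started with, which is why the script starts a child that receives the variable at launch.

```php
<?php
// Added example: compares what PHP code sees after unsetting a variable
// with what /proc/self/environ still reports. Linux only.
const NAME = 'LDAP_PASSWORD';   // variable name taken from the issue

// Runs in the child, which was started with NAME in its environment.
function inspect(): void {
  // Plain-PHP stand-in for what a REMOVE-style close does (assumption)
  putenv(NAME);                          // no "=": unsets the variable
  unset($_ENV[NAME], $_SERVER[NAME]);

  // /proc/self/environ is a NUL-separated list of NAME=value entries
  $entries= explode("\0", (string)file_get_contents('/proc/self/environ'));
  $prefix= NAME.'=';
  $residual= array_filter(
    $entries,
    fn($e) => 0 === strncmp($e, $prefix, strlen($prefix))
  );

  echo json_encode([
    'getenv_after_unset' => getenv(NAME),
    'in_ENV_superglobal' => isset($_ENV[NAME]),
    'in_proc_environ'    => count($residual) > 0,
  ]), "\n";
}

// Starts the child with a constructed sample value in its environment.
function launch(): void {
  $env= [NAME => 'constructed-sample-value'] + getenv();
  $proc= proc_open(
    [PHP_BINARY, __FILE__, 'inspect'],
    [1 => ['pipe', 'w']],
    $pipes,
    null,
    $env
  );
  if (!is_resource($proc)) {
    fwrite(STDERR, "could not start child process\n");
    exit(1);
  }
  echo stream_get_contents($pipes[1]);
  fclose($pipes[1]);
  proc_close($proc);
}

('inspect' === ($argv[1] ?? '')) ? inspect() : launch();
```

Save it to a file and run it with the PHP CLI. Whoever can read `/proc/<pid>/environ` (the process owner and root) sees the same entries, so unsetting the variable at vault close limits exposure to later PHP code only.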