technicalguru / vault
A flexible, lightweight PHP-based vault for providing secrets dynamically
v1.0.7
2020-12-18 10:16 UTC
Requires
- php: >=7.0.0
- technicalguru/utils: ^1
Requires (Dev)
- phpunit/phpunit: ^9
This package is auto-updated.
Last update: 2024-09-18 00:16:39 UTC
README
A flexible PHP-based vault for providing secrets dynamically
License
This project is licensed under the GNU LGPL 3.0.
Installation
Via Composer
composer require technicalguru/vault
Via package download
You can download the source package from the GitHub releases page.
Hashicorp setup
The procedure is best described in the Hashicorp blog, which explains how to create an approle. Here is the core of it:
# Enable the auth method for approle
vault auth enable approle

# Create a renewal policy
echo 'path "auth/token/*" { capabilities = [ "create", "read", "update", "delete", "list", "sudo" ] }' >renewal-policy.hcl
vault policy write renewal-policy renewal-policy.hcl

# Create a file with your policy on the respective secret path
# (written with echo, not cat: cat would treat the policy text as a file name)
echo 'path "secret/my-secret" { capabilities = ["read", "list"] }' >app-policy.hcl

# Create the policy
vault policy write my-app-policy app-policy.hcl

# Create the approle with renewal-policy and your application policy
vault write auth/approle/role/my-approle token_policies=renewal-policy,my-app-policy token_period=30m token_ttl=30m token_max_ttl=1h token_explicit_max_ttl=2h

# Get the role ID printed
vault read auth/approle/role/my-approle/role-id

# Create the secret ID and print it
vault write -f auth/approle/role/my-approle/secret-id
Note that you need to recreate the secret ID every time you change the application role or the policies.
Examples
Creating a HashicorpVault
Note that this vault is actually a client for an existing Hashicorp Vault.
// Create configuration
$config = array(
    'type'   => 'hashicorp',
    'config' => array(
        'uri'      => 'https://127.0.0.1:8200/v1',
        'roleId'   => '123456-12345-12345-123456',
        'secretId' => 'abcdef-abcde-abcde-abcdef'
    )
);

// Create the vault instance
try {
    $vault = \TgVault\VaultFactory::create($config);
} catch (\TgVault\VaultException $e) {
    // Vault could not be created
}
Creating a MemoryVault
// Create configuration
$config = array(
    'type'   => 'memory',
    'config' => array(
        'secrets' => array(
            'my/secret/number/1' => array(
                'username' => 'my-username1',
                'password' => 'my-password1',
            ),
            'my/secret/number/2' => array(
                'username' => 'my-username2',
                'password' => 'my-password2',
            ),
        )
    )
);

// Create the vault instance
try {
    $vault = \TgVault\VaultFactory::create($config);
} catch (\TgVault\VaultException $e) {
    // Vault could not be created
}
Creating a FileVault
// Create configuration
$config = array(
    'type'   => 'file',
    'config' => array(
        'filename' => 'path-to-json-secret-file'
    )
);

// Create the vault instance
try {
    $vault = \TgVault\VaultFactory::create($config);
} catch (\TgVault\VaultException $e) {
    // Vault could not be created
}
The secret file (JSON) should look like this:
{
    "secrets": {
        "my/secret/number/1": {
            "username": "my-username1",
            "password": "my-password1"
        },
        "my/secret/number/2": {
            "username": "my-username2",
            "password": "my-password2"
        }
    }
}
Retrieving secrets
try {
    $mySecret1 = $vault->getSecret('my/secret/number/1');
    $mySecret2 = $vault->getSecret('my/secret/number/2');
} catch (\TgVault\VaultException $e) {
    // secret was not found
}

$username1 = $mySecret1->get('username');
$password1 = $mySecret1->get('password');
$username2 = $mySecret2->get('username');
$password2 = $mySecret2->get('password');
A value within a secret is NULL when that key does not exist, whereas an exception is thrown when the secret itself cannot be found or an error occurs during retrieval.
Using deferred callback credentials
You can use the SecretProvider or CredentialsProvider helper classes to pass credentials around without the consumer needing to know where they come from or how to use the vault.
$callback1 = new \TgVault\SecretProvider($vault, 'my/secret/number/1');
$callback2 = new \TgVault\CredentialsProvider($vault, 'my/secret/number/2');

try {
    $username1 = $callback1->get('username');
    $password1 = $callback1->get('password');
    $username2 = $callback2->getUsername();
    $password2 = $callback2->getPassword();
} catch (\TgVault\VaultException $e) {
    // Secret cannot be retrieved or does not exist
}
CredentialsProvider accepts additional constructor arguments that define which keys of the secret provide the username and the password. The defaults are the same keys used with SecretProvider above ('username' and 'password').
Contributing
Report bugs, request enhancements or submit pull requests in the GitHub issue tracker.
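The following is an added example, not code from the technicalguru/vault README: it chooses a HashicorpVault when AppRole credentials are supplied through the environment (so roleId and secretId are never hard-coded in the application), falls back to a FileVault otherwise while refusing a secret file readable by group or others, and hands a CredentialsProvider to the consumer. The environment variable names and the NULL pass-through of getUsername()/getPassword() for an absent key are assumptions of this example.

```php
<?php
// Added example, not part of the technicalguru/vault project.
// VAULT_ADDR, VAULT_ROLE_ID, VAULT_SECRET_ID and VAULT_SECRET_FILE are
// variable names assumed by this example, not conventions of the library.
require_once __DIR__ . '/vendor/autoload.php';

function buildVaultConfig(): array {
    $roleId   = getenv('VAULT_ROLE_ID');
    $secretId = getenv('VAULT_SECRET_ID');
    if ($roleId !== false && $secretId !== false) {
        // Production path: AppRole login against a running Hashicorp Vault.
        return array(
            'type'   => 'hashicorp',
            'config' => array(
                'uri'      => getenv('VAULT_ADDR') ?: 'https://127.0.0.1:8200/v1',
                'roleId'   => $roleId,
                'secretId' => $secretId,
            ),
        );
    }
    // Development fallback: a JSON secret file in the format shown above.
    $file = getenv('VAULT_SECRET_FILE') ?: __DIR__ . '/secrets.json';
    // The file holds plaintext secrets: refuse it if group/others can read it
    // (POSIX permission bits; this check is not meaningful on Windows).
    if (!is_file($file) || (fileperms($file) & 0077) !== 0) {
        throw new \RuntimeException("secret file missing or too permissive: $file");
    }
    return array('type' => 'file', 'config' => array('filename' => $file));
}

try {
    $vault = \TgVault\VaultFactory::create(buildVaultConfig());
    // Hand the consumer a provider rather than the vault: the secret is
    // resolved only when getUsername()/getPassword() are called.
    $creds    = new \TgVault\CredentialsProvider($vault, 'my/secret/number/1');
    $username = $creds->getUsername();
    $password = $creds->getPassword();
    // Assumed to behave like Secret::get(): an absent key yields NULL instead
    // of an exception, so check for it before using the credentials.
    if ($username === null || $password === null) {
        throw new \RuntimeException('secret lacks username or password key');
    }
    // ... connect to the database/API with $username and $password ...
} catch (\TgVault\VaultException $e) {
    // Secret not found, or the vault could not be reached or authenticated.
    error_log('vault error: ' . $e->getMessage());
    exit(1);
}
```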