From cd29f94d2865e5dc4ffb6fdff61aad34a57164b6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Roman=20Pi=C5=A1t=C4=9Bk?=
Date: Tue, 28 Jan 2025 19:41:00 +0100
Subject: [PATCH] feat (csas-migration): Add TransClient
---
src/Temporary/TransClient.php | 39 +++++++
tests/Temporary/TransClientTest.php | 166 ++++++++++++++++++++++++++++
2 files changed, 205 insertions(+)
create mode 100644 src/Temporary/TransClient.php
create mode 100644 tests/Temporary/TransClientTest.php
diff --git a/src/Temporary/TransClient.php b/src/Temporary/TransClient.php
new file mode 100644
index 0000000..be7df10
--- /dev/null
+++ b/src/Temporary/TransClient.php
@@ -0,0 +1,39 @@
+ [
+ 'encryptorId' => null,
+ 'expectedEnvName' => 'TRANS_AZURE_KEY_VAULT_URL',
+ ];
+ yield 'encryptorId is empty' => [
+ 'encryptorId' => '',
+ 'expectedEnvName' => 'TRANS_AZURE_KEY_VAULT_URL',
+ ];
+ yield 'encryptorId = "internal"' => [
+ 'encryptorId' => 'internal',
+ 'expectedEnvName' => 'TRANS_AZURE_KEY_VAULT_URL_INTERNAL',
+ ];
+ yield 'encryptorId = "job_queue"' => [
+ 'encryptorId' => 'job_queue',
+ 'expectedEnvName' => 'TRANS_AZURE_KEY_VAULT_URL_JOB_QUEUE',
+ ];
+ yield 'encryptorId = "job__queue_"' => [
+ 'encryptorId' => 'job__queue_',
+ 'expectedEnvName' => 'TRANS_AZURE_KEY_VAULT_URL_JOB_QUEUE',
+ ];
+ yield 'encryptorId = "job-queue"' => [
+ 'encryptorId' => 'job-queue',
+ 'expectedEnvName' => 'TRANS_AZURE_KEY_VAULT_URL_JOB_QUEUE',
+ ];
+ yield 'encryptorId = "job queue"' => [
+ 'encryptorId' => 'job queue',
+ 'expectedEnvName' => 'TRANS_AZURE_KEY_VAULT_URL_JOB_QUEUE',
+ ];
+ }
+
+ /** @dataProvider provideDeterminateVaultUrlEnvNameTestData */
+ public function testDeterminateVaultUrlEnvName(
+ ?string $encryptorId,
+ string $expectedEnvName,
+ ): void {
+ self::assertSame(
+ $expectedEnvName,
+ TransClient::determinateVaultUrlEnvName($encryptorId),
+ );
+ }
+
+ public static function provideTransClientUrlTestData(): iterable
+ {
+ yield 'encryptorId is null' => [
+ 'encryptorId' => null,
+ 'envs' => [
+ 'TRANS_AZURE_KEY_VAULT_URL' => 'https://vault-url',
+ ],
+ 'expectedClientUrl' => 'https://vault-url',
+ ];
+
+ yield 'encryptorId = "internal"' => [
+ 'encryptorId' => 'internal',
+ 'envs' => [
+ 'TRANS_AZURE_KEY_VAULT_URL_INTERNAL' => 'https://internal-vault-url',
+ ],
+ 'expectedClientUrl' => 'https://internal-vault-url',
+ ];
+ }
+
+ /** @dataProvider provideTransClientUrlTestData */
+ public function testTransClientUrl(
+ ?string $encryptorId,
+ array $envs,
+ string $expectedVaultUrl,
+ ): void {
+ putenv('TRANS_AZURE_TENANT_ID=tenant-id');
+ putenv('TRANS_AZURE_CLIENT_ID=client-id');
+ putenv('TRANS_AZURE_CLIENT_SECRET=client-secret');
+ foreach ($envs as $envName => $envValue) {
+ putenv(sprintf('%s=%s', $envName, $envValue));
+ }
+
+ $guzzleClientFactoryCounter = self::exactly(2);
+ $guzzleClientFactoryMock = $this->createMock(GuzzleClientFactory::class);
+ $guzzleClientFactoryMock->expects($guzzleClientFactoryCounter)
+ ->method('getClient')
+ ->with(
+ self::callback(fn($url) => match ($guzzleClientFactoryCounter->getInvocationCount()) {
+ 1 => $url === $expectedVaultUrl,
+ 2 => $url === 'https://management.azure.com/metadata/endpoints?api-version=2020-01-01',
+ default => self::fail('Unexpected url: ' . $url),
+ }),
+ self::isType('array'),
+ );
+
+ try {
+ new TransClient(
+ $guzzleClientFactoryMock,
+ $encryptorId,
+ );
+ } catch (TransClientNotAvailableException) {
+ self::fail('Test should not have thrown an exception');
+ }
+ }
+
+ public static function provideTransClientMismatchEnvsTestData(): iterable
+ {
+ yield 'encryptorId is null, env has suffix' => [
+ 'encryptorId' => null,
+ 'envs' => [
+ 'TRANS_AZURE_KEY_VAULT_URL_SOMETHING' => 'https://vault-url',
+ ],
+ ];
+
+ yield 'encryptorId = "internal", env suffix is missing' => [
+ 'encryptorId' => 'internal',
+ 'envs' => [
+ 'TRANS_AZURE_KEY_VAULT_URL' => 'https://vault-url',
+ ],
+ ];
+ }
+
+ /** @dataProvider provideTransClientMismatchEnvsTestData */
+ public function testTransClientMismatchEnvs(
+ ?string $encryptorId,
+ array $envs,
+ ): void {
+ putenv('TRANS_AZURE_TENANT_ID=tenant-id');
+ putenv('TRANS_AZURE_CLIENT_ID=client-id');
+ putenv('TRANS_AZURE_CLIENT_SECRET=client-secret');
+ foreach ($envs as $envName => $envValue) {
+ putenv(sprintf('%s=%s', $envName, $envValue));
+ }
+
+ $this->expectException(TransClientNotAvailableException::class);
+
+ new TransClient(
+ new GuzzleClientFactory(new NullLogger()),
+ $encryptorId,
+ );
+ }
+}
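Review bot: The `putenv()` calls in `testTransClientUrl` and `testTransClientMismatchEnvs` are never undone, so `TRANS_AZURE_KEY_VAULT_URL` and `TRANS_AZURE_KEY_VAULT_URL_INTERNAL` set by the URL datasets are still present when the mismatch datasets run in the same process. Both mismatch cases then presumably no longer exercise the "variable missing" path, and because that test builds a real `GuzzleClientFactory` it may pass only because the client fails for an unrelated reason, which would hide a regression that resolves the wrong vault for an `encryptorId`. Clearing the `TRANS_AZURE_*` variables in `setUp()` and `tearDown()` keeps each dataset isolated, as sketched below. Separately, the `expectedClientUrl` dataset key does not match the `$expectedVaultUrl` parameter; renaming the key keeps the provider valid if arguments are ever bound by name. The class header and the start of the first provider are not visible on this page.

```php
private const TRANS_ENV_NAMES = [
    'TRANS_AZURE_TENANT_ID',
    'TRANS_AZURE_CLIENT_ID',
    'TRANS_AZURE_CLIENT_SECRET',
    'TRANS_AZURE_KEY_VAULT_URL',
    'TRANS_AZURE_KEY_VAULT_URL_INTERNAL',
    'TRANS_AZURE_KEY_VAULT_URL_SOMETHING',
];

protected function setUp(): void
{
    parent::setUp();
    self::clearTransEnvs();
}

protected function tearDown(): void
{
    self::clearTransEnvs();
    parent::tearDown();
}

private static function clearTransEnvs(): void
{
    foreach (self::TRANS_ENV_NAMES as $envName) {
        // putenv() with a bare name (no "=value") removes the variable
        putenv($envName);
    }
}

// … unchanged: data providers and test methods …
```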